[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAMj1kXHJxmdLie1JE=k3O4zne8tHED7g63rj42q-sL_JQUpvNw@mail.gmail.com>
Date: Wed, 30 Mar 2022 09:39:23 +0200
From: Ard Biesheuvel <ardb@...nel.org>
To: Matthew Garrett <mjg59@...f.ucam.org>
Cc: Daniel Kiper <daniel.kiper@...cle.com>,
Alec Brown <alec.r.brown@...cle.com>,
Kanth Ghatraju <kanth.ghatraju@...cle.com>,
Ross Philipson <ross.philipson@...cle.com>,
"dpsmith@...rtussolutions.com" <dpsmith@...rtussolutions.com>,
"piotr.krol@...eb.com" <piotr.krol@...eb.com>,
"krystian.hebel@...eb.com" <krystian.hebel@...eb.com>,
"persaur@...il.com" <persaur@...il.com>,
"Yoder, Stuart" <stuart.yoder@....com>,
Andrew Cooper <andrew.cooper3@...rix.com>,
"michal.zygowski@...eb.com" <michal.zygowski@...eb.com>,
James Bottomley <James.Bottomley@...senpartnership.com>,
"lukasz@...rylko.pl" <lukasz@...rylko.pl>,
linux-efi <linux-efi@...r.kernel.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
The development of GNU GRUB <grub-devel@....org>,
Kees Cook <keescook@...omium.org>
Subject: Re: Linux DRTM on UEFI platforms
On Wed, 30 Mar 2022 at 09:27, Matthew Garrett <mjg59@...f.ucam.org> wrote:
>
> On Wed, Mar 30, 2022 at 09:23:17AM +0200, Ard Biesheuvel wrote:
> > On Wed, 30 Mar 2022 at 09:19, Matthew Garrett <mjg59@...f.ucam.org> wrote:
> > > From a conceptual perspective we've thought of the EFI stub as being
> > > logically part of the bootloader rather than the early kernel, and the
> > > bootloader is a point where the line is drawn. My guy feeling is that
> > > jumping into the secure kernel environment before EBS has been called is
> > > likely to end badly.
> >
> > If you jump back into the system firmware, sure.
> >
> > But the point I was trying to make is that you can replace that with
> > your own minimal implementation of EFI that just exposes a memory map
> > and some protocols and nothing else, and then the secure launch kernel
> > would be entirely in charge of the execution environment.
>
> We can't just replace system firmware with an imitation of the same -
> for instance, configuring the cold boot prevention memory overwrite
> requires us to pass a variable through to the real firmware, and that's
> something that we do in the stub.
>
But these are exactly the kinds of things the secure launch kernel
wants to be made aware of, no? The secure launch kernel could just
MITM the calls that it chooses to allow, and serve other calls itself.
But more fundamentally, I am failing to see the distinction here
between stub code and other kernel code. Is it related to the exact
moment the secure launch event is triggered?
The way I see it, being able to marshall everything that goes on
between the stub and the secure launch kernel allows the latter to
make an informed decision about how the stub has manipulated the
global system state before triggering the secure launch event at
exitbootservices time.
But perhaps my mental model is simply too inaccurate - it would be
helpful to understand what exactly needs to be locked down, and what
aspects of the system state are of interest for the DRTM measurements.
Powered by blists - more mailing lists