[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <41521e8ecd2876327cd8dd929b32aa3b7e9daca8.camel@HansenPartnership.com>
Date: Wed, 30 Mar 2022 08:46:41 -0400
From: James Bottomley <James.Bottomley@...senPartnership.com>
To: Ard Biesheuvel <ardb@...nel.org>,
Matthew Garrett <mjg59@...f.ucam.org>
Cc: Daniel Kiper <daniel.kiper@...cle.com>,
Alec Brown <alec.r.brown@...cle.com>,
Kanth Ghatraju <kanth.ghatraju@...cle.com>,
Ross Philipson <ross.philipson@...cle.com>,
"dpsmith@...rtussolutions.com" <dpsmith@...rtussolutions.com>,
"piotr.krol@...eb.com" <piotr.krol@...eb.com>,
"krystian.hebel@...eb.com" <krystian.hebel@...eb.com>,
"persaur@...il.com" <persaur@...il.com>,
"Yoder, Stuart" <stuart.yoder@....com>,
Andrew Cooper <andrew.cooper3@...rix.com>,
"michal.zygowski@...eb.com" <michal.zygowski@...eb.com>,
"lukasz@...rylko.pl" <lukasz@...rylko.pl>,
linux-efi <linux-efi@...r.kernel.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
The development of GNU GRUB <grub-devel@....org>,
Kees Cook <keescook@...omium.org>
Subject: Re: Linux DRTM on UEFI platforms
On Wed, 2022-03-30 at 09:39 +0200, Ard Biesheuvel wrote:
> On Wed, 30 Mar 2022 at 09:27, Matthew Garrett <mjg59@...f.ucam.org>
> wrote:
> > On Wed, Mar 30, 2022 at 09:23:17AM +0200, Ard Biesheuvel wrote:
> > > On Wed, 30 Mar 2022 at 09:19, Matthew Garrett <
> > > mjg59@...f.ucam.org> wrote:
> > > > From a conceptual perspective we've thought of the EFI stub as
> > > > being logically part of the bootloader rather than the early
> > > > kernel, and the bootloader is a point where the line is drawn.
> > > > My guy feeling is that jumping into the secure kernel
> > > > environment before EBS has been called is likely to end badly.
> > >
> > > If you jump back into the system firmware, sure.
> > >
> > > But the point I was trying to make is that you can replace that
> > > with your own minimal implementation of EFI that just exposes a
> > > memory map and some protocols and nothing else, and then the
> > > secure launch kernel would be entirely in charge of the execution
> > > environment.
> >
> > We can't just replace system firmware with an imitation of the same
> > - for instance, configuring the cold boot prevention memory
> > overwrite requires us to pass a variable through to the real
> > firmware, and that's something that we do in the stub.
> >
>
> But these are exactly the kinds of things the secure launch kernel
> wants to be made aware of, no? The secure launch kernel could just
> MITM the calls that it chooses to allow, and serve other calls
> itself.
The problem would become that the MITM firmware has to be evolved in
lockstep with the boot stub. The problem isn't really a point in time,
figure out what config the boot stub extracts from EFI now and measure
it, it's an ongoing one: given an evolving kernel and UEFI subsystem
means that over time what configuration the kernel extracts from EFI
changes, how do we make sure it's all correctly measured before secure
launch?
If the MITM doesn't support a capability a newer kernel acquires, that
MITM must fail secure launch ... which becomes a nightmare for the
user.
One possibility might be that the MITM actually does nothing at all
except record Boot Service requests and responses up to exit boot
services (EBS). We could call that record the boot configuration and
measure it, plus we could then intercept EBS, and do the DRTM secure
launch to the return point. It's conceptually similar Matthew's idea
of a callback except it won't require modification of the boot
parameters.
James
Powered by blists - more mailing lists