| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 8 Jul 2022 13:06:19 +0930
From: Brendan Trotter <btrotter@...il.com>
To: "Daniel P. Smith" <dpsmith@...rtussolutions.com>
Cc: The development of GNU GRUB <grub-devel@....org>,
Ard Biesheuvel <ardb@...nel.org>,
Matthew Garrett <mjg59@...f.ucam.org>,
Daniel Kiper <daniel.kiper@...cle.com>,
Alec Brown <alec.r.brown@...cle.com>,
Kanth Ghatraju <kanth.ghatraju@...cle.com>,
Ross Philipson <ross.philipson@...cle.com>,
"piotr.krol@...eb.com" <piotr.krol@...eb.com>,
"krystian.hebel@...eb.com" <krystian.hebel@...eb.com>,
"persaur@...il.com" <persaur@...il.com>,
"Yoder, Stuart" <stuart.yoder@....com>,
Andrew Cooper <andrew.cooper3@...rix.com>,
"michal.zygowski@...eb.com" <michal.zygowski@...eb.com>,
James Bottomley <James.Bottomley@...senpartnership.com>,
"lukasz@...rylko.pl" <lukasz@...rylko.pl>,
linux-efi@...r.kernel.org, linux-kernel@...r.kernel.org,
James Morris <jmorris@...ei.org>
Subject: Re: Linux DRTM on UEFI platforms
Hi,
On Thu, Jul 7, 2022 at 7:18 PM Daniel P. Smith
<dpsmith@...rtussolutions.com> wrote:
> On 7/5/22 20:03, Brendan Trotter wrote:
> Greetings!
>
> Not sure why I got dropped from distro, but no worries.
>
> > On Wed, Jul 6, 2022 at 4:52 AM Daniel P. Smith
> > <dpsmith@...rtussolutions.com> wrote:
> >> On 6/10/22 12:40, Ard Biesheuvel wrote:> On Thu, 19 May 2022 at 22:59,
> >> To help provide clarity, consider the following flows for comparison,
> >>
> >> Normal/existing efi-stub:
> >> EFI -> efi-stub -> head_64.S
> >>
> >> Proposed secure launch:
> >> EFI -> efi-stub -> dl-handler -> [cpu] -> sl_stub ->head_64.S
> >
> > For more clarity; the entire point is to ensure that the kernel only
> > has to trust itself and the CPU/TPM hardware (and does not have to
> > trust a potentially malicious boot loader)..Any attempt to avoid a
> > one-off solution for Linux is an attempt to weaken security.
>
> Please elaborate so I might understand how this entrypoint allows for
> the kernel to only trust itself and the CPU/TPM.
Is this a serious request?
Kernel is started (via. firmware using the kernel's efi-stub, or via.
"kexec()", or..); and regardless of how the kernel was started the
kernel establishes its own dynamic root of trust.(e.g. AMD"s SKINIT or
Intel's TXT, followed by measuring the remainder of itself and
anything passed from firmware like APCI tables) without relying on a
call-back provided by "untrusted by kernel" third-parties that don't
exist in most cases. The dynamic root of trust that kernel creates
depends on the kernel, CPU, TPM, etc (and excludes untrusted and
unnecessary third parties)..
The only potential benefit that the callback solution provides is that
it, in theory, it could reduce duplication of work for other operating
systems (FreeBSD, Solaris, Haiku, Fuchsia, .. could use the same
callback instead of doing it themselves); but previous discussions
(talk of formalising the contract between the boot stub and the Linux
kernel) suggest that you aren't interested in any other OS.
This leaves me wondering what your true motivation is. Are you trying
to benefit GRUB/Trenchboot (at the expense of security, end-user
convenience, distro installer hassle, etc); or trying to manufacture
scope for future man-in-the middle attacks (by promoting a solution
that requires something between firmware and kernel)?
- Brendan
Powered by blists - more mailing lists