| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20241009-feathered-polar-manul-ea6e33@leitao> Date: Wed, 9 Oct 2024 03:46:32 -0700 From: Breno Leitao <leitao@...ian.org> To: Jonathan McDowell <noodles@...th.li> Cc: Ard Biesheuvel <ardb@...nel.org>, "Eric W. Biederman" <ebiederm@...ssion.com>, James Bottomley <James.Bottomley@...senpartnership.com>, Usama Arif <usamaarif642@...il.com>, linux-efi@...r.kernel.org, kexec@...ts.infradead.org, bhe@...hat.com, vgoyal@...hat.com, tglx@...utronix.de, dave.hansen@...ux.intel.com, x86@...nel.org, linux-kernel@...r.kernel.org, rmikey@...a.com, gourry@...rry.net, linux-integrity@...r.kernel.org Subject: Re: [RFC] efi/tpm: add efi.tpm_log as a reserved region in 820_table_firmware On Wed, Oct 09, 2024 at 10:10:57AM +0100, Jonathan McDowell wrote: > On Wed, Sep 18, 2024 at 09:36:06AM +0200, Ard Biesheuvel wrote: > > On Wed, 18 Sept 2024 at 05:14, Eric W. Biederman <ebiederm@...ssion.com> wrote: > > > Ard Biesheuvel <ardb@...nel.org> writes: > > > > On Tue, 17 Sept 2024 at 17:24, Eric W. Biederman <ebiederm@...ssion.com> wrote: > > > >> Ard Biesheuvel <ardb@...nel.org> writes: > > > > >> This should not be the kexec-on-panic kernel as that runs in memory > > > >> that is reserved solely for it's own use. So we are talking something > > > >> like using kexec as a bootloader. > > > > > > > > kexec as a bootloader under TPM based measured boot will need to do a > > > > lot more than pass the firmware's event log to the next kernel. I'd > > > > expect a properly engineered kexec to replace this table entirely, and > > > > include the hashes of the assets it has loaded and measured into the > > > > respective PCRs. > > > > > > > > But let's stick to solving the actual issue here, rather than > > > > philosophize on how kexec might work in this context. > > > > > > I am fine with that. The complaint I had seen was that the table was > > > being corrupted and asking how to solve that. It seems I haven't read > > > the part of the conversation where it was made clear that no one wants > > > the tpm_log after kexec. > > > > > It was not made clear, that is why I raised the question. I argued > > that the TPM log has limited utility after a kexec, given that we will > > be in one of two situations: > > - the kexec boot chain cares about the TPM and measured boot, and will > > therefore have extended the TPM's PCRs and the TPM log will be out of > > sync; > > - the kexec boot chain does not care, and so there is no point in > > forwarding the TPM log. > > > > Perhaps there is a third case where kdump wants to inspect the TPM log > > that the crashed kernel accessed? But this is rather speculative. > > Generally the kernel/host OS and the firmware are touching different > PCRs in the TPM. > > The firmware eventlog covers what the firmware/bootloader measured; > itself, option ROMs, secure boot details, bootloader, initial > kernel/initrd (if we're talking grub as the initial bootloader). These > details are not changed by a kexec, and provide the anchor of the > software trust chain. > > A kexec'd kernel will generally not touch the same PCRs. The primary way > I know to carry kexec measurements / logs over to new kernels is using > IMA, which will be configured to use one of the later PCRs (default of > 10). What about in the case where you don't have Grub, but, use the kernel as the bootloader, kexecing into the desired kernel? Will the bootloader-kernel touch the same PCRs as GRUB, or it will only touch PCRs above 10? Thanks --breno
Powered by blists - more mailing lists