Received: by 2002:a25:5b86:0:0:0:0:0 with SMTP id p128csp787738ybb; Thu, 28 Mar 2019 12:11:26 -0700 (PDT) X-Google-Smtp-Source: APXvYqykLVPizHQJPX7UePZG5Y0qVuJcTcUZNhFNrgQ9OkVH60Q6EnGenyXdDxSQwKfIJ1fIaNZ8 X-Received: by 2002:a63:2141:: with SMTP id s1mr41784971pgm.430.1553800286535; Thu, 28 Mar 2019 12:11:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1553800286; cv=none; d=google.com; s=arc-20160816; b=kx+QmRDjdPW6x00srXIB78lb0z/nV3Zu7us2VlnfhxeVZ3N6zlmZLMHi5Dmww2L3uH WwGDd4J3P5tW+1fAJ+SI9sf8cgUGHTwqz3rDGVgrbUxJxAs2SrbR369biN8S+31boVHC DvNcIFd5xFlwefw6i4voZR69k3NAYJYxCot/DOaxVWu3HmYRPXPfHj3HFrq8BD9I7pze 6NpAv9PPBKIN8HnUKBTnaX2t7VdehM111ljhXdOHWL7r1RLY8HQN12S+JbwaogsSYzHO dN1BgW6SOyG632j4TSjs7bu/wRan16JjuTXZxc9agLbbJyTgmGlFr8z5BLPi+Z9DkDCX py+Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=7L7cFXWIDXmECMfv+hU3LVVggFg7IekbkyABmSoVhMA=; b=AiivaVCnXv5eyORI3xSsUQ39dvnEr28iTJum+D/VcIYvWQv9qP5pz8TqyLLdwarka4 fBGi1CfnoCq3/AkOCw+slUd0OuN/e+39MHjddmdd1BIWNtqqRkfbJHxDVr4VCCV4lb9a Cka49q8Pq6u5u3OeePSdBJpFC9puetnqa4Wv/71naiHVDo/LqQ7YG4tu9nYCX+UjA7w3 lBgfZ1J7dTSfBPtM/fPu8yI3EV2wGQ1fy5jKrcCT1lhT9b0asgOMVcrULpp/VGybEeeR jkIhLL6HJRO86qPEHbfmar0CkvE4NM3AhXrmO9KwkgfGumKkMcQZiTiboJL5Q9ld/cwi OzOg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d62si22319134pfg.209.2019.03.28.12.11.10; Thu, 28 Mar 2019 12:11:26 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726484AbfC1TKI (ORCPT + 99 others); Thu, 28 Mar 2019 15:10:08 -0400 Received: from terminus.zytor.com ([198.137.202.136]:55887 "EHLO mail.zytor.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725852AbfC1TKH (ORCPT ); Thu, 28 Mar 2019 15:10:07 -0400 Received: from carbon-x1.hos.anvin.org ([IPv6:2601:646:8680:2bb1:1b64:2c6c:6ec3:aa41]) (authenticated bits=0) by mail.zytor.com (8.15.2/8.15.2) with ESMTPSA id x2SIFwYJ3433405 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO); Thu, 28 Mar 2019 11:15:59 -0700 Subject: Re: [PATCH 0/1] [RFC] Secure Launch boot protocol To: Ross Philipson , linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org Cc: x86@kernel.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, corbet@lwn.net, konrad.wilk@oracle.com, kanth.ghatraju@oracle.com, daniel.kiper@oracle.com, boris.ostrovsky@oracle.com, dpsmith@apertussolutions.com References: <20190311150423.15979-1-ross.philipson@oracle.com> From: "H. Peter Anvin" Message-ID: <54a6bc26-584f-322a-2089-be96472e2d4f@zytor.com> Date: Thu, 28 Mar 2019 11:15:53 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.0 MIME-Version: 1.0 In-Reply-To: <20190311150423.15979-1-ross.philipson@oracle.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org So, per our conversation today, lets create a new, readonly, data structure pointed to by a single field in setup_header, in order to preserve what little space we have left in that structure (a whopping 24 bytes...) The new data structure will have a header consisting of a magic number and a length field; if we want to be really paranoid we could add a checksum/crc. The existence of this new readonly structure will be announced by bumping the boot protocol to 2.15. The presence of your new boot launch capability (trenchboot) will be indicated by a new bit in xloadflags. I thought hard about this, and I have come to the conclusion that the new structure is better off in the .rodata section of the compressed kernel rather than in the setup area, for the following reasons, some of which are theoretical and unlikely to apply anywhere in the near future, but don't actually hurt to address right off the bat: a. The future size of the structure would not be artificially constrained by the 32K hard limit on the setup area; b. It is one less level of indirection in the build tools; c. It adds a possibly unnecessary dependency on the setup area, which could possibly be awkward for some boot loaders (unlikely, but...); d. It would allow this new structure to also carry information that might be useful to the decompressor for whatever reason. -hpa