Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp992166ybb; Wed, 25 Mar 2020 13:29:59 -0700 (PDT) X-Google-Smtp-Source: ADFU+vsklClf/Z+sEIrNqPoe+vesJoULuPfdnk0oZz/0KUAa9U1nPmJQ8ZO8bA+W/Ns0+2Ysf92F X-Received: by 2002:a4a:d1a4:: with SMTP id z4mr2761288oor.52.1585168199481; Wed, 25 Mar 2020 13:29:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1585168199; cv=none; d=google.com; s=arc-20160816; b=idO1p0rKSV86qKNJx5qPTVUq1zhuSpI9yMY0gOaPr5ID+zcWM2XmqNESXZ9JsEEEEd fZ2NLS8fuffoTAfysP9bTFJ1WmUGXm9rlxSmZardDGeulPM1ooT7p/gnuLIgOrQho98/ Uim3Hy70JEPVYuMVwbLZOWHlMFkVBCQc/64X8VHLhQq7G7o58y1k8p7Aq552jE5C92NW maz/0LuMtXTw3pE854Ia3qodNEmjGCXmOnw0vmBcZknfalAjBglvV1p/HiToyw7qv/ca ihHjATElMd3iPdj7vZcKmvIwUM53LIxYuRp7oqOIpPspdy6HMxIxrzFiWNjCdsdkTdFX FpRg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=PU8MusG8hezkzW5+KO/6eKPDv5BwIZAo7r3U1MyX75U=; b=v5VVE7m/BHadEVObgF86A/86DrzOsf9O08XtT9otiurOybEudFKgkePupfnn4GbZKl mTlUZDZ+JE4gZKiF/Rvi09jVE9Vvt4UpSAHAVnprOCPYsGg3Tr8hXKl5eMZs9V1A1xkD kYGEmXNqjovU9LrbEvkTLvvarJ1o4oRu/RSyO4t7yijcLFKoo28pn5BMzvQdwyeZfqBG hpLEyMEEq69f7VlGBafK25ktsZa6xU21ysupiE9j+is4AIdLDMZfmYVY3PDgLbaF1rsX HeyEybLamrJIbbSrcLHdFA47Nd+JukXPok8soZX+OxM1dm1pPyhFE88EnfgrgJJsjVOw IqjQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=ZI2byf2r; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id s27si86140otg.229.2020.03.25.13.29.45; Wed, 25 Mar 2020 13:29:59 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=ZI2byf2r; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727452AbgCYU3Q (ORCPT + 99 others); Wed, 25 Mar 2020 16:29:16 -0400 Received: from mail-io1-f65.google.com ([209.85.166.65]:44659 "EHLO mail-io1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727236AbgCYU3Q (ORCPT ); Wed, 25 Mar 2020 16:29:16 -0400 Received: by mail-io1-f65.google.com with SMTP id v3so3669608iot.11 for ; Wed, 25 Mar 2020 13:29:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=PU8MusG8hezkzW5+KO/6eKPDv5BwIZAo7r3U1MyX75U=; b=ZI2byf2rDJAZbfLYIXaAtMe63t/0GZoKwJ4cK63V8WQp6VV2H/N8jjA3QPBc5D27gM kcc5YHnX7hmE9y5h4ERM1pqI8/u7ax3SGdAaz2nzqYK8MIeWO/F5R6sImG+aYjVIjGIe +mJupj1LoVmeoww+WGM9cKjT9YyWnxsVR2gjuo1doh6veivh3sR6gjhHvYV6DyZZY7J/ 6znmOWw1IZ9IKbczFzX4/NakSIY0YPwWONtukKHn45S/NknmbZ6ORd0r2/OoSfxdwlIo +YjNScxCFwoqud/dYZSZiUw66GNobXRASbg8+3OMXxCUD0MHhXmZC1/XDf+frjMWzZtC 61bA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=PU8MusG8hezkzW5+KO/6eKPDv5BwIZAo7r3U1MyX75U=; b=skuS7ncCiVpsU7ttl0tV/C+zCv6yHk0qp0zX2MEnXv8BhJQGWdhOAfWiOIiZQpdr0t KWqXUpJvD613FlVNQtipFPjcWIn0X24hCpxv7JuIxhoVvzPoswO75FzVP0zAhhDn6O1U taHqQBMjXtqO5k9a5e27PJRVTNmJv9moSN0syroySAG5OgJbJIFh1dqX9c/9l8zRxFTR AZXUKc3ZrDBJteZiOWhb4nLTFzqHXdd2jfm6G1/25tydB9lEG/MDygqWwzGEt4DgFjLX zutV5bH6LyENf19TQmabJVrLsr6P2i0onZaUyxa1dNbBCVQml21q1McJ2h1EGt1OqZa7 OYIw== X-Gm-Message-State: ANhLgQ2v8tbyEuGutOvfP3fiHPJ2vU06D3I1zGxMtfQ2uIUwMrak9w2P QwtMuf/hlCKRnK4di/I2UoU7gGyiy7dpO2YsqOmO6tGRFLw= X-Received: by 2002:a02:93c1:: with SMTP id z59mr4456806jah.11.1585168154776; Wed, 25 Mar 2020 13:29:14 -0700 (PDT) MIME-Version: 1.0 References: <20200325194317.526492-1-ross.philipson@oracle.com> In-Reply-To: <20200325194317.526492-1-ross.philipson@oracle.com> From: Matthew Garrett Date: Wed, 25 Mar 2020 13:29:03 -0700 Message-ID: Subject: Re: [RFC PATCH 00/12] x86: Trenchboot secure late launch Linux kernel support To: Ross Philipson Cc: Linux Kernel Mailing List , "the arch/x86 maintainers" , linux-doc@vger.kernel.org, dpsmith@apertussolutions.com, Thomas Gleixner , Ingo Molnar , Borislav Petkov , "H. Peter Anvin" , trenchboot-devel@googlegroups.com Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Mar 25, 2020 at 12:43 PM Ross Philipson wrote: > To enable the kernel to be launched by GETSEC or SKINIT, a stub must be > built into the setup section of the compressed kernel to handle the > specific state that the late launch process leaves the BSP. This is a > lot like the EFI stub that is found in the same area. Also this stub > must measure everything that is going to be used as early as possible. > This stub code and subsequent code must also deal with the specific > state that the late launch leaves the APs in. How does this integrate with the EFI entry point? That's the expected entry point on most modern x86. What's calling ExitBootServices() in this flow, and does the secure launch have to occur after it? It'd be a lot easier if you could still use the firmware's TPM code rather than carrying yet another copy.