Received: by 2002:a17:90a:1609:0:0:0:0 with SMTP id n9csp2327665pja; Thu, 26 Mar 2020 13:20:23 -0700 (PDT) X-Google-Smtp-Source: ADFU+vuqPzCk4PmfDux5UYEG6/hKtUMevpIe0xcRE96RpwCmlTEJK54kfCzQWKnVennADe+Ei7lf X-Received: by 2002:aca:d7c3:: with SMTP id o186mr1628402oig.147.1585254022842; Thu, 26 Mar 2020 13:20:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1585254022; cv=none; d=google.com; s=arc-20160816; b=sbyEj8Iin2aRr7Juk96ogifLFwXlNfmIsdKbGGb3isnHM4v54bmmQbnmzd+nsWeVwo VfmMtvbWg4NVQDz/FD5u5Ps3I9YoR0GcnvjUmI4qi4IIbC3e0z/Qn3xRxamdvH6zPqzd si2YmtrHk4xknjS0wHDN0RQ5g7jVNSRKjzRYRScsT4RgIZ0gTteeS0tLC+fVizyneR/x XetmF28SYp4BfQj7+QOkXV1523obC1a5mlEfB5oOI2sRgHKrVHOD1XgjDYGOs+Y+QbBv W/UKYy8Hpk1d31GJnyyHAf/8YyzVRf9xRUc6ykIgqthShwlaLIGGALsCamsGlfZP5LH4 1qzA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=2dOHIQM15C+8J2rrlogjSwV4spTK3lPNUtfX8p1nrXQ=; b=LlgURGVkY/vOM1fvILdZAkWhpF6s+2kGun9unmICw1SEUyPB3UKChFreoIFQIc1VW3 atk0b2DmjAW+pRcsZCDZX8im3TP0a3eGsOAxk9mKaPQHkB+1D+tyFiO5mZqphyCCjnCh U4L/B0e42hP/mAvs4Skehu5u+LbazjNJyyCbphWfj64PBwruhbTIyoT58v59DHMOwJIb XaURycWvAB8PwAuVan4dZWKA49GhwFyKWRDDxxC3HO4EF/GKnf6+qnIWYmCJMLqOsNO4 apKul4lHjDyA8fWn1ZWcZYiYUILCj4+nLRFG0/hHnIvhxVRTSg7IEbJPTaOrzVZarB1t Q5hA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=mrKSk27Q; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q126si1431678oia.55.2020.03.26.13.20.08; Thu, 26 Mar 2020 13:20:22 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=mrKSk27Q; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728722AbgCZUTp (ORCPT + 99 others); Thu, 26 Mar 2020 16:19:45 -0400 Received: from mail-il1-f196.google.com ([209.85.166.196]:38477 "EHLO mail-il1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728326AbgCZUTn (ORCPT ); Thu, 26 Mar 2020 16:19:43 -0400 Received: by mail-il1-f196.google.com with SMTP id m7so6690738ilg.5 for ; Thu, 26 Mar 2020 13:19:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=2dOHIQM15C+8J2rrlogjSwV4spTK3lPNUtfX8p1nrXQ=; b=mrKSk27QeQHjOhXDQ67+/nvXEJW9w0/5zoTq0a3tKFUS5MEt0c8/8hyr9bA/lTtcZc usly1JHNxlla3H/Z/lx62QtQG/yuXx3E9yREvC7YE+KFdrZRa1w2X/3r8Wp0N5W+tQvQ vW9SIOWUhjdDUtyBWGLxhpykQPilXkcZCKd5TuKwpsvC8sgHDQLTfnQ1GOnbgxcj4ocl RbuuOeFwOi4nupN8mAU0KKNF8E996G+GZReVy6dbztLiHFcw6uj3QsnhfmPMgIIztihp EZ/PStOMq+tEGtwYXNLFa1+rqA070AZY6YalKjALb79Nz7mTMn/cKm+rYa3bGpLHMpqp KlOQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=2dOHIQM15C+8J2rrlogjSwV4spTK3lPNUtfX8p1nrXQ=; b=DvmWzT0SGvawJeS0pzZU8yNZuaxvkrRNW+iPn4ntokDNQUGFtBUwslXmfgnGQSDtOw xr1Zv1GEqZs0f0tv94dOlSoftQrOEAc+VrB6ZSEP9tjJQ79yNiw9wxS/ws8uD/LnlzSH Y8f55bwZYUn1jRPnSeUtjrfP36QHPZ5UxBMI/QRRIiRFIHtmVPmkIypxs7K4iVHOIROD a7nF37PVFo4glFAcjkrJY4t6sqWdKgcdow1/eSDbeDxqVpWAy1yQnX31Zol+7DpPD+ye WkXB3E7ecwFQTd30DUELzlLtGU3RWLT1Ail68WDbbebCQ/hPo/L2u3dVXjXp1etNratZ XSkw== X-Gm-Message-State: ANhLgQ2XRZjDmJKdPesQWbH0cs0uvuFmX1ATqOSdrfemReyP9UfjPyRt UtFysDlT2dWu8Oftfmvo18XMjRK5gXkdZyPPjpHRYQ== X-Received: by 2002:a92:8384:: with SMTP id p4mr10939777ilk.16.1585253982337; Thu, 26 Mar 2020 13:19:42 -0700 (PDT) MIME-Version: 1.0 References: <20200325194317.526492-1-ross.philipson@oracle.com> <20200326134011.c4dswiq2g7eln3qd@tomti.i.net-space.pl> In-Reply-To: <20200326134011.c4dswiq2g7eln3qd@tomti.i.net-space.pl> From: Matthew Garrett Date: Thu, 26 Mar 2020 13:19:30 -0700 Message-ID: Subject: Re: [RFC PATCH 00/12] x86: Trenchboot secure late launch Linux kernel support To: Daniel Kiper Cc: Ross Philipson , Linux Kernel Mailing List , "the arch/x86 maintainers" , linux-doc@vger.kernel.org, dpsmith@apertussolutions.com, Thomas Gleixner , Ingo Molnar , Borislav Petkov , "H. Peter Anvin" , trenchboot-devel@googlegroups.com, Ard Biesheuvel , leif@nuviainc.com, eric.snowberg@oracle.com, piotr.krol@3mdeb.com, krystian.hebel@3mdeb.com, michal.zygowski@3mdeb.com, James Bottomley , andrew.cooper3@citrix.com Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Mar 26, 2020 at 6:40 AM Daniel Kiper wrote: > On Wed, Mar 25, 2020 at 01:29:03PM -0700, 'Matthew Garrett' via trenchboot-devel wrote: > > On Wed, Mar 25, 2020 at 12:43 PM Ross Philipson > > wrote: > > > To enable the kernel to be launched by GETSEC or SKINIT, a stub must be > > > built into the setup section of the compressed kernel to handle the > > > specific state that the late launch process leaves the BSP. This is a > > > lot like the EFI stub that is found in the same area. Also this stub > > > must measure everything that is going to be used as early as possible. > > > This stub code and subsequent code must also deal with the specific > > > state that the late launch leaves the APs in. > > > > How does this integrate with the EFI entry point? That's the expected > > It does not. We do not want and need to tie secure launch with UEFI. I agree that it shouldn't be required, but it should be possible. We shouldn't add new entry points that don't integrate with the standard way of booting the kernel. > > What's calling ExitBootServices() in > > Currently it is a bootloader, the GRUB which I am working on... OK, this > is not perfect but if we want to call ExitBootServices() from the kernel > then we have to move all pre-launch code from the bootloader to the > kernel. Not nice because then everybody who wants to implement secure > launch in different kernel, hypervisor, etc. has to re-implement whole > pre-launch code again. We call ExitBootServices() in the EFI stub, so this is fine as long as the EFI stub hands over control to the SL code. But yes, I think it's a requirement that it be kernel-owned code calling ExitBootServices(). > > this flow, and does the secure launch have to occur after it? It'd be > > Yes, it does. Ok. The firmware TPM interfaces are gone after ExitBootServices(), so we're going to need an additional implementation. > I think any post-launch code in the kernel should not call anything from > the gap. And UEFI belongs to the gap. OK, we can potentially re-use UEFI > TPM code in the pre-launch phase but I am not convinced that we should > (I am looking at it right now). And this leads us to other question > which pops up here and there. How to call UEFI runtime services, e.g. to > modify UEFI variables, update firmware, etc., from MLE or even from the > OS started from MLE? In my opinion it is not safe to call anything from > the gap after secure launch. However, on the other hand we have to give > an option to change the boot order or update the firmware. So, how to > do that? I do not have an easy answer yet... How does Windows manage this? Retaining access to EFI runtime services is necessary, and the areas in the memory map marked as runtime services code or data should be considered part of the TCB and measured - they're very much not part of the gap.