Received: by 2002:a17:90a:1609:0:0:0:0 with SMTP id n9csp2389977pja; Thu, 26 Mar 2020 14:29:14 -0700 (PDT) X-Google-Smtp-Source: ADFU+vuJosERSYH9dKMvzG8cC63D6I63GX9740PdXE+1h939fbsg9VWqFgOUEO0HETryx5nb3y7w X-Received: by 2002:a05:6830:1413:: with SMTP id v19mr992062otp.41.1585258153863; Thu, 26 Mar 2020 14:29:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1585258153; cv=none; d=google.com; s=arc-20160816; b=EkcwYFuvNcoCWnYsjuWdqiLdWTomqWIW6Z15wEACQlqv+29gyZq1RAmzN0xxNrjg0F hfXOa2xhh4f/904fJ18x7WakJMdnFxZA6yjYi8dxVgn45uQF7NBaOp0SzobhRbCMJP0c wqApvG+LNNpjfv2VWIxEz+FlnkJFoetCyp5kpTf48itAPSZm5pia8f9h71X1Vtzl1JxP UXmqNtKaP7vAFyukPuY43dL79rJxoaCX1oRJv2WVqHchxnArf9YyxHj2kUnKR4/hV+q0 t7lJwKlqq8kKezBiIOasQwyGVX+Nc25iqK1s9Zz89LyEX30zI4o8iEpBhU8vausRdhTF 9H9w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=Btlqx21eu40zUkcej/V6liXdJs8HK+Dpn/OJAl+X7mA=; b=sWJlTdpUB9p4sP5JFIHh13u6PFaKv84L+buwNn442WO9VKe/UFvmbv8MTk/nn/GTbz 70dq1ZvL3J/QlDh9eF2FKUAa4KbtTXzEFEnXD395oOSCwuqi6rIIJQvXY+IXcDMFomrs x/+D6VNjFgF8+RXlulqWkY7FYOcGPmNNF5RxXyi7BNatowOBOxzaw8/nk/2btqZRxg84 d5GGYSPjWtdcHkbdo/r+/pYH6498eQmbQ1h3J43QDqmaXeQ2oZ8Ft8InSpAD2hcQFKSO PiK5oQ6mKvPbN64lbYo9V3X2U4gT29SYgEb7s1Qr9Wr161gmsZD/ckRJ6Hg5EqQmTVCY S9jQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=M6cg4sv8; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 18si1514275oin.182.2020.03.26.14.29.01; Thu, 26 Mar 2020 14:29:13 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=M6cg4sv8; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727495AbgCZV2i (ORCPT + 99 others); Thu, 26 Mar 2020 17:28:38 -0400 Received: from mail-il1-f193.google.com ([209.85.166.193]:42521 "EHLO mail-il1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726363AbgCZV2h (ORCPT ); Thu, 26 Mar 2020 17:28:37 -0400 Received: by mail-il1-f193.google.com with SMTP id f16so6842985ilj.9 for ; Thu, 26 Mar 2020 14:28:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=Btlqx21eu40zUkcej/V6liXdJs8HK+Dpn/OJAl+X7mA=; b=M6cg4sv8ajLQueUJZXq4N/kjX221+tiJF3yQSbWclKBVnWsv+Ff2zDfM6Bxb6emo97 LQ1F9sPt3GWYLMPIdeL4dgPAXK5i4ESgbkSvjnUj5ytNaBhoyXlsz6x5It7brFjgReOv n3MYFBCKdFqDEPs2O4hZKMy8DL1bmo9gMFqgPuJ/hsxgK/RcKyParZEVp1UdPgnkc0NK ypUXfY0uVphJ5BknZRjb/x1FhKKT3ZFlCaklkosor2ursaMGsd8dvOP3HzYYhh7Juy2F ayKp0BZ7fvweMRKcyB6i+xLNqNgAu+fvFuiwQOPjis10vBxB9LI0i1il4vufxE3hZufc TXAA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=Btlqx21eu40zUkcej/V6liXdJs8HK+Dpn/OJAl+X7mA=; b=PqGdELvy36ZE27J5vWvvklFP47m+WmETZXbNtWc48J+YdRhQMD+09FVcpgHLpPe8/o 4358gRnHyMI+6Mqm62WzE6VALp0FZzZ4no51Phca0ZH4Ax93E4EMhaWPUgTzmjg0hGEH Omgz9OpUK85j44rsKTO6DdS+lkSvH0yduQ+tYSF5hJr++xO+lGA8trl34H2fYwyFeBt6 jgwDaqjMRqgtnCRQNxL7e8om0wobBGsMNLn6OVA6YbhWMrBVZy0wn5voS7RazJTwiUbU WTfKSlpp2qGU3eyiYiIkAB1vFOqZxNVMVVnAofBFk1uVibR3DU359lLonAENrbSLVq2b hFkA== X-Gm-Message-State: ANhLgQ1Hv0+mlq1DTczhaB3ohEMFVdnfQ4UVNpMrLKLo8leRxXcCD5Uo ACdODpWt2LyOG3Pxw6LcOEBsjlC54HmtqHuBQqmFMQ== X-Received: by 2002:a92:8384:: with SMTP id p4mr11224795ilk.16.1585258116250; Thu, 26 Mar 2020 14:28:36 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Matthew Garrett Date: Thu, 26 Mar 2020 14:28:25 -0700 Message-ID: Subject: Re: [RFC PATCH 00/12] x86: Trenchboot secure late launch Linux kernel support To: Andy Lutomirski Cc: Daniel Kiper , Ross Philipson , Linux Kernel Mailing List , "the arch/x86 maintainers" , linux-doc@vger.kernel.org, "Daniel P. Smith" , Thomas Gleixner , Ingo Molnar , Borislav Petkov , "H. Peter Anvin" , trenchboot-devel@googlegroups.com, Ard Biesheuvel , leif@nuviainc.com, eric.snowberg@oracle.com, piotr.krol@3mdeb.com, krystian.hebel@3mdeb.com, michal.zygowski@3mdeb.com, James Bottomley , andrew.cooper3@citrix.com Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Mar 26, 2020 at 2:07 PM Andy Lutomirski wrote= : > > On Mar 26, 2020, at 1:40 PM, Matthew Garrett wrote: > > > > =EF=BB=BFOn Thu, Mar 26, 2020 at 1:33 PM Andy Lutomirski wrote: > >> As a straw-man approach: make the rule that we never call EFI after se= cure launch. Instead we write out any firmware variables that we want to ch= ange on disk somewhere. When we want to commit those changes, we reboot, c= ommit the changes, and re-launch. Or we deactivate the kernel kexec-style, = seal the image against PCRs, blow away PCRs, call EFI, relaunch, unseal the= PCRs, and continue on our merry way. > > > > That breaks the memory overwrite protection code, where a variable is > > set at boot and cleared on a controlled reboot. > > Can you elaborate? I=E2=80=99m not familiar with this. https://trustedcomputinggroup.org/wp-content/uploads/TCG_PlatformResetAttac= kMitigationSpecification_1.10_published.pdf - you want to protect in-memory secrets from a physically present attacker hitting the reset button, booting something else and just dumping RAM. This is avoided by setting a variable at boot time (in the boot stub), and then clearing it on reboot once the secrets have been cleared from RAM. If the variable isn't cleared, the firmware overwrites all RAM contents before booting anything else. > > As for the second approach - how would we > > verify that the EFI code hadn't modified any user pages? Those > > wouldn't be measured during the second secure launch. If we're calling > > the code at runtime then I think we need to assert that it's trusted. > > Maybe you=E2=80=99re misunderstanding my suggestion. I=E2=80=99m suggest= ing that we hibernate the whole running system to memory (more like kexec j= ump than hibernate) and authenticated-encrypt the whole thing (including us= er memory) with a PCR-sealed key. We jump to a stub that zaps PCRs does EFI= calls. Then we re-launch and decrypt memory. When you say "re-launch", you mean perform a second secure launch? I think that would work, as long as we could reconstruct an identical state to ensure that the PCR17 values matched - and that seems like a hard problem.