Received: by 2002:a17:90a:1609:0:0:0:0 with SMTP id n9csp2466915pja; Thu, 26 Mar 2020 16:00:40 -0700 (PDT) X-Google-Smtp-Source: ADFU+vvx4w23RtW2Fx7Q2eMw6zIVreVE8Yt1aP1KDmt1zIqGCoL0uOLb/Q5fFahl86/yQ0zdXqHZ X-Received: by 2002:a9d:61d6:: with SMTP id h22mr7801716otk.6.1585263640826; Thu, 26 Mar 2020 16:00:40 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1585263640; cv=none; d=google.com; s=arc-20160816; b=BVsxWCtSNEnZkwh7P0ucqjNaZJgMV0g01E+KxpDxROg3XQAo4YckeKeuJeDVa0o4uy cqEmvlhWwzHVq2dl071DGx2/7KXEyjTes5POJiaVsIsGKWCH6Hhl/9E3EH3dT+ZPfrpi bmCFu9P9MfSU2gG+VI5bjl59eww86gmTc4x8a7hbfC8pofA1OQHH68AOGXUujk9bt27F zl/p+aAU1sWkwcE05FwkX6tTP+WH5MN/e3V/SmDbcB3nIpMB9svLSeFI5Ag+wPUBE/s6 8xPn3N7d537jrs1Z+X8FlIBvZ0zc/HET0UWQHthAVfqKWssS4C1H2INNdNu01OL/VpPC DIkw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=FYvxodz7d4pB6VdW2wEtyiPcxDIa/w32jDzfvDzkoU8=; b=pyNkmv8tqZOpBwPi600xdjcJtjAn566TXdf5h2MZhChJiPppF4npY9kPpvwOVbo+ad +Vfpl4lltPkYVPuYlG2eJp2T7UybP+MhsH9oPremNY97VzEZx1TqqzT223HHd5QA6RSp enppVFsBol0bXCq/YrMQcexu4veMp0MLgMyu6IvoET2+tUT43L+a46OxDGbfLVutYJX/ IG7+LxNCbpK39xr8tQdO3BAmK8TOr3/f5SI2XFegcNTtMXb1ghS8wP/ZtHL0iPGLMcr5 IZCmHsbb784Bo88MZtU4+MVJ+KwhUbZ059E+2XGMw7Kt2+aIGMj+V+IzzFQt8u6JZrTg ElDw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=lbSiQuYz; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f26si1722753otc.182.2020.03.26.16.00.27; Thu, 26 Mar 2020 16:00:40 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=lbSiQuYz; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727473AbgCZXAC (ORCPT + 99 others); Thu, 26 Mar 2020 19:00:02 -0400 Received: from mail-il1-f196.google.com ([209.85.166.196]:46598 "EHLO mail-il1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726067AbgCZXAB (ORCPT ); Thu, 26 Mar 2020 19:00:01 -0400 Received: by mail-il1-f196.google.com with SMTP id e8so7025974ilc.13 for ; Thu, 26 Mar 2020 15:59:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=FYvxodz7d4pB6VdW2wEtyiPcxDIa/w32jDzfvDzkoU8=; b=lbSiQuYzsX/YLfN+amKkN7JbC15Gb8HRMWXLvWiCBK258OaPQEQ7d9xfRenumyr08U YcKjxNgsNm/3FM0LY9dxX6E4qwllOE6RUd1Tbiw0IzQBxryQx2UmIQQmhoX2Zv9oPyRU EEZrrO75nib7VAy3lsA/9BP7HHZ/uRgXXcV1lCJBcLT/bwC72VJKZxO4fvIszMKoCotW UtI9ZiiAn9BeiOpisURIzjiSa7pSDbIScdakKPDZ1XO9aJihiQGhVIu6//DNihisrNpg sWHefA17+Q6Jk5zeb3Rr3/2u/YynXU1YfG3L+MUb5k4y2Ee0C54t+20F/mCHyaJiaTl4 AKaA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=FYvxodz7d4pB6VdW2wEtyiPcxDIa/w32jDzfvDzkoU8=; b=W+pSy0s+svxptbG6WTdufD4pVC0fMNZU4eCsD57QtPKWv6doMdj5Tz1DL1gNQdh6I1 1iCi6ghyGiB0CbDRmPnEBD3Ve/JxEOwS33U9gHjs1yqUItGwVWmUtvxvMWL7z5+nCKOg 24j/3xbKJuMU6JpESNukW0kFSX8neMZU5I5g2xrDjGOZeenLaIkEpQS8Aow1sSnAhJip mDOyF+gX9ob6xYpkWlcZ2ZCte5rb8JDtXULZFzH2XFh3wokNMySTpJ2SGqzMni3eP3Ns t5r2tgqNKZJUxTytep9w2ZoJmjuarCGJ65X7hxdJKTrNVwF0dKRPRHHSq1teILUxjFzg zBoQ== X-Gm-Message-State: ANhLgQ0o51RH9pzJmro+FRW9D3hiqkMfYKCGLrFmG/Ex+v4h++ZW1JY2 5Jx/lqaK/BBsz+F4mRJKLK24wUhxBEWGyC8+z9fOBw== X-Received: by 2002:a92:358b:: with SMTP id c11mr10435037ilf.64.1585263598976; Thu, 26 Mar 2020 15:59:58 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Matthew Garrett Date: Thu, 26 Mar 2020 15:59:47 -0700 Message-ID: Subject: Re: [RFC PATCH 00/12] x86: Trenchboot secure late launch Linux kernel support To: Andy Lutomirski Cc: Daniel Kiper , Ross Philipson , Linux Kernel Mailing List , "the arch/x86 maintainers" , "open list:DOCUMENTATION" , "Daniel P. Smith" , Thomas Gleixner , Ingo Molnar , Borislav Petkov , "H. Peter Anvin" , trenchboot-devel@googlegroups.com, Ard Biesheuvel , leif@nuviainc.com, eric.snowberg@oracle.com, piotr.krol@3mdeb.com, krystian.hebel@3mdeb.com, michal.zygowski@3mdeb.com, James Bottomley , Andrew Cooper Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Mar 26, 2020 at 3:52 PM Andy Lutomirski wrote: > > On Thu, Mar 26, 2020 at 2:28 PM Matthew Garrett wrote: > > https://trustedcomputinggroup.org/wp-content/uploads/TCG_PlatformResetAttackMitigationSpecification_1.10_published.pdf > > - you want to protect in-memory secrets from a physically present > > attacker hitting the reset button, booting something else and just > > dumping RAM. This is avoided by setting a variable at boot time (in > > the boot stub), and then clearing it on reboot once the secrets have > > been cleared from RAM. If the variable isn't cleared, the firmware > > overwrites all RAM contents before booting anything else. > > I admit my information is rather dated, but I'm pretty sure that at > least some and possibly all TXT implementations solve this more > directly. In particular, as I understand it, when you TXT-launch > anything, a nonvolatile flag in the chipset is set. On reboot, the > chipset will not allow access to memory *at all* until an > authenticated code module wipes memory and clears that flag. Mm, yes, this one might be something we can just ignore in the TXT case. > > When you say "re-launch", you mean perform a second secure launch? I > > think that would work, as long as we could reconstruct an identical > > state to ensure that the PCR17 values matched - and that seems like a > > hard problem. > > Exactly. I would hope that performing a second secure launch would > reproduce the same post-launch PCRs as the first launch. If the > kernel were wise enough to record all PCR extensions, it could replay > them. That presumably depends on how much state is in the measured region - we can't just measure the code in order to assert that we're secure. > In any case, I'm kind of with Daniel here. We survived for quite a > long time without EFI variables at all. The ability to write them is > nice, and we certainly need some way, however awkward, to write them > on rare occasions, but I don't think we really need painless runtime > writes to EFI variables. I'm fine with a solution that involves jumping through some hoops, but it feels like simply supporting measuring and passing through the runtime services would be fine - if you want to keep them outside the TCB, build a kernel that doesn't have EFI runtime service support and skip that measurement?