Received: by 2002:a17:90a:1609:0:0:0:0 with SMTP id n9csp2481736pja; Thu, 26 Mar 2020 16:16:03 -0700 (PDT) X-Google-Smtp-Source: ADFU+vseh4OY9v6wzrN+/ciiHwf1uqc2YaOVVSk4WNIucs757hC1ouX7P9mKCbJFG2kxpZd/evZk X-Received: by 2002:aca:d10:: with SMTP id 16mr2184161oin.142.1585264563130; Thu, 26 Mar 2020 16:16:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1585264563; cv=none; d=google.com; s=arc-20160816; b=W+k9ytAVzMgdxiXgWuA72tCeG2Mp/N6/HtIHN1FJjB2DzLk2A1mI1cKlC728I62JDJ O9bnWJ/tUaAvd0N8O960CigsVEIyfJUa0KfQKJLxRMW7kcSfsW5hxv2Hh2+mnD+4lEhe G7xS8OzIBaHVQLZ9IKK73OUCFEidNjtiuKYQ1DSVg8hgLGGLttPzd5QCx71de/LG4Efb HV4cCh6GE0cdcY6EDwwV+GgZ4oJ7jcrFWalp3DDTa7tb5g+Wy1rY8JOE3STBcjS3wnzf OU3J4RuK2MfNCzZiiuHWnXJc2NNp9h7TXxTSjIlLj0p/8CI2br/aZcg6gETDYpXX5gwO yHXQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=IoDIV4H5BwpmYNvw9upGBXNZ2B2aSOr0Jcfteg/izSs=; b=lIw5OqbCToyP1qlTE3h7Bse0ZUIn00DMzcyKSXA38fCCorj6BFPCZ8CNQqbse0caQ9 x8nYFcux8NQsx/ryR+2WDDFjdFgsKjGOq4MAlu7de3YaFqDsBGX1xghrHr01Hz8Dweqn 5y+UxwftvsNxXPQlXOTsLT3jv7H0h+i209Rz/zdY+xMSGqHwFkTcTEl9XkKgtOP/qDR5 sT3CrmamBS89HE0PCbyndl4lZN0bSExGrCmIBxusBp/HeQbPLJlXrvWgbrthoewZGBg+ rBL9ZSlkFGaZ4VpR23eaK2JkIAlDzP/GEhTKu3Nl6BCocVEiiPQD91kwtt/Jo9kXnQM6 P+Ug== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=nNx+mI6A; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t23si438201otm.97.2020.03.26.16.15.49; Thu, 26 Mar 2020 16:16:03 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=nNx+mI6A; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727547AbgCZXOM (ORCPT + 99 others); Thu, 26 Mar 2020 19:14:12 -0400 Received: from mail.kernel.org ([198.145.29.99]:36748 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727347AbgCZXOL (ORCPT ); Thu, 26 Mar 2020 19:14:11 -0400 Received: from mail-wm1-f44.google.com (mail-wm1-f44.google.com [209.85.128.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 530F020787 for ; Thu, 26 Mar 2020 23:14:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1585264450; bh=pBpYKCYnqkY69V5IhWZ/DJiK6T7TRaVaD2ZvmGOEuS4=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=nNx+mI6ABRCHDoPFwj94WyC7rJi0CnjZZMRGH1IMgdPUiiYaDdczR2RYxzmj5F3VY gMHKe5fl7h5UDsvgBHpIe3+tNvgdkfhOdN/0Ivu7iqYlvZwEpbUs1auWaN3fyfFyxn SPwdX0Y64sOV1ufFqHPBZrTcIrsIY5kN69kTiAsc= Received: by mail-wm1-f44.google.com with SMTP id f6so3660054wmj.3 for ; Thu, 26 Mar 2020 16:14:10 -0700 (PDT) X-Gm-Message-State: ANhLgQ1grtehqdXJ0sPiJ2uJOkdwLC+iUEakTtJIcbGsWZjT0H2IWxy0 Pc6sZWLTCk2ZtTUwXYksG0JChG0Mz2DuMyxDry1Fdw== X-Received: by 2002:adf:b641:: with SMTP id i1mr11924938wre.18.1585264448743; Thu, 26 Mar 2020 16:14:08 -0700 (PDT) MIME-Version: 1.0 References: <20200325194317.526492-1-ross.philipson@oracle.com> <6bb09673-292e-b056-3755-ffc51a1d6b59@apertussolutions.com> In-Reply-To: <6bb09673-292e-b056-3755-ffc51a1d6b59@apertussolutions.com> From: Andy Lutomirski Date: Thu, 26 Mar 2020 16:13:56 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [RFC PATCH 00/12] x86: Trenchboot secure late launch Linux kernel support To: "Daniel P. Smith" Cc: Andy Lutomirski , Matthew Garrett , Ross Philipson , Linux Kernel Mailing List , "the arch/x86 maintainers" , "open list:DOCUMENTATION" , Thomas Gleixner , Ingo Molnar , Borislav Petkov , "H. Peter Anvin" , trenchboot-devel@googlegroups.com Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Mar 26, 2020 at 1:51 PM Daniel P. Smith wrote: > > On 3/25/20 6:51 PM, Andy Lutomirski wrote: > > On Wed, Mar 25, 2020 at 1:29 PM Matthew Garrett wrote: > >> > >> On Wed, Mar 25, 2020 at 12:43 PM Ross Philipson > >> wrote: > >>> To enable the kernel to be launched by GETSEC or SKINIT, a stub must be > >>> built into the setup section of the compressed kernel to handle the > >>> specific state that the late launch process leaves the BSP. This is a > >>> lot like the EFI stub that is found in the same area. Also this stub > >>> must measure everything that is going to be used as early as possible. > >>> This stub code and subsequent code must also deal with the specific > >>> state that the late launch leaves the APs in. > >> > >> How does this integrate with the EFI entry point? That's the expected > >> entry point on most modern x86. What's calling ExitBootServices() in > >> this flow, and does the secure launch have to occur after it? It'd be > >> a lot easier if you could still use the firmware's TPM code rather > >> than carrying yet another copy. > > > > I was wondering why the bootloader was involved at all. In other > > words, could you instead hand off control to the kernel just like > > normal and have the kernel itself (in normal code, the EFI stub, or > > wherever it makes sense) do the DRTM launch all by itself? This would > > avoid needing to patch bootloaders, to implement this specially for > > QEMU -kernel, to get the exact right buy-in from all the cloud > > vendors, etc. It would also give you more flexibility to evolve > > exactly what configuration maps to exactly what PCRs in the future. > > > > Partly this is driven by the fact that one of the goals for the > TrenchBoot project is about more universal/unified, cross open source > project adoption of Dynamic Launch. Another aspect is that initiating a > Dynamic Launch requires additional file(s) to be loaded, the platform to > be put into a quiescent state, and the invocation of the SENTER/SKINIT > instruction can be thought of as a soft reset of the CPU that on Intel > even results in the CPU being in a different mode (SMX) which has a > subtle change to its behavior. In the TCG Dynamic Launch design, the > component responsible for this loading, preparing, and Dynamic Launch > Instruction invocation is referred to as the Preamble and IMHO the best > time for dealing with such a disruptive behavior caused by invoking the > instruction is at the boot boundary. It also makes for a good transition > point to enable switching between kernels in control of the system > whereby the integrity will be establish by the hardware instead of the > kernel (UEFI, GRUB, Linux, etc.) that loaded it. I think what helps > address your concern is that one of the next items on the roadmap is to > extend kexec to be able to perform the Preamble. As I just mentioned, > this provides a clean way to transition for one Linux kernel that may or > may not have been started via a Dynamic Launch could relaunch itself, > launch a new Linux kernel, or even launch a non-Linux kernel that is > Dynamic Launch aware. > Hmm. I don't have any real objection to the kernel supporting this type of secure launch, but I do have some more questions first. One of the problems with the old tboot code and the general state of dynamic-root-of-trust is that it's an incredible pain in the neck to even test. I think it would be helpful if I could build a kernel that supported secure launch (Intel or AMD) and just run the thing. I realize that you're planning to integrate this into GRUB, etc, but it might be nice if even existing GRUB and EFI shell can do this. How hard would it be to make the kernel support a mode where whatever blobs are required are in the initrd or built in like firmware and where I could set a command line argument like secure_launch=on and have the kernel secure launch itself? Are you planning on supporting a mode where kernel A kexecs to kernel B, kernel B is secure launched, and then kernel B resumes kernel A and re-launches it? If so, would it work better if the measured state of the kernel were the *uncompressed* text or even the uncompressed and alternative-ified text? Or is the idea that the secure launch entry will figure out that it's actually a resume and not a fresh boot and behave accordingly? What's the situation like in a VM? Can I run the secure launch entry in a VM somehow? Can I actually initiate the dynamic launch from the VM?