Received: by 2002:a05:6512:2355:0:0:0:0 with SMTP id p21csp214229lfu; Wed, 30 Mar 2022 21:18:22 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxJD0lM/Q4IBbCKUDLd/HIe0s6Tj32y6zFOdto76az6P3o44sHZ2d1aiGkWp2iVL6IeweZw X-Received: by 2002:a63:4417:0:b0:382:add8:71cb with SMTP id r23-20020a634417000000b00382add871cbmr9267688pga.605.1648700301813; Wed, 30 Mar 2022 21:18:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1648700301; cv=none; d=google.com; s=arc-20160816; b=oCuMFnQ2Hlat2hGXM7pxIH62i77759iBSZt/9rDWJmePmsqW/VUtgJDJURuF/reAc+ IyI410f3KT4BcUlU912T2fs8FU9Bz6+Y+Bh1rz1axRbYs2EPHfPGuVt0imHCUjzZg2qJ 46IAgYH4slsfsDh9QgHXco4qJSHDHqKE0Ac8lm/dHOAzVT/1qsvAdLiZ/praAPazVMt9 pCta5Y+1IGLwaq22I8OZ33l0b1r04OdhPqO/1kUTvZxZUkQI21MosdFJG8AM/H6ZbB15 AC9mfFqtzmyfwcNsrFpPqUjmXBE7kOFjr43dkPli5kGWjdrQThBBR1W6J5y//5npKIVn vRXA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:date:cc:to:from:subject :message-id:dkim-signature:dkim-signature; bh=8Pr3WbnaN5W7VM/4JlClZN/RfaQD0cA8vsB7nuK7f2w=; b=c1D2XEFr69OmwR/N9rC1ewM397SkByiyBju/6DNqzF9YOcgEFjyalBNdFIrv0xgtmF A3ovynIbFmz+41HqNHk5n9+vjkgTa113ilyY18VYC1DHLVlYxZ29bCj0wyefwxG15Ni8 iwN/aE0RfXS7skf23Ha+5OXRVMZxosTFnfpOZb1pSZMU13xDNg3TSllsmJRQ5l+9uACn xSpRg1uO1DxAuPqrn+7hpLqXksPn7/gmAldryhHBqu+i3erWcEFtkvqyn5i550UHot/e 6GMDk7397O8FHTPpqJgY0lutK4eaPrJJRDoD3yczww3DDosJAgSefAN9uAbnGlRrt/XI s5Sg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@hansenpartnership.com header.s=20151216 header.b=nn8AAgM0; dkim=pass header.i=@hansenpartnership.com header.s=20151216 header.b=nn8AAgM0; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id 23-20020a631957000000b00384334da699si3805006pgz.199.2022.03.30.21.18.21 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 30 Mar 2022 21:18:21 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@hansenpartnership.com header.s=20151216 header.b=nn8AAgM0; dkim=pass header.i=@hansenpartnership.com header.s=20151216 header.b=nn8AAgM0; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 9CCA7EFF92; Wed, 30 Mar 2022 20:13:59 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344708AbiC3MtP (ORCPT + 99 others); Wed, 30 Mar 2022 08:49:15 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42162 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345942AbiC3Msc (ORCPT ); Wed, 30 Mar 2022 08:48:32 -0400 Received: from bedivere.hansenpartnership.com (bedivere.hansenpartnership.com [IPv6:2607:fcd0:100:8a00::2]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 766ACDE0BF; Wed, 30 Mar 2022 05:46:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=hansenpartnership.com; s=20151216; t=1648644405; bh=KAfrZgKEul9aSsbZ36kPU6Tj18oRXB0dM4HC3xvmmXw=; h=Message-ID:Subject:From:To:Date:In-Reply-To:References:From; b=nn8AAgM02CcbhIpBEc+LRzvcURan3/dQ3hkEigyO4ktwhNb3MknZmgEA8v2ISWf66 eMqota5PANQaFP/P2ctxTAmBUX9sLJc1dq/gRo/1HQUgIMF279FtC6TlvXRsw0DFby WoqCIRieFcgtb4AgBtxbYQp5x+DKFfwU8NjJNOfI= Received: from localhost (localhost [127.0.0.1]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id 55C651288359; Wed, 30 Mar 2022 08:46:45 -0400 (EDT) Received: from bedivere.hansenpartnership.com ([127.0.0.1]) by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nDP9QrI8rjHM; Wed, 30 Mar 2022 08:46:45 -0400 (EDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=hansenpartnership.com; s=20151216; t=1648644405; bh=KAfrZgKEul9aSsbZ36kPU6Tj18oRXB0dM4HC3xvmmXw=; h=Message-ID:Subject:From:To:Date:In-Reply-To:References:From; b=nn8AAgM02CcbhIpBEc+LRzvcURan3/dQ3hkEigyO4ktwhNb3MknZmgEA8v2ISWf66 eMqota5PANQaFP/P2ctxTAmBUX9sLJc1dq/gRo/1HQUgIMF279FtC6TlvXRsw0DFby WoqCIRieFcgtb4AgBtxbYQp5x+DKFfwU8NjJNOfI= Received: from lingrow.int.hansenpartnership.com (unknown [IPv6:2601:5c4:4300:c551::c14]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by bedivere.hansenpartnership.com (Postfix) with ESMTPSA id A54551288358; Wed, 30 Mar 2022 08:46:43 -0400 (EDT) Message-ID: <41521e8ecd2876327cd8dd929b32aa3b7e9daca8.camel@HansenPartnership.com> Subject: Re: Linux DRTM on UEFI platforms From: James Bottomley To: Ard Biesheuvel , Matthew Garrett Cc: Daniel Kiper , Alec Brown , Kanth Ghatraju , Ross Philipson , "dpsmith@apertussolutions.com" , "piotr.krol@3mdeb.com" , "krystian.hebel@3mdeb.com" , "persaur@gmail.com" , "Yoder, Stuart" , Andrew Cooper , "michal.zygowski@3mdeb.com" , "lukasz@hawrylko.pl" , linux-efi , Linux Kernel Mailing List , The development of GNU GRUB , Kees Cook Date: Wed, 30 Mar 2022 08:46:41 -0400 In-Reply-To: References: <20220329174057.GA17778@srcf.ucam.org> <20220330071103.GA809@srcf.ucam.org> <20220330071859.GA992@srcf.ucam.org> <20220330072755.GA1169@srcf.ucam.org> Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.34.4 MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 2022-03-30 at 09:39 +0200, Ard Biesheuvel wrote: > On Wed, 30 Mar 2022 at 09:27, Matthew Garrett > wrote: > > On Wed, Mar 30, 2022 at 09:23:17AM +0200, Ard Biesheuvel wrote: > > > On Wed, 30 Mar 2022 at 09:19, Matthew Garrett < > > > mjg59@srcf.ucam.org> wrote: > > > > From a conceptual perspective we've thought of the EFI stub as > > > > being logically part of the bootloader rather than the early > > > > kernel, and the bootloader is a point where the line is drawn. > > > > My guy feeling is that jumping into the secure kernel > > > > environment before EBS has been called is likely to end badly. > > > > > > If you jump back into the system firmware, sure. > > > > > > But the point I was trying to make is that you can replace that > > > with your own minimal implementation of EFI that just exposes a > > > memory map and some protocols and nothing else, and then the > > > secure launch kernel would be entirely in charge of the execution > > > environment. > > > > We can't just replace system firmware with an imitation of the same > > - for instance, configuring the cold boot prevention memory > > overwrite requires us to pass a variable through to the real > > firmware, and that's something that we do in the stub. > > > > But these are exactly the kinds of things the secure launch kernel > wants to be made aware of, no? The secure launch kernel could just > MITM the calls that it chooses to allow, and serve other calls > itself. The problem would become that the MITM firmware has to be evolved in lockstep with the boot stub. The problem isn't really a point in time, figure out what config the boot stub extracts from EFI now and measure it, it's an ongoing one: given an evolving kernel and UEFI subsystem means that over time what configuration the kernel extracts from EFI changes, how do we make sure it's all correctly measured before secure launch? If the MITM doesn't support a capability a newer kernel acquires, that MITM must fail secure launch ... which becomes a nightmare for the user. One possibility might be that the MITM actually does nothing at all except record Boot Service requests and responses up to exit boot services (EBS). We could call that record the boot configuration and measure it, plus we could then intercept EBS, and do the DRTM secure launch to the return point. It's conceptually similar Matthew's idea of a callback except it won't require modification of the boot parameters. James