Received: by 2002:a05:7412:31a9:b0:e2:908c:2ebd with SMTP id et41csp3781862rdb; Thu, 14 Sep 2023 02:21:41 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGM+nDjwhTZjt7xza+sKB6use0PW4BfQCowKkBKm7ZhXHJ5t9K0sFubgYaiCgNbcI1wYI0I X-Received: by 2002:a05:6870:c091:b0:1c8:cf1b:feee with SMTP id c17-20020a056870c09100b001c8cf1bfeeemr5298091oad.13.1694683301664; Thu, 14 Sep 2023 02:21:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1694683301; cv=none; d=google.com; s=arc-20160816; b=CV/90jBlmYchhnW3m5oUnjUkj6jTrs86LKwVeZyZnTwj1H88HnmPQT7MB6dJVNhnWF K/MXih1r2nLtL/2i0BRPGKQwtOd5RA/m7mD0+b2BEmyHa/BeOeaFYAUbEr+lLwChJUTH 0h9lhxk5f5EU9YwqSjwe4VpnjpSmiP9mJo6pLPJRwt36V0uHvCF5aSwNECADF55KpmJB pkykDNTcQlDRlt2iJHqPsM46+quGJnsgvWajJ9Ds4VQ3GKXW9F/7XJXukM7gk1DQ8U7v 2rOdT2VpIKyUBZZaGNIiK8hYrr8wy6xCK881T39TLHpGDV4vHbpcTU5QZOn4F6wvNV/C KYog== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=TH9nzVKFengInf00HgorRWOyLiBe4CPaUuITCy1UzEc=; fh=k9Jnmg1POdUP0inSLVYlUowlblJtPtEUczA1KKJfRMg=; b=cuIdog0z3+W1wGV5ojbMxUA1GCIBqdgHtk+jYMYFPY+b4Syyz9IiFLZjKs6AY9aEes UrBZTGhemuptzD1FKnIWpffTukjbl3N9s3+y1ZeQ/Sx6p78psi49JZzfJChjdBdXJoIb nk3oh0Tzlj+h+XUWdlCbPOSFoTpMdJbz0/9cRmNW2B+cYNHEpOvYFlHIqAIFF20R5Vcq zGa7bQ+ty1tCt4VIyldWob3o11aEGX0Jv/dWv/02NCvINd95tqtM3yy7cKdW2ndowly7 uH7aEvLMBc6g9lf5XMefAQRvQbnflDl0hbAIhsRNlzucuEVKya9iMPTJh6YQ97b9MGoM MJqQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from snail.vger.email (snail.vger.email. [23.128.96.37]) by mx.google.com with ESMTPS id n25-20020a637219000000b0056c297d163asi1115242pgc.523.2023.09.14.02.21.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 14 Sep 2023 02:21:41 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) client-ip=23.128.96.37; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by snail.vger.email (Postfix) with ESMTP id 4728F82AE2F1; Thu, 14 Sep 2023 02:11:45 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at snail.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236571AbjINJLq (ORCPT + 99 others); Thu, 14 Sep 2023 05:11:46 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54086 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236701AbjINJL0 (ORCPT ); Thu, 14 Sep 2023 05:11:26 -0400 Received: from gardel.0pointer.net (gardel.0pointer.net [85.214.157.71]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3E0471BF9; Thu, 14 Sep 2023 02:11:10 -0700 (PDT) Received: from gardel-login.0pointer.net (gardel-mail [IPv6:2a01:238:43ed:c300:10c3:bcf3:3266:da74]) by gardel.0pointer.net (Postfix) with ESMTP id 41459E801F5; Thu, 14 Sep 2023 11:11:09 +0200 (CEST) Received: by gardel-login.0pointer.net (Postfix, from userid 1000) id C9E14160258; Thu, 14 Sep 2023 11:11:08 +0200 (CEST) Date: Thu, 14 Sep 2023 11:11:08 +0200 From: Lennart Poettering To: Jarkko Sakkinen Cc: Jan Hendrik Farr , linux-kernel@vger.kernel.org, kexec@lists.infradead.org, x86@kernel.org, tglx@linutronix.de, dhowells@redhat.com, vgoyal@redhat.com, keyrings@vger.kernel.org, akpm@linux-foundation.org, Baoquan He , bhelgaas@google.com, Luca Boccassi Subject: Re: [PATCH 0/1] x86/kexec: UKI support Message-ID: References: <20230909161851.223627-1-kernel@jfarr.cc> <1d974586-1bf7-42e8-9dae-e5e41a3dbc9f@app.fastmail.com> <9580df76-c143-4077-8a39-b1fcc0ed37bd@app.fastmail.com> <5a67051d-eb21-4a96-acc4-40f829a59e23@app.fastmail.com> <1c342231-7672-450e-b945-e57cd17b4ae7@app.fastmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]); Thu, 14 Sep 2023 02:11:45 -0700 (PDT) On Mi, 13.09.23 17:45, Jarkko Sakkinen (jarkko@kernel.org) wrote: > On Tue Sep 12, 2023 at 11:49 PM EEST, Jan Hendrik Farr wrote: > > > > > These are sort of "tautological" arguments. There must be some > > > objective reasons why this architecture was chosen instead of > > > other (i.e. using what already pre-exists). > > > > I think I misunderstood you in my earlier reply. I do not understand > > in what way you think my arguments are tautological. Can you > > elaborate? > > current Linux kernel has these features *already* in > place: > > 1. CONFIG_EFI_STUB > 2. CONFIG_CMDLINE > 3. CONFIG_INITRAMFS_SOURCE > 4. Secure boot with MOK keys and .machine keyring to manage them. > > Given that every single feature in IKU does exists in some form > in the Linux kernel, I think it is fair to ask why scrape away > this all existing science and reinvent the wheel? Nah, systemd-stub does considerably more than what you list above. 1. It measures the components of the UKI separately into PCR 11, 12, 13, which makes the mesaurements predictable, and allows vendors to provide a signed PCR policy with can be used to unlock TPM2 secrets that ause a PolicyAuthorize policy. This is a fundamental improvement over mechanisms that bind to literal PCR values, since the "brittleness" goes away. 2. That said signed PCR policy is included in the UKI in another PE section, that is made available to userspace. 3. If you like it brings a boot splash to screen before passing control off to the kernel, which is also contained 4. It can contain a devicetree blob, which it will setup for the kernel it spawns 5. There's a random seed maintained by systemd-stub in the ESP that is updated and passed to the kernel, which includes in in the pool. 6. It picks up "credentials" (which are TPM protected, encrypted, authenticated supported by systemd) that can be used to securely parameterize the invoked system from the backing fs (i.e. the ESP). Similar it can pick up sysext images (which is another systemd thing, i.e. dm-verity protected, signed disk images which can extend the initrd and the host, by being overlayed on /usr). 7. It picks up "add-ons" -- which are PE binaries that actually contain no code, but are SecureBoot signed/shim signed "mules" for carrying addition kernel cmdlines, devictree blobs (and maybe in future initrds) that allow some form of modularity in the UKI model. And there's more. This is just off the top of my head. Now, I can totally see you personally might not need any of this stuff, fine, but a claim that this stuff is redundant is just bogus. Afaics all big distributions are preparing to providing UKIs soonishly. It would be fantastic if kexec would just work with this too, and the dissection would be done on the kernel side instead of userspace. Lennart -- Lennart Poettering, Berlin