Received: by 2002:a05:7412:31a9:b0:e2:908c:2ebd with SMTP id et41csp3862159rdb; Thu, 14 Sep 2023 05:13:24 -0700 (PDT) X-Google-Smtp-Source: AGHT+IF/dBSGjIB4kR8RQCW3jnYOFrfCUwu0SEZteECLc4KpmUbuw8qRdKddVAhvO4h1gVH6arfW X-Received: by 2002:a05:6a00:3688:b0:68c:59cb:2dd9 with SMTP id dw8-20020a056a00368800b0068c59cb2dd9mr2643620pfb.1.1694693603721; Thu, 14 Sep 2023 05:13:23 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1694693603; cv=none; d=google.com; s=arc-20160816; b=tJdqFgR6Zccbl4xgkN4oZPRdSH+Ikl0qWJm7F0AJg2dWWG8fslyTtBDJQu+RcPvJkI AAauoWRLM4a6DGulRRyMGwdXTWpQIL/q0OU6wuqxuchiHustTXdIAg1P2hqNIvrOiV+H HCZUagqA7GhYhH0MlA+7CST/VpYfrLw6NYNWU8q3nFlDY1QeIzTeGvTaohvcyIdtDMnD /NPxQu/PdvGxiTpnpfqkk/zv9XFMiKFSCtxykjgp5PCJh/pogS6lsR55JBXwFqMyp3Ng /RcfdNSYds1sejaiv+Vgjz91fYhCos7wgb/HSXnUlXlH7mQJ8DT5ltRRwPw8An/eBIat povg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:references:to:from:subject:cc :message-id:date:content-transfer-encoding:mime-version :dkim-signature; bh=Mx/UqbwM1g7p/jhYBaLNlh8ItorHRZYjQoquVavmH9k=; fh=Nc/rydUHW+9f21WOOX8ddr9Tp8RByYvnPBNHf3faR8E=; b=KjWc03kgxCI+QAGX6aVN7Dfmtcdchf7gjNHYTXZfbaR4EvzJ6l6wJpQO0vnlVpBRHe GlX/s2vdrpjZZ0Hsjol9Yavrr8e4TBsuoDN8oSou96a+pnoDSLTIqeOlLJvzmNUHBRZB ZFi7PNTcp/gIYUjZzdejdEDmVgTm5k5YhJqkTKxyAmoWU20cLly6YKxtYQ3hYlECx8og ODWOpbSKus2H5KmvoS7wblzaLwhXtPnpYR0qBc7291y3r6ukYxLZYLSWulRH7yhKCko8 SfffQfl5ZmSy5X7aGvSD5llW9eqeZhXNdRps3Z1OcPoqQxduv9vtQkb3bTt2PbQV3bt+ qcrg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=a4EmMNTf; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from pete.vger.email (pete.vger.email. [23.128.96.36]) by mx.google.com with ESMTPS id d15-20020a056a00198f00b0068ff3a3c9d0si1557156pfl.91.2023.09.14.05.13.23 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 14 Sep 2023 05:13:23 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) client-ip=23.128.96.36; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=a4EmMNTf; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by pete.vger.email (Postfix) with ESMTP id D0DF881C46D2; Thu, 14 Sep 2023 05:13:19 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at pete.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238359AbjINMNI (ORCPT + 99 others); Thu, 14 Sep 2023 08:13:08 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50968 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238119AbjINMNH (ORCPT ); Thu, 14 Sep 2023 08:13:07 -0400 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 144971BF4; Thu, 14 Sep 2023 05:13:03 -0700 (PDT) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 309EBC433C7; Thu, 14 Sep 2023 12:13:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1694693582; bh=RrzfH6UbrmAt6KmTCe5UqLl8JJkSJQZSUuFTonNvkh0=; h=Date:Cc:Subject:From:To:References:In-Reply-To:From; b=a4EmMNTfKpEzhz1VhakLJKRSXwaOcGp5rkN8Tpc5zNgAehu5Ty7hucgLpUnLaYAA6 IBT92FOnlRCVlF1wTIj7LdXT4xP3+PtQtFCrI9P0mTiCPC2ILho8tuis4hJfasnp/o sCx6Sw0X4L5+fLOXMwNqTUolLgyudgo+U0WjvIgjP9n6sw1hu+RVbibennJnhRDwEv l0NsBphimJ48ny85AsQfGMoMmDC3UdxoLgAsxVoulSeNsKgWj3e2F2jQx0kdRV2x9Z /iAVk1TQPFKnuy6/JSR9GH6mQO2vFSWLHdNwL2xBpjEAPtRcVZ2ZQQThgh3gVR1RFv Xzj81y4MchDTw== Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=UTF-8 Date: Thu, 14 Sep 2023 15:12:58 +0300 Message-Id: Cc: "Jan Hendrik Farr" , , , , , , , , , "Baoquan He" , , "Luca Boccassi" Subject: Re: [PATCH 0/1] x86/kexec: UKI support From: "Jarkko Sakkinen" To: "Lennart Poettering" X-Mailer: aerc 0.14.0 References: <20230909161851.223627-1-kernel@jfarr.cc> <1d974586-1bf7-42e8-9dae-e5e41a3dbc9f@app.fastmail.com> <9580df76-c143-4077-8a39-b1fcc0ed37bd@app.fastmail.com> <5a67051d-eb21-4a96-acc4-40f829a59e23@app.fastmail.com> <1c342231-7672-450e-b945-e57cd17b4ae7@app.fastmail.com> In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (pete.vger.email [0.0.0.0]); Thu, 14 Sep 2023 05:13:20 -0700 (PDT) X-Spam-Status: No, score=-1.2 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on pete.vger.email On Thu Sep 14, 2023 at 12:11 PM EEST, Lennart Poettering wrote: > On Mi, 13.09.23 17:45, Jarkko Sakkinen (jarkko@kernel.org) wrote: > > > On Tue Sep 12, 2023 at 11:49 PM EEST, Jan Hendrik Farr wrote: > > > > > > > These are sort of "tautological" arguments. There must be some > > > > objective reasons why this architecture was chosen instead of > > > > other (i.e. using what already pre-exists). > > > > > > I think I misunderstood you in my earlier reply. I do not understand > > > in what way you think my arguments are tautological. Can you > > > elaborate? > > > > current Linux kernel has these features *already* in > > place: > > > > 1. CONFIG_EFI_STUB > > 2. CONFIG_CMDLINE > > 3. CONFIG_INITRAMFS_SOURCE > > 4. Secure boot with MOK keys and .machine keyring to manage them. > > > > Given that every single feature in IKU does exists in some form > > in the Linux kernel, I think it is fair to ask why scrape away > > this all existing science and reinvent the wheel? > > Nah, systemd-stub does considerably more than what you list above. > > 1. It measures the components of the UKI separately into PCR 11, 12, > 13, which makes the mesaurements predictable, and allows vendors to > provide a signed PCR policy with can be used to unlock TPM2 secrets > that ause a PolicyAuthorize policy. This is a fundamental > improvement over mechanisms that bind to literal PCR values, since > the "brittleness" goes away. I guess this is an appropriate reference: https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/ I quickly checked what sort of use cases we have for PCRs in the kernel. I could spot one: https://www.kernel.org/doc/html/v6.5/security/keys/trusted-encrypted.html Generally, my only concern here is potential conflicts with user space extending the same PCRs as systemd does. Since this all is only used for boot phase I guess this should not be an issue, right? > 2. That said signed PCR policy is included in the UKI in another PE > section, that is made available to userspace. > 3. If you like it brings a boot splash to screen before passing > control off to the kernel, which is also contained > 4. It can contain a devicetree blob, which it will setup for the > kernel it spawns > 5. There's a random seed maintained by systemd-stub in the ESP that is > updated and passed to the kernel, which includes in in the pool. > 6. It picks up "credentials" (which are TPM protected, encrypted, > authenticated supported by systemd) that can be used to securely > parameterize the invoked system from the backing fs (i.e. the > ESP). Similar it can pick up sysext images (which is another > systemd thing, i.e. dm-verity protected, signed disk images which > can extend the initrd and the host, by being overlayed on /usr). > 7. It picks up "add-ons" -- which are PE binaries that actually contain > no code, but are SecureBoot signed/shim signed "mules" for carrying > addition kernel cmdlines, devictree blobs (and maybe in future > initrds) that allow some form of modularity in the UKI model. > > And there's more. This is just off the top of my head. > > Now, I can totally see you personally might not need any of this > stuff, fine, but a claim that this stuff is redundant is just bogus. Backing story was missing completely. Please add this reasoning to the patch set in some form (cover letter and possibly some patch descriptions). It is bogus without proper context, which is totally different than my personal use. The response that I received was more related to personal use. It took quite many emails to learn about PCR usage. IMHO that should have been told here so that we can then e.g. inspect possible conflicts etc. > Afaics all big distributions are preparing to providing UKIs > soonishly. It would be fantastic if kexec would just work with this > too, and the dissection would be done on the kernel side instead of > userspace. I don't see any existential reasons anymore not to include this to the mainline but it takes what it takes in terms of time span of course. > > Lennart > > -- > Lennart Poettering, Berlin BR, Jarkko