linux-efi.vger.kernel.org archive mirror
* [RFC PATCH 0/7] efi/libstub: measurement of initrd data loaded by the EFI stub
@ 2020-11-02 17:06 Ard Biesheuvel
From: Ard Biesheuvel @ 2020-11-02 17:06 UTC (permalink / raw)
  To: linux-efi
  Cc: Ard Biesheuvel, Peter Jones, Leif Lindholm, Arvind Sankar,
	Matthew Garrett, Daniel Kiper, Ilias Apalodimas

This series enables measurement of the initrd data loaded directly by the
EFI stub into the TPM, using the TCG2 protocol exposed by the firmware (if
available). This ensures that the initrd observed and used by the OS is the
same one that got measured into the TPM, which is more difficult to guarantee
in the current situation.

This is posted as an RFC since it is mostly an invitation to discuss how
we can fit this into a longer term strategy for arch-agnostic secure and
measured boot that does not hinge on the Shim+GRUB tandem, or on deep
knowledge on the part of the bootloader regarding device trees, bootparams
structs, allocation and placement policies of various artifacts, etc.

Open questions:
- Should we do this?
- Are Linux systems in the field using PCR value prediction when updating the
  initrd? Does this approach interfere with that?
- Which PCR and event type to use?
- Is a separator event needed here, given that the initrd measurement is
  recorded even if no initrd was loaded by the stub?

Note that the EFI stub ignores the initrd provided directly via bootparams or
the device tree, and it would be nice if we could keep doing that.

Build tested only.

Cc: Peter Jones <pjones@redhat.com>
Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Arvind Sankar <nivedita@alum.mit.edu>
Cc: Matthew Garrett <mjg59@google.com>
Cc: Daniel Kiper <daniel.kiper@oracle.com>
Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>

Ard Biesheuvel (7):
  efi/libstub: whitespace cleanup
  efi/libstub: fix prototype of efi_tcg2_protocol::get_event_log()
  efi/libstub: x86/mixed: increase supported argument count
  efi/libstub: move TPM related prototypes into efistub.h
  efi/libstub: add prototype of
    efi_tcg2_protocol::hash_log_extend_event()
  efi/libstub: consolidate initrd handling across architectures
  efi/libstub: measure loaded initrd info into the TPM

 arch/x86/boot/compressed/efi_thunk_64.S       | 17 ++++--
 arch/x86/include/asm/efi.h                    | 13 +++--
 arch/x86/platform/efi/efi_thunk_64.S          | 17 ++++--
 .../firmware/efi/libstub/efi-stub-helper.c    | 56 +++++++++++++++----
 drivers/firmware/efi/libstub/efi-stub.c       | 10 +---
 drivers/firmware/efi/libstub/efistub.h        | 34 ++++++++++-
 drivers/firmware/efi/libstub/x86-stub.c       | 26 ++++-----
 include/linux/efi.h                           | 13 +----
 8 files changed, 123 insertions(+), 63 deletions(-)

-- 
2.17.1
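
The two questions the cover letter raises, whether an update tool can still predict the post-reboot PCR value and whether a separator event changes that, both come down to the TPM extend rule PCR_new = H(PCR_old || digest). The block below is an added example, not code from this series or from the kernel: it replays a constructed event log the way a verifier or a PCR-prediction tool would, and checks the property the series is after, that the initrd the OS sees is the one whose digest is in the log. Everything not stated in the message is an assumption and is labelled as such in the code: the SHA-256 PCR bank, PCR 9 as the target, the four-zero-byte TCG separator, and the sample initrd contents.

```python
"""Predict and check the TPM PCR value an initrd measurement produces.

Added example, not code from this series or the kernel. Assumptions, labelled
inline: the SHA-256 PCR bank, PCR 9 as the target PCR, a four-zero-byte
separator event, and constructed initrd contents.
"""
import hashlib
from typing import Dict, List, Tuple

# A PCR in the SHA-256 bank holds 32 zero bytes after a TPM reset.
PCR_RESET = bytes(32)
# Assumption for this example only: the initrd goes into PCR 9. The RFC
# leaves the PCR index and event type as open questions.
INITRD_PCR = 9
# TCG separator event data: the four-byte value 0x00000000.
SEPARATOR_DATA = b"\x00\x00\x00\x00"

# One event-log entry: (PCR index, digest that was extended into it).
Event = Tuple[int, bytes]


def measure(data: bytes) -> bytes:
    """Digest of the measured object, as the stub would hand it to the TPM."""
    return hashlib.sha256(data).digest()


def extend(pcr_value: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend rule for one bank: PCR_new = H(PCR_old || digest)."""
    return hashlib.sha256(pcr_value + digest).digest()


def stub_measurements(initrd: bytes, with_separator: bool) -> List[Event]:
    """Events a stub that measures the initrd would log for one boot.

    Constructed to mirror the RFC's description; the separator is optional
    because the RFC asks whether one is needed at all.
    """
    events = [(INITRD_PCR, measure(initrd))]
    if with_separator:
        events.append((INITRD_PCR, measure(SEPARATOR_DATA)))
    return events


def replay(events: List[Event]) -> Dict[int, bytes]:
    """Replay an event log from reset state.

    This is what a verifier does to check a quoted PCR, and what an update
    tool does to predict the post-reboot PCR before it reseals a secret.
    """
    pcrs: Dict[int, bytes] = {}
    for index, digest in events:
        pcrs[index] = extend(pcrs.get(index, PCR_RESET), digest)
    return pcrs


def predicted_initrd_pcr(initrd: bytes, with_separator: bool = False) -> bytes:
    """Predict the PCR an update tool should seal against for this initrd."""
    return replay(stub_measurements(initrd, with_separator))[INITRD_PCR]


def initrd_matches_log(events: List[Event], initrd_seen_by_os: bytes) -> bool:
    """The property the RFC is after: the initrd the OS runs is the one logged.

    Comparing the OS-visible initrd against the logged digest detects a
    loader that measured one image and handed the kernel another.
    """
    return any(index == INITRD_PCR and digest == measure(initrd_seen_by_os)
               for index, digest in events)


# Constructed sample images; a real initrd is a (compressed) cpio archive.
OLD_INITRD = b"070701" + b"old-initrd" * 64
NEW_INITRD = b"070701" + b"new-initrd" * 64

if __name__ == "__main__":
    log = stub_measurements(OLD_INITRD, with_separator=False)
    print("PCR%d, old initrd: %s" % (INITRD_PCR, predicted_initrd_pcr(OLD_INITRD).hex()))
    print("PCR%d, new initrd: %s" % (INITRD_PCR, predicted_initrd_pcr(NEW_INITRD).hex()))
    print("with separator:    %s" % predicted_initrd_pcr(OLD_INITRD, True).hex())
    print("OS initrd matches log:", initrd_matches_log(log, OLD_INITRD))
    print("swapped initrd matches log:", initrd_matches_log(log, NEW_INITRD))
```

Because extend is deterministic, prediction keeps working after this change as long as the update tool knows the PCR, the event order and whether a separator follows: the separator variant yields a different final value, which is exactly why the cover letter asks about it. The match check is the OS-side half of the story; the log alone proves what the firmware measured, not what the kernel was given.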




Thread overview: 17+ messages
2020-11-02 17:06 [RFC PATCH 0/7] efi/libstub: measurement of initrd data loaded by the EFI stub Ard Biesheuvel
2020-11-02 17:06 ` [RFC PATCH 1/7] efi/libstub: whitespace cleanup Ard Biesheuvel
2020-11-02 17:06 ` [RFC PATCH 2/7] efi/libstub: fix prototype of efi_tcg2_protocol::get_event_log() Ard Biesheuvel
2020-11-02 17:06 ` [RFC PATCH 3/7] efi/libstub: x86/mixed: increase supported argument count Ard Biesheuvel
2020-11-02 17:06 ` [RFC PATCH 4/7] efi/libstub: move TPM related prototypes into efistub.h Ard Biesheuvel
2020-11-02 17:06 ` [RFC PATCH 5/7] efi/libstub: add prototype of efi_tcg2_protocol::hash_log_extend_event() Ard Biesheuvel
2020-11-02 17:06 ` [RFC PATCH 6/7] efi/libstub: consolidate initrd handling across architectures Ard Biesheuvel
2020-11-02 17:06 ` [RFC PATCH 7/7] efi/libstub: measure loaded initrd info into the TPM Ard Biesheuvel
2020-11-03 21:45   ` James Bottomley
2020-11-02 19:39 ` [RFC PATCH 0/7] efi/libstub: measurement of initrd data loaded by the EFI stub Matthew Garrett
2020-11-02 20:24   ` Ard Biesheuvel
2020-11-02 20:26     ` Matthew Garrett
2020-11-03 21:37       ` James Bottomley
2020-11-03 22:29   ` James Bottomley
2020-11-03  5:51 ` Ilias Apalodimas
2020-11-03  8:18   ` Ard Biesheuvel
2020-11-03 21:22 ` James Bottomley
