From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Ard Biesheuvel <ardb@kernel.org>, linux-efi@vger.kernel.org
Cc: Peter Jones <pjones@redhat.com>,
Leif Lindholm <leif@nuviainc.com>,
Arvind Sankar <nivedita@alum.mit.edu>,
Matthew Garrett <mjg59@google.com>,
Daniel Kiper <daniel.kiper@oracle.com>,
Ilias Apalodimas <ilias.apalodimas@linaro.org>
Subject: Re: [RFC PATCH 0/7] efi/libstub: measurement initrd data loaded by the EFI stub
Date: Tue, 03 Nov 2020 13:22:12 -0800 [thread overview]
Message-ID: <c84f8664b543d93a380d9710a653da5f99220f3b.camel@HansenPartnership.com> (raw)
In-Reply-To: <20201102170634.20575-1-ardb@kernel.org>
On Mon, 2020-11-02 at 18:06 +0100, Ard Biesheuvel wrote:
> This series enables measurement of the initrd data loaded directly by
> the EFI stub into the TPM, using the TCG2 protocol exposed by the
> firmware (if available). This ensures that the initrd observed and
> used by the OS is the same one that got measured into the TPM, which
> is more difficult to guarantee in the current situation.
>
> This is posted as an RFC since it is mostly an invitation to discuss
> how we can fit this into a longer term strategy for arch-agnostic
> secure and measured boot that does not hinge on the Shim+GRUB tandem,
> or on deep knowledge on the part of the bootloader regarding device
> trees, bootparams structs, allocation and placement policies of
> various artifacts etc etc
For background: IBM research is currently working with the Keylime
people to get a boot log attestation service for both the cloud and
less hyperscale instances. As part of this we're currently working
through what the linux boot system (shim + grub + kernel) currently
logs today and how useful it actually is to a security enforcing
attestation system ... as in do we log useful stuff you can actually
make decisions on once we've used the TPM based attestation to verify
the correctness of the entire log.
> Open questions:
> - Should we do this?
Well, if you're going to essentially replicate the log events shim and
grub currently do, we should really define what we want to go in there.
At the moment shim logs mostly with events that are defined in the UEFI
spec and grub uses EV_IPL with the contents changing meaning depending
on which PCR is being logged through. Shim also is a bit non-standard
in that it logs the Mok variables with EV_IPL events as well.
> - Are Linux systems in the field using PCR value prediction when
> updating the initrd? Does this approach interfere with that?
So initrd is the nastiest piece of this because it changes any time
anything is updated that triggers an initrd rebuild. Since it's an end
to end hash of a cpio file with timestamps, the value is essentially
meaningless because the timestamp updates cause it to change on every
generation regardless of whether the contents actually changes.
Ideally I'd like something that's more characteristic of "this is
actually an initrd I created" than some random hash but it's very
difficult to generate that securely.
> - Which PCR and event type to use
Grub logs data (commands and command lines) through PCR 8 with the hash
being the hash of the event string. It logs binaries through PCR 9
with the event string being the root relative path and the hash value
the end to end hash of the binary. I'm not necessarily a fan of this
... Microsoft uses opaque EV_EFI_TAG events instead.
Grub also uses the shim lock protocol to check the kernel signature and
that will log both an EV_EFI_BOOT_SERVICES_APPLICATION with a NULL path
and EV_EFI_VARIABLE_AUTHORITY.
> - Is a separator event needed here, given that the initrd measurement
> is recorded even if no initrd was loaded by the stub?
Neither grub nor shim currently record separators ... again it's an
open question of whether they actually should.
James
> Note that the EFI stub ignores the initrd provided directly via
> bootparams or the device tree, and it would be nice if we could keep
> doing that.
>
> Build tested only.
>
> Cc: Peter Jones <pjones@redhat.com>
> Cc: Leif Lindholm <leif@nuviainc.com>
> Cc: Arvind Sankar <nivedita@alum.mit.edu>
> Cc: Matthew Garrett <mjg59@google.com>
> Cc: Daniel Kiper <daniel.kiper@oracle.com>
> Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
>
> Ard Biesheuvel (7):
> efi/libstub: whitespace cleanup
> efi/libstub: fix prototype of efi_tcg2_protocol::get_event_log()
> efi/libstub: x86/mixed: increase supported argument count
> efi/libstub: move TPM related prototypes into efistub.h
> efi/libstub: add prototype of
> efi_tcg2_protocol::hash_log_extend_event()
> efi/libstub: consolidate initrd handling across architectures
> efi/libstub: measure loaded initrd info into the TPM
>
> arch/x86/boot/compressed/efi_thunk_64.S | 17 ++++--
> arch/x86/include/asm/efi.h | 13 +++--
> arch/x86/platform/efi/efi_thunk_64.S | 17 ++++--
> .../firmware/efi/libstub/efi-stub-helper.c | 56 +++++++++++++++
> ----
> drivers/firmware/efi/libstub/efi-stub.c | 10 +---
> drivers/firmware/efi/libstub/efistub.h | 34 ++++++++++-
> drivers/firmware/efi/libstub/x86-stub.c | 26 ++++-----
> include/linux/efi.h | 13 +----
> 8 files changed, 123 insertions(+), 63 deletions(-)
>
prev parent reply other threads:[~2020-11-03 21:28 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-02 17:06 [RFC PATCH 0/7] efi/libstub: measurement initrd data loaded by the EFI stub Ard Biesheuvel
2020-11-02 17:06 ` [RFC PATCH 1/7] efi/libstub: whitespace cleanup Ard Biesheuvel
2020-11-02 17:06 ` [RFC PATCH 2/7] efi/libstub: fix prototype of efi_tcg2_protocol::get_event_log() Ard Biesheuvel
2020-11-02 17:06 ` [RFC PATCH 3/7] efi/libstub: x86/mixed: increase supported argument count Ard Biesheuvel
2020-11-02 17:06 ` [RFC PATCH 4/7] efi/libstub: move TPM related prototypes into efistub.h Ard Biesheuvel
2020-11-02 17:06 ` [RFC PATCH 5/7] efi/libstub: add prototype of efi_tcg2_protocol::hash_log_extend_event() Ard Biesheuvel
2020-11-02 17:06 ` [RFC PATCH 6/7] efi/libstub: consolidate initrd handling across architectures Ard Biesheuvel
2020-11-02 17:06 ` [RFC PATCH 7/7] efi/libstub: measure loaded initrd info into the TPM Ard Biesheuvel
2020-11-03 21:45 ` James Bottomley
2020-11-02 19:39 ` [RFC PATCH 0/7] efi/libstub: measurement initrd data loaded by the EFI stub Matthew Garrett
2020-11-02 20:24 ` Ard Biesheuvel
2020-11-02 20:26 ` Matthew Garrett
2020-11-03 21:37 ` James Bottomley
2020-11-03 22:29 ` James Bottomley
2020-11-03 5:51 ` Ilias Apalodimas
2020-11-03 8:18 ` Ard Biesheuvel
2020-11-03 21:22 ` James Bottomley [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c84f8664b543d93a380d9710a653da5f99220f3b.camel@HansenPartnership.com \
--to=james.bottomley@hansenpartnership.com \
--cc=ardb@kernel.org \
--cc=daniel.kiper@oracle.com \
--cc=ilias.apalodimas@linaro.org \
--cc=leif@nuviainc.com \
--cc=linux-efi@vger.kernel.org \
--cc=mjg59@google.com \
--cc=nivedita@alum.mit.edu \
--cc=pjones@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).