Re: [RFC PATCH 00/12] x86: Trenchboot secure late launch Linux kernel support

From: "Daniel P. Smith" <dpsmith@apertussolutions.com>
To: Matthew Garrett <mjg59@google.com>
Cc: Ross Philipson <ross.philipson@oracle.com>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	the arch/x86 maintainers <x86@kernel.org>,
	linux-doc@vger.kernel.org, Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
	"H. Peter Anvin" <hpa@zytor.com>,
	trenchboot-devel@googlegroups.com
Subject: Re: [RFC PATCH 00/12] x86: Trenchboot secure late launch Linux kernel support
Date: Thu, 26 Mar 2020 18:37:20 -0400	[thread overview]
Message-ID: <8199b81d-7230-44d9-bddf-92af562fe6b1@apertussolutions.com> (raw)
In-Reply-To: <CACdnJusRATYv3Une5r14KHJVEg5COVW9B_BNViUXjavSxZ6d5A@mail.gmail.com>

On 3/26/20 4:54 PM, Matthew Garrett wrote:
> On Thu, Mar 26, 2020 at 1:50 PM Daniel P. Smith
> <dpsmith@apertussolutions.com> wrote:
>> It is not part of the EFI entry point as we are not entering the kernel
>> from EFI but I will address that further in my response to Andy. The
>> expectation is that if you are on an UEFI platform then EBS should have
>> already been called.
> 
> Ok. In that case should the EFI boot stub optionally be calling this
> instead of startup_32?
> 
>> With respect to using the firmware's TPM code, one
>> of the purposes of a TCG Dynamic Launch is to remove the firmware from
>> the code being trusted in making the integrity measurement of the
>> kernel. I trust the firmware to initialize the hardware because I have
>> to and it does give a trust chain, aka the SRTM, that can attest to what
>> was used during that process. When the OS kernel is being started that
>> trust chain has become weak (or even broken). I want a new trust chain
>> that can provide better footing for asserting the integrity of the
>> kernel and this is what Dynamic Launch gives us. I would like to think I
>> did a fair job explaining this at LSS last fall[1][2] and would
>> recommend those that are curious to review the slides/watch the
>> presentation.
> 
> PCs depend on the availability of EFI runtime services - it's not
> possible to just assert that they're untrusted and so unsupported. The
> TPM code is part of boot services which (based on your design) are
> unavailable at this point, so I agree that you need your own
> implementation.
> 

I appreciate this has been a heated area of debate, but with all due
respect that might be a slight over statement w.r.t. dependency on
runtime services and not what I was saying about the trustworthiness of
UEFI. If I have a UEFI platform, I trust EFI to boot the system but that
does not mean I have to trust it to measure my OS kernel or manage the
running system. Secure Launch provides a means to start a measurement
trust chain starting with CPU taking the first measurement and then I
can do things like disabling runtime services in the kernel or do crazy
things like using the dynamic launch to switch to a minimal temporary
kernel that can do high trust operations such as interfacing with
entities outside your trust boundary, e.g. runtime services.

Please understand I really do not want my own implementation. I tried to
see if we could just #include in the minimal needed parts from the
in-tree TPM driver but could not find a clean way to do so. Perhaps
there might be a future opportunity to collaborate with the TPM driver
maintainers to refactor in a way that we can just reuse instead of
reimplement.