From: Matthew Garrett <mjg59@google.com>
To: Andy Lutomirski <luto@kernel.org>
Cc: Daniel Kiper <daniel.kiper@oracle.com>,
Ross Philipson <ross.philipson@oracle.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
"the arch/x86 maintainers" <x86@kernel.org>,
"open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
"Daniel P. Smith" <dpsmith@apertussolutions.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
"H. Peter Anvin" <hpa@zytor.com>,
trenchboot-devel@googlegroups.com,
Ard Biesheuvel <ardb@kernel.org>,
leif@nuviainc.com, eric.snowberg@oracle.com,
piotr.krol@3mdeb.com, krystian.hebel@3mdeb.com,
michal.zygowski@3mdeb.com,
James Bottomley <James.Bottomley@hansenpartnership.com>,
Andrew Cooper <andrew.cooper3@citrix.com>
Subject: Re: [RFC PATCH 00/12] x86: Trenchboot secure late launch Linux kernel support
Date: Thu, 26 Mar 2020 15:59:47 -0700 [thread overview]
Message-ID: <CACdnJuu9sqzUWjPJRPOY6pKDJxTqwwf6NQEWQewXtufPQHikOg@mail.gmail.com> (raw)
In-Reply-To: <CALCETrU4W7q=QyTX_iq_kN4nVK58WoOD0F_NBt7z8p7xiE7hfA@mail.gmail.com>
On Thu, Mar 26, 2020 at 3:52 PM Andy Lutomirski <luto@kernel.org> wrote:
>
> On Thu, Mar 26, 2020 at 2:28 PM Matthew Garrett <mjg59@google.com> wrote:
> > https://trustedcomputinggroup.org/wp-content/uploads/TCG_PlatformResetAttackMitigationSpecification_1.10_published.pdf
> > - you want to protect in-memory secrets from a physically present
> > attacker hitting the reset button, booting something else and just
> > dumping RAM. This is avoided by setting a variable at boot time (in
> > the boot stub), and then clearing it on reboot once the secrets have
> > been cleared from RAM. If the variable isn't cleared, the firmware
> > overwrites all RAM contents before booting anything else.
>
> I admit my information is rather dated, but I'm pretty sure that at
> least some and possibly all TXT implementations solve this more
> directly. In particular, as I understand it, when you TXT-launch
> anything, a nonvolatile flag in the chipset is set. On reboot, the
> chipset will not allow access to memory *at all* until an
> authenticated code module wipes memory and clears that flag.
Mm, yes, this one might be something we can just ignore in the TXT case.
> > When you say "re-launch", you mean perform a second secure launch? I
> > think that would work, as long as we could reconstruct an identical
> > state to ensure that the PCR17 values matched - and that seems like a
> > hard problem.
>
> Exactly. I would hope that performing a second secure launch would
> reproduce the same post-launch PCRs as the first launch. If the
> kernel were wise enough to record all PCR extensions, it could replay
> them.
That presumably depends on how much state is in the measured region -
we can't just measure the code in order to assert that we're secure.
> In any case, I'm kind of with Daniel here. We survived for quite a
> long time without EFI variables at all. The ability to write them is
> nice, and we certainly need some way, however awkward, to write them
> on rare occasions, but I don't think we really need painless runtime
> writes to EFI variables.
I'm fine with a solution that involves jumping through some hoops, but
it feels like simply supporting measuring and passing through the
runtime services would be fine - if you want to keep them outside the
TCB, build a kernel that doesn't have EFI runtime service support and
skip that measurement?
next prev parent reply other threads:[~2020-03-26 23:00 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-25 19:43 [RFC PATCH 00/12] x86: Trenchboot secure late launch Linux kernel support Ross Philipson
2020-03-25 19:43 ` [RFC PATCH 01/12] x86: Secure Launch Kconfig Ross Philipson
2020-03-26 18:06 ` Daniel Kiper
2020-03-26 19:42 ` Ross Philipson
2020-03-25 19:43 ` [RFC PATCH 02/12] x86: Secure Launch main header file Ross Philipson
2020-03-26 19:00 ` Daniel Kiper
2020-03-25 19:43 ` [RFC PATCH 03/12] x86: Add early SHA support for Secure Launch early measurements Ross Philipson
2020-03-26 3:44 ` Andy Lutomirski
2020-03-26 22:49 ` Daniel P. Smith
2020-03-25 19:43 ` [RFC PATCH 04/12] x86: Add early TPM TIS/CRB interface support for Secure Launch Ross Philipson
2020-03-25 19:43 ` [RFC PATCH 05/12] x86: Add early TPM1.2/TPM2.0 " Ross Philipson
2020-03-25 19:43 ` [RFC PATCH 06/12] x86: Add early general TPM " Ross Philipson
2020-03-25 19:43 ` [RFC PATCH 07/12] x86: Secure Launch kernel early boot stub Ross Philipson
2020-03-25 19:43 ` [RFC PATCH 08/12] x86: Secure Launch kernel late " Ross Philipson
2020-03-25 19:43 ` [RFC PATCH 09/12] x86: Secure Launch SMP bringup support Ross Philipson
2020-03-25 19:43 ` [RFC PATCH 10/12] x86: Secure Launch adding event log securityfs Ross Philipson
2020-03-25 20:21 ` Matthew Garrett
2020-03-25 21:43 ` Daniel P. Smith
2020-03-25 19:43 ` [RFC PATCH 11/12] kexec: Secure Launch kexec SEXIT support Ross Philipson
2020-03-25 19:43 ` [RFC PATCH 12/12] tpm: Allow locality 2 to be set when initializing the TPM for Secure Launch Ross Philipson
2020-03-25 20:29 ` [RFC PATCH 00/12] x86: Trenchboot secure late launch Linux kernel support Matthew Garrett
2020-03-25 22:51 ` Andy Lutomirski
2020-03-26 20:50 ` Daniel P. Smith
2020-03-26 23:13 ` Andy Lutomirski
2020-05-11 19:00 ` Daniel P. Smith
2020-03-26 13:40 ` Daniel Kiper
2020-03-26 20:19 ` Matthew Garrett
2020-03-26 20:33 ` Andy Lutomirski
2020-03-26 20:40 ` Matthew Garrett
2020-03-26 20:59 ` Daniel P. Smith
2020-03-26 21:07 ` Andy Lutomirski
2020-03-26 21:28 ` Matthew Garrett
2020-03-26 22:52 ` Andy Lutomirski
2020-03-26 22:59 ` Matthew Garrett [this message]
2020-03-26 23:04 ` Andy Lutomirski
2020-03-27 0:01 ` Daniel P. Smith
2020-03-26 23:50 ` Daniel P. Smith
2020-05-11 19:00 ` Daniel P. Smith
2020-03-26 20:50 ` Daniel P. Smith
2020-03-26 20:54 ` Matthew Garrett
2020-03-26 22:37 ` Daniel P. Smith
2020-03-26 22:41 ` Matthew Garrett
2020-03-26 23:55 ` Daniel P. Smith
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CACdnJuu9sqzUWjPJRPOY6pKDJxTqwwf6NQEWQewXtufPQHikOg@mail.gmail.com \
--to=mjg59@google.com \
--cc=James.Bottomley@hansenpartnership.com \
--cc=andrew.cooper3@citrix.com \
--cc=ardb@kernel.org \
--cc=bp@alien8.de \
--cc=daniel.kiper@oracle.com \
--cc=dpsmith@apertussolutions.com \
--cc=eric.snowberg@oracle.com \
--cc=hpa@zytor.com \
--cc=krystian.hebel@3mdeb.com \
--cc=leif@nuviainc.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=michal.zygowski@3mdeb.com \
--cc=mingo@redhat.com \
--cc=piotr.krol@3mdeb.com \
--cc=ross.philipson@oracle.com \
--cc=tglx@linutronix.de \
--cc=trenchboot-devel@googlegroups.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).