Re: Grub menu with 3 kernels by default

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Oct 06, 2022 at 01:22:01PM -0400, Robbie Harwood wrote:
> Daniel P. Berrangé <berrange@xxxxxxxxxx> writes:
> 
> > We need PCRs to cover at minimum
> >
> >   1. Machine firmware
> >   2. Bootloader(s)
> >   3. Bootloader configuration
> >   4. Booted kernel
> >   5. Booted initrd
> >   6. Booted cmdline
> 
> > Item 5 and 6 are a problem, because as mentioned thse are not signed
> > by the OS vendor with their secureboot key. The PCRs reflect their
> > contents, but the expected PCR digests will change any time the
> > initrd/cmdline are updated, meaning the LUKS keys needs to be
> > re-sealed. One practical approach to this problem is to use 
> > prebuilt unified kernel images, such that the OS vendor's secureboot
> > signature covers the kernel,initrd and cmdline. Verification now
> > merely involves checking the PCR for SecureBOot state. The flipside
> > is that we loose flexibility that exists today with per-host
> > generated initrd/cmdline. This may matter for some scenarios (bare
> > metal) but not for others (most VMs).
> 
> This isn't a grub2 specific problem, but yes - we've discussed how to
> accomplih signing initrd/cmdline on calls with you before.

Agreed, I just included this to illustrate the overall big picture,
not saying this part is grub's problem.

> > Item 3 is a problem. Grub is highly configurable, via grub.conf, and
> > its contents are tuned for each install.
> >
> > This is a really challenging eventlog when trying to validate the PCR
> > state is matching some expected "known good" state. Given a single
> > grub.conf, you get both a huge number of entries for every boot, plus
> > a combinatorial expansion of possible entries that would be considered
> > valid for a given install over time as kernels and/or grub itself are
> > updated. A tiny change to the way grub2-mkconfig could result in a
> > very different PCR eventlog, but which is semantically identical to
> > what came before.
> >
> > Thus any attempt to validate the the grub.conf PCR eventlog, as it
> > exists in typical distro deployments today, is going to be both
> > complex and fragile, which is a bad combination.
> 
> But this is only a problem if you're assuming grub2-mkconfig is
> nondeterministic, which just isn't the case.  I'll grant that the event
> log isn't terse, but what's valid isn't be hard to precompute.  On
> generally identical systems, what will differ is uuids and partition
> numbers... which is important information to have logged for booting
> because it's part of recording *what* was booted.

It is a problem of complexity. On the one side there's a setup where
you can pre-compute the PCR state once, and it applies to all instances.
On the other side there's a setup where it is neccessary to look at the
config to decide where all the instance specific variable data is. If
the goal is to always use pre-compute valid data on the attestation
service side, it is requried to update it prior to booting any new
instance. If the attestation service can be intelligent, it has to
be able compute the eventlog against templates with the instance
specific pieces masked. Either way is significantly complex, hence
the desire to identify a way to eliminate any instance specific
variation.

> Glibly, if you don't want a config change, don't run grub2-mkconfig :)

It isn't solely about predictability within a single install, but
about handling validation across a varity of installs running different
distros/releases.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux