On Wed, Mar 25, 2020 at 1:29 PM Matthew Garrett <mjg59@xxxxxxxxxx> wrote: > > On Wed, Mar 25, 2020 at 12:43 PM Ross Philipson > <ross.philipson@xxxxxxxxxx> wrote: > > To enable the kernel to be launched by GETSEC or SKINIT, a stub must be > > built into the setup section of the compressed kernel to handle the > > specific state that the late launch process leaves the BSP. This is a > > lot like the EFI stub that is found in the same area. Also this stub > > must measure everything that is going to be used as early as possible. > > This stub code and subsequent code must also deal with the specific > > state that the late launch leaves the APs in. > > How does this integrate with the EFI entry point? That's the expected > entry point on most modern x86. What's calling ExitBootServices() in > this flow, and does the secure launch have to occur after it? It'd be > a lot easier if you could still use the firmware's TPM code rather > than carrying yet another copy. I was wondering why the bootloader was involved at all. In other words, could you instead hand off control to the kernel just like normal and have the kernel itself (in normal code, the EFI stub, or wherever it makes sense) do the DRTM launch all by itself? This would avoid needing to patch bootloaders, to implement this specially for QEMU -kernel, to get the exact right buy-in from all the cloud vendors, etc. It would also give you more flexibility to evolve exactly what configuration maps to exactly what PCRs in the future.