On 3/26/20 4:54 PM, Matthew Garrett wrote: > On Thu, Mar 26, 2020 at 1:50 PM Daniel P. Smith > <dpsmith@xxxxxxxxxxxxxxxxxxxx> wrote: >> It is not part of the EFI entry point as we are not entering the kernel >> from EFI but I will address that further in my response to Andy. The >> expectation is that if you are on an UEFI platform then EBS should have >> already been called. > > Ok. In that case should the EFI boot stub optionally be calling this > instead of startup_32? > >> With respect to using the firmware's TPM code, one >> of the purposes of a TCG Dynamic Launch is to remove the firmware from >> the code being trusted in making the integrity measurement of the >> kernel. I trust the firmware to initialize the hardware because I have >> to and it does give a trust chain, aka the SRTM, that can attest to what >> was used during that process. When the OS kernel is being started that >> trust chain has become weak (or even broken). I want a new trust chain >> that can provide better footing for asserting the integrity of the >> kernel and this is what Dynamic Launch gives us. I would like to think I >> did a fair job explaining this at LSS last fall[1][2] and would >> recommend those that are curious to review the slides/watch the >> presentation. > > PCs depend on the availability of EFI runtime services - it's not > possible to just assert that they're untrusted and so unsupported. The > TPM code is part of boot services which (based on your design) are > unavailable at this point, so I agree that you need your own > implementation. > I appreciate this has been a heated area of debate, but with all due respect that might be a slight over statement w.r.t. dependency on runtime services and not what I was saying about the trustworthiness of UEFI. If I have a UEFI platform, I trust EFI to boot the system but that does not mean I have to trust it to measure my OS kernel or manage the running system. Secure Launch provides a means to start a measurement trust chain starting with CPU taking the first measurement and then I can do things like disabling runtime services in the kernel or do crazy things like using the dynamic launch to switch to a minimal temporary kernel that can do high trust operations such as interfacing with entities outside your trust boundary, e.g. runtime services. Please understand I really do not want my own implementation. I tried to see if we could just #include in the minimal needed parts from the in-tree TPM driver but could not find a clean way to do so. Perhaps there might be a future opportunity to collaborate with the TPM driver maintainers to refactor in a way that we can just reuse instead of reimplement.
