[RFC PATCH 0/7] efi/libstub: measurement initrd data loaded by the EFI stub

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

This series enables measurement of the initrd data loaded directly by the
EFI stub into the TPM, using the TCG2 protocol exposed by the firmware (if
available). This ensures that the initrd observed and used by the OS is the
same one that got measured into the TPM, which is more difficult to guarantee
in the current situation.

This is posted as an RFC since it is mostly an invitation to discuss how
we can fit this into a longer term strategy for arch-agnostic secure and
measured boot that does not hinge on the Shim+GRUB tandem, or on deep
knowledge on the part of the bootloader regarding device trees, bootparams
structs, allocation and placement policies of various artifacts etc etc

Open questions:
- Should we do this?
- Are Linux systems in the field using PCR value prediction when updating the
  initrd? Does this approach interfere with that?
- Which PCR and event type to use
- Is a separator event needed here, given that the initrd measurement is
  recorded even if no initrd was loaded by the stub?

Note that the EFI stub ignores the initrd provided directly via bootparams or
the device tree, and it would be nice if we could keep doing that.

Build tested only.

Cc: Peter Jones <pjones@xxxxxxxxxx>
Cc: Leif Lindholm <leif@xxxxxxxxxxxx>
Cc: Arvind Sankar <nivedita@xxxxxxxxxxxx>
Cc: Matthew Garrett <mjg59@xxxxxxxxxx>
Cc: Daniel Kiper <daniel.kiper@xxxxxxxxxx>
Cc: Ilias Apalodimas <ilias.apalodimas@xxxxxxxxxx>

Ard Biesheuvel (7):
  efi/libstub: whitespace cleanup
  efi/libstub: fix prototype of efi_tcg2_protocol::get_event_log()
  efi/libstub: x86/mixed: increase supported argument count
  efi/libstub: move TPM related prototypes into efistub.h
  efi/libstub: add prototype of
    efi_tcg2_protocol::hash_log_extend_event()
  efi/libstub: consolidate initrd handling across architectures
  efi/libstub: measure loaded initrd info into the TPM

 arch/x86/boot/compressed/efi_thunk_64.S       | 17 ++++--
 arch/x86/include/asm/efi.h                    | 13 +++--
 arch/x86/platform/efi/efi_thunk_64.S          | 17 ++++--
 .../firmware/efi/libstub/efi-stub-helper.c    | 56 +++++++++++++++----
 drivers/firmware/efi/libstub/efi-stub.c       | 10 +---
 drivers/firmware/efi/libstub/efistub.h        | 34 ++++++++++-
 drivers/firmware/efi/libstub/x86-stub.c       | 26 ++++-----
 include/linux/efi.h                           | 13 +----
 8 files changed, 123 insertions(+), 63 deletions(-)

-- 
2.17.1
[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux