On Mon, 2020-11-02 at 18:06 +0100, Ard Biesheuvel wrote: > This series enables measurement of the initrd data loaded directly by > the EFI stub into the TPM, using the TCG2 protocol exposed by the > firmware (if available). This ensures that the initrd observed and > used by the OS is the same one that got measured into the TPM, which > is more difficult to guarantee in the current situation. > > This is posted as an RFC since it is mostly an invitation to discuss > how we can fit this into a longer term strategy for arch-agnostic > secure and measured boot that does not hinge on the Shim+GRUB tandem, > or on deep knowledge on the part of the bootloader regarding device > trees, bootparams structs, allocation and placement policies of > various artifacts etc etc For background: IBM research is currently working with the Keylime people to get a boot log attestation service for both the cloud and less hyperscale instances. As part of this we're currently working through what the linux boot system (shim + grub + kernel) currently logs today and how useful it actually is to a security enforcing attestation system ... as in do we log useful stuff you can actually make decisions on once we've used the TPM based attestation to verify the correctness of the entire log. > Open questions: > - Should we do this? Well, if you're going to essentially replicate the log events shim and grub currently do, we should really define what we want to go in there. At the moment shim logs mostly with events that are defined in the UEFI spec and grub uses EV_IPL with the contents changing meaning depending on which PCR is being logged through. Shim also is a bit non-standard in that it logs the Mok variables with EV_IPL events as well. > - Are Linux systems in the field using PCR value prediction when > updating the initrd? Does this approach interfere with that? So initrd is the nastiest piece of this because it changes any time anything is updated that triggers an initrd rebuild. Since it's an end to end hash of a cpio file with timestamps, the value is essentially meaningless because the timestamp updates cause it to change on every generation regardless of whether the contents actually changes. Ideally I'd like something that's more characteristic of "this is actually an initrd I created" than some random hash but it's very difficult to generate that securely. > - Which PCR and event type to use Grub logs data (commands and command lines) through PCR 8 with the hash being the hash of the event string. It logs binaries through PCR 9 with the event string being the root relative path and the hash value the end to end hash of the binary. I'm not necessarily a fan of this ... Microsoft uses opaque EV_EFI_TAG events instead. Grub also uses the shim lock protocol to check the kernel signature and that will log both an EV_EFI_BOOT_SERVICES_APPLICATION with a NULL path and EV_EFI_VARIABLE_AUTHORITY. > - Is a separator event needed here, given that the initrd measurement > is recorded even if no initrd was loaded by the stub? Neither grub nor shim currently record separators ... again it's an open question of whether they actually should. James > Note that the EFI stub ignores the initrd provided directly via > bootparams or the device tree, and it would be nice if we could keep > doing that. > > Build tested only. > > Cc: Peter Jones <pjones@xxxxxxxxxx> > Cc: Leif Lindholm <leif@xxxxxxxxxxxx> > Cc: Arvind Sankar <nivedita@xxxxxxxxxxxx> > Cc: Matthew Garrett <mjg59@xxxxxxxxxx> > Cc: Daniel Kiper <daniel.kiper@xxxxxxxxxx> > Cc: Ilias Apalodimas <ilias.apalodimas@xxxxxxxxxx> > > Ard Biesheuvel (7): > efi/libstub: whitespace cleanup > efi/libstub: fix prototype of efi_tcg2_protocol::get_event_log() > efi/libstub: x86/mixed: increase supported argument count > efi/libstub: move TPM related prototypes into efistub.h > efi/libstub: add prototype of > efi_tcg2_protocol::hash_log_extend_event() > efi/libstub: consolidate initrd handling across architectures > efi/libstub: measure loaded initrd info into the TPM > > arch/x86/boot/compressed/efi_thunk_64.S | 17 ++++-- > arch/x86/include/asm/efi.h | 13 +++-- > arch/x86/platform/efi/efi_thunk_64.S | 17 ++++-- > .../firmware/efi/libstub/efi-stub-helper.c | 56 +++++++++++++++ > ---- > drivers/firmware/efi/libstub/efi-stub.c | 10 +--- > drivers/firmware/efi/libstub/efistub.h | 34 ++++++++++- > drivers/firmware/efi/libstub/x86-stub.c | 26 ++++----- > include/linux/efi.h | 13 +---- > 8 files changed, 123 insertions(+), 63 deletions(-) >
