On Wed, 2022-03-30 at 09:39 +0200, Ard Biesheuvel wrote: > On Wed, 30 Mar 2022 at 09:27, Matthew Garrett <mjg59@xxxxxxxxxxxxx> > wrote: > > On Wed, Mar 30, 2022 at 09:23:17AM +0200, Ard Biesheuvel wrote: > > > On Wed, 30 Mar 2022 at 09:19, Matthew Garrett < > > > mjg59@xxxxxxxxxxxxx> wrote: > > > > From a conceptual perspective we've thought of the EFI stub as > > > > being logically part of the bootloader rather than the early > > > > kernel, and the bootloader is a point where the line is drawn. > > > > My guy feeling is that jumping into the secure kernel > > > > environment before EBS has been called is likely to end badly. > > > > > > If you jump back into the system firmware, sure. > > > > > > But the point I was trying to make is that you can replace that > > > with your own minimal implementation of EFI that just exposes a > > > memory map and some protocols and nothing else, and then the > > > secure launch kernel would be entirely in charge of the execution > > > environment. > > > > We can't just replace system firmware with an imitation of the same > > - for instance, configuring the cold boot prevention memory > > overwrite requires us to pass a variable through to the real > > firmware, and that's something that we do in the stub. > > > > But these are exactly the kinds of things the secure launch kernel > wants to be made aware of, no? The secure launch kernel could just > MITM the calls that it chooses to allow, and serve other calls > itself. The problem would become that the MITM firmware has to be evolved in lockstep with the boot stub. The problem isn't really a point in time, figure out what config the boot stub extracts from EFI now and measure it, it's an ongoing one: given an evolving kernel and UEFI subsystem means that over time what configuration the kernel extracts from EFI changes, how do we make sure it's all correctly measured before secure launch? If the MITM doesn't support a capability a newer kernel acquires, that MITM must fail secure launch ... which becomes a nightmare for the user. One possibility might be that the MITM actually does nothing at all except record Boot Service requests and responses up to exit boot services (EBS). We could call that record the boot configuration and measure it, plus we could then intercept EBS, and do the DRTM secure launch to the return point. It's conceptually similar Matthew's idea of a callback except it won't require modification of the boot parameters. James
