Re: Linux DRTM on UEFI platforms

On 7/5/22 20:03, Brendan Trotter wrote:
Hi,

Greetings!

Not sure why I got dropped from distro, but no worries.

On Wed, Jul 6, 2022 at 4:52 AM Daniel P. Smith
<dpsmith@xxxxxxxxxxxxxxxxxxxx> wrote:
On 6/10/22 12:40, Ard Biesheuvel wrote:
> On Thu, 19 May 2022 at 22:59,
To help provide clarity, consider the following flows for comparison,

Normal/existing efi-stub:
   EFI -> efi-stub -> head_64.S

Proposed secure launch:
   EFI -> efi-stub -> dl-handler -> [cpu] -> sl_stub ->head_64.S

For more clarity; the entire point is to ensure that the kernel only
has to trust itself and the CPU/TPM hardware (and does not have to
trust a potentially malicious boot loader). Any attempt to avoid a
one-off solution for Linux is an attempt to weaken security.

Please elaborate so I might understand how this entrypoint allows for the kernel to only trust itself and the CPU/TPM.

The only correct approach is "efi-stub -> head_64.S -> kernel's own
secure init"; where (on UEFI systems) neither GRUB nor Trenchboot has
a valid reason to exist and should never be installed.


Cheers,

Brendan

v/r,
dps
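The difference between the two flows quoted above comes down to what a dynamic launch does to the TPM: the CPU instruction behind the "[cpu]" step resets PCR 17 from locality 4 and measures the code it is about to run, so nothing that executed before that point, bootloader included, feeds into the resulting value. The following Python is an added illustration of that argument, not code from this thread, from TrenchBoot or from the kernel. The PCR index (17), its all-ones value after TPM startup, and the locality-4-only reset are taken from the TCG PC Client DRTM PCR usage; the per-locality restriction on extends is not modelled, and the byte strings standing in for the bootloader, the kernel image and the boot parameters, as well as all function names, are constructed for the example.

```python
import hashlib

PCR_DRTM = 17      # PCR the CPU resets and extends at a dynamic launch (TXT / SKINIT)
PCR_LEN = 32       # SHA-256 bank


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class ToyTPM:
    """Toy TPM carrying only the PCR rules the DRTM argument depends on."""

    def __init__(self) -> None:
        self.pcr = {i: b"\x00" * PCR_LEN for i in range(24)}
        for i in range(17, 23):          # DRTM PCRs come up as all ones at startup
            self.pcr[i] = b"\xff" * PCR_LEN

    def extend(self, idx: int, digest: bytes) -> bytes:
        # Extend-locality restrictions are deliberately not modelled here.
        self.pcr[idx] = sha256(self.pcr[idx] + digest)
        return self.pcr[idx]

    def hash_start(self, locality: int) -> None:
        """_TPM_Hash_Start: zero PCR 17. Only the CPU, at locality 4, can issue it;
        no software that ran before the launch can."""
        if locality != 4:
            raise PermissionError("DRTM PCR reset requires locality 4")
        self.pcr[PCR_DRTM] = b"\x00" * PCR_LEN


# Constructed stand-ins for the code at each stage (not real binaries).
KERNEL = b"sl_stub + head_64.S + the rest of the kernel image"
EVIL_KERNEL = b"a kernel image the bootloader swapped in"
BOOT_PARAMS = b"boot params sl_stub measures before jumping to head_64.S"


def static_flow(tpm: ToyTPM, measured: bytes, executed: bytes) -> tuple:
    """EFI -> efi-stub -> head_64.S. The bootloader both reports the kernel's
    digest and decides what runs, so the two can disagree. (Firmware measuring
    the bootloader itself is left out of the model.)"""
    tpm.extend(4, sha256(measured))
    return tpm.pcr[4], executed


def dynamic_launch(tpm: ToyTPM, dlme: bytes) -> bytes:
    """The [cpu] step: reset PCR 17 from locality 4, then extend the image the
    CPU itself is about to start executing. Measurement and execution agree."""
    tpm.hash_start(locality=4)
    tpm.extend(PCR_DRTM, sha256(dlme))
    return dlme


def secure_launch_flow(tpm: ToyTPM, image: bytes) -> tuple:
    """EFI -> efi-stub -> dl-handler -> [cpu] -> sl_stub -> head_64.S."""
    executed = dynamic_launch(tpm, image)
    tpm.extend(PCR_DRTM, sha256(BOOT_PARAMS))   # sl_stub's own measurements
    return tpm.pcr[PCR_DRTM], executed


def expected_pcr17(image: bytes = KERNEL) -> bytes:
    """What a verifier computes from the image alone; no bootloader input."""
    return secure_launch_flow(ToyTPM(), image)[0]


def forge_without_cpu(image: bytes = KERNEL) -> bytes:
    """A bootloader replaying the same extends but without the CPU's reset:
    it starts from all ones and can never reach the expected value."""
    tpm = ToyTPM()
    tpm.extend(PCR_DRTM, sha256(image))
    tpm.extend(PCR_DRTM, sha256(BOOT_PARAMS))
    return tpm.pcr[PCR_DRTM]


def launch_after_arbitrary_history(image: bytes = KERNEL) -> bytes:
    """Whatever PCR 17 held before the launch does not change the result."""
    tpm = ToyTPM()
    tpm.pcr[PCR_DRTM] = sha256(b"simulated: anything that happened earlier")
    return secure_launch_flow(tpm, image)[0]


def bootloader_can_reset() -> bool:
    """Pre-launch software runs at locality 0 and cannot zero PCR 17."""
    try:
        ToyTPM().hash_start(locality=0)
    except PermissionError:
        return False
    return True


if __name__ == "__main__":
    print("expected PCR17  :", expected_pcr17().hex())
    print("after history   :", launch_after_arbitrary_history().hex())
    print("forged, no CPU  :", forge_without_cpu().hex())
    print("swapped kernel  :", expected_pcr17(EVIL_KERNEL).hex())
    print("bootloader reset:", bootloader_can_reset())
```

The static flow is the point of comparison: there the kernel's digest and the kernel that actually runs are both chosen by the bootloader, so the PCR 4 value for an honest boot is reproducible by a bootloader that extends the expected digest and then jumps somewhere else. In the dynamic flow the CPU measures exactly the image it launches, and since only locality 4 can zero PCR 17, no code that ran earlier can arrange for the expected value to appear.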


