Re: [PATCH v3 0/3] efi: consume random seed provided by loader

On Thu, Oct 20, 2022 at 11:27 AM Ard Biesheuvel <ardb@xxxxxxxxxx> wrote:
>
> On Thu, 20 Oct 2022 at 19:16, Jason A. Donenfeld <Jason@xxxxxxxxx> wrote:
> >
> > On Thu, Oct 20, 2022 at 07:06:33PM +0200, Ard Biesheuvel wrote:
> > > On Thu, 20 Oct 2022 at 18:37, Jason A. Donenfeld <Jason@xxxxxxxxx> wrote:
> > > >
> > > > On Thu, Oct 20, 2022 at 2:40 AM Ard Biesheuvel <ardb@xxxxxxxxxx> wrote:
> > > > > For maximum simplicity, just concatenate the existing seed with the one
> > > > > obtained from EFI_RNG_PROTOCOL if both are available, and leave it to
> > > > > the core kernel code to mix it in and credit it appropriately. This way,
> > > > > we have no need for copies of the Blake2s library in the EFI stub and in
> > > > > the zboot decompressor.
> > > >
> > > > FTR, while I think this is okay for the final stage that the kernel's
> > > > EFI loader does, it's less good for earlier stages. So, for example,
> > > > systemd-boot should still use the hashing scheme we discussed.
> > >
> > > Not sure I follow. systemd-boot will put a seed in memory and publish
> > > it via the table. How does hashing come into play here?
> >
> > If systemd-boot is executed by another bootloader.
>
> And that bootloader creates the same table, then systemd-boot does it, etc etc?

Yea, the idea being all the bootloaders chain things forward by hashing.
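
The two ways of forwarding a seed mentioned in this message, concatenation and chaining by hashing, shown side by side as an added example; it is not code from the thread, the kernel, or systemd-boot. The BLAKE2s field layout, the stage labels, the 32-byte seed size and the entropy values are assumptions made for illustration, not the hashing scheme the thread refers to.

```python
import hashlib
from typing import Callable, List, Optional, Tuple

SEED_LEN = 32  # assumed seed size; also the BLAKE2s digest length


def _field(data: bytes) -> bytes:
    # Length-prefix each input so ("ab", "c") and ("a", "bc") hash differently.
    return len(data).to_bytes(4, "little") + data


def forward_by_hashing(prev_seed: Optional[bytes], fresh: Optional[bytes],
                       stage: bytes) -> Optional[bytes]:
    """Fold the inherited seed and this stage's entropy into one fixed-size seed."""
    if prev_seed is None and fresh is None:
        return None  # nothing to publish for the next stage
    h = hashlib.blake2s(digest_size=SEED_LEN)
    for part in (stage, prev_seed or b"", fresh or b""):
        h.update(_field(part))
    return h.digest()


def forward_by_concat(prev_seed: Optional[bytes], fresh: Optional[bytes],
                      stage: bytes) -> Optional[bytes]:
    """Concatenate whatever is available and leave the mixing to the consumer."""
    return ((prev_seed or b"") + (fresh or b"")) or None


def run_chain(combine: Callable, stages: List[Tuple[bytes, Optional[bytes]]]):
    """Pass a seed through each (stage, entropy) pair; return every seed published."""
    seed, published = None, []
    for stage, fresh in stages:
        seed = combine(seed, fresh, stage)
        published.append(seed)
    return published


# Constructed sample chain: stage names and entropy bytes are illustrative only.
CHAIN = [
    (b"first-loader", bytes([0x11]) * 32),
    (b"systemd-boot", bytes([0x22]) * 32),
    (b"efi-stub", bytes([0x33]) * 32),
]

if __name__ == "__main__":
    for name, fn in (("hash", forward_by_hashing), ("concat", forward_by_concat)):
        print(name, [len(s) for s in run_chain(fn, CHAIN)])
```

With hashing, every stage publishes a seed of the same size that still depends on all earlier inputs; with concatenation, the published seed grows by one input per stage.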


