On Wed, Aug 21, 2024 at 10:27 PM Lennart Poettering <mzxreary@xxxxxxxxxxx> wrote:
>
> On Mo, 19.08.24 22:53, Pingfan Liu (piliu@xxxxxxxxxx) wrote:
>
> > *** Background ***
> >
> > As more PE format kernel images are introduced, it poses a challenge to kexec to
> > cope with the new format.
> >
> > In my attempt to add support for arm64 zboot image in the kernel [1],
> > Ard suggested using an emulator to tackle this issue. Last year, when
> > Jan tried to introduce UKI support in the kernel [2], Ard mentioned the
> > emulator approach again [3]
>
> Hmm, systemd's systemd-stub code tries to load certain "side-car"
> files placed next to the UKI, via the UEFI file system APIs. What's
> your intention with the UEFI emulator regarding that? The sidecars are
> somewhat important, because that's how we parameterize otherwise
> strictly sealed, immutable UKIs.
>

IIUC, you are referring to UKI addons.

> Hence, what's the story there? implement some form of fs driver (for
> what fs precisely?) in the emulator too?
>

As for addons, that is a missing part in this series. I have overlooked
this issue. Originally, I thought that there was no need to implement a
disk driver and vfat file system, just preload them into memory, and
finally present them through the UEFI API. I will take a closer look at
it and chew on it.

> And regarding tpm? tpms require drivers and i guess at the moment uefi
> emulator would run those aren't available anymore? but we really
> should do a separator measurement then. (also there needs to be some
> way to pass over measurement log of that measurement?)
>

It is a pity that it is a common issue persistent with kexec-reboot
kernels nowadays. I am not familiar with TPM and have no clear idea for
the time being (emulating Platform Configuration Registers?). But since
this emulator is held inside a Linux kernel image, and the UKI's
signature is checked during kexec_file_load, all of them are safe from
modification; this security is not an urgent issue.

Thanks for sharing your thoughts and insights.

Best Regards,

Pingfan

> Lennart
>
> --
> Lennart Poettering, Berlin
>