On Mon, May 09, 2022 at 09:40:28PM +0200, Borislav Petkov wrote:
> On Mon, May 09, 2022 at 06:41:17PM +0000, Jonathan McDowell wrote:
> > I'm not tied to setup_data but given the concerns I raise above with
> > device tree on x86 and the need to handle this in the kernel it seemed
> > like a reasonable first approach. You seem to be saying it's not and
> > either adding the device tree infrastructure or doing a command line
> > hack would be preferable?
>
> All I'm doing is asking more questions to make you give more details as
> to why you wanna do it this way. I'll take a detailed look tomorrow but
> it looks ok from a quick glance.

That's reasonable, thanks for taking the time to do so.

I realised another problem with the command line approach is that this
is a flow involving attestation and potentially signing across the kexec
boundary, so if the command line changes every time due to the memory
address we pass the IMA buffer in then we have to recalculate the
expected PCR etc values for every kexec after we've done the user space
buffer allocation, rather than being able to do so once + offline in
advance for a particular kexec across multiple machines.

J.