On Thu, 2018-06-21 at 08:32 -0400, Nathaniel McCallum wrote:
> This implies that it should be possible to create MSR activation (and
> an embedded launch enclave?) entirely as a UEFI module. The kernel
> would still get to manage who has access to /dev/sgx and other
> important non-cryptographic policy details. Users would still be able
> to control the cryptographic policy details (via BIOS Secure Boot
> configuration that exists today). Distributions could still control
> cryptographic policy details via signing of the UEFI module with their
> own Secure Boot key (or using something like shim). The UEFI module
> (and possibly the external launch enclave) could be distributed via
> linux-firmware.
>
> Andy/Neil, does this work for you?

Nothing against having a UEFI module for the MSR activation step.

And we would move the existing in-kernel LE to firmware so that it is
available for the locked-in-to-non-Intel-values case?

/Jarkko