On Thu, Jun 21, 2018 at 6:49 PM Andy Lutomirski <luto@xxxxxxxxxx> wrote:
>
> On Thu, Jun 21, 2018 at 12:11 PM Nathaniel McCallum
> <npmccallum@xxxxxxxxxx> wrote:
> >
> > If this is acceptable for everyone, my hope is the following:
> >
> > 1. Intel would split the existing code into one of the following
> > schemas (I don't care which):
> > A. three parts: UEFI module, FLC-only kernel driver and user-space
> > launch enclave
> > B. two parts: UEFI module (including launch enclave) and FLC-only
> > kernel driver
> >
> > 2. Intel would release a reproducible build of the GPL UEFI module
> > sources signed with a SecureBoot trusted key and provide an
> > acceptable[0] binary redistribution license.
> >
> > 3. The kernel community would agree to merge the kernel driver given
> > the above criteria (and, obviously, acceptable kernel code).
> >
> > The question of how to distribute the UEFI module and possible launch
> > enclave remains open. I see two options: independent distribution and
> > bundling it in linux-firmware. The former may be a better
> > technological fit since the UEFI module will likely need to be run
> > before the kernel (and the boot loader; and shim). However, the latter
> > has the benefit of already being a well-known entity to our downstream
> > distributors. I could go either way on this.
>
> This is a lot of complication and effort for a gain that is not
> entirely clear.

Root kits and evil maid attacks are two worth considering.

> I really really really do *not* want to see Intel or
> anyone else start enforcing policy on which programs can and cannot
> run using this mechanism.

We already do this. It is called SecureBoot.

> (This is exactly why non-FLC systems aren't
> about to be supported upstream.) So my preference is to not merge
> anything that supports this type of use case unless there is
> compelling evidence that it is (a) genuinely useful, (b) will be used
> to improve security and (c) won't be abused for, say, revenue
> purposes.

I think there are benefits for (a) and (b). I agree with you about (c). But, again, we already have SecureBoot.