On Thu, 11 Nov 2021 at 10:33, Mika Westerberg <mika.westerberg@xxxxxxxxxxxxxxx> wrote: > OK, I see from your patch that it uses the direct mapped read-only > region to read this data. Sorry for the delay in replying here. What I like about Hans-Gert's patch is that it's always going to work on x64 -- if the system firmware isn't available at that offset then the platform just isn't going to boot. It's super simple, and means we can read out the hugely complex UEFI blob without asking the user to turn off kernel lockdown and secure boot so we can run the security verification tools. At the moment we're in this strange situation where we ask the user to cripple their platform security to run the platform security tools. > Do we know what information exactly fwupd needs? I mean exposing all of > this might not be good idea from security perspective (but I'm not an > expert). Ideally, fwupd needs the entire IFD partition which contains all the EFI File Volumes. We already parse these when the user is booting without secure boot using the Intel SPI controller and doing *evil* hacks to make the PCI device visible. The reason we want to parse the BIOS can be explained pretty easily; at startup we look at the TPM PCRs and we know very quickly and easily if the system firmware event has changed. If the checksum changed, then the firmware was modified in some way. However, saying to the user that "checksum changed" isn't useful at all. What we want to do is say something like "an EFI binary called RootKitz.efi was added" or "the AmiTcgPlatformPeiAfterMem.efi binary changed" and actually report what was done. At the moment we can do this, but not if /dev/mem cannot be used. > However, we can perhaps expose some of it through intel-spi, > and make that work so that distros can enable it safely. I think, if we're being honest, that Intel has no plans to make intel-spi available as a RO interface of any sort. There's some sort of hardware errata or misdesign that nobody can mention that makes the RO access unsafe. I think it's probably more than missing arbitration. Richard
