[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Linux DRTM on UEFI platforms

From: Daniel P. Smith
Subject: Re: Linux DRTM on UEFI platforms
Date: Thu, 7 Jul 2022 05:46:40 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.8.0

On 7/5/22 20:03, Brendan Trotter wrote:


Not sure why I got dropped from distro, but no worries.

On Wed, Jul 6, 2022 at 4:52 AM Daniel P. Smith
<> wrote:
On 6/10/22 12:40, Ard Biesheuvel wrote:> On Thu, 19 May 2022 at 22:59,
To help provide clarity, consider the following flows for comparison,

Normal/existing efi-stub:
   EFI -> efi-stub -> head_64.S

Proposed secure launch:
   EFI -> efi-stub -> dl-handler -> [cpu] -> sl_stub ->head_64.S

For more clarity; the entire point is to ensure that the kernel only
has to trust itself and the CPU/TPM hardware (and does not have to
trust a potentially malicious boot loader)..Any attempt to avoid a
one-off solution for Linux is an attempt to weaken security.

Please elaborate so I might understand how this entrypoint allows for the kernel to only trust itself and the CPU/TPM.

The only correct approach is "efi-stub -> head_64.S -> kernel's own
secure init"; where (on UEFI systems) neither GRUB nor Trenchboot has
a valid reason to exist and should never be installed.




reply via email to

[Prev in Thread] Current Thread [Next in Thread]