|
| From: | Daniel P. Smith |
| Subject: | Re: Linux DRTM on UEFI platforms |
| Date: | Thu, 7 Jul 2022 05:46:40 -0400 |
| User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.8.0 |
On 7/5/22 20:03, Brendan Trotter wrote:
Hi,
Greetings! Not sure why I got dropped from distro, but no worries.
On Wed, Jul 6, 2022 at 4:52 AM Daniel P. Smith <dpsmith@apertussolutions.com> wrote:On 6/10/22 12:40, Ard Biesheuvel wrote:> On Thu, 19 May 2022 at 22:59, To help provide clarity, consider the following flows for comparison, Normal/existing efi-stub: EFI -> efi-stub -> head_64.S Proposed secure launch: EFI -> efi-stub -> dl-handler -> [cpu] -> sl_stub ->head_64.SFor more clarity; the entire point is to ensure that the kernel only has to trust itself and the CPU/TPM hardware (and does not have to trust a potentially malicious boot loader)..Any attempt to avoid a one-off solution for Linux is an attempt to weaken security.
Please elaborate so I might understand how this entrypoint allows for the kernel to only trust itself and the CPU/TPM.
The only correct approach is "efi-stub -> head_64.S -> kernel's own secure init"; where (on UEFI systems) neither GRUB nor Trenchboot has a valid reason to exist and should never be installed. Cheers, Brendan
v/r, dps
| [Prev in Thread] | Current Thread | [Next in Thread] |