Re: Linux DRTM on UEFI platforms
From: Brendan Trotter
Subject: Re: Linux DRTM on UEFI platforms
Date: Wed, 6 Jul 2022 09:33:23 +0930
Hi,
On Wed, Jul 6, 2022 at 4:52 AM Daniel P. Smith
<dpsmith@apertussolutions.com> wrote:
> On 6/10/22 12:40, Ard Biesheuvel wrote:
>> On Thu, 19 May 2022 at 22:59,
> To help provide clarity, consider the following flows for comparison,
>
> Normal/existing efi-stub:
> EFI -> efi-stub -> head_64.S
>
> Proposed secure launch:
> EFI -> efi-stub -> dl-handler -> [cpu] -> sl_stub ->head_64.S
For more clarity: the entire point is to ensure that the kernel only
has to trust itself and the CPU/TPM hardware (and does not have to
trust a potentially malicious boot loader). Any attempt to avoid a
one-off solution for Linux is an attempt to weaken security.
The only correct approach is "efi-stub -> head_64.S -> kernel's own
secure init"; where (on UEFI systems) neither GRUB nor Trenchboot has
a valid reason to exist and should never be installed.
Cheers,
Brendan