On Thu, Mar 26, 2020 at 1:51 PM Daniel P. Smith
[off-list ref] wrote:

On 3/25/20 6:51 PM, Andy Lutomirski wrote:

quoted

On Wed, Mar 25, 2020 at 1:29 PM Matthew Garrett [off-list ref] wrote:

quoted

On Wed, Mar 25, 2020 at 12:43 PM Ross Philipson
[off-list ref] wrote:

quoted

To enable the kernel to be launched by GETSEC or SKINIT, a stub must be
built into the setup section of the compressed kernel to handle the
specific state that the late launch process leaves the BSP. This is a
lot like the EFI stub that is found in the same area. Also this stub
must measure everything that is going to be used as early as possible.
This stub code and subsequent code must also deal with the specific
state that the late launch leaves the APs in.

How does this integrate with the EFI entry point? That's the expected
entry point on most modern x86. What's calling ExitBootServices() in
this flow, and does the secure launch have to occur after it? It'd be
a lot easier if you could still use the firmware's TPM code rather
than carrying yet another copy.

I was wondering why the bootloader was involved at all.  In other
words, could you instead hand off control to the kernel just like
normal and have the kernel itself (in normal code, the EFI stub, or
wherever it makes sense) do the DRTM launch all by itself?  This would
avoid needing to patch bootloaders, to implement this specially for
QEMU -kernel, to get the exact right buy-in from all the cloud
vendors, etc.  It would also give you more flexibility to evolve
exactly what configuration maps to exactly what PCRs in the future.

Partly this is driven by the fact that one of the goals for the
TrenchBoot project is about more universal/unified, cross open source
project adoption of Dynamic Launch. Another aspect is that initiating a
Dynamic Launch requires additional file(s) to be loaded, the platform to
be put into a quiescent state, and the invocation of the SENTER/SKINIT
instruction can be thought of as a soft reset of the CPU that on Intel
even results in the CPU being in a different mode (SMX) which has a
subtle change to its behavior. In the TCG Dynamic Launch design, the
component responsible for this loading, preparing, and Dynamic Launch
Instruction invocation is referred to as the Preamble and IMHO the best
time for dealing with such a disruptive behavior caused by invoking the
instruction is at the boot boundary. It also makes for a good transition
point to enable switching between kernels in control of the system
whereby the integrity will be establish by the hardware instead of the
kernel (UEFI, GRUB, Linux, etc.) that loaded it. I think what helps
address your concern is that one of the next items on the roadmap is to
extend kexec to be able to perform the Preamble. As I just mentioned,
this provides a clean way to transition for one Linux kernel that may or
may not have been started via a Dynamic Launch could relaunch itself,
launch a new Linux kernel, or even launch a non-Linux kernel that is
Dynamic Launch aware.

Hmm.  I don't have any real objection to the kernel supporting this
type of secure launch, but I do have some more questions first.

One of the problems with the old tboot code and the general state of
dynamic-root-of-trust is that it's an incredible pain in the neck to
even test.  I think it would be helpful if I could build a kernel that
supported secure launch (Intel or AMD) and just run the thing.  I
realize that you're planning to integrate this into GRUB, etc, but it
might be nice if even existing GRUB and EFI shell can do this.  How
hard would it be to make the kernel support a mode where whatever
blobs are required are in the initrd or built in like firmware and
where I could set a command line argument like secure_launch=on and
have the kernel secure launch itself?

Are you planning on supporting a mode where kernel A kexecs to kernel
B, kernel B is secure launched, and then kernel B resumes kernel A and
re-launches it?  If so, would it work better if the measured state of
the kernel were the *uncompressed* text or even the uncompressed and
alternative-ified text?  Or is the idea that the secure launch entry
will figure out that it's actually a resume and not a fresh boot and
behave accordingly?

What's the situation like in a VM?  Can I run the secure launch entry
in a VM somehow?  Can I actually initiate the dynamic launch from the
VM?