All of lore.kernel.org
 help / color / mirror / Atom feed
From: Matthew Garrett <mjg59@srcf.ucam.org>
To: Brendan Trotter <btrotter@gmail.com>
Cc: "Daniel P. Smith" <dpsmith@apertussolutions.com>,
	The development of GNU GRUB <grub-devel@gnu.org>,
	Ard Biesheuvel <ardb@kernel.org>,
	Daniel Kiper <daniel.kiper@oracle.com>,
	Alec Brown <alec.r.brown@oracle.com>,
	Kanth Ghatraju <kanth.ghatraju@oracle.com>,
	Ross Philipson <ross.philipson@oracle.com>,
	"piotr.krol@3mdeb.com" <piotr.krol@3mdeb.com>,
	"krystian.hebel@3mdeb.com" <krystian.hebel@3mdeb.com>,
	"persaur@gmail.com" <persaur@gmail.com>,
	"Yoder, Stuart" <stuart.yoder@arm.com>,
	Andrew Cooper <andrew.cooper3@citrix.com>,
	"michal.zygowski@3mdeb.com" <michal.zygowski@3mdeb.com>,
	James Bottomley <James.Bottomley@hansenpartnership.com>,
	"lukasz@hawrylko.pl" <lukasz@hawrylko.pl>,
	linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org,
	James Morris <jmorris@namei.org>
Subject: Re: Linux DRTM on UEFI platforms
Date: Fri, 8 Jul 2022 05:56:38 +0100	[thread overview]
Message-ID: <20220708045638.GA27939@srcf.ucam.org> (raw)
In-Reply-To: <CAELHeEcEN=4YrPJROvzHoOiqqe5Bk0f8pDCZDnQ6aS=2LdwNow@mail.gmail.com>

On Fri, Jul 08, 2022 at 01:06:19PM +0930, Brendan Trotter wrote:

> This leaves me wondering what your true motivation is. Are you trying
> to benefit GRUB/Trenchboot (at the expense of security, end-user
> convenience, distro installer hassle, etc); or trying to manufacture
> scope for future man-in-the middle attacks (by promoting a solution
> that requires something between firmware and kernel)?

The described mechanism doesn't require trusting the code that's in the 
middle - if the state is perturbed by this code, the measurements will 
be different, and the system will be untrusted. I agree that this 
implementation is more complicated than just leaving it all up to the 
kernel, but I'm having a *lot* of trouble seeing how this has any impact 
on its security. Jumping immediately to impugning the motivation of the 
people involved is entirely inappropriate.


  reply	other threads:[~2022-07-08  4:56 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-03-29 17:40 Linux DRTM on UEFI platforms Matthew Garrett
2022-03-30  7:02 ` Ard Biesheuvel
2022-03-30  7:11   ` Matthew Garrett
2022-03-30  7:12     ` Ard Biesheuvel
2022-03-30  7:18       ` Matthew Garrett
2022-03-30  7:23         ` Ard Biesheuvel
2022-03-30  7:27           ` Matthew Garrett
2022-03-30  7:39             ` Ard Biesheuvel
2022-03-30 12:46               ` James Bottomley
2022-03-31  0:35   ` Daniel P. Smith
2022-03-31  7:13     ` Ard Biesheuvel
2022-03-31 10:59       ` Heinrich Schuchardt
2022-05-19 20:57       ` Daniel P. Smith
2022-05-19 20:57 ` Daniel P. Smith
2022-06-10 16:40   ` Ard Biesheuvel
2022-07-05 18:35     ` Daniel P. Smith
2022-07-06  0:03       ` Brendan Trotter
2022-07-06  0:12         ` Matthew Garrett
2022-07-07  9:46         ` Daniel P. Smith
2022-07-08  3:36           ` Brendan Trotter
2022-07-08  4:56             ` Matthew Garrett [this message]
2022-07-22 17:23             ` Daniel P. Smith
2022-07-23  5:15               ` Brendan Trotter
2022-08-09 10:53                 ` Daniel P. Smith
2022-08-10  9:07                   ` Brendan Trotter
2022-08-10 17:46                     ` Matthew Garrett
2022-08-11  9:55                       ` Brendan Trotter
2022-08-11 11:34                         ` Daniel Kiper
2022-08-11 18:25                         ` Matthew Garrett
2022-08-12  3:22                           ` Brendan Trotter
2022-08-12  5:54                             ` Matthew Garrett
2022-08-05 12:53       ` Ard Biesheuvel

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220708045638.GA27939@srcf.ucam.org \
    --to=mjg59@srcf.ucam.org \
    --cc=James.Bottomley@hansenpartnership.com \
    --cc=alec.r.brown@oracle.com \
    --cc=andrew.cooper3@citrix.com \
    --cc=ardb@kernel.org \
    --cc=btrotter@gmail.com \
    --cc=daniel.kiper@oracle.com \
    --cc=dpsmith@apertussolutions.com \
    --cc=grub-devel@gnu.org \
    --cc=jmorris@namei.org \
    --cc=kanth.ghatraju@oracle.com \
    --cc=krystian.hebel@3mdeb.com \
    --cc=linux-efi@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=lukasz@hawrylko.pl \
    --cc=michal.zygowski@3mdeb.com \
    --cc=persaur@gmail.com \
    --cc=piotr.krol@3mdeb.com \
    --cc=ross.philipson@oracle.com \
    --cc=stuart.yoder@arm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.