public inbox for linux-crypto@vger.kernel.org
From: Rich Persaud <persaur@gmail.com>
To: Dave Hansen <dave.hansen@intel.com>
Cc: Ross Philipson <ross.philipson@oracle.com>,
	linux-kernel@vger.kernel.org, x86@kernel.org,
	linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org,
	linux-crypto@vger.kernel.org, kexec@lists.infradead.org,
	linux-efi@vger.kernel.org, iommu@lists.linux.dev,
	dpsmith@apertussolutions.com, tglx@linutronix.de,
	mingo@redhat.com, bp@alien8.de, hpa@zytor.com,
	dave.hansen@linux.intel.com, ardb@kernel.org,
	mjg59@srcf.ucam.org, James.Bottomley@hansenpartnership.com,
	peterhuewe@gmx.de, jarkko@kernel.org, jgg@ziepe.ca,
	luto@amacapital.net, nivedita@alum.mit.edu,
	herbert@gondor.apana.org.au, davem@davemloft.net, corbet@lwn.net,
	ebiederm@xmission.com, dwmw2@infradead.org,
	baolu.lu@linux.intel.com, kanth.ghatraju@oracle.com,
	andrew.cooper3@citrix.com, trenchboot-devel@googlegroups.com,
	Sergii Dmytruk <sergii.dmytruk@3mdeb.com>,
	openxt@googlegroups.com
Subject: Re: [PATCH v14 00/19] x86: Trenchboot secure dynamic launch Linux kernel support
Date: Fri, 25 Apr 2025 06:12:46 -0400	[thread overview]
Message-ID: <18F9BD47-282D-4225-AB6B-FDA4AD52D7AE@gmail.com> (raw)

On Apr 24, 2025, at 2:45 PM, Dave Hansen <dave.hansen@intel.com> wrote:
> On 4/21/25 09:26, Ross Philipson wrote:
>> This patchset provides detailed documentation of DRTM, the approach used for
>> adding the capability, and relevant API/ABI documentation. In addition to the
>> documentation the patch set introduces Intel TXT support as the first platform
>> for Linux Secure Launch.
> 
> So, I know some of the story here thanks to Andy Cooper. But the
> elephant in the room is:
> 
>> INTEL(R) TRUSTED EXECUTION TECHNOLOGY (TXT)
>> M:      Ning Sun <ning.sun@intel.com>
>> L:      tboot-devel@lists.sourceforge.net
>> S:      Supported
>> W:      http://tboot.sourceforge.net
>> T:      hg http://tboot.hg.sourceforge.net:8000/hgroot/tboot/tboot
>> F:      Documentation/arch/x86/intel_txt.rst
>> F:      arch/x86/kernel/tboot.c
>> F:      include/linux/tboot.h
> 
> Linux already supports TXT. Why do we need TrenchBoot?

One reason is to generalize DRTM support to other platforms.

RFC: Trenchboot Secure Launch DRTM for AMD SKINIT 
https://lore.kernel.org/lkml/cover.1734008878.git.sergii.dmytruk@3mdeb.com/

OpenXT.org measured launch usage of tboot originated in 2012, when I was the program manager for XenClient joint development [1][2] by Intel and Citrix. TrenchBoot was proposed in 2018 at Platform Security Summit and evolved [3] based on LKML and conference feedback. The tboot community was introduced [4] to TrenchBoot in 2022.


> I think I know the answer, but it also needs to be a part of the
> documentation, changelogs and cover letter.
> 
> Also, honestly, what do you think we should do with the Linux tboot
> code? Is everyone going to be moving over to Trenchboot

OpenXT will migrate development of measured launch from tboot to TrenchBoot Secure Launch, after upstream Linux and Xen have support for both Intel and AMD DRTM. Previously-deployed Intel devices using tboot, derived from OpenXT, will need support until users upgrade their hardware. Qubes is integrating [5] TrenchBoot into AEM (Anti Evil Maid). Since Oracle has spent several years working on this TrenchBoot series, they might use it; hopefully they can comment.


> so that Linux support for TXT/tboot can just go away?

[opinion]
Which one will prevail? That may have less to do with tboot-trenchboot differences and more to do with AMD-Intel product marketing and OEM segmentation of DRTM features, some certified by Microsoft as "Secured Core" clients with SMM attestation (Intel PPAM and AMD SMM Supervisor).

Intel requires client vPro devices for TXT, but has slowly expanded the list of eligible SKUs via "vPro Essentials" segmentation. AMD SKINIT is present on most processors, but DRTM currently requires a dTPM instead of the "mobile" fTPM implementation in AMD PSP firmware, with dTPMs mostly present in AMD OEM "PRO" or Embedded SKUs.

If AMD included the full TPM 2.0 reference code in their PSP fTPM, or if MS Pluton implemented a full TPM 2.0 that was compatible with DRTM, then the number of AMD DRTM-capable devices would be much higher than the number of Intel vPro or AMD PRO devices, expanding the market for DRTM-capable software like Linux (trenchboot) Secure Launch and Windows SystemGuard. That would increase client adoption of trenchboot, as the only option for Linux DRTM on AMD.

On servers, both AMD and Intel hardware support DRTM with dTPM and other roots of trust, but there are other launch considerations, including BMCs, SPDM device attestation & vendor hypervisors.
[/opinion]

In a perfect world, Intel-signed ACM (used in TXT DRTM) binary blobs would be accompanied by public read-only source code, with reproducible builds that generate those ACM blobs. In that perfect world, Intel ACM and tboot developers would review the TrenchBoot Linux series, recommend improvements and guide customers on migration from tboot to upstream-supported Linux DRTM. Neither has yet happened. Both would be welcome.

Rich


[1] https://www.intel.com/content/dam/www/public/us/en/documents/success-stories/3rd-gen-core-vpro-citrix-vendor-spotlight.pdf

[2] http://media12.connectedsocialmedia.com/intel/11/9510/Air_Force_Research_Laboratory_Security_Collaboration_Government.pdf

[3] https://trenchboot.org/events/

[4] https://sourceforge.net/p/tboot/mailman/message/37631560/

[5] https://blog.3mdeb.com/2023/2023-01-31-trenchboot-aem-for-qubesos/
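A practical check that follows from the platform discussion above (Intel TXT vs. AMD SKINIT eligibility, and whether a dynamic launch actually took place on a given machine). This is an added example, not code from this thread, from TrenchBoot, or from tboot. It assumes the standard Linux names: the "smx" and "skinit" entries in the /proc/cpuinfo flags line, the /sys/class/tpm/tpm0/pcr-sha256/N PCR files (kernel 5.12 and later), and the TPM 2.0 rule that DRTM PCRs 17-22 power on as all-ones and are reset to zero only by a locality-4 DRTM start. The function names are the example's own. A CPUID flag is necessary but not sufficient: BIOS/chipset enablement, an ACM (TXT) and, per the thread, a usable TPM are still required.

```shell
#!/bin/sh
# Added example (not from the thread or the TrenchBoot/tboot projects).
# Classifies a Linux host's DRTM state from two facts:
#  - CPU launch primitive: Intel TXT needs the "smx" cpuinfo flag,
#    AMD SKINIT needs "skinit" (necessary, not sufficient);
#  - whether a dynamic launch ran: TPM 2.0 DRTM PCRs 17-22 power on as
#    all-ones, are reset to zero by a locality-4 DRTM start, and are then
#    extended by the launched environment.

# drtm_cpu_kind FLAGS -> "txt" | "skinit" | "none"
# FLAGS is the space-separated flag list from /proc/cpuinfo.
drtm_cpu_kind() {
    case " $1 " in
        *" smx "*)    echo txt ;;
        *" skinit "*) echo skinit ;;
        *)            echo none ;;
    esac
}

# drtm_pcr_state HEX -> "never-launched" | "reset" | "launched" | "unknown"
# HEX is the digest of PCR 17 (any bank, either case); "" if unreadable.
drtm_pcr_state() {
    v=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ' \n')
    case "$v" in
        "")      echo unknown ;;            # no TPM, or PCR not exposed
        *[!f]*)  case "$v" in
                     *[!0]*) echo launched ;;  # DRTM reset + measurements
                     *)      echo reset ;;     # DRTM reset, nothing extended
                 esac ;;
        *)       echo never-launched ;;     # still the power-on value
    esac
}

# drtm_verdict FLAGS HEX -> one-word status combining both checks.
drtm_verdict() {
    cpu=$(drtm_cpu_kind "$1")
    pcr=$(drtm_pcr_state "$2")
    if [ "$cpu" = none ]; then
        echo no-drtm-cpu
        return 0
    fi
    case "$pcr" in
        launched|reset) echo "$cpu-launched" ;;
        unknown)        echo "$cpu-no-tpm-pcr" ;;
        *)              echo "$cpu-not-launched" ;;
    esac
}

# Live run against this host; sysfs PCR files exist on Linux >= 5.12.
drtm_live() {
    flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null | cut -d: -f2)
    pcr17=$(cat /sys/class/tpm/tpm0/pcr-sha256/17 2>/dev/null || true)
    printf 'drtm: %s (cpu=%s pcr17=%s)\n' \
        "$(drtm_verdict "$flags" "$pcr17")" \
        "$(drtm_cpu_kind "$flags")" "$(drtm_pcr_state "$pcr17")"
}

# Only touch the real host when asked: sh drtm_check.sh live
if [ "${1:-}" = live ]; then
    drtm_live
fi
```

Run with `sh drtm_check.sh live` on the target. A result of "txt-not-launched" or "skinit-not-launched" on a machine that booted through tboot or Secure Launch means the DRTM PCRs were never reset, i.e. the dynamic launch did not happen regardless of what the boot loader logged.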


Thread overview: 13+ messages
2025-04-25 10:12 Rich Persaud [this message]
2025-04-25 14:12 ` [PATCH v14 00/19] x86: Trenchboot secure dynamic launch Linux kernel support Dave Hansen
2025-04-29  0:04   ` Daniel P. Smith
2025-04-29  0:56     ` Dave Hansen
2025-05-18 14:42       ` Mike
2025-04-21 16:26 Ross Philipson
2025-04-21 20:52 ` Dave Hansen
2025-04-21 21:00   ` Andrew Cooper
2025-04-22 18:17   ` Andrew Cooper
2025-04-22 19:16     ` Dave Hansen
2025-04-22 21:26     ` Ard Biesheuvel
2025-04-22 23:21       ` Dave Hansen
2025-04-24 18:45 ` Dave Hansen
