From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-lf1-f50.google.com (mail-lf1-f50.google.com [209.85.167.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6913A2F6907 for ; Wed, 18 Feb 2026 20:03:41 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=pass smtp.client-ip=209.85.167.50 ARC-Seal:i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1771445022; cv=pass; b=DVpogOHUYPwAWy2G1ZVQRmCnMC+JHqUo6/bcy+wl+64yhuzJS7+i9S+YGLOs8IAmFj0mXGCkRyMSaEuN4ySt1jEUr66zfiXtmrYdD+2t2D7NGXSDbPUtivr8L5XGcAZXnoSiq5jkKQ44Ps68mGzBPayCkRk2pbyhKnvixb60EhM= ARC-Message-Signature:i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1771445022; c=relaxed/simple; bh=A9RFDZyZgqlQJkBPPEH0bt0olncW7jJuhWCZ9JoO/s8=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=mp75ljHIVJ52kEn7xS68wE5JuBqwirY9lm+I/3qZ1BGa/6l9tFhr3vanCf/oefOT6jFPxTZ+cjo+CpKPHPU4C+SsFqMQeuOWeaa4St3xHR3gOz4E6/sig+KGCwA3XSpr/T3nUgnGF3AHpQRFC+nQ0s6GpqoBw/p1zqujbSMeiv0= ARC-Authentication-Results:i=2; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=amacapital.net; spf=pass smtp.mailfrom=amacapital.net; dkim=pass (2048-bit key) header.d=amacapital-net.20230601.gappssmtp.com header.i=@amacapital-net.20230601.gappssmtp.com header.b=OpxqkiwA; arc=pass smtp.client-ip=209.85.167.50 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=amacapital.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=amacapital.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=amacapital-net.20230601.gappssmtp.com header.i=@amacapital-net.20230601.gappssmtp.com header.b="OpxqkiwA" Received: by mail-lf1-f50.google.com with SMTP id 2adb3069b0e04-59e60b3ccdfso471953e87.0 for ; Wed, 18 Feb 2026 12:03:41 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1771445020; cv=none; d=google.com; s=arc-20240605; b=SvRRetWE40qw9rYBPx0IwdotEFHOVjkLF0Q70VPjuwjJbdFiwz8LAg1puqfjk+ze7m hLzWGiMVGW62K4hLlt0AcSjB9Ah2FHPPCJj4MTbypQ4rCstMAAFBh+ss4AFEJ99eZx3d mwVAz/nxH9ayjv2vkqxJCiLXzljN6w3pdEfwLoKOrDXcEv5vo+Ncedh+bzWy/IU2t4Dv Oco9XrZq/HmE6Y1//v5KkRA2KjmISpfbSB1PXdzbTm5sFAXTWiOt1Bn84VuErSLw1RVC 489S2F/yJ9akme5tdvr+tguZR2kkMOzGP1QUkRzOXrKtjc08s9flayeprBX1wDMswcQE 7lTw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=Vcy7R/11wcjfKOQI7WogUozCzX0mH6u0BCoPreJyb8U=; fh=08cY6oR0WKbvgEb2L+h5FBlPHv015RG/tTph1teXuU0=; b=U9UcT2Q5IOOgmyUBc6qQIq1iK9r52CfsJwymug+3AwGz/Aa50G0woHoIWayNUT9eaB YZcHYGWyqvgDMDxMREHJlNLtFfIt8InLdLvd6Zq/sINIDmEAVFoUsnCSvxxTOOsh1Zxk ayOz5nU7ZPxhG/HMV40ieHJw5Dfy5MjdCwCv7JQ7Qhl9wY3FxrmroPpU5fOROO1Jx+iF UGTiSOKR4S9rA3gV6I8cZi4+u/cttpZ1EuL15QdZS18fENiCss7KUm0lOyJLJaOmgisn kFOs0yXEJq2pcYQfYFd++0/vMGIAoGIyxak9afzyoEsa7uzWV49sxPa83Ok1YYgsGBgQ UgiQ==; darn=vger.kernel.org ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amacapital-net.20230601.gappssmtp.com; s=20230601; t=1771445020; x=1772049820; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=Vcy7R/11wcjfKOQI7WogUozCzX0mH6u0BCoPreJyb8U=; b=OpxqkiwAUUWIfdMsKeV4jtOeUyJ54S5Q3gIl6IWomGB28pWLQ43/VZ2PPrPiJLFn6l geHXyDnsYHJCBuvKcKva6n0DQffN04OwxU/4M7eC72DW8P+FW9TGf76yQTqVcGZ39RB9 xSDwuctxDlLpZnWMrM5/OMqLl4fuqhU/Np7zLrUC/rK+nDca8x9sisN+VjggnR/U1YVf BBaMNVWeYHdlS8zYxYiGoqtDsVTeqXx6Ku5JCJYMqYMej/Cvi+xikyOHdKCyULiuHfKS +s/YQnj8cyCckPBiCdB4cJhUF50hvTz95aJYnjMKO+epQEN4w6GWsNcRW1q7xuJ1RV2C VEig== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1771445020; x=1772049820; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=Vcy7R/11wcjfKOQI7WogUozCzX0mH6u0BCoPreJyb8U=; b=aIJCtf7q7gu0dzhzNH61cRL9vKfzY3sERkePcJtCfo9zqSZpIAvUvzs5VCm3Ef1ut6 aIJrBy5qt9xiXEuuwSDwj8BK5n6WWluHMu4UIQLFDKaoMCQmYeePPFAST2WDRYf7JAk7 eXHVFysp9Hp64z2ortv+GM3YodrI4P4IccsfJTpZ+xw38jiF8cS/5g1hezQ51GDEtaIs ibMR9eNKgyRQkIYOYzesDWoB6BY0dXbfaHuNtZDleh1SIKAtjG7eKyGCebx5ORfddk1Q xJwXek/ngFizzNeGYnifOYD7pmQf+W7xEJjEeZwZsSEQMdhgPcexgs1eug/e97ct6T4b QXHw== X-Forwarded-Encrypted: i=1; AJvYcCWXaQvShSSinCe1k4SImo5dnhkbbMBeJ3MaBVfeTO9nOKDTPBsy6YT0LoY0y377OpU+g/UzkUWFJjD2/Zl0kvY=@vger.kernel.org X-Gm-Message-State: AOJu0YysMB42uybK+7d2DXh7Q89TMOpLmXkMyBUF4mvwzQp1eD3koKTV 90Ve5iDu6B6JGR1ygMGGG+4kiHkdP3y3eany2EVpeTZyzo3f0OKmiipQkB18oYFZrq+3NmfZ94s pNfFUm2TAxwGpDXAv9GKAiCVnO2PljArrFrZjNdQ9 X-Gm-Gg: AZuq6aJaPnVyBF46mvVDnbaLHzZne/yCQN2SRAYK3HA0PikX6iDpDIlbrudmyapJepZ vTO7oY9Lyw7TU8Yo16U+O6RFJFM2eHJplXNb/lXcpyb2QTTOtp+Th4cRfHEFZaEEhnq6OYAHQAN rrHPuGOQ02eAornZ3xuDolqx8nUEh2ZI5RvRncHAjaTeY6z78BY56MoWBF/udBUrN40OsWXCuL0 8ppInWYFFye5PyvFpOS2shA/TBbUM+jTXCTKGmp8t58tBE1CYo37GO5/LgnSqkQFB6U6J1gyMQC PvYI1NYXzMeE9uI= X-Received: by 2002:a05:6512:3992:b0:59f:6edb:b7ea with SMTP id 2adb3069b0e04-59f6edbb86bmr4081097e87.42.1771445019417; Wed, 18 Feb 2026 12:03:39 -0800 (PST) Precedence: bulk X-Mailing-List: linux-integrity@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <20251215233316.1076248-1-ross.philipson@oracle.com> <1ffd3cb5-2c76-4371-a067-3e4849907d80@apertussolutions.com> <49d169bf-0ad2-49be-b7d7-fceb9e7f831a@app.fastmail.com> In-Reply-To: <49d169bf-0ad2-49be-b7d7-fceb9e7f831a@app.fastmail.com> From: Andy Lutomirski Date: Wed, 18 Feb 2026 12:03:27 -0800 X-Gm-Features: AaiRm50K0AfYUHogK4D4rjv3z3w5Xga5sdt_IpbZg6dO6uXxKWdtAoPp16KXxJI Message-ID: Subject: Re: [PATCH v15 00/28] x86: Secure Launch support for Intel TXT To: Ard Biesheuvel Cc: "Daniel P. Smith" , Ross Philipson , linux-kernel@vger.kernel.org, x86@kernel.org, linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org, linux-crypto@vger.kernel.org, kexec@lists.infradead.org, linux-efi@vger.kernel.org, iommu@lists.linux.dev, dave.hansen@linux.intel.com, Thomas Gleixner , Ingo Molnar , Borislav Petkov , "H . Peter Anvin" , mjg59@srcf.ucam.org, James.Bottomley@hansenpartnership.com, peterhuewe@gmx.de, Jarkko Sakkinen , jgg@ziepe.ca, nivedita@alum.mit.edu, Herbert Xu , davem@davemloft.net, corbet@lwn.net, ebiederm@xmission.com, dwmw2@infradead.org, baolu.lu@linux.intel.com, kanth.ghatraju@oracle.com, andrew.cooper3@citrix.com, trenchboot-devel@googlegroups.com Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Thu, Feb 12, 2026 at 12:40=E2=80=AFPM Ard Biesheuvel w= rote: > > On Thu, 12 Feb 2026, at 20:49, Daniel P. Smith wrote: > > On 2/9/26 09:04, Ard Biesheuvel wrote: > ... > >> Surprisingly, even when doing a secure launch, the EFI runtime service= s still work happily, which means (AIUI) that code that was excluded from t= he D-RTM TCB is still being executed at ring 0? Doesn't this defeat D-RTM e= ntirely in the case some exploit is hidden in the EFI runtime code? Should = we measure the contents of EfiRuntimeServicesCode regions too? > > > > Yes, in fact in the early days I specifically stated that we should > > provide for the ability to measure the RS blocks. Particularly if you > > are not in an environment where you can isolate the calls to RS from th= e > > TCB. While the RS can pose runtime corruption risks, the larger concern > > is integrating the D-RTM validation of the Intel System Resources > > Defense (ISRD), aka SMI isolation/SMM Supervisor, provided by the Intel > > System Security Report (ISSR). Within the ISSR is a list of memory > > regions which the SMM Policy Shim (SPS) restricts a SMI handler's acces= s > > when running. This allows a kernel to restrict what access a SMI handle= r > > are able to reach, thus allowing them to be removed from the TCB when > > the appropriate guards are put in place. > > > > If you are interested in understanding these further, Satoshi Tanda has > > probably the best technical explanation without Intel market speak. > > > > ISRD: https://tandasat.github.io/blog/2024/02/29/ISRD.html > > ISSR: https://tandasat.github.io/blog/2024/03/18/ISSR.html > > > > Thanks, I'll take a look at those. > > But would it be better to disable the runtime services by default when do= ing a secure launch? PREEMPT_RT already does the same. So I have a possible way to disable EFI runtime service without losing the ability to write EFI vars. We come up with a simple file format to store deferred EFI var updates and we come up with a place to put it so that we find it early-ish in boot the next time around. (This could be done via integration with systemd-boot or shim some other boot loader or it could actually be part of the kernel.) And then, instead of writing variables directly, we write them to the deferred list and then update them on reboot (before TXT launch, etc). [0] This would be a distincly nontrivial project and would not work for all configurations. As a maybe less painful option, we could disable EFI runtime services but have a root-writable thing in sysfs that (a) turns them back on but (b) first extends a PCR to say that they're turned back on. (Or someone could try running runtime services at CPL3...) [0] I have thought for years that Intel and AMD should do this on their end, too. Keep the sensitive part of SMI flash entirely locked after boot and, instead of using magic SMM stuff to validate that write attempts have the appropriate permissions and signatures, queue them up as deferred upates and validate the signatures on the next boot before locking flash.