From: Jan Hendrik Farr <kernel@jfarr.cc>
To: Pingfan Liu <kernelfans@gmail.com>
Cc: linux-arm-kernel@lists.infradead.org, linux-efi@vger.kernel.org,
kexec@lists.infradead.org, Pingfan Liu <piliu@redhat.com>,
Baoquan He <bhe@redhat.com>, Dave Young <dyoung@redhat.com>,
Philipp Rudo <prudo@redhat.com>, Ard Biesheuvel <ardb@kernel.org>,
Mark Rutland <mark.rutland@arm.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will@kernel.org>,
keyrings@vger.kernel.org, Luca Boccassi <bluca@debian.org>,
lennart@poettering.net, Jarkko Sakkinen <jarkko@kernel.org>,
linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org, mjg59@google.com,
James.Bottomley@hansenpartnership.com
Subject: Re: [PATCH 0/2] Sign the Image which is zboot's payload
Date: Fri, 22 Sep 2023 07:19:36 +0200 [thread overview]
Message-ID: <ZQ0j6Es88aR8cjRv@desktop> (raw)
In-Reply-To: <20230921133703.39042-1-kernelfans@gmail.com>
Hi Pingfan!
On 21 21:37:01, Pingfan Liu wrote:
> From: Pingfan Liu <piliu@redhat.com>
>
> For security boot, the vmlinuz.efi will be signed so UEFI boot loader
> can check against it. But at present, there is no signature for kexec
> file load, this series makes a signature on the zboot's payload -- Image
> before it is compressed. As a result, the kexec-tools parses and
> decompresses the Image.gz to get the Image, which has signature and can
> be checked against during kexec file load
I missed some of the earlier discussion about this zboot kexec support.
So just let me know if I'm missing something here. You were exploring
these two options in getting this supported:
1. Making kexec_file_load do all the work.
This option makes the signature verification easy. kexec_file_load
checks the signature on the pe file and then extracts it and does the
kexec.
This is similar to how I'm approaching UKI support in [1].
2. Extract in userspace and pass decompressed kernel to kexec_file_load
This options requires the decompressed kernel to have a valid signature on
it. That's why this patch adds the ability to add that signature to the
kernel contained inside the zboot image.
This option would not make sense for UKI support as it would not
validate the signature with respect to the initrd and cmdline that it
contains. Am I correct in thinking that there is no similar issue with
zboot images? They don't contain any more information besides the kernel
that is intended to be securely signed, right? Do you have a reference
for the zboot image layout somewhere?
> I hesitate to post this series,
I appreciate you sending it, it's helping the discussion along.
> [...] since Ard has recommended using an
> emulated UEFI boot service to resolve the UKI kexec load problem [1].
> since on aarch64, vmlinuz.efi has faced the similar issue at present.
> But anyway, I have a crude outline of it and am sending it out for
> discussion.
The more I'm thinking about it, the more I like Ard's idea. There's now
already two different formats trying to be added to kexec that are
pretty different from each other, yet they both have the UEFI interface
in common. I think if the kernel supported kexec'ing EFI applications
that would be a more flexible and forward-looking approach. It's a
standard that both zboot and UKI as well as all future formats for UEFI
platforms will support anyways. So while it's more work right now to
implement, I think it'll likely pay off.
It is significantly more work than the other options though. So I think
before work is started on it, it would be nice to get some type of
consensus on these things (not an exhaustive list, please feel free to
add to it):
1. Is it the right approach? It adds a significant amount of userspace
API.
2. What subset of the UEFI spec needs/should to be supported?
3. Can we let runtime services still be handled by the firmware after
exiting boot services?
4. How can we debug the stubs that are being invoked?
5. Can we let the EFI binary know that this is a kexec and not a normal
bootup. Potentially systemd-stub would want to change how/if it does TPM
PCR measurements.
...
[1] https://lore.kernel.org/kexec/20230911052535.335770-2-kernel@jfarr.cc/T/
Added some more CCs.
next parent reply other threads:[~2023-09-22 5:19 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20230921133703.39042-1-kernelfans@gmail.com>
2023-09-22 5:19 ` Jan Hendrik Farr [this message]
2023-09-22 5:41 ` [PATCH 0/2] Sign the Image which is zboot's payload Dave Young
2023-09-25 15:24 ` Philipp Rudo
2023-09-25 3:01 ` Pingfan Liu
2023-09-25 8:55 ` Ard Biesheuvel
2023-09-27 23:46 ` Jan Hendrik Farr
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZQ0j6Es88aR8cjRv@desktop \
--to=kernel@jfarr.cc \
--cc=James.Bottomley@hansenpartnership.com \
--cc=ardb@kernel.org \
--cc=bhe@redhat.com \
--cc=bluca@debian.org \
--cc=catalin.marinas@arm.com \
--cc=dyoung@redhat.com \
--cc=jarkko@kernel.org \
--cc=kernelfans@gmail.com \
--cc=kexec@lists.infradead.org \
--cc=keyrings@vger.kernel.org \
--cc=lennart@poettering.net \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=mjg59@google.com \
--cc=piliu@redhat.com \
--cc=prudo@redhat.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox