public inbox for devel@edk2.groups.io
From: "Gerd Hoffmann" <kraxel@redhat.com>
To: "Lu, Ken" <ken.lu@intel.com>
Cc: Ard Biesheuvel <ardb@kernel.org>,
	"Xu, Min M" <min.m.xu@intel.com>,
	Daniel Kiper <daniel.kiper@oracle.com>,
	"devel@edk2.groups.io" <devel@edk2.groups.io>,
	Ard Biesheuvel <ardb+tianocore@kernel.org>,
	"Aktas, Erdem" <erdemaktas@google.com>,
	James Bottomley <jejb@linux.ibm.com>,
	"Yao, Jiewen" <jiewen.yao@intel.com>
Subject: Re: [edk2-devel] measurement to command-line/initrd for loading kernel via -kernel option
Date: Wed, 21 Sep 2022 14:27:06 +0200
Message-ID: <20220921122706.itqekzbwmjt6brns@sirius.home.kraxel.org>
In-Reply-To: <BN8PR11MB3666B670948C83356604869A984F9@BN8PR11MB3666.namprd11.prod.outlook.com>

On Wed, Sep 21, 2022 at 11:24:11AM +0000, Lu, Ken wrote:
> > > But either in GenericQemuLoadImageLib, it can do measurement for
> > > command line and initrd, correct?
> > 
> > Yes, it could.  But why given that the linux kernel efi stub measures anyway?

> If the final decision is that the measurement should be done by the efi
> stub in the Linux kernel.

The reference should be the workflow when you boot linux from the efi shell
or using a BootNNNN entry, which I think is:

  (1) linux kernel is loaded + measured via Loadimage().
  (2) linux kernel is started via efi stub entry point.
  (3) linux kernel efi stub loads and measures the initrd.

Not fully sure about the command line measurement, IIRC Ard described
that in one of the replies.

> Do we also need to remove today's measurement in Grub (I
> have submitted some patches for TDX in grub...)?

Those patches are perfectly fine, tpm measurement and tdx measurement
should be consistent.  In case the grub measurement workflow needs
changes to avoid double measurements (not sure this is actually the
case) those changes should apply to both tpm and tdx.

> According to Bottomley, the same measurement should not be done twice.

Yes, this is the way it should be, although the current state of affairs
is a bit messy and I think we are a bit away from that ideal.

> Or only the one who uses GenericQemuLoadImageLib will give the Linux
> kernel efi stub for measure?

I think we don't have to do anything special in GenericQemuLoadImageLib
because the lib uses Loadimage() which should handle measurement.

take care,
  Gerd

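The thread's concern is that the kernel, initrd and command line each get measured exactly once along the path above (LoadImage for the kernel, the efi stub for initrd and command line), and that a grub-side measurement could duplicate the stub's. The following is an added example, not code from this thread or from edk2, grub or the kernel: it replays a constructed, simplified event log into PCR values and flags digests that were extended into the same PCR twice, which is the check an attester would use to spot a double measurement. The event layout, component names and PCR numbers are assumptions for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample event log (not from the thread). Each entry is
# (pcr, measuring component, description, measured content). The last
# entry simulates grub measuring an initrd the efi stub already measured.
SAMPLE_EVENTS = [
    (4, "firmware-LoadImage", "vmlinuz.efi", b"constructed kernel image bytes"),
    (9, "linux-efi-stub", "initrd", b"constructed initrd bytes"),
    (9, "linux-efi-stub", "cmdline", b"console=ttyS0 root=/dev/vda1"),
    (9, "grub", "initrd", b"constructed initrd bytes"),
]

def extend(pcr_value: bytes, digest: bytes) -> bytes:
    """TPM-style extend for a SHA-256 bank: new = SHA-256(old || digest)."""
    return hashlib.sha256(pcr_value + digest).digest()

def replay(events):
    """Replay an event log into final PCR values; every PCR starts at zero."""
    pcrs = defaultdict(lambda: bytes(32))
    for pcr, _who, _desc, content in events:
        pcrs[pcr] = extend(pcrs[pcr], hashlib.sha256(content).digest())
    return dict(pcrs)

def find_double_measurements(events):
    """Map digest -> ["component:description", ...] for digests that were
    extended more than once into the same PCR (same object, two measurers)."""
    seen = defaultdict(list)
    for pcr, who, desc, content in events:
        digest = hashlib.sha256(content).hexdigest()
        seen[(pcr, digest)].append(f"{who}:{desc}")
    return {digest: who for (_pcr, digest), who in seen.items() if len(who) > 1}

if __name__ == "__main__":
    for digest, who in find_double_measurements(SAMPLE_EVENTS).items():
        print(f"digest {digest[:16]}... measured by {' and '.join(who)}")
    print("PCR 9 once: ", replay(SAMPLE_EVENTS[:3])[9].hex())
    print("PCR 9 twice:", replay(SAMPLE_EVENTS)[9].hex())
```

Because extend is order- and count-sensitive, the extra grub entry changes the final PCR 9 value, so a reference policy computed from a single stub measurement would no longer match.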

Thread overview: 22+ messages
2022-09-17  2:52 measurement to command-line/initrd for loading kernel via -kernel option Min Xu
2022-09-18 12:52 ` Ard Biesheuvel
2022-09-19  2:13   ` [edk2-devel] " Min Xu
2022-09-19  6:58     ` Ard Biesheuvel
2022-09-20  0:20       ` Min Xu
2022-09-20 12:29         ` Ard Biesheuvel
2022-09-20 12:55       ` Lu, Ken
2022-09-20 13:03         ` Ard Biesheuvel
2022-09-20 13:24           ` Lu, Ken
2022-09-20 13:43             ` James Bottomley
2022-09-20 14:34               ` Ard Biesheuvel
2022-09-20 14:51             ` Ard Biesheuvel
2022-09-20 15:14               ` Lu, Ken
2022-09-20 13:20         ` Gerd Hoffmann
2022-09-20 13:38           ` Lu, Ken
2022-09-20 14:18             ` Gerd Hoffmann
2022-09-20 14:30               ` Lu, Ken
2022-09-21  7:14                 ` Gerd Hoffmann
2022-09-21 11:24                   ` Lu, Ken
2022-09-21 12:27                     ` Gerd Hoffmann [this message]
2022-09-21 15:41                       ` Ard Biesheuvel
2022-09-23  9:34                         ` Ilias Apalodimas
