> > Hi Ard, I think it better let creator to measure instead of consumer to > > measure > like today's implementation in grub[1]. The creator here means who load/create > it. In direct boot, it is OVMF read kernel command line and initrd image. In > grub > boot, it is grub2. Because the number of consumer like Linux kernel could be > more than 1, but the creator is single. > > I agree with this in principle.
So you are not against to do measurement in loader like current does in grub and OVMF, correct? I think it is OK even do twice measurements on cmdline and initrd for the corner case. In past month, I just submit patch in grub to do CC measurement at https://git.savannah.gnu.org/cgit/grub.git/commit/?id=4c76565b6cb885b7e144dc27f3612066844e2d19 > However, there are corner cases that we would like > to cover, such as booting Linux from the EFI shell. I remember Bottomley or someone mentioned to use CONFIG_CMDLINE and CONFIG_INITRAMFS_SOURCE, such as https://blog.decentriq.com/swiss-cheese-to-cheddar-securing-amd-sev-snp-early-boot-2/ for this corner case, especially for confidential container use case without grub. Or in general, any loader that > knows how to load an image and pass a command line, but may not be aware of > whether or which flavor of measured boot is being used by the platform. > This is headache.... but if loader do not know, why kernel know? How to guarantee both loader and kernel know for consistent measurement results? > > In another side, "EFI stub" is bind to EFI boot protocol and "EFI handover > protocol" is deprecated in grub 2.06[2]. (CC to Daniel). > > > > Apologies, I don't understand this sentence. May be I am wrong. I mean whether "EFI stub" code is only valid for "EFI handover protocol", or is it also valid for Linux 32bit/64bit boot? See https://www.kernel.org/doc/html/latest/x86/boot.html If it is only valid for "EFI handover protocol", then it is deprecated. So "EFI stub" code for measurement will not work for Linux 32bit/64bit boot. -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#94007): https://edk2.groups.io/g/devel/message/94007 Mute This Topic: https://groups.io/mt/93737108/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
