> > > > Not fundamentally, no. But between the measurement of the image itself (which > the firmware should do) and the measurement of the initrd and command line > (which the EFI stub will do), I'm not sure there is that much left.
> In general, I think the combinatorial explosion of CC attestation protocols > multiplied by the number of boot stages and loaders is going to be a concern. > We really need some abstractions here. [Lu, Ken] I understand your now. It might looks reasonable if think - the LoadImage() is a common abstraction for all EFI application, so image itself should be measured by OVMF/BIOS. - but kernel command and initrd stuff should belong to EFI stub, who has more knowledge of kernel booting than a general image loading. > > > > However, there are corner cases that we would like to cover, such as > > > booting Linux from the EFI shell. > > > > I remember Bottomley or someone mentioned to use CONFIG_CMDLINE and > CONFIG_INITRAMFS_SOURCE, such as https://blog.decentriq.com/swiss- > cheese-to-cheddar-securing-amd-sev-snp-early-boot-2/ for this corner case, > especially for confidential container use case without grub. > > > > Or in general, any loader that > > > knows how to load an image and pass a command line, but may not be > > > aware of whether or which flavor of measured boot is being used by the > platform. > > > > > > > This is headache.... but if loader do not know, why kernel know? How to > guarantee both loader and kernel know for consistent measurement results? > > > > > > In another side, "EFI stub" is bind to EFI boot protocol and "EFI > > > > handover > > > protocol" is deprecated in grub 2.06[2]. (CC to Daniel). > > > > > > > > > > Apologies, I don't understand this sentence. > > > > May be I am wrong. I mean whether "EFI stub" code is only valid for > > "EFI handover protocol", or is it also valid for Linux 32bit/64bit > > boot? See https://www.kernel.org/doc/html/latest/x86/boot.html > > If it is only valid for "EFI handover protocol", then it is deprecated. > > No it is not deprecated. The EFI handover protocol uses LoadImage() but not > StartImage(). Instead, it jumps directly to an alternative entrypoint in the > image > which has a Linux/x86 specific prototype, and passes additional data. > > > So "EFI stub" code for measurement will not work for Linux 32bit/64bit boot. > > No you misunderstood. The EFI stub is an integral part of the boot flow. The > only thing we deprecated is invoking it without going through StartImage(). [Lu, Ken] Thanks your clarification! -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#94010): https://edk2.groups.io/g/devel/message/94010 Mute This Topic: https://groups.io/mt/93737108/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
