On Wed, Mar 30, 2022 at 09:12:19AM +0200, Ard Biesheuvel wrote: > On Wed, 30 Mar 2022 at 09:11, Matthew Garrett <mj...@srcf.ucam.org> wrote: > > The EFI stub carries out a bunch of actions that have meaningful > > security impact, and that's material that should be measured. Having the > > secure launch kernel execute the stub without awareness of what it does > > means it would need to measure the code without measuring the state, > > while the goal of DRTM solutions is to measure state rather than the > > code. > > But how is that any different from the early kernel code?
From a conceptual perspective we've thought of the EFI stub as being logically part of the bootloader rather than the early kernel, and the bootloader is a point where the line is drawn. My guy feeling is that jumping into the secure kernel environment before EBS has been called is likely to end badly. _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
