Hi Tony

On Thu, 2022-06-09 at 15:04 -0400, Tony Camuso wrote:
> # HG changeset patch
> # User Tony Camuso <tcam...@redhhat.com>
> # Date 1654800659 14400
> #      Thu Jun 09 14:50:59 2022 -0400
> # Node ID be868f53407d4460491a0e77e5165025153b0329
> # Parent  206a47f3e9d2c18c8a3db082216ee6fc3c5d475c
> 20_linux_tboot: efi logic was inverted
> 
> There was a RAID0 system that could boot normally, but not through
> a tboot launch. The problem was that the logic in this script
> incorrectly appended 'noefi' to the grub.cfg module2 kernel stanza.
> 
> When 'noefi' was removed from that stanza, the system could boot
> through a tboot launch. This patch corrects the logic in the script.
> 
> diff -r 206a47f3e9d2 -r be868f53407d tboot/20_linux_tboot
> --- a/tboot/20_linux_tboot    Thu Mar 17 23:58:50 2022 +0200
> +++ b/tboot/20_linux_tboot    Thu Jun 09 14:50:59 2022 -0400
> @@ -105,11 +105,11 @@
>     if [ -d /sys/firmware/efi ] ; then
>         mb_directive="multiboot2"
>         mb_mod_directive="module2"
> -      mb_extra_kernel="noefi"
> +      mb_extra_kernel=""
>     else
>         mb_directive="multiboot2"
>         mb_mod_directive="module2"
> -      mb_extra_kernel=""
> +      mb_extra_kernel="noefi"
>     fi
>   
>     printf "menuentry '${title}' ${CLASS} {\n" "${os}" "${tboot_version}" 
> "${version}"
> 
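
Review bot: In the `if [ -d /sys/firmware/efi ]` branch, this clears `mb_extra_kernel` on exactly the systems where EFI firmware is present, while the `else` branch now adds `noefi` where there is no `/sys/firmware/efi` for the flag to act on. The commit message reports that one RAID0 system boots once `noefi` is removed but does not say why the flag broke that boot. I would keep the original assignments until the description identifies what the kernel needs from EFI on that machine, since this swap changes the default for every EFI system. Separately, both branches set the same `mb_directive` and `mb_mod_directive` values, so only `mb_extra_kernel` needs to be conditional.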

The 'noefi' flag tells the kernel that even if the current system is EFI
based, it must not use EFI services (to be precise, EFI Runtime Services).
This is required because EFI is not a part of the TXT TCB. After the system
enters the TXT environment, it must execute only the code that is measured.
As EFI (and BIOS in general) is not measured from the TXT perspective, you
are not allowed to use it. That's why the 'noefi' flag is added.

The logic is correct in the original version. When an EFI-capable system is
detected, it adds the 'noefi' flag to prevent the kernel from using EFI. On
non-EFI systems this flag is pointless because the kernel can't use EFI
services if they do not exist.

If removing the 'noefi' flag solves your issue, you should find out why.
Maybe there is some information that the kernel retrieves from EFI Runtime
Services that is required to properly boot the platform. If this is the
case, the only way to fix this correctly is to get this information in
tboot, before GETSEC[SENTER], and then in some way pass it to the
kernel.

Thanks,
Lukasz


_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
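
An added example, not part of the original message or of tboot: a shell check, in the language of the 20_linux_tboot script, that lists the tboot menu entries in a grub.cfg whose kernel module2 line lacks 'noefi'. The function names, the sample grub.cfg and its file names are constructed for illustration, and the check assumes the kernel is the first module2 line after the multiboot2 line that loads tboot.

```shell
#!/bin/sh
# Added example, not part of tboot. Assumption: in a tboot menuentry the kernel
# is the first module2 line after a multiboot2 line that loads a tboot image.

# Print the title of each tboot menuentry in grub.cfg ($1) whose kernel line
# lacks a standalone noefi argument; print nothing if every entry has it.
tboot_entries_missing_noefi() {
    awk '
        /^[ \t]*menuentry[ \t]/ {
            split($0, parts, "\047")      # title sits between single quotes
            title = parts[2]; in_tboot = 0; kernel_seen = 0
            next
        }
        /^[ \t]*multiboot2[ \t]/ { in_tboot = ($2 ~ /tboot/); next }
        /^[ \t]*module2[ \t]/ && in_tboot && !kernel_seen {
            kernel_seen = 1; found = 0
            for (i = 3; i <= NF; i++) if ($i == "noefi") found = 1
            if (!found) print title
        }
    ' "$1"
}

# Write a constructed grub.cfg fragment (not from a real system) to $1.
write_sample_cfg() {
    cat > "$1" <<'EOF'
menuentry 'Linux with tboot (constructed, noefi present)' --class gnu-linux {
    multiboot2 /tboot.gz logging=serial,memory
    module2 /vmlinuz-sample root=/dev/sda1 ro noefi
    module2 /initramfs-sample.img
}
menuentry 'Linux with tboot (constructed, noefi missing)' --class gnu-linux {
    multiboot2 /tboot.gz logging=serial,memory
    module2 /vmlinuz-sample root=/dev/sda1 ro
    module2 /initramfs-sample.img
}
menuentry 'Plain Linux (constructed, not a tboot launch)' {
    linux /vmlinuz-sample root=/dev/sda1 ro
    initrd /initramfs-sample.img
}
EOF
}

cfg=$(mktemp) && write_sample_cfg "$cfg"
# The flag only matters on EFI hosts, so report when this host is not one.
[ -d /sys/firmware/efi ] || echo "note: no EFI firmware detected on this host"
tboot_entries_missing_noefi "$cfg"
rm -f "$cfg"
```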
