On 6/18/2022 8:08 AM, lukasz hawrylko wrote:
Re: [PATCH] 20_linux_tboot: efi logic was inverted
The 'noefi' flag tells the kernel that even if the current system is EFI based
it must not use EFI services (to be precise, EFI Runtime Services).
This is required because EFI is not a part of the TXT TCB. After the system
enters the TXT environment it must execute only the code that is measured.
As EFI (and BIOS in general) is not measured from the TXT perspective you
are not allowed to use it. That's why the 'noefi' flag is added.

The logic is correct in the original version. When an EFI-capable system is
detected it adds the 'noefi' flag to prevent the kernel from using EFI. On
non-EFI systems this flag is pointless because the kernel can't use EFI
services if they do not exist.

If removing the 'noefi' flag solves your issue, you should find out why.
Maybe there is some information that the kernel retrieves from EFI Runtime
Services that is required to properly boot the platform. If this is the
case, the only way to fix this correctly is to get this information in
tboot, before GETSEC[SENTER], and then in some way pass it to the
kernel.

You are correct. The chain of trust does not include the EFI runtime.
The system having the problem was using VROC. Intel confirms that
VROC cannot operate without EFI. They also confirmed the logical
conclusion that tboot and VROC are incompatible.

So, this is not a bug.



_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
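The rule Lukasz describes (append 'noefi' to the tboot-launched kernel's command line only when the system booted via EFI, leave non-EFI systems alone) as a small shell illustration. This is an added example written for this page, not tboot's own 20_linux_tboot grub generator; the function names and the idea of passing the EFI marker directory as a parameter are assumptions made so the logic can be exercised against a constructed directory instead of the live /sys/firmware/efi.

```shell
#!/bin/sh
# Added illustration of the 'noefi' rule from the thread above.
# NOT tboot's real 20_linux_tboot script; names here are hypothetical.

# Return 0 when the kernel command line in $1 already carries 'noefi'.
# Padding with spaces avoids matching substrings such as 'noefi_foo'.
cmdline_has_noefi() {
    case " $1 " in
        *" noefi "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the kernel arguments to use under a tboot launch.
#   $1 - directory that exists only on EFI-booted systems (on a real
#        machine this is /sys/firmware/efi; a parameter is used so the
#        function can be tested against a constructed directory)
#   $2 - base kernel arguments taken from the distribution's grub config
tboot_linux_args() {
    efi_dir=$1
    base_args=$2
    if [ -d "$efi_dir" ] && ! cmdline_has_noefi "$base_args"; then
        # EFI detected: after GETSEC[SENTER] the kernel must not call EFI
        # Runtime Services, since firmware is outside the TXT-measured TCB.
        printf '%s\n' "${base_args:+$base_args }noefi"
    else
        # Non-EFI boot, or the flag is already present: nothing to add.
        # Without EFI the kernel has no runtime services to call anyway.
        printf '%s\n' "$base_args"
    fi
}

# Stand-alone usage on a live system (prints the arguments, changes nothing):
# tboot_linux_args /sys/firmware/efi "root=/dev/sda2 ro quiet"
```

The function only prints the resulting argument string; it does not write grub configuration. The idempotence check matters because distribution configs may already carry 'noefi', and duplicating the flag makes later review of the command line harder.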
