[systemd-devel] [gummiboot][RFC] Add trusted boot (tboot) support to gummiboot

Kay Sievers kay at vrfy.org
Wed Nov 12 08:14:39 PST 2014


On Wed, Nov 12, 2014 at 10:30 AM, Minchev, Todor
<todor.minchev at intel.com> wrote:
>
> On Mon, 2014-11-10 at 14:20 +0500, Alexander E. Patrakov wrote:
> > 10.11.2014 14:10, Minchev, Todor wrote:
> > > Hello guys,
> > >
> > > I have been working on adding trusted boot (tboot) support to gummiboot
> > > and since this requires quite a bit of new code to be added to the
> > > gummiboot code base I wanted to send it out for review and comments.

May I ask what the use case for this is? Are there any plans to deploy
such a gummiboot in future products?

> > > This is the new functionality that these patches add to the gummiboot
> > > master branch:
> > >
> > > - trusted boot support via the tboot module and Intel's Trusted
> > > Execution Technology (TXT)
> > > - partial multiboot2 support for passing data to the trusted boot module
> > > - booting non efi_stub kernels via tboot
> > > - no impact on the existing gummiboot functionality
> >
> > I have not looked at the code, but looked at the list of commit
> > messages. In particular:
> >
> > >        gummiboot: load the loadable segments of the ELF binary and jump
> > > to its entry point address
> >
> > As far as I understand, this goes against the design goals of gummiboot
> > of being a simple wrapper that is able to execute EFI binaries and only
> > them. Would it be feasible to convert tboot into an EFI binary instead,
> > and measure/validate it as such, using the API provided by UEFI for that?
> Yes, this is what I will be looking at next - adding a PE/COFF header to
> tboot so that gummiboot can launch it as an EFI application.
> BTW, are there any plans to add multiboot2 support to gummiboot in the
> future?

There are no such plans so far.

What actual problem would multiboot2 support solve and where would it
be actively used?

Kay
