[systemd-devel] [gummiboot][RFC] Add trusted boot (tboot) support to gummiboot

Minchev, Todor todor.minchev at intel.com
Fri Nov 14 02:31:28 PST 2014


On Fri, 2014-11-14 at 09:55 +0000, Minchev, Todor wrote:
> > > 10.11.2014 14:10, Minchev, Todor wrote:
> > > > Hello guys,
> > > >
> > > > I have been working on adding trusted boot (tboot) support to gummiboot
> > > > and since this requires quite a bit of new code to be added to the
> > > > gummiboot code base I wanted to send it out for review and comments.
> 
> May I ask what the use case for this is? Are there any plans to deploy
> such a gummiboot in future products?

Security is quite a hot topic nowadays. Everyone wants to be sure that
the environment which they are using hasn't been tampered with in some
way. The main use case will be data centers where the environment can be
measured/validated uniformly on a large number of machines and certain
action taken if it doesn't match a predefined policy.

> 
> > > > This is the new functionality that these patches add to the gummiboot
> > > > master branch:
> > > >
> > > > - trusted boot support via the tboot module and Intel's Trusted
> > > > Execution Technology (TXT)
> > > > - partial multiboot2 support for passing data to the trusted boot module
> > > > - booting non efi_stub kernels via tboot
> > > > - no impact on the existing gummiboot functionality
> > >
> > > I have not looked at the code, but looked at the list of commit
> > > messages. In particular:
> > >
> > > > >        gummiboot: load the loadable segments of the ELF binary and jump to its entry point address
> > >
> > > As far as I understand, this goes against the design goals of gummiboot
> > > of being a simple wrapper that is able to execute EFI binaries and only
> > > them. Would it be feasible to convert tboot into an EFI binary instead,
> > > and measure/validate it as such, using the API provided by UEFI for that?
> > Yes, this is what I will be looking at next - adding PE/COFF header to
> > tboot so that gummiboot can launch it as an EFI application.
> > BTW, are there any plans to add multiboot2 support to gummiboot in the
> > future?
> 
> There are no such plans so far.
> 
> What actual problem would multiboot2 support solve and where would it
> be actively used?

With multiboot2 support, gummiboot will be able to boot any multiboot2
compliant OS regardless of its file format (EFI, ELF or others) in a
fairly simple way. Also some of the data (memory map, framebuffer info
etc.) that every OS extracts in its own way from the firmware can be
extracted by the bootloader once and fed to the kernel through the
multiboot tags.

--Todor
