[PATCH v11 00/20] x86: Trenchboot secure dynamic launch Linux kernel support

Jarkko Sakkinen jarkko at kernel.org
Fri Nov 1 03:28:38 PDT 2024


On Fri Sep 13, 2024 at 11:04 PM EEST, Ross Philipson wrote:
> The larger focus of the TrenchBoot project (https://github.com/TrenchBoot) is to
> enhance the boot security and integrity in a unified manner. The first area of
> focus has been on the Trusted Computing Group's Dynamic Launch for establishing
> a hardware Root of Trust for Measurement, also know as DRTM (Dynamic Root of
> Trust for Measurement). The project has been and continues to work on providing
> a unified means to Dynamic Launch that is a cross-platform (Intel and AMD) and
> cross-architecture (x86 and Arm), with our recent involvment in the upcoming
> Arm DRTM specification. The order of introducing DRTM to the Linux kernel
> follows the maturity of DRTM in the architectures. Intel's Trusted eXecution
> Technology (TXT) is present today and only requires a preamble loader, e.g. a
> boot loader, and an OS kernel that is TXT-aware. AMD DRTM implementation has
> been present since the introduction of AMD-V but requires an additional
> component that is AMD specific and referred to in the specification as the
> Secure Loader, which the TrenchBoot project has an active prototype in
> development. Finally Arm's implementation is in specification development stage
> and the project is looking to support it when it becomes available.
>
> This patchset provides detailed documentation of DRTM, the approach used for
> adding the capbility, and relevant API/ABI documentation. In addition to the
> documentation the patch set introduces Intel TXT support as the first platform
> for Linux Secure Launch.
>
> A quick note on terminology. The larger open source project itself is called
> TrenchBoot, which is hosted on Github (links below). The kernel feature enabling
> the use of Dynamic Launch technology is referred to as "Secure Launch" within
> the kernel code. As such the prefixes sl_/SL_ or slaunch/SLAUNCH will be seen
> in the code. The stub code discussed above is referred to as the SL stub.

1. I don't see any tags in most of the patches so don't get the rush. This
   includes also patches for x86. Why I would care to review TPM patches
   when there is over a dozen unreviewed and untested patches before it?
2. TPM patches have been in circulation in and out of the patch set
   for some time now with little or no improvement.

Why the sudden buzz? I have not heard much about this since last early
summer.  Have to spend some time recalling what this is about anyway. I
cannot trust that my tags make any sense before more reviewed/tested-by
tags before the TPM patches.

BR, Jarkko



More information about the kexec mailing list