On Fri, Mar 28, 2025 at 04:07:55PM -0700, Ross Philipson wrote:
> The larger focus of the TrenchBoot project (https://github.com/TrenchBoot) is to
> enhance the boot security and integrity in a unified manner. The first area of
> focus has been on the Trusted Computing Group's Dynamic Launch for establishing
> a hardware Root of Trust for Measurement, also known as DRTM (Dynamic Root of
> Trust for Measurement). The project has been and continues to work on providing
> a unified means to Dynamic Launch that is cross-platform (Intel and AMD) and
> cross-architecture (x86 and Arm), with our recent involvement in the upcoming
> Arm DRTM specification. The order of introducing DRTM to the Linux kernel
> follows the maturity of DRTM in the architectures. Intel's Trusted eXecution
> Technology (TXT) is present today and only requires a preamble loader, e.g. a
> boot loader, and an OS kernel that is TXT-aware. AMD's DRTM implementation has
> been present since the introduction of AMD-V but requires an additional
> component that is AMD specific and referred to in the specification as the
> Secure Loader, for which the TrenchBoot project has an active prototype in
> development. Finally, Arm's implementation is in the specification development
> stage and the project is looking to support it when it becomes available.
>
> This patchset provides detailed documentation of DRTM, the approach used for
> adding the capability, and relevant API/ABI documentation. In addition to the
> documentation the patch set introduces Intel TXT support as the first platform
> for Linux Secure Launch.
>
> A quick note on terminology. The larger open source project itself is called
> TrenchBoot, which is hosted on GitHub (links below). The kernel feature enabling
> the use of Dynamic Launch technology is referred to as "Secure Launch" within
> the kernel code. As such the prefixes sl_/SL_ or slaunch/SLAUNCH will be seen
> in the code. The stub code discussed above is referred to as the SL stub.

I did a quick recap of the TPM patches and it still looks good as far as I'm
concerned. I'm not actively reviewing these anymore, but I'll do a sanity
check per patch set version.

BR, Jarkko