| Message ID | 20200408221420.1087-1-erichte@linux.ibm.com |
|---|---|
| State | Rejected |
| Series | core/fast-reboot: disable fast-reboot when firmware secureboot is enabled |

| Context | Check | Description |
|---|---|---|
| snowpatch_ozlabs/apply_patch | success | Successfully applied on branch master (e991415a88dbfd6c1690c5c2d8840288f45ec925) |
| snowpatch_ozlabs/snowpatch_job_snowpatch-skiboot | fail | Test snowpatch/job/snowpatch-skiboot on branch master |
| snowpatch_ozlabs/snowpatch_job_snowpatch-skiboot-dco | success | Signed-off-by present |
On Thu, Apr 9, 2020 at 8:14 AM Eric Richter <erichte@linux.ibm.com> wrote:
>
> The possible impact of the current fast-reboot design on secure/trusted
> boot is unclear and will likely need additional review and testing.

Are you really expecting me to hard disable fast reboot on the basis
of "I don't understand what this does"?

We looked at it years ago and decided that the interaction with
firmware secureboot was fine since a fast-reboot is roughly the same
as a kexec between host kernels. If you think that's wrong (it might
be) then provide an actual explanation as to why.

Oliver
> On 14 Apr 2020, at 20:54, Oliver O'Halloran <oohall@gmail.com> wrote:
>
> On Thu, Apr 9, 2020 at 8:14 AM Eric Richter <erichte@linux.ibm.com> wrote:
>>
>> The possible impact of the current fast-reboot design on secure/trusted
>> boot is unclear and will likely need additional review and testing.
>
> Are you really expecting me to hard disable fast reboot on the basis
> of "I don't understand what this does"?
>
> We looked at it years ago and decided that the interaction with
> firmware secureboot was fine since a fast-reboot is roughly the same
> as a kexec between host kernels. If you think that's wrong (it might
> be) then provide an actual explanation as to why.

In band reboot can't ever be trusted anyway (how do you prove it did
reboot?), so I don't see how fast reboot is different.
On 4/14/20 10:54 PM, Oliver O'Halloran wrote:
> On Thu, Apr 9, 2020 at 8:14 AM Eric Richter <erichte@linux.ibm.com> wrote:
>>
>> The possible impact of the current fast-reboot design on secure/trusted
>> boot is unclear and will likely need additional review and testing.
>
> Are you really expecting me to hard disable fast reboot on the basis
> of "I don't understand what this does"?
>
> We looked at it years ago and decided that the interaction with
> firmware secureboot was fine since a fast-reboot is roughly the same
> as a kexec between host kernels. If you think that's wrong (it might
> be) then provide an actual explanation as to why.
>
> Oliver
>

We had concerns over OS secure boot, but after further discussions, decided
that this is something we will document and potentially address in a later
release.

There is a potential issue regarding trusted boot -- only the firmware
measurement log will be persisted. Any higher-level, non-resettable PCRs
will not be able to be recalculated, which is a definite problem with
IMA/kexec measurements in skiroot for example.

Since this isn't a strong blocking issue however, we will include a strong
recommendation against using this feature in our documentation.
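To make the trusted-boot concern in Eric's reply concrete, here is an added Python model; it is not part of the thread and not skiboot code. It models TPM 2.0 SHA-256 PCR extend, a verifier replaying an event log, and a fast reboot in which the TPM is never reset, the firmware event log is persisted and appended to, and the OS-level IMA log is lost with the old kernel. The event names and the firmware PCR numbers (0 and 4) are constructed for the example, PCR 10 is the Linux IMA convention, and the assumption that firmware re-measures its events on a fast reboot is the example's own.

```python
"""Added example (not skiboot code): why OS-level PCRs cannot be verified after a fast reboot."""
import hashlib

# TPM 2.0 SHA-256 PCRs read as 32 zero bytes after a TPM reset (assumption: platform reset only).
PCR_INIT = bytes(32)


def extend(pcr_value: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: new = SHA-256(old || digest). PCRs are never written, only extended."""
    return hashlib.sha256(pcr_value + digest).digest()


def replay(log):
    """What an attestation verifier does: recompute every PCR from an event log of (pcr_index, digest)."""
    pcrs = {}
    for idx, digest in log:
        pcrs[idx] = extend(pcrs.get(idx, PCR_INIT), digest)
    return pcrs


class TPM:
    """Minimal model of the non-resettable PCR bank (PCRs 0-16 on a real TPM)."""

    def __init__(self):
        self.pcrs = {}

    def reset(self):
        # Only a platform (cold) reset clears these PCRs; the fast-reboot path below never calls this.
        self.pcrs = {}

    def extend(self, idx, digest):
        self.pcrs[idx] = extend(self.pcrs.get(idx, PCR_INIT), digest)

    def read(self, idx):
        return self.pcrs.get(idx, PCR_INIT)


def measure(tpm, log, idx, event: bytes):
    """Measure an event: hash it, extend the PCR, and record the digest in the given log."""
    digest = hashlib.sha256(event).digest()
    tpm.extend(idx, digest)
    log.append((idx, digest))


# Constructed event sets. The firmware PCR numbers are made up; PCR 10 is the Linux IMA convention.
FIRMWARE_EVENTS = [(0, b"skiboot"), (4, b"skiroot kernel")]
OS_EVENTS = [(10, b"ima: /init"), (10, b"ima: /sbin/kexec")]


def verify(tpm, log):
    """Return the PCR indices covered by the log whose replayed value disagrees with the TPM."""
    expected = replay(log)
    return {idx for idx in expected if expected[idx] != tpm.read(idx)}


def cold_boot():
    """Platform reset: PCRs cleared, both logs start empty, then firmware and OS measure."""
    tpm = TPM()
    tpm.reset()
    fw_log, os_log = [], []
    for idx, event in FIRMWARE_EVENTS:
        measure(tpm, fw_log, idx, event)
    for idx, event in OS_EVENTS:
        measure(tpm, os_log, idx, event)
    return tpm, fw_log, os_log


def fast_reboot(tpm, fw_log):
    """Model of the concern raised in the thread: no TPM reset, the firmware log is persisted and
    appended to, the OS log is discarded with the old kernel, then firmware and the new kernel
    measure again (assumption: firmware re-measures on fast reboot)."""
    os_log = []
    for idx, event in FIRMWARE_EVENTS:
        measure(tpm, fw_log, idx, event)
    for idx, event in OS_EVENTS:
        measure(tpm, os_log, idx, event)
    return tpm, fw_log, os_log


def scenario():
    """Returns (unverifiable PCRs after a cold boot, unverifiable PCRs after a following fast reboot)."""
    tpm, fw_log, os_log = cold_boot()
    after_cold = verify(tpm, fw_log + os_log)
    tpm, fw_log, os_log = fast_reboot(tpm, fw_log)
    after_fast = verify(tpm, fw_log + os_log)
    return after_cold, after_fast


if __name__ == "__main__":
    cold, fast = scenario()
    print("after cold boot, unverifiable PCRs:", sorted(cold))
    print("after fast reboot, unverifiable PCRs:", sorted(fast))
```

After the fast reboot the firmware PCRs still replay correctly, because their log survived and grew with the re-measurement. PCR 10 does not: its value still carries the previous kernel's IMA extends, and no surviving log records them, which is the IMA/kexec-in-skiroot case Eric points at. Only a reset of the PCR bank, i.e. a real platform reset, gets the verifier back to a state it can reconstruct.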
diff --git a/core/fast-reboot.c b/core/fast-reboot.c index 02f0ca05..c4361bb1 100644 --- a/core/fast-reboot.c +++ b/core/fast-reboot.c @@ -23,6 +23,8 @@ #include <ipmi.h> #include <direct-controls.h> #include <nvram.h> +#include <types.h> +#include <secureboot.h> /* Flag tested by the OPAL entry code */ static volatile bool fast_boot_release; @@ -109,6 +111,12 @@ void fast_reboot(void) return; } + if (is_fw_secureboot()) { + prlog(PR_DEBUG, + "RESET: Fast reboot disabled by FW secureboot\n"); + return; + } + /* * Ensure all other CPUs have left OPAL calls. */
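Review bot: the added `#include <types.h>` in the include hunk looks redundant. The file already declares `static volatile bool fast_boot_release` in the context right below the includes, so `bool` is available without it, and `secureboot.h` is the only header the new check needs for `is_fw_secureboot()`. If `secureboot.h` itself depends on `types.h`, that include belongs inside `secureboot.h`; otherwise drop the line and keep the hunk to `+#include <secureboot.h>`.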
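Review bot: the new bail-out in `fast_reboot()` logs only at `PR_DEBUG`, so on a machine where an operator has deliberately enabled fast-reboot through the nvram parameters the commit message describes, the silent fall-through to a full reboot will look like fast-reboot being broken rather than a policy decision; `prlog(PR_NOTICE, "RESET: Fast reboot disabled by FW secureboot\n");` would make the cause visible in the normal log. The check also deserves a comment stating the actual concern (the reply in the thread names it: OS-level PCR extends cannot be recalculated from the firmware measurement log that is persisted), since the commit message only says the impact is "unclear", and the patch carries no documentation change at all (the diffstat touches only `core/fast-reboot.c`) even though the thread says the restriction will be documented.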
The possible impact of the current fast-reboot design on secure/trusted
boot is unclear, and will likely need additional review and testing.

While fast-reboot is disabled by default, it can be enabled by two nvram
parameters -- one of which circumvents the built-in disable_fast_reboot()
mechanism. This patch prevents all calls to fast_reboot() when firmware
secure boot is enabled.

Signed-off-by: Eric Richter <erichte@linux.ibm.com>
---
 core/fast-reboot.c | 8 ++++++++
 1 file changed, 8 insertions(+)