Hi Dionna/Qinkun
I am not sure if systemd is the last software in the guest we need to patch to 
support coexistence to extend the measurement.
Are you aware of any other Linux guest software that needs to be updated? Such as 
Linux IMA (Integrity Measurement Architecture)?

To move this forward.

In Intel, we had discussed and we did see the potential security risk. As I 
mentioned in the first email, "In case any guest component only knows 
one of vTPM or RTMR, and only extends one of vTPM or RTMR, but the other one 
only verifies the other, then the chain of trust is broken."

At the same time, we also respect that it might be a valid use case for Google.
I would like to ask for the opinion of the EDKII community, especially the OVMF and 
CC maintainers and reviewers.


Hi Ard Biesheuvel
Do you think Kernel is OK with this coexistence proposal?
Are you willing to give "reviewed-by"?

Hi Gerd Hoffman
Do you think RedHat is OK with this coexistence proposal?
Are you willing to give "reviewed-by"?

Hi James Bottomley
Do you think IBM is OK with this coexistence proposal?
Are you willing to give "reviewed-by"?

Hi Tom Lendacky/Michael Roth
Do you think AMD is OK with this coexistence proposal?
Are you willing to give "reviewed-by"?


Thank you
Yao, Jiewen
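As an added illustration of the risk described in the message above (example code added here, not from the thread or from OVMF, systemd or any other project named): a constructed simulation of one vTPM PCR (SHA-256 bank) and one RTMR (SHA-384), both using the extend rule new = H(old || digest). When a boot component extends only one register, a verifier that checks the other register finds the component's measurement missing, so that chain of trust is broken; extending both keeps both verifiers satisfied. Component names, sample data and register sizes are assumptions.

```python
import hashlib

# Constructed simulation: one PCR (SHA-256, 32 bytes) and one RTMR (SHA-384,
# 48 bytes). Both registers grow by the same rule: new = H(old || digest).
def extend(reg: bytes, digest: bytes, algo: str) -> bytes:
    return hashlib.new(algo, reg + digest).digest()

class Guest:
    def __init__(self):
        self.pcr, self.rtmr = bytes(32), bytes(48)
        self.tpm_log, self.cc_log = [], []   # (component, digest) event logs

    def measure(self, component, data, to_vtpm, to_rtmr):
        # A component that "only knows" one register extends only that one.
        if to_vtpm:
            d = hashlib.sha256(data).digest()
            self.pcr = extend(self.pcr, d, "sha256")
            self.tpm_log.append((component, d))
        if to_rtmr:
            d = hashlib.sha384(data).digest()
            self.rtmr = extend(self.rtmr, d, "sha384")
            self.cc_log.append((component, d))

def verify(log, reg, algo, expected):
    """Verifier for one register: replay the event log, compare with the
    reported register value, and require an event from every component the
    policy expects. True means the chain of trust is intact for this register."""
    replayed = bytes(len(reg))
    for _, d in log:
        replayed = extend(replayed, d, algo)
    seen = {c for c, _ in log}
    return replayed == reg and set(expected) == seen

def boot(bootloader_extends_both):
    """Assumed boot flow: firmware extends both registers; the bootloader
    extends only the vTPM unless told to extend both. Returns (tpm_ok, rtmr_ok)."""
    g = Guest()
    g.measure("firmware", b"firmware-volume (constructed)", True, True)
    g.measure("bootloader", b"uki-image (constructed)", True, bootloader_extends_both)
    policy = ["firmware", "bootloader"]
    tpm_ok = verify(g.tpm_log, g.pcr, "sha256", policy)
    rtmr_ok = verify(g.cc_log, g.rtmr, "sha384", policy)
    return tpm_ok, rtmr_ok

if __name__ == "__main__":
    print("bootloader extends only vTPM:", boot(False))  # (True, False)
    print("bootloader extends both:     ", boot(True))   # (True, True)
```

The replayed RTMR log is internally consistent in the broken case; the failure only shows up because the verifier's policy expects the bootloader's measurement, which is why a verifier that trusts one register cannot assume the other was extended.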


> -----Original Message-----
> From: Dionna Amalie Glaze <dionnagl...@google.com>
> Sent: Monday, March 25, 2024 11:29 PM
> To: Mikko Ylinen <mikko.yli...@linux.intel.com>
> Cc: Gerd Hoffmann <kra...@redhat.com>; Yao, Jiewen <jiewen....@intel.com>;
> qinkun Bao <qin...@google.com>; devel@edk2.groups.io; linux-
> c...@lists.linux.dev; Aktas, Erdem <erdemak...@google.com>; Ard Biesheuvel
> <a...@kernel.org>; Peter Gonda <pgo...@google.com>; James Bottomley
> <j...@linux.ibm.com>; Tom Lendacky <thomas.lenda...@amd.com>; Michael
> Roth <michael.r...@amd.com>
> Subject: Re: [RFC PATCH] OvmfPkg/SecurityPkg: Add build option for coexistance
> of vTPM and RTMR.
> 
> On Mon, Mar 25, 2024 at 6:07 AM Mikko Ylinen
> <mikko.yli...@linux.intel.com> wrote:
> >
> > > >
> > > > Looking at systemd-boot I see it will likewise not measure to both RTMR
> > > > and vTPM, but with reversed priority (use vTPM not RTMR in case both are
> > > > present).
> > > >
> > >
> > > Interesting. Thanks for this report. We'll push for the changed
> > > semantics here if the spec is indeed changed, and request partner
> > > distros in the CCC to include the updated systemd-boot.
> >
> > FWIW, my RTMRs patch to systemd was merged quite recently so it's not
> > included in any systemd release yet. (It was mainly implemented for the
> > UKI case that allows TDVF to boot a UKI image directly and then have the
> > image sections measured separately.)
> >
> 
> Thank you, I've proposed a change in
> https://github.com/systemd/systemd/pull/31939
> 
> 
> --
> -Dionna Glaze, PhD (she/her)

