From: Tony C. <tc...@re...> - 2022-06-18 14:36:33

On 6/18/2022 8:08 AM, lukasz hawrylko wrote:
> Re: [PATCH] 20_linux_tboot: efi logic was inverted
>
> The 'noefi' flag tells the kernel that even if the current system is EFI based
> it must not use EFI services (to be precise, EFI Runtime Services).
> This is required because EFI is not a part of the TXT TCB. After the system
> enters the TXT environment it must execute only code that is measured.
> As EFI (and BIOS in general) is not measured from the TXT perspective, you
> are not allowed to use it. That's why the 'noefi' flag is added.
>
> The logic is correct in the original version. When an EFI-capable system is
> detected it adds the 'noefi' flag to prevent the kernel from using EFI. On
> non-EFI systems this flag is pointless because the kernel can't use EFI
> services if they do not exist.
>
> If removing the 'noefi' flag solves your issue, you should find out why.
> Maybe there is some information that the kernel retrieves from EFI Runtime
> Services that is required to properly boot the platform. If this is the
> case, the only way to fix this correctly is to get this information in
> tboot, before GETSEC[SENTER], and then in some way pass it to the
> kernel.

You are correct. The chain of trust does not include the EFI runtime.

The system having the problem was using VROC. Intel confirms that VROC cannot operate without EFI. They also confirmed the logical conclusion that tboot and VROC are incompatible. So, this is not a bug.