Trenchboot Secure Launch Support For Linux Sees New Patches

For a while now Oracle engineers and others have been working on Trenchboot as a means of secure launch/boot support when paired with the likes of Intel TXT and AMD SKINIT for trusted execution and configuring each piece of the software boot chain for trusted/secure handling. The latest kernel patches have been sent out for review for secure launching of the kernel.

Earlier this year Oracle engineers sent out Linux kernel patches for Trenchboot while on Thursday the newest work surfaced.

These patches provide for Trenchboot secure dynamic launching of the Linux kernel. As explained in the patch series, "The Trenchboot project focus on boot security has led to the enabling of the Linux kernel to be directly invocable by the x86 Dynamic Launch instruction(s) for establishing a Dynamic Root of Trust for Measurement (DRTM). The dynamic launch will be initiated by a boot loader with associated support added to it, for example the first targeted boot loader will be GRUB2. An integral part of establishing the DRTM involves measuring everything that is intended to be run (kernel image, initrd, etc) and everything that will configure that kernel to run (command line, boot params, etc) into specific PCRs, the DRTM PCRs (17-22), in the TPM. Another key aspect is the dynamic launch is rooted in hardware, that is to say the hardware (CPU) is what takes the first measurement for the chain of integrity measurements. On Intel this is done using the GETSEC instruction provided by Intel's TXT and the SKINIT instruction provided by AMD's AMD-V."

This work is still coming together along with on the GRUB side, so it will be a while still before seeing such capabilities ready for deployment on the major Linux distributions, but hopefully it will get there in 2021. Those wanting to learn more about the Trenchboot project can do so via the GitHub project.