Skip to content

efi/preinstall: Don't require Platform Secure Boot on AMD#524

Merged
chrisccoulson merged 3 commits intocanonical:masterfrom
chrisccoulson:preinstall-relax-amd-checks
Mar 10, 2026
Merged

efi/preinstall: Don't require Platform Secure Boot on AMD#524
chrisccoulson merged 3 commits intocanonical:masterfrom
chrisccoulson:preinstall-relax-amd-checks

Conversation

@chrisccoulson
Copy link
Collaborator

@chrisccoulson chrisccoulson commented Mar 6, 2026

Based on the understanding that the ASP still acts as the root-of-trust
for measurement when PSB is disabled, permit platforms with an AMD CPU
when PSB is disabled. In this case, as firmware integrity is provided by
measured boot, we require profiles to be locked to PCR0 which is not
necessary when PSB is enabled.

@chrisccoulson chrisccoulson force-pushed the preinstall-relax-amd-checks branch from 9fad968 to 0d943e0 Compare March 6, 2026 17:55
@chrisccoulson chrisccoulson requested a review from pedronis March 6, 2026 17:55
pedronis
pedronis reviewed Mar 9, 2026
View reviewed changes
Copy link
Collaborator

@pedronis pedronis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

minor question

efi/preinstall/check_host_security_intel_test.go Outdated

func (s *hostSecurityIntelSuite) TestCheckHostSecurityIntelCPUDebuggingLockedDisabledCPUID(c *C) {
env := efitest.NewMockHostEnvironmentWithOpts(efitest.WithAMD64Environment("GenuineIntel", nil, 1, map[uint32]uint64{0xc80: 0}))
env := efitest.NewMockHostEnvironmentWithOpts(efitest.WithAMD64Environment("GenuineIntel", 0x12, nil, 1, map[uint32]uint64{0xc80: 0}))
Copy link
Collaborator

@pedronis pedronis Mar 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is 0x12 meant to be a realistic value here? same for other usages of it in the tests

Copy link
Collaborator Author

@chrisccoulson chrisccoulson Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is, although I've updated it to be a more likely value now - not that it matters too much as it's only used for the AMD checks.

@chrisccoulson
efi/preinstall: Don't require Platform Secure Boot on AMD
e55d961 
Based on the understanding that the ASP still acts as the root-of-trust
for measurement when PSB is disabled, permit platforms with an AMD CPU
when PSB is disabled. In this case, as firmware integrity is provided by
measured boot, we require profiles to be locked to PCR0 which is not
necessary when PSB is enabled.
@chrisccoulson chrisccoulson force-pushed the preinstall-relax-amd-checks branch from 0d943e0 to e55d961 Compare March 10, 2026 10:30
@chrisccoulson chrisccoulson requested a review from pedronis March 10, 2026 10:31
pedronis
pedronis approved these changes Mar 10, 2026
View reviewed changes
Copy link
Collaborator

@pedronis pedronis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

@chrisccoulson chrisccoulson merged commit 357a0e7 into canonical:master Mar 10, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pedronis pedronis pedronis approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@chrisccoulson @pedronis