[GRUB RFC PATCH 00/22] i386: Intel TXT and AMD SKINIT secure launcher
From: Krystian Hebel
Subject: [GRUB RFC PATCH 00/22] i386: Intel TXT and AMD SKINIT secure launcher
Date: Tue, 10 Nov 2020 15:44:38 +0100

Hi,

This is an addition to the RFC patchset which introduced TrenchBoot support for
Intel TXT.

It includes all original patches sent by Daniel Kiper back in May, rebased on
the top of current master so the AMD-specific changes can be applied cleanly.
Additionally, a small bug fix to patch 18 was added - the original patch erroneously
passed the pre-relocated address of Linux's zero_page instead of the target one. No
other changes were made to the TXT code.

Support for AMD SKINIT was added on top of those patches. Apart from SKINIT
preparations it includes a small modification to the relocator and Linux boot
command, in a similar manner as was done for TXT.

Original cover letter by Daniel:

Hi,

This is an RFC patchset for the GRUB introducing the Intel TXT secure
launcher.

This is a part of larger work known as the TrenchBoot. Patchset can be split
into two distinct parts:
- 01-12: preparatory patches,
- 13-18: the Intel TXT secure launcher itself.

The initial implementation of the Intel TXT secure launcher works. However,
there are still some missing bits and pieces, e.g.:
- SINIT ACM auto loader,
- lack of RMRR support,
- lack of support for MLEs larger than 1 GiB,
- lack of TPM 1.2 support,
- various fixes and cleanups.

Commands introduced by this patchset: tpm_type, slaunch, slaunch_module (not
required on server platforms) and slaunch_state (useful for checking platform
configuration and state; based on tboot's txt-stat).

Daniel

Krystian Hebel (4):
i386/slaunch: Add code for searching for DRTM event log in ACPI
i386/skinit: Add AMD SKINIT definitions header file
i386/skinit: Add AMD SKINIT core implementation
i386/slaunch: Add support for AMD SKINIT
Norbert Kaminski (18):
i386/msr: Merge rdmsr.h and wrmsr.h into msr.h
i386/msr: Rename grub_msr_read() and grub_msr_write()
i386/msr: Extract and improve MSR support detection code
i386/memory: Rename PAGE_SHIFT to GRUB_PAGE_SHIFT
i386/memory: Rename PAGE_SIZE to GRUB_PAGE_SIZE and make it global
mmap: Add grub_mmap_get_lowest() and grub_mmap_get_highest()
i386/tpm: Rename tpm module to tpm_verifier
i386/tpm: Add TPM TIS and CRB driver
efi: Make shim_lock GUID and protocol type public
efi: Return grub_efi_status_t from grub_efi_get_variable()
efi: Add a function to read EFI variables with attributes
i386/efi: Report UEFI Secure Boot status to the Linux kernel
i386/slaunch: Add basic platform support for secure launch
i386/txt: Add Intel TXT definitions header file
i386/txt: Add Intel TXT core implementation
i386/txt: Add Intel TXT ACM module support
i386/txt: Add Intel TXT verification routines
i386/slaunch: Add secure launch framework and commands
docs/grub.texi | 15 +-
grub-core/Makefile.am | 3 +
grub-core/Makefile.core.def | 18 +-
grub-core/commands/efi/efifwsetup.c | 8 +-
grub-core/commands/efi/shim_lock.c | 12 -
grub-core/commands/i386/rdmsr.c | 25 +-
grub-core/commands/i386/tpm.c | 182 ++++
grub-core/commands/i386/wrmsr.c | 25 +-
grub-core/commands/{tpm.c => tpm_verifier.c} | 6 +-
grub-core/kern/efi/efi.c | 30 +-
grub-core/lib/i386/relocator32.S | 14 +
grub-core/lib/i386/xen/relocator.S | 6 +-
grub-core/lib/x86_64/xen/relocator.S | 4 +-
grub-core/loader/i386/bsd.c | 7 +
grub-core/loader/i386/linux.c | 320 ++++++-
grub-core/loader/i386/skinit.c | 162 ++++
grub-core/loader/i386/slaunch.c | 326 +++++++
grub-core/loader/i386/txt/acmod.c | 575 ++++++++++++
grub-core/loader/i386/txt/txt.c | 886 +++++++++++++++++++
grub-core/loader/i386/txt/verify.c | 297 +++++++
grub-core/loader/i386/xen.c | 61 +-
grub-core/loader/i386/xnu.c | 3 +
grub-core/loader/multiboot.c | 5 +
grub-core/mmap/mmap.c | 64 ++
grub-core/video/efi_gop.c | 2 +-
include/grub/efi/api.h | 19 +-
include/grub/efi/efi.h | 12 +-
include/grub/file.h | 3 +
include/grub/i386/cpuid.h | 13 +
include/grub/i386/crfr.h | 186 ++++
include/grub/i386/linux.h | 28 +-
include/grub/i386/memory.h | 8 +-
include/grub/i386/mmio.h | 90 ++
include/grub/i386/msr.h | 135 +++
include/grub/i386/{wrmsr.h => skinit.h} | 35 +-
include/grub/i386/slaunch.h | 64 ++
include/grub/i386/{rdmsr.h => tpm.h} | 31 +-
include/grub/i386/txt.h | 690 +++++++++++++++
include/grub/memory.h | 3 +
39 files changed, 4212 insertions(+), 161 deletions(-)
create mode 100644 grub-core/commands/i386/tpm.c
rename grub-core/commands/{tpm.c => tpm_verifier.c} (96%)
create mode 100644 grub-core/loader/i386/skinit.c
create mode 100644 grub-core/loader/i386/slaunch.c
create mode 100644 grub-core/loader/i386/txt/acmod.c
create mode 100644 grub-core/loader/i386/txt/txt.c
create mode 100644 grub-core/loader/i386/txt/verify.c
create mode 100644 include/grub/i386/crfr.h
create mode 100644 include/grub/i386/mmio.h
create mode 100644 include/grub/i386/msr.h
rename include/grub/i386/{wrmsr.h => skinit.h} (52%)
create mode 100644 include/grub/i386/slaunch.h
rename include/grub/i386/{rdmsr.h => tpm.h} (59%)
create mode 100644 include/grub/i386/txt.h
--
2.17.1