[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[GRUB PATCH RFC 22/22] i386/slaunch: Add support for AMD SKINIT
From: |
Krystian Hebel |
Subject: |
[GRUB PATCH RFC 22/22] i386/slaunch: Add support for AMD SKINIT |
Date: |
Tue, 10 Nov 2020 15:45:00 +0100 |
Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
---
grub-core/Makefile.core.def | 1 +
grub-core/lib/i386/relocator32.S | 6 ++++++
grub-core/loader/i386/linux.c | 30 +++++++++++++++++++++++++++++-
grub-core/loader/i386/slaunch.c | 21 ++++++++++++++++++++-
include/grub/i386/slaunch.h | 11 +++++++++--
5 files changed, 65 insertions(+), 4 deletions(-)
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index 204f9794dbce..68de5c07c060 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -1829,6 +1829,7 @@ module = {
x86 = loader/i386/txt/txt.c;
x86 = loader/i386/txt/acmod.c;
x86 = loader/i386/txt/verify.c;
+ x86 = loader/i386/skinit.c;
enable = x86;
};
diff --git a/grub-core/lib/i386/relocator32.S b/grub-core/lib/i386/relocator32.S
index a2b377197b16..2bdc07018a78 100644
--- a/grub-core/lib/i386/relocator32.S
+++ b/grub-core/lib/i386/relocator32.S
@@ -115,6 +115,9 @@ VARIABLE(grub_relocator32_edx)
cmpl $SLP_INTEL_TXT, %edi
je LOCAL(intel_txt)
+ cmpl $SLP_AMD_SKINIT, %edi
+ je LOCAL(amd_skinit)
+
.byte 0xea
VARIABLE(grub_relocator32_eip)
.long 0
@@ -123,6 +126,9 @@ VARIABLE(grub_relocator32_eip)
LOCAL(intel_txt):
getsec
+LOCAL(amd_skinit):
+ skinit
+
/* GDT. Copied from loader/i386/linux.c. */
.p2align 4
LOCAL(gdt):
diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
index d83912c17aad..dc4dcaa0a2ef 100644
--- a/grub-core/loader/i386/linux.c
+++ b/grub-core/loader/i386/linux.c
@@ -35,6 +35,7 @@
#include <grub/i18n.h>
#include <grub/lib/cmdline.h>
#include <grub/i386/slaunch.h>
+#include <grub/i386/skinit.h>
#include <grub/i386/txt.h>
#include <grub/linux.h>
#include <grub/machine/kernel.h>
@@ -233,7 +234,7 @@ allocate_pages (grub_size_t prot_size, grub_size_t *align,
prot_mode_mem = get_virtual_current_address (ch);
prot_mode_target = get_physical_target_address (ch);
- if (grub_slaunch_platform_type () == SLP_INTEL_TXT)
+ if (grub_slaunch_platform_type () != SLP_NONE)
{
slparams.mle_ptab_mem = prot_mode_mem;
slparams.mle_ptab_target = prot_mode_target;
@@ -803,6 +804,33 @@ grub_linux_boot (void)
state.ecx = slparams.sinit_acm_size;
state.edx = 0;
}
+ else if (state.edi == SLP_AMD_SKINIT)
+ {
+ grub_relocator_chunk_t ch;
+
+ slparams.params = ctx.real_mode_target;
+
+ /* Contrary to the TXT, on AMD we do not have vendor-provided blobs in
+ * reserved memory, we are using normal RAM */
+ err = grub_relocator_alloc_chunk_align (relocator, &ch,
+ 0, (0xffffffff - GRUB_SKINIT_SLB_SIZE),
+ GRUB_SKINIT_SLB_SIZE,
+ GRUB_SKINIT_SLB_ALIGN,
+ GRUB_RELOCATOR_PREFERENCE_LOW, 1);
+
+ if (err != GRUB_ERR_NONE)
+ return err;
+
+ slparams.lz_base = (grub_uint32_t) get_virtual_current_address (ch);
+ slparams.lz_size = grub_skinit_get_sl_size ();
+
+ err = grub_skinit_boot_prepare (&slparams);
+
+ if (err != GRUB_ERR_NONE)
+ return err;
+
+ state.eax = get_physical_target_address (ch);
+ }
else
{
/* FIXME. */
diff --git a/grub-core/loader/i386/slaunch.c b/grub-core/loader/i386/slaunch.c
index 3acd177afd3b..9df04ff96538 100644
--- a/grub-core/loader/i386/slaunch.c
+++ b/grub-core/loader/i386/slaunch.c
@@ -57,7 +57,8 @@ grub_cmd_slaunch (grub_command_t cmd __attribute__ ((unused)),
char *argv[] __attribute__ ((unused)))
{
grub_uint32_t manufacturer[3];
- grub_uint32_t eax;
+ grub_uint32_t eax, ebx, ecx, edx;
+ grub_uint64_t msr_value;
grub_err_t err;
if (!grub_cpu_is_cpuid_supported ())
@@ -79,6 +80,20 @@ grub_cmd_slaunch (grub_command_t cmd __attribute__
((unused)),
slp = SLP_INTEL_TXT;
}
+ else if (!grub_memcmp (manufacturer, "AuthenticAMD", 12))
+ {
+
+ grub_cpuid (GRUB_AMD_CPUID_FEATURES, eax, ebx, ecx, edx);
+ if (! (ecx & GRUB_SVM_CPUID_FEATURE) )
+ return grub_error (GRUB_ERR_BAD_DEVICE, N_("CPU does not support AMD
SVM"));
+
+ /* Check whether SVM feature is disabled in BIOS */
+ msr_value = grub_rdmsr (GRUB_MSR_AMD64_VM_CR);
+ if (msr_value & GRUB_MSR_SVM_VM_CR_SVM_DISABLE)
+ return grub_error (GRUB_ERR_BAD_DEVICE, N_("BIOS has AMD SVM
disabled"));
+
+ slp = SLP_AMD_SKINIT;
+ }
else
return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("CPU is unsupported"));
@@ -170,6 +185,10 @@ grub_cmd_slaunch_state (grub_command_t cmd __attribute__
((unused)),
grub_printf ("Secure launcher: Intel TXT\n");
grub_txt_state_show ();
}
+ else if (slp == SLP_AMD_SKINIT)
+ {
+ grub_printf ("Secure launcher: AMD SKINIT\n");
+ }
return GRUB_ERR_NONE;
}
diff --git a/include/grub/i386/slaunch.h b/include/grub/i386/slaunch.h
index e5c32152d285..18e10d82ffc7 100644
--- a/include/grub/i386/slaunch.h
+++ b/include/grub/i386/slaunch.h
@@ -24,6 +24,7 @@
/* Secure launch platform types. */
#define SLP_NONE 0
#define SLP_INTEL_TXT 1
+#define SLP_AMD_SKINIT 2
#define GRUB_SLAUNCH_TPM_EVT_LOG_SIZE (8 * GRUB_PAGE_SIZE)
@@ -42,8 +43,14 @@ struct grub_slaunch_params
grub_uint32_t mle_ptab_size;
grub_uint32_t mle_header_offset;
grub_uint64_t ap_wake_block;
- grub_uint32_t sinit_acm_base;
- grub_uint32_t sinit_acm_size;
+ union {
+ grub_uint32_t sinit_acm_base;
+ grub_uint32_t lz_base;
+ };
+ union {
+ grub_uint32_t sinit_acm_size;
+ grub_uint32_t lz_size;
+ };
grub_uint64_t tpm_evt_log_base;
grub_uint32_t tpm_evt_log_size;
};
--
2.17.1
- [GRUB PATCH RFC 11/22] efi: Add a function to read EFI variables with attributes, (continued)
- [GRUB PATCH RFC 11/22] efi: Add a function to read EFI variables with attributes, Krystian Hebel, 2020/11/10
- [GRUB PATCH RFC 15/22] i386/txt: Add Intel TXT core implementation, Krystian Hebel, 2020/11/10
- [GRUB PATCH RFC 17/22] i386/txt: Add Intel TXT verification routines, Krystian Hebel, 2020/11/10
- [GRUB PATCH RFC 16/22] i386/txt: Add Intel TXT ACM module support, Krystian Hebel, 2020/11/10
- [GRUB PATCH RFC 14/22] i386/txt: Add Intel TXT definitions header file, Krystian Hebel, 2020/11/10
- [GRUB PATCH RFC 13/22] i386/slaunch: Add basic platform support for secure launch, Krystian Hebel, 2020/11/10
- [GRUB PATCH RFC 18/22] i386/slaunch: Add secure launch framework and commands, Krystian Hebel, 2020/11/10
- [GRUB PATCH RFC 19/22] i386/slaunch: Add code for searching for DRTM event log in ACPI, Krystian Hebel, 2020/11/10
- [GRUB PATCH RFC 20/22] i386/skinit: Add AMD SKINIT definitions header file, Krystian Hebel, 2020/11/10
- [GRUB PATCH RFC 21/22] i386/skinit: Add AMD SKINIT core implementation, Krystian Hebel, 2020/11/10
- [GRUB PATCH RFC 22/22] i386/slaunch: Add support for AMD SKINIT,
Krystian Hebel <=
- Re: [GRUB RFC PATCH 00/22] i386: Intel TXT and AMD SKINIT secure launcher, Konrad Rzeszutek Wilk, 2020/11/10