grub-devel

Re: [PATCH 00/24] i386: Intel TXT and AMD SKINIT secure launcher


From: Sergii Dmytruk
Subject: Re: [PATCH 00/24] i386: Intel TXT and AMD SKINIT secure launcher
Date: Wed, 11 Sep 2024 20:18:57 +0300

Ping.

Tip of the day: patches 01-07 and 18 are no-brainers.

Initial submission with all the patches can be seen in the archive at

    https://lists.gnu.org/archive/html/grub-devel/2024-08/msg00088.html

On Mon, Aug 26, 2024 at 03:44:10PM +0300, Sergii Dmytruk wrote:
> Hello,
>
> [Resending cover letter because I messed up the subject on first try.]
>
> This is the third installment of sending [TrenchBoot] code changes to this
> mailing list.  Previous ones ([take-1], [take-2]) didn't really go far.  This
> one somewhat differs because 4 years have passed and EFI changes aren't
> included (there is Linux and Multiboot2).
>
> There are a lot of changes in here and maybe it will be easier to break patches
> into several series to facilitate review, but posting everything together this
> time.
>
> The patches form several groups:
>  1. [01-07]  Various small code refactoring in preparation for later commits
>              (tiny diffs that should have no functional changes)
>  2. [08-09]  TPM-related part (`tpm` module rename, addition of a simple TPM
>              driver) (relatively small in size)
>  3. [11-12]  SecureLaunch with its SLRT (lots of definitions)
>  4. [13-16]  Support for Intel TXT D-RTM (the bulk of the patches)
>  5. [17]     Implementation of SecureLaunch commands
>  6. [18]     Fix of a leak noticed by accident (tiny)
>  7. [19-20]  Multiboot2 support for Intel TXT (medium)
>  8. [21-24]  Support for AMD SKINIT D-RTM (medium size when combined)
>
> If it's of any use, most of the patches have already seen some review and were
> accepted into GRUB2 package of Qubes OS [qubes-review].  This work in general
> is related to anti-evil-maid used in QubesOS, more details can be found in
> [project-v1] and [project-v2], there is also a series of blog
> posts ([aem-1]..[aem-4]).  Some information about testing is available at
> [testing].
>
> This set of changes can also be viewed on GitHub at [TrenchBoot/grub].
>
> The Linux part is on its ninth version on LKML [linux-v9].  It doesn't have AMD
> changes, but that's a small part and it will be added in the near future.
>
> Best regards,
> Sergii
>
> [TrenchBoot]: https://trenchboot.org/
> [take-1]: https://lists.gnu.org/archive/html/grub-devel/2020-05/msg00011.html
> [take-2]: https://lists.gnu.org/archive/html/grub-devel/2020-11/msg00050.html
>
> [qubes-review]: https://github.com/QubesOS/qubes-grub2/pull/13
>
> [project-v1]: https://docs.dasharo.com/projects/trenchboot-aem/
> [project-v2]: https://docs.dasharo.com/projects/trenchboot-aem-v2/
>
> [aem-1]: https://blog.3mdeb.com/2023/2023-01-31-trenchboot-aem-for-qubesos/
> [aem-2]: https://blog.3mdeb.com/2023/2023-09-27-aem_phase2/
> [aem-3]: https://blog.3mdeb.com/2024/2024-01-12-aem_phase3/
> [aem-4]: https://blog.3mdeb.com/2024/2024-04-11-aem_phase4/
>
> [testing]: https://trenchboot.org/documentation/test_matrix/
> [TrenchBoot/grub]: https://github.com/TrenchBoot/grub/compare/b53ec06...tb-2.12-57-v1
>
> [linux-v9]: https://lkml.org/lkml/2024/5/30/1226
>
> Daniel Kiper (8):
>   i386/msr: Merge rdmsr.h and wrmsr.h into msr.h
>   i386/msr: Rename grub_msr_read() and grub_msr_write()
>   i386/msr: Extract and improve MSR support detection code
>   i386/memory: Rename PAGE_SHIFT to GRUB_PAGE_SHIFT
>   i386/memory: Rename PAGE_SIZE to GRUB_PAGE_SIZE and make it global
>   mmap: Add grub_mmap_get_lowest() and grub_mmap_get_highest()
>   i386/tpm: Rename tpm module to tpm_verifier
>   i386/tpm: Add TPM TIS and CRB driver
>
> Krystian Hebel (4):
>   i386/memory: Define GRUB_PAGE_MASK constant and GRUB_PAGE_{UP,DOWN}
>     macros
>   i386/skinit: Add AMD SKINIT implementation
>   i386/slaunch: Add support for AMD SKINIT
>   multiboot2: Support AMD SKINIT
>
> Michał Żygowski (2):
>   i386/txt: Initialize TPM 1.2 event log in TXT heap
>   multiboot2: Implement TXT slaunch support
>
> Ross Philipson (8):
>   include/grub: Introduce Secure Launch Resource Table (SLRT)
>   i386/slaunch: Add basic platform support for secure launch
>   i386/txt: Add Intel TXT definitions header file
>   i386/txt: Add Intel TXT core implementation
>   i386/txt: Add Intel TXT ACM module support
>   i386/txt: Add Intel TXT verification routines
>   i386/slaunch: Add secure launch framework and commands
>   i386/linux: Add support for AMD SKINIT
>
> Sergii Dmytruk (2):
>   loader/i386/linux.c: Fix cleanup if kernel doesn't support 64-bit
>     addressing
>   multiboot: Make GRUB_MULTIBOOT(make_mbi) return MBI's size
>
>  docs/grub.texi                               |   15 +-
>  grub-core/Makefile.am                        |    6 +
>  grub-core/Makefile.core.def                  |   18 +-
>  grub-core/commands/i386/rdmsr.c              |   25 +-
>  grub-core/commands/i386/tpm.c                |  151 +++
>  grub-core/commands/i386/wrmsr.c              |   25 +-
>  grub-core/commands/{tpm.c => tpm_verifier.c} |    6 +-
>  grub-core/lib/i386/relocator32.S             |   14 +
>  grub-core/lib/i386/xen/relocator.S           |    6 +-
>  grub-core/lib/x86_64/xen/relocator.S         |    4 +-
>  grub-core/loader/i386/bsd.c                  |    4 +
>  grub-core/loader/i386/coreboot/chainloader.c |    2 +
>  grub-core/loader/i386/linux.c                |  345 +++++-
>  grub-core/loader/i386/multiboot_mbi.c        |    4 +-
>  grub-core/loader/i386/pc/plan9.c             |    3 +-
>  grub-core/loader/i386/skinit.c               |  156 +++
>  grub-core/loader/i386/slaunch.c              |  337 ++++++
>  grub-core/loader/i386/txt/acmod.c            |  605 ++++++++++
>  grub-core/loader/i386/txt/txt.c              | 1110 ++++++++++++++++++
>  grub-core/loader/i386/txt/verify.c           |  277 +++++
>  grub-core/loader/i386/xen.c                  |   61 +-
>  grub-core/loader/i386/xnu.c                  |    3 +
>  grub-core/loader/multiboot.c                 |   34 +-
>  grub-core/loader/multiboot_elfxx.c           |   88 +-
>  grub-core/loader/multiboot_mbi2.c            |  118 +-
>  grub-core/mmap/mmap.c                        |   83 ++
>  include/grub/file.h                          |    3 +
>  include/grub/i386/cpuid.h                    |   12 +
>  include/grub/i386/crfr.h                     |  127 ++
>  include/grub/i386/linux.h                    |   14 +-
>  include/grub/i386/memory.h                   |    8 +-
>  include/grub/i386/mmio.h                     |   72 ++
>  include/grub/i386/msr.h                      |  137 +++
>  include/grub/i386/{wrmsr.h => skinit.h}      |   29 +-
>  include/grub/i386/slaunch.h                  |   90 ++
>  include/grub/i386/{rdmsr.h => tpm.h}         |   30 +-
>  include/grub/i386/txt.h                      |  742 ++++++++++++
>  include/grub/memory.h                        |    3 +
>  include/grub/multiboot.h                     |    2 +-
>  include/grub/multiboot2.h                    |    5 +-
>  include/grub/slr_table.h                     |  328 ++++++
>  41 files changed, 4964 insertions(+), 138 deletions(-)
>  create mode 100644 grub-core/commands/i386/tpm.c
>  rename grub-core/commands/{tpm.c => tpm_verifier.c} (97%)
>  create mode 100644 grub-core/loader/i386/skinit.c
>  create mode 100644 grub-core/loader/i386/slaunch.c
>  create mode 100644 grub-core/loader/i386/txt/acmod.c
>  create mode 100644 grub-core/loader/i386/txt/txt.c
>  create mode 100644 grub-core/loader/i386/txt/verify.c
>  create mode 100644 include/grub/i386/crfr.h
>  create mode 100644 include/grub/i386/mmio.h
>  create mode 100644 include/grub/i386/msr.h
>  rename include/grub/i386/{wrmsr.h => skinit.h} (54%)
>  create mode 100644 include/grub/i386/slaunch.h
>  rename include/grub/i386/{rdmsr.h => tpm.h} (59%)
>  create mode 100644 include/grub/i386/txt.h
>  create mode 100644 include/grub/slr_table.h
>
> --
> 2.46.0
>


