Re: [PATCH 00/24] i386: Intel TXT and AMD SKINIT secure launcher
From: Sergii Dmytruk
Subject: Re: [PATCH 00/24] i386: Intel TXT and AMD SKINIT secure launcher
Date: Wed, 11 Sep 2024 20:18:57 +0300
Ping.
Tip of the day: patches 01-07 and 18 are no-brainers.
Initial submission with all the patches can be seen in the archive at
https://lists.gnu.org/archive/html/grub-devel/2024-08/msg00088.html
On Mon, Aug 26, 2024 at 03:44:10PM +0300, Sergii Dmytruk wrote:
> Hello,
>
> [Resending cover letter because I messed up the subject on first try.]
>
> This is the third installment of sending [TrenchBoot] code changes to this
> mailing list. Previous ones ([take-1], [take-2]) didn't really go far. This
> one somewhat differs because 4 years have passed and EFI changes aren't
> included (there is Linux and Multiboot2).
>
> There are a lot of changes in here and maybe it will be easier to break patches
> into several series to facilitate review, but posting everything together this
> time.
>
> The patches form several groups:
> 1. [01-07] Various small code refactoring in preparation for later commits
> (tiny diffs that should have no functional changes)
> 2. [08-09] TPM-related part (`tpm` module rename, addition of a simple TPM
> driver) (relatively small in size)
> 3. [11-12] SecureLaunch with its SLRT (lots of definitions)
> 4. [13-16] Support for Intel TXT D-RTM (the bulk of the patches)
> 5. [17] Implementation of SecureLaunch commands
> 6. [18] Fix of a leak noticed by accident (tiny)
> 7. [19-20] Multiboot2 support for Intel TXT (medium)
> 8. [21-24] Support for AMD SKINIT D-RTM (medium size when combined)
>
> If it's of any use, most of the patches have already seen some review and were
> accepted into GRUB2 package of Qubes OS [qubes-review]. This work in general
> is related to anti-evil-maid used in QubesOS, more details can be found in
> [project-v1] and [project-v2], there is also a series of blog
> posts ([aem-1]..[aem-4]). Some information about testing is available at
> [testing].
>
> This set of changes can also be viewed on GitHub at [TrenchBoot/grub].
>
> The Linux part is on its ninth version on LKML [linux-v9]. It doesn't have AMD
> changes, but that's a small part and it will be added in the near future.
>
> Best regards,
> Sergii
>
> [TrenchBoot]: https://trenchboot.org/
> [take-1]: https://lists.gnu.org/archive/html/grub-devel/2020-05/msg00011.html
> [take-2]: https://lists.gnu.org/archive/html/grub-devel/2020-11/msg00050.html
>
> [qubes-review]: https://github.com/QubesOS/qubes-grub2/pull/13
>
> [project-v1]: https://docs.dasharo.com/projects/trenchboot-aem/
> [project-v2]: https://docs.dasharo.com/projects/trenchboot-aem-v2/
>
> [aem-1]: https://blog.3mdeb.com/2023/2023-01-31-trenchboot-aem-for-qubesos/
> [aem-2]: https://blog.3mdeb.com/2023/2023-09-27-aem_phase2/
> [aem-3]: https://blog.3mdeb.com/2024/2024-01-12-aem_phase3/
> [aem-4]: https://blog.3mdeb.com/2024/2024-04-11-aem_phase4/
>
> [testing]: https://trenchboot.org/documentation/test_matrix/
> [TrenchBoot/grub]: https://github.com/TrenchBoot/grub/compare/b53ec06...tb-2.12-57-v1
>
> [linux-v9]: https://lkml.org/lkml/2024/5/30/1226
>
> Daniel Kiper (8):
> i386/msr: Merge rdmsr.h and wrmsr.h into msr.h
> i386/msr: Rename grub_msr_read() and grub_msr_write()
> i386/msr: Extract and improve MSR support detection code
> i386/memory: Rename PAGE_SHIFT to GRUB_PAGE_SHIFT
> i386/memory: Rename PAGE_SIZE to GRUB_PAGE_SIZE and make it global
> mmap: Add grub_mmap_get_lowest() and grub_mmap_get_highest()
> i386/tpm: Rename tpm module to tpm_verifier
> i386/tpm: Add TPM TIS and CRB driver
>
> Krystian Hebel (4):
> i386/memory: Define GRUB_PAGE_MASK constant and GRUB_PAGE_{UP,DOWN} macros
> i386/skinit: Add AMD SKINIT implementation
> i386/slaunch: Add support for AMD SKINIT
> multiboot2: Support AMD SKINIT
>
> Michał Żygowski (2):
> i386/txt: Initialize TPM 1.2 event log in TXT heap
> multiboot2: Implement TXT slaunch support
>
> Ross Philipson (8):
> include/grub: Introduce Secure Launch Resource Table (SLRT)
> i386/slaunch: Add basic platform support for secure launch
> i386/txt: Add Intel TXT definitions header file
> i386/txt: Add Intel TXT core implementation
> i386/txt: Add Intel TXT ACM module support
> i386/txt: Add Intel TXT verification routines
> i386/slaunch: Add secure launch framework and commands
> i386/linux: Add support for AMD SKINIT
>
> Sergii Dmytruk (2):
> loader/i386/linux.c: Fix cleanup if kernel doesn't support 64-bit addressing
> multiboot: Make GRUB_MULTIBOOT(make_mbi) return MBI's size
>
> docs/grub.texi | 15 +-
> grub-core/Makefile.am | 6 +
> grub-core/Makefile.core.def | 18 +-
> grub-core/commands/i386/rdmsr.c | 25 +-
> grub-core/commands/i386/tpm.c | 151 +++
> grub-core/commands/i386/wrmsr.c | 25 +-
> grub-core/commands/{tpm.c => tpm_verifier.c} | 6 +-
> grub-core/lib/i386/relocator32.S | 14 +
> grub-core/lib/i386/xen/relocator.S | 6 +-
> grub-core/lib/x86_64/xen/relocator.S | 4 +-
> grub-core/loader/i386/bsd.c | 4 +
> grub-core/loader/i386/coreboot/chainloader.c | 2 +
> grub-core/loader/i386/linux.c | 345 +++++-
> grub-core/loader/i386/multiboot_mbi.c | 4 +-
> grub-core/loader/i386/pc/plan9.c | 3 +-
> grub-core/loader/i386/skinit.c | 156 +++
> grub-core/loader/i386/slaunch.c | 337 ++++++
> grub-core/loader/i386/txt/acmod.c | 605 ++++++++++
> grub-core/loader/i386/txt/txt.c | 1110 ++++++++++++++++++
> grub-core/loader/i386/txt/verify.c | 277 +++++
> grub-core/loader/i386/xen.c | 61 +-
> grub-core/loader/i386/xnu.c | 3 +
> grub-core/loader/multiboot.c | 34 +-
> grub-core/loader/multiboot_elfxx.c | 88 +-
> grub-core/loader/multiboot_mbi2.c | 118 +-
> grub-core/mmap/mmap.c | 83 ++
> include/grub/file.h | 3 +
> include/grub/i386/cpuid.h | 12 +
> include/grub/i386/crfr.h | 127 ++
> include/grub/i386/linux.h | 14 +-
> include/grub/i386/memory.h | 8 +-
> include/grub/i386/mmio.h | 72 ++
> include/grub/i386/msr.h | 137 +++
> include/grub/i386/{wrmsr.h => skinit.h} | 29 +-
> include/grub/i386/slaunch.h | 90 ++
> include/grub/i386/{rdmsr.h => tpm.h} | 30 +-
> include/grub/i386/txt.h | 742 ++++++++++++
> include/grub/memory.h | 3 +
> include/grub/multiboot.h | 2 +-
> include/grub/multiboot2.h | 5 +-
> include/grub/slr_table.h | 328 ++++++
> 41 files changed, 4964 insertions(+), 138 deletions(-)
> create mode 100644 grub-core/commands/i386/tpm.c
> rename grub-core/commands/{tpm.c => tpm_verifier.c} (97%)
> create mode 100644 grub-core/loader/i386/skinit.c
> create mode 100644 grub-core/loader/i386/slaunch.c
> create mode 100644 grub-core/loader/i386/txt/acmod.c
> create mode 100644 grub-core/loader/i386/txt/txt.c
> create mode 100644 grub-core/loader/i386/txt/verify.c
> create mode 100644 include/grub/i386/crfr.h
> create mode 100644 include/grub/i386/mmio.h
> create mode 100644 include/grub/i386/msr.h
> rename include/grub/i386/{wrmsr.h => skinit.h} (54%)
> create mode 100644 include/grub/i386/slaunch.h
> rename include/grub/i386/{rdmsr.h => tpm.h} (59%)
> create mode 100644 include/grub/i386/txt.h
> create mode 100644 include/grub/slr_table.h
>
> --
> 2.46.0
>