Intel txt aem 2.06 testing #16
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
krystian-hebel
force-pushed
the
intel-txt-aem-2.06-testing
branch
3 times, most recently
from
fa228ba to
2a10c64
Compare
It does not make sense to have separate headers for separate static functions. Additionally, we have to add some constants with MSR addresses in subsequent patches. So, make one common place to store them. Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
... to grub_rdmsr() and grub_wrmsr() respectively. New names are more obvious than older ones. Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Currently rdmsr and wrmsr commands have own MSR support detection code. This code is the same. So, it is duplicated. Additionally, this code cannot be reused by others. Hence, extract this code to a function and make it public. By the way, improve a code a bit. Additionally, use GRUB_ERR_BAD_DEVICE instead of GRUB_ERR_BUG to signal an error because errors encountered by this new routine are not bugs. Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
...to avoid potential conflicts and confusion. Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Subsequent patches will use that constant. Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
…acros Subsequent patches will use those macros and constant. Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
The functions calculate lowest and highest available RAM addresses respectively. Both functions are needed to calculate PMR boundaries for Intel TXT secure launcher introduced by subsequent patches. Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
...to avoid naming collision with TPM TIS and CRB driver introduced by subsequent patch. Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
It will be used by Intel TXT secure launcher introduced by subsequent patches. Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com> Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
krystian-hebel
force-pushed
the
intel-txt-aem-2.06-testing
branch
from
2a10c64 to
66004ae
Compare
krystian-hebel
changed the base branch from
intel-txt-aem-2.06
to
intel-txt-aem-base
DemiMarie
suggested changes
Feb 5, 2024
grub-core/loader/i386/linux.c
Outdated
Comment on lines
184
to
188
| prot_size = ALIGN_UP (prot_size, GRUB_TXT_PMR_ALIGN); | ||
|
|
||
| if (prot_size > GRUB_TXT_MLE_MAX_SIZE) | ||
| { | ||
| err = GRUB_ERR_OUT_OF_RANGE; | ||
| goto fail; | ||
| } |
There was a problem hiding this comment.
Should these be reordered to make sure ALIGN_UP cannot overflow?
grub-core/loader/i386/linux.c
Outdated
Comment on lines
548
to
558
| /* TODO the initrd image and size can have hi bits but for now assume always < 4G */ | ||
| grub_slaunch_add_slrt_policy_entry (17, | ||
| GRUB_SLR_ET_RAMDISK, | ||
| /*flags=*/0, | ||
| boot_params->ramdisk_image, | ||
| boot_params->ramdisk_size, | ||
| "Measured Kernel initrd"); |
grub-core/loader/i386/linux.c
Outdated
| if (! ctx.real_mode_target) | ||
| return grub_error (GRUB_ERR_OUT_OF_MEMORY, "cannot allocate real mode pages"); | ||
|
|
||
| { | ||
| grub_relocator_chunk_t ch; | ||
| grub_size_t sz; | ||
|
|
||
| if (grub_add (ctx.real_size, efi_mmap_size, &sz)) | ||
| if (grub_add (ctx.real_size, efi_mmap_size + ap_wake_block_size, &sz)) |
|
|
||
| for (i = 0, cur = modules; i < modcnt; i++, cur = cur->next) | ||
| { | ||
| grub_slaunch_add_slrt_policy_entry (17, |
DemiMarie
reviewed
Feb 8, 2024
Comment on lines
+132
to
+133
| info_table_size = __builtin_offsetof (struct grub_txt_acm_info_table, length) | ||
| + sizeof(ptr->length); |
There was a problem hiding this comment.
I thought stddef.h is available in freestanding code. On my system (GCC with Fedora 39) it is provided by the compiler, not libc, and it only provides definitions for macros, structs, and typedefs that are defined by the compiler.
| return proc_id_list; | ||
| } | ||
|
|
||
| static int |
There was a problem hiding this comment.
typedef _Bool bool? That said, I thought <stdbool.h> was available even in freestanding mode. You don’t get a libc in freestanding mode, but <stdbool.h> is the compiler’s job to provide, not libc’s.
Comment on lines
+246
to
+258
| /* Can read the size field of next entry? */ | ||
| if ( grub_add (addr, sizeof(*next), &addr) ) | ||
| return NULL; | ||
|
|
||
| /* Does next element's header fit within the table? */ | ||
| if (addr >= grub_slr_end_of_entries (table)) | ||
| return NULL; | ||
|
|
||
| next = (struct grub_slr_entry_hdr *) (addr - sizeof(*next)); | ||
|
|
||
| /* Does next element fit within the table? */ | ||
| if (grub_slr_end_of_entries (table) - (addr - sizeof(*next)) < next->size) | ||
| return NULL; |
There was a problem hiding this comment.
Suggested change
| /* Can read the size field of next entry? */ | |
| if ( grub_add (addr, sizeof(*next), &addr) ) | |
| return NULL; | |
| /* Does next element's header fit within the table? */ | |
| if (addr >= grub_slr_end_of_entries (table)) | |
| return NULL; | |
| next = (struct grub_slr_entry_hdr *) (addr - sizeof(*next)); | |
| /* Does next element fit within the table? */ | |
| if (grub_slr_end_of_entries (table) - (addr - sizeof(*next)) < next->size) | |
| return NULL; | |
| /* Does next element's header fit within the table? */ | |
| if (addr >= grub_slr_end_of_entries (table) - sizeof(*next)) | |
| return NULL; | |
| next = (struct grub_slr_entry_hdr *) addr); | |
| /* Does next element fit within the table? */ | |
| if (grub_slr_end_of_entries (table) - addr < next->size) | |
| return NULL; | |
| /* Does next element include a header? */ | |
| if (next->size < sizeof(*next)) | |
| return NULL; |
krystian-hebel
commented
Feb 9, 2024
There was a problem hiding this comment.
@DemiMarie could you mark discussions as resolved wherever you're happy with the change?
Comment on lines
+132
to
+133
| info_table_size = __builtin_offsetof (struct grub_txt_acm_info_table, length) | ||
| + sizeof(ptr->length); |
There was a problem hiding this comment.
You're right, I've mistook it with stdint.h, which in theory is available since C99, but compilers still have problems with it.
In any case, GRUB seems to avoid standard headers in core code, except for stdarg.h. They are used in OS utilities and libraries, but not in the bootloader itself, so I don't feel comfortable including it just for this.
| return proc_id_list; | ||
| } | ||
|
|
||
| static int |
There was a problem hiding this comment.
Same reasoning as above.
DemiMarie
approved these changes
Feb 9, 2024
Comment on lines
+247
to
+273
| if (!entry) /* Start from the beginning */ | ||
| entry = (struct grub_slr_entry_hdr *)((grub_uint8_t *) table + sizeof(*table)); |
There was a problem hiding this comment.
That falls into the “input is known trusted here” case.
Comment on lines
+66
to
+67
| #define GRUB_MSR_EFER_LME (1<<8) /* Enable Long Mode/IA-32e */ | ||
| #define GRUB_MSR_EFER_LMA (1<<10) /* Long Mode/IA-32e Active */ |
There was a problem hiding this comment.
For some reason I could not find this in my copy, probably because I was not looking at the right place. Consider this resolved.
Comment on lines
+281
to
+288
| GRUB_MOD_INIT (slaunch) | ||
| { | ||
| cmd_slaunch = grub_register_command ("slaunch", grub_cmd_slaunch, | ||
| NULL, N_("Enable secure launcher")); | ||
| cmd_slaunch_module = grub_register_command ("slaunch_module", grub_cmd_slaunch_module, | ||
| NULL, N_("Load secure launcher module from file")); | ||
| cmd_slaunch_state = grub_register_command ("slaunch_state", grub_cmd_slaunch_state, | ||
| NULL, N_("Display secure launcher state")); |
Comment on lines
+132
to
+133
| info_table_size = __builtin_offsetof (struct grub_txt_acm_info_table, length) | ||
| + sizeof(ptr->length); |
| return proc_id_list; | ||
| } | ||
|
|
||
| static int |
krystian-hebel
commented
Feb 13, 2024
grub-core/loader/i386/txt/verify.c
Outdated
| N_("TXT heap is not configured correctly")); | ||
|
|
||
| bios_size = grub_txt_bios_data_size (txt_heap); | ||
| /* We support versions >= 4, but bios_data->mle_flags is in versions >= 5. */ |
There was a problem hiding this comment.
Great, SNB_IVB_SINIT_20190708_PW.bin is version 4 but it has mle_flags. Fu Thanks, Intel.
Some of the commands declared in header files will be implemented in the follow-up commits. Signed-off-by: Ross Philipson <ross.philipson@oracle.com> Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com> Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
krystian-hebel
force-pushed
the
intel-txt-aem-2.06-testing
branch
from
efdb40d to
d57eb43
Compare
GitHub isn’t allowing it, sadly. |
DemiMarie
approved these changes
Feb 16, 2024
DemiMarie
approved these changes
Feb 19, 2024
|
Those two sneaky errors were breaking boot on Optiplex... I'll redo the same tests on HP just in case before clearing debug output and finally preparing patches for qubes-grub2 |
Provide definitions of structures and basic functions for constructing and parsing of SLRT. Signed-off-by: Ross Philipson <ross.philipson@oracle.com> Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
Signed-off-by: Ross Philipson <ross.philipson@oracle.com> Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Ross Philipson <ross.philipson@oracle.com> Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com> Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com> Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
Signed-off-by: Ross Philipson <ross.philipson@oracle.com> Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com> Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
Signed-off-by: Ross Philipson <ross.philipson@oracle.com> Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com> Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com> Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
Signed-off-by: Ross Philipson <ross.philipson@oracle.com> Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
Signed-off-by: Ross Philipson <ross.philipson@oracle.com> Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com> Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
GRUB_MULTIBOOT(get_mbi_size) doesn't look like an accurate source of the final size, more like a minimal memory buffer size. Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
The code makes sure that MBI entry goes first in DRTM, so the payload can measure it first on launch. SLRT table is allocated on the heap first, size for it is reserved inside TXT heap by TXT code and data is later copied into its final place. Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com> Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com> Signed-off-by: Tomasz Żyjewski <tomasz.zyjewski@3mdeb.com> Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
krystian-hebel
force-pushed
the
intel-txt-aem-2.06-testing
branch
from
9dc582a to
58c9a06
Compare
|
No regression on HP, debug output cleared, fixes squashed to appropriate commits. Running per-commit build test (for bisectability) and will send patches tomorrow. |
krystian-hebel
added a commit
to 3mdeb/qubes-grub2
that referenced
this pull request
Feb 21, 2024
Reviewed on TrenchBoot/grub#16 Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
|
@DemiMarie can you send me signed message with commit ID which you approve (can be pasted clearsigned here, or via email)? |
DemiMarie
approved these changes
Feb 22, 2024
|
Cleanup: @krystian-hebel, so this got upstreamed and we won't need this PR and branches anymore? |
FSVO upstreamed, it was implemented in Qubes GRUB repo. Can be closed. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.