# HG changeset patch
# User Timo Lindfors <timo.lindf...@iki.fi>
# Date 1647554330 -7200
#      Thu Mar 17 23:58:50 2022 +0200
# Node ID 538c14b1428d0625ebb3f9c3cae21656fd4c3b06
# Parent  e45ccbe6bf59ba534ad628f7be45e7c34629e19b
Allow selecting only SINIT modules that match platform
This introduces GRUB_TBOOT_SINIT_SELECT_MATCHING that defaults to
false.

Signed-off-by: Timo Lindfors <timo.lindf...@iki.fi>

diff -r e45ccbe6bf59 -r 538c14b1428d tboot/20_linux_tboot
--- a/tboot/20_linux_tboot      Thu Mar 17 23:58:45 2022 +0200
+++ b/tboot/20_linux_tboot      Thu Mar 17 23:58:50 2022 +0200
@@ -40,6 +40,7 @@
 [ -z "${GRUB_CMDLINE_LINUX_TBOOT}" ] && unset GRUB_CMDLINE_LINUX_TBOOT
 [ -z "${GRUB_TBOOT_POLICY_DATA}" ] && unset GRUB_TBOOT_POLICY_DATA
 [ -z "${GRUB_TBOOT_SINIT_LIST}" ] && unset GRUB_TBOOT_SINIT_LIST
+[ -z "${GRUB_TBOOT_SINIT_SELECT_MATCHING}" ] && unset GRUB_TBOOT_SINIT_SELECT_MATCHING
 # Command line for tboot itself
 : ${GRUB_CMDLINE_TBOOT='logging=serial,memory,vga'}
 # Linux kernel parameters to append for tboot
@@ -48,6 +49,8 @@
 : ${GRUB_TBOOT_POLICY_DATA=''}
 # List of SINIT modules to use, glob patterns are supported
 : ${GRUB_TBOOT_SINIT_LIST='/boot/*sinit* /boot/*SINIT*'}
+# Use only SINIT modules that match the current platform
+: ${GRUB_TBOOT_SINIT_SELECT_MATCHING='false'}
 
 export TEXTDOMAIN=grub
 export TEXTDOMAINDIR=${prefix}/share/locale
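Review bot: The comment on the new default does not say which values enable the option or when the match is evaluated. The later test is `= "xtrue"`, so `1`, `yes` or `TRUE` leave filtering off without any message. I would expand the comment to something like `# Set to 'true' (exact, lowercase) to keep only SINIT modules that txt-acminfo reports as matching the machine running this script; needs txt-acminfo and the msr device`. The same comment is added in tboot/20_linux_xen_tboot and would need the same wording.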
@@ -164,8 +167,16 @@
 tboot_list=`for i in /boot/tboot*.gz; do
         if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi
       done`
+if [ "x${GRUB_TBOOT_SINIT_SELECT_MATCHING}" = "xtrue" ] && [ ! -e /dev/cpu/0/msr ]; then
+  modprobe msr
+fi
 sinit_list=`for i in ${GRUB_TBOOT_SINIT_LIST}; do
         basename=$(basename $i)
+        if [ "x${GRUB_TBOOT_SINIT_SELECT_MATCHING}" = "xtrue" ] \
+            && ! txt-acminfo "$i" | grep -qx "ACM matches platform"; then
+          # Skip SINIT that does not match
+          continue
+        fi
         if grub_file_is_not_garbage "$i" ; then echo -n "$basename " ; fi
       done`
 if [ -n "${GRUB_TBOOT_POLICY_DATA}" ]; then
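Review bot: With `GRUB_TBOOT_SINIT_SELECT_MATCHING` set to `true`, every failure of the new check ends in the same silent result, an empty `sinit_list`: the status of `modprobe msr` is ignored, `txt-acminfo` may not be installed, and any error from `txt-acminfo "$i"` makes `grep -qx` fail so the loop skips the module. The generated entry would then carry no SINIT module, and presumably tboot cannot do a measured launch on that boot, yet nothing is reported at generation time. I would warn on stderr (stdout of these scripts ends up in the generated configuration) when the tool or the MSR device is unavailable and when the filtered list comes out empty, as sketched below. Since the match is evaluated on the machine running the script, a configuration generated in a chroot or image build would be filtered for the build host rather than the target. The matching hunk in tboot/20_linux_xen_tboot has the same issue, and the top-level script continues outside both hunks.

```shell
if [ "x${GRUB_TBOOT_SINIT_SELECT_MATCHING}" = "xtrue" ]; then
  if ! command -v txt-acminfo >/dev/null 2>&1; then
    echo "tboot: txt-acminfo not found, cannot select matching SINIT modules" >&2
  elif [ ! -e /dev/cpu/0/msr ] && ! modprobe msr; then
    echo "tboot: could not load the msr module, SINIT matching will fail" >&2
  fi
fi
# … unchanged: sinit_list loop with the txt-acminfo filter …
if [ "x${GRUB_TBOOT_SINIT_SELECT_MATCHING}" = "xtrue" ] && [ -z "${sinit_list}" ]; then
  echo "tboot: no SINIT module in GRUB_TBOOT_SINIT_LIST matches this platform" >&2
fi
```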
diff -r e45ccbe6bf59 -r 538c14b1428d tboot/20_linux_xen_tboot
--- a/tboot/20_linux_xen_tboot  Thu Mar 17 23:58:45 2022 +0200
+++ b/tboot/20_linux_xen_tboot  Thu Mar 17 23:58:50 2022 +0200
@@ -41,6 +41,7 @@
 [ -z "${GRUB_CMDLINE_LINUX_XEN_TBOOT}" ] && unset GRUB_CMDLINE_LINUX_XEN_TBOOT
 [ -z "${GRUB_TBOOT_POLICY_DATA}" ] && unset GRUB_TBOOT_POLICY_DATA
 [ -z "${GRUB_TBOOT_SINIT_LIST}" ] && unset GRUB_TBOOT_SINIT_LIST
+[ -z "${GRUB_TBOOT_SINIT_SELECT_MATCHING}" ] && unset GRUB_TBOOT_SINIT_SELECT_MATCHING
 # Command line for tboot itself
 : ${GRUB_CMDLINE_TBOOT='logging=serial,memory,vga'}
 # Xen parameters to append for tboot
@@ -51,6 +52,8 @@
 : ${GRUB_TBOOT_POLICY_DATA=''}
 # List of SINIT modules to use, glob patterns are supported
 : ${GRUB_TBOOT_SINIT_LIST='/boot/*sinit* /boot/*SINIT*'}
+# Use only SINIT modules that match the current platform
+: ${GRUB_TBOOT_SINIT_SELECT_MATCHING='false'}
 
 export TEXTDOMAIN=grub
 export TEXTDOMAINDIR=${prefix}/share/locale
@@ -194,8 +197,16 @@
 tboot_list=`for i in /boot/tboot*.gz; do
         if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi
       done`
+if [ "x${GRUB_TBOOT_SINIT_SELECT_MATCHING}" = "xtrue" ] && [ ! -e /dev/cpu/0/msr ]; then
+  modprobe msr
+fi
 sinit_list=`for i in ${GRUB_TBOOT_SINIT_LIST}; do
         basename=$(basename $i)
+        if [ "x${GRUB_TBOOT_SINIT_SELECT_MATCHING}" = "xtrue" ] \
+            && ! txt-acminfo "$i" | grep -qx "ACM matches platform"; then
+          # Skip SINIT that does not match
+          continue
+        fi
         if grub_file_is_not_garbage "$i" ; then echo -n "$basename " ; fi
       done`
 if [ -n "${GRUB_TBOOT_POLICY_DATA}" ]; then


