DO NOT APPLY!!! THIS PATCH INTRODUCES DUMMY MLE HEADER AND SIMPLY ILLUSTRATES HOW TO EXTEND THE setup_header2 PROPERLY.
DO NOT APPLY!!!
Signed-off-by: Ross Philipson <[email protected]>
Signed-off-by: Daniel Kiper <[email protected]>
Reviewed-by: Ross Philipson <[email protected]>
---
 Documentation/x86/boot.txt | 6 ++++++
 arch/x86/Kconfig | 7 +++++++
 arch/x86/boot/compressed/Makefile | 1 +
 arch/x86/boot/compressed/setup_header2.S | 6 ++++++
 arch/x86/boot/compressed/sl_stub.S | 28 ++++++++++++++++++++++++++++
 5 files changed, 48 insertions(+)
 create mode 100644 arch/x86/boot/compressed/sl_stub.S
diff --git a/Documentation/x86/boot.txt b/Documentation/x86/boot.txt
index ff10c6116662..09cf50d7dca2 100644
--- a/Documentation/x86/boot.txt
+++ b/Documentation/x86/boot.txt
@@ -793,6 +793,12 @@ Offset/size: 0x0004/4
 This field contains the size of the setup_header2 including setup_header2.header. It should be used by the boot loader to detect supported fields in the setup_header2.
+Field name: mle_header_offset
+Offset/size: 0x0008/4
+
+ This field contains the MLE header offset from the beginning of the kernel image.
+ If it is set to zero then it means that MLE header is not build into the kernel.
+
 **** THE IMAGE CHECKSUM
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 5ad92419be19..021e274ede54 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1961,6 +1961,13 @@ config EFI_MIXED
 If unsure, say N.
+config SECURE_LAUNCH_STUB
+ bool "Secure Launch stub support"
+ depends on X86_64
+ ---help---
+ This kernel feature allows a bzImage to be loaded directly
+ through Intel TXT or AMD SKINIT measured launch.
+
 config SECCOMP
 def_bool y
 prompt "Enable seccomp to safely compute untrusted bytecode"
diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile
index c12ccc2bd923..9722d119e19a 100644
--- a/arch/x86/boot/compressed/Makefile
+++ b/arch/x86/boot/compressed/Makefile
@@ -78,6 +78,7 @@ vmlinux-objs-y := $(obj)/vmlinux.lds $(obj)/setup_header2.o $(obj)/head_$(BITS).
 vmlinux-objs-$(CONFIG_EARLY_PRINTK) += $(obj)/early_serial_console.o
 vmlinux-objs-$(CONFIG_RANDOMIZE_BASE) += $(obj)/kaslr.o
+vmlinux-objs-$(CONFIG_SECURE_LAUNCH_STUB) += $(obj)/sl_stub.o
 ifdef CONFIG_X86_64
 vmlinux-objs-$(CONFIG_RANDOMIZE_BASE) += $(obj)/kaslr_64.o
 vmlinux-objs-y += $(obj)/mem_encrypt.o
diff --git a/arch/x86/boot/compressed/setup_header2.S b/arch/x86/boot/compressed/setup_header2.S
index 0b3963296825..eb732626fd22 100644
--- a/arch/x86/boot/compressed/setup_header2.S
+++ b/arch/x86/boot/compressed/setup_header2.S
@@ -9,4 +9,10 @@ setup_header2:
 .ascii "hDR2"
 /* Size. */
 .long setup_header2_end - setup_header2
+ /* MLE header offset. */
+#ifdef CONFIG_SECURE_LAUNCH_STUB
+ .long mle_header
+#else
+ .long 0
+#endif
 setup_header2_end:
diff --git a/arch/x86/boot/compressed/sl_stub.S b/arch/x86/boot/compressed/sl_stub.S
new file mode 100644
index 000000000000..34f5000528e4
--- /dev/null
+++ b/arch/x86/boot/compressed/sl_stub.S
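Review bot: In the setup_header2.S hunk, `.long mle_header` stores the symbol's link-time value, while the boot.txt hunk of this patch documents the field as an offset "from the beginning of the kernel image". The two agree only if the image that holds setup_header2 is linked at address 0, and the linker script is not visible here, so this should be confirmed or the field written as an explicit difference from the image's start label. The text also does not say whether the base is the bzImage file or the protected-mode part, and a boot loader that picks the wrong base would parse unrelated bytes as the MLE header before a measured launch. I would state the base in the comment, for example `/* MLE header offset from <image base>; 0 means no MLE header is built in. */`. The definition of setup_header2 starts outside the hunk.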
@@ -0,0 +1,28 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+
+/*
+ * Copyright (c) 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * Author(s):
+ * Ross Philipson <[email protected]>
+ */
+ .code32
+ .text
+
+ /* The MLE Header per the TXT Specification, section 4.1 */
+ .global mle_header
+
+mle_header:
+ .long 0x9082ac5a /* UUID0 */
+ .long 0x74a7476f /* UUID1 */
+ .long 0xa2555c0f /* UUID2 */
+ .long 0x42b651cb /* UUID3 */
+ .long 0x00000034 /* MLE header size */
+ .long 0x00020002 /* MLE version 2.2 */
+ .long 0x01234567 /* Linear entry point of MLE (virt. address) */
+ .long 0x00000000 /* First valid page of MLE */
+ .long 0x00000000 /* Offset within binary of first byte of MLE */
+ .long 0x00000000 /* Offset within binary of last byte + 1 of MLE */
+ .long 0x00000223 /* Bit vector of MLE-supported capabilities */
+ .long 0x00000000 /* Starting linear address of command line */
+ .long 0x00000000 /* Ending linear address of command line */
-- 2.11.0
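Review bot: The MLE header size is hard-coded as `.long 0x00000034`, which matches the thirteen `.long` fields today but will silently go stale if a field is added. I would add an `mle_header_end:` label after the last field and emit `.long mle_header_end - mle_header`, the same way setup_header2.S computes its own size in this patch. The entry point `0x01234567` and the zero first/last-byte offsets are placeholders, yet with CONFIG_SECURE_LAUNCH_STUB=y setup_header2 advertises a non-zero mle_header_offset, so a boot loader sees a header that looks valid. A comment above `mle_header:` such as `/* Dummy values for illustration only; not a launchable MLE. */` would keep that from being mistaken for a real measured-launch target.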

