Re: [PATCH 07/13] x86: Secure Launch kernel early boot stub

2020-10-19 Thread Ross Philipson
On 10/16/20 4:51 PM, Arvind Sankar wrote: > On Thu, Oct 15, 2020 at 08:26:54PM +0200, Daniel Kiper wrote: >> >> I am discussing with Ross the other option. We can create >> .rodata.mle_header section and put it at fixed offset as >> kernel_info is. So, we would have, e.g.: >> >>

Re: [PATCH 07/13] x86: Secure Launch kernel early boot stub

2020-10-19 Thread Ross Philipson
On 10/19/20 1:06 PM, Arvind Sankar wrote: > On Mon, Oct 19, 2020 at 10:38:08AM -0400, Ross Philipson wrote: >> On 10/16/20 4:51 PM, Arvind Sankar wrote: >>> On Thu, Oct 15, 2020 at 08:26:54PM +0200, Daniel Kiper wrote: >>>> >>>> I am discussing

Re: [PATCH 07/13] x86: Secure Launch kernel early boot stub

2020-09-29 Thread Ross Philipson
On 9/25/20 3:18 PM, Arvind Sankar wrote: > On Fri, Sep 25, 2020 at 10:56:43AM -0400, Ross Philipson wrote: >> On 9/24/20 1:38 PM, Arvind Sankar wrote: >>> On Thu, Sep 24, 2020 at 10:58:35AM -0400, Ross Philipson wrote: >>> >>>> diff --git a/arch/x86/boot/com

Re: [PATCH 07/13] x86: Secure Launch kernel early boot stub

2020-09-25 Thread Ross Philipson
On 9/24/20 1:38 PM, Arvind Sankar wrote: > On Thu, Sep 24, 2020 at 10:58:35AM -0400, Ross Philipson wrote: >> The Secure Launch (SL) stub provides the entry point for Intel TXT (and >> later AMD SKINIT) to vector to during the late launch. The symbol >> sl_stub_entry is tha

Re: [PATCH 01/13] x86: Secure Launch Kconfig

2020-09-25 Thread Ross Philipson
On 9/24/20 10:08 PM, Randy Dunlap wrote: > On 9/24/20 7:58 AM, Ross Philipson wrote: >> Initial bits to bring in Secure Launch functionality. Add Kconfig >> options for compiling in/out the Secure Launch code. >> >> Signed-off-by: Ross Philipson > > Hi, &g

[PATCH 08/13] x86: Secure Launch kernel late boot stub

2020-09-24 Thread Ross Philipson
protections are in place. For TXT, this code also reserves the original compressed kernel setup area where the APs were left looping so that this memory cannot be used. Signed-off-by: Ross Philipson --- arch/x86/kernel/Makefile | 1 + arch/x86/kernel/setup.c| 3 + arch/x86/kernel/slaunch.c

[PATCH 11/13] kexec: Secure Launch kexec SEXIT support

2020-09-24 Thread Ross Philipson
Prior to running the next kernel via kexec, the Secure Launch code closes down private SMX resources and does an SEXIT. This allows the next kernel to start normally without any issues starting the APs etc. Signed-off-by: Ross Philipson --- arch/x86/kernel/slaunch.c | 70

[PATCH 13/13] tpm: Allow locality 2 to be set when initializing the TPM for Secure Launch

2020-09-24 Thread Ross Philipson
The Secure Launch MLE environment uses PCRs that are only accessible from the DRTM locality 2. By default the TPM drivers always initialize the locality to 0. When a Secure Launch is in progress, initialize the locality to 2. Signed-off-by: Ross Philipson --- drivers/char/tpm/tpm-chip.c | 13

[PATCH 12/13] reboot: Secure Launch SEXIT support on reboot paths

2020-09-24 Thread Ross Philipson
callback (into ACPI code) or when an emergency reset is done. In these cases, just the TXT registers are finalized but SEXIT is skipped. Signed-off-by: Ross Philipson --- arch/x86/kernel/reboot.c | 10 ++ 1 file changed, 10 insertions(+) diff --git a/arch/x86/kernel/reboot.c b/arch/x86

[PATCH 06/13] x86: Add early general TPM interface support for Secure Launch

2020-09-24 Thread Ross Philipson
From: "Daniel P. Smith" This commit exposes a minimal general interface for the compressed kernel to request the required TPM operations to send measurements to a TPM. Signed-off-by: Daniel P. Smith Signed-off-by: Ross Philipson --- arch/x86/boot/compressed/Makefile | 2 +- arc

[PATCH 03/13] x86: Add early SHA support for Secure Launch early measurements

2020-09-24 Thread Ross Philipson
-off-by: Daniel P. Smith Signed-off-by: Ross Philipson --- arch/x86/boot/compressed/Makefile | 4 + arch/x86/boot/compressed/early_sha1.c | 104 arch/x86/boot/compressed/early_sha1.h | 17 +++ arch/x86/boot/compressed/early_sha256.c | 6 + arch/x86/boot/compressed

[PATCH 05/13] x86: Add early TPM1.2/TPM2.0 interface support for Secure Launch

2020-09-24 Thread Ross Philipson
From: "Daniel P. Smith" This commit introduces an abstraction for TPM1.2 and TPM2.0 devices above the TPM hardware interface. Signed-off-by: Daniel P. Smith Signed-off-by: Ross Philipson --- arch/x86/boot/compressed/Makefile | 3 +- arch/x86/boot/compressed/

[PATCH 02/13] x86: Secure Launch main header file

2020-09-24 Thread Ross Philipson
Introduce the main Secure Launch header file used in the early SL stub and the early setup code. Signed-off-by: Ross Philipson --- include/linux/slaunch.h | 544 1 file changed, 544 insertions(+) create mode 100644 include/linux/slaunch.h diff

[PATCH 01/13] x86: Secure Launch Kconfig

2020-09-24 Thread Ross Philipson
Initial bits to bring in Secure Launch functionality. Add Kconfig options for compiling in/out the Secure Launch code. Signed-off-by: Ross Philipson --- arch/x86/Kconfig | 36 1 file changed, 36 insertions(+) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig

[PATCH 07/13] x86: Secure Launch kernel early boot stub

2020-09-24 Thread Ross Philipson
and handling the APs on Intel platforms. The routine sl_main which runs after entering 64b mode is responsible for measuring configuration and module information before it is used like the boot params, the kernel command line, the TXT heap, an external initramfs, etc. Signed-off-by: Ross Philipson

[PATCH 00/13] x86: Trenchboot secure dynamic launch Linux kernel support

2020-09-24 Thread Ross Philipson
chset (WIP): https://lists.gnu.org/archive/html/grub-devel/2020-05/msg00011.html Thanks Ross Philipson and Daniel P. Smith Daniel P. Smith (4): x86: Add early TPM TIS/CRB interface support for Secure Launch x86: Add early TPM1.2/TPM2.0 interface support for Secure Launch x86: Add early g

[PATCH 09/13] x86: Secure Launch SMP bringup support

2020-09-24 Thread Ross Philipson
then jumps the the standard RM piggy protected mode entry point. Signed-off-by: Ross Philipson --- arch/x86/include/asm/realmode.h | 3 ++ arch/x86/kernel/smpboot.c| 86 arch/x86/realmode/rm/header.S| 3 ++ arch/x86/realmode/rm

[PATCH 10/13] x86: Secure Launch adding event log securityfs

2020-09-24 Thread Ross Philipson
From: "Daniel P. Smith" The late init functionality registers securityfs nodes to allow access to TXT register fields on Intel along with the fetching of and writing events to the late launch TPM log. Signed-off-by: Daniel P. Smith Signed-off-by: Ross Philipson Signed-off-by: g

[PATCH 04/13] x86: Add early TPM TIS/CRB interface support for Secure Launch

2020-09-24 Thread Ross Philipson
th Signed-off-by: Ross Philipson --- arch/x86/boot/compressed/Makefile | 2 + arch/x86/boot/compressed/tpm/crb.c| 304 ++ arch/x86/boot/compressed/tpm/crb.h| 20 ++ arch/x86/boot/compressed/tpm/tis.c| 215 + arc

Re: [PATCH 07/13] x86: Secure Launch kernel early boot stub

2020-10-21 Thread Ross Philipson
On 10/21/20 12:18 PM, Arvind Sankar wrote: > On Wed, Oct 21, 2020 at 05:28:33PM +0200, Daniel Kiper wrote: >> On Mon, Oct 19, 2020 at 01:18:22PM -0400, Arvind Sankar wrote: >>> On Mon, Oct 19, 2020 at 04:51:53PM +0200, Daniel Kiper wrote: On Fri, Oct 16, 2020 at 04:51:51PM -0400, Arvind