Hello,

This is the third installment of sending [TrenchBoot] code changes to this
mailing list. Previous ones ([take-1], [take-2]) didn't really go far. This
one somewhat differs because 4 years have passed and EFI changes aren't
included (there is Linux and Multiboot2).

There are a lot of changes in here and maybe it will be easier to break patches
into several series to facilitate review, but posting everything together this
time.

The patches form several groups:
1. [01-07] Various small code refactoring in preparation for later commits
(tiny diffs that should have no functional changes)
2. [08-09] TPM-related part (`tpm` module rename, addition of a simple TPM
driver) (relatively small in size)
3. [11-12] SecureLaunch with its SLRT (lots of definitions)
4. [13-16] Support for Intel TXT D-RTM (the bulk of the patches)
5. [17] Implementation of SecureLaunch commands
6. [18] Fix of a leak noticed by accident (tiny)
7. [19-20] Multiboot2 support for Intel TXT (medium)
8. [21-24] Support for AMD SKINIT D-RTM (medium size when combined)

If it's of any use, most of the patches have already seen some review and were
accepted into the GRUB2 package of Qubes OS [qubes-review]. This work in general
is related to anti-evil-maid used in QubesOS; more details can be found in
[project-v1] and [project-v2], and there is also a series of blog
posts ([aem-1]..[aem-4]). Some information about testing is available at
[testing].

This set of changes can also be viewed on GitHub at [TrenchBoot/grub].

The Linux part is on its ninth version on LKML [linux-v9]. It doesn't have AMD
changes, but that's a small part and it will be added in the near future.

Best regards,
Sergii

[TrenchBoot]: https://trenchboot.org/
[take-1]: https://lists.gnu.org/archive/html/grub-devel/2020-05/msg00011.html
[take-2]: https://lists.gnu.org/archive/html/grub-devel/2020-11/msg00050.html
[qubes-review]: https://github.com/QubesOS/qubes-grub2/pull/13
[project-v1]: https://docs.dasharo.com/projects/trenchboot-aem/
[project-v2]: https://docs.dasharo.com/projects/trenchboot-aem-v2/
[aem-1]: https://blog.3mdeb.com/2023/2023-01-31-trenchboot-aem-for-qubesos/
[aem-2]: https://blog.3mdeb.com/2023/2023-09-27-aem_phase2/
[aem-3]: https://blog.3mdeb.com/2024/2024-01-12-aem_phase3/
[aem-4]: https://blog.3mdeb.com/2024/2024-04-11-aem_phase4/
[testing]: https://trenchboot.org/documentation/test_matrix/
[TrenchBoot/grub]: https://github.com/TrenchBoot/grub/compare/b53ec06...tb-2.12-57-v1
[linux-v9]: https://lkml.org/lkml/2024/5/30/1226
Daniel Kiper (8):
i386/msr: Merge rdmsr.h and wrmsr.h into msr.h
i386/msr: Rename grub_msr_read() and grub_msr_write()
i386/msr: Extract and improve MSR support detection code
i386/memory: Rename PAGE_SHIFT to GRUB_PAGE_SHIFT
i386/memory: Rename PAGE_SIZE to GRUB_PAGE_SIZE and make it global
mmap: Add grub_mmap_get_lowest() and grub_mmap_get_highest()
i386/tpm: Rename tpm module to tpm_verifier
i386/tpm: Add TPM TIS and CRB driver
Krystian Hebel (4):
i386/memory: Define GRUB_PAGE_MASK constant and GRUB_PAGE_{UP,DOWN} macros
i386/skinit: Add AMD SKINIT implementation
i386/slaunch: Add support for AMD SKINIT
multiboot2: Support AMD SKINIT
Michał Żygowski (2):
i386/txt: Initialize TPM 1.2 event log in TXT heap
multiboot2: Implement TXT slaunch support
Ross Philipson (8):
include/grub: Introduce Secure Launch Resource Table (SLRT)
i386/slaunch: Add basic platform support for secure launch
i386/txt: Add Intel TXT definitions header file
i386/txt: Add Intel TXT core implementation
i386/txt: Add Intel TXT ACM module support
i386/txt: Add Intel TXT verification routines
i386/slaunch: Add secure launch framework and commands
i386/linux: Add support for AMD SKINIT
Sergii Dmytruk (2):
loader/i386/linux.c: Fix cleanup if kernel doesn't support 64-bit addressing
multiboot: Make GRUB_MULTIBOOT(make_mbi) return MBI's size
docs/grub.texi | 15 +-
grub-core/Makefile.am | 6 +
grub-core/Makefile.core.def | 18 +-
grub-core/commands/i386/rdmsr.c | 25 +-
grub-core/commands/i386/tpm.c | 151 +++
grub-core/commands/i386/wrmsr.c | 25 +-
grub-core/commands/{tpm.c => tpm_verifier.c} | 6 +-
grub-core/lib/i386/relocator32.S | 14 +
grub-core/lib/i386/xen/relocator.S | 6 +-
grub-core/lib/x86_64/xen/relocator.S | 4 +-
grub-core/loader/i386/bsd.c | 4 +
grub-core/loader/i386/coreboot/chainloader.c | 2 +
grub-core/loader/i386/linux.c | 345 +++++-
grub-core/loader/i386/multiboot_mbi.c | 4 +-
grub-core/loader/i386/pc/plan9.c | 3 +-
grub-core/loader/i386/skinit.c | 156 +++
grub-core/loader/i386/slaunch.c | 337 ++++++
grub-core/loader/i386/txt/acmod.c | 605 ++++++++++
grub-core/loader/i386/txt/txt.c | 1110 ++++++++++++++++++
grub-core/loader/i386/txt/verify.c | 277 +++++
grub-core/loader/i386/xen.c | 61 +-
grub-core/loader/i386/xnu.c | 3 +
grub-core/loader/multiboot.c | 34 +-
grub-core/loader/multiboot_elfxx.c | 88 +-
grub-core/loader/multiboot_mbi2.c | 118 +-
grub-core/mmap/mmap.c | 83 ++
include/grub/file.h | 3 +
include/grub/i386/cpuid.h | 12 +
include/grub/i386/crfr.h | 127 ++
include/grub/i386/linux.h | 14 +-
include/grub/i386/memory.h | 8 +-
include/grub/i386/mmio.h | 72 ++
include/grub/i386/msr.h | 137 +++
include/grub/i386/{wrmsr.h => skinit.h} | 29 +-
include/grub/i386/slaunch.h | 90 ++
include/grub/i386/{rdmsr.h => tpm.h} | 30 +-
include/grub/i386/txt.h | 742 ++++++++++++
include/grub/memory.h | 3 +
include/grub/multiboot.h | 2 +-
include/grub/multiboot2.h | 5 +-
include/grub/slr_table.h | 328 ++++++
41 files changed, 4964 insertions(+), 138 deletions(-)
create mode 100644 grub-core/commands/i386/tpm.c
rename grub-core/commands/{tpm.c => tpm_verifier.c} (97%)
create mode 100644 grub-core/loader/i386/skinit.c
create mode 100644 grub-core/loader/i386/slaunch.c
create mode 100644 grub-core/loader/i386/txt/acmod.c
create mode 100644 grub-core/loader/i386/txt/txt.c
create mode 100644 grub-core/loader/i386/txt/verify.c
create mode 100644 include/grub/i386/crfr.h
create mode 100644 include/grub/i386/mmio.h
create mode 100644 include/grub/i386/msr.h
rename include/grub/i386/{wrmsr.h => skinit.h} (54%)
create mode 100644 include/grub/i386/slaunch.h
rename include/grub/i386/{rdmsr.h => tpm.h} (59%)
create mode 100644 include/grub/i386/txt.h
create mode 100644 include/grub/slr_table.h
--
2.46.0