Hi,
This change is needed to properly start the Linux kernel in Intel TXT mode and
is a part of the TrenchBoot project (https://github.com/TrenchBoot).
Daniel
Documentation/x86/boot.txt | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
arch/x86/Kconfig | 7 +++++++
arch/x86/boot/Makefile | 2 +-
arch/x86/boot/compressed/Makefile | 5 +++--
arch/x86/boot/compressed/setup_header2.S | 18 ++++++++++++++++++
arch/x86/boot/compressed/sl_stub.S | 28 ++++++++++++++++++++++++++++
arch/x86/boot/header.S | 3 ++-
arch/x86/boot/tools/build.c | 8 ++++++++
arch/x86/include/uapi/asm/bootparam.h | 1 +
9 files changed, 123 insertions(+), 4 deletions(-)
Daniel Kiper (2):
x86/boot: Introduce the setup_header2
x86/boot: Introduce dummy MLE header
DO NOT APPLY!!!
THIS PATCH INTRODUCES DUMMY MLE HEADER AND SIMPLY ILLUSTRATES HOW TO
EXTEND THE setup_header2 PROPERLY.
DO NOT APPLY!!!
Signed-off-by: Ross Philipson <[email protected]>
Signed-off-by: Daniel Kiper <[email protected]>
Reviewed-by: Ross Philipson <[email protected]>
---
Documentation/x86/boot.txt | 6 ++++++
arch/x86/Kconfig | 7 +++++++
arch/x86/boot/compressed/Makefile | 1 +
arch/x86/boot/compressed/setup_header2.S | 6 ++++++
arch/x86/boot/compressed/sl_stub.S | 28 ++++++++++++++++++++++++++++
5 files changed, 48 insertions(+)
create mode 100644 arch/x86/boot/compressed/sl_stub.S
diff --git a/Documentation/x86/boot.txt b/Documentation/x86/boot.txt
index ff10c6116662..09cf50d7dca2 100644
--- a/Documentation/x86/boot.txt
+++ b/Documentation/x86/boot.txt
@@ -793,6 +793,12 @@ Offset/size: 0x0004/4
This field contains the size of the setup_header2 including setup_header2.header.
It should be used by the boot loader to detect supported fields in the setup_header2.
+Field name: mle_header_offset
+Offset/size: 0x0008/4
+
+ This field contains the MLE header offset from the beginning of the kernel image.
+ If it is set to zero then it means that MLE header is not build into the kernel.
+
**** THE IMAGE CHECKSUM
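Review bot: the mle_header_offset description leaves the base of the offset ambiguous: "from the beginning of the kernel image" could mean the start of the bzImage (real-mode setup sectors included) or the start of the protected-mode part, and the setup_header2.S change in this patch fills the field with the link address of the mle_header symbol inside the compressed vmlinux, which is not by construction an offset from the bzImage start. State precisely which base the loader adds and make the documentation and the assembler agree. The text should also say that a loader must check that the size field at 0x0004 covers offset 0x0008 before reading this field, since detecting supported fields by size is the stated purpose of setup_header2. Minor: "is not build into the kernel" should read "is not built into the kernel".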
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 5ad92419be19..021e274ede54 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1961,6 +1961,13 @@ config EFI_MIXED
If unsure, say N.
+config SECURE_LAUNCH_STUB
+ bool "Secure Launch stub support"
+ depends on X86_64
+ ---help---
+ This kernel feature allows a bzImage to be loaded directly
+ through Intel TXT or AMD SKINIT measured launch.
+
config SECCOMP
def_bool y
prompt "Enable seccomp to safely compute untrusted bytecode"
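Review bot: the help text says the option allows loading "through Intel TXT or AMD SKINIT measured launch", but the only thing SECURE_LAUNCH_STUB builds in this patch is the Intel TXT MLE header in sl_stub.S; either narrow the text to what the option provides today or say that SKINIT support is to follow, so users do not enable it expecting AMD coverage. It would also help to state what the stub actually does (exposes an MLE header whose offset is published through setup_header2 so a TXT-capable loader can locate it) rather than only "allows a bzImage to be loaded directly". The "depends on X86_64" restriction is not explained anywhere in the series; a one-line reason would save reviewers guessing.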
diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile
index c12ccc2bd923..9722d119e19a 100644
--- a/arch/x86/boot/compressed/Makefile
+++ b/arch/x86/boot/compressed/Makefile
@@ -78,6 +78,7 @@ vmlinux-objs-y := $(obj)/vmlinux.lds $(obj)/setup_header2.o $(obj)/head_$(BITS).
vmlinux-objs-$(CONFIG_EARLY_PRINTK) += $(obj)/early_serial_console.o
vmlinux-objs-$(CONFIG_RANDOMIZE_BASE) += $(obj)/kaslr.o
+vmlinux-objs-$(CONFIG_SECURE_LAUNCH_STUB) += $(obj)/sl_stub.o
ifdef CONFIG_X86_64
vmlinux-objs-$(CONFIG_RANDOMIZE_BASE) += $(obj)/kaslr_64.o
vmlinux-objs-y += $(obj)/mem_encrypt.o
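Review bot: sl_stub.o is added to the generic vmlinux-objs list above the "ifdef CONFIG_X86_64" block even though the Kconfig symbol depends on X86_64; that is harmless, but the commit message should say the stub is 64-bit-only, because a ".code32" file with a 32-bit entry point otherwise reads as if it were meant for both builds. Note too that link order now decides where mle_header lands in .text; publishing the location through setup_header2 makes that acceptable, but the MLE start/end offsets inside the header will eventually have to be derived from the final layout rather than hardcoded.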
diff --git a/arch/x86/boot/compressed/setup_header2.S b/arch/x86/boot/compressed/setup_header2.S
index 0b3963296825..eb732626fd22 100644
--- a/arch/x86/boot/compressed/setup_header2.S
+++ b/arch/x86/boot/compressed/setup_header2.S
@@ -9,4 +9,10 @@ setup_header2:
.ascii "hDR2"
/* Size. */
.long setup_header2_end - setup_header2
+ /* MLE header offset. */
+#ifdef CONFIG_SECURE_LAUNCH_STUB
+ .long mle_header
+#else
+ .long 0
+#endif
setup_header2_end:
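Review bot: ".long mle_header" emits a 32-bit absolute relocation on the symbol's link address in the compressed vmlinux, so the stored value is whatever the linker script assigns, not necessarily the "offset from the beginning of the kernel image" that boot.txt promises; if an image offset is intended, emit a difference against a known start symbol or have arch/x86/boot/tools/build.c fix the field up, and document which of the two it is. The #ifdef/#else pattern that keeps ".long 0" in the disabled configuration is the right way to extend the header, because it keeps the size field and the offsets of any later fields stable across configs; a comment stating that every future field must follow this pattern would make the example self-explanatory for the next contributor.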
diff --git a/arch/x86/boot/compressed/sl_stub.S b/arch/x86/boot/compressed/sl_stub.S
new file mode 100644
index 000000000000..34f5000528e4
--- /dev/null
+++ b/arch/x86/boot/compressed/sl_stub.S
@@ -0,0 +1,28 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+
+/*
+ * Copyright (c) 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * Author(s):
+ * Ross Philipson <[email protected]>
+ */
+ .code32
+ .text
+
+ /* The MLE Header per the TXT Specification, section 4.1 */
+ .global mle_header
+
+mle_header:
+ .long 0x9082ac5a /* UUID0 */
+ .long 0x74a7476f /* UUID1 */
+ .long 0xa2555c0f /* UUID2 */
+ .long 0x42b651cb /* UUID3 */
+ .long 0x00000034 /* MLE header size */
+ .long 0x00020002 /* MLE version 2.2 */
+ .long 0x01234567 /* Linear entry point of MLE (virt. address) */
+ .long 0x00000000 /* First valid page of MLE */
+ .long 0x00000000 /* Offset within binary of first byte of MLE */
+ .long 0x00000000 /* Offset within binary of last byte + 1 of MLE */
+ .long 0x00000223 /* Bit vector of MLE-supported capabilities */
+ .long 0x00000000 /* Starting linear address of command line */
+ .long 0x00000000 /* Ending linear address of command line */
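Review bot: the header size is hardcoded as 0x00000034; the block is thirteen .long entries (52 bytes), so it matches today, but ".long mle_header_end - mle_header" with a trailing label would keep it correct if fields are added. The entry point 0x01234567 and the zeroed first-page, start and end offsets are placeholders per the commit message, yet nothing in the file says so; a comment on each marking it as a dummy and stating which values will be computed at build time (the entry point must be the linear address control is transferred to, and the start/end offsets must bracket the code that is measured) would stop the file being mistaken for a usable header. The capabilities word 0x00000223 likewise deserves a comment spelling out which bits are set, and the data-only block carries ".code32" and ".text" for no apparent reason; placing it in a data section or explaining why it must live in .text would help.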
--
2.11.0
On Fri, May 24, 2019 at 11:55:02AM +0200, Daniel Kiper wrote:
> Hi,
>
> This change is needed to properly start the Linux kernel in Intel TXT mode and
> is a part of the TrenchBoot project (https://github.com/TrenchBoot).
>
> Daniel
>
> Documentation/x86/boot.txt | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
> arch/x86/Kconfig | 7 +++++++
> arch/x86/boot/Makefile | 2 +-
> arch/x86/boot/compressed/Makefile | 5 +++--
> arch/x86/boot/compressed/setup_header2.S | 18 ++++++++++++++++++
> arch/x86/boot/compressed/sl_stub.S | 28 ++++++++++++++++++++++++++++
> arch/x86/boot/header.S | 3 ++-
> arch/x86/boot/tools/build.c | 8 ++++++++
> arch/x86/include/uapi/asm/bootparam.h | 1 +
> 9 files changed, 123 insertions(+), 4 deletions(-)
>
> Daniel Kiper (2):
> x86/boot: Introduce the setup_header2
> x86/boot: Introduce dummy MLE header
Ping?
Daniel
On Wed, Jun 05, 2019 at 03:50:31PM +0200, Daniel Kiper wrote:
> On Fri, May 24, 2019 at 11:55:02AM +0200, Daniel Kiper wrote:
> > Hi,
> >
> > This change is needed to properly start the Linux kernel in Intel TXT mode and
> > is a part of the TrenchBoot project (https://github.com/TrenchBoot).
Can you please expand more on this?
Nice explanation of why, other alternative solutions that didn't work, and so on.
> >
> > Daniel
> >
> > Documentation/x86/boot.txt | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
> > arch/x86/Kconfig | 7 +++++++
> > arch/x86/boot/Makefile | 2 +-
> > arch/x86/boot/compressed/Makefile | 5 +++--
> > arch/x86/boot/compressed/setup_header2.S | 18 ++++++++++++++++++
> > arch/x86/boot/compressed/sl_stub.S | 28 ++++++++++++++++++++++++++++
> > arch/x86/boot/header.S | 3 ++-
> > arch/x86/boot/tools/build.c | 8 ++++++++
> > arch/x86/include/uapi/asm/bootparam.h | 1 +
> > 9 files changed, 123 insertions(+), 4 deletions(-)
> >
> > Daniel Kiper (2):
> > x86/boot: Introduce the setup_header2
> > x86/boot: Introduce dummy MLE header
>
> Ping?
Can you add Ingo and Thomas to the To: next time please?
Also please drop the second patch.
>
> Daniel
On Wed, Jun 05, 2019 at 10:01:17AM -0400, Konrad Rzeszutek Wilk wrote:
> On Wed, Jun 05, 2019 at 03:50:31PM +0200, Daniel Kiper wrote:
> > On Fri, May 24, 2019 at 11:55:02AM +0200, Daniel Kiper wrote:
> > > Hi,
> > >
> > > This change is needed to properly start the Linux kernel in Intel TXT mode and
> > > is a part of the TrenchBoot project (https://github.com/TrenchBoot).
>
> Can you please expand more on this?
>
> Nice explanation of why, other alternative solutions that didn't work, and so on.
OK.
> > > Daniel
> > >
> > > Documentation/x86/boot.txt | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
> > > arch/x86/Kconfig | 7 +++++++
> > > arch/x86/boot/Makefile | 2 +-
> > > arch/x86/boot/compressed/Makefile | 5 +++--
> > > arch/x86/boot/compressed/setup_header2.S | 18 ++++++++++++++++++
> > > arch/x86/boot/compressed/sl_stub.S | 28 ++++++++++++++++++++++++++++
> > > arch/x86/boot/header.S | 3 ++-
> > > arch/x86/boot/tools/build.c | 8 ++++++++
> > > arch/x86/include/uapi/asm/bootparam.h | 1 +
> > > 9 files changed, 123 insertions(+), 4 deletions(-)
> > >
> > > Daniel Kiper (2):
> > > x86/boot: Introduce the setup_header2
> > > x86/boot: Introduce dummy MLE header
> >
> > Ping?
>
> Can you add Ingo and Thomas to the To: next time please?
OK.
> Also please drop the second patch.
Why? This is an example of how to use the setup_header2.
Daniel
On Thu, Jun 06, 2019 at 01:51:08PM +0200, Daniel Kiper wrote:
> On Wed, Jun 05, 2019 at 10:01:17AM -0400, Konrad Rzeszutek Wilk wrote:
> > On Wed, Jun 05, 2019 at 03:50:31PM +0200, Daniel Kiper wrote:
> > > On Fri, May 24, 2019 at 11:55:02AM +0200, Daniel Kiper wrote:
> > > > Hi,
> > > >
> > > > This change is needed to properly start the Linux kernel in Intel TXT mode and
> > > > is a part of the TrenchBoot project (https://github.com/TrenchBoot).
> >
> > Can you please expand more on this?
> >
> > Nice explanation of why, other alternative solutions that didn't work, and so on.
>
> OK.
>
> > > > Daniel
> > > >
> > > > Documentation/x86/boot.txt | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
> > > > arch/x86/Kconfig | 7 +++++++
> > > > arch/x86/boot/Makefile | 2 +-
> > > > arch/x86/boot/compressed/Makefile | 5 +++--
> > > > arch/x86/boot/compressed/setup_header2.S | 18 ++++++++++++++++++
> > > > arch/x86/boot/compressed/sl_stub.S | 28 ++++++++++++++++++++++++++++
> > > > arch/x86/boot/header.S | 3 ++-
> > > > arch/x86/boot/tools/build.c | 8 ++++++++
> > > > arch/x86/include/uapi/asm/bootparam.h | 1 +
> > > > 9 files changed, 123 insertions(+), 4 deletions(-)
> > > >
> > > > Daniel Kiper (2):
> > > > x86/boot: Introduce the setup_header2
> > > > x86/boot: Introduce dummy MLE header
> > >
> > > Ping?
> >
> > Can you add Ingo and Thomas to the To: next time please?
>
> OK.
>
> > Also please drop the second patch.
>
> Why? This is an example of how to use the setup_header2.
If you are going to post it as non-RFC (which I suspect you will
for the next), then why post a patch that is not to be checked in?
It just takes up people's time.
>
> Daniel
On Thu, Jun 06, 2019 at 01:30:46PM -0400, Konrad Rzeszutek Wilk wrote:
> On Thu, Jun 06, 2019 at 01:51:08PM +0200, Daniel Kiper wrote:
> > On Wed, Jun 05, 2019 at 10:01:17AM -0400, Konrad Rzeszutek Wilk wrote:
> > > On Wed, Jun 05, 2019 at 03:50:31PM +0200, Daniel Kiper wrote:
> > > > On Fri, May 24, 2019 at 11:55:02AM +0200, Daniel Kiper wrote:
> > > > > Hi,
> > > > >
> > > > > This change is needed to properly start the Linux kernel in Intel TXT mode and
> > > > > is a part of the TrenchBoot project (https://github.com/TrenchBoot).
> > >
> > > Can you please expand more on this?
> > >
> > > Nice explanation of why, other alternative solutions that didn't work, and so on.
> >
> > OK.
> >
> > > > > Daniel
> > > > >
> > > > > Documentation/x86/boot.txt | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
> > > > > arch/x86/Kconfig | 7 +++++++
> > > > > arch/x86/boot/Makefile | 2 +-
> > > > > arch/x86/boot/compressed/Makefile | 5 +++--
> > > > > arch/x86/boot/compressed/setup_header2.S | 18 ++++++++++++++++++
> > > > > arch/x86/boot/compressed/sl_stub.S | 28 ++++++++++++++++++++++++++++
> > > > > arch/x86/boot/header.S | 3 ++-
> > > > > arch/x86/boot/tools/build.c | 8 ++++++++
> > > > > arch/x86/include/uapi/asm/bootparam.h | 1 +
> > > > > 9 files changed, 123 insertions(+), 4 deletions(-)
> > > > >
> > > > > Daniel Kiper (2):
> > > > > x86/boot: Introduce the setup_header2
> > > > > x86/boot: Introduce dummy MLE header
> > > >
> > > > Ping?
> > >
> > > Can you add Ingo and Thomas to the To: next time please?
> >
> > OK.
> >
> > > Also please drop the second patch.
> >
> > Why? This is an example of how to use the setup_header2.
>
> If you are going to post it as non-RFC (which I suspect you will
> for the next), then why post a patch that is not to be checked in?
Nope, this will be an RFC. And the second patch is an example. I hope
that it eases understanding of how all the pieces fit together. If the idea
is approved then the first patch will be posted with the full Intel TXT
implementation and the second patch will contain a fully fledged MLE header.
Daniel