Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp1304831ybb; Wed, 25 Mar 2020 20:48:06 -0700 (PDT) X-Google-Smtp-Source: ADFU+vsea0kVEDnrPaXZU4y8K+n+g0o+SSSTFTt7RUuv+kO77HwdGJR2jdWmsyKhKprfP4LDUSaZ X-Received: by 2002:a4a:bf19:: with SMTP id r25mr3716544oop.3.1585194485863; Wed, 25 Mar 2020 20:48:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1585194485; cv=none; d=google.com; s=arc-20160816; b=UNkEZIW6jf8Hm5ozq24TQQGT10FJXjbSnGdt5KfiSBJLDhGGxBv/uQsbVMT4U1effj DSgOs8nPondWEzyC0toDPsrCmW0a2zsds/9fsDzq0sw8GVSrsLFCBJ0EjXzXk5cU5WaB XbO0m4WRHtr7YeWsamP1FQAyy1lHdgKRQF6KhR2sRp4rzXOFDXYC7WYRWSVMvonsnTdP rTc4Nn6ytDA+Nt0SGM7KCQQFEwc787nZ1hLJhybosh7AU+o7v1ElNY3ybfgf5CTrvE6A KXM/yS6EHUowh6YaULFZjznBo2kWwdqRcWq741rL84UhRiZq8bAayedV3wkiHAdx2GOb gw2Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=nLreXBEJOIklOXks1ocDZyP90nV94tqab77njj7mJTM=; b=SJTea+GV3E9LyPmbT4ecLZB/05VAh07KQ/A92FfTnq43mrbuZ6nPi9ti0SMzICnfTW KfEMkXsvxOxH4nfstbGBoz7yC8PQb3dFK4bFvU2TojBmT+paSAPSB7DCPgA49zWtDizm I0hagvMBI1OEqhupmyTaUDPB7/wWeuPVEAQkyloB/r/rLCvJtwY2U+cqQp9jRW7TjqWj kWtVb91FfYwU/Fe2Ph8XMCVNWhN1p4yVnoDwv6pYUTcbHr4lr7UNrxgC5h1Xda0uIlOy hXjs4D7VldRnezt/IUnl1D9iA3bd2pDwtdcSUGvTwVrsNtx2/2bXR8girTLOnAXng12W 0d1w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=OdeBbNi0; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v2si457420oov.20.2020.03.25.20.47.38; Wed, 25 Mar 2020 20:48:05 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=OdeBbNi0; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727674AbgCZDok (ORCPT + 99 others); Wed, 25 Mar 2020 23:44:40 -0400 Received: from mail.kernel.org ([198.145.29.99]:59574 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727636AbgCZDoj (ORCPT ); Wed, 25 Mar 2020 23:44:39 -0400 Received: from mail-wr1-f50.google.com (mail-wr1-f50.google.com [209.85.221.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 985BE20838 for ; Thu, 26 Mar 2020 03:44:38 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1585194278; bh=VkmY0zQuX833GQpUGXaOUmvjdZ0nnkB4ejNGiO5v5uU=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=OdeBbNi0UFE6Xf5r9lnfVQhuzp+a/BFXy/IQWDQURZ4DuY9gq+dbEoACf45IaIlCz Iq/SLbxgvTZZrQjifMGcmOZ5WJ1yxvDZoqcPVk/JTIHOdDqwzt0TWnKwG9FErPLnjv 0BMWgiPP8VxMl+NAz3cpZWsYBpwjnBXYv+1nyUTQ= Received: by mail-wr1-f50.google.com with SMTP id p10so6070321wrt.6 for ; Wed, 25 Mar 2020 20:44:38 -0700 (PDT) X-Gm-Message-State: ANhLgQ0XydzChmU1H7q2LeIXgiKrIZmwr407xowSURSi4l8et95nCkHb WzAuYb+AgPslGLpIQrlXuDC32y94/L1qx6y1v+rLnA== X-Received: by 2002:adf:9dc6:: with SMTP id q6mr6773133wre.70.1585194276996; Wed, 25 Mar 2020 20:44:36 -0700 (PDT) MIME-Version: 1.0 References: <20200325194317.526492-1-ross.philipson@oracle.com> <20200325194317.526492-4-ross.philipson@oracle.com> In-Reply-To: <20200325194317.526492-4-ross.philipson@oracle.com> From: Andy Lutomirski Date: Wed, 25 Mar 2020 20:44:25 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [RFC PATCH 03/12] x86: Add early SHA support for Secure Launch early measurements To: Ross Philipson Cc: LKML , X86 ML , "open list:DOCUMENTATION" , dpsmith@apertussolutions.com, Thomas Gleixner , Ingo Molnar , Borislav Petkov , "H. Peter Anvin" , trenchboot-devel@googlegroups.com Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Mar 25, 2020 at 12:43 PM Ross Philipson wrote: > > From: "Daniel P. Smith" > > The SHA algorithms are necessary to measure configuration information into > the TPM as early as possible before using the values. This implementation > uses the established approach of #including the SHA libraries directly in > the code since the compressed kernel is not uncompressed at this point. > > The SHA1 code here has its origins in the code in > include/crypto/sha1_base.h. That code could not be pulled directly into > the setup portion of the compressed kernel because of other dependencies > it pulls in. So this is a modified copy of that code that still leverages > the core SHA1 algorithm. > > Signed-off-by: Daniel P. Smith > --- > arch/x86/Kconfig | 24 +++ > arch/x86/boot/compressed/Makefile | 4 + > arch/x86/boot/compressed/early_sha1.c | 104 ++++++++++++ > arch/x86/boot/compressed/early_sha1.h | 17 ++ > arch/x86/boot/compressed/early_sha256.c | 6 + > arch/x86/boot/compressed/early_sha512.c | 6 + > include/linux/sha512.h | 21 +++ > lib/sha1.c | 4 + > lib/sha512.c | 209 ++++++++++++++++++++++++ > 9 files changed, 395 insertions(+) > create mode 100644 arch/x86/boot/compressed/early_sha1.c > create mode 100644 arch/x86/boot/compressed/early_sha1.h > create mode 100644 arch/x86/boot/compressed/early_sha256.c > create mode 100644 arch/x86/boot/compressed/early_sha512.c > create mode 100644 include/linux/sha512.h > create mode 100644 lib/sha512.c > > diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig > index 7f3406a9948b..f37057d3ce9f 100644 > --- a/arch/x86/Kconfig > +++ b/arch/x86/Kconfig > @@ -2025,6 +2025,30 @@ config SECURE_LAUNCH > of all the modules and configuration information used for > boooting the operating system. > > +choice > + prompt "Select Secure Launch Algorithm for TPM2" > + depends on SECURE_LAUNCH > + > +config SECURE_LAUNCH_SHA1 > + bool "Secure Launch TPM2 SHA1" > + help > + When using Secure Launch and TPM2 is present, use SHA1 hash > + algorithm for measurements. > + I'm surprised this is supported at all. Why allow SHA1?