From: Krystian Hebel
To: grub-devel@gnu.org
Cc: Krystian Hebel
Subject: [GRUB PATCH RFC 22/22] i386/slaunch: Add support for AMD SKINIT
Date: Tue, 10 Nov 2020 15:45:00 +0100
Message-Id: <20201110144500.31606-23-krystian.hebel@3mdeb.com>
In-Reply-To: <20201110144500.31606-1-krystian.hebel@3mdeb.com>
References: <20201110144500.31606-1-krystian.hebel@3mdeb.com>

Signed-off-by: Krystian Hebel --- grub-core/Makefile.core.def | 1 + grub-core/lib/i386/relocator32.S | 6 ++++++ grub-core/loader/i386/linux.c | 30 +++++++++++++++++++++++++++++- grub-core/loader/i386/slaunch.c | 21 ++++++++++++++++++++- include/grub/i386/slaunch.h | 11 +++++++++-- 5 files changed, 65 insertions(+), 4 deletions(-) diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def index 204f9794dbce..68de5c07c060 100644 --- a/grub-core/Makefile.core.def +++ b/grub-core/Makefile.core.def @@ -1829,6 +1829,7 @@ module = { x86 = loader/i386/txt/txt.c; x86 = loader/i386/txt/acmod.c; x86 = loader/i386/txt/verify.c; + x86 = loader/i386/skinit.c; enable = x86; }; diff --git a/grub-core/lib/i386/relocator32.S b/grub-core/lib/i386/relocator32.S index a2b377197b16..2bdc07018a78 100644 --- a/grub-core/lib/i386/relocator32.S +++ b/grub-core/lib/i386/relocator32.S @@ -115,6 +115,9 @@ VARIABLE(grub_relocator32_edx) cmpl $SLP_INTEL_TXT, %edi je LOCAL(intel_txt) + cmpl $SLP_AMD_SKINIT, %edi + je LOCAL(amd_skinit) + .byte 0xea VARIABLE(grub_relocator32_eip) .long 0 @@ -123,6 +126,9 @@ VARIABLE(grub_relocator32_eip) LOCAL(intel_txt): getsec +LOCAL(amd_skinit): + skinit + /* GDT. Copied from loader/i386/linux.c. */ .p2align 4 LOCAL(gdt): diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c index d83912c17aad..dc4dcaa0a2ef 100644 --- a/grub-core/loader/i386/linux.c +++ b/grub-core/loader/i386/linux.c @@ -35,6 +35,7 @@ #include #include #include +#include #include #include #include @@ -233,7 +234,7 @@ allocate_pages (grub_size_t prot_size, grub_size_t *align, prot_mode_mem = get_virtual_current_address (ch); prot_mode_target = get_physical_target_address (ch); - if (grub_slaunch_platform_type () == SLP_INTEL_TXT) + if (grub_slaunch_platform_type () != SLP_NONE) { slparams.mle_ptab_mem = prot_mode_mem; slparams.mle_ptab_target = prot_mode_target; 
@@ -803,6 +804,33 @@ grub_linux_boot (void) state.ecx = slparams.sinit_acm_size; state.edx = 0; } + else if (state.edi == SLP_AMD_SKINIT) + { + grub_relocator_chunk_t ch; + + slparams.params = ctx.real_mode_target; + + /* Contrary to the TXT, on AMD we do not have vendor-provided blobs in + * reserved memory, we are using normal RAM */ + err = grub_relocator_alloc_chunk_align (relocator, &ch, + 0, (0xffffffff - GRUB_SKINIT_SLB_SIZE), + GRUB_SKINIT_SLB_SIZE, + GRUB_SKINIT_SLB_ALIGN, + GRUB_RELOCATOR_PREFERENCE_LOW, 1); + + if (err != GRUB_ERR_NONE) + return err; + + slparams.lz_base = (grub_uint32_t) get_virtual_current_address (ch); + slparams.lz_size = grub_skinit_get_sl_size (); + + err = grub_skinit_boot_prepare (&slparams); + + if (err != GRUB_ERR_NONE) + return err; + + state.eax = get_physical_target_address (ch); + } else { /* FIXME. */ diff --git a/grub-core/loader/i386/slaunch.c b/grub-core/loader/i386/slaunch.c index 3acd177afd3b..9df04ff96538 100644 --- a/grub-core/loader/i386/slaunch.c +++ b/grub-core/loader/i386/slaunch.c @@ -57,7 +57,8 @@ grub_cmd_slaunch (grub_command_t cmd __attribute__ ((unused)), char *argv[] __attribute__ ((unused))) { grub_uint32_t manufacturer[3]; - grub_uint32_t eax; + grub_uint32_t eax, ebx, ecx, edx; + grub_uint64_t msr_value; grub_err_t err; if (!grub_cpu_is_cpuid_supported ()) 
@@ -79,6 +80,20 @@ grub_cmd_slaunch (grub_command_t cmd __attribute__ ((unused)), slp = SLP_INTEL_TXT; } + else if (!grub_memcmp (manufacturer, "AuthenticAMD", 12)) + { + + grub_cpuid (GRUB_AMD_CPUID_FEATURES, eax, ebx, ecx, edx); + if (! (ecx & GRUB_SVM_CPUID_FEATURE) ) + return grub_error (GRUB_ERR_BAD_DEVICE, N_("CPU does not support AMD SVM")); + + /* Check whether SVM feature is disabled in BIOS */ + msr_value = grub_rdmsr (GRUB_MSR_AMD64_VM_CR); + if (msr_value & GRUB_MSR_SVM_VM_CR_SVM_DISABLE) + return grub_error (GRUB_ERR_BAD_DEVICE, N_("BIOS has AMD SVM disabled")); + + slp = SLP_AMD_SKINIT; + } else return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("CPU is unsupported")); @@ -170,6 +185,10 @@ grub_cmd_slaunch_state (grub_command_t cmd __attribute__ ((unused)), grub_printf ("Secure launcher: Intel TXT\n"); grub_txt_state_show (); } + else if (slp == SLP_AMD_SKINIT) + { + grub_printf ("Secure launcher: AMD SKINIT\n"); + } return GRUB_ERR_NONE; } diff --git a/include/grub/i386/slaunch.h b/include/grub/i386/slaunch.h index e5c32152d285..18e10d82ffc7 100644 --- a/include/grub/i386/slaunch.h +++ b/include/grub/i386/slaunch.h @@ -24,6 +24,7 @@ /* Secure launch platform types. */ #define SLP_NONE 0 #define SLP_INTEL_TXT 1 +#define SLP_AMD_SKINIT 2 #define GRUB_SLAUNCH_TPM_EVT_LOG_SIZE (8 * GRUB_PAGE_SIZE) @@ -42,8 +43,14 @@ struct grub_slaunch_params grub_uint32_t mle_ptab_size; grub_uint32_t mle_header_offset; grub_uint64_t ap_wake_block; - grub_uint32_t sinit_acm_base; - grub_uint32_t sinit_acm_size; + union { + grub_uint32_t sinit_acm_base; + grub_uint32_t lz_base; + }; + union { + grub_uint32_t sinit_acm_size; + grub_uint32_t lz_size; + }; grub_uint64_t tpm_evt_log_base; grub_uint32_t tpm_evt_log_size; }; -- 2.17.1
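
Review bot: In the grub-core/Makefile.core.def hunk, `x86 = loader/i386/skinit.c;` references a source file that this patch's diffstat neither creates nor modifies (the five files listed are Makefile.core.def, relocator32.S, linux.c, slaunch.c and slaunch.h). If skinit.c is introduced by an earlier patch in the series, the build entry belongs in that patch so each commit builds on its own; if not, the file is missing from this one.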
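
Review bot: In the second grub-core/lib/i386/relocator32.S hunk, `LOCAL(intel_txt): getsec` now sits directly above `LOCAL(amd_skinit): skinit`, and `skinit` is followed directly by the GDT data, so neither path has a terminator. If either launch instruction ever fell through, the TXT path would execute `skinit` and the SKINIT path would execute table bytes. Suggest ending each label with an explicit stop (a `hlt` loop or `ud2`) and adding a comment on the register contract, since the only hint that %eax must carry the SLB address is `state.eax = get_physical_target_address (ch);` in linux.c.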
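
Review bot: In the allocate_pages hunk of grub-core/loader/i386/linux.c, the condition `grub_slaunch_platform_type () != SLP_NONE` silently opts in every platform type added later, and it fills fields named `mle_ptab_mem` / `mle_ptab_target`, which is TXT terminology. Suggest testing the two supported values explicitly, or adding a comment saying what these fields hold on the SKINIT path.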
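
Review bot: In the grub_linux_boot hunk of grub-core/loader/i386/linux.c, `slparams.lz_size = grub_skinit_get_sl_size ();` is never compared against `GRUB_SKINIT_SLB_SIZE`, the size of the chunk allocated just above, before `grub_skinit_boot_prepare (&slparams)` is called. If that check lives inside grub_skinit_boot_prepare, say so in a comment; otherwise add it here and return an error when the image does not fit. Separately, `(grub_uint32_t) get_virtual_current_address (ch)` casts a pointer to 32 bits, which truncates on 64-bit builds, and it stores the current virtual address in `lz_base` while %eax receives the physical target address; a comment stating which of the two `lz_base` is meant to be would help. The multi-line comment also does not follow the GNU comment style used elsewhere in the file.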
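
Review bot: In the AuthenticAMD branch added to grub_cmd_slaunch in grub-core/loader/i386/slaunch.c, only `GRUB_SVM_CPUID_FEATURE` and `GRUB_MSR_SVM_VM_CR_SVM_DISABLE` are tested before `slp = SLP_AMD_SKINIT;`. AMD reports SKINIT support with its own feature bit in the same CPUID leaf, so testing SVM alone does not establish that the `skinit` instruction in relocator32.S is available; suggest checking that bit too and returning a distinct error. Style nits in the same hunk: the blank line after the opening `{`, the spacing in `if (! (ecx & GRUB_SVM_CPUID_FEATURE) )`, and the two grub_error lines that exceed the usual line length.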
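
Review bot: In the grub_cmd_slaunch_state hunk of grub-core/loader/i386/slaunch.c, the SKINIT branch prints only `"Secure launcher: AMD SKINIT\n"`, while the TXT branch above it also calls `grub_txt_state_show ()`. Either add an equivalent state dump for AMD (the VM_CR value already read in grub_cmd_slaunch would be a start) or drop the braces around the single statement and note in the commit message that state reporting is not implemented yet.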
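
Review bot: In the struct grub_slaunch_params hunk of include/grub/i386/slaunch.h, the two anonymous unions alias `sinit_acm_base` with `lz_base` and `sinit_acm_size` with `lz_size` without any comment saying which member is valid for which platform type. Because grub_linux_boot reads `slparams.sinit_acm_size` on the TXT path and writes `slparams.lz_size` on the SKINIT path, a value set for one platform is readable under the other name. Suggest a comment tying each member to `SLP_INTEL_TXT` or `SLP_AMD_SKINIT`, and confirming that anonymous unions are acceptable for the compilers GRUB supports.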