Merge branch 'c8' into a8

This commit is contained in:
eabdullin 2023-02-21 10:05:29 +00:00 committed by Stepan Oksanichenko
commit 9ded7eb3db
4 changed files with 266 additions and 2 deletions

View File

@ -0,0 +1,227 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Lu Ken <ken.lu@intel.com>
Date: Sat, 3 Jul 2021 10:50:37 -0400
Subject: [PATCH] Enable TDX measurement to RTMR register
Intel Trust Domain Extensions(Intel TDX) refers to an Intel technology
that extends Virtual Machine Extensions(VMX) and Multi-Key Total Memory
Encryption(MK-TME) with a new kind of virtual machine guest called a
Trust Domain(TD)[1]. A TD runs in a CPU mode that protects the confidentiality
of its memory contents and its CPU state from any other software, including
the hosting Virtual Machine Monitor (VMM).
Trust Domain Virtual Firmware (TDVF) is required to provide TD services to
the TD guest OS.[2] Its reference code is available at https://github.com/tianocore/edk2-staging/tree/TDVF.
To support TD measurement/attestation, TDs provide 4 RTMR registers like
TPM/TPM2 PCR as below:
- RTMR[0] is for TDVF configuration
- RTMR[1] is for the TD OS loader and kernel
- RTMR[2] is for the OS application
- RTMR[3] is reserved for special usage only
This patch adds TD Measurement protocol support along with TPM/TPM2 protocol.
References:
[1] https://software.intel.com/content/dam/develop/external/us/en/documents/tdx-whitepaper-v4.pdf
[2] https://software.intel.com/content/dam/develop/external/us/en/documents/tdx-virtual-firmware-design-guide-rev-1.pdf
Signed-off-by: Lu Ken <ken.lu@intel.com>
(cherry picked from commit 841a0977397cf12a5498d439b8aaf8bf28ff8544)
---
grub-core/Makefile.core.def | 1 +
grub-core/kern/efi/tdx.c | 70 +++++++++++++++++++++++++++++++++++++++++++++
grub-core/kern/tpm.c | 4 +++
include/grub/efi/tdx.h | 26 +++++++++++++++++
include/grub/tdx.h | 36 +++++++++++++++++++++++
5 files changed, 137 insertions(+)
create mode 100644 grub-core/kern/efi/tdx.c
create mode 100644 include/grub/efi/tdx.h
create mode 100644 include/grub/tdx.h
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index 637d7203e3..2787d59c52 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -200,6 +200,7 @@ kernel = {
efi = kern/efi/acpi.c;
efi = kern/lockdown.c;
efi = lib/envblk.c;
+ efi = kern/efi/tdx.c;
efi = kern/efi/tpm.c;
i386_coreboot = kern/i386/pc/acpi.c;
i386_multiboot = kern/i386/pc/acpi.c;
diff --git a/grub-core/kern/efi/tdx.c b/grub-core/kern/efi/tdx.c
new file mode 100644
index 0000000000..3a49f8d117
--- /dev/null
+++ b/grub-core/kern/efi/tdx.c
@@ -0,0 +1,70 @@
+#include <grub/err.h>
+#include <grub/i18n.h>
+#include <grub/efi/api.h>
+#include <grub/efi/efi.h>
+#include <grub/efi/tpm.h>
+#include <grub/efi/tdx.h>
+#include <grub/mm.h>
+#include <grub/tpm.h>
+#include <grub/tdx.h>
+
+static grub_efi_guid_t tdx_guid = EFI_TDX_GUID;
+
+static inline grub_err_t grub_tdx_dprintf(grub_efi_status_t status)
+{
+ switch (status) {
+ case GRUB_EFI_SUCCESS:
+ return 0;
+ case GRUB_EFI_DEVICE_ERROR:
+ grub_dprintf ("tdx", "Command failed: 0x%"PRIxGRUB_EFI_STATUS"\n",
+ status);
+ return GRUB_ERR_IO;
+ case GRUB_EFI_INVALID_PARAMETER:
+ grub_dprintf ("tdx", "Invalid parameter: 0x%"PRIxGRUB_EFI_STATUS"\n",
+ status);
+ return GRUB_ERR_BAD_ARGUMENT;
+ case GRUB_EFI_VOLUME_FULL:
+ grub_dprintf ("tdx", "Volume is full: 0x%"PRIxGRUB_EFI_STATUS"\n",
+ status);
+ return GRUB_ERR_BAD_ARGUMENT;
+ case GRUB_EFI_UNSUPPORTED:
+ grub_dprintf ("tdx", "TDX unavailable: 0x%"PRIxGRUB_EFI_STATUS"\n",
+ status);
+ return GRUB_ERR_UNKNOWN_DEVICE;
+ default:
+ grub_dprintf ("tdx", "Unknown TDX error: 0x%"PRIxGRUB_EFI_STATUS"\n",
+ status);
+ return GRUB_ERR_UNKNOWN_DEVICE;
+ }
+}
+
+grub_err_t
+grub_tdx_log_event(unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
+ const char *description)
+{
+ EFI_TCG2_EVENT *event;
+ grub_efi_status_t status;
+ grub_efi_tdx_protocol_t *tdx;
+
+ tdx = grub_efi_locate_protocol (&tdx_guid, NULL);
+
+ if (!tdx)
+ return 0;
+
+ event = grub_zalloc(sizeof (EFI_TCG2_EVENT) + grub_strlen(description) + 1);
+ if (!event)
+ return grub_error (GRUB_ERR_OUT_OF_MEMORY,
+ N_("cannot allocate TCG2 event buffer"));
+
+ event->Header.HeaderSize = sizeof(EFI_TCG2_EVENT_HEADER);
+ event->Header.HeaderVersion = 1;
+ event->Header.PCRIndex = pcr;
+ event->Header.EventType = EV_IPL;
+ event->Size = sizeof(*event) - sizeof(event->Event) + grub_strlen(description) + 1;
+ grub_memcpy(event->Event, description, grub_strlen(description) + 1);
+
+ status = efi_call_5 (tdx->hash_log_extend_event, tdx, 0, (unsigned long) buf,
+ (grub_uint64_t) size, event);
+
+ return grub_tdx_dprintf(status);
+}
\ No newline at end of file
diff --git a/grub-core/kern/tpm.c b/grub-core/kern/tpm.c
index e5e8fced62..71cc4252c1 100644
--- a/grub-core/kern/tpm.c
+++ b/grub-core/kern/tpm.c
@@ -4,6 +4,7 @@
#include <grub/mm.h>
#include <grub/tpm.h>
#include <grub/term.h>
+#include <grub/tdx.h>
grub_err_t
grub_tpm_measure (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
@@ -13,6 +14,9 @@ grub_tpm_measure (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
char *desc = grub_xasprintf("%s %s", kind, description);
if (!desc)
return GRUB_ERR_OUT_OF_MEMORY;
+
+ grub_tdx_log_event(buf, size, pcr, desc);
+
ret = grub_tpm_log_event(buf, size, pcr, desc);
grub_free(desc);
return ret;
diff --git a/include/grub/efi/tdx.h b/include/grub/efi/tdx.h
new file mode 100644
index 0000000000..9bdac2a275
--- /dev/null
+++ b/include/grub/efi/tdx.h
@@ -0,0 +1,26 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2015 Free Software Foundation, Inc.
+ *
+ * GRUB is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GRUB is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef GRUB_EFI_TDX_HEADER
+#define GRUB_EFI_TDX_HEADER 1
+
+#define EFI_TDX_GUID {0x96751a3d, 0x72f4, 0x41a6, {0xa7, 0x94, 0xed, 0x5d, 0x0e, 0x67, 0xae, 0x6b}};
+
+typedef grub_efi_tpm2_protocol_t grub_efi_tdx_protocol_t;
+
+#endif
\ No newline at end of file
diff --git a/include/grub/tdx.h b/include/grub/tdx.h
new file mode 100644
index 0000000000..4a98008e39
--- /dev/null
+++ b/include/grub/tdx.h
@@ -0,0 +1,36 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2015 Free Software Foundation, Inc.
+ *
+ * GRUB is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GRUB is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef GRUB_TDX_HEADER
+#define GRUB_TDX_HEADER 1
+
+#if defined (GRUB_MACHINE_EFI)
+grub_err_t grub_tdx_log_event(unsigned char *buf, grub_size_t size,
+ grub_uint8_t pcr, const char *description);
+#else
+static inline grub_err_t grub_tdx_log_event(
+ unsigned char *buf __attribute__ ((unused)),
+ grub_size_t size __attribute__ ((unused)),
+ grub_uint8_t pcr __attribute__ ((unused)),
+ const char *description __attribute__ ((unused)))
+{
+ return 0;
+};
+#endif
+
+#endif

View File

@ -0,0 +1,28 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Avnish Chouhan <avnish@linux.vnet.ibm.com>
Date: Tue, 24 Jan 2023 08:01:47 -0500
Subject: [PATCH] Enable shared processor mode in vector 5
This patch is to update the vector 5 which is troubling some
machines to bootup properly in shared processor mode.
Signed-off-by: Avnish Chouhan <avnish@linux.vnet.ibm.com>
(cherry picked from commit 30d2ee836649386a336f9437c8a149c8e642a46b)
(cherry picked from commit 7e309d139c5eca1f03659e612a14499213e79c95)
---
grub-core/kern/ieee1275/init.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
index 37f3098c39..3ea9b73b2a 100644
--- a/grub-core/kern/ieee1275/init.c
+++ b/grub-core/kern/ieee1275/init.c
@@ -372,7 +372,7 @@ grub_ieee1275_ibm_cas (void)
.vec4 = 0x0001, // set required minimum capacity % to the lowest value
.vec5_size = 1 + sizeof(struct option_vector5) - 2,
.vec5 = {
- 0, 0, 0, 0, 0, 0, 0, 0, 256
+ 0, 192, 0, 128, 0, 0, 0, 0, 256
}
};

View File

@ -571,3 +571,5 @@ Patch0570: 0570-font-Fix-an-integer-underflow-in-blit_comb.patch
Patch0571: 0571-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch Patch0571: 0571-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch
Patch0572: 0572-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch Patch0572: 0572-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch
Patch0573: 0573-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch Patch0573: 0573-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch
Patch0574: 0574-Enable-TDX-measurement-to-RTMR-register.patch
Patch0575: 0575-Enable-shared-processor-mode-in-vector-5.patch

View File

@ -11,7 +11,7 @@
Name: grub2 Name: grub2
Epoch: 1 Epoch: 1
Version: 2.02 Version: 2.02
Release: 142%{?dist}.1.alma Release: 142%{?dist}.3.alma
Summary: Bootloader with support for Linux, Multiboot and more Summary: Bootloader with support for Linux, Multiboot and more
Group: System Environment/Base Group: System Environment/Base
License: GPLv3+ License: GPLv3+
@ -526,9 +526,16 @@ fi
%endif %endif
%changelog %changelog
* Mon Jan 09 2023 Andrew Lukoshko <alukoshko@almalinux.org> - 2.06-142.el8_7.1.alma * Tue Feb 21 2023 Andrew Lukoshko <alukoshko@almalinux.org> - 2.02-142.el8_7.3.alma
- Debrand for AlmaLinux - Debrand for AlmaLinux
* Mon Feb 06 2023 Robbie Harwood <rharwood@redhat.com> - 2.02-142.el8_7.3
- Sync with 8.8 (actually 2.02-148)
- Resolves: #2139508
* Thu Jan 19 2023 Robbie Harwood <rharwood@redhat.com> - 2.02-142.el8_7.2
- Sync with 8.8 (actually 2.02-147)
- Resolves: #2162411
* Thu Nov 08 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-142.el8_7.1 * Thu Nov 08 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-142.el8_7.1
- Sync with 8.8 (actually 2.02-145) - Sync with 8.8 (actually 2.02-145)
- Resolves: CVE-2022-2601 - Resolves: CVE-2022-2601