import grub2-2.02-142.el8_7.3
This commit is contained in:
parent
029b453a89
commit
a68fea488e
227
SOURCES/0574-Enable-TDX-measurement-to-RTMR-register.patch
Normal file
227
SOURCES/0574-Enable-TDX-measurement-to-RTMR-register.patch
Normal file
@ -0,0 +1,227 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Lu Ken <ken.lu@intel.com>
|
||||
Date: Sat, 3 Jul 2021 10:50:37 -0400
|
||||
Subject: [PATCH] Enable TDX measurement to RTMR register
|
||||
|
||||
Intel Trust Domain Extensions(Intel TDX) refers to an Intel technology
|
||||
that extends Virtual Machine Extensions(VMX) and Multi-Key Total Memory
|
||||
Encryption(MK-TME) with a new kind of virtual machine guest called a
|
||||
Trust Domain(TD)[1]. A TD runs in a CPU mode that protects the confidentiality
|
||||
of its memory contents and its CPU state from any other software, including
|
||||
the hosting Virtual Machine Monitor (VMM).
|
||||
|
||||
Trust Domain Virtual Firmware (TDVF) is required to provide TD services to
|
||||
the TD guest OS.[2] Its reference code is available at https://github.com/tianocore/edk2-staging/tree/TDVF.
|
||||
|
||||
To support TD measurement/attestation, TDs provide 4 RTMR registers like
|
||||
TPM/TPM2 PCR as below:
|
||||
- RTMR[0] is for TDVF configuration
|
||||
- RTMR[1] is for the TD OS loader and kernel
|
||||
- RTMR[2] is for the OS application
|
||||
- RTMR[3] is reserved for special usage only
|
||||
|
||||
This patch adds TD Measurement protocol support along with TPM/TPM2 protocol.
|
||||
|
||||
References:
|
||||
[1] https://software.intel.com/content/dam/develop/external/us/en/documents/tdx-whitepaper-v4.pdf
|
||||
[2] https://software.intel.com/content/dam/develop/external/us/en/documents/tdx-virtual-firmware-design-guide-rev-1.pdf
|
||||
|
||||
Signed-off-by: Lu Ken <ken.lu@intel.com>
|
||||
(cherry picked from commit 841a0977397cf12a5498d439b8aaf8bf28ff8544)
|
||||
---
|
||||
grub-core/Makefile.core.def | 1 +
|
||||
grub-core/kern/efi/tdx.c | 70 +++++++++++++++++++++++++++++++++++++++++++++
|
||||
grub-core/kern/tpm.c | 4 +++
|
||||
include/grub/efi/tdx.h | 26 +++++++++++++++++
|
||||
include/grub/tdx.h | 36 +++++++++++++++++++++++
|
||||
5 files changed, 137 insertions(+)
|
||||
create mode 100644 grub-core/kern/efi/tdx.c
|
||||
create mode 100644 include/grub/efi/tdx.h
|
||||
create mode 100644 include/grub/tdx.h
|
||||
|
||||
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
|
||||
index 637d7203e3..2787d59c52 100644
|
||||
--- a/grub-core/Makefile.core.def
|
||||
+++ b/grub-core/Makefile.core.def
|
||||
@@ -200,6 +200,7 @@ kernel = {
|
||||
efi = kern/efi/acpi.c;
|
||||
efi = kern/lockdown.c;
|
||||
efi = lib/envblk.c;
|
||||
+ efi = kern/efi/tdx.c;
|
||||
efi = kern/efi/tpm.c;
|
||||
i386_coreboot = kern/i386/pc/acpi.c;
|
||||
i386_multiboot = kern/i386/pc/acpi.c;
|
||||
diff --git a/grub-core/kern/efi/tdx.c b/grub-core/kern/efi/tdx.c
|
||||
new file mode 100644
|
||||
index 0000000000..3a49f8d117
|
||||
--- /dev/null
|
||||
+++ b/grub-core/kern/efi/tdx.c
|
||||
@@ -0,0 +1,70 @@
|
||||
+#include <grub/err.h>
|
||||
+#include <grub/i18n.h>
|
||||
+#include <grub/efi/api.h>
|
||||
+#include <grub/efi/efi.h>
|
||||
+#include <grub/efi/tpm.h>
|
||||
+#include <grub/efi/tdx.h>
|
||||
+#include <grub/mm.h>
|
||||
+#include <grub/tpm.h>
|
||||
+#include <grub/tdx.h>
|
||||
+
|
||||
+static grub_efi_guid_t tdx_guid = EFI_TDX_GUID;
|
||||
+
|
||||
+static inline grub_err_t grub_tdx_dprintf(grub_efi_status_t status)
|
||||
+{
|
||||
+ switch (status) {
|
||||
+ case GRUB_EFI_SUCCESS:
|
||||
+ return 0;
|
||||
+ case GRUB_EFI_DEVICE_ERROR:
|
||||
+ grub_dprintf ("tdx", "Command failed: 0x%"PRIxGRUB_EFI_STATUS"\n",
|
||||
+ status);
|
||||
+ return GRUB_ERR_IO;
|
||||
+ case GRUB_EFI_INVALID_PARAMETER:
|
||||
+ grub_dprintf ("tdx", "Invalid parameter: 0x%"PRIxGRUB_EFI_STATUS"\n",
|
||||
+ status);
|
||||
+ return GRUB_ERR_BAD_ARGUMENT;
|
||||
+ case GRUB_EFI_VOLUME_FULL:
|
||||
+ grub_dprintf ("tdx", "Volume is full: 0x%"PRIxGRUB_EFI_STATUS"\n",
|
||||
+ status);
|
||||
+ return GRUB_ERR_BAD_ARGUMENT;
|
||||
+ case GRUB_EFI_UNSUPPORTED:
|
||||
+ grub_dprintf ("tdx", "TDX unavailable: 0x%"PRIxGRUB_EFI_STATUS"\n",
|
||||
+ status);
|
||||
+ return GRUB_ERR_UNKNOWN_DEVICE;
|
||||
+ default:
|
||||
+ grub_dprintf ("tdx", "Unknown TDX error: 0x%"PRIxGRUB_EFI_STATUS"\n",
|
||||
+ status);
|
||||
+ return GRUB_ERR_UNKNOWN_DEVICE;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+grub_err_t
|
||||
+grub_tdx_log_event(unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
|
||||
+ const char *description)
|
||||
+{
|
||||
+ EFI_TCG2_EVENT *event;
|
||||
+ grub_efi_status_t status;
|
||||
+ grub_efi_tdx_protocol_t *tdx;
|
||||
+
|
||||
+ tdx = grub_efi_locate_protocol (&tdx_guid, NULL);
|
||||
+
|
||||
+ if (!tdx)
|
||||
+ return 0;
|
||||
+
|
||||
+ event = grub_zalloc(sizeof (EFI_TCG2_EVENT) + grub_strlen(description) + 1);
|
||||
+ if (!event)
|
||||
+ return grub_error (GRUB_ERR_OUT_OF_MEMORY,
|
||||
+ N_("cannot allocate TCG2 event buffer"));
|
||||
+
|
||||
+ event->Header.HeaderSize = sizeof(EFI_TCG2_EVENT_HEADER);
|
||||
+ event->Header.HeaderVersion = 1;
|
||||
+ event->Header.PCRIndex = pcr;
|
||||
+ event->Header.EventType = EV_IPL;
|
||||
+ event->Size = sizeof(*event) - sizeof(event->Event) + grub_strlen(description) + 1;
|
||||
+ grub_memcpy(event->Event, description, grub_strlen(description) + 1);
|
||||
+
|
||||
+ status = efi_call_5 (tdx->hash_log_extend_event, tdx, 0, (unsigned long) buf,
|
||||
+ (grub_uint64_t) size, event);
|
||||
+
|
||||
+ return grub_tdx_dprintf(status);
|
||||
+}
|
||||
\ No newline at end of file
|
||||
diff --git a/grub-core/kern/tpm.c b/grub-core/kern/tpm.c
|
||||
index e5e8fced62..71cc4252c1 100644
|
||||
--- a/grub-core/kern/tpm.c
|
||||
+++ b/grub-core/kern/tpm.c
|
||||
@@ -4,6 +4,7 @@
|
||||
#include <grub/mm.h>
|
||||
#include <grub/tpm.h>
|
||||
#include <grub/term.h>
|
||||
+#include <grub/tdx.h>
|
||||
|
||||
grub_err_t
|
||||
grub_tpm_measure (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
|
||||
@@ -13,6 +14,9 @@ grub_tpm_measure (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
|
||||
char *desc = grub_xasprintf("%s %s", kind, description);
|
||||
if (!desc)
|
||||
return GRUB_ERR_OUT_OF_MEMORY;
|
||||
+
|
||||
+ grub_tdx_log_event(buf, size, pcr, desc);
|
||||
+
|
||||
ret = grub_tpm_log_event(buf, size, pcr, desc);
|
||||
grub_free(desc);
|
||||
return ret;
|
||||
diff --git a/include/grub/efi/tdx.h b/include/grub/efi/tdx.h
|
||||
new file mode 100644
|
||||
index 0000000000..9bdac2a275
|
||||
--- /dev/null
|
||||
+++ b/include/grub/efi/tdx.h
|
||||
@@ -0,0 +1,26 @@
|
||||
+/*
|
||||
+ * GRUB -- GRand Unified Bootloader
|
||||
+ * Copyright (C) 2015 Free Software Foundation, Inc.
|
||||
+ *
|
||||
+ * GRUB is free software: you can redistribute it and/or modify
|
||||
+ * it under the terms of the GNU General Public License as published by
|
||||
+ * the Free Software Foundation, either version 3 of the License, or
|
||||
+ * (at your option) any later version.
|
||||
+ *
|
||||
+ * GRUB is distributed in the hope that it will be useful,
|
||||
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+ * GNU General Public License for more details.
|
||||
+ *
|
||||
+ * You should have received a copy of the GNU General Public License
|
||||
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
|
||||
+ */
|
||||
+
|
||||
+#ifndef GRUB_EFI_TDX_HEADER
|
||||
+#define GRUB_EFI_TDX_HEADER 1
|
||||
+
|
||||
+#define EFI_TDX_GUID {0x96751a3d, 0x72f4, 0x41a6, {0xa7, 0x94, 0xed, 0x5d, 0x0e, 0x67, 0xae, 0x6b}};
|
||||
+
|
||||
+typedef grub_efi_tpm2_protocol_t grub_efi_tdx_protocol_t;
|
||||
+
|
||||
+#endif
|
||||
\ No newline at end of file
|
||||
diff --git a/include/grub/tdx.h b/include/grub/tdx.h
|
||||
new file mode 100644
|
||||
index 0000000000..4a98008e39
|
||||
--- /dev/null
|
||||
+++ b/include/grub/tdx.h
|
||||
@@ -0,0 +1,36 @@
|
||||
+/*
|
||||
+ * GRUB -- GRand Unified Bootloader
|
||||
+ * Copyright (C) 2015 Free Software Foundation, Inc.
|
||||
+ *
|
||||
+ * GRUB is free software: you can redistribute it and/or modify
|
||||
+ * it under the terms of the GNU General Public License as published by
|
||||
+ * the Free Software Foundation, either version 3 of the License, or
|
||||
+ * (at your option) any later version.
|
||||
+ *
|
||||
+ * GRUB is distributed in the hope that it will be useful,
|
||||
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+ * GNU General Public License for more details.
|
||||
+ *
|
||||
+ * You should have received a copy of the GNU General Public License
|
||||
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
|
||||
+ */
|
||||
+
|
||||
+#ifndef GRUB_TDX_HEADER
|
||||
+#define GRUB_TDX_HEADER 1
|
||||
+
|
||||
+#if defined (GRUB_MACHINE_EFI)
|
||||
+grub_err_t grub_tdx_log_event(unsigned char *buf, grub_size_t size,
|
||||
+ grub_uint8_t pcr, const char *description);
|
||||
+#else
|
||||
+static inline grub_err_t grub_tdx_log_event(
|
||||
+ unsigned char *buf __attribute__ ((unused)),
|
||||
+ grub_size_t size __attribute__ ((unused)),
|
||||
+ grub_uint8_t pcr __attribute__ ((unused)),
|
||||
+ const char *description __attribute__ ((unused)))
|
||||
+{
|
||||
+ return 0;
|
||||
+};
|
||||
+#endif
|
||||
+
|
||||
+#endif
|
28
SOURCES/0575-Enable-shared-processor-mode-in-vector-5.patch
Normal file
28
SOURCES/0575-Enable-shared-processor-mode-in-vector-5.patch
Normal file
@ -0,0 +1,28 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Avnish Chouhan <avnish@linux.vnet.ibm.com>
|
||||
Date: Tue, 24 Jan 2023 08:01:47 -0500
|
||||
Subject: [PATCH] Enable shared processor mode in vector 5
|
||||
|
||||
This patch is to update the vector 5 which is troubling some
|
||||
machines to bootup properly in shared processor mode.
|
||||
|
||||
Signed-off-by: Avnish Chouhan <avnish@linux.vnet.ibm.com>
|
||||
(cherry picked from commit 30d2ee836649386a336f9437c8a149c8e642a46b)
|
||||
(cherry picked from commit 7e309d139c5eca1f03659e612a14499213e79c95)
|
||||
---
|
||||
grub-core/kern/ieee1275/init.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
|
||||
index 37f3098c39..3ea9b73b2a 100644
|
||||
--- a/grub-core/kern/ieee1275/init.c
|
||||
+++ b/grub-core/kern/ieee1275/init.c
|
||||
@@ -372,7 +372,7 @@ grub_ieee1275_ibm_cas (void)
|
||||
.vec4 = 0x0001, // set required minimum capacity % to the lowest value
|
||||
.vec5_size = 1 + sizeof(struct option_vector5) - 2,
|
||||
.vec5 = {
|
||||
- 0, 0, 0, 0, 0, 0, 0, 0, 256
|
||||
+ 0, 192, 0, 128, 0, 0, 0, 0, 256
|
||||
}
|
||||
};
|
||||
|
@ -571,3 +571,5 @@ Patch0570: 0570-font-Fix-an-integer-underflow-in-blit_comb.patch
|
||||
Patch0571: 0571-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch
|
||||
Patch0572: 0572-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch
|
||||
Patch0573: 0573-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch
|
||||
Patch0574: 0574-Enable-TDX-measurement-to-RTMR-register.patch
|
||||
Patch0575: 0575-Enable-shared-processor-mode-in-vector-5.patch
|
||||
|
@ -7,7 +7,7 @@
|
||||
Name: grub2
|
||||
Epoch: 1
|
||||
Version: 2.02
|
||||
Release: 142%{?dist}.1
|
||||
Release: 142%{?dist}.3
|
||||
Summary: Bootloader with support for Linux, Multiboot and more
|
||||
Group: System Environment/Base
|
||||
License: GPLv3+
|
||||
@ -510,6 +510,14 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Feb 06 2023 Robbie Harwood <rharwood@redhat.com> - 2.02-142.el8_7.3
|
||||
- Sync with 8.8 (actually 2.02-148)
|
||||
- Resolves: #2139508
|
||||
|
||||
* Thu Jan 19 2023 Robbie Harwood <rharwood@redhat.com> - 2.02-142.el8_7.2
|
||||
- Sync with 8.8 (actually 2.02-147)
|
||||
- Resolves: #2162411
|
||||
|
||||
* Thu Nov 08 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-142.el8_7.1
|
||||
- Sync with 8.8 (actually 2.02-145)
|
||||
- Resolves: CVE-2022-2601
|
||||
|
Loading…
Reference in New Issue
Block a user