[RFC PATCH 00/12] x86: Trenchboot secure late launch Linux kernel support
From: Ross Philipson
Date: Wed Mar 25 2020 - 15:44:16 EST
The Trenchboot project focus on boot security has led to the enabling of
the Linux kernel to be directly invocable by the x86 Dynamic Launch
instruction(s) for establishing a Dynamic Root of Trust for Measurement
(DRTM). The dynamic launch will be initiated by a boot loader with
associated support added to it, for example the first targeted boot
loader will be GRUB2. An integral part of establishing the DRTM involves
measuring everything that is intended to be run (kernel image, initrd,
etc) and everything that will configure that kernel to run (command
line, boot params, etc) into specific PCRs, the DRTM PCRs (17-22), in
the TPM. Another key aspect is the dynamic launch is rooted in hardware.
On Intel this is done using the GETSEC instruction set provided by
Intel's TXT and the SKINIT instruction provided by AMD's AMD-V.
Information on these technologies can be readily found online.
To enable the kernel to be launched by GETSEC or SKINIT, a stub must be
built into the setup section of the compressed kernel to handle the
specific state that the late launch process leaves the BSP. This is a
lot like the EFI stub that is found in the same area. Also this stub
must measure everything that is going to be used as early as possible.
This stub code and subsequent code must also deal with the specific
state that the late launch leaves the APs in.
A quick note on terminology. The larger open source project itself is
called Trenchboot, which is hosted on Github (links below). The kernel
feature enabling the use of the x86 technology is referred to as "Secure
Launch" within the kernel code. As such the prefixes sl_/SL_ or
slaunch/SLAUNCH will be seen in the code. The stub code discussed above
is referred to as the SL stub.
The basic flow is:
- Entry from the late launch jumps to the SL stub
- SL stub fixes up the world on the BSP
- For TXT, SL stub wakes the APs, fixes up their worlds
- For TXT, APs are left halted waiting for an NMI to wake them
- SL stub jumps to startup_32
- SL main runs to measure configuration and module information into the
DRTM PCRs. It also locates the TPM event log.
- Kernel boot proceeds normally from this point.
- During early setup, slaunch_setup() runs to finish some validation
and setup tasks.
- The SMP bringup code is modified to wake the waiting APs. APs vector
to rmpiggy and start up normally from that point.
- Kernel boot finishes booting normally
- SL securityfs module is present to allow reading and writing of the
TPM event log.
Outstanding:
- Currently Secure Launch only supports TXT, though there is an AMD
version is in progress.
- The compressed kernel TPM code includes a CRB interface
implementation but is untested due to inability to locate a system
with TXT and a TPM accessible with the CRB interface
- There is a known crash that is difficult to reproduce and is unclear
how the secure launch code is causing the crash. Thread on it here:
https://groups.google.com/forum/#!topic/trenchboot-devel/EZN_4ymrCgs
Links:
The Trenchboot project including documentation:
https://github.com/trenchboot
Intel TXT is documented in its own specification and in the SDM Instruction Set volume:
https://www.intel.com/content/dam/www/public/us/en/documents/guides/intel-txt-software-development-guide.pdf
https://software.intel.com/en-us/articles/intel-sdm
AMD SKINIT is documented in the System Programming manual:
https://www.amd.com/system/files/TechDocs/24593.pdf
Thanks
Ross Philipson and Daniel P. Smith
Daniel P. Smith (5):
x86: Add early SHA support for Secure Launch early measurements
x86: Add early TPM TIS/CRB interface support for Secure Launch
x86: Add early TPM1.2/TPM2.0 interface support for Secure Launch
x86: Add early general TPM interface support for Secure Launch
x86: Secure Launch adding event log securityfs
Ross Philipson (7):
x86: Secure Launch Kconfig
x86: Secure Launch main header file
x86: Secure Launch kernel early boot stub
x86: Secure Launch kernel late boot stub
x86: Secure Launch SMP bringup support
kexec: Secure Launch kexec SEXIT support
tpm: Allow locality 2 to be set when initializing the TPM for Secure
Launch
Documentation/x86/boot.rst | 9 +
arch/x86/Kconfig | 35 +
arch/x86/boot/compressed/Makefile | 8 +
arch/x86/boot/compressed/early_sha1.c | 104 +++
arch/x86/boot/compressed/early_sha1.h | 17 +
arch/x86/boot/compressed/early_sha256.c | 6 +
arch/x86/boot/compressed/early_sha512.c | 6 +
arch/x86/boot/compressed/head_64.S | 32 +
arch/x86/boot/compressed/kernel_info.S | 3 +
arch/x86/boot/compressed/sl_main.c | 378 ++++++++++
arch/x86/boot/compressed/sl_stub.S | 568 ++++++++++++++
arch/x86/boot/compressed/tpm/crb.c | 302 ++++++++
arch/x86/boot/compressed/tpm/crb.h | 25 +
arch/x86/boot/compressed/tpm/tis.c | 212 ++++++
arch/x86/boot/compressed/tpm/tis.h | 51 ++
arch/x86/boot/compressed/tpm/tpm.c | 190 +++++
arch/x86/boot/compressed/tpm/tpm.h | 42 ++
arch/x86/boot/compressed/tpm/tpm1.h | 112 +++
arch/x86/boot/compressed/tpm/tpm1_cmds.c | 133 ++++
arch/x86/boot/compressed/tpm/tpm2.h | 89 +++
arch/x86/boot/compressed/tpm/tpm2_auth.c | 31 +
arch/x86/boot/compressed/tpm/tpm2_auth.h | 21 +
arch/x86/boot/compressed/tpm/tpm2_cmds.c | 150 ++++
arch/x86/boot/compressed/tpm/tpm2_constants.h | 66 ++
arch/x86/boot/compressed/tpm/tpm_buff.c | 135 ++++
arch/x86/boot/compressed/tpm/tpm_common.h | 127 ++++
arch/x86/boot/compressed/tpm/tpmbuff.h | 34 +
arch/x86/boot/compressed/tpm/tpmio.c | 51 ++
arch/x86/boot/compressed/vmlinux.lds.S | 4 +
arch/x86/include/asm/realmode.h | 3 +
arch/x86/kernel/Makefile | 1 +
arch/x86/kernel/asm-offsets.c | 15 +
arch/x86/kernel/setup.c | 3 +
arch/x86/kernel/slaunch.c | 700 ++++++++++++++++++
arch/x86/kernel/smpboot.c | 86 +++
arch/x86/realmode/rm/header.S | 3 +
arch/x86/realmode/rm/trampoline_64.S | 37 +
drivers/char/tpm/tpm-chip.c | 13 +-
drivers/iommu/dmar.c | 4 +
include/linux/sha512.h | 21 +
include/linux/slaunch.h | 513 +++++++++++++
kernel/kexec_core.c | 3 +
lib/sha1.c | 4 +
lib/sha512.c | 209 ++++++
44 files changed, 4554 insertions(+), 2 deletions(-)
create mode 100644 arch/x86/boot/compressed/early_sha1.c
create mode 100644 arch/x86/boot/compressed/early_sha1.h
create mode 100644 arch/x86/boot/compressed/early_sha256.c
create mode 100644 arch/x86/boot/compressed/early_sha512.c
create mode 100644 arch/x86/boot/compressed/sl_main.c
create mode 100644 arch/x86/boot/compressed/sl_stub.S
create mode 100644 arch/x86/boot/compressed/tpm/crb.c
create mode 100644 arch/x86/boot/compressed/tpm/crb.h
create mode 100644 arch/x86/boot/compressed/tpm/tis.c
create mode 100644 arch/x86/boot/compressed/tpm/tis.h
create mode 100644 arch/x86/boot/compressed/tpm/tpm.c
create mode 100644 arch/x86/boot/compressed/tpm/tpm.h
create mode 100644 arch/x86/boot/compressed/tpm/tpm1.h
create mode 100644 arch/x86/boot/compressed/tpm/tpm1_cmds.c
create mode 100644 arch/x86/boot/compressed/tpm/tpm2.h
create mode 100644 arch/x86/boot/compressed/tpm/tpm2_auth.c
create mode 100644 arch/x86/boot/compressed/tpm/tpm2_auth.h
create mode 100644 arch/x86/boot/compressed/tpm/tpm2_cmds.c
create mode 100644 arch/x86/boot/compressed/tpm/tpm2_constants.h
create mode 100644 arch/x86/boot/compressed/tpm/tpm_buff.c
create mode 100644 arch/x86/boot/compressed/tpm/tpm_common.h
create mode 100644 arch/x86/boot/compressed/tpm/tpmbuff.h
create mode 100644 arch/x86/boot/compressed/tpm/tpmio.c
create mode 100644 arch/x86/kernel/slaunch.c
create mode 100644 include/linux/sha512.h
create mode 100644 include/linux/slaunch.h
create mode 100644 lib/sha512.c
--
2.25.1