[PATCH 00/24] my sub

Hello, This is the third installment of sending [TrenchBoot] code changes to this mailing list. Previous ones ([take-1], [take-2]) didn't really go far. This one somewhat differs because 4 years have passed and EFI changes aren't included (there is Linux and Multiboot2). There are a lot of chan

[PATCH 01/24] i386/msr: Merge rdmsr.h and wrmsr.h into msr.h

From: Daniel Kiper It does not make sense to have separate headers for separate static functions. Additionally, we have to add some constants with MSR addresses in subsequent patches. So, make one common place to store them. Signed-off-by: Daniel Kiper --- grub-core/commands/i386/rdmsr.c

[PATCH 07/24] mmap: Add grub_mmap_get_lowest() and grub_mmap_get_highest()

From: Daniel Kiper The functions calculate lowest and highest available RAM addresses respectively. Both functions are needed to calculate PMR boundaries for Intel TXT secure launcher introduced by subsequent patches. Signed-off-by: Daniel Kiper --- grub-core/mmap/mmap.c | 83

[PATCH 00/24] i386: Intel TXT and AMD SKINIT secure launcher

Hello, [Resending cover letter because I messed up the subject on first try.] This is the third installment of sending [TrenchBoot] code changes to this mailing list. Previous ones ([take-1], [take-2]) didn't really go far. This one somewhat differs because 4 years have passed and EFI changes a

[PATCH 05/24] i386/memory: Rename PAGE_SIZE to GRUB_PAGE_SIZE and make it global

From: Daniel Kiper Subsequent patches will use that constant. Signed-off-by: Daniel Kiper --- grub-core/loader/i386/xen.c | 35 +-- include/grub/i386/memory.h | 1 + 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/grub-core/loader/i386/xen.c b

[PATCH 09/24] i386/tpm: Add TPM TIS and CRB driver

From: Daniel Kiper It will be used by Intel TXT secure launcher introduced by subsequent patches. Signed-off-by: Daniel Kiper Signed-off-by: Krystian Hebel --- grub-core/commands/i386/tpm.c | 151 ++ include/grub/i386/tpm.h | 35 2 files changed

[PATCH 02/24] i386/msr: Rename grub_msr_read() and grub_msr_write()

From: Daniel Kiper ... to grub_rdmsr() and grub_wrmsr() respectively. New names are more obvious than older ones. Signed-off-by: Daniel Kiper --- grub-core/commands/i386/rdmsr.c | 2 +- grub-core/commands/i386/wrmsr.c | 2 +- include/grub/i386/msr.h | 4 ++-- 3 files changed, 4 inserti

[PATCH 11/24] i386/slaunch: Add basic platform support for secure launch

From: Ross Philipson Some of the commands declared in header files will be implemented in the follow-up commits. Signed-off-by: Ross Philipson Signed-off-by: Daniel Kiper Signed-off-by: Krystian Hebel Signed-off-by: Sergii Dmytruk --- include/grub/i386/cpuid.h | 12 include/grub/i38

[PATCH 10/24] include/grub: Introduce Secure Launch Resource Table (SLRT)

From: Ross Philipson Provide definitions of structures and basic functions for constructing and parsing of SLRT. Signed-off-by: Ross Philipson Signed-off-by: Sergii Dmytruk Signed-off-by: Krystian Hebel --- include/grub/slr_table.h | 328 +++ 1 file change

[PATCH 06/24] i386/memory: Define GRUB_PAGE_MASK constant and GRUB_PAGE_{UP, DOWN} macros

From: Krystian Hebel Subsequent patches will use those macros and constant. Signed-off-by: Krystian Hebel --- include/grub/i386/memory.h | 5 + 1 file changed, 5 insertions(+) diff --git a/include/grub/i386/memory.h b/include/grub/i386/memory.h index c64529630..56f64855b 100644 --- a/incl

[PATCH 15/24] i386/txt: Add Intel TXT verification routines

From: Ross Philipson Signed-off-by: Ross Philipson Signed-off-by: Daniel Kiper Signed-off-by: Krystian Hebel --- grub-core/loader/i386/txt/verify.c | 277 + 1 file changed, 277 insertions(+) create mode 100644 grub-core/loader/i386/txt/verify.c diff --git a/grub-

[PATCH 14/24] i386/txt: Add Intel TXT ACM module support

From: Ross Philipson Signed-off-by: Ross Philipson Signed-off-by: Daniel Kiper Signed-off-by: Krystian Hebel --- grub-core/loader/i386/txt/acmod.c | 605 ++ 1 file changed, 605 insertions(+) create mode 100644 grub-core/loader/i386/txt/acmod.c diff --git a/grub-c

[PATCH 04/24] i386/memory: Rename PAGE_SHIFT to GRUB_PAGE_SHIFT

From: Daniel Kiper ...to avoid potential conflicts and confusion. Signed-off-by: Daniel Kiper --- grub-core/lib/i386/xen/relocator.S | 6 +++--- grub-core/lib/x86_64/xen/relocator.S | 4 ++-- grub-core/loader/i386/xen.c | 28 ++-- include/grub/i386/memory.h

[PATCH 22/24] i386/slaunch: Add support for AMD SKINIT

From: Krystian Hebel Extend slaunch command to work on AMD CPUs. Signed-off-by: Krystian Hebel Signed-off-by: Sergii Dmytruk --- grub-core/lib/i386/relocator32.S | 6 grub-core/loader/i386/skinit.c | 58 grub-core/loader/i386/slaunch.c | 33 ++

[PATCH 17/24] i386/slaunch: Add secure launch framework and commands

From: Ross Philipson Signed-off-by: Ross Philipson Signed-off-by: Daniel Kiper Signed-off-by: Krystian Hebel Signed-off-by: Sergii Dmytruk --- grub-core/Makefile.am| 6 + grub-core/Makefile.core.def | 15 + grub-core/lib/i386/relocator32.S

[PATCH 18/24] loader/i386/linux.c: Fix cleanup if kernel doesn't support 64-bit addressing

Simply returning didn't free file resource nor called `grub_dl_ref(my_mod)`. Jump to `fail` label instead. Signed-off-by: Sergii Dmytruk --- grub-core/loader/i386/linux.c | 8 +--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader

[PATCH 23/24] multiboot2: Support AMD SKINIT

From: Krystian Hebel Signed-off-by: Krystian Hebel Signed-off-by: Sergii Dmytruk --- grub-core/loader/multiboot.c | 11 +-- grub-core/loader/multiboot_elfxx.c | 22 ++--- grub-core/loader/multiboot_mbi2.c | 52 +++--- include/grub/multiboot2.h

[PATCH 16/24] i386/txt: Initialize TPM 1.2 event log in TXT heap

From: Michał Żygowski Signed-off-by: Michał Żygowski Signed-off-by: Krystian Hebel --- grub-core/loader/i386/txt/txt.c | 62 +++-- include/grub/i386/txt.h | 33 ++ 2 files changed, 93 insertions(+), 2 deletions(-) diff --git a/grub-core/load

[PATCH 21/24] i386/skinit: Add AMD SKINIT implementation

From: Krystian Hebel This adds code for placing of SLB and initialization of SLRT for AMD SKINIT. Signed-off-by: Krystian Hebel Signed-off-by: Sergii Dmytruk --- grub-core/Makefile.core.def| 1 + grub-core/loader/i386/skinit.c | 98 ++ include/grub/i386/sk

[PATCH 08/24] i386/tpm: Rename tpm module to tpm_verifier

From: Daniel Kiper ...to avoid naming collision with TPM TIS and CRB driver introduced by subsequent patch. Signed-off-by: Daniel Kiper --- docs/grub.texi | 15 --- grub-core/Makefile.core.def | 4 ++-- grub-core/commands/{tpm.c => tp

[PATCH 24/24] i386/linux: Add support for AMD SKINIT

From: Ross Philipson Signed-off-by: Ross Philipson Signed-off-by: Daniel Kiper Signed-off-by: Sergii Dmytruk --- grub-core/loader/i386/linux.c | 57 --- 1 file changed, 40 insertions(+), 17 deletions(-) diff --git a/grub-core/loader/i386/linux.c b/grub-core/lo

[PATCH 03/24] i386/msr: Extract and improve MSR support detection code

From: Daniel Kiper Currently rdmsr and wrmsr commands have own MSR support detection code. This code is the same. So, it is duplicated. Additionally, this code cannot be reused by others. Hence, extract this code to a function and make it public. By the way, improve a code a bit. Additionally, u

[PATCH 12/24] i386/txt: Add Intel TXT definitions header file

From: Ross Philipson Signed-off-by: Ross Philipson Signed-off-by: Daniel Kiper Signed-off-by: Sergii Dmytruk --- include/grub/i386/txt.h | 709 1 file changed, 709 insertions(+) create mode 100644 include/grub/i386/txt.h diff --git a/include/grub/i38

[PATCH 20/24] multiboot2: Implement TXT slaunch support

From: Michał Żygowski The code makes sure that MBI entry goes first in DRTM, so the payload can measure it first on launch. SLRT table is allocated on the heap first, size for it is reserved inside TXT heap by TXT code and data is later copied into its final place. To avoid mismatch between OS

[PATCH 13/24] i386/txt: Add Intel TXT core implementation

From: Ross Philipson Signed-off-by: Ross Philipson Signed-off-by: Daniel Kiper Signed-off-by: Michał Żygowski Signed-off-by: Krystian Hebel Signed-off-by: Sergii Dmytruk --- grub-core/loader/i386/txt/txt.c | 1052 +++ include/grub/i386/slaunch.h | 14 +- 2

[PATCH 19/24] multiboot: Make GRUB_MULTIBOOT(make_mbi) return MBI's size

GRUB_MULTIBOOT(get_mbi_size) doesn't look like an accurate source of the final size, more like a minimal memory buffer size. Signed-off-by: Sergii Dmytruk --- grub-core/loader/i386/multiboot_mbi.c | 4 +++- grub-core/loader/multiboot.c | 3 ++- grub-core/loader/multiboot_mbi2.c | 6

Re: [PATCH v18 16/25] key_protector: Add TPM2 Key Protector

On Fri, Jun 28, 2024 at 04:18:59PM +0800, Gary Lin via Grub-devel wrote: > From: Hernan Gatta > > The TPM2 key protector is a module that enables the automatic retrieval > of a fully-encrypted disk's unlocking key from a TPM 2.0. > > The theory of operation is such that the module accepts various

Re: [PATCH v18 00/25] Automatic Disk Unlock with TPM2

On Fri, Jun 28, 2024 at 04:18:43PM +0800, Gary Lin via Grub-devel wrote: > GIT repo for v18: https://github.com/lcp/grub2/tree/tpm2-unlock-v18 > > This patch series is based on "Automatic TPM Disk Unlock"(*1) posted by > Hernan Gatta to introduce the key protector framework and TPM2 stack > to GRUB

Re: [PATCH v18 17/25] cryptodisk: Support key protectors

On Fri, Jun 28, 2024 at 04:19:00PM +0800, Gary Lin via Grub-devel wrote: > From: Hernan Gatta > > Add a new parameter to cryptomount to support the key protectors framework: > -P. > The parameter is used to automatically retrieve a key from specified key > protectors. The parameter may be repeate

Re: [PATCH v18 13/25] tss2: Add TPM2 buffer handling functions

On Thu, Aug 22, 2024 at 03:21:51PM +0200, Daniel Kiper wrote: > On Fri, Jun 28, 2024 at 04:18:56PM +0800, Gary Lin via Grub-devel wrote: > > As the prepartion to support TPM2 Software Stack (TSS2), this commit > > implements the TPM2 buffer handling functions to pack data for the TPM2 > > commands

Re: [PATCH v18 14/25] tss2: Add TPM2 types and Marshal/Unmarshal functions

On Thu, Aug 22, 2024 at 04:03:35PM +0200, Daniel Kiper wrote: > On Fri, Jun 28, 2024 at 04:18:57PM +0800, Gary Lin via Grub-devel wrote: > > This commit adds the necessary TPM2 types and structs as the preparation > > for the TPM2 Software Stack (TSS2) support. The Marshal/Unmarshal > > functions a

Re: [PATCH v18 15/25] tss2: Add TPM2 Software Stack (TSS2) support

On Thu, Aug 22, 2024 at 04:30:46PM +0200, Daniel Kiper wrote: > On Fri, Jun 28, 2024 at 04:18:58PM +0800, Gary Lin via Grub-devel wrote: > > A Trusted Platform Module (TPM) Software Stack (TSS) provides logic to > > compose and submit TPM commands and parse reponses. > > > > A limited number of TPM