
Aem rebased wip #8

Closed
wants to merge 35 commits into from

Conversation

krystian-hebel
Member

No description provided.

@krystian-hebel krystian-hebel force-pushed the aem-rebased-wip branch 4 times, most recently from 22e3ef8 to e1fc3a9 Compare December 8, 2023 14:41
krystian-hebel and others added 26 commits December 8, 2023 16:10
…s and heap

File contains the TXT register space base address, register offsets,
error codes and inline functions for accessing structures stored on
the TXT heap.

Signed-off-by: Krystian Hebel <[email protected]>
MLE header is used with Intel TXT, together with MB2 headers.
Entrypoint is different, but it is used just to differentiate
from other entries by moving a magic number to EAX. Execution
environment is similar to that of Multiboot 2 and code falls
through to MB2's entry point.

Signed-off-by: Kacper Stojek <[email protected]>
Signed-off-by: Krystian Hebel <[email protected]>
These tests validate that important parts of memory are protected
against DMA attacks, including Xen and MBI. Modules can be tested later,
when it is possible to report issues to the user before invoking TXT reset.

TPM event log validation is temporarily disabled due to an issue with its
allocation by the bootloader. Ultimately the event log will also have to be
validated early, as it is used immediately after these tests to hold
MBI measurements.

Signed-off-by: Krystian Hebel <[email protected]>
TXT heap is marked as reserved in e820 to protect against being allocated
and overwritten.

Signed-off-by: Krystian Hebel <[email protected]>
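Marking the TXT heap as reserved in the e820 map, as the commit above describes, means any usable-RAM entry overlapping the heap must be trimmed or split so allocators never see that range as free. The following is an added illustration, not Xen's own e820 code: the entry layout, `E820_MAX` and the helper `e820_reserve_range()` are hypothetical, and the sample map in the test is constructed.

```c
#include <stdint.h>
#include <string.h>

/* Constructed, simplified e820 entry types (values follow the BIOS convention). */
#define E820_RAM      1
#define E820_RESERVED 2
#define E820_MAX      32

struct e820entry {
    uint64_t addr;
    uint64_t size;
    uint32_t type;
};

/* Hypothetical helper: mark [base, base+len) as reserved. Every RAM entry
 * overlapping the window is trimmed, split or dropped so that no part of the
 * window remains allocatable. Returns the new entry count, or -1 on overflow. */
int e820_reserve_range(struct e820entry *map, int n, uint64_t base, uint64_t len)
{
    uint64_t end = base + len;

    for (int i = 0; i < n; i++) {
        uint64_t s = map[i].addr, e = map[i].addr + map[i].size;

        if (map[i].type != E820_RAM || e <= base || s >= end)
            continue;                        /* no overlap with usable RAM */

        if (s < base) {
            map[i].size = base - s;          /* keep the head [s, base) as RAM */
            if (e > end) {                   /* tail [end, e) also survives */
                if (n >= E820_MAX)
                    return -1;
                memmove(&map[i + 2], &map[i + 1], (n - i - 1) * sizeof(*map));
                map[i + 1] = (struct e820entry){ end, e - end, E820_RAM };
                n++;
            }
        } else if (e > end) {
            map[i].addr = end;               /* keep only the tail [end, e) */
            map[i].size = e - end;
        } else {
            /* entry lies entirely inside the window: drop it */
            memmove(&map[i], &map[i + 1], (n - i - 1) * sizeof(*map));
            n--;
            i--;
        }
    }

    if (n >= E820_MAX)
        return -1;
    map[n++] = (struct e820entry){ base, len, E820_RESERVED };
    return n;
}
```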
In preparation for TXT SENTER call, GRUB had to modify MTRR settings
to be UC for everything except SINIT ACM. Old values are restored
from TXT heap where they were saved by the bootloader.

Signed-off-by: Krystian Hebel <[email protected]>
File comes from [1] and is licensed under MIT License. Only enough
changes to make it compile under Xen and to swap endianness of result
were made to the original file.

[1] https://www.nayuki.io/page/fast-sha1-hash-implementation-in-x86-assembly

Signed-off-by: Krystian Hebel <[email protected]>
This file is built twice: for early 32b mode without paging to measure
MBI and for 64b code to measure the dom0 kernel and initramfs. Since MBI
is small, the first case uses the TPM to do the hashing. The kernel and
initramfs, on the other hand, are too big; sending them to the TPM would
take multiple minutes.

Signed-off-by: Krystian Hebel <[email protected]>
This is made as first step of making parallel AP bring-up possible. It
should be enough for pre-C code.

Signed-off-by: Krystian Hebel <[email protected]>
On Intel TXT, APs are started in one of two ways, depending on ACM
which reports it in its information table. In both cases, all APs are
started simultaneously after BSP requests them to do so. Two possible
ways are:
- GETSEC[WAKEUP] instruction,
- MONITOR address.

This patch implements just the latter, GETSEC[WAKEUP] support will be
added later.

With this patch, every AP goes through assembly part, and only when in
start_secondary() in C they re-enter MONITOR/MWAIT iff they are not the
AP that was asked to boot. The same address is reused for simplicity,
and on next wakeup call APs don't have to go through assembly part
again (GDT, paging, stack setting).

Signed-off-by: Krystian Hebel <[email protected]>
These must be measured before use, and code for choosing proper module
does partial reads of all modules until it finds a matching one. This
may introduce TOCTOU issues, so until introduction of secdev driver
those functionalities are temporarily disabled when Xen is started
with slaunch enabled.

Signed-off-by: Krystian Hebel <[email protected]>
…_id(cpu)

This is done in preparation to move data from x86_cpu_to_apicid[]
elsewhere.

Signed-off-by: Krystian Hebel <[email protected]>
Both fields held the same data.

Signed-off-by: Krystian Hebel <[email protected]>
It used to be called from smp_callin(), however BUG_ON() was invoked on
multiple occasions before that. It may end up calling machine_restart()
which tries to get APIC ID for CPU running this code. If BSP detected
that x2APIC is enabled, get_apic_id() will try to use it for all CPUs.
Enabling x2APIC on secondary CPUs earlier protects against an endless
loop of #GP exceptions caused by attempts to read IA32_X2APIC_APICID
MSR while x2APIC is disabled in IA32_APIC_BASE.

Signed-off-by: Krystian Hebel <[email protected]>
If multiple CPUs called machine_restart() before the actual restart took
place, but after the boot CPU declared itself not online, the ASSERT in
on_selected_cpus() will fail. A few calls later execution would end up
in machine_restart() again, with another frame on the call stack for the new
exception.

To protect against running out of stack, code checks if boot CPU is
still online before calling on_selected_cpus().

Signed-off-by: Krystian Hebel <[email protected]>
CPU id is obtained as a side effect of searching for appropriate
stack for AP. It can be used as a parameter to start_secondary().
Coincidentally this also makes further work on making AP bring-up
code parallel easier.

Signed-off-by: Krystian Hebel <[email protected]>
This will be used for parallel AP bring-up.

CPU_STATE_INIT changed direction. It was previously set by BSP and never
consumed by AP. Now it signals that AP got through assembly part of
initialization and waits for BSP to call notifiers that set up data
structures required for further initialization.

Signed-off-by: Krystian Hebel <[email protected]>
This is no longer necessary, since AP loops on cpu_state and CPU
index is passed as argument.

In addition, move TXT JOIN structure to static data. There is no
guarantee that it would be consumed before it is overwritten on BSP
stack.

Signed-off-by: Krystian Hebel <[email protected]>
This is another requirement for parallel AP bringup.

Signed-off-by: Krystian Hebel <[email protected]>
Multiple delays are required when sending IPIs and waiting for
responses. During boot, 4 such IPIs were sent for each AP. With this
change, only one set of broadcast IPIs is sent. This reduces boot time,
especially for platforms with a large number of cores.

Single CPU initialization is still possible, it is used for hotplug.

During wakeup from S3 APs are started one by one. It should be possible
to enable parallel execution there as well, but I don't have a way of
testing it as of now.

Signed-off-by: Krystian Hebel <[email protected]>
Signed-off-by: Sergii Dmytruk <[email protected]>
`out_digest` is used during hashing above and thus can't be NULL in
tpm_hash_extend12().  Use a throw-away buffer for the computed hash.

Signed-off-by: Sergii Dmytruk <[email protected]>
SergiiDmytruk and others added 9 commits December 8, 2023 16:14
From xen/arch/x86.

Signed-off-by: Sergii Dmytruk <[email protected]>
Not doing this caused an infinite loop waiting for a response after
sending STS_TPM_GO when TPM wasn't expecting any input and probably just
ignored it.

Signed-off-by: Sergii Dmytruk <[email protected]>
Align their names with names of other entities (structs and their
fields).

Signed-off-by: Sergii Dmytruk <[email protected]>
This still runs CI twice in a PR.

Signed-off-by: Sergii Dmytruk <[email protected]>
@SergiiDmytruk
Member

Cleanup: @krystian-hebel, I think there is no need to keep this PR and branch, because more recent branches exist.

@krystian-hebel
Member Author

Agreed, closing.

@krystian-hebel krystian-hebel deleted the aem-rebased-wip branch August 26, 2024 11:43
3 participants