From: Ross Philipson <ross.philipson@gmail.com>
To: linux-kernel@vger.kernel.org, x86@kernel.org,
linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org,
linux-crypto@vger.kernel.org, kexec@lists.infradead.org,
linux-efi@vger.kernel.org, iommu@lists.linux.dev
Cc: ross.philipson@gmail.com, dpsmith@apertussolutions.com,
tglx@linutronix.de, mingo@redhat.com, bp@alien8.de,
hpa@zytor.com, dave.hansen@linux.intel.com, ardb@kernel.org,
mjg59@srcf.ucam.org, James.Bottomley@hansenpartnership.com,
peterhuewe@gmx.de, jarkko@kernel.org, jgg@ziepe.ca,
luto@amacapital.net, nivedita@alum.mit.edu,
herbert@gondor.apana.org.au, davem@davemloft.net, corbet@lwn.net,
ebiederm@xmission.com, dwmw2@infradead.org,
baolu.lu@linux.intel.com, kanth.ghatraju@oracle.com,
daniel.kiper@oracle.com, andrew.cooper3@citrix.com,
trenchboot-devel@googlegroups.com
Subject: [PATCH v16 26/38] x86: Add early SHA-1 support for Secure Launch early measurements
Date: Fri, 15 May 2026 14:13:58 -0700 [thread overview]
Message-ID: <20260515211410.31440-27-ross.philipson@gmail.com> (raw)
In-Reply-To: <20260515211410.31440-1-ross.philipson@gmail.com>
From: "Daniel P. Smith" <dpsmith@apertussolutions.com>
Secure Launch is written to be compliant with the Intel TXT Measured
Launch Developer's Guide. The MLE Guide dictates that the system can be
configured to use both the SHA-1 and SHA-2 hashing algorithms.
Regardless of the preference towards SHA-2, if the firmware elected to
start with the SHA-1 and SHA-2 banks active and the dynamic launch was
configured to include SHA-1, Secure Launch is obligated to record
measurements for all algorithms requested in the launch configuration.
The user environment or the integrity management does not desire to use
SHA-1, it is free to just ignore the SHA-1 bank in any integrity operation
with the TPM. If there is a larger concern about the SHA-1 bank being
active, it is free to deliberately cap the SHA-1 PCRs, recording the
event in the DRTM log.
Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
Signed-off-by: Ross Philipson <ross.philipson@gmail.com>
---
arch/x86/boot/startup/Makefile | 4 ++++
arch/x86/boot/startup/lib-sha1.c | 6 ++++++
2 files changed, 10 insertions(+)
create mode 100644 arch/x86/boot/startup/lib-sha1.c
diff --git a/arch/x86/boot/startup/Makefile b/arch/x86/boot/startup/Makefile
index 5e499cfb29b5..e283ee4c1f45 100644
--- a/arch/x86/boot/startup/Makefile
+++ b/arch/x86/boot/startup/Makefile
@@ -20,6 +20,10 @@ KCOV_INSTRUMENT := n
obj-$(CONFIG_X86_64) += gdt_idt.o map_kernel.o
obj-$(CONFIG_AMD_MEM_ENCRYPT) += sme.o sev-startup.o
+
+slaunch-objs += lib-sha1.o
+obj-$(CONFIG_SECURE_LAUNCH) += $(slaunch-objs)
+
pi-objs := $(patsubst %.o,$(obj)/%.o,$(obj-y))
lib-$(CONFIG_X86_64) += la57toggle.o
diff --git a/arch/x86/boot/startup/lib-sha1.c b/arch/x86/boot/startup/lib-sha1.c
new file mode 100644
index 000000000000..8d679d12f6bf
--- /dev/null
+++ b/arch/x86/boot/startup/lib-sha1.c
@@ -0,0 +1,6 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (c) 2026 Apertus Solutions, LLC
+ */
+
+#include "../../../../lib/crypto/sha1.c"
--
2.47.3
next prev parent reply other threads:[~2026-05-15 21:15 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-15 21:13 [PATCH v16 00/38] x86: Secure Launch support for Intel TXT Ross Philipson
2026-05-15 21:13 ` [PATCH v16 01/38] tpm: Initial step to reorganize TPM public headers Ross Philipson
2026-05-15 23:03 ` Jarkko Sakkinen
2026-05-15 23:05 ` Jason Gunthorpe
2026-05-15 23:10 ` Dave Hansen
2026-05-15 23:51 ` Jarkko Sakkinen
2026-05-15 21:13 ` [PATCH v16 02/38] tpm: Move TPM1 specific definitions to the command header Ross Philipson
2026-05-15 23:14 ` Jarkko Sakkinen
2026-05-15 21:13 ` [PATCH v16 03/38] tpm: Move TPM2 " Ross Philipson
2026-05-15 23:15 ` Jarkko Sakkinen
2026-05-15 21:13 ` [PATCH v16 04/38] tpm: Move TPM common base " Ross Philipson
2026-05-15 23:22 ` Jarkko Sakkinen
2026-05-15 21:13 ` [PATCH v16 05/38] tpm: Move platform specific definitions to the new PTP header Ross Philipson
2026-05-15 21:13 ` [PATCH v16 06/38] tpm: Remove main TPM header from TPM event log header Ross Philipson
2026-05-15 21:13 ` [PATCH v16 07/38] tpm-buf: Merge TPM_BUF_BOUNDARY_ERROR and TPM_BUF_OVERFLOW Ross Philipson
2026-05-15 21:13 ` [PATCH v16 08/38] tpm-buf: Remove chip parameter from tpm_buf_append_handle() Ross Philipson
2026-05-15 21:13 ` [PATCH v16 09/38] tpm-buf: Implement managed allocations Ross Philipson
2026-05-15 21:13 ` [PATCH v16 10/38] tpm-buf: Add TPM buffer support header for standalone reuse Ross Philipson
2026-05-15 21:13 ` [PATCH v16 11/38] tpm/tpm_tis: Close all localities Ross Philipson
2026-05-15 21:13 ` [PATCH v16 12/38] tpm/tpm_tis: Address positive localities in tpm_tis_request_locality() Ross Philipson
2026-05-15 21:13 ` [PATCH v16 13/38] tpm/tpm_tis: Allow locality to be set to a different value Ross Philipson
2026-05-15 21:13 ` [PATCH v16 14/38] tpm/sysfs: Show locality used by kernel Ross Philipson
2026-05-15 21:13 ` [PATCH v16 15/38] Documentation/security: Secure Launch kernel documentation Ross Philipson
2026-05-15 22:02 ` Randy Dunlap
2026-05-15 21:13 ` [PATCH v16 16/38] x86: Secure Launch Kconfig Ross Philipson
2026-05-15 21:13 ` [PATCH v16 17/38] x86: Secure Launch Resource Table header file Ross Philipson
2026-05-15 21:13 ` [PATCH v16 18/38] x86/efi: Secure Launch Resource Table EFI definitions " Ross Philipson
2026-05-15 21:13 ` [PATCH v16 19/38] x86: Secure Launch main " Ross Philipson
2026-05-15 21:13 ` [PATCH v16 20/38] x86/txt: Intel Trusted eXecution Technology (TXT) definitions Ross Philipson
2026-05-15 21:13 ` [PATCH v16 21/38] lib/crypto: Add SHA1 support for pre-boot environments Ross Philipson
2026-05-15 21:13 ` [PATCH v16 22/38] lib/crypto: Add SHA512 " Ross Philipson
2026-05-15 21:13 ` [PATCH v16 23/38] x86: Allow WARN_trap() macro to be included in " Ross Philipson
2026-05-15 21:13 ` [PATCH v16 24/38] x86/msr: Add variable MTRR base/mask and x2apic ID registers Ross Philipson
2026-05-15 21:13 ` [PATCH v16 25/38] x86/boot: Slight refactor of the 5 level paging logic Ross Philipson
2026-05-15 21:13 ` Ross Philipson [this message]
2026-05-15 21:13 ` [PATCH v16 27/38] x86: Add early SHA-256 support for Secure Launch early measurements Ross Philipson
2026-05-15 21:14 ` [PATCH v16 28/38] x86: Add early SHA-384/512 " Ross Philipson
2026-05-15 21:14 ` [PATCH v16 29/38] x86/tpm: Early startup TPM PCR extending driver Ross Philipson
2026-05-15 22:32 ` Dave Hansen
2026-05-15 21:14 ` [PATCH v16 30/38] x86/slaunch: Add MLE header and Secure Launch entrypoint to the core kernel Ross Philipson
2026-05-15 21:14 ` [PATCH v16 31/38] x86/slaunch: Secure Launch kernel early boot initialization Ross Philipson
2026-05-15 21:14 ` [PATCH v16 32/38] x86/slaunch: Secure Launch kernel late " Ross Philipson
2026-05-15 21:14 ` [PATCH v16 33/38] x86/slaunch: Secure Launch SMP bringup support Ross Philipson
2026-05-15 21:14 ` [PATCH v16 34/38] kexec/slaunch: Secure Launch kexec SEXIT support Ross Philipson
2026-05-15 21:14 ` [PATCH v16 35/38] reboot/slaunch: Secure Launch SEXIT support on reboot paths Ross Philipson
2026-05-15 21:14 ` [PATCH v16 36/38] x86/slaunch: Secure Launch late initcall platform module Ross Philipson
2026-05-15 21:14 ` [PATCH v16 37/38] x86/efistub: EFI stub DRTM support for Secure Launch Ross Philipson
2026-05-15 21:14 ` [PATCH v16 38/38] x86/boot: Legacy boot " Ross Philipson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260515211410.31440-27-ross.philipson@gmail.com \
--to=ross.philipson@gmail.com \
--cc=James.Bottomley@hansenpartnership.com \
--cc=andrew.cooper3@citrix.com \
--cc=ardb@kernel.org \
--cc=baolu.lu@linux.intel.com \
--cc=bp@alien8.de \
--cc=corbet@lwn.net \
--cc=daniel.kiper@oracle.com \
--cc=dave.hansen@linux.intel.com \
--cc=davem@davemloft.net \
--cc=dpsmith@apertussolutions.com \
--cc=dwmw2@infradead.org \
--cc=ebiederm@xmission.com \
--cc=herbert@gondor.apana.org.au \
--cc=hpa@zytor.com \
--cc=iommu@lists.linux.dev \
--cc=jarkko@kernel.org \
--cc=jgg@ziepe.ca \
--cc=kanth.ghatraju@oracle.com \
--cc=kexec@lists.infradead.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mingo@redhat.com \
--cc=mjg59@srcf.ucam.org \
--cc=nivedita@alum.mit.edu \
--cc=peterhuewe@gmx.de \
--cc=tglx@linutronix.de \
--cc=trenchboot-devel@googlegroups.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox