From: Daniel Kiper <daniel.kiper@oracle.com>
To: grub-devel@gnu.org, linux-kernel@vger.kernel.org,
	trenchboot-devel@googlegroups.com, x86@kernel.org
Cc: alexander.burmashev@oracle.com, andrew.cooper3@citrix.com,
	ard.biesheuvel@linaro.org, dpsmith@apertussolutions.com,
	eric.snowberg@oracle.com, javierm@redhat.com,
	kanth.ghatraju@oracle.com, konrad.wilk@oracle.com,
	krystian.hebel@3mdeb.com, lukasz.hawrylko@linux.intel.com,
	michal.zygowski@3mdeb.com, mjg59@google.com, phcoder@gmail.com,
	pirot.krol@3mdeb.com, pjones@redhat.com,
	ross.philipson@oracle.com
Subject: [GRUB PATCH RFC 13/18] i386/slaunch: Add basic platform support for secure launch
Date: Tue,  5 May 2020 01:21:27 +0200	[thread overview]
Message-ID: <20200504232132.23570-14-daniel.kiper@oracle.com> (raw)
In-Reply-To: <20200504232132.23570-1-daniel.kiper@oracle.com>

From: Ross Philipson <ross.philipson@oracle.com>

Signed-off-by: Ross Philipson <ross.philipson@oracle.com>
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 include/grub/i386/cpuid.h |  13 ++++
 include/grub/i386/crfr.h  | 186 ++++++++++++++++++++++++++++++++++++++++++++++
 include/grub/i386/mmio.h  |  90 ++++++++++++++++++++++
 include/grub/i386/msr.h   |  61 +++++++++++++++
 4 files changed, 350 insertions(+)
 create mode 100644 include/grub/i386/crfr.h
 create mode 100644 include/grub/i386/mmio.h

diff --git a/include/grub/i386/cpuid.h b/include/grub/i386/cpuid.h
index f7ae4b0a4..8176e5d11 100644
--- a/include/grub/i386/cpuid.h
+++ b/include/grub/i386/cpuid.h
@@ -19,6 +19,19 @@
 #ifndef GRUB_CPU_CPUID_HEADER
 #define GRUB_CPU_CPUID_HEADER 1
 
+/* General  */
+#define GRUB_X86_CPUID_VENDOR	0x00000000
+#define GRUB_X86_CPUID_FEATURES	0x00000001
+
+/* Intel  */
+#define GRUB_VMX_CPUID_FEATURE	(1<<5)
+#define GRUB_SMX_CPUID_FEATURE	(1<<6)
+
+/* AMD  */
+#define GRUB_AMD_CPUID_FEATURES	0x80000001
+#define GRUB_SVM_CPUID_FEATURE	(1<<2)
+#define GRUB_AMD_CPUID_FUNC	0x8000000a
+
 extern unsigned char grub_cpuid_has_longmode;
 extern unsigned char grub_cpuid_has_pae;
 
diff --git a/include/grub/i386/crfr.h b/include/grub/i386/crfr.h
new file mode 100644
index 000000000..284d6967b
--- /dev/null
+++ b/include/grub/i386/crfr.h
@@ -0,0 +1,186 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2020  Oracle and/or its affiliates.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#ifndef GRUB_CRFR_H
+#define GRUB_CRFR_H 1
+
+#include <grub/types.h>
+
+/* Routines for R/W of control and flags registers */
+
+#define GRUB_CR0_X86_PE		0x00000001 /* Enable Protected Mode */
+#define GRUB_CR0_X86_MP		0x00000002 /* "Math" (FPU) Present */
+#define GRUB_CR0_X86_EM		0x00000004 /* EMulate FPU */
+#define GRUB_CR0_X86_TS		0x00000008 /* Task Switched */
+#define GRUB_CR0_X86_PG		0x80000000 /* Enable PaGing */
+
+#define GRUB_CR0_X86_NE		0x00000020 /* Numeric Error enable (EX16 vs IRQ13) */
+#define GRUB_CR0_X86_WP		0x00010000 /* Write Protect */
+#define GRUB_CR0_X86_AM		0x00040000 /* Alignment Mask */
+#define GRUB_CR0_X86_NW		0x20000000 /* Not Write-through */
+#define GRUB_CR0_X86_CD		0x40000000 /* Cache Disable */
+
+#define GRUB_CR4_X86_VME	0x00000001 /* Virtual 8086 mode extensions */
+#define GRUB_CR4_X86_PVI	0x00000002 /* Protected-mode virtual interrupts */
+#define GRUB_CR4_X86_TSD	0x00000004 /* Time stamp disable */
+#define GRUB_CR4_X86_DE		0x00000008 /* Debugging extensions */
+#define GRUB_CR4_X86_PSE	0x00000010 /* Page size extensions */
+#define GRUB_CR4_X86_PAE	0x00000020 /* Physical address extension */
+#define GRUB_CR4_X86_MCE	0x00000040 /* Enable Machine check enable */
+#define GRUB_CR4_X86_PGE	0x00000080 /* Enable Page global */
+#define GRUB_CR4_X86_PCE	0x00000100 /* Enable Performance monitoring counter */
+#define GRUB_CR4_X86_FXSR	0x00000200 /* Fast FPU save/restore */
+#define GRUB_CR4_X86_XMM	0x00000400 /* Enable SIMD/MMX2 to use except 16 */
+#define GRUB_CR4_X86_VMXE	0x00002000 /* Enable VMX */
+#define GRUB_CR4_X86_SMXE	0x00004000 /* Enable SMX */
+#define GRUB_CR4_X86_PCIDE	0x00020000 /* Enable PCID */
+
+static inline unsigned long
+grub_read_cr4 (void)
+{
+  unsigned long val;
+
+  asm volatile ("mov %%cr4, %0" : "=r" (val) : : "memory");
+
+  return val;
+}
+
+static inline void
+grub_write_cr4 (unsigned long val)
+{
+  asm volatile ("mov %0, %%cr4" : : "r" (val) : "memory");
+}
+
+#define GRUB_CR0	0
+#define GRUB_CR1	1
+#define GRUB_CR2	2
+#define GRUB_CR3	3
+#define GRUB_CR4	4
+
+#ifdef __x86_64__
+#define read_cr(r, d) asm volatile ("movq %%cr" r ", %0" : "=r" (d))
+#else
+#define read_cr(r, d) asm volatile ("movl %%cr" r ", %0" : "=r" (d))
+#endif
+
+static inline unsigned long
+grub_read_control_register(grub_uint8_t reg)
+{
+  unsigned long data;
+
+  switch (reg)
+  {
+  case GRUB_CR0:
+    read_cr("0", data);
+    break;
+  case GRUB_CR1:
+    read_cr("1", data);
+    break;
+  case GRUB_CR2:
+    read_cr("2", data);
+    break;
+  case GRUB_CR3:
+    read_cr("3", data);
+    break;
+  case GRUB_CR4:
+    read_cr("4", data);
+    break;
+  default:
+    /* TODO: Loudly complain if this is called. Even some kind of BUG() */
+    data = ~0UL;
+    break;
+  }
+
+  return data;
+}
+
+#ifdef __x86_64__
+#define write_cr(r, d) asm volatile ("movq %0, %%cr" r : : "r" (d))
+#else
+#define write_cr(r, d) asm volatile ("movl %0, %%cr" r : : "r" (d))
+#endif
+
+static inline void
+grub_write_control_register(grub_uint8_t reg, unsigned long data)
+{
+  switch (reg)
+  {
+  case GRUB_CR0:
+    write_cr("0", data);
+    break;
+  case GRUB_CR1:
+    write_cr("1", data);
+    break;
+  case GRUB_CR2:
+    write_cr("2", data);
+    break;
+  case GRUB_CR3:
+    write_cr("3", data);
+    break;
+  case GRUB_CR4:
+    write_cr("4", data);
+    break;
+  default:
+    /* TODO: Loudly complain if this is called. Even some kind of BUG() */
+    ;
+  }
+}
+
+#define GRUB_EFLAGS_X86_CF	0x00000001 /* Carry Flag */
+#define GRUB_EFLAGS_X86_PF	0x00000004 /* Parity Flag */
+#define GRUB_EFLAGS_X86_AF	0x00000010 /* Auxillary carry Flag */
+#define GRUB_EFLAGS_X86_ZF	0x00000040 /* Zero Flag */
+#define GRUB_EFLAGS_X86_SF	0x00000080 /* Sign Flag */
+#define GRUB_EFLAGS_X86_TF	0x00000100 /* Trap Flag */
+#define GRUB_EFLAGS_X86_IF	0x00000200 /* Interrupt Flag */
+#define GRUB_EFLAGS_X86_DF	0x00000400 /* Direction Flag */
+#define GRUB_EFLAGS_X86_OF	0x00000800 /* Overflow Flag */
+#define GRUB_EFLAGS_X86_IOPL	0x00003000 /* IOPL mask */
+#define GRUB_EFLAGS_X86_NT	0x00004000 /* Nested Task */
+#define GRUB_EFLAGS_X86_RF	0x00010000 /* Resume Flag */
+#define GRUB_EFLAGS_X86_VM	0x00020000 /* Virtual Mode */
+#define GRUB_EFLAGS_X86_AC	0x00040000 /* Alignment Check */
+#define GRUB_EFLAGS_X86_VIF	0x00080000 /* Virtual Interrupt Flag */
+#define GRUB_EFLAGS_X86_VIP	0x00100000 /* Virtual Interrupt Pending */
+#define GRUB_EFLAGS_X86_ID	0x00200000 /* CPUID detection flag */
+
+static inline unsigned long
+grub_read_flags_register(void)
+{
+  unsigned long flags;
+
+#ifdef __x86_64__
+  asm volatile ("pushfq; popq %0" : "=r" (flags));
+#else
+  asm volatile ("pushfl; popl %0" : "=r" (flags));
+#endif
+
+  return flags;
+}
+
+static inline void
+grub_write_flags_register(unsigned long flags)
+{
+#ifdef __x86_64__
+  asm volatile ("pushq %0; popfq" : : "r" (flags));
+#else
+  asm volatile ("pushl %0; popfl" : : "r" (flags));
+#endif
+}
+
+#endif
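Review bot: The read_cr/write_cr macros and the pushf/popf pairs in grub_read_flags_register and grub_write_flags_register carry no "memory" clobber, unlike grub_read_cr4/grub_write_cr4 a few lines above them. Without it the compiler is free to move ordinary loads and stores across a write to CR0, CR3 or CR4 or across a popf that changes IF, which is exactly where that reordering is unsafe; each of those asm statements should end in `: "memory"`, e.g. `#define write_cr(r, d) asm volatile ("movq %0, %%cr" r : : "r" (d) : "memory")`, and likewise for the movl variants and the two flags functions. Separately, CR1 is reserved on x86 and a mov to or from it raises #UD, so the GRUB_CR1 cases in both switch statements will fault rather than behave like the ~0UL default suggests; I would drop them or fold them into the default. The unprefixed read_cr/write_cr names also leak into every includer of a public grub/ header, so a GRUB_ prefix or an #undef after the last use would match the project's namespace convention.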
diff --git a/include/grub/i386/mmio.h b/include/grub/i386/mmio.h
new file mode 100644
index 000000000..6f5bf18ce
--- /dev/null
+++ b/include/grub/i386/mmio.h
@@ -0,0 +1,90 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2020  Oracle and/or its affiliates.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#ifndef GRUB_I386_MMIO_H
+#define GRUB_I386_MMIO_H 1
+
+#include <grub/types.h>
+
+/* TODO: Are these barirers really needed??? */
+#define grub_mb()	asm volatile ("mfence" : : : "memory")
+#define grub_rmb()	asm volatile ("lfence" : : : "memory")
+#define grub_wmb()	asm volatile ("sfence" : : : "memory")
+#define grub_barrier()	asm volatile ("" : : : "memory")
+
+static inline grub_uint8_t
+grub_readb (const volatile void *addr)
+{
+  grub_uint8_t val;
+
+  grub_barrier ();
+  val = (*(volatile grub_uint8_t *) (addr));
+  grub_rmb ();
+
+  return val;
+}
+
+static inline grub_uint32_t
+grub_readl (const volatile void *addr)
+{
+  grub_uint32_t val;
+
+  grub_barrier ();
+  val = (*(volatile grub_uint32_t *) (addr));
+  grub_rmb ();
+
+  return val;
+}
+
+static inline grub_uint64_t
+grub_readq (const volatile void *addr)
+{
+  grub_uint64_t val;
+
+  grub_barrier ();
+  val = (*(volatile grub_uint64_t *) (addr));
+  grub_rmb ();
+
+  return val;
+}
+
+static inline void
+grub_writeb (grub_uint8_t val, volatile void *addr)
+{
+  grub_wmb ();
+  (*(volatile grub_uint8_t *) (addr)) = val;
+  grub_barrier ();
+}
+
+static inline void
+grub_writel (grub_uint32_t val, volatile void *addr)
+{
+  grub_wmb ();
+  (*(volatile grub_uint32_t *) (addr)) = val;
+  grub_barrier ();
+}
+
+static inline void
+grub_writeq (grub_uint64_t val, volatile void *addr)
+{
+  grub_wmb ();
+  (*(volatile grub_uint64_t *) (addr)) = val;
+  grub_barrier ();
+}
+
+#endif /* GRUB_I386_MMIO_H */
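Review bot: grub_readq and grub_writeq dereference a volatile grub_uint64_t in a header that is also built for 32-bit i386, where the compiler will split the access into two 32-bit loads or stores; a device register that has to be read or written in one 64-bit transaction can then be torn, and the value observed is not what the hardware presented. If 64-bit accessors are needed on 32-bit builds they should either be guarded with `#ifdef __x86_64__` or documented as non-atomic on i386 (the grub_mb/grub_rmb/grub_wmb fences do not change this). The "Are these barirers really needed???" TODO should be settled in the comment rather than shipped: as far as I can tell the volatile access plus the "memory" clobber in grub_barrier is what stops compiler reordering, and lfence/sfence only matter if the mapping is not uncacheable, so I would replace the TODO with one sentence stating which memory-type assumption the header makes.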
diff --git a/include/grub/i386/msr.h b/include/grub/i386/msr.h
index 1e838c022..f2552ecbc 100644
--- a/include/grub/i386/msr.h
+++ b/include/grub/i386/msr.h
@@ -2,6 +2,9 @@
  *  GRUB  --  GRand Unified Bootloader
  *  Copyright (C) 2019  Free Software Foundation, Inc.
  *
+ *  Some definitions in this header are extracted from the Trusted Computing
+ *  Group's "TPM Main Specification", Parts 1-3.
+ *
  *  GRUB is free software: you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
  *  the Free Software Foundation, either version 3 of the License, or
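Review bot: The added attribution says definitions in this header are extracted from the TCG "TPM Main Specification", but nothing this patch adds to msr.h is a TPM definition — the new constants are MSR indexes and MTRR, EFER and APIC-base bits, which are specified in the Intel SDM and AMD APM. Unless a later patch in the series adds TPM-derived values here, this sentence sends a reader to the wrong reference; I would name the processor manuals instead, or move the sentence to the header that actually carries TPM definitions.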
@@ -19,6 +22,62 @@
 #ifndef GRUB_I386_MSR_H
 #define GRUB_I386_MSR_H 1
 
+/* General */
+#define GRUB_MSR_X86_PLATFORM_ID	0x00000017
+
+#define GRUB_MSR_X86_APICBASE		0x0000001b
+#define GRUB_MSR_X86_APICBASE_BSP	(1<<8)
+#define GRUB_MSR_X86_APICBASE_ENABLE	(1<<11)
+#define GRUB_MSR_X86_APICBASE_BASE	(0xfffff<<12)
+
+#define GRUB_MSR_X86_FEATURE_CONTROL	0x0000003a
+#define GRUB_MSR_X86_ENABLE_VMX_IN_SMX	(1<<1)
+#define GRUB_MSR_X86_SENTER_FUNCTIONS	(0x7f<<8)
+#define GRUB_MSR_X86_SENTER_ENABLE	(1<<15)
+
+#define GRUB_MSR_X86_MTRRCAP		0x000000fe
+#define GRUB_MSR_X86_VCNT_MASK		0xff
+
+#define GRUB_MSR_X86_MCG_CAP		0x00000179
+#define GRUB_MSR_MCG_BANKCNT_MASK	0xff      /* Number of banks  */
+#define GRUB_MSR_X86_MCG_STATUS		0x0000017a
+#define GRUB_MSR_MCG_STATUS_MCIP	(1ULL<<2) /* MC in progress  */
+
+#define GRUB_MSR_X86_MISC_ENABLE	0x000001a0
+#define GRUB_MSR_X86_ENABLE_MONITOR_FSM	(1<<18)
+
+#define GRUB_MSR_X86_MTRR_PHYSBASE0	0x00000200
+#define GRUB_MSR_X86_MTRR_PHYSMASK0	0x00000201
+#define GRUB_MSR_X86_BASE_DEF_TYPE_MASK	0xff
+#define GRUB_MSR_X86_MASK_VALID		(1<<11)
+
+#define GRUB_MSR_X86_MTRR_DEF_TYPE	0x000002ff
+#define GRUB_MSR_X86_DEF_TYPE_MASK	0xff
+#define GRUB_MSR_X86_MTRR_ENABLE_FIXED	(1<<10)
+#define GRUB_MSR_X86_MTRR_ENABLE	(1<<11)
+
+#define GRUB_MSR_X86_MC0_STATUS		0x00000401
+
+#define GRUB_MSR_X86_EFER		0xc0000080 /* Extended features  */
+#define GRUB_MSR_EFER_LME		(1<<8)     /* Enable Long Mode/IA-32e  */
+#define GRUB_MSR_EFER_LMA		(1<<10)    /* Long Mode/IA-32e Actuve  */
+#define GRUB_MSR_EFER_SVME		(1<<12)    /* Enable virtualization  */
+
+/* AMD Specific */
+#define GRUB_MSR_AMD64_PATCH_LEVEL	0x0000008b
+#define GRUB_MSR_AMD64_PATCH_CLEAR	0xc0010021 /* AMD-specific microcode patch clear  */
+#define GRUB_MSR_AMD64_VM_CR		0xc0010114
+#define GRUB_MSR_SVM_VM_CR_SVM_DISABLE	4
+
+/* MTRR Specific */
+#define GRUB_MTRR_MEMORY_TYPE_UC	0
+#define GRUB_MTRR_MEMORY_TYPE_WC	1
+#define GRUB_MTRR_MEMORY_TYPE_WT	4
+#define GRUB_MTRR_MEMORY_TYPE_WP	5
+#define GRUB_MTRR_MEMORY_TYPE_WB	6
+
+#ifndef ASM_FILE
+
 #include <grub/err.h>
 #include <grub/i386/cpuid.h>
 #include <grub/types.h>
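Review bot: `#define GRUB_MSR_X86_APICBASE_BASE	(0xfffff<<12)` shifts an int into bit 31, which is signed-overflow undefined behaviour in C; with GCC it will in practice produce a negative int that sign-extends to 0xfffffffffffff000 when masked against a 64-bit MSR value, which is presumably not the intended 20-bit field. Write it as `#define GRUB_MSR_X86_APICBASE_BASE	0xfffff000` (or `(0xfffffULL<<12)` if only C callers exist). The `(1ULL<<2)` form of GRUB_MSR_MCG_STATUS_MCIP pulls the other way: these definitions were deliberately placed above `#ifndef ASM_FILE` so assembly can use them, but the GNU assembler does not accept a `ULL` suffix, so any assembly use of that macro will fail to assemble; a plain literal such as `(1<<2)` avoids both problems. The GRUB_MSR_EFER_LMA comment also reads "Actuve" where "Active" is meant.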
@@ -71,4 +130,6 @@ grub_wrmsr (grub_uint32_t msr_id, grub_uint64_t msr_value)
   asm volatile ("wrmsr" : : "c" (msr_id), "a" (low), "d" (high));
 }
 
+#endif /* ASM_FILE */
+
 #endif /* GRUB_I386_MSR_H */
-- 
2.11.0


