multiboot2: Switch to using SLRT interface

The code makes sure that MBI entry goes first in DRTM, so the payload can measure it first on launch. Signed-off-by: Sergii Dmytruk <[email protected]>
TrenchBoot · Nov 30, 2023 · e1bdaf2 · e1bdaf2
1 parent ba8dbc9
commit e1bdaf2
Show file tree

Hide file tree

Showing 6 changed files with 102 additions and 20 deletions.
diff --git a/grub-core/loader/i386/multiboot_mbi.c b/grub-core/loader/i386/multiboot_mbi.c
@@ -756,3 +756,9 @@ grub_multiboot_set_bootdev (void)
     | ((part & 0xff) << 8) | 0xff;
   bootdev_set = 1;
 }
+
+void
+grub_multiboot_add_slrt_policy_entries (void)
+{
+  /* No Secure Launch for this version of Multiboot. */
+}
diff --git a/grub-core/loader/multiboot.c b/grub-core/loader/multiboot.c
@@ -50,6 +50,7 @@
 #include <grub/video.h>
 #include <grub/memory.h>
 #include <grub/i18n.h>
+#include <grub/slr_table.h>
 #if defined (__i386__) || defined (__x86_64__)
 #include <grub/i386/slaunch.h>
 #include <grub/i386/txt.h>
@@ -162,25 +163,46 @@ efi_boot (struct grub_relocator *rel __attribute__ ((unused)),
 #endif
 
 #if defined (__i386__) || defined (__x86_64__)
+#ifdef GRUB_USE_MULTIBOOT2
+static grub_err_t
+grub_multiboot2_init_slparams (struct grub_slaunch_params *slparams)
+{
+  grub_uint8_t *txt_heap;
+  struct grub_txt_os_mle_data *os_mle_data;
+  grub_addr_t slrt;
+  grub_err_t err;
+  grub_relocator_chunk_t ch;
+
+  txt_heap = grub_txt_get_heap ();
+  os_mle_data = grub_txt_os_mle_data_start (txt_heap);
+  slrt = ALIGN_UP ((grub_addr_t) os_mle_data + sizeof(*os_mle_data), 4);
+
+  err = grub_relocator_alloc_chunk_addr (GRUB_MULTIBOOT (relocator), &ch,
+                                         slrt, GRUB_PAGE_SIZE);
+  if (err)
+      return grub_error (err, N_("Cannot allocate memory for SLR table"));
+
+  slparams->slr_table_base = get_physical_target_address (ch);
+  slparams->slr_table_size = GRUB_PAGE_SIZE;
+  slparams->slr_table_mem = get_virtual_current_address (ch);
+
+  grub_memset (slparams->slr_table_mem, 0, slparams->slr_table_size);
+
+  grub_dprintf ("multiboot_loader", "slr_table_base = %lx, slr_table_size = %x\n",
+                (unsigned long) slparams->slr_table_base,
+                (unsigned) slparams->slr_table_size);
+  return GRUB_ERR_NONE;
+}
+#endif
+
 static void
 normal_boot (struct grub_relocator *rel, struct grub_relocator32_state state)
 {
-  grub_err_t err;
   struct grub_slaunch_params *slparams = grub_slaunch_params();
   state.edi = grub_slaunch_platform_type ();
 
   if (state.edi == SLP_INTEL_TXT)
     {
-      err = grub_txt_boot_prepare (slparams);
-
-      if (err != GRUB_ERR_NONE)
-	{
-	  grub_printf ("TXT boot preparation failed");
-	  return;
-	}
-
-      grub_slaunch_finish_slr_table ();
-
       /* Configure relocator GETSEC[SENTER] call. */
       state.eax = GRUB_SMX_LEAF_SENTER;
       state.ebx = slparams->dce_base;
@@ -216,6 +238,38 @@ grub_multiboot_boot (void)
   if (err)
     return err;
 
+#ifdef GRUB_USE_MULTIBOOT2
+  if (grub_slaunch_platform_type () == SLP_INTEL_TXT)
+    {
+      struct grub_slaunch_params *slparams = grub_slaunch_params();
+
+      err = grub_multiboot2_init_slparams (slparams);
+      if (err != GRUB_ERR_NONE)
+        {
+          grub_printf ("Initializing slaunch parameters failed");
+          return err;
+        }
+
+      err = grub_txt_boot_prepare (slparams);
+      if (err != GRUB_ERR_NONE)
+        {
+          grub_printf ("TXT boot preparation failed");
+          return err;
+        }
+
+      grub_slaunch_add_slrt_policy_entry (18,
+                                          GRUB_SLR_ET_MULTIBOOT_INFO,
+                                          /*flags=*/0,
+                                          state.MULTIBOOT_MBI_REGISTER,
+                                          mbi_size,
+                                          "Measured MB2 information");
+      grub_slaunch_add_slrt_policy_entries ();
+      grub_txt_add_slrt_policy_entries ();
+      GRUB_MULTIBOOT (add_slrt_policy_entries) ();
+      grub_slaunch_finish_slr_table ();
+    }
+#endif
+
   if (grub_efi_is_finished)
     normal_boot (GRUB_MULTIBOOT (relocator), state);
   else

diff --git a/grub-core/loader/multiboot_mbi2.c b/grub-core/loader/multiboot_mbi2.c
@@ -39,6 +39,7 @@
 #include <grub/i386/memory.h>
 #include <grub/i386/slaunch.h>
 #include <grub/i386/txt.h>
+#include <grub/slr_table.h>
 
 #if defined (GRUB_MACHINE_EFI)
 #include <grub/efi/efi.h>
@@ -1049,6 +1050,23 @@ grub_multiboot2_make_mbi (grub_uint32_t *target, grub_uint32_t *size)
   return GRUB_ERR_NONE;
 }
 
+void
+grub_multiboot2_add_slrt_policy_entries (void)
+{
+  unsigned i;
+  struct module *cur;
+
+  for (i = 0, cur = modules; i < modcnt; i++, cur = cur->next)
+    {
+      grub_slaunch_add_slrt_policy_entry (17,
+                                          GRUB_SLR_ET_MULTIBOOT_MODULE,
+                                          /*flags=*/0,
+                                          cur->start,
+                                          cur->size,
+                                          "Measured MB2 module");
+    }
+}
+
 void
 grub_multiboot2_free_mbi (void)
 {

diff --git a/include/grub/multiboot.h b/include/grub/multiboot.h
@@ -50,6 +50,7 @@ void grub_multiboot_set_bootdev (void);
 void
 grub_multiboot_add_elfsyms (grub_size_t num, grub_size_t entsize,
 			    unsigned shndx, void *data);
+void grub_multiboot_add_slrt_policy_entries (void);
 
 grub_uint32_t grub_multiboot_get_mmap_count (void);
 grub_err_t grub_multiboot_set_video_mode (void);

diff --git a/include/grub/multiboot2.h b/include/grub/multiboot2.h
@@ -43,6 +43,7 @@ void grub_multiboot2_set_bootdev (void);
 void
 grub_multiboot2_add_elfsyms (grub_size_t num, grub_size_t entsize,
 			    unsigned shndx, void *data);
+void grub_multiboot2_add_slrt_policy_entries (void);
 
 grub_uint32_t grub_multiboot2_get_mmap_count (void);
 grub_err_t grub_multiboot2_set_video_mode (void);

diff --git a/include/grub/slr_table.h b/include/grub/slr_table.h
@@ -65,15 +65,17 @@
 #define GRUB_SLR_ENTRY_END		0xffff
 
 /* Entity Types */
-#define GRUB_SLR_ET_UNSPECIFIED		0x0000
-#define GRUB_SLR_ET_SLRT		0x0001
-#define GRUB_SLR_ET_BOOT_PARAMS		0x0002
-#define GRUB_SLR_ET_SETUP_DATA		0x0003
-#define GRUB_SLR_ET_CMDLINE		0x0004
-#define GRUB_SLR_ET_UEFI_MEMMAP		0x0005
-#define GRUB_SLR_ET_RAMDISK		0x0006
-#define GRUB_SLR_ET_TXT_OS2MLE		0x0010
-#define GRUB_SLR_ET_UNUSED		0xffff
+#define GRUB_SLR_ET_UNSPECIFIED			0x0000
+#define GRUB_SLR_ET_SLRT			0x0001
+#define GRUB_SLR_ET_BOOT_PARAMS			0x0002
+#define GRUB_SLR_ET_SETUP_DATA			0x0003
+#define GRUB_SLR_ET_CMDLINE			0x0004
+#define GRUB_SLR_ET_UEFI_MEMMAP			0x0005
+#define GRUB_SLR_ET_RAMDISK			0x0006
+#define GRUB_SLR_ET_MULTIBOOT_INFO		0x0007
+#define GRUB_SLR_ET_MULTIBOOT_MODULE		0x0008
+#define GRUB_SLR_ET_TXT_OS2MLE			0x0010
+#define GRUB_SLR_ET_UNUSED			0xffff
 
 /*
  * Primary SLR Table Header