Commit 4bd96a7a8185755b091233b16034c7436cbf57af

Authored by Shane Wang
Committed by H. Peter Anvin
1 parent a3d3203e4b

x86, tboot: Add support for S3 memory integrity protection

This patch adds support for S3 memory integrity protection within an Intel(R)
TXT launched kernel, for all kernel and userspace memory.  All RAM used by the
kernel and userspace, as indicated by memory ranges of type E820_RAM and
E820_RESERVED_KERN in the e820 table, will be integrity protected.

The MAINTAINERS file is also updated to reflect the maintainers of the
TXT-related code.

All MACing is done in tboot, based on a complexity analysis and tradeoff.

v3: Compared with v2, this patch adds a check of array size in
tboot.c, and a note to specify which c/s of tboot supports this kind
of MACing in intel_txt.txt.

Signed-off-by: Shane Wang <shane.wang@intel.com>
LKML-Reference: <4B973DDA.6050902@intel.com>
Signed-off-by: Joseph Cihula <joseph.cihula@intel.com>
Acked-by: Pavel Machek <pavel@ucw.cz>
Acked-by: Rafael J. Wysocki <rjw@sisk.pl>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>

Showing 4 changed files with 37 additions and 17 deletions

Documentation/intel_txt.txt
... ... @@ -161,13 +161,15 @@
161 161 has been restored, it will restore the TPM PCRs and then
162 162 transfer control back to the kernel's S3 resume vector.
163 163 In order to preserve system integrity across S3, the kernel
164   - provides tboot with a set of memory ranges (kernel
165   - code/data/bss, S3 resume code, and AP trampoline) that tboot
166   - will calculate a MAC (message authentication code) over and then
167   - seal with the TPM. On resume and once the measured environment
168   - has been re-established, tboot will re-calculate the MAC and
169   - verify it against the sealed value. Tboot's policy determines
170   - what happens if the verification fails.
  164 + provides tboot with a set of memory ranges (RAM and RESERVED_KERN
  165 + in the e820 table, but not any memory that BIOS might alter over
  166 + the S3 transition) that tboot will calculate a MAC (message
  167 + authentication code) over and then seal with the TPM. On resume
  168 + and once the measured environment has been re-established, tboot
  169 + will re-calculate the MAC and verify it against the sealed value.
  170 + Tboot's policy determines what happens if the verification fails.
  171 + Note that the c/s 194 of tboot which has the new MAC code supports
  172 + this.
171 173  
172 174 That's pretty much it for TXT support.
173 175  
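Review bot: the added note at new lines 171-172 is hard to act on: "c/s" is never expanded, and the sentence does not say whether changeset 194 is a minimum or what happens on an older tboot. Suggest wording it as a requirement, for example "This requires tboot changeset 194 or later, which contains the new MAC code", and stating what an older tboot does with the larger region list. The parenthetical at new lines 164-166 also excludes memory the BIOS might alter, but the text gives no hint of how that memory is kept out of the list; a pointer to the e820 types that are MACed (RAM and RESERVED_KERN only) would close the gap.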
... ... @@ -2940,6 +2940,17 @@
2940 2940 F: Documentation/networking/README.ipw2200
2941 2941 F: drivers/net/wireless/ipw2x00/ipw2200.*
2942 2942  
  2943 +INTEL(R) TRUSTED EXECUTION TECHNOLOGY (TXT)
  2944 +M: Joseph Cihula <joseph.cihula@intel.com>
  2945 +M: Shane Wang <shane.wang@intel.com>
  2946 +L: tboot-devel@lists.sourceforge.net
  2947 +W: http://tboot.sourceforge.net
  2948 +T: Mercurial http://www.bughost.org/repos.hg/tboot.hg
  2949 +S: Supported
  2950 +F: Documentation/intel_txt.txt
  2951 +F: include/linux/tboot.h
  2952 +F: arch/x86/kernel/tboot.c
  2953 +
2943 2954 INTEL WIRELESS WIMAX CONNECTION 2400
2944 2955 M: Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
2945 2956 M: linux-wimax@intel.com
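Review bot: the new TXT entry in MAINTAINERS is independent of the S3 MAC change and would be easier to review, revert and backport as its own patch. The commit message already describes it as a separate item ("The MAINTAINERS file is also updated"), so splitting it costs little.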
arch/x86/include/asm/e820.h
... ... @@ -45,7 +45,12 @@
45 45 #define E820_NVS 4
46 46 #define E820_UNUSABLE 5
47 47  
48   -/* reserved RAM used by kernel itself */
  48 +/*
  49 + * reserved RAM used by kernel itself
  50 + * if CONFIG_INTEL_TXT is enabled, memory of this type will be
  51 + * included in the S3 integrity calculation and so should not include
  52 + * any memory that BIOS might alter over the S3 transition
  53 + */
49 54 #define E820_RESERVED_KERN 128
50 55  
51 56 #ifndef __ASSEMBLY__
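Review bot: the new comment on E820_RESERVED_KERN states a constraint ("should not include any memory that BIOS might alter over the S3 transition") that nothing in this hunk enforces, and it does not say what goes wrong if the constraint is violated. Since every range of this type is now fed into the MAC, a range the BIOS touches will make the resume-time verification fail, and the outcome is then decided by tboot's policy. Suggest spelling that consequence out in the comment so that anyone marking a new range E820_RESERVED_KERN sees the S3 impact, and capitalising and punctuating the sentences to match kernel comment style.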
arch/x86/kernel/tboot.c
... ... @@ -175,6 +175,9 @@
175 175 struct tboot_mac_region *mr;
176 176 phys_addr_t end = start + size;
177 177  
  178 + if (tboot->num_mac_regions >= MAX_TB_MAC_REGIONS)
  179 + panic("tboot: Too many MAC regions\n");
  180 +
178 181 if (start && size) {
179 182 mr = &tboot->mac_regions[tboot->num_mac_regions++];
180 183 mr->start = round_down(start, PAGE_SIZE);
181 184  
182 185  
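Review bot: the bounds check at new lines 178-179 sits in front of the "if (start && size)" guard, so once the array is exactly full a call that would add nothing (start or size of zero) still panics. Moving the check inside the guarded block, directly before the "mac_regions[tboot->num_mac_regions++]" write, keeps the overflow protection and removes the false positive. panic() on the suspend path is also a heavy response to a long memory map; consider having add_mac_region() return an error so that tboot_setup_sleep() can refuse the S3 transition instead of taking the machine down.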
... ... @@ -184,18 +187,17 @@
184 187  
185 188 static int tboot_setup_sleep(void)
186 189 {
  190 + int i;
  191 +
187 192 tboot->num_mac_regions = 0;
188 193  
189   - /* S3 resume code */
190   - add_mac_region(acpi_wakeup_address, WAKEUP_SIZE);
  194 + for (i = 0; i < e820.nr_map; i++) {
  195 + if ((e820.map[i].type != E820_RAM)
  196 + && (e820.map[i].type != E820_RESERVED_KERN))
  197 + continue;
191 198  
192   -#ifdef CONFIG_X86_TRAMPOLINE
193   - /* AP trampoline code */
194   - add_mac_region(virt_to_phys(trampoline_base), TRAMPOLINE_SIZE);
195   -#endif
196   -
197   - /* kernel code + data + bss */
198   - add_mac_region(virt_to_phys(_text), _end - _text);
  199 + add_mac_region(e820.map[i].addr, e820.map[i].size);
  200 + }
199 201  
200 202 tboot->acpi_sinfo.kernel_s3_resume_vector = acpi_wakeup_address;
201 203
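Review bot: the new loop at lines 194-200 passes e820.map[i].addr straight to add_mac_region(), whose "if (start && size)" guard silently skips any range that starts at physical address 0, so an E820_RAM entry beginning at 0 would be left out of the MAC without any message. This matters more now that the explicit entries for the S3 resume code and the AP trampoline are removed: their coverage depends entirely on the e820 entries that contain them being added. Suggest testing only size in the guard (or handling a zero start explicitly), and logging when a RAM or RESERVED_KERN range is skipped. Separately, the number of regions is now driven by the firmware memory map rather than a fixed three, so a fragmented map can reach MAX_TB_MAC_REGIONS and hit the panic in add_mac_region(); merging adjacent ranges before adding them would reduce that risk.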