diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2010-05-18 12:28:24 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2010-05-18 12:28:24 -0400 |
commit | 3ae684e1c48e6deedc9b9faff8fa1c391ca8a652 (patch) | |
tree | 07082b3239c24799e8aaf2e6a8a0ac059870d34a | |
parent | c4fd308ed62f292518363ea9c6c2adb3c2d95f9d (diff) | |
parent | 4bd96a7a8185755b091233b16034c7436cbf57af (diff) |
Merge branch 'x86-txt-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip
* 'x86-txt-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
x86, tboot: Add support for S3 memory integrity protection
-rw-r--r-- | Documentation/intel_txt.txt | 16 | ||||
-rw-r--r-- | MAINTAINERS | 11 | ||||
-rw-r--r-- | arch/x86/include/asm/e820.h | 7 | ||||
-rw-r--r-- | arch/x86/kernel/tboot.c | 20 |
4 files changed, 37 insertions, 17 deletions
diff --git a/Documentation/intel_txt.txt b/Documentation/intel_txt.txt index f40a1f030019..87c8990dbbd9 100644 --- a/Documentation/intel_txt.txt +++ b/Documentation/intel_txt.txt | |||
@@ -161,13 +161,15 @@ o In order to put a system into any of the sleep states after a TXT | |||
161 | has been restored, it will restore the TPM PCRs and then | 161 | has been restored, it will restore the TPM PCRs and then |
162 | transfer control back to the kernel's S3 resume vector. | 162 | transfer control back to the kernel's S3 resume vector. |
163 | In order to preserve system integrity across S3, the kernel | 163 | In order to preserve system integrity across S3, the kernel |
164 | provides tboot with a set of memory ranges (kernel | 164 | provides tboot with a set of memory ranges (RAM and RESERVED_KERN |
165 | code/data/bss, S3 resume code, and AP trampoline) that tboot | 165 | in the e820 table, but not any memory that BIOS might alter over |
166 | will calculate a MAC (message authentication code) over and then | 166 | the S3 transition) that tboot will calculate a MAC (message |
167 | seal with the TPM. On resume and once the measured environment | 167 | authentication code) over and then seal with the TPM. On resume |
168 | has been re-established, tboot will re-calculate the MAC and | 168 | and once the measured environment has been re-established, tboot |
169 | verify it against the sealed value. Tboot's policy determines | 169 | will re-calculate the MAC and verify it against the sealed value. |
170 | what happens if the verification fails. | 170 | Tboot's policy determines what happens if the verification fails. |
171 | Note that the c/s 194 of tboot which has the new MAC code supports | ||
172 | this. | ||
171 | 173 | ||
172 | That's pretty much it for TXT support. | 174 | That's pretty much it for TXT support. |
173 | 175 | ||
diff --git a/MAINTAINERS b/MAINTAINERS index 28332e1b0863..3d2651bffadd 100644 --- a/MAINTAINERS +++ b/MAINTAINERS | |||
@@ -2953,6 +2953,17 @@ S: Odd Fixes | |||
2953 | F: Documentation/networking/README.ipw2200 | 2953 | F: Documentation/networking/README.ipw2200 |
2954 | F: drivers/net/wireless/ipw2x00/ipw2200.* | 2954 | F: drivers/net/wireless/ipw2x00/ipw2200.* |
2955 | 2955 | ||
2956 | INTEL(R) TRUSTED EXECUTION TECHNOLOGY (TXT) | ||
2957 | M: Joseph Cihula <joseph.cihula@intel.com> | ||
2958 | M: Shane Wang <shane.wang@intel.com> | ||
2959 | L: tboot-devel@lists.sourceforge.net | ||
2960 | W: http://tboot.sourceforge.net | ||
2961 | T: Mercurial http://www.bughost.org/repos.hg/tboot.hg | ||
2962 | S: Supported | ||
2963 | F: Documentation/intel_txt.txt | ||
2964 | F: include/linux/tboot.h | ||
2965 | F: arch/x86/kernel/tboot.c | ||
2966 | |||
2956 | INTEL WIRELESS WIMAX CONNECTION 2400 | 2967 | INTEL WIRELESS WIMAX CONNECTION 2400 |
2957 | M: Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com> | 2968 | M: Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com> |
2958 | M: linux-wimax@intel.com | 2969 | M: linux-wimax@intel.com |
diff --git a/arch/x86/include/asm/e820.h b/arch/x86/include/asm/e820.h index 0e22296790d3..ec8a52d14ab1 100644 --- a/arch/x86/include/asm/e820.h +++ b/arch/x86/include/asm/e820.h | |||
@@ -45,7 +45,12 @@ | |||
45 | #define E820_NVS 4 | 45 | #define E820_NVS 4 |
46 | #define E820_UNUSABLE 5 | 46 | #define E820_UNUSABLE 5 |
47 | 47 | ||
48 | /* reserved RAM used by kernel itself */ | 48 | /* |
49 | * reserved RAM used by kernel itself | ||
50 | * if CONFIG_INTEL_TXT is enabled, memory of this type will be | ||
51 | * included in the S3 integrity calculation and so should not include | ||
52 | * any memory that BIOS might alter over the S3 transition | ||
53 | */ | ||
49 | #define E820_RESERVED_KERN 128 | 54 | #define E820_RESERVED_KERN 128 |
50 | 55 | ||
51 | #ifndef __ASSEMBLY__ | 56 | #ifndef __ASSEMBLY__ |
diff --git a/arch/x86/kernel/tboot.c b/arch/x86/kernel/tboot.c index 86c9f91b48ae..cc2c60474fd0 100644 --- a/arch/x86/kernel/tboot.c +++ b/arch/x86/kernel/tboot.c | |||
@@ -175,6 +175,9 @@ static void add_mac_region(phys_addr_t start, unsigned long size) | |||
175 | struct tboot_mac_region *mr; | 175 | struct tboot_mac_region *mr; |
176 | phys_addr_t end = start + size; | 176 | phys_addr_t end = start + size; |
177 | 177 | ||
178 | if (tboot->num_mac_regions >= MAX_TB_MAC_REGIONS) | ||
179 | panic("tboot: Too many MAC regions\n"); | ||
180 | |||
178 | if (start && size) { | 181 | if (start && size) { |
179 | mr = &tboot->mac_regions[tboot->num_mac_regions++]; | 182 | mr = &tboot->mac_regions[tboot->num_mac_regions++]; |
180 | mr->start = round_down(start, PAGE_SIZE); | 183 | mr->start = round_down(start, PAGE_SIZE); |
@@ -184,18 +187,17 @@ static void add_mac_region(phys_addr_t start, unsigned long size) | |||
184 | 187 | ||
185 | static int tboot_setup_sleep(void) | 188 | static int tboot_setup_sleep(void) |
186 | { | 189 | { |
190 | int i; | ||
191 | |||
187 | tboot->num_mac_regions = 0; | 192 | tboot->num_mac_regions = 0; |
188 | 193 | ||
189 | /* S3 resume code */ | 194 | for (i = 0; i < e820.nr_map; i++) { |
190 | add_mac_region(acpi_wakeup_address, WAKEUP_SIZE); | 195 | if ((e820.map[i].type != E820_RAM) |
196 | && (e820.map[i].type != E820_RESERVED_KERN)) | ||
197 | continue; | ||
191 | 198 | ||
192 | #ifdef CONFIG_X86_TRAMPOLINE | 199 | add_mac_region(e820.map[i].addr, e820.map[i].size); |
193 | /* AP trampoline code */ | 200 | } |
194 | add_mac_region(virt_to_phys(trampoline_base), TRAMPOLINE_SIZE); | ||
195 | #endif | ||
196 | |||
197 | /* kernel code + data + bss */ | ||
198 | add_mac_region(virt_to_phys(_text), _end - _text); | ||
199 | 201 | ||
200 | tboot->acpi_sinfo.kernel_s3_resume_vector = acpi_wakeup_address; | 202 | tboot->acpi_sinfo.kernel_s3_resume_vector = acpi_wakeup_address; |
201 | 203 | ||