|
|
8631a2 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
8631a2 |
From: Matthew Garrett <mjg59@coreos.com>
|
|
|
8631a2 |
Date: Sun, 9 Aug 2015 15:48:51 -0700
|
|
|
8631a2 |
Subject: [PATCH] Add BIOS boot measurement
|
|
|
8631a2 |
|
|
|
8631a2 |
Measure the on-disk grub core on BIOS systems - unlike UEFI, the firmware
|
|
|
8631a2 |
can't do this stage for us.
|
|
|
8631a2 |
---
|
|
|
8631a2 |
grub-core/boot/i386/pc/boot.S | 30 +++++++++++++++++++++++++-
|
|
|
8631a2 |
grub-core/boot/i386/pc/diskboot.S | 44 +++++++++++++++++++++++++++++++++++++++
|
|
|
8631a2 |
2 files changed, 73 insertions(+), 1 deletion(-)
|
|
|
8631a2 |
|
|
|
8631a2 |
diff --git a/grub-core/boot/i386/pc/boot.S b/grub-core/boot/i386/pc/boot.S
|
|
|
b32e65 |
index ea167fe12..c1df86dec 100644
|
|
|
8631a2 |
--- a/grub-core/boot/i386/pc/boot.S
|
|
|
8631a2 |
+++ b/grub-core/boot/i386/pc/boot.S
|
|
|
8631a2 |
@@ -24,11 +24,14 @@
|
|
|
8631a2 |
* defines for the code go here
|
|
|
8631a2 |
*/
|
|
|
8631a2 |
|
|
|
8631a2 |
+#define TPM 1
|
|
|
8631a2 |
+
|
|
|
8631a2 |
/* Print message string */
|
|
|
8631a2 |
#define MSG(x) movw $x, %si; call LOCAL(message)
|
|
|
8631a2 |
#define ERR(x) movw $x, %si; jmp LOCAL(error_message)
|
|
|
8631a2 |
|
|
|
8631a2 |
.macro floppy
|
|
|
8631a2 |
+#ifndef TPM
|
|
|
8631a2 |
part_start:
|
|
|
8631a2 |
|
|
|
8631a2 |
LOCAL(probe_values):
|
|
|
8631a2 |
@@ -85,6 +88,7 @@ fd_probe_error_string: .asciz "Floppy"
|
|
|
8631a2 |
movb MACRO_DOLLAR(79), %ch
|
|
|
8631a2 |
|
|
|
8631a2 |
jmp LOCAL(final_init)
|
|
|
8631a2 |
+#endif
|
|
|
8631a2 |
.endm
|
|
|
8631a2 |
|
|
|
8631a2 |
.macro scratch
|
|
|
8631a2 |
@@ -252,6 +256,7 @@ real_start:
|
|
|
8631a2 |
/* set %si to the disk address packet */
|
|
|
8631a2 |
movw $disk_address_packet, %si
|
|
|
8631a2 |
|
|
|
8631a2 |
+#ifndef TPM
|
|
|
8631a2 |
/* check if LBA is supported */
|
|
|
8631a2 |
movb $0x41, %ah
|
|
|
8631a2 |
movw $0x55aa, %bx
|
|
|
8631a2 |
@@ -271,6 +276,7 @@ real_start:
|
|
|
8631a2 |
|
|
|
8631a2 |
andw $1, %cx
|
|
|
8631a2 |
jz LOCAL(chs_mode)
|
|
|
8631a2 |
+#endif
|
|
|
8631a2 |
|
|
|
8631a2 |
LOCAL(lba_mode):
|
|
|
8631a2 |
xorw %ax, %ax
|
|
|
8631a2 |
@@ -314,6 +320,9 @@ LOCAL(lba_mode):
|
|
|
8631a2 |
jmp LOCAL(copy_buffer)
|
|
|
8631a2 |
|
|
|
8631a2 |
LOCAL(chs_mode):
|
|
|
8631a2 |
+#ifdef TPM
|
|
|
8631a2 |
+ jmp LOCAL(general_error)
|
|
|
8631a2 |
+#else
|
|
|
8631a2 |
/*
|
|
|
8631a2 |
* Determine the hard disk geometry from the BIOS!
|
|
|
8631a2 |
* We do this first, so that LS-120 IDE floppies work correctly.
|
|
|
8631a2 |
@@ -425,7 +434,7 @@ setup_sectors:
|
|
|
8631a2 |
jc LOCAL(read_error)
|
|
|
8631a2 |
|
|
|
8631a2 |
movw %es, %bx
|
|
|
8631a2 |
-
|
|
|
8631a2 |
+#endif /* TPM */
|
|
|
8631a2 |
LOCAL(copy_buffer):
|
|
|
8631a2 |
/*
|
|
|
8631a2 |
* We need to save %cx and %si because the startup code in
|
|
|
8631a2 |
@@ -448,6 +457,25 @@ LOCAL(copy_buffer):
|
|
|
8631a2 |
popw %ds
|
|
|
8631a2 |
popa
|
|
|
8631a2 |
|
|
|
8631a2 |
+#ifdef TPM
|
|
|
8631a2 |
+ pusha
|
|
|
8631a2 |
+
|
|
|
8631a2 |
+ movw $0xBB00, %ax /* TCG_StatusCheck */
|
|
|
8631a2 |
+ int $0x1A
|
|
|
8631a2 |
+ test %eax, %eax
|
|
|
8631a2 |
+ jnz boot /* No TPM or TPM deactivated */
|
|
|
8631a2 |
+
|
|
|
8631a2 |
+ movw $0xBB07, %ax /* TCG_CompactHashLogExtendEvent */
|
|
|
8631a2 |
+ movw $GRUB_BOOT_MACHINE_KERNEL_ADDR, %di
|
|
|
8631a2 |
+ xorl %esi, %esi
|
|
|
8631a2 |
+ movl $0x41504354, %ebx /* TCPA */
|
|
|
8631a2 |
+ movl $0x200, %ecx /* Measure 512 bytes */
|
|
|
8631a2 |
+ movl $0x8, %edx /* PCR 8 */
|
|
|
8631a2 |
+ int $0x1A
|
|
|
8631a2 |
+
|
|
|
8631a2 |
+ popa
|
|
|
8631a2 |
+#endif
|
|
|
8631a2 |
+boot:
|
|
|
8631a2 |
/* boot kernel */
|
|
|
8631a2 |
jmp *(LOCAL(kernel_address))
|
|
|
8631a2 |
|
|
|
8631a2 |
diff --git a/grub-core/boot/i386/pc/diskboot.S b/grub-core/boot/i386/pc/diskboot.S
|
|
|
b32e65 |
index 68d31de0c..f4744ec6f 100644
|
|
|
8631a2 |
--- a/grub-core/boot/i386/pc/diskboot.S
|
|
|
8631a2 |
+++ b/grub-core/boot/i386/pc/diskboot.S
|
|
|
8631a2 |
@@ -19,6 +19,8 @@
|
|
|
8631a2 |
#include <grub/symbol.h>
|
|
|
8631a2 |
#include <grub/machine/boot.h>
|
|
|
8631a2 |
|
|
|
8631a2 |
+#define TPM 1
|
|
|
8631a2 |
+
|
|
|
8631a2 |
/*
|
|
|
8631a2 |
* defines for the code go here
|
|
|
8631a2 |
*/
|
|
|
8631a2 |
@@ -53,6 +55,21 @@ _start:
|
|
|
8631a2 |
/* this sets up for the first run through "bootloop" */
|
|
|
8631a2 |
movw $LOCAL(firstlist), %di
|
|
|
8631a2 |
|
|
|
8631a2 |
+#ifdef TPM
|
|
|
8631a2 |
+ /* clear EAX to remove potential garbage */
|
|
|
8631a2 |
+ xorl %eax, %eax
|
|
|
8631a2 |
+ /* 8(%di) = number of sectors to read */
|
|
|
8631a2 |
+ movw 8(%di), %ax
|
|
|
8631a2 |
+
|
|
|
8631a2 |
+ /* Multiply number of sectors to read with 512 bytes. EAX is 32bit
|
|
|
8631a2 |
+ * which is large enough to hold values of up to 4GB. I doubt there
|
|
|
8631a2 |
+ * will ever be a core.img larger than that. ;-) */
|
|
|
8631a2 |
+ shll $9, %eax
|
|
|
8631a2 |
+
|
|
|
8631a2 |
+ /* write result to bytes_to_measure var */
|
|
|
8631a2 |
+ movl %eax, bytes_to_measure
|
|
|
8631a2 |
+#endif
|
|
|
8631a2 |
+
|
|
|
8631a2 |
/* save the sector number of the second sector in %ebp */
|
|
|
8631a2 |
movl (%di), %ebp
|
|
|
8631a2 |
|
|
|
8631a2 |
@@ -290,6 +307,29 @@ LOCAL(copy_buffer):
|
|
|
8631a2 |
/* END OF MAIN LOOP */
|
|
|
8631a2 |
|
|
|
8631a2 |
LOCAL(bootit):
|
|
|
8631a2 |
+#ifdef TPM
|
|
|
8631a2 |
+ pusha
|
|
|
8631a2 |
+ movw $0xBB07, %ax /* TCG_CompactHashLogExtendEvent */
|
|
|
8631a2 |
+
|
|
|
8631a2 |
+ movw $0x0, %bx
|
|
|
8631a2 |
+ movw %bx, %es
|
|
|
8631a2 |
+
|
|
|
8631a2 |
+ /* We've already measured the first 512 bytes, now measure the rest */
|
|
|
8631a2 |
+ xorl %edi, %edi
|
|
|
8631a2 |
+ movw $(GRUB_BOOT_MACHINE_KERNEL_ADDR + 0x200), %di
|
|
|
8631a2 |
+
|
|
|
8631a2 |
+ movl $0x41504354, %ebx /* EBX = "TCPA" */
|
|
|
8631a2 |
+
|
|
|
8631a2 |
+ /* %ecx = The length, in bytes, of the buffer to measure */
|
|
|
8631a2 |
+ movl $bytes_to_measure, %esi
|
|
|
8631a2 |
+ movl (%esi), %ecx
|
|
|
8631a2 |
+ xorl %esi, %esi
|
|
|
8631a2 |
+ movl $0x9, %edx /* PCR 9 */
|
|
|
8631a2 |
+
|
|
|
8631a2 |
+ int $0x1A
|
|
|
8631a2 |
+
|
|
|
8631a2 |
+ popa
|
|
|
8631a2 |
+#endif
|
|
|
8631a2 |
/* print a newline */
|
|
|
8631a2 |
MSG(notification_done)
|
|
|
8631a2 |
popw %dx /* this makes sure %dl is our "boot" drive */
|
|
|
8631a2 |
@@ -324,6 +364,10 @@ geometry_error_string: .asciz "Geom"
|
|
|
8631a2 |
read_error_string: .asciz "Read"
|
|
|
8631a2 |
general_error_string: .asciz " Error"
|
|
|
8631a2 |
|
|
|
8631a2 |
+#ifdef TPM
|
|
|
8631a2 |
+bytes_to_measure: .long 0
|
|
|
8631a2 |
+#endif
|
|
|
8631a2 |
+
|
|
|
8631a2 |
/*
|
|
|
8631a2 |
* message: write the string pointed to by %si
|
|
|
8631a2 |
*
|