Skip to content

Slaunch support for Xen.efi #21

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
krystian-hebel merged 15 commits into from
Feb 19, 2025
Merged

Slaunch support for Xen.efi #21

krystian-hebel merged 15 commits into from
Feb 19, 2025

Conversation

@SergiiDmytruk
Copy link
Member

@SergiiDmytruk SergiiDmytruk commented Jan 1, 2025

An upstream fix will be gone on a future rebase. Code improvements and measurement corrections follow. The actual support is added in the penultimate commit, see its commit message for some details. CI has some issues with the latest latest qubes-builderv2 (sudo isn't passwordless in a container which the builder creates), I just pinned its version to an older commit which works.

@SergiiDmytruk
include/xen/slr_table.h: update to v11 version
432f9f6 
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
miczyg1
miczyg1 requested changes Jan 2, 2025
View reviewed changes
krystian-hebel
krystian-hebel requested changes Jan 7, 2025
View reviewed changes
@SergiiDmytruk SergiiDmytruk force-pushed the aem-efi-boot branch 3 times, most recently from 4fcdf5b to 274d462 Compare January 17, 2025 15:04
@SergiiDmytruk
xen/arch/x86/boot/slaunch_early.c: switch to slr_entry_amd_info on AMD
a0974c0 
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
@SergiiDmytruk
arch/x86/include/asm/intel_txt.h: move include, add SLAUNCH_ERROR_LO_…
e8b5594 
…PMR_SIZE

Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
@SergiiDmytruk
xen/arch/x86/boot/slaunch_early.c: move part to include/asm/intel_txt.h
c950403 
This is to allow reusing the same code from a different place.

Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
@SergiiDmytruk
xen/include/xen/slr_table.h: update slr_entry_intel_info
6884c83 
Add boot_params_base field.

Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
@SergiiDmytruk
xen/include/xen/slr_table.h: update slr_entry_amd_info
537a467 
Add PSP version and update types for consistency.

Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
@SergiiDmytruk
xen/arch/x86/tpm.c: const-correct TPM1.2
475b51e 
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
@SergiiDmytruk
xen/arch/x86/tpm.c: const-correct TPM2.0
f4147f4 
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
@SergiiDmytruk
xen/arch/x86/slaunch.c: zero addresses on measuring SLR_ENTRY_INTEL_INFO
057f24d 
To prevent measurements from changing when the only thing that has
changed is some address.  Addresses can vary due to bootloader, firmware
or user doing something differently or just if GRUB gets bigger in size
due to inclusion of more modules and ends up offsetting newly allocated
memory.

Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
@SergiiDmytruk
xen/arch/x86/slaunch.c: measure SLR_ENTRY_AMD_INFO
d39b3d0 
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
@SergiiDmytruk
xen/arch/x86/slaunch.c: make DRTM policy processing more flexible
ff99baf 
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
@SergiiDmytruk
xen/arch/x86/slaunch.c: improve a panic message
b5c1acc 
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
@SergiiDmytruk SergiiDmytruk changed the base branch from aem-staging-18-11-24 to aem-next January 25, 2025 23:13
@SergiiDmytruk
Copy link
Member Author

SergiiDmytruk commented Jan 26, 2025

In addition to force-pushing changes (some of them are new for this PR) I changed the target branch to deal with 4.17.4 (which builder calls 4.17.5 for some reason) instead of staging. This is because Xen staging has different ABI which can't be used on Qubes OS 4.2.

@SergiiDmytruk SergiiDmytruk force-pushed the aem-efi-boot branch 2 times, most recently from 3588c76 to 9eec232 Compare February 11, 2025 18:03
@SergiiDmytruk SergiiDmytruk force-pushed the aem-efi-boot branch 2 times, most recently from faa5bdb to 9c6c3cb Compare February 16, 2025 18:50
@macpijan
Copy link
Member

macpijan commented Feb 18, 2025
edited
Loading

@miczyg1 all your threads are resolved here, can you please approve if you have no more comments?

@miczyg1
Copy link

miczyg1 commented Feb 19, 2025

@miczyg1 all your threads are resolved here, can you please approve if you have no more comments?

I can but there are also @krystian-hebel threads unresolved.

@macpijan
Copy link
Member

macpijan commented Feb 19, 2025

I am aware, @krystian-hebel will do his part as well.

@miczyg1
Copy link

miczyg1 commented Feb 19, 2025

Also, I only tested the legacy boot path of this code and it didn't work so I am not convinced to give approve yet.

miczyg1
miczyg1 approved these changes Feb 19, 2025
View reviewed changes
Copy link

@miczyg1 miczyg1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@macpijan told we will be looking into legacy boot later too. For now I approve my review being addressed.

krystian-hebel
krystian-hebel reviewed Feb 19, 2025
View reviewed changes
@krystian-hebel krystian-hebel mentioned this pull request Feb 19, 2025
Merged
@SergiiDmytruk
x86s/slaunch: support EFI boot
e6ea898 
When running on an EFI-enabled system, Xen needs to have access to Boot
Services in order to initialize itself properly and reach a state in
which a Dom0 kernel can operate without issues.

This means that DRTM must be started in the middle of Xen's
initialization process.  This effect is achieved via a callback into
bootloader (GRUB) which is responsible for initiating DRTM and
continuing Xen's initialization process.  The latter is achieved by
branching in Slaunch entry point on a flag to switch back into long mode
and calling the same function which Xen would execute as the next step
without DRTM.

Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
@SergiiDmytruk
xen/arch/x86/include/asm/intel_txt.h: align txt_os_mle_data with GRUB
a306fbf 
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
@SergiiDmytruk
Drop txt_os_mle_data::boot_params_addr
1278ae8 
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
@krystian-hebel krystian-hebel merged commit 1278ae8 into aem-next Feb 19, 2025
1 check passed
@krystian-hebel krystian-hebel deleted the aem-efi-boot branch February 19, 2025 20:20
@macpijan macpijan mentioned this pull request Feb 19, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@miczyg1 miczyg1 miczyg1 approved these changes

@krystian-hebel krystian-hebel krystian-hebel approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@SergiiDmytruk @macpijan @miczyg1 @krystian-hebel