Update TrenchBoot boot protocol for AMD in Secure Kernel Loader

[BeataZdunczyk]

Is your feature request related to a problem? Please describe.

The current implementation of the TrenchBoot boot protocol for AMD platforms in Secure Kernel Loader needs to be updated and aligned with the TrenchBoot boot protocol being upstreamed to GRUB2 and Linux kernel.

Is your feature request related to a new idea or technology that would benefit the project? Please describe.

This task is required to ensure that the TrenchBoot support for AMD platforms in Secure Kernel Loader is up-to-date and compatible with the latest TrenchBoot boot protocol being upstreamed to GRUB2 and Linux kernel.

Describe the solution you'd like

Update the TrenchBoot boot protocol for AMD platforms in Secure Kernel Loader and align it with the TrenchBoot boot protocol being upstreamed to GRUB2 and Linux kernel.

Describe alternatives you've considered

N/A

Additional context

This feature request is part of Phase 4 in TrenchBoot as Anti Evil Maid project, as outlined in the documentation: https://docs.dasharo.com/projects/trenchboot-aem-v2/.

Relevant documentation you've consulted

N/A

[krystian-hebel]

We didn’t have enough space for adding anything with enabled debug code, so I started with reworking current approach a bit.

Size of measured part of SLB went down from ~60KB to ~12KB, which should make measuring SLB by TPM much faster. SL header changed its format which will have to be reflected on GRUB side, but other than that code should be ready to implement SLRT, assuming I didn’t broke anything in the process.

[krystian-hebel]

SLRT is implemented (but not tested on hardware yet) in https://github.com/TrenchBoot/secure-kernel-loader/pull/16. It requires modification to struct slr_entry_dl_info, both in GRUB as well as in the specification. New version of this structure conveys information that is passed through OS2SINIT table in TXT, but in less convoluted form.

[krystian-hebel]

Updated https://github.com/TrenchBoot/secure-kernel-loader/pull/16 and https://github.com/TrenchBoot/secure-kernel-loader/pull/15 after testing on hardware (HP t630 and Supermicro M11SDV) with slightly modified GRUB2 (changes mentioned in https://github.com/TrenchBoot/grub/pull/17#pullrequestreview-1903714379, but without https://github.com/TrenchBoot/grub/pull/17/files#r1504701494 yet). SKL is now able to start Xen, but booting stops there, most likely on attempt to read TXT registers.

Xen will have to be updated. Updates include:

• Not assuming TXT for each SL path.
• Searching for SLRT (and data pointed to by it, e.g. event log) on AMD platforms.
  • As we don't have anything resembling TXT registers on AMD, I planned to use IOMMU registers that have pointers to data located inside SLB (command/device tables or event log), from that it should be easy to reserve SLB memory and save pointer to it.
  • We can also save %ebp value, it has SLB base on Xen entry, although it is overwritten early.
• AMD post-SKINIT SMP bring-up is already included in Xen code, although it currently assumes that SL == TXT, this needs to be undone.

[SergiiDmytruk]

• We can also save %ebp value, it has SLB base on Xen entry, although it is overwritten early.

I don't see it being overwritten in head.S explicitly and given that it's a callee-saved register, shouldn't it be preserved by C code? Either way we only need it to survive until Lslaunch_proto:. This seems like a better option over IOMMU because early TPM code needs SLRT to find event log and using %ebp looks much simpler than dealing with IOMMU there.

[SergiiDmytruk]

PR that makes Slaunch support SKINIT in Xen: https://github.com/TrenchBoot/xen/pull/10

[krystian-hebel]

https://github.com/TrenchBoot/xen/pull/10 has been merged, although with some caveats described in this comment.