Wei, Gang | 28 Dec 08:04 2012
Picon

tboot 1.7.3 released

Source package tboot-1.7.3.tar.gz can be downloaded from sourceforge.net.
And since 1.7.3 the upstream repository was moved to:
http://hg.code.sf.net/p/tboot/code .

Major changes since 1.7.2 (20120929):

	Update README with updated code repository url.
	Fix grub2 scripts to be compatible with more distros.
	Update README for RACM launch support
	Add a new option "call_racm=true|false" for revocation acm(RACM)
launch
	Fix potential buffer overrun & memory leak in crtpconf.c
	Fix a potential buffer overrun in lcptools/lock.c
	Print cmdline in multi-lines
	Optional print TXT.ERRORCODE under level error or info
	Fix side effects of tboot log level macros in tools
	Update readme for the new detail log level
	Classify all logs into different log levels
	Add detail log level and the macros defined for log level
	Fix acmod_error_t type to correctly align all bits in 4bytes

Please help testing it, and enjoy it.

Jimmy
Attachment (smime.p7s): application/pkcs7-signature, 11 KiB
------------------------------------------------------------------------------
Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and
much more. Get web development skills now with LearnDevNow -
(Continue reading)

Wei, Gang | 27 Dec 10:40 2012
Picon

OpenAttestation project v1.6 released

The major target of this release is to improve code quality based on v1.5,
some important fixes will be back ported into v1.5 branch.

https://github.com/OpenAttestation/OpenAttestation.git

Key Changes in v1.6:
	Enhanced Reference CLI Curl scripts for API access
	Auto testing scripts covered more than 100 test cases for both APIs
& Reference CLI Curl scripts

Fixed issues:
* API related:
 - The HOST API should be
https://${server}:8443/AttestationService/resources/hosts instead of
https://${server}:8443/AttestationService/resources/host. 
 - Enhancement for "MLE_SEARCH" API
 - "POLLHOST" API exception handling
 - Adding MLE successful when "attestation type" is null, it is wrong
 - In source code, MLE "version" string's length limit is not match with
database
 - When attestation type contains special characters, add MLE successful
 - Delete MLE successful which connected to host
 - PCR value should not be null
 - The result of pollhost is unknown due to configuration in "/etc/hosts"
 - The run time of pollhost one machine is more than pollhost 1000 machines,
is unreasonably
* DB related:
 - OpenAttestation hibernate db communication failure
 - The field did not check the capital or lower character (Won't Fix)
 - Cannot add CONSTRAINT into DB on SLES
(Continue reading)

Wei, Gang | 25 Dec 07:06 2012
Picon

tboot project upgraded from classic sourceforge platform to the new Allura platform

As requested by SourceForge Community Manager, tboot just finished upgrade
from classic sourceforge platform to the new platform.

As the result of this upgrade, one major change is that the source code
repository URL got changed to:
	http://hg.code.sf.net/p/tboot/code

Please do a fresh checkout using the new repository location.

Jimmy
Attachment (smime.p7s): application/pkcs7-signature, 11 KiB
------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
tboot-devel mailing list
tboot-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
Charles.Fisher | 12 Dec 00:23 2012

Buffer overrun and memory leak problems.

All,

 

While doing a routine update of a security review of the tboot code, I found a couple of minor problems – two potential (but very unlikely) buffer overrun problems, and one minor memory leak – although the program is going to terminate almost immediately, so the memory comes back anyway.

 

At any rate, here is a patch to correct the problem.

 

Signed Off by: Charles Fisher charles.fisher <at> gdc4s.com

 

diff -up tboot-1.7.2/lcptools/crtpconf.c.orig tboot-1.7.2/lcptools/crtpconf.c

--- tboot-1.7.2/lcptools/crtpconf.c.orig  2012-12-11 13:16:12.239464000 -0700

+++ tboot-1.7.2/lcptools/crtpconf.c 2012-12-11 16:00:23.097982000 -0700

<at> <at> -109,14 +109,12 <at> <at> main(int argc, char *argv[])

     uint16_t i = 0;

     uint32_t index[MAX_INDEX] = {0};

     uint32_t idx_num = 0;

-    unsigned char *pcr_num[MAX_INDEX] = {NULL};

     FILE *p_file = NULL;

     unsigned char* srtm_data = NULL;

     uint32_t data_len = 0;

     TPM_LOCALITY_SELECTION local_sel;

     lcp_result_t ret_value = LCP_E_COMD_INTERNAL_ERR;

-    uint32_t temp = 0;

     /*

      * No parameter input will print out the help message.

<at> <at> -151,28 +149,13 <at> <at> main(int argc, char *argv[])

         ret_value = LCP_E_INVALID_PARAMETER;

         goto _error_end;

     }

-

-    for (i = 0; i < MAX_INDEX; i++) {

-        pcr_num[i] = (unsigned char *)malloc(10);

-        if ( pcr_num[i] == NULL ) {

-            ret_value = LCP_E_OUTOFMEMORY;

-            goto _error_end;

-        }

-    }

-    if ( str_split((char *)pcr_val, (char **)&pcr_num, &idx_num) < 0 ) {

-        ret_value = LCP_E_INVALID_PARAMETER;

-        goto _error_end;

-    }

+    idx_num = MAX_INDEX;

+    str_split((char *)pcr_val, index, &idx_num);

     for ( i = 0; i < idx_num; i++ ) {

-      if ( strtonum((char *)pcr_num[i], &temp) < 0 ) {

-            ret_value = LCP_E_INVALID_PARAMETER;

-            goto _error_end;

-        }

-        if ( temp > 23 ) {

+        if ( index[i] > 23 ) {

             ret_value = LCP_E_INVALID_PARAMETER;

             goto _error_end;

-        }

-        index[i] = temp;

+     }

     }

     local_sel = (TPM_LOCALITY_SELECTION)locality;

<at> <at> -200,8 +183,7 <at> <at> main(int argc, char *argv[])

             fclose(p_file);

         } else

             print_hexmsg("the PConf data is:\n", data_len, srtm_data);

-        if(srtm_data)

-            free(srtm_data);

+     free(srtm_data);

     } else

         goto _error_end;

<at> <at> -210,10 +192,10 <at> <at> _error_end:

     /*

      * Error when execute.

      */

-    for (i = 0; i < MAX_INDEX; i++)

-        free(pcr_num[i]);

-    free(srtm_data);

+    if (srtm_data)

+     free(srtm_data);

     log_error("\nCommand CrtPConf failed:\n");

     print_error(ret_value);

     return ret_value;

-}

+    }

+   

diff -up tboot-1.7.2/lcptools/lcputils.c.orig tboot-1.7.2/lcptools/lcputils.c

--- tboot-1.7.2/lcptools/lcputils.c.orig  2012-12-11 13:16:30.352217000 -0700

+++ tboot-1.7.2/lcptools/lcputils.c 2012-12-11 15:44:03.076312000 -0700

<at> <at> -217,42 +217,22 <at> <at> print_hexmsg(const char *header_msg, int

}

 /* split the input string in the format: num1,num2,...,numN

- * into the array = {num1, num2, ... , numN}

+ * into the numeric array = {num1, num2, ... , numN}

*/

-int

-str_split(const char *str_in, char **str_out, unsigned int *number)

+void

+str_split(char *str_in, uint32_t ints[], unsigned int *nr_ints)

{

-    char * temp;

-    int num = 0;

-    const char *sep = ",";

-    size_t str_length = 0;

-    char *string = (char *)malloc(strlen(str_in) + 1);

-

-    if ( string == NULL )

-        return -1;

-    if ( str_in == NULL || str_out == NULL || number == NULL ) {

-        free(string);

-        return -1;

-    }

-    strcpy(string, str_in);

-    temp =strtok(string, sep);

-    if ( temp != NULL && str_out[num] )

-        strcpy(str_out[num], temp);//strtok(string, sep));

-    while (str_out[num] != NULL) {

-        str_length += strlen(str_out[num]);

-        num++;

-        temp = strtok(NULL, sep);

-        if ( temp != NULL )

-            strcpy(str_out[num], temp);

-        else

-            str_out[num] = NULL;

+    unsigned int nr = 0;

+

+    while ( true ) {

+        char *str = strsep(&str_in, ",");

+        if ( str == NULL || nr == *nr_ints )

+            break;

+        ints[nr++] = strtoul(str, NULL, 0);

     }

-    free(string);

-    *number = num;

-    str_length += num - 1;

-    if ( str_length != strlen(str_in) )

-        return -1;

-    return 0;

+    if ( nr == *nr_ints )

+        log_error("Error: too many items in list\n");

+    *nr_ints = nr;

}

 uint16_t

diff -up tboot-1.7.2/lcptools/lcputils.h.orig tboot-1.7.2/lcptools/lcputils.h

--- tboot-1.7.2/lcptools/lcputils.h.orig  2012-12-11 15:20:08.106747000 -0700

+++ tboot-1.7.2/lcptools/lcputils.h 2012-12-11 15:42:34.009610000 -0700

<at> <at> -134,6 +134,6 <at> <at> calc_sizeofselect(uint32_t num_indices,

void print_locality(unsigned char loc);

void print_permissions(UINT32 perms, const char *prefix);

-int str_split(const char *str_in, char **str_out, unsigned int *number);

+void str_split(char *str_in, uint32_t ints[], unsigned int *number);

 #endif

diff -up tboot-1.7.2/lcptools/lock.c.orig tboot-1.7.2/lcptools/lock.c

--- tboot-1.7.2/lcptools/lock.c.orig      2012-12-11 14:57:02.784235000 -0700

+++ tboot-1.7.2/lcptools/lock.c     2012-12-11 15:15:43.532763000 -0700

<at> <at> -91,7 +91,8 <at> <at> parse_cmdline(int argc, const char * arg

int

main (int argc, char *argv[])

{

-    char confirm_lock[1024] = {0};

+    char confirm_lock[4] = {0};

+    char c;

     in_nv_definespace_t in_defspace;

     lcp_result_t ret_value = LCP_E_COMD_INTERNAL_ERR;

<at> <at> -119,12 +120,12 <at> <at> main (int argc, char *argv[])

          */

         do {

             log_info("Really want to lock TPM NV? (Y/N) ");

-            dummy = scanf("%s", confirm_lock);

+            dummy = scanf("%3s", confirm_lock);

             if ( dummy <= 0 )

                 return LCP_E_COMD_INTERNAL_ERR;

-        } while (strcmp(confirm_lock, "N") && strcmp(confirm_lock, "n") &&

-           strcmp(confirm_lock, "Y") && strcmp(confirm_lock, "y"));

-        if ( !strcmp(confirm_lock, "N") || !strcmp(confirm_lock, "n") ) {

+         c = confirm_lock[0] | ' ';

+        } while ( (c != 'n') && (c != 'y') );

+        if ( c == 'n') {

             ret_value = LCP_SUCCESS;

             return ret_value;

         }

 

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
tboot-devel mailing list
tboot-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
Patrick Winchester | 2 Dec 12:02 2012

TBoot setup on Ubuntu 12.10

Hi list,

I am trying to get tboot to run my Ubuntu 12.10 environment on a Dell Latitude 6520 laptop (no Xen / Hypervisor involved).
Sadly, I am a little stuck.

I took the following steps to install tboot:

apt-get install tboot

tpm_takeownership -z

Download SINIT from intel.com and place *.BIN in /boot

update-grub

Now, when I try to boot into tboot from the grub menu, I get two sets of results after seeing the message
Loading SINIT <binname>:
2nd_gen_i5_i7-SINIT_51 - the machine just hangs, no more activity or progress
3nd_gen_i5_i7-SINIT_51 (or any other) - the machine restart immediately

I have enabled all necessary options in BIOS and I am trying to EFI boot from a GPT disk (in case this is relevant).

Can someone point me to some resources on how to set this up properly or provide some insight into what is
going wrong?
Any help is appreciated.

Cheers,
 -- Patrick

------------------------------------------------------------------------------
Keep yourself connected to Go Parallel: 
DESIGN Expert tips on starting your parallel project right.
http://goparallel.sourceforge.net/
Charles.Fisher | 22 Oct 19:23 2012

USB interrupts and scrubbing e820 memory

Patch [2/2]

 

Signed-off-by: Charles Fisher <Charles.Fisher <at> gdc4s.com

 

There are a couple of problems that occur with tboot. The first is on some Dell

laptops, it is necessary to disable the legacy usb interrupts. This patch

provides a mechanism to enable a developer to do so.

 

The second problem is that in certain circumstances, data owners consider the

contents of memory to be sensitive. In these cases, they require that the e820

map be scrubbed. The other portion of this patch provides a capability to do

that scrub.

 

Both options are invoked via the command line, and both default to the current

behavior - i.e. don't disable the usb interrupts, and don't scrub the memory.

 

+bool get_scrub_e820(void)

+{

+    const char *clean_map = get_option_val(g_tboot_cmdline_options,

+                                           g_tboot_param_values, "scrub_e820");

+    if ( clean_map == NULL || ( strcmp(clean_map, "true") != 0 ))

+        return false;

+    return true;

+}

+   

 bool get_tboot_prefer_da(void)

{

     const char *value = get_option_val(g_tboot_cmdline_options,

diff -up tboot-1.7.2/tboot/common/e820.c.orig tboot-1.7.2/tboot/common/e820.c

--- tboot-1.7.2/tboot/common/e820.c.orig  2012-10-09 14:27:01.578660000 -0700

+++ tboot-1.7.2/tboot/common/e820.c 2012-10-09 14:28:48.030072000 -0700

<at> <at> -36,10 +36,14 <at> <at>

#include <config.h>

#include <types.h>

#include <stdbool.h>

+#include <compiler.h>

+#include <string.h>

#include <printk.h>

+#include <processor.h>

#include <cmdline.h>

#include <multiboot.h>

#include <stdarg.h>

+#include <paging.h>

#include <misc.h>

#include <pci_cfgreg.h>

#include <e820.h>

<at> <at> -553,6 +557,118 <at> <at> bool e820_reserve_ram(uint64_t base, uin

     return true;

}

 

+/* Define the virtual address page used to scrub memory     */

+/* tboot data is in page 0 of virtual and physical memory   */

+/* tboot code is on page 4 of virtual an physical memory    */

+/* These are the only pages that can't be used.             */

+/* Define a page that provides a little distance from these */

+/* ALL usable memory is erased by calling memset with       */

+/* the same virtual address. The virtual address is mapped  */

+/* to the proper physical address prior calling memset      */

+/* Page 8 is used for this version                          */

+/* This page is virtual address space 0x01000000            */

+/* With this address, the address space being erased is     */

+/* always in the range 0x01000000 - 0x011FFFFF              */

+#define SCRUB_VIRUTAL_ADDRESS 0x01000000

+#define SCRUB_BLOCK_SIZE (1 << TB_L1_PAGETABLE_SHIFT)

+#define SCRUB_BLOCK_OFFSET (SCRUB_BLOCK_SIZE - 1)

+

+/*

+ * e820_scrub_usable

+ *

+ * Scrub all e820 memory marked as usable.

+ *

+ */

+void e820_scrub_usable(void)

+{

+    printk("scrubbing memory\n");

+

+    /* Enable paging */

+    enable_paging();

+

+    /* Iterate the e820 map */

+    for ( unsigned int i = 0; i < g_nr_map; i++ ) {

+        /* Get the block start and length */

+        memory_map_t *entry = &g_copy_e820_map[i];

+        uint64_t block_start = e820_base_64(entry);

+        uint64_t block_length = e820_length_64(entry);

+

+        /* Is block a usable block? */

+        if(entry->type == E820_RAM) {

+            /* Erase the block */

+            printk("%016Lx - %016Lx\n",

+               (unsigned long long)block_start,

+               (unsigned long long)(block_start + block_length));

+

+            /* Loop over block by physical 'page' */

+            while(block_length > 0) {

+                /*

+                 *

+                 * Map the physical address at block_start to

+                 * virtual address SCRUB_VIRUTAL_ADDRESS

+                 * Since the physical address is specified as a page

+                 * the block does not need to start on a page boundary.

+                 *

+                 */

+                map_pages_to_tboot(

+                    SCRUB_VIRUTAL_ADDRESS,

+                    block_start>>TB_L1_PAGETABLE_SHIFT,

+                    1);

+

+                /*

+                 *

+                 * If block_start is not on a page boundary,

+                 * erase the block from the offset to the end of page.

+                 *

+                 */

+                uint32_t scrub_block_offset = block_start & SCRUB_BLOCK_OFFSET;

+

+                /*

+                 *

+                 * The starting virtual address is the

+                 * SCRUB_VIRUTAL_ADDRESS plus any offset

+                 *

+                 */

+                uint32_t scrub_block_virtual_address =

+                    SCRUB_VIRUTAL_ADDRESS + scrub_block_offset;

+

+                /*

+                 *

+                 * Determine the block size.

+                 * The block size is from the start address to the

+                 * end of the page or block.

+                 *

+                 */

+                uint32_t scrub_block_length =

+                    SCRUB_BLOCK_SIZE - scrub_block_offset;

+                if(scrub_block_length > block_length)

+                    scrub_block_length = block_length;

+

+                /*

+                 *

+                 * The page is mapped.

+                 * The starting virual address and length have been computed.

+                 * Ready to erase.

+                 *

+                 */

+                memset(

+                    (void*)scrub_block_virtual_address,

+                    0,

+                    scrub_block_length);

+

+                /* Advance to the next page */

+                block_length -= scrub_block_length;

+                block_start  += scrub_block_length;

+

+            }

+        }

+    }

+

+    disable_paging();

+    wbinvd();

+    printk("complete\n");

+}

+

void print_e820_map(void)

{

     print_map(g_copy_e820_map, g_nr_map);

diff -up tboot-1.7.2/tboot/common/tboot.c.orig tboot-1.7.2/tboot/common/tboot.c

--- tboot-1.7.2/tboot/common/tboot.c.orig 2012-10-09 14:26:33.211480000 -0700

+++ tboot-1.7.2/tboot/common/tboot.c      2012-10-09 14:28:59.726554000 -0700

<at> <at> -207,6 +207,14 <at> <at> static void post_launch(void)

         if ( !e820_protect_region(base, size, E820_RESERVED) )

             apply_policy(TB_ERR_FATAL);

     }

+

+    /* protect the e820 map */

+    base = TBOOT_E820_COPY_ADDR;

+    size = TBOOT_E820_COPY_SIZE;

+    printk("reserving tboot e820 memory map (%Lx - %Lx) in e820 table\n", base,

+       (base + size - 1));

+    if ( !e820_protect_region(base, size, E820_RESERVED) )

+        apply_policy(TB_ERR_FATAL);

 

     /* replace map in mbi with copy */

     replace_e820_map(g_mbi);

<at> <at> -346,6 +354,10 <at> <at> void begin_launch(multiboot_info_t *mbi)

     /* make the CPU ready for measured launch */

     if ( !prepare_cpu() )

         apply_policy(TB_ERR_FATAL);

+

+    /* disable legacy USB #SMIs */

+    if (get_tboot_no_usb())

+        disable_smis();

 

     /* do s3 launch directly, if is a s3 resume */

     if ( s3_flag ) {

<at> <at> -525,8 +537,9 <at> <at> void shutdown(void)

             tpm_save_state(2);

 

         /* scrub any secrets by clearing their memory, then flush cache */

-        /* we don't have any secrets to scrub, however */

-        ;

+        /* scrub memory if requested on the command line */

+        if (get_scrub_e820())

+            e820_scrub_usable();

 

         /* in mwait "mode", APs will be in MONITOR/MWAIT and can be left there */

         if ( !use_mwait() ) {

[diff -up tboot-1.7.2/tboot/include/cmdline.h.orig tboot-1.7.2/tboot/include/cmdline.h

--- tboot-1.7.2/tboot/include/cmdline.h.orig    2012-10-09 14:25:28.155780000 -0700

+++ tboot-1.7.2/tboot/include/cmdline.h   2012-10-09 14:28:59.728551000 -0700

<at> <at> -47,6 +47,8 <at> <at> extern bool get_tboot_serial(void);

extern void get_tboot_baud(void);

extern void get_tboot_fmt(void);

extern void get_tboot_vga_delay(void);

+extern bool get_tboot_no_usb(void);

+extern bool get_scrub_e820(void);

extern bool get_tboot_mwait(void);

extern bool get_tboot_prefer_da(void);

extern void get_tboot_min_ram(void);

diff -up tboot-1.7.2/tboot/include/e820.h.orig tboot-1.7.2/tboot/include/e820.h

--- tboot-1.7.2/tboot/include/e820.h.orig 2012-10-09 14:26:00.123106000 -0700

+++ tboot-1.7.2/tboot/include/e820.h      2012-10-09 14:28:48.055068000 -0700

<at> <at> -70,6 +70,7 <at> <at> typedef struct __packed {

 

extern bool copy_e820_map(const multiboot_info_t *mbi);

extern bool e820_protect_region(uint64_t addr, uint64_t size, uint32_t type);

+extern void e820_scrub_usable(void);

extern bool e820_reserve_ram(uint64_t base, uint64_t length);

extern void print_e820_map(void);

extern void replace_e820_map(multiboot_info_t *mbi);

 

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_sfd2d_oct
_______________________________________________
tboot-devel mailing list
tboot-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
Charles.Fisher | 10 Oct 19:10 2012

USB interrupts and scrubbing e820 memory

Signed-off-by: Charles Fisher <Charles.Fisher <at> gdc4s.com

 

There are a couple of problems that occur with tboot. The first is on some Dell

laptops, it is necessary to disable the legacy usb interrupts. This patch

provides a mechanism to enable a developer to do so.

 

The second problem is that in certain circumstances, data owners consider the

contents of memory to be sensitive. In these cases, they require that the e820

map be scrubbed. The other portion of this patch provides a capability to do

that scrub.

 

Both options are invoked via the command line, and both default to the current

behavior - i.e. don't disable the usb interrupts, and don't scrub the memory.

 

diff -up tboot-1.7.2/tboot/common/acpi.c.orig tboot-1.7.2/tboot/common/acpi.c

--- tboot-1.7.2/tboot/common/acpi.c.orig  2012-10-09 14:26:14.279694000 -0700

+++ tboot-1.7.2/tboot/common/acpi.c 2012-10-09 14:28:59.721553000 -0700

<at> <at> -436,6 +436,15 <at> <at> void set_s3_resume_vector(const tboot_ac

     acpi_printk("wakeup_vector_address = %llx\n", acpi_sinfo->wakeup_vector);

     acpi_printk("wakeup_vector_value = %llxx\n", resume_vector);

+}

+

+void disable_smis(void)

+{

+        printk("disabling legacy USB SMIs\n");

+        uint32_t pmbase = pcireg_cfgread(0, 31, 0, 0x40, 4) & ~1;

+        uint32_t smi_en = inl(pmbase + 0x30);

+        smi_en &= ~0x20008;

+        outl(pmbase + 0x30, smi_en);

}

 /*

diff -up tboot-1.7.2/tboot/common/cmdline.c.orig tboot-1.7.2/tboot/common/cmdline.c

--- tboot-1.7.2/tboot/common/cmdline.c.orig     2012-10-09 14:26:23.724083000 -0700

+++ tboot-1.7.2/tboot/common/cmdline.c    2012-10-09 14:28:59.723556000 -0700

<at> <at> -74,6 +74,8 <at> <at> static const cmdline_option_t g_tboot_cm

     { "ap_wake_mwait", "false" },    /* true|false */

     { "pcr_map", "legacy" },         /* legacy|da */

     { "min_ram", "0" },              /* size in bytes | 0 for no min */

+    { "scrub_e820", "false" },       /* true|false */

+    { "no_usb", "false" },           /* true|false */

     { NULL, NULL }

};

static char g_tboot_param_values[ARRAY_SIZE(g_tboot_cmdline_options)][MAX_VALUE_LEN];

<at> <at> -423,6 +425,15 <at> <at> bool get_tboot_serial(void)

     return parse_serial_param(serial);

}

+bool get_tboot_no_usb(void)

+{

+    const char *no_usb = get_option_val(g_tboot_cmdline_options,

+                                        g_tboot_param_values, "no_usb");

+    if ( no_usb == NULL || (strcmp(no_usb, "true") != 0 ))

+        return false;

+    return true;

+}

+

void get_tboot_vga_delay(void)

{

     const char *vga_delay = get_option_val(g_tboot_cmdline_options,

<at> <at> -433,6 +444,15 <at> <at> void get_tboot_vga_delay(void)

     g_vga_delay = strtoul(vga_delay, NULL, 0);

}

+bool get_scrub_e820(void)

+{

+    const char *clean_map = get_option_val(g_tboot_cmdline_options,

+                                           g_tboot_param_values, "scrub_e820");

+    if ( clean_map == NULL || ( strcmp(clean_map, "true") != 0 ))

+        return false;

+    return true;

+}

+   

 bool get_tboot_prefer_da(void)

{

     const char *value = get_option_val(g_tboot_cmdline_options,

diff -up tboot-1.7.2/tboot/common/e820.c.orig tboot-1.7.2/tboot/common/e820.c

--- tboot-1.7.2/tboot/common/e820.c.orig  2012-10-09 14:27:01.578660000 -0700

+++ tboot-1.7.2/tboot/common/e820.c 2012-10-09 14:28:48.030072000 -0700

<at> <at> -36,10 +36,14 <at> <at>

#include <config.h>

#include <types.h>

#include <stdbool.h>

+#include <compiler.h>

+#include <string.h>

#include <printk.h>

+#include <processor.h>

#include <cmdline.h>

#include <multiboot.h>

#include <stdarg.h>

+#include <paging.h>

#include <misc.h>

#include <pci_cfgreg.h>

#include <e820.h>

<at> <at> -553,6 +557,118 <at> <at> bool e820_reserve_ram(uint64_t base, uin

     return true;

}

+/* Define the virtual address page used to scrub memory     */

+/* tboot data is in page 0 of virtual and physical memory   */

+/* tboot code is on page 4 of virtual an physical memory    */

+/* These are the only pages that can't be used.             */

+/* Define a page that provides a little distance from these */

+/* ALL usable memory is erased by calling memset with       */

+/* the same virtual address. The virtual address is mapped  */

+/* to the proper physical address prior calling memset      */

+/* Page 8 is used for this version                          */

+/* This page is virtual address space 0x01000000            */

+/* With this address, the address space being erased is     */

+/* always in the range 0x01000000 - 0x011FFFFF              */

+#define SCRUB_VIRUTAL_ADDRESS 0x01000000

+#define SCRUB_BLOCK_SIZE (1 << TB_L1_PAGETABLE_SHIFT)

+#define SCRUB_BLOCK_OFFSET (SCRUB_BLOCK_SIZE - 1)

+

+/*

+ * e820_scrub_usable

+ *

+ * Scrub all e820 memory marked as usable.

+ *

+ */

+void e820_scrub_usable(void)

+{

+    printk("scrubbing memory\n");

+

+    /* Enable paging */

+    enable_paging();

+

+    /* Iterate the e820 map */

+    for ( unsigned int i = 0; i < g_nr_map; i++ ) {

+        /* Get the block start and length */

+        memory_map_t *entry = &g_copy_e820_map[i];

+        uint64_t block_start = e820_base_64(entry);

+        uint64_t block_length = e820_length_64(entry);

+

+        /* Is block a usable block? */

+        if(entry->type == E820_RAM) {

+            /* Erase the block */

+            printk("%016Lx - %016Lx\n",

+               (unsigned long long)block_start,

+               (unsigned long long)(block_start + block_length));

+

+            /* Loop over block by physical 'page' */

+            while(block_length > 0) {

+                /*

+                 *

+                 * Map the physical address at block_start to

+                 * virtual address SCRUB_VIRUTAL_ADDRESS

+                 * Since the physical address is specified as a page

+                 * the block does not need to start on a page boundary.

+                 *

+                 */

+                map_pages_to_tboot(

+                    SCRUB_VIRUTAL_ADDRESS,

+                    block_start>>TB_L1_PAGETABLE_SHIFT,

+                    1);

+

+                /*

+                 *

+                 * If block_start is not on a page boundary,

+                 * erase the block from the offset to the end of page.

+                 *

+                 */

+                uint32_t scrub_block_offset = block_start & SCRUB_BLOCK_OFFSET;

+

+                /*

+                 *

+                 * The starting virtual address is the

+                 * SCRUB_VIRUTAL_ADDRESS plus any offset

+                 *

+                 */

+                uint32_t scrub_block_virtual_address =

+                    SCRUB_VIRUTAL_ADDRESS + scrub_block_offset;

+

+                /*

+                 *

+                 * Determine the block size.

+                 * The block size is from the start address to the

+                 * end of the page or block.

+                 *

+                 */

+                uint32_t scrub_block_length =

+                    SCRUB_BLOCK_SIZE - scrub_block_offset;

+                if(scrub_block_length > block_length)

+                    scrub_block_length = block_length;

+

+                /*

+                 *

+                 * The page is mapped.

+                 * The starting virual address and length have been computed.

+                 * Ready to erase.

+                 *

+                 */

+                memset(

+                    (void*)scrub_block_virtual_address,

+                    0,

+                    scrub_block_length);

+

+                /* Advance to the next page */

+                block_length -= scrub_block_length;

+                block_start  += scrub_block_length;

+

+            }

+        }

+    }

+

+    disable_paging();

+    wbinvd();

+    printk("complete\n");

+}

+

void print_e820_map(void)

{

     print_map(g_copy_e820_map, g_nr_map);

diff -up tboot-1.7.2/tboot/common/tboot.c.orig tboot-1.7.2/tboot/common/tboot.c

--- tboot-1.7.2/tboot/common/tboot.c.orig 2012-10-09 14:26:33.211480000 -0700

+++ tboot-1.7.2/tboot/common/tboot.c      2012-10-09 14:28:59.726554000 -0700

<at> <at> -207,6 +207,14 <at> <at> static void post_launch(void)

         if ( !e820_protect_region(base, size, E820_RESERVED) )

             apply_policy(TB_ERR_FATAL);

     }

+

+    /* protect the e820 map */

+    base = TBOOT_E820_COPY_ADDR;

+    size = TBOOT_E820_COPY_SIZE;

+    printk("reserving tboot e820 memory map (%Lx - %Lx) in e820 table\n", base,

+       (base + size - 1));

+    if ( !e820_protect_region(base, size, E820_RESERVED) )

+        apply_policy(TB_ERR_FATAL);

     /* replace map in mbi with copy */

     replace_e820_map(g_mbi);

<at> <at> -346,6 +354,10 <at> <at> void begin_launch(multiboot_info_t *mbi)

     /* make the CPU ready for measured launch */

     if ( !prepare_cpu() )

         apply_policy(TB_ERR_FATAL);

+

+    /* disable legacy USB #SMIs */

+    if (get_tboot_no_usb())

+        disable_smis();

     /* do s3 launch directly, if is a s3 resume */

     if ( s3_flag ) {

<at> <at> -525,8 +537,9 <at> <at> void shutdown(void)

             tpm_save_state(2);

         /* scrub any secrets by clearing their memory, then flush cache */

-        /* we don't have any secrets to scrub, however */

-        ;

+        /* scrub memory if requested on the command line */

+        if (get_scrub_e820())

+            e820_scrub_usable();

         /* in mwait "mode", APs will be in MONITOR/MWAIT and can be left there */

         if ( !use_mwait() ) {

[diff -up tboot-1.7.2/tboot/include/cmdline.h.orig tboot-1.7.2/tboot/include/cmdline.h

--- tboot-1.7.2/tboot/include/cmdline.h.orig    2012-10-09 14:25:28.155780000 -0700

+++ tboot-1.7.2/tboot/include/cmdline.h   2012-10-09 14:28:59.728551000 -0700

<at> <at> -47,6 +47,8 <at> <at> extern bool get_tboot_serial(void);

extern void get_tboot_baud(void);

extern void get_tboot_fmt(void);

extern void get_tboot_vga_delay(void);

+extern bool get_tboot_no_usb(void);

+extern bool get_scrub_e820(void);

extern bool get_tboot_mwait(void);

extern bool get_tboot_prefer_da(void);

extern void get_tboot_min_ram(void);

diff -up tboot-1.7.2/tboot/include/e820.h.orig tboot-1.7.2/tboot/include/e820.h

--- tboot-1.7.2/tboot/include/e820.h.orig 2012-10-09 14:26:00.123106000 -0700

+++ tboot-1.7.2/tboot/include/e820.h      2012-10-09 14:28:48.055068000 -0700

<at> <at> -70,6 +70,7 <at> <at> typedef struct __packed {

 extern bool copy_e820_map(const multiboot_info_t *mbi);

extern bool e820_protect_region(uint64_t addr, uint64_t size, uint32_t type);

+extern void e820_scrub_usable(void);

extern bool e820_reserve_ram(uint64_t base, uint64_t length);

extern void print_e820_map(void);

extern void replace_e820_map(multiboot_info_t *mbi);

 

 

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_sfd2d_oct
_______________________________________________
tboot-devel mailing list
tboot-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
Charles.Fisher | 22 Oct 19:06 2012

USB interrupts and scrubbing e820 memory

Patch {1/2]

Signed-off-by: Charles Fisher <Charles.Fisher <at> gdc4s.com

 

There are a couple of problems that occur with tboot. The first is on some Dell

laptops, it is necessary to disable the legacy usb interrupts. This patch

provides a mechanism to enable a developer to do so.

 

The second problem is that in certain circumstances, data owners consider the

contents of memory to be sensitive. In these cases, they require that the e820

map be scrubbed. The other portion of this patch provides a capability to do

that scrub.

 

Both options are invoked via the command line, and both default to the current

behavior - i.e. don't disable the usb interrupts, and don't scrub the memory.

 

diff -up tboot-1.7.2/tboot/common/acpi.c.orig tboot-1.7.2/tboot/common/acpi.c

--- tboot-1.7.2/tboot/common/acpi.c.orig  2012-10-09 14:26:14.279694000 -0700

+++ tboot-1.7.2/tboot/common/acpi.c 2012-10-09 14:28:59.721553000 -0700

<at> <at> -436,6 +436,15 <at> <at> void set_s3_resume_vector(const tboot_ac

 

     acpi_printk("wakeup_vector_address = %llx\n", acpi_sinfo->wakeup_vector);

     acpi_printk("wakeup_vector_value = %llxx\n", resume_vector);

+}

+

+void disable_smis(void)

+{

+        printk("disabling legacy USB SMIs\n");

+        uint32_t pmbase = pcireg_cfgread(0, 31, 0, 0x40, 4) & ~1;

+        uint32_t smi_en = inl(pmbase + 0x30);

+        smi_en &= ~0x20008;

+        outl(pmbase + 0x30, smi_en);

}

 

 /*

diff -up tboot-1.7.2/tboot/common/cmdline.c.orig tboot-1.7.2/tboot/common/cmdline.c

--- tboot-1.7.2/tboot/common/cmdline.c.orig     2012-10-09 14:26:23.724083000 -0700

+++ tboot-1.7.2/tboot/common/cmdline.c    2012-10-09 14:28:59.723556000 -0700

<at> <at> -74,6 +74,8 <at> <at> static const cmdline_option_t g_tboot_cm

     { "ap_wake_mwait", "false" },    /* true|false */

     { "pcr_map", "legacy" },         /* legacy|da */

     { "min_ram", "0" },              /* size in bytes | 0 for no min */

+    { "scrub_e820", "false" },       /* true|false */

+    { "no_usb", "false" },           /* true|false */

     { NULL, NULL }

};

static char g_tboot_param_values[ARRAY_SIZE(g_tboot_cmdline_options)][MAX_VALUE_LEN];

<at> <at> -423,6 +425,15 <at> <at> bool get_tboot_serial(void)

     return parse_serial_param(serial);

}

 

+bool get_tboot_no_usb(void)

+{

+    const char *no_usb = get_option_val(g_tboot_cmdline_options,

+                                        g_tboot_param_values, "no_usb");

+    if ( no_usb == NULL || (strcmp(no_usb, "true") != 0 ))

+        return false;

+    return true;

+}

+

void get_tboot_vga_delay(void)

{

     const char *vga_delay = get_option_val(g_tboot_cmdline_options,

<at> <at> -433,6 +444,15 <at> <at> void get_tboot_vga_delay(void)

     g_vga_delay = strtoul(vga_delay, NULL, 0);

}

 

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_sfd2d_oct
_______________________________________________
tboot-devel mailing list
tboot-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
Charles.Fisher | 22 Oct 19:02 2012

USB interrupts and scrubbing e820 memory

Patch {1/2]

Signed-off-by: Charles Fisher <Charles.Fisher <at> gdc4s.com

 

There are a couple of problems that occur with tboot. The first is on some Dell

laptops, it is necessary to disable the legacy usb interrupts. This patch

provides a mechanism to enable a developer to do so.

 

The second problem is that in certain circumstances, data owners consider the

contents of memory to be sensitive. In these cases, they require that the e820

map be scrubbed. The other portion of this patch provides a capability to do

that scrub.

 

Both options are invoked via the command line, and both default to the current

behavior - i.e. don't disable the usb interrupts, and don't scrub the memory.

 

diff -up tboot-1.7.2/tboot/common/acpi.c.orig tboot-1.7.2/tboot/common/acpi.c

--- tboot-1.7.2/tboot/common/acpi.c.orig  2012-10-09 14:26:14.279694000 -0700

+++ tboot-1.7.2/tboot/common/acpi.c 2012-10-09 14:28:59.721553000 -0700

<at> <at> -436,6 +436,15 <at> <at> void set_s3_resume_vector(const tboot_ac

 

     acpi_printk("wakeup_vector_address = %llx\n", acpi_sinfo->wakeup_vector);

     acpi_printk("wakeup_vector_value = %llxx\n", resume_vector);

+}

+

+void disable_smis(void)

+{

+        printk("disabling legacy USB SMIs\n");

+        uint32_t pmbase = pcireg_cfgread(0, 31, 0, 0x40, 4) & ~1;

+        uint32_t smi_en = inl(pmbase + 0x30);

+        smi_en &= ~0x20008;

+        outl(pmbase + 0x30, smi_en);

}

 

 /*

diff -up tboot-1.7.2/tboot/common/cmdline.c.orig tboot-1.7.2/tboot/common/cmdline.c

--- tboot-1.7.2/tboot/common/cmdline.c.orig     2012-10-09 14:26:23.724083000 -0700

+++ tboot-1.7.2/tboot/common/cmdline.c    2012-10-09 14:28:59.723556000 -0700

<at> <at> -74,6 +74,8 <at> <at> static const cmdline_option_t g_tboot_cm

     { "ap_wake_mwait", "false" },    /* true|false */

     { "pcr_map", "legacy" },         /* legacy|da */

     { "min_ram", "0" },              /* size in bytes | 0 for no min */

+    { "scrub_e820", "false" },       /* true|false */

+    { "no_usb", "false" },           /* true|false */

     { NULL, NULL }

};

static char g_tboot_param_values[ARRAY_SIZE(g_tboot_cmdline_options)][MAX_VALUE_LEN];

<at> <at> -423,6 +425,15 <at> <at> bool get_tboot_serial(void)

     return parse_serial_param(serial);

}

 

+bool get_tboot_no_usb(void)

+{

+    const char *no_usb = get_option_val(g_tboot_cmdline_options,

+                                        g_tboot_param_values, "no_usb");

+    if ( no_usb == NULL || (strcmp(no_usb, "true") != 0 ))

+        return false;

+    return true;

+}

+

void get_tboot_vga_delay(void)

{

     const char *vga_delay = get_option_val(g_tboot_cmdline_options,

<at> <at> -433,6 +444,15 <at> <at> void get_tboot_vga_delay(void)

     g_vga_delay = strtoul(vga_delay, NULL, 0);

}

 

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_sfd2d_oct
_______________________________________________
tboot-devel mailing list
tboot-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
Charles.Fisher | 22 Oct 19:09 2012

FW: USB interrupts and scrubbing e820 memory

Here is the real patch 2/2.

 

Patch [2/2]

 

Signed-off-by: Charles Fisher <Charles.Fisher <at> gdc4s.com

 

There are a couple of problems that occur with tboot. The first is on some Dell

laptops, it is necessary to disable the legacy usb interrupts. This patch

provides a mechanism to enable a developer to do so.

 

The second problem is that in certain circumstances, data owners consider the

contents of memory to be sensitive. In these cases, they require that the e820

map be scrubbed. The other portion of this patch provides a capability to do

that scrub.

 

Both options are invoked via the command line, and both default to the current

behavior - i.e. don't disable the usb interrupts, and don't scrub the memory.

 

+bool get_scrub_e820(void)

+{

+    const char *clean_map = get_option_val(g_tboot_cmdline_options,

+                                           g_tboot_param_values, "scrub_e820");

+    if ( clean_map == NULL || ( strcmp(clean_map, "true") != 0 ))

+        return false;

+    return true;

+}

+   

 bool get_tboot_prefer_da(void)

{

     const char *value = get_option_val(g_tboot_cmdline_options,

diff -up tboot-1.7.2/tboot/common/e820.c.orig tboot-1.7.2/tboot/common/e820.c

--- tboot-1.7.2/tboot/common/e820.c.orig  2012-10-09 14:27:01.578660000 -0700

+++ tboot-1.7.2/tboot/common/e820.c 2012-10-09 14:28:48.030072000 -0700

<at> <at> -36,10 +36,14 <at> <at>

#include <config.h>

#include <types.h>

#include <stdbool.h>

+#include <compiler.h>

+#include <string.h>

#include <printk.h>

+#include <processor.h>

#include <cmdline.h>

#include <multiboot.h>

#include <stdarg.h>

+#include <paging.h>

#include <misc.h>

#include <pci_cfgreg.h>

#include <e820.h>

<at> <at> -553,6 +557,118 <at> <at> bool e820_reserve_ram(uint64_t base, uin

     return true;

}

 

+/* Define the virtual address page used to scrub memory     */

+/* tboot data is in page 0 of virtual and physical memory   */

+/* tboot code is on page 4 of virtual an physical memory    */

+/* These are the only pages that can't be used.             */

+/* Define a page that provides a little distance from these */

+/* ALL usable memory is erased by calling memset with       */

+/* the same virtual address. The virtual address is mapped  */

+/* to the proper physical address prior calling memset      */

+/* Page 8 is used for this version                          */

+/* This page is virtual address space 0x01000000            */

+/* With this address, the address space being erased is     */

+/* always in the range 0x01000000 - 0x011FFFFF              */

+#define SCRUB_VIRUTAL_ADDRESS 0x01000000

+#define SCRUB_BLOCK_SIZE (1 << TB_L1_PAGETABLE_SHIFT)

+#define SCRUB_BLOCK_OFFSET (SCRUB_BLOCK_SIZE - 1)

+

+/*

+ * e820_scrub_usable

+ *

+ * Scrub all e820 memory marked as usable.

+ *

+ */

+void e820_scrub_usable(void)

+{

+    printk("scrubbing memory\n");

+

+    /* Enable paging */

+    enable_paging();

+

+    /* Iterate the e820 map */

+    for ( unsigned int i = 0; i < g_nr_map; i++ ) {

+        /* Get the block start and length */

+        memory_map_t *entry = &g_copy_e820_map[i];

+        uint64_t block_start = e820_base_64(entry);

+        uint64_t block_length = e820_length_64(entry);

+

+        /* Is block a usable block? */

+        if(entry->type == E820_RAM) {

+            /* Erase the block */

+            printk("%016Lx - %016Lx\n",

+               (unsigned long long)block_start,

+               (unsigned long long)(block_start + block_length));

+

+            /* Loop over block by physical 'page' */

+            while(block_length > 0) {

+                /*

+                 *

+                 * Map the physical address at block_start to

+                 * virtual address SCRUB_VIRUTAL_ADDRESS

+                 * Since the physical address is specified as a page

+                 * the block does not need to start on a page boundary.

+                 *

+                 */

+                map_pages_to_tboot(

+                    SCRUB_VIRUTAL_ADDRESS,

+                    block_start>>TB_L1_PAGETABLE_SHIFT,

+                    1);

+

+                /*

+                 *

+                 * If block_start is not on a page boundary,

+                 * erase the block from the offset to the end of page.

+                 *

+                 */

+                uint32_t scrub_block_offset = block_start & SCRUB_BLOCK_OFFSET;

+

+                /*

+                 *

+                 * The starting virtual address is the

+                 * SCRUB_VIRUTAL_ADDRESS plus any offset

+                 *

+                 */

+                uint32_t scrub_block_virtual_address =

+                    SCRUB_VIRUTAL_ADDRESS + scrub_block_offset;

+

+                /*

+                 *

+                 * Determine the block size.

+                 * The block size is from the start address to the

+                 * end of the page or block.

+                 *

+                 */

+                uint32_t scrub_block_length =

+                    SCRUB_BLOCK_SIZE - scrub_block_offset;

+                if(scrub_block_length > block_length)

+                    scrub_block_length = block_length;

+

+                /*

+                 *

+                 * The page is mapped.

+                 * The starting virual address and length have been computed.

+                 * Ready to erase.

+                 *

+                 */

+                memset(

+                    (void*)scrub_block_virtual_address,

+                    0,

+                    scrub_block_length);

+

+                /* Advance to the next page */

+                block_length -= scrub_block_length;

+                block_start  += scrub_block_length;

+

+            }

+        }

+    }

+

+    disable_paging();

+    wbinvd();

+    printk("complete\n");

+}

+

void print_e820_map(void)

{

     print_map(g_copy_e820_map, g_nr_map);

diff -up tboot-1.7.2/tboot/common/tboot.c.orig tboot-1.7.2/tboot/common/tboot.c

--- tboot-1.7.2/tboot/common/tboot.c.orig 2012-10-09 14:26:33.211480000 -0700

+++ tboot-1.7.2/tboot/common/tboot.c      2012-10-09 14:28:59.726554000 -0700

<at> <at> -207,6 +207,14 <at> <at> static void post_launch(void)

         if ( !e820_protect_region(base, size, E820_RESERVED) )

             apply_policy(TB_ERR_FATAL);

     }

+

+    /* protect the e820 map */

+    base = TBOOT_E820_COPY_ADDR;

+    size = TBOOT_E820_COPY_SIZE;

+    printk("reserving tboot e820 memory map (%Lx - %Lx) in e820 table\n", base,

+       (base + size - 1));

+    if ( !e820_protect_region(base, size, E820_RESERVED) )

+        apply_policy(TB_ERR_FATAL);

 

     /* replace map in mbi with copy */

     replace_e820_map(g_mbi);

<at> <at> -346,6 +354,10 <at> <at> void begin_launch(multiboot_info_t *mbi)

     /* make the CPU ready for measured launch */

     if ( !prepare_cpu() )

         apply_policy(TB_ERR_FATAL);

+

+    /* disable legacy USB #SMIs */

+    if (get_tboot_no_usb())

+        disable_smis();

 

     /* do s3 launch directly, if is a s3 resume */

     if ( s3_flag ) {

<at> <at> -525,8 +537,9 <at> <at> void shutdown(void)

             tpm_save_state(2);

 

         /* scrub any secrets by clearing their memory, then flush cache */

-        /* we don't have any secrets to scrub, however */

-        ;

+        /* scrub memory if requested on the command line */

+        if (get_scrub_e820())

+            e820_scrub_usable();

 

         /* in mwait "mode", APs will be in MONITOR/MWAIT and can be left there */

         if ( !use_mwait() ) {

[diff -up tboot-1.7.2/tboot/include/cmdline.h.orig tboot-1.7.2/tboot/include/cmdline.h

--- tboot-1.7.2/tboot/include/cmdline.h.orig    2012-10-09 14:25:28.155780000 -0700

+++ tboot-1.7.2/tboot/include/cmdline.h   2012-10-09 14:28:59.728551000 -0700

<at> <at> -47,6 +47,8 <at> <at> extern bool get_tboot_serial(void);

extern void get_tboot_baud(void);

extern void get_tboot_fmt(void);

extern void get_tboot_vga_delay(void);

+extern bool get_tboot_no_usb(void);

+extern bool get_scrub_e820(void);

extern bool get_tboot_mwait(void);

extern bool get_tboot_prefer_da(void);

extern void get_tboot_min_ram(void);

diff -up tboot-1.7.2/tboot/include/e820.h.orig tboot-1.7.2/tboot/include/e820.h

--- tboot-1.7.2/tboot/include/e820.h.orig 2012-10-09 14:26:00.123106000 -0700

+++ tboot-1.7.2/tboot/include/e820.h      2012-10-09 14:28:48.055068000 -0700

<at> <at> -70,6 +70,7 <at> <at> typedef struct __packed {

 

extern bool copy_e820_map(const multiboot_info_t *mbi);

extern bool e820_protect_region(uint64_t addr, uint64_t size, uint32_t type);

+extern void e820_scrub_usable(void);

extern bool e820_reserve_ram(uint64_t base, uint64_t length);

extern void print_e820_map(void);

extern void replace_e820_map(multiboot_info_t *mbi);

 

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_sfd2d_oct
_______________________________________________
tboot-devel mailing list
tboot-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
Charles.Fisher | 22 Oct 19:22 2012

USB interrupts and scrubbing e820 memory

Patch [1/2]

Signed-off-by: Charles Fisher <Charles.Fisher <at> gdc4s.com

 

There are a couple of problems that occur with tboot. The first is on some Dell

laptops, it is necessary to disable the legacy usb interrupts. This patch

provides a mechanism to enable a developer to do so.

 

The second problem is that in certain circumstances, data owners consider the

contents of memory to be sensitive. In these cases, they require that the e820

map be scrubbed. The other portion of this patch provides a capability to do

that scrub.

 

Both options are invoked via the command line, and both default to the current

behavior - i.e. don't disable the usb interrupts, and don't scrub the memory.

 

diff -up tboot-1.7.2/tboot/common/acpi.c.orig tboot-1.7.2/tboot/common/acpi.c

--- tboot-1.7.2/tboot/common/acpi.c.orig  2012-10-09 14:26:14.279694000 -0700

+++ tboot-1.7.2/tboot/common/acpi.c 2012-10-09 14:28:59.721553000 -0700

<at> <at> -436,6 +436,15 <at> <at> void set_s3_resume_vector(const tboot_ac

 

     acpi_printk("wakeup_vector_address = %llx\n", acpi_sinfo->wakeup_vector);

     acpi_printk("wakeup_vector_value = %llxx\n", resume_vector);

+}

+

+void disable_smis(void)

+{

+        printk("disabling legacy USB SMIs\n");

+        uint32_t pmbase = pcireg_cfgread(0, 31, 0, 0x40, 4) & ~1;

+        uint32_t smi_en = inl(pmbase + 0x30);

+        smi_en &= ~0x20008;

+        outl(pmbase + 0x30, smi_en);

}

 

 /*

diff -up tboot-1.7.2/tboot/common/cmdline.c.orig tboot-1.7.2/tboot/common/cmdline.c

--- tboot-1.7.2/tboot/common/cmdline.c.orig     2012-10-09 14:26:23.724083000 -0700

+++ tboot-1.7.2/tboot/common/cmdline.c    2012-10-09 14:28:59.723556000 -0700

<at> <at> -74,6 +74,8 <at> <at> static const cmdline_option_t g_tboot_cm

     { "ap_wake_mwait", "false" },    /* true|false */

     { "pcr_map", "legacy" },         /* legacy|da */

     { "min_ram", "0" },              /* size in bytes | 0 for no min */

+    { "scrub_e820", "false" },       /* true|false */

+    { "no_usb", "false" },           /* true|false */

     { NULL, NULL }

};

static char g_tboot_param_values[ARRAY_SIZE(g_tboot_cmdline_options)][MAX_VALUE_LEN];

<at> <at> -423,6 +425,15 <at> <at> bool get_tboot_serial(void)

     return parse_serial_param(serial);

}

 

+bool get_tboot_no_usb(void)

+{

+    const char *no_usb = get_option_val(g_tboot_cmdline_options,

+                                        g_tboot_param_values, "no_usb");

+    if ( no_usb == NULL || (strcmp(no_usb, "true") != 0 ))

+        return false;

+    return true;

+}

+

void get_tboot_vga_delay(void)

{

     const char *vga_delay = get_option_val(g_tboot_cmdline_options,

<at> <at> -433,6 +444,15 <at> <at> void get_tboot_vga_delay(void)

     g_vga_delay = strtoul(vga_delay, NULL, 0);

}

 

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_sfd2d_oct
_______________________________________________
tboot-devel mailing list
tboot-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel

Gmane