Inteltxt support

[TomaszAIR]

Set of patches which adds Intel TXT support in Xen for TrenchBoot.

This is necessary to create Proof of Concept for TrenchBoot Anti Evil
Maid for QubesOS.

Due to the requirements of Intel TXT and how it is utilised, it is
impossible to use the Xen boot protocols defined in the UEFI or
Multiboot2 specifications. Those patches creates a custom Intel TXT
entry point for Xen which would hand-off to the standard Multiboot2
entry point and enable direct launch of Xen by GRUB via DRTM on Intel
hardware. Additionally there was no support for launching Xen with Intel
TXT other than Trusted Boot. Certain parts had to be ported from
Trusted Boot specific code to Xen native code:

• constructing MLE header
• waking up APs
• restoring MTRRs
• reserving the TXT memory
• reenabling SMIs
• handling TXT shutdown and S3 resume/suspend
• TPM event log finding

See: https://lists.xenproject.org/archives/html/xen-devel/2022-10/msg01663.html
for details

Signed-off-by: Tomasz Żyjewski [email protected]

[marmarek]

It doesn't build on fc37-based dom0:
https://gitlab.com/QubesOS/qubes-vmm-xen/-/jobs/3733914032#L282

04:49:26,195 [executor:docker:91e433f5ab] output: DEBUG: ld -melf_i386  -N -T arch/x86/boot/build32.lds -o arch/x86/boot/tpm_early.lnk arch/x86/boot/tpm_early.o
04:49:26,195 [executor:docker:91e433f5ab] output: DEBUG: ld: arch/x86/boot/tpm_early.o: in function `tpm_hash_extend':
04:49:26,196 [executor:docker:91e433f5ab] output: DEBUG: tpm.c:(.text+0x43f): undefined reference to `memcpy'
04:49:26,196 [executor:docker:91e433f5ab] output: DEBUG: make[4]: *** [arch/x86/boot/Makefile:37: arch/x86/boot/tpm_early.lnk] Error 1

[TomaszAIR]

@marmarek Thank you for pointing that out. Will check this. To reproduce this error I need to change DIST_DOM0 to fc37 locally in builder.conf used when I built this package?

Also, should I set you as reviewer of this PR? Got also similar for grub2 QubesOS/qubes-grub2#13

[marmarek]

@marmarek Thank you for pointing that out. Will check this. To reproduce this error I need to change DIST_DOM0 to fc37 locally in builder.conf used when I built this package?

Yes, that should be enough.

Also, should I set you as reviewer of this PR? Got also similar for grub2 QubesOS/qubes-grub2#13

You can if you want, but no need to do that.

[TomaszAIR]

@marmarek sorry it took so long, rebased on latest main and with this change a56c58b the build should not fail anymore on fc37

[marmarek]

Changing initramfs results in changes to both PCR-17 and PCR-18, is that desired? Is it because initramfs size is implicitly measured into PCR-18, while initramfs content is measured into PCR-17?

[marmarek]

It indeed seems to be about the size - if just initramfs content is different but still the same size, then PCR-18 remains unchanged.

This isn't very problematic this way. More problematic would be intended change to PCR-18 also affecting PCR-17. I guess it's about measuring multiboot structure which includes initramfs size, right? Selective measurement is probably not worth the risk, but maybe I'm missing something?

[TomaszAIR]

@krystian-hebel I would say that you are the expert in this regard. Could you answer these questions?

[krystian-hebel]

I guess it's about measuring multiboot structure which includes initramfs size, right?

Exactly. PCR18 contains (among others) measurement of Multiboot2's MBI, which contains size of all modules, including initramfs. Same thing would happen if kernel's size changes, or even if some additional commands are run in GRUB before booting that require allocating memory and kernel/initramfs lands in different place as a consequence. If external, untrusted devices can be memory mapped, this may be relevant. Another important thing that lives in MBI is kernel's command line, I think I don't have to explain what security implications of changing it without measurement would be.

On Intel platforms, PCR18 also contains some other data, as described in TXT specification, I don't remember what exactly. AMD platforms would have full control over PCR18 content, so with current approach it would contain only MBI. To make it a bit more isolated we could move MBI measurement to another PCR (19+), but for reasons mentioned in the previous paragraph it still should be included in any attestation decision.

Selective measurement is probably not worth the risk, but maybe I'm missing something?

This would require parsing (using) structure that is not yet measured (trusted), which may open a way for TOCTOU attacks. This parser would also have to closely follow logic that is used by OS's parser, especially around corner cases like e.g. what happens if there are 2 or more command line tags.

[TomaszAIR]

@marmarek WDYT about above? Should we work more about these patches?

[TomaszAIR]

@marmarek How can we help to get this changes merged?

[Pokisiekk]

I'm trying to install the packages and confirm their correctness according to blog post, but I've encountered a problem:

The sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing command ends with an error (I also tried with --skip-broken):

When trying to install any package in dom0, I get the same error as reported here: QubesOS/qubes-issues#6885, so I can't install missing dependencies.

I'm working on an image from https://openqa.qubes-os.org/tests/55506#downloads, where I once completely reproduced the results from a blog post with earlier versions of packages.

I would like to ask for help, what should I do in this situation?

[Pokisiekk]

The reason for the issues from the #160 (comment) was that I received the wrong packages.

I went back to reproduce the results from the blog post and after completing step 6 form Installing Xen and GRUB packages section, I wanted to boot into the system, but it was no longer possible.

I have only one entry in Grub: Qubes, with Xen 4.17.0 and Linux 5.15.81-1.fc32, after selecting which the action is not always the same:

1. Turning on the platform and leaving it alone and waiting 5s seconds in Grub Menu freezes the platform, nothing else happens.
2. Turning on the platform, clicking ESC to enter boot menu, selecting the QubesOS disk and then clicking Enter in the Grub Menu before the timer expires will also freeze the platform.
3. Turning on the platform and clicking Enter in the Grub Menu before the timeout causes the restart of the platform.

[meithecatte]

1304-arch-x86-intel_txt.c-fixes-after-testing.patch

This is definitely not ready for review, please clean up.

[TomaszAIR]

Changed to draft because we want to use CI to check if changes compiled correctly

[TomaszAIR]

Looks like CI ended with success. @meithecatte I kindly re-request for review.

@krystian-hebel cc

[BeataZdunczyk]

@marmarek, @meithecatte We'd really appreciate your review and feedback on these two PRs:

1. Inteltxt support #160
2. Inteltxt support qubes-grub2#13

As these PRs are closing phase one, your input is crucial in determining their merge status. If any blockers exist, please let us know so we can address them together.

[pietrushnic]

@marmarta @meithecatte when you will have time to take a look at those patches?

[HW42]

This is a first batch of comments. Focused on things that make sense on it's own. I'm still reading up on Intel TXT, so review of more involved things are still in progress.

[HW42]

I think naming of things in a global namespace (constants in headers, global variables, etc.) deserve some thought. This is not blocking for usage in Qubes but a good preparation for getting it upstream.

I have seen:

https://lore.kernel.org/all/[email protected]/:

A quick note on terminology. The larger open source project itself is called
TrenchBoot, which is hosted on Github (links below). The kernel feature enabling
the use of Dynamic Launch technology is referred to as "Secure Launch" within
the kernel code. As such the prefixes sl_/SL_ or slaunch/SLAUNCH will be seen
in the code. The stub code discussed above is referred to as the SL stub.

(A similar note should go in the Xen patches somewhere)

I'm not sure why you avoid the Trenchboot name here. I think sl/slaunch is a bit non-ideal choice given that in the same context it could also mean "Secure Loader" (AMD specific) or "static launch" (as in SRTM instead of DRTM), but I guess that ship has sailed.

Consistently using slaunch as prefix at least makes further conflicts less likely since it's not so short like sl.

trenchboot_sl would be pretty clear but maybe too long.

Via @marmarek other ideas from some Xen developers:

• sl seems a bit too short to me; but we have loads of 3-letter abbreviations (e.g., p2m, ept, etc). Could you add another letter to your acronym? Like "tsl" for "Trenchboot Secure Launch"?
• seclaunch_ maybe, if variable names don't get too long

Again, this isn't blocking, but might be worth to think about.

Edit: missed firth paragraph when copy+pasting.

[BeataZdunczyk]

@meithecatte, @HW42 could you please review the changes by @SergiiDmytruk?
@marmarek cc

[HW42]

@SergiiDmytruk, @krystian-hebel: First of all sorry for the long delay on this task. I'm aware that in the meantime you added some fixes and new functionality on your https://github.com/TrenchBoot/xen repo. I already looked at some of them. I see that in the aem-4.17.4 branch you even already rebased them to Xen 4.17.4. Can you please update this PR. GitHub's review features is, in my experience, not good at matching comments between revisions of a PR, so it would be good to have this before adding more comments.

[SergiiDmytruk]

@HW42, I guess the next step here depends on how this will get merged:

1. If there is a chance of getting this set of commits in after minor corrections, we could do the review changes and continue here taking rebase into account, then send the rest of the patches (AMD part so far) on top of it and don't get back to this set of patches (even though some new commits move code from them around).
2. If the next round of review requires looking at the whole set of changes basically from scratch, then it might be better to rework commit history, close this PR and open a new one in its place.

[HW42]

@SergiiDmytruk: I think that having a separate set of patches here, and let that diverge from what you plan to upstream is very undesirable. Especially for such a big set of patches. So please update the PR with the latest version you have. If you look at the history here we already had such force pushes. Yes, this makes review harder, but in my opinion clearly outweighs a diverging set of patches.

If you feel like GitHub PR comments here got too messy, you can create a new PR, as you suggested. Works for me either way.

[SergiiDmytruk]

Squashed 6 commits from aem-4.17.4 branch into some of the previous ones to get aem-phase4-rebase, addressed the latest review comments and rebased the branch here.

[HW42]

Commenting in small batches after having lost a unfinished review. Sorry in advance for the multiple notifications.

[HW42]

All users of this constant seems to do * PAGE_SIZE, so maybe change this to be the size in bytes?

[SergiiDmytruk]

• https://github.com/TrenchBoot/xen/compare/dd475a4a76..aem-phase4-rebase#diff-dd4611d055ace3b3c87ffe90aaf480b0d4a0e4098adb6de5026e3144a4821b09L9
• https://github.com/TrenchBoot/xen/compare/dd475a4a76..aem-phase4-rebase#diff-31035528a674298c3fdbc80ca9452ac5a422984a24386556a0729ee18ab93aebL18
• https://github.com/TrenchBoot/xen/compare/dd475a4a76..aem-phase4-rebase#diff-31035528a674298c3fdbc80ca9452ac5a422984a24386556a0729ee18ab93aebL56
• https://github.com/TrenchBoot/xen/compare/dd475a4a76..aem-phase4-rebase#diff-31035528a674298c3fdbc80ca9452ac5a422984a24386556a0729ee18ab93aebL56

[HW42]

Nitpick: Size of ...

[SergiiDmytruk]

https://github.com/TrenchBoot/xen/compare/dd475a4a76..aem-phase4-rebase#diff-dd4611d055ace3b3c87ffe90aaf480b0d4a0e4098adb6de5026e3144a4821b09R237-R253

[HW42]

For high PMR you defined SLAUNCH_ERROR_HI_PMR_SIZE, was this meant to be SLAUNCH_ERROR_LO_PMR_SIZE? (Probably doesn't matter much if you distinguish those cases, but noticed that you already defined an error code for the other region's size)

[SergiiDmytruk]

• https://github.com/TrenchBoot/xen/compare/dd475a4a76..aem-phase4-rebase#diff-dd4611d055ace3b3c87ffe90aaf480b0d4a0e4098adb6de5026e3144a4821b09R63-R74
• https://github.com/TrenchBoot/xen/compare/dd475a4a76..aem-phase4-rebase#diff-584be1f5aaa2f0679e692f6344b2e03670316e2ebdb7f4ba1dc4fbfb513d196cR67

[HW42]

If I'm reading this right, those checks are of by sizeof(uint64_t). I would suggest to let txt_*_data_size return the size of the memory area without the size header (this obviously needs adaption of the math in txt_*_data_start.

[SergiiDmytruk]

Good catch. https://github.com/TrenchBoot/xen/compare/dd475a4a76..aem-phase4-rebase#diff-dd4611d055ace3b3c87ffe90aaf480b0d4a0e4098adb6de5026e3144a4821b09R257-R304

[HW42]

Side note: With having prefix the other stuff with slaunch, slr_ is now a bit inconsistent. But probably better to keep it this way, since then the identifiers match your "Secure Launch Specification".

[HW42]

Missing NULL check of return value.

[SergiiDmytruk]

https://github.com/TrenchBoot/xen/compare/dd475a4a76..aem-phase4-rebase#diff-1d266d1dff9daf02e019100b9c620a099561c98811a05a0b7581363b3c00ac39R65-R66

[HW42]

There's reserve_e820_ram as a short cut for E820_RAM, E820_RESERVED

[SergiiDmytruk]

• https://github.com/TrenchBoot/xen/compare/dd475a4a76..aem-phase4-rebase#diff-31035528a674298c3fdbc80ca9452ac5a422984a24386556a0729ee18ab93aebR38
• https://github.com/TrenchBoot/xen/compare/dd475a4a76..aem-phase4-rebase#diff-31035528a674298c3fdbc80ca9452ac5a422984a24386556a0729ee18ab93aebR51
• https://github.com/TrenchBoot/xen/compare/dd475a4a76..aem-phase4-rebase#diff-1d266d1dff9daf02e019100b9c620a099561c98811a05a0b7581363b3c00ac39R92

[HW42]

Missing return check of here and below. To be fair existing Xen code seems to be inconsistent about it, too.

[SergiiDmytruk]

• https://github.com/TrenchBoot/xen/compare/dd475a4a76..aem-phase4-rebase#diff-31035528a674298c3fdbc80ca9452ac5a422984a24386556a0729ee18ab93aebR31-R61
• https://github.com/TrenchBoot/xen/compare/dd475a4a76..aem-phase4-rebase#diff-1d266d1dff9daf02e019100b9c620a099561c98811a05a0b7581363b3c00ac39R92

[HW42]

Off by sizeof(uint64_t), see comment above.

[SergiiDmytruk]

The same https://github.com/TrenchBoot/xen/compare/dd475a4a76..aem-phase4-rebase#diff-dd4611d055ace3b3c87ffe90aaf480b0d4a0e4098adb6de5026e3144a4821b09R257-R304

[HW42]

After having a look at it, this should to be pretty easy to get lib/crypto/sha{1,256}.c from Linux into Xen. The used macros already exist in Xen, or did I miss something.

Even for less critical cases like here (hashing public data), I think we should use a well reviewed and maintained implementation.