From: Timo L. <tim...@ik...> - 2022-03-17 22:14:03
# HG changeset patch
# User Timo Lindfors <tim...@ik...>
# Date 1647554330 -7200
# Thu Mar 17 23:58:50 2022 +0200
# Node ID 538c14b1428d0625ebb3f9c3cae21656fd4c3b06
# Parent e45ccbe6bf59ba534ad628f7be45e7c34629e19b
Allow selecting only SINIT modules that match platform
This introduces GRUB_TBOOT_SINIT_SELECT_MATCHING that defaults to
false.
Signed-off-by: Timo Lindfors <tim...@ik...>
diff -r e45ccbe6bf59 -r 538c14b1428d tboot/20_linux_tboot
--- a/tboot/20_linux_tboot Thu Mar 17 23:58:45 2022 +0200
+++ b/tboot/20_linux_tboot Thu Mar 17 23:58:50 2022 +0200
@@ -40,6 +40,7 @@
[ -z "${GRUB_CMDLINE_LINUX_TBOOT}" ] && unset GRUB_CMDLINE_LINUX_TBOOT
[ -z "${GRUB_TBOOT_POLICY_DATA}" ] && unset GRUB_TBOOT_POLICY_DATA
[ -z "${GRUB_TBOOT_SINIT_LIST}" ] && unset GRUB_TBOOT_SINIT_LIST
+[ -z "${GRUB_TBOOT_SINIT_SELECT_MATCHING}" ] && unset GRUB_TBOOT_SINIT_SELECT_MATCHING
# Command line for tboot itself
: ${GRUB_CMDLINE_TBOOT='logging=serial,memory,vga'}
# Linux kernel parameters to append for tboot
@@ -48,6 +49,8 @@
: ${GRUB_TBOOT_POLICY_DATA=''}
# List of SINIT modules to use, glob patterns are supported
: ${GRUB_TBOOT_SINIT_LIST='/boot/*sinit* /boot/*SINIT*'}
+# Use only SINIT modules that match the current platform
+: ${GRUB_TBOOT_SINIT_SELECT_MATCHING='false'}
export TEXTDOMAIN=grub
export TEXTDOMAINDIR=${prefix}/share/locale
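Review bot: The comment on the new default does not say which value enables the filter or what the filter needs at run time. Judging by the later hunk in this file, only the exact string `true` turns it on, and enabling it makes the script run `txt-acminfo` on every candidate and call `modprobe msr` when `/dev/cpu/0/msr` is absent, so config generation gains a kernel-module side effect. I would extend the comment to something like `# Use only SINIT modules that match the current platform ('true' to enable; requires txt-acminfo and the msr kernel module)`. The identical comment in tboot/20_linux_xen_tboot would get the same wording.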
@@ -164,8 +167,16 @@
tboot_list=`for i in /boot/tboot*.gz; do
if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi
done`
+if [ "x${GRUB_TBOOT_SINIT_SELECT_MATCHING}" = "xtrue" ] && [ ! -e /dev/cpu/0/msr ]; then
+ modprobe msr
+fi
sinit_list=`for i in ${GRUB_TBOOT_SINIT_LIST}; do
basename=$(basename $i)
+ if [ "x${GRUB_TBOOT_SINIT_SELECT_MATCHING}" = "xtrue" ] \
+ && ! txt-acminfo "$i" | grep -qx "ACM matches platform"; then
+ # Skip SINIT that does not match
+ continue
+ fi
if grub_file_is_not_garbage "$i" ; then echo -n "$basename " ; fi
done`
if [ -n "${GRUB_TBOOT_POLICY_DATA}" ]; then
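Review bot: In the new `sinit_list` loop, any failure of `txt-acminfo` is treated the same as "does not match", because the only accepted outcome is the exact line `ACM matches platform` on its output. If the tool is not installed, cannot read the MSRs (the result of `modprobe msr` is not checked in what is visible here), or is handed an unexpanded glob literal, every module is skipped and `sinit_list` ends up empty with no diagnostic; the generated entries then presumably carry no SINIT module, and the operator who asked for matching-only selection is not told. I would check the prerequisites once before the loop and warn when the filter leaves the list empty; whether to abort instead of warn is the maintainer's call. Running `grub_file_is_not_garbage "$i"` before `txt-acminfo` would also keep unmatched patterns away from the tool. The same applies to the identical hunk in tboot/20_linux_xen_tboot, and the surrounding code continues outside the hunk.

```shell
if [ "x${GRUB_TBOOT_SINIT_SELECT_MATCHING}" = "xtrue" ]; then
    if ! command -v txt-acminfo >/dev/null 2>&1; then
        echo "GRUB_TBOOT_SINIT_SELECT_MATCHING=true but txt-acminfo was not found" >&2
    fi
    if [ ! -e /dev/cpu/0/msr ] && ! modprobe msr; then
        echo "GRUB_TBOOT_SINIT_SELECT_MATCHING=true but the msr module could not be loaded" >&2
    fi
fi
# … unchanged: sinit_list loop …
if [ "x${GRUB_TBOOT_SINIT_SELECT_MATCHING}" = "xtrue" ] && [ -z "${sinit_list}" ]; then
    echo "No SINIT module in GRUB_TBOOT_SINIT_LIST matches this platform" >&2
fi
```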
diff -r e45ccbe6bf59 -r 538c14b1428d tboot/20_linux_xen_tboot
--- a/tboot/20_linux_xen_tboot Thu Mar 17 23:58:45 2022 +0200
+++ b/tboot/20_linux_xen_tboot Thu Mar 17 23:58:50 2022 +0200
@@ -41,6 +41,7 @@
[ -z "${GRUB_CMDLINE_LINUX_XEN_TBOOT}" ] && unset GRUB_CMDLINE_LINUX_XEN_TBOOT
[ -z "${GRUB_TBOOT_POLICY_DATA}" ] && unset GRUB_TBOOT_POLICY_DATA
[ -z "${GRUB_TBOOT_SINIT_LIST}" ] && unset GRUB_TBOOT_SINIT_LIST
+[ -z "${GRUB_TBOOT_SINIT_SELECT_MATCHING}" ] && unset GRUB_TBOOT_SINIT_SELECT_MATCHING
# Command line for tboot itself
: ${GRUB_CMDLINE_TBOOT='logging=serial,memory,vga'}
# Xen parameters to append for tboot
@@ -51,6 +52,8 @@
: ${GRUB_TBOOT_POLICY_DATA=''}
# List of SINIT modules to use, glob patterns are supported
: ${GRUB_TBOOT_SINIT_LIST='/boot/*sinit* /boot/*SINIT*'}
+# Use only SINIT modules that match the current platform
+: ${GRUB_TBOOT_SINIT_SELECT_MATCHING='false'}
export TEXTDOMAIN=grub
export TEXTDOMAINDIR=${prefix}/share/locale
@@ -194,8 +197,16 @@
tboot_list=`for i in /boot/tboot*.gz; do
if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi
done`
+if [ "x${GRUB_TBOOT_SINIT_SELECT_MATCHING}" = "xtrue" ] && [ ! -e /dev/cpu/0/msr ]; then
+ modprobe msr
+fi
sinit_list=`for i in ${GRUB_TBOOT_SINIT_LIST}; do
basename=$(basename $i)
+ if [ "x${GRUB_TBOOT_SINIT_SELECT_MATCHING}" = "xtrue" ] \
+ && ! txt-acminfo "$i" | grep -qx "ACM matches platform"; then
+ # Skip SINIT that does not match
+ continue
+ fi
if grub_file_is_not_garbage "$i" ; then echo -n "$basename " ; fi
done`
if [ -n "${GRUB_TBOOT_POLICY_DATA}" ]; then