Cihula, Joseph
2006-Sep-22 19:00 UTC
[Xen-devel] [RFC][PATCH][UPDATED] Intel(R) LaGrande Technology support
This patch adds SMP support to the previous version. Since that has not been merged I have included it in this patch. This should apply cleanly to the tip. Below is the text of the original submittal, slightly updated.

Attached is a preliminary patch that adds Intel(R) LaGrande Technology (LT) (Safer Mode Extensions - SMX) support to Xen. While there are still several enhancements needed for complete support, we feel that it is sufficiently complete for an initial public posting to expose to the community.

LaGrande Technology in Brief:
-----------------------------
o Provides dynamic root of trust for measurement (DRTM)
o DMA protection
o Data protection in case of improper shutdown

For more information on LT, see the Intel LaGrande Technology website: http://www.intel.com/technology/security/. This site also has a link to the LT preliminary specification (an updated version that reflects the functionality of this code will be available later this week).

The LT functionality this code adds is:
---------------------------------------
o Measured Launch. If the processor is detected as being LT-capable and enabled then the code will attempt to perform a measured launch. If the processor is (not capable) or (capable but not enabled) or (capable and enabled but the launch process fails (missing SINIT, corrupted data, etc.)) then it will fall through to a non-LT boot.
o Teardown of measured environment. When Xen exits, the LT environment will be torn down properly.
o Reset data protection. LT HW prevents access to secrets if the system is reset without clearing them from memory (as part of an LT teardown). This code will support this by setting the flag indicating that memory should be so protected during the measured launch and clearing the flag just before teardown.
o Protection of LT memory ranges. LT reserves certain regions of RAM for its use and also defines several MMIO regions. These regions are protected from use by any domains (including dom0). Note that there are sub-regions of the MMIO space that are left accessible to dom0 (LT public configuration space, TPM localities 0,1).

Patch breakdown:
----------------
Config.mk - add INTEL_SMX build config
xen/Rules.mk - adds '-DCONFIG_SMX' compile flag if INTEL_SMX=y
xen/arch/x86/Makefile - add arch/x86/smx dir to build
xen/arch/x86/boot/x86_32.S - hook startup to launch LT environment
xen/arch/x86/setup.c - initialize fixmap entries for LT config reg space
xen/arch/x86/domain_build.c - protect LT private config space
xen/arch/x86/e820.c - support for E820_PROTECTED mem type
xen/arch/x86/hvm/vmx/vmx.c - support new LT/VMX IA32_FEATURE_CONTROL_MSR flag
xen/arch/x86/mm.c - support for E820_PROTECTED mem type
xen/arch/x86/setup.c - hook to reserve LT RAM regions and initialize fixmap entries for LT config reg space
xen/arch/x86/shutdown.c - hook shutdown to teardown LT environment
xen/common/domctl.c - prevent XEN_DOMCTL_iomem_permission from being able to map LT private config space
xen/include/asm-x86/cpufeature.h - adds new SMX feature flag
xen/include/asm-x86/e820.h - export print_e820_memory_map()
xen/include/asm-x86/fixmap.h - adds fixmap entries for LT config reg space
xen/include/asm-x86/msr.h - adds new VMX and SMX MSR flags
xen/include/asm-x86/processor.h - adds new CR4 SMX flag
xen/include/public/hvm/e820.h - add E820_PROTECTED mem type
xen/arch/x86/smx/Makefile - self explanatory
xen/arch/x86/smx/acmod.c - LT Authenticated Code (AC) module support fns
xen/arch/x86/smx/early_printk.c - serial printk() for early in boot process
xen/arch/x86/smx/errors.c - error parsing/display fns
xen/arch/x86/smx/mtrrs.c - MTRR handling for AC module launch
xen/arch/x86/smx/smx.c - main LT/SMX fns and entry points
xen/arch/x86/smx/tpm.c - basic TPM support fns
xen/include/asm-x86/smx/* - headers for SMX/LT fns

This code has been developed and tested on Intel Software Development Platform (SDP) 3 systems (available under NDA via the Intel Premier Support channel). It will be updated to work with the LT Technology Enabling Platform (TEP) that will be publicly available this fall.

Instructions for use:
---------------------
o By default, the functionality is disabled in the build. It can be enabled by changing the INTEL_SMX flag to 'y' in Config.mk.
o The SINIT AC module (available with SDP3 systems) must be added to the grub.conf boot config as the last module, e.g.:
    ...
    module /initrd-2.6.16.13-xen.img
    module /lpg_sinit_20050831_pae.auth.bin
o Progress of the LT launch process is indicated via debug printk's to COM1 (hardcoded). These appear before the normal "(XEN)" output and are prefixed by "SMX:". The code (in early_printk.c) does not initialize the COM port, so this needs to be done by GRUB - grub.conf should have:
    serial --speed=115200 --unit=0
    terminal console serial

Caveats / Notes:
----------------
o x86_64 is not supported yet (IA64 does not support LT at this time).
o The code only measures the hypervisor (and its command line), which is not the complete TCB.
o It doesn't cap (extend with invalid value) the dynamic TPM PCRs when the LT environment is torn down. Instead it disables the BIOS reboot option so that any shutdown/reboot will have to reset the platform and the TPM.
o TPM locality 2 is not protected. The defined behavior for access to unpermitted localities is for reads to return 0xff's and writes to be dropped. This will require mapping pages from locality 3 or 4 into the locality 2 range.
o No DMA protection has been implemented in this patch. SDP3 only supports the NoDMA table for DMA protection and this will be superseded by VT-d. VT-d support for LT will be added after it is added for the general case.

These limitations will be addressed in subsequent patches.

There was a presentation on the code at the Xen Summit. More information on LT is available at http://www.intel.com/technology/security/.

Comments and feedback are welcome at any time.
Joseph Cihula
(Linux) Software Security Architect
Open Source Technology Center
Intel Corp.

*** These opinions are not necessarily those of my employer ***

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
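The post's "capable / capable but not enabled / launch fails, then fall through to a non-LT boot" decision, written out as an added example that is not part of the patch or of Xen. It takes the CPUID.01H:ECX value and the IA32_FEATURE_CONTROL MSR (0x3A) value as captured integers so the logic runs without ring-0 access; the bit positions are the architectural ones from the Intel SDM, and the requirement that every SENTER local-function enable be set is this example's conservative assumption, not something the post states.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural bits (Intel SDM); see lead-in for what is assumed. */
#define CPUID1_ECX_SMX        (1u << 6)      /* CPUID.01H:ECX[6] = SMX   */
#define FC_LOCK               (1ull << 0)    /* IA32_FEATURE_CONTROL[0]  */
#define FC_VMX_IN_SMX         (1ull << 1)    /* VMX inside SMX operation */
#define FC_SENTER_LOCAL_MASK  (0x7full << 8) /* SENTER local enables 14:8 */
#define FC_SENTER_GLOBAL      (1ull << 15)   /* SENTER global enable     */

enum lt_boot {
    LT_NOT_CAPABLE,    /* CPU lacks SMX: plain boot */
    LT_NOT_ENABLED,    /* SMX present but firmware did not enable it */
    LT_LAUNCH_FAILED,  /* enabled, but launch cannot proceed */
    LT_MEASURED        /* proceed with measured launch */
};

/* Firmware must set the SENTER enables and then lock the MSR; an
 * unlocked MSR means the BIOS never finished its setup. The VMX-in-SMX
 * bit is required because the measured environment runs VMX. */
static bool smx_enabled(uint64_t fc)
{
    return (fc & FC_LOCK) && (fc & FC_SENTER_GLOBAL) &&
           (fc & FC_SENTER_LOCAL_MASK) == FC_SENTER_LOCAL_MASK &&
           (fc & FC_VMX_IN_SMX);
}

/* sinit_present stands in for the launch-time failures the post lists
 * (missing SINIT module, corrupted data); every failure path falls
 * through to a normal boot rather than halting. */
enum lt_boot lt_boot_decision(uint32_t cpuid1_ecx, uint64_t feature_control,
                              bool sinit_present)
{
    if (!(cpuid1_ecx & CPUID1_ECX_SMX))
        return LT_NOT_CAPABLE;
    if (!smx_enabled(feature_control))
        return LT_NOT_ENABLED;
    if (!sinit_present)
        return LT_LAUNCH_FAILED;
    return LT_MEASURED;
}

int main(void)
{
    /* Constructed sample: SMX-capable CPU, MSR locked with all SENTER
     * enables and VMX-in-SMX set (0xff07), SINIT module loaded. */
    enum lt_boot d = lt_boot_decision(CPUID1_ECX_SMX, 0xff07ull, true);
    printf("SMX: decision=%d (3 = measured launch)\n", d);
    return 0;
}
```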
Leendert Van Doorn
2006-Sep-23 17:01 UTC
Re: [Xense-devel] [RFC][PATCH][UPDATED] Intel(R) LaGrande Technology support
I'm not sure how many people experimented with this code yet, but there is a dependency that isn't articulated in its README. For me to make this work, I had to compile Xen with PAE support (set XEN_TARGET_X86_PAE=y in Config.mk) and use the PAE version of the SINIT authenticated code module (lpg_sinit_20050831_pae.auth.bin). Using a non-PAE version of Xen and lpg_sinit_20050831.auth.bin caused SENTER to fail and reset the machine. Some of the comments in the code seem to suggest that it expects the mvmm to be in PAE mode, so it is probably an assumption in the code.

Leendert

-----------------------
Dr. Leendert van Doorn
Senior Manager - Secure Systems and Tools
IBM T.J. Watson Research Center

"Cihula, Joseph" <joseph.cihula@intel.com> (sent by xense-devel-bounces@lists.xensource.com) wrote on 09/22/2006 03:00 PM to <xen-devel@lists.xensource.com>, <xense-devel@lists.xensource.com>, subject "[Xense-devel] [RFC][PATCH][UPDATED] Intel(R) LaGrande Technology support":

This patch adds SMP support to the previous version. Since that has not been merged I have included it in this patch. This should apply cleanly to the tip. Below is the text of the original submittal, slightly updated. Attached is a preliminary patch that adds Intel(R) LaGrande Technology (LT) (Safer Mode Extensions - SMX) support to Xen. While there are still several enhancements needed for complete support, we feel that it is sufficiently complete for an initial public posting to expose to the community.
*** These opinions are not necessarily those of my employer ***

[attachment "intel_lagrande_tech_smp.patch" deleted by Leendert Van Doorn/Watson/IBM]

_______________________________________________
Xense-devel mailing list
Xense-devel@lists.xensource.com
http://lists.xensource.com/xense-devel