[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v3 03/22] x86/boot: add MLE header and Secure Launch entry point

  • To: Sergii Dmytruk <sergii.dmytruk@xxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Tue, 8 Jul 2025 09:02:55 +0200
  • Autocrypt: addr=jbeulich@xxxxxxxx; keydata= xsDiBFk3nEQRBADAEaSw6zC/EJkiwGPXbWtPxl2xCdSoeepS07jW8UgcHNurfHvUzogEq5xk hu507c3BarVjyWCJOylMNR98Yd8VqD9UfmX0Hb8/BrA+Hl6/DB/eqGptrf4BSRwcZQM32aZK 7Pj2XbGWIUrZrd70x1eAP9QE3P79Y2oLrsCgbZJfEwCgvz9JjGmQqQkRiTVzlZVCJYcyGGsD /0tbFCzD2h20ahe8rC1gbb3K3qk+LpBtvjBu1RY9drYk0NymiGbJWZgab6t1jM7sk2vuf0Py O9Hf9XBmK0uE9IgMaiCpc32XV9oASz6UJebwkX+zF2jG5I1BfnO9g7KlotcA/v5ClMjgo6Gl MDY4HxoSRu3i1cqqSDtVlt+AOVBJBACrZcnHAUSuCXBPy0jOlBhxPqRWv6ND4c9PH1xjQ3NP nxJuMBS8rnNg22uyfAgmBKNLpLgAGVRMZGaGoJObGf72s6TeIqKJo/LtggAS9qAUiuKVnygo 3wjfkS9A3DRO+SpU7JqWdsveeIQyeyEJ/8PTowmSQLakF+3fote9ybzd880fSmFuIEJldWxp Y2ggPGpiZXVsaWNoQHN1c2UuY29tPsJgBBMRAgAgBQJZN5xEAhsDBgsJCAcDAgQVAggDBBYC AwECHgECF4AACgkQoDSui/t3IH4J+wCfQ5jHdEjCRHj23O/5ttg9r9OIruwAn3103WUITZee e7Sbg12UgcQ5lv7SzsFNBFk3nEQQCACCuTjCjFOUdi5Nm244F+78kLghRcin/awv+IrTcIWF hUpSs1Y91iQQ7KItirz5uwCPlwejSJDQJLIS+QtJHaXDXeV6NI0Uef1hP20+y8qydDiVkv6l IreXjTb7DvksRgJNvCkWtYnlS3mYvQ9NzS9PhyALWbXnH6sIJd2O9lKS1Mrfq+y0IXCP10eS FFGg+Av3IQeFatkJAyju0PPthyTqxSI4lZYuJVPknzgaeuJv/2NccrPvmeDg6Coe7ZIeQ8Yj t0ARxu2xytAkkLCel1Lz1WLmwLstV30g80nkgZf/wr+/BXJW/oIvRlonUkxv+IbBM3dX2OV8 AmRv1ySWPTP7AAMFB/9PQK/VtlNUJvg8GXj9ootzrteGfVZVVT4XBJkfwBcpC/XcPzldjv+3 HYudvpdNK3lLujXeA5fLOH+Z/G9WBc5pFVSMocI71I8bT8lIAzreg0WvkWg5V2WZsUMlnDL9 mpwIGFhlbM3gfDMs7MPMu8YQRFVdUvtSpaAs8OFfGQ0ia3LGZcjA6Ik2+xcqscEJzNH+qh8V m5jjp28yZgaqTaRbg3M/+MTbMpicpZuqF4rnB0AQD12/3BNWDR6bmh+EkYSMcEIpQmBM51qM EKYTQGybRCjpnKHGOxG0rfFY1085mBDZCH5Kx0cl0HVJuQKC+dV2ZY5AqjcKwAxpE75MLFkr wkkEGBECAAkFAlk3nEQCGwwACgkQoDSui/t3IH7nnwCfcJWUDUFKdCsBH/E5d+0ZnMQi+G0A nAuWpQkjM1ASeQwSHEeAWPgskBQL
  • Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, trenchboot-devel@xxxxxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • Delivery-date: Tue, 08 Jul 2025 07:03:16 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 07.07.2025 23:54, Sergii Dmytruk wrote:
> On Thu, Jul 03, 2025 at 12:25:27PM +0200, Jan Beulich wrote:
>> On 30.05.2025 15:17, Sergii Dmytruk wrote:
>>> From: Kacper Stojek <kacper.stojek@xxxxxxxxx>
>>>
>>> Signed-off-by: Kacper Stojek <kacper.stojek@xxxxxxxxx>
>>> Signed-off-by: Krystian Hebel <krystian.hebel@xxxxxxxxx>
>>> Signed-off-by: Sergii Dmytruk <sergii.dmytruk@xxxxxxxxx>
>>
>> Such a change can hardly come without any description. As just one aspect,
>> neither here nor ...
>>
>>> --- a/docs/hypervisor-guide/x86/how-xen-boots.rst
>>> +++ b/docs/hypervisor-guide/x86/how-xen-boots.rst
>>> @@ -55,6 +55,11 @@ If ``CONFIG_PVH_GUEST`` was selected at build time, an 
>>> Elf note is included
>>>  which indicates the ability to use the PVH boot protocol, and registers
>>>  ``__pvh_start`` as the entrypoint, entered in 32bit mode.
>>>
>>> +A combination of Multiboot 2 and MLE headers is used to implement DRTM for
>>> +legacy (BIOS) boot. The separate entry point is used mainly to 
>>> differentiate
>>
>> ... here the MLE acronym is being deciphered. Same for DRTM here. There's
>> also no reference anywhere as to some kind of spec (except in the cover
>> letter, but that won't land in the tree).
> 
> Will add more details.
> 
>>> +from other kinds of boots. It moves a magic number to EAX before jumping 
>>> into
>>> +common startup code.
>>> +
>>>
>>>  xen.gz
>>>  ~~~~~~
>>
>> Any reason the single blank line is converted to a double one? Generally, in
>> particular for patch context to be more meaningful, we'd prefer to not have
>> double blank lines. In documentation they _sometimes_ may be warranted.
> 
> Take a closer look, the patch just preserves double blank lines which
> are used consistently to separate sections within this file.

Oh, indeed. I'm sorry.

>>> +        .long   0x00020002  /* MLE version 2.2 */
>>> +        .long   (slaunch_stub_entry - start)  /* Linear entry point of MLE 
>>> (SINIT virt. address) */
>>> +        .long   0x00000000  /* First valid page of MLE */
>>> +        .long   0x00000000  /* Offset within binary of first byte of MLE */
>>> +        .long   (_end - start)  /* Offset within binary of last byte + 1 
>>> of MLE */
>>
>> Is the data here describing xen.gz or (rather) xen.efi? In the latter case,
>> does data past _end (in particular the .reloc section) not matter here?
> 
> Eventually, both.  EFI case deals with loaded image which, I believe,
> should have all relocations applied at the time of measurement.

But you're aware of the need to apply relocations a 2nd time? See
efi_arch_relocate_image(), which reads .reloc contents. Hence I assume
that section needs to be included in any measurements.

>>> @@ -332,6 +352,38 @@ cs32_switch:
>>>          /* Jump to earlier loaded address. */
>>>          jmp     *%edi
>>>
>>> +        /*
>>> +         * Entry point for TrenchBoot Secure Launch on Intel TXT platforms.
>>> +         *
>>> +         * CPU is in 32b protected mode with paging disabled. On entry:
>>> +         * - %ebx = %eip = MLE entry point,
>>> +         * - stack pointer is undefined,
>>> +         * - CS is flat 4GB code segment,
>>> +         * - DS, ES, SS, FS and GS are undefined according to TXT SDG, but 
>>> this
>>> +         *   would make it impossible to initialize GDTR, because GDT base 
>>> must
>>> +         *   be relocated in the descriptor, which requires write access 
>>> that
>>> +         *   CS doesn't provide. Instead we have to assume that DS is set 
>>> by
>>> +         *   SINIT ACM as flat 4GB data segment.
>>
>> Do you really _have to_? At least as plausibly SS might be properly set up,
>> while DS might not be.
> 
> "have to" is referring to the fact that making this assumption is forced
> on the implementation.

But that's not really true. The Xen bits could be changed if needed, e.g. ...

>  LGDT instruction uses DS in the code below, hence it's DS.

... these could be made use SS or even CS.

>>> +         * Additional restrictions:
>>> +         * - some MSRs are partially cleared, among them IA32_MISC_ENABLE, 
>>> so
>>> +         *   some capabilities might be reported as disabled even if they 
>>> are
>>> +         *   supported by CPU
>>> +         * - interrupts (including NMIs and SMIs) are disabled and must be
>>> +         *   enabled later
>>> +         * - trying to enter real mode results in reset
>>> +         * - APs must be brought up by MONITOR or GETSEC[WAKEUP], 
>>> depending on
>>> +         *   which is supported by a given SINIT ACM
>>
>> I'm curious: How would MONITOR allow to bring up an AP? That's not even a
>> memory access.
> 
> See patch #15.  BSP sets up TXT.MLE.JOIN and writes to an address
> monitored by APs, this causes APs to become part of dynamic launch by
> continuing execution at TXT-specific entry point.  It's more of a
> redirection rather than waking up, just another case of bad terminology.

Okay, (just ftaod) then my more general request: Please try to be as accurate
as possible in comments (and similarly patch descriptions). "must be brought
up by" is wording that I interpret to describe the action the "active" party
(i.e. the BSP) needs to take. Whereas MONITOR, as you now clarify, is the
action the AP needs to take (and then apparently is further required to
check for false wakeups).

Jan

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.