[v14,02/19] x86: Secure Launch Kconfig

Message ID	20250421162712.77452-3-ross.philipson@oracle.com
State	New
Headers	show Received: from mx0b-00069f02.pphosted.com (mx0b-00069f02.pphosted.com [205.220.177.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CCCDD1E501C; Mon, 21 Apr 2025 16:34:40 +0000 (UTC) From: Ross Philipson <ross.philipson@oracle.com> To: linux-kernel@vger.kernel.org, x86@kernel.org, linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org, linux-crypto@vger.kernel.org, kexec@lists.infradead.org, linux-efi@vger.kernel.org, iommu@lists.linux.dev Cc: ross.philipson@oracle.com, dpsmith@apertussolutions.com, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, hpa@zytor.com, dave.hansen@linux.intel.com, ardb@kernel.org, mjg59@srcf.ucam.org, James.Bottomley@hansenpartnership.com, peterhuewe@gmx.de, jarkko@kernel.org, jgg@ziepe.ca, luto@amacapital.net, nivedita@alum.mit.edu, herbert@gondor.apana.org.au, davem@davemloft.net, corbet@lwn.net, ebiederm@xmission.com, dwmw2@infradead.org, baolu.lu@linux.intel.com, kanth.ghatraju@oracle.com, andrew.cooper3@citrix.com, trenchboot-devel@googlegroups.com Subject: [PATCH v14 02/19] x86: Secure Launch Kconfig Date: Mon, 21 Apr 2025 09:26:55 -0700 Message-Id: <20250421162712.77452-3-ross.philipson@oracle.com> In-Reply-To: <20250421162712.77452-1-ross.philipson@oracle.com> References: <20250421162712.77452-1-ross.philipson@oracle.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	x86: Trenchboot secure dynamic launch Linux kernel support \| expand [v14,00/19] x86: Trenchboot secure dynamic launch Linux kernel support [v14,01/19] Documentation/x86: Secure Launch kernel documentation [v14,02/19] x86: Secure Launch Kconfig [v14,03/19] x86: Secure Launch Resource Table header file [v14,04/19] x86: Secure Launch main header file [v14,05/19] x86: Add early SHA-1 support for Secure Launch early measurements [v14,06/19] x86: Add early SHA-256 support for Secure Launch early measurements [v14,07/19] x86/msr: Add variable MTRR base/mask and x2apic ID registers [v14,08/19] x86/boot: Place TXT MLE header in the kernel_info section [v14,09/19] x86: Secure Launch kernel early boot stub [v14,10/19] x86: Secure Launch kernel late boot stub [v14,11/19] x86: Secure Launch SMP bringup support [v14,12/19] kexec: Secure Launch kexec SEXIT support [v14,13/19] x86/reboot: Secure Launch SEXIT support on reboot paths [v14,14/19] tpm, tpm_tis: Close all localities [v14,15/19] tpm, tpm_tis: Address positive localities in tpm_tis_request_locality() [v14,16/19] tpm, tpm_tis: Allow locality to be set to a different value [v14,17/19] tpm, sysfs: Show locality used by kernel [v14,18/19] x86: Secure Launch late initcall platform module [v14,19/19] x86/efi: EFI stub DRTM launch support for Secure Launch

Message ID

20250421162712.77452-3-ross.philipson@oracle.com

State

New

Headers

From: Ross Philipson <ross.philipson@oracle.com>
To: linux-kernel@vger.kernel.org, x86@kernel.org,
        linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org,
        linux-crypto@vger.kernel.org, kexec@lists.infradead.org,
        linux-efi@vger.kernel.org, iommu@lists.linux.dev
Cc: ross.philipson@oracle.com, dpsmith@apertussolutions.com,
        tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, hpa@zytor.com,
        dave.hansen@linux.intel.com, ardb@kernel.org, mjg59@srcf.ucam.org,
        James.Bottomley@hansenpartnership.com, peterhuewe@gmx.de,
        jarkko@kernel.org, jgg@ziepe.ca, luto@amacapital.net,
        nivedita@alum.mit.edu, herbert@gondor.apana.org.au,
        davem@davemloft.net, corbet@lwn.net, ebiederm@xmission.com,
        dwmw2@infradead.org, baolu.lu@linux.intel.com,
        kanth.ghatraju@oracle.com, andrew.cooper3@citrix.com,
        trenchboot-devel@googlegroups.com
Subject: [PATCH v14 02/19] x86: Secure Launch Kconfig
Date: Mon, 21 Apr 2025 09:26:55 -0700
Message-Id: <20250421162712.77452-3-ross.philipson@oracle.com>
In-Reply-To: <20250421162712.77452-1-ross.philipson@oracle.com>
References: <20250421162712.77452-1-ross.philipson@oracle.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

x86: Trenchboot secure dynamic launch Linux kernel support | expand

Commit Message

Ross Philipson April 21, 2025, 4:26 p.m. UTC

Initial bits to bring in Secure Launch functionality. Add Kconfig
options for compiling in/out the Secure Launch code.

Signed-off-by: Ross Philipson <ross.philipson@oracle.com>
---
 arch/x86/Kconfig | 11 +++++++++++
 1 file changed, 11 insertions(+)

Comments

Ross Philipson April 22, 2025, 7:32 p.m. UTC | #1

On 4/21/25 10:41 AM, Randy Dunlap wrote:
> Hi,
> 
> On 4/21/25 9:26 AM, Ross Philipson wrote:
>> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
>> index 4b9f378e05f6..badde1e9742e 100644
>> --- a/arch/x86/Kconfig
>> +++ b/arch/x86/Kconfig
>> @@ -2001,6 +2001,17 @@ config EFI_RUNTIME_MAP
>>   
>>   	  See also Documentation/ABI/testing/sysfs-firmware-efi-runtime-map.
>>   
>> +config SECURE_LAUNCH
>> +	bool "Secure Launch support"
>> +	depends on X86_64 && X86_X2APIC && TCG_TIS && TCG_CRB && CRYPTO_LIB_SHA1 && CRYPTO_LIB_SHA256
> 
> It's normal to select needed library symbols instead of depending on them.
> Nothing else in the kernel tree uses depends on for these 2 Kconfig symbols.
> (CRYPTO_LIB_SHAxxx)

Yes good point, we will address this.

Ross

> 
>> +	help
>> +	   The Secure Launch feature allows a kernel to be loaded
>> +	   directly through an Intel TXT measured launch. Intel TXT
>> +	   establishes a Dynamic Root of Trust for Measurement (DRTM)
>> +	   where the CPU measures the kernel image. This feature then
>> +	   continues the measurement chain over kernel configuration
>> +	   information and init images.
>

Mowka, Mateusz June 18, 2025, 8:32 a.m. UTC | #2

On 21-Apr-25 6:26 PM, Ross Philipson wrote:
> Initial bits to bring in Secure Launch functionality. Add Kconfig
> options for compiling in/out the Secure Launch code.
>
> Signed-off-by: Ross Philipson <ross.philipson@oracle.com>

Acked-by: Mateusz Mowka <mateusz.mowka@linux.intel.com>

> ---
>   arch/x86/Kconfig | 11 +++++++++++
>   1 file changed, 11 insertions(+)
>
> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> index 4b9f378e05f6..badde1e9742e 100644
> --- a/arch/x86/Kconfig
> +++ b/arch/x86/Kconfig
> @@ -2001,6 +2001,17 @@ config EFI_RUNTIME_MAP
>   
>   	  See also Documentation/ABI/testing/sysfs-firmware-efi-runtime-map.
>   
> +config SECURE_LAUNCH
> +	bool "Secure Launch support"
> +	depends on X86_64 && X86_X2APIC && TCG_TIS && TCG_CRB && CRYPTO_LIB_SHA1 && CRYPTO_LIB_SHA256
> +	help
> +	   The Secure Launch feature allows a kernel to be loaded
> +	   directly through an Intel TXT measured launch. Intel TXT
> +	   establishes a Dynamic Root of Trust for Measurement (DRTM)
> +	   where the CPU measures the kernel image. This feature then
> +	   continues the measurement chain over kernel configuration
> +	   information and init images.
> +
>   source "kernel/Kconfig.hz"
>   
>   config ARCH_SUPPORTS_KEXEC

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 4b9f378e05f6..badde1e9742e 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2001,6 +2001,17 @@  config EFI_RUNTIME_MAP
 
 	  See also Documentation/ABI/testing/sysfs-firmware-efi-runtime-map.
 
+config SECURE_LAUNCH
+	bool "Secure Launch support"
+	depends on X86_64 && X86_X2APIC && TCG_TIS && TCG_CRB && CRYPTO_LIB_SHA1 && CRYPTO_LIB_SHA256
+	help
+	   The Secure Launch feature allows a kernel to be loaded
+	   directly through an Intel TXT measured launch. Intel TXT
+	   establishes a Dynamic Root of Trust for Measurement (DRTM)
+	   where the CPU measures the kernel image. This feature then
+	   continues the measurement chain over kernel configuration
+	   information and init images.
+
 source "kernel/Kconfig.hz"
 
 config ARCH_SUPPORTS_KEXEC

[v14,02/19] x86: Secure Launch Kconfig

Commit Message

Comments

Patch