grub-0.97-fc5-tcg-0.2.0-beta1.patch

可信GRUB的源码

--- /usr/src/redhat/BUILD/grub-0.97-5//ChangeLog	2005-05-08 11:47:02.000000000 +0900
+++ grub-0.97-tcg/ChangeLog	2006-06-24 10:13:51.000000000 +0900
@@ -1,3 +1,70 @@
+2005-06-24  Seiji Munetoh  <munetoh@jp.ibm.com>
+    TBD
+
+2005-05-26  Seiji Munetoh  <munetoh@jp.ibm.com>
+       
+	Added support for TCG Trusted Boot capability.
+	Co-authors:Taiga Nakamura, Yuhji Yamashita and Yoshiaki Funaki.
+		
+	* stage1/stage1.h [TCG_TRUSTED_BOOT]: Added definitions for TCG 
+	measurement.
+	(TCG_GRUB_PCR_INDEX): The TPM PCR index for measuring grub 
+	modules (stage1.5 and 2).
+	(TCG_GRUB_CONF_PCR_INDEX): The TPM PCR index for measuring grub 
+	configuration file.
+	(TCG_FILE_PCR_INDEX): The TPM PCR index for measuring the OS 
+	files.
+	(TCG_GRUB_PCR_EVENTTYPE): The TPM PCR EventType for measuring 
+	grub modules.
+	
+	* stage1/stage1.S [TCG_TRUSTED_BOOT]: Measure stage1.5 after 
+	loading it. CHS support was disabled to make the space.  
+	(tcg_hashall): BIOS call "INT 1Ah, (AH)=BBh,(AL)=05h" TCG_HashAll
+	(tcg_logevent): BIOS call "INT 1Ah, (AH)=BBh,(AL)=04h" TCG_LogEvent
+	
+	* stage2/shared.h [TCG_TRUSTED_BOOT]: Added definitions for 
+	externs and wrapping functions.
+	
+	* stage2/start.S [TCG_TRUSTED_BOOT]: Measure sector 2+ of 
+	stage1.5.
+	
+	* stage2/asm.S [TCG_TRUSTED_BOOT]: Added following functions, 
+	for TCG operations.
+	(tcg_status_check): Check TCG status.
+	(tcg_extend): Send TPM_Extend.
+	(tcg_log_extend): Log PCR event and extend.
+	(tcg_pcr_read): Send TPM_PcrRead.
+	(tcg_hash_all): Hash the data
+	
+	* stage2/stage1_5.c [TCG_TRUSTED_BOOT]: Measure stage2 after 
+	loading it.
+	(cmain): Added measurement of stage 2.
+	
+	* stage2/stage2.c [TCG_TRUSTED_BOOT]: Measure configuration file.
+	(cmain): Added measurement of config file.
+	
+	* stage2/boot.c [TCG_TRUSTED_BOOT]: Added built in commands for TCG 
+	operations.
+	(load_module): Added measurement
+	(load_initrd): Added measurement
+	
+	* stage2/builtins.c [TCG_TRUSTED_BOOT]: Added built in commands for 
+	TCG operations.
+	(chainloader): Added measurement, new option [--pcr=PCRINDEX]
+	(initrd): Added measurement, new option [--pcr=PCRINDEX]
+	(initrd_func): Added measurement, new option [--pcr=PCRINDEX]
+	(kernel): Added measurement, new option [--pcr=PCRINDEX]
+	(module): Added measurement, new option [--pcr=PCRINDEX]
+	(modulenounzip): Added measurement, new option [--pcr=PCRINDEX]
+	(measure_file): Measure given file 
+	(measure_func): New command, Perform TCG measurement operation.
+	(tcglog_func): New command, Display TCG event log.
+	(pcrread_func): New command, Display current value of PCR.
+	
+	* configure.ac: Added --disable-tcg option, in case user 
+	does not want the new TCG interface.
+
+
 2005-05-08  Yoshinori K. Okuji  <okuji@enbug.org>
 
 	* configure.ac (AC_INIT): Upgraded to 0.97.
@@ -2260,7 +2327,7 @@
 
 	VSTa filesystem support is added.
 	
-	From Kristoffer Br錸emyr <ztion@swipnet.se>:
+	From Kristoffer Br锟絥emyr <ztion@swipnet.se>:
 	* stage2/configure.in (--disable-vstafs): New option.
 	* stage2/Makefile.am (noinst_HEADERS): Added vstafs.h.
 	(libgrub_a_SOURCES): Added fsys_vstafs.c.
--- /usr/src/redhat/BUILD/grub-0.97-5//configure.ac	2006-08-31 13:58:23.000000000 +0900
+++ grub-0.97-5-tcg//configure.ac	2006-08-24 23:19:33.000000000 +0900
@@ -665,11 +665,37 @@
 CCASFLAGS='$(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(CPPFLAGS) $(CFLAGS)'
 AC_SUBST(CCASFLAGS)
 
+dnl TCG Trusted Boot support is only applyed for Stage1 and Stage2 
+AC_ARG_ENABLE(trustedboot,
+  [  --enable-trustedboot         Enable TCG Trusted Boot])
+
+if test x"$enable_trustedboot" = xyes; then
+  # NG -> OK
+  STAGE1_CFLAGS="$STAGE1_CFLAGS -DTCG_TRUSTED_BOOT=1 -DTCG_IBM_BIOS_RC3=1 -DTCG_HLEE_F2=1"
+  STAGE2_CFLAGS="$STAGE2_CFLAGS -DTCG_TRUSTED_BOOT=1 -DTCG_IBM_BIOS_RC3=1 -DTCG_HLEE_F2=1"
+  # NG -> OK
+  #STAGE1_CFLAGS="$STAGE1_CFLAGS -DTCG_TRUSTED_BOOT=1 -DTCG_IBM_BIOS_RC3=1 -DTCG_INFRA_MODE=1"
+  #STAGE2_CFLAGS="$STAGE2_CFLAGS -DTCG_TRUSTED_BOOT=1 -DTCG_IBM_BIOS_RC3=1 -DTCG_INFRA_MODE=1"
+  # OK
+  #STAGE1_CFLAGS="$STAGE1_CFLAGS -DTCG_TRUSTED_BOOT=1 -DTCG_IBM_BIOS_RC3=1"
+  #STAGE2_CFLAGS="$STAGE2_CFLAGS -DTCG_TRUSTED_BOOT=1 -DTCG_IBM_BIOS_RC3=1"
+  # utils also need this flag
+  CFLAGS="$CFLAGS -DTCG_INFRA_MODE=1"
+fi
+
+
+dnl TCG discovery mode 
+AC_ARG_ENABLE(tcgtest,
+  [  --enable-tcgtest         Enable TCG discovery at Stage2])
+
+if test x"$enable_tcgtest" = xyes; then
+  STAGE2_CFLAGS="$STAGE2_CFLAGS -DTCG_TEST=1"
+fi
 
 dnl Output.
 AC_CONFIG_FILES([Makefile stage1/Makefile stage2/Makefile \
 		 docs/Makefile lib/Makefile util/Makefile \
 		 grub/Makefile netboot/Makefile util/grub-image \
 		 util/grub-install util/grub-md5-crypt \
-		 util/grub-terminfo])
+		 util/grub-terminfo util/grub-verify])
 AC_OUTPUT
--- grub-0.97/stage1/stage1.h	2005-02-16 06:55:15.000000000 +0900
+++ grub-0.97-tcg/stage1/stage1.h	2006-08-28 14:26:27.000000000 +0900
@@ -83,4 +83,28 @@
 /* The drive number of an invalid drive.  */
 #define GRUB_INVALID_DRIVE	0xFF
 
+
+#ifdef TCG_TRUSTED_BOOT
+
+#include "../stage2/tcg.h"
+#if 0
+/* PCR index & event type assignment */
+#define TCG_EV_GRUB_STAGE1_PCR   0x04
+#define TCG_EV_GRUB_STAGE1_TYPE       0x0D
+#define TCG_EV_GRUB_STAGE15_PCR  0x04
+#define TCG_EV_GRUB_STAGE15_TYPE      0x0D
+#define TCG_EV_GRUB_STAGE2_PCR   0x04
+#define TCG_EV_GRUB_STAGE2_TYPE       0x0D
+#define TCG_EV_GRUB_CONFIG_PCR   0x09
+#define TCG_EV_GRUB_CONFIG_TYPE       0x0E
+#endif // 0
+
+/* Ignore IBM BIOS return code (rc=3) 2006-08-15 S.Munetoh */
+//configure.ac #define TCG_IBM_BIOS_RC3
+
+/* Use TCG_HashLogExtendEvent with input Format2. 2006-08-15 S.Munetoh */
+//configure ac #define TCG_HLEE_F2
+
+#endif /* TCG_TRUSTED_BOOT */
+
 #endif /* ! STAGE1_HEADER */
--- grub-0.97/stage1/stage1.S	2005-02-16 06:54:31.000000000 +0900
+++ grub-0.97-tcg/stage1/stage1.S	2006-08-17 21:22:04.000000000 +0900
@@ -18,6 +18,22 @@
  *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  */
 
+#ifdef TCG_TRUSTED_BOOT
+/*
+ *  Changes:
+ *   1) Remove CHS part to get thecode space for TCG Trusted Boot 
+ *   2) Measure the 1st sector of stage 1.5 before jump to them
+ *
+ *   TCG_HashAll & TCG_LogEvent are used insted of the single 
+ *   TCG_HashLogEvent call.
+ *
+ *  2002/12/XX Y. Yamashita  Original Patch
+ *  2004/06/28 S. Munetoh    Modified
+ *  2006/08/15 S. Munetoh    TCG_HLEE_F2 - Last Update
+ */
+#endif /* TCG_TRUSTED_BOOT */
+
+
 #include <stage1.h>
 	
 /*
@@ -153,6 +169,7 @@
 	/* print a notification message on the screen */
 	MSG(notification_string)
 
+#ifndef TCG_TRUSTED_BOOT
 	/* do not probe LBA if the drive is a floppy */
 	testb	$STAGE1_BIOS_HD_FLAG, %dl
 	jz	chs_mode
@@ -180,7 +197,8 @@
 	jnz	lba_mode
 	andw	$1, %cx
 	jz	chs_mode
-	
+#endif /* TCG_TRUSTED_BOOT */
+		
 lba_mode:
 	/* save the total number of sectors */
 	movl	0x10(%si), %ecx
@@ -227,7 +245,11 @@
 	movw	$STAGE1_BUFFERSEG, %bx
 	jmp	copy_buffer
 		
-chs_mode:	
+chs_mode:
+#ifdef TCG_TRUSTED_BOOT
+	MSG(chs_no_support_string)
+	jmp     general_error
+#else /* ! TCG_TRUSTED_BOOT */ 	
 	/*
 	 *  Determine the hard disk geometry from the BIOS!
 	 *  We do this first, so that LS-120 IDE floppies work correctly.
@@ -345,8 +367,158 @@
 	jc	read_error
 
 	movw	%es, %bx
+#endif /* ! TCG_TRUSTED_BOOT */
 	
 copy_buffer:
+
+#ifdef TCG_TRUSTED_BOOT
+
+	pusha
+#ifdef TCG_BIOS_BIGREALMODE_FIX
+	cli
+
+	/* Transit to big-real-mode */
+	DATA32 lgdt gdtdesc
+
+	/* turn on protected mode */
+	movl	%cr0, %eax
+	orb	$0x01, %al 
+	movl	%eax, %cr0
+
+	movw	$0x0008, %bx
+	movw	%bx, %ds
+	movw	%bx, %es
+	
+	/* Back to real mode */
+	decb	%al
+	movl	%eax, %cr0
+	
+	/* Enable A20 gate */
+	movw	$0x2401, %ax
+	int	$0x15
+
+	sti
+#endif /* TCG_BIOS_BIGREALMODE_FIX */
+	push	%cs
+	push	%cs
+	pop	%ds
+	pop	%es
+#ifdef TCG_HLEE_F2
+/*
+ * BIOS call "INT 1Ah, (AH)=BBh,(AL)=00h" TCG_StatusCheck
+ *	Call with	
+ *          %ah = 0xBB
+ *			%al = 0x00
+ *	Return:
+ *			%eax = TCG_STATUS
+ *			%ebx = 'TCPA'
+ *
+ * Ref:	 
+ *  TCG PC Client Specific Implementation Specification for Conventional BIOS v1.2, 
+ *  Section 12.5 (page 85)
+ */
+tcg_statuscheck:
+	movw    $0xbb00, %ax   		/* TCG_LogEvent */
+	int     $0x1a
+	test	%eax, %eax
+	jnz		tcg_end
+/*
+ * BIOS call "INT 1Ah, (AH)=BBh,(AL)=01h" TCG_HashLogExtendEvent
+ *	Call with	
+ *          %ah = 0xBB
+ *			%al = 0x01
+ *			%es:%di = segment:offset of input parametor block
+ *			%ds:%si = segment:offset of output parametor block
+ *			%ebx = 'TCPA'
+ *			%ecx = 0
+ *			%edx = 0
+ *	Return:
+ *			%eax = TCG_STATUS
+ *			%ds:%si = ?
+ *
+ * Ref:	 
+ *  TCG PC Client Specific Implementation Specification for Conventional BIOS v1.2, 
+ *  Section 12.6 (page 86)
+ */
+	/* Set tcg_pcr_event.eventSize = 0 */
+tcg_hashlogextendevent:
+	movl	%eax, ABS(tcg_pcr_event + 28) /* LogDatalen = 0, eax must be zero */
+	movw    $0xbb01, %ax		/* TCG_LogEvent */
+	movw    $ABS(ipb), %di		/* ES:DI = IPB */
+	movw	$0x8E00, %si		/* OPB = 0x8E00 */
+	xorl    %ecx, %ecx			/* ECX = 0 */
+	xorl    %edx, %edx			/* EDX = 0 */	
+	int     $0x1a
+#ifndef TCG_IBM_BIOS_RC3
+	test	%eax, %eax
+	jz	tcg_end
+tcg_error:
+	MSG(tcg_error_string)
+#endif /* TCG_IBM_BIOS_RC3 */
+
+#else /* ! TCG_HLEE_F2 */
+/*
+ * BIOS call "INT 1Ah, (AH)=BBh,(AL)=05h" TCG_HashAll 
+ *	Call with	%ah = 0xBB
+ *			%al = 0x05
+ *			%es:%di = segment:offset of input parametor block
+ *			%ds:%si = segment:offset of output parametor block
+ *			%ebx = 'TCPA'
+ *			%ecx = 0
+ *			%edx = 0
+ *	Return:
+ *			%eax = TCG_STATUS
+ *			%ds:%si = segment:offset of referenced buffer
+ *
+ * Ref:	 TCG PC Specification v1.0, Section 8.1.8 (page 49)
+ */
+tcg_hashall:
+	movw    $0xbb05, %ax				/* TCG_HashAll */
+	movw    $ABS(ipb), %di				/* ES:DI = IPB */
+	movw    $ABS(tcg_pcr_event + 8), %si /* DS:SI = OPB */
+	movl    $0x41504354, %ebx			/* EBX = "TCPA" */
+	xorl    %ecx, %ecx					/* ECX = 0 */
+	xorl    %edx, %edx					/* EDX = 0 */
+	int     $0x1a
+#ifndef TCG_IBM_BIOS_RC3
+	test	%eax, %eax
+	jnz	tcg_error 
+#endif	/* TCG_IBM_BIOS_RC3 */
+/*
+ * BIOS call "INT 1Ah, (AH)=BBh,(AL)=04h" TCG_LogEvent
+ *	Call with	%ah = 0xBB
+ *			%al = 0x04
+ *			%es:%di = segment:offset of input parametor block
+ *			%ds:%si = segment:offset of output parametor block
+ *			%ebx = 'TCPA'
+ *			%ecx = 0
+ *			%edx = 0
+ *	Return:
+ *			%eax = TCG_STATUS
+ *			%ds:%si = ?
+ *
+ * Ref:	 TCG PC Specification v1.0, Section 8.1.7 (page 47)
+ */
+tcg_logevent:
+	/* Set tcg_pcr_event.eventSize = 0 */
+	movl	%eax, ABS(tcg_pcr_event + 28)
+	
+	movb	$(ipb_logevent_end - ipb), ABS(ipb_len)
+	movb	$TCG_EV_GRUB_STAGE15_PCR, ABS(ipb_pcrindex)
+	movw    $0xbb04, %ax   		/* TCG_LogEvent */
+	movw	$0x8E00, %si		/* OPB = 0x8E00 */
+	int     $0x1a
+#ifndef TCG_IBM_BIOS_RC3
+	test	%eax, %eax
+	jz	tcg_end
+tcg_error:
+	MSG(tcg_error_string)
+#endif /* TCG_IBM_BIOS_RC3 */
+#endif /* ! TCG_HLEE_F2 */
+tcg_end:
+	popa
+#endif /* TCG_TRUSTED_BOOT */
+
 	movw	ABS(stage2_segment), %es
 
 	/*
@@ -405,6 +577,10 @@
 hd_probe_error_string:	.string "Hard Disk"
 read_error_string:	.string "Read"
 general_error_string:	.string " Error"
+#ifdef TCG_TRUSTED_BOOT
+chs_no_support_string:	.string "CHSNA"
+tcg_error_string:	.string "TCGERR "
+#endif
 
 /*
  * message: write the string pointed to by %si
@@ -427,6 +603,68 @@
 	jne	1b	/* if not end of string, jmp to display */
 	ret
 
+#ifdef TCG_TRUSTED_BOOT
+#ifdef TCG_BIOS_BIGREALMODE_FIX
+gdtdesc:
+	.word	(gdt_end - gdt - 1)	/* limit */
+	.long	ABS(gdt)		/* addr */
+	.p2align	2	/* force 4-byte alignment */
+gdt:
+	.word	0, 0
+	.byte	0, 0, 0, 0
+	/* 32 bit data segment */
+	.word	0xFFFF, 0
+	.byte	0, 0x92, 0xCF, 0
+gdt_end:
+#endif /* TCG_BIOS_BIGREALMODE_FIX */
+
+/* TCG(TCG) BIOS Input Parameter Block */
+#ifdef TCG_HLEE_F2
+/* TCG_HashLogExtendEvent Input Parameter Block Format 2 */
+ipb: /* 28 bytes */
+	.word	(ipb_end - ipb)	 /*  0 block size   */
+	.word   0                       /*  2 reserved     */
+	.long   STAGE1_BUFFERSEG * 0x10 /*  4 hash data pointer */
+#ifdef TCG_INFRA_MODE
+	.long   496                     /*  8 hash data length (496 bytes) */
+#else
+	.long   512                   	/*  8 hash data length (512 bytes) */
+#endif 	
+	.long   TCG_EV_GRUB_STAGE15_PCR /*  C PCR index */
+	.long   0                       /* 10 reserved */
+	.long   ABS(tcg_pcr_event)      /* 14 LogData Ptr */
+	.long   32                      /* 18 LogData Len */
+ipb_end:
+
+#else /* ! TCG_HLEE_F2 */
+ipb:
+ipb_len: 
+	.word	(ipb_hashall_end - ipb)	/*  0 block size   */
+	.word   0                       /*  2 reserved     */
+	.long   STAGE1_BUFFERSEG * 0x10	/*  4 data pointer */
+#ifdef TCG_INFRA_MODE
+	.long   496                     /*  8 hash data length (496 bytes) */
+#else
+	.long   512                   	/*  8 hash data length (512 bytes) */
+#endif
+ipb_pcrindex:
+ipb_algorithmid:
+	.long   4                       /* AlgorighmID = TCG_ALG_SHA for HashAll*/ 
+					 				/* PCRIndex for LogEvent */
+ipb_hashall_end:
+	.long	TCG_EV_GRUB_STAGE15_TYPE /* event type	*/
+	.long   ABS(tcg_pcr_event)       /* log pointer  */
+	.long   32                       /* log size     */
+ipb_logevent_end:
+#endif /* ! TCG_HLEE_F2 */
+/* TCG_PCR_EVENT structure */
+tcg_pcr_event:                            /* 32 bytes     */
+	.long   TCG_EV_GRUB_STAGE15_PCR   /* PCR index    */
+	.long   TCG_EV_GRUB_STAGE15_TYPE  /* event type   */
+/*      .space  20                        |* PCR value    */
+/*      .long   0                         |* event size   */
+#endif /* TCG_TRUSTED_BOOT  */
+	
 	/*
 	 *  Windows NT breaks compatibility by embedding a magic
 	 *  number here.
@@ -446,6 +684,7 @@
 part_start:	
 	. = _start + STAGE1_PARTSTART
 
+#ifndef TCG_TRUSTED_BOOT
 probe_values:
 	.byte	36, 18, 15, 9, 0
 
@@ -493,6 +732,8 @@
 
 	jmp	final_init
 
+#endif /* ! TCG_TRUSTED_BOOT */
+
 	. = _start + STAGE1_PARTEND
 
 /* the last 2 bytes in the sector 0 contain the signature */
--- grub-0.97/stage2/asm.S	2004-06-20 01:55:22.000000000 +0900
+++ grub-0.97-tcg/stage2/asm.S	2006-08-16 23:46:37.000000000 +0900
@@ -2283,6 +2283,1009 @@
 
 #endif /* STAGE1_5 */
 
+#ifdef TCG_ENABLE
+	
+#define TCG_DIGEST_SIZE     20
+#define TCG_PCR_VALUE_SIZE  20
+#define TCG_EV_GRUB         0x20
+
+/* #define TCG_DEBUG  */
+	
+			
+	.code16
+	.align  4
+tcg_signature:
+	.byte   'T', 'C', 'P', 'A'
+tcg_grub:
+	.byte   'G', 'R', 'U', 'B'
+	
+