# HG changeset patch # User Timo Lindfors <timo.lindf...@iki.fi> # Date 1647554330 -7200 # Thu Mar 17 23:58:50 2022 +0200 # Node ID 538c14b1428d0625ebb3f9c3cae21656fd4c3b06 # Parent e45ccbe6bf59ba534ad628f7be45e7c34629e19b Allow selecting only SINIT modules that match platform This introduces GRUB_TBOOT_SINIT_SELECT_MATCHING that defaults to false.
Signed-off-by: Timo Lindfors <timo.lindf...@iki.fi> diff -r e45ccbe6bf59 -r 538c14b1428d tboot/20_linux_tboot --- a/tboot/20_linux_tboot Thu Mar 17 23:58:45 2022 +0200 +++ b/tboot/20_linux_tboot Thu Mar 17 23:58:50 2022 +0200 @@ -40,6 +40,7 @@ [ -z "${GRUB_CMDLINE_LINUX_TBOOT}" ] && unset GRUB_CMDLINE_LINUX_TBOOT [ -z "${GRUB_TBOOT_POLICY_DATA}" ] && unset GRUB_TBOOT_POLICY_DATA [ -z "${GRUB_TBOOT_SINIT_LIST}" ] && unset GRUB_TBOOT_SINIT_LIST +[ -z "${GRUB_TBOOT_SINIT_SELECT_MATCHING}" ] && unset GRUB_TBOOT_SINIT_SELECT_MATCHING # Command line for tboot itself : ${GRUB_CMDLINE_TBOOT='logging=serial,memory,vga'} # Linux kernel parameters to append for tboot @@ -48,6 +49,8 @@ : ${GRUB_TBOOT_POLICY_DATA=''} # List of SINIT modules to use, glob patterns are supported : ${GRUB_TBOOT_SINIT_LIST='/boot/*sinit* /boot/*SINIT*'} +# Use only SINIT modules that match the current platform +: ${GRUB_TBOOT_SINIT_SELECT_MATCHING='false'} export TEXTDOMAIN=grub export TEXTDOMAINDIR=${prefix}/share/locale @@ -164,8 +167,16 @@ tboot_list=`for i in /boot/tboot*.gz; do if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi done` +if [ "x${GRUB_TBOOT_SINIT_SELECT_MATCHING}" = "xtrue" ] && [ ! -e /dev/cpu/0/msr ]; then + modprobe msr +fi sinit_list=`for i in ${GRUB_TBOOT_SINIT_LIST}; do basename=$(basename $i) + if [ "x${GRUB_TBOOT_SINIT_SELECT_MATCHING}" = "xtrue" ] \ + && ! txt-acminfo "$i" | grep -qx "ACM matches platform"; then + # Skip SINIT that does not match + continue + fi if grub_file_is_not_garbage "$i" ; then echo -n "$basename " ; fi done` if [ -n "${GRUB_TBOOT_POLICY_DATA}" ]; then diff -r e45ccbe6bf59 -r 538c14b1428d tboot/20_linux_xen_tboot --- a/tboot/20_linux_xen_tboot Thu Mar 17 23:58:45 2022 +0200 +++ b/tboot/20_linux_xen_tboot Thu Mar 17 23:58:50 2022 +0200 
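Review bot: The comment added above `: ${GRUB_TBOOT_SINIT_SELECT_MATCHING='false'}` in 20_linux_tboot does not say which value turns the filter on. The later hunk compares against the literal `xtrue`, so `yes`, `1` or `True` leave the filter off without any message. I would spell that out, e.g. `# Set to 'true' to use only SINIT modules that txt-acminfo reports as matching this platform; any other value disables the filter`. The same comment is added in 20_linux_xen_tboot and would need the same wording.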
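Review bot: With `GRUB_TBOOT_SINIT_SELECT_MATCHING=true`, the new `continue` branch in the `sinit_list` loop can leave the list empty without any diagnostic. If `modprobe msr` fails or `txt-acminfo` cannot run (its exit status is hidden behind the pipe to `grep`), every SINIT module is skipped, and the generated entries would then carry no SINIT, which presumably costs the measured launch at the next boot. I would print a warning on stderr when the filter is on and the list ends up empty. The filter also runs `txt-acminfo` on each word of `GRUB_TBOOT_SINIT_LIST` before `grub_file_is_not_garbage` has rejected unmatched glob patterns and leftover files, so I would do that check first. The identical hunk in 20_linux_xen_tboot needs the same change; the script continues outside this hunk, so whether `set -e` turns a failed `modprobe` into an abort is not visible here.

```sh
sinit_list=`for i in ${GRUB_TBOOT_SINIT_LIST}; do
    basename=$(basename $i)
    # Reject unmatched glob patterns and leftover files before parsing them
    if ! grub_file_is_not_garbage "$i" ; then
        continue
    fi
    # … unchanged: GRUB_TBOOT_SINIT_SELECT_MATCHING / txt-acminfo check with continue …
    echo -n "$basename "
done`
if [ "x${GRUB_TBOOT_SINIT_SELECT_MATCHING}" = "xtrue" ] && [ -z "${sinit_list}" ]; then
    echo "Warning: GRUB_TBOOT_SINIT_SELECT_MATCHING is true but no SINIT module matches this platform" >&2
fi
```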
@@ -41,6 +41,7 @@ [ -z "${GRUB_CMDLINE_LINUX_XEN_TBOOT}" ] && unset GRUB_CMDLINE_LINUX_XEN_TBOOT [ -z "${GRUB_TBOOT_POLICY_DATA}" ] && unset GRUB_TBOOT_POLICY_DATA [ -z "${GRUB_TBOOT_SINIT_LIST}" ] && unset GRUB_TBOOT_SINIT_LIST +[ -z "${GRUB_TBOOT_SINIT_SELECT_MATCHING}" ] && unset GRUB_TBOOT_SINIT_SELECT_MATCHING # Command line for tboot itself : ${GRUB_CMDLINE_TBOOT='logging=serial,memory,vga'} # Xen parameters to append for tboot @@ -51,6 +52,8 @@ : ${GRUB_TBOOT_POLICY_DATA=''} # List of SINIT modules to use, glob patterns are supported : ${GRUB_TBOOT_SINIT_LIST='/boot/*sinit* /boot/*SINIT*'} +# Use only SINIT modules that match the current platform +: ${GRUB_TBOOT_SINIT_SELECT_MATCHING='false'} export TEXTDOMAIN=grub export TEXTDOMAINDIR=${prefix}/share/locale @@ -194,8 +197,16 @@ tboot_list=`for i in /boot/tboot*.gz; do if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi done` +if [ "x${GRUB_TBOOT_SINIT_SELECT_MATCHING}" = "xtrue" ] && [ ! -e /dev/cpu/0/msr ]; then + modprobe msr +fi sinit_list=`for i in ${GRUB_TBOOT_SINIT_LIST}; do basename=$(basename $i) + if [ "x${GRUB_TBOOT_SINIT_SELECT_MATCHING}" = "xtrue" ] \ + && ! txt-acminfo "$i" | grep -qx "ACM matches platform"; then + # Skip SINIT that does not match + continue + fi if grub_file_is_not_garbage "$i" ; then echo -n "$basename " ; fi done` if [ -n "${GRUB_TBOOT_POLICY_DATA}" ]; then _______________________________________________ tboot-devel mailing list tboot-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tboot-devel
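Review bot: The platform check in the `sinit_list` loop of 20_linux_xen_tboot depends on `txt-acminfo` printing the exact line `ACM matches platform`, and nothing in the script records that dependency. Because `grep -qx` needs a whole-line match, any rewording of that message would make the filter drop every module rather than fail visibly. I would extend the inline comment to say so, e.g. `# Skip SINIT that does not match; relies on txt-acminfo printing exactly "ACM matches platform"`. The loop in 20_linux_tboot carries the same string and would take the same comment.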