forked from QubesOS/qubes-vmm-xen
Add patches for Intel TXT support #1
Open: TomaszAIR wants to merge 70 commits into main from inteltxt-support
TomaszAIR force-pushed the inteltxt-support branch from c15b9c5 to 080dbb4 on December 16, 2022 07:34
TomaszAIR force-pushed the inteltxt-support branch from 080dbb4 to 5353083 on January 4, 2023 12:57
TomaszAIR force-pushed the inteltxt-support branch from 5353083 to b51adeb on February 8, 2023 09:28
TomaszAIR force-pushed the inteltxt-support branch from 4ca5894 to a56c58b on February 20, 2023 16:30
TomaszAIR force-pushed the inteltxt-support branch 5 times, most recently from 5adc968 to 0ab3116 on April 25, 2023 11:53
TomaszAIR force-pushed the inteltxt-support branch from 0ab3116 to a46e3e7 on April 25, 2023 14:57
Drop patches included upstream already, update context of some existing patches. Include also XSA-431 patch that was published after 4.17.1 release.
Backport serial console fix, and a build fix with GCC 13 (relevant for Archlinux).
It isn't used anymore, VMs use distribution-native Xen packages fully.
Replace custom patch with proper upstream implementation.
Microcode update is available only for some models at this moment, so include the workaround patch too to cover remaining models.
And drop those already included upstream.
Temporarily use a git snapshot, until upstream provides proper tarballs.
They may grow quite big in some cases, and are very compressible.
This adds some basic support but even if working as intended this doesn't reach satisfactory residency values yet. And more importantly in Qubes' default configuration common devices (at least Intel integrated USB and Thunderbolt) need more work to not completely block residency.
SergiiDmytruk force-pushed the inteltxt-support branch from 5bf7fa7 to d7feb43 on February 28, 2024 13:50
Some of them were already backported, but there are a few more relevant fixes. This may also ease applying future patches.
The signing key still uses SHA1, which is rejected by sequoia-sq. Switch to hash file until the key is updated.
* origin/main: Temporarily switch to a hash file for download verification
The patches are conflicting (contextually and semantically) with 1017-Disable-TSX-by-default.patch so drop the latter.
Go back to signatures, as builderv2 was modified to tolerate older keys too. This reverts commit 606f99a.
Remove patches included upstream.
See patch description for details. Fixes QubesOS/qubes-issues#9030
* origin/pr/167: Basic S0ix support
SergiiDmytruk force-pushed the inteltxt-support branch 2 times, most recently from fbe20ec to 8e209dc on May 12, 2024 21:44
Remove bin86 and dev86 needed only for hypervisor build (not applicable here). Remove yajl as already listed in depends. Add python-setuptools.
/var/log/xen needs to be owned by the package, otherwise xendriverdomain service fails to start.
Remove no longer needed deps - we don't build stubdomain in this package anymore.
* build-deps:
  Fix Arch build on conflicting _FORTIFY_SOURCE values
  rpm: cleanup build dependencies
Add patches fixing XHCI DbC console when sys-usb is running. Technically not a backport yet, but this version is very close to being committed upstream so should qualify as a backport soon.
Signed-off-by: Tomasz Żyjewski <tomasz.zyjewski@3mdeb.com>
Signed-off-by: Tomasz Żyjewski <tomasz.zyjewski@3mdeb.com>
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
SergiiDmytruk force-pushed the inteltxt-support branch from 8e209dc to 413d4c8 on August 10, 2024 22:14
Set of patches which adds Intel TXT support in Xen for TrenchBoot.
This is necessary to create Proof of Concept for TrenchBoot Anti Evil
Maid for QubesOS.
Due to the requirements of Intel TXT and how it is utilised, it is
impossible to use the Xen boot protocols defined in the UEFI or
Multiboot2 specifications. Those patches create a custom Intel TXT
entry point for Xen which would hand-off to the standard Multiboot2
entry point and enable direct launch of Xen by GRUB via DRTM on Intel
hardware. Additionally there was no support for launching Xen with Intel
TXT other than Trusted Boot. Certain parts had to be ported from
Trusted Boot specific code to Xen native code:
See: https://lists.xenproject.org/archives/html/xen-devel/2022-10/msg01663.html
for details
Signed-off-by: Tomasz Żyjewski <tomasz.zyjewski@3mdeb.com>