diff --git a/Cargo.toml b/Cargo.toml
index 766ce8de..d176e2fd 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -19,6 +19,7 @@ members = [
 "td-shim-enroll-key",
 "td-shim-ld",
 "td-shim-sign-payload",
+ "tdx-bootstrap",
 "tdx-tdcall",
 "tests/test-td-exception",
 "tests/test-td-paging",
diff --git a/Makefile b/Makefile
index 097603df..acc69975 100644
--- a/Makefile
+++ b/Makefile
@@ -10,7 +10,7 @@ else
 endif
 LIB_CRATES = pe-loader td-exception td-layout td-logger td-paging tdx-tdcall
-SHIM_CRATES = rust-tdshim td-payload
+SHIM_CRATES = rust-tdshim td-payload tdx-bootstrap
 TEST_CRATES = test-td-exception test-td-paging test-td-payload
 TOOL_CRATES = td-shim-ld td-shim-enroll-key td-shim-sign-payload
diff --git a/doc/design.md b/doc/design.md
index 11db4230..99cff60f 100644
--- a/doc/design.md
+++ b/doc/design.md
@@ -54,7 +54,7 @@ Stack guard is setup at `stack_guard_enable()` in [stack_guard.rs](../rust-tdshi
 ### Reset vector
-[ResetVector](../rust-tdshim/ResetVector) is the reset vector inside of the `td-shim`. It owns the first instruction in the TD at address 0xFFFFFFF0. This is implemented in the IA32 code named [resetVector](../rust-tdshim/ResetVector/Ia32/ResetVectorVtf0.asm). The code then switches to long mode, parks application processors (APs), initializes the stack, copies the `td-shim` core to low memory (1MB) and call to `rust-tdshim` via an indirect call `call rsi` at [main](../rust-tdshim/ResetVector/Main.asm)
+[ResetVector](../rust-tdshim/ResetVector) is the reset vector inside of the `td-shim`. It owns the first instruction in the TD at address 0xFFFFFFF0. This is implemented in the IA32 code named [resetVector](../tdx-bootstrap/ResetVector/Ia32/ResetVectorVtf0.asm). The code then switches to long mode, parks application processors (APs), initializes the stack, copies the `td-shim` core to low memory (1MB) and call to `rust-tdshim` via an indirect call `call rsi` at [main](../tdx-bootstrap/ResetVector/Main.asm)
 ### TDX related lib
diff --git a/rust-tdshim/Cargo.toml b/rust-tdshim/Cargo.toml
index 41ceaacf..70158cdf 100644
--- a/rust-tdshim/Cargo.toml
+++ b/rust-tdshim/Cargo.toml
@@ -3,19 +3,11 @@ name = "rust-tdshim"
 version = "0.1.0"
 edition = "2018"
-# add build process
-build = "build.rs"
-
 [features]
 cet-ss = []
 secure-boot = []
 boot-kernel = ["td-layout/boot-kernel"]
-[build-dependencies]
-cc = { git = "https://github.com/jyao1/cc-rs.git", branch = "uefi_support" }
-td-layout = { path = "../td-layout" }
-tdx-tdcall = { path = "../tdx-tdcall" }
-
 [dependencies]
 r-efi = "3.2.0"
 linked_list_allocator = "0.9.0"
diff --git a/rust-tdshim/ResetVector/.gitignore b/rust-tdshim/ResetVector/.gitignore
deleted file mode 100644
index 66256226..00000000
--- a/rust-tdshim/ResetVector/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-*~
-
-# Bin Junk
-*.bin
diff --git a/tdx-bootstrap/Cargo.toml b/tdx-bootstrap/Cargo.toml
new file mode 100644
index 00000000..607ddff5
--- /dev/null
+++ b/tdx-bootstrap/Cargo.toml
@@ -0,0 +1,14 @@
+[package]
+name = "tdx-bootstrap"
+version = "0.1.0"
+description = "Bootstrap the TDX trusted domain with reset vector"
+repository = "https://github.com/confidential-containers/td-shim"
+homepage = "https://github.com/confidential-containers"
+license = "BSD-2-Clause-Patent"
+edition = "2018"
+build = "build.rs"
+
+[build-dependencies]
+cc = { git = "https://github.com/jyao1/cc-rs.git", branch = "uefi_support" }
+td-layout = { path = "../td-layout" }
+tdx-tdcall = { path = "../tdx-tdcall" }
diff --git a/rust-tdshim/ResetVector/CommonMacros.inc b/tdx-bootstrap/ResetVector/CommonMacros.inc
similarity index 100%
rename from rust-tdshim/ResetVector/CommonMacros.inc
rename to tdx-bootstrap/ResetVector/CommonMacros.inc
diff --git a/rust-tdshim/ResetVector/DebugDisabled.asm b/tdx-bootstrap/ResetVector/DebugDisabled.asm
similarity index 100%
rename from rust-tdshim/ResetVector/DebugDisabled.asm
rename to tdx-bootstrap/ResetVector/DebugDisabled.asm
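Review bot: The `cc` build-dependency in the new tdx-bootstrap/Cargo.toml follows a moving branch (`branch = "uefi_support"`) of a fork rather than a fixed commit, so the tooling that drives the build of ResetVector.bin can change without any change in this repository. The line is carried over unchanged from rust-tdshim/Cargo.toml, but the move is a good point to pin it, e.g. `cc = { git = "https://github.com/jyao1/cc-rs.git", rev = "<commit-sha>" }` (placeholder: use the commit the branch currently resolves to). A committed Cargo.lock would also fix the revision, but whether one is committed is not visible in this diff. The reset vector is the first code executed in the TD, so reproducible inputs to its build matter more here than for most crates in the workspace.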
diff --git a/rust-tdshim/ResetVector/Port80Debug.asm b/tdx-bootstrap/ResetVector/DebugPort80.asm similarity index 100% rename from rust-tdshim/ResetVector/Port80Debug.asm rename to tdx-bootstrap/ResetVector/DebugPort80.asm diff --git a/rust-tdshim/ResetVector/SerialDebug.asm b/tdx-bootstrap/ResetVector/DebugSerial.asm similarity index 100% rename from rust-tdshim/ResetVector/SerialDebug.asm rename to tdx-bootstrap/ResetVector/DebugSerial.asm diff --git a/rust-tdshim/ResetVector/Ia32/Flat32ToFlat64.asm b/tdx-bootstrap/ResetVector/Ia32/Flat32ToFlat64.asm similarity index 99% rename from rust-tdshim/ResetVector/Ia32/Flat32ToFlat64.asm rename to tdx-bootstrap/ResetVector/Ia32/Flat32ToFlat64.asm index 99d2b26d..3dea5e48 100644 --- a/rust-tdshim/ResetVector/Ia32/Flat32ToFlat64.asm +++ b/tdx-bootstrap/ResetVector/Ia32/Flat32ToFlat64.asm @@ -44,6 +44,7 @@ Transition32FlatTo64Flat: mov cr0, eax ; enable paging jmp LINEAR_CODE64_SEL:ADDR_OF(jumpTo64BitAndLandHere) + BITS 64 jumpTo64BitAndLandHere: diff --git a/rust-tdshim/ResetVector/Ia32/ReloadFlat32.asm b/tdx-bootstrap/ResetVector/Ia32/ReloadFlat32.asm similarity index 99% rename from rust-tdshim/ResetVector/Ia32/ReloadFlat32.asm rename to tdx-bootstrap/ResetVector/Ia32/ReloadFlat32.asm index 929b55f9..3b080418 100644 --- a/rust-tdshim/ResetVector/Ia32/ReloadFlat32.asm +++ b/tdx-bootstrap/ResetVector/Ia32/ReloadFlat32.asm @@ -16,7 +16,7 @@ BITS 32 ; Modified: EAX, EBX ; ReloadFlat32: - +; It's already in 32 bit mode? debugShowPostCode POSTCODE_16BIT_MODE cli @@ -27,6 +27,7 @@ ReloadFlat32: mov cr0, eax jmp LINEAR_CODE_SEL:dword ADDR_OF(jumpTo32BitAndLandHere) + BITS 32 jumpTo32BitAndLandHere: diff --git a/rust-tdshim/ResetVector/Ia32/ResetVectorVtf0.asm b/tdx-bootstrap/ResetVector/Ia32/ResetVectorVtf0.asm similarity index 100% rename from rust-tdshim/ResetVector/Ia32/ResetVectorVtf0.asm rename to tdx-bootstrap/ResetVector/Ia32/ResetVectorVtf0.asm 
diff --git a/rust-tdshim/ResetVector/Ia32/ValidateBfvBase.asm b/tdx-bootstrap/ResetVector/Ia32/ValidateBfvBase.asm similarity index 100% rename from rust-tdshim/ResetVector/Ia32/ValidateBfvBase.asm rename to tdx-bootstrap/ResetVector/Ia32/ValidateBfvBase.asm diff --git a/rust-tdshim/ResetVector/Main.asm b/tdx-bootstrap/ResetVector/Main.asm similarity index 97% rename from rust-tdshim/ResetVector/Main.asm rename to tdx-bootstrap/ResetVector/Main.asm index 30265233..6bce1d97 100644 --- a/rust-tdshim/ResetVector/Main.asm +++ b/tdx-bootstrap/ResetVector/Main.asm @@ -55,7 +55,7 @@ Main32: or esp, esi ; - ; Transition the processor from protected to 32-bit flat mode + ; Transition the processor to 32-bit protected flat mode ; OneTimeCall ReloadFlat32 @@ -167,8 +167,8 @@ BITS 64 ;mov rax, TDCALL_TDACCEPTPAGE ;tdcall - mov r14, 0x0 ; start address - mov r15, 0x800000 ; end address TBD + mov r14, 0x0 ; start address + mov r15, INITIALLY_ACCEPTED_MEMORY_SIZE ; end address .accept_pages_for_sec_core_loop mov r8, 0 diff --git a/rust-tdshim/ResetVector/PostCodes.inc b/tdx-bootstrap/ResetVector/PostCodes.inc similarity index 100% rename from rust-tdshim/ResetVector/PostCodes.inc rename to tdx-bootstrap/ResetVector/PostCodes.inc diff --git a/rust-tdshim/ResetVector/ResetVector.nasm b/tdx-bootstrap/ResetVector/ResetVector.nasm similarity index 99% rename from rust-tdshim/ResetVector/ResetVector.nasm rename to tdx-bootstrap/ResetVector/ResetVector.nasm index 08153924..8a72fcd8 100644 --- a/rust-tdshim/ResetVector/ResetVector.nasm +++ b/tdx-bootstrap/ResetVector/ResetVector.nasm @@ -27,8 +27,9 @@ StartOfResetVectorCode: %endif %include "Ia32/ValidateBfvBase.asm" - %include "Ia32/Flat32ToFlat64.asm" %include "Ia32/ReloadFlat32.asm" + %include "Main.asm" + %include "Ia32/ResetVectorVtf0.asm" 
diff --git a/rust-tdshim/ResetVector/X64/PageTables.asm b/tdx-bootstrap/ResetVector/X64/PageTables.asm similarity index 88% rename from rust-tdshim/ResetVector/X64/PageTables.asm rename to tdx-bootstrap/ResetVector/X64/PageTables.asm index 2a798cc5..f109a567 100644 --- a/rust-tdshim/ResetVector/X64/PageTables.asm +++ b/tdx-bootstrap/ResetVector/X64/PageTables.asm @@ -18,26 +18,29 @@ BITS 64 TopLevelPageDirectory: ; - ; Top level Page Directory Pointers (1 * 512GB entry) + ; Top level/Level 5 Page Directory Pointers (1 * 256TB entry) ; DQ PDP(0x1000) - ; - ; Next level Page Directory Pointers (4 * 1GB entries => 4GB) - ; TIMES 511 DQ 0 + ; + ; Top level/Level 4 Page Directory Pointers (1 * 512GB entry) + ; DQ PDP(0x2000) TIMES 511 DQ 0 + + ; + ; Next level Page Directory Pointers (4 * 1GB entries => 4GB) + ; DQ PDP(0x3000) DQ PDP(0x4000) DQ PDP(0x5000) DQ PDP(0x6000) + TIMES 508 DQ 0 ; ; Page Table Entries (2048 * 2MB entries => 4GB) ; - TIMES 508 DQ 0 - %assign i 0 %rep 0x800 DQ PTE_2MB(i) diff --git a/rust-tdshim/ResetVector/X64/TestHob.asm b/tdx-bootstrap/ResetVector/X64/TestHob.asm similarity index 100% rename from rust-tdshim/ResetVector/X64/TestHob.asm rename to tdx-bootstrap/ResetVector/X64/TestHob.asm diff --git a/rust-tdshim/build.rs b/tdx-bootstrap/build.rs similarity index 94% rename from rust-tdshim/build.rs rename to tdx-bootstrap/build.rs index 7b100fb1..59066213 100644 --- a/rust-tdshim/build.rs +++ b/tdx-bootstrap/build.rs @@ -10,6 +10,9 @@ use std::{ use td_layout::build_time; +// TODO: move it into td-layout +pub const INITIALLY_ACCEPTED_MEMORY_SIZE: u32 = 0x80_0000; + fn nasm(file: &Path, arch: &str, out_file: &Path, args: &[&str]) -> Command { let oformat = match arch { "x86_64" => ("win64"), 
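Review bot: `INITIALLY_ACCEPTED_MEMORY_SIZE` in the tdx-bootstrap/build.rs hunk has no doc comment and no validation, although it now supplies the end address of the page-accept loop in ResetVector/Main.asm (`mov r15, INITIALLY_ACCEPTED_MEMORY_SIZE`). I would document the unit and the consumer, for example `/// Upper bound, in bytes, of the memory range the reset vector accepts; passed to NASM as -DINITIALLY_ACCEPTED_MEMORY_SIZE.`, and add a check in `main()` such as `assert_eq!(INITIALLY_ACCEPTED_MEMORY_SIZE % 0x1000, 0, "accepted range must be page aligned");`. That check assumes the loop advances in 4 KiB pages; the loop body is outside the Main.asm hunk, so confirm the step before adopting the constant. Until the TODO moves the value into td-layout, nothing in the build ties it to the layout regions the shim uses early, so a layout change could leave early-used memory outside the accepted range without any build-time signal.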
@@ -89,6 +92,10 @@ fn main() {
 "-DTD_SHIM_RESET_SEC_CORE_SIZE_ADDR=0x{:X}",
 build_time::TD_SHIM_RESET_SEC_CORE_SIZE_ADDR
 );
+ let accepted_memory_size = format!(
+ "-DINITIALLY_ACCEPTED_MEMORY_SIZE=0x{:X}",
+ crate::INITIALLY_ACCEPTED_MEMORY_SIZE
+ );
 let _ = env::set_current_dir(reset_vector_src_dir.as_path());
 run_command(nasm(
@@ -109,6 +116,7 @@ fn main() {
 &loaded_sec_entrypoint_base,
 &loaded_sec_core_base,
 &loaded_sec_core_size,
+ &accepted_memory_size,
 ],
 ));
 }
diff --git a/tdx-bootstrap/src/lib.rs b/tdx-bootstrap/src/lib.rs
new file mode 100644
index 00000000..77b10565
--- /dev/null
+++ b/tdx-bootstrap/src/lib.rs
@@ -0,0 +1,5 @@
+// Copyright (c) 2022 Alibaba Cloud
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+
+//! A fake crate to build the ResetVector.bin for Intel TDX platforms.
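Review bot: In the build.rs hunk at `@@ -89,6 +92,10 @@`, the context line `let _ = env::set_current_dir(reset_vector_src_dir.as_path());` discards the result immediately before NASM is run, and ResetVector.nasm uses relative `%include` paths. If the directory change fails, the assembler runs against whatever the current directory holds; now that the sources live in a new crate directory, I would fail the build instead: `env::set_current_dir(reset_vector_src_dir.as_path()).expect("cannot enter ResetVector source directory");`. As a style point, the `crate::` prefix on `INITIALLY_ACCEPTED_MEMORY_SIZE` in the added `format!` call is unnecessary inside the build script, where the constant is in the same module. The body of `main` starts and ends outside this hunk.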