From 713d4867fd0195fabe8551a90c875fda890620fe Mon Sep 17 00:00:00 2001
From: Trammell Hudson
Date: Tue, 28 Mar 2017 16:32:58 -0400
Subject: [PATCH] Change ethernet drivers to be modules and measure them when they are loaded. This is a step towards unifying the server and laptop config (issue #139) and also makes it possible to later remove the USB modules from the normal boot path.
---
 Makefile | 10 +++++++++-
 config/linux.config | 17 ++++-------------
 initrd/sbin/insmod-measure.sh | 29 +++++++++++++++++++++++++++++
 modules/linux | 6 +++++-
 4 files changed, 47 insertions(+), 15 deletions(-)
 create mode 100755 initrd/sbin/insmod-measure.sh
diff --git a/Makefile b/Makefile
index 0b9d920e..0a91c0e2 100644
--- a/Makefile
+++ b/Makefile
@@ -280,7 +280,7 @@ initrd_lib_install: $(initrd_bins) $(initrd_libs)
 # unlikely that their device file has a different major/minor)
 #
 #
-initrd.cpio: $(initrd_bins) $(initrd_libs) initrd_lib_install
+initrd.cpio: $(initrd_bins) $(initrd_libs) initrd_lib_install linux_modules
 cd ./initrd ; \
 find . \
 | cpio --quiet -H newc -o \
@@ -289,6 +289,14 @@ initrd.cpio: $(initrd_bins) $(initrd_libs) initrd_lib_install
 initrd.intermediate: initrd.cpio
+linux_modules: linux.intermediate
+ @-mkdir initrd/lib/modules
+ @for mod in $(linux_modules); do \
+ echo "$(DATE) Installing $$mod"; \
+ cp -a "$(build)/$(linux_dir)/$$mod" initrd/lib/modules; \
+ done
+
+
 # populate the coreboot initrd image from the one we built.
 # 4.4 doesn't allow this, but building from head does.
diff --git a/config/linux.config b/config/linux.config
index a57143ec..d99264d8 100644
--- a/config/linux.config
+++ b/config/linux.config
@@ -619,9 +619,7 @@ CONFIG_NET_PTP_CLASSIFY=y
 # CONFIG_L2TP is not set
 # CONFIG_BRIDGE is not set
 CONFIG_HAVE_NET_DSA=y
-CONFIG_VLAN_8021Q=y
-# CONFIG_VLAN_8021Q_GVRP is not set
-# CONFIG_VLAN_8021Q_MVRP is not set
+# CONFIG_VLAN_8021Q is not set
 # CONFIG_DECNET is not set
 # CONFIG_LLC2 is not set
 # CONFIG_IPX is not set
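Review bot: The `linux_modules` recipe in the Makefile cannot fail when a module is missing: the loop joins its commands with `;`, so only the `cp` of the last entry decides the exit status, and `@-mkdir` discards any error from creating the directory. A driver that did not build is then silently left out of initrd.cpio, and the gap only shows up at boot when the measured load fails. I would write `@mkdir -p initrd/lib/modules` and end the copy line with `initrd/lib/modules/ || exit 1; \`. The target names no file, so it should also be listed under `.PHONY` if it is not declared elsewhere in the Makefile.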
@@ -661,14 +659,7 @@ CONFIG_NET_FLOW_LIMIT=y
 # CONFIG_AF_RXRPC is not set
 # CONFIG_AF_KCM is not set
 # CONFIG_STREAM_PARSER is not set
-CONFIG_WIRELESS=y
-# CONFIG_CFG80211 is not set
-# CONFIG_LIB80211 is not set
-
-#
-# CFG80211 needs to be enabled for MAC80211
-#
-CONFIG_MAC80211_STA_HASH_MAX_SIZE=0
+# CONFIG_WIRELESS is not set
 # CONFIG_WIMAX is not set
 # CONFIG_RFKILL is not set
 # CONFIG_NET_9P is not set
@@ -1028,8 +1019,8 @@ CONFIG_ETHERNET=y
 # CONFIG_NET_VENDOR_HP is not set
 CONFIG_NET_VENDOR_INTEL=y
 # CONFIG_E100 is not set
-CONFIG_E1000=y
-CONFIG_E1000E=y
+CONFIG_E1000=m
+CONFIG_E1000E=m
 CONFIG_E1000E_HWTS=y
 # CONFIG_IGB is not set
 # CONFIG_IGBVF is not set
diff --git a/initrd/sbin/insmod-measure.sh b/initrd/sbin/insmod-measure.sh
new file mode 100755
index 00000000..53cb3e52
--- /dev/null
+++ b/initrd/sbin/insmod-measure.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+# extend a TPM PCR with a module and then load it
+# any arguments will also be measured
+
+die() {
+ echo >&2 "$@"
+ exit 1
+}
+
+INDEX="$1"; shift
+MODULE="$1"; shift
+
+if [ -z "$INDEX" -o -z "$MODULE" ]; then
+ die "Usage: $0 pcr-index module [args...]"
+fi
+
+if [ ! -r "$MODULE" ]; then
+ die "$MODULE: not found?"
+fi
+
+tpm extend -ix "$INDEX" -if "$MODULE" || die "$MODULE: tpm extend failed"
+
+if [ ! -z "$@" ]; then
+ TMPFILE=/tmp/insmod.$$
+ echo "$@" > $TMPFILE
+ tpm extend -ix "$INDEX" -if $TMPFILE || die "$MODULE: tpm extend on arguments failed"
+fi
+
+insmod "$MODULE" "$@" || die "$MODULE: insmod failed"
diff --git a/modules/linux b/modules/linux
index 075d384d..5f8af068 100644
--- a/modules/linux
+++ b/modules/linux
@@ -17,6 +17,11 @@ linux_configure := \
 linux_output := arch/x86/boot/bzImage
 linux_config := linux.config
+linux_modules := \
+ drivers/net/ethernet/intel/e1000/e1000.ko \
+ drivers/net/ethernet/intel/e1000e/e1000e.ko \
+
+
 EXTRA_FLAGS := -fdebug-prefix-map=$(pwd)=heads -gno-record-gcc-switches
 linux_target := \
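Review bot: In initrd/sbin/insmod-measure.sh the test `[ ! -z "$@" ]` expands to several words as soon as more than one module argument is given, so `[` reports an error, the branch is skipped, and the arguments reach `insmod` without being extended into the PCR. Testing the count closes that gap: `if [ "$#" -gt 0 ]; then`, with the arguments written by `printf '%s\n' "$*" > "$TMPFILE"` so that `echo` cannot treat a leading `-n` or a backslash specially. The temporary file has a predictable name under /tmp, is used unquoted and is never removed; `rm -f "$TMPFILE"` after the extend would tidy that up. The module is also read twice, once by `tpm extend` and once by `insmod`, so the measurement only describes what was loaded if the file cannot change in between, which presumably holds inside the initrd but deserves a comment at the top of the script.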
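Review bot: `linux_modules` in modules/linux has no comment, and it has to stay in step with two other places: each entry must be built as `=m` in config/linux.config, and each is copied by the `linux_modules` target in the Makefile. I would add above it `# Kernel modules copied into initrd/lib/modules; paths are relative to the kernel build directory and each must be =m in config/linux.config`. The list ends in a continuation backslash followed by blank lines, which works but is easy to break when an entry is appended.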
@@ -29,7 +34,6 @@ linux_target := \
 KBUILD_BUILD_TIMESTAMP="1970-00-00" \
 KBUILD_BUILD_VERSION=0 \
 -j $(MAKE_JOBS) \
- bzImage
 # We cross compile linux now
 linux_depends := $(musl_dep)
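Review bot: With `bzImage` removed, `linux_target` ends on `-j $(MAKE_JOBS) \` and names no goal, so the kernel build now depends on whatever the default target produces for both the image and the `.ko` files. Naming the goals in place of the removed line, `bzImage modules`, would keep the intent visible and leave no dangling continuation. Because the modules are extended into a PCR when they are loaded, their bytes need to be as reproducible as the image; it looks like the `KBUILD_BUILD_*` settings above apply to them too, but that is worth confirming. `linux_target` starts before this hunk.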