x86: add a tboot Kconfig option

Allows for the conditional inclusion of tboot related functionality
via Kconfig

The default configuration for the new CONFIG_TBOOT option is 'y', so the
behavior out of the box remains unchanged.  The addition of the option allows
advanced users to disable system behaviors associated with tboot at compile
time rather than relying on the run-time detection and configuration.

The CONFIG_CRYPTO option is 'n' by default and selected by the individual users
that require the functionality.  Currently, the only user is tboot.

Signed-off-by: Derek Straka <derek@asterius.io>
Acked-by: Jan Beulich <jbeulich@suse.com>

diff --git a/xen/Rules.mk b/xen/Rules.mk
index ebe1dc031313e63549a621070e163cbf9c544681..a190ff0ad154879557f8a0b679265d79e7659117 100644 (file)
--- a/xen/Rules.mk
+++ b/xen/Rules.mk
@@ -44,7 +44,7 @@ ALL_OBJS-y               += $(BASEDIR)/common/built_in.o
 ALL_OBJS-y               += $(BASEDIR)/drivers/built_in.o
 ALL_OBJS-y               += $(BASEDIR)/xsm/built_in.o
 ALL_OBJS-y               += $(BASEDIR)/arch/$(TARGET_ARCH)/built_in.o
-ALL_OBJS-$(CONFIG_X86)   += $(BASEDIR)/crypto/built_in.o
+ALL_OBJS-$(CONFIG_CRYPTO)   += $(BASEDIR)/crypto/built_in.o
 
 CFLAGS += -nostdinc -fno-builtin -fno-common
 CFLAGS += -Werror -Wredundant-decls -Wno-pointer-arith

diff --git a/xen/arch/x86/Kconfig b/xen/arch/x86/Kconfig
index c1e9279e821a441f7bf43e88587cce90849bfa2c..265fd7907e9edceeb87e3a9960b2e1cd9847e856 100644 (file)
--- a/xen/arch/x86/Kconfig
+++ b/xen/arch/x86/Kconfig
@@ -76,6 +76,17 @@ config HVM_FEP
          for use in production.
 
          If unsure, say N.
+
+config TBOOT
+       def_bool y
+       prompt "Xen tboot support" if EXPERT = "y"
+       depends on X86
+       select CRYPTO
+       ---help---
+         Allows support for Trusted Boot using the Intel(R) Trusted Execution
+         Technology (TXT)
+
+         If unsure, say Y.
 endmenu
 
 source "common/Kconfig"

diff --git a/xen/arch/x86/Makefile b/xen/arch/x86/Makefile
index b18f0339f60fa7cd446125a72d1ba6d9e1aa31ac..5b9e9dadf716ecc1357c3e44afacb495f8d94a31 100644 (file)
--- a/xen/arch/x86/Makefile
+++ b/xen/arch/x86/Makefile
@@ -62,7 +62,7 @@ obj-y += trace.o
 obj-y += traps.o
 obj-y += usercopy.o
 obj-y += x86_emulate.o
-obj-y += tboot.o
+obj-$(CONFIG_TBOOT) += tboot.o
 obj-y += hpet.o
 obj-y += vm_event.o
 obj-y += xstate.o

diff --git a/xen/common/Kconfig b/xen/common/Kconfig
index 51afa242b94c93ab2814309ed153f1aa13362a69..befa30e19dbcdcb90a037513aa5762b458744d2d 100644 (file)
--- a/xen/common/Kconfig
+++ b/xen/common/Kconfig
@@ -218,6 +218,9 @@ config SCHED_DEFAULT
 
 endmenu
 
+config CRYPTO
+       bool
+
 # Enable/Disable live patching support
 config LIVEPATCH
        bool "Live patching support (TECH PREVIEW)"

diff --git a/xen/include/asm-x86/tboot.h b/xen/include/asm-x86/tboot.h
index d2428625687730996ae14bb8b57d9e577f87bf4e..bfeed1542fa385fb2dd9aed95af6f4a9e664f18b 100644 (file)
--- a/xen/include/asm-x86/tboot.h
+++ b/xen/include/asm-x86/tboot.h
@@ -119,6 +119,7 @@ typedef struct __packed {
 
 extern tboot_shared_t *g_tboot_shared;
 
+#ifdef CONFIG_TBOOT
 void tboot_probe(void);
 void tboot_shutdown(uint32_t shutdown_type);
 int tboot_in_measured_env(void);
@@ -127,6 +128,24 @@ int tboot_parse_dmar_table(acpi_table_handler dmar_handler);
 int tboot_s3_resume(void);
 void tboot_s3_error(int error);
 int tboot_wake_ap(int apicid, unsigned long sipi_vec);
+#else
+static inline void tboot_probe(void) {}
+static inline void tboot_shutdown(uint32_t shutdown_type) {}
+static inline int tboot_in_measured_env(void) { return 0; }
+static inline int tboot_protect_mem_regions(void) { return 1; }
+
+static inline int tboot_parse_dmar_table(acpi_table_handler dmar_handler)
+{
+    return acpi_table_parse(ACPI_SIG_DMAR, dmar_handler);
+}
+
+static inline int tboot_s3_resume(void) { return 0; }
+static inline void tboot_s3_error(int error) {}
+static inline int tboot_wake_ap(int apicid, unsigned long sipi_vec)
+{
+    return 1;
+}
+#endif /* CONFIG_TBOOT */
 
 #endif /* __TBOOT_H__ */