authorJason Zaman <perfinion@gentoo.org>2015-05-07 19:41:41 +0000
committerJason Zaman <perfinion@gentoo.org>2015-05-07 19:41:41 +0000
commitdff2cab2316c9a346da7ba4f8297bcc3f9bdafb8 (patch)
tree8f94cee9d57940b33ceae8759be71c828bf7f839 /sys-boot/tboot
parentDepend on newer procps to avoid has_version in src_configure. (diff)
Initial commit of tboot
Package-Manager: portage-2.2.18/cvs/Linux x86_64 Manifest-Sign-Key: 0x7EF137EC935B0EAF
Diffstat (limited to 'sys-boot/tboot')
-rw-r--r--sys-boot/tboot/ChangeLog12
-rw-r--r--sys-boot/tboot/Manifest29
-rw-r--r--sys-boot/tboot/files/tboot-1.8.2-disable-pcid.patch26
-rw-r--r--sys-boot/tboot/files/tboot-1.8.2-genkernel_arch.patch57
-rw-r--r--sys-boot/tboot/files/tboot-1.8.2-stack-check-no.patch11
-rw-r--r--sys-boot/tboot/metadata.xml12
-rw-r--r--sys-boot/tboot/tboot-1.8.3.ebuild72
7 files changed, 219 insertions, 0 deletions
diff --git a/sys-boot/tboot/ChangeLog b/sys-boot/tboot/ChangeLog
new file mode 100644
index 000000000000..983b45b6cdfa
--- /dev/null
+++ b/sys-boot/tboot/ChangeLog
@@ -0,0 +1,12 @@
+# ChangeLog for sys-boot/tboot
+# Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/sys-boot/tboot/ChangeLog,v 1.1 2015/05/07 19:41:35 perfinion Exp $
+
+*tboot-1.8.3 (07 May 2015)
+
+ 07 May 2015; Jason Zaman <perfinion@gentoo.org> +tboot-1.8.3.ebuild,
+ +files/tboot-1.8.2-disable-pcid.patch,
+ +files/tboot-1.8.2-genkernel_arch.patch,
+ +files/tboot-1.8.2-stack-check-no.patch, +metadata.xml:
+ Initial commit of tboot
+
diff --git a/sys-boot/tboot/Manifest b/sys-boot/tboot/Manifest
new file mode 100644
index 000000000000..f2d46a0b399f
--- /dev/null
+++ b/sys-boot/tboot/Manifest
@@ -0,0 +1,29 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+AUX tboot-1.8.2-disable-pcid.patch 1004 SHA256 89db7965c60f6e269c10063500b940a2afbc8698efd6149acdab3954ed4c6016 SHA512 8ea33ca7d75089b09e4898d82fc0e6e8c93354acfb9908c5e62337158006d53e58cb75339c2efed750e55a2035a6b564995567cf6600fd3753dbabb003510a61 WHIRLPOOL 79cef14a0f6e57d00184767ee65d1323b7aa65acb185c53da8ddfa7937c345afbd710ba1d4f1bdb8468c58c308542110b7feee719a50af1992bf61d569373a13
+AUX tboot-1.8.2-genkernel_arch.patch 2318 SHA256 bb30746f3bed4fc1a3a942938e98e3f47581b2065d0a634bf3854a9489ebae03 SHA512 02af1ee0c31000766d0266c501bd7d1eed2ac338e7e7ef9d825221ec8010d995e3a74ac45be5de636bf946ac63ad593f0a7144a93ba72c8beca7bb3b94d8a711 WHIRLPOOL 9fcedbcc861906a83bc0235a410f69759efc25b7e3e3d70b81c5b7d8df665e5c4e7153377ab5ab80b697211f7396a3e36a0176106824ece09eb620d8bead8dc9
+AUX tboot-1.8.2-stack-check-no.patch 718 SHA256 ed3459b326957f709bc05dbc4de70215913faa74dc6342a1bef2878d8ea9481a SHA512 b7295f4d152e11eb49fa61085b42389e3edf063182ebd8c681e06e2025744516a3386dc5688ce53cd87c024d7fdcdcb54f0f1b04898704613137ed8eaaf7781f WHIRLPOOL afc4564cd6b25e73f26332e6cb436a5284e52622403405b33a605a412039173ee873e13f05cbbf6b551c08c6aa56d28a9e5579b13b5211b2711b0bfc1d2a4c8e
+DIST tboot-1.8.3.tar.gz 554084 SHA256 2f2e0c3865b45691f76b31730c5aaea2f076e7949ee6309e78ed7f80d8c53d39 SHA512 cde961af07c64a7d8b77f64d48e6d9230048135420e78efc6277f32e4df78012b5bbd73e4f2ce1cd6194091ec306cc84c65356865815a7311e140fd2b94f6443 WHIRLPOOL 030ab29ee710c6201e894abfd693944490c157b2607425dd6d476f836a635ee7f82c29180ad13fc80508596dc62148aa1c108bd7aba1c9ca7329f99197d97db6
+EBUILD tboot-1.8.3.ebuild 1844 SHA256 2a3a797aae84238f45c1ae8832589e5a5b244127f5e344a2b77aafafaf63c44a SHA512 9d09353120126b7fa6b0b4f858dd3e4ba1e30f0391becdce3e097438d8868729d283392096e9caf3cdd1c9e30e143e49935ef2d289e9f851cf193cadd2f3962c WHIRLPOOL 4926f46028dc6a7884db3f53c1efc04cbe419ef6798a2124f18926979525b653d566deb664a79c1e0f88fde8386d62e37c07dca475960ef90b6eca79208a0a07
+MISC ChangeLog 472 SHA256 89cb089f9ab0625e7faf0b85fd9391125146e9b8a870288e6c20410edbcd2d5a SHA512 5d3882c8a3f4a682b70ea6d8373e6c8c91bd5471bec0b4bdbe074628951c76780726a3d8e73c1d30f1a0a66e961c436016db375e8619e88a67e1c0492e17fbad WHIRLPOOL 9d147ee23ec5b6255ea67ee666fad26afe630d07b4774e0e02e2d9dee007a474aacd34c28daa0362b91ff340b0a9b30cd7d3089207c9ca45a9b9e4b20c6ec8a5
+MISC metadata.xml 419 SHA256 776ffd511903ed035840f13b8a6b6245e6e2300b5a4463bc08679d34c05f23fb SHA512 15307c17ba26bc6db917dc50497115bddfd537d3c3919b1ab39da553379840729d596eed8cc8168bcb660fa292f55916edef3efa2c45a6c7ae65cf755fee3536 WHIRLPOOL 1ad2d3e6d626d4725c465eb96253454e29a55be235ef9e991b1c1c1f0be7f71ac367cede5a8a15f982d6e138859105e4f1b75e2c9cdc91544f07e4448aaeebde
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0
+
+iQJ8BAEBCABmBQJVS7/0XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
+ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRFMTYyREVBRDFDQ0REMTEzRjA0QjNENDky
+QkJFRDlDQjFBNjhFRjU1AAoJECu+2csaaO9VqYwQALbbn/k1pumHxfwwR/JlThp3
+V/Hzz7TG1ZmWJrJJO1LWbFRBT4igdwgvByXmkxzHMKyl8FxiAZJlF8ImTfNQ8JEt
+ezl4g/DVmWOp8dgUWfvxo4RfaB2IiKusR6ukOOHbJ/+rm8iiP7S0+rqbZjinKpPf
+BqJhwuuJYAM6qkq52MUM7Kr2wxTEAIDC80orxALpDlZrlO5eKxDDjOU3VctzJou7
+XPMCg+O1cShn4gSOHaf+RDp7ECOPL2/nWsnoTgteHpaygXmICfsN0P7RSRKvk4A/
+3kkyrHZAD8BJj2EmbRF5TGNDh1nvAajkUUsnzLxnPThYH8MKqmrnA0fVLGE8Yz3S
+ZQI6Q36wKqFRlhaDbE+rBoP4T5ZqmNeJ2kqB2vpNw7xmY2ssxRhP3fM+7RIAh1hm
+G5EZxYk1iZZZZYJGePb5SK0FWlOGIkp0Y5Z2dm9m7oyQaJgXQqqZ1xDpYIQ1tMGr
+AQ4GOR+OFft8bN33YJT4BBZH6ZNdk8RnbJAlQvyFkQ5sVfPccV8ttUhpdtPaHqam
+HhBhjgGm9u8kBORqgvhb0CfbPgTYycRE8pnOiq2owCglKQXc4NKeqF2y7kDu5Kbt
+1xPmyCEwco/Ij1FyDR2BOE2zzMmiRqMsfShnILv3hoorFrvx7OPTSzCn0Rb+n/TF
+Dcsy8Q23QJPhzO6RS32O
+=DWK2
+-----END PGP SIGNATURE-----
diff --git a/sys-boot/tboot/files/tboot-1.8.2-disable-pcid.patch b/sys-boot/tboot/files/tboot-1.8.2-disable-pcid.patch
new file mode 100644
index 000000000000..383338e69933
--- /dev/null
+++ b/sys-boot/tboot/files/tboot-1.8.2-disable-pcid.patch
@@ -0,0 +1,26 @@
+diff -ur tboot-1.8.2.orig/tboot/common/shutdown.S tboot-1.8.2/tboot/common/shutdown.S
+--- tboot-1.8.2.orig/tboot/common/shutdown.S 2014-07-28 12:24:22.000000000 +0400
++++ tboot-1.8.2/tboot/common/shutdown.S 2015-05-07 03:05:47.300985413 +0400
+@@ -34,6 +34,11 @@
+ */
+
+ compat_mode_entry:
++ /* Disable PCID */
++ movl %cr4, %eax
++ andl $~CR4_PCIDE, %eax
++ movl %eax, %cr4
++
+ /* Disable paging and therefore leave 64 bit mode. */
+ movl %cr0, %eax
+ andl $~CR0_PG, %eax
+diff -ur tboot-1.8.2.orig/tboot/include/processor.h tboot-1.8.2/tboot/include/processor.h
+--- tboot-1.8.2.orig/tboot/include/processor.h 2014-07-28 12:24:22.000000000 +0400
++++ tboot-1.8.2/tboot/include/processor.h 2015-05-07 03:04:58.721244858 +0400
+@@ -92,6 +92,7 @@
+ #define CR4_XMM 0x00000400 /* enable SIMD/MMX2 to use except 16 */
+ #define CR4_VMXE 0x00002000/* enable VMX */
+ #define CR4_SMXE 0x00004000/* enable SMX */
++#define CR4_PCIDE 0x00020000/* enable PCID */
+
+ #ifndef __ASSEMBLY__
+
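Review bot: The `/* Disable PCID */` comment added at `compat_mode_entry` in shutdown.S says what the three instructions do, but not why they must come before the paging teardown that follows. On x86 a write to CR0 that clears PG while CR4.PCIDE is still set raises #GP, so if the launched kernel enabled PCID (the ebuild names PaX) the shutdown path would presumably fault at the `andl $~CR0_PG` sequence without this. I would spell that out, e.g. `/* Clear CR4.PCIDE first: clearing CR0.PG while PCIDE=1 raises #GP */`, so the ordering survives a later rebase against upstream. The `CR4_PCIDE 0x00020000` value matches bit 17 of CR4; `compat_mode_entry` continues past the end of the inner hunk.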
diff --git a/sys-boot/tboot/files/tboot-1.8.2-genkernel_arch.patch b/sys-boot/tboot/files/tboot-1.8.2-genkernel_arch.patch
new file mode 100644
index 000000000000..7fdcad652e03
--- /dev/null
+++ b/sys-boot/tboot/files/tboot-1.8.2-genkernel_arch.patch
@@ -0,0 +1,57 @@
+diff -ru tboot-1.8.2.orig/tboot/20_linux_tboot tboot-1.8.2/tboot/20_linux_tboot
+--- tboot-1.8.2.orig/tboot/20_linux_tboot 2014-08-02 00:18:58.397147454 +0400
++++ tboot-1.8.2/tboot/20_linux_tboot 2014-08-02 00:20:09.766700748 +0400
+@@ -121,6 +121,15 @@
+ EOF
+ }
+
++machine=`uname -m`
++case "$machine" in
++ i?86) GENKERNEL_ARCH="x86" ;;
++ mips|mips64) GENKERNEL_ARCH="mips" ;;
++ mipsel|mips64el) GENKERNEL_ARCH="mipsel" ;;
++ arm*) GENKERNEL_ARCH="arm" ;;
++ *) GENKERNEL_ARCH="$machine" ;;
++esac
++
+ linux_list=`for i in /boot/vmlinu[xz]-* /vmlinu[xz]-* ; do
+ basename=$(basename $i)
+ version=$(echo $basename | sed -e "s,^[^0-9]*-,,g")
+@@ -159,6 +168,8 @@
+ "initrd-${version}" "initramfs-${version}.img" \
+ "initrd.img-${alt_version}" "initrd-${alt_version}.img" \
+ "initrd-${alt_version}" "initramfs-${alt_version}.img" \
++ "initramfs-genkernel-${GENKERNEL_ARCH}-${version}" \
++ "initramfs-genkernel-${GENKERNEL_ARCH}-${alt_version}" \
+ "initramfs-genkernel-${version}" \
+ "initramfs-genkernel-${alt_version}"; do
+ if test -e "${dirname}/${i}" ; then
+diff -ru tboot-1.8.2.orig/tboot/20_linux_xen_tboot tboot-1.8.2/tboot/20_linux_xen_tboot
+--- tboot-1.8.2.orig/tboot/20_linux_xen_tboot 2014-08-02 00:18:58.397147454 +0400
++++ tboot-1.8.2/tboot/20_linux_xen_tboot 2014-08-02 00:21:12.840438230 +0400
+@@ -147,6 +147,16 @@
+ if [ "x${linux_list}" = "x" ] ; then
+ exit 0
+ fi
++
++machine=`uname -m`
++case "$machine" in
++ i?86) GENKERNEL_ARCH="x86" ;;
++ mips|mips64) GENKERNEL_ARCH="mips" ;;
++ mipsel|mips64el) GENKERNEL_ARCH="mipsel" ;;
++ arm*) GENKERNEL_ARCH="arm" ;;
++ *) GENKERNEL_ARCH="$machine" ;;
++esac
++
+ xen_list=`for i in /boot/xen*; do
+ if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi
+ done`
+@@ -188,6 +198,8 @@
+ for i in "initrd.img-${version}" "initrd-${version}.img" \
+ "initrd-${version}" "initrd.img-${alt_version}" \
+ "initrd-${alt_version}.img" "initrd-${alt_version}" \
++ "initramfs-genkernel-${GENKERNEL_ARCH}-${version}" \
++ "initramfs-genkernel-${GENKERNEL_ARCH}-${alt_version}" \
+ "initramfs-genkernel-${version}" \
+ "initramfs-genkernel-${alt_version}" ; do
+ if test -e "${dirname}/${i}" ; then
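Review bot: The new `initramfs-genkernel-${GENKERNEL_ARCH}-${version}` candidates are listed ahead of the unqualified `initramfs-genkernel-${version}` names in both 20_linux_tboot and 20_linux_xen_tboot. When both files exist in `${dirname}`, the arch-qualified one therefore becomes the initrd in the tboot menu entry, assuming the loop stops at the first `test -e` hit, which lies outside the hunk. The initrd is one of the modules a launch policy would typically cover, so the precedence deserves a comment above the candidate list, e.g. `# arch-qualified genkernel initramfs is preferred over the unqualified name`. The `case "$machine"` block is also duplicated verbatim in the two scripts; a comment such as `# keep in sync with the same mapping in 20_linux_xen_tboot` on each copy would help stop them drifting apart.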
diff --git a/sys-boot/tboot/files/tboot-1.8.2-stack-check-no.patch b/sys-boot/tboot/files/tboot-1.8.2-stack-check-no.patch
new file mode 100644
index 000000000000..5d2ea6296343
--- /dev/null
+++ b/sys-boot/tboot/files/tboot-1.8.2-stack-check-no.patch
@@ -0,0 +1,11 @@
+diff -ur tboot-1.8.2.orig/tboot/Config.mk tboot-1.8.2/tboot/Config.mk
+--- tboot-1.8.2.orig/tboot/Config.mk 2014-07-28 12:24:21.000000000 +0400
++++ tboot-1.8.2/tboot/Config.mk 2015-05-05 02:14:26.333222301 +0400
+@@ -30,6 +30,7 @@
+ CFLAGS += $(call cc-option,$(CC),-nopie,)
+ CFLAGS += $(call cc-option,$(CC),-fno-stack-protector,)
+ CFLAGS += $(call cc-option,$(CC),-fno-stack-protector-all,)
++CFLAGS += $(call cc-option,$(CC),-fstack-check=no,)
+
+ # changeset variable for banner
+ CFLAGS += -DTBOOT_CHANGESET=\""$(shell ((hg parents --template "{isodate|isodate} {rev}:{node|short}" >/dev/null && hg parents --template "{isodate|isodate} {rev}:{node|short}") || echo "2014-07-28 12:00 +0800 1.8.2") 2>/dev/null)"\"
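Review bot: The added `-fstack-check=no` line in Config.mk carries no comment, and the only rationale on the page is the ebuild's `# breaks with ssp`, which names a different feature. SSP is `-fstack-protector`, already switched off two lines earlier, whereas `-fstack-check` is stack probing. A comment next to the flag, along the lines of `# -fstack-check is stack probing, not SSP; disabled because <observed build/runtime failure>`, would record why another compiler hardening option is turned off for the pre-kernel module. This presumably targets a toolchain that enables stack checking by default, but the page does not say which failure was seen.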
diff --git a/sys-boot/tboot/metadata.xml b/sys-boot/tboot/metadata.xml
new file mode 100644
index 000000000000..51ab1be5c3d8
--- /dev/null
+++ b/sys-boot/tboot/metadata.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer>
+ <email>perfinion@gentoo.org</email>
+ <name>Jason Zaman</name>
+ </maintainer>
+
+ <longdescription lang="en">
+ A pre-kernel/VMM module that uses Intel(R) Trusted Execution Technology to perform a measured and verified launch of an OS kernel/VMM.
+ </longdescription>
+</pkgmetadata>
diff --git a/sys-boot/tboot/tboot-1.8.3.ebuild b/sys-boot/tboot/tboot-1.8.3.ebuild
new file mode 100644
index 000000000000..1a00cfc87a89
--- /dev/null
+++ b/sys-boot/tboot/tboot-1.8.3.ebuild
@@ -0,0 +1,72 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-boot/tboot/tboot-1.8.3.ebuild,v 1.1 2015/05/07 19:41:35 perfinion Exp $
+
+EAPI=5
+
+inherit flag-o-matic mount-boot
+
+DESCRIPTION="A module that uses Intel(R) Trusted Execution Technology to perform a measured and verified boot"
+HOMEPAGE="http://sourceforge.net/projects/tboot/"
+SRC_URI="mirror://sourceforge/${PN}/${P}.tar.gz"
+
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="~amd64 ~x86 -*"
+IUSE="custom-cflags"
+
+RESTRICT="test" # test is restricted because it requires patching the kernel src
+
+DEPEND="app-crypt/trousers
+app-crypt/tpm-tools"
+
+RDEPEND="${DEPEND}
+sys-boot/grub:2"
+
+DOCS=(README COPYING CHANGELOG)
+
+src_prepare() {
+ epatch "${FILESDIR}/tboot-1.8.2-genkernel_arch.patch"
+ epatch "${FILESDIR}/tboot-1.8.2-stack-check-no.patch" # breaks with ssp
+ epatch "${FILESDIR}/tboot-1.8.2-disable-pcid.patch" # PaX enables pcid
+
+ sed -i 's/ -Werror//g' Config.mk || die
+ sed -i 's/^INSTALL_STRIP = -s$//' Config.mk || die # QA Errors
+
+ epatch_user
+}
+
+src_compile() {
+ use custom-cflags && export TBOOT_CFLAGS=${CFLAGS} || unset CCASFLAGS CFLAGS CPPFLAGS LDFLAGS
+
+ if use amd64; then
+ MAKEARGS="TARGET_ARCH=x86_64"
+ else
+ MAKEARGS="TARGET_ARCH=i686"
+ fi
+
+ emake debug=y ${MAKEARGS} build
+}
+
+src_install() {
+ emake DISTDIR="${D}" install
+
+ dodoc "${DOCS[@]}"
+ dodoc docs/*.txt lcptools/*.{txt,pdf} || die "docs failed"
+
+ cd "${D}"
+ mkdir -p usr/lib/tboot/ || die
+ mv boot usr/lib/tboot/ || die
+}
+
+pkg_postinst() {
+ mount-boot_mount_boot_partition
+
+ cp ${ROOT%/}/usr/lib/tboot/boot/* ${ROOT%/}/boot/
+
+ mount-boot_pkg_postinst
+
+ ewarn "Please remember to download the SINIT AC Module relevant"
+ ewarn "for your platform from:"
+ ewarn "http://software.intel.com/en-us/articles/intel-trusted-execution-technology/"
+}
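Review bot: In `pkg_postinst` the `cp ${ROOT%/}/usr/lib/tboot/boot/* ${ROOT%/}/boot/` line is unquoted and its exit status is ignored, so a full or read-only /boot leaves the previous (or no) tboot image in place while the merge still reports success. For a measured-launch component, that means the machine can keep booting an image that does not match the installed package without anyone noticing. I would write `cp "${ROOT%/}"/usr/lib/tboot/boot/* "${ROOT%/}"/boot/ || ewarn "could not copy tboot images to ${ROOT%/}/boot"` (or `|| die`), and likewise add `|| die` to `cd "${D}"` in `src_install`.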