Re: [PATCH v5 0/6] tpm: Support boot measurements

22 Feb 2023

      Hi Eddie,
On Tue, Feb 21, 2023 at 04:38:58PM -0600, Eddie James wrote:
...
On 2/6/23 06:20, Ilias Apalodimas wrote:
...
Thanks Eddie,
I quickly tested this but the EFI subsystem fails to initialize the TCG
protocol properly now.  Unfortunately I am on a business trip and I won't
be able to take a look into why till next week
Hi Ilias,
I haven't had the opportunity to test this, have you?
Thanks,
Eddie
...
Cheers
/Ilias
Still going through the code so bear with me.
It seems that the EFI failure is coming from tcg2_platform_get_log()
specifically if none of linux,sml-base nor tpm_event_log_addr if present in
the dtb.
One thing we should change here is look for tpm_event_log_addr first.  The
reason is that this is a very 'special' case in which TF-A fills in an
eventlog for us, while linux,sml-base is more generic so I'd rather
explicitly prefer TF-A id it prepared an eventlog for us.
On the failure now, if none of the nodes is present we are looking for
'memory-region' within the TPM node?  Looking at the DT specs the tpm
should only support "compatible, label, linux,sml-base/size' am I missing
something?
I also had to apply [0] for this to compile.  You can 'easily' test the EFI
changes by doing a 'printenv -e'.  This will at least initialize the efi
subsystem and install the needed EFI tables (you need CMD_NVEDIT_EFI=y)
[0] https://source.denx.de/u-boot/custodians/u-boot-tpm/-/commit/d473596cd690011...
Hope this helps a bit. Let me know if I can help in any other way.
Don't bother *testing* the eventlog for EFI on a full linux boot. I'll run
that on v6
/Ilias
...
...
On Thu, Feb 02, 2023 at 11:05:25AM -0600, Eddie James wrote:
...
This series adds support for measuring the boot images more generically
than the existing EFI support. Several EFI functions have been moved to
the TPM layer. The series includes optional measurement from the bootm
command.
A new test case has been added for the bootm measurement to test the new
path, and the sandbox TPM2 driver has been updated to support this use
case.
This series is based on Ilias' auto-startup series:
https://lore.kernel.org/u-boot/20230126081844.591148-1-ilias.apalodimas@lina...
Changes since v4:

Remove tcg2_measure_event function and check for NULL data in
tcg2_measure_data
Use tpm_auto_startup
Fix efi_tcg2.c compilation for removing tcg2_pcr_read function
Change PCR indexes for initrd and dtb
Drop u8 casting in measurement test
Use bullets in documentation

Changes since v3:

Reordered headers
Refactored more of EFI code into common code
 Removed digest_info structure and instead used the common alg_to_mask
   and alg_to_len
 Improved event log parsing in common code to get it equivalent to EFI
   Common code now extends PCR if previous bootloader stage couldn't
   No need to allocate memory in the common code, so EFI copies the
   discovered buffer like it did before
 Rename efi measure_event function

Changes since v2:

Add documentation.
Changed reserved memory address to the top of the RAM for sandbox dts.
Add measure state to booti and bootz.
Skip measurement for EFI images that should be measured

Changes since v1:

Refactor TPM layer functions to allow EFI system to use them, and
remove duplicate EFI functions.
Add test case
Drop #ifdefs for bootm
Add devicetree measurement config option
Update sandbox TPM driver

Eddie James (6):
   tpm: Fix spelling for tpmu_ha union
   tpm: Support boot measurements
   bootm: Support boot measurement
   tpm: sandbox: Update for needed TPM2 capabilities
   test: Add sandbox TPM boot measurement
   doc: Add measured boot documentation
arch/sandbox/dts/sandbox.dtsi  |   14 +
  arch/sandbox/dts/test.dts      |   13 +
  boot/Kconfig                   |   23 +
  boot/bootm.c                   |   70 +++
  cmd/booti.c                    |    1 +
  cmd/bootm.c                    |    2 +
  cmd/bootz.c                    |    1 +
  configs/sandbox_defconfig      |    1 +
  doc/usage/index.rst            |    1 +
  doc/usage/measured_boot.rst    |   23 +
  drivers/tpm/tpm2_tis_sandbox.c |  100 +++-
  include/bootm.h                |    2 +
  include/efi_tcg2.h             |   44 --
  include/image.h                |    1 +
  include/test/suites.h          |    1 +
  include/tpm-v2.h               |  246 +++++++-
  lib/efi_loader/efi_tcg2.c      | 1010 +++-----------------------------
  lib/tpm-v2.c                   |  771 ++++++++++++++++++++++++
  test/boot/Makefile             |    1 +
  test/boot/measurement.c        |   66 +++
  test/cmd_ut.c                  |    2 +
  21 files changed, 1383 insertions(+), 1010 deletions(-)
  create mode 100644 doc/usage/measured_boot.rst
  create mode 100644 test/boot/measurement.c
--
2.31.1