Re: [PATCH v13 0/8] tpm: Support boot measurements

20 Oct 2023

      Hi Eddie,
Does the series compile for you against -master?
For qemu_arm64_defonfig I am getting compilation errors both locally
and on the CI
https://source.denx.de/u-boot/custodians/u-boot-tpm/-/jobs/717362#L39
Thanks
/Ilias
On Thu, 19 Oct 2023 at 19:45, Ilias Apalodimas
ilias.apalodimas@linaro.org wrote:
...
Thanks Eddie
I've queued this up on public CI.  I also have an internal one, this
one failed to add the TF-A eventlog, but everything else looks fine.
I'll have a look tomorrow, but since this used to work on earlier
versions I suspect it's going to be trivial to fix
Cheers
/Ilias
On Thu, 19 Oct 2023 at 19:21, Eddie James eajames@linux.ibm.com wrote:
...
This series adds support for measuring the boot images more generically
than the existing EFI support. Several EFI functions have been moved to
the TPM layer. The series includes optional measurement from the bootm
command.
A new test case has been added for the bootm measurement to test the new
path, and the sandbox TPM2 driver has been updated to support this use
case.
Changes since v12:

Rebase on master.
Add detail to documentation.

Changes since v11:

Rebase on next. Sorry for the delay (been on leave).

Changes since v10:

Fix commit message on efi_loader change
Drop python test change
Squash armv7 fix from Ilias

Changes since v9:

Rebase and add Ilias' fixes (thanks!)

Changes since v8:

Fix a sandbox driver off-by-one error in checking the property type.
Fix log parsing again - any data corruption seen while replaying the
event log was failing the entire measurement.
Added an option to ignore the existing log and a configuration option
for systems to select that for the bootm measurement. This would only
be selected for systems that know that U-Boot is the first stage
bootloader. This is necessary because the reserved memory region may
persist through resets and so U-Boot attempts to append to the
previous boot's log.

Changes since v7:

Change name of tcg2_init_log and add more documentation
Add a check, when parsing the event log header, to ensure that the
previous stage bootloader used all the active PCRs.
Change name of tcg2_log_find_end
Fix the greater than or equal to check to exit the log parsing
Make sure log_position is 0 if there is any error discovering the log
Return errors parsing the log if the data is corrupt so that we don't
end up with half a log

Changes since v6:

Added comment for bootm_measure
Fixed line length in bootm_measure
Added Linaro copyright for all the EFI moved code
Changed tcg2_init_log (and by extension, tcg2_measurement_init) to
copy any discovered event log to the user's log if passed in.

Changes since v5:

Re-ordered the patches to put the sandbox TPM driver patch second
Remove unused platform_get_eventlog in efi_tcg2.c
First look for tpm_event_log_* properties instead of linux,sml-*
Fix efi_tcg2.c compilation
Select SHA* configs
Remove the !SANDBOX dependency for EFI TCG2
Only compile in the measurement u-boot command when CONFIG_MEASURED_BOOT
is enabled

Changes since v4:

Remove tcg2_measure_event function and check for NULL data in
tcg2_measure_data
Use tpm_auto_startup
Fix efi_tcg2.c compilation for removing tcg2_pcr_read function
Change PCR indexes for initrd and dtb
Drop u8 casting in measurement test
Use bullets in documentation

Changes since v3:

Reordered headers
Refactored more of EFI code into common code
 Removed digest_info structure and instead used the common alg_to_mask
   and alg_to_len
 Improved event log parsing in common code to get it equivalent to EFI
   Common code now extends PCR if previous bootloader stage couldn't
   No need to allocate memory in the common code, so EFI copies the
   discovered buffer like it did before
 Rename efi measure_event function

Changes since v2:

Add documentation.
Changed reserved memory address to the top of the RAM for sandbox dts.
Add measure state to booti and bootz.
Skip measurement for EFI images that should be measured

Changes since v1:

Refactor TPM layer functions to allow EFI system to use them, and
remove duplicate EFI functions.
Add test case
Drop #ifdefs for bootm
Add devicetree measurement config option
Update sandbox TPM driver

Eddie James (6):
  tpm: Fix spelling for tpmu_ha union
  tpm: sandbox: Update for needed TPM2 capabilities
  tpm: Support boot measurements
  bootm: Support boot measurement
  test: Add sandbox TPM boot measurement
  doc: Add measured boot documentation
Ilias Apalodimas (2):
  efi_loader: fix EFI_ENTRY point on get_active_pcr_banks
  test: use a non system PCR for testing PCR extend
arch/sandbox/dts/sandbox.dtsi  |  13 +
 arch/sandbox/dts/test.dts      |  13 +
 boot/Kconfig                   |  32 ++
 boot/bootm.c                   |  74 +++
 cmd/booti.c                    |   1 +
 cmd/bootm.c                    |   2 +
 cmd/bootz.c                    |   1 +
 configs/sandbox_defconfig      |   1 +
 doc/usage/index.rst            |   1 +
 doc/usage/measured_boot.rst    |  23 +
 drivers/tpm/tpm2_tis_sandbox.c | 100 ++--
 include/bootm.h                |  11 +
 include/efi_tcg2.h             |  44 --
 include/image.h                |   1 +
 include/test/suites.h          |   1 +
 include/tpm-v2.h               | 263 ++++++++++-
 lib/Kconfig                    |   4 +
 lib/efi_loader/Kconfig         |   2 -
 lib/efi_loader/efi_tcg2.c      | 823 ++++-----------------------------
 lib/tpm-v2.c                   | 814 ++++++++++++++++++++++++++++++++
 test/boot/Makefile             |   1 +
 test/boot/measurement.c        |  66 +++
 test/cmd_ut.c                  |   4 +
 test/py/tests/test_tpm2.py     |  16 +-
 24 files changed, 1482 insertions(+), 829 deletions(-)
 create mode 100644 doc/usage/measured_boot.rst
 create mode 100644 test/boot/measurement.c
--
2.39.3