This series adds support for measuring the boot images more generically than the existing EFI support. Several EFI functions have been moved to the TPM layer. The series includes optional measurement from the bootm command. A new test case has been added for the bootm measurement to test the new path, and the sandbox TPM2 driver has been updated to support this use case.
Changes since v12: - Rebase on master. - Add detail to documentation.
Changes since v11: - Rebase on next. Sorry for the delay (been on leave).
Changes since v10: - Fix commit message on efi_loader change - Drop python test change - Squash armv7 fix from Ilias
Changes since v9: - Rebase and add Ilias' fixes (thanks!)
Changes since v8: - Fix a sandbox driver off-by-one error in checking the property type. - Fix log parsing again - any data corruption seen while replaying the event log was failing the entire measurement. - Added an option to ignore the existing log and a configuration option for systems to select that for the bootm measurement. This would only be selected for systems that know that U-Boot is the first stage bootloader. This is necessary because the reserved memory region may persist through resets and so U-Boot attempts to append to the previous boot's log.
Changes since v7: - Change name of tcg2_init_log and add more documentation - Add a check, when parsing the event log header, to ensure that the previous stage bootloader used all the active PCRs. - Change name of tcg2_log_find_end - Fix the greater than or equal to check to exit the log parsing - Make sure log_position is 0 if there is any error discovering the log - Return errors parsing the log if the data is corrupt so that we don't end up with half a log
Changes since v6: - Added comment for bootm_measure - Fixed line length in bootm_measure - Added Linaro copyright for all the EFI moved code - Changed tcg2_init_log (and by extension, tcg2_measurement_init) to copy any discovered event log to the user's log if passed in.
Changes since v5: - Re-ordered the patches to put the sandbox TPM driver patch second - Remove unused platform_get_eventlog in efi_tcg2.c - First look for tpm_event_log_* properties instead of linux,sml-* - Fix efi_tcg2.c compilation - Select SHA* configs - Remove the !SANDBOX dependency for EFI TCG2 - Only compile in the measurement u-boot command when CONFIG_MEASURED_BOOT is enabled
Changes since v4: - Remove tcg2_measure_event function and check for NULL data in tcg2_measure_data - Use tpm_auto_startup - Fix efi_tcg2.c compilation for removing tcg2_pcr_read function - Change PCR indexes for initrd and dtb - Drop u8 casting in measurement test - Use bullets in documentation
Changes since v3: - Reordered headers - Refactored more of EFI code into common code Removed digest_info structure and instead used the common alg_to_mask and alg_to_len Improved event log parsing in common code to get it equivalent to EFI Common code now extends PCR if previous bootloader stage couldn't No need to allocate memory in the common code, so EFI copies the discovered buffer like it did before Rename efi measure_event function
Changes since v2: - Add documentation. - Changed reserved memory address to the top of the RAM for sandbox dts. - Add measure state to booti and bootz. - Skip measurement for EFI images that should be measured
Changes since v1: - Refactor TPM layer functions to allow EFI system to use them, and remove duplicate EFI functions. - Add test case - Drop #ifdefs for bootm - Add devicetree measurement config option - Update sandbox TPM driver
Eddie James (6): tpm: Fix spelling for tpmu_ha union tpm: sandbox: Update for needed TPM2 capabilities tpm: Support boot measurements bootm: Support boot measurement test: Add sandbox TPM boot measurement doc: Add measured boot documentation
Ilias Apalodimas (2): efi_loader: fix EFI_ENTRY point on get_active_pcr_banks test: use a non system PCR for testing PCR extend
arch/sandbox/dts/sandbox.dtsi | 13 + arch/sandbox/dts/test.dts | 13 + boot/Kconfig | 32 ++ boot/bootm.c | 74 +++ cmd/booti.c | 1 + cmd/bootm.c | 2 + cmd/bootz.c | 1 + configs/sandbox_defconfig | 1 + doc/usage/index.rst | 1 + doc/usage/measured_boot.rst | 23 + drivers/tpm/tpm2_tis_sandbox.c | 100 ++-- include/bootm.h | 11 + include/efi_tcg2.h | 44 -- include/image.h | 1 + include/test/suites.h | 1 + include/tpm-v2.h | 263 ++++++++++- lib/Kconfig | 4 + lib/efi_loader/Kconfig | 2 - lib/efi_loader/efi_tcg2.c | 823 ++++----------------------------- lib/tpm-v2.c | 814 ++++++++++++++++++++++++++++++++ test/boot/Makefile | 1 + test/boot/measurement.c | 66 +++ test/cmd_ut.c | 4 + test/py/tests/test_tpm2.py | 16 +- 24 files changed, 1482 insertions(+), 829 deletions(-) create mode 100644 doc/usage/measured_boot.rst create mode 100644 test/boot/measurement.c