[PATCH v5 0/6] tpm: Support boot measurements
Eddie James
eajames at linux.ibm.com
Wed Feb 22 18:47:27 CET 2023
On 2/21/23 23:36, Joel Stanley wrote:
> On Thu, 2 Feb 2023 at 17:08, Eddie James <eajames at linux.ibm.com> wrote:
>> This series adds support for measuring the boot images more generically
>> than the existing EFI support. Several EFI functions have been moved to
>> the TPM layer. The series includes optional measurement from the bootm
>> command.
>> A new test case has been added for the bootm measurement to test the new
>> path, and the sandbox TPM2 driver has been updated to support this use
>> case.
>> This series is based on Ilias' auto-startup series:
>> https://lore.kernel.org/u-boot/20230126081844.591148-1-ilias.apalodimas@linaro.org/
> Nice work Eddie. It looks like you're closing in on the issues Ilias
> and Simon have.
>
> I did some testing and found some missing dependencies from running
> 'make check':
>
> sandbox_spl: +make O=/home/joel/dev/u-boot/upstream/build-sandbox_spl
> -s sandbox_spl_defconfig
> +make O=/home/joel/dev/u-boot/upstream/build-sandbox_spl -s -j8
> /usr/bin/ld: warning: test/overlay/test-fdt-overlay-stacked.dtb.o:
> missing .note.GNU-stack section implies executable stack
> /usr/bin/ld: NOTE: This behaviour is deprecated and will be removed in
> a future version of the linker
> /usr/bin/ld: /tmp/cc8cNroX.ltrans22.ltrans.o:(.data.rel+0x440):
> undefined reference to `do_ut_measurement'
> collect2: error: ld returned 1 exit status
> make[2]: *** [/home/joel/dev/u-boot/upstream/Makefile:1752: u-boot] Error 1
>
> There's a few variants of the sandbox defconfig. I'm not sure if we
> want to exclude the measurement code from those configs, or add it to
> the configs.
Thanks Joel. I feel the right thing here would be to only build the
measurement test when CONFIG_MEASURED_BOOT is enabled, so I'll make that
change.
>
> When fixing them up to add CONFIG_MEASURED_BOOT=y we still fail to link:
>
> sandbox_spl: +make O=/home/joel/dev/u-boot/upstream/build-sandbox_spl
> -s sandbox_spl_defconfig
> +make O=/home/joel/dev/u-boot/upstream/build-sandbox_spl -s -j8
> /usr/bin/ld: warning: test/overlay/test-fdt-overlay-stacked.dtb.o:
> missing .note.GNU-stack section implies executable stack
> /usr/bin/ld: NOTE: This behaviour is deprecated and will be removed in
> a future version of the linker
> /usr/bin/ld: /tmp/ccRuOSFi.ltrans17.ltrans.o: in function `tcg2_create_digest':
> /home/joel/dev/u-boot/upstream/build-sandbox_spl/../lib/tpm-v2.c:112:
> undefined reference to `sha512_starts'
> /usr/bin/ld: /home/joel/dev/u-boot/upstream/build-sandbox_spl/../lib/tpm-v2.c:113:
> undefined reference to `sha512_update'
> /usr/bin/ld: /home/joel/dev/u-boot/upstream/build-sandbox_spl/../lib/tpm-v2.c:114:
> undefined reference to `sha512_finish'
> /usr/bin/ld: /home/joel/dev/u-boot/upstream/build-sandbox_spl/../lib/tpm-v2.c:106:
> undefined reference to `sha384_starts'
> /usr/bin/ld: /home/joel/dev/u-boot/upstream/build-sandbox_spl/../lib/tpm-v2.c:107:
> undefined reference to `sha384_update'
> /usr/bin/ld: /home/joel/dev/u-boot/upstream/build-sandbox_spl/../lib/tpm-v2.c:108:
> undefined reference to `sha384_finish'
> collect2: error: ld returned 1 exit status
>
> This sorted that out for me:
>
> --- a/lib/Kconfig
> +++ b/lib/Kconfig
> @@ -411,6 +411,8 @@ config TPM
> bool "Trusted Platform Module (TPM) Support"
> depends on DM
> imply DM_RNG
> + select SHA512
> + select SHA384
>
> The tree I tested with is here:
> https://github.com/shenki/u-boot/commits/measured-boot
Thanks, I'll select those.
Eddie
>
> Cheers,
>
> Joel
>
>> Changes since v4:
>> - Remove tcg2_measure_event function and check for NULL data in
>> tcg2_measure_data
>> - Use tpm_auto_startup
>> - Fix efi_tcg2.c compilation for removing tcg2_pcr_read function
>> - Change PCR indexes for initrd and dtb
>> - Drop u8 casting in measurement test
>> - Use bullets in documentation
>>
>> Changes since v3:
>> - Reordered headers
>> - Refactored more of EFI code into common code
>> Removed digest_info structure and instead used the common alg_to_mask
>> and alg_to_len
>> Improved event log parsing in common code to get it equivalent to EFI
>> Common code now extends PCR if previous bootloader stage couldn't
>> No need to allocate memory in the common code, so EFI copies the
>> discovered buffer like it did before
>> Rename efi measure_event function
>>
>> Changes since v2:
>> - Add documentation.
>> - Changed reserved memory address to the top of the RAM for sandbox dts.
>> - Add measure state to booti and bootz.
>> - Skip measurement for EFI images that should be measured
>>
>> Changes since v1:
>> - Refactor TPM layer functions to allow EFI system to use them, and
>> remove duplicate EFI functions.
>> - Add test case
>> - Drop #ifdefs for bootm
>> - Add devicetree measurement config option
>> - Update sandbox TPM driver
>>
>> Eddie James (6):
>> tpm: Fix spelling for tpmu_ha union
>> tpm: Support boot measurements
>> bootm: Support boot measurement
>> tpm: sandbox: Update for needed TPM2 capabilities
>> test: Add sandbox TPM boot measurement
>> doc: Add measured boot documentation
>>
>> arch/sandbox/dts/sandbox.dtsi | 14 +
>> arch/sandbox/dts/test.dts | 13 +
>> boot/Kconfig | 23 +
>> boot/bootm.c | 70 +++
>> cmd/booti.c | 1 +
>> cmd/bootm.c | 2 +
>> cmd/bootz.c | 1 +
>> configs/sandbox_defconfig | 1 +
>> doc/usage/index.rst | 1 +
>> doc/usage/measured_boot.rst | 23 +
>> drivers/tpm/tpm2_tis_sandbox.c | 100 +++-
>> include/bootm.h | 2 +
>> include/efi_tcg2.h | 44 --
>> include/image.h | 1 +
>> include/test/suites.h | 1 +
>> include/tpm-v2.h | 246 +++++++-
>> lib/efi_loader/efi_tcg2.c | 1010 +++-----------------------------
>> lib/tpm-v2.c | 771 ++++++++++++++++++++++++
>> test/boot/Makefile | 1 +
>> test/boot/measurement.c | 66 +++
>> test/cmd_ut.c | 2 +
>> 21 files changed, 1383 insertions(+), 1010 deletions(-)
>> create mode 100644 doc/usage/measured_boot.rst
>> create mode 100644 test/boot/measurement.c
>>
>> --
>> 2.31.1
>>
More information about the U-Boot
mailing list