[PATCH v13 0/8] tpm: Support boot measurements
Ilias Apalodimas
ilias.apalodimas at linaro.org
Fri Oct 20 00:49:21 CEST 2023
Hi Eddie,
Does the series compile for you against -master?
For qemu_arm64_defonfig I am getting compilation errors both locally
and on the CI
https://source.denx.de/u-boot/custodians/u-boot-tpm/-/jobs/717362#L39
Thanks
/Ilias
On Thu, 19 Oct 2023 at 19:45, Ilias Apalodimas
<ilias.apalodimas at linaro.org> wrote:
>
> Thanks Eddie
>
> I've queued this up on public CI. I also have an internal one, this
> one failed to add the TF-A eventlog, but everything else looks fine.
> I'll have a look tomorrow, but since this used to work on earlier
> versions I suspect it's going to be trivial to fix
>
> Cheers
> /Ilias
>
> On Thu, 19 Oct 2023 at 19:21, Eddie James <eajames at linux.ibm.com> wrote:
> >
> > This series adds support for measuring the boot images more generically
> > than the existing EFI support. Several EFI functions have been moved to
> > the TPM layer. The series includes optional measurement from the bootm
> > command.
> > A new test case has been added for the bootm measurement to test the new
> > path, and the sandbox TPM2 driver has been updated to support this use
> > case.
> >
> > Changes since v12:
> > - Rebase on master.
> > - Add detail to documentation.
> >
> > Changes since v11:
> > - Rebase on next. Sorry for the delay (been on leave).
> >
> > Changes since v10:
> > - Fix commit message on efi_loader change
> > - Drop python test change
> > - Squash armv7 fix from Ilias
> >
> > Changes since v9:
> > - Rebase and add Ilias' fixes (thanks!)
> >
> > Changes since v8:
> > - Fix a sandbox driver off-by-one error in checking the property type.
> > - Fix log parsing again - any data corruption seen while replaying the
> > event log was failing the entire measurement.
> > - Added an option to ignore the existing log and a configuration option
> > for systems to select that for the bootm measurement. This would only
> > be selected for systems that know that U-Boot is the first stage
> > bootloader. This is necessary because the reserved memory region may
> > persist through resets and so U-Boot attempts to append to the
> > previous boot's log.
> >
> > Changes since v7:
> > - Change name of tcg2_init_log and add more documentation
> > - Add a check, when parsing the event log header, to ensure that the
> > previous stage bootloader used all the active PCRs.
> > - Change name of tcg2_log_find_end
> > - Fix the greater than or equal to check to exit the log parsing
> > - Make sure log_position is 0 if there is any error discovering the log
> > - Return errors parsing the log if the data is corrupt so that we don't
> > end up with half a log
> >
> > Changes since v6:
> > - Added comment for bootm_measure
> > - Fixed line length in bootm_measure
> > - Added Linaro copyright for all the EFI moved code
> > - Changed tcg2_init_log (and by extension, tcg2_measurement_init) to
> > copy any discovered event log to the user's log if passed in.
> >
> > Changes since v5:
> > - Re-ordered the patches to put the sandbox TPM driver patch second
> > - Remove unused platform_get_eventlog in efi_tcg2.c
> > - First look for tpm_event_log_* properties instead of linux,sml-*
> > - Fix efi_tcg2.c compilation
> > - Select SHA* configs
> > - Remove the !SANDBOX dependency for EFI TCG2
> > - Only compile in the measurement u-boot command when CONFIG_MEASURED_BOOT
> > is enabled
> >
> > Changes since v4:
> > - Remove tcg2_measure_event function and check for NULL data in
> > tcg2_measure_data
> > - Use tpm_auto_startup
> > - Fix efi_tcg2.c compilation for removing tcg2_pcr_read function
> > - Change PCR indexes for initrd and dtb
> > - Drop u8 casting in measurement test
> > - Use bullets in documentation
> >
> > Changes since v3:
> > - Reordered headers
> > - Refactored more of EFI code into common code
> > Removed digest_info structure and instead used the common alg_to_mask
> > and alg_to_len
> > Improved event log parsing in common code to get it equivalent to EFI
> > Common code now extends PCR if previous bootloader stage couldn't
> > No need to allocate memory in the common code, so EFI copies the
> > discovered buffer like it did before
> > Rename efi measure_event function
> >
> > Changes since v2:
> > - Add documentation.
> > - Changed reserved memory address to the top of the RAM for sandbox dts.
> > - Add measure state to booti and bootz.
> > - Skip measurement for EFI images that should be measured
> >
> > Changes since v1:
> > - Refactor TPM layer functions to allow EFI system to use them, and
> > remove duplicate EFI functions.
> > - Add test case
> > - Drop #ifdefs for bootm
> > - Add devicetree measurement config option
> > - Update sandbox TPM driver
> >
> > Eddie James (6):
> > tpm: Fix spelling for tpmu_ha union
> > tpm: sandbox: Update for needed TPM2 capabilities
> > tpm: Support boot measurements
> > bootm: Support boot measurement
> > test: Add sandbox TPM boot measurement
> > doc: Add measured boot documentation
> >
> > Ilias Apalodimas (2):
> > efi_loader: fix EFI_ENTRY point on get_active_pcr_banks
> > test: use a non system PCR for testing PCR extend
> >
> > arch/sandbox/dts/sandbox.dtsi | 13 +
> > arch/sandbox/dts/test.dts | 13 +
> > boot/Kconfig | 32 ++
> > boot/bootm.c | 74 +++
> > cmd/booti.c | 1 +
> > cmd/bootm.c | 2 +
> > cmd/bootz.c | 1 +
> > configs/sandbox_defconfig | 1 +
> > doc/usage/index.rst | 1 +
> > doc/usage/measured_boot.rst | 23 +
> > drivers/tpm/tpm2_tis_sandbox.c | 100 ++--
> > include/bootm.h | 11 +
> > include/efi_tcg2.h | 44 --
> > include/image.h | 1 +
> > include/test/suites.h | 1 +
> > include/tpm-v2.h | 263 ++++++++++-
> > lib/Kconfig | 4 +
> > lib/efi_loader/Kconfig | 2 -
> > lib/efi_loader/efi_tcg2.c | 823 ++++-----------------------------
> > lib/tpm-v2.c | 814 ++++++++++++++++++++++++++++++++
> > test/boot/Makefile | 1 +
> > test/boot/measurement.c | 66 +++
> > test/cmd_ut.c | 4 +
> > test/py/tests/test_tpm2.py | 16 +-
> > 24 files changed, 1482 insertions(+), 829 deletions(-)
> > create mode 100644 doc/usage/measured_boot.rst
> > create mode 100644 test/boot/measurement.c
> >
> > --
> > 2.39.3
> >
More information about the U-Boot
mailing list