[PATCH v13 0/8] tpm: Support boot measurements
Eddie James
eajames at linux.ibm.com
Tue Oct 24 17:06:42 CEST 2023
On 10/19/23 17:49, Ilias Apalodimas wrote:
> Hi Eddie,
>
> Does the series compile for you against -master?
> For qemu_arm64_defonfig I am getting compilation errors both locally
> and on the CI
> https://source.denx.de/u-boot/custodians/u-boot-tpm/-/jobs/717362#L39
Yea it was a problem rebasing. I'll send v14 soon.
Thanks,
Eddie
>
> Thanks
> /Ilias
>
> On Thu, 19 Oct 2023 at 19:45, Ilias Apalodimas
> <ilias.apalodimas at linaro.org> wrote:
>> Thanks Eddie
>>
>> I've queued this up on public CI. I also have an internal one, this
>> one failed to add the TF-A eventlog, but everything else looks fine.
>> I'll have a look tomorrow, but since this used to work on earlier
>> versions I suspect it's going to be trivial to fix
>>
>> Cheers
>> /Ilias
>>
>> On Thu, 19 Oct 2023 at 19:21, Eddie James <eajames at linux.ibm.com> wrote:
>>> This series adds support for measuring the boot images more generically
>>> than the existing EFI support. Several EFI functions have been moved to
>>> the TPM layer. The series includes optional measurement from the bootm
>>> command.
>>> A new test case has been added for the bootm measurement to test the new
>>> path, and the sandbox TPM2 driver has been updated to support this use
>>> case.
>>>
>>> Changes since v12:
>>> - Rebase on master.
>>> - Add detail to documentation.
>>>
>>> Changes since v11:
>>> - Rebase on next. Sorry for the delay (been on leave).
>>>
>>> Changes since v10:
>>> - Fix commit message on efi_loader change
>>> - Drop python test change
>>> - Squash armv7 fix from Ilias
>>>
>>> Changes since v9:
>>> - Rebase and add Ilias' fixes (thanks!)
>>>
>>> Changes since v8:
>>> - Fix a sandbox driver off-by-one error in checking the property type.
>>> - Fix log parsing again - any data corruption seen while replaying the
>>> event log was failing the entire measurement.
>>> - Added an option to ignore the existing log and a configuration option
>>> for systems to select that for the bootm measurement. This would only
>>> be selected for systems that know that U-Boot is the first stage
>>> bootloader. This is necessary because the reserved memory region may
>>> persist through resets and so U-Boot attempts to append to the
>>> previous boot's log.
>>>
>>> Changes since v7:
>>> - Change name of tcg2_init_log and add more documentation
>>> - Add a check, when parsing the event log header, to ensure that the
>>> previous stage bootloader used all the active PCRs.
>>> - Change name of tcg2_log_find_end
>>> - Fix the greater than or equal to check to exit the log parsing
>>> - Make sure log_position is 0 if there is any error discovering the log
>>> - Return errors parsing the log if the data is corrupt so that we don't
>>> end up with half a log
>>>
>>> Changes since v6:
>>> - Added comment for bootm_measure
>>> - Fixed line length in bootm_measure
>>> - Added Linaro copyright for all the EFI moved code
>>> - Changed tcg2_init_log (and by extension, tcg2_measurement_init) to
>>> copy any discovered event log to the user's log if passed in.
>>>
>>> Changes since v5:
>>> - Re-ordered the patches to put the sandbox TPM driver patch second
>>> - Remove unused platform_get_eventlog in efi_tcg2.c
>>> - First look for tpm_event_log_* properties instead of linux,sml-*
>>> - Fix efi_tcg2.c compilation
>>> - Select SHA* configs
>>> - Remove the !SANDBOX dependency for EFI TCG2
>>> - Only compile in the measurement u-boot command when CONFIG_MEASURED_BOOT
>>> is enabled
>>>
>>> Changes since v4:
>>> - Remove tcg2_measure_event function and check for NULL data in
>>> tcg2_measure_data
>>> - Use tpm_auto_startup
>>> - Fix efi_tcg2.c compilation for removing tcg2_pcr_read function
>>> - Change PCR indexes for initrd and dtb
>>> - Drop u8 casting in measurement test
>>> - Use bullets in documentation
>>>
>>> Changes since v3:
>>> - Reordered headers
>>> - Refactored more of EFI code into common code
>>> Removed digest_info structure and instead used the common alg_to_mask
>>> and alg_to_len
>>> Improved event log parsing in common code to get it equivalent to EFI
>>> Common code now extends PCR if previous bootloader stage couldn't
>>> No need to allocate memory in the common code, so EFI copies the
>>> discovered buffer like it did before
>>> Rename efi measure_event function
>>>
>>> Changes since v2:
>>> - Add documentation.
>>> - Changed reserved memory address to the top of the RAM for sandbox dts.
>>> - Add measure state to booti and bootz.
>>> - Skip measurement for EFI images that should be measured
>>>
>>> Changes since v1:
>>> - Refactor TPM layer functions to allow EFI system to use them, and
>>> remove duplicate EFI functions.
>>> - Add test case
>>> - Drop #ifdefs for bootm
>>> - Add devicetree measurement config option
>>> - Update sandbox TPM driver
>>>
>>> Eddie James (6):
>>> tpm: Fix spelling for tpmu_ha union
>>> tpm: sandbox: Update for needed TPM2 capabilities
>>> tpm: Support boot measurements
>>> bootm: Support boot measurement
>>> test: Add sandbox TPM boot measurement
>>> doc: Add measured boot documentation
>>>
>>> Ilias Apalodimas (2):
>>> efi_loader: fix EFI_ENTRY point on get_active_pcr_banks
>>> test: use a non system PCR for testing PCR extend
>>>
>>> arch/sandbox/dts/sandbox.dtsi | 13 +
>>> arch/sandbox/dts/test.dts | 13 +
>>> boot/Kconfig | 32 ++
>>> boot/bootm.c | 74 +++
>>> cmd/booti.c | 1 +
>>> cmd/bootm.c | 2 +
>>> cmd/bootz.c | 1 +
>>> configs/sandbox_defconfig | 1 +
>>> doc/usage/index.rst | 1 +
>>> doc/usage/measured_boot.rst | 23 +
>>> drivers/tpm/tpm2_tis_sandbox.c | 100 ++--
>>> include/bootm.h | 11 +
>>> include/efi_tcg2.h | 44 --
>>> include/image.h | 1 +
>>> include/test/suites.h | 1 +
>>> include/tpm-v2.h | 263 ++++++++++-
>>> lib/Kconfig | 4 +
>>> lib/efi_loader/Kconfig | 2 -
>>> lib/efi_loader/efi_tcg2.c | 823 ++++-----------------------------
>>> lib/tpm-v2.c | 814 ++++++++++++++++++++++++++++++++
>>> test/boot/Makefile | 1 +
>>> test/boot/measurement.c | 66 +++
>>> test/cmd_ut.c | 4 +
>>> test/py/tests/test_tpm2.py | 16 +-
>>> 24 files changed, 1482 insertions(+), 829 deletions(-)
>>> create mode 100644 doc/usage/measured_boot.rst
>>> create mode 100644 test/boot/measurement.c
>>>
>>> --
>>> 2.39.3
>>>
More information about the U-Boot
mailing list