[PATCH v14 0/8] tpm: Support boot measurements
Ilias Apalodimas
ilias.apalodimas at linaro.org
Wed Oct 25 14:38:59 CEST 2023
Thnaks Eddie,
This works properly on EFI as well
On Tue, 24 Oct 2023 at 18:44, Eddie James <eajames at linux.ibm.com> wrote:
>
> This series adds support for measuring the boot images more generically
> than the existing EFI support. Several EFI functions have been moved to
> the TPM layer. The series includes optional measurement from the bootm
> command.
> A new test case has been added for the bootm measurement to test the new
> path, and the sandbox TPM2 driver has been updated to support this use
> case.
>
> Changes since v13:
> - Rebase without messing up efi_tcg2.c (duplicate functions)
>
> Changes since v12:
> - Rebase on master.
> - Add detail to documentation.
>
> Changes since v11:
> - Rebase on next. Sorry for the delay (been on leave).
>
> Changes since v10:
> - Fix commit message on efi_loader change
> - Drop python test change
> - Squash armv7 fix from Ilias
>
> Changes since v9:
> - Rebase and add Ilias' fixes (thanks!)
>
> Changes since v8:
> - Fix a sandbox driver off-by-one error in checking the property type.
> - Fix log parsing again - any data corruption seen while replaying the
> event log was failing the entire measurement.
> - Added an option to ignore the existing log and a configuration option
> for systems to select that for the bootm measurement. This would only
> be selected for systems that know that U-Boot is the first stage
> bootloader. This is necessary because the reserved memory region may
> persist through resets and so U-Boot attempts to append to the
> previous boot's log.
>
> Changes since v7:
> - Change name of tcg2_init_log and add more documentation
> - Add a check, when parsing the event log header, to ensure that the
> previous stage bootloader used all the active PCRs.
> - Change name of tcg2_log_find_end
> - Fix the greater than or equal to check to exit the log parsing
> - Make sure log_position is 0 if there is any error discovering the log
> - Return errors parsing the log if the data is corrupt so that we don't
> end up with half a log
>
> Changes since v6:
> - Added comment for bootm_measure
> - Fixed line length in bootm_measure
> - Added Linaro copyright for all the EFI moved code
> - Changed tcg2_init_log (and by extension, tcg2_measurement_init) to
> copy any discovered event log to the user's log if passed in.
>
> Changes since v5:
> - Re-ordered the patches to put the sandbox TPM driver patch second
> - Remove unused platform_get_eventlog in efi_tcg2.c
> - First look for tpm_event_log_* properties instead of linux,sml-*
> - Fix efi_tcg2.c compilation
> - Select SHA* configs
> - Remove the !SANDBOX dependency for EFI TCG2
> - Only compile in the measurement u-boot command when CONFIG_MEASURED_BOOT
> is enabled
>
> Changes since v4:
> - Remove tcg2_measure_event function and check for NULL data in
> tcg2_measure_data
> - Use tpm_auto_startup
> - Fix efi_tcg2.c compilation for removing tcg2_pcr_read function
> - Change PCR indexes for initrd and dtb
> - Drop u8 casting in measurement test
> - Use bullets in documentation
>
> Changes since v3:
> - Reordered headers
> - Refactored more of EFI code into common code
> Removed digest_info structure and instead used the common alg_to_mask
> and alg_to_len
> Improved event log parsing in common code to get it equivalent to EFI
> Common code now extends PCR if previous bootloader stage couldn't
> No need to allocate memory in the common code, so EFI copies the
> discovered buffer like it did before
> Rename efi measure_event function
>
> Changes since v2:
> - Add documentation.
> - Changed reserved memory address to the top of the RAM for sandbox dts.
> - Add measure state to booti and bootz.
> - Skip measurement for EFI images that should be measured
>
> Changes since v1:
> - Refactor TPM layer functions to allow EFI system to use them, and
> remove duplicate EFI functions.
> - Add test case
> - Drop #ifdefs for bootm
> - Add devicetree measurement config option
> - Update sandbox TPM driver
>
> Eddie James (6):
> tpm: Fix spelling for tpmu_ha union
> tpm: sandbox: Update for needed TPM2 capabilities
> tpm: Support boot measurements
> bootm: Support boot measurement
> test: Add sandbox TPM boot measurement
> doc: Add measured boot documentation
>
> Ilias Apalodimas (2):
> efi_loader: fix EFI_ENTRY point on get_active_pcr_banks
> test: use a non system PCR for testing PCR extend
>
> arch/sandbox/dts/sandbox.dtsi | 13 +
> arch/sandbox/dts/test.dts | 13 +
> boot/Kconfig | 32 +
> boot/bootm.c | 74 +++
> cmd/booti.c | 1 +
> cmd/bootm.c | 2 +
> cmd/bootz.c | 1 +
> configs/sandbox_defconfig | 1 +
> doc/usage/index.rst | 1 +
> doc/usage/measured_boot.rst | 31 +
> drivers/tpm/tpm2_tis_sandbox.c | 100 ++-
> include/bootm.h | 11 +
> include/efi_tcg2.h | 44 --
> include/image.h | 1 +
> include/test/suites.h | 1 +
> include/tpm-v2.h | 263 +++++++-
> lib/Kconfig | 4 +
> lib/efi_loader/Kconfig | 2 -
> lib/efi_loader/efi_tcg2.c | 1055 +++-----------------------------
> lib/tpm-v2.c | 814 ++++++++++++++++++++++++
> test/boot/Makefile | 1 +
> test/boot/measurement.c | 66 ++
> test/cmd_ut.c | 4 +
> test/py/tests/test_tpm2.py | 16 +-
> 24 files changed, 1490 insertions(+), 1061 deletions(-)
> create mode 100644 doc/usage/measured_boot.rst
> create mode 100644 test/boot/measurement.c
>
> --
> 2.39.3
>
For the API moving around from efi -> u-boot core
Reviewed-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
More information about the U-Boot
mailing list