[PATCH v14 4/8] bootm: Support boot measurement
Heinrich Schuchardt
xypron.glpk at gmx.de
Wed Oct 25 15:58:38 CEST 2023
On 25.10.23 15:21, Ilias Apalodimas wrote:
> On Wed, 25 Oct 2023 at 16:08, Heinrich Schuchardt <xypron.glpk at gmx.de> wrote:
>>
>> On 24.10.23 17:43, Eddie James wrote:
>>> Add a configuration option to measure the boot through the bootm
>>> function. Add the measurement state to the booti and bootz paths
>>> as well.
>>>
>>> Signed-off-by: Eddie James <eajames at linux.ibm.com>
>>> Reviewed-by: Simon Glass <sjg at chromium.org>
>>> ---
>>> Changes since v8:
>>> - Added a configuration option to select to ignore any existing
>>> event log. This would only be selected for systems that know
>>> that U-Boot is the first stage bootloader. This is necessary
>>> because the reserved memory region may persist through resets
>>> and so U-Boot attempts to append to the previous boot's log.
>>>
>>> Changes since v6:
>>> - Added comment for bootm_measure
>>> - Fixed line length in bootm_measure
>>>
>>> boot/Kconfig | 32 +++++++++++++++++++++
>>> boot/bootm.c | 74 +++++++++++++++++++++++++++++++++++++++++++++++++
>>> cmd/booti.c | 1 +
>>> cmd/bootm.c | 2 ++
>>> cmd/bootz.c | 1 +
>>> include/bootm.h | 11 ++++++++
>>> include/image.h | 1 +
>>> 7 files changed, 122 insertions(+)
>>>
>>> diff --git a/boot/Kconfig b/boot/Kconfig
>>> index a01e6cb8aa..abbc72f4cf 100644
>>> --- a/boot/Kconfig
>>> +++ b/boot/Kconfig
>>> @@ -685,6 +685,38 @@ config LEGACY_IMAGE_FORMAT
>>> loaded. If a board needs the legacy image format support in this
>>> case, enable it here.
>>>
>>> +config MEASURED_BOOT
>>> + bool "Measure boot images and configuration to TPM and event log"
>>> + depends on HASH && TPM_V2
>>> + help
>>> + This option enables measurement of the boot process. Measurement
>>> + involves creating cryptographic hashes of the binary images that
>>> + are booting and storing them in the TPM. In addition, a log of
>>> + these hashes is stored in memory for the OS to verify the booted
>>> + images and configuration. Enable this if the OS has configured
>>> + some memory area for the event log and you intend to use some
>>> + attestation tools on your system.
>>> +
>>> +if MEASURED_BOOT
>>> + config MEASURE_DEVICETREE
>>> + bool "Measure the devicetree image"
>>> + default y if MEASURED_BOOT
>>> + help
>>> + On some platforms, the devicetree is not static as it may contain
>>> + random MAC addresses or other such data that changes each boot.
>>> + Therefore, it should not be measured into the TPM. In that case,
>>> + disable the measurement here.
>>
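Review bot: `default y if MEASURED_BOOT` on MEASURE_DEVICETREE is redundant, since the option already sits inside the `if MEASURED_BOOT` block; a plain `default y` is enough and avoids restating the guard. The MEASURED_BOOT help text, "Enable this if the OS has configured some memory area for the event log", reads as if the OS set the region up, while the change log above describes U-Boot appending to a reserved memory region that persists across resets; stating which component reserves the region and that the OS only consumes it would make the prerequisite clearer. The MEASURE_DEVICETREE help text tells users to disable measurement when the devicetree changes per boot, but does not say whether the blob is hashed before or after U-Boot's own fix-ups, which is what decides whether per-boot data actually lands in the measurement; documenting that here would let users judge whether disabling is needed.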
>> I guess the device-tree should be measured before fix-ups.
>>
>> A main source of randomness is the KASLR seed.
>>
>> @Ilias: How are we handling this in the EFI case?
>
> We unconditionally strip the KASLR node if EFI_RNG is installed.
> efi_try_purge_kaslr_seed() has a useful comment on how the kernel's
> EFI-stub behaves.
> In any case, we measure selected parts of the DTB, not all of it,
> efi_tcg2_measure_dtb() has the details and we keep the DTB measurement
> under a Kconfig node.
efi_tcg2_measure_dtb() measures all nodes but not the blank areas of the
device-tree.
That seems not to be enough to remove randomness:
* On RISC-V the boot hartid is random (needed in DT for kernel < 5.18).
* MAC addresses are random on many boards.
For the boot hartid maybe we should simply not provide it in the
device-tree if measured boot is enabled. We have an EFI protocol that is
used in newer kernels for this purpose.
Do we really need distinct Kconfig settings
CONFIG_EFI_TCG2_PROTOCOL_MEASURE_DTB and MEASURE_DEVICETREE? Isn't one
enough to cover both cases?
Best regards
Heinrich
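The two points the thread turns on, a log left in reserved memory from the previous boot and per-boot data in the devicetree, are easiest to see by modelling the TPM extend operation and the log replay an attestation tool performs. The following is an added example and not code from the patch or from U-Boot; the PCR indices 8 and 9, the image contents and the devicetree blobs are constructed stand-ins, and `ignore_existing_log` models the option the change log above describes, not U-Boot's actual Kconfig symbol.

```python
import hashlib

PCR_INIT = bytes(32)   # SHA-256 bank: PCRs 0-16 read as all zeros after a TPM reset
PCR_KERNEL = 8         # assumption: index used for kernel/initrd measurements in this model
PCR_CONFIG = 9         # assumption: index used for the devicetree measurement in this model


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr_value: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics for one bank: new = H(old || digest)."""
    return sha256(pcr_value + digest)


def boot(images, existing_log=None, ignore_existing_log=False):
    """Simulate one boot.

    The TPM is reset at power-on, so every PCR starts from PCR_INIT, but the
    memory region holding the event log may still contain the previous boot's
    entries. Unless ignore_existing_log is set, the bootloader appends to
    whatever it finds there. Returns (pcrs, log): pcrs maps index -> final
    value, log is a list of (pcr_index, digest, description) events.
    """
    pcrs = {}
    log = [] if (existing_log is None or ignore_existing_log) else list(existing_log)
    for pcr_index, description, data in images:
        digest = sha256(data)
        pcrs[pcr_index] = pcr_extend(pcrs.get(pcr_index, PCR_INIT), digest)
        log.append((pcr_index, digest, description))
    return pcrs, log


def replay_log(log):
    """What an attestation tool does: recompute PCR values from the log alone."""
    pcrs = {}
    for pcr_index, digest, _description in log:
        pcrs[pcr_index] = pcr_extend(pcrs.get(pcr_index, PCR_INIT), digest)
    return pcrs


def log_matches_tpm(log, pcrs) -> bool:
    """The log is only useful if replaying it reproduces what the TPM holds."""
    return replay_log(log) == pcrs


# Constructed stand-ins for the images bootm would measure (not real blobs).
KERNEL = b"constructed kernel image"
INITRD = b"constructed initrd"
DTB_STABLE = b"constructed dtb without per-boot properties"
DTB_WITH_MAC = b"constructed dtb with local-mac-address = 02:00:00:00:00:01"

BOOT_IMAGES = [
    (PCR_KERNEL, "kernel", KERNEL),
    (PCR_KERNEL, "initrd", INITRD),
    (PCR_CONFIG, "dtb", DTB_STABLE),
]


def demo():
    """Three boots; returns whether log replay matched the TPM in each."""
    pcrs1, log1 = boot(BOOT_IMAGES)
    first_ok = log_matches_tpm(log1, pcrs1)
    # Reset: the TPM is back at PCR_INIT, but log1 is still in the reserved
    # region and the new events are appended after it.
    pcrs2, log2 = boot(BOOT_IMAGES, existing_log=log1)
    stale_ok = log_matches_tpm(log2, pcrs2)
    # Same reset, but the stale log is discarded before measuring.
    pcrs3, log3 = boot(BOOT_IMAGES, existing_log=log1, ignore_existing_log=True)
    ignored_ok = log_matches_tpm(log3, pcrs3)
    return first_ok, stale_ok, ignored_ok


def dtb_measurement_is_stable(dtb_a: bytes, dtb_b: bytes) -> bool:
    """True if two devicetree blobs extend PCR_CONFIG to the same value."""
    pcrs_a, _ = boot([(PCR_CONFIG, "dtb", dtb_a)])
    pcrs_b, _ = boot([(PCR_CONFIG, "dtb", dtb_b)])
    return pcrs_a[PCR_CONFIG] == pcrs_b[PCR_CONFIG]


if __name__ == "__main__":
    first_ok, stale_ok, ignored_ok = demo()
    print("fresh log replays to TPM state:", first_ok)
    print("stale log appended to, replays to TPM state:", stale_ok)
    print("stale log ignored, replays to TPM state:", ignored_ok)
    print("dtb with per-boot MAC measures the same as stable dtb:",
          dtb_measurement_is_stable(DTB_STABLE, DTB_WITH_MAC))
```

The stale-log case fails not because any digest is wrong but because the replay sees six extends where the TPM saw three after its reset; that is the mismatch the "ignore any existing event log" option avoids. The devicetree check is the other half of the discussion: a blob that differs by one per-boot property yields a different PCR_CONFIG value, so either the volatile properties are purged before hashing or the blob cannot be used as a stable reference value.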
More information about the U-Boot mailing list