[PATCH v14 4/8] bootm: Support boot measurement

Heinrich Schuchardt xypron.glpk at gmx.de
Wed Oct 25 15:58:38 CEST 2023


On 25.10.23 15:21, Ilias Apalodimas wrote:
> On Wed, 25 Oct 2023 at 16:08, Heinrich Schuchardt <xypron.glpk at gmx.de> wrote:
>>
>> On 24.10.23 17:43, Eddie James wrote:
>>> Add a configuration option to measure the boot through the bootm
>>> function. Add the measurement state to the booti and bootz paths
>>> as well.
>>>
>>> Signed-off-by: Eddie James <eajames at linux.ibm.com>
>>> Reviewed-by: Simon Glass <sjg at chromium.org>
>>> ---
>>> Changes since v8:
>>>    - Added a configuration option to select to ignore any existing
>>>      event log. This would only be selected for systems that know
>>>      that U-Boot is the first stage bootloader. This is necessary
>>>      because the reserved memory region may persist through resets
>>>      and so U-Boot attempts to append to the previous boot's log.
>>>
>>> Changes since v6:
>>>    - Added comment for bootm_measure
>>>    - Fixed line length in bootm_measure
>>>
>>>    boot/Kconfig    | 32 +++++++++++++++++++++
>>>    boot/bootm.c    | 74 +++++++++++++++++++++++++++++++++++++++++++++++++
>>>    cmd/booti.c     |  1 +
>>>    cmd/bootm.c     |  2 ++
>>>    cmd/bootz.c     |  1 +
>>>    include/bootm.h | 11 ++++++++
>>>    include/image.h |  1 +
>>>    7 files changed, 122 insertions(+)
>>>
>>> diff --git a/boot/Kconfig b/boot/Kconfig
>>> index a01e6cb8aa..abbc72f4cf 100644
>>> --- a/boot/Kconfig
>>> +++ b/boot/Kconfig
>>> @@ -685,6 +685,38 @@ config LEGACY_IMAGE_FORMAT
>>>          loaded. If a board needs the legacy image format support in this
>>>          case, enable it here.
>>>
>>> +config MEASURED_BOOT
>>> +     bool "Measure boot images and configuration to TPM and event log"
>>> +     depends on HASH && TPM_V2
>>> +     help
>>> +       This option enables measurement of the boot process. Measurement
>>> +       involves creating cryptographic hashes of the binary images that
>>> +       are booting and storing them in the TPM. In addition, a log of
>>> +       these hashes is stored in memory for the OS to verify the booted
>>> +       images and configuration. Enable this if the OS has configured
>>> +       some memory area for the event log and you intend to use some
>>> +       attestation tools on your system.
>>> +
>>> +if MEASURED_BOOT
>>> +     config MEASURE_DEVICETREE
>>> +     bool "Measure the devicetree image"
>>> +     default y if MEASURED_BOOT
>>> +     help
>>> +       On some platforms, the devicetree is not static as it may contain
>>> +       random MAC addresses or other such data that changes each boot.
>>> +       Therefore, it should not be measured into the TPM. In that case,
>>> +       disable the measurement here.
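Review bot: `default y if MEASURED_BOOT` on the MEASURE_DEVICETREE entry is redundant, since the option already sits inside the `if MEASURED_BOOT` block and cannot be visible otherwise; a plain `default y` says the same thing. The `config MEASURE_DEVICETREE` line is also indented under the `if`, whereas `config MEASURED_BOOT` and the surrounding entries in boot/Kconfig start in column 0; keep the same convention inside the block.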
>>
>> I guess the device-tree should be measured before fix-ups.
>>
>> A main source of randomness is the KASLR seed.
>>
>> @Ilias: How are we handling this in the EFI case?
>
> We unconditionally strip the KASLR node if EFI_RNG is installed.
> efi_try_purge_kaslr_seed() has a useful comment on how the kernel's
> EFI-stub behaves.
> In any case, we measure selected parts of the DTB, not all of it,
> efi_tcg2_measure_dtb() has the details and we keep the DTB measurement
> under a Kconfig node.

efi_tcg2_measure_dtb() measures all nodes but not the blank areas of the
device-tree.

That seems not to be enough to remove randomness:

* On RISC-V the boot hartid is random (needed in DT for kernel < 5.18).
* MAC addresses are random on many boards.

For the boot hartid maybe we should simply not provide it in the
device-tree if measured boot is enabled. We have an EFI protocol that is
used in newer kernels for this purpose.

Do we really need distinct Kconfig settings
CONFIG_EFI_TCG2_PROTOCOL_MEASURE_DTB and MEASURE_DEVICETREE? Isn't one
enough to rule both cases?

Best regards

Heinrich
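To illustrate the point under discussion, that a devicetree measurement only gives a stable, attestable value if boot-varying data (the KASLR seed, the RISC-V boot hartid, fixed-up MAC addresses) is excluded before hashing, here is an added Python example that is not part of this patch or of U-Boot. It models the tree as a dict rather than a real FDT blob; the list of volatile properties, the canonical serialisation and the PCR-extend simulation are assumptions made for the example.

```python
import hashlib

# Properties that differ from boot to boot and so must not feed the
# measurement: the cases named in the thread (KASLR seed, RISC-V boot
# hartid, MAC address fix-ups). This list is an assumption for the example.
VOLATILE_PROPS = {"kaslr-seed", "boot-hartid", "local-mac-address", "mac-address"}

def purge_volatile(dt):
    """Copy of the tree without boot-varying properties.
    dt maps node path -> {property name -> value bytes}."""
    return {path: {n: v for n, v in props.items() if n not in VOLATILE_PROPS}
            for path, props in dt.items()}

def canonical_bytes(dt):
    """Deterministic serialisation: sorted paths, sorted property names."""
    blob = bytearray()
    for path in sorted(dt):
        for name in sorted(dt[path]):
            val = dt[path][name]
            blob += path.encode() + b"\0" + name.encode() + b"\0"
            blob += len(val).to_bytes(4, "big") + val
    return bytes(blob)

def measure_dt(dt, pcr=bytes(32)):
    """Extend a simulated SHA-256 PCR with the purged tree's digest, the way
    TPM2_PCR_Extend composes it: new_pcr = H(old_pcr || H(data))."""
    digest = hashlib.sha256(canonical_bytes(purge_volatile(dt))).digest()
    return hashlib.sha256(pcr + digest).digest()

def boot_tree(seed, mac, hartid):
    """Constructed sample: the same board's tree after fix-ups on one boot."""
    return {
        "/": {"compatible": b"vendor,board\0", "model": b"Board\0"},
        "/chosen": {"kaslr-seed": seed, "boot-hartid": hartid,
                    "bootargs": b"console=ttyS0\0"},
        "/soc/ethernet@10000": {"compatible": b"vendor,eth\0",
                                "local-mac-address": mac},
    }

def compare_boots():
    """Two boots of one board with a fresh seed, MAC and hartid. Returns
    (raw serialisations equal?, purged measurements equal?)."""
    a = boot_tree(b"\x11" * 8, b"\x02" * 6, b"\0" * 4)
    b = boot_tree(b"\x22" * 8, b"\x03" * 6, b"\0\0\0\x03")
    raw_equal = canonical_bytes(a) == canonical_bytes(b)
    return raw_equal, measure_dt(a) == measure_dt(b)
```

Hashing the fixed-up tree as-is gives a different value on every boot, while the purged tree measures identically across boots and still changes when a genuine configuration property such as bootargs changes.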

