[PATCH v14 4/8] bootm: Support boot measurement

Ilias Apalodimas ilias.apalodimas at linaro.org
Wed Oct 25 16:27:58 CEST 2023


Hi Heinrich,

[...]

> >>>
> >>> +config MEASURED_BOOT
> >>> +     bool "Measure boot images and configuration to TPM and event log"
> >>> +     depends on HASH && TPM_V2
> >>> +     help
> >>> +       This option enables measurement of the boot process. Measurement
> >>> +       involves creating cryptographic hashes of the binary images that
> >>> +       are booting and storing them in the TPM. In addition, a log of
> >>> +       these hashes is stored in memory for the OS to verify the booted
> >>> +       images and configuration. Enable this if the OS has configured
> >>> +       some memory area for the event log and you intend to use some
> >>> +       attestation tools on your system.
> >>> +
> >>> +if MEASURED_BOOT
> >>> +     config MEASURE_DEVICETREE
> >>> +     bool "Measure the devicetree image"
> >>> +     default y if MEASURED_BOOT
> >>> +     help
> >>> +       On some platforms, the devicetree is not static as it may contain
> >>> +       random MAC addresses or other such data that changes each boot.
> >>> +       Therefore, it should not be measured into the TPM. In that case,
> >>> +       disable the measurement here.
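Review bot: `default y if MEASURED_BOOT` on MEASURE_DEVICETREE is redundant, because the option is already inside the `if MEASURED_BOOT` block and can only be visible when that symbol is set; a plain `default y` expresses the same thing. Two smaller points in the same hunk: the `config MEASURE_DEVICETREE` line is indented under `if MEASURED_BOOT`, unlike the `bool`/`help` lines that follow it, which looks like an unintended indent rather than a convention; and the MEASURED_BOOT help text ("Enable this if the OS has configured some memory area for the event log") leaves unclear who reserves the event-log area and how U-Boot learns its location, since the OS only runs after the measurements have been taken. Saying which component provides the area would make the dependency explicit.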
> >>
> >> I guess the device-tree should be measured before fix-ups.
> >>
> >> A main source of randomness is the KASLR seed.
> >>
> >> @Ilias: How are we handling this in the EFI case?
> >
> > We unconditionally strip the KASLR node if EFI_RNG is installed.
> > efi_try_purge_kaslr_seed() has a useful comment on how the kernel's
> > EFI-stub behaves.
> > In any case, we measure selected parts of the DTB, not all of it,
> > efi_tcg2_measure_dtb() has the details and we keep the DTB measurement
> > under a Kconfig node.
>
> efi_tcg2_measure_dtb() measures all nodes but not the blank areas of the
> device-tree.
>
> That seems not to be enough to remove randomness:
>
> * On RISC-V the boot hartid is random (needed in DT for kernel < 5.18).
> * MAC addresses are random on many boards.

Ah thanks, I wasn't aware of the RISC-V hartid.  I was aware of the
MAC address randomness.  The problem with measuring the DTB 'early'
might be a bit tricky. Any idea how early we need to do this? Boards
extend the DT maybe even during their init.  So do we have to copy the
original DT to an address and use that?  Things like that are why we
keep the DT measurement under a Kconfig and it's not unconditional.

> For the boot hartid maybe we should simply not provide it in the
> device-tree if measured boot is enabled. We have an EFI protocol that is
> used in newer kernels for this purpose.
>
> Do we really need distinct Kconfig settings
> CONFIG_EFI_TCG2_PROTOCOL_MEASURE_DTB and MEASURE_DEVICETREE? Isn't one
> enough to rule both cases?

We don't, but this patchset is complicated enough.  I've done enough
testing and I *think* nothing breaks, but in any case, I don't plan on
landing it in -master.  I prefer -next, so do you mind if we fix that
in a follow-up patch?

FWIW
Tested-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>

Regards
/Ilias

>
> Best regards
>
> Heinrich
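To make the randomness point concrete, here is an added illustration that is not U-Boot code and not part of the patch: it builds a small flattened-devicetree structure block, then measures it token by token, once in full and once leaving out the properties the thread names as changing per boot (the KASLR seed, a MAC address, the RISC-V boot hartid). The VOLATILE set, the board layout and the sample values are constructed for the example; the FDT token encoding follows the devicetree specification.

```python
import hashlib
import struct

FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_END = 1, 2, 3, 9   # structure-block tokens
# Per-boot volatile properties named in the thread; the skip list is policy and must not vary
VOLATILE = {"kaslr-seed", "local-mac-address", "boot-hartid"}

def align4(buf):
    return buf + b"\0" * (-len(buf) % 4)

def encode_node(name, node, strings, offs):
    """Serialise {prop: bytes, subnode: dict} (props first) into FDT structure tokens."""
    out = align4(struct.pack(">I", FDT_BEGIN_NODE) + name.encode() + b"\0")
    for key, val in node.items():
        if isinstance(val, dict):
            out += encode_node(key, val, strings, offs)
            continue
        if key not in offs:                        # property names live in the strings block
            offs[key] = len(strings)
            strings += key.encode() + b"\0"
        out += align4(struct.pack(">III", FDT_PROP, len(val), offs[key]) + val)
    return out + struct.pack(">I", FDT_END_NODE)

def measure_struct(blk, strings, skip=VOLATILE):
    """Hash structure tokens, skipping FDT_PROPs named in `skip`; -> (hex digest, skipped)."""
    digest, skipped, pos = hashlib.sha256(), [], 0
    while pos < len(blk):
        (tok,) = struct.unpack_from(">I", blk, pos)
        name, end = None, pos + 4                  # FDT_END_NODE / FDT_END: token only
        if tok == FDT_BEGIN_NODE:                  # token + NUL-terminated node name
            end = blk.index(b"\0", pos + 4) + 1
        elif tok == FDT_PROP:                      # token + len + nameoff + value
            length, nameoff = struct.unpack_from(">II", blk, pos + 4)
            end = pos + 12 + length
            name = strings[nameoff:strings.index(b"\0", nameoff)].decode()
        end += -end % 4                            # every token is 4-byte aligned
        if name in skip:                           # volatile property: not measured
            skipped.append(name)
        else:
            digest.update(blk[pos:end])
        pos = end
    return digest.hexdigest(), skipped

def boot_digests(seed, mac, hartid):
    """Constructed board tree; returns (digest of all tokens, digest minus VOLATILE)."""
    tree = {"compatible": b"example,board\0", "ethernet@0": {"local-mac-address": mac},
            "chosen": {"kaslr-seed": seed, "boot-hartid": hartid}}
    strings = bytearray()
    blk = encode_node("", tree, strings, {}) + struct.pack(">I", FDT_END)
    return measure_struct(blk, strings, skip=set())[0], measure_struct(blk, strings)[0]
```

Two boots that differ only in those three values give different full digests but the same filtered digest, which is the stability an attestation verifier needs; the skip list itself then becomes part of the measurement policy and has to be fixed, not derived from the tree being measured.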