From: "Stefan Berger" <stefanb@us.ibm.com>
To: Matthew Garrett <mjg59@coreos.com>
Cc: berrange@redhat.com, dgilbert@redhat.com, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH v4] hw/misc: Add simple measurement hardware
Date: Sun, 11 Sep 2016 20:05:37 -0400	[thread overview]
Message-ID: <OF5796765A.1F5E0649-ON0025802C.00003AF4-8525802C.00009288@notes.na.collabserv.com> (raw)
In-Reply-To: <1471463332-12274-1-git-send-email-mjg59@coreos.com>

Matthew Garrett <mjg59@coreos.com> wrote on 08/17/2016 03:48:52 PM:

> From: Matthew Garrett <mjg59@coreos.com>
> To: qemu-devel@nongnu.org
> Cc: dgilbert@redhat.com, berrange@redhat.com, Stefan Berger/Watson/
> IBM@IBMUS, Matthew Garrett <mjg59@coreos.com>
> Date: 08/17/2016 03:49 PM
> Subject: [PATCH v4] hw/misc: Add simple measurement hardware
> 
> Trusted Boot is based around having a trusted store of measurement data and
> a secure communications channel between that store and an attestation
> target. In actual hardware, that's a TPM. Since the TPM can only be accessed
> via the host system, this in turn requires that the TPM be able to perform
> reasonably complicated cryptographic functions in order to demonstrate its
> trusted state.
> 
> In cloud environments, qemu is inherently trusted and the hypervisor
> infrastructure provides a trusted mechanism for extracting information from
> qemu and providing it to another system. This means we can skip the crypto
> and stick with the basic functionality - ie, providing a trusted store of
> measurement data.
> 
> This driver provides a very small subset of TPM 1.2 functionality in the
> form of a bank of registers that can store SHA1 measurements of boot
> components. Performing a write to one of these registers will append the new
> 20 byte hash to the 20 bytes currently stored within the register, take a
> SHA1 of this 40 byte value and then replace the existing register contents
> with the new value. This ensures that a given value can only be obtained by
> performing the same sequence of writes. It also adds a monitor command to
> allow an external agent to extract this information from the running system
> and provide it over a secure communications channel. Finally, it measures
> each of the loaded ROMs into one of the registers at reset time.
> 
> In combination with work in SeaBIOS and the kernel, this permits a fully
> measured boot in a virtualised environment without the overhead of a full
> TPM implementation.
> 
> This version of the implementation depends on port io, but if there's
> interest I'll add mmio as well.
> 
> Signed-off-by: Matthew Garrett <mjg59@coreos.com>
> ---
> 
> Updated based on David's feedback.
> 
>  default-configs/x86_64-softmmu.mak |   1 +
>  hmp-commands-info.hx               |  14 ++
>  hmp.c                              |  16 ++
>  hmp.h                              |   1 +
>  hw/core/loader.c                   |  12 ++
>  hw/i386/acpi-build.c               |  29 +++-
>  hw/misc/Makefile.objs              |   1 +
>  hw/misc/measurements.c             | 328 +++++++++++++++++++++++++++++++++++++
>  hw/misc/measurements.h             |   5 +
>  hw/tpm/tpm_tis.c                   |   5 +


There shouldn't be a change to tpm_tis.c since this is just one specific 
front end of possibly different ones. I think the mutual exclusion test 
should go into more common code: tpm.c:tpm_init().
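The extend operation described in the quoted commit message (new register value = SHA1 of the old 20 bytes followed by the written 20-byte hash), as an added Python example that is not part of the patch or of QEMU. It assumes registers start zeroed at reset, a bank of eight registers, and constructed ROM contents; the replay() helper is the attestation-side check that a reported register value matches a claimed sequence of writes.

```python
import hashlib

DIGEST_LEN = 20  # SHA1 digest size; the patch's registers are 20 bytes wide


class MeasurementBank:
    """Bank of extend-only SHA1 registers, modelled on the patch description."""

    def __init__(self, num_registers=8):
        # Assumption: every register holds 20 zero bytes after reset.
        self.regs = [bytes(DIGEST_LEN)] * num_registers
        # Event log kept beside the registers so a verifier can replay it.
        self.log = []

    def extend(self, index, digest):
        """Write a 20-byte hash: reg = SHA1(reg || digest)."""
        if len(digest) != DIGEST_LEN:
            raise ValueError("writes must be exactly 20 bytes")
        # 40-byte input (old value + new hash) hashed down to a new 20-byte value.
        self.regs[index] = hashlib.sha1(self.regs[index] + digest).digest()
        self.log.append((index, digest))
        return self.regs[index]

    def measure_rom(self, index, rom_image):
        """Hash a loaded ROM and extend it into a register, as done at reset."""
        return self.extend(index, hashlib.sha1(rom_image).digest())


def replay(log, num_registers=8):
    """Recompute the expected register values from an event log."""
    expected = [bytes(DIGEST_LEN)] * num_registers
    for index, digest in log:
        expected[index] = hashlib.sha1(expected[index] + digest).digest()
    return expected


def demo():
    """Measure two constructed ROMs in two orders; order changes the result."""
    roms = [b"seabios.bin (constructed sample)", b"vgabios.bin (constructed sample)"]
    bank = MeasurementBank()
    for rom in roms:
        bank.measure_rom(0, rom)
    swapped = MeasurementBank()
    for rom in reversed(roms):
        swapped.measure_rom(0, rom)
    return bank, swapped
```

Because each write chains on the previous contents, only the same sequence of writes reproduces a register value, which is what replay() checks on the attestation side.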
