From: "Stefan Berger"
Subject: Re: [PATCH v3 0/7] tpm: TPM2.0 eventlog securityfs support
Date: Tue, 20 Sep 2016 08:27:11 -0400
References: <1472532619-22170-1-git-send-email-nayna@linux.vnet.ibm.com> <20160830101611.GA11819@intel.com> <20160920100423.GB32433@intel.com>
In-Reply-To: <20160920100423.GB32433-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
To: Jarkko Sakkinen
Cc: tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
List-Id: tpmdd-devel@lists.sourceforge.net

Jarkko Sakkinen wrote on 09/20/2016 06:04:23 AM:

>
> On Mon, Sep 19, 2016 at 10:50:15AM -0400, Stefan Berger wrote:
> > > You also fail to explain how this should work with ACPI even though
> > > we know that there does not exist any kind for event log through ACPI
> > > with TPM 2.0 hardware. I.e. just by reading the commits I can obviously
> > > see that you are doing major untested code path changes.
> >
> > That's true, there's no spec for a BIOS at the moment and I would
> > expect that TCG will likely not write one. Likely all vendors have moved
> > on to (U)EFI. We realized this also while implementing TPM 2 support for
> > SeaBIOS and I ended up reusing the ACPI TCPA table but adopted the EFI
> > specified log format with that special first entry. Can we accommodate
> > that?
>
> Does that match to "SHA1 Event Log Entry Format" defined in [1]? In
> addition "Crypto Agile Log Entry Format" must be supported.

SeaBIOS supports the SHA1 Event Log Entry Format [5.1 in that spec]. It
uses it for TPM 1.2.

https://code.coreboot.org/p/seabios/source/tree/master/src/std/tcg.h#L521

In case of TPM 2 it will write the first log entry in the format of the
Event Log Header [5.3].

https://code.coreboot.org/p/seabios/source/tree/master/src/std/tcg.h#L521

All subsequent entries in the log will be written in Crypto Agile Log
Entry Format [5.2].

Again:
https://code.coreboot.org/p/seabios/source/tree/master/src/std/tcg.h#L521

UEFI may write into some special buffer that the OS can get to via an API
call. In case of SeaBIOS this buffer is just in the TCPA ACPI table, as in
TPM 1.2.

>
> Philip: what was the UEFI handover procedure that was discussed in
> TPM BoF at LSS 2016?
>
> > Stefan
>
> [1] http://www.trustedcomputinggroup.org/wp-content/uploads/EFI-Protocol-Specification-rev13-160330final.pdf
>
> /Jarkko
>


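The log layout described in the message above (a first entry in SHA1 Event Log Entry Format carrying the Event Log Header, followed by Crypto Agile entries) can be walked as in the following added example, which is not code from the message, SeaBIOS or the kernel patch set. It assumes the field layouts of the TCG EFI Protocol Specification cited as [1] and a buffer holding exactly the log with no trailing padding; `parse_tpm2_log` and `sample_log` are hypothetical names and the sample bytes are constructed.

```python
import struct

EV_NO_ACTION = 0x03              # event type of the Event Log Header entry
SPEC_ID_SIG = b"Spec ID Event03\0"

def parse_tpm2_log(buf):
    """Return ({alg_id: digest_len}, [(pcr, type, {alg_id: digest}, data)])."""
    try:
        # Entry 1: SHA1 Event Log Entry Format carrying the Event Log Header.
        _pcr, etype, _sha1, esize = struct.unpack_from("<II20sI", buf, 0)
        off = 32
        hdr = buf[off:off + esize]
        if etype != EV_NO_ACTION or len(hdr) != esize or not hdr.startswith(SPEC_ID_SIG):
            raise ValueError("first entry is not an Event Log Header")
        (nalgs,) = struct.unpack_from("<I", hdr, 24)
        sizes = dict(struct.unpack_from("<HH", hdr, 28 + 4 * i) for i in range(nalgs))
        off += esize
        entries = []
        # Remaining entries: Crypto Agile Log Entry Format.
        while off < len(buf):
            pcr, etype, count = struct.unpack_from("<III", buf, off)
            off += 12
            digests = {}
            for _ in range(count):
                (alg,) = struct.unpack_from("<H", buf, off)
                if alg not in sizes:   # length unknown, cannot skip safely
                    raise ValueError("digest algorithm not declared in header")
                digests[alg] = buf[off + 2:off + 2 + sizes[alg]]
                off += 2 + sizes[alg]
            (esize,) = struct.unpack_from("<I", buf, off)
            off += 4
            if off + esize > len(buf):
                raise ValueError("event data runs past end of log")
            entries.append((pcr, etype, digests, buf[off:off + esize]))
            off += esize
        return sizes, entries
    except struct.error as exc:
        raise ValueError("truncated log") from exc

def sample_log():
    """Constructed sample log: header entry plus one crypto-agile entry."""
    algs = [(0x0004, 20), (0x000B, 32)]      # TPM_ALG_SHA1, TPM_ALG_SHA256
    spec = SPEC_ID_SIG + struct.pack("<IBBBBI", 0, 0, 2, 0, 2, len(algs))
    spec += b"".join(struct.pack("<HH", a, n) for a, n in algs) + b"\0"
    log = struct.pack("<II20sI", 0, EV_NO_ACTION, bytes(20), len(spec)) + spec
    log += struct.pack("<III", 4, 0x0D, len(algs))    # PCR 4, EV_IPL
    log += b"".join(struct.pack("<H", a) + bytes([a]) * n for a, n in algs)
    data = b"constructed event"
    return log + struct.pack("<I", len(data)) + data
```

A parser that treated the first entry as Crypto Agile, or the later ones as SHA1-only, would misread every offset after it, which is why the header's algorithm list drives the digest lengths here.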