u-boot.lists.denx.de archive mirror
From: Ilias Apalodimas <ilias.apalodimas@linaro.org>
To: u-boot@lists.denx.de
Subject: [PATCH 0/3] extend EFI_TCG2_PROTOCOL support
Date: Fri, 27 Nov 2020 18:29:28 +0200
Message-ID: <20201127162932.1965323-1-ilias.apalodimas@linaro.org>

A previous patch introduced the basic functionality of the protocol, only
adding support for GetCapability().
In order for the protocol to be useful, an eventlog is required.
EFI applications can use the service to extend the TPM PCRs and log the
events in an eventlog that can be passed into Linux for further validation.

This patch adds support for creating the eventlog upon the protocol 
registration and registers GetEventLog() and HashLogExtendEvent() as well.

It's currently not adding support for measuring PE/COFF images.
It also doesn't add any specific U-Boot events that would extend the PCRs
and log events as described in PC Client Platform Firmware Profile spec [1].
This can be extended in the future.

An easy way to test this is to run Grub2 on top of U-Boot and use its
tpm module.  Once inserted, Grub2 extends PCRs for all the commands
and logs the events.
Since events that need logging after GetEventLog() has been called must be
logged in a different location, [2] has been used to test that.

This is what the eventlog looks like when booting a kernel using grub2
with [2] applied, which measures the initrd.
Hex to string on Grub2 events (marked as EV_IPL) will reveal the commands.

# Grub2 commands:
insmod tpm
insmod part_msdos
linux (hd0,msdos1)/boot/Image root=/dev/mmcblk1p2

- Event[0]:
  pcrIndex: 0
  eventType: EV_NO_ACTION
  digest: 0000000000000000000000000000000000000000
  eventDataSize: 45
    - Signature: Spec ID Event03
      platformClass: 0
      specVersionMinor: 0
      specVersionMajor: 2
      specErrata: 0
      uintnSize: 2
      numberOfAlgorithms: 4
        - Algorithm[0]:
          algorithmId: sha1
          digestSize: 20
        - Algorithm[1]:
          algorithmId: sha256
          digestSize: 32
        - Algorithm[2]:
          algorithmId: sha384
          digestSize: 48
        - Algorithm[3]:
          algorithmId: sha512
          digestSize: 64
      vendorInfoSize: 0
- Event[1]:
  PCRIndex: 8
  EventType: EV_IPL
  DigestCount: 4
    - AlgorithmId: sha1
      Digest: 610a881e824bb6fd57bea1c994805116171e3c9f
    - AlgorithmId: sha256
      Digest: 9e7b6286ce2d38c3a8d09d770ecc476868a0b38d39344e84458a52dbcf7ba6a6
    - AlgorithmId: sha384
      Digest: bba389f3cef6d483731aea81d96c55ca31e5d11df80c1e047b72b627a77a33bf636508f1479a3f11a18031a08a889a9f
    - AlgorithmId: sha512
      Digest: 34aa479c642e24905d86e5b00f84fd9d723b1cbb892dcdee1d9fdd016a374ff8d0da6b23a1699d6d3211bd59ae1202292aa0a947a198a9461b6b595bb300a3ce
  EventSize: 28
  Event: 677275625f636d643a20696e736d6f6420706172745f6d73646f7300
- Event[1]:
  PCRIndex: 8
  EventType: EV_IPL
  DigestCount: 4
    - AlgorithmId: sha1
      Digest: 2e8826950606c091843586479bd88b1fa7e287b0
    - AlgorithmId: sha256
      Digest: f13c2e564af1a92a14473a38f973b858974ab33c1bd525cd3a75e7ec4f48f718
    - AlgorithmId: sha384
      Digest: e1bf3f7b2c908fb5e16acf26991fa756ed307fb05315313e1055e0d3766027321db4f44dd6f97f9209cfbf9d5554ee2c
    - AlgorithmId: sha512
      Digest: 8bb77e6d3bc5c2766dde438f5aa70e2e733cf6cda30ab2274ab0ba4d4a75b764eef8d8fb728e0dc17ba121b3ff9d1885162d66b1376d649d74b1d3631a4d9ead
  EventSize: 60
  Event: 677275625f636d643a206c696e757820286864302c6d73646f7331292f626f6f742f496d61676520726f6f743d2f6465762f6d6d63626c6b31703200
- Event[1]:
  PCRIndex: 9
  EventType: EV_IPL
  DigestCount: 4
    - AlgorithmId: sha1
      Digest: 26e90b0fbd376b6c1a351da20814ebbd9d3ee8e7
    - AlgorithmId: sha256
      Digest: dc6cb872d9d2ecadfadb27e13c2b6b3bd1ba47ad992028aea6ca0440f82f5a2e
    - AlgorithmId: sha384
      Digest: f501cd5cbe7c775e3d39fed75979777a15bcc52f6d91dda3efda8071391104267af4bbeb04696b43f98fd7c47a71c246
    - AlgorithmId: sha512
      Digest: 30993c55f94163ed538b6d9495e390e1902cc0d376e0e3300101d1a2ae462dd99ae5e52ef3735142d29904ae6efe0d252580637d7ee0ae0d91424ba42aa3f5fc
  EventSize: 24
  Event: 286864302c6d73646f7331292f626f6f742f496d61676500
- Event[1]:
  PCRIndex: 8
  EventType: EV_IPL
  DigestCount: 4
    - AlgorithmId: sha1
      Digest: 1056664c244c8e8ac9f635c78109d2f57239d8d0
    - AlgorithmId: sha256
      Digest: 3aebbdb035d70ea02463b766683e40349485103fafc477885872ad0c8cc81dab
    - AlgorithmId: sha384
      Digest: 78da59e54c901c01df67d237e549d81c3c3af2cf33d1243ca7c2980610ffd2bcaa829a378a6fa33d11d66a8c4153a51a
    - AlgorithmId: sha512
      Digest: 6df0f14e1c4deefb0a7a2e3c6c0ce6d33df75e4c4707bd56de556ee3d4f4b60862c021ad5e3d1be54dc2b714cc45bbccdeb7fd95329a87f5265251a71e793d58
  EventSize: 60
  Event: 6b65726e656c5f636d646c696e653a20286864302c6d73646f7331292f626f6f742f496d61676520726f6f743d2f6465762f6d6d63626c6b31703200
- Event[1]:
  PCRIndex: 8
  EventType: EV_IPL
  DigestCount: 4
    - AlgorithmId: sha1
      Digest: 5c73b0c6f476ded38de389f894770f06f4d02b2f
    - AlgorithmId: sha256
      Digest: 4509beb0ab401d71fa4a5cd94a55c9a74f13332776ae4019c5bfc4c2005157ff
    - AlgorithmId: sha384
      Digest: 05ddaca1f7569ce3f10b731a040b646b182508b30ffa2daf834b88fe5ec00774edf3b06ad8bd90dde261a4c8e055fa28
    - AlgorithmId: sha512
      Digest: 2280c97f7da38410772dade5ec9feb005bd6643c8f06260b70619fe8e99da015dc9d2bb302d4762143824bff722541b87f2256d96abdf94d99edb35aa48aa24f
  EventSize: 15
  Event: 677275625f636d643a20626f6f7400
- Event[1]:
  PCRIndex: 0
  EventType: EV_EFI_ACTION
  DigestCount: 4
    - AlgorithmId: sha1
      Digest: 0c26b18b54c23976e3aa531463e0e8c69463a6b3
    - AlgorithmId: sha256
      Digest: 8eaa153c7724aac177a845a3a718d66bd61103da8b06c7d3fd453ef2e47ab272
    - AlgorithmId: sha384
      Digest: 5a56517994f45015105f4dc8f71b2b37cc6a9797a45c55b5edecd9b9dc9ab00966049d5c7ba7eae71347ad16c07cd92a
    - AlgorithmId: sha512
      Digest: 3c04a5ae692635725db702678883e61b7c458976d27d6424ef7a1ffa77715fa9126ae2e4eee8477ead4320c6124300022288a4c9c6d8afd7bc42b3451767b35a
  EventSize: 13
  Event: Linux initrd

[1] https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClientSpecPlat_TPM_2p0_1p04_pub.pdf
[2] https://lore.kernel.org/linux-efi/20201102170634.20575-1-ardb@kernel.org/

Ilias Apalodimas (3):
  tpm: Add tpm2 headers for TCG2 eventlog support
  efi_loader: Introduce eventlog support for TCG2_PROTOCOL
  cmd: efidebug: Add support for TCG2 final events table

 cmd/efidebug.c             |   4 +
 include/efi_api.h          |   4 +
 include/efi_tcg2.h         |  48 +++-
 include/tpm-v2.h           |  59 ++++
 lib/efi_loader/efi_setup.c |  12 +-
 lib/efi_loader/efi_tcg2.c  | 554 +++++++++++++++++++++++++++++++++++--
 6 files changed, 657 insertions(+), 24 deletions(-)
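
The validation a consumer of this log performs, as an added example that is not part of the original message or the patch series: decode the EV_IPL event data and replay the sha256 digests to obtain the PCR 8 and PCR 9 values the log implies. The EVENTS tuples are copied from the dump above (Spec ID header plus the five EV_IPL events); the function names are this example's own.

```python
import hashlib

# Copied from the dump above, sha256 bank only:
# (PCRIndex, EventType, Digest, Event data as hex). Event[0] is the header.
EVENTS = [
    (0, "EV_NO_ACTION", "00" * 20, ""),
    (8, "EV_IPL", "9e7b6286ce2d38c3a8d09d770ecc476868a0b38d39344e84458a52dbcf7ba6a6",
     "677275625f636d643a20696e736d6f6420706172745f6d73646f7300"),
    (8, "EV_IPL", "f13c2e564af1a92a14473a38f973b858974ab33c1bd525cd3a75e7ec4f48f718",
     "677275625f636d643a206c696e757820286864302c6d73646f7331292f626f6f742f496d61676520726f6f743d2f6465762f6d6d63626c6b31703200"),
    (9, "EV_IPL", "dc6cb872d9d2ecadfadb27e13c2b6b3bd1ba47ad992028aea6ca0440f82f5a2e",
     "286864302c6d73646f7331292f626f6f742f496d61676500"),
    (8, "EV_IPL", "3aebbdb035d70ea02463b766683e40349485103fafc477885872ad0c8cc81dab",
     "6b65726e656c5f636d646c696e653a20286864302c6d73646f7331292f626f6f742f496d61676520726f6f743d2f6465762f6d6d63626c6b31703200"),
    (8, "EV_IPL", "4509beb0ab401d71fa4a5cd94a55c9a74f13332776ae4019c5bfc4c2005157ff",
     "677275625f636d643a20626f6f7400"),
]


def decode_ipl(event_hex):
    """Turn the hex Event field of an EV_IPL entry into its ASCII text."""
    data = bytes.fromhex(event_hex)
    if not data.endswith(b"\x00"):
        raise ValueError("EV_IPL data is not NUL-terminated")
    return data[:-1].decode("ascii")


def commands(events):
    """(PCR, description) for every EV_IPL entry, in log order."""
    return [(pcr, decode_ipl(ev)) for pcr, etype, _, ev in events if etype == "EV_IPL"]


def replay(events, alg="sha256"):
    """Recompute one bank from the log: PCR_new = H(PCR_old || digest)."""
    size = hashlib.new(alg).digest_size
    pcrs = {}
    for pcr, etype, digest_hex, _ in events:
        if etype == "EV_NO_ACTION":       # informational, never extended
            continue
        digest = bytes.fromhex(digest_hex)
        if len(digest) != size:
            raise ValueError(f"digest length {len(digest)} does not fit {alg}")
        old = pcrs.get(pcr, bytes(size))  # PCRs 8 and 9 are all zeros after reset
        pcrs[pcr] = hashlib.new(alg, old + digest).digest()
    return {pcr: value.hex() for pcr, value in pcrs.items()}


if __name__ == "__main__":
    for pcr, text in commands(EVENTS):
        print(f"PCR {pcr}: {text}")
    for pcr, value in sorted(replay(EVENTS).items()):
        print(f"log implies sha256 PCR {pcr} = {value}")
```

If a replayed value differs from what the TPM reports for that PCR, the log does not account for everything that was extended and should not be trusted as a record of the boot.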


Thread overview: 10+ messages
2020-11-27 16:29 Ilias Apalodimas [this message]
2020-11-27 16:29 ` [PATCH 1/3] tpm: Add tpm2 headers for TCG2 eventlog support Ilias Apalodimas
2020-11-29  5:28   ` Heinrich Schuchardt
2020-11-29 13:22     ` Ilias Apalodimas
2020-11-27 16:29 ` [PATCH 2/3] efi_loader: Introduce eventlog support for TCG2_PROTOCOL Ilias Apalodimas
2020-11-29  6:02   ` Heinrich Schuchardt
2020-11-29 13:27     ` Ilias Apalodimas
2020-11-29 13:49       ` Heinrich Schuchardt
2020-11-29 14:02         ` Ilias Apalodimas
2020-11-27 16:29 ` [PATCH 3/3] cmd: efidebug: Add support for TCG2 final events table Ilias Apalodimas
