From: Ilias Apalodimas <ilias.apalodimas@linaro.org>
To: u-boot@lists.denx.de
Subject: [PATCH 0/3] extend EFI_TCG2_PROTOCOL support
Date: Fri, 27 Nov 2020 18:29:28 +0200
Message-ID: <20201127162932.1965323-1-ilias.apalodimas@linaro.org>

A previous patch introduced the basic functionality of the protocol, only
adding support for GetCapability().
In order for the protocol to be useful, an eventlog is required.
EFI applications can use the service to extend the TPM PCRs and log the
events on an eventlog that can be passed into Linux for further validation.

This patch adds support for creating the eventlog upon the protocol
registration and registers GetEventLog() and HashLogExtendEvent() as well.
It's currently not adding support for measuring PE/COFF images.
It also doesn't add any specific U-Boot events that would extend the PCRs
and log events as described in PC Client Platform Firmware Profile spec [1].
This can be extended in the future.

An easy way to test this is to run Grub2 on top of U-Boot and use its
tpm module. Once inserted, Grub2 extends PCRs for all the commands
and logs the events.
Since events that need logging after GetEventLog() has been called must be
logged in a different location, [2] has been used to test that.

This is what the eventlog looks like when booting a kernel, using grub2 and
with [2] applied, which measures the initrd.
Hex to string on Grub2 events (marked as EV_IPL) will reveal the commands
used.

# Grub2 commands:
insmod tpm
insmod part_msdos
linux (hd0,msdos1)/boot/Image root=/dev/mmcblk1p2
boot
- Event[0]:
pcrIndex: 0
eventType: EV_NO_ACTION
digest: 0000000000000000000000000000000000000000
eventDataSize: 45
SpecID:
- Signature: Spec ID Event03
platformClass: 0
specVersionMinor: 0
specVersionMajor: 2
specErrata: 0
uintnSize: 2
numberOfAlgorithms: 4
Algorithms:
- Algorithm[0]:
algorithmId: sha1
digestSize: 20
- Algorithm[1]:
algorithmId: sha256
digestSize: 32
- Algorithm[2]:
algorithmId: sha384
digestSize: 48
- Algorithm[3]:
algorithmId: sha512
digestSize: 64
vendorInfoSize: 0
- Event[1]:
PCRIndex: 8
EventType: EV_IPL
DigestCount: 4
Digests:
- AlgorithmId: sha1
Digest: 610a881e824bb6fd57bea1c994805116171e3c9f
- AlgorithmId: sha256
Digest: 9e7b6286ce2d38c3a8d09d770ecc476868a0b38d39344e84458a52dbcf7ba6a6
- AlgorithmId: sha384
Digest: bba389f3cef6d483731aea81d96c55ca31e5d11df80c1e047b72b627a77a33bf636508f1479a3f11a18031a08a889a9f
- AlgorithmId: sha512
Digest: 34aa479c642e24905d86e5b00f84fd9d723b1cbb892dcdee1d9fdd016a374ff8d0da6b23a1699d6d3211bd59ae1202292aa0a947a198a9461b6b595bb300a3ce
EventSize: 28
Event: 677275625f636d643a20696e736d6f6420706172745f6d73646f7300
- Event[1]:
PCRIndex: 8
EventType: EV_IPL
DigestCount: 4
Digests:
- AlgorithmId: sha1
Digest: 2e8826950606c091843586479bd88b1fa7e287b0
- AlgorithmId: sha256
Digest: f13c2e564af1a92a14473a38f973b858974ab33c1bd525cd3a75e7ec4f48f718
- AlgorithmId: sha384
Digest: e1bf3f7b2c908fb5e16acf26991fa756ed307fb05315313e1055e0d3766027321db4f44dd6f97f9209cfbf9d5554ee2c
- AlgorithmId: sha512
Digest: 8bb77e6d3bc5c2766dde438f5aa70e2e733cf6cda30ab2274ab0ba4d4a75b764eef8d8fb728e0dc17ba121b3ff9d1885162d66b1376d649d74b1d3631a4d9ead
EventSize: 60
Event: 677275625f636d643a206c696e757820286864302c6d73646f7331292f626f6f742f496d61676520726f6f743d2f6465762f6d6d63626c6b31703200
- Event[1]:
PCRIndex: 9
EventType: EV_IPL
DigestCount: 4
Digests:
- AlgorithmId: sha1
Digest: 26e90b0fbd376b6c1a351da20814ebbd9d3ee8e7
- AlgorithmId: sha256
Digest: dc6cb872d9d2ecadfadb27e13c2b6b3bd1ba47ad992028aea6ca0440f82f5a2e
- AlgorithmId: sha384
Digest: f501cd5cbe7c775e3d39fed75979777a15bcc52f6d91dda3efda8071391104267af4bbeb04696b43f98fd7c47a71c246
- AlgorithmId: sha512
Digest: 30993c55f94163ed538b6d9495e390e1902cc0d376e0e3300101d1a2ae462dd99ae5e52ef3735142d29904ae6efe0d252580637d7ee0ae0d91424ba42aa3f5fc
EventSize: 24
Event: 286864302c6d73646f7331292f626f6f742f496d61676500
- Event[1]:
PCRIndex: 8
EventType: EV_IPL
DigestCount: 4
Digests:
- AlgorithmId: sha1
Digest: 1056664c244c8e8ac9f635c78109d2f57239d8d0
- AlgorithmId: sha256
Digest: 3aebbdb035d70ea02463b766683e40349485103fafc477885872ad0c8cc81dab
- AlgorithmId: sha384
Digest: 78da59e54c901c01df67d237e549d81c3c3af2cf33d1243ca7c2980610ffd2bcaa829a378a6fa33d11d66a8c4153a51a
- AlgorithmId: sha512
Digest: 6df0f14e1c4deefb0a7a2e3c6c0ce6d33df75e4c4707bd56de556ee3d4f4b60862c021ad5e3d1be54dc2b714cc45bbccdeb7fd95329a87f5265251a71e793d58
EventSize: 60
Event: 6b65726e656c5f636d646c696e653a20286864302c6d73646f7331292f626f6f742f496d61676520726f6f743d2f6465762f6d6d63626c6b31703200
- Event[1]:
PCRIndex: 8
EventType: EV_IPL
DigestCount: 4
Digests:
- AlgorithmId: sha1
Digest: 5c73b0c6f476ded38de389f894770f06f4d02b2f
- AlgorithmId: sha256
Digest: 4509beb0ab401d71fa4a5cd94a55c9a74f13332776ae4019c5bfc4c2005157ff
- AlgorithmId: sha384
Digest: 05ddaca1f7569ce3f10b731a040b646b182508b30ffa2daf834b88fe5ec00774edf3b06ad8bd90dde261a4c8e055fa28
- AlgorithmId: sha512
Digest: 2280c97f7da38410772dade5ec9feb005bd6643c8f06260b70619fe8e99da015dc9d2bb302d4762143824bff722541b87f2256d96abdf94d99edb35aa48aa24f
EventSize: 15
Event: 677275625f636d643a20626f6f7400
- Event[1]:
PCRIndex: 0
EventType: EV_EFI_ACTION
DigestCount: 4
Digests:
- AlgorithmId: sha1
Digest: 0c26b18b54c23976e3aa531463e0e8c69463a6b3
- AlgorithmId: sha256
Digest: 8eaa153c7724aac177a845a3a718d66bd61103da8b06c7d3fd453ef2e47ab272
- AlgorithmId: sha384
Digest: 5a56517994f45015105f4dc8f71b2b37cc6a9797a45c55b5edecd9b9dc9ab00966049d5c7ba7eae71347ad16c07cd92a
- AlgorithmId: sha512
Digest: 3c04a5ae692635725db702678883e61b7c458976d27d6424ef7a1ffa77715fa9126ae2e4eee8477ead4320c6124300022288a4c9c6d8afd7bc42b3451767b35a
EventSize: 13
Event: Linux initrd
[1] https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClientSpecPlat_TPM_2p0_1p04_pub.pdf
[2] https://lore.kernel.org/linux-efi/20201102170634.20575-1-ardb@kernel.org/

Ilias Apalodimas (3):
  tpm: Add tpm2 headers for TCG2 eventlog support
  efi_loader: Introduce eventlog support for TCG2_PROTOCOL
  cmd: efidebug: Add support for TCG2 final events table

cmd/efidebug.c | 4 +
include/efi_api.h | 4 +
include/efi_tcg2.h | 48 +++-
include/tpm-v2.h | 59 ++++
lib/efi_loader/efi_setup.c | 12 +-
lib/efi_loader/efi_tcg2.c | 554 +++++++++++++++++++++++++++++++++++--
6 files changed, 657 insertions(+), 24 deletions(-)
--
2.29.2
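
Added example (not part of the original message or of the U-Boot patches): the "hex to string" step on the EV_IPL events above, plus a replay of the logged sha256 digests into the PCR 8 and PCR 9 values a verifier would expect. The names EV_IPL_EVENTS, decode_event and replay_pcrs are hypothetical; the replay assumes both PCRs start at zero and that the listed events are the only extends to them.

```python
import hashlib

# (PCR index, sha256 digest, Event hex, EventSize), copied from the EV_IPL
# entries of the eventlog in this message, in log order.
EV_IPL_EVENTS = [
    (8, "9e7b6286ce2d38c3a8d09d770ecc476868a0b38d39344e84458a52dbcf7ba6a6",
     "677275625f636d643a20696e736d6f6420706172745f6d73646f7300", 28),
    (8, "f13c2e564af1a92a14473a38f973b858974ab33c1bd525cd3a75e7ec4f48f718",
     "677275625f636d643a206c696e757820286864302c6d73646f7331292f626f6f742f"
     "496d61676520726f6f743d2f6465762f6d6d63626c6b31703200", 60),
    (9, "dc6cb872d9d2ecadfadb27e13c2b6b3bd1ba47ad992028aea6ca0440f82f5a2e",
     "286864302c6d73646f7331292f626f6f742f496d61676500", 24),
    (8, "3aebbdb035d70ea02463b766683e40349485103fafc477885872ad0c8cc81dab",
     "6b65726e656c5f636d646c696e653a20286864302c6d73646f7331292f626f6f742f"
     "496d61676520726f6f743d2f6465762f6d6d63626c6b31703200", 60),
    (8, "4509beb0ab401d71fa4a5cd94a55c9a74f13332776ae4019c5bfc4c2005157ff",
     "677275625f636d643a20626f6f7400", 15),
]


def decode_event(event_hex, event_size):
    """Turn an EV_IPL Event field into text, checking it against EventSize."""
    raw = bytes.fromhex(event_hex)
    if len(raw) != event_size:
        raise ValueError(f"EventSize {event_size} != {len(raw)} bytes of data")
    return raw.rstrip(b"\x00").decode("ascii")


def replay_pcrs(events, alg="sha256"):
    """Replay the extends: PCR_new = H(PCR_old || digest), PCRs start at zero."""
    pcrs = {}
    for pcr, digest, _data, _size in events:
        old = pcrs.get(pcr, bytes(hashlib.new(alg).digest_size))
        pcrs[pcr] = hashlib.new(alg, old + bytes.fromhex(digest)).digest()
    return {pcr: value.hex() for pcr, value in pcrs.items()}


if __name__ == "__main__":
    for pcr, _digest, data, size in EV_IPL_EVENTS:
        print(f"PCR{pcr}: {decode_event(data, size)}")
    # Compare these with the TPM's own values, e.g. tpm2_pcrread sha256:8,9
    for pcr, value in sorted(replay_pcrs(EV_IPL_EVENTS).items()):
        print(f"expected PCR{pcr} (sha256): {value}")
```

The replay only ties the log to the PCR contents; it does not check that each digest matches its event data.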