| Message ID | 20210806070215.19887-1-masahisa.kojima@linaro.org |
|---|---|
| Headers | show |
| Series | add measurement support | expand |
On 8/6/21 9:02 AM, Masahisa Kojima wrote: > This patch series add the support of measurement > descibed in TCG PC Client PFP spec(Version 1.05 Revision 23). > > Eventlog generated with this patch series are tested on > the aarch64 based machine(Socionext Developerbox) and fTPM > running on OP-TEE. > The eventlog result is almost same result as the one > generated by edk2 running on the Devloperbox and Secure96. > > This patch series does not cover all measurement requirements > described in TCG spec, the remaining items will be supported > in the future. > Major missing items in TCG PC Client PFP spec: > 1) If the secure boot variables are updated after they are > initially measured in PCR[7] and before ExitBootServices() > has completed, the platform MAY be restarted OR the variables > MUST be remeasured into PCR[7]. > 2) SMBIOS structure measurement > 3) "DeployedMode" and "AuditMode" measurement > 4) EV_EFI_GPT_EVENT event > 5) Measurement of U-boot itself. I assume U-boot measurement will be done > by the former firmware such as trusted firmware. Do you plan to measure the devicetree using event type EV_EFI_HANDOFF_TABLES? Or does Linux measure it? Are there cases where devicetrees contain non-static information which would have to be excluded from such measurement (e.g. randomized MAC address)? Best regards Heinrich > > Masahisa Kojima (5): > efi_loader: add secure boot variable measurement > efi_loader: add boot variable measurement > efi_loader: add ExitBootServices() measurement > efi_loader: refactor efi_append_scrtm_version() > efi_loader: add comment for efi_tcg2.h > > include/efi_loader.h | 5 + > include/efi_tcg2.h | 77 +++++++- > include/tpm-v2.h | 18 +- > lib/efi_loader/efi_boottime.c | 25 +++ > lib/efi_loader/efi_tcg2.c | 356 +++++++++++++++++++++++++++++++++- > 5 files changed, 471 insertions(+), 10 deletions(-) >
This patch series add the support of measurement descibed in TCG PC Client PFP spec(Version 1.05 Revision 23). Eventlog generated with this patch series are tested on the aarch64 based machine(Socionext Developerbox) and fTPM running on OP-TEE. The eventlog result is almost same result as the one generated by edk2 running on the Devloperbox and Secure96. This patch series does not cover all measurement requirements described in TCG spec, the remaining items will be supported in the future. Major missing items in TCG PC Client PFP spec: 1) If the secure boot variables are updated after they are initially measured in PCR[7] and before ExitBootServices() has completed, the platform MAY be restarted OR the variables MUST be remeasured into PCR[7]. 2) SMBIOS structure measurement 3) "DeployedMode" and "AuditMode" measurement 4) EV_EFI_GPT_EVENT event 5) Measurement of U-boot itself. I assume U-boot measurement will be done by the former firmware such as trusted firmware. Masahisa Kojima (5): efi_loader: add secure boot variable measurement efi_loader: add boot variable measurement efi_loader: add ExitBootServices() measurement efi_loader: refactor efi_append_scrtm_version() efi_loader: add comment for efi_tcg2.h include/efi_loader.h | 5 + include/efi_tcg2.h | 77 +++++++- include/tpm-v2.h | 18 +- lib/efi_loader/efi_boottime.c | 25 +++ lib/efi_loader/efi_tcg2.c | 356 +++++++++++++++++++++++++++++++++- 5 files changed, 471 insertions(+), 10 deletions(-) -- 2.17.1