| Message ID | 20211104104546.13696-1-masahisa.kojima@linaro.org |
|---|---|
| Headers | show |
| Series | add selftest for EFI_TCG2_PROTOCOL and Measured Boot | expand |
On 11/4/21 11:45, Masahisa Kojima wrote: > This patch adds the selftest for the EFI_TCG2_PROTOCOL and > Measured Boot flow. > This selftest is verified on qemu with swtpm on both 32-bit arm > and arm64. > > This commit adds the pre-build binary for the PE/COFF image It seems that you have been compiling lib/efi_selftest/efi_selftest_miniapp_exit.c and using tools/file2include.c for converting to an include. The information in this header mail should be in the patch itself. Best regards Heinrich > measurement test for each architecture. I have tested only > on 32-bit arm and arm64. > For ia32, x86_64, riscv32 and riscv64, actual selftest behavior > is not yet tested, but the expected PCR values are calculated > on arm64 environment. > > This commit covers most of the functionalities, but there are some > limitations and TODO items. > > [Limitation] > - Verified actual selftest behavior only on arm and arm64. > - Tcg2 selftest must run at the beginning of the efi_selftest because > some measurement occurs in efi_tcg2_register() and boottime->image_load(). > Need to configure the efi_selftest with "setenv efi_selftest tcg2; bootefi selftest" > - Skip ExitBootService measurement test > - EFI application can not read PCR after calling ExitBootService > - Skip EventLog Validation > - Measured Boot measures U-Boot version, so EventLog varies every build having > different commit hash. > - Skip PCR[0] validation > - PCR[0] include U-Boot version measurement, this value varies every build > having different commit hash. > - Skip PCR[7] validation > - Secure Boot Variables can not be updated through efi_selftest. > - The initial PCR value of PCR[17 - 22] is all 0xff. I'm not sure > it is expected or not, but at least Secure96 and swtpm has the same initial value. > > [TODO] > - GPT measurement test > - Secure Boot Variable test > - Eventlog validation > > Masahisa Kojima (1): > efi_selftest: add selftest for EFI_TCG2_PROTOCOL and Measured Boot > > lib/efi_selftest/efi_miniapp_tcg2_arm.h | 152 ++++ > lib/efi_selftest/efi_miniapp_tcg2_arm64.h | 207 +++++ > lib/efi_selftest/efi_miniapp_tcg2_ia32.h | 177 ++++ > lib/efi_selftest/efi_miniapp_tcg2_riscv32.h | 173 ++++ > lib/efi_selftest/efi_miniapp_tcg2_riscv64.h | 189 ++++ > lib/efi_selftest/efi_miniapp_tcg2_x86_64.h | 178 ++++ > lib/efi_selftest/efi_selftest_tcg2.c | 941 +++++++++++++++++++- > 7 files changed, 2016 insertions(+), 1 deletion(-) > create mode 100644 lib/efi_selftest/efi_miniapp_tcg2_arm.h > create mode 100644 lib/efi_selftest/efi_miniapp_tcg2_arm64.h > create mode 100644 lib/efi_selftest/efi_miniapp_tcg2_ia32.h > create mode 100644 lib/efi_selftest/efi_miniapp_tcg2_riscv32.h > create mode 100644 lib/efi_selftest/efi_miniapp_tcg2_riscv64.h > create mode 100644 lib/efi_selftest/efi_miniapp_tcg2_x86_64.h >
Hi Heinrich, On Sun, 7 Nov 2021 at 17:30, Heinrich Schuchardt <xypron.glpk@gmx.de> wrote: > > On 11/4/21 11:45, Masahisa Kojima wrote: > > This patch adds the selftest for the EFI_TCG2_PROTOCOL and > > Measured Boot flow. > > This selftest is verified on qemu with swtpm on both 32-bit arm > > and arm64. > > > > This commit adds the pre-build binary for the PE/COFF image > > It seems that you have been compiling > lib/efi_selftest/efi_selftest_miniapp_exit.c > and using tools/file2include.c for converting to an include. Yes, you are correct. > > The information in this header mail should be in the patch itself. Thank you for updating the commit message in efi-2022-01 tree. Thanks, Masahisa Kojima > > Best regards > > Heinrich > > > measurement test for each architecture. I have tested only > > on 32-bit arm and arm64. > > For ia32, x86_64, riscv32 and riscv64, actual selftest behavior > > is not yet tested, but the expected PCR values are calculated > > on arm64 environment. > > > > This commit covers most of the functionalities, but there are some > > limitations and TODO items. > > > > [Limitation] > > - Verified actual selftest behavior only on arm and arm64. > > - Tcg2 selftest must run at the beginning of the efi_selftest because > > some measurement occurs in efi_tcg2_register() and boottime->image_load(). > > Need to configure the efi_selftest with "setenv efi_selftest tcg2; bootefi selftest" > > - Skip ExitBootService measurement test > > - EFI application can not read PCR after calling ExitBootService > > - Skip EventLog Validation > > - Measured Boot measures U-Boot version, so EventLog varies every build having > > different commit hash. > > - Skip PCR[0] validation > > - PCR[0] include U-Boot version measurement, this value varies every build > > having different commit hash. > > - Skip PCR[7] validation > > - Secure Boot Variables can not be updated through efi_selftest. > > - The initial PCR value of PCR[17 - 22] is all 0xff. I'm not sure > > it is expected or not, but at least Secure96 and swtpm has the same initial value. > > > > [TODO] > > - GPT measurement test > > - Secure Boot Variable test > > - Eventlog validation > > > > Masahisa Kojima (1): > > efi_selftest: add selftest for EFI_TCG2_PROTOCOL and Measured Boot > > > > lib/efi_selftest/efi_miniapp_tcg2_arm.h | 152 ++++ > > lib/efi_selftest/efi_miniapp_tcg2_arm64.h | 207 +++++ > > lib/efi_selftest/efi_miniapp_tcg2_ia32.h | 177 ++++ > > lib/efi_selftest/efi_miniapp_tcg2_riscv32.h | 173 ++++ > > lib/efi_selftest/efi_miniapp_tcg2_riscv64.h | 189 ++++ > > lib/efi_selftest/efi_miniapp_tcg2_x86_64.h | 178 ++++ > > lib/efi_selftest/efi_selftest_tcg2.c | 941 +++++++++++++++++++- > > 7 files changed, 2016 insertions(+), 1 deletion(-) > > create mode 100644 lib/efi_selftest/efi_miniapp_tcg2_arm.h > > create mode 100644 lib/efi_selftest/efi_miniapp_tcg2_arm64.h > > create mode 100644 lib/efi_selftest/efi_miniapp_tcg2_ia32.h > > create mode 100644 lib/efi_selftest/efi_miniapp_tcg2_riscv32.h > > create mode 100644 lib/efi_selftest/efi_miniapp_tcg2_riscv64.h > > create mode 100644 lib/efi_selftest/efi_miniapp_tcg2_x86_64.h > >
This patch adds the selftest for the EFI_TCG2_PROTOCOL and Measured Boot flow. This selftest is verified on qemu with swtpm on both 32-bit arm and arm64. This commit adds the pre-build binary for the PE/COFF image measurement test for each architecture. I have tested only on 32-bit arm and arm64. For ia32, x86_64, riscv32 and riscv64, actual selftest behavior is not yet tested, but the expected PCR values are calculated on arm64 environment. This commit covers most of the functionalities, but there are some limitations and TODO items. [Limitation] - Verified actual selftest behavior only on arm and arm64. - Tcg2 selftest must run at the beginning of the efi_selftest because some measurement occurs in efi_tcg2_register() and boottime->image_load(). Need to configure the efi_selftest with "setenv efi_selftest tcg2; bootefi selftest" - Skip ExitBootService measurement test - EFI application can not read PCR after calling ExitBootService - Skip EventLog Validation - Measured Boot measures U-Boot version, so EventLog varies every build having different commit hash. - Skip PCR[0] validation - PCR[0] include U-Boot version measurement, this value varies every build having different commit hash. - Skip PCR[7] validation - Secure Boot Variables can not be updated through efi_selftest. - The initial PCR value of PCR[17 - 22] is all 0xff. I'm not sure it is expected or not, but at least Secure96 and swtpm has the same initial value. [TODO] - GPT measurement test - Secure Boot Variable test - Eventlog validation Masahisa Kojima (1): efi_selftest: add selftest for EFI_TCG2_PROTOCOL and Measured Boot lib/efi_selftest/efi_miniapp_tcg2_arm.h | 152 ++++ lib/efi_selftest/efi_miniapp_tcg2_arm64.h | 207 +++++ lib/efi_selftest/efi_miniapp_tcg2_ia32.h | 177 ++++ lib/efi_selftest/efi_miniapp_tcg2_riscv32.h | 173 ++++ lib/efi_selftest/efi_miniapp_tcg2_riscv64.h | 189 ++++ lib/efi_selftest/efi_miniapp_tcg2_x86_64.h | 178 ++++ lib/efi_selftest/efi_selftest_tcg2.c | 941 +++++++++++++++++++- 7 files changed, 2016 insertions(+), 1 deletion(-) create mode 100644 lib/efi_selftest/efi_miniapp_tcg2_arm.h create mode 100644 lib/efi_selftest/efi_miniapp_tcg2_arm64.h create mode 100644 lib/efi_selftest/efi_miniapp_tcg2_ia32.h create mode 100644 lib/efi_selftest/efi_miniapp_tcg2_riscv32.h create mode 100644 lib/efi_selftest/efi_miniapp_tcg2_riscv64.h create mode 100644 lib/efi_selftest/efi_miniapp_tcg2_x86_64.h -- 2.17.1