Re: [PATCH v8 0/6] tpm: Support boot measurements
On 3/6/23 00:58, Ilias Apalodimas wrote: Hi Eddie, This has a few failures on the CI [0]. Please have a look and let me know if you can't understand the failures Hi, I think I have fixed the sandbox ones for v9. I'm unsure about the EFI selftest one in qemu targets... Thanks, Eddie [0] https://source.denx.de/u-boot/custodians/u-boot-tpm/-/pipelines/15471 Regards /Ilias On Fri, Mar 03, 2023 at 01:25:00PM -0600, Eddie James wrote: This series adds support for measuring the boot images more generically than the existing EFI support. Several EFI functions have been moved to the TPM layer. The series includes optional measurement from the bootm command. A new test case has been added for the bootm measurement to test the new path, and the sandbox TPM2 driver has been updated to support this use case. This series is based on Ilias' auto-startup series and Simon's additions. Changes since v7: - Change name of tcg2_init_log and add more documentation - Add a check, when parsing the event log header, to ensure that the previous stage bootloader used all the active PCRs. - Change name of tcg2_log_find_end - Fix the greater than or equal to check to exit the log parsing - Make sure log_position is 0 if there is any error discovering the log - Return errors parsing the log if the data is corrupt so that we don't end up with half a log Changes since v6: - Added comment for bootm_measure - Fixed line length in bootm_measure - Added Linaro copyright for all the EFI moved code - Changed tcg2_init_log (and by extension, tcg2_measurement_init) to copy any discovered event log to the user's log if passed in. Changes since v5: - Re-ordered the patches to put the sandbox TPM driver patch second - Remove unused platform_get_eventlog in efi_tcg2.c - First look for tpm_event_log_* properties instead of linux,sml-* - Fix efi_tcg2.c compilation - Select SHA* configs - Remove the !SANDBOX dependency for EFI TCG2 - Only compile in the measurement u-boot command when CONFIG_MEASURED_BOOT is enabled Changes since v4: - Remove tcg2_measure_event function and check for NULL data in tcg2_measure_data - Use tpm_auto_startup - Fix efi_tcg2.c compilation for removing tcg2_pcr_read function - Change PCR indexes for initrd and dtb - Drop u8 casting in measurement test - Use bullets in documentation Changes since v3: - Reordered headers - Refactored more of EFI code into common code Removed digest_info structure and instead used the common alg_to_mask and alg_to_len Improved event log parsing in common code to get it equivalent to EFI Common code now extends PCR if previous bootloader stage couldn't No need to allocate memory in the common code, so EFI copies the discovered buffer like it did before Rename efi measure_event function Changes since v2: - Add documentation. - Changed reserved memory address to the top of the RAM for sandbox dts. - Add measure state to booti and bootz. - Skip measurement for EFI images that should be measured Changes since v1: - Refactor TPM layer functions to allow EFI system to use them, and remove duplicate EFI functions. - Add test case - Drop #ifdefs for bootm - Add devicetree measurement config option - Update sandbox TPM driver Eddie James (6): tpm: Fix spelling for tpmu_ha union tpm: sandbox: Update for needed TPM2 capabilities tpm: Support boot measurements bootm: Support boot measurement test: Add sandbox TPM boot measurement doc: Add measured boot documentation arch/sandbox/dts/sandbox.dtsi | 13 + arch/sandbox/dts/test.dts | 13 + boot/Kconfig | 23 + boot/bootm.c | 72 +++ cmd/booti.c|1 + cmd/bootm.c|2 + cmd/bootz.c|1 + configs/sandbox_defconfig |1 + doc/usage/index.rst|1 + doc/usage/measured_boot.rst| 23 + drivers/tpm/tpm2_tis_sandbox.c | 100 ++- include/bootm.h| 11 + include/efi_tcg2.h | 44 -- include/image.h|1 + include/test/suites.h |1 + include/tpm-v2.h | 255 +++- lib/Kconfig|4 + lib/efi_loader/Kconfig |2 - lib/efi_loader/efi_tcg2.c | 1054 +++- lib/tpm-v2.c | 815 test/boot/Makefile |1 + test/boot/measurement.c| 66 ++ test/cmd_ut.c |4 + 23 files changed, 1455 insertions(+), 1053 deletions(-) create mode 100644 doc/usage/measured_boot.rst create mode 100644 test/boot/measurement.c -- 2.31.1
Re: [PATCH v8 0/6] tpm: Support boot measurements
Hi Eddie, This has a few failures on the CI [0]. Please have a look and let me know if you can't understand the failures [0] https://source.denx.de/u-boot/custodians/u-boot-tpm/-/pipelines/15471 Regards /Ilias On Fri, Mar 03, 2023 at 01:25:00PM -0600, Eddie James wrote: > This series adds support for measuring the boot images more generically > than the existing EFI support. Several EFI functions have been moved to > the TPM layer. The series includes optional measurement from the bootm > command. > A new test case has been added for the bootm measurement to test the new > path, and the sandbox TPM2 driver has been updated to support this use > case. > This series is based on Ilias' auto-startup series and Simon's additions. > > Changes since v7: > - Change name of tcg2_init_log and add more documentation > - Add a check, when parsing the event log header, to ensure that the >previous stage bootloader used all the active PCRs. > - Change name of tcg2_log_find_end > - Fix the greater than or equal to check to exit the log parsing > - Make sure log_position is 0 if there is any error discovering the log > - Return errors parsing the log if the data is corrupt so that we don't >end up with half a log > > Changes since v6: > - Added comment for bootm_measure > - Fixed line length in bootm_measure > - Added Linaro copyright for all the EFI moved code > - Changed tcg2_init_log (and by extension, tcg2_measurement_init) to >copy any discovered event log to the user's log if passed in. > > Changes since v5: > - Re-ordered the patches to put the sandbox TPM driver patch second > - Remove unused platform_get_eventlog in efi_tcg2.c > - First look for tpm_event_log_* properties instead of linux,sml-* > - Fix efi_tcg2.c compilation > - Select SHA* configs > - Remove the !SANDBOX dependency for EFI TCG2 > - Only compile in the measurement u-boot command when CONFIG_MEASURED_BOOT >is enabled > > Changes since v4: > - Remove tcg2_measure_event function and check for NULL data in >tcg2_measure_data > - Use tpm_auto_startup > - Fix efi_tcg2.c compilation for removing tcg2_pcr_read function > - Change PCR indexes for initrd and dtb > - Drop u8 casting in measurement test > - Use bullets in documentation > > Changes since v3: > - Reordered headers > - Refactored more of EFI code into common code > Removed digest_info structure and instead used the common alg_to_mask > and alg_to_len > Improved event log parsing in common code to get it equivalent to EFI > Common code now extends PCR if previous bootloader stage couldn't > No need to allocate memory in the common code, so EFI copies the > discovered buffer like it did before > Rename efi measure_event function > > Changes since v2: > - Add documentation. > - Changed reserved memory address to the top of the RAM for sandbox dts. > - Add measure state to booti and bootz. > - Skip measurement for EFI images that should be measured > > Changes since v1: > - Refactor TPM layer functions to allow EFI system to use them, and >remove duplicate EFI functions. > - Add test case > - Drop #ifdefs for bootm > - Add devicetree measurement config option > - Update sandbox TPM driver > > Eddie James (6): > tpm: Fix spelling for tpmu_ha union > tpm: sandbox: Update for needed TPM2 capabilities > tpm: Support boot measurements > bootm: Support boot measurement > test: Add sandbox TPM boot measurement > doc: Add measured boot documentation > > arch/sandbox/dts/sandbox.dtsi | 13 + > arch/sandbox/dts/test.dts | 13 + > boot/Kconfig | 23 + > boot/bootm.c | 72 +++ > cmd/booti.c|1 + > cmd/bootm.c|2 + > cmd/bootz.c|1 + > configs/sandbox_defconfig |1 + > doc/usage/index.rst|1 + > doc/usage/measured_boot.rst| 23 + > drivers/tpm/tpm2_tis_sandbox.c | 100 ++- > include/bootm.h| 11 + > include/efi_tcg2.h | 44 -- > include/image.h|1 + > include/test/suites.h |1 + > include/tpm-v2.h | 255 +++- > lib/Kconfig|4 + > lib/efi_loader/Kconfig |2 - > lib/efi_loader/efi_tcg2.c | 1054 +++- > lib/tpm-v2.c | 815 > test/boot/Makefile |1 + > test/boot/measurement.c| 66 ++ > test/cmd_ut.c |4 + > 23 files changed, 1455 insertions(+), 1053 deletions(-) > create mode 100644 doc/usage/measured_boot.rst > create mode 100644 test/boot/measurement.c > > -- > 2.31.1 >
[PATCH v8 0/6] tpm: Support boot measurements
This series adds support for measuring the boot images more generically than the existing EFI support. Several EFI functions have been moved to the TPM layer. The series includes optional measurement from the bootm command. A new test case has been added for the bootm measurement to test the new path, and the sandbox TPM2 driver has been updated to support this use case. This series is based on Ilias' auto-startup series and Simon's additions. Changes since v7: - Change name of tcg2_init_log and add more documentation - Add a check, when parsing the event log header, to ensure that the previous stage bootloader used all the active PCRs. - Change name of tcg2_log_find_end - Fix the greater than or equal to check to exit the log parsing - Make sure log_position is 0 if there is any error discovering the log - Return errors parsing the log if the data is corrupt so that we don't end up with half a log Changes since v6: - Added comment for bootm_measure - Fixed line length in bootm_measure - Added Linaro copyright for all the EFI moved code - Changed tcg2_init_log (and by extension, tcg2_measurement_init) to copy any discovered event log to the user's log if passed in. Changes since v5: - Re-ordered the patches to put the sandbox TPM driver patch second - Remove unused platform_get_eventlog in efi_tcg2.c - First look for tpm_event_log_* properties instead of linux,sml-* - Fix efi_tcg2.c compilation - Select SHA* configs - Remove the !SANDBOX dependency for EFI TCG2 - Only compile in the measurement u-boot command when CONFIG_MEASURED_BOOT is enabled Changes since v4: - Remove tcg2_measure_event function and check for NULL data in tcg2_measure_data - Use tpm_auto_startup - Fix efi_tcg2.c compilation for removing tcg2_pcr_read function - Change PCR indexes for initrd and dtb - Drop u8 casting in measurement test - Use bullets in documentation Changes since v3: - Reordered headers - Refactored more of EFI code into common code Removed digest_info structure and instead used the common alg_to_mask and alg_to_len Improved event log parsing in common code to get it equivalent to EFI Common code now extends PCR if previous bootloader stage couldn't No need to allocate memory in the common code, so EFI copies the discovered buffer like it did before Rename efi measure_event function Changes since v2: - Add documentation. - Changed reserved memory address to the top of the RAM for sandbox dts. - Add measure state to booti and bootz. - Skip measurement for EFI images that should be measured Changes since v1: - Refactor TPM layer functions to allow EFI system to use them, and remove duplicate EFI functions. - Add test case - Drop #ifdefs for bootm - Add devicetree measurement config option - Update sandbox TPM driver Eddie James (6): tpm: Fix spelling for tpmu_ha union tpm: sandbox: Update for needed TPM2 capabilities tpm: Support boot measurements bootm: Support boot measurement test: Add sandbox TPM boot measurement doc: Add measured boot documentation arch/sandbox/dts/sandbox.dtsi | 13 + arch/sandbox/dts/test.dts | 13 + boot/Kconfig | 23 + boot/bootm.c | 72 +++ cmd/booti.c|1 + cmd/bootm.c|2 + cmd/bootz.c|1 + configs/sandbox_defconfig |1 + doc/usage/index.rst|1 + doc/usage/measured_boot.rst| 23 + drivers/tpm/tpm2_tis_sandbox.c | 100 ++- include/bootm.h| 11 + include/efi_tcg2.h | 44 -- include/image.h|1 + include/test/suites.h |1 + include/tpm-v2.h | 255 +++- lib/Kconfig|4 + lib/efi_loader/Kconfig |2 - lib/efi_loader/efi_tcg2.c | 1054 +++- lib/tpm-v2.c | 815 test/boot/Makefile |1 + test/boot/measurement.c| 66 ++ test/cmd_ut.c |4 + 23 files changed, 1455 insertions(+), 1053 deletions(-) create mode 100644 doc/usage/measured_boot.rst create mode 100644 test/boot/measurement.c -- 2.31.1
