Javier Almansa Sobrino | 7c60e31 | 2021-07-05 12:04:22 +0100 | [diff] [blame] | 1 | Interaction between Measured Boot and an fTPM (PoC) |
| 2 | =================================================== |
| 3 | |
| 4 | Measured Boot is the process of cryptographically measuring the code and |
| 5 | critical data used at boot time, for example using a TPM, so that the |
| 6 | security state can be attested later. |
| 7 | |
| 8 | The current implementation of the driver included in Trusted Firmware-A |
Manish V Badarkhe | 13f3b6e | 2023-01-27 13:51:22 +0000 | [diff] [blame] | 9 | (TF-A) stores the measurements into a `TCG event log`_ in secure |
Javier Almansa Sobrino | 7c60e31 | 2021-07-05 12:04:22 +0100 | [diff] [blame] | 10 | memory. No other means of recording measurements (such as a discrete TPM) is |
| 11 | supported right now. |
| 12 | |
| 13 | The driver also provides mechanisms to pass the Event Log to normal world if |
| 14 | needed. |
| 15 | |
| 16 | This manual provides instructions to build a proof of concept (PoC) with the |
| 17 | sole intention of showing how Measured Boot can be used in conjunction with |
| 18 | a firmware TPM (fTPM) service implemented on top of OP-TEE. |
| 19 | |
| 20 | .. note:: |
| 21 | The instructions given in this document are meant to be used to build |
| 22 | a PoC to show how Measured Boot on TF-A can interact with a third |
| 23 | party (f)TPM service and they try to be as general as possible. Different |
| 24 | platforms might have different needs and configurations (e.g. different |
| 25 | SHA algorithms) and they might also use different types of TPM services |
| 26 | (or even a different type of service to provide the attestation) |
Manish V Badarkhe | 13f3b6e | 2023-01-27 13:51:22 +0000 | [diff] [blame] | 27 | and therefore the instructions given here might not apply in such scenarios. |
Javier Almansa Sobrino | 7c60e31 | 2021-07-05 12:04:22 +0100 | [diff] [blame] | 28 | |
| 29 | Components |
| 30 | ~~~~~~~~~~ |
| 31 | |
| 32 | The PoC is built on top of the `OP-TEE Toolkit`_, which has support to build |
| 33 | TF-A with support for Measured Boot enabled (and run it on a Foundation Model) |
| 34 | since commit cf56848. |
| 35 | |
| 36 | The aforementioned toolkit builds a set of images that contain all the components |
| 37 | needed to test that the Event Log was properly created. One of these images will |
| 38 | contain a third party fTPM service which in turn will be used to process the |
| 39 | Event Log. |
| 40 | |
| 41 | The reason to choose OP-TEE Toolkit to build our PoC around it is mostly |
| 42 | for convenience. As the fTPM service used is an OP-TEE TA, it was easy to add |
| 43 | build support for it to the toolkit and then build the PoC around it. |
| 44 | |
| 45 | The most relevant components installed in the image that are closely related to |
| 46 | Measured Boot/fTPM functionality are: |
| 47 | |
| 48 | - **OP-TEE**: As stated earlier, the fTPM service used in this PoC is built as an |
| 49 | OP-TEE TA and therefore we need to include the OP-TEE OS image. |
| 50 | Support to interfacing with Measured Boot was added to version 3.9.0 of |
| 51 | OP-TEE by implementing the ``PTA_SYSTEM_GET_TPM_EVENT_LOG`` syscall, which |
| 52 | allows the former to pass a copy of the Event Log to any TA requesting it. |
| 53 | OP-TEE knows the location of the Event Log by reading the DTB bindings |
| 54 | received from TF-A. Visit :ref:`DTB binding for Event Log properties` |
| 55 | for more details on this. |
| 56 | |
| 57 | - **fTPM Service**: We use a third party fTPM service in order to validate |
| 58 | the Measured Boot functionality. The chosen fTPM service is a sample |
| 59 | implementation for Aarch32 architecture included on the `ms-tpm-20-ref`_ |
| 60 | reference implementation from Microsoft. The service was updated in order |
| 61 | to extend the Measured Boot Event Log at boot up and it uses the |
| 62 | aforementioned ``PTA_SYSTEM_GET_TPM_EVENT_LOG`` call to retrieve a copy |
| 63 | of the former. |
| 64 | |
| 65 | .. note:: |
| 66 | Arm does not provide an fTPM implementation. The fTPM service used here |
| 67 | is a third party one which has been updated to support Measured Boot |
| 68 | service as provided by TF-A. As such, it is beyond the scope of this |
| 69 | manual to test and verify the correctness of the output generated by the |
| 70 | fTPM service. |
| 71 | |
| 72 | - **TPM Kernel module**: In order to interact with the fTPM service, we need |
| 73 | a kernel module to forward the request from user space to the secure world. |
| 74 | |
| 75 | - `tpm2-tools`_: This is a set of tools that allow to interact with the |
| 76 | fTPM service. We use this in order to read the PCRs with the measurements. |
| 77 | |
| 78 | Building the PoC for the Arm FVP platform |
| 79 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 80 | |
| 81 | As mentioned before, this PoC is based on the OP-TEE Toolkit with some |
| 82 | extensions to enable Measured Boot and an fTPM service. Therefore, we can rely |
| 83 | on the instructions to build the original OP-TEE Toolkit. As a general rule, |
| 84 | the following steps should suffice: |
| 85 | |
| 86 | (1) Start by following the `Get and build the solution`_ instructions to build |
| 87 | the OP-TEE toolkit. On step 3, you need to get the manifest for FVP |
| 88 | platform from the main branch: |
| 89 | |
| 90 | .. code:: shell |
| 91 | |
| 92 | $ repo init -u https://github.com/OP-TEE/manifest.git -m fvp.xml |
| 93 | |
| 94 | Then proceed synching the repos as stated in step 3. Continue following |
| 95 | the instructions and stop before step 5. |
| 96 | |
| 97 | (2) Next you should obtain the `Armv8-A Foundation Platform (For Linux Hosts Only)`_. |
| 98 | The binary should be untar'ed to the root of the repo tree, i.e., like |
| 99 | this: ``<fvp-project>/Foundation_Platformpkg``. In the end, after cloning |
| 100 | all source code, getting the toolchains and "installing" |
| 101 | Foundation_Platformpkg, you should have a folder structure that looks like |
| 102 | this: |
| 103 | |
| 104 | .. code:: shell |
| 105 | |
| 106 | $ ls -la |
| 107 | total 80 |
| 108 | drwxrwxr-x 20 tf-a_user tf-a_user 4096 Jul 1 12:16 . |
| 109 | drwxr-xr-x 23 tf-a_user tf-a_user 4096 Jul 1 10:40 .. |
| 110 | drwxrwxr-x 12 tf-a_user tf-a_user 4096 Jul 1 10:45 build |
| 111 | drwxrwxr-x 16 tf-a_user tf-a_user 4096 Jul 1 12:16 buildroot |
| 112 | drwxrwxr-x 51 tf-a_user tf-a_user 4096 Jul 1 10:45 edk2 |
| 113 | drwxrwxr-x 6 tf-a_user tf-a_user 4096 Jul 1 12:14 edk2-platforms |
| 114 | drwxr-xr-x 7 tf-a_user tf-a_user 4096 Jul 1 10:52 Foundation_Platformpkg |
| 115 | drwxrwxr-x 17 tf-a_user tf-a_user 4096 Jul 2 10:40 grub |
| 116 | drwxrwxr-x 25 tf-a_user tf-a_user 4096 Jul 2 10:39 linux |
| 117 | drwxrwxr-x 15 tf-a_user tf-a_user 4096 Jul 1 10:45 mbedtls |
| 118 | drwxrwxr-x 6 tf-a_user tf-a_user 4096 Jul 1 10:45 ms-tpm-20-ref |
| 119 | drwxrwxr-x 8 tf-a_user tf-a_user 4096 Jul 1 10:45 optee_client |
| 120 | drwxrwxr-x 10 tf-a_user tf-a_user 4096 Jul 1 10:45 optee_examples |
| 121 | drwxrwxr-x 12 tf-a_user tf-a_user 4096 Jul 1 12:13 optee_os |
| 122 | drwxrwxr-x 8 tf-a_user tf-a_user 4096 Jul 1 10:45 optee_test |
| 123 | drwxrwxr-x 7 tf-a_user tf-a_user 4096 Jul 1 10:45 .repo |
| 124 | drwxrwxr-x 4 tf-a_user tf-a_user 4096 Jul 1 12:12 toolchains |
| 125 | drwxrwxr-x 21 tf-a_user tf-a_user 4096 Jul 1 12:15 trusted-firmware-a |
| 126 | |
| 127 | (3) Now enter into ``ms-tpm-20-ref`` and get its dependencies: |
| 128 | |
| 129 | .. code:: shell |
| 130 | |
| 131 | $ cd ms-tpm-20-ref |
| 132 | $ git submodule init |
| 133 | $ git submodule update |
| 134 | Submodule path 'external/wolfssl': checked out '9c87f979a7f1d3a6d786b260653d566c1d31a1c4' |
| 135 | |
| 136 | (4) Now, you should be able to continue with step 5 in "`Get and build the solution`_" |
| 137 | instructions. In order to enable support for Measured Boot, you need to |
Manish V Badarkhe | f6ca667 | 2023-04-25 11:08:16 +0100 | [diff] [blame] | 138 | set the following build options: |
Javier Almansa Sobrino | 7c60e31 | 2021-07-05 12:04:22 +0100 | [diff] [blame] | 139 | |
| 140 | .. code:: shell |
| 141 | |
Manish V Badarkhe | f6ca667 | 2023-04-25 11:08:16 +0100 | [diff] [blame] | 142 | $ MEASURED_BOOT=y MEASURED_BOOT_FTPM=y make -j `nproc` |
Javier Almansa Sobrino | 7c60e31 | 2021-07-05 12:04:22 +0100 | [diff] [blame] | 143 | |
| 144 | .. note:: |
| 145 | The build process will likely take a long time. It is strongly recommended to |
| 146 | pass the ``-j`` option to make to run the process faster. |
| 147 | |
| 148 | After this step, you should be ready to run the image. |
| 149 | |
| 150 | Running and using the PoC on the Armv8-A Foundation AEM FVP |
| 151 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 152 | |
| 153 | With everything built, you can now run the image: |
| 154 | |
| 155 | .. code:: shell |
| 156 | |
| 157 | $ make run-only |
| 158 | |
| 159 | .. note:: |
| 160 | Using ``make run`` will build and run the image and it can be used instead |
| 161 | of simply ``make``. However, once the image is built, it is recommended to |
| 162 | use ``make run-only`` to avoid re-running all the building rules, which |
| 163 | would take time. |
| 164 | |
| 165 | When FVP is launched, two terminal windows will appear. ``FVP terminal_0`` |
| 166 | is the userspace terminal whereas ``FVP terminal_1`` is the counterpart for |
| 167 | the secure world (where TAs will print their logs, for instance). |
| 168 | |
| 169 | Log into the image shell with user ``root``, no password will be required. |
| 170 | Then we can issue the ``ftpm`` command, which is an alias that |
| 171 | |
| 172 | (1) loads the ftpm kernel module and |
| 173 | |
| 174 | (2) calls ``tpm2_pcrread``, which will access the fTPM service to read the |
| 175 | PCRs. |
| 176 | |
| 177 | When loading the ftpm kernel module, the fTPM TA is loaded into the secure |
| 178 | world. This TA then requests a copy of the Event Log generated during the |
| 179 | booting process so it can retrieve all the entries on the log and record them |
| 180 | first thing. |
| 181 | |
| 182 | .. note:: |
| 183 | For this PoC, nothing loaded after BL33 and NT_FW_CONFIG is recorded |
| 184 | in the Event Log. |
| 185 | |
| 186 | The secure world terminal should show the debug logs for the fTPM service, |
| 187 | including all the measurements available in the Event Log as they are being |
| 188 | processed: |
| 189 | |
| 190 | .. code:: shell |
| 191 | |
| 192 | M/TA: Preparing to extend the following TPM Event Log: |
| 193 | M/TA: TCG_EfiSpecIDEvent: |
| 194 | M/TA: PCRIndex : 0 |
| 195 | M/TA: EventType : 3 |
| 196 | M/TA: Digest : 00 |
| 197 | M/TA: : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
| 198 | M/TA: : 00 00 00 |
| 199 | M/TA: EventSize : 33 |
| 200 | M/TA: Signature : Spec ID Event03 |
| 201 | M/TA: PlatformClass : 0 |
| 202 | M/TA: SpecVersion : 2.0.2 |
| 203 | M/TA: UintnSize : 1 |
| 204 | M/TA: NumberOfAlgorithms : 1 |
| 205 | M/TA: DigestSizes : |
| 206 | M/TA: #0 AlgorithmId : SHA256 |
| 207 | M/TA: DigestSize : 32 |
| 208 | M/TA: VendorInfoSize : 0 |
| 209 | M/TA: PCR_Event2: |
| 210 | M/TA: PCRIndex : 0 |
| 211 | M/TA: EventType : 3 |
| 212 | M/TA: Digests Count : 1 |
| 213 | M/TA: #0 AlgorithmId : SHA256 |
| 214 | M/TA: Digest : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
| 215 | M/TA: : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
| 216 | M/TA: EventSize : 17 |
| 217 | M/TA: Signature : StartupLocality |
| 218 | M/TA: StartupLocality : 0 |
| 219 | M/TA: PCR_Event2: |
| 220 | M/TA: PCRIndex : 0 |
| 221 | M/TA: EventType : 1 |
| 222 | M/TA: Digests Count : 1 |
| 223 | M/TA: #0 AlgorithmId : SHA256 |
| 224 | M/TA: Digest : 58 26 32 6e 64 45 64 da 45 de 35 db 96 fd ed 63 |
| 225 | M/TA: : 2a 6a d4 0d aa 94 b0 b1 55 e4 72 e7 1f 0a e0 d5 |
| 226 | M/TA: EventSize : 5 |
| 227 | M/TA: Event : BL_2 |
| 228 | M/TA: PCR_Event2: |
| 229 | M/TA: PCRIndex : 0 |
| 230 | M/TA: EventType : 1 |
| 231 | M/TA: Digests Count : 1 |
| 232 | M/TA: #0 AlgorithmId : SHA256 |
| 233 | M/TA: Digest : cf f9 7d a3 5c 73 ac cb 7b a0 25 80 6a 6e 50 a5 |
| 234 | M/TA: : 6b 2e d2 8c c9 36 92 7d 46 c5 b9 c3 a4 6c 51 7c |
| 235 | M/TA: EventSize : 6 |
| 236 | M/TA: Event : BL_31 |
| 237 | M/TA: PCR_Event2: |
| 238 | M/TA: PCRIndex : 0 |
| 239 | M/TA: EventType : 1 |
| 240 | M/TA: Digests Count : 1 |
| 241 | M/TA: #0 AlgorithmId : SHA256 |
| 242 | M/TA: Digest : 23 b0 a3 5d 54 d9 43 1a 5c b9 89 63 1c da 06 c2 |
| 243 | M/TA: : e5 de e7 7e 99 17 52 12 7d f7 45 ca 4f 4a 39 c0 |
| 244 | M/TA: EventSize : 10 |
| 245 | M/TA: Event : HW_CONFIG |
| 246 | M/TA: PCR_Event2: |
| 247 | M/TA: PCRIndex : 0 |
| 248 | M/TA: EventType : 1 |
| 249 | M/TA: Digests Count : 1 |
| 250 | M/TA: #0 AlgorithmId : SHA256 |
| 251 | M/TA: Digest : 4e e4 8e 5a e6 50 ed e0 b5 a3 54 8a 1f d6 0e 8a |
| 252 | M/TA: : ea 0e 71 75 0e a4 3f 82 76 ce af cd 7c b0 91 e0 |
| 253 | M/TA: EventSize : 14 |
| 254 | M/TA: Event : SOC_FW_CONFIG |
| 255 | M/TA: PCR_Event2: |
| 256 | M/TA: PCRIndex : 0 |
| 257 | M/TA: EventType : 1 |
| 258 | M/TA: Digests Count : 1 |
| 259 | M/TA: #0 AlgorithmId : SHA256 |
| 260 | M/TA: Digest : 01 b0 80 47 a1 ce 86 cd df 89 d2 1f 2e fc 6c 22 |
| 261 | M/TA: : f8 19 ec 6e 1e ec 73 ba 5a be d0 96 e3 5f 6d 75 |
| 262 | M/TA: EventSize : 6 |
| 263 | M/TA: Event : BL_32 |
| 264 | M/TA: PCR_Event2: |
| 265 | M/TA: PCRIndex : 0 |
| 266 | M/TA: EventType : 1 |
| 267 | M/TA: Digests Count : 1 |
| 268 | M/TA: #0 AlgorithmId : SHA256 |
| 269 | M/TA: Digest : 5d c6 ef 35 5a 90 81 b4 37 e6 3b 52 da 92 ab 8e |
| 270 | M/TA: : d9 6e 93 98 2d 40 87 96 1b 5a a7 ee f1 f4 40 63 |
| 271 | M/TA: EventSize : 18 |
| 272 | M/TA: Event : BL32_EXTRA1_IMAGE |
| 273 | M/TA: PCR_Event2: |
| 274 | M/TA: PCRIndex : 0 |
| 275 | M/TA: EventType : 1 |
| 276 | M/TA: Digests Count : 1 |
| 277 | M/TA: #0 AlgorithmId : SHA256 |
| 278 | M/TA: Digest : 39 b7 13 b9 93 db 32 2f 1b 48 30 eb 2c f2 5c 25 |
| 279 | M/TA: : 00 0f 38 dc 8e c8 02 cd 79 f2 48 d2 2c 25 ab e2 |
| 280 | M/TA: EventSize : 6 |
| 281 | M/TA: Event : BL_33 |
| 282 | M/TA: PCR_Event2: |
| 283 | M/TA: PCRIndex : 0 |
| 284 | M/TA: EventType : 1 |
| 285 | M/TA: Digests Count : 1 |
| 286 | M/TA: #0 AlgorithmId : SHA256 |
| 287 | M/TA: Digest : 25 10 60 5d d4 bc 9d 82 7a 16 9f 8a cc 47 95 a6 |
| 288 | M/TA: : fd ca a0 c1 2b c9 99 8f 51 20 ff c6 ed 74 68 5a |
| 289 | M/TA: EventSize : 13 |
| 290 | M/TA: Event : NT_FW_CONFIG |
| 291 | |
| 292 | These logs correspond to the measurements stored by TF-A during the measured |
| 293 | boot process and therefore, they should match the logs dumped by the former |
| 294 | during the boot up process. These can be seen on the terminal_0: |
| 295 | |
| 296 | .. code:: shell |
| 297 | |
| 298 | NOTICE: Booting Trusted Firmware |
| 299 | NOTICE: BL1: v2.5(release):v2.5 |
| 300 | NOTICE: BL1: Built : 10:41:20, Jul 2 2021 |
| 301 | NOTICE: BL1: Booting BL2 |
| 302 | NOTICE: BL2: v2.5(release):v2.5 |
| 303 | NOTICE: BL2: Built : 10:41:20, Jul 2 2021 |
| 304 | NOTICE: TCG_EfiSpecIDEvent: |
| 305 | NOTICE: PCRIndex : 0 |
| 306 | NOTICE: EventType : 3 |
| 307 | NOTICE: Digest : 00 |
| 308 | NOTICE: : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
| 309 | NOTICE: : 00 00 00 |
| 310 | NOTICE: EventSize : 33 |
| 311 | NOTICE: Signature : Spec ID Event03 |
| 312 | NOTICE: PlatformClass : 0 |
| 313 | NOTICE: SpecVersion : 2.0.2 |
| 314 | NOTICE: UintnSize : 1 |
| 315 | NOTICE: NumberOfAlgorithms : 1 |
| 316 | NOTICE: DigestSizes : |
| 317 | NOTICE: #0 AlgorithmId : SHA256 |
| 318 | NOTICE: DigestSize : 32 |
| 319 | NOTICE: VendorInfoSize : 0 |
| 320 | NOTICE: PCR_Event2: |
| 321 | NOTICE: PCRIndex : 0 |
| 322 | NOTICE: EventType : 3 |
| 323 | NOTICE: Digests Count : 1 |
| 324 | NOTICE: #0 AlgorithmId : SHA256 |
| 325 | NOTICE: Digest : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
| 326 | NOTICE: : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
| 327 | NOTICE: EventSize : 17 |
| 328 | NOTICE: Signature : StartupLocality |
| 329 | NOTICE: StartupLocality : 0 |
| 330 | NOTICE: PCR_Event2: |
| 331 | NOTICE: PCRIndex : 0 |
| 332 | NOTICE: EventType : 1 |
| 333 | NOTICE: Digests Count : 1 |
| 334 | NOTICE: #0 AlgorithmId : SHA256 |
| 335 | NOTICE: Digest : 58 26 32 6e 64 45 64 da 45 de 35 db 96 fd ed 63 |
| 336 | NOTICE: : 2a 6a d4 0d aa 94 b0 b1 55 e4 72 e7 1f 0a e0 d5 |
| 337 | NOTICE: EventSize : 5 |
| 338 | NOTICE: Event : BL_2 |
| 339 | NOTICE: PCR_Event2: |
| 340 | NOTICE: PCRIndex : 0 |
| 341 | NOTICE: EventType : 1 |
| 342 | NOTICE: Digests Count : 1 |
| 343 | NOTICE: #0 AlgorithmId : SHA256 |
| 344 | NOTICE: Digest : cf f9 7d a3 5c 73 ac cb 7b a0 25 80 6a 6e 50 a5 |
| 345 | NOTICE: : 6b 2e d2 8c c9 36 92 7d 46 c5 b9 c3 a4 6c 51 7c |
| 346 | NOTICE: EventSize : 6 |
| 347 | NOTICE: Event : BL_31 |
| 348 | NOTICE: PCR_Event2: |
| 349 | NOTICE: PCRIndex : 0 |
| 350 | NOTICE: EventType : 1 |
| 351 | NOTICE: Digests Count : 1 |
| 352 | NOTICE: #0 AlgorithmId : SHA256 |
| 353 | NOTICE: Digest : 23 b0 a3 5d 54 d9 43 1a 5c b9 89 63 1c da 06 c2 |
| 354 | NOTICE: : e5 de e7 7e 99 17 52 12 7d f7 45 ca 4f 4a 39 c0 |
| 355 | NOTICE: EventSize : 10 |
| 356 | NOTICE: Event : HW_CONFIG |
| 357 | NOTICE: PCR_Event2: |
| 358 | NOTICE: PCRIndex : 0 |
| 359 | NOTICE: EventType : 1 |
| 360 | NOTICE: Digests Count : 1 |
| 361 | NOTICE: #0 AlgorithmId : SHA256 |
| 362 | NOTICE: Digest : 4e e4 8e 5a e6 50 ed e0 b5 a3 54 8a 1f d6 0e 8a |
| 363 | NOTICE: : ea 0e 71 75 0e a4 3f 82 76 ce af cd 7c b0 91 e0 |
| 364 | NOTICE: EventSize : 14 |
| 365 | NOTICE: Event : SOC_FW_CONFIG |
| 366 | NOTICE: PCR_Event2: |
| 367 | NOTICE: PCRIndex : 0 |
| 368 | NOTICE: EventType : 1 |
| 369 | NOTICE: Digests Count : 1 |
| 370 | NOTICE: #0 AlgorithmId : SHA256 |
| 371 | NOTICE: Digest : 01 b0 80 47 a1 ce 86 cd df 89 d2 1f 2e fc 6c 22 |
| 372 | NOTICE: : f8 19 ec 6e 1e ec 73 ba 5a be d0 96 e3 5f 6d 75 |
| 373 | NOTICE: EventSize : 6 |
| 374 | NOTICE: Event : BL_32 |
| 375 | NOTICE: PCR_Event2: |
| 376 | NOTICE: PCRIndex : 0 |
| 377 | NOTICE: EventType : 1 |
| 378 | NOTICE: Digests Count : 1 |
| 379 | NOTICE: #0 AlgorithmId : SHA256 |
| 380 | NOTICE: Digest : 5d c6 ef 35 5a 90 81 b4 37 e6 3b 52 da 92 ab 8e |
| 381 | NOTICE: : d9 6e 93 98 2d 40 87 96 1b 5a a7 ee f1 f4 40 63 |
| 382 | NOTICE: EventSize : 18 |
| 383 | NOTICE: Event : BL32_EXTRA1_IMAGE |
| 384 | NOTICE: PCR_Event2: |
| 385 | NOTICE: PCRIndex : 0 |
| 386 | NOTICE: EventType : 1 |
| 387 | NOTICE: Digests Count : 1 |
| 388 | NOTICE: #0 AlgorithmId : SHA256 |
| 389 | NOTICE: Digest : 39 b7 13 b9 93 db 32 2f 1b 48 30 eb 2c f2 5c 25 |
| 390 | NOTICE: : 00 0f 38 dc 8e c8 02 cd 79 f2 48 d2 2c 25 ab e2 |
| 391 | NOTICE: EventSize : 6 |
| 392 | NOTICE: Event : BL_33 |
| 393 | NOTICE: PCR_Event2: |
| 394 | NOTICE: PCRIndex : 0 |
| 395 | NOTICE: EventType : 1 |
| 396 | NOTICE: Digests Count : 1 |
| 397 | NOTICE: #0 AlgorithmId : SHA256 |
| 398 | NOTICE: Digest : 25 10 60 5d d4 bc 9d 82 7a 16 9f 8a cc 47 95 a6 |
| 399 | NOTICE: : fd ca a0 c1 2b c9 99 8f 51 20 ff c6 ed 74 68 5a |
| 400 | NOTICE: EventSize : 13 |
| 401 | NOTICE: Event : NT_FW_CONFIG |
| 402 | NOTICE: BL1: Booting BL31 |
| 403 | NOTICE: BL31: v2.5(release):v2.5 |
| 404 | NOTICE: BL31: Built : 10:41:20, Jul 2 2021 |
| 405 | |
| 406 | Following up with the fTPM startup process, we can see that all the |
| 407 | measurements in the Event Log are extended and recorded in the appropriate PCR: |
| 408 | |
| 409 | .. code:: shell |
| 410 | |
| 411 | M/TA: TPM2_PCR_EXTEND_COMMAND returned value: |
| 412 | M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000 |
| 413 | M/TA: TPM2_PCR_EXTEND_COMMAND returned value: |
| 414 | M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000 |
| 415 | M/TA: TPM2_PCR_EXTEND_COMMAND returned value: |
| 416 | M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000 |
| 417 | M/TA: TPM2_PCR_EXTEND_COMMAND returned value: |
| 418 | M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000 |
| 419 | M/TA: TPM2_PCR_EXTEND_COMMAND returned value: |
| 420 | M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000 |
| 421 | M/TA: TPM2_PCR_EXTEND_COMMAND returned value: |
| 422 | M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000 |
| 423 | M/TA: TPM2_PCR_EXTEND_COMMAND returned value: |
| 424 | M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000 |
| 425 | M/TA: TPM2_PCR_EXTEND_COMMAND returned value: |
| 426 | M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000 |
| 427 | M/TA: TPM2_PCR_EXTEND_COMMAND returned value: |
| 428 | M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000 |
| 429 | M/TA: 9 Event logs processed |
| 430 | |
| 431 | After the fTPM TA is loaded, the call to ``insmod`` issued by the ``ftpm`` |
| 432 | alias to load the ftpm kernel module returns, and then the TPM PCRs are read |
| 433 | by means of ``tpm_pcrread`` command. Note that we are only interested in the |
| 434 | SHA256 logs here, as this is the algorithm we used on TF-A for the measurements |
| 435 | (see the field ``AlgorithmId`` on the logs above): |
| 436 | |
| 437 | .. code:: shell |
| 438 | |
| 439 | sha256: |
| 440 | 0 : 0xA6EB3A7417B8CFA9EBA2E7C22AD5A4C03CDB8F3FBDD7667F9C3EF2EA285A8C9F |
| 441 | 1 : 0x0000000000000000000000000000000000000000000000000000000000000000 |
| 442 | 2 : 0x0000000000000000000000000000000000000000000000000000000000000000 |
| 443 | 3 : 0x0000000000000000000000000000000000000000000000000000000000000000 |
| 444 | 4 : 0x0000000000000000000000000000000000000000000000000000000000000000 |
| 445 | 5 : 0x0000000000000000000000000000000000000000000000000000000000000000 |
| 446 | 6 : 0x0000000000000000000000000000000000000000000000000000000000000000 |
| 447 | 7 : 0x0000000000000000000000000000000000000000000000000000000000000000 |
| 448 | 8 : 0x0000000000000000000000000000000000000000000000000000000000000000 |
| 449 | 9 : 0x0000000000000000000000000000000000000000000000000000000000000000 |
| 450 | 10: 0x0000000000000000000000000000000000000000000000000000000000000000 |
| 451 | 11: 0x0000000000000000000000000000000000000000000000000000000000000000 |
| 452 | 12: 0x0000000000000000000000000000000000000000000000000000000000000000 |
| 453 | 13: 0x0000000000000000000000000000000000000000000000000000000000000000 |
| 454 | 14: 0x0000000000000000000000000000000000000000000000000000000000000000 |
| 455 | 15: 0x0000000000000000000000000000000000000000000000000000000000000000 |
| 456 | 16: 0x0000000000000000000000000000000000000000000000000000000000000000 |
| 457 | 17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF |
| 458 | 18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF |
| 459 | 19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF |
| 460 | 20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF |
| 461 | 21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF |
| 462 | 22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF |
| 463 | 23: 0x0000000000000000000000000000000000000000000000000000000000000000 |
| 464 | |
| 465 | In this PoC we are only interested in PCR0, which must be non-null. This is |
| 466 | because the boot process records all the images in this PCR (see field ``PCRIndex`` |
| 467 | on the Event Log above). The rest of the records must be 0 at this point. |
| 468 | |
| 469 | .. note:: |
| 470 | The fTPM service used has support only for 16 PCRs, therefore the content |
| 471 | of PCRs above 15 can be ignored. |
| 472 | |
| 473 | .. note:: |
| 474 | As stated earlier, Arm does not provide an fTPM implementation and therefore |
| 475 | we do not validate here if the content of PCR0 is correct or not. For this |
| 476 | PoC, we are only focused on the fact that the event log could be passed to a third |
| 477 | party fTPM and its records were properly extended. |
| 478 | |
| 479 | Fine-tuning the fTPM TA |
| 480 | ~~~~~~~~~~~~~~~~~~~~~~~ |
| 481 | |
| 482 | As stated earlier, the OP-TEE Toolkit includes support to build a third party fTPM |
| 483 | service. The build options for this service are tailored for the PoC and defined in |
| 484 | the build environment variable ``FTPM_FLAGS`` (see ``<toolkit_home>/build/common.mk``) |
| 485 | but they can be modified if needed to better adapt it to a specific scenario. |
| 486 | |
| 487 | The most relevant options for Measured Boot support are: |
| 488 | |
| 489 | - **CFG_TA_DEBUG**: Enables debug logs in the Terminal_1 console. |
| 490 | - **CFG_TEE_TA_LOG_LEVEL**: Defines the log level used for the debug messages. |
| 491 | - **CFG_TA_MEASURED_BOOT**: Enables support for measured boot on the fTPM. |
| 492 | - **CFG_TA_EVENT_LOG_SIZE**: Defines the size, in bytes, of the larger event log that |
| 493 | the fTPM is able to store, as this buffer is allocated at build time. This must be at |
| 494 | least the same as the size of the event log generated by TF-A. If this build option |
| 495 | is not defined, the fTPM falls back to a default value of 1024 bytes, which is enough |
| 496 | for this PoC, so this variable is not defined in FTPM_FLAGS. |
| 497 | |
| 498 | -------------- |
| 499 | |
Manish V Badarkhe | 13f3b6e | 2023-01-27 13:51:22 +0000 | [diff] [blame] | 500 | *Copyright (c) 2021-2023, Arm Limited. All rights reserved.* |
Javier Almansa Sobrino | 7c60e31 | 2021-07-05 12:04:22 +0100 | [diff] [blame] | 501 | |
| 502 | .. _OP-TEE Toolkit: https://github.com/OP-TEE/build |
| 503 | .. _ms-tpm-20-ref: https://github.com/microsoft/ms-tpm-20-ref |
| 504 | .. _Get and build the solution: https://optee.readthedocs.io/en/latest/building/gits/build.html#get-and-build-the-solution |
| 505 | .. _Armv8-A Foundation Platform (For Linux Hosts Only): https://developer.arm.com/tools-and-software/simulation-models/fixed-virtual-platforms/arm-ecosystem-models |
| 506 | .. _tpm2-tools: https://github.com/tpm2-software/tpm2-tools |
Manish V Badarkhe | 13f3b6e | 2023-01-27 13:51:22 +0000 | [diff] [blame] | 507 | .. _TCG event log: https://trustedcomputinggroup.org/resource/tcg-efi-platform-specification/ |