[Skiboot] [PATCH] trustedboot: Change PCR and event_type for the skiboot events
stewart at linux.ibm.com
Mon Jun 3 12:11:28 AEST 2019
Claudio Carvalho <cclaudio at linux.ibm.com> writes:
> The existing skiboot events are being logged as EV_ACTION, however, the
> TCG PC Client spec says that EV_ACTION events should have one of the
> pre-defined strings in the event field recorded in the event log. For
> - "Calling Ready to Boot",
> - "Entering ROM Based Setup",
> - "User Password Entered", and
> - "Start Option ROM Scan.
> None of the EV_ACTION pre-defined strings are applicable to the existing
> skiboot events. Based on recent discussions with other POWER teams, this
> patch proposes a convention on what PCR and event types should be used
> for skiboot events. This also changes the skiboot source code to follow
> the convention.
> The TCG PC Client spec defines several event types, other than
> EV_ACTION. However, many of them are specific to UEFI events and some
> others are related to platform or CRTM events, which is more applicable
> to hostboot events.
> Currently, most of the hostboot events are extended to PCR[0,1] and
> logged as either EV_PLATFORM_CONFIG_FLAGS, EV_S_CRTM_CONTENTS or
> EV_POST_CODE. The "Node Id" and "PAYLOAD" events, though, are extended
> to PCR[4,5,6] and logged as EV_COMPACT_HASH.
> For the lack of an event type that fits the specific purpose,
> EV_COMPACT_HASH seems to be the most adequate one due to its
> flexibility. According to the TCG PC Client spec:
> - May be used for any PCR except 0, 1, 2 and 3.
> - The event field may be informative or may be hashed to generate the
> digest field, depending on the component recording the event.
> Additionally, the PCR[4,5] seem to be the most adequate PCRs. They would
> be used for skiboot and some skiroot events. According to the TCG PC
> Client, PCR is intended to represent the entity that manages the
> transition between the pre-OS and OS-present state of the platform.
> PCR, along with PCR, identifies the initial OS loader.
> In summary, for skiboot events:
> - Events that represents data should be extended to PCR 4.
> - Events that represents config should be extended to PCR 5.
> - For the lack of an event type that fits the specific purpose,
> both data and config events should be logged as EV_COMPACT_HASH.
> Signed-off-by: Claudio Carvalho <cclaudio at linux.ibm.com>
> libstb/trustedboot.c | 35 ++++++++++++++++++++++-------------
> 1 file changed, 22 insertions(+), 13 deletions(-)
Merged to master as of bedb1c2343b2b1a71bee5f1f97e1aa29ace04eb8
OPAL Architect, IBM.
More information about the Skiboot