[Skiboot] [PATCH] trustedboot: Change PCR and event_type for the skiboot events

Claudio Carvalho cclaudio at linux.ibm.com
Wed May 29 07:44:14 AEST 2019


The existing skiboot events are being logged as EV_ACTION, however, the
TCG PC Client spec says that EV_ACTION events should have one of the
pre-defined strings in the event field recorded in the event log. For
instance:
- "Calling Ready to Boot",
- "Entering ROM Based Setup",
- "User Password Entered", and
- "Start Option ROM Scan".

None of the EV_ACTION pre-defined strings are applicable to the existing
skiboot events. Based on recent discussions with other POWER teams, this
patch proposes a convention on what PCR and event types should be used
for skiboot events. This also changes the skiboot source code to follow
the convention.

The TCG PC Client spec defines several event types, other than
EV_ACTION. However, many of them are specific to UEFI events and some
others are related to platform or CRTM events, which is more applicable
to hostboot events.

Currently, most of the hostboot events are extended to PCR[0,1] and
logged as either EV_PLATFORM_CONFIG_FLAGS, EV_S_CRTM_CONTENTS or
EV_POST_CODE. The "Node Id" and "PAYLOAD" events, though, are extended
to PCR[4,5,6] and logged as EV_COMPACT_HASH.

For the lack of an event type that fits the specific purpose,
EV_COMPACT_HASH seems to be the most adequate one due to its
flexibility. According to the TCG PC Client spec:
- May be used for any PCR except 0, 1, 2 and 3.
- The event field may be informative or may be hashed to generate the
  digest field, depending on the component recording the event.

Additionally, the PCR[4,5] seem to be the most adequate PCRs. They would
be used for skiboot and some skiroot events. According to the TCG PC
Client, PCR[4] is intended to represent the entity that manages the
transition between the pre-OS and OS-present state of the platform.
PCR[4], along with PCR[5], identifies the initial OS loader.

In summary, for skiboot events:
- Events that represent data should be extended to PCR 4.
- Events that represent config should be extended to PCR 5.
- For the lack of an event type that fits the specific purpose,
  both data and config events should be logged as EV_COMPACT_HASH.

Signed-off-by: Claudio Carvalho <cclaudio at linux.ibm.com>
---
 libstb/trustedboot.c | 35 ++++++++++++++++++++++-------------
 1 file changed, 22 insertions(+), 13 deletions(-)

diff --git a/libstb/trustedboot.c b/libstb/trustedboot.c
index d9bacb2d..f431e338 100644
--- a/libstb/trustedboot.c
+++ b/libstb/trustedboot.c
@@ -25,6 +25,7 @@
 #include "secureboot.h"
 #include "trustedboot.h"
 #include "tpm_chip.h"
+#include "tss/trustedTypes.H"
 
 /* For debugging only */
 //#define STB_DEBUG
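Review bot: The only visible use of the new `tss/trustedTypes.H` include is the `EV_COMPACT_HASH` constant in the last hunk; if that header is where the TCG event-type definitions live, say so in the commit message, since pulling a TSS header into trustedboot.c otherwise reads as unrelated to a PCR/event-type change.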
@@ -34,19 +35,29 @@ static bool trusted_init = false;
 static bool boot_services_exited = false;
 
 /*
- * This maps a PCR for each resource we can measure. The PCR number is
- * mapped according to the TCG PC Client Platform Firmware Profile
- * specification, Revision 00.21
- * Only resources included in this whitelist can be measured.
+ * Partitions retrieved from PNOR must be extended to the proper PCR and
+ * recorded in the event log. Later, customers may use: the PCR values to attest
+ * the boot security, and the event log to inspect what measurements were
+ * extended to the PCRs.
+ *
+ * The whitelist below should map every skiboot event (or resource) to a PCR
+ * following the TCG PC Client Platform Firmware Profile specification,
+ * Family 2.0, Level 00, Revision 1.03 v51.
+ *
+ * Convention for skiboot events:
+ *	- Events that represents data should be extended to PCR 4.
+ *	- Events that represents config should be extended to PCR 5.
+ *	- For the lack of an event type that fits the specific purpose,
+ *	  both data and config events should be logged as EV_COMPACT_HASH.
  */
 static struct {
 	enum resource_id id;
 	TPM_Pcr pcr;
 } resources[] = {
-	{ RESOURCE_ID_IMA_CATALOG, PCR_2 },
-	{ RESOURCE_ID_KERNEL, PCR_4 },
-	{ RESOURCE_ID_CAPP,   PCR_2 },
-	{ RESOURCE_ID_VERSION, PCR_3 },
+	{ RESOURCE_ID_IMA_CATALOG,	PCR_4},
+	{ RESOURCE_ID_KERNEL,		PCR_4},
+	{ RESOURCE_ID_CAPP,		PCR_4},
+	{ RESOURCE_ID_VERSION,		PCR_4}, /* Also data for Hostboot */
 };
 
 /*
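Review bot: The new comment introduces PCR 5 for config events, but every row of `resources[]` now maps to PCR_4, so nothing in this file exercises the config rule; either state in the comment that no currently measured resource is config, or defer the PCR 5 line until such a resource exists. The commit message should also spell out that `RESOURCE_ID_IMA_CATALOG`, `RESOURCE_ID_CAPP` and `RESOURCE_ID_VERSION` move from PCR 2/3 to PCR 4: any attestation policy or sealed secret bound to the old PCR 2, 3 or 4 values stops matching after this change. Minor style point: the new rows drop the space before `}` (`PCR_4}`) that the old rows had.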
@@ -139,10 +150,8 @@ int trustedboot_exit_boot_services(void)
 	stb_print_data((uint8_t*) ev_separator.sha256, TPM_ALG_SHA256_SIZE);
 #endif
 	/*
-	 * As defined in the TCG Platform Firmware PWe are done. Extending the digest of 0xFFFFFFFF
-	 * in PCR[0-7], and recording an EV_SEPARATOR event in
-	 * event log as defined in the TCG Platform Firmware Profile
-	 * specification, Revision 00.21
+	 * Extend the digest of 0xFFFFFFFF to PCR[0-7] and record it as
+	 * EV_SEPARATOR
 	 */
 	for (pcr = 0; pcr < 8; pcr++) {
 		rc = tpm_extendl(pcr, TPM_ALG_SHA256,
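Review bot: The rewritten comment drops the spec reference the old (garbled) text carried; since the whitelist comment above now cites "Family 2.0, Level 00, Revision 1.03 v51", the EV_SEPARATOR comment should cite the same revision so the two stay in sync. The loop itself is unchanged and still covers PCR[0-7], which includes the PCR 0-3 the commit message attributes to hostboot; a word in the comment that the separator deliberately spans all eight would save the next reader the question.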
@@ -253,5 +262,5 @@ int trustedboot_measure(enum resource_id id, void *buf, size_t len)
 	return tpm_extendl(pcr,
 			   TPM_ALG_SHA256, digest, TPM_ALG_SHA256_SIZE,
 			   TPM_ALG_SHA1,   digest, TPM_ALG_SHA1_SIZE,
-			   EV_ACTION, name);
+			   EV_COMPACT_HASH, name);
 }
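Review bot: `trustedboot_measure` now logs EV_COMPACT_HASH unconditionally, but the commit message quotes the spec as allowing EV_COMPACT_HASH for any PCR except 0, 1, 2 and 3. That holds today only because every row of `resources[]` maps to PCR_4; a future row with PCR_0..PCR_3 would silently produce a non-conforming log entry. Suggest enforcing it where `pcr` is looked up from the table, e.g. `if (pcr < 4) return -1;` (or an assert) ahead of the `tpm_extendl` call, so the table and the event type cannot drift apart.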
-- 
2.20.1
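As an added example (not part of the patch or of skiboot), a small checker for the convention stated in the commit message: it audits a TCG-style event log for EV_COMPACT_HASH in PCR 0-3, EV_ACTION entries without a predefined string, and skiboot data events that are not EV_COMPACT_HASH in PCR 4, then replays the log into PCR values the way a verifier would. The log tuples, digests and separator placement are constructed placeholders; the four EV_ACTION strings are the ones the commit message quotes.

```python
import hashlib

# Event type names as used in the patch and the TCG PC Client spec.
EV_SEPARATOR, EV_ACTION, EV_COMPACT_HASH = "EV_SEPARATOR", "EV_ACTION", "EV_COMPACT_HASH"

# EV_ACTION strings quoted in the commit message (the spec's list is longer).
EV_ACTION_STRINGS = {"Calling Ready to Boot", "Entering ROM Based Setup",
                     "User Password Entered", "Start Option ROM Scan"}

# skiboot resources from the patched table; all four are "data", so PCR 4 + EV_COMPACT_HASH.
SKIBOOT_DATA_EVENTS = {"IMA_CATALOG", "KERNEL", "CAPP", "VERSION"}

def sha256(data):
    return hashlib.sha256(data).digest()

def check_event(pcr, ev_type, event, digest):
    """Return the convention violations for one log entry (empty list means OK)."""
    problems = []
    if ev_type == EV_COMPACT_HASH and pcr <= 3:
        problems.append(f"EV_COMPACT_HASH is not allowed in PCR {pcr}")
    if ev_type == EV_ACTION and event not in EV_ACTION_STRINGS:
        problems.append(f"EV_ACTION with non-predefined string {event!r}")
    if event in SKIBOOT_DATA_EVENTS and (pcr != 4 or ev_type != EV_COMPACT_HASH):
        problems.append(f"skiboot data event {event} must be EV_COMPACT_HASH in PCR 4")
    return problems

def replay_pcrs(log):
    """Replay a SHA-256 log into PCR[0-7]: PCR_new = SHA256(PCR_old || digest)."""
    pcrs = {i: bytes(32) for i in range(8)}
    for pcr, _ev_type, _event, digest in log:
        pcrs[pcr] = sha256(pcrs[pcr] + digest)
    return pcrs

def audit(log):
    """All per-entry violations plus a check that every PCR[0-7] received its separator."""
    problems = [p for entry in log for p in check_event(*entry)]
    missing = sorted(set(range(8)) - {e[0] for e in log if e[1] == EV_SEPARATOR})
    if missing:
        problems.append(f"EV_SEPARATOR missing for PCR {missing}")
    return problems

# Constructed sample logs: (pcr, event type, event field, digest); digests are of placeholder bytes.
SEPARATORS = [(i, EV_SEPARATOR, "", sha256(b"\xff\xff\xff\xff")) for i in range(8)]
OLD_LOG = [(2, EV_ACTION, "IMA_CATALOG", sha256(b"ima-catalog-bytes")),
           (4, EV_ACTION, "KERNEL", sha256(b"kernel-bytes"))] + SEPARATORS
NEW_LOG = [(4, EV_COMPACT_HASH, "IMA_CATALOG", sha256(b"ima-catalog-bytes")),
           (4, EV_COMPACT_HASH, "KERNEL", sha256(b"kernel-bytes"))] + SEPARATORS

if __name__ == "__main__":
    print(audit(OLD_LOG), audit(NEW_LOG), replay_pcrs(NEW_LOG)[4].hex())
```

The pre-patch log fails on both the EV_ACTION string rule and the PCR 4 rule for each skiboot entry, while the post-patch log audits clean.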


