[SLOF] [PATCH 07/16] Perform some initial measurements
Nikunj A Dadhania
nikunj at linux.vnet.ibm.com
Thu Nov 12 16:10:03 AEDT 2015
Stefan Berger <stefanb at linux.vnet.ibm.com> writes:
> On 11/09/2015 04:22 AM, Nikunj A Dadhania wrote:
>> Stefan Berger <stefanb at linux.vnet.ibm.com> writes:
>> +/*
>> + * Add event separators for PCRs 0 to 7
>> + */
>> +uint32_t tpm_add_event_separators(void)
>> +{
>> + uint32_t rc;
>> + uint32_t pcrindex = 0;
>> +
>> + if (!has_working_tpm())
>> + return TCGBIOS_GENERAL_ERROR;
>> +
>> + while (pcrindex <= 7) {
>> + rc = tpm_add_measurement(pcrindex, EV_SEPARATOR, NULL);
>> + if (rc)
>> + break;
>> + pcrindex ++;
>> + }
>> +
>> + return rc;
>> +}
>> +
>> +/*
>> + * Add a measurement regarding the boot device (CDRom, Floppy, HDD) to
>> + * the list of measurements.
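Review bot: In tpm_add_event_separators(), the `if (rc) break;` inside the loop stops at the first failing PCR, so every PCR above the failing index gets no EV_SEPARATOR, and the single return code does not say which index failed. Consider continuing through all eight PCRs and returning the first error, or state in the function comment that a failure leaves the remaining PCRs without a separator. A `for (pcrindex = 0; pcrindex <= 7; pcrindex++)` loop would also read more clearly than the while loop with `pcrindex ++`.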
>> Is network boot device supported ?
>
> It may be. I don't have a setup to test it.
This would help:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/chap-installation-server-setup.html#sect-network-boot-setup-ppc-grub2
>>> + default:
>>> + /*
>>> + * equivalent to:
>>> + * dd if=/dev/hda ibs=1 count=440 | sha1sum
>>> + */
>>> + string = "MBR";
>>> + rc = tpm_add_measurement_to_log(4, EV_IPL,
>>> + string, strlen(string),
>>> + addr, 0x1b8);
>>> +
>>> + if (rc)
>>> + break;
>>> +
>>> + /*
>>> + * equivalent to:
>>> + * dd if=/dev/hda ibs=1 count=72 skip=440 | sha1sum
>>> + */
>>> + string = "MBR PARTITION TABLE";
>>> + rc = tpm_add_measurement_to_log(5, EV_IPL_PARTITION_DATA,
>>> + string, strlen(string),
>>> + addr + 0x1b8, 0x48);
>>> + }
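Review bot: In the `default:` case, both calls hash fixed ranges from `addr` (0x1b8 bytes, then 0x48 bytes at `addr + 0x1b8`, 0x200 bytes in total), and nothing in the quoted lines checks that the buffer is at least that long. If the caller-supplied length is available here, reject anything shorter than 0x200 before measuring. Named constants for 0x1b8 and 0x48 would also tie the code to the 440 and 72 in the dd comments.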
>> We also support GPT, don't we need support for that ?
>> Most of the distros are moving to GPT.
>
> If I remember correctly, Fedora 22 still uses MBR. Again, I would need a
> setup to test this. Not sure what specs say about what to measure in
> that case.
AFAIK, Ubuntu defaults to GPT.
>
>
>>
>>> +
>>> + return rc;
>>> +}
>>> +
>>> +uint32_t tpm_add_bcv(uint32_t bootdrv, const uint8_t *addr, uint32_t
>>> length)
>> tpm_add_bcv: what does bcv mean ?
>
> Boot connection vector. I will remove this function.
I thought you were using this function?
>
>>
>>> +{
>>> + uint32_t rc;
>>> +
>>> + if (!has_working_tpm())
>>> + return TCGBIOS_GENERAL_ERROR;
>>> +
>>> + rc = tpm_add_bootdevice(0, bootdrv);
>>> + if (rc)
>>> + return rc;
>>> +
>>> + return tpm_ipl(IPL_BCV, addr, length);
>>> +}
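Review bot: tpm_add_bcv() has no comment block, unlike tpm_add_event_separators() above, and neither the abbreviation BCV nor the literal 0 passed as the first argument of `tpm_add_bootdevice(0, bootdrv)` is explained. Add a short header comment that spells out the abbreviation and says what the 0 selects, or replace the 0 with a named constant.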
>>> diff --git a/lib/libtpm/tcgbios.h b/lib/libtpm/tcgbios.h
>>> index b217dd1..9b43ce3 100644
>>> --- a/lib/libtpm/tcgbios.h
>>> +++ b/lib/libtpm/tcgbios.h
>>> @@ -15,9 +15,18 @@
>>>
>>> #include <stdint.h>
>>>
>>> +enum ipltype {
>>> + IPL_BCV = 0,
>>> + IPL_EL_TORITO_1,
>>> + IPL_EL_TORITO_2
>>> +};
>>> +
>>> uint32_t tpm_start(void);
>>> uint32_t tpm_unassert_pp(void);
>>> void tpm_set_log_parameters(void *address, unsigned int size);
>>> uint32_t tpm_get_logsize(void);
>>> +uint32_t tpm_ipl(enum ipltype bootcd, const uint8_t *addr, uint32_t length);
>>> +uint32_t tpm_add_bcv(uint32_t bootdrv, const uint8_t *addr, uint32_t length);
>>> +uint32_t tpm_add_event_separators(void);
>>>
>>> #endif /* TCGBIOS_H */
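Review bot: In the tpm_ipl() prototype the first parameter is declared `enum ipltype bootcd`, but the enum also carries IPL_BCV, which tpm_add_bcv() passes for a boot drive, so the name is misleading; `ipltype` or `type` would fit better. The three enumerators would benefit from a one-line comment each, since the difference between IPL_EL_TORITO_1 and IPL_EL_TORITO_2 is not evident from the names.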
>>> diff --git a/lib/libtpm/tpm.code b/lib/libtpm/tpm.code
>>> index b868ca3..de90717 100644
>>> --- a/lib/libtpm/tpm.code
>>> +++ b/lib/libtpm/tpm.code
>>> @@ -56,3 +56,37 @@ PRIM(tpm_X2d_get_X2d_logsize)
>>> PUSH;
>>> TOS.n = tpm_get_logsize();
>>> MIRP
>>> +
>>> +/************************************************/
>>> +/* Measure and log event separators */
>>> +/* SLOF: tpm-add-event-separators ( -- ) */
>>> +/* LIBTPM: tpm_add_event_separators(void) */
>>> +/************************************************/
>>> +PRIM(tpm_X2d_add_X2d_event_X2d_separators)
>>> + PUSH;
>>> + TOS.n = tpm_add_event_separators();
>>> +MIRP
>>> +
>>> +/************************************************/
>>> +/* Measure and log IPL */
>>> +/* SLOF: tpm-ipl ( ipltype addr length -- ) */
>> Does not return anything, missed in the comment?
>>
>> /* SLOF: tpm-ipl ( ipltype addr length -- return ) */
>>
>>> +/* LIBTPM: tpm_ipl(void) */
>>> +/************************************************/
>>> +PRIM(tpm_X2d_ipl)
>>> + int length = TOS.u; POP;
>>> + void *addr = TOS.a; POP;
>>> + int bootcd = TOS.u;
>>> + TOS.n = tpm_ipl(bootcd, addr, length);
>>> +MIRP
>>> +
>>> +/****************************************************/
>>> +/* Measure and log bcv IPL */
>>> +/* SLOF: tpm-add-bcv ( bootdrv addr length -- ) */
>> ditto, forgot return in comment ?
>>
>>> +/* LIBTPM: tpm_add_bcv(void) */
>>> +/****************************************************/
>>> +PRIM(tpm_X2d_add_X2d_bcv)
>>> + int length = TOS.u; POP;
>>> + void *addr = TOS.a; POP;
>>> + int bootdrv = TOS.u;
>>> + TOS.n = tpm_add_bcv(bootdrv, addr, length);
>>> +MIRP
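Review bot: The `LIBTPM:` lines for tpm-ipl and tpm-add-bcv give the C signatures as `tpm_ipl(void)` and `tpm_add_bcv(void)`, but the prototypes added to tcgbios.h take three arguments each, so the comments should be brought in line with them. The stack comment for tpm-add-event-separators, `( -- )`, likewise omits the value that `PUSH; TOS.n = tpm_add_event_separators();` leaves on the stack. In both three-argument primitives `length` is read from `TOS.u` into an `int` and then passed as `uint32_t`; declaring it `uint32_t` avoids the round trip through a signed type.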
>>> diff --git a/lib/libtpm/tpm.in b/lib/libtpm/tpm.in
>>> index 32d675f..06b0672 100644
>>> --- a/lib/libtpm/tpm.in
>>> +++ b/lib/libtpm/tpm.in
>>> @@ -17,3 +17,6 @@ cod(tpm-start)
>>> cod(tpm-unassert-pp)
>>> cod(tpm-set-log-parameters)
>>> cod(tpm-get-logsize)
>>> +cod(tpm-add-event-separators)
>>> +cod(tpm-ipl)
>>> +cod(tpm-add-bcv)
>>> diff --git a/slof/fs/tpm/tpm-static.fs b/slof/fs/tpm/tpm-static.fs
>>> index 11e4ad5..d425693 100644
>>> --- a/slof/fs/tpm/tpm-static.fs
>>> +++ b/slof/fs/tpm/tpm-static.fs
>>> @@ -22,6 +22,17 @@ false VALUE vtpm-debug?
>>> THEN
>>> ;
>>>
>>> +: vtpm-add-event-separators
>>> + vtpm-available? IF
>>> + tpm-add-event-separators ( -- errcode )
>> Why do we ignore the error code?
>
>
> We can ignore the error on this level. In SeaBIOS we do the same and we
> do not abort the boot. In case of an error we should probably write a
> log entry that indicates an error, assuming that such a log entry has
> been defined.
What I am unable to understand is if this feature is for Secure booting, and
we ignore the errors, how is it that vTPM will ensure secured
images/boot?
Regards,
Nikunj