[SLOF] [PATCH v2 07/20] Perform some initial measurements

Thomas Huth thuth at redhat.com
Fri Nov 20 03:44:59 AEDT 2015


On 19/11/15 17:28, Stefan Berger wrote:
> On 11/19/2015 05:14 AM, Thomas Huth wrote:
>> On 17/11/15 18:02, Stefan Berger wrote:
>>> From: Stefan Berger <stefanb at linux.vnet.ibm.com>
>>>
>>> This patch puts an 'event' separator into the log that can
>>> then be seen in Linux's
>>> /sys/kernel/security/tpm0/ascii_bios_measurements.
>>> More low-level C functions are added for measuring and logging of disk
>>> related data, along with their FORTH-level counterparts. These functions
>>> will be called in subsequent patches.
>>>
>>> Logging follows the specifications found on the following page:
>>>
>>> http://www.trustedcomputinggroup.org/resources/pc_client_work_group_specific_implementation_specification_for_conventional_bios
>>>
>>>
>>> Signed-off-by: Stefan Berger <stefanb at linux.vnet.ibm.com>
>>> ---
>> [...]
>>> +/*
>>> + * Add a measurement to the log. This function creates two log entries
>>> + * of the Initial Program Load (IPL).
>>> + *
>>> + * Input parameter:
>>> + *  bootcd : 0: MBR of hdd, 1: boot image, 2: boot catalog of El Torito
>>> + *  addr   : address where the IP data are located
>>> + *  length : IP data length in bytes
>>> + */
>>> +uint32_t tpm_measure_ipl(enum ipltype bootcd, const uint8_t *addr,
>>> +             uint32_t length)
>>> +{
>>> +    uint32_t rc;
>>> +    const char *string;
>>> +
>>> +    dprintf("tpm_ipl: bootcd = %d, addr = %p, length = 0x%x\n",
>>> +        bootcd, addr, length);
>>> +
>>> +    if (!has_working_tpm())
>>> +        return TCGBIOS_GENERAL_ERROR;
>>> +
>>> +    switch (bootcd) {
>>> +    case IPL_EL_TORITO_1:
>>> +        /* specs: see section 'El Torito' */
>>> +        string = "EL TORITO IPL";
>>> +        rc = tpm_add_measurement_to_log(4, EV_IPL,
>>> +                        string, strlen(string),
>>> +                        addr, length);
>>> +    break;
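Review bot: the `break;` at the end of this case is indented at the `case` label level rather than at statement level, unlike the other statements in the block; re-indent it to match. Two smaller points in the same hunk: the header comment documents `bootcd` with bare numbers (`0: MBR of hdd, 1: boot image, 2: boot catalog of El Torito`) although the parameter is an `enum ipltype`, so naming the enumerators (as `IPL_EL_TORITO_1` is used in the switch) would keep the comment from drifting; and it says the function "creates two log entries" while only one `tpm_add_measurement_to_log()` call per case is visible here, so it should spell out what the second entry is or be corrected. "IP data" in the parameter list also looks like a typo for "IPL data".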
>> Again, there is no "El Torito" boot on POWER - so I fail to see why you
>> need this code here ?
> 
> The code is currently not being called. But booting from CDROM is
> supported for OS installed, isn't it?

Yes, you can boot from CD-ROM, but it works differently on PPC, it has
nothing to do with the El Torito standard. IIRC, the El Torito standard
defines how the BIOS could present the CD-ROM drive as a floppy or HD to
the OS that should be booted. This is not done on Power. On sPAPR, we
boot from CD-ROM via the \ppc\bootinfo.txt file instead. See the LoPAPR
spec for details.

So if you just want to log that a CDROM boot has been made, you should
likely just rephrase the texts a little bit? But if these entries really
really should mean "El Torito" and not simply "CD-ROM boot", this maybe
needs to be handled differently? ... I don't know, but talking about "El
Torito" in the source is definitely wrong here.

 Thomas


