xref: /rk3399_ARM-atf/docs/design_documents/measured_boot_poc.rst (revision 49c7a26419198a0079a1696e96203649d0d0ac97)
Interaction between Measured Boot and an fTPM (PoC)
===================================================

Measured Boot is the process of cryptographically measuring the code and
critical data used at boot time, for example using a TPM, so that the
security state can be attested later.

The current implementation of the driver included in |TF-A| supports several
backends, each with a different means of storing the measurements.
This section focuses on the `TCG event log`_ backend, which stores measurements
in secure memory.

See details of :ref:`Measured Boot Design`.

The driver also provides mechanisms to pass the Event Log to the normal world
if needed.

This manual provides instructions to build a proof of concept (PoC) with the
sole intention of showing how Measured Boot can be used in conjunction with
a firmware TPM (fTPM) service implemented on top of OP-TEE.

.. note::
   The instructions given in this document are meant to be used to build
   a PoC to show how Measured Boot on TF-A can interact with a third
   party (f)TPM service and they try to be as general as possible. Different
   platforms might have different needs and configurations (e.g. different
   SHA algorithms) and they might also use different types of TPM services
   (or even a different type of service to provide the attestation),
   and therefore the instructions given here might not apply in such scenarios.

Components
~~~~~~~~~~

The PoC is built on top of the `OP-TEE Toolkit`_, which has been able to build
TF-A with Measured Boot enabled (and run it on a Foundation Model) since
commit cf56848.

The aforementioned toolkit builds a set of images that contain all the components
needed to test that the Event Log was properly created. One of these images
contains a third party fTPM service which in turn is used to process the
Event Log.

The OP-TEE Toolkit was chosen as the basis for the PoC mostly for convenience.
As the fTPM service used is an OP-TEE TA, it was easy to add build support
for it to the toolkit and then build the PoC around it.

The most relevant components installed in the image that are closely related to
the Measured Boot/fTPM functionality are:

   - **OP-TEE**: As stated earlier, the fTPM service used in this PoC is built as an
     OP-TEE TA and therefore we need to include the OP-TEE OS image.
     Support for interfacing with Measured Boot was added in version 3.9.0 of
     OP-TEE by implementing the ``PTA_SYSTEM_GET_TPM_EVENT_LOG`` syscall, which
     allows OP-TEE to pass a copy of the Event Log to any TA requesting it.
     OP-TEE knows the location of the Event Log by reading the DTB bindings
     received from TF-A. Visit :ref:`DTB binding for Event Log properties`
     for more details on this.

   - **fTPM Service**: We use a third party fTPM service in order to validate
     the Measured Boot functionality. The chosen fTPM service is a sample
     implementation for the AArch32 architecture included in the `ms-tpm-20-ref`_
     reference implementation from Microsoft. The service was updated in order
     to extend the Measured Boot Event Log at boot up and it uses the
     aforementioned ``PTA_SYSTEM_GET_TPM_EVENT_LOG`` call to retrieve a copy
     of the log.

   .. note::
      Arm does not provide an fTPM implementation. The fTPM service used here
      is a third party one which has been updated to support the Measured Boot
      service as provided by TF-A. As such, it is beyond the scope of this
      manual to test and verify the correctness of the output generated by the
      fTPM service.

   - **TPM Kernel module**: In order to interact with the fTPM service, we need
     a kernel module to forward the requests from user space to the secure world.

   - `tpm2-tools`_: This is a set of tools that allow interacting with the
     fTPM service. We use it in order to read the PCRs holding the measurements.

Building the PoC for the Arm FVP platform
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

As mentioned before, this PoC is based on the OP-TEE Toolkit with some
extensions to enable Measured Boot and an fTPM service. Therefore, we can rely
on the instructions to build the original OP-TEE Toolkit. As a general rule,
the following steps should suffice:

(1) Start by following the `Get and build the solution`_ instructions to build
    the OP-TEE toolkit. On step 3, you need to get the manifest for the FVP
    platform from the main branch:

    .. code:: shell

       $ repo init -u https://github.com/OP-TEE/manifest.git -m fvp.xml

    Then proceed to sync the repos as stated in step 3. Continue following
    the instructions and stop before step 5.

(2) Next you should obtain the `Armv8-A Foundation Platform (For Linux Hosts Only)`_.
    The binary should be extracted to the root of the repo tree, i.e., like
    this: ``<fvp-project>/Foundation_Platformpkg``. In the end, after cloning
    all source code, getting the toolchains and "installing"
    Foundation_Platformpkg, you should have a folder structure that looks like
    this:

    .. code:: shell

       $ ls -la
       total 80
       drwxrwxr-x 20 tf-a_user tf-a_user 4096 Jul  1 12:16 .
       drwxr-xr-x 23 tf-a_user tf-a_user 4096 Jul  1 10:40 ..
       drwxrwxr-x 12 tf-a_user tf-a_user 4096 Jul  1 10:45 build
       drwxrwxr-x 16 tf-a_user tf-a_user 4096 Jul  1 12:16 buildroot
       drwxrwxr-x 51 tf-a_user tf-a_user 4096 Jul  1 10:45 edk2
       drwxrwxr-x  6 tf-a_user tf-a_user 4096 Jul  1 12:14 edk2-platforms
       drwxr-xr-x  7 tf-a_user tf-a_user 4096 Jul  1 10:52 Foundation_Platformpkg
       drwxrwxr-x 17 tf-a_user tf-a_user 4096 Jul  2 10:40 grub
       drwxrwxr-x 25 tf-a_user tf-a_user 4096 Jul  2 10:39 linux
       drwxrwxr-x 15 tf-a_user tf-a_user 4096 Jul  1 10:45 mbedtls
       drwxrwxr-x  6 tf-a_user tf-a_user 4096 Jul  1 10:45 ms-tpm-20-ref
       drwxrwxr-x  8 tf-a_user tf-a_user 4096 Jul  1 10:45 optee_client
       drwxrwxr-x 10 tf-a_user tf-a_user 4096 Jul  1 10:45 optee_examples
       drwxrwxr-x 12 tf-a_user tf-a_user 4096 Jul  1 12:13 optee_os
       drwxrwxr-x  8 tf-a_user tf-a_user 4096 Jul  1 10:45 optee_test
       drwxrwxr-x  7 tf-a_user tf-a_user 4096 Jul  1 10:45 .repo
       drwxrwxr-x  4 tf-a_user tf-a_user 4096 Jul  1 12:12 toolchains
       drwxrwxr-x 21 tf-a_user tf-a_user 4096 Jul  1 12:15 trusted-firmware-a

(3) Now enter ``ms-tpm-20-ref`` and get its dependencies:

    .. code:: shell

       $ cd ms-tpm-20-ref
       $ git submodule init
       $ git submodule update
       Submodule path 'external/wolfssl': checked out '9c87f979a7f1d3a6d786b260653d566c1d31a1c4'

(4) Now, you should be able to continue with step 5 in the "`Get and build the solution`_"
    instructions. In order to enable support for Measured Boot, you need to
    set the following build options:

    .. code:: shell

       $ MEASURED_BOOT=y MEASURED_BOOT_FTPM=y make -j `nproc`

    .. note::
       The build process will likely take a long time. It is strongly recommended to
       pass the ``-j`` option to make to run the process faster.

    After this step, you should be ready to run the image.

Running and using the PoC on the Armv8-A Foundation AEM FVP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With everything built, you can now run the image:

.. code:: shell

   $ make run-only

.. note::
   Using ``make run`` will build and run the image and it can be used instead
   of simply ``make``. However, once the image is built, it is recommended to
   use ``make run-only`` to avoid re-running all the build rules, which
   would take time.

When the FVP is launched, two terminal windows will appear. ``FVP terminal_0``
is the userspace terminal whereas ``FVP terminal_1`` is the counterpart for
the secure world (where TAs will print their logs, for instance).

Log into the image shell as user ``root``; no password is required.
Then we can issue the ``ftpm`` command, which is an alias that

(1) loads the ftpm kernel module and

(2) calls ``tpm2_pcrread``, which will access the fTPM service to read the
    PCRs.

When loading the ftpm kernel module, the fTPM TA is loaded into the secure
world. This TA then requests a copy of the Event Log generated during the
boot process so that it can retrieve all the entries in the log and record
them before doing anything else.

.. note::
   For this PoC, nothing loaded after BL33 and NT_FW_CONFIG is recorded
   in the Event Log.

The secure world terminal should show the debug logs for the fTPM service,
including all the measurements available in the Event Log as they are being
processed:

.. code:: shell

   M/TA: Preparing to extend the following TPM Event Log:
   M/TA: TCG_EfiSpecIDEvent:
   M/TA:   PCRIndex           : 0
   M/TA:   EventType          : 3
   M/TA:   Digest             : 00
   M/TA:                      : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   M/TA:                      : 00 00 00
   M/TA:   EventSize          : 33
   M/TA:   Signature          : Spec ID Event03
   M/TA:   PlatformClass      : 0
   M/TA:   SpecVersion        : 2.0.2
   M/TA:   UintnSize          : 1
   M/TA:   NumberOfAlgorithms : 1
   M/TA:   DigestSizes        :
   M/TA:     #0 AlgorithmId   : SHA256
   M/TA:        DigestSize    : 32
   M/TA:   VendorInfoSize     : 0
   M/TA: PCR_Event2:
   M/TA:   PCRIndex           : 0
   M/TA:   EventType          : 3
   M/TA:   Digests Count      : 1
   M/TA:     #0 AlgorithmId   : SHA256
   M/TA:        Digest        : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   M/TA:                      : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   M/TA:   EventSize          : 17
   M/TA:   Signature          : StartupLocality
   M/TA:   StartupLocality    : 0
   M/TA: PCR_Event2:
   M/TA:   PCRIndex           : 0
   M/TA:   EventType          : 1
   M/TA:   Digests Count      : 1
   M/TA:     #0 AlgorithmId   : SHA256
   M/TA:        Digest        : 58 26 32 6e 64 45 64 da 45 de 35 db 96 fd ed 63
   M/TA:                      : 2a 6a d4 0d aa 94 b0 b1 55 e4 72 e7 1f 0a e0 d5
   M/TA:   EventSize          : 5
   M/TA:   Event              : BL_2
   M/TA: PCR_Event2:
   M/TA:   PCRIndex           : 0
   M/TA:   EventType          : 1
   M/TA:   Digests Count      : 1
   M/TA:     #0 AlgorithmId   : SHA256
   M/TA:        Digest        : cf f9 7d a3 5c 73 ac cb 7b a0 25 80 6a 6e 50 a5
   M/TA:                      : 6b 2e d2 8c c9 36 92 7d 46 c5 b9 c3 a4 6c 51 7c
   M/TA:   EventSize          : 6
   M/TA:   Event              : BL_31
   M/TA: PCR_Event2:
   M/TA:   PCRIndex           : 0
   M/TA:   EventType          : 1
   M/TA:   Digests Count      : 1
   M/TA:     #0 AlgorithmId   : SHA256
   M/TA:        Digest        : 23 b0 a3 5d 54 d9 43 1a 5c b9 89 63 1c da 06 c2
   M/TA:                      : e5 de e7 7e 99 17 52 12 7d f7 45 ca 4f 4a 39 c0
   M/TA:   EventSize          : 10
   M/TA:   Event              : HW_CONFIG
   M/TA: PCR_Event2:
   M/TA:   PCRIndex           : 0
   M/TA:   EventType          : 1
   M/TA:   Digests Count      : 1
   M/TA:     #0 AlgorithmId   : SHA256
   M/TA:        Digest        : 4e e4 8e 5a e6 50 ed e0 b5 a3 54 8a 1f d6 0e 8a
   M/TA:                      : ea 0e 71 75 0e a4 3f 82 76 ce af cd 7c b0 91 e0
   M/TA:   EventSize          : 14
   M/TA:   Event              : SOC_FW_CONFIG
   M/TA: PCR_Event2:
   M/TA:   PCRIndex           : 0
   M/TA:   EventType          : 1
   M/TA:   Digests Count      : 1
   M/TA:     #0 AlgorithmId   : SHA256
   M/TA:        Digest        : 01 b0 80 47 a1 ce 86 cd df 89 d2 1f 2e fc 6c 22
   M/TA:                      : f8 19 ec 6e 1e ec 73 ba 5a be d0 96 e3 5f 6d 75
   M/TA:   EventSize          : 6
   M/TA:   Event              : BL_32
   M/TA: PCR_Event2:
   M/TA:   PCRIndex           : 0
   M/TA:   EventType          : 1
   M/TA:   Digests Count      : 1
   M/TA:     #0 AlgorithmId   : SHA256
   M/TA:        Digest        : 5d c6 ef 35 5a 90 81 b4 37 e6 3b 52 da 92 ab 8e
   M/TA:                      : d9 6e 93 98 2d 40 87 96 1b 5a a7 ee f1 f4 40 63
   M/TA:   EventSize          : 18
   M/TA:   Event              : BL32_EXTRA1_IMAGE
   M/TA: PCR_Event2:
   M/TA:   PCRIndex           : 0
   M/TA:   EventType          : 1
   M/TA:   Digests Count      : 1
   M/TA:     #0 AlgorithmId   : SHA256
   M/TA:        Digest        : 39 b7 13 b9 93 db 32 2f 1b 48 30 eb 2c f2 5c 25
   M/TA:                      : 00 0f 38 dc 8e c8 02 cd 79 f2 48 d2 2c 25 ab e2
   M/TA:   EventSize          : 6
   M/TA:   Event              : BL_33
   M/TA: PCR_Event2:
   M/TA:   PCRIndex           : 0
   M/TA:   EventType          : 1
   M/TA:   Digests Count      : 1
   M/TA:     #0 AlgorithmId   : SHA256
   M/TA:        Digest        : 25 10 60 5d d4 bc 9d 82 7a 16 9f 8a cc 47 95 a6
   M/TA:                      : fd ca a0 c1 2b c9 99 8f 51 20 ff c6 ed 74 68 5a
   M/TA:   EventSize          : 13
   M/TA:   Event              : NT_FW_CONFIG

These logs correspond to the measurements stored by TF-A during the measured
boot process and therefore they should match the logs dumped by TF-A during
boot. These can be seen on ``FVP terminal_0``:

.. code:: shell

   NOTICE:  Booting Trusted Firmware
   NOTICE:  BL1: v2.5(release):v2.5
   NOTICE:  BL1: Built : 10:41:20, Jul  2 2021
   NOTICE:  BL1: Booting BL2
   NOTICE:  BL2: v2.5(release):v2.5
   NOTICE:  BL2: Built : 10:41:20, Jul  2 2021
   NOTICE:  TCG_EfiSpecIDEvent:
   NOTICE:    PCRIndex           : 0
   NOTICE:    EventType          : 3
   NOTICE:    Digest             : 00
   NOTICE:                       : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   NOTICE:                       : 00 00 00
   NOTICE:    EventSize          : 33
   NOTICE:    Signature          : Spec ID Event03
   NOTICE:    PlatformClass      : 0
   NOTICE:    SpecVersion        : 2.0.2
   NOTICE:    UintnSize          : 1
   NOTICE:    NumberOfAlgorithms : 1
   NOTICE:    DigestSizes        :
   NOTICE:      #0 AlgorithmId   : SHA256
   NOTICE:         DigestSize    : 32
   NOTICE:    VendorInfoSize     : 0
   NOTICE:  PCR_Event2:
   NOTICE:    PCRIndex           : 0
   NOTICE:    EventType          : 3
   NOTICE:    Digests Count      : 1
   NOTICE:      #0 AlgorithmId   : SHA256
   NOTICE:         Digest        : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   NOTICE:                       : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   NOTICE:    EventSize          : 17
   NOTICE:    Signature          : StartupLocality
   NOTICE:    StartupLocality    : 0
   NOTICE:  PCR_Event2:
   NOTICE:    PCRIndex           : 0
   NOTICE:    EventType          : 1
   NOTICE:    Digests Count      : 1
   NOTICE:      #0 AlgorithmId   : SHA256
   NOTICE:         Digest        : 58 26 32 6e 64 45 64 da 45 de 35 db 96 fd ed 63
   NOTICE:                       : 2a 6a d4 0d aa 94 b0 b1 55 e4 72 e7 1f 0a e0 d5
   NOTICE:    EventSize          : 5
   NOTICE:    Event              : BL_2
   NOTICE:  PCR_Event2:
   NOTICE:    PCRIndex           : 0
   NOTICE:    EventType          : 1
   NOTICE:    Digests Count      : 1
   NOTICE:      #0 AlgorithmId   : SHA256
   NOTICE:         Digest        : cf f9 7d a3 5c 73 ac cb 7b a0 25 80 6a 6e 50 a5
   NOTICE:                       : 6b 2e d2 8c c9 36 92 7d 46 c5 b9 c3 a4 6c 51 7c
   NOTICE:    EventSize          : 6
   NOTICE:    Event              : BL_31
   NOTICE:  PCR_Event2:
   NOTICE:    PCRIndex           : 0
   NOTICE:    EventType          : 1
   NOTICE:    Digests Count      : 1
   NOTICE:      #0 AlgorithmId   : SHA256
   NOTICE:         Digest        : 23 b0 a3 5d 54 d9 43 1a 5c b9 89 63 1c da 06 c2
   NOTICE:                       : e5 de e7 7e 99 17 52 12 7d f7 45 ca 4f 4a 39 c0
   NOTICE:    EventSize          : 10
   NOTICE:    Event              : HW_CONFIG
   NOTICE:  PCR_Event2:
   NOTICE:    PCRIndex           : 0
   NOTICE:    EventType          : 1
   NOTICE:    Digests Count      : 1
   NOTICE:      #0 AlgorithmId   : SHA256
   NOTICE:         Digest        : 4e e4 8e 5a e6 50 ed e0 b5 a3 54 8a 1f d6 0e 8a
   NOTICE:                       : ea 0e 71 75 0e a4 3f 82 76 ce af cd 7c b0 91 e0
   NOTICE:    EventSize          : 14
   NOTICE:    Event              : SOC_FW_CONFIG
   NOTICE:  PCR_Event2:
   NOTICE:    PCRIndex           : 0
   NOTICE:    EventType          : 1
   NOTICE:    Digests Count      : 1
   NOTICE:      #0 AlgorithmId   : SHA256
   NOTICE:         Digest        : 01 b0 80 47 a1 ce 86 cd df 89 d2 1f 2e fc 6c 22
   NOTICE:                       : f8 19 ec 6e 1e ec 73 ba 5a be d0 96 e3 5f 6d 75
   NOTICE:    EventSize          : 6
   NOTICE:    Event              : BL_32
   NOTICE:  PCR_Event2:
   NOTICE:    PCRIndex           : 0
   NOTICE:    EventType          : 1
   NOTICE:    Digests Count      : 1
   NOTICE:      #0 AlgorithmId   : SHA256
   NOTICE:         Digest        : 5d c6 ef 35 5a 90 81 b4 37 e6 3b 52 da 92 ab 8e
   NOTICE:                       : d9 6e 93 98 2d 40 87 96 1b 5a a7 ee f1 f4 40 63
   NOTICE:    EventSize          : 18
   NOTICE:    Event              : BL32_EXTRA1_IMAGE
   NOTICE:  PCR_Event2:
   NOTICE:    PCRIndex           : 0
   NOTICE:    EventType          : 1
   NOTICE:    Digests Count      : 1
   NOTICE:      #0 AlgorithmId   : SHA256
   NOTICE:         Digest        : 39 b7 13 b9 93 db 32 2f 1b 48 30 eb 2c f2 5c 25
   NOTICE:                       : 00 0f 38 dc 8e c8 02 cd 79 f2 48 d2 2c 25 ab e2
   NOTICE:    EventSize          : 6
   NOTICE:    Event              : BL_33
   NOTICE:  PCR_Event2:
   NOTICE:    PCRIndex           : 0
   NOTICE:    EventType          : 1
   NOTICE:    Digests Count      : 1
   NOTICE:      #0 AlgorithmId   : SHA256
   NOTICE:         Digest        : 25 10 60 5d d4 bc 9d 82 7a 16 9f 8a cc 47 95 a6
   NOTICE:                       : fd ca a0 c1 2b c9 99 8f 51 20 ff c6 ed 74 68 5a
   NOTICE:    EventSize          : 13
   NOTICE:    Event              : NT_FW_CONFIG
   NOTICE:  BL1: Booting BL31
   NOTICE:  BL31: v2.5(release):v2.5
   NOTICE:  BL31: Built : 10:41:20, Jul  2 2021

408a125c556SJavier Almansa SobrinoFollowing up with the fTPM startup process, we can see that all the
409a125c556SJavier Almansa Sobrinomeasurements in the Event Log are extended and recorded in the appropriate PCR:
410a125c556SJavier Almansa Sobrino
411a125c556SJavier Almansa Sobrino.. code:: shell
412a125c556SJavier Almansa Sobrino
413a125c556SJavier Almansa Sobrino	M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
414a125c556SJavier Almansa Sobrino	M/TA: 	ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
415a125c556SJavier Almansa Sobrino	M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
416a125c556SJavier Almansa Sobrino	M/TA: 	ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
417a125c556SJavier Almansa Sobrino	M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
418a125c556SJavier Almansa Sobrino	M/TA: 	ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
419a125c556SJavier Almansa Sobrino	M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
420a125c556SJavier Almansa Sobrino	M/TA: 	ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
421a125c556SJavier Almansa Sobrino	M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
422a125c556SJavier Almansa Sobrino	M/TA: 	ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
423a125c556SJavier Almansa Sobrino	M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
424a125c556SJavier Almansa Sobrino	M/TA: 	ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
425a125c556SJavier Almansa Sobrino	M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
426a125c556SJavier Almansa Sobrino	M/TA: 	ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
427a125c556SJavier Almansa Sobrino	M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
428a125c556SJavier Almansa Sobrino	M/TA: 	ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
429a125c556SJavier Almansa Sobrino	M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
430a125c556SJavier Almansa Sobrino	M/TA: 	ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
431a125c556SJavier Almansa Sobrino	M/TA: 9 Event logs processed
432a125c556SJavier Almansa Sobrino
After the fTPM TA is loaded, the call to ``insmod`` issued by the ``ftpm``
alias to load the ftpm kernel module returns, and the TPM PCRs are then read
with the ``tpm_pcrread`` command. Note that only the SHA256 bank is of interest
here, as this is the algorithm TF-A used for the measurements (see the
``AlgorithmId`` field in the logs above):

.. code:: shell

	sha256:
	0 : 0xA6EB3A7417B8CFA9EBA2E7C22AD5A4C03CDB8F3FBDD7667F9C3EF2EA285A8C9F
	1 : 0x0000000000000000000000000000000000000000000000000000000000000000
	2 : 0x0000000000000000000000000000000000000000000000000000000000000000
	3 : 0x0000000000000000000000000000000000000000000000000000000000000000
	4 : 0x0000000000000000000000000000000000000000000000000000000000000000
	5 : 0x0000000000000000000000000000000000000000000000000000000000000000
	6 : 0x0000000000000000000000000000000000000000000000000000000000000000
	7 : 0x0000000000000000000000000000000000000000000000000000000000000000
	8 : 0x0000000000000000000000000000000000000000000000000000000000000000
	9 : 0x0000000000000000000000000000000000000000000000000000000000000000
	10: 0x0000000000000000000000000000000000000000000000000000000000000000
	11: 0x0000000000000000000000000000000000000000000000000000000000000000
	12: 0x0000000000000000000000000000000000000000000000000000000000000000
	13: 0x0000000000000000000000000000000000000000000000000000000000000000
	14: 0x0000000000000000000000000000000000000000000000000000000000000000
	15: 0x0000000000000000000000000000000000000000000000000000000000000000
	16: 0x0000000000000000000000000000000000000000000000000000000000000000
	17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
	18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
	19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
	20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
	21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
	22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
	23: 0x0000000000000000000000000000000000000000000000000000000000000000

In this PoC we are only interested in PCR0, which must be non-zero, because
the boot process extends the measurement of every image into this PCR (see the
``PCRIndex`` field in the Event Log above). The remaining PCRs must still be 0
at this point.

.. note::
   The fTPM service used supports only 16 PCRs, so the content of PCRs above
   15 can be ignored.

.. note::
   As stated earlier, Arm does not provide an fTPM implementation and therefore
   we do not validate here whether the content of PCR0 is correct. For this
   PoC, we only focus on the fact that the event log could be passed to a
   third-party fTPM and its records were properly extended.

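A practitioner who does want to validate PCR0 can replay the Event Log: start
from an all-zero PCR bank, apply ``PCR[i] = SHA256(PCR[i] || digest)`` for each
record in log order, and compare the result with the ``tpm_pcrread`` output.
The script below is an added example written for this page; it is not TF-A,
OP-TEE or fTPM code. It assumes the ``NOTICE:`` record layout and the
``tpm_pcrread`` layout shown above, a SHA256-only bank and 16 PCRs (PCRs above
15 are ignored, as in the note). The embedded event log is constructed: the
``NT_FW_CONFIG`` digest is the one printed above, while the ``BL_33`` digest
and the PCR0 value in the constructed ``tpm_pcrread`` sample are placeholders,
so the comparison deliberately reports PCR0 as a mismatch.

```python
"""Replay a TF-A TCG event log into simulated PCRs and check tpm_pcrread output.
Added example for this PoC page; not TF-A, OP-TEE or fTPM code."""
import hashlib
import re

NUM_PCRS = 16       # the fTPM used in the PoC implements PCR0..PCR15 (assumption from the note)
DIGEST_LEN = 32     # SHA256 bank only, matching the TF-A build used here

# Constructed sample in the NOTICE format printed by TF-A. The NT_FW_CONFIG
# digest is the real one from the page; the BL_33 digest is a placeholder.
SAMPLE_TFA_LOG = """\
NOTICE:  PCR_Event2:
NOTICE:    PCRIndex           : 0
NOTICE:    EventType          : 1
NOTICE:    Digests Count      : 1
NOTICE:      #0 AlgorithmId   : SHA256
NOTICE:         Digest        : 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00
NOTICE:                       : 00 ff ee dd cc bb aa 99 88 77 66 55 44 33 22 11
NOTICE:    EventSize          : 6
NOTICE:    Event              : BL_33
NOTICE:  PCR_Event2:
NOTICE:    PCRIndex           : 0
NOTICE:    EventType          : 1
NOTICE:    Digests Count      : 1
NOTICE:      #0 AlgorithmId   : SHA256
NOTICE:         Digest        : 25 10 60 5d d4 bc 9d 82 7a 16 9f 8a cc 47 95 a6
NOTICE:                       : fd ca a0 c1 2b c9 99 8f 51 20 ff c6 ed 74 68 5a
NOTICE:    EventSize          : 13
NOTICE:    Event              : NT_FW_CONFIG
NOTICE:  BL1: Booting BL31
"""

# Constructed tpm_pcrread output: PCR0 is a placeholder that will not match.
SAMPLE_PCRREAD = """\
sha256:
0 : 0x0102030405060708091011121314151617181920212223242526272829303132
1 : 0x0000000000000000000000000000000000000000000000000000000000000000
17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
"""


def parse_tfa_event_log(text):
    """Parse PCR_Event2 records from TF-A NOTICE lines into a list of dicts."""
    events, cur = [], None
    for raw in text.splitlines():
        body = raw.strip()
        if body.startswith("NOTICE:"):
            body = body[len("NOTICE:"):].strip()
        if body == "PCR_Event2:":
            cur = {"pcr": None, "alg": None, "digest": "", "event": None}
            events.append(cur)
            continue
        if cur is None:
            continue
        key, _, value = body.partition(":")
        key, value = key.strip(), value.strip()
        if key == "PCRIndex":
            cur["pcr"] = int(value)
        elif key.endswith("AlgorithmId"):
            cur["alg"] = value
        elif key == "Digest" or (key == "" and value):   # digest and its continuation line
            cur["digest"] += value.replace(" ", "")
        elif key == "Event":
            cur["event"] = value
            cur = None   # record complete; unrelated NOTICE lines are skipped
    return events


def replay_event_log(events):
    """Extend every digest into a zero-initialised bank: PCR[i] = SHA256(PCR[i] || digest)."""
    pcrs = {i: bytes(DIGEST_LEN) for i in range(NUM_PCRS)}
    for ev in events:
        if ev["alg"] != "SHA256":
            raise ValueError(f"unsupported bank {ev['alg']} in record {ev['event']}")
        digest = bytes.fromhex(ev["digest"])
        if len(digest) != DIGEST_LEN or ev["pcr"] not in pcrs:
            raise ValueError(f"malformed record {ev['event']}")
        pcrs[ev["pcr"]] = hashlib.sha256(pcrs[ev["pcr"]] + digest).digest()
    return pcrs


BANK_LINE = re.compile(r"^\s*(\w+):\s*$")
PCR_LINE = re.compile(r"^\s*(\d+)\s*:\s*0x([0-9A-Fa-f]{64})\s*$")


def parse_pcrread(text):
    """Parse the sha256 bank of tpm_pcrread output into {index: bytes}."""
    out, in_sha256 = {}, False
    for line in text.splitlines():
        bank = BANK_LINE.match(line)
        if bank:
            in_sha256 = bank.group(1) == "sha256"
            continue
        m = PCR_LINE.match(line)
        if in_sha256 and m:
            out[int(m.group(1))] = bytes.fromhex(m.group(2))
    return out


def compare(expected, measured):
    """Indices of reported PCRs (0..15) whose value differs from the replayed bank."""
    return [i for i in sorted(measured) if i < NUM_PCRS and measured[i] != expected[i]]


def format_pcrread(pcrs):
    """Render a bank in tpm_pcrread's sha256 layout (handy for building test data)."""
    return "sha256:\n" + "".join(f"{i:<2}: 0x{pcrs[i].hex().upper()}\n" for i in sorted(pcrs))


if __name__ == "__main__":
    events = parse_tfa_event_log(SAMPLE_TFA_LOG)
    expected = replay_event_log(events)
    print(f"{len(events)} Event logs processed, expected PCR0 = {expected[0].hex()}")
    print("PCRs not matching the Event Log:", compare(expected, parse_pcrread(SAMPLE_PCRREAD)) or "none")
```

Run against a real boot, the replayed PCR0 must equal the ``tpm_pcrread``
value, and every other PCR below 16 must replay to zero; a mismatch means
either the log handed to the fTPM differs from what TF-A printed or the fTPM
extended it in a different order.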
Fine-tuning the fTPM TA
~~~~~~~~~~~~~~~~~~~~~~~

As stated earlier, the OP-TEE Toolkit includes support to build a third-party
fTPM service. The build options for this service are tailored for the PoC and
defined in the build environment variable ``FTPM_FLAGS`` (see
``<toolkit_home>/build/common.mk``), but they can be modified if needed to
better adapt it to a specific scenario.

The most relevant options for Measured Boot support are:

   - **CFG_TA_DEBUG**: Enables debug logs in the Terminal_1 console.
   - **CFG_TEE_TA_LOG_LEVEL**: Defines the log level used for the debug messages.
   - **CFG_TA_MEASURED_BOOT**: Enables support for measured boot on the fTPM.
   - **CFG_TA_EVENT_LOG_SIZE**: Defines the size, in bytes, of the largest event log
     that the fTPM is able to store, as this buffer is allocated at build time. It must
     be at least the size of the event log generated by TF-A. If this build option is
     not defined, the fTPM falls back to a default value of 1024 bytes, which is enough
     for this PoC, so this variable is not defined in ``FTPM_FLAGS``.

--------------

*Copyright (c) 2021-2023, Arm Limited. All rights reserved.*

.. _OP-TEE Toolkit: https://github.com/OP-TEE/build
.. _ms-tpm-20-ref: https://github.com/microsoft/ms-tpm-20-ref
.. _Get and build the solution: https://optee.readthedocs.io/en/latest/building/gits/build.html#get-and-build-the-solution
.. _Armv8-A Foundation Platform (For Linux Hosts Only): https://developer.arm.com/tools-and-software/simulation-models/fixed-virtual-platforms/arm-ecosystem-models
.. _tpm2-tools: https://github.com/tpm2-software/tpm2-tools
.. _TCG event log: https://trustedcomputinggroup.org/resource/tcg-efi-platform-specification/
