1*a125c556SJavier Almansa SobrinoInteraction between Measured Boot and an fTPM (PoC) 2*a125c556SJavier Almansa Sobrino=================================================== 3*a125c556SJavier Almansa Sobrino 4*a125c556SJavier Almansa SobrinoMeasured Boot is the process of cryptographically measuring the code and 5*a125c556SJavier Almansa Sobrinocritical data used at boot time, for example using a TPM, so that the 6*a125c556SJavier Almansa Sobrinosecurity state can be attested later. 7*a125c556SJavier Almansa Sobrino 8*a125c556SJavier Almansa SobrinoThe current implementation of the driver included in Trusted Firmware-A 9*a125c556SJavier Almansa Sobrino(TF-A) stores the measurements into a `TGC event log`_ in secure 10*a125c556SJavier Almansa Sobrinomemory. No other means of recording measurements (such as a discrete TPM) is 11*a125c556SJavier Almansa Sobrinosupported right now. 12*a125c556SJavier Almansa Sobrino 13*a125c556SJavier Almansa SobrinoThe driver also provides mechanisms to pass the Event Log to normal world if 14*a125c556SJavier Almansa Sobrinoneeded. 15*a125c556SJavier Almansa Sobrino 16*a125c556SJavier Almansa SobrinoThis manual provides instructions to build a proof of concept (PoC) with the 17*a125c556SJavier Almansa Sobrinosole intention of showing how Measured Boot can be used in conjunction with 18*a125c556SJavier Almansa Sobrinoa firmware TPM (fTPM) service implemented on top of OP-TEE. 19*a125c556SJavier Almansa Sobrino 20*a125c556SJavier Almansa Sobrino.. note:: 21*a125c556SJavier Almansa Sobrino The instructions given in this document are meant to be used to build 22*a125c556SJavier Almansa Sobrino a PoC to show how Measured Boot on TF-A can interact with a third 23*a125c556SJavier Almansa Sobrino party (f)TPM service and they try to be as general as possible. Different 24*a125c556SJavier Almansa Sobrino platforms might have different needs and configurations (e.g. 
different 25*a125c556SJavier Almansa Sobrino SHA algorithms) and they might also use different types of TPM services 26*a125c556SJavier Almansa Sobrino (or even a different type of service to provide the attestation) 27*a125c556SJavier Almansa Sobrino and therefore the instuctions given here might not apply in such scenarios. 28*a125c556SJavier Almansa Sobrino 29*a125c556SJavier Almansa SobrinoComponents 30*a125c556SJavier Almansa Sobrino~~~~~~~~~~ 31*a125c556SJavier Almansa Sobrino 32*a125c556SJavier Almansa SobrinoThe PoC is built on top of the `OP-TEE Toolkit`_, which has support to build 33*a125c556SJavier Almansa SobrinoTF-A with support for Measured Boot enabled (and run it on a Foundation Model) 34*a125c556SJavier Almansa Sobrinosince commit cf56848. 35*a125c556SJavier Almansa Sobrino 36*a125c556SJavier Almansa SobrinoThe aforementioned toolkit builds a set of images that contain all the components 37*a125c556SJavier Almansa Sobrinoneeded to test that the Event Log was properly created. One of these images will 38*a125c556SJavier Almansa Sobrinocontain a third party fTPM service which in turn will be used to process the 39*a125c556SJavier Almansa SobrinoEvent Log. 40*a125c556SJavier Almansa Sobrino 41*a125c556SJavier Almansa SobrinoThe reason to choose OP-TEE Toolkit to build our PoC around it is mostly 42*a125c556SJavier Almansa Sobrinofor convenience. As the fTPM service used is an OP-TEE TA, it was easy to add 43*a125c556SJavier Almansa Sobrinobuild support for it to the toolkit and then build the PoC around it. 
44*a125c556SJavier Almansa Sobrino 45*a125c556SJavier Almansa SobrinoThe most relevant components installed in the image that are closely related to 46*a125c556SJavier Almansa SobrinoMeasured Boot/fTPM functionality are: 47*a125c556SJavier Almansa Sobrino 48*a125c556SJavier Almansa Sobrino - **OP-TEE**: As stated earlier, the fTPM service used in this PoC is built as an 49*a125c556SJavier Almansa Sobrino OP-TEE TA and therefore we need to include the OP-TEE OS image. 50*a125c556SJavier Almansa Sobrino Support to interfacing with Measured Boot was added to version 3.9.0 of 51*a125c556SJavier Almansa Sobrino OP-TEE by implementing the ``PTA_SYSTEM_GET_TPM_EVENT_LOG`` syscall, which 52*a125c556SJavier Almansa Sobrino allows the former to pass a copy of the Event Log to any TA requesting it. 53*a125c556SJavier Almansa Sobrino OP-TEE knows the location of the Event Log by reading the DTB bindings 54*a125c556SJavier Almansa Sobrino received from TF-A. Visit :ref:`DTB binding for Event Log properties` 55*a125c556SJavier Almansa Sobrino for more details on this. 56*a125c556SJavier Almansa Sobrino 57*a125c556SJavier Almansa Sobrino - **fTPM Service**: We use a third party fTPM service in order to validate 58*a125c556SJavier Almansa Sobrino the Measured Boot functionality. The chosen fTPM service is a sample 59*a125c556SJavier Almansa Sobrino implementation for Aarch32 architecture included on the `ms-tpm-20-ref`_ 60*a125c556SJavier Almansa Sobrino reference implementation from Microsoft. The service was updated in order 61*a125c556SJavier Almansa Sobrino to extend the Measured Boot Event Log at boot up and it uses the 62*a125c556SJavier Almansa Sobrino aforementioned ``PTA_SYSTEM_GET_TPM_EVENT_LOG`` call to retrieve a copy 63*a125c556SJavier Almansa Sobrino of the former. 64*a125c556SJavier Almansa Sobrino 65*a125c556SJavier Almansa Sobrino .. note:: 66*a125c556SJavier Almansa Sobrino Arm does not provide an fTPM implementation. 
The fTPM service used here 67*a125c556SJavier Almansa Sobrino is a third party one which has been updated to support Measured Boot 68*a125c556SJavier Almansa Sobrino service as provided by TF-A. As such, it is beyond the scope of this 69*a125c556SJavier Almansa Sobrino manual to test and verify the correctness of the output generated by the 70*a125c556SJavier Almansa Sobrino fTPM service. 71*a125c556SJavier Almansa Sobrino 72*a125c556SJavier Almansa Sobrino - **TPM Kernel module**: In order to interact with the fTPM service, we need 73*a125c556SJavier Almansa Sobrino a kernel module to forward the request from user space to the secure world. 74*a125c556SJavier Almansa Sobrino 75*a125c556SJavier Almansa Sobrino - `tpm2-tools`_: This is a set of tools that allow to interact with the 76*a125c556SJavier Almansa Sobrino fTPM service. We use this in order to read the PCRs with the measurements. 77*a125c556SJavier Almansa Sobrino 78*a125c556SJavier Almansa SobrinoBuilding the PoC for the Arm FVP platform 79*a125c556SJavier Almansa Sobrino~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 80*a125c556SJavier Almansa Sobrino 81*a125c556SJavier Almansa SobrinoAs mentioned before, this PoC is based on the OP-TEE Toolkit with some 82*a125c556SJavier Almansa Sobrinoextensions to enable Measured Boot and an fTPM service. Therefore, we can rely 83*a125c556SJavier Almansa Sobrinoon the instructions to build the original OP-TEE Toolkit. As a general rule, 84*a125c556SJavier Almansa Sobrinothe following steps should suffice: 85*a125c556SJavier Almansa Sobrino 86*a125c556SJavier Almansa Sobrino(1) Start by following the `Get and build the solution`_ instructions to build 87*a125c556SJavier Almansa Sobrino the OP-TEE toolkit. On step 3, you need to get the manifest for FVP 88*a125c556SJavier Almansa Sobrino platform from the main branch: 89*a125c556SJavier Almansa Sobrino 90*a125c556SJavier Almansa Sobrino .. 
code:: shell 91*a125c556SJavier Almansa Sobrino 92*a125c556SJavier Almansa Sobrino $ repo init -u https://github.com/OP-TEE/manifest.git -m fvp.xml 93*a125c556SJavier Almansa Sobrino 94*a125c556SJavier Almansa Sobrino Then proceed synching the repos as stated in step 3. Continue following 95*a125c556SJavier Almansa Sobrino the instructions and stop before step 5. 96*a125c556SJavier Almansa Sobrino 97*a125c556SJavier Almansa Sobrino(2) Next you should obtain the `Armv8-A Foundation Platform (For Linux Hosts Only)`_. 98*a125c556SJavier Almansa Sobrino The binary should be untar'ed to the root of the repo tree, i.e., like 99*a125c556SJavier Almansa Sobrino this: ``<fvp-project>/Foundation_Platformpkg``. In the end, after cloning 100*a125c556SJavier Almansa Sobrino all source code, getting the toolchains and "installing" 101*a125c556SJavier Almansa Sobrino Foundation_Platformpkg, you should have a folder structure that looks like 102*a125c556SJavier Almansa Sobrino this: 103*a125c556SJavier Almansa Sobrino 104*a125c556SJavier Almansa Sobrino .. code:: shell 105*a125c556SJavier Almansa Sobrino 106*a125c556SJavier Almansa Sobrino $ ls -la 107*a125c556SJavier Almansa Sobrino total 80 108*a125c556SJavier Almansa Sobrino drwxrwxr-x 20 tf-a_user tf-a_user 4096 Jul 1 12:16 . 109*a125c556SJavier Almansa Sobrino drwxr-xr-x 23 tf-a_user tf-a_user 4096 Jul 1 10:40 .. 
110*a125c556SJavier Almansa Sobrino drwxrwxr-x 12 tf-a_user tf-a_user 4096 Jul 1 10:45 build 111*a125c556SJavier Almansa Sobrino drwxrwxr-x 16 tf-a_user tf-a_user 4096 Jul 1 12:16 buildroot 112*a125c556SJavier Almansa Sobrino drwxrwxr-x 51 tf-a_user tf-a_user 4096 Jul 1 10:45 edk2 113*a125c556SJavier Almansa Sobrino drwxrwxr-x 6 tf-a_user tf-a_user 4096 Jul 1 12:14 edk2-platforms 114*a125c556SJavier Almansa Sobrino drwxr-xr-x 7 tf-a_user tf-a_user 4096 Jul 1 10:52 Foundation_Platformpkg 115*a125c556SJavier Almansa Sobrino drwxrwxr-x 17 tf-a_user tf-a_user 4096 Jul 2 10:40 grub 116*a125c556SJavier Almansa Sobrino drwxrwxr-x 25 tf-a_user tf-a_user 4096 Jul 2 10:39 linux 117*a125c556SJavier Almansa Sobrino drwxrwxr-x 15 tf-a_user tf-a_user 4096 Jul 1 10:45 mbedtls 118*a125c556SJavier Almansa Sobrino drwxrwxr-x 6 tf-a_user tf-a_user 4096 Jul 1 10:45 ms-tpm-20-ref 119*a125c556SJavier Almansa Sobrino drwxrwxr-x 8 tf-a_user tf-a_user 4096 Jul 1 10:45 optee_client 120*a125c556SJavier Almansa Sobrino drwxrwxr-x 10 tf-a_user tf-a_user 4096 Jul 1 10:45 optee_examples 121*a125c556SJavier Almansa Sobrino drwxrwxr-x 12 tf-a_user tf-a_user 4096 Jul 1 12:13 optee_os 122*a125c556SJavier Almansa Sobrino drwxrwxr-x 8 tf-a_user tf-a_user 4096 Jul 1 10:45 optee_test 123*a125c556SJavier Almansa Sobrino drwxrwxr-x 7 tf-a_user tf-a_user 4096 Jul 1 10:45 .repo 124*a125c556SJavier Almansa Sobrino drwxrwxr-x 4 tf-a_user tf-a_user 4096 Jul 1 12:12 toolchains 125*a125c556SJavier Almansa Sobrino drwxrwxr-x 21 tf-a_user tf-a_user 4096 Jul 1 12:15 trusted-firmware-a 126*a125c556SJavier Almansa Sobrino 127*a125c556SJavier Almansa Sobrino(3) Now enter into ``ms-tpm-20-ref`` and get its dependencies: 128*a125c556SJavier Almansa Sobrino 129*a125c556SJavier Almansa Sobrino .. 
code:: shell 130*a125c556SJavier Almansa Sobrino 131*a125c556SJavier Almansa Sobrino $ cd ms-tpm-20-ref 132*a125c556SJavier Almansa Sobrino $ git submodule init 133*a125c556SJavier Almansa Sobrino $ git submodule update 134*a125c556SJavier Almansa Sobrino Submodule path 'external/wolfssl': checked out '9c87f979a7f1d3a6d786b260653d566c1d31a1c4' 135*a125c556SJavier Almansa Sobrino 136*a125c556SJavier Almansa Sobrino(4) Now, you should be able to continue with step 5 in "`Get and build the solution`_" 137*a125c556SJavier Almansa Sobrino instructions. In order to enable support for Measured Boot, you need to 138*a125c556SJavier Almansa Sobrino set the ``MEASURED_BOOT`` build option: 139*a125c556SJavier Almansa Sobrino 140*a125c556SJavier Almansa Sobrino .. code:: shell 141*a125c556SJavier Almansa Sobrino 142*a125c556SJavier Almansa Sobrino $ MEASURED_BOOT=y make -j `nproc` 143*a125c556SJavier Almansa Sobrino 144*a125c556SJavier Almansa Sobrino .. note:: 145*a125c556SJavier Almansa Sobrino The build process will likely take a long time. It is strongly recommended to 146*a125c556SJavier Almansa Sobrino pass the ``-j`` option to make to run the process faster. 147*a125c556SJavier Almansa Sobrino 148*a125c556SJavier Almansa Sobrino After this step, you should be ready to run the image. 149*a125c556SJavier Almansa Sobrino 150*a125c556SJavier Almansa SobrinoRunning and using the PoC on the Armv8-A Foundation AEM FVP 151*a125c556SJavier Almansa Sobrino~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 152*a125c556SJavier Almansa Sobrino 153*a125c556SJavier Almansa SobrinoWith everything built, you can now run the image: 154*a125c556SJavier Almansa Sobrino 155*a125c556SJavier Almansa Sobrino.. code:: shell 156*a125c556SJavier Almansa Sobrino 157*a125c556SJavier Almansa Sobrino $ make run-only 158*a125c556SJavier Almansa Sobrino 159*a125c556SJavier Almansa Sobrino.. 
note:: 160*a125c556SJavier Almansa Sobrino Using ``make run`` will build and run the image and it can be used instead 161*a125c556SJavier Almansa Sobrino of simply ``make``. However, once the image is built, it is recommended to 162*a125c556SJavier Almansa Sobrino use ``make run-only`` to avoid re-running all the building rules, which 163*a125c556SJavier Almansa Sobrino would take time. 164*a125c556SJavier Almansa Sobrino 165*a125c556SJavier Almansa SobrinoWhen FVP is launched, two terminal windows will appear. ``FVP terminal_0`` 166*a125c556SJavier Almansa Sobrinois the userspace terminal whereas ``FVP terminal_1`` is the counterpart for 167*a125c556SJavier Almansa Sobrinothe secure world (where TAs will print their logs, for instance). 168*a125c556SJavier Almansa Sobrino 169*a125c556SJavier Almansa SobrinoLog into the image shell with user ``root``, no password will be required. 170*a125c556SJavier Almansa SobrinoThen we can issue the ``ftpm`` command, which is an alias that 171*a125c556SJavier Almansa Sobrino 172*a125c556SJavier Almansa Sobrino(1) loads the ftpm kernel module and 173*a125c556SJavier Almansa Sobrino 174*a125c556SJavier Almansa Sobrino(2) calls ``tpm2_pcrread``, which will access the fTPM service to read the 175*a125c556SJavier Almansa Sobrino PCRs. 176*a125c556SJavier Almansa Sobrino 177*a125c556SJavier Almansa SobrinoWhen loading the ftpm kernel module, the fTPM TA is loaded into the secure 178*a125c556SJavier Almansa Sobrinoworld. This TA then requests a copy of the Event Log generated during the 179*a125c556SJavier Almansa Sobrinobooting process so it can retrieve all the entries on the log and record them 180*a125c556SJavier Almansa Sobrinofirst thing. 181*a125c556SJavier Almansa Sobrino 182*a125c556SJavier Almansa Sobrino.. note:: 183*a125c556SJavier Almansa Sobrino For this PoC, nothing loaded after BL33 and NT_FW_CONFIG is recorded 184*a125c556SJavier Almansa Sobrino in the Event Log. 
185*a125c556SJavier Almansa Sobrino 186*a125c556SJavier Almansa SobrinoThe secure world terminal should show the debug logs for the fTPM service, 187*a125c556SJavier Almansa Sobrinoincluding all the measurements available in the Event Log as they are being 188*a125c556SJavier Almansa Sobrinoprocessed: 189*a125c556SJavier Almansa Sobrino 190*a125c556SJavier Almansa Sobrino.. code:: shell 191*a125c556SJavier Almansa Sobrino 192*a125c556SJavier Almansa Sobrino M/TA: Preparing to extend the following TPM Event Log: 193*a125c556SJavier Almansa Sobrino M/TA: TCG_EfiSpecIDEvent: 194*a125c556SJavier Almansa Sobrino M/TA: PCRIndex : 0 195*a125c556SJavier Almansa Sobrino M/TA: EventType : 3 196*a125c556SJavier Almansa Sobrino M/TA: Digest : 00 197*a125c556SJavier Almansa Sobrino M/TA: : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 198*a125c556SJavier Almansa Sobrino M/TA: : 00 00 00 199*a125c556SJavier Almansa Sobrino M/TA: EventSize : 33 200*a125c556SJavier Almansa Sobrino M/TA: Signature : Spec ID Event03 201*a125c556SJavier Almansa Sobrino M/TA: PlatformClass : 0 202*a125c556SJavier Almansa Sobrino M/TA: SpecVersion : 2.0.2 203*a125c556SJavier Almansa Sobrino M/TA: UintnSize : 1 204*a125c556SJavier Almansa Sobrino M/TA: NumberOfAlgorithms : 1 205*a125c556SJavier Almansa Sobrino M/TA: DigestSizes : 206*a125c556SJavier Almansa Sobrino M/TA: #0 AlgorithmId : SHA256 207*a125c556SJavier Almansa Sobrino M/TA: DigestSize : 32 208*a125c556SJavier Almansa Sobrino M/TA: VendorInfoSize : 0 209*a125c556SJavier Almansa Sobrino M/TA: PCR_Event2: 210*a125c556SJavier Almansa Sobrino M/TA: PCRIndex : 0 211*a125c556SJavier Almansa Sobrino M/TA: EventType : 3 212*a125c556SJavier Almansa Sobrino M/TA: Digests Count : 1 213*a125c556SJavier Almansa Sobrino M/TA: #0 AlgorithmId : SHA256 214*a125c556SJavier Almansa Sobrino M/TA: Digest : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 215*a125c556SJavier Almansa Sobrino M/TA: : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
216*a125c556SJavier Almansa Sobrino M/TA: EventSize : 17 217*a125c556SJavier Almansa Sobrino M/TA: Signature : StartupLocality 218*a125c556SJavier Almansa Sobrino M/TA: StartupLocality : 0 219*a125c556SJavier Almansa Sobrino M/TA: PCR_Event2: 220*a125c556SJavier Almansa Sobrino M/TA: PCRIndex : 0 221*a125c556SJavier Almansa Sobrino M/TA: EventType : 1 222*a125c556SJavier Almansa Sobrino M/TA: Digests Count : 1 223*a125c556SJavier Almansa Sobrino M/TA: #0 AlgorithmId : SHA256 224*a125c556SJavier Almansa Sobrino M/TA: Digest : 58 26 32 6e 64 45 64 da 45 de 35 db 96 fd ed 63 225*a125c556SJavier Almansa Sobrino M/TA: : 2a 6a d4 0d aa 94 b0 b1 55 e4 72 e7 1f 0a e0 d5 226*a125c556SJavier Almansa Sobrino M/TA: EventSize : 5 227*a125c556SJavier Almansa Sobrino M/TA: Event : BL_2 228*a125c556SJavier Almansa Sobrino M/TA: PCR_Event2: 229*a125c556SJavier Almansa Sobrino M/TA: PCRIndex : 0 230*a125c556SJavier Almansa Sobrino M/TA: EventType : 1 231*a125c556SJavier Almansa Sobrino M/TA: Digests Count : 1 232*a125c556SJavier Almansa Sobrino M/TA: #0 AlgorithmId : SHA256 233*a125c556SJavier Almansa Sobrino M/TA: Digest : cf f9 7d a3 5c 73 ac cb 7b a0 25 80 6a 6e 50 a5 234*a125c556SJavier Almansa Sobrino M/TA: : 6b 2e d2 8c c9 36 92 7d 46 c5 b9 c3 a4 6c 51 7c 235*a125c556SJavier Almansa Sobrino M/TA: EventSize : 6 236*a125c556SJavier Almansa Sobrino M/TA: Event : BL_31 237*a125c556SJavier Almansa Sobrino M/TA: PCR_Event2: 238*a125c556SJavier Almansa Sobrino M/TA: PCRIndex : 0 239*a125c556SJavier Almansa Sobrino M/TA: EventType : 1 240*a125c556SJavier Almansa Sobrino M/TA: Digests Count : 1 241*a125c556SJavier Almansa Sobrino M/TA: #0 AlgorithmId : SHA256 242*a125c556SJavier Almansa Sobrino M/TA: Digest : 23 b0 a3 5d 54 d9 43 1a 5c b9 89 63 1c da 06 c2 243*a125c556SJavier Almansa Sobrino M/TA: : e5 de e7 7e 99 17 52 12 7d f7 45 ca 4f 4a 39 c0 244*a125c556SJavier Almansa Sobrino M/TA: EventSize : 10 245*a125c556SJavier Almansa Sobrino M/TA: Event : HW_CONFIG 246*a125c556SJavier 
Almansa Sobrino M/TA: PCR_Event2: 247*a125c556SJavier Almansa Sobrino M/TA: PCRIndex : 0 248*a125c556SJavier Almansa Sobrino M/TA: EventType : 1 249*a125c556SJavier Almansa Sobrino M/TA: Digests Count : 1 250*a125c556SJavier Almansa Sobrino M/TA: #0 AlgorithmId : SHA256 251*a125c556SJavier Almansa Sobrino M/TA: Digest : 4e e4 8e 5a e6 50 ed e0 b5 a3 54 8a 1f d6 0e 8a 252*a125c556SJavier Almansa Sobrino M/TA: : ea 0e 71 75 0e a4 3f 82 76 ce af cd 7c b0 91 e0 253*a125c556SJavier Almansa Sobrino M/TA: EventSize : 14 254*a125c556SJavier Almansa Sobrino M/TA: Event : SOC_FW_CONFIG 255*a125c556SJavier Almansa Sobrino M/TA: PCR_Event2: 256*a125c556SJavier Almansa Sobrino M/TA: PCRIndex : 0 257*a125c556SJavier Almansa Sobrino M/TA: EventType : 1 258*a125c556SJavier Almansa Sobrino M/TA: Digests Count : 1 259*a125c556SJavier Almansa Sobrino M/TA: #0 AlgorithmId : SHA256 260*a125c556SJavier Almansa Sobrino M/TA: Digest : 01 b0 80 47 a1 ce 86 cd df 89 d2 1f 2e fc 6c 22 261*a125c556SJavier Almansa Sobrino M/TA: : f8 19 ec 6e 1e ec 73 ba 5a be d0 96 e3 5f 6d 75 262*a125c556SJavier Almansa Sobrino M/TA: EventSize : 6 263*a125c556SJavier Almansa Sobrino M/TA: Event : BL_32 264*a125c556SJavier Almansa Sobrino M/TA: PCR_Event2: 265*a125c556SJavier Almansa Sobrino M/TA: PCRIndex : 0 266*a125c556SJavier Almansa Sobrino M/TA: EventType : 1 267*a125c556SJavier Almansa Sobrino M/TA: Digests Count : 1 268*a125c556SJavier Almansa Sobrino M/TA: #0 AlgorithmId : SHA256 269*a125c556SJavier Almansa Sobrino M/TA: Digest : 5d c6 ef 35 5a 90 81 b4 37 e6 3b 52 da 92 ab 8e 270*a125c556SJavier Almansa Sobrino M/TA: : d9 6e 93 98 2d 40 87 96 1b 5a a7 ee f1 f4 40 63 271*a125c556SJavier Almansa Sobrino M/TA: EventSize : 18 272*a125c556SJavier Almansa Sobrino M/TA: Event : BL32_EXTRA1_IMAGE 273*a125c556SJavier Almansa Sobrino M/TA: PCR_Event2: 274*a125c556SJavier Almansa Sobrino M/TA: PCRIndex : 0 275*a125c556SJavier Almansa Sobrino M/TA: EventType : 1 276*a125c556SJavier Almansa Sobrino M/TA: Digests 
Count : 1 277*a125c556SJavier Almansa Sobrino M/TA: #0 AlgorithmId : SHA256 278*a125c556SJavier Almansa Sobrino M/TA: Digest : 39 b7 13 b9 93 db 32 2f 1b 48 30 eb 2c f2 5c 25 279*a125c556SJavier Almansa Sobrino M/TA: : 00 0f 38 dc 8e c8 02 cd 79 f2 48 d2 2c 25 ab e2 280*a125c556SJavier Almansa Sobrino M/TA: EventSize : 6 281*a125c556SJavier Almansa Sobrino M/TA: Event : BL_33 282*a125c556SJavier Almansa Sobrino M/TA: PCR_Event2: 283*a125c556SJavier Almansa Sobrino M/TA: PCRIndex : 0 284*a125c556SJavier Almansa Sobrino M/TA: EventType : 1 285*a125c556SJavier Almansa Sobrino M/TA: Digests Count : 1 286*a125c556SJavier Almansa Sobrino M/TA: #0 AlgorithmId : SHA256 287*a125c556SJavier Almansa Sobrino M/TA: Digest : 25 10 60 5d d4 bc 9d 82 7a 16 9f 8a cc 47 95 a6 288*a125c556SJavier Almansa Sobrino M/TA: : fd ca a0 c1 2b c9 99 8f 51 20 ff c6 ed 74 68 5a 289*a125c556SJavier Almansa Sobrino M/TA: EventSize : 13 290*a125c556SJavier Almansa Sobrino M/TA: Event : NT_FW_CONFIG 291*a125c556SJavier Almansa Sobrino 292*a125c556SJavier Almansa SobrinoThese logs correspond to the measurements stored by TF-A during the measured 293*a125c556SJavier Almansa Sobrinoboot process and therefore, they should match the logs dumped by the former 294*a125c556SJavier Almansa Sobrinoduring the boot up process. These can be seen on the terminal_0: 295*a125c556SJavier Almansa Sobrino 296*a125c556SJavier Almansa Sobrino.. 
code:: shell 297*a125c556SJavier Almansa Sobrino 298*a125c556SJavier Almansa Sobrino NOTICE: Booting Trusted Firmware 299*a125c556SJavier Almansa Sobrino NOTICE: BL1: v2.5(release):v2.5 300*a125c556SJavier Almansa Sobrino NOTICE: BL1: Built : 10:41:20, Jul 2 2021 301*a125c556SJavier Almansa Sobrino NOTICE: BL1: Booting BL2 302*a125c556SJavier Almansa Sobrino NOTICE: BL2: v2.5(release):v2.5 303*a125c556SJavier Almansa Sobrino NOTICE: BL2: Built : 10:41:20, Jul 2 2021 304*a125c556SJavier Almansa Sobrino NOTICE: TCG_EfiSpecIDEvent: 305*a125c556SJavier Almansa Sobrino NOTICE: PCRIndex : 0 306*a125c556SJavier Almansa Sobrino NOTICE: EventType : 3 307*a125c556SJavier Almansa Sobrino NOTICE: Digest : 00 308*a125c556SJavier Almansa Sobrino NOTICE: : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 309*a125c556SJavier Almansa Sobrino NOTICE: : 00 00 00 310*a125c556SJavier Almansa Sobrino NOTICE: EventSize : 33 311*a125c556SJavier Almansa Sobrino NOTICE: Signature : Spec ID Event03 312*a125c556SJavier Almansa Sobrino NOTICE: PlatformClass : 0 313*a125c556SJavier Almansa Sobrino NOTICE: SpecVersion : 2.0.2 314*a125c556SJavier Almansa Sobrino NOTICE: UintnSize : 1 315*a125c556SJavier Almansa Sobrino NOTICE: NumberOfAlgorithms : 1 316*a125c556SJavier Almansa Sobrino NOTICE: DigestSizes : 317*a125c556SJavier Almansa Sobrino NOTICE: #0 AlgorithmId : SHA256 318*a125c556SJavier Almansa Sobrino NOTICE: DigestSize : 32 319*a125c556SJavier Almansa Sobrino NOTICE: VendorInfoSize : 0 320*a125c556SJavier Almansa Sobrino NOTICE: PCR_Event2: 321*a125c556SJavier Almansa Sobrino NOTICE: PCRIndex : 0 322*a125c556SJavier Almansa Sobrino NOTICE: EventType : 3 323*a125c556SJavier Almansa Sobrino NOTICE: Digests Count : 1 324*a125c556SJavier Almansa Sobrino NOTICE: #0 AlgorithmId : SHA256 325*a125c556SJavier Almansa Sobrino NOTICE: Digest : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 326*a125c556SJavier Almansa Sobrino NOTICE: : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
327*a125c556SJavier Almansa Sobrino NOTICE: EventSize : 17 328*a125c556SJavier Almansa Sobrino NOTICE: Signature : StartupLocality 329*a125c556SJavier Almansa Sobrino NOTICE: StartupLocality : 0 330*a125c556SJavier Almansa Sobrino NOTICE: PCR_Event2: 331*a125c556SJavier Almansa Sobrino NOTICE: PCRIndex : 0 332*a125c556SJavier Almansa Sobrino NOTICE: EventType : 1 333*a125c556SJavier Almansa Sobrino NOTICE: Digests Count : 1 334*a125c556SJavier Almansa Sobrino NOTICE: #0 AlgorithmId : SHA256 335*a125c556SJavier Almansa Sobrino NOTICE: Digest : 58 26 32 6e 64 45 64 da 45 de 35 db 96 fd ed 63 336*a125c556SJavier Almansa Sobrino NOTICE: : 2a 6a d4 0d aa 94 b0 b1 55 e4 72 e7 1f 0a e0 d5 337*a125c556SJavier Almansa Sobrino NOTICE: EventSize : 5 338*a125c556SJavier Almansa Sobrino NOTICE: Event : BL_2 339*a125c556SJavier Almansa Sobrino NOTICE: PCR_Event2: 340*a125c556SJavier Almansa Sobrino NOTICE: PCRIndex : 0 341*a125c556SJavier Almansa Sobrino NOTICE: EventType : 1 342*a125c556SJavier Almansa Sobrino NOTICE: Digests Count : 1 343*a125c556SJavier Almansa Sobrino NOTICE: #0 AlgorithmId : SHA256 344*a125c556SJavier Almansa Sobrino NOTICE: Digest : cf f9 7d a3 5c 73 ac cb 7b a0 25 80 6a 6e 50 a5 345*a125c556SJavier Almansa Sobrino NOTICE: : 6b 2e d2 8c c9 36 92 7d 46 c5 b9 c3 a4 6c 51 7c 346*a125c556SJavier Almansa Sobrino NOTICE: EventSize : 6 347*a125c556SJavier Almansa Sobrino NOTICE: Event : BL_31 348*a125c556SJavier Almansa Sobrino NOTICE: PCR_Event2: 349*a125c556SJavier Almansa Sobrino NOTICE: PCRIndex : 0 350*a125c556SJavier Almansa Sobrino NOTICE: EventType : 1 351*a125c556SJavier Almansa Sobrino NOTICE: Digests Count : 1 352*a125c556SJavier Almansa Sobrino NOTICE: #0 AlgorithmId : SHA256 353*a125c556SJavier Almansa Sobrino NOTICE: Digest : 23 b0 a3 5d 54 d9 43 1a 5c b9 89 63 1c da 06 c2 354*a125c556SJavier Almansa Sobrino NOTICE: : e5 de e7 7e 99 17 52 12 7d f7 45 ca 4f 4a 39 c0 355*a125c556SJavier Almansa Sobrino NOTICE: EventSize : 10 356*a125c556SJavier 
Almansa Sobrino NOTICE: Event : HW_CONFIG 357*a125c556SJavier Almansa Sobrino NOTICE: PCR_Event2: 358*a125c556SJavier Almansa Sobrino NOTICE: PCRIndex : 0 359*a125c556SJavier Almansa Sobrino NOTICE: EventType : 1 360*a125c556SJavier Almansa Sobrino NOTICE: Digests Count : 1 361*a125c556SJavier Almansa Sobrino NOTICE: #0 AlgorithmId : SHA256 362*a125c556SJavier Almansa Sobrino NOTICE: Digest : 4e e4 8e 5a e6 50 ed e0 b5 a3 54 8a 1f d6 0e 8a 363*a125c556SJavier Almansa Sobrino NOTICE: : ea 0e 71 75 0e a4 3f 82 76 ce af cd 7c b0 91 e0 364*a125c556SJavier Almansa Sobrino NOTICE: EventSize : 14 365*a125c556SJavier Almansa Sobrino NOTICE: Event : SOC_FW_CONFIG 366*a125c556SJavier Almansa Sobrino NOTICE: PCR_Event2: 367*a125c556SJavier Almansa Sobrino NOTICE: PCRIndex : 0 368*a125c556SJavier Almansa Sobrino NOTICE: EventType : 1 369*a125c556SJavier Almansa Sobrino NOTICE: Digests Count : 1 370*a125c556SJavier Almansa Sobrino NOTICE: #0 AlgorithmId : SHA256 371*a125c556SJavier Almansa Sobrino NOTICE: Digest : 01 b0 80 47 a1 ce 86 cd df 89 d2 1f 2e fc 6c 22 372*a125c556SJavier Almansa Sobrino NOTICE: : f8 19 ec 6e 1e ec 73 ba 5a be d0 96 e3 5f 6d 75 373*a125c556SJavier Almansa Sobrino NOTICE: EventSize : 6 374*a125c556SJavier Almansa Sobrino NOTICE: Event : BL_32 375*a125c556SJavier Almansa Sobrino NOTICE: PCR_Event2: 376*a125c556SJavier Almansa Sobrino NOTICE: PCRIndex : 0 377*a125c556SJavier Almansa Sobrino NOTICE: EventType : 1 378*a125c556SJavier Almansa Sobrino NOTICE: Digests Count : 1 379*a125c556SJavier Almansa Sobrino NOTICE: #0 AlgorithmId : SHA256 380*a125c556SJavier Almansa Sobrino NOTICE: Digest : 5d c6 ef 35 5a 90 81 b4 37 e6 3b 52 da 92 ab 8e 381*a125c556SJavier Almansa Sobrino NOTICE: : d9 6e 93 98 2d 40 87 96 1b 5a a7 ee f1 f4 40 63 382*a125c556SJavier Almansa Sobrino NOTICE: EventSize : 18 383*a125c556SJavier Almansa Sobrino NOTICE: Event : BL32_EXTRA1_IMAGE 384*a125c556SJavier Almansa Sobrino NOTICE: PCR_Event2: 385*a125c556SJavier Almansa Sobrino NOTICE: 
PCRIndex : 0 386*a125c556SJavier Almansa Sobrino NOTICE: EventType : 1 387*a125c556SJavier Almansa Sobrino NOTICE: Digests Count : 1 388*a125c556SJavier Almansa Sobrino NOTICE: #0 AlgorithmId : SHA256 389*a125c556SJavier Almansa Sobrino NOTICE: Digest : 39 b7 13 b9 93 db 32 2f 1b 48 30 eb 2c f2 5c 25 390*a125c556SJavier Almansa Sobrino NOTICE: : 00 0f 38 dc 8e c8 02 cd 79 f2 48 d2 2c 25 ab e2 391*a125c556SJavier Almansa Sobrino NOTICE: EventSize : 6 392*a125c556SJavier Almansa Sobrino NOTICE: Event : BL_33 393*a125c556SJavier Almansa Sobrino NOTICE: PCR_Event2: 394*a125c556SJavier Almansa Sobrino NOTICE: PCRIndex : 0 395*a125c556SJavier Almansa Sobrino NOTICE: EventType : 1 396*a125c556SJavier Almansa Sobrino NOTICE: Digests Count : 1 397*a125c556SJavier Almansa Sobrino NOTICE: #0 AlgorithmId : SHA256 398*a125c556SJavier Almansa Sobrino NOTICE: Digest : 25 10 60 5d d4 bc 9d 82 7a 16 9f 8a cc 47 95 a6 399*a125c556SJavier Almansa Sobrino NOTICE: : fd ca a0 c1 2b c9 99 8f 51 20 ff c6 ed 74 68 5a 400*a125c556SJavier Almansa Sobrino NOTICE: EventSize : 13 401*a125c556SJavier Almansa Sobrino NOTICE: Event : NT_FW_CONFIG 402*a125c556SJavier Almansa Sobrino NOTICE: BL1: Booting BL31 403*a125c556SJavier Almansa Sobrino NOTICE: BL31: v2.5(release):v2.5 404*a125c556SJavier Almansa Sobrino NOTICE: BL31: Built : 10:41:20, Jul 2 2021 405*a125c556SJavier Almansa Sobrino 406*a125c556SJavier Almansa SobrinoFollowing up with the fTPM startup process, we can see that all the 407*a125c556SJavier Almansa Sobrinomeasurements in the Event Log are extended and recorded in the appropriate PCR: 408*a125c556SJavier Almansa Sobrino 409*a125c556SJavier Almansa Sobrino.. 
code:: shell

    M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
    M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
    M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
    M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
    M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
    M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
    M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
    M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
    M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
    M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
    M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
    M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
    M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
    M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
    M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
    M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
    M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
    M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
    M/TA: 9 Event logs processed

After the fTPM TA is loaded, the call to ``insmod`` issued by the ``ftpm``
alias to load the ftpm kernel module returns, and then the TPM PCRs are read
by means of the ``tpm_pcrread`` command. Note that we are only interested in the
SHA256 bank here, as this is the algorithm we used on TF-A for the measurements
(see the field ``AlgorithmId`` on the logs above):

.. code:: shell

    sha256:
      0 : 0xA6EB3A7417B8CFA9EBA2E7C22AD5A4C03CDB8F3FBDD7667F9C3EF2EA285A8C9F
      1 : 0x0000000000000000000000000000000000000000000000000000000000000000
      2 : 0x0000000000000000000000000000000000000000000000000000000000000000
      3 : 0x0000000000000000000000000000000000000000000000000000000000000000
      4 : 0x0000000000000000000000000000000000000000000000000000000000000000
      5 : 0x0000000000000000000000000000000000000000000000000000000000000000
      6 : 0x0000000000000000000000000000000000000000000000000000000000000000
      7 : 0x0000000000000000000000000000000000000000000000000000000000000000
      8 : 0x0000000000000000000000000000000000000000000000000000000000000000
      9 : 0x0000000000000000000000000000000000000000000000000000000000000000
      10: 0x0000000000000000000000000000000000000000000000000000000000000000
      11: 0x0000000000000000000000000000000000000000000000000000000000000000
      12: 0x0000000000000000000000000000000000000000000000000000000000000000
      13: 0x0000000000000000000000000000000000000000000000000000000000000000
      14: 0x0000000000000000000000000000000000000000000000000000000000000000
      15: 0x0000000000000000000000000000000000000000000000000000000000000000
      16: 0x0000000000000000000000000000000000000000000000000000000000000000
      17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
      18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
      19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
      20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
      21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
      22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
      23: 0x0000000000000000000000000000000000000000000000000000000000000000

In this PoC we are only interested in PCR0, which must be non-null. This is
because the boot process records all the images in this PCR (see field ``PCRIndex``
on the Event Log above). The rest of the PCRs must be 0 at this point.

.. note::
   The fTPM service used has support only for 16 PCRs, therefore the content
   of PCRs above 15 can be ignored.

.. note::
   As stated earlier, Arm does not provide an fTPM implementation and therefore
   we do not validate here if the content of PCR0 is correct or not.
   For this
   PoC, we are only focused on the fact that the event log could be passed to a third
   party fTPM and its records were properly extended.

Fine-tuning the fTPM TA
~~~~~~~~~~~~~~~~~~~~~~~

As stated earlier, the OP-TEE Toolkit includes support to build a third party fTPM
service. The build options for this service are tailored for the PoC and defined in
the build environment variable ``FTPM_FLAGS`` (see ``<toolkit_home>/build/common.mk``)
but they can be modified if needed to better adapt it to a specific scenario.

The most relevant options for Measured Boot support are:

 - **CFG_TA_DEBUG**: Enables debug logs in the Terminal_1 console.
 - **CFG_TEE_TA_LOG_LEVEL**: Defines the log level used for the debug messages.
 - **CFG_TA_MEASURED_BOOT**: Enables support for measured boot on the fTPM.
 - **CFG_TA_EVENT_LOG_SIZE**: Defines the size, in bytes, of the largest event log that
   the fTPM is able to store, as this buffer is allocated at build time. This must be at
   least the same as the size of the event log generated by TF-A. If this build option
   is not defined, the fTPM falls back to a default value of 1024 bytes, which is enough
   for this PoC, so this variable is not defined in ``FTPM_FLAGS``.
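The PCR check described above (PCR0 non-null, the remaining PCRs zero) can be made stronger by replaying the Event Log with TPM2_PCR_Extend semantics (PCR_new = H(PCR_old || digest), starting from an all-zero PCR) and comparing the result with the bank printed by ``tpm_pcrread``. The following Python script is an added example and is not part of the PoC, TF-A or the OP-TEE Toolkit. It parses TCG_PCR_EVENT2 entries (the crypto-agile layout referenced by the `TGC event log`_ specification), assumes the caller has already skipped the leading Spec ID header event, uses a constructed three-entry log in place of the real one, and limits the replayed bank to the 16 PCRs the fTPM supports:

```python
"""Replay a TCG crypto-agile event log and compare it with PCRs read from a TPM.

Added example, not part of the TF-A PoC: the SAMPLE_LOG bytes are constructed.
"""
import hashlib
import struct
from typing import Dict, List, NamedTuple

# AlgorithmId values from the TPM 2.0 algorithm registry.
TPM_ALG_SHA1, TPM_ALG_SHA256, TPM_ALG_SHA384 = 0x0004, 0x000B, 0x000C
HASHES = {TPM_ALG_SHA1: hashlib.sha1, TPM_ALG_SHA256: hashlib.sha256,
          TPM_ALG_SHA384: hashlib.sha384}
EV_POST_CODE = 0x00000001   # EventType commonly used for firmware image measurements


class Event(NamedTuple):
    pcr_index: int
    event_type: int
    digests: Dict[int, bytes]   # AlgorithmId -> digest
    data: bytes                 # event data (here: the image name)


def encode_event2(pcr: int, event_type: int, digests: Dict[int, bytes],
                  data: bytes) -> bytes:
    """Serialise one TCG_PCR_EVENT2 entry (little-endian, as in the spec)."""
    out = struct.pack("<III", pcr, event_type, len(digests))
    for alg_id, digest in digests.items():
        out += struct.pack("<H", alg_id) + digest
    return out + struct.pack("<I", len(data)) + data


def parse_event2_entries(log: bytes) -> List[Event]:
    """Parse consecutive TCG_PCR_EVENT2 entries.

    Assumes the Spec ID header event (first entry, legacy TCG_PCR_EVENT layout)
    has already been skipped; an unknown AlgorithmId aborts rather than guesses."""
    events, off = [], 0
    while off < len(log):
        pcr, etype, count = struct.unpack_from("<III", log, off)
        off += 12
        digests = {}
        for _ in range(count):
            (alg_id,) = struct.unpack_from("<H", log, off)
            off += 2
            if alg_id not in HASHES:
                raise ValueError(f"unknown AlgorithmId 0x{alg_id:04x} at offset {off}")
            size = HASHES[alg_id]().digest_size
            digests[alg_id] = log[off:off + size]
            off += size
        (event_size,) = struct.unpack_from("<I", log, off)
        off += 4
        events.append(Event(pcr, etype, digests, log[off:off + event_size]))
        off += event_size
    return events


def replay_pcrs(events: List[Event], alg_id: int = TPM_ALG_SHA256,
                num_pcrs: int = 16) -> Dict[int, bytes]:
    """Recompute a PCR bank with TPM2_PCR_Extend semantics:
    PCR_new = H(PCR_old || digest), starting from all-zero PCRs."""
    h = HASHES[alg_id]
    pcrs = {i: bytes(h().digest_size) for i in range(num_pcrs)}
    for ev in events:
        if alg_id not in ev.digests:
            raise ValueError(f"entry for PCR {ev.pcr_index} carries no digest for bank 0x{alg_id:04x}")
        if ev.pcr_index not in pcrs:
            raise ValueError(f"entry targets PCR {ev.pcr_index}, bank only has {num_pcrs} PCRs")
        pcrs[ev.pcr_index] = h(pcrs[ev.pcr_index] + ev.digests[alg_id]).digest()
    return pcrs


def find_mismatches(expected: Dict[int, bytes], read: Dict[int, bytes]) -> List[int]:
    """PCR indexes whose replayed value differs from the value read from the TPM."""
    return [i for i in sorted(expected) if expected[i] != read.get(i)]


# Constructed sample log: three images measured into PCR0, as TF-A does in the PoC.
SAMPLE_LOG = b"".join(
    encode_event2(0, EV_POST_CODE,
                  {TPM_ALG_SHA256: hashlib.sha256(name).digest()}, name + b"\0")
    for name in (b"BL2", b"BL31", b"BL32"))


if __name__ == "__main__":
    events = parse_event2_entries(SAMPLE_LOG)
    expected = replay_pcrs(events)
    read_bank = dict(expected)   # stand-in for a bank parsed from tpm_pcrread output
    print("replayed PCR0:", expected[0].hex())
    print("mismatching PCRs:", find_mismatches(expected, read_bank))
```

On a real platform the ``read`` bank is the SHA256 block of ``tpm_pcrread`` converted to bytes; a non-empty mismatch list means the log and the TPM disagree, which is exactly the condition an attestation verifier must treat as a failed measurement. The parser also gives the total log length, which is the lower bound that ``CFG_TA_EVENT_LOG_SIZE`` must satisfy.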

--------------

*Copyright (c) 2021, Arm Limited. All rights reserved.*

.. _OP-TEE Toolkit: https://github.com/OP-TEE/build
.. _ms-tpm-20-ref: https://github.com/microsoft/ms-tpm-20-ref
.. _Get and build the solution: https://optee.readthedocs.io/en/latest/building/gits/build.html#get-and-build-the-solution
.. _Armv8-A Foundation Platform (For Linux Hosts Only): https://developer.arm.com/tools-and-software/simulation-models/fixed-virtual-platforms/arm-ecosystem-models
.. _tpm2-tools: https://github.com/tpm2-software/tpm2-tools
.. _TGC event log: https://trustedcomputinggroup.org/resource/tcg-efi-platform-specification/