
Re: [PATCH 3/3] Core TPM support


From: Javier Martinez Canillas
Subject: Re: [PATCH 3/3] Core TPM support
Date: Fri, 16 Jun 2017 15:51:38 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.1.0

Hello Matthew,

I've tested your patches (plus the verify framework) today on a Lenovo
Thinkpad X1 Carbon with 2 different setups:

a) Infineon TPM1.2 chip

b) Intel PTT firmware-based TPM2.0

It works correctly in both cases; there are measurements made by grub2
on both PCR{8,9} as expected:

(a) $ grep PCR-0[8,9] /sys/devices/pnp0/00:08/pcrs

     PCR-08: 37 71 AD AB A9 10 83 D9 B2 63 B1 27 41 E6 33 F5 42 88 96 94 
     PCR-09: 18 46 A1 D9 31 D0 C4 66 FA 26 78 A2 B2 BA AF 80 E8 0E 8A 5D

(b) $ tpm2_listpcrs -L 0x4:8,9

    Bank/Algorithm: TPM_ALG_SHA1(0x0004)
    PCR_08: 37 71 ad ab a9 10 83 d9 b2 63 b1 27 41 e6 33 f5 42 88 96 94
    PCR_09: 18 46 a1 d9 31 d0 c4 66 fa 26 78 a2 b2 ba af 80 e8 0e 8a 5d

Before your patches, I only saw the measurement made by shim on PCR9:

(a) $ grep PCR-0[8,9] /sys/devices/pnp0/00:08/pcrs

    PCR-08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    PCR-09: C9 EC 5F CF D2 1C 25 F0 EA 9D DF 51 FF 0C BE 20 3A 93 4E 2D

(b) $ tpm2_listpcrs -L 0x4:8,9

    Bank/Algorithm: TPM_ALG_SHA1(0x0004)
    PCR_08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR_09: c9 ec 5f cf d2 1c 25 f0 ea 9d df 51 ff 0c be 20 3a 93 4e 2d

I have a couple of questions though. I'm new to TPM and trusted computing
in general, so please forgive me if I say something wrong/silly :)

On 06/15/2017 02:21 AM, Matthew Garrett wrote:

> +
> +static grub_efi_boolean_t grub_tpm2_present(grub_efi_tpm2_protocol_t *tpm)
> +{
> +  grub_efi_status_t status;
> +  EFI_TCG2_BOOT_SERVICE_CAPABILITY caps;
> +
> +  caps.Size = (grub_uint8_t)sizeof(caps);
> +
> +  status = efi_call_2(tpm->get_capability, tpm, &caps);
> +
> +  if (status != GRUB_EFI_SUCCESS || !caps.TPMPresentFlag)
> +    return 0;
> +
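Review bot: grub_tpm2_present returns 0 both when get_capability fails (status != GRUB_EFI_SUCCESS) and when caps.TPMPresentFlag is clear, so a firmware error is indistinguishable from a genuinely absent TPM and the caller quietly skips measurement; consider reporting the failed call via grub_error (or at least grub_dprintf) before returning so the lost measurement is visible. The buffer is also read without consulting caps.StructureVersion, which the TCG EFI Protocol Specification defines as the discriminator for the capability structure layout; checking Major/Minor against caps.Size before reading TPMPresentFlag would make the intent explicit even though the flag sits at the same offset in both layouts.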

The TCG EFI Protocol Specification (rev 00.13, March 2016) mentions that the
tdEFI_TCG2_BOOT_SERVICE_CAPABILITY StructureVersion Major and Minor should
be checked to determine the EFI_TCG2_BOOT_SERVICE_CAPABILITY struct version.

In fact, shim checks for this and instead uses tdTREE_BOOT_SERVICE_CAPABILITY
if Major == 1 && Minor == 0. The EFI firmware on my Lenovo X1 Carbon reports
these values for the FW TPM2.0, so I was first expecting the code to fail. But
it works, and I now see that the structure layouts are equal, so it doesn't matter.

Do you think that we should be more strict on this? Or instead, could the shim code
be simplified as you did here and avoid distinguishing between the two?

> +
> +static grub_err_t
> +grub_tpm2_log_event(grub_efi_handle_t tpm_handle, unsigned char *buf,
> +                grub_size_t size, grub_uint8_t pcr,
> +                const char *description)
> +{
> +  EFI_TCG2_EVENT *event;
> +  grub_efi_status_t status;
> +  grub_efi_tpm2_protocol_t *tpm;
> +
> +  tpm = grub_efi_open_protocol (tpm_handle, &tpm2_guid,
> +                             GRUB_EFI_OPEN_PROTOCOL_GET_PROTOCOL);
> +
> +  if (!grub_tpm2_present(tpm))
> +    return 0;
> +
> +  event = grub_zalloc(sizeof (EFI_TCG2_EVENT) + grub_strlen(description) + 
> 1);
> +  if (!event)
> +    return grub_error (GRUB_ERR_OUT_OF_MEMORY,
> +                    N_("cannot allocate TPM event buffer"));
> +
> +  event->Header.HeaderSize = sizeof(EFI_TCG2_EVENT_HEADER);
> +  event->Header.HeaderVersion = 1;
> +  event->Header.PCRIndex = pcr;
> +  event->Header.EventType = EV_IPL;
> +  event->Size = sizeof(*event) - sizeof(event->Event) + 
> grub_strlen(description) + 1;
> +  grub_memcpy(event->Event, description, grub_strlen(description) + 1);
> +
> +  status = efi_call_5 (tpm->hash_log_extend_event, tpm, 0, buf,
> +                    (grub_uint64_t) size, event);
> +
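Review bot: the tpm pointer returned by grub_efi_open_protocol is handed straight to grub_tpm2_present, which dereferences tpm->get_capability, so a handle on which the protocol cannot be opened (grub_efi_open_protocol returning NULL) crashes instead of being skipped; add a check such as "if (!tpm) return 0;" before the call. The grub_zalloc size and the event->Size arithmetic are consistent with each other (header plus the NUL-terminated description), but the status from hash_log_extend_event is not examined within the quoted lines; if the remainder of the function does not turn a non-success status into a grub_error, a failed extend would leave PCR 8/9 unchanged while the boot continues as if the object had been measured.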

Have you looked at how to get the TPM2.0 event logs from Linux? The TCG EFI
Protocol Specification mentions that all events generated after an
EFI_TCG2_GET_EVENT_LOG call shall be stored in an EFI_CONFIGURATION_TABLE that
could be retrieved by the OS before a call to ExitBootServices().

I see that shim calls GetEventLogs() to trigger this switch and your patch
doesn't. But Linux still doesn't have support to look up this table anyway, so I
think it's OK.

It's also mentioned in the TCG ACPI (1.2 rev 8, February 2017) and TCG PC
Client PFP (rev 00.49, January 2017) specifications that the TPM2 ACPI table
has optional fields for the Log Area Start Address (LASA) and Log Area Minimum
Length (LAML). So that would be similar to the TPM1.2 TCPA ACPI table. I guess
Linux would need support for both?

Thanks a lot and best regards,
-- 
Javier Martinez Canillas
Software Engineer - Desktop Hardware Enablement
Red Hat
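Added example, not code from the patch, GRUB or shim: a version-aware reading of the GetCapability buffer discussed in the thread. The two structure layouts (tree_caps_t for StructureVersion 1.0, tcg2_caps_t for 1.1) are local definitions modelled on the TCG EFI Protocol Specification, the sample reports are constructed, and the function names (classify_caps, caps_tpm_present, caps_active_banks, sample_tree_caps, sample_tcg2_caps) are this example's own. It shows why the unversioned check happens to work (the present flag sits at the same offset in both layouts), and what a strict check buys: fields that only exist in the 1.1 layout are never read from a 1.0 report, and "cannot interpret" is kept apart from "TPM absent".

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Local, hypothetical definitions modelled on the capability structures in the
 * TCG EFI Protocol Specification (not GRUB's or shim's headers). Natural
 * alignment is kept, as UEFI does, so the present flag sits at the same offset
 * in both layouts, which is why an unversioned read of the flag still works. */
typedef struct { uint8_t Major; uint8_t Minor; } tcg_version_t;

typedef struct {                     /* reported with StructureVersion 1.0 */
  uint8_t       Size;
  tcg_version_t StructureVersion;
  tcg_version_t ProtocolVersion;
  uint32_t      HashAlgorithmBitmap;
  uint32_t      SupportedEventLogs;
  uint8_t       TrEEPresentFlag;
  uint16_t      MaxCommandSize;
  uint16_t      MaxResponseSize;
  uint32_t      ManufacturerID;
} tree_caps_t;

typedef struct {                     /* reported with StructureVersion 1.1 */
  uint8_t       Size;
  tcg_version_t StructureVersion;
  tcg_version_t ProtocolVersion;
  uint32_t      HashAlgorithmBitmap;
  uint32_t      SupportedEventLogs;
  uint8_t       TPMPresentFlag;
  uint16_t      MaxCommandSize;
  uint16_t      MaxResponseSize;
  uint32_t      ManufacturerID;
  uint32_t      NumberOfPcrBanks;
  uint32_t      ActivePcrBanks;
} tcg2_caps_t;

enum caps_layout { CAPS_UNKNOWN = 0, CAPS_TREE_1_0 = 1, CAPS_TCG2_1_1 = 2 };

/* Decide how to read a buffer filled by GetCapability. Only the common prefix
 * (Size and StructureVersion) is read before choosing; the firmware-reported
 * Size and the buffer length must both cover the layout that is chosen. */
enum caps_layout classify_caps(const void *buf, size_t len)
{
  const tcg2_caps_t *c = (const tcg2_caps_t *)buf;
  if (len < offsetof(tcg2_caps_t, ProtocolVersion) || c->StructureVersion.Major != 1)
    return CAPS_UNKNOWN;
  if (c->StructureVersion.Minor == 0)
    return (c->Size >= sizeof(tree_caps_t) && len >= sizeof(tree_caps_t))
           ? CAPS_TREE_1_0 : CAPS_UNKNOWN;
  return (c->Size >= sizeof(tcg2_caps_t) && len >= sizeof(tcg2_caps_t))
         ? CAPS_TCG2_1_1 : CAPS_UNKNOWN;
}

/* 1 = TPM reported present, 0 = absent, -1 = buffer not interpretable.
 * Keeping "cannot tell" apart from "absent" lets a caller log the former
 * instead of silently skipping measurement. */
int caps_tpm_present(const void *buf, size_t len)
{
  switch (classify_caps(buf, len)) {
  case CAPS_TREE_1_0: return ((const tree_caps_t *)buf)->TrEEPresentFlag ? 1 : 0;
  case CAPS_TCG2_1_1: return ((const tcg2_caps_t *)buf)->TPMPresentFlag ? 1 : 0;
  default:            return -1;
  }
}

/* ActivePcrBanks only exists in the 1.1 layout; never read it from a 1.0 report. */
uint32_t caps_active_banks(const void *buf, size_t len)
{
  if (classify_caps(buf, len) != CAPS_TCG2_1_1)
    return 0;
  return ((const tcg2_caps_t *)buf)->ActivePcrBanks;
}

/* Constructed sample reports standing in for what firmware would return. */
tree_caps_t sample_tree_caps(void)
{
  tree_caps_t t;
  memset(&t, 0, sizeof t);
  t.Size = (uint8_t)sizeof t;
  t.StructureVersion.Major = 1;  t.StructureVersion.Minor = 0;
  t.ProtocolVersion.Major = 1;   t.ProtocolVersion.Minor = 0;
  t.HashAlgorithmBitmap = 0x1;   /* constructed: SHA1 only */
  t.TrEEPresentFlag = 1;
  return t;
}

tcg2_caps_t sample_tcg2_caps(void)
{
  tcg2_caps_t c;
  memset(&c, 0, sizeof c);
  c.Size = (uint8_t)sizeof c;
  c.StructureVersion.Major = 1;  c.StructureVersion.Minor = 1;
  c.ProtocolVersion.Major = 1;   c.ProtocolVersion.Minor = 1;
  c.HashAlgorithmBitmap = 0x3;   /* constructed: SHA1 and SHA256 */
  c.TPMPresentFlag = 1;
  c.NumberOfPcrBanks = 2;
  c.ActivePcrBanks = 0x3;
  return c;
}

int main(void)
{
  tree_caps_t t = sample_tree_caps();
  tcg2_caps_t c = sample_tcg2_caps();
  printf("1.0 report: layout=%d present=%d banks=0x%x\n",
         (int)classify_caps(&t, sizeof t), caps_tpm_present(&t, sizeof t),
         caps_active_banks(&t, sizeof t));
  printf("1.1 report: layout=%d present=%d banks=0x%x\n",
         (int)classify_caps(&c, sizeof c), caps_tpm_present(&c, sizeof c),
         caps_active_banks(&c, sizeof c));
  return 0;
}
```

The buffer length is passed separately from the firmware-reported Size so that a report which claims a longer structure than the caller allocated is rejected rather than read past the end.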