From mboxrd@z Thu Jan 1 00:00:00 1970 Received: by 2002:a17:505:a0c:b0:1be9:327d:8ee3 with SMTP id cg12csp2924043njb; Mon, 9 Dec 2024 14:34:18 -0800 (PST) X-Forwarded-Encrypted: i=2; AJvYcCW3IcP1JMYACUEQwR6tzKFq3nJm3nS9RH/82+8XJaOba4IZf+o65wT+tWiIHLBSzTJY0UoC/JtIHCI/gw==@linaro.org X-Google-Smtp-Source: AGHT+IGQLbE3PT1otSnSWv+hon6zY4WusK7xpQrdASBLILoTae/S+13+Xv/OXoKMK57YFyhJT1sD X-Received: by 2002:a05:6e02:240d:b0:3a7:d02b:f653 with SMTP id e9e14a558f8ab-3a9dd2efeadmr13327295ab.0.1733783658338; Mon, 09 Dec 2024 14:34:18 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1733783658; cv=none; d=google.com; s=arc-20240605; b=eBqyirLjq6nmwk37qmUjCfkm3lXgPGtk5+kluf3LNHuxcdQsIRTVvncelP8MlKv2JB U13Wa0W774LrEqVcY+ryNl9mydu6tnoXheNLiNad6IgnSv77cVPdmqG0xERZB4bbm9Ww EtGnq8ct+ApM6PkAHlTD/ZrUZTkd5peUzlGMiVg9+C95SC67n5mZJrJqPVc6dNWzdr4W z1JhmlubF2UPK7VbMNThD8C+1WMcCMU2J1EuNwePA52AxYz1cYHsh4oJiLKw9VLPpTNl NT9fokZpAUVj8kmtZIIFG5GcRjDjUfPSkOHSxXZDI9SIlaraxQ89kXWqpLxDai0TfrND RE7w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :dkim-signature; bh=E4Uk3D9gLZEWufOyfC2YxFHDBaeaLwn5jcvl7eMYNlE=; fh=Dx1sjjFp9BB26a1D0a1CdYq+PQ7jSGG6ce+e13SfTYM=; b=TJgBF8EXD+e02lzLdREDxNyFoNZ7YIEXty14Btq62aJzoTKrA6mzaGuRuH54ZPM4Ep A1WJ/OkrDIY9WTuuaYYmaO/xZIgZRKiHfOjgB0cc5dd+yia0gwhSUZ3z2lWT1VsQlZVw thtlLSyC8nFkxgvRxaicam512W+BhfSenZFxOmtVglyLMctKsUU9GJ/+CCNRXK9pm5Nn mkUJBOfhHcsTWaLFsfTP9wFjDHPy2bI2gchbUgRJcEJj0CZMLw9w1cNRBN9CC5M4p9Jt /xXJXaWmHF+fHH1OXi8Dbs3PjVDOhuciul/792Ue6pzdmF3J1AOJho1I4x27LETASu4B kqEg==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ibm.com header.s=pp1 header.b=XENRxfEz; spf=pass (google.com: domain of stefanb@linux.ibm.com designates 148.163.156.1 as permitted sender) smtp.mailfrom=stefanb@linux.ibm.com; dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com. [148.163.156.1]) by mx.google.com with ESMTPS id e9e14a558f8ab-3a9ca183fd3si27940865ab.28.2024.12.09.14.34.18 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 09 Dec 2024 14:34:18 -0800 (PST) Received-SPF: pass (google.com: domain of stefanb@linux.ibm.com designates 148.163.156.1 as permitted sender) client-ip=148.163.156.1; Authentication-Results: mx.google.com; dkim=pass header.i=@ibm.com header.s=pp1 header.b=XENRxfEz; spf=pass (google.com: domain of stefanb@linux.ibm.com designates 148.163.156.1 as permitted sender) smtp.mailfrom=stefanb@linux.ibm.com; dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=ibm.com Received: from pps.filterd (m0353729.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 4B9JvaCf002320; Mon, 9 Dec 2024 22:34:17 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc :content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to; s=pp1; bh=E4Uk3D 9gLZEWufOyfC2YxFHDBaeaLwn5jcvl7eMYNlE=; b=XENRxfEzyhT6bRpDBzThZF nwbv2SBN7rH39+Ecc2bRol5M6WAsc+HtFSAfnOMqhZ409unB8jDQgw5UDxpjI5Cs xnJFMdrL7ExGHwki6VU0IjMHazamdbbzv3X4Mkoq/u+et1qm/v7wjnDMsCPAde1N X90wcfmbPq/4QVue9oLuMTKBoyK/95rxdm11n+FymYroAzcM7P3asE/UjlnsEshz sNL0/EBveYSR7Ly7Dc6DoClIXjgemp2r3ZIFxbG3KGmFgHghuQb4Q57Cnzi6AE5p ONFrF5DitmrIHDZttHyHsQkgjfqXXn8kc3zToLaL9LZBq3VvpLW/JoUh8V7boXNQ == Received: from ppma12.dal12v.mail.ibm.com (dc.9e.1632.ip4.static.sl-reverse.com [50.22.158.220]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 43ce1vkvew-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 09 Dec 2024 22:34:17 +0000 (GMT) Received: from pps.filterd (ppma12.dal12v.mail.ibm.com [127.0.0.1]) by ppma12.dal12v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id 4B9Lda8v032727; Mon, 9 Dec 2024 22:34:16 GMT Received: from smtprelay01.wdc07v.mail.ibm.com ([172.16.1.68]) by ppma12.dal12v.mail.ibm.com (PPS) with ESMTPS id 43d0ps8wn1-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 09 Dec 2024 22:34:16 +0000 Received: from smtpav02.wdc07v.mail.ibm.com (smtpav02.wdc07v.mail.ibm.com [10.39.53.229]) by smtprelay01.wdc07v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 4B9MYF8c34472372 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 9 Dec 2024 22:34:15 GMT Received: from smtpav02.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 4A48E5805D; Mon, 9 Dec 2024 22:34:15 +0000 (GMT) Received: from smtpav02.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 7C04258058; Mon, 9 Dec 2024 22:34:14 +0000 (GMT) Received: from [9.47.158.152] (unknown [9.47.158.152]) by smtpav02.wdc07v.mail.ibm.com (Postfix) with ESMTP; Mon, 9 Dec 2024 22:34:14 +0000 (GMT) Message-ID: <1da8840e-a7be-48c5-bc06-e7a4e111b9e7@linux.ibm.com> Date: Mon, 9 Dec 2024 17:34:13 -0500 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [RFC PATCH v3 23/26] hw/tpm: Add TPM event log To: Jean-Philippe Brucker , peter.maydell@linaro.org Cc: richard.henderson@linaro.org, philmd@linaro.org, qemu-arm@nongnu.org, qemu-devel@nongnu.org, alex.bennee@linaro.org, Stefan Berger References: <20241125195626.856992-2-jean-philippe@linaro.org> <20241125195626.856992-25-jean-philippe@linaro.org> Content-Language: en-US From: Stefan Berger In-Reply-To: <20241125195626.856992-25-jean-philippe@linaro.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 X-Proofpoint-GUID: M6ujat-5dXQttN6p07xhY9N7b4V4QIjb X-Proofpoint-ORIG-GUID: M6ujat-5dXQttN6p07xhY9N7b4V4QIjb X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1051,Hydra:6.0.680,FMLib:17.12.62.30 definitions=2024-10-15_01,2024-10-11_01,2024-09-30_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 priorityscore=1501 clxscore=1015 phishscore=0 bulkscore=0 mlxlogscore=999 impostorscore=0 spamscore=0 malwarescore=0 suspectscore=0 adultscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2411120000 definitions=main-2412090175 X-TUID: YSLTwe3oKLvm On 11/25/24 2:56 PM, Jean-Philippe Brucker wrote: > Provide a library allowing the VMM to create an event log that describes > what is loaded into memory. During remote attestation in confidential > computing this helps an independent verifier reconstruct the initial > measurements of a VM, which contain the initial state of memory and > CPUs. > > We provide some definitions and structures described by the Trusted > Computing Group (TCG) in "TCG PC Client Platform Firmware Profile > Specification" Level 00 Version 1.06 Revision 52 [1]. This is the same > format used by UEFI, and UEFI could reuse this log after finding it in as used by > DT or ACPI tables, but can also copy its content into a new one. I thought it was going to be a completely independent log. If UEFI would do anything with it, I think it would have to replay the measurements into its own log and extend them into all PCRs of all active PCR banks of the TPM, but if I understand correctly then you do not use the TPM for this log at all since you have a signature over it and defined (somewhere -- where?) that only sha256 and sha512 are to be used for this log. > > [1] https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/ > > Cc: Stefan Berger > Signed-off-by: Jean-Philippe Brucker > --- > v2->v3: New > --- > qapi/tpm.json | 14 ++ > include/hw/tpm/tpm_log.h | 89 +++++++++++ > hw/tpm/tpm_log.c | 325 +++++++++++++++++++++++++++++++++++++++ > hw/tpm/Kconfig | 4 + > hw/tpm/meson.build | 1 + > 5 files changed, 433 insertions(+) > create mode 100644 include/hw/tpm/tpm_log.h > create mode 100644 hw/tpm/tpm_log.c > > diff --git a/qapi/tpm.json b/qapi/tpm.json > index a16a72edb9..697e7150ee 100644 > --- a/qapi/tpm.json > +++ b/qapi/tpm.json > @@ -188,3 +188,17 @@ > ## > { 'command': 'query-tpm', 'returns': ['TPMInfo'], > 'if': 'CONFIG_TPM' } > + > +## > +# @TpmLogDigestAlgo: > +# > +# @sha256: Use the SHA256 algorithm > +# > +# @sha512: Use the SHA512 algorithm > +# > +# Algorithm to use for event log digests > +# > +# Since: 9.3 > +## > +{ 'enum': 'TpmLogDigestAlgo', > + 'data': ['sha256', 'sha512'] } > diff --git a/include/hw/tpm/tpm_log.h b/include/hw/tpm/tpm_log.h > new file mode 100644 > index 0000000000..b3cd2e7563 > --- /dev/null > +++ b/include/hw/tpm/tpm_log.h > @@ -0,0 +1,89 @@ > +#ifndef QEMU_TPM_LOG_H > +#define QEMU_TPM_LOG_H > + > +#include "qom/object.h" > +#include "sysemu/tpm.h" > + > +/* > + * Defined in: TCG Algorithm Registry > + * Family 2.0 Level 00 Revision 01.34 > + * > + * (Here TCG stands for Trusted Computing Group) > + */ > +#define TCG_ALG_SHA256 0xB > +#define TCG_ALG_SHA512 0xD > + > +/* Size of a digest in bytes */ > +#define TCG_ALG_SHA256_DIGEST_SIZE 32 > +#define TCG_ALG_SHA512_DIGEST_SIZE 64 > + > +/* > + * Defined in: TCG PC Client Platform Firmware Profile Specification > + * Version 1.06 revision 52 > + */ > +#define TCG_EV_NO_ACTION 0x00000003 > +#define TCG_EV_EVENT_TAG 0x00000006 > +#define TCG_EV_POST_CODE2 0x00000013 > +#define TCG_EV_EFI_PLATFORM_FIRMWARE_BLOB2 0x8000000A > + > +struct UefiPlatformFirmwareBlob2Head { > + uint8_t blob_description_size; > + uint8_t blob_description[]; > +} __attribute__((packed)); > + > +struct UefiPlatformFirmwareBlob2Tail { > + uint64_t blob_base; > + uint64_t blob_size; > +} __attribute__((packed)); > + > +#define TYPE_TPM_LOG "tpm-log" > + > +OBJECT_DECLARE_SIMPLE_TYPE(TpmLog, TPM_LOG) > + > +/** > + * tpm_log_create - Create the event log > + * @log: the log object > + * @max_size: maximum size of the log. Adding an event past that size will > + * return an error > + * @errp: pointer to a NULL-initialized error object > + * > + * Allocate the event log and create the initial entry (Spec ID Event03) > + * describing the log format. > + * > + * Returns: 0 on success, -1 on error > + */ > +int tpm_log_create(TpmLog *log, size_t max_size, Error **errp); > + > +/** > + * tpm_log_add_event - Append an event to the log > + * @log: the log object > + * @event_type: the `eventType` field in TCG_PCR_EVENT2 > + * @event: the `event` field in TCG_PCR_EVENT2 > + * @event_size: the `eventSize` field in TCG_PCR_EVENT2 > + * @data: content to be hashed into the event digest. May be NULL. > + * @data_size: size of @data. Should be zero when @data is NULL. > + * @errp: pointer to a NULL-initialized error object > + * > + * Add a TCG_PCR_EVENT2 event to the event log. Depending on the event type, a > + * data buffer may be hashed into the event digest (for example > + * TCG_EV_EFI_PLATFORM_FIRMWARE_BLOB2 contains a digest of the blob.) > + * > + * Returns: 0 on success, -1 on error > + */ > +int tpm_log_add_event(TpmLog *log, uint32_t event_type, const uint8_t *event, > + size_t event_size, const uint8_t *data, size_t data_size, > + Error **errp); > + > +/** > + * tpm_log_write_and_close - Move the log to guest memory > + * @log: the log object > + * @errp: pointer to a NULL-initialized error object > + * > + * Write the log into memory, at the address set in the load-addr property. > + * After this operation, the log is not writable anymore. > + * > + * Return: 0 on success, -1 on error > + */ > +int tpm_log_write_and_close(TpmLog *log, Error **errp); > + > +#endif > diff --git a/hw/tpm/tpm_log.c b/hw/tpm/tpm_log.c > new file mode 100644 > index 0000000000..e6183a6e70 > --- /dev/null > +++ b/hw/tpm/tpm_log.c > @@ -0,0 +1,325 @@ > +/* > + * tpm_log.c - Event log as described by the Trusted Computing Group (TCG) > + * > + * Copyright (c) 2024 Linaro Ltd. > + * > + * This work is licensed under the terms of the GNU GPL, version 2 or later. > + * See the COPYING file in the top-level directory. > + * > + * Create an event log in the format specified by: > + * > + * TCG PC Client Platform Firmware Profile Specification > + * Level 00 Version 1.06 Revision 52 > + * Family “2.0” > + */ > + > +#include "qemu/osdep.h" > + > +#include "crypto/hash.h" > +#include "exec/address-spaces.h" > +#include "exec/memory.h" > +#include "hw/tpm/tpm_log.h" > +#include "qapi/error.h" > +#include "qemu/bswap.h" > +#include "qom/object_interfaces.h" > + > +/* > + * Legacy structure used only in the first event in the log, for compatibility > + */ > +struct TcgPcClientPcrEvent { > + uint32_t pcr_index; > + uint32_t event_type; > + uint8_t digest[20]; > + uint32_t event_data_size; > + uint8_t event[]; > +} __attribute__((packed)); > + > +struct TcgEfiSpecIdEvent { > + uint8_t signature[16]; > + uint32_t platform_class; > + uint8_t family_version_minor; > + uint8_t family_version_major; > + uint8_t spec_revision; > + uint8_t uintn_size; > + uint32_t number_of_algorithms; /* 1 */ > + /* > + * For now we declare a single algo, but if we want UEFI to reuse this You mean UEFI would reuse this struct here? I think UEFI will not use it nor will it look at the binary log... > + * header then we'd need to add entries here for all algos supported by > + * UEFI (and expand the digest field for EV_NO_ACTION). > + */ > + uint16_t algorithm_id; > + uint16_t digest_size; > + uint8_t vendor_info_size; > + uint8_t vendor_info[]; > +} __attribute__((packed)); Apart from QEMU_PACKED I have not much else to say here.