From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 78E4FC6FA8E for ; Thu, 2 Mar 2023 14:17:35 +0000 (UTC) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 67ED385C70; Thu, 2 Mar 2023 15:17:33 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="LpmF/gkm"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 7742C85C73; Thu, 2 Mar 2023 15:17:31 +0100 (CET) Received: from mail-ed1-x52d.google.com (mail-ed1-x52d.google.com [IPv6:2a00:1450:4864:20::52d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 2D3D185C64 for ; Thu, 2 Mar 2023 15:17:29 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=ilias.apalodimas@linaro.org Received: by mail-ed1-x52d.google.com with SMTP id x3so5213354edb.10 for ; Thu, 02 Mar 2023 06:17:29 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=IFQBWQbfDdPdWq/XQykqodmg1j0+XBG3EpaPBUDj1XA=; b=LpmF/gkmDy/faepf+6NRCjq+iJXLlwQ6pkQUHqnS9e4QZhIwHEq0aAx4Uu9lxYwF+c KIWghJ564rArKlXMQkK+UBehnnjanm2M/35rHJLzvaT+yjV1op5zf8eIHRbYZpwgZRQe oez/NzRv8UlH8e06RBKyFzBbTqcGaeyA3vVvBlHXIW5CWfFndkm1gE00APkbxoqcrClq sIWSQe392J9SMvBZdWlml1uz+XEuUn5jESuiFv7vQJFqXWy9sHUmOcL8xl2JEG1kXRTv v7helAnaaSVO1YweWlnAhUKiPwO8e62d4PTB9xZXk5M1+jYA8XGKGbWQl4VpYSR99IX9 YqvA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=IFQBWQbfDdPdWq/XQykqodmg1j0+XBG3EpaPBUDj1XA=; b=yJN/ZyQlM+6HVdLTX38t9ODIb7EFb5Dat3S8vrVUsE7l0n6JDc19EDG4i2gE7Z75JS osgXhZMpC0UCpJtsfHe1+VO8L/1zOdyK9K518bkd6mdEpfx8A5ovHkTB24zfnWtrR6yD x12UfKUYl6Bo6iq/Akx4xSsQFtmBw/UEdiien4w5C5IF70ZBruTDnaI4OwUAQoA6BgIw gEaG7ANaFCePZrW8tEBLoZZanqT16/tuGBFm3kvXC8rIaXyuqpc1vYaOjFKIh2kWlXrG 7Wfj8noSKkCBOZ6kHO/Q6m+xXy4m/dn35sq9YVtUH1TZE8MdG8H5PiWjxfuCFZieMudW MqIA== X-Gm-Message-State: AO0yUKWBoWlJqhV7qWslf4rfETAMWdW73UbhGwkGcap9mPKHQFghbfeA YKHDkQYtf9kEkgYIGUBy3YWxIA== X-Google-Smtp-Source: AK7set9ghXLInmhTDr5CP8LQacvrhMfTqilWEBLijeRa1/JIN8BYGaR6KY+1apg7LfSTGmIStATS9g== X-Received: by 2002:a17:906:48c1:b0:8e9:9e13:9290 with SMTP id d1-20020a17090648c100b008e99e139290mr10640103ejt.27.1677766648646; Thu, 02 Mar 2023 06:17:28 -0800 (PST) Received: from hera (ppp176092130041.access.hol.gr. [176.92.130.41]) by smtp.gmail.com with ESMTPSA id m3-20020a50d7c3000000b004accf3a63cbsm6918796edj.68.2023.03.02.06.17.27 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 02 Mar 2023 06:17:28 -0800 (PST) Date: Thu, 2 Mar 2023 16:17:26 +0200 From: Ilias Apalodimas To: Eddie James Cc: u-boot@lists.denx.de, sjg@chromium.org, xypron.glpk@gmx.de, joel@jms.id.au Subject: Re: [PATCH v7 3/6] tpm: Support boot measurements Message-ID: References: <20230301225056.1402722-1-eajames@linux.ibm.com> <20230301225056.1402722-4-eajames@linux.ibm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20230301225056.1402722-4-eajames@linux.ibm.com> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.6 at phobos.denx.de X-Virus-Status: Clean Hi Eddie, The good news, is that this generally seems to be working and is really close to what I had in mind on code re-usage. Thanks for the patience! The bad new now is that I think I found one last (famous last words) problem [...] > + } > + > + /* Read PCR0 to check if previous firmware extended the PCRs or not. */ > + rc = tcg2_pcr_read(dev, 0, &digest_list); > + if (rc) > + return rc; > + This is changing how the code used to work and I think the new way of doing it is wrong. First of all the check above doesn't check that PCR0 is indeed 0. It simply checks we can *read* that PCR. > + for (i = 0; i < digest_list.count; ++i) { > + len = tpm2_algorithm_to_len(digest_list.digests[i].hash_alg); > + for (j = 0; j < len; ++j) { > + if (digest_list.digests[i].digest.sha512[j]) > + break; > + } > + > + /* PCR is non-zero; it has been extended, so skip extending. */ I don't think we need this tbh. The previous bootloader would have either extended some of the PCRs along with the EventLog construction or he hasn't. If it did indeed extend the PCRs then PCR0 should be != 0 since it must contain a measurement of EV_S_CRTM_VERSION. So looking at PCR0 should be sufficient to trigger replaying the EventLog or not. If the previous loader managed to mess up somehow, I don't think it should be U-Boot's job to fix the mess :) > + if (j != len) { > + digest_list.count = 0; > + break; > + } > + } > + > + elog->log_position = offsetof(struct tcg_pcr_event, event) + evsz; > + rc = tcg2_log_find_end(elog, dev, &digest_list); > + if (rc) > + return rc; > + > + elog->found = true; > + return 0; > +} > + P.S: I did test this using TF-A and re-using the 'forwarded' EventLog. I can see all the events replayed correctly apart from the last one, so i'll keep looking in case something else is missing Regards /Ilias