Add support for Measured Boot on ARM32-FirmwareTPM (canonical#53)

Signed-off-by: Javier Almansa Sobrino <[email protected]>

Author: javieralso-arm

Samples/ARM32-FirmwareTPM/README.md

@@ -30,7 +30,7 @@ See the [optee_os documentation](https://github.com/OP-TEE/optee_os/blob/master/
 See instructions [here](https://docs.microsoft.com/en-us/windows/wsl/install-win10):
 
 #### 2. Launch Bash
-Search for "bash" in the start menu, OR press Windows key + 'R', then type bash.  
+Search for "bash" in the start menu, OR press Windows key + 'R', then type bash.
 Update if needed.
 
 In WSL:
@@ -99,3 +99,14 @@ Debugging options you may want to add:
 
 `CFG_TA_DEBUG=y` Turns on debug output from the TAs, and enables extra correctness checks in the fTPM TA.
 
+#### 2. Measured Boot support
+The fTPM Trusted Application includes support for Measured Boot. This feature allows the TA to read a TPM Event Log compatible with the specification in Section 5 of the
+[TCG EFI Protocol Specification](https://trustedcomputinggroup.org/wp-content/uploads/EFI-Protocol-Specification-rev13-160330final.pdf). The event log is read and extended during the TA initialization.
+
+Measure Boot support requires OpTEE System Call ```PTA_SYSTEM_GET_TPM_EVENT_LOG```, available since [OpTEE 3.10.0](https://github.com/OP-TEE/optee_os/tree/3.10.0).
+
+Flags related to Measured Boot support:
+
+`CFG_TA_MEASURED_BOOT`: Controls whether Measured Boot is enabled (`CFG_TA_MEASURED_BOOT=y`) or disabled (by default).
+`CFG_TA_EVENT_LOG_SIZE`: Maximum size in bytes allowed for the Event Log. Defaults to 1024 bytes.
+

Samples/ARM32-FirmwareTPM/optee_ta/fTPM/fTPM.c

@@ -6,6 +6,7 @@
  *  under this license.
  *
  *  Copyright (c) Microsoft Corporation
+ *  Copyright (c) Arm Limited.
  *
  *  All rights reserved.
  *
@@ -38,6 +39,9 @@
 #include <tee_internal_api.h>
 #include <tee_internal_api_extensions.h>
 #include <string.h>
+#include <pta_system.h>
+#include <fTPM_helpers.h>
+#include <fTPM_event_log.h>
 
 #include "fTPM.h"
 
@@ -66,25 +70,6 @@ typedef uint32_t TPM_RC;
 #define TPM_RC_SUCCESS      (TPM_RC) (0x000)
 #define TPM_RC_FAILURE      (TPM_RC) (RC_VER1+0x001)
 
-//
-// Helper functions for byte ordering of TPM commands/responses
-//
-static uint16_t SwapBytes16(uint16_t Value)
-{
-    return (uint16_t)((Value << 8) | (Value >> 8));
-}
-
-static uint32_t SwapBytes32(uint32_t Value)
-{
-    uint32_t  LowerBytes;
-    uint32_t  HigherBytes;
-
-    LowerBytes = (uint32_t)SwapBytes16((uint16_t)Value);
-    HigherBytes = (uint32_t)SwapBytes16((uint16_t)(Value >> 16));
-
-    return (LowerBytes << 16 | HigherBytes);
-}
-
 //
 // Helper function to read response codes from TPM responses
 //
@@ -111,9 +96,42 @@ static uint32_t fTPMResponseCode(uint32_t ResponseSize,
     return ResponseCode;
 }
 
-// 
+#ifdef MEASURED_BOOT
+static TEE_Result get_tpm_event_log(unsigned char *buf, size_t *len)
+{
+    const TEE_UUID system_uuid = PTA_SYSTEM_UUID;
+    TEE_TASessionHandle session = TEE_HANDLE_NULL;
+    TEE_Result res = TEE_ERROR_GENERIC;
+    uint32_t ret_origin = 0;
+    const uint32_t param_types = TEE_PARAM_TYPES(TEE_PARAM_TYPE_MEMREF_OUTPUT,
+                                                 TEE_PARAM_TYPE_NONE,
+                                                 TEE_PARAM_TYPE_NONE,
+                                                 TEE_PARAM_TYPE_NONE);
+    TEE_Param params[TEE_NUM_PARAMS] = {0};
+
+    res = TEE_OpenTASession(&system_uuid, TEE_TIMEOUT_INFINITE,
+                            0, NULL, &session, &ret_origin);
+    if (res != TEE_SUCCESS)
+        return res;
+
+    params[0].memref.buffer = (void *)buf;
+    params[0].memref.size = *len;
+
+    res = TEE_InvokeTACommand(session, TEE_TIMEOUT_INFINITE,
+                              PTA_SYSTEM_GET_TPM_EVENT_LOG,
+                              param_types, params, &ret_origin);
+
+    *len = params[0].memref.size;
+
+    TEE_CloseTASession(session);
+
+    return res;
+}
+#endif // MEASURED_BOOT
+
+//
 // Called when TA instance is created. This is the first call to the TA.
-// 
+//
 TEE_Result TA_CreateEntryPoint(void)
 {
     #define STARTUP_SIZE 0x0C
@@ -124,14 +142,18 @@ TEE_Result TA_CreateEntryPoint(void)
                                            0x00, 0x00, 0x01, 0x44, 0x00, 0x01 };
     uint32_t respLen;
     uint8_t *respBuf;
+#ifdef MEASURED_BOOT
+    unsigned char tpm_event_log_buf[EVENT_LOG_SIZE];
+    size_t tpm_event_log_len = EVENT_LOG_SIZE;
+#endif
 
 #ifdef fTPMDebug
     DMSG("Entry Point\n");
 #endif
 
     // If we've been here before, don't init again.
     if (fTPMInitialized) {
-        // We may have had TA_DestroyEntryPoint called but we didn't 
+        // We may have had TA_DestroyEntryPoint called but we didn't
         // actually get torn down. Re-NVEnable, just in case.
         if (_plat__NVEnable(NULL) == 0) {
             TEE_Panic(TEE_ERROR_BAD_STATE);
@@ -209,6 +231,24 @@ TEE_Result TA_CreateEntryPoint(void)
     // Initialization complete
     fTPMInitialized = true;
 
+#ifdef MEASURED_BOOT
+    // Extend existing TPM Event Log.
+    if (get_tpm_event_log(tpm_event_log_buf,
+                          &tpm_event_log_len) == TEE_SUCCESS)
+    {
+
+#ifdef fTPMDebug
+        // Dump the event log
+        unsigned char* buff = tpm_event_log_buf;
+        size_t buff_len = tpm_event_log_len;
+        MSG("Preparing to extend the following TPM Event Log:");
+        dump_event_log(tpm_event_log_buf, tpm_event_log_len);
+#endif
+        process_eventlog(tpm_event_log_buf, tpm_event_log_len);
+
+    }
+#endif
+
     return TEE_SUCCESS;
 }
 
@@ -436,4 +476,4 @@ TEE_Result TA_InvokeCommandEntryPoint(void      *sess_ctx,
             return TEE_ERROR_BAD_PARAMETERS;
         }
     }
-}
+}

Samples/ARM32-FirmwareTPM/optee_ta/fTPM/include/fTPM_event_log.h

@@ -0,0 +1,13 @@
+/*
+ * Copyright (c) 2021, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef _FTPM_EVENT_LOG_
+#define _FTPM_EVENT_LOG_
+
+bool process_eventlog(const unsigned char *const buf, const size_t log_size);
+void dump_event_log(uint8_t *log_addr, size_t log_size);
+
+#endif /* _FTPM_EVENT_LOG_*/