[ipxe-devel] <RESEND> [ipxe/ipxe] [efi] Add support for TPM measurement of ipxe scripts on EFI systems (#136)

aaron.young at oracle.com aaron.young at oracle.com
Mon Aug 24 21:14:41 UTC 2020


<RESEND with corrected links below>

This PR adds a new --measure (-m) option to the chain/imgexec/boot 
commands that will perform a TPM measurement of an ipxe script prior to 
loading of the script on EFI systems. The code makes use of the 
EFI_TCG2_PROTOCOL->HashLogExtendEvent() protocol function provided by 
the UEFI firmware which will measure the script and create a TPM log 
entry for the script. NOTE: Only TPM2.0 is supported currently. TPM1.2 
support is TBD.

If the UEFI firmware does not support EFI_TCG2_PROTOCOL, the command is
aborted with an error.

See the TCG PC Client Platform Firmware Profile Specification and TCG 
EFI Protocol Specification for details.

iPXE uses the UEFI LoadImage() service function to load other image types 
which will automatically measure the image as part of the image load. 
Script image types are not loaded via LoadImage() and thus this new 
command option is needed to measure the scripts directly prior to load. 
Scripts need to be measured to comply with the TCG specifications which 
dictate that all binaries and configuration data must be measured for a 
complete measured/trusted boot.

Example usage:

chain -m http://1.2.3.4/script.ipxe

Testing: I tested this code on an x86_64 server using qemu with a swtpm 
emulating TPM2.0. I verified that the proper TPM PCR (5) was updated and 
a TPM Event Log entry was created for the script.

Thanks,

-Aaron Young
aaron.young at oracle.com


------------------------------------------------------------------------


        You can view, comment on, or merge this pull request online at:

https://github.com/ipxe/ipxe/pull/136
<https://github.com/ipxe/ipxe/pull/86>


        Commit Summary

  * [efi] Add support for TPM measurement of ipxe scripts on EFI systems


        File Changes

  *   src/config/defaults/efi.h                    |   5 +
  *   src/config/defaults/linux.h                  |   6 +
  *   src/config/defaults/pcbios.h                 |   5 +
  *   src/core/null_measure.c                      |  33 +++
  *   src/hci/commands/image_cmd.c                 |  19 +-
  *   src/include/ipxe/efi/Protocol/Tcg2Protocol.h | 343 +++++++++++++++++++++++++++
  *   src/include/ipxe/efi/efi_measure.h           |  23 ++
  *   src/include/ipxe/errfile.h                   |   6 +
  *   src/include/ipxe/measure.h                   |  61 +++++
  *   src/include/ipxe/null_measure.h              |  23 ++
  *   src/interface/efi/efi_measure.c              | 170 +++++++++++++
  *   create mode 100644 src/core/null_measure.c
  *   create mode 100644 src/include/ipxe/efi/Protocol/Tcg2Protocol.h
  *   create mode 100644 src/include/ipxe/efi/efi_measure.h
  *   create mode 100644 src/include/ipxe/measure.h
  *   create mode 100644 src/include/ipxe/null_measure.h
  *   create mode 100644 src/interface/efi/efi_measure.c


        Patch Links:

  * https://patch-diff.githubusercontent.com/raw/ipxe/ipxe/pull/136.patch
  * https://patch-diff.githubusercontent.com/raw/ipxe/ipxe/pull/136.diff
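
How a verifier could check the measurement described in the message above, as an added example that is not part of the original post or of the iPXE code: it replays the PCR 5 extends from an event log and confirms that a known-good script's digest is among them. Assumptions: the SHA-256 bank is used, PCR 5 is all zeros after reset, the logged digest is the hash of the raw script bytes, and the event log has already been parsed into (PCR index, digest) pairs; all function names and sample data are constructed for illustration.

```python
import hashlib
import hmac

PCR_INDEX = 5  # the PCR the post reports being updated for the script

def extend(pcr, digest, alg="sha256"):
    """TPM 2.0 extend: new PCR = H(old PCR || event digest)."""
    return hashlib.new(alg, pcr + digest).digest()

def replay(events, pcr_index=PCR_INDEX, alg="sha256"):
    """Replay (pcr, digest) log entries for one PCR, starting from all zeros."""
    pcr = bytes(hashlib.new(alg).digest_size)
    for index, digest in events:
        if index == pcr_index:
            pcr = extend(pcr, digest, alg)
    return pcr

def verify_script(script, events, quoted_pcr, alg="sha256"):
    """Return (log matches the quoted PCR, script digest is in the log)."""
    expected = hashlib.new(alg, script).digest()
    consistent = hmac.compare_digest(replay(events, alg=alg), quoted_pcr)
    measured = any(i == PCR_INDEX and hmac.compare_digest(d, expected)
                   for i, d in events)
    return consistent, measured

def sample_log():
    """Constructed data: a known-good script and a three-entry event log."""
    script = b"#!ipxe\nkernel http://1.2.3.4/vmlinuz\nboot\n"
    sha = lambda data: hashlib.sha256(data).digest()
    events = [
        (5, sha(b"constructed earlier PCR 5 event")),
        (4, sha(b"constructed PCR 4 event, ignored by the replay")),
        (5, sha(script)),  # the entry the --measure option would add
    ]
    return script, events

if __name__ == "__main__":
    script, events = sample_log()
    quoted = replay(events)  # stands in for the PCR 5 value from a TPM quote
    print(verify_script(script, events, quoted))
    print(verify_script(script + b"# changed\n", events, quoted))
```

The second call shows why both checks matter: the log still replays to the quoted PCR, but the modified script's digest is not in it, so the script that was measured is not the one being vetted.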
