Djam/arm-trusted-firmware
1
0
Fork 0
mirror of https://github.com/ARM-software/arm-trusted-firmware.git synced 2025-04-16 09:34:18 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(drtm): add Event Log driver support for DRTM

Browse source 
Added Event Log driver support for DRTM. This driver
is responsible for the doing the hash measurement of
various DRTM components as per [1], and putting these
measurements in the Event Log buffer.

[1]: https://developer.arm.com/documentation/den0113/a, section 3.16

Change-Id: I9892c313cf6640b82e261738116fe00f7975ee12
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
This commit is contained in:
Manish V Badarkhe 2022-06-17 11:42:17 +01:00
parent 40e1fad69b
commit 40814266d5
5 changed files with 268 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
bl31/bl31.mk
View file

@ -151,6 +151,7 @@ ifeq (${DRTM_SUPPORT},1)
BL31_SOURCES += services/std_svc/drtm/drtm_main.c \
services/std_svc/drtm/drtm_dma_prot.c \
services/std_svc/drtm/drtm_res_address_map.c \
services/std_svc/drtm/drtm_measurements.c \
${MBEDTLS_SOURCES}
endif

8
plat/arm/common/arm_common.mk
View file

@ -406,7 +406,7 @@ endif
# Include Measured Boot makefile before any Crypto library makefile.
# Crypto library makefile may need default definitions of Measured Boot build
# flags present in Measured Boot makefile.
ifeq (${MEASURED_BOOT},1)
ifneq ($(filter 1,${MEASURED_BOOT} ${DRTM_SUPPORT}),)
MEASURED_BOOT_MK := drivers/measured_boot/event_log/event_log.mk
$(info Including ${MEASURED_BOOT_MK})
include ${MEASURED_BOOT_MK}
@ -415,10 +415,16 @@ ifeq (${MEASURED_BOOT},1)
$(eval $(call add_define,TF_MBEDTLS_MBOOT_USE_SHA512))
endif
ifeq (${MEASURED_BOOT},1)
BL1_SOURCES += ${EVENT_LOG_SOURCES}
BL2_SOURCES += ${EVENT_LOG_SOURCES}
endif
ifeq (${DRTM_SUPPORT},1)
BL31_SOURCES += ${EVENT_LOG_SOURCES}
endif
endif
ifneq ($(filter 1,${MEASURED_BOOT} ${TRUSTED_BOARD_BOOT} ${DRTM_SUPPORT}),)
CRYPTO_SOURCES := drivers/auth/crypto_mod.c \
lib/fconf/fconf_tbbr_getter.c

4
services/std_svc/drtm/drtm_main.h
View file

@ -31,6 +31,10 @@
#define DRTM_PAGE_SIZE (4 * (1 << 10))
#define DRTM_PAGE_SIZE_STR "4-KiB"
#define DL_ARGS_GET_PCR_SCHEMA(a) (((a)->features >> 1) & 0x3U)
#define DL_ARGS_GET_DLME_ENTRY_POINT(a) \
(((a)->dlme_paddr + (a)->dlme_img_off + (a)->dlme_img_ep_off))
enum drtm_retc {
SUCCESS = SMC_OK,
NOT_SUPPORTED = SMC_UNK,

214
services/std_svc/drtm/drtm_measurements.c Normal file
View file

@ -0,0 +1,214 @@
/*
* Copyright (c) 2022 Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
* DRTM measurements into TPM PCRs.
*
* Authors:
* Lucian Paul-Trifu <lucian.paultrifu@gmail.com>
*
*/
#include <assert.h>
#include <common/debug.h>
#include <drivers/auth/crypto_mod.h>
#include <drivers/measured_boot/event_log/event_log.h>
#include "drtm_main.h"
#include "drtm_measurements.h"
#include <lib/xlat_tables/xlat_tables_v2.h>
/* Event Log buffer */
static uint8_t drtm_event_log[PLAT_DRTM_EVENT_LOG_MAX_SIZE];
/*
* Calculate and write hash of various payloads as per DRTM specification
* to Event Log.
*
* @param[in] data_base Address of data
* @param[in] data_size Size of data
* @param[in] event_type Type of Event
* @param[in] event_name Name of the Event
* @return:
* 0 = success
* < 0 = error
*/
static int drtm_event_log_measure_and_record(uintptr_t data_base,
uint32_t data_size,
uint32_t event_type,
const char *event_name,
unsigned int pcr)
{
int rc;
unsigned char hash_data[CRYPTO_MD_MAX_SIZE];
event_log_metadata_t metadata = {0};
metadata.name = event_name;
metadata.pcr = pcr;
/*
* Measure the payloads requested by D-CRTM and DCE commponents
* Hash algorithm decided by the Event Log driver at build-time
*/
rc = event_log_measure(data_base, data_size, hash_data);
if (rc != 0) {
return rc;
}
/* Record the mesasurement in the EventLog buffer */
event_log_record(hash_data, event_type, &metadata);
return 0;
}
/*
* Initialise Event Log global variables, used during the recording
* of various payload measurements into the Event Log buffer
*
* @param[in] event_log_start Base address of Event Log buffer
* @param[in] event_log_finish End address of Event Log buffer,
* it is a first byte past end of the
* buffer
*/
static void drtm_event_log_init(uint8_t *event_log_start,
uint8_t *event_log_finish)
{
event_log_buf_init(event_log_start, event_log_finish);
event_log_write_specid_event();
}
enum drtm_retc drtm_take_measurements(const struct_drtm_dl_args *a)
{
int rc;
uintptr_t dlme_img_mapping;
uint64_t dlme_img_ep;
size_t dlme_img_mapping_bytes;
uint8_t drtm_null_data = 0U;
uint8_t pcr_schema = DL_ARGS_GET_PCR_SCHEMA(a);
const char *drtm_event_arm_sep_data = "ARM_DRTM";
/* Initialise the EventLog driver */
drtm_event_log_init(drtm_event_log, drtm_event_log +
sizeof(drtm_event_log));
/**
* Measurements extended into PCR-17.
*
* PCR-17: Measure the DCE image. Extend digest of (char)0 into PCR-17
* since the D-CRTM and the DCE are not separate.
*/
rc = drtm_event_log_measure_and_record((uintptr_t)&drtm_null_data,
sizeof(drtm_null_data),
DRTM_EVENT_ARM_DCE, NULL,
PCR_17);
CHECK_RC(rc, drtm_event_log_measure_and_record(DRTM_EVENT_ARM_DCE));
/* PCR-17: Measure the PCR schema DRTM launch argument. */
rc = drtm_event_log_measure_and_record((uintptr_t)&pcr_schema,
sizeof(pcr_schema),
DRTM_EVENT_ARM_PCR_SCHEMA,
NULL, PCR_17);
CHECK_RC(rc,
drtm_event_log_measure_and_record(DRTM_EVENT_ARM_PCR_SCHEMA));
/* PCR-17: Measure the enable state of external-debug, and trace. */
/*
* TODO: Measure the enable state of external-debug and trace. This should
* be returned through a platform-specific hook.
*/
/* PCR-17: Measure the security lifecycle state. */
/*
* TODO: Measure the security lifecycle state. This is an implementation-
* defined value, retrieved through an implementation-defined mechanisms.
*/
/*
* PCR-17: Optionally measure the NWd DCE.
* It is expected that such subsequent DCE stages are signed and verified.
* Whether they are measured in addition to signing is implementation
* -defined.
* Here the choice is to not measure any NWd DCE, in favour of PCR value
* resilience to any NWd DCE updates.
*/
/* PCR-17: End of DCE measurements. */
rc = drtm_event_log_measure_and_record((uintptr_t)drtm_event_arm_sep_data,
strlen(drtm_event_arm_sep_data),
DRTM_EVENT_ARM_SEPARATOR, NULL,
PCR_17);
CHECK_RC(rc, drtm_event_log_measure_and_record(DRTM_EVENT_ARM_SEPARATOR));
/**
* Measurements extended into PCR-18.
*
* PCR-18: Measure the PCR schema DRTM launch argument.
*/
rc = drtm_event_log_measure_and_record((uintptr_t)&pcr_schema,
sizeof(pcr_schema),
DRTM_EVENT_ARM_PCR_SCHEMA,
NULL, PCR_18);
CHECK_RC(rc,
drtm_event_log_measure_and_record(DRTM_EVENT_ARM_PCR_SCHEMA));
/*
* PCR-18: Measure the public key used to verify DCE image(s) signatures.
* Extend digest of (char)0, since we do not expect the NWd DCE to be
* present.
*/
assert(a->dce_nwd_size == 0);
rc = drtm_event_log_measure_and_record((uintptr_t)&drtm_null_data,
sizeof(drtm_null_data),
DRTM_EVENT_ARM_DCE_PUBKEY,
NULL, PCR_18);
CHECK_RC(rc,
drtm_event_log_measure_and_record(DRTM_EVENT_ARM_DCE_PUBKEY));
/* PCR-18: Measure the DLME image. */
dlme_img_mapping_bytes = page_align(a->dlme_img_size, UP);
rc = mmap_add_dynamic_region_alloc_va(a->dlme_paddr + a->dlme_img_off,
&dlme_img_mapping,
dlme_img_mapping_bytes, MT_RO_DATA | MT_NS);
if (rc) {
WARN("DRTM: %s: mmap_add_dynamic_region() failed rc=%d\n",
__func__, rc);
return INTERNAL_ERROR;
}
rc = drtm_event_log_measure_and_record(dlme_img_mapping, a->dlme_img_size,
DRTM_EVENT_ARM_DLME, NULL,
PCR_18);
CHECK_RC(rc, drtm_event_log_measure_and_record(DRTM_EVENT_ARM_DLME));
rc = mmap_remove_dynamic_region(dlme_img_mapping, dlme_img_mapping_bytes);
CHECK_RC(rc, mmap_remove_dynamic_region);
/* PCR-18: Measure the DLME image entry point. */
dlme_img_ep = DL_ARGS_GET_DLME_ENTRY_POINT(a);
drtm_event_log_measure_and_record((uintptr_t)&dlme_img_ep,
sizeof(dlme_img_ep),
DRTM_EVENT_ARM_DLME_EP, NULL,
PCR_18);
CHECK_RC(rc, drtm_event_log_measure_and_record(DRTM_EVENT_ARM_DLME_EP));
/* PCR-18: End of DCE measurements. */
rc = drtm_event_log_measure_and_record((uintptr_t)drtm_event_arm_sep_data,
strlen(drtm_event_arm_sep_data),
DRTM_EVENT_ARM_SEPARATOR, NULL,
PCR_18);
CHECK_RC(rc,
drtm_event_log_measure_and_record(DRTM_EVENT_ARM_SEPARATOR));
/*
* If the DCE is unable to log a measurement because there is no available
* space in the event log region, the DCE must extend a hash of the value
* 0xFF (1 byte in size) into PCR[17] and PCR[18] and enter remediation.
*/
return SUCCESS;
}
void drtm_serialise_event_log(uint8_t *dst, size_t *event_log_size_out)
{
*event_log_size_out = event_log_get_cur_size(drtm_event_log);
memcpy(dst, drtm_event_log, *event_log_size_out);
}

40
services/std_svc/drtm/drtm_measurements.h Normal file
View file

@ -0,0 +1,40 @@
/*
* Copyright (c) 2022 Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
*/
#ifndef DRTM_MEASUREMENTS_H
#define DRTM_MEASUREMENTS_H
#include <stdint.h>
#include "drtm_main.h"
#include <platform_def.h>
#define DRTM_EVENT_ARM_BASE 0x9000U
#define DRTM_EVENT_TYPE(n) (DRTM_EVENT_ARM_BASE + (unsigned int)(n))
#define DRTM_EVENT_ARM_PCR_SCHEMA DRTM_EVENT_TYPE(1)
#define DRTM_EVENT_ARM_DCE DRTM_EVENT_TYPE(2)
#define DRTM_EVENT_ARM_DCE_PUBKEY DRTM_EVENT_TYPE(3)
#define DRTM_EVENT_ARM_DLME DRTM_EVENT_TYPE(4)
#define DRTM_EVENT_ARM_DLME_EP DRTM_EVENT_TYPE(5)
#define DRTM_EVENT_ARM_DEBUG_CONFIG DRTM_EVENT_TYPE(6)
#define DRTM_EVENT_ARM_NONSECURE_CONFIG DRTM_EVENT_TYPE(7)
#define DRTM_EVENT_ARM_DCE_SECONDARY DRTM_EVENT_TYPE(8)
#define DRTM_EVENT_ARM_TZFW DRTM_EVENT_TYPE(9)
#define DRTM_EVENT_ARM_SEPARATOR DRTM_EVENT_TYPE(10)
#define CHECK_RC(rc, func_call) { \
if (rc != 0) { \
ERROR("%s(): " #func_call "failed unexpectedly rc=%d\n", \
__func__, rc); \
panic(); \
} \
}
enum drtm_retc drtm_take_measurements(const struct_drtm_dl_args *a);
void drtm_serialise_event_log(uint8_t *dst, size_t *event_log_size_out);
#endif /* DRTM_MEASUREMENTS_H */