From 48ba0345f7b42880ec4442d7e90e3e1af95feadd Mon Sep 17 00:00:00 2001 From: Manish V Badarkhe Date: Tue, 14 Sep 2021 23:12:42 +0100 Subject: [PATCH] feat(measured_boot): image hash measurement and recording in BL1 It looks safer and cleaner approach to record the measurement taken by BL1 straightaway in TCG Event Log instead of deferring these recordings to BL2. Hence pull in the full-fledged measured boot driver into BL1 that replaces the former ad-hoc platform interfaces i.e. bl1_plat_set_bl2_hash, bl2_plat_get_hash. As a result of this change the BL1 of Arm FVP platform now do the measurements and recordings of below images: 1. FW_CONFIG 2. TB_FW_CONFIG 3. BL2 Change-Id: I798c20336308b5e91b547da4f8ed57c24d490731 Signed-off-by: Manish V Badarkhe --- bl1/bl1_main.c | 8 ++++- common/bl_common.c | 5 ++- drivers/measured_boot/event_log/event_log.mk | 1 + .../measured_boot/event_log/event_log.h | 2 ++ include/plat/common/platform.h | 27 +++++++++++--- plat/arm/board/fvp/fvp_bl1_measured_boot.c | 33 +++++++++++++++++ ...easured_boot.c => fvp_bl2_measured_boot.c} | 29 --------------- plat/arm/board/fvp/fvp_common_measured_boot.c | 35 +++++++++++++++++++ plat/arm/board/fvp/platform.mk | 5 ++- 9 files changed, 106 insertions(+), 39 deletions(-) create mode 100644 plat/arm/board/fvp/fvp_bl1_measured_boot.c rename plat/arm/board/fvp/{fvp_measured_boot.c => fvp_bl2_measured_boot.c} (78%) create mode 100644 plat/arm/board/fvp/fvp_common_measured_boot.c diff --git a/bl1/bl1_main.c b/bl1/bl1_main.c index fd602324f..663ec642b 100644 --- a/bl1/bl1_main.c +++ b/bl1/bl1_main.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013-2020, ARM Limited and Contributors. All rights reserved. + * Copyright (c) 2013-2021, ARM Limited and Contributors. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ 
@@ -126,6 +126,9 @@ void bl1_main(void) auth_mod_init(); #endif /* TRUSTED_BOARD_BOOT */ + /* Initialize the measured boot */ + bl1_plat_mboot_init(); + /* Perform platform setup in BL1. */ bl1_platform_setup(); @@ -147,6 +150,9 @@ void bl1_main(void) else NOTICE("BL1-FWU: *******FWU Process Started*******\n"); + /* Teardown the measured boot driver */ + bl1_plat_mboot_finish(); + bl1_prepare_next_image(image_id); console_flush(); diff --git a/common/bl_common.c b/common/bl_common.c index 3c37bcfa2..eb2352a77 100644 --- a/common/bl_common.c +++ b/common/bl_common.c @@ -203,7 +203,6 @@ static int load_auth_image_recursive(unsigned int image_id, } if (is_parent_image == 0) { -#if IMAGE_BL2 /* * Measure the image. * We do not measure its parents because these only play a role @@ -212,11 +211,11 @@ static int load_auth_image_recursive(unsigned int image_id, * TODO: Change this code if we change our minds about measuring * certificates. */ - rc = plat_mboot_measure_image(image_id); + rc = plat_mboot_measure_image(image_id, image_data); if (rc != 0) { return rc; } -#endif + /* * Flush the image to main memory so that it can be executed * later by any CPU, regardless of cache and MMU state. This diff --git a/drivers/measured_boot/event_log/event_log.mk b/drivers/measured_boot/event_log/event_log.mk index e42f9c98b..37e5e291d 100644 --- a/drivers/measured_boot/event_log/event_log.mk +++ b/drivers/measured_boot/event_log/event_log.mk @@ -47,3 +47,4 @@ MEASURED_BOOT_SOURCES := ${MEASURED_BOOT_SRC_DIR}event_log.c \ ${MEASURED_BOOT_SRC_DIR}event_print.c BL2_SOURCES += ${MEASURED_BOOT_SOURCES} +BL1_SOURCES += ${MEASURED_BOOT_SOURCES} diff --git a/include/drivers/measured_boot/event_log/event_log.h b/include/drivers/measured_boot/event_log/event_log.h index 9aa6dc741..0d22d876d 100644 --- a/include/drivers/measured_boot/event_log/event_log.h +++ b/include/drivers/measured_boot/event_log/event_log.h 
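Review bot: The comment `/* Initialize the measured boot */` does not say why the call has to sit before `bl1_platform_setup()`. The description says BL1 now measures FW_CONFIG and TB_FW_CONFIG; if those are loaded during platform setup, as seems likely, the Event Log must exist before that call. A comment such as `/* Initialize measured boot before any image is loaded so that every load is recorded */` would protect the ordering against later reshuffling. The body of bl1_main continues outside this hunk.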
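Review bot: `bl1_plat_mboot_finish()` is placed after the if/else, so it runs on the FWU branch as well as on the normal BL2 boot branch. The patch does not say whether the firmware-update path is meant to finalise and publish an Event Log. If it is intentional, a comment like `/* Teardown is done on both the normal and the FWU path */` would make that explicit; if not, the call should be tied to the normal boot branch. The unbraced `else` immediately above also makes this spot easy to misread. bl1_main starts and ends outside the hunk.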
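Review bot: Dropping the `#if IMAGE_BL2` guard means every image that builds load_auth_image_recursive now calls `plat_mboot_measure_image(image_id, image_data)`. The header supplies an inline stub only when MEASURED_BOOT is off, so a platform that enables it must provide the two-argument definition for BL1 as well as BL2, and this patch adds one for FVP only. The comment above the call could say so, for example `/* Measure the image in whichever BL stage loaded it (BL1 or BL2) */`. A measurement failure returns `rc` and aborts the load, which is the fail-closed behaviour to keep. The function starts and ends outside the hunk.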
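Review bot: `BL1_SOURCES += ${MEASURED_BOOT_SOURCES}` pulls the whole driver list into BL1, including `event_print.c`. The BL1 code added in this patch never dumps the log, since `bl1_plat_mboot_finish()` is empty. BL1 is usually the most size-constrained image, so consider adding only `event_log.c` to BL1, or confirm that the print code is discarded at link time.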
@@ -48,12 +48,14 @@ #define BL32_EXTRA1_IMAGE_STRING "BL32_EXTRA1_IMAGE" #define BL32_EXTRA2_IMAGE_STRING "BL32_EXTRA2_IMAGE" #define BL33_STRING "BL_33" +#define FW_CONFIG_STRING "FW_CONFIG" #define GPT_IMAGE_STRING "GPT" #define HW_CONFIG_STRING "HW_CONFIG" #define NT_FW_CONFIG_STRING "NT_FW_CONFIG" #define SCP_BL2_IMAGE_STRING "SCP_BL2_IMAGE" #define SOC_FW_CONFIG_STRING "SOC_FW_CONFIG" #define STM32_IMAGE_STRING "STM32" +#define TB_FW_CONFIG_STRING "TB_FW_CONFIG" #define TOS_FW_CONFIG_STRING "TOS_FW_CONFIG" typedef struct { diff --git a/include/plat/common/platform.h b/include/plat/common/platform.h index c7c4dcb39..3fa63f555 100644 --- a/include/plat/common/platform.h +++ b/include/plat/common/platform.h @@ -122,6 +122,16 @@ const char *plat_log_get_prefix(unsigned int log_level); void bl2_plat_preload_setup(void); int plat_try_next_boot_source(void); +#if MEASURED_BOOT +int plat_mboot_measure_image(unsigned int image_id, image_info_t *image_data); +#else +static inline int plat_mboot_measure_image(unsigned int image_id __unused, + image_info_t *image_data __unused) +{ + return 0; +} +#endif /* MEASURED_BOOT */ + /******************************************************************************* * Mandatory BL1 functions ******************************************************************************/ @@ -181,6 +191,18 @@ __dead2 void bl1_plat_fwu_done(void *client_cookie, void *reserved); int bl1_plat_handle_pre_image_load(unsigned int image_id); int bl1_plat_handle_post_image_load(unsigned int image_id); +#if MEASURED_BOOT +void bl1_plat_mboot_init(void); +void bl1_plat_mboot_finish(void); +#else +static inline void bl1_plat_mboot_init(void) +{ +} +static inline void bl1_plat_mboot_finish(void) +{ +} +#endif /* MEASURED_BOOT */ + /******************************************************************************* * Mandatory BL2 functions ******************************************************************************/ 
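Review bot: The new prototype in the `@@ -122,6 +122,16 @@` hunk takes `image_info_t *image_data`, although the FVP implementation in this patch only reads `image_base` and `image_size`. Declaring it as `const image_info_t *image_data` in both the prototype and the inline stub would state that the hook must not alter the descriptor of an image that has just been authenticated. The declaration also has no comment on its contract. Something like `/* Measure a loaded image and record it in the Event Log; returns 0 on success, any other value aborts the load */` would help porters, since common/bl_common.c now calls it from every stage.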
@@ -202,7 +224,6 @@ int bl2_plat_handle_post_image_load(unsigned int image_id); #if MEASURED_BOOT void bl2_plat_mboot_init(void); void bl2_plat_mboot_finish(void); -int plat_mboot_measure_image(unsigned int image_id); #else static inline void bl2_plat_mboot_init(void) { @@ -210,10 +231,6 @@ static inline void bl2_plat_mboot_init(void) static inline void bl2_plat_mboot_finish(void) { } -static inline int plat_mboot_measure_image(unsigned int image_id __unused) -{ - return 0; -} #endif /* MEASURED_BOOT */ /******************************************************************************* diff --git a/plat/arm/board/fvp/fvp_bl1_measured_boot.c b/plat/arm/board/fvp/fvp_bl1_measured_boot.c new file mode 100644 index 000000000..15ea05997 --- /dev/null +++ b/plat/arm/board/fvp/fvp_bl1_measured_boot.c @@ -0,0 +1,33 @@ +/* + * Copyright (c) 2021, Arm Limited. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#include + +#include + +/* Event Log data */ +static uint8_t event_log[PLAT_ARM_EVENT_LOG_MAX_SIZE]; + +/* FVP table with platform specific image IDs, names and PCRs */ +const event_log_metadata_t fvp_event_log_metadata[] = { + { FW_CONFIG_ID, FW_CONFIG_STRING, PCR_0 }, + { TB_FW_CONFIG_ID, TB_FW_CONFIG_STRING, PCR_0 }, + { BL2_IMAGE_ID, BL2_STRING, PCR_0 }, + { INVALID_ID, NULL, (unsigned int)(-1) } /* Terminator */ +}; + +void bl1_plat_mboot_init(void) +{ + event_log_init(event_log, PLAT_ARM_EVENT_LOG_MAX_SIZE, 0U); +} + +void bl1_plat_mboot_finish(void) +{ + /* + * ToDo: populate tb_fw_config with Event Log address, its maximum size + * and filled size + */ +} diff --git a/plat/arm/board/fvp/fvp_measured_boot.c b/plat/arm/board/fvp/fvp_bl2_measured_boot.c similarity index 78% rename from plat/arm/board/fvp/fvp_measured_boot.c rename to plat/arm/board/fvp/fvp_bl2_measured_boot.c index 83419b681..f5d829a23 100644 --- a/plat/arm/board/fvp/fvp_measured_boot.c +++ b/plat/arm/board/fvp/fvp_bl2_measured_boot.c 
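Review bot: In the new fvp_bl1_measured_boot.c, `bl1_plat_mboot_finish()` is only a ToDo, so the Event Log that BL1 fills in its static `event_log[]` buffer is never handed to the next stage. Until it is implemented, the FW_CONFIG, TB_FW_CONFIG and BL2 measurements recorded here look unreachable by BL2 or any later verifier. That leaves a gap in the measurement chain if the former hash-passing interfaces are removed as the description says. Separately, `event_log_init(event_log, PLAT_ARM_EVENT_LOG_MAX_SIZE, 0U)` passes three arguments, while the BL2 file's context line in this same patch calls `event_log_init(event_log, event_log + sizeof(event_log))`. Both stages link the same driver, so one of the two calls cannot match the prototype unless it is changed elsewhere.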
@@ -27,11 +27,6 @@ const event_log_metadata_t fvp_event_log_metadata[] = { { INVALID_ID, NULL, (unsigned int)(-1) } /* Terminator */ }; -const event_log_metadata_t *plat_event_log_get_metadata(void) -{ - return fvp_event_log_metadata; -} - void bl2_plat_mboot_init(void) { event_log_init(event_log, event_log + sizeof(event_log)); @@ -88,27 +83,3 @@ void bl2_plat_mboot_finish(void) dump_event_log(event_log, event_log_cur_size); } - -int plat_mboot_measure_image(unsigned int image_id) -{ - const bl_mem_params_node_t *bl_mem_params = - get_bl_mem_params_node(image_id); - - assert(bl_mem_params != NULL); - - image_info_t info = bl_mem_params->image_info; - int err; - - if ((info.h.attr & IMAGE_ATTRIB_SKIP_LOADING) == 0U) { - /* Calculate image hash and record data in Event Log */ - err = event_log_measure_record(info.image_base, - info.image_size, image_id); - if (err != 0) { - ERROR("%s%s image id %u (%i)\n", - "BL2: Failed to ", "record", image_id, err); - return err; - } - } - - return 0; -} diff --git a/plat/arm/board/fvp/fvp_common_measured_boot.c b/plat/arm/board/fvp/fvp_common_measured_boot.c new file mode 100644 index 000000000..6a403d945 --- /dev/null +++ b/plat/arm/board/fvp/fvp_common_measured_boot.c @@ -0,0 +1,35 @@ +/* + * Copyright (c) 2021, Arm Limited. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#include +#include + +#include +#include +#include +#include + +extern event_log_metadata_t fvp_event_log_metadata[]; + +const event_log_metadata_t *plat_event_log_get_metadata(void) +{ + return fvp_event_log_metadata; +} + +int plat_mboot_measure_image(unsigned int image_id, image_info_t *image_data) +{ + /* Calculate image hash and record data in Event Log */ + int err = event_log_measure_and_record(image_data->image_base, + image_data->image_size, + image_id); + if (err != 0) { + ERROR("%s%s image id %u (%i)\n", + "Failed to ", "record", image_id, err); + return err; + } + + return 0; +} 
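Review bot: In the new fvp_common_measured_boot.c, `extern event_log_metadata_t fvp_event_log_metadata[];` drops the `const` that the BL1 and BL2 definitions carry, giving the object incompatible types across translation units and allowing a write to the table without a diagnostic. It should read `extern const event_log_metadata_t fvp_event_log_metadata[];`, preferably from a shared header. plat_mboot_measure_image also loses the `IMAGE_ATTRIB_SKIP_LOADING` check and the pointer assert of the removed BL2 version; `assert(image_data != NULL);` before the dereference would restore the guard, and the skip-loading case should be confirmed as handled by the caller. The call uses `event_log_measure_and_record`, whereas the removed code called `event_log_measure_record`, and no rename is visible in this patch, so confirm that the driver exports that name.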
diff --git a/plat/arm/board/fvp/platform.mk b/plat/arm/board/fvp/platform.mk index b37514626..70b1051a8 100644 --- a/plat/arm/board/fvp/platform.mk +++ b/plat/arm/board/fvp/platform.mk @@ -376,7 +376,10 @@ BL1_SOURCES += plat/arm/board/fvp/fvp_trusted_boot.c BL2_SOURCES += plat/arm/board/fvp/fvp_trusted_boot.c ifeq (${MEASURED_BOOT},1) -BL2_SOURCES += plat/arm/board/fvp/fvp_measured_boot.c +BL1_SOURCES += plat/arm/board/fvp/fvp_common_measured_boot.c \ + plat/arm/board/fvp/fvp_bl1_measured_boot.c +BL2_SOURCES += plat/arm/board/fvp/fvp_common_measured_boot.c \ + plat/arm/board/fvp/fvp_bl2_measured_boot.c endif # FVP being a development platform, enable capability to disable Authentication