Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make trusted boot work in skiboot #192

Merged
merged 3 commits into from
Jun 17, 2022
Merged

Make trusted boot work in skiboot #192

merged 3 commits into from
Jun 17, 2022

Conversation

SergiiDmytruk
Copy link
Member

This adds an option to change TCPA log format (from coreboot-specific to TPM2 format) and updates device tree to enable trusted boot in skiboot.

Initially used log format from TPM1.2, but skiboot parsed only first entry, so changed it. Linux can handle both formats, not sure how it picks the one to use though. In case of issues with Linux, might modify skiboot to use the other format.

With this PR and corresponding changes in skiboot (Dasharo/skiboot#1), it imports log, appends to it and updates PCRs.

krystian-hebel
krystian-hebel requested changes Jun 13, 2022
View reviewed changes
src/commonlib/include/commonlib/tcpa_log_serialized.h Outdated Show resolved Hide resolved
src/lib/coreboot_table.c Outdated Show resolved Hide resolved
src/security/tpm/Makefile.inc Outdated Show resolved Hide resolved
src/soc/ibm/power9/chip.c Show resolved Hide resolved
src/soc/ibm/power9/chip.c Show resolved Hide resolved
@SergiiDmytruk SergiiDmytruk force-pushed the raptor-cs_talos-2/trusted_boot branch 2 times, most recently from 03638b5 to 6fa614b Compare June 15, 2022 17:17
@SergiiDmytruk
security/tpm/: add support for TCPA log according to TPM2
e81269d 
That is the format expected by skiboot and Linux.

Change-Id: Ic2e8b83316938ca8385afae621b7b1599c74e752
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com>
@SergiiDmytruk
security/tpm/tspi/crtm.c: fix endianness
2a8a057 
Change-Id: I26bfd2ef07a71c2f02394fccd90a45f73ad07e2c
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
@SergiiDmytruk
soc/power9/: enable trustedboot in skiboot
265a977 
Change-Id: I576b7066d682057ef58e2c8bbbd61dd69e45ec20
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
@SergiiDmytruk SergiiDmytruk force-pushed the raptor-cs_talos-2/trusted_boot branch from 6fa614b to 265a977 Compare June 15, 2022 20:42
krystian-hebel
krystian-hebel approved these changes Jun 17, 2022
View reviewed changes
Copy link
Contributor

@krystian-hebel krystian-hebel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved. I've got a feeling that upstream will want to make it useful for TPM2.0, where e.g. SHA1 is deprecated in the newest revisions of specification.

@krystian-hebel krystian-hebel merged commit 265a977 into raptor-cs_talos-2/develop Jun 17, 2022
@krystian-hebel krystian-hebel deleted the raptor-cs_talos-2/trusted_boot branch June 17, 2022 13:43
@tlaurion tlaurion mentioned this pull request Jul 22, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@krystian-hebel krystian-hebel krystian-hebel approved these changes

@miczyg1 miczyg1 Awaiting requested review from miczyg1

Assignees
No one assigned
Labels
raptor-cs_talos-2
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@SergiiDmytruk @krystian-hebel