Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Spec updates #25

Merged
merged 12 commits into from
Apr 24, 2024
Merged
Changes from 7 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
174 changes: 143 additions & 31 deletions specifications/secure-launch-specification.rst
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ Secure Launch Specification

.. class:: center

**Version:** 0.5.0
**Version:** 0.6.0-draft
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

drop draft

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ack, but will do after all of #23 are addressed (one way or another)


.. class:: center

Expand Down Expand Up @@ -138,7 +138,7 @@ Sequence
+---------------------------------->| | |
| | | |
| | | |
| Initalize Table | |
| Initialize Table | |
+------------------------------------------------->| |
| | |
| Invoke | | | |
Expand Down Expand Up @@ -173,7 +173,7 @@ Secure Launch Interfaces
========================

There are two interfaces to be defined here, the DLE Handler Specifications and
the SLRT Specification.
the SLRT Specification.

DLE Handler Specification
-------------------------
Expand All @@ -185,7 +185,7 @@ Platform Requirements

| **1** - x86 Platforms
| **1.1** - The DLE Handler **MAY** be invoked with the CPU in either 32bit
| protected mode or 64bit long mode
| protected mode or 64bit long mode
| **1.2** - The SLRT **SHALL** be passed to the DLE Handler in the EDI/RDI CPU
| register
| **1.3** - All other registers besides EDI/RDI are not guarenteed
Expand Down Expand Up @@ -217,7 +217,7 @@ Platform Requirements
| **1** - General Requirements
| **1.1** - The SLRT **MUST** begin with the magic value `0x4452544d`.
| **1.2** - A properly formatted SLRT **SHALL** consist of a table header,
| zero or more table entries, and an end entry.
| zero or more table entries, and an end entry.
| **1.3** - The SLRT **SHOULD** be in contiguous physical memory.
| **1.3.1** - A preallocated, fixed size table is **OPTIONAL** through the use
| of the `max_size` field.
Expand Down Expand Up @@ -333,16 +333,16 @@ The list of valid entry tags.
.. code-block:: c
:linenos: 1

#define SLR_ENTRY_INVALID 0x0000
#define SLR_ENTRY_DL_INFO 0x0001
#define SLR_ENTRY_LOG_INFO 0x0002
#define SLR_ENTRY_DRTM_POLICY 0x0003
#define SLR_ENTRY_INTEL_INFO 0x0004
#define SLR_ENTRY_AMD_INFO 0x0005
#define SLR_ENTRY_ARM_INFO 0x0006
#define SLR_ENTRY_UEFI_INFO 0x0007
#define SLR_ENTRY_UEFI_CONFIG 0x0008
#define SLR_ENTRY_END 0xffff
#define SLR_ENTRY_INVALID 0x0000
#define SLR_ENTRY_DL_INFO 0x0001
#define SLR_ENTRY_LOG_INFO 0x0002
#define SLR_ENTRY_DRTM_POLICY 0x0003
#define SLR_ENTRY_INTEL_INFO 0x0004
#define SLR_ENTRY_AMD_INFO 0x0005
#define SLR_ENTRY_ARM_INFO 0x0006
#define SLR_ENTRY_UEFI_INFO 0x0007
#define SLR_ENTRY_UEFI_CONFIG 0x0008
#define SLR_ENTRY_END 0xffff

Dynamic Launch Configuration
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Expand Down Expand Up @@ -430,14 +430,14 @@ D-RTM Measurement Policy

The measurement policy is for conveying to the SL Entry on what it should
measure, where that entity is located, which PCR the measurement should be
stored, and how the event should be identified in the TPM event log.
stored, and how the event should be identified in the TPM event log.

.. warning::
The SL Entry **SHALL** fail if it determines an invalid policy is present.

:tag: SLR_ENTRY_ENTRY_POLICY
:revision: A revision field to identify the version of policy being used.
:nr_entries: The total number of policy entries available.
:nr_entries: The total number of policy entries in the array.

.. code-block:: c
:linenos: 1
Expand All @@ -448,7 +448,7 @@ stored, and how the event should be identified in the TPM event log.
u16 nr_entries;
/* policy_entries[] */
};


DRTM Policy Entry
"""""""""""""""""
Expand Down Expand Up @@ -478,6 +478,10 @@ environment, that attribute will be published as an entity type. A generic
char evt_info[TPM_EVENT_INFO_LENGTH];
};

In the current version (one) of the specification, `TPM_EVENT_INFO_LENGTH` is
defined as 32 bytes. All unused bytes **MUST** be set to `\0`, but the string
**MAY** not be terminated with `\0` if it fills the whole `evt_info`.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This block should be moved to above the fields definitions and made into a .. note:: block

D-RTM Policy Entry Entity Types
'''''''''''''''''''''''''''''''

Expand All @@ -486,15 +490,25 @@ The list of valid entity types for D-RTM Policy entries.
.. code-block:: c
:linenos: 1

#define SLR_ET_UNSPECIFIED 0x0000
#define SLR_ET_SLRT 0x0001
#define SLR_ET_BOOT_PARAMS 0x0002
#define SLR_ET_SETUP_DATA 0x0003
#define SLR_ET_CMDLINE 0x0004
#define SLR_ET_UEFI_MEMMAP 0x0005
#define SLR_ET_RAMDISK 0x0006
#define SLR_ET_TXT_OS2MLE 0x0010
#define SLR_ET_UNUSED 0xffff
#define SLR_ET_UNSPECIFIED 0x0000
#define SLR_ET_SLRT 0x0001
#define SLR_ET_LINUX_BOOT_PARAMS 0x0002
#define SLR_ET_LINUX_SETUP_DATA 0x0003
#define SLR_ET_CMDLINE 0x0004
#define SLR_ET_UEFI_MEMMAP 0x0005
#define SLR_ET_RAMDISK 0x0006
#define SLR_ET_MULTIBOOT2_INFO 0x0007
#define SLR_ET_MULTIBOOT2_MODULE 0x0008
SergiiDmytruk marked this conversation as resolved.
Show resolved Hide resolved
// values 0x0009-0x000f reserved for future use
// TXT-specific:
#define SLR_ET_TXT_OS2MLE 0x0010
SergiiDmytruk marked this conversation as resolved.
Show resolved Hide resolved
#define SLR_ET_UNUSED 0xffff

`SLR_ET_UNUSED` can be used if an entry in the DRTM Policy is to be ignored.
Note that **RECOMMENDED** solution is to just not include the entry in question,
this entity type is left as a final resort if entry has to be removed after SLRT
was created in memory and defragmenting it after removing an entry isn't
feasible.
Copy link
Contributor

@dpsmith dpsmith Jan 20, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I need to go back and review SLR_ET_UNUSED, as I don't think I necessarily agree with this sentiment.


D-RTM Policy Entry Flags
''''''''''''''''''''''''
Expand All @@ -504,8 +518,21 @@ The list of valid flags for D-RTM Policy entries.
.. code-block:: c
:linenos: 1

#define SLR_POLICY_FLAG_MEASURED 0x1
#define SLR_POLICY_IMPLICIT_SIZE 0x2
#define SLR_POLICY_FLAG_MEASURED 0x1
SergiiDmytruk marked this conversation as resolved.
Show resolved Hide resolved
#define SLR_POLICY_IMPLICIT_SIZE 0x2

`SLR_POLICY_FLAG_MEASURED` **MAY** be used by DCE and/or DLME to mark which
entries were measured, in case not all of them are measured at the same time.
For example, limited in size DCE can use TPM commands for hashing instead of
calculating the hashes to save space. DLME usually doesn't have strict size
constraints, so it may include functions that are much faster than sending the
data to be hashed by TPM. In such cases, `SLR_POLICY_FLAG_MEASURED` is set by
DCE for entries it measures, and DLME skips those. Note that all entries still
**MUST** be measured in order.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is specifically to handle the situation caused by the Linux TPM maintainers demanding that the mainline code be used if we wanted to do measurements from the compress kernel. This was not possible since the mainline driver makes use of functionality not available and thus creates a situation where we need to measure structures before they are used but don't have a means to access the TPM at the time.

So the general case is to handle situations where a measurement is needed but TPM access is not available yet. BUT the delay of sending the measurement cannot cross measured entity boundaries. So one component cannot measure another and then put the event in the log to be sent to the TPM by that next component.

This should also be made a note block and place above the definitions.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suspected that to be the reason, included it as well. My original description was made mostly with SKL in mind.

Only some of the entry types can have `SLR_POLICY_IMPLICIT_SIZE` flag set. Such
entries have their `size` specified as zero, and they **SHALL** be measured as
described in Appendix A.
Copy link
Contributor

@dpsmith dpsmith Jan 20, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wouldn't say "Only some", this is for the measurement of entities with well know sizes and variable sized entities that have size attribute.

Make a note block and place above the definition list


Intel TXT Platforms
~~~~~~~~~~~~~~~~~~~
Expand Down Expand Up @@ -562,6 +589,9 @@ Saved MTRR State
struct txt_mtrr_pair mtrr_pair[TXT_VARIABLE_MTRRS_LENGTH];
};

In the current version (one) of the specification, `TXT_VARIABLE_MTRRS_LENGTH`
is defined as 32 entries. All fields in unused entries **MUST** be set to 0.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note block and move code block

AMD Secure Launch Platforms
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Expand Down Expand Up @@ -633,7 +663,7 @@ measured.
u16 nr_entries;
/* slr_uefi_cfg_entries[] */
};

UEFI Config Entry
""""""""""""""""

Expand All @@ -658,6 +688,10 @@ be measured.
char evt_info[TPM_EVENT_INFO_LENGTH];
} __packed;

In the current version (one) of the specification, `TPM_EVENT_INFO_LENGTH` is
defined as 32 bytes. All unused bytes **MUST** be set to `\0`, but the string
**MAY** not be terminated with `\0` if it fills the whole `evt_info`.

dpsmith marked this conversation as resolved.
Show resolved Hide resolved
Appendix A: Measuring the DRTM Policy
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rename to "Recommendations for Measuring"

=====================================

Expand Down Expand Up @@ -686,7 +720,7 @@ H(), the extend operation, is defined as:
| }

Measuring the Policy
---------------------
--------------------

Measuring the policy is not as simple as hashing the block of memory containing
the policy. This will not work as the policy may contain memory addresses that
Expand All @@ -713,6 +747,84 @@ Using this logic, the resulting operation to measure the policy would be as:
The result, `M_policy`, will be a hash of the policy that can then be extended
into one, or more if using as a cap value, PCR(s).

Note that current SLRT specification version doesn't require measuring the
policy, neither does it have appropriate policy entry type for that measurement.

dpsmith marked this conversation as resolved.
Show resolved Hide resolved
Measuring the SLRT
------------------

In revision one of the SLRT, the only table that needs to be measured is the
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If there is a need to measure the SLRT, the recommendation is that the vendor info table, i.e. one of SLR_ENTRY_INTEL_INFO, SLR_ENTRY_AMD_INFO or SLR_ENTRY_ARM_INFO, is the only one that should be measured. The remainder of the SLRT is meta-data, ......

vendor info table, i.e. one of `SLR_ENTRY_INTEL_INFO`, `SLR_ENTRY_AMD_INFO` or
`SLR_ENTRY_ARM_INFO`. Everything else is meta-data, addresses and sizes. Note
the size of what to measure is not set. The flag `SLR_POLICY_IMPLICIT_SIZE`
leaves it to the measuring code to choose and use proper structure's size.
The structure is measured as a whole, together with its header.

Measuring the Linux setup_data
------------------------------

Single linked list of `struct setup_data` is a way to pass extensible boot
parameters and other data from bootloader to Linux kernel.

:next: Pointer to next `setup_data` structure, or NULL if this is the last one
:type: Type of entry
:len: Length of following data
:data: Parameters passed from bootloader

.. code-block:: c
:linenos: 1

struct setup_data {
u64 next;
u32 type;
u32 len;
u8 data[0];
};

The above structure is limited by maximum size that can be specified, as well as
by the fact that data must be immediately following the header. To handle these
situations, a `setup_indirect` structure was added in later Linux boot protocol:

:type: Type of entry, logically ORed with `SETUP_INDIRECT`
:len: Length of data
:addr: Pointer to data

.. code-block:: c
:linenos: 1

struct setup_indirect {
u32 type;
u32 reserved; /* Reserved, must be set to zero. */
u64 len;
u64 addr;
};

If indirect entries are used, the `setup_indirect` is put as `setup_data->data`,
and `setup_data->type` is set to `SETUP_INDIRECT`.

Pointer to the first `setup_data` is saved in DRTM Policy Entry. As these
structures consist of physical addresses and other metadata that may change
between boots, only the actual data is measured. For direct entries this is
`data`, and for indirect -- memory pointed by `addr`. All `setup_data`s are
measured in order, each as a separate entry in the TPM event log.

Measuring OS to MLE data
------------------------

Version 1 of the OS-MLE heap structure has no fields to measure. It just has
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/Version 1 of the/The SLRT defined/

addresses and sizes and a scratch buffer. As such, this entry is skipped as of
now, but this may change in the future versions.

Measuring Multiboot2 boot information
-------------------------------------

Multiboot2 information data structure contains set of Tag-Length-Value (TLV)
entries, however, for the sake of measurement it can be treated as a consecutive
range of memory. Only the total length of this structure is important, it can be
read from first field of that structure, i.e. `u32 total_size`. This is how the
kernel obtains the size, so measuring code should also use it, hence this entity
has `SLR_POLICY_IMPLICIT_SIZE` flag set.

Appendix B: Intel TXT OS2MLE
============================

Expand Down