-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Spec updates #25
Spec updates #25
Changes from 7 commits
5a28823
ed37664
8984607
3f885bc
c24e21e
517480f
49b4358
393a51c
b8f4c69
2f89c75
33cfb26
57727c9
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -7,7 +7,7 @@ Secure Launch Specification | |
|
||
.. class:: center | ||
|
||
**Version:** 0.5.0 | ||
**Version:** 0.6.0-draft | ||
|
||
.. class:: center | ||
|
||
|
@@ -138,7 +138,7 @@ Sequence | |
+---------------------------------->| | | | ||
| | | | | ||
| | | | | ||
| Initalize Table | | | ||
| Initialize Table | | | ||
+------------------------------------------------->| | | ||
| | | | ||
| Invoke | | | | | ||
|
@@ -173,7 +173,7 @@ Secure Launch Interfaces | |
======================== | ||
|
||
There are two interfaces to be defined here, the DLE Handler Specifications and | ||
the SLRT Specification. | ||
the SLRT Specification. | ||
|
||
DLE Handler Specification | ||
------------------------- | ||
|
@@ -185,7 +185,7 @@ Platform Requirements | |
|
||
| **1** - x86 Platforms | ||
| **1.1** - The DLE Handler **MAY** be invoked with the CPU in either 32bit | ||
| protected mode or 64bit long mode | ||
| protected mode or 64bit long mode | ||
| **1.2** - The SLRT **SHALL** be passed to the DLE Handler in the EDI/RDI CPU | ||
| register | ||
| **1.3** - All other registers besides EDI/RDI are not guarenteed | ||
|
@@ -217,7 +217,7 @@ Platform Requirements | |
| **1** - General Requirements | ||
| **1.1** - The SLRT **MUST** begin with the magic value `0x4452544d`. | ||
| **1.2** - A properly formatted SLRT **SHALL** consist of a table header, | ||
| zero or more table entries, and an end entry. | ||
| zero or more table entries, and an end entry. | ||
| **1.3** - The SLRT **SHOULD** be in contiguous physical memory. | ||
| **1.3.1** - A preallocated, fixed size table is **OPTIONAL** through the use | ||
| of the `max_size` field. | ||
|
@@ -333,16 +333,16 @@ The list of valid entry tags. | |
.. code-block:: c | ||
:linenos: 1 | ||
|
||
#define SLR_ENTRY_INVALID 0x0000 | ||
#define SLR_ENTRY_DL_INFO 0x0001 | ||
#define SLR_ENTRY_LOG_INFO 0x0002 | ||
#define SLR_ENTRY_DRTM_POLICY 0x0003 | ||
#define SLR_ENTRY_INTEL_INFO 0x0004 | ||
#define SLR_ENTRY_AMD_INFO 0x0005 | ||
#define SLR_ENTRY_ARM_INFO 0x0006 | ||
#define SLR_ENTRY_UEFI_INFO 0x0007 | ||
#define SLR_ENTRY_UEFI_CONFIG 0x0008 | ||
#define SLR_ENTRY_END 0xffff | ||
#define SLR_ENTRY_INVALID 0x0000 | ||
#define SLR_ENTRY_DL_INFO 0x0001 | ||
#define SLR_ENTRY_LOG_INFO 0x0002 | ||
#define SLR_ENTRY_DRTM_POLICY 0x0003 | ||
#define SLR_ENTRY_INTEL_INFO 0x0004 | ||
#define SLR_ENTRY_AMD_INFO 0x0005 | ||
#define SLR_ENTRY_ARM_INFO 0x0006 | ||
#define SLR_ENTRY_UEFI_INFO 0x0007 | ||
#define SLR_ENTRY_UEFI_CONFIG 0x0008 | ||
#define SLR_ENTRY_END 0xffff | ||
|
||
Dynamic Launch Configuration | ||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||
|
@@ -430,14 +430,14 @@ D-RTM Measurement Policy | |
|
||
The measurement policy is for conveying to the SL Entry on what it should | ||
measure, where that entity is located, which PCR the measurement should be | ||
stored, and how the event should be identified in the TPM event log. | ||
stored, and how the event should be identified in the TPM event log. | ||
|
||
.. warning:: | ||
The SL Entry **SHALL** fail if it determines an invalid policy is present. | ||
|
||
:tag: SLR_ENTRY_ENTRY_POLICY | ||
:revision: A revision field to identify the version of policy being used. | ||
:nr_entries: The total number of policy entries available. | ||
:nr_entries: The total number of policy entries in the array. | ||
|
||
.. code-block:: c | ||
:linenos: 1 | ||
|
@@ -448,7 +448,7 @@ stored, and how the event should be identified in the TPM event log. | |
u16 nr_entries; | ||
/* policy_entries[] */ | ||
}; | ||
|
||
|
||
DRTM Policy Entry | ||
""""""""""""""""" | ||
|
@@ -478,6 +478,10 @@ environment, that attribute will be published as an entity type. A generic | |
char evt_info[TPM_EVENT_INFO_LENGTH]; | ||
}; | ||
|
||
In the current version (one) of the specification, `TPM_EVENT_INFO_LENGTH` is | ||
defined as 32 bytes. All unused bytes **MUST** be set to `\0`, but the string | ||
**MAY** not be terminated with `\0` if it fills the whole `evt_info`. | ||
|
||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This block should be moved to above the fields definitions and made into a |
||
D-RTM Policy Entry Entity Types | ||
''''''''''''''''''''''''''''''' | ||
|
||
|
@@ -486,15 +490,25 @@ The list of valid entity types for D-RTM Policy entries. | |
.. code-block:: c | ||
:linenos: 1 | ||
|
||
#define SLR_ET_UNSPECIFIED 0x0000 | ||
#define SLR_ET_SLRT 0x0001 | ||
#define SLR_ET_BOOT_PARAMS 0x0002 | ||
#define SLR_ET_SETUP_DATA 0x0003 | ||
#define SLR_ET_CMDLINE 0x0004 | ||
#define SLR_ET_UEFI_MEMMAP 0x0005 | ||
#define SLR_ET_RAMDISK 0x0006 | ||
#define SLR_ET_TXT_OS2MLE 0x0010 | ||
#define SLR_ET_UNUSED 0xffff | ||
#define SLR_ET_UNSPECIFIED 0x0000 | ||
#define SLR_ET_SLRT 0x0001 | ||
#define SLR_ET_LINUX_BOOT_PARAMS 0x0002 | ||
#define SLR_ET_LINUX_SETUP_DATA 0x0003 | ||
#define SLR_ET_CMDLINE 0x0004 | ||
#define SLR_ET_UEFI_MEMMAP 0x0005 | ||
#define SLR_ET_RAMDISK 0x0006 | ||
#define SLR_ET_MULTIBOOT2_INFO 0x0007 | ||
#define SLR_ET_MULTIBOOT2_MODULE 0x0008 | ||
SergiiDmytruk marked this conversation as resolved.
Show resolved
Hide resolved
|
||
// values 0x0009-0x000f reserved for future use | ||
// TXT-specific: | ||
#define SLR_ET_TXT_OS2MLE 0x0010 | ||
SergiiDmytruk marked this conversation as resolved.
Show resolved
Hide resolved
|
||
#define SLR_ET_UNUSED 0xffff | ||
|
||
`SLR_ET_UNUSED` can be used if an entry in the DRTM Policy is to be ignored. | ||
Note that **RECOMMENDED** solution is to just not include the entry in question, | ||
this entity type is left as a final resort if entry has to be removed after SLRT | ||
was created in memory and defragmenting it after removing an entry isn't | ||
feasible. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I need to go back and review SLR_ET_UNUSED, as I don't think I necessarily agree with this sentiment. |
||
|
||
D-RTM Policy Entry Flags | ||
'''''''''''''''''''''''' | ||
|
@@ -504,8 +518,21 @@ The list of valid flags for D-RTM Policy entries. | |
.. code-block:: c | ||
:linenos: 1 | ||
|
||
#define SLR_POLICY_FLAG_MEASURED 0x1 | ||
#define SLR_POLICY_IMPLICIT_SIZE 0x2 | ||
#define SLR_POLICY_FLAG_MEASURED 0x1 | ||
SergiiDmytruk marked this conversation as resolved.
Show resolved
Hide resolved
|
||
#define SLR_POLICY_IMPLICIT_SIZE 0x2 | ||
|
||
`SLR_POLICY_FLAG_MEASURED` **MAY** be used by DCE and/or DLME to mark which | ||
entries were measured, in case not all of them are measured at the same time. | ||
For example, limited in size DCE can use TPM commands for hashing instead of | ||
calculating the hashes to save space. DLME usually doesn't have strict size | ||
constraints, so it may include functions that are much faster than sending the | ||
data to be hashed by TPM. In such cases, `SLR_POLICY_FLAG_MEASURED` is set by | ||
DCE for entries it measures, and DLME skips those. Note that all entries still | ||
**MUST** be measured in order. | ||
|
||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This is specifically to handle the situation caused by the Linux TPM maintainers demanding that the mainline code be used if we wanted to do measurements from the compress kernel. This was not possible since the mainline driver makes use of functionality not available and thus creates a situation where we need to measure structures before they are used but don't have a means to access the TPM at the time. So the general case is to handle situations where a measurement is needed but TPM access is not available yet. BUT the delay of sending the measurement cannot cross measured entity boundaries. So one component cannot measure another and then put the event in the log to be sent to the TPM by that next component. This should also be made a note block and place above the definitions. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I suspected that to be the reason, included it as well. My original description was made mostly with SKL in mind. |
||
Only some of the entry types can have `SLR_POLICY_IMPLICIT_SIZE` flag set. Such | ||
entries have their `size` specified as zero, and they **SHALL** be measured as | ||
described in Appendix A. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I wouldn't say "Only some", this is for the measurement of entities with well know sizes and variable sized entities that have size attribute. Make a note block and place above the definition list |
||
|
||
Intel TXT Platforms | ||
~~~~~~~~~~~~~~~~~~~ | ||
|
@@ -562,6 +589,9 @@ Saved MTRR State | |
struct txt_mtrr_pair mtrr_pair[TXT_VARIABLE_MTRRS_LENGTH]; | ||
}; | ||
|
||
In the current version (one) of the specification, `TXT_VARIABLE_MTRRS_LENGTH` | ||
is defined as 32 entries. All fields in unused entries **MUST** be set to 0. | ||
|
||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Note block and move code block |
||
AMD Secure Launch Platforms | ||
~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
||
|
@@ -633,7 +663,7 @@ measured. | |
u16 nr_entries; | ||
/* slr_uefi_cfg_entries[] */ | ||
}; | ||
|
||
UEFI Config Entry | ||
"""""""""""""""" | ||
|
||
|
@@ -658,6 +688,10 @@ be measured. | |
char evt_info[TPM_EVENT_INFO_LENGTH]; | ||
} __packed; | ||
|
||
In the current version (one) of the specification, `TPM_EVENT_INFO_LENGTH` is | ||
defined as 32 bytes. All unused bytes **MUST** be set to `\0`, but the string | ||
**MAY** not be terminated with `\0` if it fills the whole `evt_info`. | ||
|
||
dpsmith marked this conversation as resolved.
Show resolved
Hide resolved
|
||
Appendix A: Measuring the DRTM Policy | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Rename to "Recommendations for Measuring" |
||
===================================== | ||
|
||
|
@@ -686,7 +720,7 @@ H(), the extend operation, is defined as: | |
| } | ||
|
||
Measuring the Policy | ||
--------------------- | ||
-------------------- | ||
|
||
Measuring the policy is not as simple as hashing the block of memory containing | ||
the policy. This will not work as the policy may contain memory addresses that | ||
|
@@ -713,6 +747,84 @@ Using this logic, the resulting operation to measure the policy would be as: | |
The result, `M_policy`, will be a hash of the policy that can then be extended | ||
into one, or more if using as a cap value, PCR(s). | ||
|
||
Note that current SLRT specification version doesn't require measuring the | ||
policy, neither does it have appropriate policy entry type for that measurement. | ||
|
||
dpsmith marked this conversation as resolved.
Show resolved
Hide resolved
|
||
Measuring the SLRT | ||
------------------ | ||
|
||
In revision one of the SLRT, the only table that needs to be measured is the | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. If there is a need to measure the SLRT, the recommendation is that the vendor info table, i.e. one of |
||
vendor info table, i.e. one of `SLR_ENTRY_INTEL_INFO`, `SLR_ENTRY_AMD_INFO` or | ||
`SLR_ENTRY_ARM_INFO`. Everything else is meta-data, addresses and sizes. Note | ||
the size of what to measure is not set. The flag `SLR_POLICY_IMPLICIT_SIZE` | ||
leaves it to the measuring code to choose and use proper structure's size. | ||
The structure is measured as a whole, together with its header. | ||
|
||
Measuring the Linux setup_data | ||
------------------------------ | ||
|
||
Single linked list of `struct setup_data` is a way to pass extensible boot | ||
parameters and other data from bootloader to Linux kernel. | ||
|
||
:next: Pointer to next `setup_data` structure, or NULL if this is the last one | ||
:type: Type of entry | ||
:len: Length of following data | ||
:data: Parameters passed from bootloader | ||
|
||
.. code-block:: c | ||
:linenos: 1 | ||
|
||
struct setup_data { | ||
u64 next; | ||
u32 type; | ||
u32 len; | ||
u8 data[0]; | ||
}; | ||
|
||
The above structure is limited by maximum size that can be specified, as well as | ||
by the fact that data must be immediately following the header. To handle these | ||
situations, a `setup_indirect` structure was added in later Linux boot protocol: | ||
|
||
:type: Type of entry, logically ORed with `SETUP_INDIRECT` | ||
:len: Length of data | ||
:addr: Pointer to data | ||
|
||
.. code-block:: c | ||
:linenos: 1 | ||
|
||
struct setup_indirect { | ||
u32 type; | ||
u32 reserved; /* Reserved, must be set to zero. */ | ||
u64 len; | ||
u64 addr; | ||
}; | ||
|
||
If indirect entries are used, the `setup_indirect` is put as `setup_data->data`, | ||
and `setup_data->type` is set to `SETUP_INDIRECT`. | ||
|
||
Pointer to the first `setup_data` is saved in DRTM Policy Entry. As these | ||
structures consist of physical addresses and other metadata that may change | ||
between boots, only the actual data is measured. For direct entries this is | ||
`data`, and for indirect -- memory pointed by `addr`. All `setup_data`s are | ||
measured in order, each as a separate entry in the TPM event log. | ||
|
||
Measuring OS to MLE data | ||
------------------------ | ||
|
||
Version 1 of the OS-MLE heap structure has no fields to measure. It just has | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. s/Version 1 of the/The SLRT defined/ |
||
addresses and sizes and a scratch buffer. As such, this entry is skipped as of | ||
now, but this may change in the future versions. | ||
|
||
Measuring Multiboot2 boot information | ||
------------------------------------- | ||
|
||
Multiboot2 information data structure contains set of Tag-Length-Value (TLV) | ||
entries, however, for the sake of measurement it can be treated as a consecutive | ||
range of memory. Only the total length of this structure is important, it can be | ||
read from first field of that structure, i.e. `u32 total_size`. This is how the | ||
kernel obtains the size, so measuring code should also use it, hence this entity | ||
has `SLR_POLICY_IMPLICIT_SIZE` flag set. | ||
|
||
Appendix B: Intel TXT OS2MLE | ||
============================ | ||
|
||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
drop draft
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ack, but will do after all of #23 are addressed (one way or another)