Hello again,
I've done some analysis and here's where I'm at with measured boot with
OVMF in a QEMU guest:
I've verified that most of the relevant modules that need to be added
according to the instructions at
http://tianocore.sourceforge.net/wiki/How_to_Enable_Security#HOW_TO_ENABLE_TCG_TPM
are being placed in the OVMF image by looking at Ovmf.map. They are
also loaded when OVMF boots, which I've verified from the OVMF debug
output. I believe the only one I've added to OvmfX64.dsc/fdf that does
not appear in the map or debug output is TcgSmm, which handles the ACPI
methods for TCG. I think this is a problem: I do see a TCPA table when
I dump the ACPI tables in my guest, and it has an address to the start
of the Event Log, but I still don't have any measurements recorded in
/sys/kernel/security/tpm0/ascii_bios_measurements. And, the PCR values
from /sys/class/tpm/tpm0/device/pcrs don't change whether I have OVMF
Secure Boot enabled or not (I think it's supposed to extend PCR[07]?).
So, my question about whether or not measured boot with event logging
should be possible in OVMF with a QEMU VM still stands. Additonally, I'm
curious if the way I've added components to the OvmfX64.dsc file is
correct. For example, here's how I added the TcgDxe component:
SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
<LibraryClasses>
TpmCommLib|SecurityPkg/Library/TpmCommLib/TpmCommLib.inf
}
I added the LibraryClasses subsection after the build tool complained
about an instance of that class not being found, and did the same for
the other modules that had the same issue. I see other LibraryClasses
in TcgDxe.inf that don't require an instance in the subsection, why is that?
Finally, where in the code should I do steps 1 and 2 (clear memory,
process request) from the instructions linked above?
Any guidance would be appreciated.
Thanks,
David
On 08/19/2015 05:17 PM, David Van Arnem wrote:
Hello,
Should it be possible to perform measured boot in OVMF to measure a
QEMU guest (extend and log PCRs) using a TPM passed-through from the
host?
I have a host machine with a TPM (v1.2), and a QEMU Linux guest
booting using an OVMF image with the modifications suggested in the
following link (modifications were done to OvmfX64.dsc):
http://tianocore.sourceforge.net/wiki/How_to_Enable_Security (section
"How To Enable TCG TPM"). I've enabled QEMU TPM passthrough from the
host to the guest, and I'm able to query the TPM in the guest using
commands like tpm_version, tpm_getpubek, etc. However, there are no
measurements recorded in
/sys/kernel/security/tpm0/ascii_bios_measurements. Additionally,
though I can view the PCR list from /sys/class/tpm/tpm0/device/pcrs,
the list contains the same values that I saw when looking at the same
file on my host before enabling TPM passthrough. So, it appears
measurement is not happening on the guest, and I wanted to check here
to see if that's a limitation of OVMF/TPM passthrough, or if I just
did something incorrectly when modifying the OVMF package.
Thanks,
David
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
