Jarkko Sakkinen | 2ef5a7f | 2019-07-12 18:44:32 +0300

.. SPDX-License-Identifier: GPL-2.0

=============
TPM Event Log
=============

This document briefly describes what the TPM event log is and how it is
handed over from the preboot firmware to the operating system.

Introduction
============

The preboot firmware maintains an event log that gets a new entry every
time the firmware hashes something into any of the PCR registers. The
events are segregated by their type and contain the value of the hashed
PCR register. Typically, the preboot firmware hashes the components to
which execution is to be handed over, or actions relevant to the boot
process.

The main application for this is remote attestation, and the reason why
it is useful is nicely put in the very first section of [1]:

"Attestation is used to provide information about the platform's state
to a challenger. However, PCR contents are difficult to interpret;
therefore, attestation is typically more useful when the PCR contents
are accompanied by a measurement log. While not trusted on their own,
the measurement log contains a richer set of information than do the PCR
contents. The PCR contents are used to provide the validation of the
measurement log."

UEFI event log
==============

The UEFI-provided event log has a few somewhat weird quirks.

Before calling ExitBootServices(), the Linux EFI stub copies the event
log to a custom configuration table defined by the stub itself.
Unfortunately, the events generated by ExitBootServices() don't end up
in that table.

The firmware provides a so-called final events configuration table to
sort out this issue. Events get mirrored to this table after the first
time EFI_TCG2_PROTOCOL.GetEventLog() gets called.

This introduces another problem: nothing guarantees that GetEventLog()
is not called before the Linux EFI stub gets to run, in which case the
final events table already holds events that the stub's copy of the log
also contains. Thus, the stub needs to calculate the size of the final
events table while it is still running and save it to the custom
configuration table, so that the TPM driver can later skip those events
when concatenating the two halves of the event log from the custom
configuration table and the final events table.
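The stub-to-driver handover described above, as an added C model that is not the kernel's code: the firmware mirrors events into the final events table only after GetEventLog(), the stub records the final table's size next to its log copy, and the driver skips that many already-covered events when concatenating. The one-byte event tags, the fixed-size buffers and all function and struct names are assumptions of this model; sizes are event counts rather than bytes.

```c
#include <stdint.h>
#include <string.h>
/* Added model of the handover, not kernel code: an event is a one-byte tag and
 * sizes are event counts (real TCG_PCR_EVENT2 records are variable-length). */
struct log_buf { uint8_t ev[16]; size_t n; };

/* Firmware: main log plus the final events table, which mirrors events only
 * after the first EFI_TCG2_PROTOCOL.GetEventLog() call. */
struct firmware { struct log_buf main_log, final_table; int mirroring; };

static void fw_measure(struct firmware *fw, uint8_t tag)
{
	fw->main_log.ev[fw->main_log.n++] = tag;
	if (fw->mirroring) fw->final_table.ev[fw->final_table.n++] = tag;
}

/* The stub's custom configuration table: log copy plus final table size. */
struct stub_table { struct log_buf log_copy; size_t final_size; };

static void stub_run(struct firmware *fw, struct stub_table *st)
{
	fw->mirroring = 1;	/* the stub's own GetEventLog() call */
	st->log_copy = fw->main_log;
	st->final_size = fw->final_table.n;	/* saved for the driver */
}

/* Driver: concatenate both halves, skipping `skip` final-table events the copy already covers. */
static void driver_merge(const struct stub_table *st, const struct firmware *fw,
			 size_t skip, struct log_buf *out)
{
	memcpy(out->ev, st->log_copy.ev, st->log_copy.n);
	memcpy(out->ev + st->log_copy.n, fw->final_table.ev + skip, fw->final_table.n - skip);
	out->n = st->log_copy.n + fw->final_table.n - skip;
}

/* Boot timeline: event 1; optional GetEventLog() by a pre-stub caller; event 2;
 * the stub; then ExitBootServices() event 3, which reaches only the final
 * table. honor_saved_size = 0 models a driver that ignores the saved size. */
size_t boot_scenario(int early_get_event_log, int honor_saved_size, struct log_buf *out)
{
	struct firmware fw = { 0 };
	struct stub_table st = { 0 };
	fw_measure(&fw, 1);
	fw.mirroring = early_get_event_log;
	fw_measure(&fw, 2);
	stub_run(&fw, &st);
	fw_measure(&fw, 3);
	driver_merge(&st, &fw, honor_saved_size ? st.final_size : 0, out);
	return out->n;
}
```

With an early GetEventLog() call and the saved size ignored, event 2 appears twice in the merged log; honoring the size yields the three distinct events in boot order.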

References
==========

- [1] https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/
- [2] The final concatenation is done in drivers/char/tpm/eventlog/efi.c