Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

QemuQ35Pkg: Integrate TPM Replay feature #678

Merged
merged 1 commit into from
Aug 29, 2023
Merged

QemuQ35Pkg: Integrate TPM Replay feature #678

merged 1 commit into from
Aug 29, 2023

Conversation

makubacki
Copy link
Member

Closes #677

Description

This feature enables experimentation with controlling the TPM
measurements made by firmware. It allows a developer to craft
a TPM event log and have the replayed during boot. It is disabled
by default.

General feature information is available in its readme:

https://github.com/microsoft/mu_plus/blob/HEAD/TpmTestingPkg/TpmReplayPei/Readme.md

It is currently only planned to be used QemuQ35Pkg. It could be
enabled in QemuSbsaPkg in the future if there is interest.

Details about the feature in the context of QEMU, are described in
Platforms/Docs/Q35/Features/feature_tpm_replay.md in this change.

  • Impacts functionality?
    • Functionality - Does the change ultimately impact how firmware functions?
    • Examples: Add a new library, publish a new PPI, update an algorithm, ...
  • Impacts security?
    • Security - Does the change have a direct security impact on an application,
      flow, or firmware?
    • Examples: Crypto algorithm change, buffer overflow fix, parameter
      validation improvement, ...
  • Breaking change?
    • Breaking change - Will anyone consuming this change experience a break
      in build or boot behavior?
    • Examples: Add a new library class, move a module to a different repo, call
      a function in a new library class in a pre-existing module, ...
  • Includes tests?
    • Tests - Does the change include any explicit test code?
    • Examples: Unit tests, integration tests, robot tests, ...
  • Includes documentation?
    • Documentation - Does the change contain explicit documentation additions
      outside direct code modifications (and comments)?
    • Examples: Update readme file, add feature readme file, link to documentation
      on an a separate Web page, ...

How This Was Tested

  • Input YAML to binary
  • Input JSON to binary
  • Input binary to YAML
  • Replay events on QEMU Q35 to PCRs
  • Verify event log in OS against the input file

Integration Instructions

See feature_tpm_replay.md.

Enable the feature in QemuQ35Pkg in the DSC file:

  DEFINE TPM_REPLAY_ENABLED = TRUE

Or, as a stuart_build argument:

> stuart_build -c Platforms/QemuQ35Pkg/PlatformBuild.py --flashrom TOOL_CHAIN_TAG=GCC5 BLD_*_TPM_ENABLE=TRUE \
               BLD_*_TPM_ENABLE=TRUE TPM_DEV=/tmp/mytpm1/swtpm-sock

Then, follow instructions to create the TPM Replay
event log and load it.

@makubacki makubacki added type:enhancement New feature or pull request type:feature-request A new feature proposal labels Aug 25, 2023
@makubacki makubacki self-assigned this Aug 25, 2023
@github-actions github-actions bot added the type:documentation Improvements or additions to documentation label Aug 25, 2023
@makubacki makubacki mentioned this pull request Aug 25, 2023
Closed
@makubacki makubacki force-pushed the integrate_tpm_replay_feature branch 2 times, most recently from 4667180 to 22a75a8 Compare August 25, 2023 03:42
os-d
os-d approved these changes Aug 28, 2023
View reviewed changes
Platforms/Docs/Q35/Features/feature_tpm_replay.md Outdated Show resolved Hide resolved
Platforms/QemuQ35Pkg/QemuQ35Pkg.dsc Show resolved Hide resolved
@makubacki
QemuQ35Pkg: Integrate TPM Replay feature
f7dd15f 
This feature enables experimentation with controlling the TPM
measurements made by firmware. It allows a developer to craft
a TPM event log and have the replayed during boot. It is disabled
by default.

General feature information is available in its readme:

https://github.com/microsoft/mu_plus/blob/HEAD/TpmTestingPkg/TpmReplayPei/Readme.md

It is currently only planned to be used QemuQ35Pkg. It could be
enabled in QemuSbsaPkg in the future if there is interest.

Details about the feature in the context of QEMU, are described in
`Platforms/Docs/Q35/Features/feature_tpm_replay.md` in this change.

Signed-off-by: Michael Kubacki <[email protected]>
@makubacki makubacki enabled auto-merge (squash) August 29, 2023 04:47
@makubacki makubacki merged commit 0ff6479 into microsoft:main Aug 29, 2023
23 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@os-d os-d os-d approved these changes

@apop5 apop5 apop5 approved these changes

@cfernald cfernald Awaiting requested review from cfernald

Assignees

@makubacki makubacki

Labels
type:documentation Improvements or additions to documentation type:enhancement New feature or pull request type:feature-request A new feature proposal
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Feature]: Integrate the TPM Replay feature
3 participants
@makubacki @os-d @apop5