Add support to build (and run) an image with Measured Boot and fTPM support.
This patch enables Measured Boot on TF-A and builds the TSS tools
and the TPM Kernel Module for the FVP toolkit.
The functionality is disabled by default. To enable it, build with
MEASURED_BOOT=y.
Signed-off-by: Javier Almansa Sobrino <javier.almansasobrino@arm.com>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
diff --git a/br-ext/Config.in b/br-ext/Config.in
index 276e971..db39e6d 100644
--- a/br-ext/Config.in
+++ b/br-ext/Config.in
@@ -4,3 +4,5 @@
source "$BR2_EXTERNAL_OPTEE_PATH/package/optee_examples_ext/Config.in"
source "$BR2_EXTERNAL_OPTEE_PATH/package/optee_benchmark_ext/Config.in"
source "$BR2_EXTERNAL_OPTEE_PATH/package/opensc/Config.in"
+source "$BR2_EXTERNAL_OPTEE_PATH/package/ftpm_optee_ext/Config.in"
+source "$BR2_EXTERNAL_OPTEE_PATH/package/linux_ftpm_mod_ext/Config.in"
diff --git a/br-ext/board/fvp/overlay/etc/profile.d/ftpm_alias.sh b/br-ext/board/fvp/overlay/etc/profile.d/ftpm_alias.sh
new file mode 100644
index 0000000..9201c4a
--- /dev/null
+++ b/br-ext/board/fvp/overlay/etc/profile.d/ftpm_alias.sh
@@ -0,0 +1,6 @@
+alias ftpm_mod='insmod /lib/modules/extra/tpm_ftpm_tee.ko'
+alias ftpm_getpcr='tpm2_pcrread'
+
+alias ftpm='ftpm_mod && ftpm_getpcr'
+
+alias ll='ls -al'
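Review bot: The combined `ftpm` alias stops at `ftpm_mod` whenever `insmod` returns non-zero, which includes the case where tpm_ftpm_tee is already loaded, so a second `ftpm` in the same boot never reaches `tpm2_pcrread`. Guarding the load keeps it repeatable, for example `alias ftpm_mod='grep -q "^tpm_ftpm_tee " /proc/modules || insmod /lib/modules/extra/tpm_ftpm_tee.ko'`. The unrelated `ll` alias would sit better in its own profile.d file than in one named ftpm_alias.sh.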
diff --git a/br-ext/configs/ftpm_optee b/br-ext/configs/ftpm_optee
new file mode 100644
index 0000000..b4a284e
--- /dev/null
+++ b/br-ext/configs/ftpm_optee
@@ -0,0 +1 @@
+BR2_PACKAGE_FTPM_OPTEE_EXT=y
diff --git a/br-ext/configs/linux_ftpm b/br-ext/configs/linux_ftpm
new file mode 100644
index 0000000..82e47bd
--- /dev/null
+++ b/br-ext/configs/linux_ftpm
@@ -0,0 +1 @@
+BR2_PACKAGE_LINUX_FTPM_MOD_EXT=y
diff --git a/br-ext/configs/tss b/br-ext/configs/tss
new file mode 100644
index 0000000..c10abeb
--- /dev/null
+++ b/br-ext/configs/tss
@@ -0,0 +1 @@
+BR2_PACKAGE_TPM2_TOOLS=y
diff --git a/br-ext/package/ftpm_optee_ext/CMakeLists.txt b/br-ext/package/ftpm_optee_ext/CMakeLists.txt
new file mode 100644
index 0000000..907b41d
--- /dev/null
+++ b/br-ext/package/ftpm_optee_ext/CMakeLists.txt
@@ -0,0 +1,3 @@
+# This is a dummy Makefile. When this package is invoked, the fTPM service
+# has been built already.
+install(FILES /dev/null DESTINATION /dev/null)
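Review bot: The comment calls this file a "dummy Makefile", but it is a CMakeLists.txt, and the placeholder `install(FILES /dev/null DESTINATION /dev/null)` is not obviously a no-op. If the package infrastructure sets DESTDIR, the destination would presumably resolve to a path under the target's `dev/null`, which should be checked against the generated rootfs. A comment such as `# Placeholder CMake project: the fTPM TA is built by the top-level 'ftpm' target; this package only runs the post-install hook.` would state the intent. The same two points apply to br-ext/package/linux_ftpm_mod_ext/CMakeLists.txt.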
diff --git a/br-ext/package/ftpm_optee_ext/Config.in b/br-ext/package/ftpm_optee_ext/Config.in
new file mode 100644
index 0000000..105a898
--- /dev/null
+++ b/br-ext/package/ftpm_optee_ext/Config.in
@@ -0,0 +1,29 @@
+config BR2_PACKAGE_FTPM_OPTEE_EXT
+ bool "Enable fTPM based on OPTEE"
+ depends on BR2_PACKAGE_OPTEE_OS_EXT
+ select BR2_PACKAGE_OPTEE_OS_EXT
+ help
+ fTPM, http://github.com/microsoft/ms-tpm-20-ref.
+ NOTE: This package currently only takes care of installing files
+ into the root FS, that have been compiled already.
+ The build of the OPTEE fTPM service is assumed to have been done
+ previously.
+
+config BR2_PACKAGE_FTPM_OPTEE_EXT_SITE
+ string "FTPM_OPTEE installation package path"
+ default ""
+ help
+ The path to this installation package.
+
+config BR2_PACKAGE_FTPM_OPTEE_PACKAGE_SITE
+ string "Path to the TPM 2.0 Reference Implementation"
+ default ""
+ help
+ The path to this installation package.
+
+config BR2_PACKAGE_FTPM_OPTEE_EXT_TA_SRC
+ string "Path of the fTPM sources within the TPM Ref. Implementation"
+ default "Samples/ARM32-FirmwareTPM/optee_ta"
+ help
+ The path, relative to where the TPM 2.0 Reference Implementation
+ is installed, where the sources for the fTPM can be found.
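Review bot: `BR2_PACKAGE_FTPM_OPTEE_PACKAGE_SITE` reuses the help text of `BR2_PACKAGE_FTPM_OPTEE_EXT_SITE` ("The path to this installation package."), although its prompt says it is the path to the TPM 2.0 Reference Implementation. Help such as `The path to the TPM 2.0 Reference Implementation checkout that holds the prebuilt fTPM TA.` would match what ftpm_optee_ext.mk does with it. `depends on BR2_PACKAGE_OPTEE_OS_EXT` and `select BR2_PACKAGE_OPTEE_OS_EXT` on the same symbol are redundant, so one of the two is enough. The project URL in the help could use `https://`.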
diff --git a/br-ext/package/ftpm_optee_ext/ftpm_optee_ext.mk b/br-ext/package/ftpm_optee_ext/ftpm_optee_ext.mk
new file mode 100644
index 0000000..9473cca
--- /dev/null
+++ b/br-ext/package/ftpm_optee_ext/ftpm_optee_ext.mk
@@ -0,0 +1,18 @@
+FTPM_OPTEE_EXT_VERSION = 1.0
+FTPM_OPTEE_EXT_SOURCE = local
+FTPM_OPTEE_EXT_SITE = $(BR2_PACKAGE_FTPM_OPTEE_EXT_SITE)
+FTPM_OPTEE_EXT_SRC = $(BR2_PACKAGE_FTPM_OPTEE_PACKAGE_SITE)
+FTPM_OPTEE_EXT_SITE_METHOD = local
+FTPM_OPTEE_EXT_TA_SRC = $(BR2_PACKAGE_FTPM_OPTEE_EXT_TA_SRC)
+
+define FTPM_OPTEE_EXT_INSTALL_TA
+ echo "Installing fTPM based on OPTEE" && \
+ mkdir -p $(TARGET_DIR)/lib/optee_armtz && \
+ $(INSTALL) -v -p --mode=444 \
+ --target-directory=$(TARGET_DIR)/lib/optee_armtz \
+ $(FTPM_OPTEE_EXT_SRC)/$(FTPM_OPTEE_EXT_TA_SRC)/out/fTPM/bc50d971-d4c9-42c4-82cb-343fb7f37896.ta
+endef
+
+FTPM_OPTEE_EXT_POST_INSTALL_TARGET_HOOKS += FTPM_OPTEE_EXT_INSTALL_TA
+
+$(eval $(cmake-package))
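Review bot: The install hook builds the TA path from `$(FTPM_OPTEE_EXT_SRC)`, whose Kconfig default is the empty string, so an unset value makes `$(INSTALL)` look under `/Samples/...` at the filesystem root and fail with a message that does not name the real cause. An early check that the variable is non-empty, with an error that names `BR2_PACKAGE_FTPM_OPTEE_PACKAGE_SITE`, would make the dependency on the earlier `ftpm` build explicit. The TA UUID is also an unexplained literal inside the path. A named variable such as `FTPM_OPTEE_EXT_TA_UUID = bc50d971-d4c9-42c4-82cb-343fb7f37896` with a one-line comment saying it is the fTPM TA's UUID would document it.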
diff --git a/br-ext/package/linux_ftpm_mod_ext/CMakeLists.txt b/br-ext/package/linux_ftpm_mod_ext/CMakeLists.txt
new file mode 100644
index 0000000..d2a0632
--- /dev/null
+++ b/br-ext/package/linux_ftpm_mod_ext/CMakeLists.txt
@@ -0,0 +1,3 @@
+# This is a dummy Makefile. When this package is invoked, the TPM Kernel
+# module has been built already.
+install(FILES /dev/null DESTINATION /dev/null)
diff --git a/br-ext/package/linux_ftpm_mod_ext/Config.in b/br-ext/package/linux_ftpm_mod_ext/Config.in
new file mode 100644
index 0000000..02d40d5
--- /dev/null
+++ b/br-ext/package/linux_ftpm_mod_ext/Config.in
@@ -0,0 +1,20 @@
+config BR2_PACKAGE_LINUX_FTPM_MOD_EXT
+ bool "Enable TPM Kernel module"
+ help
+ Enable TPM Kernel module.
+ NOTE: This package currently only takes care of installing files
+ into the root FS, that have been compiled already.
+ The build of the TPM Kernel module is assumed to have been done
+ previously.
+
+config BR2_PACKAGE_LINUX_FTPM_MOD_EXT_SITE
+ string "TPM Kernel Module installation package path"
+ default ""
+ help
+ The path to this installation package.
+
+config BR2_PACKAGE_LINUX_FTPM_MOD_EXT_PATH
+ string "Path to the TPM Kernel module"
+ default ""
+ help
+ The path of the TPM Kernel sources.
diff --git a/br-ext/package/linux_ftpm_mod_ext/linux_ftpm_mod_ext.mk b/br-ext/package/linux_ftpm_mod_ext/linux_ftpm_mod_ext.mk
new file mode 100644
index 0000000..6df8a73
--- /dev/null
+++ b/br-ext/package/linux_ftpm_mod_ext/linux_ftpm_mod_ext.mk
@@ -0,0 +1,18 @@
+LINUX_FTPM_MOD_EXT_VERSION = 1.0
+LINUX_FTPM_MOD_EXT_SOURCE = local
+LINUX_FTPM_MOD_EXT_SITE = $(BR2_PACKAGE_LINUX_FTPM_MOD_EXT_SITE)
+LINUX_FTPM_MOD_EXT_PATH = $(BR2_PACKAGE_LINUX_FTPM_MOD_EXT_PATH)
+LINUX_FTPM_MOD_EXT_SITE_METHOD = local
+LINUX_FTPM_MOD_EXT_INSTALL_DIR=$(TARGET_DIR)/lib/modules/extra
+
+define LINUX_FTPM_MOD_EXT_INSTALL
+ echo "Installing TPM kernel module" && \
+ mkdir -p $(LINUX_FTPM_MOD_EXT_INSTALL_DIR)
+ $(INSTALL) -v -p --mode=444 \
+ --target-directory=$(LINUX_FTPM_MOD_EXT_INSTALL_DIR) \
+ $(LINUX_FTPM_MOD_EXT_PATH)/drivers/char/tpm/tpm_ftpm_tee.ko
+endef
+
+LINUX_FTPM_MOD_EXT_POST_INSTALL_TARGET_HOOKS += LINUX_FTPM_MOD_EXT_INSTALL
+
+$(eval $(cmake-package))
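Review bot: The `mkdir -p $(LINUX_FTPM_MOD_EXT_INSTALL_DIR)` line in `LINUX_FTPM_MOD_EXT_INSTALL` lacks the trailing `&& \` that the matching hook in ftpm_optee_ext.mk has, so the `$(INSTALL)` call becomes a separate recipe line rather than part of the same chain. It should read `mkdir -p $(LINUX_FTPM_MOD_EXT_INSTALL_DIR) && \` so the two hooks behave the same. `LINUX_FTPM_MOD_EXT_INSTALL_DIR=$(TARGET_DIR)/lib/modules/extra` also omits the spaces around `=` that every other assignment in the file uses. A short comment noting that the module goes outside the versioned module tree and is loaded by absolute path from ftpm_alias.sh would explain the choice of directory.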
diff --git a/common.mk b/common.mk
index f027208..fdda328 100644
--- a/common.mk
+++ b/common.mk
@@ -320,6 +320,9 @@
--br-defconfig build/br-ext/configs/$(BUILDROOT_TOOLCHAIN) \
$(DEFCONFIG_GDBSERVER) \
$(DEFCONFIG_XEN_TOOLS) \
+ $(DEFCONFIG_TSS) \
+ $(DEFCONFIG_TPM_MODULE) \
+ $(DEFCONFIG_FTPM) \
--br-defconfig out-br/extra.conf \
--make-cmd $(MAKE))
@$(MAKE) -C ../out-br all
@@ -498,3 +501,31 @@
.PHONY: optee-os-clean-common
optee-os-clean-common:
$(MAKE) -C $(OPTEE_OS_PATH) $(OPTEE_OS_COMMON_FLAGS) clean
+
+################################################################################
+# fTPM Rules
+################################################################################
+
+# The fTPM implementation is based on ARM32 architecture whereas the rest of the
+# system is built to run on 64-bit mode (COMPILE_S_USER = 64). Therefore set
+# TA_DEV_KIT_DIR manually to the arm32 OPTEE toolkit rather than relying on
+# OPTEE_OS_TA_DEV_KIT_DIR variable.
+FTPM_FLAGS ?= \
+ TA_CPU=cortex-a9 \
+ TA_CROSS_COMPILE=$(AARCH32_CROSS_COMPILE) \
+ TA_DEV_KIT_DIR=$(OPTEE_OS_PATH)/out/arm/export-ta_arm32 \
+ CFG_TA_DEBUG=y CFG_TEE_TA_LOG_LEVEL=4 CFG_TA_MEASURED_BOOT=y
+
+.PHONY: ftpm
+ftpm:
+ifeq ($(MEASURED_BOOT),y)
+ftpm: optee-os
+ $(FTPM_FLAGS) $(MAKE) -C $(FTPM_PATH)
+endif
+
+.PHONY: ftpm-clean
+ftpm-clean:
+ifeq ($(MEASURED_BOOT),y)
+ftpm-clean:
+ -$(FTPM_FLAGS) $(MAKE) -C $(FTPM_PATH) clean
+endif
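Review bot: `FTPM_FLAGS` enables `CFG_TA_DEBUG=y CFG_TEE_TA_LOG_LEVEL=4` unconditionally, so the fTPM TA is always a debug build with the most verbose logging, even when the rest of the system is built with DEBUG=0. For a TA that holds TPM state this is better opt-in: keep only `CFG_TA_MEASURED_BOOT=y` in the default and add `ifeq ($(DEBUG),1)` / `FTPM_FLAGS += CFG_TA_DEBUG=y CFG_TEE_TA_LOG_LEVEL=4` / `endif` after it. The `-` prefix on the `ftpm-clean` recipe also needs a comment saying which failure is expected, since it hides every error from the sub-make.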
diff --git a/fvp.mk b/fvp.mk
index db06df9..53c0551 100644
--- a/fvp.mk
+++ b/fvp.mk
@@ -12,11 +12,31 @@
include common.mk
+################################################################################
+# Variables used for TPM configuration.
+################################################################################
+BR2_ROOTFS_OVERLAY = $(ROOT)/build/br-ext/board/fvp/overlay
+BR2_PACKAGE_FTPM_OPTEE_EXT_SITE ?= $(CURDIR)/br-ext/package/ftpm_optee_ext
+BR2_PACKAGE_FTPM_OPTEE_PACKAGE_SITE ?= $(ROOT)/ms-tpm-20-ref
+
+# The fTPM implementation is based on ARM32 architecture whereas the rest of the
+# system is built to run on 64-bit mode (COMPILE_S_USER = 64). Therefore set
+# BR2_PACKAGE_FTPM_OPTEE_EXT_SDK manually to the arm32 OPTEE toolkit rather than
+# relying on OPTEE_OS_TA_DEV_KIT_DIR variable.
+BR2_PACKAGE_FTPM_OPTEE_EXT_SDK ?= $(OPTEE_OS_PATH)/out/arm/export-ta_arm32
+
+BR2_PACKAGE_LINUX_FTPM_MOD_EXT_SITE ?= $(CURDIR)/br-ext/package/linux_ftpm_mod_ext
+BR2_PACKAGE_LINUX_FTPM_MOD_EXT_PATH ?= $(LINUX_PATH)
################################################################################
# Paths to git projects and various binaries
################################################################################
+MEASURED_BOOT ?= n
TF_A_PATH ?= $(ROOT)/trusted-firmware-a
+ifeq ($(MEASURED_BOOT),y)
+# Prefer release mode for TF-A if using Measured Boot, debug may exhaust memory.
+TF_A_BUILD ?= release
+endif
ifeq ($(DEBUG),1)
TF_A_BUILD ?= debug
else
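Review bot: `BR2_ROOTFS_OVERLAY` is assigned with `=` and outside any `MEASURED_BOOT` check, unlike the `?=` variables next to it, so the overlay that holds ftpm_alias.sh is selected for every FVP build and cannot be overridden from the environment. With MEASURED_BOOT=n the image would then carry aliases for a module and a tool that are not installed; how the variable reaches Buildroot is not visible in this hunk, so this needs confirming. Using `BR2_ROOTFS_OVERLAY ?= ...` inside `ifeq ($(MEASURED_BOOT),y)` would keep the default image unchanged. The `ifeq ($(DEBUG),1)` block at the end of the hunk continues outside it.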
@@ -41,14 +61,21 @@
OUT_PATH ?= $(ROOT)/out
GRUB_BIN ?= $(OUT_PATH)/bootaa64.efi
BOOT_IMG ?= $(OUT_PATH)/boot-fat.uefi.img
+FTPM_PATH ?= $(ROOT)/ms-tpm-20-ref/Samples/ARM32-FirmwareTPM/optee_ta
+
+# Build ancillary components to access fTPM if Measured Boot is enabled.
+ifeq ($(MEASURED_BOOT),y)
+DEFCONFIG_FTPM ?= --br-defconfig build/br-ext/configs/ftpm_optee
+DEFCONFIG_TPM_MODULE ?= --br-defconfig build/br-ext/configs/linux_ftpm
+DEFCONFIG_TSS ?= --br-defconfig build/br-ext/configs/tss
+endif
################################################################################
# Targets
################################################################################
-all: arm-tf boot-img edk2 grub linux optee-os
+all: arm-tf optee-os ftpm boot-img linux edk2
clean: arm-tf-clean boot-img-clean buildroot-clean edk2-clean grub-clean \
- optee-os-clean
-
+ ftpm-clean optee-os-clean
include toolchain.mk
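Review bot: `FTPM_PATH` hard-codes `$(ROOT)/ms-tpm-20-ref/Samples/ARM32-FirmwareTPM/optee_ta`, while the Buildroot package installs the TA from `$(BR2_PACKAGE_FTPM_OPTEE_PACKAGE_SITE)` plus the TA_SRC sub-path. Overriding one of them therefore builds the TA in one tree and installs it from another. Deriving it from the other, `FTPM_PATH ?= $(BR2_PACKAGE_FTPM_OPTEE_PACKAGE_SITE)/Samples/ARM32-FirmwareTPM/optee_ta`, keeps a single source of truth. The `all:` line also drops `grub` and now relies on `boot-img` to pull it in, which deserves a short comment.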
@@ -69,12 +96,25 @@
BL32_EXTRA1=$(OPTEE_OS_PAGER_V2_BIN) \
BL32_EXTRA2=$(OPTEE_OS_PAGEABLE_V2_BIN) \
BL33=$(EDK2_BIN) \
- DEBUG=$(DEBUG) \
ARM_TSP_RAM_LOCATION=tdram \
FVP_USE_GIC_DRIVER=FVP_GICV3 \
PLAT=fvp \
SPD=opteed
+ifneq ($(MEASURED_BOOT),y)
+ TF_A_FLAGS += DEBUG=$(DEBUG)
+else
+ TF_A_FLAGS += DEBUG=0 \
+ MBEDTLS_DIR=$(ROOT)/mbedtls \
+ ARM_ROTPK_LOCATION=devel_rsa \
+ GENERATE_COT=1 \
+ MEASURED_BOOT=1 \
+ ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem \
+ TPM_HASH_ALG=sha256 \
+ TRUSTED_BOARD_BOOT=1 \
+ EVENT_LOG_LEVEL=20
+endif
+
arm-tf: optee-os edk2
$(TF_A_EXPORTS) $(MAKE) -C $(TF_A_PATH) $(TF_A_FLAGS) all fip
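Review bot: The measured-boot branch sets `ARM_ROTPK_LOCATION=devel_rsa` and `ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem`, which is the development root-of-trust key from the TF-A tree. The resulting chain of trust demonstrates the flow but authenticates nothing, and the file should say so, for example `# Development ROT key from the TF-A tree: FVP testing only, never a production chain of trust.`. `DEBUG=0` is also forced here while `TF_A_BUILD` is only defaulted with `?=`, so a user-set `TF_A_BUILD=debug` would make the run target look for `build/fvp/debug/bl1.bin` although TF-A was built as release. The `TF_A_FLAGS` assignment begins outside this hunk.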
@@ -106,6 +146,14 @@
$(LINUX_PATH)/arch/arm64/configs/defconfig \
$(CURDIR)/kconfigs/fvp.conf
+.PHONY: linux-ftpm-module
+linux-ftpm-module: linux
+ifeq ($(MEASURED_BOOT),y)
+linux-ftpm-module:
+ $(MAKE) -C $(LINUX_PATH) $(LINUX_COMMON_FLAGS) M=drivers/char/tpm \
+ modules_install INSTALL_MOD_PATH=$(LINUX_PATH)
+endif
+
linux-defconfig: $(LINUX_PATH)/.config
LINUX_COMMON_FLAGS += ARCH=arm64
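Review bot: `linux-ftpm-module` runs `modules_install` with `INSTALL_MOD_PATH=$(LINUX_PATH)`, which writes a `lib/modules` tree into the kernel source checkout. The linux_ftpm_mod_ext hook then copies `tpm_ftpm_tee.ko` straight from `drivers/char/tpm`, so the installed tree appears to be unused. If that is the case, the recipe can be dropped or replaced by an explicit `modules` build of `M=drivers/char/tpm`; otherwise point `INSTALL_MOD_PATH` at a directory under the build output and install from there. Declaring the target twice around the `ifeq` is also hard to read, and a single rule with the recipe inside the conditional would be clearer.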
@@ -126,9 +174,20 @@
# OP-TEE
################################################################################
OPTEE_OS_COMMON_FLAGS += CFG_ARM_GICV3=y
+
+ifeq ($(MEASURED_BOOT),y)
+ OPTEE_OS_COMMON_FLAGS += CFG_DT=y CFG_CORE_TPM_EVENT_LOG=y
+endif
+
optee-os: optee-os-common
-optee-os-clean: optee-os-clean-common
+optee-os-clean: ftpm-clean optee-os-clean-common
+
+################################################################################
+# Buildroot
+################################################################################
+
+buildroot: linux-ftpm-module
################################################################################
# grub
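Review bot: `optee-os-clean: ftpm-clean optee-os-clean-common` lists the two as sibling prerequisites, which gives no ordering under `make -j`. If `ftpm-clean` needs the TA dev kit that `FTPM_FLAGS` points to under `$(OPTEE_OS_PATH)/out`, it can run after that directory is removed, and the `-` prefix on its recipe would hide the failure. Expressing the order directly, `optee-os-clean-common: ftpm-clean`, makes it hold in parallel builds. The new `buildroot: linux-ftpm-module` line would benefit from a comment that the kernel module must exist before the linux_ftpm_mod_ext package installs it.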
@@ -173,8 +232,9 @@
################################################################################
# Boot Image
################################################################################
+
.PHONY: boot-img
-boot-img: linux grub buildroot
+boot-img: grub buildroot
rm -f $(BOOT_IMG)
mformat -i $(BOOT_IMG) -n 64 -h 255 -T 131072 -v "BOOT IMG" -C ::
mcopy -i $(BOOT_IMG) $(LINUX_PATH)/arch/arm64/boot/Image ::
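Review bot: `boot-img` no longer lists `linux` as a prerequisite, although its recipe still copies `$(LINUX_PATH)/arch/arm64/boot/Image`. The kernel is now reached only through `buildroot: linux-ftpm-module` and `linux-ftpm-module: linux`. A recipe should declare every file it reads, so `boot-img: linux grub buildroot` is the safer header and costs nothing, since make builds `linux` once. The recipe continues past the end of this hunk.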
@@ -207,4 +267,3 @@
--data="$(TF_A_PATH)/build/fvp/$(TF_A_BUILD)/bl1.bin"@0x0 \
--data="$(TF_A_PATH)/build/fvp/$(TF_A_BUILD)/fip.bin"@0x8000000 \
--block-device=$(BOOT_IMG)
-
diff --git a/kconfigs/fvp.conf b/kconfigs/fvp.conf
index 07554cf..29c43f4 100644
--- a/kconfigs/fvp.conf
+++ b/kconfigs/fvp.conf
@@ -1,2 +1,4 @@
CONFIG_TEE=y
CONFIG_OPTEE=y
+CONFIG_TCG_TPM=y
+CONFIG_TCG_FTPM_TEE=m