| Abhi Singh | a2dd13c | 2024-10-21 13:21:42 -0500 | [diff] [blame] | 1 | Discrete TPM drivers |
| 2 | ==================== |
| 3 | |
| 4 | This section focuses on the design and functionality of Discrete TPM drivers |
| 5 | in |TF-A|. The |TPM| technology is designed to provide |
| 6 | a dedicated, hardware-based solution for storing cryptographic keys and |
| 7 | performing security-related operations. |
| 8 | |
| 9 | Discrete TPMs are separate, standalone hardware components that are physically |
| 10 | isolated from the system's main processor. This isolation helps protect |
| 11 | sensitive information, such as encryption keys and platform credentials, from |
| 12 | being accessed or tampered with by malicious software or unauthorized users. |
| 13 | When a Discrete TPM interface is implemented correctly, the risk of software |
| 14 | based attacks is reduced, further reducing the attack surface. |
| 15 | |
| 16 | TPM measurements establish the security posture of a system and are used for |
| 17 | attestation. Performing measurements using a TPM in TF-A is beneficial from |
| 18 | a security standpoint because it ensures hardware-backed attestation earlier |
| 19 | in the boot flow, reducing the risk of a compromised root of trust. |
| 20 | |
| 21 | The design implemented in TF-A supports multiple types of TPM hardware interfaces |
| 22 | and hardware bus types in order to be compatible with different platforms. |
| 23 | Platforms opt to use a specific messaging interface, such as |CRB| or |FIFO|, |
| 24 | and a specific hardware bus interface, such as |I2C| or |SPI|. |
| 25 | |
| 26 | Driver architecture |
| 27 | ------------------- |
| 28 | |
| 29 | The Discrete TPM drivers are split up into four layers, each serving a distinct |
| 30 | purpose in the overall architecture: |
| 31 | |
| 32 | - **Command Layer**: This layer provides various TPM commands based on the |
| 33 | `TCG TPM 2.0 Library Specification`_. It allows a system to initialize the |
| 34 | TPM interface, perform a TPM startup, set up a locality for operations like |
| 35 | PCR extend and read, and release the locality when finished. |
| 36 | - **Interface Layer**: This layer handles sending and receiving TPM commands |
| 37 | via a specific TPM interface like FIFO or CRB. It also includes functions |
| 38 | such as getting information, requesting access, and relinquishing access, |
| 39 | tailored to the specific interface. |
| 40 | - **Link Layer**: Discrete TPMs may appear as a SPI, I2C, or memory mapped |
| 41 | device. The link layer maps the command passed from the interface layer to |
| 42 | the appropriate bus type. It includes hardware link read and write functions |
| 43 | that use the platform bus interface to transfer commands. |
| 44 | - **Platform Layer**: The platform layer implements the details of how to |
| 45 | communicate to the TPM chip for a specific platform. The link layer uses the |
| 46 | platform layer to read and write to the TPM. |
| 47 | |
| 48 | .. note:: |
| 49 | The command, interface, and link layers are implemented in common code in |
| 50 | TF-A. The platform layer is implemented in platform specific code. |
| 51 | |
| 52 | The following diagram illustrates the Discrete TPM driver stack for the Raspberry |
| 53 | Pi 3 platform. |
| 54 | |
| 55 | |rpi3 dtpm driver stack| |
| 56 | |
| 57 | Header files |
| 58 | ^^^^^^^^^^^^ |
| 59 | - TPM Drivers: ``include/drivers/tpm`` |
| 60 | |
| 61 | |
| 62 | Source files |
| 63 | ^^^^^^^^^^^^ |
| 64 | - TPM Drivers: ``drivers/tpm`` |
| 65 | |
| 66 | |
| 67 | Build time config options |
| 68 | ------------------------- |
| 69 | |
| 70 | - ``MBOOT_TPM_HASH_ALG``: The hash algorithm to be used by the TPM, currently |
| 71 | the only supported algorithm is ``sha256``. As additional Discrete TPMs are |
| 72 | tested and integrated in TF-A, support for more algorithms will become |
| 73 | available. |
| 74 | - ``DISCRETE_TPM``: Boolean flag to enable Discrete TPM support. Depending |
| 75 | on the selected TPM interface, the appropriate drivers will be built and |
| 76 | packaged into firmware. |
| 77 | - ``TPM_INTERFACE``: This flag is required when ``DISCRETE_TPM=1``, |
| 78 | currently the only supported interface is ``FIFO_SPI``. |
| 79 | Ideally there should be four options: |
| 80 | |
| 81 | .. code:: shell |
| 82 | |
| 83 | FIFO_I2C |
| 84 | FIFO_SPI |
| 85 | FIFO_MMIO |
| 86 | CRB |
| 87 | |
| 88 | .. note:: |
| 89 | ``MBOOT_TPM_HASH_ALG`` will automatically overwrite ``MBOOT_EL_HASH_ALG``. |
| 90 | This is to ensure the event log and the TPM are using the same hash |
| 91 | algorithm. |
| 92 | |
| 93 | |
| 94 | Discrete TPM Initialization |
| 95 | --------------------------- |
| 96 | The TPM needs to be initialized based on the platform, the hardware interfaces |
| 97 | need to be set up independently, and once they are setup, the TPM commands |
| 98 | ``tpm_interface_init()`` and subsequently ``tpm_startup()`` can be called. |
| 99 | ``tpm_startup()`` only needs to be called once after startup, or if the system |
| 100 | is reset. |
| 101 | |
| 102 | An example of platform specific TPM hardware initialization for the rpi3 can be |
| 103 | found in ``plat/rpi/rpi3/rpi3_bl1_setup.c`` and ``plat/rpi/rpi3/rpi3_bl1_mboot.c`` |
| 104 | |
| 105 | |
| 106 | Discrete TPM PCR Extend |
| 107 | ----------------------- |
| 108 | Once the TPM is setup, the TPM ``pcr_extend`` operation can be used to extend |
| 109 | hashes and store them in PCR 0. |
| 110 | |
| 111 | An example of ``pcr_extend`` that is used during rpi3 measured boot can be found |
| 112 | in ``plat/rpi/rpi3/rpi3_bl1_mboot.c`` and ``plat/rpi/rpi3/rpi3_bl2_mboot.c``. |
| 113 | |
| 114 | |
| 115 | *Copyright (c) 2025, Arm Limited. All rights reserved.* |
| 116 | |
| 117 | .. |rpi3 dtpm driver stack| image:: |
| 118 | ../resources/diagrams/rpi3_dtpm_driver.png |
| 119 | .. _TCG TPM 2.0 Library Specification: https://trustedcomputinggroup.org/resource/tpm-library-specification/ |