Interaction between Measured Boot and an fTPM (PoC)
===================================================

Measured Boot is the process of cryptographically measuring the code and
critical data used at boot time, for example using a TPM, so that the
security state can be attested later.

The current implementation of the driver included in Trusted Firmware-A
(TF-A) stores the measurements into a `TCG event log
<https://trustedcomputinggroup.org/resource/tcg-efi-platform-specification/>`_
in secure memory. No other means of recording measurements (such as a
discrete TPM) is supported right now.

The driver also provides mechanisms to pass the Event Log to the normal world
if needed.

This manual provides instructions to build a proof of concept (PoC) with the
sole intention of showing how Measured Boot can be used in conjunction with
a firmware TPM (fTPM) service implemented on top of OP-TEE.

.. note::
   The instructions given in this document are meant to be used to build
   a PoC to show how Measured Boot on TF-A can interact with a third
   party (f)TPM service and they try to be as general as possible. Different
   platforms might have different needs and configurations (e.g. different
   SHA algorithms) and they might also use different types of TPM services
   (or even a different type of service to provide the attestation)
   and therefore the instructions given here might not apply in such scenarios.

Components
~~~~~~~~~~

The PoC is built on top of the `OP-TEE Toolkit`_, which has support to build
TF-A with Measured Boot enabled (and run it on a Foundation Model)
since commit cf56848.

The aforementioned toolkit builds a set of images that contain all the components
needed to test that the Event Log was properly created. One of these images will
contain a third party fTPM service which in turn will be used to process the
Event Log.

The reason to choose the OP-TEE Toolkit to build our PoC around is mostly
convenience.
As the fTPM service used is an OP-TEE TA, it was easy to add
build support for it to the toolkit and then build the PoC around it.

The most relevant components installed in the image that are closely related to
Measured Boot/fTPM functionality are:

 - **OP-TEE**: As stated earlier, the fTPM service used in this PoC is built as an
   OP-TEE TA and therefore we need to include the OP-TEE OS image.
   Support for interfacing with Measured Boot was added to version 3.9.0 of
   OP-TEE by implementing the ``PTA_SYSTEM_GET_TPM_EVENT_LOG`` command of the
   system pseudo TA, which allows OP-TEE to pass a copy of the Event Log to any
   TA requesting it. OP-TEE knows the location of the Event Log by reading the
   DTB bindings received from TF-A. Visit :ref:`DTB binding for Event Log properties`
   for more details on this.

 - **fTPM Service**: We use a third party fTPM service in order to validate
   the Measured Boot functionality. The chosen fTPM service is a sample
   implementation for the AArch32 architecture included in the `ms-tpm-20-ref`_
   reference implementation from Microsoft. The service was updated in order
   to extend the Measured Boot Event Log at boot up and it uses the
   aforementioned ``PTA_SYSTEM_GET_TPM_EVENT_LOG`` call to retrieve a copy
   of the Event Log.

   .. note::
      Arm does not provide an fTPM implementation. The fTPM service used here
      is a third party one which has been updated to support the Measured Boot
      service as provided by TF-A. As such, it is beyond the scope of this
      manual to test and verify the correctness of the output generated by the
      fTPM service.

 - **TPM Kernel module**: In order to interact with the fTPM service, we need
   a kernel module to forward the requests from user space to the secure world.

 - `tpm2-tools`_: This is a set of tools that allow interacting with the
   fTPM service. We use this in order to read the PCRs with the measurements.
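What the fTPM TA has to do with the copy of the Event Log it receives (walk the
TCG_EfiSpecIDEvent header, then each TCG_PCR_EVENT2 record, and extend the
digests into the PCR each record names) is easier to follow with the byte
layout in front of you. The following is an added example, not code from TF-A,
OP-TEE or the ms-tpm-20-ref fTPM: it serialises a SHA-256-only "crypto agile"
event log from the image digests that TF-A prints in the boot log later on this
page (constructed input; on the target the log is read from the secure-memory
buffer the DTB binding describes), parses it as an untrusted buffer, and replays
PCR0 so that the value later read back with ``tpm2_pcrread`` can be compared
against the log. ``build_log``, ``parse_event_log``, ``replay_pcr``,
``check_pcr0`` and the constants are names chosen here, not APIs of any of
those projects.

```python
# Added example, not code from TF-A, OP-TEE or ms-tpm-20-ref: build, parse and
# replay a TCG PC Client "crypto agile" event log. Names are chosen here; the
# digests are the ones TF-A prints in the boot log on this page (constructed
# input; the real log is read from the secure-memory buffer the DTB describes).
import hashlib
import struct

EV_POST_CODE = 0x00000001
EV_NO_ACTION = 0x00000003
TPM_ALG_SHA256 = 0x000B
DIGEST_SIZE = {0x0004: 20, TPM_ALG_SHA256: 32, 0x000C: 48, 0x000D: 64}

# (PCR index, event type, SHA-256 digest, event string): every image goes to PCR0.
TFA_ENTRIES = [
    (0, EV_POST_CODE, "5826326e644564da45de35db96fded632a6ad40daa94b0b155e472e71f0ae0d5", b"BL_2"),
    (0, EV_POST_CODE, "cff97da35c73accb7ba025806a6e50a56b2ed28cc936927d46c5b9c3a46c517c", b"BL_31"),
    (0, EV_POST_CODE, "23b0a35d54d9431a5cb989631cda06c2e5dee77e991752127df745ca4f4a39c0", b"HW_CONFIG"),
    (0, EV_POST_CODE, "4ee48e5ae650ede0b5a3548a1fd60e8aea0e71750ea43f8276ceafcd7cb091e0", b"SOC_FW_CONFIG"),
    (0, EV_POST_CODE, "01b08047a1ce86cddf89d21f2efc6c22f819ec6e1eec73ba5abed096e35f6d75", b"BL_32"),
    (0, EV_POST_CODE, "5dc6ef355a9081b437e63b52da92ab8ed96e93982d4087961b5aa7eef1f44063", b"BL32_EXTRA1_IMAGE"),
    (0, EV_POST_CODE, "39b713b993db322f1b4830eb2cf25c25000f38dc8ec802cd79f248d22c25abe2", b"BL_33"),
    (0, EV_POST_CODE, "2510605dd4bc9d827a169f8acc4795a6fdcaa0c12bc9998f5120ffc6ed74685a", b"NT_FW_CONFIG"),
]
# PCR0 as printed by tpm2_pcrread on this page.
REPORTED_PCR0 = "0xA6EB3A7417B8CFA9EBA2E7C22AD5A4C03CDB8F3FBDD7667F9C3EF2EA285A8C9F"

def _event2(pcr, etype, digest, data):
    """One TCG_PCR_EVENT2 carrying a single SHA-256 digest."""
    return (struct.pack("<IIIH", pcr, etype, 1, TPM_ALG_SHA256) + digest
            + struct.pack("<I", len(data)) + data)

def build_log(entries, locality=0):
    """TCG_EfiSpecIDEvent03 header (SHA-1 format record, zero digest), then the
    StartupLocality entry, then one TCG_PCR_EVENT2 per measurement."""
    spec = (b"Spec ID Event03\0" + struct.pack("<IBBBBI", 0, 0, 2, 2, 1, 1)  # class, 2.0.2, uintn, 1 alg
            + struct.pack("<HH", TPM_ALG_SHA256, 32) + b"\0")              # digestSizes[], vendorInfoSize
    log = struct.pack("<II20xI", 0, EV_NO_ACTION, len(spec)) + spec
    log += _event2(0, EV_NO_ACTION, bytes(32), b"StartupLocality\0" + bytes([locality]))
    for pcr, etype, digest_hex, name in entries:
        log += _event2(pcr, etype, bytes.fromhex(digest_hex), name + b"\0")
    return log

def parse_event_log(log):
    """Return (digest sizes announced in the header, list of event dicts). The
    buffer is untrusted: unannounced algorithms and truncated records are rejected."""
    pcr, etype, size = struct.unpack_from("<II20xI", log, 0)
    spec, off = log[32:32 + size], 32 + size
    if (pcr, etype) != (0, EV_NO_ACTION) or spec[:16] != b"Spec ID Event03\0":
        raise ValueError("log does not start with a TCG_EfiSpecIDEvent03")
    (nalgs,) = struct.unpack_from("<I", spec, 24)
    sizes = dict(struct.unpack_from("<HH", spec, 28 + 4 * i) for i in range(nalgs))
    if any(DIGEST_SIZE.get(alg) != dsize for alg, dsize in sizes.items()):
        raise ValueError("digest size does not match algorithm")
    events = []
    while off < len(log):
        pcr, etype, count = struct.unpack_from("<III", log, off)
        off, digests = off + 12, {}
        for _ in range(count):
            (alg,) = struct.unpack_from("<H", log, off)
            if alg not in sizes:
                raise ValueError("algorithm %#x not announced in header" % alg)
            digests[alg] = log[off + 2:off + 2 + sizes[alg]]
            off += 2 + sizes[alg]
        (size,) = struct.unpack_from("<I", log, off)
        off += 4
        if off + size > len(log):
            raise ValueError("event data runs past the end of the log")
        events.append({"pcr": pcr, "type": etype, "digests": digests, "data": log[off:off + size]})
        off += size
    return sizes, events

def extend(pcr_value, digest):
    """TPM2_PCR_Extend on a SHA-256 bank: new = SHA-256(old || digest)."""
    return hashlib.sha256(pcr_value + digest).digest()

def replay_pcr(events, index, alg=TPM_ALG_SHA256, extend_no_action=False):
    """Recompute PCR `index` from the log. The TCG PC Client profile says
    EV_NO_ACTION entries are not extended and a non-zero StartupLocality only
    seeds PCR0; extend_no_action=True mimics a consumer that extends every entry."""
    value = bytes(32)
    for ev in events:
        if ev["pcr"] != index:
            continue
        if ev["type"] == EV_NO_ACTION:
            if index == 0 and ev["data"].startswith(b"StartupLocality\0"):
                value = bytes(31) + ev["data"][16:17]
            if not extend_no_action:
                continue
        value = extend(value, ev["digests"][alg])
    return value

def check_pcr0(log, reported_hex):
    """Report which replay interpretation (if either) reproduces the value read back."""
    _, events = parse_event_log(log)
    reported = bytes.fromhex(reported_hex[2:] if reported_hex[:2].lower() == "0x" else reported_hex)
    return {"spec_replay": replay_pcr(events, 0) == reported,
            "extend_all_replay": replay_pcr(events, 0, extend_no_action=True) == reported}

TFA_LOG = build_log(TFA_ENTRIES)

if __name__ == "__main__":
    _, evs = parse_event_log(TFA_LOG)
    for ev in evs:
        print("PCR%d type=%#x %s" % (ev["pcr"], ev["type"], ev["data"].rstrip(b"\0").decode()))
    print("PCR0 replay per spec:", replay_pcr(evs, 0).hex())
    print("PCR0 extending all:  ", replay_pcr(evs, 0, extend_no_action=True).hex())
    print("matches reported PCR0:", check_pcr0(TFA_LOG, REPORTED_PCR0))
```

``replay_pcr`` follows the TCG PC Client Platform Firmware Profile by default:
EV_NO_ACTION records (the StartupLocality entry here) are informational and are
not extended, and a non-zero startup locality only seeds the initial PCR0
value. The fTPM output later on this page shows nine ``TPM2_PCR_EXTEND``
commands for the nine ``PCR_Event2`` entries in the log, which would include the
zero-digest StartupLocality entry; a verifier replaying per the spec may
therefore land on a different PCR0 than the one ``tpm2_pcrread`` reports, and
``extend_no_action=True`` reproduces that alternative. Since this page does not
verify the fTPM's output, treat ``check_pcr0`` as the comparison to run against
your own build rather than as a result stated here; a real verifier would also
refuse a log whose header announces an algorithm the TPM has no bank for.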

Building the PoC for the Arm FVP platform
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

As mentioned before, this PoC is based on the OP-TEE Toolkit with some
extensions to enable Measured Boot and an fTPM service. Therefore, we can rely
on the instructions to build the original OP-TEE Toolkit. As a general rule,
the following steps should suffice:

(1) Start by following the `Get and build the solution`_ instructions to build
    the OP-TEE toolkit. On step 3, you need to get the manifest for the FVP
    platform from the main branch:

    .. code:: shell

        $ repo init -u https://github.com/OP-TEE/manifest.git -m fvp.xml

    Then proceed with syncing the repos as stated in step 3. Continue following
    the instructions and stop before step 5.

(2) Next you should obtain the `Armv8-A Foundation Platform (For Linux Hosts Only)`_.
    The archive should be extracted to the root of the repo tree, i.e., like
    this: ``<fvp-project>/Foundation_Platformpkg``. In the end, after cloning
    all source code, getting the toolchains and "installing"
    Foundation_Platformpkg, you should have a folder structure that looks like
    this:

    .. code:: shell

        $ ls -la
        total 80
        drwxrwxr-x 20 tf-a_user tf-a_user 4096 Jul  1 12:16 .
        drwxr-xr-x 23 tf-a_user tf-a_user 4096 Jul  1 10:40 ..
        drwxrwxr-x 12 tf-a_user tf-a_user 4096 Jul  1 10:45 build
        drwxrwxr-x 16 tf-a_user tf-a_user 4096 Jul  1 12:16 buildroot
        drwxrwxr-x 51 tf-a_user tf-a_user 4096 Jul  1 10:45 edk2
        drwxrwxr-x  6 tf-a_user tf-a_user 4096 Jul  1 12:14 edk2-platforms
        drwxr-xr-x  7 tf-a_user tf-a_user 4096 Jul  1 10:52 Foundation_Platformpkg
        drwxrwxr-x 17 tf-a_user tf-a_user 4096 Jul  2 10:40 grub
        drwxrwxr-x 25 tf-a_user tf-a_user 4096 Jul  2 10:39 linux
        drwxrwxr-x 15 tf-a_user tf-a_user 4096 Jul  1 10:45 mbedtls
        drwxrwxr-x  6 tf-a_user tf-a_user 4096 Jul  1 10:45 ms-tpm-20-ref
        drwxrwxr-x  8 tf-a_user tf-a_user 4096 Jul  1 10:45 optee_client
        drwxrwxr-x 10 tf-a_user tf-a_user 4096 Jul  1 10:45 optee_examples
        drwxrwxr-x 12 tf-a_user tf-a_user 4096 Jul  1 12:13 optee_os
        drwxrwxr-x  8 tf-a_user tf-a_user 4096 Jul  1 10:45 optee_test
        drwxrwxr-x  7 tf-a_user tf-a_user 4096 Jul  1 10:45 .repo
        drwxrwxr-x  4 tf-a_user tf-a_user 4096 Jul  1 12:12 toolchains
        drwxrwxr-x 21 tf-a_user tf-a_user 4096 Jul  1 12:15 trusted-firmware-a

(3) Now enter ``ms-tpm-20-ref`` and get its dependencies:

    .. code:: shell

        $ cd ms-tpm-20-ref
        $ git submodule init
        $ git submodule update
        Submodule path 'external/wolfssl': checked out '9c87f979a7f1d3a6d786b260653d566c1d31a1c4'

(4) Now, you should be able to continue with step 5 in the "`Get and build the solution`_"
    instructions. In order to enable support for Measured Boot, you need to
    set the ``MEASURED_BOOT`` build option:

    .. code:: shell

        $ MEASURED_BOOT=y make -j `nproc`

    .. note::
       The build process will likely take a long time. It is strongly recommended to
       pass the ``-j`` option to make to run the process faster.

    After this step, you should be ready to run the image.

Running and using the PoC on the Armv8-A Foundation AEM FVP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With everything built, you can now run the image:

.. code:: shell

    $ make run-only

.. note::
   Using ``make run`` will build and run the image and it can be used instead
   of simply ``make``. However, once the image is built, it is recommended to
   use ``make run-only`` to avoid re-running all the build rules, which
   would take time.

When the FVP is launched, two terminal windows will appear. ``FVP terminal_0``
is the normal world (user space) terminal whereas ``FVP terminal_1`` is the
counterpart for the secure world (where TAs will print their logs, for instance).

Log into the image shell with user ``root``; no password will be required.
Then we can issue the ``ftpm`` command, which is an alias that

(1) loads the ftpm kernel module and

(2) calls ``tpm2_pcrread``, which will access the fTPM service to read the
    PCRs.

When loading the ftpm kernel module, the fTPM TA is loaded into the secure
world. This TA then requests a copy of the Event Log generated during the
boot process so it can retrieve all the entries in the log and record them
first thing.

.. note::
   For this PoC, nothing loaded after BL33 and NT_FW_CONFIG is recorded
   in the Event Log.

The secure world terminal should show the debug logs for the fTPM service,
including all the measurements available in the Event Log as they are being
processed:

.. code:: shell

    M/TA: Preparing to extend the following TPM Event Log:
    M/TA: TCG_EfiSpecIDEvent:
    M/TA:   PCRIndex           : 0
    M/TA:   EventType          : 3
    M/TA:   Digest             : 00
    M/TA:                      : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    M/TA:                      : 00 00 00
    M/TA:   EventSize          : 33
    M/TA:   Signature          : Spec ID Event03
    M/TA:   PlatformClass      : 0
    M/TA:   SpecVersion        : 2.0.2
    M/TA:   UintnSize          : 1
    M/TA:   NumberOfAlgorithms : 1
    M/TA:   DigestSizes        :
    M/TA:     #0 AlgorithmId   : SHA256
    M/TA:        DigestSize    : 32
    M/TA:   VendorInfoSize     : 0
    M/TA: PCR_Event2:
    M/TA:   PCRIndex           : 0
    M/TA:   EventType          : 3
    M/TA:   Digests Count      : 1
    M/TA:     #0 AlgorithmId   : SHA256
    M/TA:        Digest        : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    M/TA:                      : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    M/TA:   EventSize          : 17
    M/TA:   Signature          : StartupLocality
    M/TA:   StartupLocality    : 0
    M/TA: PCR_Event2:
    M/TA:   PCRIndex           : 0
    M/TA:   EventType          : 1
    M/TA:   Digests Count      : 1
    M/TA:     #0 AlgorithmId   : SHA256
    M/TA:        Digest        : 58 26 32 6e 64 45 64 da 45 de 35 db 96 fd ed 63
    M/TA:                      : 2a 6a d4 0d aa 94 b0 b1 55 e4 72 e7 1f 0a e0 d5
    M/TA:   EventSize          : 5
    M/TA:   Event              : BL_2
    M/TA: PCR_Event2:
    M/TA:   PCRIndex           : 0
    M/TA:   EventType          : 1
    M/TA:   Digests Count      : 1
    M/TA:     #0 AlgorithmId   : SHA256
    M/TA:        Digest        : cf f9 7d a3 5c 73 ac cb 7b a0 25 80 6a 6e 50 a5
    M/TA:                      : 6b 2e d2 8c c9 36 92 7d 46 c5 b9 c3 a4 6c 51 7c
    M/TA:   EventSize          : 6
    M/TA:   Event              : BL_31
    M/TA: PCR_Event2:
    M/TA:   PCRIndex           : 0
    M/TA:   EventType          : 1
    M/TA:   Digests Count      : 1
    M/TA:     #0 AlgorithmId   : SHA256
    M/TA:        Digest        : 23 b0 a3 5d 54 d9 43 1a 5c b9 89 63 1c da 06 c2
    M/TA:                      : e5 de e7 7e 99 17 52 12 7d f7 45 ca 4f 4a 39 c0
    M/TA:   EventSize          : 10
    M/TA:   Event              : HW_CONFIG
    M/TA: PCR_Event2:
    M/TA:   PCRIndex           : 0
    M/TA:   EventType          : 1
    M/TA:   Digests Count      : 1
    M/TA:     #0 AlgorithmId   : SHA256
    M/TA:        Digest        : 4e e4 8e 5a e6 50 ed e0 b5 a3 54 8a 1f d6 0e 8a
    M/TA:                      : ea 0e 71 75 0e a4 3f 82 76 ce af cd 7c b0 91 e0
    M/TA:   EventSize          : 14
    M/TA:   Event              : SOC_FW_CONFIG
    M/TA: PCR_Event2:
    M/TA:   PCRIndex           : 0
    M/TA:   EventType          : 1
    M/TA:   Digests Count      : 1
    M/TA:     #0 AlgorithmId   : SHA256
    M/TA:        Digest        : 01 b0 80 47 a1 ce 86 cd df 89 d2 1f 2e fc 6c 22
    M/TA:                      : f8 19 ec 6e 1e ec 73 ba 5a be d0 96 e3 5f 6d 75
    M/TA:   EventSize          : 6
    M/TA:   Event              : BL_32
    M/TA: PCR_Event2:
    M/TA:   PCRIndex           : 0
    M/TA:   EventType          : 1
    M/TA:   Digests Count      : 1
    M/TA:     #0 AlgorithmId   : SHA256
    M/TA:        Digest        : 5d c6 ef 35 5a 90 81 b4 37 e6 3b 52 da 92 ab 8e
    M/TA:                      : d9 6e 93 98 2d 40 87 96 1b 5a a7 ee f1 f4 40 63
    M/TA:   EventSize          : 18
    M/TA:   Event              : BL32_EXTRA1_IMAGE
    M/TA: PCR_Event2:
    M/TA:   PCRIndex           : 0
    M/TA:   EventType          : 1
    M/TA:   Digests Count      : 1
    M/TA:     #0 AlgorithmId   : SHA256
    M/TA:        Digest        : 39 b7 13 b9 93 db 32 2f 1b 48 30 eb 2c f2 5c 25
    M/TA:                      : 00 0f 38 dc 8e c8 02 cd 79 f2 48 d2 2c 25 ab e2
    M/TA:   EventSize          : 6
    M/TA:   Event              : BL_33
    M/TA: PCR_Event2:
    M/TA:   PCRIndex           : 0
    M/TA:   EventType          : 1
    M/TA:   Digests Count      : 1
    M/TA:     #0 AlgorithmId   : SHA256
    M/TA:        Digest        : 25 10 60 5d d4 bc 9d 82 7a 16 9f 8a cc 47 95 a6
    M/TA:                      : fd ca a0 c1 2b c9 99 8f 51 20 ff c6 ed 74 68 5a
    M/TA:   EventSize          : 13
    M/TA:   Event              : NT_FW_CONFIG

These entries are the measurements TF-A stored during the measured boot
process and therefore they must match, digest for digest, the Event Log that
TF-A (BL2) dumps while booting. That dump can be seen on terminal_0:

.. code:: shell

    NOTICE:  Booting Trusted Firmware
    NOTICE:  BL1: v2.5(release):v2.5
    NOTICE:  BL1: Built : 10:41:20, Jul  2 2021
    NOTICE:  BL1: Booting BL2
    NOTICE:  BL2: v2.5(release):v2.5
    NOTICE:  BL2: Built : 10:41:20, Jul  2 2021
    NOTICE:  TCG_EfiSpecIDEvent:
    NOTICE:    PCRIndex           : 0
    NOTICE:    EventType          : 3
    NOTICE:    Digest             : 00
    NOTICE:                       : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    NOTICE:                       : 00 00 00
    NOTICE:    EventSize          : 33
    NOTICE:    Signature          : Spec ID Event03
    NOTICE:    PlatformClass      : 0
    NOTICE:    SpecVersion        : 2.0.2
    NOTICE:    UintnSize          : 1
    NOTICE:    NumberOfAlgorithms : 1
    NOTICE:    DigestSizes        :
    NOTICE:      #0 AlgorithmId   : SHA256
    NOTICE:         DigestSize    : 32
    NOTICE:    VendorInfoSize     : 0
    NOTICE:  PCR_Event2:
    NOTICE:    PCRIndex           : 0
    NOTICE:    EventType          : 3
    NOTICE:    Digests Count      : 1
    NOTICE:      #0 AlgorithmId   : SHA256
    NOTICE:         Digest        : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    NOTICE:                       : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    NOTICE:    EventSize          : 17
    NOTICE:    Signature          : StartupLocality
    NOTICE:    StartupLocality    : 0
    NOTICE:  PCR_Event2:
    NOTICE:    PCRIndex           : 0
    NOTICE:    EventType          : 1
    NOTICE:    Digests Count      : 1
    NOTICE:      #0 AlgorithmId   : SHA256
    NOTICE:         Digest        : 58 26 32 6e 64 45 64 da 45 de 35 db 96 fd ed 63
    NOTICE:                       : 2a 6a d4 0d aa 94 b0 b1 55 e4 72 e7 1f 0a e0 d5
    NOTICE:    EventSize          : 5
    NOTICE:    Event              : BL_2
    NOTICE:  PCR_Event2:
    NOTICE:    PCRIndex           : 0
    NOTICE:    EventType          : 1
    NOTICE:    Digests Count      : 1
    NOTICE:      #0 AlgorithmId   : SHA256
    NOTICE:         Digest        : cf f9 7d a3 5c 73 ac cb 7b a0 25 80 6a 6e 50 a5
    NOTICE:                       : 6b 2e d2 8c c9 36 92 7d 46 c5 b9 c3 a4 6c 51 7c
    NOTICE:    EventSize          : 6
    NOTICE:    Event              : BL_31
    NOTICE:  PCR_Event2:
    NOTICE:    PCRIndex           : 0
    NOTICE:    EventType          : 1
    NOTICE:    Digests Count      : 1
    NOTICE:      #0 AlgorithmId   : SHA256
    NOTICE:         Digest        : 23 b0 a3 5d 54 d9 43 1a 5c b9 89 63 1c da 06 c2
    NOTICE:                       : e5 de e7 7e 99 17 52 12 7d f7 45 ca 4f 4a 39 c0
    NOTICE:    EventSize          : 10
    NOTICE:    Event              : HW_CONFIG
    NOTICE:  PCR_Event2:
    NOTICE:    PCRIndex           : 0
    NOTICE:    EventType          : 1
    NOTICE:    Digests Count      : 1
    NOTICE:      #0 AlgorithmId   : SHA256
    NOTICE:         Digest        : 4e e4 8e 5a e6 50 ed e0 b5 a3 54 8a 1f d6 0e 8a
    NOTICE:                       : ea 0e 71 75 0e a4 3f 82 76 ce af cd 7c b0 91 e0
    NOTICE:    EventSize          : 14
    NOTICE:    Event              : SOC_FW_CONFIG
    NOTICE:  PCR_Event2:
    NOTICE:    PCRIndex           : 0
    NOTICE:    EventType          : 1
    NOTICE:    Digests Count      : 1
    NOTICE:      #0 AlgorithmId   : SHA256
    NOTICE:         Digest        : 01 b0 80 47 a1 ce 86 cd df 89 d2 1f 2e fc 6c 22
    NOTICE:                       : f8 19 ec 6e 1e ec 73 ba 5a be d0 96 e3 5f 6d 75
    NOTICE:    EventSize          : 6
    NOTICE:    Event              : BL_32
    NOTICE:  PCR_Event2:
    NOTICE:    PCRIndex           : 0
    NOTICE:    EventType          : 1
    NOTICE:    Digests Count      : 1
    NOTICE:      #0 AlgorithmId   : SHA256
    NOTICE:         Digest        : 5d c6 ef 35 5a 90 81 b4 37 e6 3b 52 da 92 ab 8e
    NOTICE:                       : d9 6e 93 98 2d 40 87 96 1b 5a a7 ee f1 f4 40 63
    NOTICE:    EventSize          : 18
    NOTICE:    Event              : BL32_EXTRA1_IMAGE
    NOTICE:  PCR_Event2:
    NOTICE:    PCRIndex           : 0
    NOTICE:    EventType          : 1
    NOTICE:    Digests Count      : 1
    NOTICE:      #0 AlgorithmId   : SHA256
    NOTICE:         Digest        : 39 b7 13 b9 93 db 32 2f 1b 48 30 eb 2c f2 5c 25
    NOTICE:                       : 00 0f 38 dc 8e c8 02 cd 79 f2 48 d2 2c 25 ab e2
    NOTICE:    EventSize          : 6
    NOTICE:    Event              : BL_33
    NOTICE:  PCR_Event2:
    NOTICE:    PCRIndex           : 0
    NOTICE:    EventType          : 1
    NOTICE:    Digests Count      : 1
    NOTICE:      #0 AlgorithmId   : SHA256
    NOTICE:         Digest        : 25 10 60 5d d4 bc 9d 82 7a 16 9f 8a cc 47 95 a6
    NOTICE:                       : fd ca a0 c1 2b c9 99 8f 51 20 ff c6 ed 74 68 5a
    NOTICE:    EventSize          : 13
    NOTICE:    Event              : NT_FW_CONFIG
    NOTICE:  BL1: Booting BL31
    NOTICE:  BL31: v2.5(release):v2.5
    NOTICE:  BL31: Built : 10:41:20, Jul  2 2021

Following up with the fTPM startup process, we can see that all the
measurements in the Event Log are extended and recorded in the appropriate PCR:

.. code:: shell

    M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
    M/TA:   ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
    M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
    M/TA:   ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
    M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
    M/TA:   ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
    M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
    M/TA:   ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
    M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
    M/TA:   ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
    M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
    M/TA:   ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
    M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
    M/TA:   ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
    M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
    M/TA:   ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
    M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
    M/TA:   ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
    M/TA: 9 Event logs processed

After the fTPM TA is loaded, the call to ``insmod`` issued by the ``ftpm``
alias to load the ftpm kernel module returns, and then the TPM PCRs are read
by means of the ``tpm2_pcrread`` command. Note that we are only interested in
the SHA256 bank here, as this is the algorithm we used in TF-A for the
measurements (see the field ``AlgorithmId`` in the logs above):

.. code:: shell

    sha256:
      0 : 0xA6EB3A7417B8CFA9EBA2E7C22AD5A4C03CDB8F3FBDD7667F9C3EF2EA285A8C9F
      1 : 0x0000000000000000000000000000000000000000000000000000000000000000
      2 : 0x0000000000000000000000000000000000000000000000000000000000000000
      3 : 0x0000000000000000000000000000000000000000000000000000000000000000
      4 : 0x0000000000000000000000000000000000000000000000000000000000000000
      5 : 0x0000000000000000000000000000000000000000000000000000000000000000
      6 : 0x0000000000000000000000000000000000000000000000000000000000000000
      7 : 0x0000000000000000000000000000000000000000000000000000000000000000
      8 : 0x0000000000000000000000000000000000000000000000000000000000000000
      9 : 0x0000000000000000000000000000000000000000000000000000000000000000
      10: 0x0000000000000000000000000000000000000000000000000000000000000000
      11: 0x0000000000000000000000000000000000000000000000000000000000000000
      12: 0x0000000000000000000000000000000000000000000000000000000000000000
      13: 0x0000000000000000000000000000000000000000000000000000000000000000
      14: 0x0000000000000000000000000000000000000000000000000000000000000000
      15: 0x0000000000000000000000000000000000000000000000000000000000000000
      16: 0x0000000000000000000000000000000000000000000000000000000000000000
      17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
      18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
      19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
      20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
      21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
      22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
      23: 0x0000000000000000000000000000000000000000000000000000000000000000

In this PoC we are only interested in PCR0, which must be non-null.
This is because the boot process records all the images in this PCR (see the
field ``PCRIndex`` in the Event Log above). The remaining PCRs must be 0 at
this point.

.. note::
   The fTPM service used has support only for 16 PCRs, therefore the content
   of PCRs above 15 can be ignored.

.. note::
   As stated earlier, Arm does not provide an fTPM implementation and therefore
   we do not validate here whether the content of PCR0 is correct or not. For this
   PoC, we are only focused on the fact that the Event Log could be passed to a third
   party fTPM and its records were properly extended.

Fine-tuning the fTPM TA
~~~~~~~~~~~~~~~~~~~~~~~

As stated earlier, the OP-TEE Toolkit includes support to build a third party fTPM
service. The build options for this service are tailored for the PoC and defined in
the build environment variable ``FTPM_FLAGS`` (see ``<toolkit_home>/build/common.mk``)
but they can be modified if needed to better adapt it to a specific scenario.

The most relevant options for Measured Boot support are:

 - **CFG_TA_DEBUG**: Enables debug logs in the Terminal_1 console.
 - **CFG_TEE_TA_LOG_LEVEL**: Defines the log level used for the debug messages.
 - **CFG_TA_MEASURED_BOOT**: Enables support for Measured Boot on the fTPM.
 - **CFG_TA_EVENT_LOG_SIZE**: Defines the size, in bytes, of the largest event log that
   the fTPM is able to store, as this buffer is allocated at build time. This must be at
   least the size of the event log generated by TF-A. If this build option
   is not defined, the fTPM falls back to a default value of 1024 bytes, which is enough
   for this PoC, so this variable is not defined in ``FTPM_FLAGS``.

--------------

*Copyright (c) 2021, Arm Limited. All rights reserved.*

.. _OP-TEE Toolkit: https://github.com/OP-TEE/build
.. _ms-tpm-20-ref: https://github.com/microsoft/ms-tpm-20-ref
.. _Get and build the solution: https://optee.readthedocs.io/en/latest/building/gits/build.html#get-and-build-the-solution
.. _Armv8-A Foundation Platform (For Linux Hosts Only): https://developer.arm.com/tools-and-software/simulation-models/fixed-virtual-platforms/arm-ecosystem-models
.. _tpm2-tools: https://github.com/tpm2-software/tpm2-tools
.. _TGC event log: https://trustedcomputinggroup.org/resource/tcg-efi-platform-specification/