Interaction between Measured Boot and an fTPM (PoC)
===================================================

Measured Boot is the process of cryptographically measuring the code and
critical data used at boot time, for example using a TPM, so that the
security state can be attested later.

The current implementation of the driver included in Trusted Firmware-A
(TF-A) stores the measurements into a `TCG event log <TGC event log_>`_ in
secure memory. No other means of recording measurements (such as extending
a discrete TPM directly) is supported right now.

The driver also provides mechanisms to pass the Event Log to the normal world
if needed.

This manual provides instructions to build a proof of concept (PoC) with the
sole intention of showing how Measured Boot can be used in conjunction with
a firmware TPM (fTPM) service implemented on top of OP-TEE.

.. note::
   The instructions given in this document are meant to build a PoC that
   shows how Measured Boot on TF-A can interact with a third party (f)TPM
   service, and they try to be as general as possible. Different platforms
   might have different needs and configurations (e.g. different SHA
   algorithms) and might also use different types of TPM services (or even
   a different type of service to provide the attestation), so the
   instructions given here might not apply in such scenarios.

Components
~~~~~~~~~~

The PoC is built on top of the `OP-TEE Toolkit`_, which has support to build
TF-A with Measured Boot enabled (and run it on a Foundation Model) since
commit cf56848.

The aforementioned toolkit builds a set of images that contain all the
components needed to test that the Event Log was properly created. One of
these images contains a third party fTPM service which in turn is used to
process the Event Log.

The OP-TEE Toolkit was chosen as the base of the PoC mostly for convenience:
as the fTPM service used is an OP-TEE TA, it was easy to add build support
for it to the toolkit and then build the PoC around it.

The components installed in the image that are most closely related to the
Measured Boot/fTPM functionality are:

   - **OP-TEE**: As stated earlier, the fTPM service used in this PoC is built
     as an OP-TEE TA and therefore we need to include the OP-TEE OS image.
     Support for interfacing with Measured Boot was added in version 3.9.0 of
     OP-TEE by implementing the ``PTA_SYSTEM_GET_TPM_EVENT_LOG`` command of
     the system PTA, which allows OP-TEE to pass a copy of the Event Log to
     any TA requesting it. OP-TEE learns the location of the Event Log from
     the DTB bindings received from TF-A. Visit
     :ref:`DTB binding for Event Log properties` for more details on this.

   - **fTPM Service**: We use a third party fTPM service in order to validate
     the Measured Boot functionality. The chosen fTPM service is the sample
     implementation for the AArch32 architecture included in the
     `ms-tpm-20-ref`_ reference implementation from Microsoft. The service
     was updated to extend the Measured Boot Event Log into its PCRs at start
     up; it uses the aforementioned ``PTA_SYSTEM_GET_TPM_EVENT_LOG`` call to
     retrieve a copy of the log.

   .. note::
      Arm does not provide an fTPM implementation. The fTPM service used here
      is a third party one which has been updated to support the Measured
      Boot service as provided by TF-A. As such, it is beyond the scope of
      this manual to test and verify the correctness of the output generated
      by the fTPM service.

   - **TPM Kernel module**: In order to interact with the fTPM service, we
     need a kernel module to forward requests from user space to the secure
     world.

   - `tpm2-tools`_: This is a set of tools that allow to interact with the
     fTPM service. We use it in order to read the PCRs holding the
     measurements.

Building the PoC for the Arm FVP platform
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

As mentioned before, this PoC is based on the OP-TEE Toolkit with some
extensions to enable Measured Boot and an fTPM service. Therefore, we can rely
on the instructions to build the original OP-TEE Toolkit. As a general rule,
the following steps should suffice:

(1) Start by following the `Get and build the solution`_ instructions to build
    the OP-TEE toolkit. On step 3, you need to get the manifest for the FVP
    platform from the main branch:

    .. code:: shell

       $ repo init -u https://github.com/OP-TEE/manifest.git -m fvp.xml

    Then proceed to sync the repos as stated in step 3. Continue following
    the instructions and stop before step 5.

(2) Next you should obtain the `Armv8-A Foundation Platform (For Linux Hosts Only)`_.
    The binary should be untarred at the root of the repo tree, i.e. at
    ``<fvp-project>/Foundation_Platformpkg``. In the end, after cloning
    all the source code, getting the toolchains and "installing"
    Foundation_Platformpkg, you should have a folder structure that looks like
    this:

    .. code:: shell

       $ ls -la
       total 80
       drwxrwxr-x 20 tf-a_user tf-a_user 4096 Jul  1 12:16 .
       drwxr-xr-x 23 tf-a_user tf-a_user 4096 Jul  1 10:40 ..
       drwxrwxr-x 12 tf-a_user tf-a_user 4096 Jul  1 10:45 build
       drwxrwxr-x 16 tf-a_user tf-a_user 4096 Jul  1 12:16 buildroot
       drwxrwxr-x 51 tf-a_user tf-a_user 4096 Jul  1 10:45 edk2
       drwxrwxr-x  6 tf-a_user tf-a_user 4096 Jul  1 12:14 edk2-platforms
       drwxr-xr-x  7 tf-a_user tf-a_user 4096 Jul  1 10:52 Foundation_Platformpkg
       drwxrwxr-x 17 tf-a_user tf-a_user 4096 Jul  2 10:40 grub
       drwxrwxr-x 25 tf-a_user tf-a_user 4096 Jul  2 10:39 linux
       drwxrwxr-x 15 tf-a_user tf-a_user 4096 Jul  1 10:45 mbedtls
       drwxrwxr-x  6 tf-a_user tf-a_user 4096 Jul  1 10:45 ms-tpm-20-ref
       drwxrwxr-x  8 tf-a_user tf-a_user 4096 Jul  1 10:45 optee_client
       drwxrwxr-x 10 tf-a_user tf-a_user 4096 Jul  1 10:45 optee_examples
       drwxrwxr-x 12 tf-a_user tf-a_user 4096 Jul  1 12:13 optee_os
       drwxrwxr-x  8 tf-a_user tf-a_user 4096 Jul  1 10:45 optee_test
       drwxrwxr-x  7 tf-a_user tf-a_user 4096 Jul  1 10:45 .repo
       drwxrwxr-x  4 tf-a_user tf-a_user 4096 Jul  1 12:12 toolchains
       drwxrwxr-x 21 tf-a_user tf-a_user 4096 Jul  1 12:15 trusted-firmware-a

(3) Now enter ``ms-tpm-20-ref`` and get its dependencies:

    .. code:: shell

       $ cd ms-tpm-20-ref
       $ git submodule init
       $ git submodule update
       Submodule path 'external/wolfssl': checked out '9c87f979a7f1d3a6d786b260653d566c1d31a1c4'

(4) Now, you should be able to continue with step 5 in the "`Get and build the solution`_"
    instructions. In order to enable support for Measured Boot, you need to
    set the ``MEASURED_BOOT`` build option:

    .. code:: shell

       $ MEASURED_BOOT=y make -j `nproc`

    .. note::
       The build process will likely take a long time. It is strongly
       recommended to pass the ``-j`` option to make so that the build runs
       in parallel.

    After this step, you should be ready to run the image.

Running and using the PoC on the Armv8-A Foundation AEM FVP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With everything built, you can now run the image:

.. code:: shell

   $ make run-only

.. note::
   Using ``make run`` will build and run the image and it can be used instead
   of simply ``make``. However, once the image is built, it is recommended to
   use ``make run-only`` to avoid re-running all the build rules, which
   would take time.

When the FVP is launched, two terminal windows will appear. ``FVP terminal_0``
is the normal world terminal (the Linux shell, and where TF-A prints its boot
logs) whereas ``FVP terminal_1`` is the counterpart for the secure world
(where TAs will print their logs, for instance).

Log into the image shell as user ``root``; no password will be required.
Then we can issue the ``ftpm`` command, which is an alias that

(1) loads the ftpm kernel module and

(2) calls ``tpm2_pcrread``, which accesses the fTPM service to read the
    PCRs.

When the ftpm kernel module is loaded, the fTPM TA is loaded into the secure
world. This TA then requests a copy of the Event Log generated during the
boot process so it can retrieve all the entries in the log and extend them
into its PCRs before serving any other request.

.. note::
   For this PoC, nothing loaded after BL33 and NT_FW_CONFIG is recorded
   in the Event Log; in particular, the kernel, its modules and the fTPM TA
   itself are not measured, so the PCR values shown below say nothing about
   them.

The secure world terminal should show the debug logs for the fTPM service,
including all the measurements available in the Event Log as they are being
processed:

.. code:: shell

   M/TA: Preparing to extend the following TPM Event Log:
   M/TA: TCG_EfiSpecIDEvent:
   M/TA:   PCRIndex           : 0
   M/TA:   EventType          : 3
   M/TA:   Digest             : 00
   M/TA:                      : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   M/TA:                      : 00 00 00
   M/TA:   EventSize          : 33
   M/TA:   Signature          : Spec ID Event03
   M/TA:   PlatformClass      : 0
   M/TA:   SpecVersion        : 2.0.2
   M/TA:   UintnSize          : 1
   M/TA:   NumberOfAlgorithms : 1
   M/TA:   DigestSizes        :
   M/TA:     #0 AlgorithmId   : SHA256
   M/TA:        DigestSize    : 32
   M/TA:   VendorInfoSize     : 0
   M/TA: PCR_Event2:
   M/TA:   PCRIndex           : 0
   M/TA:   EventType          : 3
   M/TA:   Digests Count      : 1
   M/TA:     #0 AlgorithmId   : SHA256
   M/TA:        Digest        : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   M/TA:                      : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   M/TA:   EventSize          : 17
   M/TA:   Signature          : StartupLocality
   M/TA:   StartupLocality    : 0
   M/TA: PCR_Event2:
   M/TA:   PCRIndex           : 0
   M/TA:   EventType          : 1
   M/TA:   Digests Count      : 1
   M/TA:     #0 AlgorithmId   : SHA256
   M/TA:        Digest        : 58 26 32 6e 64 45 64 da 45 de 35 db 96 fd ed 63
   M/TA:                      : 2a 6a d4 0d aa 94 b0 b1 55 e4 72 e7 1f 0a e0 d5
   M/TA:   EventSize          : 5
   M/TA:   Event              : BL_2
   M/TA: PCR_Event2:
   M/TA:   PCRIndex           : 0
   M/TA:   EventType          : 1
   M/TA:   Digests Count      : 1
   M/TA:     #0 AlgorithmId   : SHA256
   M/TA:        Digest        : cf f9 7d a3 5c 73 ac cb 7b a0 25 80 6a 6e 50 a5
   M/TA:                      : 6b 2e d2 8c c9 36 92 7d 46 c5 b9 c3 a4 6c 51 7c
   M/TA:   EventSize          : 6
   M/TA:   Event              : BL_31
   M/TA: PCR_Event2:
   M/TA:   PCRIndex           : 0
   M/TA:   EventType          : 1
   M/TA:   Digests Count      : 1
   M/TA:     #0 AlgorithmId   : SHA256
   M/TA:        Digest        : 23 b0 a3 5d 54 d9 43 1a 5c b9 89 63 1c da 06 c2
   M/TA:                      : e5 de e7 7e 99 17 52 12 7d f7 45 ca 4f 4a 39 c0
   M/TA:   EventSize          : 10
   M/TA:   Event              : HW_CONFIG
   M/TA: PCR_Event2:
   M/TA:   PCRIndex           : 0
   M/TA:   EventType          : 1
   M/TA:   Digests Count      : 1
   M/TA:     #0 AlgorithmId   : SHA256
   M/TA:        Digest        : 4e e4 8e 5a e6 50 ed e0 b5 a3 54 8a 1f d6 0e 8a
   M/TA:                      : ea 0e 71 75 0e a4 3f 82 76 ce af cd 7c b0 91 e0
   M/TA:   EventSize          : 14
   M/TA:   Event              : SOC_FW_CONFIG
   M/TA: PCR_Event2:
   M/TA:   PCRIndex           : 0
   M/TA:   EventType          : 1
   M/TA:   Digests Count      : 1
   M/TA:     #0 AlgorithmId   : SHA256
   M/TA:        Digest        : 01 b0 80 47 a1 ce 86 cd df 89 d2 1f 2e fc 6c 22
   M/TA:                      : f8 19 ec 6e 1e ec 73 ba 5a be d0 96 e3 5f 6d 75
   M/TA:   EventSize          : 6
   M/TA:   Event              : BL_32
   M/TA: PCR_Event2:
   M/TA:   PCRIndex           : 0
   M/TA:   EventType          : 1
   M/TA:   Digests Count      : 1
   M/TA:     #0 AlgorithmId   : SHA256
   M/TA:        Digest        : 5d c6 ef 35 5a 90 81 b4 37 e6 3b 52 da 92 ab 8e
   M/TA:                      : d9 6e 93 98 2d 40 87 96 1b 5a a7 ee f1 f4 40 63
   M/TA:   EventSize          : 18
   M/TA:   Event              : BL32_EXTRA1_IMAGE
   M/TA: PCR_Event2:
   M/TA:   PCRIndex           : 0
   M/TA:   EventType          : 1
   M/TA:   Digests Count      : 1
   M/TA:     #0 AlgorithmId   : SHA256
   M/TA:        Digest        : 39 b7 13 b9 93 db 32 2f 1b 48 30 eb 2c f2 5c 25
   M/TA:                      : 00 0f 38 dc 8e c8 02 cd 79 f2 48 d2 2c 25 ab e2
   M/TA:   EventSize          : 6
   M/TA:   Event              : BL_33
   M/TA: PCR_Event2:
   M/TA:   PCRIndex           : 0
   M/TA:   EventType          : 1
   M/TA:   Digests Count      : 1
   M/TA:     #0 AlgorithmId   : SHA256
   M/TA:        Digest        : 25 10 60 5d d4 bc 9d 82 7a 16 9f 8a cc 47 95 a6
   M/TA:                      : fd ca a0 c1 2b c9 99 8f 51 20 ff c6 ed 74 68 5a
   M/TA:   EventSize          : 13
   M/TA:   Event              : NT_FW_CONFIG

These logs correspond to the measurements stored by TF-A during the measured
boot process and therefore they should match the log entries TF-A itself
dumps while booting. These can be seen on ``FVP terminal_0``:

.. code:: shell

   NOTICE:  Booting Trusted Firmware
   NOTICE:  BL1: v2.5(release):v2.5
   NOTICE:  BL1: Built : 10:41:20, Jul  2 2021
   NOTICE:  BL1: Booting BL2
   NOTICE:  BL2: v2.5(release):v2.5
   NOTICE:  BL2: Built : 10:41:20, Jul  2 2021
   NOTICE:  TCG_EfiSpecIDEvent:
   NOTICE:    PCRIndex           : 0
   NOTICE:    EventType          : 3
   NOTICE:    Digest             : 00
   NOTICE:                       : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   NOTICE:                       : 00 00 00
   NOTICE:    EventSize          : 33
   NOTICE:    Signature          : Spec ID Event03
   NOTICE:    PlatformClass      : 0
   NOTICE:    SpecVersion        : 2.0.2
   NOTICE:    UintnSize          : 1
   NOTICE:    NumberOfAlgorithms : 1
   NOTICE:    DigestSizes        :
   NOTICE:      #0 AlgorithmId   : SHA256
   NOTICE:         DigestSize    : 32
   NOTICE:    VendorInfoSize     : 0
   NOTICE:  PCR_Event2:
   NOTICE:    PCRIndex           : 0
   NOTICE:    EventType          : 3
   NOTICE:    Digests Count      : 1
   NOTICE:      #0 AlgorithmId   : SHA256
   NOTICE:         Digest        : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   NOTICE:                       : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   NOTICE:    EventSize          : 17
   NOTICE:    Signature          : StartupLocality
   NOTICE:    StartupLocality    : 0
   NOTICE:  PCR_Event2:
   NOTICE:    PCRIndex           : 0
   NOTICE:    EventType          : 1
   NOTICE:    Digests Count      : 1
   NOTICE:      #0 AlgorithmId   : SHA256
   NOTICE:         Digest        : 58 26 32 6e 64 45 64 da 45 de 35 db 96 fd ed 63
   NOTICE:                       : 2a 6a d4 0d aa 94 b0 b1 55 e4 72 e7 1f 0a e0 d5
   NOTICE:    EventSize          : 5
   NOTICE:    Event              : BL_2
   NOTICE:  PCR_Event2:
   NOTICE:    PCRIndex           : 0
   NOTICE:    EventType          : 1
   NOTICE:    Digests Count      : 1
   NOTICE:      #0 AlgorithmId   : SHA256
   NOTICE:         Digest        : cf f9 7d a3 5c 73 ac cb 7b a0 25 80 6a 6e 50 a5
   NOTICE:                       : 6b 2e d2 8c c9 36 92 7d 46 c5 b9 c3 a4 6c 51 7c
   NOTICE:    EventSize          : 6
   NOTICE:    Event              : BL_31
   NOTICE:  PCR_Event2:
   NOTICE:    PCRIndex           : 0
   NOTICE:    EventType          : 1
   NOTICE:    Digests Count      : 1
   NOTICE:      #0 AlgorithmId   : SHA256
   NOTICE:         Digest        : 23 b0 a3 5d 54 d9 43 1a 5c b9 89 63 1c da 06 c2
   NOTICE:                       : e5 de e7 7e 99 17 52 12 7d f7 45 ca 4f 4a 39 c0
   NOTICE:    EventSize          : 10
   NOTICE:    Event              : HW_CONFIG
   NOTICE:  PCR_Event2:
   NOTICE:    PCRIndex           : 0
   NOTICE:    EventType          : 1
   NOTICE:    Digests Count      : 1
   NOTICE:      #0 AlgorithmId   : SHA256
   NOTICE:         Digest        : 4e e4 8e 5a e6 50 ed e0 b5 a3 54 8a 1f d6 0e 8a
   NOTICE:                       : ea 0e 71 75 0e a4 3f 82 76 ce af cd 7c b0 91 e0
   NOTICE:    EventSize          : 14
   NOTICE:    Event              : SOC_FW_CONFIG
   NOTICE:  PCR_Event2:
   NOTICE:    PCRIndex           : 0
   NOTICE:    EventType          : 1
   NOTICE:    Digests Count      : 1
   NOTICE:      #0 AlgorithmId   : SHA256
   NOTICE:         Digest        : 01 b0 80 47 a1 ce 86 cd df 89 d2 1f 2e fc 6c 22
   NOTICE:                       : f8 19 ec 6e 1e ec 73 ba 5a be d0 96 e3 5f 6d 75
   NOTICE:    EventSize          : 6
   NOTICE:    Event              : BL_32
   NOTICE:  PCR_Event2:
   NOTICE:    PCRIndex           : 0
   NOTICE:    EventType          : 1
   NOTICE:    Digests Count      : 1
   NOTICE:      #0 AlgorithmId   : SHA256
   NOTICE:         Digest        : 5d c6 ef 35 5a 90 81 b4 37 e6 3b 52 da 92 ab 8e
   NOTICE:                       : d9 6e 93 98 2d 40 87 96 1b 5a a7 ee f1 f4 40 63
   NOTICE:    EventSize          : 18
   NOTICE:    Event              : BL32_EXTRA1_IMAGE
   NOTICE:  PCR_Event2:
   NOTICE:    PCRIndex           : 0
   NOTICE:    EventType          : 1
   NOTICE:    Digests Count      : 1
   NOTICE:      #0 AlgorithmId   : SHA256
   NOTICE:         Digest        : 39 b7 13 b9 93 db 32 2f 1b 48 30 eb 2c f2 5c 25
   NOTICE:                       : 00 0f 38 dc 8e c8 02 cd 79 f2 48 d2 2c 25 ab e2
   NOTICE:    EventSize          : 6
   NOTICE:    Event              : BL_33
   NOTICE:  PCR_Event2:
   NOTICE:    PCRIndex           : 0
   NOTICE:    EventType          : 1
   NOTICE:    Digests Count      : 1
   NOTICE:      #0 AlgorithmId   : SHA256
   NOTICE:         Digest        : 25 10 60 5d d4 bc 9d 82 7a 16 9f 8a cc 47 95 a6
   NOTICE:                       : fd ca a0 c1 2b c9 99 8f 51 20 ff c6 ed 74 68 5a
   NOTICE:    EventSize          : 13
   NOTICE:    Event              : NT_FW_CONFIG
   NOTICE:  BL1: Booting BL31
   NOTICE:  BL31: v2.5(release):v2.5
   NOTICE:  BL31: Built : 10:41:20, Jul  2 2021

Following the fTPM startup process, we can see that all the measurements in
the Event Log are extended into the appropriate PCR:

.. code:: shell

   M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
   M/TA:   ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
   M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
   M/TA:   ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
   M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
   M/TA:   ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
   M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
   M/TA:   ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
   M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
   M/TA:   ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
   M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
   M/TA:   ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
   M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
   M/TA:   ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
   M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
   M/TA:   ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
   M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
   M/TA:   ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
   M/TA: 9 Event logs processed

After the fTPM TA is loaded, the call to ``insmod`` issued by the ``ftpm``
alias to load the ftpm kernel module returns, and then the TPM PCRs are read
by means of the ``tpm2_pcrread`` command. Note that we are only interested in
the SHA256 bank here, as this is the algorithm TF-A used for the measurements
(see the ``AlgorithmId`` field in the logs above):

.. code:: shell

   sha256:
   0 : 0xA6EB3A7417B8CFA9EBA2E7C22AD5A4C03CDB8F3FBDD7667F9C3EF2EA285A8C9F
   1 : 0x0000000000000000000000000000000000000000000000000000000000000000
   2 : 0x0000000000000000000000000000000000000000000000000000000000000000
   3 : 0x0000000000000000000000000000000000000000000000000000000000000000
   4 : 0x0000000000000000000000000000000000000000000000000000000000000000
   5 : 0x0000000000000000000000000000000000000000000000000000000000000000
   6 : 0x0000000000000000000000000000000000000000000000000000000000000000
   7 : 0x0000000000000000000000000000000000000000000000000000000000000000
   8 : 0x0000000000000000000000000000000000000000000000000000000000000000
   9 : 0x0000000000000000000000000000000000000000000000000000000000000000
   10: 0x0000000000000000000000000000000000000000000000000000000000000000
   11: 0x0000000000000000000000000000000000000000000000000000000000000000
   12: 0x0000000000000000000000000000000000000000000000000000000000000000
   13: 0x0000000000000000000000000000000000000000000000000000000000000000
   14: 0x0000000000000000000000000000000000000000000000000000000000000000
   15: 0x0000000000000000000000000000000000000000000000000000000000000000
   16: 0x0000000000000000000000000000000000000000000000000000000000000000
   17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
   18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
   19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
   20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
   21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
   22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
   23: 0x0000000000000000000000000000000000000000000000000000000000000000

In this PoC we are only interested in PCR0, which must be non-zero. This is
because the boot process records all the images in this PCR (see the
``PCRIndex`` field in the Event Log above). The remaining PCRs must still be
0 at this point.

.. note::
   The fTPM service used has support only for 16 PCRs, therefore the content
   of PCRs above 15 can be ignored.

.. note::
   As stated earlier, Arm does not provide an fTPM implementation and therefore
   we do not validate here whether the content of PCR0 is correct or not. For
   this PoC, we are only focused on the fact that the Event Log could be passed
   to a third party fTPM and its records were extended. A full check would
   replay the Event Log independently and compare the result with the PCR0
   value read above. Bear in mind that the fTPM reports nine extend
   operations, which matches the number of ``PCR_Event2`` entries including
   the ``StartupLocality`` one, whereas the TCG PC Client Platform Firmware
   Profile specifies that ``EV_NO_ACTION`` entries (``EventType`` 3, i.e. the
   Spec ID and ``StartupLocality`` events here) are never extended into a
   PCR; a spec-compliant replay therefore extends only the eight image
   digests and may not reproduce the value shown above.

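The check that the notes above leave out can be done offline. The following
Python script is an added example, not code from TF-A, OP-TEE or the
ms-tpm-20-ref fTPM: it parses a crypto-agile TCG event log (a ``TCG_PCR_EVENT``
header carrying the Spec ID event, followed by ``TCG_PCR_EVENT2`` entries),
rejects digests whose algorithm the header did not declare and truncated
entries, and replays the log into PCR0 the way a TCG-compliant verifier does,
skipping ``EV_NO_ACTION`` entries. Since the Event Log itself cannot be copied
out of the FVP here, the script constructs the log bytes in the layout shown
above from the SHA256 digests and event names printed on this page (event data,
sizes and the 33-byte Spec ID event match the dump). The value it computes is
the PCR0 a verifier expects for this boot; whether it equals the
``0xA6EB...`` read from the fTPM is exactly what the comparison tells you.

```python
"""Parse a TCG 2.0 crypto-agile event log and replay it into PCR0.
Added example, not code from TF-A, OP-TEE or ms-tpm-20-ref; the log bytes are
built by build_log() in TF-A's layout from the digests printed on this page."""
import hashlib
import struct

EV_POST_CODE = 0x01      # TF-A records each image with this event type
EV_NO_ACTION = 0x03      # informational entries; never extended into a PCR
TPM_ALG_SHA256 = 0x000B
HASH_NAMES = {0x0004: "sha1", TPM_ALG_SHA256: "sha256"}

# (event name, SHA256 digest) as printed by TF-A for the FVP boot on this page.
PAGE_IMAGE_DIGESTS = [
    ("BL_2", "5826326e644564da45de35db96fded632a6ad40daa94b0b155e472e71f0ae0d5"),
    ("BL_31", "cff97da35c73accb7ba025806a6e50a56b2ed28cc936927d46c5b9c3a46c517c"),
    ("HW_CONFIG", "23b0a35d54d9431a5cb989631cda06c2e5dee77e991752127df745ca4f4a39c0"),
    ("SOC_FW_CONFIG", "4ee48e5ae650ede0b5a3548a1fd60e8aea0e71750ea43f8276ceafcd7cb091e0"),
    ("BL_32", "01b08047a1ce86cddf89d21f2efc6c22f819ec6e1eec73ba5abed096e35f6d75"),
    ("BL32_EXTRA1_IMAGE", "5dc6ef355a9081b437e63b52da92ab8ed96e93982d4087961b5aa7eef1f44063"),
    ("BL_33", "39b713b993db322f1b4830eb2cf25c25000f38dc8ec802cd79f248d22c25abe2"),
    ("NT_FW_CONFIG", "2510605dd4bc9d827a169f8acc4795a6fdcaa0c12bc9998f5120ffc6ed74685a"),
]


def build_log(entries, alg=TPM_ALG_SHA256):
    """Serialise a one-bank log: a TCG_PCR_EVENT header carrying the Spec ID
    event, then one TCG_PCR_EVENT2 per (pcr, event_type, digest, data)."""
    dsize = hashlib.new(HASH_NAMES[alg]).digest_size
    # TCG_EfiSpecIdEvent: signature, platformClass 0, version 2.0.2, uintnSize 1,
    # one algorithm, empty vendor info: 33 bytes, as in the log above.
    spec = (b"Spec ID Event03\0" + struct.pack("<IBBBBI", 0, 0, 2, 2, 1, 1)
            + struct.pack("<HH", alg, dsize) + b"\0")
    log = struct.pack("<II", 0, EV_NO_ACTION) + bytes(20) + struct.pack("<I", len(spec)) + spec
    for pcr, etype, digest, data in entries:
        log += struct.pack("<IIIH", pcr, etype, 1, alg) + digest
        log += struct.pack("<I", len(data)) + data
    return log


def sample_log():
    """Constructed stand-in for the log TF-A hands over: StartupLocality 0,
    then the eight image events, all in PCR0."""
    entries = [(0, EV_NO_ACTION, bytes(32), b"StartupLocality\0\0")]
    for name, hexdigest in PAGE_IMAGE_DIGESTS:
        entries.append((0, EV_POST_CODE, bytes.fromhex(hexdigest), name.encode() + b"\0"))
    return build_log(entries)


def parse_event_log(log):
    """Return ({alg: digest size}, events); each event is a dict with pcr, type,
    digests ({alg: bytes}) and data.  Event 0 is the Spec ID header."""
    pcr, etype, size = struct.unpack_from("<II20xI", log, 0)  # header digest is SHA1-sized
    off = 32
    data = log[off:off + size]
    off += size
    if etype != EV_NO_ACTION or not data.startswith(b"Spec ID Event03\0"):
        raise ValueError("log does not start with a TCG_EfiSpecIDEvent header")
    n_algs = struct.unpack_from("<I", data, 24)[0]
    algs = dict(struct.unpack_from("<HH", data, 28 + 4 * i) for i in range(n_algs))
    events = [{"pcr": pcr, "type": etype, "digests": {}, "data": data}]
    while off < len(log):
        pcr, etype, count = struct.unpack_from("<III", log, off)
        off += 12
        digests = {}
        for _ in range(count):
            alg = struct.unpack_from("<H", log, off)[0]
            if alg not in algs:  # digest of an algorithm the header did not declare
                raise ValueError(f"algorithm {alg:#06x} not declared in the header")
            digests[alg] = log[off + 2:off + 2 + algs[alg]]
            off += 2 + algs[alg]
        size = struct.unpack_from("<I", log, off)[0]
        off += 4
        if off + size > len(log):
            raise ValueError("truncated event data")
        events.append({"pcr": pcr, "type": etype, "digests": digests, "data": log[off:off + size]})
        off += size
    return algs, events


def extend_pcr(current, digest, alg=TPM_ALG_SHA256):
    """TPM2_PCR_Extend semantics: new = H(old || digest)."""
    return hashlib.new(HASH_NAMES[alg], current + digest).digest()


def replay(events, alg=TPM_ALG_SHA256):
    """PCR values a TCG-compliant verifier derives from the log.  EV_NO_ACTION
    entries are never extended; only StartupLocality sets the initial PCR0."""
    dsize = hashlib.new(HASH_NAMES[alg]).digest_size
    pcrs = {}
    for ev in events:
        if ev["type"] == EV_NO_ACTION:
            if ev["data"].startswith(b"StartupLocality\0"):
                pcrs[0] = bytes(dsize - 1) + ev["data"][16:17]  # 0..0 || startup locality
            continue
        if alg not in ev["digests"]:
            raise ValueError(f"{ev['data']!r} carries no {HASH_NAMES[alg]} digest")
        pcrs[ev["pcr"]] = extend_pcr(pcrs.get(ev["pcr"], bytes(dsize)), ev["digests"][alg], alg)
    return pcrs


def verify_pcr0(log, reported_pcr0):
    """True iff PCR0 as read with tpm2_pcrread equals a replay of the log."""
    _, events = parse_event_log(log)
    return replay(events).get(0) == reported_pcr0
```

Print ``replay(parse_event_log(sample_log())[1])[0].hex()`` and compare it with
the PCR0 line of the ``tpm2_pcrread`` output above. If the two differ, the
fTPM's extend sequence is not the one a compliant verifier reconstructs (for
instance because it also extended the all-zero ``StartupLocality`` digest);
if they match, PCR0 is fully reproducible from the log. ``len(sample_log())``
is also the minimum value the fTPM's ``CFG_TA_EVENT_LOG_SIZE`` build option
must hold for a log of this shape.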
Fine-tuning the fTPM TA
~~~~~~~~~~~~~~~~~~~~~~~

As stated earlier, the OP-TEE Toolkit includes support to build a third party
fTPM service. The build options for this service are tailored for the PoC and
defined in the build environment variable ``FTPM_FLAGS`` (see
``<toolkit_home>/build/common.mk``), but they can be modified if needed to
better adapt it to a specific scenario.

The most relevant options for Measured Boot support are:

   - **CFG_TA_DEBUG**: Enables debug logs in the Terminal_1 console.
   - **CFG_TEE_TA_LOG_LEVEL**: Defines the log level used for the debug messages.
   - **CFG_TA_MEASURED_BOOT**: Enables support for measured boot on the fTPM.
   - **CFG_TA_EVENT_LOG_SIZE**: Defines the size, in bytes, of the largest
     event log that the fTPM is able to store, as this buffer is allocated at
     build time. This must be at least the size of the event log generated by
     TF-A (a larger log will not fit, so re-check this value when adding
     measurements or a second digest algorithm). If this build option is not
     defined, the fTPM falls back to a default value of 1024 bytes, which is
     enough for this PoC, so this variable is not defined in ``FTPM_FLAGS``.

--------------

*Copyright (c) 2021, Arm Limited. All rights reserved.*

.. _OP-TEE Toolkit: https://github.com/OP-TEE/build
.. _ms-tpm-20-ref: https://github.com/microsoft/ms-tpm-20-ref
.. _Get and build the solution: https://optee.readthedocs.io/en/latest/building/gits/build.html#get-and-build-the-solution
.. _Armv8-A Foundation Platform (For Linux Hosts Only): https://developer.arm.com/tools-and-software/simulation-models/fixed-virtual-platforms/arm-ecosystem-models
.. _tpm2-tools: https://github.com/tpm2-software/tpm2-tools
.. _TGC event log: https://trustedcomputinggroup.org/resource/tcg-efi-platform-specification/
