Interaction between Measured Boot and an fTPM (PoC)
===================================================

Measured Boot is the process of cryptographically measuring the code and
critical data used at boot time, for example using a TPM, so that the
security state can be attested later.

The current implementation of the driver included in |TF-A| supports several
backends, each with a different means of storing the measurements.
This section focuses on the `TCG event log`_ backend, which stores measurements
in secure memory.

See :ref:`Measured Boot Design` for details.

The driver also provides mechanisms to pass the Event Log to the normal world if
needed.

This manual provides instructions to build a proof of concept (PoC) with the
sole intention of showing how Measured Boot can be used in conjunction with
a firmware TPM (fTPM) service implemented on top of OP-TEE.

.. note::
   The instructions given in this document are meant to be used to build
   a PoC showing how Measured Boot on TF-A can interact with a third
   party (f)TPM service, and they try to be as general as possible. Different
   platforms might have different needs and configurations (e.g. different
   SHA algorithms) and might also use different types of TPM services
   (or even a different type of service to provide the attestation),
   so the instructions given here might not apply in such scenarios.

Components
~~~~~~~~~~

The PoC is built on top of the `OP-TEE Toolkit`_, which has support to build
TF-A with Measured Boot enabled (and run it on a Foundation Model)
since commit cf56848.

The aforementioned toolkit builds a set of images that contain all the components
needed to test that the Event Log was properly created. One of these images will
contain a third party fTPM service which in turn will be used to process the
Event Log.

The reason to choose the OP-TEE Toolkit to build our PoC around is mostly
convenience. As the fTPM service used is an OP-TEE TA, it was easy to add
build support for it to the toolkit and then build the PoC around it.

The most relevant components installed in the image that are closely related to
Measured Boot/fTPM functionality are:

  - **OP-TEE**: As stated earlier, the fTPM service used in this PoC is built as an
    OP-TEE TA and therefore we need to include the OP-TEE OS image.
    Support for interfacing with Measured Boot was added to version 3.9.0 of
    OP-TEE by implementing the ``PTA_SYSTEM_GET_TPM_EVENT_LOG`` command of the
    system pseudo-TA, which allows OP-TEE to pass a copy of the Event Log to
    any TA requesting it.
    OP-TEE knows the location of the Event Log by reading the DTB bindings
    received from TF-A. Visit :ref:`DTB binding for Event Log properties`
    for more details on this.

  - **fTPM Service**: We use a third party fTPM service in order to validate
    the Measured Boot functionality. The chosen fTPM service is the sample
    implementation for the AArch32 architecture included in the `ms-tpm-20-ref`_
    reference implementation from Microsoft. The service was updated in order
    to extend the Measured Boot Event Log at boot up, and it uses the
    aforementioned ``PTA_SYSTEM_GET_TPM_EVENT_LOG`` call to retrieve a copy
    of the Event Log.

    .. note::
       Arm does not provide an fTPM implementation. The fTPM service used here
       is a third party one which has been updated to support the Measured Boot
       service as provided by TF-A. As such, it is beyond the scope of this
       manual to test and verify the correctness of the output generated by the
       fTPM service.

  - **TPM Kernel module**: In order to interact with the fTPM service, we need
    a kernel module to forward the requests from user space to the secure world.

  - `tpm2-tools`_: This is a set of tools that allow interaction with the
    fTPM service.
    We use this in order to read the PCRs with the measurements.

Building the PoC for the Arm FVP platform
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

As mentioned before, this PoC is based on the OP-TEE Toolkit with some
extensions to enable Measured Boot and an fTPM service. Therefore, we can rely
on the instructions to build the original OP-TEE Toolkit. As a general rule,
the following steps should suffice:

(1) Start by following the `Get and build the solution`_ instructions to build
    the OP-TEE toolkit. On step 3, you need to get the manifest for the FVP
    platform from the main branch:

    .. code:: shell

        $ repo init -u https://github.com/OP-TEE/manifest.git -m fvp.xml

    Then proceed to sync the repos as stated in step 3. Continue following
    the instructions and stop before step 5.

(2) Next you should obtain the `Armv8-A Foundation Platform (For Linux Hosts Only)`_.
    The binary should be untarred to the root of the repo tree, i.e., like
    this: ``<fvp-project>/Foundation_Platformpkg``. In the end, after cloning
    all source code, getting the toolchains and "installing"
    Foundation_Platformpkg, you should have a folder structure that looks like
    this:

    .. code:: shell

        $ ls -la
        total 80
        drwxrwxr-x 20 tf-a_user tf-a_user 4096 Jul  1 12:16 .
        drwxr-xr-x 23 tf-a_user tf-a_user 4096 Jul  1 10:40 ..
        drwxrwxr-x 12 tf-a_user tf-a_user 4096 Jul  1 10:45 build
        drwxrwxr-x 16 tf-a_user tf-a_user 4096 Jul  1 12:16 buildroot
        drwxrwxr-x 51 tf-a_user tf-a_user 4096 Jul  1 10:45 edk2
        drwxrwxr-x  6 tf-a_user tf-a_user 4096 Jul  1 12:14 edk2-platforms
        drwxr-xr-x  7 tf-a_user tf-a_user 4096 Jul  1 10:52 Foundation_Platformpkg
        drwxrwxr-x 17 tf-a_user tf-a_user 4096 Jul  2 10:40 grub
        drwxrwxr-x 25 tf-a_user tf-a_user 4096 Jul  2 10:39 linux
        drwxrwxr-x 15 tf-a_user tf-a_user 4096 Jul  1 10:45 mbedtls
        drwxrwxr-x  6 tf-a_user tf-a_user 4096 Jul  1 10:45 ms-tpm-20-ref
        drwxrwxr-x  8 tf-a_user tf-a_user 4096 Jul  1 10:45 optee_client
        drwxrwxr-x 10 tf-a_user tf-a_user 4096 Jul  1 10:45 optee_examples
        drwxrwxr-x 12 tf-a_user tf-a_user 4096 Jul  1 12:13 optee_os
        drwxrwxr-x  8 tf-a_user tf-a_user 4096 Jul  1 10:45 optee_test
        drwxrwxr-x  7 tf-a_user tf-a_user 4096 Jul  1 10:45 .repo
        drwxrwxr-x  4 tf-a_user tf-a_user 4096 Jul  1 12:12 toolchains
        drwxrwxr-x 21 tf-a_user tf-a_user 4096 Jul  1 12:15 trusted-firmware-a

(3) Now enter ``ms-tpm-20-ref`` and fetch its dependencies:

    .. code:: shell

        $ cd ms-tpm-20-ref
        $ git submodule init
        $ git submodule update
        Submodule path 'external/wolfssl': checked out '9c87f979a7f1d3a6d786b260653d566c1d31a1c4'

(4) Now you should be able to continue with step 5 in the "`Get and build the solution`_"
    instructions. In order to enable support for Measured Boot, you need to
    set the following build options:

    .. code:: shell

        $ MEASURED_BOOT=y MEASURED_BOOT_FTPM=y make -j `nproc`

    .. note::
       The build process will likely take a long time. It is strongly recommended to
       pass the ``-j`` option to make to run the process faster.

    After this step, you should be ready to run the image.

Running and using the PoC on the Armv8-A Foundation AEM FVP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With everything built, you can now run the image:

.. code:: shell

    $ make run-only

.. note::
   ``make run`` will build and run the image, and it can be used instead
   of plain ``make``. However, once the image is built, it is recommended to
   use ``make run-only`` to avoid re-running all the build rules, which
   would take time.

When the FVP is launched, two terminal windows will appear. ``FVP terminal_0``
is the normal world (userspace) terminal, whereas ``FVP terminal_1`` is the
counterpart for the secure world (where TAs print their logs, for instance).

Log into the image shell with user ``root``; no password is required.
Then issue the ``ftpm`` command, which is an alias that

(1) loads the ftpm kernel module and

(2) calls ``tpm2_pcrread``, which accesses the fTPM service to read the
    PCRs.

When the ftpm kernel module is loaded, the fTPM TA is loaded into the secure
world. The TA then requests a copy of the Event Log generated during boot so
that it can retrieve all the entries in the log and record them in the PCRs
as its first action.

.. note::
   For this PoC, nothing loaded after BL33 and NT_FW_CONFIG is recorded
   in the Event Log.

The secure world terminal should show the debug logs for the fTPM service,
including all the measurements available in the Event Log as they are being
processed:

.. code:: shell

    M/TA: Preparing to extend the following TPM Event Log:
    M/TA: TCG_EfiSpecIDEvent:
    M/TA:   PCRIndex           : 0
    M/TA:   EventType          : 3
    M/TA:   Digest             : 00
    M/TA:                      : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    M/TA:                      : 00 00 00
    M/TA:   EventSize          : 33
    M/TA:   Signature          : Spec ID Event03
    M/TA:   PlatformClass      : 0
    M/TA:   SpecVersion        : 2.0.2
    M/TA:   UintnSize          : 1
    M/TA:   NumberOfAlgorithms : 1
    M/TA:   DigestSizes        :
    M/TA:     #0 AlgorithmId   : SHA256
    M/TA:        DigestSize    : 32
    M/TA:   VendorInfoSize     : 0
    M/TA: PCR_Event2:
    M/TA:   PCRIndex           : 0
    M/TA:   EventType          : 3
    M/TA:   Digests Count      : 1
    M/TA:     #0 AlgorithmId   : SHA256
    M/TA:        Digest        : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    M/TA:                      : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    M/TA:   EventSize          : 17
    M/TA:   Signature          : StartupLocality
    M/TA:   StartupLocality    : 0
    M/TA: PCR_Event2:
    M/TA:   PCRIndex           : 0
    M/TA:   EventType          : 1
    M/TA:   Digests Count      : 1
    M/TA:     #0 AlgorithmId   : SHA256
    M/TA:        Digest        : 58 26 32 6e 64 45 64 da 45 de 35 db 96 fd ed 63
    M/TA:                      : 2a 6a d4 0d aa 94 b0 b1 55 e4 72 e7 1f 0a e0 d5
    M/TA:   EventSize          : 5
    M/TA:   Event              : BL_2
    M/TA: PCR_Event2:
    M/TA:   PCRIndex           : 0
    M/TA:   EventType          : 1
    M/TA:   Digests Count      : 1
    M/TA:     #0 AlgorithmId   : SHA256
    M/TA:        Digest        : cf f9 7d a3 5c 73 ac cb 7b a0 25 80 6a 6e 50 a5
    M/TA:                      : 6b 2e d2 8c c9 36 92 7d 46 c5 b9 c3 a4 6c 51 7c
    M/TA:   EventSize          : 6
    M/TA:   Event              : BL_31
    M/TA: PCR_Event2:
    M/TA:   PCRIndex           : 0
    M/TA:   EventType          : 1
    M/TA:   Digests Count      : 1
    M/TA:     #0 AlgorithmId   : SHA256
    M/TA:        Digest        : 23 b0 a3 5d 54 d9 43 1a 5c b9 89 63 1c da 06 c2
    M/TA:                      : e5 de e7 7e 99 17 52 12 7d f7 45 ca 4f 4a 39 c0
    M/TA:   EventSize          : 10
    M/TA:   Event              : HW_CONFIG
    M/TA: PCR_Event2:
    M/TA:   PCRIndex           : 0
    M/TA:   EventType          : 1
    M/TA:   Digests Count      : 1
    M/TA:     #0 AlgorithmId   : SHA256
    M/TA:        Digest        : 4e e4 8e 5a e6 50 ed e0 b5 a3 54 8a 1f d6 0e 8a
    M/TA:                      : ea 0e 71 75 0e a4 3f 82 76 ce af cd 7c b0 91 e0
    M/TA:   EventSize          : 14
    M/TA:   Event              : SOC_FW_CONFIG
    M/TA: PCR_Event2:
    M/TA:   PCRIndex           : 0
    M/TA:   EventType          : 1
    M/TA:   Digests Count      : 1
    M/TA:     #0 AlgorithmId   : SHA256
    M/TA:        Digest        : 01 b0 80 47 a1 ce 86 cd df 89 d2 1f 2e fc 6c 22
    M/TA:                      : f8 19 ec 6e 1e ec 73 ba 5a be d0 96 e3 5f 6d 75
    M/TA:   EventSize          : 6
    M/TA:   Event              : BL_32
    M/TA: PCR_Event2:
    M/TA:   PCRIndex           : 0
    M/TA:   EventType          : 1
    M/TA:   Digests Count      : 1
    M/TA:     #0 AlgorithmId   : SHA256
    M/TA:        Digest        : 5d c6 ef 35 5a 90 81 b4 37 e6 3b 52 da 92 ab 8e
    M/TA:                      : d9 6e 93 98 2d 40 87 96 1b 5a a7 ee f1 f4 40 63
    M/TA:   EventSize          : 18
    M/TA:   Event              : BL32_EXTRA1_IMAGE
    M/TA: PCR_Event2:
    M/TA:   PCRIndex           : 0
    M/TA:   EventType          : 1
    M/TA:   Digests Count      : 1
    M/TA:     #0 AlgorithmId   : SHA256
    M/TA:        Digest        : 39 b7 13 b9 93 db 32 2f 1b 48 30 eb 2c f2 5c 25
    M/TA:                      : 00 0f 38 dc 8e c8 02 cd 79 f2 48 d2 2c 25 ab e2
    M/TA:   EventSize          : 6
    M/TA:   Event              : BL_33
    M/TA: PCR_Event2:
    M/TA:   PCRIndex           : 0
    M/TA:   EventType          : 1
    M/TA:   Digests Count      : 1
    M/TA:     #0 AlgorithmId   : SHA256
    M/TA:        Digest        : 25 10 60 5d d4 bc 9d 82 7a 16 9f 8a cc 47 95 a6
    M/TA:                      : fd ca a0 c1 2b c9 99 8f 51 20 ff c6 ed 74 68 5a
    M/TA:   EventSize          : 13
    M/TA:   Event              : NT_FW_CONFIG

These logs correspond to the measurements stored by TF-A during the measured
boot process and therefore they should match the Event Log dumped by TF-A
during boot. These can be seen on terminal_0:

.. code:: shell

    NOTICE:  Booting Trusted Firmware
    NOTICE:  BL1: v2.5(release):v2.5
    NOTICE:  BL1: Built : 10:41:20, Jul  2 2021
    NOTICE:  BL1: Booting BL2
    NOTICE:  BL2: v2.5(release):v2.5
    NOTICE:  BL2: Built : 10:41:20, Jul  2 2021
    NOTICE:  TCG_EfiSpecIDEvent:
    NOTICE:    PCRIndex           : 0
    NOTICE:    EventType          : 3
    NOTICE:    Digest             : 00
    NOTICE:                       : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    NOTICE:                       : 00 00 00
    NOTICE:    EventSize          : 33
    NOTICE:    Signature          : Spec ID Event03
    NOTICE:    PlatformClass      : 0
    NOTICE:    SpecVersion        : 2.0.2
    NOTICE:    UintnSize          : 1
    NOTICE:    NumberOfAlgorithms : 1
    NOTICE:    DigestSizes        :
    NOTICE:      #0 AlgorithmId   : SHA256
    NOTICE:         DigestSize    : 32
    NOTICE:    VendorInfoSize     : 0
    NOTICE:  PCR_Event2:
    NOTICE:    PCRIndex           : 0
    NOTICE:    EventType          : 3
    NOTICE:    Digests Count      : 1
    NOTICE:      #0 AlgorithmId   : SHA256
    NOTICE:         Digest        : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    NOTICE:                       : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    NOTICE:    EventSize          : 17
    NOTICE:    Signature          : StartupLocality
    NOTICE:    StartupLocality    : 0
    NOTICE:  PCR_Event2:
    NOTICE:    PCRIndex           : 0
    NOTICE:    EventType          : 1
    NOTICE:    Digests Count      : 1
    NOTICE:      #0 AlgorithmId   : SHA256
    NOTICE:         Digest        : 58 26 32 6e 64 45 64 da 45 de 35 db 96 fd ed 63
    NOTICE:                       : 2a 6a d4 0d aa 94 b0 b1 55 e4 72 e7 1f 0a e0 d5
    NOTICE:    EventSize          : 5
    NOTICE:    Event              : BL_2
    NOTICE:  PCR_Event2:
    NOTICE:    PCRIndex           : 0
    NOTICE:    EventType          : 1
    NOTICE:    Digests Count      : 1
    NOTICE:      #0 AlgorithmId   : SHA256
    NOTICE:         Digest        : cf f9 7d a3 5c 73 ac cb 7b a0 25 80 6a 6e 50 a5
    NOTICE:                       : 6b 2e d2 8c c9 36 92 7d 46 c5 b9 c3 a4 6c 51 7c
    NOTICE:    EventSize          : 6
    NOTICE:    Event              : BL_31
    NOTICE:  PCR_Event2:
    NOTICE:    PCRIndex           : 0
    NOTICE:    EventType          : 1
    NOTICE:    Digests Count      : 1
    NOTICE:      #0 AlgorithmId   : SHA256
    NOTICE:         Digest        : 23 b0 a3 5d 54 d9 43 1a 5c b9 89 63 1c da 06 c2
    NOTICE:                       : e5 de e7 7e 99 17 52 12 7d f7 45 ca 4f 4a 39 c0
    NOTICE:    EventSize          : 10
    NOTICE:    Event              : HW_CONFIG
    NOTICE:  PCR_Event2:
    NOTICE:    PCRIndex           : 0
    NOTICE:    EventType          : 1
    NOTICE:    Digests Count      : 1
    NOTICE:      #0 AlgorithmId   : SHA256
    NOTICE:         Digest        : 4e e4 8e 5a e6 50 ed e0 b5 a3 54 8a 1f d6 0e 8a
    NOTICE:                       : ea 0e 71 75 0e a4 3f 82 76 ce af cd 7c b0 91 e0
    NOTICE:    EventSize          : 14
    NOTICE:    Event              : SOC_FW_CONFIG
    NOTICE:  PCR_Event2:
    NOTICE:    PCRIndex           : 0
    NOTICE:    EventType          : 1
    NOTICE:    Digests Count      : 1
    NOTICE:      #0 AlgorithmId   : SHA256
    NOTICE:         Digest        : 01 b0 80 47 a1 ce 86 cd df 89 d2 1f 2e fc 6c 22
    NOTICE:                       : f8 19 ec 6e 1e ec 73 ba 5a be d0 96 e3 5f 6d 75
    NOTICE:    EventSize          : 6
    NOTICE:    Event              : BL_32
    NOTICE:  PCR_Event2:
    NOTICE:    PCRIndex           : 0
    NOTICE:    EventType          : 1
    NOTICE:    Digests Count      : 1
    NOTICE:      #0 AlgorithmId   : SHA256
    NOTICE:         Digest        : 5d c6 ef 35 5a 90 81 b4 37 e6 3b 52 da 92 ab 8e
    NOTICE:                       : d9 6e 93 98 2d 40 87 96 1b 5a a7 ee f1 f4 40 63
    NOTICE:    EventSize          : 18
    NOTICE:    Event              : BL32_EXTRA1_IMAGE
    NOTICE:  PCR_Event2:
    NOTICE:    PCRIndex           : 0
    NOTICE:    EventType          : 1
    NOTICE:    Digests Count      : 1
    NOTICE:      #0 AlgorithmId   : SHA256
    NOTICE:         Digest        : 39 b7 13 b9 93 db 32 2f 1b 48 30 eb 2c f2 5c 25
    NOTICE:                       : 00 0f 38 dc 8e c8 02 cd 79 f2 48 d2 2c 25 ab e2
    NOTICE:    EventSize          : 6
    NOTICE:    Event              : BL_33
    NOTICE:  PCR_Event2:
    NOTICE:    PCRIndex           : 0
    NOTICE:    EventType          : 1
    NOTICE:    Digests Count      : 1
    NOTICE:      #0 AlgorithmId   : SHA256
    NOTICE:         Digest        : 25 10 60 5d d4 bc 9d 82 7a 16 9f 8a cc 47 95 a6
    NOTICE:                       : fd ca a0 c1 2b c9 99 8f 51 20 ff c6 ed 74 68 5a
    NOTICE:    EventSize          : 13
    NOTICE:    Event              : NT_FW_CONFIG
    NOTICE:  BL1: Booting BL31
    NOTICE:  BL31: v2.5(release):v2.5
    NOTICE:  BL31: Built : 10:41:20, Jul  2 2021

Following up with the fTPM startup process, we can see that all the
measurements in the Event Log are extended and recorded in
the appropriate PCR:

.. code:: shell

    M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
    M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
    M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
    M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
    M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
    M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
    M/TA: TPM2_PCR_EX TEND_COMMAND returned value:
    M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
    M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
    M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
    M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
    M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
    M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
    M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
    M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
    M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
    M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
    M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
    M/TA: 9 Event logs processed

After the fTPM TA is loaded, the call to ``insmod`` issued by the ``ftpm``
alias to load the ftpm kernel module returns, and then the TPM PCRs are read
by means of the ``tpm2_pcrread`` command. Note that we are only interested in the
SHA256 bank here, as this is the algorithm we used on TF-A for the measurements
(see the field ``AlgorithmId`` in the logs above):

.. code:: shell

    sha256:
      0 : 0xA6EB3A7417B8CFA9EBA2E7C22AD5A4C03CDB8F3FBDD7667F9C3EF2EA285A8C9F
      1 : 0x0000000000000000000000000000000000000000000000000000000000000000
      2 : 0x0000000000000000000000000000000000000000000000000000000000000000
      3 : 0x0000000000000000000000000000000000000000000000000000000000000000
      4 : 0x0000000000000000000000000000000000000000000000000000000000000000
      5 : 0x0000000000000000000000000000000000000000000000000000000000000000
      6 : 0x0000000000000000000000000000000000000000000000000000000000000000
      7 : 0x0000000000000000000000000000000000000000000000000000000000000000
      8 : 0x0000000000000000000000000000000000000000000000000000000000000000
      9 : 0x0000000000000000000000000000000000000000000000000000000000000000
      10: 0x0000000000000000000000000000000000000000000000000000000000000000
      11: 0x0000000000000000000000000000000000000000000000000000000000000000
      12: 0x0000000000000000000000000000000000000000000000000000000000000000
      13: 0x0000000000000000000000000000000000000000000000000000000000000000
      14: 0x0000000000000000000000000000000000000000000000000000000000000000
      15: 0x0000000000000000000000000000000000000000000000000000000000000000
      16: 0x0000000000000000000000000000000000000000000000000000000000000000
      17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
      18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
      19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
      20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
      21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
      22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
      23: 0x0000000000000000000000000000000000000000000000000000000000000000

In this PoC we are only interested in PCR0, which must be non-null.
This is
because the boot process records all the images in this PCR (see the field ``PCRIndex``
in the Event Log above). The remaining PCRs must still be 0 at this point (for PCRs
above 15, see the note below).

.. note::
   The fTPM service used has support only for 16 PCRs, therefore the content
   of PCRs above 15 can be ignored.

.. note::
   As stated earlier, Arm does not provide an fTPM implementation and therefore
   we do not validate here whether the content of PCR0 is correct or not. For this
   PoC, we are only focused on the fact that the Event Log could be passed to a third
   party fTPM and its records were properly extended.

Fine-tuning the fTPM TA
~~~~~~~~~~~~~~~~~~~~~~~

As stated earlier, the OP-TEE Toolkit includes support to build a third party fTPM
service. The build options for this service are tailored for the PoC and defined in
the build environment variable ``FTPM_FLAGS`` (see ``<toolkit_home>/build/common.mk``),
but they can be modified if needed to better adapt it to a specific scenario.

The most relevant options for Measured Boot support are:

  - **CFG_TA_DEBUG**: Enables debug logs in the Terminal_1 console.
  - **CFG_TEE_TA_LOG_LEVEL**: Defines the log level used for the debug messages.
  - **CFG_TA_MEASURED_BOOT**: Enables support for measured boot on the fTPM.
  - **CFG_TA_EVENT_LOG_SIZE**: Defines the size, in bytes, of the largest event log that
    the fTPM is able to store, as this buffer is allocated at build time. This must be at
    least the size of the event log generated by TF-A. If this build option
    is not defined, the fTPM falls back to a default value of 1024 bytes, which is enough
    for this PoC, so this variable is not defined in ``FTPM_FLAGS``.

--------------

*Copyright (c) 2021-2023, Arm Limited. All rights reserved.*

.. _OP-TEE Toolkit: https://github.com/OP-TEE/build
.. _ms-tpm-20-ref: https://github.com/microsoft/ms-tpm-20-ref
.. _Get and build the solution: https://optee.readthedocs.io/en/latest/building/gits/build.html#get-and-build-the-solution
.. _Armv8-A Foundation Platform (For Linux Hosts Only): https://developer.arm.com/tools-and-software/simulation-models/fixed-virtual-platforms/arm-ecosystem-models
.. _tpm2-tools: https://github.com/tpm2-software/tpm2-tools
.. _TCG event log: https://trustedcomputinggroup.org/resource/tcg-efi-platform-specification/
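The PoC above stops at checking that PCR0 is non-null. The next check a practitioner
wants is to replay the Event Log and compare the result with the value ``tpm2_pcrread``
returns, which also confirms that the log the fTPM received is the one TF-A dumped at
boot. The script below is an added example written for this page; it is not part of
TF-A, OP-TEE or the ms-tpm-20-ref fTPM. It parses a TCG 2.0 event log in the layout
TF-A produces (a TCG_PCR_EVENT header carrying TCG_EfiSpecIdEvent, followed by
TCG_PCR_EVENT2 entries), rejects truncated input and digest algorithms not declared in
the header, and folds the SHA-256 digests into a simulated PCR bank. The sample log is
constructed in-line from the digests shown in the console output of the running section,
so it runs offline. The PCR0 value printed by ``tpm2_pcrread`` above is deliberately not
asserted: the TCG PC Client spec says EV_NO_ACTION entries such as Startup Locality are
not extended, while the fTPM log above reports nine extends for nine entries, so how the
third party TA treats that entry has to be checked against its source before comparing
values; the ``extend_no_action`` switch covers both behaviours.

```python
"""Parse a TCG 2.0 event log and replay its PCR extends. Added example, not code
from TF-A, OP-TEE or the ms-tpm-20-ref fTPM; the sample log is constructed from the
digests printed in the PoC console output so the script runs offline."""
import hashlib
import struct

EV_POST_CODE = 0x01
EV_NO_ACTION = 0x03
TPM_ALG_SHA256 = 0x000B                 # TCG Algorithm Registry ID
HASH_NAME = {TPM_ALG_SHA256: "sha256"}  # add further banks here if a log carries them
SPEC_ID_SIGNATURE = b"Spec ID Event03\x00"

# Constructed sample: (event string, SHA-256 digest) copied from the PCR_Event2
# entries in the PoC output, in log order.
BOOT_MEASUREMENTS = [
    ("BL_2", "5826326e644564da45de35db96fded632a6ad40daa94b0b155e472e71f0ae0d5"),
    ("BL_31", "cff97da35c73accb7ba025806a6e50a56b2ed28cc936927d46c5b9c3a46c517c"),
    ("HW_CONFIG", "23b0a35d54d9431a5cb989631cda06c2e5dee77e991752127df745ca4f4a39c0"),
    ("SOC_FW_CONFIG", "4ee48e5ae650ede0b5a3548a1fd60e8aea0e71750ea43f8276ceafcd7cb091e0"),
    ("BL_32", "01b08047a1ce86cddf89d21f2efc6c22f819ec6e1eec73ba5abed096e35f6d75"),
    ("BL32_EXTRA1_IMAGE", "5dc6ef355a9081b437e63b52da92ab8ed96e93982d4087961b5aa7eef1f44063"),
    ("BL_33", "39b713b993db322f1b4830eb2cf25c25000f38dc8ec802cd79f248d22c25abe2"),
    ("NT_FW_CONFIG", "2510605dd4bc9d827a169f8acc4795a6fdcaa0c12bc9998f5120ffc6ed74685a"),
]

def pcr_extend(old, digest, alg=TPM_ALG_SHA256):
    """TPM2_PCR_Extend semantics for one bank: new = H(old || digest)."""
    return hashlib.new(HASH_NAME[alg], old + digest).digest()

def pcr_event2(pcr, ev_type, digest, event, alg=TPM_ALG_SHA256):
    """Serialise one TCG_PCR_EVENT2 carrying a single digest."""
    return (struct.pack("<III", pcr, ev_type, 1) + struct.pack("<H", alg) + digest
            + struct.pack("<I", len(event)) + event)

def build_sample_log():
    """TF-A layout: SHA-1 format TCG_PCR_EVENT header carrying TCG_EfiSpecIdEvent,
    then one TCG_PCR_EVENT2 per entry (the PoC log is 9 entries, all on PCR0)."""
    # signature, platformClass, minor/major/errata = 2.0.2, uintnSize,
    # numberOfAlgorithms, digestSizes[0] = (SHA256, 32 bytes), vendorInfoSize
    spec_id = struct.pack("<16sI4BIHHB", SPEC_ID_SIGNATURE, 0, 0, 2, 2, 1, 1, TPM_ALG_SHA256, 32, 0)
    log = struct.pack("<II", 0, EV_NO_ACTION) + bytes(20) + struct.pack("<I", len(spec_id)) + spec_id
    # Startup Locality: EV_NO_ACTION with an all-zero digest, informational only.
    log += pcr_event2(0, EV_NO_ACTION, bytes(32), b"StartupLocality\x00" + bytes([0]))
    for name, hexdigest in BOOT_MEASUREMENTS:
        log += pcr_event2(0, EV_POST_CODE, bytes.fromhex(hexdigest), name.encode() + b"\x00")
    return log

def parse_event_log(buf):
    """Return the log as a list of dicts (pcr, type, digests, event). Every length is
    bounds-checked and undeclared digest algorithms are rejected (ValueError)."""
    pos = 0
    def take(n):
        nonlocal pos
        if pos + n > len(buf):
            raise ValueError("truncated or corrupt event log at offset %d" % pos)
        pos += n
        return buf[pos - n:pos]
    pcr, ev_type = struct.unpack("<II", take(8))
    take(20)                                   # header digest: 20 zero bytes (SHA-1 sized)
    spec = take(struct.unpack("<I", take(4))[0])
    if ev_type != EV_NO_ACTION or spec[:16] != SPEC_ID_SIGNATURE or len(spec) < 29:
        raise ValueError("missing or short TCG_EfiSpecIdEvent header")
    n_algs = struct.unpack_from("<I", spec, 24)[0]
    if len(spec) < 29 + 4 * n_algs:
        raise ValueError("TCG_EfiSpecIdEvent digestSizes truncated")
    digest_size = dict(struct.unpack_from("<HH", spec, 28 + 4 * i) for i in range(n_algs))
    events = [{"pcr": pcr, "type": ev_type, "digests": {}, "event": spec}]
    while pos < len(buf):
        pcr, ev_type, count = struct.unpack("<III", take(12))
        digests = {}
        for _ in range(count):
            alg = struct.unpack("<H", take(2))[0]
            if alg not in digest_size:
                raise ValueError("algorithm 0x%04x not declared in the header" % alg)
            digests[alg] = take(digest_size[alg])
        event = take(struct.unpack("<I", take(4))[0])
        events.append({"pcr": pcr, "type": ev_type, "digests": digests, "event": event})
    return events

def event_names(events):
    """Event strings (NUL-terminated ASCII in TF-A's log), header included."""
    return [e["event"].split(b"\x00", 1)[0].decode("ascii", "replace") for e in events]

def replay_pcrs(events, alg=TPM_ALG_SHA256, extend_no_action=False):
    """Recompute one bank's PCRs. The header and EV_NO_ACTION entries are not extended,
    per the TCG PC Client spec; extend_no_action=True mimics a TPM that extended them
    anyway. Touched PCRs are assumed to start at zero (PCR0-15 do)."""
    size, pcrs = hashlib.new(HASH_NAME[alg]).digest_size, {}
    for ev in events[1:]:
        if ev["type"] == EV_NO_ACTION and not extend_no_action:
            continue
        if alg not in ev["digests"]:
            raise ValueError("event %r has no digest for the requested bank" % ev["event"])
        pcrs[ev["pcr"]] = pcr_extend(pcrs.get(ev["pcr"], bytes(size)), ev["digests"][alg], alg)
    return pcrs

def check_pcr(events, pcr_index, reported_hex, alg=TPM_ALG_SHA256):
    """True if a tpm2_pcrread value ('0x...' or bare hex) equals the replayed PCR."""
    expected = replay_pcrs(events, alg).get(pcr_index)
    return expected is not None and int(reported_hex, 16) == int.from_bytes(expected, "big")
```

To check a real boot, pass ``parse_event_log()`` the bytes the fTPM TA obtains through
``PTA_SYSTEM_GET_TPM_EVENT_LOG`` (or a dump of the TF-A Event Log buffer) and call
``check_pcr(events, 0, "<sha256 PCR0 line from tpm2_pcrread>")``; ``event_names()`` on the
same list should reproduce the ``Event`` strings printed by TF-A, in the same order.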