Support for TPM 2.0 module in Xen #10

Closed
BeataZdunczyk opened this issue Apr 3, 2023 · 7 comments
Labels: P: default, T: feature request, W: done

@BeataZdunczyk
Member

Is your feature request related to a problem? Please describe.

Currently, Qubes OS AEM does not support TPM 2.0 in Xen, preventing the measurement of the Dom0 kernel and initial ram disk before they are executed.

Is your feature request related to a new idea or technology that would benefit the project? Please describe.

This task is required to extend Qubes OS AEM to support TPM 2.0 on Intel hardware.

Describe the solution you'd like

Implement support for the TPM 2.0 module in Xen to enable the measurement of the Dom0 kernel and initial ram disk hashes.

Describe alternatives you've considered

N/A

Additional context

This feature request is part of Phase 2 in TrenchBoot as Anti Evil Maid project, as outlined in the documentation: https://docs.dasharo.com/projects/trenchboot-aem-v2/.

Relevant documentation you've consulted

N/A

BeataZdunczyk added the T: feature request, P: default and W: todo labels on Apr 3, 2023

@krystian-hebel
Member

There is an ongoing effort by @dpsmith on implementing a common driver for both TPM2.0 and event log. Note that there are some comments; they are visible only when opening commits one by one.

Until that is done, I think we can expand the current approach with TPM2.0 code. AFAICT secdev wouldn't allow measuring MBI early in the boot process, so it is possible that some simplified implementation will be needed anyway. As for dom0 measurements, Daniel suggested an approach similar to the one we currently use, so it should be easy to switch to secdev later.

@SergiiDmytruk
Member

@krystian-hebel Which hashes need to be supported for TPM2?

@krystian-hebel
Member

SHA1 and SHA256 should be enough for now; it's still rare for a TPM to support anything beyond that. SHA1 is technically deprecated and may no longer be implemented, so preferably code should not treat this as an error.
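
An added example, not part of the issue thread or of the TrenchBoot/Xen code: a Python model of the requirement in the comment above, extending each measurement into every requested PCR bank and skipping a missing SHA1 bank without failing. `ToyTpm`, `measure`, `demo` and the sample blobs are hypothetical names and constructed inputs.

```python
import hashlib

WANTED = ("sha1", "sha256")  # the two algorithms named in the comment above


class ToyTpm:
    """Software model of TPM 2.0 PCR banks (hypothetical, not a real TPM API)."""

    def __init__(self, banks):
        # Each implemented bank starts with an all-zero PCR of its digest size.
        self.pcr = {alg: bytes(hashlib.new(alg).digest_size) for alg in banks}

    def extend(self, alg, digest):
        # PCR extend: new = H(old || digest), using the bank's own algorithm.
        self.pcr[alg] = hashlib.new(alg, self.pcr[alg] + digest).digest()


def measure(tpm, blobs, wanted=WANTED):
    """Extend every blob into each wanted bank that the TPM implements.

    A wanted algorithm without a bank (for example SHA1 left out by the
    vendor) is skipped and reported, not treated as an error. Only a TPM
    with none of the wanted banks is fatal, since nothing would be measured.
    """
    usable = [alg for alg in wanted if alg in tpm.pcr]
    skipped = [alg for alg in wanted if alg not in tpm.pcr]
    if not usable:
        raise RuntimeError("TPM implements none of: " + ", ".join(wanted))
    for blob in blobs:
        for alg in usable:
            tpm.extend(alg, hashlib.new(alg, blob).digest())
    return usable, skipped


def demo():
    # Constructed stand-ins for the dom0 kernel and initial ram disk images.
    blobs = [b"constructed dom0 kernel image", b"constructed initramfs image"]
    sha256_only = ToyTpm(["sha256"])  # assumption: this TPM has no SHA1 bank
    both = ToyTpm(["sha1", "sha256"])
    return measure(sha256_only, blobs), measure(both, blobs), sha256_only, both


if __name__ == "__main__":
    first, second, _, _ = demo()
    print("SHA256-only TPM (usable, skipped):", first)
    print("Dual-bank TPM   (usable, skipped):", second)
```

The SHA256 PCR value is identical on both modelled TPMs, because each bank is extended independently of the others.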

@dpsmith
Contributor

dpsmith commented Jun 21, 2023

There is now a PR on TB's Xen tree with the secdev driver. As noted in the PR, I would not consider the PR to be ready for merge, and the PR is continuing to get review over the secdev interface, with TPM2 support being the first backend for secdev.

@SergiiDmytruk
Member

Pushed https://github.com/TrenchBoot/xen/tree/aem-tpm2 with current WIP changes. Non-early version works (but only if locale 0 is enabled/disabled first, maybe that's part of the init?), early hasn't yet been tested. The changes are SHA256 only for now, SHA1 to be added later. Also had trouble with testing this in QEMU, had to map TIS MMIO range to get it working (well, and pretend that SLAUNCH was used).

@SergiiDmytruk
Member

PR: TrenchBoot/xen#3

BeataZdunczyk added the W: in review label and removed the W: todo label on Aug 25, 2023

@krystian-hebel
Member

Logs and results from tests can be found in #11 (comment)

BeataZdunczyk added the W: done label and removed the W: in review label on Sep 26, 2023