OP-TEE / optee_os

Trusted side of the TEE

Measured boot on rk3399: Failed to map TPM log memory #6679

Closed ZhanYF closed 6 months ago

ZhanYF commented 9 months ago

I'm trying to set up measured boot on rk3399 but without much success. I expect TF-A to generate an event log when MEASURED_BOOT is enabled, but this does not happen. I suspect this is due to problems with memory mapping between the secure world and the non-secure world:

I/TC: No non-secure external DT
E/TC:0 0 get_tpm_phys_params:84 TPM: No DTB found
D/TC:0 0 tpm_map_log_area:141 TPM Event log PA: 0
D/TC:0 0 tpm_map_log_area:142 TPM Event log size: 0 Bytes
E/TC:0 0 tpm_map_log_area:149 TPM: Failed to map TPM log memory

Looking at get_tpm_phys_params, it seems like the non-secure memory address and size for storing the TPM event log are obtained from the arm,tpm_event_log node in the DTB, but I'm not sure:


Make env and flags: (full Makefile: https://github.com/ZhanYF/veritymobile/blob/dev-wip/Makefile)

TF-A:

TFA_FLAGS ?= -j ARCH=aarch64 \
                PLAT=rk3399 \
                SPD=opteed \
                LOG_LEVEL=40 \
                MEASURED_BOOT=1 \
                TRUSTED_BOARD_BOOT=1

fTPM:

FTPM_ENV_FLAGS ?= CFG_ARM64_core=y \
        CFG_FTPM_USE_WOLF=y \
        CFG_TEE_TA_LOG_LEVEL=4 \
        CFG_TA_DEBUG=y \
        CFG_TA_MEASURED_BOOT=y \
        TA_PLATFORM=rockchip-rk3399 \
        TA_CPU=cortex-a53 \
        TA_CROSS_COMPILE=$(CROSS_COMPILE_32) \
        TA_DEV_KIT_DIR=$(OPTEE_OS_TA_DEV_KIT_DIR)

optee with fTPM as early TA:

OPTEE_OS_WITH_TA_FLAGS ?= \
        $(OPTEE_OS_COMMON_EXTRA_FLAGS) \
        PLATFORM=rockchip-rk3399 \
        CROSS_COMPILE=$(CROSS_COMPILE_64) \
        CROSS_COMPILE_core=$(CROSS_COMPILE_64) \
        $(OPTEE_OS_TA_CROSS_COMPILE_FLAGS) \
        EARLY_TA_PATHS=$(FTPM_TA_PATH) \
        CFG_TEE_CORE_LOG_LEVEL=3 \
        CFG_TEE_TA_LOG_LEVEL=3 \
        CFG_EARLY_CONSOLE_BAUDRATE=115200 \
        CFG_CORE_TPM_EVENT_LOG=y

OPTEE_OS_ENV ?= \
        MEASURED_BOOT=y \
        MEASURED_BOOT_FTPM=y

Version info:

Mainline U-Boot SPL 2023.10
BL31: v2.9(release):v2.9.0-788-ga1377a89a
OP-TEE version: 3.22.0-233-g69a443d05-dev (gcc version 12.2.0 (Debian 12.2.0-14)) #1 Fri Feb 9 12:36:07 UTC 2024 aarch64
ftpm: https://github.com/ZhanYF/MSRSec/commits/master/


Full log:

U-Boot SPL 2023.10 (Feb 10 2024 - 02:16:34 -0500)
Trying to boot from MMC2
spl_load_fit_image: Skip load 'atf-5': image size is 0!
NOTICE:  BL31: v2.9(release):v2.9.0-788-ga1377a89a
NOTICE:  BL31: Built : 02:07:06, Feb 10 2024
INFO:    GICv3 with legacy support detected.
INFO:    ARM GICv3 driver initialized in EL3
INFO:    Maximum SPI INTID supported: 287
INFO:    plat_rockchip_pmu_init(1624): pd status 3e
INFO:    BL31: Initializing runtime services
INFO:    BL31: Initializing BL32
D/TC:0   get_aslr_seed:1332 No fdt
D/TC:0   plat_get_aslr_seed:108 Warning: no ASLR seed
D/TC:0   add_phys_mem:667 VCORE_UNPG_RX_PA type TEE_RAM_RX 0x30000000 size 0x000ae000
D/TC:0   add_phys_mem:667 VCORE_UNPG_RW_PA type TEE_RAM_RW 0x300ae000 size 0x00152000
D/TC:0   add_phys_mem:667 ta_base type TA_RAM 0x30200000 size 0x01e00000
D/TC:0   add_phys_mem:667 GIC_BASE type IO_SEC 0xfee00000 size 0x00200000
D/TC:0   add_phys_mem:667 CFG_EARLY_CONSOLE_BASE type IO_NSEC 0xff000000 size 0x00200000
D/TC:0   add_phys_mem:667 SGRF_BASE type IO_SEC 0xff200000 size 0x00200000
D/TC:0   add_phys_mem:667 TEE_SHMEM_START type NSEC_SHM 0x32000000 size 0x00400000
D/TC:0   add_va_space:707 type RES_VASPACE size 0x00a00000
D/TC:0   add_va_space:707 type SHM_VASPACE size 0x02000000
D/TC:0   dump_mmap_table:835 type TEE_RAM_RX   va 0x30000000..0x300adfff pa 0x30000000..0x300adfff size 0x000ae000 (smallpg)
D/TC:0   dump_mmap_table:835 type TEE_RAM_RW   va 0x300ae000..0x301fffff pa 0x300ae000..0x301fffff size 0x00152000 (smallpg)
D/TC:0   dump_mmap_table:835 type SHM_VASPACE  va 0x30200000..0x321fffff pa 0x00000000..0x01ffffff size 0x02000000 (pgdir)
D/TC:0   dump_mmap_table:835 type RES_VASPACE  va 0x32200000..0x32bfffff pa 0x00000000..0x009fffff size 0x00a00000 (pgdir)
D/TC:0   dump_mmap_table:835 type TA_RAM       va 0x32c00000..0x349fffff pa 0x30200000..0x31ffffff size 0x01e00000 (pgdir)
D/TC:0   dump_mmap_table:835 type NSEC_SHM     va 0x34a00000..0x34dfffff pa 0x32000000..0x323fffff size 0x00400000 (pgdir)
D/TC:0   dump_mmap_table:835 type IO_SEC       va 0x34e00000..0x34ffffff pa 0xfee00000..0xfeffffff size 0x00200000 (pgdir)
D/TC:0   dump_mmap_table:835 type IO_NSEC      va 0x35000000..0x351fffff pa 0xff000000..0xff1fffff size 0x00200000 (pgdir)
D/TC:0   dump_mmap_table:835 type IO_SEC       va 0x35200000..0x353fffff pa 0xff200000..0xff3fffff size 0x00200000 (pgdir)
D/TC:0   core_mmu_xlat_table_alloc:526 xlat tables used 1 / 5
D/TC:0   core_mmu_xlat_table_alloc:526 xlat tables used 2 / 5
I/TC:
I/TC: No non-secure external DT
E/TC:0 0 get_tpm_phys_params:84 TPM: No DTB found
D/TC:0 0 tpm_map_log_area:141 TPM Event log PA: 0
D/TC:0 0 tpm_map_log_area:142 TPM Event log size: 0 Bytes
E/TC:0 0 tpm_map_log_area:149 TPM: Failed to map TPM log memory
D/TC:0 0 get_console_node_from_dt:74 No console directive from DTB
I/TC: OP-TEE version: 3.22.0-233-g69a443d05 (gcc version 12.2.0 (Debian 12.2.0-14)) #1 Sat Feb 10 07:13:49 UTC 2024 aarch64
I/TC: WARNING: This OP-TEE configuration might be insecure!
I/TC: WARNING: Please check https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.html
I/TC: Primary CPU initializing
D/TC:0 0 boot_init_primary_late:1200 Executing at offset 0 with virtual load address 0x30000000
D/TC:0 0 call_preinitcalls:21 level 2 mobj_mapped_shm_init()
D/TC:0 0 mobj_mapped_shm_init:470 Shared memory address range: 30200000, 32200000
D/TC:0 0 call_initcalls:40 level 1 register_time_source()
D/TC:0 0 call_initcalls:40 level 1 teecore_init_pub_ram()
D/TC:0 0 call_initcalls:40 level 2 probe_dt_drivers_early()
D/TC:0 0 call_initcalls:40 level 3 platform_init()
D/TC:0 0 platform_secure_ddr_region:35 protecting region 1: 0x30000000-0x32000000
D/TC:0 0 call_initcalls:40 level 3 check_ta_store()
D/TC:0 0 check_ta_store:454 TA store: "early TA"
D/TC:0 0 check_ta_store:454 TA store: "Secure Storage TA"
D/TC:0 0 check_ta_store:454 TA store: "REE"
D/TC:0 0 call_initcalls:40 level 3 early_ta_init()
D/TC:0 0 early_ta_init:56 Early TA bc50d971-d4c9-42c4-82cb-343fb7f37896 size 209095 (compressed, uncompressed 441580)
D/TC:0 0 call_initcalls:40 level 3 verify_pseudo_tas_conformance()
D/TC:0 0 call_initcalls:40 level 3 tee_cryp_init()
D/TC:0 0 call_initcalls:40 level 4 tee_fs_init_key_manager()
D/TC:0 0 call_initcalls:40 level 5 probe_dt_drivers()
D/TC:0 0 call_initcalls:40 level 6 mobj_init()
D/TC:0 0 call_initcalls:40 level 6 default_mobj_init()
D/TC:0 0 call_initcalls:40 level 7 release_probe_lists()
D/TC:0 0 call_finalcalls:59 level 1 release_external_dt()
I/TC: Primary CPU switching to normal world boot
INFO:    BL31: Preparing for EL3 exit to normal world
INFO:    Entry point address = 0x200000
INFO:    SPSR = 0x3c9
I/TC: Secondary CPU 1 initializing
I/TC: Secondary CPU 1 switching to normal world boot
I/TC: Secondary CPU 2 initializing
I/TC: Secondary CPU 2 switching to normal world boot
I/TC: Secondary CPU 3 initializing
I/TC: Secondary CPU 3 switching to normal world boot
I/TC: Secondary CPU 4 initializing
D/TC:4   select_vector_wa_spectre_v2:648 SMCCC_ARCH_WORKAROUND_1 (0x80008000) available
D/TC:4   select_vector_wa_spectre_v2:650 SMC Workaround for CVE-2017-5715 used
I/TC: Secondary CPU 4 switching to normal world boot
I/TC: Secondary CPU 5 initializing
D/TC:5   select_vector_wa_spectre_v2:648 SMCCC_ARCH_WORKAROUND_1 (0x80008000) available
D/TC:5   select_vector_wa_spectre_v2:650 SMC Workaround for CVE-2017-5715 used
I/TC: Secondary CPU 5 switching to normal world boot

github-actions[bot] commented 8 months ago

This issue has been marked as a stale issue because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment, otherwise this issue will automatically be closed in 5 days. Note, that you can always re-open a closed issue at any time.

jenswi-linaro commented 8 months ago

  • How do I find the address I can use for storing TPM log?

I guess TF-A already is using an address. Perhaps you can find it in some define or config variable?

  • Should I include the DTB via CFG_DT for OP-TEE? or there is a better approach?

That depends on how TF-A is configured on your platform. If it's configured to pass a DTB to OP-TEE then it should be quite easy to just update the DTB and let OP-TEE take the address from there. If not, then setting it in CFG_TPM_LOG_BASE_ADDR might be an option.
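
Whichever way the address reaches OP-TEE (the arm,tpm_event_log node in a DTB passed by TF-A, or a hard-wired CFG_TPM_LOG_BASE_ADDR), the check a practitioner wants next is whether a well-formed TCG2 event log is actually sitting at that address. The C below is an added example written for this thread, not code from OP-TEE, TF-A or the fTPM: it walks a TPM 2.0 ("Spec ID Event03") event log laid out per the TCG PC Client Platform Firmware Profile, refuses the address 0 / size 0 pair reported in the OP-TEE log above before touching memory, and bounds-checks every field, because the secure world receives both the address and the size from an earlier boot stage and has to treat the buffer as untrusted input. The sample log bytes are constructed for the example; its two EV_POST_CODE records, their digests and event data are made up.

```c
/*
 * Walk and validate a TCG2 (TPM 2.0) event log. Added example for this thread,
 * not OP-TEE, TF-A or fTPM code. Layout per the TCG PC Client Platform
 * Firmware Profile: one SHA1-format TCG_PCR_EVENT carrying the
 * TCG_EfiSpecIDEvent header, then TCG_PCR_EVENT2 records whose digest sizes
 * come from that header.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EV_NO_ACTION 0x00000003u
#define MAX_ALGS     8

struct tcg_log_info {
	size_t num_events;  /* TCG_PCR_EVENT2 records after the SpecID event */
	size_t used_bytes;  /* bytes of the buffer the log actually occupies */
};

/* Little-endian loads; the log buffer need not be aligned. */
static uint32_t rd32(const uint8_t *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static int all_zero(const uint8_t *p, size_t n)
{
	while (n--) if (*p++) return 0;
	return 1;
}

/*
 * 0 on success, negative on a malformed log. Address 0 / size 0 is exactly what
 * the OP-TEE log in this issue reports, so refuse it before dereferencing
 * anything; every later read is bounds-checked because the buffer comes from
 * outside the secure world.
 */
int tcg2_log_walk(const uint8_t *log, size_t log_size, struct tcg_log_info *out)
{
	static const char spec_sig[16] = "Spec ID Event03";
	uint16_t alg_id[MAX_ALGS], alg_size[MAX_ALGS];
	uint32_t nalgs, ev_size, i;
	size_t off = 32;

	memset(out, 0, sizeof(*out));
	if (!log || !log_size) return -1;
	/* TCG_PCR_EVENT: pcrIndex(4) eventType(4) digest(20) eventSize(4) event[] */
	if (log_size < off) return -2;
	if (rd32(log + 4) != EV_NO_ACTION) return -3;
	ev_size = rd32(log + 28);
	if (ev_size > log_size - off) return -4;
	/* TCG_EfiSpecIDEvent: signature(16) platformClass(4) minor,major,errata,uintnSize(4)
	 * numberOfAlgorithms(4) {algorithmId(2) digestSize(2)}[n] vendorInfoSize(1) vendorInfo[] */
	const uint8_t *spec = log + off;
	if (ev_size < 28 || memcmp(spec, spec_sig, sizeof(spec_sig)) != 0) return -5;
	nalgs = rd32(spec + 24);
	if (nalgs == 0 || nalgs > MAX_ALGS || ev_size < 29 + nalgs * 4) return -6;
	for (i = 0; i < nalgs; i++) {
		alg_id[i] = rd16(spec + 28 + i * 4);
		alg_size[i] = rd16(spec + 30 + i * 4);
	}
	off += ev_size;

	/* TCG_PCR_EVENT2: pcrIndex(4) eventType(4) digests.count(4)
	 * {algorithmId(2) digest[size]}[count] eventSize(4) event[] */
	while (off < log_size) {
		size_t rem = log_size - off, p = off + 12;
		uint32_t count, esz;

		/* Zero bytes where a record header should be: end of the log inside a larger
		 * window (this example's convention, not something the spec guarantees). */
		if (all_zero(log + off, rem < 12 ? rem : 12)) break;
		if (rem < 12) return -7;
		count = rd32(log + off + 8);
		for (i = 0; i < count; i++) {
			uint16_t id, dsz = 0;
			uint32_t k;

			if (log_size - p < 2) return -8;
			id = rd16(log + p);
			for (k = 0; k < nalgs; k++)
				if (alg_id[k] == id) dsz = alg_size[k];
			if (!dsz) return -9;        /* algorithm not declared in the header */
			p += 2;
			if (log_size - p < dsz) return -10;
			p += dsz;
		}
		if (log_size - p < 4) return -11;
		esz = rd32(log + p);
		p += 4;
		if (log_size - p < esz) return -12;
		off = p + esz;
		out->num_events++;
	}
	out->used_bytes = off;
	return 0;
}

/* Constructed sample: SpecID header declaring SHA256 only, then two EV_POST_CODE
 * records on PCR 0 with made-up digests and event data. */
static const uint8_t sample_log[] = {
	0x00,0x00,0x00,0x00, 0x03,0x00,0x00,0x00,               /* PCR 0, EV_NO_ACTION */
	0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,                /* 20-byte SHA1 digest, zero */
	0x21,0x00,0x00,0x00,                                    /* eventSize = 33 */
	'S','p','e','c',' ','I','D',' ','E','v','e','n','t','0','3',0x00,
	0x00,0x00,0x00,0x00, 0x00,0x02,0x00,0x02,               /* class 0; v2.0, errata 0; uintnSize 2 */
	0x01,0x00,0x00,0x00, 0x0B,0x00,0x20,0x00, 0x00,         /* 1 alg: SHA256 (0x000B), 32 bytes; no vendor info */
	0x00,0x00,0x00,0x00, 0x01,0x00,0x00,0x00, 0x01,0x00,0x00,0x00, 0x0B,0x00,
	0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,
	0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,
	0x03,0x00,0x00,0x00, 'B','L','2',
	0x00,0x00,0x00,0x00, 0x01,0x00,0x00,0x00, 0x01,0x00,0x00,0x00, 0x0B,0x00,
	0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,
	0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,
	0x04,0x00,0x00,0x00, 'B','L','3','1',
};

size_t sample_log_len(void) { return sizeof(sample_log); }
```

When the reservation is larger than what TF-A wrote (a fixed window such as OP-TEE's CFG_TPM_MAX_LOG_SIZE; check the name in your tree), the walker treats zero bytes in place of a record header as the end of the log. That is this example's convention only; where TF-A reports the real size (a DTB property or a config value), prefer that over padding detection, and compare the walked record count against the images TF-A should have measured so a log that stops early is noticed.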

github-actions[bot] commented 7 months ago

This issue has been marked as a stale issue because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment, otherwise this issue will automatically be closed in 5 days. Note, that you can always re-open a closed issue at any time.