Support for TPM 2.0 module in Xen

[BeataZdunczyk]

Is your feature request related to a problem? Please describe.

Currently, Qubes OS AEM does not support TPM 2.0 in Xen, preventing the measurement of the Dom0 kernel and initial ram disk before they are executed.

Is your feature request related to a new idea or technology that would benefit the project? Please describe.

This task is required to extend Qubes OS AEM to support TPM 2.0 on Intel hardware.

Describe the solution you'd like

Implement support for the TPM 2.0 module in Xen to enable the measurement of the Dom0 kernel and initial ram disk hashes.

Describe alternatives you've considered

N/A

Additional context

This feature request is part of Phase 2 in TrenchBoot as Anti Evil Maid project, as outlined in the documentation: https://docs.dasharo.com/projects/trenchboot-aem-v2/.

Relevant documentation you've consulted

N/A

[krystian-hebel]

There is an ongoing effort by @dpsmith on implementing a common driver for both TPM2.0 and event log. Note that there are some comments, they are visible only when opening commits one by one.

Until that is done, I think we can expand current approach with TPM2.0 code. AFAICT secdev wouldn't allow to measure MBI early in the boot process, so it is possible that some simplified implementation will be needed anyway. As for dom0 measurements, Daniel suggested an approach similar to the one we currently use so it should be easy to switch to secdev later.

[SergiiDmytruk]

@krystian-hebel Which hashes need to be supported for TPM2?

[krystian-hebel]

SHA1 and SHA256 should be enough for now, it's still rare for TPM to support anything beyond that. SHA1 is technically deprecated and may no longer be implemented, so preferably code should not treat this as error.

[dpsmith]

There is now a PR on TB's Xen tree with the secdev driver. As noted in the PR, I would not consider the PR to be ready for merge, and that the PR is continue to get review over secdev interface with TPM2 support being the first backend for secdev.

[SergiiDmytruk]

Pushed https://github.com/TrenchBoot/xen/tree/aem-tpm2 with current WIP changes. Non-early version works (but only if locale 0 is enabled/disabled first, maybe that's part of the init?), early hasn't yet been tested. The changes is SHA256 only for now, SHA1 to be added later. Also had trouble with testing this in QEMU, had to map TIS MMIO range to get it working (well, and pretend that SLAUNCH was used).

[SergiiDmytruk]

PR: https://github.com/TrenchBoot/xen/pull/3

[krystian-hebel]

Logs and results from tests can be found in https://github.com/TrenchBoot/trenchboot-issues/issues/11#issuecomment-1734465464