
How to enable MEASURED_BOOT macro using a yocto recipe #70

Closed kuldeepmarker-eaton closed 2 years ago

kuldeepmarker-eaton commented 2 years ago

I have integrated the fTPM TA into the OpenSTLinux distro and can see the TA in the image under /lib/optee_armtz. I am interested in getting the TPM event log, for which the MEASURED_BOOT macro must be enabled. So I want to know how I can enable that macro from my Yocto recipe. Below is the recipe I am using.

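SUMMARY = "OPTEE fTPM Microsoft TA"
DESCRIPTION = "TCG reference implementation of the TPM 2.0 Specification."
HOMEPAGE = "https://github.com/microsoft/ms-tpm-20-ref/"

COMPATIBLE_MACHINE ?= "invalid"
COMPATIBLE_MACHINE:qemuarm64 = "qemuarm64"
COMPATIBLE_MACHINE:qemuarm64-secureboot = "qemuarm64"
COMPATIBLE_MACHINE:qemu-generic-arm64 = "qemu-generic-arm64"

# FIXME - doesn't currently work with clang
TOOLCHAIN = "gcc"

inherit deploy python3native

LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=5a3925ece0806073ae9ebbb08ff6f11e"

DEPENDS = "python3-pyelftools-native optee-os-stm32mp python3-cryptography-native "
DEPENDS += "python3-pycryptodomex-native"

# UUID of the fTPM TA. The build writes out/fTPM/<UUID>.ta and
# out/fTPM/<UUID>.stripped.elf, which do_install/do_deploy pick up by this name.
FTPM_UUID = "bc50d971-d4c9-42c4-82cb-343fb7f37896"

# Source is pinned to a fixed SRCREV (not a moving branch head) so the TA that
# ends up in the image is reproducible and auditable; the local patch adds an
# enum to the TA flags.
SRC_URI = "gitsm://github.com/Microsoft/ms-tpm-20-ref;branch=master;protocol=https \
           file://0001-add-enum-to-ta-flags.patch"
SRCREV = "d638536d0fe01acd5e39ffa1bd100b3da82d92c7"

S = "${WORKDIR}/git"

OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}"

# The TA dev kit is staged by the optee-os-stm32mp dependency. Do NOT replace
# this with an absolute path into some build host's tmp/work tree (e.g. another
# recipe's recipe-sysroot): such a path exists on exactly one machine, is not
# reproducible, and silently changes which OP-TEE headers (and, presumably, the
# TA signing key the dev kit carries -- confirm) the fTPM is built against.
# If this directory is missing, fix DEPENDS / the optee-os recipe instead.
# NOTE(review): the default key shipped with an OP-TEE dev kit is public;
# a production image must sign TAs with a key you control -- verify how the
# optee-os-stm32mp recipe configures this.
TA_DEV_KIT_DIR = "${STAGING_INCDIR}/optee/export-user_ta"

# CFG_* switches are make variables consumed by the TA's sub.mk files. That is
# also where a C macro such as MEASURED_BOOT would be turned on: grep the fTPM
# sub.mk at the pinned SRCREV for the CFG_* flag that adds -DMEASURED_BOOT and
# pass that flag here, rather than injecting -D options through CFLAGS.
#
# NOTE(review): CFG_TA_DEBUG=y and CFG_TEE_TA_LOG_LEVEL=4 build a debug TA
# with verbose secure-world logging. The fTPM holds PCRs, keys and NV storage;
# keep these for development builds only and drop them (or gate them on a
# DISTRO_FEATURE / DEBUG_BUILD) for production images.
EXTRA_OEMAKE += '\
    CFG_FTPM_USE_WOLF=y \
    CFG_TA_DEBUG=y \
    CFG_TEE_TA_LOG_LEVEL=4 \
    TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
    TA_CROSS_COMPILE=${TARGET_PREFIX} \
    CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_HOST} -I${WORKDIR}/optee-os-stm32mp" \
    '

EXTRA_OEMAKE:append:aarch64:qemuall = "\
    CFG_ARM64_ta_arm64=y \
    "

# python3-cryptography needs the legacy provider, so set OPENSSL_MODULES to the
# right path until this is relocated automatically.
export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"

# The TA makefiles are not parallel-safe.
PARALLEL_MAKE = ""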

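do_compile() {
    # The internal ${CC} already carries the correct -mcpu option, so strip the
    # TA's own -mcpu=$(TA_CPU) to avoid passing two conflicting values. The path
    # is anchored on ${S} rather than the current directory so this does not
    # depend on ${B} defaulting to ${S}.
    sed -i 's/-mcpu=$(TA_CPU)//' ${S}/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/sub.mk
    # There's also a secure variable storage TA called authvars in this
    # directory; only the fTPM outputs are installed below.
    cd ${S}/Samples/ARM32-FirmwareTPM/optee_ta
    oe_runmake
}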

do_install () {
    ta_out="${S}/Samples/ARM32-FirmwareTPM/optee_ta/out/fTPM"
    ta_dir="${D}/${nonarch_base_libdir}/optee_armtz"
    # /lib/optee_armtz is where the TA was observed on the target image; the
    # signed .ta is the artifact the normal world loads by UUID, the stripped
    # ELF is kept alongside it (presumably for debugging -- confirm it is needed
    # in the rootfs).
    mkdir -p ${ta_dir}
    install -D -p -m 0644 ${ta_out}/${FTPM_UUID}.ta ${ta_dir}/
    install -D -p -m 0644 ${ta_out}/${FTPM_UUID}.stripped.elf ${ta_dir}/
}

do_deploy () {
    # Publish the stripped ELF (no .ta) under ${DEPLOYDIR}/optee.
    ta_out="${S}/Samples/ARM32-FirmwareTPM/optee_ta/out/fTPM"
    install -d ${DEPLOYDIR}/optee
    install -D -p -m 0644 ${ta_out}/${FTPM_UUID}.stripped.elf ${DEPLOYDIR}/optee/
}

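addtask deploy before do_build after do_install

FILES:${PN} += " \
    ${nonarch_base_libdir}/optee_armtz/${FTPM_UUID}.ta \
    ${nonarch_base_libdir}/optee_armtz/${FTPM_UUID}.stripped.elf \
    "

# Imports machine specific configs from staging to build: the TA is built
# against a machine-specific OP-TEE dev kit, so the package must be
# machine-specific too (presumably so sstate cannot reuse a TA built for a
# different board/OP-TEE configuration).
PACKAGE_ARCH = "${MACHINE_ARCH}"

# The TA is linked by the OP-TEE dev kit with its own link flags; skip the
# ldflags QA check rather than forcing distro LDFLAGS into the TA link.
INSANE_SKIP:${PN} += "ldflags"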

bradlitterell commented 2 years ago

I'm sorry, you're asking in the wrong place. This repository is dedicated to the TPM specification reference code directly. You appear to be asking a Linux- or Yocto-specific question. However, the TPM code doesn't directly deal with measured boot logs itself; it just handles PCR Extend commands and measurement quotes. The measured boot logs are created and maintained by a particular machine's BIOS and OS.

For Yocto questions I suggest yoctoproject.org. For Linux questions, I suggest the site for the Linux distro you are using.