[Feature]: Integrate the TPM Replay feature #677
Assignees
Labels
Comments
makubacki
added
state:needs-triage
5 tasks
makubacki
removed
the
state:needs-triage
makubacki
added a commit
that referenced
this issue
Aug 29, 2023
Closes #677 ## Description This feature enables experimentation with controlling the TPM measurements made by firmware. It allows a developer to craft a TPM event log and have the replayed during boot. It is disabled by default. General feature information is available in its readme: https://github.com/microsoft/mu_plus/blob/HEAD/TpmTestingPkg/TpmReplayPei/Readme.md It is currently only planned to be used QemuQ35Pkg. It could be enabled in QemuSbsaPkg in the future if there is interest. Details about the feature in the context of QEMU, are described in `Platforms/Docs/Q35/Features/feature_tpm_replay.md` in this change. - [x] Impacts functionality? - **Functionality** - Does the change ultimately impact how firmware functions? - Examples: Add a new library, publish a new PPI, update an algorithm, ... - [ ] Impacts security? - **Security** - Does the change have a direct security impact on an application, flow, or firmware? - Examples: Crypto algorithm change, buffer overflow fix, parameter validation improvement, ... - [ ] Breaking change? - **Breaking change** - Will anyone consuming this change experience a break in build or boot behavior? - Examples: Add a new library class, move a module to a different repo, call a function in a new library class in a pre-existing module, ... - [ ] Includes tests? - **Tests** - Does the change include any explicit test code? - Examples: Unit tests, integration tests, robot tests, ... - [x] Includes documentation? - **Documentation** - Does the change contain explicit documentation additions outside direct code modifications (and comments)? - Examples: Update readme file, add feature readme file, link to documentation on an a separate Web page, ... ## How This Was Tested - Input YAML to binary - Input JSON to binary - Input binary to YAML - Replay events on QEMU Q35 to PCRs - Verify event log in OS against the input file ## Integration Instructions See `feature_tpm_replay.md`. Enable the feature in `QemuQ35Pkg` in the DSC file: ```ini DEFINE TPM_REPLAY_ENABLED = TRUE ``` Or, as a `stuart_build` argument: ```bash > stuart_build -c Platforms/QemuQ35Pkg/PlatformBuild.py --flashrom TOOL_CHAIN_TAG=GCC5 BLD_*_TPM_ENABLE=TRUE \ BLD_*_TPM_ENABLE=TRUE TPM_DEV=/tmp/mytpm1/swtpm-sock ``` Then, follow instructions to create the TPM Replay event log and load it. Signed-off-by: Michael Kubacki <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Feature Overview
A new feature was recently added to mu_plus called TPM Replay.
Details are in microsoft/mu_plus#287.
That feature is very useful on a virtual platform like QEMU because it allows rapid testing of TPM Replay event logs replayed by the feature. This issue tracks integrating the feature in
QemuQ35Pkg.Solution Overview
TPM_REPLAY_ENABLEDflag.FvMeasurementExclusionLiblibrary class for the platform.Alternatives Considered
No response
Urgency
Medium
Are you going to implement the feature request?
I will implement the feature
Do you need maintainer feedback?
No maintainer feedback needed
Anything else?
No response
The text was updated successfully, but these errors were encountered: