Hello,
As the prepartion for the series of patches for adding GICv3.1 and GICv4 support,
please review and provide your comments for the patch which introduces GICv3 makefile
and adds configuration options for the driver.
https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/3754
Regards.
Alexei
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
Hi Raghu,
Thanks for reviewing the proposal. Please find my answers below.
1) The idea was to use the same hash algorithm throughout all TF-A
code for consistency and not introduce any new build flags. One of the
initial implementations even didn't calculate the hash itself but was
reading verified data provided by the Chain of Trust (CoT) for the
purpose of optimisation.
Existing definition of TF_MBEDTLS_HASH_ALG_ID in
'drivers\auth\mbedtls\mbedtls_common.mk' at line #76:
ifeq (${HASH_ALG}, sha384)
TF_MBEDTLS_HASH_ALG_ID := TF_MBEDTLS_SHA384
else ifeq (${HASH_ALG}, sha512)
TF_MBEDTLS_HASH_ALG_ID := TF_MBEDTLS_SHA512
else
TF_MBEDTLS_HASH_ALG_ID := TF_MBEDTLS_SHA256
endif
passed to 'include\drivers\auth\mbedtls\mbedtls_config.h', line #72
#define MBEDTLS_SHA256_C
#if (TF_MBEDTLS_HASH_ALG_ID != TF_MBEDTLS_SHA256)
#define MBEDTLS_SHA512_C
#endif
and used in Mbed TLS to define MBEDTLS_MD_MAX_SIZE in 'include\mbedtls\md.h':
#if defined(MBEDTLS_SHA512_C)
#define MBEDTLS_MD_MAX_SIZE 64 /* longest known is SHA512 */
#else
#define MBEDTLS_MD_MAX_SIZE 32 /* longest known is SHA256 or less */
#endif
makes impossible usage HASH_ALG=sha256 for TF-A and sha512 for Measured Boot
calculations, because the following chain of function calls
arm_bl1_set_bl2_hash() ->
crypto_mod_calc_hash() ->
crypto_lib_desc.calc_hash() ->
calc_hash() ->
mbedtls_md_info_from_type()
returns CRYPTO_ERR_HASH error caused by insufficient space in internal Mbed TLS
buffers and fixing this issue needs extra modifications in make and header files.
Upgrading/changing the hash algorithm will require re-building of TF-A and
re-flashing BL1 in ROM, so please explain what you mean by
"potentially break measured boot on old devices in case a hash algorithm is broken"
The functionality for getting the hash algorithm from the platform (e.g. eFuses)
can be added later as a platform build option and requires fixing the issue described
above.
2) Yes, Measured Boot requires TF-A built with TRUSTED_BOARD_BOOT option enabled,
and as BL2 image is a part of CoT it is verified by BL1.
3) Yes. Event Log implementation is based on TCG Specifications.
BL2 loads images, calculates their hashes and writes data into Event Log stored
in Secure memory.
4) It is planned to add fTPM service implementation to TF-A, see Javier's message:
https://lists.trustedfirmware.org/pipermail/tf-a/2020-March/000339.html
Stuart could also comment on the naming convention.
5) N/A
6) Event Log is a complex structure with entries of different lengths, and
TFTF test checks the length of each field against the remaining size of the Event Log's
data to be processed before accessing and printing the actual data.
Thanks.
Alexei.
________________________________
From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf of Raghu Krishnamurthy via TF-A <tf-a(a)lists.trustedfirmware.org>
Sent: 21 March 2020 05:53
To: tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org>
Subject: Re: [TF-A] Proposal for Measured Boot Implementation
Hi Alexei,
Thanks. This looks good at first glance. However, i do have some
questions that aren't obvious to me by reading the description below and
looking at code. Questions are numbered based on your original email.
Perhaps these can be discussed in the TF-A forum if it is inconvenient
over email.
1) Would be good if the hash alg comes from the config file. This will
make the implementation "crypto agile" from the very beginning. It is
common to want to upgrade/change the hash algorithm and since BL1 is in
ROM, you potentially break measured boot on old devices in case a hash
algorithm is broken. The other option is to get the hash algorithm from
the platform, perhaps a platform gets it from eFuses as opposed to
config files.
2) It looks like you are using memory allocated in the loaded DTB as the
equivalent of a TPM "PCR". How is this protected from direct
modification by BL2? Or is it not protected because BL2 forms a part of
the Root-of-Trust for Measurement(RTM)?(since it's signature is verified
by BL1?)
3) What does "Event Log" refer to? Is it the same event log proposed by
TCG in the platform firmware profile ? As a general question, how close
is the measured boot in TF-A/PSA going to be to TCG ? Will BL2 extend
measurements for other images ?
4) Would be great not to refer to "TPM" in the measured boot
implementation. Here we are implementing measured boot without a TPM,
but it could be implemented with a TPM. Maybe it should be tcg event log?
5) OK.
6) What does validate event log mean here? More details ?
Thanks
-Raghu
On 3/20/20 7:15 AM, Alexei Fedorov via TF-A wrote:
> Hello,
>
> I'm preparing the next set of patches for Measured Boot support in TF-A,
> please find some details on design and implementation below.
>
> 1. SHA256/384/512 hash algorithm for Measured Boot related hash calculations
> is passed as an existing build 'HASH_ALG' build parameter.
>
> 2. BL1 calculates BL2 image hash and passes these data to BL2 via
> FW_CONFIG/TB_FW_CONFIG device tree in new 'bl2_hash_data' byte array
> added
> in 'fvp_fw_config.dts'.
>
> These changes are part of the patch under review, please see
> https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/3555
>
> 3. Event Log is calculated by BL2 in Secure Memory and copied to
> Non-secure memory. Address in Non-secure memory is calculated as:
>
> "nt_fw_config_addr + nt_fw_config_max_size"
>
> with values obtained from 'tb_fw_config':
>
> nt_fw_config_addr = <0x0 0x80000000>;
> nt_fw_config_max_size = <0x200>;
>
> 4. Event Log address and size is passed by TOS_FW_CONFIG and NT_FW_CONFIG
> device tree in 2 new added properties:
>
> Property name: 'tpm_event_log_addr'
> Value type is an unsigned 64-bit integer specifying the physical address
> of the Event Log.
>
> Property name: 'tpm_event_log_size'
> Value type is an unsigned 32-bit integer specifying the size of the
> Event Log.
>
> /* TPM Event Log Config */
> tpm_event_log {
> compatible = "arm,nt_fw";
> tpm_event_log_addr = <0x0 0x0>;
> tpm_event_log_size = <0x0>;
> };
>
> 5. TF-A provides Event Log to the BL33 (TFTF/UEFI/U-boot) in 'nt_fw_config'
> device tree, which address is passed by BL31 as 'arg0' parameter,
> see TFTF patch:
>
> https://review.trustedfirmware.org/c/TF-A/tf-a-tests/+/3327
>
> 6. A new test which validates and prints Event Log data passed
> in 'nt_fw_config' to BL33 will be added to TFTF.
>
> Please review and provide your comments on the proposed design.
>
> Regards.
> Alexei.
>
> IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended
> recipient, please notify the sender immediately and do not disclose the
> contents to any other person, use it for any purpose, or store or copy
> the information in any medium. Thank you.
>
--
TF-A mailing list
TF-A(a)lists.trustedfirmware.org
https://lists.trustedfirmware.org/mailman/listinfo/tf-a
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
Hello,
>But I am worried that a self-review is rarely as good as a peer review
On practice, unfortunately, some TF-M tasks are waiting weeks and even months for review and following approvals.
If I were a maintainer & owner of my own TFM area, I do not want to wait & push & remind somebody else.
Better to have a post-merge review for these cases, which does not limit and slow down the development.
Thanks,
Andrej Butok
-----Original Message-----
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Sandrine Bailleux via TF-M
Sent: Thursday, March 26, 2020 10:28 AM
To: Christian Daudt <Christian.Daudt(a)cypress.com>; tf-a <tf-a(a)lists.trustedfirmware.org>; tf-m(a)lists.trustedfirmware.org; tsc(a)lists.trustedfirmware.org; op-tee(a)linaro.org
Cc: nd(a)arm.com
Subject: Re: [TF-M] Project Maintenance Proposal for tf.org Projects
Hi Christian,
Thanks a lot for the read and the comments!
On 3/25/20 7:05 PM, Christian Daudt wrote:
> �The maintenance proposal looks great ! I have some feedback on
> specific portions:
> �1. maintainer/owner/author patches. " Note that roles can be
> cumulative, in particular the same individual can be both a code owner
> and a maintainer. In such a scenario, the individual would be able to
> self-merge a patch solely affecting his module, having the authority
> to approve it from both a code owner and maintainer's point of view.":
> I'm always leery of people self-approving their patches. At a minimum,
> all self-patches should be published and a minimum wait time provided
> for feedback. Or preferably that another maintainer does the merge (it
> does not need to be mandated but should be suggested).
Yes, actually this is something that generated some disagreement inside Arm as well and I am glad you're bringing this up here, as I'd like to hear more opinions on this.
I too have concerns about allowing self-reviewing. I am not so much concerned about people potentially abusing of this situation to silently merge patches, as I think we should trust our maintainers. But I am worried that a self-review is rarely as good as a peer review, simply because it is so easy to miss things when it's your own work. I believe several pair of eyes is always better, as different people think differently, have different perspectives and backgrounds, and are able to catch different issues.
But to pull this off, we need enough people to do all these reviews. The proposal currently allows self-review because some of us feared that mandating 2 reviewers for every patch (especially pure platform patches) would be impractical and too heavyweight, especially for the TF-M project in its current contributors organization, as I understand. It would be great to get more feedback from the TF-M community as to whether they think it could work in the end.
It's a difficult balance between having the best possible code review practices, and realistically getting all the review work done in a timely manner, avoiding bottlenecks on specific people and keeping the flow of patches smooth.
I like your idea of a minimum wait time provided for feedback. I think it could be a good middle ground solution.
Your other suggestion of having a different maintainer doing the merge would work as well IMO but requires more workforce. Again this comes down to whether this can realistically be achieved for each project.
This solution was actually suggested within Arm as well (and even called out at the end of the proposal ;) ).
Bottom line is, in an ideal world I would like to condemn self-review because I consider this as bad practice, but I do not know whether this will be practical and will work for TF-M as well.
> �2. 'timely manner': This expectation should be more explicit -
> when the author can start requesting other maintainers to merge on
> assumption that silence == approval (or not). Such timeliness
> expectations are probably best set per project however.
Yes, "timely manner" is definitely too vague and was actually left that way on purpose at this stage to avoid touching upon what I think is a sensitive subject! I am aware that some patches sometimes spend a long time in review, definitely longer than they should and it understandably generates some frustration. This is something we absolutely need to improve on IMO and hopefully a bigger pool of maintainers will help solve this issue. But I agree that the expected review timeline should be clearly established and it is probably best to let each project decides theirs.
> �3. The proposal does not address branching strategies. i.e. will
> there be separate maintainers for dev/master/stable branches? I don't
> think it needs to address it yet - keep it simpler for a start. But a
> todo saying something like "in the future this project maintenance
> proposal might be expanded to address multi-branch maintainership" would be good.
Good point. A todo sounds good, I will add one in the last section of the document.
> �4. The platform lifecycle state machine has too many transitions.
> "Fully maintained" <-> "orphan" -> "out" seems sufficient to me.
Hmm OK. There might be too many transitions but I feel we need something between fully maintained and out, i.e. the limited support one.
Julius Werner also pointed out on Thursday that orphan might be misplaced, as all these other stages deal with some degrees of feature support (what's known to work), whereas orphan is an orthogonal topic that is not directly related to the level of supported features. For example, a platform could have recently become orphan but all features and tests still work for some time.
Regards,
Sandrine
--
TF-M mailing list
TF-M(a)lists.trustedfirmware.org
https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.tru…
Hello,
Following up with the Proposal for Measured Boot Implementation
described in
https://lists.trustedfirmware.org/pipermail/tf-a/2020-March/000332.html
, I am working on the implementation of a test fTPM service to exercise
Measured Boot on TF-A.
Some details about the implementation can be found below:
1.- The service will be based on Microsoft's reference implementation
of the TPM 2.0 Specification by TCG. It will be implemented as an OP-
TEE TA.
2.- During service initialisation, the fTPM service will read the TPM
Event Log stored by Measured Boot in Secure Memory and it will extend
it into the PCR specified by the log header.
3.- Alongside with the fTPM service, a test framework based on OP-TEE
Toolkit is being implemented as well. This test framework will generate
and run a Linux/Buildroot environment over a Foundation Model so the
fTPM's PCRs can be accessed to verify its content.
It is important here to highlight that this fTPM service and the
related test framework are meant to be used only for demonstration
purposes, it is not meant to be used as a production implementation.
Please, let me know any comment or query you might have with regards
this.
Best regards,
Javier
Hi,
This is to notify that we are planning to target the Trusted Firmware-A 2.3 release during the third week of April as part of the regular 6 month cadence. The aim is to consolidate all TF-A work since the 2.2 release. As part of this, a release candidate tag will be created and release activities will commence from Monday April 6th. Essentially we will not merge any major enhancements from this date until the release is made. Please ensure any Pull Requests (PR's) desired to make the 2.2 release are submitted in good time to be complete by Friday April 3rd. Any major enhancement PR's still open after that date will not be merged until after the release.
Thanks & best regards,
[cid:image001.jpg@01D5F78C.8108B010]
Bipin Ravi | Principal Design Enginee
Bipin.ravi(a)arm.com<mailto:Bipin.ravi@arm.com> | Skype: Bipin.Ravi.ARM
Direct: +1-512-225 -1071 | Mobile: +1-214-212-0794
5707 Southwest Parkway, Suite 100, Austin, TX 78735
Hello all,
As the developers community at trustedfirmware.org is growing, there is
an increasing need to have work processes that are clearly documented,
feel smooth and scale well. We think that there is an opportunity to
improve the way the trustedfirmware.org projects are managed today.
That's why we are sharing a project maintenance proposal, focusing on
the TF-A and TF-M projects initially. The aim of this document is to
propose a set of rules, guidelines and processes to try and improve the
way we work together as a community today.
Note that this is an early draft at this stage. This is put up for
further discussion within the trustedfirmware.org community. Nothing is
set in stone yet and it is expected to go under change as feedback from
the community is incorporated.
Please find the initial proposal here:
https://developer.trustedfirmware.org/w/collaboration/project-maintenance-p…
Please provide any feedback you may have by replying to this email
thread, keeping all 4 mailing lists in the recipients list.
I will collate comments from the community and try to incorporate them
in the document, keeping you updated on changes made between revisions.
Regards,
Sandrine
Hi Victor,
There's currently no plan to support Trusted Debug Control, primarily for the lack of an available platform IP component requiring it.
Are you aware of a specific need for a real platform, that could also be available for testing the implementation?
Thanks
Matteo
From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of Victor Duan via TF-A
Sent: 18 March 2020 01:35
To: tf-a(a)lists.trustedfirmware.org
Subject: [TF-A] Trusted Debug Control
Trusted Debug Control specified by TBBR CLIENT is as not supported in the current TF-A v2.2. Is there any plan to support it in the future?
Thank you!
Hi Alexei,
Thanks. This looks good at first glance. However, i do have some
questions that aren't obvious to me by reading the description below and
looking at code. Questions are numbered based on your original email.
Perhaps these can be discussed in the TF-A forum if it is inconvenient
over email.
1) Would be good if the hash alg comes from the config file. This will
make the implementation "crypto agile" from the very beginning. It is
common to want to upgrade/change the hash algorithm and since BL1 is in
ROM, you potentially break measured boot on old devices in case a hash
algorithm is broken. The other option is to get the hash algorithm from
the platform, perhaps a platform gets it from eFuses as opposed to
config files.
2) It looks like you are using memory allocated in the loaded DTB as the
equivalent of a TPM "PCR". How is this protected from direct
modification by BL2? Or is it not protected because BL2 forms a part of
the Root-of-Trust for Measurement(RTM)?(since it's signature is verified
by BL1?)
3) What does "Event Log" refer to? Is it the same event log proposed by
TCG in the platform firmware profile ? As a general question, how close
is the measured boot in TF-A/PSA going to be to TCG ? Will BL2 extend
measurements for other images ?
4) Would be great not to refer to "TPM" in the measured boot
implementation. Here we are implementing measured boot without a TPM,
but it could be implemented with a TPM. Maybe it should be tcg event log?
5) OK.
6) What does validate event log mean here? More details ?
Thanks
-Raghu
On 3/20/20 7:15 AM, Alexei Fedorov via TF-A wrote:
> Hello,
>
> I'm preparing the next set of patches for Measured Boot support in TF-A,
> please find some details on design and implementation below.
>
> 1. SHA256/384/512 hash algorithm for Measured Boot related hash calculations
> is passed as an existing build 'HASH_ALG' build parameter.
>
> 2. BL1 calculates BL2 image hash and passes these data to BL2 via
> FW_CONFIG/TB_FW_CONFIG device tree in new 'bl2_hash_data' byte array
> added
> in 'fvp_fw_config.dts'.
>
> These changes are part of the patch under review, please see
> https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/3555
>
> 3. Event Log is calculated by BL2 in Secure Memory and copied to
> Non-secure memory. Address in Non-secure memory is calculated as:
>
> "nt_fw_config_addr + nt_fw_config_max_size"
>
> with values obtained from 'tb_fw_config':
>
> nt_fw_config_addr = <0x0 0x80000000>;
> nt_fw_config_max_size = <0x200>;
>
> 4. Event Log address and size is passed by TOS_FW_CONFIG and NT_FW_CONFIG
> device tree in 2 new added properties:
>
> Property name: 'tpm_event_log_addr'
> Value type is an unsigned 64-bit integer specifying the physical address
> of the Event Log.
>
> Property name: 'tpm_event_log_size'
> Value type is an unsigned 32-bit integer specifying the size of the
> Event Log.
>
> /* TPM Event Log Config */
> tpm_event_log {
> compatible = "arm,nt_fw";
> tpm_event_log_addr = <0x0 0x0>;
> tpm_event_log_size = <0x0>;
> };
>
> 5. TF-A provides Event Log to the BL33 (TFTF/UEFI/U-boot) in 'nt_fw_config'
> device tree, which address is passed by BL31 as 'arg0' parameter,
> see TFTF patch:
>
> https://review.trustedfirmware.org/c/TF-A/tf-a-tests/+/3327
>
> 6. A new test which validates and prints Event Log data passed
> in 'nt_fw_config' to BL33 will be added to TFTF.
>
> Please review and provide your comments on the proposed design.
>
> Regards.
> Alexei.
>
> IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended
> recipient, please notify the sender immediately and do not disclose the
> contents to any other person, use it for any purpose, or store or copy
> the information in any medium. Thank you.
>
>> As a general reminder, it is up to the developer to document changes in common TF-A code that is relevant in the "Upcoming Change Log" file.
Thanks for highlighting this. For Tegra platforms, we will provide up to date information to the platform change log after 2.3. We will have to live with the current state of the log for 2.3.
>> Reviewers please continue to help determine if documentation is required for a given patch.
Curious, have there been discussions around automating this somehow? E.g. add a tag to the commit message for a script to pick later.
From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of Lauren Wehrmeister via TF-A
Sent: Tuesday, March 17, 2020 10:51 AM
To: tf-a(a)lists.trustedfirmware.org
Subject: [TF-A] Platforms to maintain their own Change Log files following 2.3 Release
External email: Use caution opening links or attachments
Hi All,
Following the TF-A release planned for April, platforms will be expected to maintain their own Change Log files to document relevant changes in platform specific code. The common TF-A Change Log will no longer document Platform specific updates after the 2.3 release.
As a general reminder, it is up to the developer to document changes in common TF-A code that is relevant in the "Upcoming Change Log" file. Reviewers please continue to help determine if documentation is required for a given patch. During each code freeze for a release the documentation in the upcoming change log will be moved to the change log corresponding to the release.
Thanks,
Lauren Wehrmeister
-----------------------------------------------------------------------------------
This email message is for the sole use of the intended recipient(s) and may contain
confidential information. Any unauthorized review, use, disclosure or distribution
is prohibited. If you are not the intended recipient, please contact the sender by
reply email and destroy all copies of the original message.
-----------------------------------------------------------------------------------