.. SPDX-License-Identifier: GPL-2.0

=============
TPM Event Log
=============

This document briefly describes what the TPM event log is and how it is
handed over from the preboot firmware to the operating system.

Introduction
============

The preboot firmware maintains an event log that gets a new entry every
time something is hashed by it into any of the PCR registers. The events
are segregated by their type and contain the hash value that was extended
into the PCR register. Typically, the preboot firmware will hash the
components to which execution is to be handed over, or actions relevant
to the boot process.

The main application for this is remote attestation, and the reason why
it is useful is nicely put in the very first section of [1]:

"Attestation is used to provide information about the platform’s state
to a challenger. However, PCR contents are difficult to interpret;
therefore, attestation is typically more useful when the PCR contents
are accompanied by a measurement log. While not trusted on their own,
the measurement log contains a richer set of information than do the PCR
contents. The PCR contents are used to provide the validation of the
measurement log."

UEFI event log
==============

The UEFI-provided event log has a few quirks.

Before calling ExitBootServices(), the Linux EFI stub copies the event log
to a custom configuration table defined by the stub itself. Unfortunately,
the events generated by ExitBootServices() don't end up in that table.

The firmware provides a so-called final events configuration table to sort
out this issue. Events get mirrored to this table after the first time
EFI_TCG2_PROTOCOL.GetEventLog() is called.

This introduces another problem: nothing guarantees that GetEventLog() is
not called before the Linux EFI stub gets to run, in which case events that
are already in the stub's copy of the log are also present in the final
events table. Thus, the stub needs to calculate the size of the final
events table while it is still running and save it to the custom
configuration table, so that the TPM driver can later skip those events
when concatenating the two halves of the event log from the custom
configuration table and the final events table.

References
==========

- [1] https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/
- [2] The final concatenation is done in drivers/char/tpm/eventlog/efi.c
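Worked example
==============

The following Python is an added example and is not kernel code; it
illustrates the two points made above: PCR contents validate the log
(replaying the extends must reproduce the PCR values), and the two halves
of the UEFI log can only be joined correctly if the driver skips the
prefix of the final events table that the stub already copied. The record
layout is TCG_PCR_EVENT2 as described in [1], with these assumptions made
here for brevity: only a SHA-256 bank is present, the TCG_EfiSpecIdEvent
header record and the configuration table headers are omitted, and the
event log bytes, event names and the `final_events_preboot_size` value are
constructed in memory rather than read from firmware.

```python
"""Added example: parse TCG_PCR_EVENT2 records, replay them into PCR values,
and stitch the stub's copy of the event log with the final events table.
Constructed data; single SHA-256 bank; SpecID and table headers omitted."""
import hashlib
import struct

TPM_ALG_SHA256 = 0x000B              # TPM_ALG_ID for SHA-256
DIGEST_SIZES = {TPM_ALG_SHA256: 32}  # digest length per algorithm id
EV_EFI_ACTION = 0x80000007           # event type used for the constructed events


def make_event2(pcr, event_type, data):
    """Build one TCG_PCR_EVENT2 record carrying a single SHA-256 digest of data."""
    digest = hashlib.sha256(data).digest()
    return (struct.pack("<III", pcr, event_type, 1)       # PCRIndex, EventType, Digests.Count
            + struct.pack("<H", TPM_ALG_SHA256) + digest  # TPMT_HA: AlgorithmId + digest
            + struct.pack("<I", len(data)) + data)        # EventSize, Event


def parse_event2(buf, off):
    """Parse one TCG_PCR_EVENT2 at buf[off:]; return ((pcr, type, digests, data), next_off)."""
    pcr, event_type, count = struct.unpack_from("<III", buf, off)
    off += 12
    digests = {}
    for _ in range(count):
        (alg,) = struct.unpack_from("<H", buf, off)
        off += 2
        size = DIGEST_SIZES[alg]     # unknown algorithm: KeyError, stop rather than misparse
        digests[alg] = bytes(buf[off:off + size])
        off += size
    (event_size,) = struct.unpack_from("<I", buf, off)
    off += 4
    data = bytes(buf[off:off + event_size])
    if len(data) != event_size:
        raise ValueError("truncated event record")
    return (pcr, event_type, digests, data), off + event_size


def parse_log(buf):
    """Parse a sequence of TCG_PCR_EVENT2 records."""
    events, off = [], 0
    while off < len(buf):
        event, off = parse_event2(buf, off)
        events.append(event)
    return events


def replay(events):
    """Replay the extends: PCR' = SHA256(PCR || digest), every PCR starting at zero."""
    pcrs = {}
    for pcr, _event_type, digests, _data in events:
        old = pcrs.get(pcr, b"\x00" * 32)
        pcrs[pcr] = hashlib.sha256(old + digests[TPM_ALG_SHA256]).digest()
    return pcrs


def stitch(stub_log, final_events, final_events_preboot_size):
    """Join the halves, skipping the final-table prefix the stub already copied."""
    return stub_log + final_events[final_events_preboot_size:]


def scenario():
    """Constructed boot sequence that exercises the double-logging quirk."""
    e1 = make_event2(0, EV_EFI_ACTION, b"firmware volume")   # before any GetEventLog() call
    e2 = make_event2(4, EV_EFI_ACTION, b"boot manager")
    # A pre-stub component calls GetEventLog(); from here on every event is
    # mirrored into the final events table as well as the main log.
    e3 = make_event2(4, EV_EFI_ACTION, b"pre-stub loader")
    stub_log = e1 + e2 + e3                      # what the stub copies to its table
    final_events_preboot_size = len(e3)          # final-table bytes the stub has already seen
    # ExitBootServices() logs one more event; it lands only in the final table.
    e4 = make_event2(5, EV_EFI_ACTION, b"Exit Boot Services Invocation")
    final_table = e3 + e4
    true_log = e1 + e2 + e3 + e4                 # the sequence the TPM actually extended
    stitched = stitch(stub_log, final_table, final_events_preboot_size)
    naive = stub_log + final_table               # concatenation without the skip
    expected = replay(parse_log(true_log))
    return {
        "stitched_ok": replay(parse_log(stitched)) == expected,
        "naive_ok": replay(parse_log(naive)) == expected,
        "stitched_count": len(parse_log(stitched)),
        "naive_count": len(parse_log(naive)),
    }


if __name__ == "__main__":
    print(scenario())
```

The naive concatenation double-counts the event that was mirrored before
the stub ran, so its replayed value for PCR 4 no longer matches the TPM
and the log would fail validation against a quote; skipping
`final_events_preboot_size` bytes of the final table restores the match.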