Improve measured boot support

Author: dgarske

docs/TPM.md

@@ -11,8 +11,9 @@ In wolfBoot we support TPM based root of trust, sealing/unsealing, cryptographic
 | `WOLFBOOT_TPM_KEYSTORE=1` | `WOLFBOOT_TPM_KEYSTORE` | Enables TPM based root of trust. NV Index must store a hash of the trusted public key. |
 | `WOLFBOOT_TPM_KEYSTORE_NV_BASE=0x` | `WOLFBOOT_TPM_KEYSTORE_NV_BASE=0x` | NV index in platform range 0x1400000 - 0x17FFFFF. |
 | `WOLFBOOT_TPM_KEYSTORE_AUTH=secret` | `WOLFBOOT_TPM_KEYSTORE_AUTH` | Password for NV access |
-| `MEASURED_BOOT=1` | `WOLFBOOT_MEASURED_BOOT` | Enable measured boot. Extend PCR with wolfBoot hash. |
+| `MEASURED_BOOT=1` | `WOLFBOOT_MEASURED_BOOT` | Enable measured boot. Extends PCR with a hash of the wolfBoot bootloader code. |
 | `MEASURED_PCR_A=16` | `WOLFBOOT_MEASURED_PCR_A=16` | The PCR index to use. See [docs/measured_boot.md](/docs/measured_boot.md). |
+| `MEASURED_BOOT_APP_PARTITION=1` | `WOLFBOOT_MEASURED_BOOT_APP_PARTITION` | Legacy: measure the boot (application) partition instead of wolfBoot code. |
 | `WOLFBOOT_TPM_SEAL=1` | `WOLFBOOT_TPM_SEAL` | Enables support for sealing/unsealing based on PCR policy signed externally. |
 | `WOLFBOOT_TPM_SEAL_NV_BASE=0x01400300` | `WOLFBOOT_TPM_SEAL_NV_BASE` | To override the default sealed blob storage location in the platform hierarchy. |
 | `WOLFBOOT_TPM_SEAL_AUTH=secret` | `WOLFBOOT_TPM_SEAL_AUTH` | Password for sealing/unsealing secrets, if omitted the PCR policy will be used |
@@ -30,7 +31,9 @@ NOTE: The TPM's RSA verify requires ASN.1 encoding, so use SIGN=RSA2048ENC
 
 ## Measured Boot
 
-The wolfBoot image is hashed and extended to the indicated PCR. This can be used later in the application to prove the boot process was not tampered with. Enabled with `WOLFBOOT_MEASURED_BOOT` and exposes API `wolfBoot_tpm2_extend`.
+The wolfBoot bootloader code is hashed and extended to the indicated PCR. This can be used later in the application to prove the boot process was not tampered with. Enabled with `WOLFBOOT_MEASURED_BOOT` and exposes API `wolfBoot_tpm2_extend`.
+
+By default, the measurement covers wolfBoot's own code region (from `_start_text` to `_stored_data` linker symbols). To use the legacy behavior of measuring the boot (application) partition instead, set `MEASURED_BOOT_APP_PARTITION=1`.
 
 ## Sealing and Unsealing a secret
 

docs/measured_boot.md

@@ -30,8 +30,13 @@ Having TPM measurements provide a way for the firmware or Operating System(OS),
 like Windows or Linux, to know that the software loaded before it gained control
 over system, is trustworthy and not modified.
 
-In wolfBoot the concept is simplified to measuring a single component, the main
-firmware image. However, this can easily be extended by using more PCR registers.
+In wolfBoot the concept is simplified to measuring a single component, the
+wolfBoot bootloader code itself. This ensures the bootloader has not been
+tampered with before it verifies and loads the application. However, this can
+easily be extended by using more PCR registers.
+
+To use the legacy behavior of measuring the boot (application) partition instead
+of wolfBoot's own code, set `MEASURED_BOOT_APP_PARTITION=1` in your config.
 
 ## Configuration
 
@@ -81,6 +86,6 @@ MEASURED_PCR_A?=16
 ### Code
 
 wolfBoot offers out-of-the-box solution. There is zero need of the developer to touch wolfBoot code
-in order to use measured boot. If you would want to check the code, then look in `src/image.c` and
-more specifically the `measure_boot()` function. There you would find several TPM2 native API calls
-to wolfTPM. For more information about wolfTPM you can check its GitHub repository.
+in order to use measured boot. If you would want to check the code, then look in `src/tpm.c` and
+more specifically the `self_hash()` and `measure_boot()` functions. There you would find several TPM2
+native API calls to wolfTPM. For more information about wolfTPM you can check its GitHub repository.

options.mk

@@ -38,6 +38,9 @@ ifeq ($(MEASURED_BOOT),1)
   WOLFTPM:=1
   CFLAGS+=-D"WOLFBOOT_MEASURED_BOOT"
   CFLAGS+=-D"WOLFBOOT_MEASURED_PCR_A=$(MEASURED_PCR_A)"
+  ifeq ($(MEASURED_BOOT_APP_PARTITION),1)
+    CFLAGS+=-D"WOLFBOOT_MEASURED_BOOT_APP_PARTITION"
+  endif
 endif
 
 ## TPM keystore

src/tpm.c

@@ -229,13 +229,29 @@ static int TPM2_IoCb(TPM2_CTX* ctx, const uint8_t* txBuf, uint8_t* rxBuf,
 
 #ifdef WOLFBOOT_MEASURED_BOOT
 
-#ifndef WOLFBOOT_NO_PARTITIONS
+#ifdef WOLFBOOT_MEASURED_BOOT_APP_PARTITION
+    /* Legacy: measure the boot (application) partition */
+    #ifndef WOLFBOOT_NO_PARTITIONS
+        #define SELF_HASH_ADDR  ((uintptr_t)WOLFBOOT_PARTITION_BOOT_ADDRESS)
+        #define SELF_HASH_SZ    ((uint32_t)WOLFBOOT_PARTITION_SIZE)
+    #endif
+#else
+    /* Default: measure wolfBoot's own code region
+     * (from ARCH_FLASH_OFFSET to WOLFBOOT_PARTITION_BOOT_ADDRESS) */
+    #if defined(WOLFBOOT_PARTITION_BOOT_ADDRESS) && defined(ARCH_FLASH_OFFSET)
+        #define SELF_HASH_ADDR  ((uintptr_t)ARCH_FLASH_OFFSET)
+        #define SELF_HASH_SZ    ((uint32_t)((uintptr_t)WOLFBOOT_PARTITION_BOOT_ADDRESS - \
+                                            (uintptr_t)ARCH_FLASH_OFFSET))
+    #endif
+#endif
+
+#ifdef SELF_HASH_ADDR
 #ifdef WOLFBOOT_HASH_SHA256
 #include <wolfssl/wolfcrypt/sha256.h>
 static int self_sha256(uint8_t *hash)
 {
-    uintptr_t p = (uintptr_t)WOLFBOOT_PARTITION_BOOT_ADDRESS;
-    uint32_t sz = (uint32_t)WOLFBOOT_PARTITION_SIZE;
+    uintptr_t p = SELF_HASH_ADDR;
+    uint32_t sz = SELF_HASH_SZ;
     uint32_t blksz, position = 0;
     wc_Sha256 sha256_ctx;
 
@@ -244,7 +260,8 @@ static int self_sha256(uint8_t *hash)
         blksz = WOLFBOOT_SHA_BLOCK_SIZE;
         if (position + blksz > sz)
             blksz = sz - position;
-    #if defined(EXT_FLASH) && defined(NO_XIP)
+    #if defined(EXT_FLASH) && defined(NO_XIP) && \
+        defined(WOLFBOOT_MEASURED_BOOT_APP_PARTITION)
         rc = ext_flash_read(p, ext_hash_block, WOLFBOOT_SHA_BLOCK_SIZE);
         if (rc != WOLFBOOT_SHA_BLOCK_SIZE)
             return -1;
@@ -264,8 +281,8 @@ static int self_sha256(uint8_t *hash)
 #include <wolfssl/wolfcrypt/sha512.h>
 static int self_sha384(uint8_t *hash)
 {
-    uintptr_t p = (uintptr_t)WOLFBOOT_PARTITION_BOOT_ADDRESS;
-    uint32_t sz = (uint32_t)WOLFBOOT_PARTITION_SIZE;
+    uintptr_t p = SELF_HASH_ADDR;
+    uint32_t sz = SELF_HASH_SZ;
     uint32_t blksz, position = 0;
     wc_Sha384 sha384_ctx;
 
@@ -274,7 +291,8 @@ static int self_sha384(uint8_t *hash)
         blksz = WOLFBOOT_SHA_BLOCK_SIZE;
         if (position + blksz > sz)
             blksz = sz - position;
-    #if defined(EXT_FLASH) && defined(NO_XIP)
+    #if defined(EXT_FLASH) && defined(NO_XIP) && \
+        defined(WOLFBOOT_MEASURED_BOOT_APP_PARTITION)
         rc = ext_flash_read(p, ext_hash_block, WOLFBOOT_SHA_BLOCK_SIZE);
         if (rc != WOLFBOOT_SHA_BLOCK_SIZE)
             return -1;
@@ -290,7 +308,7 @@ static int self_sha384(uint8_t *hash)
     return 0;
 }
 #endif /* HASH type */
-#endif /* WOLFBOOT_NO_PARTITIONS */
+#endif /* SELF_HASH_ADDR */
 
 /**
  * @brief Extends a PCR in the TPM with a hash.
@@ -1442,8 +1460,9 @@ int wolfBoot_tpm2_init(void)
     }
 #endif /* WOLFBOOT_TPM_KEYSTORE | WOLFBOOT_TPM_SEAL */
 
-#if defined(WOLFBOOT_MEASURED_BOOT) && !defined(WOLFBOOT_NO_PARTITIONS)
-    /* hash wolfBoot and extend PCR */
+#if defined(WOLFBOOT_MEASURED_BOOT) && defined(SELF_HASH_ADDR)
+    /* measured boot: hash wolfBoot code (or boot partition if
+     * WOLFBOOT_MEASURED_BOOT_APP_PARTITION) and extend PCR */
     if (rc == 0) {
         rc = self_hash(digest);
         if (rc == 0) {
@@ -1453,7 +1472,7 @@ int wolfBoot_tpm2_init(void)
             wolfBoot_printf("Error %d performing wolfBoot measurement!\n", rc);
         }
     }
-#endif /* defined(WOLFBOOT_MEASURED_BOOT) && !defined(WOLFBOOT_NO_PARTITIONS) */
+#endif /* WOLFBOOT_MEASURED_BOOT && SELF_HASH_ADDR */
 
     return rc;
 }