[00/15] libstb: Advance TSS and mbedtls infrastructure.

Message ID	20200125001510.708149-1-maurosr@linux.vnet.ibm.com
Headers	show Return-Path: <skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org> From: "Mauro S. M. Rodrigues" <maurosr@linux.vnet.ibm.com> To: skiboot@lists.ozlabs.org Date: Fri, 24 Jan 2020 21:14:55 -0300 Message-Id: <20200125001510.708149-1-maurosr@linux.vnet.ibm.com> MIME-Version: 1.0 Subject: [Skiboot] [PATCH 00/15] libstb: Advance TSS and mbedtls infrastructure. Precedence: list Cc: grimm@linux.ibm.com, nayna@linux.ibm.com Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Skiboot" <skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>
Series	libstb: Advance TSS and mbedtls infrastructure. \| expand [00/15] libstb: Advance TSS and mbedtls infrastructure. [02/15] crypto: add mbedtls build integration via git subtree [03/15] crypto/mbedtls: disable unnecessary features to shrink size [04/15] libstb: remove old mbedtls files [05/15] crypto: add out-of-tree mbedtls pkcs7 parser [07/15] DO NOT MERGE: Remove weror from compilation temporarily [08/15] libstb/tss2: Add Build infrastructure for tss2 [09/15] TPM/TSS: Register TPM chip for further use within TSS [10/15] libstb/tss2: Add multiple TSS wrapping functions [11/15] libstb/trustedboot: Introduce new eventlog implementation [12/15] mbedtls: Compile with MBEDTLS_AES_C and MBEDTLS_CIPHER_MODE_CFB [13/15] Introduce tsscryptombed [14/15] Switchover to new implementation of PCR Read/Extend and Eventlog [15/15] TSS/Trustedboot: Remove old tss implementation

Message ID

20200125001510.708149-1-maurosr@linux.vnet.ibm.com

Headers

From: "Mauro S. M. Rodrigues" <maurosr@linux.vnet.ibm.com>
To: skiboot@lists.ozlabs.org
Date: Fri, 24 Jan 2020 21:14:55 -0300
Message-Id: <20200125001510.708149-1-maurosr@linux.vnet.ibm.com>
MIME-Version: 1.0
Subject: [Skiboot] [PATCH 00/15] libstb: Advance TSS and mbedtls
	infrastructure.
Precedence: list
Cc: grimm@linux.ibm.com, nayna@linux.ibm.com
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org
Sender: "Skiboot"
	<skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>

Series

libstb: Advance TSS and mbedtls infrastructure. | expand

Message

Mauro S. M. Rodrigues Jan. 25, 2020, 12:14 a.m. UTC

The previous TSS infrastructure code in skiboot, although correct, was only
enough for some fundamental TCG software stack operations, like PCR extend and
eventlog, and other TSB work like secvar requires broader infrastructure.

In patches 6 to 14 we introduced and switch to a complete TSS implementation,
supporting the previously existent operations, like PCR Extend, PCR Read and
EventLog for measurement, and including a new set of basic operations, until
we're able to remote the old implementation at patch 15.

For mbedtls it's a similar tale: additional support is necessary, like x509, and
such things are too tight to their original code base which makes too much
complicated to cherry-pick specific bits, and even harder to keep track on the
security aspects of it, like backporting security fixes, so it was decided to
bring the full implementation here.

This patch series introduces both TSS and mbedtls as subtrees, which diminishes
the maintenance burden at skiboot size since we can now rely on external
implementations of TSS and tls.

Note: Right now the following patch:

[PATCH 06/15] Squashed 'libstb/tss2/ibmtpm20tss/' content from commit

creates a subtree based on non-official tree (at
https://github.com/maurorodrigues/ibmtpm20tss branch maurosr/v4-tss-skiboot),
containing additional patches to support eventlog implementaion, which are
currently under review process to be merged in the official tree at
https://git.code.sf.net/p/ibmtpm20tss/tss, we plan to tie this subtree to the
official tree, but for review purposes we can use the temporary non-official
tree mentioned.

For mbedtls subtree it was used the follow git repository
https://github.com/ARMmbed/mbedtls tag: mbedtls-2.16.2

Eric Richter (2):
  crypto/mbedtls: disable unnecessary features to shrink size
  libstb: remove old mbedtls files

Mauro S. M. Rodrigues (12):
  Squashed 'libstb/crypto/mbedtls/' content from commit 7a03e1cbf
  crypto: add mbedtls build integration via git subtree
  Squashed 'libstb/tss2/ibmtpm20tss/' content from commit c0290205e
  DO NOT MERGE: Remove weror from compilation temporarily
  libstb/tss2: Add Build infrastructure for tss2
  TPM/TSS: Register TPM chip for further use within TSS
  libstb/tss2: Add multiple TSS wrapping functions
  libstb/trustedboot: Introduce new eventlog implementation
  mbedtls: Compile with MBEDTLS_AES_C and MBEDTLS_CIPHER_MODE_CFB
  Introduce tsscryptombed
  Switchover to new implementation of PCR Read/Extend and Eventlog
  TSS/Trustedboot: Remove old tss implementation

Nayna Jain (1):
  crypto: add out-of-tree mbedtls pkcs7 parser

--
2.24.1

Comments

Stewart Smith Jan. 26, 2020, 3:18 a.m. UTC | #1

On Fri, Jan 24, 2020, at 4:14 PM, Mauro S. M. Rodrigues wrote:
> The previous TSS infrastructure code in skiboot, although correct, was only
> enough for some fundamental TCG software stack operations, like PCR extend and
> eventlog, and other TSB work like secvar requires broader infrastructure.
> 
> In patches 6 to 14 we introduced and switch to a complete TSS implementation,
> supporting the previously existent operations, like PCR Extend, PCR Read and
> EventLog for measurement, and including a new set of basic operations, until
> we're able to remote the old implementation at patch 15.
> 
> For mbedtls it's a similar tale: additional support is necessary, like x509, and
> such things are too tight to their original code base which makes too much
> complicated to cherry-pick specific bits, and even harder to keep track on the
> security aspects of it, like backporting security fixes, so it was decided to
> bring the full implementation here.
> 
> This patch series introduces both TSS and mbedtls as subtrees, which diminishes
> the maintenance burden at skiboot size since we can now rely on external
> implementations of TSS and tls.
> 
> Note: Right now the following patch:
> 
> [PATCH 06/15] Squashed 'libstb/tss2/ibmtpm20tss/' content from commit
> 
> creates a subtree based on non-official tree (at
> https://github.com/maurorodrigues/ibmtpm20tss branch maurosr/v4-tss-skiboot),
> containing additional patches to support eventlog implementaion, which are
> currently under review process to be merged in the official tree at
> https://git.code.sf.net/p/ibmtpm20tss/tss, we plan to tie this subtree to the
> official tree, but for review purposes we can use the temporary non-official
> tree mentioned.

SF is a bit of a red flag.

Possibly a good idea to mirror it at github.com/open-power/ so no matter what happens with upstream there's a copy.

> For mbedtls subtree it was used the follow git repository
> https://github.com/ARMmbed/mbedtls tag: mbedtls-2.16.2

Probably also a good idea to have an open-power mirror.

Mauro S. M. Rodrigues Jan. 27, 2020, 6:18 p.m. UTC | #2

On Sat, Jan 25, 2020 at 07:18:41PM -0800, Stewart Smith wrote:
> On Fri, Jan 24, 2020, at 4:14 PM, Mauro S. M. Rodrigues wrote:
> > The previous TSS infrastructure code in skiboot, although correct, was only
> > enough for some fundamental TCG software stack operations, like PCR extend and
> > eventlog, and other TSB work like secvar requires broader infrastructure.
> >
> > In patches 6 to 14 we introduced and switch to a complete TSS implementation,
> > supporting the previously existent operations, like PCR Extend, PCR Read and
> > EventLog for measurement, and including a new set of basic operations, until
> > we're able to remote the old implementation at patch 15.
> >
> > For mbedtls it's a similar tale: additional support is necessary, like x509, and
> > such things are too tight to their original code base which makes too much
> > complicated to cherry-pick specific bits, and even harder to keep track on the
> > security aspects of it, like backporting security fixes, so it was decided to
> > bring the full implementation here.
> >
> > This patch series introduces both TSS and mbedtls as subtrees, which diminishes
> > the maintenance burden at skiboot size since we can now rely on external
> > implementations of TSS and tls.
> >
> > Note: Right now the following patch:
> >
> > [PATCH 06/15] Squashed 'libstb/tss2/ibmtpm20tss/' content from commit
> >
> > creates a subtree based on non-official tree (at
> > https://github.com/maurorodrigues/ibmtpm20tss branch maurosr/v4-tss-skiboot),
> > containing additional patches to support eventlog implementaion, which are
> > currently under review process to be merged in the official tree at
> > https://git.code.sf.net/p/ibmtpm20tss/tss, we plan to tie this subtree to the
> > official tree, but for review purposes we can use the temporary non-official
> > tree mentioned.
>
> SF is a bit of a red flag.
>
> Possibly a good idea to mirror it at github.com/open-power/ so no matter what happens with upstream there's a copy.

Thanks for your review. Just out of curiosity, SF can be a red flag by
itself, perhaps because its availability, or we just don't want to rely
on external parties other than github?

Either way, mirroring the repositories is probably a last step before
this series gets merged, right? And it requires one of the open-power
organization's owners in github to perform it, right?

-
Mauro
>
> > For mbedtls subtree it was used the follow git repository
> > https://github.com/ARMmbed/mbedtls tag: mbedtls-2.16.2
>
> Probably also a good idea to have an open-power mirror.
>
> _______________________________________________
> Skiboot mailing list
> Skiboot@lists.ozlabs.org
> https://lists.ozlabs.org/listinfo/skiboot