Re: [PATCH 2/2] efi_selftest: add selftest for EFI_TCG2_PROTOCOL and Measured Boot

Sat Oct 30 08:13:15 CEST 2021

Am 30. Oktober 2021 08:02:02 MESZ schrieb Ilias Apalodimas <ilias.apalodimas at linaro.org>:
>Hi Heinrich
>
>[...]
>
>> >>> +$(obj)/efi_selftest_tcg2.o: $(obj)/efi_miniapp_file_image_measuredboot.h
>> >>> diff --git a/lib/efi_selftest/efi_selftest_miniapp_measuredboot.c b/lib/efi_selftest/efi_selftest_miniapp_measuredboot.c
>> >>
>> >> Thank you for going the extra mile and adding the test.
>> >>
>> >> Which image is actually loaded seems to be irrelevant for the test. Can
>> >> we reuse an existing one, e.g. efi_miniapp_file_image_return.h?
>> >>
>> >> I guess the PCR related to the loaded image is not checked as it will
>> >> depend on the build tools and date.
>> >
>> > Sorry, I'm doing wrong.
>> > Actually this selftest verifies the PE/COFF image measurement, so measuremt
>> > will be different depending on the build tools and date.
>> >   # In my build environment, timestamp is set to all zero.
>> >
>> > To test the PE/COFF image measurement, I must prepare the
>> > static PE/COFF image. I plan to add efi_miniapp_file_image_measuredboot.h
>> > as a pre-compiled small static PE/COFF image for the measurement test,
>> > instead of adding efi_selftest_miniapp_measuredboot.c or reusing existing one.
>>
>> You will need one image per UEFI architecture (ia32, x64, arm, aa64,
>> riscv32, riscv64). You could present the image via the
>> EFI_LOAD_FILE2_PROTOCOL, see lib/efi_selftest/efi_selftest_load_file.c.
>
>The EFI TCG2 is governed by a spec.  What it basically does is extend
>a number of hardware PCRs with a sha1/256/384/512 for a given image.
>Wouldn't performing the selftest for arm/arm64 be enough?  What am I
>missing?

People on other architectures should be able to run the selftest on a real device (not QEMU). If you have trouble building for RISC-V, I can help.

Regards

Heinrich 

>
>[...]
>
>Regards
>/Ilias