tpm / measured boot in u-boot

[Simon Glass]

Hi Stuart,

On Thu, 31 Oct 2019 at 09:29, Stuart Yoder <b08248 at gmail.com> wrote:
>
> On Tue, Oct 29, 2019 at 8:49 PM Simon Glass <sjg at chromium.org> wrote:
> >
> > Hi Stuart,
> >
> > On Mon, 28 Oct 2019 at 17:27, Stuart Yoder <b08248 at gmail.com> wrote:
> > >
> > > I saw Simon's write-up here: https://lwn.net/Articles/571031/, which
> > > references TPM
> > > and trusted boot support using the TPM.
> > >
> > > I've started looking at the TPM support code in u-boot, and am trying
> > > to understand
> > > it.  Before getting too far I wanted to check if there were any
> > > pointers anyone might
> > > have around any documentation or material that provides more detail on what the
> > > u-boot TPM support does and does not do.  I didn't see any .txt files in u-boot.
> > >
> > > The supports seems oriented around using commands and scripts to
> > > measure images.  One
> > > specific thing I'm interested is how the u-boot script itself that takes the TPM
> > > measurements is protected against tampering.
> >
> > Actually verified boot does not use the TPM at all.
> >
> > What do you want the TPM to do? If you want measured boot then you
> > would need to call measure / extend before/after loading each stage.
>
> Yes, interested in the TPM for measured boot.  Right, understand that you
> need to do the measurements and extend for each loaded image.
>
> But, it's critical that you trust the code doing the measurements.  If I
> understand it's the u-boot commands implemented in ./cmd/tpm-v2.c
> that you could use to script the measuring/extending.  How do you
> ensure that the script doing the measurements isn't tampered with
> by an attacker?

Anything loaded must be measured. So if you are using a U-Boot script
this needs to be checked. Or you could write a command that does what
you want that is part of U-Boot itself.

Regards,
Simon