[PATCH 2/2] efi_loader: add PE/COFF image measurement
Heinrich Schuchardt
xypron.glpk at gmx.de
Wed Apr 21 13:03:56 CEST 2021
On 4/16/21 10:42 PM, Ilias Apalodimas wrote:
> Hi Heinrich,
>
> On Thu, Apr 15, 2021 at 04:08:55PM +0200, Heinrich Schuchardt wrote:
>> On 15.04.21 15:30, Masahisa Kojima wrote:
>>> "TCG PC Client Platform Firmware Profile Specification"
>>> requires to measure every attempt to load and execute
>>> a OS Loader(a UEFI application) into PCR[4].
>>> This commit adds the PE/COFF image measurement, extends PCR,
>>> and appends measurement into Event Log.
>>>
>>> Signed-off-by: Masahisa Kojima <masahisa.kojima at linaro.org>
>>
>> Please, provide a unit test that we can run in Gitlab CI on either the
>> sandbox or QEMU.
>
> The additions to the EFI TCG2 fall under the same category as the initial
> patchset and unfortunately suffer from the same problems wrt to using the
> sandbox TPM2.
> The sandbox capabilities are limited for testing this, starting from the fact
> that that we can't even get the tpm2 capabilities we need to start the
> protocol correctly.
> ./drivers/tpm/tpm2_tis_sandbox.c only supports TPM_CAP_TPM_PROPERTIES which is
> limited compared to what the TCG code in EFI expects. Similar functionality
> is missing from extending and checking PCRs properly etc.
>
>>
>> QEMU allows to use a TPM emulation, cf.
>> https://qemu-project.gitlab.io/qemu/specs/tpm.html#the-qemu-tpm-emulator-device
>> https://github.com/stefanberger/swtpm
>
> Kojima and I will have a look since this is the only viable option in order to
> get useful selftests.
> Imho we should review and maybe accept this patch in parallel though, since
> it's adding more bits of the TCG PC client specification.
>
> Thanks!
> /Ilias
Hello Masahisa,
I am done with my review of the series and waiting for your v2.
Ilias suggested to implement tests in a separate series. I am fine with
this if Ilias supplies a tested-by sign-off for this series.
Best regards
Heinrich
More information about the U-Boot
mailing list