[PATCH v3 0/5] add measurement support

[Heinrich Schuchardt]

On 8/6/21 9:02 AM, Masahisa Kojima wrote:
> This patch series add the support of measurement
> descibed in TCG PC Client PFP spec(Version 1.05 Revision 23).
> 
> Eventlog generated with this patch series are tested on
> the aarch64 based machine(Socionext Developerbox) and fTPM
> running on OP-TEE.
> The eventlog result is almost same result as the one
> generated by edk2 running on the Devloperbox and Secure96.
> 
> This patch series does not cover all measurement requirements
> described in TCG spec, the remaining items will be supported
> in the future.
> Major missing items in TCG PC Client PFP spec:
>   1) If the secure boot variables are updated after they are
>     initially measured in PCR[7] and before ExitBootServices()
>     has completed, the platform MAY be restarted OR the variables
>     MUST be remeasured into PCR[7].
>   2) SMBIOS structure measurement
>   3) "DeployedMode" and "AuditMode" measurement
>   4) EV_EFI_GPT_EVENT event
>   5) Measurement of U-boot itself. I assume U-boot measurement will be done
>      by the former firmware such as trusted firmware.

Do you plan to measure the devicetree using event type 
EV_EFI_HANDOFF_TABLES? Or does Linux measure it?

Are there cases where devicetrees contain non-static information which 
would have to be excluded from such measurement (e.g. randomized MAC 
address)?

Best regards

Heinrich

> 
> Masahisa Kojima (5):
>    efi_loader: add secure boot variable measurement
>    efi_loader: add boot variable measurement
>    efi_loader: add ExitBootServices() measurement
>    efi_loader: refactor efi_append_scrtm_version()
>    efi_loader: add comment for efi_tcg2.h
> 
>   include/efi_loader.h          |   5 +
>   include/efi_tcg2.h            |  77 +++++++-
>   include/tpm-v2.h              |  18 +-
>   lib/efi_loader/efi_boottime.c |  25 +++
>   lib/efi_loader/efi_tcg2.c     | 356 +++++++++++++++++++++++++++++++++-
>   5 files changed, 471 insertions(+), 10 deletions(-)
>