[PATCH 2/5] efi_loader: add secure boot variable measurement
Ilias Apalodimas
ilias.apalodimas at linaro.org
Wed Jul 7 20:44:37 CEST 2021
On Wed, Jul 07, 2021 at 11:49:33AM -0600, Simon Glass wrote:
> Hi Ilias,
>
> On Wed, 7 Jul 2021 at 11:40, Ilias Apalodimas
> <ilias.apalodimas at linaro.org> wrote:
> >
> > Hi Simon,
> >
> > On Wed, Jul 07, 2021 at 11:37:01AM -0600, Simon Glass wrote:
> > > Hi Masahisa,
> > >
> > > On Wed, 7 Jul 2021 at 07:36, Masahisa Kojima <masahisa.kojima at linaro.org> wrote:
> > > >
> > > > The TCG PC Client PFP spec requires measuring the secure
> > > > boot policy before validating the UEFI image.
> > > > This commit adds the secure boot variable measurement
> > > > of "SecureBoot", "PK", "KEK", "db" and "dbx".
> > > >
> > > > Note that this implementation assumes that secure boot
> > > > variables are pre-configured and not set/updated at runtime.
> > > >
> > > > Signed-off-by: Masahisa Kojima <masahisa.kojima at linaro.org>
> > > > ---
> > > > include/efi_tcg2.h | 20 ++++++
> > > > lib/efi_loader/efi_tcg2.c | 135 ++++++++++++++++++++++++++++++++++++++
> > > > 2 files changed, 155 insertions(+)
> > >
> > > Where are the tests for this code, please?
> >
> > As we discussed in the past, the EFI TCG code can't be tested with the
> > sandbox as-is. I'll have a look at your sandbox patches in case we can now
> > use those, but in any case, I've sent a TPM mmio based driver. Even if the
> > sandbox is still not enough we can add tests once the mmio TPM driver gets
> > merged.
>
> Can you add features to the sandbox driver? I just sent a series that
> added nvdata, for example.
Yea I've seen that, I was going to have a look. I'll try but my schedule
is pretty tight atm.
Thanks
/Ilias
>
> Regards,
> Simon
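To illustrate what the patch under discussion measures, here is an added example (not U-Boot's code and not from this thread) that serializes a TCG PFP UEFI_VARIABLE_DATA event for each secure boot variable, hashes it, and replays the SHA-256 extends into a simulated PCR 7 so the expected value can be compared against a real event log. The variable contents are constructed samples; treating a missing variable as a zero-length measurement is an assumption of this example.

```python
import hashlib
import struct
import uuid

# GUIDs from the UEFI specification: owner of SecureBoot/PK/KEK and of db/dbx
EFI_GLOBAL_VARIABLE_GUID = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")
EFI_IMAGE_SECURITY_DATABASE_GUID = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")

# Measurement order the patch description lists; all land in PCR 7.
SECURE_BOOT_VARIABLES = [
    ("SecureBoot", EFI_GLOBAL_VARIABLE_GUID),
    ("PK", EFI_GLOBAL_VARIABLE_GUID),
    ("KEK", EFI_GLOBAL_VARIABLE_GUID),
    ("db", EFI_IMAGE_SECURITY_DATABASE_GUID),
    ("dbx", EFI_IMAGE_SECURITY_DATABASE_GUID),
]


def uefi_variable_data(var_guid, name, data):
    """Serialize a UEFI_VARIABLE_DATA structure as the PFP spec lays it out:
    EFI_GUID VariableName; UINT64 UnicodeNameLength; UINT64 VariableDataLength;
    CHAR16 UnicodeName[]; INT8 VariableData[].
    UnicodeNameLength counts CHAR16 units without a terminator,
    VariableDataLength counts bytes; the GUID uses its little-endian layout."""
    return (var_guid.bytes_le
            + struct.pack("<QQ", len(name), len(data))
            + name.encode("utf-16-le")
            + data)


def extend_pcr(pcr, digest):
    """TPM extend for the SHA-256 bank: PCR_new = SHA256(PCR_old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def measure_secure_boot_policy(variables):
    """Replay the five measurements into a fresh PCR 7.
    `variables` maps a variable name to its raw payload bytes.
    Assumption (this example's choice): an absent variable is measured
    with a zero-length payload rather than skipped.
    Returns (final_pcr7, [(name, event_digest_hex), ...])."""
    pcr7 = bytes(32)
    event_log = []
    for name, guid in SECURE_BOOT_VARIABLES:
        event = uefi_variable_data(guid, name, variables.get(name, b""))
        digest = hashlib.sha256(event).digest()
        pcr7 = extend_pcr(pcr7, digest)
        event_log.append((name, digest.hex()))
    return pcr7, event_log


if __name__ == "__main__":
    # Constructed sample: SecureBoot enabled, everything else left empty.
    pcr7, log = measure_secure_boot_policy({"SecureBoot": b"\x01"})
    for name, digest_hex in log:
        print(f"{name:10s} {digest_hex}")
    print("PCR7      ", pcr7.hex())
```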