[PATCH v2 2/6] efi_loader: add secure boot variable measurement

Masahisa Kojima masahisa.kojima at linaro.org
Wed Jul 21 03:51:05 CEST 2021


Hi Simon,

On Wed, 21 Jul 2021 at 03:34, Simon Glass <sjg at chromium.org> wrote:
>
> Hi,
>
> On Wed, 14 Jul 2021 at 06:59, Masahisa Kojima
> <masahisa.kojima at linaro.org> wrote:
> >
> > The TCG PC Client PFP spec requires measuring the secure
> > boot policy before validating the UEFI image.
> > This commit adds the secure boot variable measurement
> > of "SecureBoot", "PK", "KEK", "db" and "dbx".
> >
> > Note that this implementation assumes that secure boot
> > variables are pre-configured and are not set/updated at runtime.
> >
> > Signed-off-by: Masahisa Kojima <masahisa.kojima at linaro.org>
> > ---
> >
> > Changes in v2:
> > - missing null check for getting variable data
> > - some minor fix for readability
> >
> >  include/efi_tcg2.h        |  20 ++++++
> >  lib/efi_loader/efi_tcg2.c | 139 ++++++++++++++++++++++++++++++++++++++
> >  2 files changed, 159 insertions(+)
>
> It looks like this code should be in lib/tpm or similar as much of it
> is not specific to EFI?

Yes, it is not directly related to EFI, but I think a very small amount
of code will be moved to lib/tpm or a similar place.
lib/efi_loader/efi_tcg2.c currently implements two specs, the
TCG EFI Protocol spec and the TCG PC Client PFP spec.
There is a lot of duplication in these specs; I think it is difficult to
split the lib/efi_loader/efi_tcg2.c file into separate files.
In addition, the efi tcg2 eventlog is currently created and initialized
during the efi init.

The major purpose of my patch series is extending measurement support;
I would like to implement these measurements in efi_tcg2.c for now.

In the near future, U-Boot must consider supporting eventlog handoff from
former firmware such as trusted firmware, so the current eventlog buffer
preparation in efi init will be modified. Then I would like to discuss the
implementation of lib/efi_loader/efi_tcg2.c at that time.

Thanks,
Masahisa Kojima

>
> Regards,
> Simon
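
The measurement the commit message describes can be checked from the verifier's side. The following is an added example, not code from the patch or from U-Boot: it serializes each variable as a TCG PFP UEFI_VARIABLE_DATA structure and replays the five digests into a zeroed SHA-256 PCR. The variable contents are constructed samples, the function names are hypothetical, and a real PCR 7 also receives other events that are omitted here.

```python
import hashlib
import struct
import uuid

EFI_GLOBAL_VARIABLE = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")
EFI_IMAGE_SECURITY_DATABASE = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")

# Variables and order as listed in the commit message.
SECURE_BOOT_VARS = [
    ("SecureBoot", EFI_GLOBAL_VARIABLE),
    ("PK", EFI_GLOBAL_VARIABLE),
    ("KEK", EFI_GLOBAL_VARIABLE),
    ("db", EFI_IMAGE_SECURITY_DATABASE),
    ("dbx", EFI_IMAGE_SECURITY_DATABASE),
]

def variable_event(name, guid, data):
    """Serialize UEFI_VARIABLE_DATA: GUID, name length, data length, name, data."""
    name_utf16 = name.encode("utf-16-le")  # CHAR16 string, no NUL terminator
    name_chars = len(name_utf16) // 2      # length is counted in CHAR16 units
    header = guid.bytes_le + struct.pack("<QQ", name_chars, len(data))
    return header + name_utf16 + data

def extend(pcr, digest):
    """TPM extend: new PCR value = SHA-256(old PCR value || event digest)."""
    return hashlib.sha256(pcr + digest).digest()

def replay_secure_boot_vars(values):
    """Return (pcr, log) after measuring the five variables from a zeroed PCR."""
    pcr = bytes(32)
    log = []
    for name, guid in SECURE_BOOT_VARS:
        # Assumption: an unset variable is measured with zero-length data.
        data = values.get(name, b"")
        digest = hashlib.sha256(variable_event(name, guid, data)).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log

# Constructed sample contents, not real keys or signature lists.
SAMPLE = {"SecureBoot": b"\x01", "PK": b"sample-pk",
          "KEK": b"sample-kek", "db": b"sample-db"}

if __name__ == "__main__":
    pcr, log = replay_secure_boot_vars(SAMPLE)
    for name, digest in log:
        print(f"{name:10s} {digest}")
    print("PCR after variable events:", pcr.hex())
```

A change to any one variable, for example a different `db`, yields a different final value, which is what lets a verifier detect a modified secure boot policy from the event log.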

