[PATCH v2 2/6] efi_loader: add secure boot variable measurement

Simon Glass sjg at chromium.org
Wed Jul 21 04:42:17 CEST 2021 

Hi Masahisa,

On Tue, 20 Jul 2021 at 19:51, Masahisa Kojima
<masahisa.kojima at linaro.org> wrote:
>
> Hi Simon,
>
> On Wed, 21 Jul 2021 at 03:34, Simon Glass <sjg at chromium.org> wrote:
> >
> > Hi,
> >
> > On Wed, 14 Jul 2021 at 06:59, Masahisa Kojima
> > <masahisa.kojima at linaro.org> wrote:
> > >
> > > TCG PC Client PFP spec requires to measure the secure
> > > boot policy before validating the UEFI image.
> > > This commit adds the secure boot variable measurement
> > > of "SecureBoot", "PK", "KEK", "db" and "dbx".
> > >
> > > Note that this implementation assumes that secure boot
> > > variables are pre-configured and not be set/updated in runtime.
> > >
> > > Signed-off-by: Masahisa Kojima <masahisa.kojima at linaro.org>
> > > ---
> > >
> > > Changes in v2:
> > > - missing null check for getting variable data
> > > - some minor fix for readability
> > >
> > >  include/efi_tcg2.h        |  20 ++++++
> > >  lib/efi_loader/efi_tcg2.c | 139 ++++++++++++++++++++++++++++++++++++++
> > >  2 files changed, 159 insertions(+)
> >
> > It looks like this code should be in lib/tpm or similar as much of it
> > is not specific to EFI?
>
> Yes, it is not directly related to EFI, but I think very small amount
> of code will
> be moved to lib/tpm or similar place.
> lib/efi_loader/efi_tcg2.c currently implement two specs,
> TCG EFI Protocol spec and TCG PC Client PFP spec.
> There are many duplication in these specs, I think it is difficult to split
> lib/efi_loader/efi_tcg2.c file into separate file.
> In addition, efi tcg2 eventlog is currently created and initialized
> during the efi init.
>
> The major purpose of my patch series is extending measurement support,
> I would like to implement these measurement in efi_tcg2.c for now.
>
> In near future, u-boot must consider to support eventlog handoff from former
> firmware such as trusted firmware, so current eventlog buffer preparation
> in efi init will be modified. Then I would like to discuss implementation of
> lib/efi_loader/efi_tcg2.c at that time.

OK thank you. Let's see how it goes.

Regards,
Simon

More information about the U-Boot mailing list