[PATCH 0/2] add selftest for EFI_TCG2_PROTOCOL and Measured Boot

Masahisa Kojima masahisa.kojima at linaro.org
Tue Nov 2 09:03:41 CET 2021 

Hi Simon,

On Mon, 25 Oct 2021 at 04:54, Simon Glass <sjg at chromium.org> wrote:
>
> Hi Masahisa,
>
> On Fri, 22 Oct 2021 at 05:23, Masahisa Kojima
> <masahisa.kojima at linaro.org> wrote:
> >
> > This patch series adds the selftest for the EFI_TCG2_PROTOCOL and
> > Measured Boot flow.
> > This selftest is verified on qemu with swtpm.
>
> Is this in CI? Where are the instructions for doing this?

Not yet included in CI.
For the instructions, Ilias is preparing the documentation at:
https://github.com/apalos/u-boot/commit/6edcf3c02996edf8c50a38632aac1091f8bcbf0b

>
> I have expressed my preference for expanding the in-tree emulator to
> handle this.

For the measured boot selftest, I need to access the efi internal data such as
SMBIOS table, that is why I chose the C based efi_selftest.
Tcg2 efi_selftest does not rely on the specific TPM backend.

Thanks,
Masahisa Kojima


>
> Regards,
> Simon
>
>
> >
> > This covers most of the functionalities, but there are some
> > limitations and TODO items.
> >
> > [Limitation]
> > - tcg2 selftest must run at the beginning of the efi_selftest because
> >   some measurement occurs in efi_tcg2_register() and boottime->image_load().
> >   Need to configure the efi_selftest with "setenv efi_selftest tcg2; bootefi selftest"
> > - Skip ExitBootService measurement test
> >    - EFI application can not read PCR after calling ExitBootService
> > - Skip EventLog Validation
> >    - Measured Boot measures U-Boot version, so EventLog varies every build having
> >      different commit hash.
> > - Skip PCR[0] validation
> >    - PCR[0] include U-Boot version measurement, this value varies every build
> >      having different commit hash.
> > - Skip PCR[7] validation
> >    - Secure Boot Variables can not be updated through efi_selftest.
> > - The initial PCR value of PCR[17 - 22] is all 0xff, I'm not sure
> >   it is expected or not.
> >
> > [TODO]
> > - GPT measurement test
> > - Secure Boot Variable test
> > - Eventlog validation
> >
> > Masahisa Kojima (2):
> >   efi_loader: add missing const qualifier
> >   efi_selftest: add selftest for EFI_TCG2_PROTOCOL and Measured Boot
> >
> >  include/efi_api.h                             |   2 +-
> >  lib/efi_loader/efi_boottime.c                 |   5 +-
> >  lib/efi_selftest/Makefile                     |  10 +
> >  .../efi_selftest_miniapp_measuredboot.c       |  93 ++
> >  lib/efi_selftest/efi_selftest_tcg2.c          | 804 +++++++++++++++++-
> >  5 files changed, 910 insertions(+), 4 deletions(-)
> >  create mode 100644 lib/efi_selftest/efi_selftest_miniapp_measuredboot.c
> >
> > --
> > 2.17.1
> >

More information about the U-Boot mailing list