[PATCH 2/2] efi_selftest: add selftest for EFI_TCG2_PROTOCOL and Measured Boot

Ilias Apalodimas ilias.apalodimas at linaro.org
Sat Oct 30 08:02:02 CEST 2021


Hi Heinrich

[...]

> >>> +$(obj)/efi_selftest_tcg2.o: $(obj)/efi_miniapp_file_image_measuredboot.h
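Review bot: the prerequisite on this line, `$(obj)/efi_miniapp_file_image_measuredboot.h`, is a path in the build output directory, so it only resolves if some rule generates the header there. If the header becomes a checked-in, pre-compiled image as proposed later in this thread, point the prerequisite at the source directory or drop it; otherwise an out-of-tree build will look for a file that nothing produces.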
> >>> diff --git a/lib/efi_selftest/efi_selftest_miniapp_measuredboot.c b/lib/efi_selftest/efi_selftest_miniapp_measuredboot.c
> >>
> >> Thank you for going the extra mile and adding the test.
> >>
> >> Which image is actually loaded seems to be irrelevant for the test. Can
> >> we reuse an existing one, e.g. efi_miniapp_file_image_return.h?
> >>
> >> I guess the PCR related to the loaded image is not checked as it will
> >> depend on the build tools and date.
> >
> > Sorry, I'm doing wrong.
> > Actually this selftest verifies the PE/COFF image measurement, so the measurement
> > will be different depending on the build tools and date.
> >   # In my build environment, timestamp is set to all zero.
> >
> > To test the PE/COFF image measurement, I must prepare the
> > static PE/COFF image. I plan to add efi_miniapp_file_image_measuredboot.h
> > as a pre-compiled small static PE/COFF image for the measurement test,
> > instead of adding efi_selftest_miniapp_measuredboot.c or reusing an existing one.
>
> You will need one image per UEFI architecture (ia32, x64, arm, aa64,
> riscv32, riscv64). You could present the image via the
> EFI_LOAD_FILE2_PROTOCOL, see lib/efi_selftest/efi_selftest_load_file.c.

The EFI TCG2 is governed by a spec.  What it basically does is extend
a number of hardware PCRs with a sha1/256/384/512 for a given image.
Wouldn't performing the selftest for arm/arm64 be enough?  What am I
missing?

[...]

Regards
/Ilias
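
The extend operation discussed in this thread, as an added example that is not part of the original message or of the U-Boot patch: it extends one PCR per hash bank with an image digest and shows why a build-dependent image cannot have a fixed expected value. The helper names and the stand-in image are assumptions made for illustration, and the digest is taken over the raw bytes rather than with the real PE/COFF hashing rules.

```python
import hashlib
import struct

# Hash banks named in the message: sha1/256/384/512.
BANKS = ("sha1", "sha256", "sha384", "sha512")


def pcr_extend(bank, pcr, digest):
    """TPM extend: new PCR = H(old PCR || digest). A PCR is never set directly."""
    return hashlib.new(bank, pcr + digest).digest()


def measure_image(image, pcrs=None):
    """Extend one PCR per bank with the digest of `image` and return the new values.

    Simplification (assumption): the raw bytes are hashed. The real PE/COFF
    measurement skips some header fields (checksum, certificate table entry),
    but it still covers the build timestamp.
    """
    if pcrs is None:
        # PCRs start as all zeros, sized to the bank's digest length.
        pcrs = {b: bytes(hashlib.new(b).digest_size) for b in BANKS}
    return {b: pcr_extend(b, pcrs[b], hashlib.new(b, image).digest())
            for b in BANKS}


def fake_image(timestamp):
    """Constructed stand-in for a PE/COFF file: fixed bytes plus a 32-bit timestamp."""
    return b"MZ" + b"\x00" * 62 + struct.pack("<I", timestamp) + b"constructed payload"


if __name__ == "__main__":
    static = measure_image(fake_image(0))           # pre-compiled, timestamp zeroed
    rebuilt = measure_image(fake_image(1635573722))  # same code, built on another date
    for bank in BANKS:
        print(bank, static[bank].hex()[:16], rebuilt[bank].hex()[:16])
```

A test can only compare against a hard-coded PCR value when the measured bytes are identical on every build, which is what the pre-compiled static image provides.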

