[PATCH v2 0/5] tpm: Support boot measurements

Eddie James eajames at linux.ibm.com
Tue Jan 10 22:42:55 CET 2023 

On 1/9/23 17:35, Heinrich Schuchardt wrote:
> On 1/9/23 22:55, Eddie James wrote:
>> This series adds support for measuring the boot images more generically
>> than the existing EFI support. Several EFI functions have been moved to
>> the TPM layer. The series includes optional measurement from the bootm
>> command.
>> A new test case has been added for the bootm measurement to test the new
>> path, and the sandbox TPM2 driver has been updated to support this use
>> case.
>>
>> Changes since v1:
>>   - Refactor TPM layer functions to allow EFI system to use them, and
>>     remove duplicate EFI functions.
>>   - Add test case
>>   - Drop #ifdefs for bootm
>>   - Add devicetree measurement config option
>>   - Update sandbox TPM driver
>
> This looks like a useful feature to me. Some questions remain:
>
> How about the booti and bootz commands. Are they covered by the change?


No, not yet.


>
> What are the consequences of your changes for UEFI FIT images (cf.
> CONFIG_BOOTM_EFI)?


I suppose the image would be measured twice, but only if the user 
selected both of the relevant config options.


>
>>
>> Eddie James (5):
>>    tpm: Fix spelling for tpmu_ha union
>>    tpm: Support boot measurements
>>    bootm: Support boot measurement
>>    tpm: sandbox: Update for needed TPM2 capabilities
>>    test: Add sandbox TPM boot measurement
>
> I am missing the documentation changes. These should describe which
> changes in the device-tree and in the configuration are needed to enable
> measurements. This should be in doc/usage/


Sure.

Thanks,

Eddie


>
> @Ilias:
> Could you contribute the UEFI part for the document, please.
>
> Best regards
>
> Heinrich
>
>>
>>   arch/sandbox/dts/test.dts      |  12 +
>>   boot/Kconfig                   |  23 ++
>>   boot/bootm.c                   |  64 +++
>>   cmd/bootm.c                    |   2 +
>>   configs/sandbox_defconfig      |   1 +
>>   drivers/tpm/tpm2_tis_sandbox.c | 100 +++--
>>   include/bootm.h                |   2 +
>>   include/efi_tcg2.h             |  44 --
>>   include/image.h                |   1 +
>>   include/test/suites.h          |   1 +
>>   include/tpm-v2.h               | 215 +++++++++-
>>   lib/efi_loader/efi_tcg2.c      | 362 +----------------
>>   lib/tpm-v2.c                   | 708 +++++++++++++++++++++++++++++++++
>>   test/boot/Makefile             |   1 +
>>   test/boot/measurement.c        |  66 +++
>>   test/cmd_ut.c                  |   2 +
>>   16 files changed, 1187 insertions(+), 417 deletions(-)
>>   create mode 100644 test/boot/measurement.c
>>
>

More information about the U-Boot mailing list