EFI File renaming

Enric Balletbo i Serra eballetb at redhat.com
Thu Dec 12 09:03:25 CET 2024


Hi,

Just to double check, as I didn't find more after this thread. Was
there any advance regarding this topic? I might also be interested in
help on this.

Thanks,
  Enric

On Tue, Nov 12, 2024 at 4:05 PM Ilias Apalodimas
<ilias.apalodimas at linaro.org> wrote:
>
> On Tue, 12 Nov 2024 at 16:55, Traut Manuel LCPF-CH <Manuel.Traut at mt.com> wrote:
> >
> > > > > > systemd-boot counting logic requires [0] to be implemented.
> > > >
> > > > > > If not we plan to add the functionality in fs/fs.c and fs/fat - correct?
> > > > >
> > > > > We don't have plans for it, but explaining any use cases you have might help
> > > >
> > > > systemd-boot is able to do bootcounting by renaming the UKI image [0]
> > > > the code that triggers the not implemented code section is here [1].
> > > >
> > > > With this it is possible to have watchdog based A/B switching on systems
> > > > without a writeable u-boot environment. And therefore it is a nice
> > > > method to implement measured boot.
> > >
> > > The A/B is ok, but I can't understand how that is related to measured
> > > boot. The TPM access, UKI infrastructure etc, will work fine without
> > > A/B
> >
> > Yes, TPM, UKI works fine right now :)
> >
> > systemd-boot is renaming the UKI before it starts it, by increasing
> > the bootcounter that is part of the filename. If the system is fully
> > booted the file gets renamed again to reset the bootcounter.
> >
> > If the bootcounter exceeds systemd-boot tries the next UKI.
> > The UKIs can be signed and are still valid after rename.
> >
> > I expect that changes to the u-boot env will change a PCR measurement.
>
> No, env changes are not, and IIRC it isn't necessary. We measure what's
> described in the PC client spec. So the loaded image PCRs would
> change, but that's a user decision (which PCRs to use and seal
> secrets)
>
> > At least it should be like this, since it might alter the boot path?
> >
> > For trusted systems it would be nice to have a measurement of the EFI
> > variables and beside that have no dynamic environment.
>
> We do measure EFI variables and Boot#### variables in PCR7
>
> >
> > Hope this explanation is understandable?
>
> Yes thanks
>
> /Ilias
> > Manuel
> >
> > > > [0] https://uapi-group.org/specifications/specs/boot_loader_specification/#boot-counting
> > > > [1] https://github.com/systemd/systemd/blob/3304a029b847e87da51f7a8ad8c118111508e009/src/boot/boot.c#L1407
> > > >
> > > > > >
> > > > > > [0] https://elixir.bootlin.com/u-boot/v2025.01-rc1/source/lib/efi_loader/efi_file.c#L971
>
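
The rename step discussed in the thread, as an added example that is not code from U-Boot, systemd or any participant. It assumes the `+LEFT-DONE` file name suffix from the boot-counting section of the Boot Loader Specification linked as [0]; the function name `bls_consume_try` and the sample file name are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Parse up to 9 decimal digits at *p, advancing *p; -1 if none. */
static long parse_num(const char **p)
{
    long v = 0;
    int digits = 0;
    for (; isdigit((unsigned char)**p) && digits < 9; digits++)
        v = v * 10 + (*(*p)++ - '0');
    return digits ? v : -1;
}

/* Name an entry gets when one boot attempt is consumed. Returns 1 and
 * fills out; 0 if name has no valid counter; -1 if tries-left is 0
 * (entry exhausted); -2 if out is too small. */
int bls_consume_try(const char *name, char *out, size_t outlen)
{
    const char *ext = strrchr(name, '.'), *plus = strrchr(name, '+'), *p;
    long left, done = 0;
    int n;
    if (!ext)
        ext = name + strlen(name);
    if (!plus || plus > ext)
        return 0;
    p = plus + 1;
    left = parse_num(&p);
    if (left >= 0 && *p == '-') {
        p++;
        done = parse_num(&p);
    }
    if (left < 0 || done < 0 || p != ext)
        return 0;   /* '+' is just part of the name */
    if (left == 0)
        return -1;  /* no tries left */
    n = snprintf(out, outlen, "%.*s+%ld-%ld%s", (int)(plus - name), name,
                 left - 1, done + 1, ext);
    return (n < 0 || (size_t)n >= outlen) ? -2 : 1;
}

int main(void)
{
    char out[64];
    /* Constructed sample name, not from the thread. */
    if (bls_consume_try("uki-a+3.efi", out, sizeof(out)) == 1)
        puts(out);
    return 0;
}
```

Only the file name changes; the file contents are untouched by the rename, which is why a signed UKI stays valid afterwards, as noted in the thread.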
