[PATCH] doc: describe UEFI measured boot

Ilias Apalodimas ilias.apalodimas at linaro.org
Fri Jun 14 12:47:11 CEST 2024


[...]

>
> > +
> > +UEFI requirements
> > +~~~~~~~~~~~~~~~~~
> > +* A hardware TPM 2.0 supported by the U-Boot drivers
>
> by an enabled U-Boot driver.
>
> > +* CONFIG_EFI_TCG2_PROTOCOL=y
> > +* CONFIG_EFI_TCG2_PROTOCOL_EVENTLOG_SIZE=y
> > +* optional CONFIG_EFI_TCG2_PROTOCOL_MEASURE_DTB=y will measure the loaded DTB in PCR 0
>
> Why does this setting not default to yes?
>
> Should EFI_TCG2_PROTOCOL_MEASURE_DTB depend on !GENERATE_ACPI_TABLE as
> we won't load the device-tree in this case?
>
> I can't find any reference to device-trees in `TCG PC Client Platform
> Firmware Profile Specification`.

It's not and I've already pointed this out to Arm. We followed what
ACPI does there and used "DTB DATA" instead of "ACPI DATA" as the
event string.

>  Where is PCR 0 for the device-tree specified?

As I said, DT is missing from the spec, but look below.

> I read:
>
> "In general, the platform firmware measures into PCR[1] the
> configuration data that is associated with the code that measured into
> PCR[0]".
>
> This looks like PCR 1 should be the target for the device-tree.

There is a description for ACPI in 3.3.4.1 PCR[0] – SRTM, POST BIOS,
and Embedded Drivers and they explicitly mention ACPI in there.
There's no mention of ACPI in 3.3.4.2 PCR[1] – Host Platform
Configuration.

However... in Figure 6, PCR Mapping of UEFI Components, ACPI is shown
in PCR1...
I am not sure if we should use PCR0 or 1. If anyone has a strong
opinion we can easily change the measured PCR.

>
> Do we already measure ACPI and SMBIOS tables into PCR1 as required by
> the specification?

We do measure SMBIOS in PCR1. I don't think we do anything for ACPI.

>
> > +
> > +bootm
>
> Measured legacy boot with bootm command
>
> Please, consider in your description that the bootm command may be used
> to load a FIT image with an EFI binary.

I am not entirely sure how this works; someone who has used that needs
to update it. What happens in that case? Does bootm end up calling
bootefi? That means we are measuring things twice?

>
> > +-----
> >   By default, U-Boot will measure the operating system (linux) image, the
> >   initrd image, and the "bootargs" environment variable. By enabling
> >   CONFIG_MEASURE_DEVICETREE, U-Boot will also measure the devicetree image.
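
Review bot: `CONFIG_EFI_TCG2_PROTOCOL_EVENTLOG_SIZE=y` in the new UEFI requirements list reads as a boolean, but the option name denotes an event log size, so `=y` is not a meaningful value for it. Either give it as a number, say that the default is sufficient, or drop it from the list if no non-default setting is required. In the same list, the MEASURE_DTB entry names the target PCR while the bootm paragraph below it ("By enabling CONFIG_MEASURE_DEVICETREE, U-Boot will also measure the devicetree image") does not; stating the PCR in both places would let a reader compare the two boot paths.
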
> > @@ -15,8 +35,8 @@ The operating system typically would verify that the hashes found in the
> >   TPM PCRs match the contents of the event log. This can further be checked
> >   against the hash results of previous boots.
> >
> > -Requirements
> > -------------
> > +bootm requirements
>
> This is already a sub-section of bootm. No need to repeat it.
>
> > +~~~~~~~~~~~~~~~~~~
> >
> >   * A hardware TPM 2.0 supported by the U-Boot drivers
>
> by an enabled U-Boot driver.
>
> >   * CONFIG_TPM=y
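
Review bot: the first bullet under `bootm requirements`, "A hardware TPM 2.0 supported by the U-Boot drivers", is repeated verbatim from the new `UEFI requirements` list. Consider stating the TPM requirement once, ahead of both subsections, and keeping only the path-specific Kconfig options in each list so the two cannot drift apart when one is reworded.
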
>
> CONFIG_TPM_V2=y is required?
>
> Best regards
>
> Heinrich
>
>

Thanks
/Ilias