[PATCH] doc: describe UEFI measured boot

Ilias Apalodimas ilias.apalodimas at linaro.org
Fri Jun 14 13:20:55 CEST 2024


[...]

>
> > +
> > +UEFI requirements
> > +~~~~~~~~~~~~~~~~~
> > +* A hardware TPM 2.0 supported by the U-Boot drivers
>
> by an enabled U-Boot driver.
>
> > +* CONFIG_EFI_TCG2_PROTOCOL=y
> > +* CONFIG_EFI_TCG2_PROTOCOL_EVENTLOG_SIZE=y
> > +* optional CONFIG_EFI_TCG2_PROTOCOL_MEASURE_DTB=y will measure the loaded DTB in PCR 0
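Review bot: CONFIG_EFI_TCG2_PROTOCOL_EVENTLOG_SIZE reads as a size option, so `=y` is unlikely to be a valid value for it; if the symbol is an integer Kconfig entry, list the byte count it should be set to (or state that the default is sufficient once CONFIG_EFI_TCG2_PROTOCOL is enabled) rather than presenting it as a boolean alongside the other two options.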
>
> Why does this setting not default to yes?
>

Forgot to answer this. Measuring a DTB is far too circumstantial to be
enabled by default. People inject all kinds of stuff in there -- kaslr
seeds and random MAC addresses are just prime examples. To enable it
by default, we need to do the measurements early and make sure the
random artifacts aren't enabled by a previous stage bootloader. As a
result we leave the decision to measure it per board.

Regards
/Ilias
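As an added illustration of the point above (not code from this patch or from U-Boot), the snippet below replays a constructed TCG2-style event log the way a verifier would and shows why a DTB that carries a per-boot kaslr-seed makes PCR 0 non-reproducible once it is measured. The event data and the "DTB" are constructed stand-ins, not real FDT blobs, and the event layout is assumed for illustration only.

```python
import hashlib

PCR_BANK_BYTES = 32  # SHA-256 PCR bank


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 2.0 PCR extend for a SHA-256 bank: new = H(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def replay(events):
    """Replay (pcr_index, measured_data) events into PCR values, as a
    verifier does when checking an event log against the TPM's PCRs."""
    pcrs = {}
    for idx, data in events:
        digest = hashlib.sha256(data).digest()
        pcrs[idx] = extend(pcrs.get(idx, bytes(PCR_BANK_BYTES)), digest)
    return pcrs


def fake_dtb(kaslr_seed: int) -> bytes:
    # Constructed stand-in for a flattened device tree: only the fact that
    # it embeds a value that changes every boot matters for this example.
    return b"/chosen { kaslr-seed = <%016x>; };" % kaslr_seed


def boot_events(dtb: bytes, measure_dtb: bool):
    # Assumed, simplified event sequence: firmware into PCR 0, the DTB into
    # PCR 0 when CONFIG_EFI_TCG2_PROTOCOL_MEASURE_DTB=y, then the loaded
    # EFI binary into PCR 4.
    events = [(0, b"U-Boot firmware code (constructed)")]
    if measure_dtb:
        events.append((0, dtb))
    events.append((4, b"BOOTAA64.EFI (constructed)"))
    return events


def pcr0_stable_across_boots(measure_dtb: bool) -> bool:
    """Two boots that differ only in the random kaslr-seed: is PCR 0 equal?"""
    first = replay(boot_events(fake_dtb(0x1111), measure_dtb))[0]
    second = replay(boot_events(fake_dtb(0x2222), measure_dtb))[0]
    return first == second


if __name__ == "__main__":
    print("PCR0 stable without DTB measurement:", pcr0_stable_across_boots(False))
    print("PCR0 stable with DTB measurement:   ", pcr0_stable_across_boots(True))
```

A sealing or attestation policy keyed on PCR 0 would therefore break every boot unless the random properties are stripped or the measurement is taken before they are injected, which is the per-board decision the reply describes.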

