[PATCH] tpm: measure DTB in PCR1 instead of PCR0

Ilias Apalodimas ilias.apalodimas at linaro.org
Sat Jun 15 08:57:53 CEST 2024


Thanks Eddie,

On Sat, 15 Jun 2024 at 00:31, Eddie James <eajames at linux.ibm.com> wrote:
>
>
> On 6/14/24 07:09, Ilias Apalodimas wrote:
> > The PC client spec [0] doesn't describe measurements for DTBs. It does
> > describe what to do for ACPI tables though.
> >
> > There is a description for ACPI in 3.3.4.1 PCR[0] – SRTM, POST BIOS,
> > and Embedded Drivers and they explicitly mention ACPI in there. There's
> > no mention of ACPI in 3.3.4.2 PCR[1] – Host Platform Configuration.
> >
> > However, in Figure 6 --  PCR Mapping of UEFI Components ACPI is shown
> > in PCR1. The general description also mentions PCR0 is for code and PCR1
> > is for data such as ACPI and SMBIOS.
>
>
> Thanks, looks correct.
>
> Reviewed-by: Eddie James <eajames at linux.ibm.com>

Heinrich, do you want to carry this on the EFI tree, or shall I send a
PR via the TPM tree?

Thanks
/Ilias
>
>
> >
> > So let's switch over the DTB measurements to PCR1 which seems a better
> > fit.
> >
> > [0] https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification
> >
> > Reported-by: Heinrich Schuchardt <xypron.glpk at gmx.de>
> > Signed-off-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
> > ---
> >   boot/bootm.c              | 2 +-
> >   lib/efi_loader/efi_tcg2.c | 2 +-
> >   2 files changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/boot/bootm.c b/boot/bootm.c
> > index 6fa8edab021e..3de87eb185d7 100644
> > --- a/boot/bootm.c
> > +++ b/boot/bootm.c
> > @@ -963,7 +963,7 @@ int bootm_measure(struct bootm_headers *images)
> >                       goto unmap_initrd;
> >
> >               if (IS_ENABLED(CONFIG_MEASURE_DEVICETREE)) {
> > -                     ret = tcg2_measure_data(dev, &elog, 0, images->ft_len,
> > +                     ret = tcg2_measure_data(dev, &elog, 1, images->ft_len,
> >                                               (u8 *)images->ft_addr,
> >                                               EV_TABLE_OF_DEVICES,
> >                                               strlen("dts") + 1,
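Review bot: The PCR index passed to tcg2_measure_data() is a bare literal `1`, and the same literal is repeated independently in efi_tcg2_measure_dtb() in lib/efi_loader/efi_tcg2.c. A shared named constant for the DTB PCR would keep the two measurement paths from drifting apart and would make the intent visible at the call site. The commit message also does not say that boards built with CONFIG_MEASURE_DEVICETREE will see different PCR0 and PCR1 values after this change; a sentence on that would help anyone whose attestation or sealing policy depends on those PCRs.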
> > diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
> > index 51264c1b998c..a8a54c9f131d 100644
> > --- a/lib/efi_loader/efi_tcg2.c
> > +++ b/lib/efi_loader/efi_tcg2.c
> > @@ -1328,7 +1328,7 @@ efi_status_t efi_tcg2_measure_dtb(void *dtb)
> >       sha256_update(&hash_ctx, (u8 *)dtb + fdt_off_mem_rsvmap(dtb), rsvmap_size);
> >       sha256_finish(&hash_ctx, blob->data + blob->blob_description_size);
> >
> > -     ret = measure_event(dev, 0, EV_POST_CODE, event_size, (u8 *)blob);
> > +     ret = measure_event(dev, 1, EV_POST_CODE, event_size, (u8 *)blob);
> >
> >       free(blob);
> >       return ret;
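Review bot: The measure_event() call keeps the event type EV_POST_CODE while the measurement moves to PCR1, which the commit message describes as the PCR for data, and the bootm path logs the DTB as EV_TABLE_OF_DEVICES instead. If the event type is kept on purpose, a short comment above this call explaining why would help; otherwise consider aligning it with the bootm path so that a verifier parsing the event log sees the DTB under one event type regardless of the boot flow.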
> > --
> > 2.45.1
> >
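The effect of this change on a verifier that replays the event log, as an added example that is not part of the original message or of U-Boot. The measurement contents below are constructed, the event type names are used only as labels, and the helper names (`extend`, `replay`, `build_log`, `changed_pcrs`) are hypothetical; only the SHA-256 bank is modelled.

```python
import hashlib

ZERO = bytes(32)  # PCRs 0-15 in the SHA-256 bank start as all zeros


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 2.0 PCR extend: new value = SHA256(old value || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def replay(events):
    """Replay (pcr_index, event_type, data) entries into final PCR values."""
    pcrs = {}
    for index, _event_type, data in events:
        digest = hashlib.sha256(data).digest()
        pcrs[index] = extend(pcrs.get(index, ZERO), digest)
    return pcrs


def build_log(dtb_pcr: int, dtb: bytes = b"constructed-dtb-blob"):
    """Constructed boot log; dtb_pcr selects where the DTB is measured."""
    return [
        (0, "EV_S_CRTM_VERSION", b"constructed-firmware-version"),
        (0, "EV_POST_CODE", b"constructed-firmware-code"),
        (1, "EV_EFI_HANDOFF_TABLES", b"constructed-smbios-table"),
        (dtb_pcr, "EV_TABLE_OF_DEVICES", dtb),
    ]


def changed_pcrs(old, new):
    """Indexes whose final value differs between two replays."""
    return sorted(i for i in set(old) | set(new) if old.get(i) != new.get(i))


if __name__ == "__main__":
    before = replay(build_log(dtb_pcr=0))  # DTB measured into PCR0
    after = replay(build_log(dtb_pcr=1))   # DTB measured into PCR1
    print("PCRs whose expected value changes:", changed_pcrs(before, after))
    for index in sorted(after):
        print(f"PCR{index} after: {after[index].hex()}")
```

Reference values for both PCR0 and PCR1 have to be regenerated after the change, and a policy that should cover the DTB needs PCR1 in its selection, because PCR0 no longer depends on the DTB contents.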

