[PATCH v3] doc: describe UEFI measured boot

Heinrich Schuchardt xypron.glpk at gmx.de
Tue Jun 18 17:35:12 CEST 2024 

On 18.06.24 17:23, Ilias Apalodimas wrote:
> We currently only describe the process to enable measured boot using
> bootm. Describe the UEFI requirements as well which predate bootm.
>
> Signed-off-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>

Please, rebase on 00cac7456125 ("doc: describe UEFI measured boot")

Best regards

Heinrich

> ---
> Changes since v2:
> - add all bootX commands in the description instead of just bootm
> - Remove and extra _ from the header
> Changes since v1:
> - fixed remarks from Heinrich on titling and DTB measured PCR
>   doc/usage/measured_boot.rst | 31 +++++++++++++++++++++++++++----
>   1 file changed, 27 insertions(+), 4 deletions(-)
>
> diff --git a/doc/usage/measured_boot.rst b/doc/usage/measured_boot.rst
> index 9691904a9d8a..d31cb05226cd 100644
> --- a/doc/usage/measured_boot.rst
> +++ b/doc/usage/measured_boot.rst
> @@ -7,19 +7,42 @@ U-Boot can perform a measured boot, the process of hashing various components
>   of the boot process, extending the results in the TPM and logging the
>   component's measurement in memory for the operating system to consume.
>
> +The functionality is available when booting via the EFI subsystem or 'bootm'
> +command.
> +
> +UEFI measured boot
> +------------------
> +The EFI subsystem implements the `EFI TCG protocol
> +<https://trustedcomputinggroup.org/resource/tcg-efi-protocol-specification/>`_
> +and the `TCG PC Client Specific Platform Firmware Profile Specification
> +<https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/>`_
> +which defines the binaries to be measured and the corresponding PCRs to be used.
> +
> +Requirements
> +~~~~~~~~~~~~
> +* A hardware TPM 2.0 supported by an enabled U-Boot driver
> +* CONFIG_EFI_TCG2_PROTOCOL=y
> +* CONFIG_EFI_TCG2_PROTOCOL_EVENTLOG_SIZE=y
> +* optional CONFIG_EFI_TCG2_PROTOCOL_MEASURE_DTB=y will measure the loaded DTB in PCR 1
> +
> +Measured legacy boot with bootX command
> +---------------------------------------
> +The commands booti, bootm, and bootz can be used for measured boot
> +using the legacy entry point of the Linux kernel.
> +
>   By default, U-Boot will measure the operating system (linux) image, the
>   initrd image, and the "bootargs" environment variable. By enabling
> -CONFIG_MEASURE_DEVICETREE, U-Boot will also measure the devicetree image.
> +CONFIG_MEASURE_DEVICETREE, U-Boot will also measure the devicetree image in PCR1.
>
>   The operating system typically would verify that the hashes found in the
>   TPM PCRs match the contents of the event log. This can further be checked
>   against the hash results of previous boots.
>
>   Requirements
> -------------
> +~~~~~~~~~~~~
>
> -* A hardware TPM 2.0 supported by the U-Boot drivers
> -* CONFIG_TPM=y
> +* A hardware TPM 2.0 supported by an enabled U-Boot driver
> +* CONFIG_TPMv2=y
>   * CONFIG_MEASURED_BOOT=y
>   * Device-tree configuration of the TPM device to specify the memory area
>     for event logging. The TPM device node must either contain a phandle to
> --
> 2.45.2
>

More information about the U-Boot mailing list