EFI File renaming

Ilias Apalodimas ilias.apalodimas at linaro.org
Tue Nov 12 16:04:55 CET 2024


On Tue, 12 Nov 2024 at 16:55, Traut Manuel LCPF-CH <Manuel.Traut at mt.com> wrote:
>
> > > > > systemd-boot counting logic requires [0] to be implemented.
> > >
> > > > > If not we plan to add the functionality in fs/fs.c and fs/fat - correct?
> > > >
> > > > We don't have plans for it, but explaining any use cases you have might help
> > >
> > > systemd-boot is able to do bootcounting by renaming the UKI image [0]
> > > the code that triggers the not implemented code section is here [1].
> > >
> > > With this it is possible to have watchdog based A/B switching on systems
> > > without a writeable u-boot environment. And therefore it is a nice
> > > method to implement measured boot.
> >
> > The A/B is ok, but I can't understand how that is related to measured
> > boot. The TPM access, UKI infrastructure etc, will work fine without
> > A/B
>
> Yes, TPM, UKI works fine right now :)
>
> systemd-boot is renaming the UKI before it starts it, by increasing
> the bootcounter that is part of the filename. If the system is fully
> booted the file gets renamed again to reset the bootcounter.
>
> If the bootcounter exceeds systemd-boot tries the next UKI.
> The UKIs can be signed and are still valid after rename.
>
> I expect that changes to the u-boot env will change a PCR measurement.

No, env changes are not, and IIRC it isn't necessary. We measure what's
described in the PC client spec. So the loaded image PCRs would
change, but that's a user decision (which PCRs to use and seal
secrets)

> At least it should be like this, since it might alter the boot path?
>
> For trusted systems it would be nice to have a measurement of the EFI
> variables and beside that have no dynamic environment.

We do measure EFI variables and Boot#### variables in PCR7

>
> Hope this explanation is understandable?

Yes thanks

/Ilias
> Manuel
>
> > > [0] https://uapi-group.org/specifications/specs/boot_loader_specification/#boot-counting
> > > [1] https://github.com/systemd/systemd/blob/3304a029b847e87da51f7a8ad8c118111508e009/src/boot/boot.c#L1407
> > >
> > > > >
> > > > > [0] https://elixir.bootlin.com/u-boot/v2025.01-rc1/source/lib/efi_loader/efi_file.c#L971
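
The rename that this thread depends on, as an added example that is not part of the original message and is not systemd or U-Boot code. It follows the "+LEFT-DONE" file name suffix of the Boot Loader Specification boot-counting section linked as [0] above; the function name bls_rename and the sample file names are assumptions made for illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * New file name for a boot-counted entry such as "linux+3.efi".
 *   booted_ok == 0: a boot attempt starts, tries left -1, tries done +1
 *   booted_ok != 0: the boot succeeded, the counter is dropped
 * Returns 1 if out holds the new name, 0 if name carries no counter
 * (the file is left alone), -1 if no tries are left or out is too small.
 */
int bls_rename(const char *name, int booted_ok, char *out, size_t outsz)
{
    const char *dot = strrchr(name, '.');
    const char *plus = strrchr(name, '+');
    unsigned long left, done = 0;
    char *end;
    int n;

    if (!dot)
        dot = name + strlen(name);      /* no extension */
    /* The counter must sit directly before the extension and start with a digit. */
    if (!plus || plus > dot || plus[1] < '0' || plus[1] > '9')
        return 0;
    left = strtoul(plus + 1, &end, 10);
    if (*end == '-') {
        if (end[1] < '0' || end[1] > '9')
            return 0;
        done = strtoul(end + 1, &end, 10);
    }
    /* Trailing junk or an overflowing number: treat as "no counter". */
    if (end != dot || left == ULONG_MAX || done == ULONG_MAX)
        return 0;
    if (booted_ok)
        n = snprintf(out, outsz, "%.*s%s", (int)(plus - name), name, dot);
    else if (left == 0)
        return -1;                      /* exhausted: try the next entry */
    else
        n = snprintf(out, outsz, "%.*s+%lu-%lu%s", (int)(plus - name),
                     name, left - 1, done + 1, dot);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 1;
}
```

Only the file name changes, never the file contents, so each step needs nothing from the firmware beyond a working rename on the ESP.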