| Message ID | 20240618152314.10140-1-ilias.apalodimas@linaro.org |
|---|---|
| State | New |
| Headers | show |
| Series | [v3] doc: describe UEFI measured boot | expand |
On 18.06.24 17:23, Ilias Apalodimas wrote: > We currently only describe the process to enable measured boot using > bootm. Describe the UEFI requirements as well which predate bootm. > > Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Please, rebase on 00cac7456125 ("doc: describe UEFI measured boot") Best regards Heinrich > --- > Changes since v2: > - add all bootX commands in the description instead of just bootm > - Remove and extra _ from the header > Changes since v1: > - fixed remarks from Heinrich on titling and DTB measured PCR > doc/usage/measured_boot.rst | 31 +++++++++++++++++++++++++++---- > 1 file changed, 27 insertions(+), 4 deletions(-) > > diff --git a/doc/usage/measured_boot.rst b/doc/usage/measured_boot.rst > index 9691904a9d8a..d31cb05226cd 100644 > --- a/doc/usage/measured_boot.rst > +++ b/doc/usage/measured_boot.rst > @@ -7,19 +7,42 @@ U-Boot can perform a measured boot, the process of hashing various components > of the boot process, extending the results in the TPM and logging the > component's measurement in memory for the operating system to consume. > > +The functionality is available when booting via the EFI subsystem or 'bootm' > +command. > + > +UEFI measured boot > +------------------ > +The EFI subsystem implements the `EFI TCG protocol > +<https://trustedcomputinggroup.org/resource/tcg-efi-protocol-specification/>`_ > +and the `TCG PC Client Specific Platform Firmware Profile Specification > +<https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/>`_ > +which defines the binaries to be measured and the corresponding PCRs to be used. > + > +Requirements > +~~~~~~~~~~~~ > +* A hardware TPM 2.0 supported by an enabled U-Boot driver > +* CONFIG_EFI_TCG2_PROTOCOL=y > +* CONFIG_EFI_TCG2_PROTOCOL_EVENTLOG_SIZE=y > +* optional CONFIG_EFI_TCG2_PROTOCOL_MEASURE_DTB=y will measure the loaded DTB in PCR 1 > + > +Measured legacy boot with bootX command > +--------------------------------------- > +The commands booti, bootm, and bootz can be used for measured boot > +using the legacy entry point of the Linux kernel. > + > By default, U-Boot will measure the operating system (linux) image, the > initrd image, and the "bootargs" environment variable. By enabling > -CONFIG_MEASURE_DEVICETREE, U-Boot will also measure the devicetree image. > +CONFIG_MEASURE_DEVICETREE, U-Boot will also measure the devicetree image in PCR1. > > The operating system typically would verify that the hashes found in the > TPM PCRs match the contents of the event log. This can further be checked > against the hash results of previous boots. > > Requirements > ------------- > +~~~~~~~~~~~~ > > -* A hardware TPM 2.0 supported by the U-Boot drivers > -* CONFIG_TPM=y > +* A hardware TPM 2.0 supported by an enabled U-Boot driver > +* CONFIG_TPMv2=y > * CONFIG_MEASURED_BOOT=y > * Device-tree configuration of the TPM device to specify the memory area > for event logging. The TPM device node must either contain a phandle to > -- > 2.45.2 >
Hi Heinrich, On Tue, 18 Jun 2024 at 18:40, Heinrich Schuchardt <xypron.glpk@gmx.de> wrote: > > On 18.06.24 17:23, Ilias Apalodimas wrote: > > We currently only describe the process to enable measured boot using > > bootm. Describe the UEFI requirements as well which predate bootm. > > > > Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> > > Please, rebase on 00cac7456125 ("doc: describe UEFI measured boot") No need. That commit already contains the v3 changes. You can ignore this one Thanks /Ilias > > Best regards > > Heinrich > > > --- > > Changes since v2: > > - add all bootX commands in the description instead of just bootm > > - Remove and extra _ from the header > > Changes since v1: > > - fixed remarks from Heinrich on titling and DTB measured PCR > > doc/usage/measured_boot.rst | 31 +++++++++++++++++++++++++++---- > > 1 file changed, 27 insertions(+), 4 deletions(-) > > > > diff --git a/doc/usage/measured_boot.rst b/doc/usage/measured_boot.rst > > index 9691904a9d8a..d31cb05226cd 100644 > > --- a/doc/usage/measured_boot.rst > > +++ b/doc/usage/measured_boot.rst > > @@ -7,19 +7,42 @@ U-Boot can perform a measured boot, the process of hashing various components > > of the boot process, extending the results in the TPM and logging the > > component's measurement in memory for the operating system to consume. > > > > +The functionality is available when booting via the EFI subsystem or 'bootm' > > +command. > > + > > +UEFI measured boot > > +------------------ > > +The EFI subsystem implements the `EFI TCG protocol > > +<https://trustedcomputinggroup.org/resource/tcg-efi-protocol-specification/>`_ > > +and the `TCG PC Client Specific Platform Firmware Profile Specification > > +<https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/>`_ > > +which defines the binaries to be measured and the corresponding PCRs to be used. > > + > > +Requirements > > +~~~~~~~~~~~~ > > +* A hardware TPM 2.0 supported by an enabled U-Boot driver > > +* CONFIG_EFI_TCG2_PROTOCOL=y > > +* CONFIG_EFI_TCG2_PROTOCOL_EVENTLOG_SIZE=y > > +* optional CONFIG_EFI_TCG2_PROTOCOL_MEASURE_DTB=y will measure the loaded DTB in PCR 1 > > + > > +Measured legacy boot with bootX command > > +--------------------------------------- > > +The commands booti, bootm, and bootz can be used for measured boot > > +using the legacy entry point of the Linux kernel. > > + > > By default, U-Boot will measure the operating system (linux) image, the > > initrd image, and the "bootargs" environment variable. By enabling > > -CONFIG_MEASURE_DEVICETREE, U-Boot will also measure the devicetree image. > > +CONFIG_MEASURE_DEVICETREE, U-Boot will also measure the devicetree image in PCR1. > > > > The operating system typically would verify that the hashes found in the > > TPM PCRs match the contents of the event log. This can further be checked > > against the hash results of previous boots. > > > > Requirements > > ------------- > > +~~~~~~~~~~~~ > > > > -* A hardware TPM 2.0 supported by the U-Boot drivers > > -* CONFIG_TPM=y > > +* A hardware TPM 2.0 supported by an enabled U-Boot driver > > +* CONFIG_TPMv2=y > > * CONFIG_MEASURED_BOOT=y > > * Device-tree configuration of the TPM device to specify the memory area > > for event logging. The TPM device node must either contain a phandle to > > -- > > 2.45.2 > > >
diff --git a/doc/usage/measured_boot.rst b/doc/usage/measured_boot.rst index 9691904a9d8a..d31cb05226cd 100644 --- a/doc/usage/measured_boot.rst +++ b/doc/usage/measured_boot.rst @@ -7,19 +7,42 @@ U-Boot can perform a measured boot, the process of hashing various components of the boot process, extending the results in the TPM and logging the component's measurement in memory for the operating system to consume. +The functionality is available when booting via the EFI subsystem or 'bootm' +command. + +UEFI measured boot +------------------ +The EFI subsystem implements the `EFI TCG protocol +<https://trustedcomputinggroup.org/resource/tcg-efi-protocol-specification/>`_ +and the `TCG PC Client Specific Platform Firmware Profile Specification +<https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/>`_ +which defines the binaries to be measured and the corresponding PCRs to be used. + +Requirements +~~~~~~~~~~~~ +* A hardware TPM 2.0 supported by an enabled U-Boot driver +* CONFIG_EFI_TCG2_PROTOCOL=y +* CONFIG_EFI_TCG2_PROTOCOL_EVENTLOG_SIZE=y +* optional CONFIG_EFI_TCG2_PROTOCOL_MEASURE_DTB=y will measure the loaded DTB in PCR 1 + +Measured legacy boot with bootX command +--------------------------------------- +The commands booti, bootm, and bootz can be used for measured boot +using the legacy entry point of the Linux kernel. + By default, U-Boot will measure the operating system (linux) image, the initrd image, and the "bootargs" environment variable. By enabling -CONFIG_MEASURE_DEVICETREE, U-Boot will also measure the devicetree image. +CONFIG_MEASURE_DEVICETREE, U-Boot will also measure the devicetree image in PCR1. The operating system typically would verify that the hashes found in the TPM PCRs match the contents of the event log. This can further be checked against the hash results of previous boots. Requirements ------------- +~~~~~~~~~~~~ -* A hardware TPM 2.0 supported by the U-Boot drivers -* CONFIG_TPM=y +* A hardware TPM 2.0 supported by an enabled U-Boot driver +* CONFIG_TPMv2=y * CONFIG_MEASURED_BOOT=y * Device-tree configuration of the TPM device to specify the memory area for event logging. The TPM device node must either contain a phandle to
We currently only describe the process to enable measured boot using bootm. Describe the UEFI requirements as well which predate bootm. Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> --- Changes since v2: - add all bootX commands in the description instead of just bootm - Remove and extra _ from the header Changes since v1: - fixed remarks from Heinrich on titling and DTB measured PCR doc/usage/measured_boot.rst | 31 +++++++++++++++++++++++++++---- 1 file changed, 27 insertions(+), 4 deletions(-) -- 2.45.2