
Hi Simon,
On Wed, 21 Jul 2021 at 03:34, Simon Glass <sjg@chromium.org> wrote:
Hi,
On Wed, 14 Jul 2021 at 06:59, Masahisa Kojima <masahisa.kojima@linaro.org> wrote:
The TCG PC Client PFP spec requires measuring the secure boot policy before validating the UEFI image. This commit adds the secure boot variable measurement of "SecureBoot", "PK", "KEK", "db" and "dbx".
Note that this implementation assumes that secure boot variables are pre-configured and are not set/updated at runtime.
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Changes in v2:
- missing null check for getting variable data
- some minor fix for readability
 include/efi_tcg2.h        |  20 ++++++
 lib/efi_loader/efi_tcg2.c | 139 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 159 insertions(+)
It looks like this code should be in lib/tpm or similar as much of it is not specific to EFI?
Yes, it is not directly related to EFI, but I think a very small amount of code will be moved to lib/tpm or a similar place. lib/efi_loader/efi_tcg2.c currently implements two specs, the TCG EFI Protocol spec and the TCG PC Client PFP spec. There is much duplication in these specs; I think it is difficult to split the lib/efi_loader/efi_tcg2.c file into separate files. In addition, the efi tcg2 eventlog is currently created and initialized during the efi init.
The major purpose of my patch series is extending measurement support; I would like to implement these measurements in efi_tcg2.c for now.
In the near future, U-Boot must consider supporting eventlog handoff from former firmware such as trusted firmware, so the current eventlog buffer preparation in efi init will be modified. Then I would like to discuss the implementation of lib/efi_loader/efi_tcg2.c at that time.
Thanks, Masahisa Kojima
Regards, Simon
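
Added example, not part of the original thread or of the U-Boot patch: a verifier-side replay, in Python, of the secure boot variable measurement the commit message describes. It assumes the UEFI_VARIABLE_DATA layout and variable GUIDs from the TCG PFP and UEFI specifications, a SHA-256 PCR bank, zero-length data for an absent variable, and constructed sample variable contents; the function names are hypothetical.

```python
import hashlib
import struct
import uuid

# Vendor GUIDs defined by the UEFI specification.
EFI_GLOBAL_VARIABLE = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")
EFI_IMAGE_SECURITY_DATABASE = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")

# Variables and order as listed in the commit message.
SECURE_BOOT_VARS = [
    ("SecureBoot", EFI_GLOBAL_VARIABLE),
    ("PK", EFI_GLOBAL_VARIABLE),
    ("KEK", EFI_GLOBAL_VARIABLE),
    ("db", EFI_IMAGE_SECURITY_DATABASE),
    ("dbx", EFI_IMAGE_SECURITY_DATABASE),
]

# Constructed sample contents, not real keys or signature lists.
SAMPLE = {"SecureBoot": b"\x01", "PK": b"sample-pk", "KEK": b"sample-kek",
          "db": b"sample-db"}  # dbx deliberately absent


def uefi_variable_data(name, guid, data):
    """Serialize UEFI_VARIABLE_DATA: GUID, two UINT64 lengths, name, data."""
    # UnicodeNameLength counts CHAR16 characters, with no terminating NUL.
    return (guid.bytes_le
            + struct.pack("<QQ", len(name), len(data))
            + name.encode("utf-16-le")
            + data)


def extend(pcr, digest):
    """TPM PCR extend: new value = H(old value || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def replay_secure_boot_policy(variables):
    """Return (running PCR value, [(name, event digest hex)]) for the five events."""
    pcr = bytes(32)  # PCR starts at all zeros after reset
    events = []
    for name, guid in SECURE_BOOT_VARS:
        data = variables.get(name, b"")  # assumption: absent -> zero-length data
        digest = hashlib.sha256(uefi_variable_data(name, guid, data)).digest()
        pcr = extend(pcr, digest)
        events.append((name, digest.hex()))
    return pcr, events


if __name__ == "__main__":
    value, log = replay_secure_boot_policy(SAMPLE)
    print(value.hex(), log)
```

The result covers only these five events; a real PCR value also includes whatever other events the firmware extends into the same PCR, so compare per-event digests against the event log rather than the final value alone.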