On 1/9/23 22:55, Eddie James wrote:
This series adds support for measuring the boot images more generically than the existing EFI support. Several EFI functions have been moved to the TPM layer. The series includes optional measurement from the bootm command. A new test case has been added for the bootm measurement to test the new path, and the sandbox TPM2 driver has been updated to support this use case.
Changes since v1:
- Refactor TPM layer functions to allow EFI system to use them, and remove duplicate EFI functions.
- Add test case
- Drop #ifdefs for bootm
- Add devicetree measurement config option
- Update sandbox TPM driver
This looks like a useful feature to me. Some questions remain:
How about the booti and bootz commands. Are they covered by the change?
What are the consequences of your changes for UEFI FIT images (cf. CONFIG_BOOTM_EFI)?
Eddie James (5): tpm: Fix spelling for tpmu_ha union tpm: Support boot measurements bootm: Support boot measurement tpm: sandbox: Update for needed TPM2 capabilities test: Add sandbox TPM boot measurement
I am missing the documentation changes. These should describe which changes in the device-tree and in the configuration are needed to enable measurements. This should be in doc/usage/
@Ilias: Could you contribute the UEFI part for the document, please.
Best regards
Heinrich
arch/sandbox/dts/test.dts | 12 + boot/Kconfig | 23 ++ boot/bootm.c | 64 +++ cmd/bootm.c | 2 + configs/sandbox_defconfig | 1 + drivers/tpm/tpm2_tis_sandbox.c | 100 +++-- include/bootm.h | 2 + include/efi_tcg2.h | 44 -- include/image.h | 1 + include/test/suites.h | 1 + include/tpm-v2.h | 215 +++++++++- lib/efi_loader/efi_tcg2.c | 362 +---------------- lib/tpm-v2.c | 708 +++++++++++++++++++++++++++++++++ test/boot/Makefile | 1 + test/boot/measurement.c | 66 +++ test/cmd_ut.c | 2 + 16 files changed, 1187 insertions(+), 417 deletions(-) create mode 100644 test/boot/measurement.c