14 Jun 2024, 1:20 p.m.
[...]
+UEFI requirements +~~~~~~~~~~~~~~~~~ +* A hardware TPM 2.0 supported by the U-Boot drivers
by an enabled U-Boot driver.
+* CONFIG_EFI_TCG2_PROTOCOL=y +* CONFIG_EFI_TCG2_PROTOCOL_EVENTLOG_SIZE=y +* optional CONFIG_EFI_TCG2_PROTOCOL_MEASURE_DTB=y will measure the loaded DTB in PCR 0
Why does this setting not default to yes?
Forgot to answer this. Measuring a DTB is far too circumstantial to be enabled by default. People inject all kinds of stuff in there -- kaslr seeds and random MAC addresses are just prime examples. To enable it by default, we need to do the measurements early and make sure the random artifacts aren't enabled by a previous stage bootloader. As a result we leave the decision to measure it per board.
Regards /Ilias
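The concern in the reply above, as an added Python illustration that is not part of the thread or of U-Boot: it extends a simulated PCR 0 with a constructed stand-in for a device tree, once with the per-boot random properties (kaslr seed, MAC address) present and once with them stripped first. The serialisation, the property names and the stripping step are assumptions for the illustration, not U-Boot's measurement code.

```python
import hashlib
import os

# Constructed stand-in for a flattened device tree: a property map serialised
# deterministically. A real measurement would hash the FDT blob itself.
VOLATILE_PROPS = {"/chosen/kaslr-seed", "/ethernet@0/local-mac-address"}


def serialise(props: dict) -> bytes:
    """Deterministic encoding of the property map (assumed format)."""
    return b"".join(f"{k}=".encode() + v + b"\0" for k, v in sorted(props.items()))


def pcr_extend(pcr: bytes, data: bytes) -> bytes:
    """TPM 2.0 extend for a SHA-256 bank: PCR_new = SHA-256(PCR_old || SHA-256(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()


def measure_dtb(props: dict, strip_volatile: bool) -> bytes:
    """Return the PCR 0 value after measuring the (optionally filtered) tree."""
    if strip_volatile:
        props = {k: v for k, v in props.items() if k not in VOLATILE_PROPS}
    pcr0 = bytes(32)  # PCR 0 is all-zero after a TPM reset
    return pcr_extend(pcr0, serialise(props))


def boot(seed: bytes, mac: bytes) -> dict:
    """Simulate an earlier-stage bootloader injecting per-boot random values."""
    return {
        "/model": b"constructed-board",
        "/chosen/kaslr-seed": seed,
        "/ethernet@0/local-mac-address": mac,
    }


def is_reproducible(strip_volatile: bool, boots: int = 3) -> bool:
    """True if PCR 0 comes out identical across several simulated boots."""
    values = {
        measure_dtb(boot(os.urandom(8), os.urandom(6)), strip_volatile)
        for _ in range(boots)
    }
    return len(values) == 1


if __name__ == "__main__":
    # With random artifacts measured, a sealing or attestation policy bound to
    # PCR 0 breaks on the next boot; without them the value is stable.
    print("as-is reproducible:", is_reproducible(False))
    print("volatile stripped reproducible:", is_reproducible(True))
```
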