On Tue, Oct 29, 2019 at 8:49 PM Simon Glass <s...@chromium.org> wrote:
>
> Hi Stuart,
>
> On Mon, 28 Oct 2019 at 17:27, Stuart Yoder <b08...@gmail.com> wrote:
> >
> > I saw Simon's write-up here: https://lwn.net/Articles/571031/, which
> > references TPM and trusted boot support using the TPM.
> >
> > I've started looking at the TPM support code in u-boot, and am trying
> > to understand it.  Before getting too far I wanted to check if there
> > were any pointers anyone might have around any documentation or
> > material that provides more detail on what the u-boot TPM support does
> > and does not do.  I didn't see any .txt files in u-boot.
> >
> > The support seems oriented around using commands and scripts to
> > measure images.  One specific thing I'm interested in is how the
> > u-boot script itself that takes the TPM measurements is protected
> > against tampering.
>
> Actually verified boot does not use the TPM at all.
>
> What do you want the TPM to do? If you want measured boot then you
> would need to call measure / extend before/after loading each stage.

Yes, interested in the TPM for measured boot.  Right, understand that you
need to do the measurements and extend for each loaded image.

But, it's critical that you trust the code doing the measurements.  If I
understand, it's the u-boot commands implemented in ./cmd/tpm-v2.c
that you could use to script the measuring/extending.  How do you
ensure that the script doing the measurements isn't tampered with
by an attacker?

Thanks,
Stuart
_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
https://lists.denx.de/listinfo/u-boot
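
The measure/extend sequence discussed in this thread, modelled as an added example (not U-Boot code and not written by either poster): a SHA-256 PCR is simulated with `hashlib`, and the stage names and image bytes are constructed. It assumes whatever measures the first stage is itself trusted, since nothing in the chain measures it.

```python
import hashlib

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: new value = SHA-256(old value || measurement digest)."""
    return hashlib.sha256(pcr + digest).digest()

def measured_boot(stages):
    """Measure every stage before it would run; return (final PCR, event log)."""
    pcr = bytes(32)  # a SHA-256 PCR is all zeroes after reset
    log = []
    for name, image in stages:
        digest = hashlib.sha256(image).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest))
    return pcr, log

def replay(log):
    """Verifier side: recompute the PCR from the event log alone."""
    pcr = bytes(32)
    for _name, digest in log:
        pcr = extend(pcr, digest)
    return pcr

def first_mismatch(log, reference_log):
    """Name of the first stage whose digest differs from the reference, or None."""
    for (name, digest), (_ref_name, ref_digest) in zip(log, reference_log):
        if digest != ref_digest:
            return name
    return None

# Constructed sample images (placeholder bytes, not real U-Boot artifacts).
GOOD = [("boot-script", b"boot-script-v1"),
        ("kernel", b"kernel-image-v1"),
        ("dtb", b"device-tree-v1")]
# Same chain, but the boot script was modified before the prior stage measured it.
TAMPERED = [("boot-script", b"boot-script-modified")] + GOOD[1:]

if __name__ == "__main__":
    good_pcr, good_log = measured_boot(GOOD)
    bad_pcr, bad_log = measured_boot(TAMPERED)
    print("reference PCR:", good_pcr.hex())
    print("observed PCR: ", bad_pcr.hex())
    print("log consistent with PCR:", replay(bad_log) == bad_pcr)
    print("first differing stage:", first_mismatch(bad_log, good_log))
```

Because each extend folds the previous PCR value into the next, a change to any measured stage, or to the order of stages, yields a different final value that later extends cannot undo.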