Re: [PATCH] tpm: measure DTB in PCR1 instead of PCR0

Fri, 14 Jun 2024 23:58:44 -0700 

Thanks Eddie,

On Sat, 15 Jun 2024 at 00:31, Eddie James <eaja...@linux.ibm.com> wrote:
>
>
> On 6/14/24 07:09, Ilias Apalodimas wrote:
> > The PC client spec [0], doesn't describe measurements for DTBs. It does
> > describe what do to for ACPI tables though.
> >
> > There is a description for ACPI in 3.3.4.1 PCR[0] – SRTM, POST BIOS,
> > and Embedded Drivers and they explicitly mention ACPI in there. There's
> > no mention of ACPI in 3.3.4.2 PCR[1] – Host Platform Configuration.
> >
> > However, in Figure 6 --  PCR Mapping of UEFI Components ACPI is shown
> > in PCR1. The general description also mentions PCR0 is for code and PCR1
> > is for data such as ACPI and SMBIOS.
>
>
> Thanks, looks correct.
>
> Reviewed-by: Eddie James <eaja...@linux.ibm.com>

Heinrich, do you want to carry this on the EFI tree, or shall I send a
PR via the TPM tree?

Thanks
/Ilias
>
>
> >
> > So let's switch over the DTB measurements to PCR1 which seems a better
> > fit.
> >
> > [0] 
> > https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification
> >
> > Reported-by: Heinrich Schuchardt <xypron.g...@gmx.de>
> > Signed-off-by: Ilias Apalodimas <ilias.apalodi...@linaro.org>
> > ---
> >   boot/bootm.c              | 2 +-
> >   lib/efi_loader/efi_tcg2.c | 2 +-
> >   2 files changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/boot/bootm.c b/boot/bootm.c
> > index 6fa8edab021e..3de87eb185d7 100644
> > --- a/boot/bootm.c
> > +++ b/boot/bootm.c
> > @@ -963,7 +963,7 @@ int bootm_measure(struct bootm_headers *images)
> >                       goto unmap_initrd;
> >
> >               if (IS_ENABLED(CONFIG_MEASURE_DEVICETREE)) {
> > -                     ret = tcg2_measure_data(dev, &elog, 0, images->ft_len,
> > +                     ret = tcg2_measure_data(dev, &elog, 1, images->ft_len,
> >                                               (u8 *)images->ft_addr,
> >                                               EV_TABLE_OF_DEVICES,
> >                                               strlen("dts") + 1,
> > diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
> > index 51264c1b998c..a8a54c9f131d 100644
> > --- a/lib/efi_loader/efi_tcg2.c
> > +++ b/lib/efi_loader/efi_tcg2.c
> > @@ -1328,7 +1328,7 @@ efi_status_t efi_tcg2_measure_dtb(void *dtb)
> >       sha256_update(&hash_ctx, (u8 *)dtb + fdt_off_mem_rsvmap(dtb), 
> > rsvmap_size);
> >       sha256_finish(&hash_ctx, blob->data + blob->blob_description_size);
> >
> > -     ret = measure_event(dev, 0, EV_POST_CODE, event_size, (u8 *)blob);
> > +     ret = measure_event(dev, 1, EV_POST_CODE, event_size, (u8 *)blob);
> >
> >       free(blob);
> >       return ret;
> > --
> > 2.45.1
> >

Reply via email to