Hi Heinrich,
On Tue, 18 Jun 2024 at 18:40, Heinrich Schuchardt <xypron.g...@gmx.de> wrote:
>
> On 18.06.24 17:23, Ilias Apalodimas wrote:
> > We currently only describe the process to enable measured boot using
> > bootm. Describe the UEFI requirements as well which predate bootm.
> >
> > Signed-off-by: Ilias Apalodimas <ilias.apalodi...@linaro.org>
>
> Please, rebase on 00cac7456125 ("doc: describe UEFI measured boot")
No need. That commit already contains the v3 changes. You can ignore this one
Thanks
/Ilias
>
> Best regards
>
> Heinrich
>
> > ---
> > Changes since v2:
> > - add all bootX commands in the description instead of just bootm
> > - Remove and extra _ from the header
> > Changes since v1:
> > - fixed remarks from Heinrich on titling and DTB measured PCR
> > doc/usage/measured_boot.rst | 31 +++++++++++++++++++++++++++----
> > 1 file changed, 27 insertions(+), 4 deletions(-)
> >
> > diff --git a/doc/usage/measured_boot.rst b/doc/usage/measured_boot.rst
> > index 9691904a9d8a..d31cb05226cd 100644
> > --- a/doc/usage/measured_boot.rst
> > +++ b/doc/usage/measured_boot.rst
> > @@ -7,19 +7,42 @@ U-Boot can perform a measured boot, the process of
> > hashing various components
> > of the boot process, extending the results in the TPM and logging the
> > component's measurement in memory for the operating system to consume.
> >
> > +The functionality is available when booting via the EFI subsystem or
> > 'bootm'
> > +command.
> > +
> > +UEFI measured boot
> > +------------------
> > +The EFI subsystem implements the `EFI TCG protocol
> > +<https://trustedcomputinggroup.org/resource/tcg-efi-protocol-specification/>`_
> > +and the `TCG PC Client Specific Platform Firmware Profile Specification
> > +<https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/>`_
> > +which defines the binaries to be measured and the corresponding PCRs to be
> > used.
> > +
> > +Requirements
> > +~~~~~~~~~~~~
> > +* A hardware TPM 2.0 supported by an enabled U-Boot driver
> > +* CONFIG_EFI_TCG2_PROTOCOL=y
> > +* CONFIG_EFI_TCG2_PROTOCOL_EVENTLOG_SIZE=y
> > +* optional CONFIG_EFI_TCG2_PROTOCOL_MEASURE_DTB=y will measure the loaded
> > DTB in PCR 1
> > +
> > +Measured legacy boot with bootX command
> > +---------------------------------------
> > +The commands booti, bootm, and bootz can be used for measured boot
> > +using the legacy entry point of the Linux kernel.
> > +
> > By default, U-Boot will measure the operating system (linux) image, the
> > initrd image, and the "bootargs" environment variable. By enabling
> > -CONFIG_MEASURE_DEVICETREE, U-Boot will also measure the devicetree image.
> > +CONFIG_MEASURE_DEVICETREE, U-Boot will also measure the devicetree image
> > in PCR1.
> >
> > The operating system typically would verify that the hashes found in the
> > TPM PCRs match the contents of the event log. This can further be checked
> > against the hash results of previous boots.
> >
> > Requirements
> > -------------
> > +~~~~~~~~~~~~
> >
> > -* A hardware TPM 2.0 supported by the U-Boot drivers
> > -* CONFIG_TPM=y
> > +* A hardware TPM 2.0 supported by an enabled U-Boot driver
> > +* CONFIG_TPMv2=y
> > * CONFIG_MEASURED_BOOT=y
> > * Device-tree configuration of the TPM device to specify the memory area
> > for event logging. The TPM device node must either contain a phandle to
> > --
> > 2.45.2
> >
>
