Hi, Just to double check as I didn't find more after this thread. There was any advance regarding this topic? I might also be interested in help on this.
Thanks, Enric On Tue, Nov 12, 2024 at 4:05 PM Ilias Apalodimas <ilias.apalodi...@linaro.org> wrote: > > On Tue, 12 Nov 2024 at 16:55, Traut Manuel LCPF-CH <manuel.tr...@mt.com> > wrote: > > > > > > > > systemd-boot counting logic requires [0] to be implemented. > > > > > > > > > > If not we plan to add the functionality in fs/fs.c and fs/fat - > > > > > > correct? > > > > > > > > > > We don't have plans for it, but explaining any use cases you have > > > > > might help > > > > > > > > systemd-boot is able to do bootcounting by renaming the UKI image [0] > > > > the code that triggers the not implemented code section is here [1]. > > > > > > > > With this it is possible to have watchdog based A/B switching on systems > > > > without a writeable u-boot environment. And therefore it is a nice > > > > method to implement measured boot. > > > > > > The A/B is ok, but I cant understand how that realted to measured > > > boot. The TPM access, UKI infrastucture etc, will work fine without > > > A/B > > > > Yes, TPM, UKI works fine right now :) > > > > systemd-boot is renaming the UKI before it starts it, by increasing > > the bootcounter that is part of the filename. If the system is fully > > booted the file gets renamed again to reset the bootcounter. > > > > If the bootcounter exceeds systemd-boot tries the next UKI. > > The UKIs can be signed and are still valid after rename. > > > > I expect that changes to the u-boot env will change a PCR measurement. > > No env changes are not and IIRC it isnt necesarry. We measure what's > described in the PC client spec. So the loaded image PCRs would > change, but that's a user decision (which PCRS to use and seal > secrets) > > > At least it should be like this, since it might alter the boot path? > > > > For trusted systems it would be nice to have a meaurement of the EFI > > variables and beside that have no dynamic environment. > > We do measure EFI variables and Boot#### variables in PCR7 > > > > > Hope this explanation is understandable? > > Yes thanks > > /Ilias > > Manuel > > > > > > [0] > > > > https://uapi-group.org/specifications/specs/boot_loader_specification/#boot-counting > > > > [1] > > > > https://github.com/systemd/systemd/blob/3304a029b847e87da51f7a8ad8c118111508e009/src/boot/boot.c#L1407 > > > > > > > > > > > > > > > > [0] > > > > > > https://elixir.bootlin.com/u-boot/v2025.01-rc1/source/lib/efi_loader/efi_file.c#L971 >
