[...] > > > + > > +UEFI requirements > > +~~~~~~~~~~~~~~~~~ > > +* A hardware TPM 2.0 supported by the U-Boot drivers > > by an enabled U-Boot driver. > > > +* CONFIG_EFI_TCG2_PROTOCOL=y > > +* CONFIG_EFI_TCG2_PROTOCOL_EVENTLOG_SIZE=y > > +* optional CONFIG_EFI_TCG2_PROTOCOL_MEASURE_DTB=y will measure the loaded > > DTB in PCR 0 > > Why does this setting not default to yes? > > Should EFI_TCG2_PROTOCOL_MEASURE_DTB depend on !GENERATE_ACPI_TABLE as > we won't load the device-tree in this case? > > I can't find any reference to device-trees in `TCG PC Client Platform > Firmware Profile Specification`.
It's not and I've already pointed this out to Arm. We followed what ACPI does there and used "DTB DATA" instead of "ACPI DATA" as the event string. > Where is PCR 0 for the device-tree specified? As I said DT is missing from the spec but look below > I read: > > "In general, the platform firmware measures into PCR[1] the > configuration data that is associated with the code that measured into > PCR[0]". > > This looks like PCR 1 should be the target for the device-tree. There is a description for ACPI in 3.3.4.1 PCR[0] – SRTM, POST BIOS, and Embedded Drivers and they explicitly mention ACPI in there. There's no mention of ACPI in 3.3.4.2 PCR[1] – Host Platform Configuration. However ..... In Figure 6 PCR Mapping of UEFI Components ACPI is shown in PCR1 ..... I am not sure if we should use PCR0 or 1, if anyone has a strong opinion we can easily change the measured PCR. > > Do we already measure ACPI and SMBIOS tables into PCR1 as required by > the specification. We do measure SMBIOS in PCR1. I don't think we do anything for ACPI. > > > + > > +bootm > > Measured legacy boot with bootm command > > Please, consider in your description that the bootm command may be used > to load a FIT image with an EFI binary. I am not entirely sure how this works, someone who has used that needs to update it. What happens in that case? Does bootm end up calling bootefi ? That means we are measuring things twice? > > > +----- > > By default, U-Boot will measure the operating system (linux) image, the > > initrd image, and the "bootargs" environment variable. By enabling > > CONFIG_MEASURE_DEVICETREE, U-Boot will also measure the devicetree image. 
> > @@ -15,8 +35,8 @@ The operating system typically would verify that the > > hashes found in the > > TPM PCRs match the contents of the event log. This can further be checked > > against the hash results of previous boots. > > > > -Requirements > > ------------- > > +bootm requirements > > This is already a sub-section of bootm. No need to repeat it. > > > +~~~~~~~~~~~~~~~~~~ > > > > * A hardware TPM 2.0 supported by the U-Boot drivers > > by an enabled U-Boot driver. > > > * CONFIG_TPM=y > > CONFIG_TPM_V2=y is required? > > Best regards > > Heinrich > > Thanks /Ilias >
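Review bot: in the added "UEFI requirements" list, `CONFIG_EFI_TCG2_PROTOCOL_EVENTLOG_SIZE=y` is written as a boolean although the symbol name says it is a size. If it takes a byte count, the list should show a numeric value or drop the line as a requirement, because `=y` copied into a defconfig would not be a meaningful setting. The same list states "will measure the loaded DTB in PCR 0" as settled fact. Since the discussion notes that the TCG PC Client profile does not cover device trees, the text should say that the PCR choice is U-Boot's own and name the event string used ("DTB DATA"), so that someone replaying the event log knows what to look for.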
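Review bot: the bootm section names `CONFIG_MEASURE_DEVICETREE` for measuring the device tree, while the UEFI list added just above it names `CONFIG_EFI_TCG2_PROTOCOL_MEASURE_DTB`, and nothing in the added lines says how the two relate. A sentence stating whether each option affects only its own boot path, and what is measured when bootm starts an EFI binary from a FIT image, would keep readers from assuming one switch covers both paths or that nothing is measured twice.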
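Review bot: under the renamed "bootm requirements" heading in the `@@ -15,8 +35,8 @@` hunk, the list asks for a TPM 2.0 but the only option visible is `CONFIG_TPM=y`, and the bullet "A hardware TPM 2.0 supported by the U-Boot drivers" now appears word for word in both requirements lists. Consider moving the shared TPM prerequisites (the hardware plus the TPM Kconfig options) into one common list ahead of the UEFI and bootm sections, leaving each section with only its path-specific options.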

