Djam/u-boot
1
0
Fork 0
mirror of https://github.com/u-boot/u-boot.git synced 2025-04-16 09:54:35 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

doc: describe UEFI measured boot

Browse source 
We currently only describe the process to enable measured boot using
bootm. Describe the UEFI requirements as well which predate bootm.

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
This commit is contained in:
Ilias Apalodimas 2024-06-14 15:14:03 +03:00 committed by Heinrich Schuchardt
parent d69759aec2
commit 00cac74561
1 changed files with 31 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

35
doc/usage/measured_boot.rst
View file

@ -7,19 +7,46 @@ U-Boot can perform a measured boot, the process of hashing various components
of the boot process, extending the results in the TPM and logging the
component's measurement in memory for the operating system to consume.
The functionality is available when booting via the EFI subsystem or 'bootm'
command.
UEFI measured boot
------------------
The EFI subsystem implements the `EFI TCG protocol
<https://trustedcomputinggroup.org/resource/tcg-efi-protocol-specification/>`_
and the `TCG PC Client Specific Platform Firmware Profile Specification
<https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/>`_
which defines the binaries to be measured and the corresponding PCRs to be used.
Requirements
~~~~~~~~~~~~
* A hardware TPM 2.0 supported by an enabled U-Boot driver
* CONFIG_EFI_TCG2_PROTOCOL=y
* CONFIG_EFI_TCG2_PROTOCOL_EVENTLOG_SIZE=y
* optional CONFIG_EFI_TCG2_PROTOCOL_MEASURE_DTB=y will measure the loaded DTB
in PCR 1
Legacy measured boot
--------------------
The commands booti, bootm, and bootz can be used for measured boot
using the legacy entry point of the Linux kernel.
By default, U-Boot will measure the operating system (linux) image, the
initrd image, and the "bootargs" environment variable. By enabling
CONFIG_MEASURE_DEVICETREE, U-Boot will also measure the devicetree image.
CONFIG_MEASURE_DEVICETREE, U-Boot will also measure the devicetree image in PCR1.
The operating system typically would verify that the hashes found in the
TPM PCRs match the contents of the event log. This can further be checked
against the hash results of previous boots.
Requirements
------------
~~~~~~~~~~~~
* A hardware TPM 2.0 supported by the U-Boot drivers
* CONFIG_TPM=y
* A hardware TPM 2.0 supported by an enabled U-Boot driver
* CONFIG_TPMv2=y
* CONFIG_MEASURED_BOOT=y
* Device-tree configuration of the TPM device to specify the memory area
for event logging. The TPM device node must either contain a phandle to