From: Heinrich Schuchardt <xypron.glpk@gmx.de>
To: u-boot@lists.denx.de
Subject: [PATCH 2/2] efi_loader: add PE/COFF image measurement
Date: Wed, 21 Apr 2021 13:03:56 +0200 [thread overview]
Message-ID: <0d61e695-2c7e-f55f-94fa-6810cdcfd92a@gmx.de> (raw)
In-Reply-To: <YHn2twnn05TSzQ6d@apalos.home>
On 4/16/21 10:42 PM, Ilias Apalodimas wrote:
> Hi Heinrich,
>
> On Thu, Apr 15, 2021 at 04:08:55PM +0200, Heinrich Schuchardt wrote:
>> On 15.04.21 15:30, Masahisa Kojima wrote:
>>> "TCG PC Client Platform Firmware Profile Specification"
>>> requires to measure every attempt to load and execute
>>> a OS Loader(a UEFI application) into PCR[4].
>>> This commit adds the PE/COFF image measurement, extends PCR,
>>> and appends measurement into Event Log.
>>>
>>> Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
>>
>> Please, provide a unit test that we can run in Gitlab CI on either the
>> sandbox or QEMU.
>
> The additions to the EFI TCG2 fall under the same category as the initial
> patchset and unfortunately suffer from the same problems wrt to using the
> sandbox TPM2.
> The sandbox capabilities are limited for testing this, starting from the fact
> that that we can't even get the tpm2 capabilities we need to start the
> protocol correctly.
> ./drivers/tpm/tpm2_tis_sandbox.c only supports TPM_CAP_TPM_PROPERTIES which is
> limited compared to what the TCG code in EFI expects. Similar functionality
> is missing from extending and checking PCRs properly etc.
>
>>
>> QEMU allows to use a TPM emulation, cf.
>> https://qemu-project.gitlab.io/qemu/specs/tpm.html#the-qemu-tpm-emulator-device
>> https://github.com/stefanberger/swtpm
>
> Kojima and I will have a look since this is the only viable option in order to
> get useful selftests.
> Imho we should review and maybe accept this patch in parallel though, since
> it's adding more bits of the TCG PC client specification.
>
> Thanks!
> /Ilias
Hello Masahisa,
I am done with my review of the series and waiting for your v2.
Ilias suggested to implement tests in a separate series. I am fine with
this if Ilias supplies a tested-by sign-off for this series.
Best regards
Heinrich
next prev parent reply other threads:[~2021-04-21 11:03 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-15 13:30 [PATCH 0/2] PE/COFF measurement support Masahisa Kojima
2021-04-15 13:30 ` [PATCH 1/2] efi_loader: expose efi_image_parse() even if UEFI Secure Boot is disabled Masahisa Kojima
2021-04-15 13:58 ` Heinrich Schuchardt
2021-04-15 13:30 ` [PATCH 2/2] efi_loader: add PE/COFF image measurement Masahisa Kojima
2021-04-15 14:08 ` Heinrich Schuchardt
2021-04-16 20:42 ` Ilias Apalodimas
2021-04-21 11:03 ` Heinrich Schuchardt [this message]
2021-04-21 10:57 ` Heinrich Schuchardt
2021-04-22 5:25 ` Masahisa Kojima
2021-04-22 8:09 ` Ilias Apalodimas
2021-04-22 8:18 ` Heinrich Schuchardt
2021-04-27 14:05 ` Masahisa Kojima
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0d61e695-2c7e-f55f-94fa-6810cdcfd92a@gmx.de \
--to=xypron.glpk@gmx.de \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.