[Lvfs-announce] PCR0 requirement for UEFI Updates

[Lvfs-announce] PCR0 requirement for UEFI Updates

[Richard Hughes]

Hi all,

From September I'd like to make the device checksum a requirement for
UEFI capsules that are identified as system firmware (rather than ME
or EC updates, for example). This requirement would work in the same
way as the update severity, in that the firmware could not be pushed
to testing or stable without the attestation information provided.

The attestation checksum can be used to verify that the installed
firmware matches that supplied by the vendor and means the end user is
confident the firmware has not been modified by a 3rd party. The PCR0
value can easily be found using tpm2_pcrlist if the TPM is in v2.0
mode, or cat /sys/class/tpm/tpm0/pcrs if the TPM is still in v1.2
mode. It is also reported in the "fwupdmgr get-devices" output for
versions of fwupd >= 1.2.2

The device checksums can be included in the metainfo.xml file or added
using the LVFS website manually. It can even be set on the LVFS
automatically if the vendor client certificate is uploaded and a valid
report is uploaded. See
https://blogs.gnome.org/hughsie/2019/04/10/using-a-client-certificate-to-set-the-attestation-checksum/
for more information about the client certificate feature.

More details about setting the attestation checksum in the metadata
can be found here: https://fwupd.org/lvfs/docs/metainfo/protocol

If anyone has any comments or concerns, please let me know. Thanks.

Richard.