.. SPDX-License-Identifier: GPL-2.0+

Measured Boot
=============

U-Boot can perform a measured boot, the process of hashing various components
of the boot process, extending the results into the TPM and logging each
component's measurement in memory for the operating system to consume.

The functionality is available when booting via the EFI subsystem or the 'bootm'
command.

UEFI measured boot
------------------

The EFI subsystem implements the `EFI TCG protocol
<https://trustedcomputinggroup.org/resource/tcg-efi-protocol-specification/>`_
and the `TCG PC Client Specific Platform Firmware Profile Specification
<https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/>`_
which defines the binaries to be measured and the corresponding PCRs to be used.

Requirements
~~~~~~~~~~~~

* A hardware TPM 2.0 supported by an enabled U-Boot driver
* CONFIG_EFI_TCG2_PROTOCOL=y
* CONFIG_EFI_TCG2_PROTOCOL_EVENTLOG_SIZE=y
* optional: CONFIG_EFI_TCG2_PROTOCOL_MEASURE_DTB=y will measure the loaded DTB
  in PCR 1

Legacy measured boot
--------------------

The commands booti, bootm, and bootz can be used for measured boot
using the legacy entry point of the Linux kernel.

By default, U-Boot will measure the operating system (Linux) image, the
initrd image, and the "bootargs" environment variable. By enabling
CONFIG_MEASURE_DEVICETREE, U-Boot will also measure the devicetree image in PCR 1.

The operating system would typically verify that the hashes found in the
TPM PCRs match the contents of the event log: replaying the log's digests
through the PCR extend operation must reproduce the PCR values the TPM holds.
The per-component digests in the log can further be checked against the
results of previous boots.
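The following is an added example, not code from U-Boot, illustrating the two checks described above: replaying an event log through the PCR extend operation and comparing the result with the PCR values read from the TPM, then comparing each component's digest with a baseline recorded on a previous boot. It uses a simplified in-memory event representation (PCR index, digest, description) rather than the binary TCG event log layout, and the PCR indices chosen for the kernel, initrd and bootargs entries are assumptions; only the devicetree in PCR 1 follows the text above.

```python
"""Replay a measured-boot event log and check it against TPM PCR values.

Added example, not part of U-Boot. Events are kept as (pcr, digest, desc)
tuples instead of the binary TCG_PCR_EVENT2 layout, and SHA-256 is the only
bank considered.
"""
import hashlib
from typing import Dict, List, Tuple

PCR_COUNT = 24
DIGEST_LEN = 32
Event = Tuple[int, bytes, str]  # (PCR index, measured digest, event description)


def pcr_extend(old: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: new = H(old || digest)."""
    return hashlib.sha256(old + digest).digest()


def initial_pcrs() -> Dict[int, bytes]:
    """All PCRs start as zero at reset (true for the PCRs used here)."""
    return {i: bytes(DIGEST_LEN) for i in range(PCR_COUNT)}


def measure(pcrs: Dict[int, bytes], log: List[Event], pcr: int,
            data: bytes, desc: str) -> bytes:
    """Hash a component, extend the PCR and append a log entry, as the
    boot loader does for each measured component."""
    digest = hashlib.sha256(data).digest()
    pcrs[pcr] = pcr_extend(pcrs[pcr], digest)
    log.append((pcr, digest, desc))
    return digest


def replay_log(log: List[Event]) -> Dict[int, bytes]:
    """Recompute the PCR values that the event log claims to describe."""
    expected = initial_pcrs()
    for pcr, digest, _ in log:
        expected[pcr] = pcr_extend(expected[pcr], digest)
    return expected


def verify(log: List[Event], tpm_pcrs: Dict[int, bytes]) -> List[int]:
    """Return the PCR indices whose TPM value disagrees with the replayed log.
    An empty list means the log is consistent with the TPM."""
    expected = replay_log(log)
    return sorted(i for i in expected if expected[i] != tpm_pcrs.get(i))


def changed_components(log: List[Event], baseline: Dict[str, bytes]) -> List[str]:
    """Compare each component's digest with one recorded on a previous boot."""
    return sorted(desc for _, digest, desc in log if baseline.get(desc) != digest)


def simulate_boot(bootargs: bytes = b"console=ttyS0 root=/dev/mmcblk0p2"):
    """Constructed stand-in for a measured boot; returns (tpm_pcrs, event_log).
    Component contents are placeholder bytes, and the PCR indices for the
    kernel, initrd and bootargs are assumed for illustration."""
    pcrs = initial_pcrs()
    log: List[Event] = []
    measure(pcrs, log, 8, b"<constructed kernel image bytes>", "linux")   # assumed PCR
    measure(pcrs, log, 9, b"<constructed initrd bytes>", "initrd")       # assumed PCR
    measure(pcrs, log, 1, b"<constructed devicetree blob>", "dts")       # PCR 1 per docs
    measure(pcrs, log, 1, bootargs + b"\0", "bootargs")                  # assumed PCR
    return pcrs, log


if __name__ == "__main__":
    tpm_pcrs, event_log = simulate_boot()
    print("mismatched PCRs (honest log):", verify(event_log, tpm_pcrs))
    # A log that was edited after the fact no longer replays to the TPM's values.
    tampered = list(event_log)
    tampered[0] = (8, hashlib.sha256(b"<other kernel>").digest(), "linux")
    print("mismatched PCRs (edited log):", verify(tampered, tpm_pcrs))
    # Against a stored baseline, the log names which component changed.
    baseline = {desc: digest for _, digest, desc in event_log}
    _, next_log = simulate_boot(b"init=/bin/sh")
    print("changed since baseline:", changed_components(next_log, baseline))
```

The PCR values alone only tell the operating system that something differs; it is the event log, validated by replaying it against the PCRs, that identifies which component changed, which is why the log must be handed over in memory as the requirements below describe.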

Requirements
~~~~~~~~~~~~

* A hardware TPM 2.0 supported by an enabled U-Boot driver
* CONFIG_TPMv2=y
* CONFIG_MEASURED_BOOT=y
* Device-tree configuration of the TPM device to specify the memory area
  for event logging. The TPM device node must either contain a phandle to
  a reserved memory region or "linux,sml-base" and "linux,sml-size"
  indicating the address and size of the memory region. An example can be
  found in arch/sandbox/dts/test.dts
* The operating system must also be configured to use the memory regions
  specified in the U-Boot device-tree in order to make use of the event
  log.