From d69759aec28ec195bc20e31b5558f99a32e3ab28 Mon Sep 17 00:00:00 2001
From: Ilias Apalodimas
Date: Fri, 14 Jun 2024 15:09:50 +0300
Subject: [PATCH] tpm: measure DTB in PCR1 instead of PCR0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
The PC client spec [0], doesn't describe measurements for DTBs. It does describe what do to for ACPI tables though. There is a description for ACPI in 3.3.4.1 PCR[0] – SRTM, POST BIOS, and Embedded Drivers and they explicitly mention ACPI in there. There's no mention of ACPI in 3.3.4.2 PCR[1] – Host Platform Configuration. However, in Figure 6 -- PCR Mapping of UEFI Components ACPI is shown in PCR1. The general description also mentions PCR0 is for code and PCR1 is for data such as ACPI and SMBIOS. So let's switch over the DTB measurements to PCR1 which seems a better fit.
[0] https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification
Reported-by: Heinrich Schuchardt
Signed-off-by: Ilias Apalodimas
Reviewed-by: Eddie James
---
 boot/bootm.c | 2 +-
 lib/efi_loader/efi_tcg2.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/boot/bootm.c b/boot/bootm.c
index 032f5a4a16..9879e1bba4 100644
--- a/boot/bootm.c
+++ b/boot/bootm.c
@@ -964,7 +964,7 @@ int bootm_measure(struct bootm_headers *images)
 goto unmap_initrd;
 if (IS_ENABLED(CONFIG_MEASURE_DEVICETREE)) {
- ret = tcg2_measure_data(dev, &elog, 0, images->ft_len,
+ ret = tcg2_measure_data(dev, &elog, 1, images->ft_len,
 (u8 *)images->ft_addr,
 EV_TABLE_OF_DEVICES,
 strlen("dts") + 1,
diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
index 945aafb847..d56bd5657c 100644
--- a/lib/efi_loader/efi_tcg2.c
+++ b/lib/efi_loader/efi_tcg2.c
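Review bot: In the boot/bootm.c hunk the new `tcg2_measure_data(dev, &elog, 1, ...)` call passes the PCR index as a bare literal, and neither the call site nor the patch documents what the move means for deployed systems. With the devicetree digest extended into PCR1 instead of PCR0, both registers will hold different values after an upgrade on boards built with CONFIG_MEASURE_DEVICETREE, so secrets sealed to PCR0 or PCR1 and attestation reference values would presumably have to be regenerated; a line in the measured-boot documentation should say so. At the call I would add `/* DTB is platform configuration data: extend PCR1, not PCR0 (TCG PFP) */`. The same comment fits the `measure_event()` call in lib/efi_loader/efi_tcg2.c; bootm_measure() begins and ends outside this hunk.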
@@ -1331,7 +1331,7 @@ efi_status_t efi_tcg2_measure_dtb(void *dtb)
 sha256_update(&hash_ctx, (u8 *)dtb + fdt_off_mem_rsvmap(dtb), rsvmap_size);
 sha256_finish(&hash_ctx, blob->data + blob->blob_description_size);
- ret = measure_event(dev, 0, EV_POST_CODE, event_size, (u8 *)blob);
+ ret = measure_event(dev, 1, EV_POST_CODE, event_size, (u8 *)blob);
 free(blob);
 return ret;
-- 
2.39.5
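Review bot: The changed `measure_event(dev, 1, EV_POST_CODE, ...)` line moves the PCR but keeps the event type, so the event log now records a POST-code event in the register the commit message reserves for data. That also leaves the two DTB paths inconsistent, since the boot/bootm.c hunk logs the devicetree as `EV_TABLE_OF_DEVICES`. A verifier that replays the log and checks event type against PCR index may reject or flag this entry, so please confirm against the event-type table of the cited PFP spec whether the type should change with the index. If `EV_POST_CODE` is kept on purpose, say so at the call, e.g. `/* event type intentionally left as EV_POST_CODE; DTB is data, hence PCR1 */`. efi_tcg2_measure_dtb() starts outside this hunk.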