<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>This PR adds a new --measure (-m) option to the
chain/imgexec/boot commands that will perform a TPM measurement of
an ipxe script prior to loading of the script on EFI systems. The
code makes use of the EFI_TCG2_PROTOCOL->HashLogExtendEvent()
protocol function provided by the UEFI firmware which will measure
the script and create a TPM log entry for the script. NOTE: Only
TPM2.0 is supported currently. TPM1.2 support is TBD.<br>
<br>
If the UEFI firmware does not support EFI_TCG2_PROTOCOL, the
command is aborted with an error.<br>
</p>
<p>See the TCG PC Client Platform Firmware Profile Specification and
TCG EFI Protocol Specification for details.</p>
<p>iPXE uses UEFI LoadImage() service function to load other image
types which will automatically measure the image as part of the
image load. Script image types are not loaded via LoadImage() and
thus this new command option is needed to measure the scripts
directly prior to load. Scripts need to be measured to comply with
TCG specification which dictate that all binaries and
configuration data must be measured for a complete
measured/trusted boot.</p>
<p>Example usage:</p>
<p>chain -m <a rel="nofollow" href="http://1.2.3.4/script.ipxe">http://1.2.3.4/script.ipxe</a></p>
<p>Testing: I tested this code on a x86_64 server using qemu with a
swtpm emulating TPM2.0. I verified that the proper TPM PCR (5) was
updated and an TPM Event Log entry was created for the script.</p>
<p>Thanks,</p>
<p>-Aaron Young<br>
<a href="mailto:aaron.young@oracle.com">aaron.young@oracle.com</a></p>
<br>
<hr>
<h4>You can view, comment on, or merge this pull request online at:</h4>
<p><a href="https://github.com/ipxe/ipxe/pull/86">https://github.com/ipxe/ipxe/pull/136<br>
</a></p>
<h4>Commit Summary</h4>
<ul>
<li>[efi] Add support for TPM measurement of ipxe scripts on EFI
systems <br>
</li>
</ul>
<h4>File Changes</h4>
<strong></strong>
<ul>
<li> src/config/defaults/efi.h | 5 +</li>
<li> src/config/defaults/linux.h | 6 +</li>
<li> src/config/defaults/pcbios.h | 5 +</li>
<li> src/core/null_measure.c | 33 +++</li>
<li> src/hci/commands/image_cmd.c | 19 +-</li>
<li> src/include/ipxe/efi/Protocol/Tcg2Protocol.h | 343
+++++++++++++++++++++++++++</li>
<li> src/include/ipxe/efi/efi_measure.h | 23 ++</li>
<li> src/include/ipxe/errfile.h | 6 +</li>
<li> src/include/ipxe/measure.h | 61 +++++</li>
<li> src/include/ipxe/null_measure.h | 23 ++</li>
<li> src/interface/efi/efi_measure.c | 170
+++++++++++++</li>
<li> create mode 100644 src/core/null_measure.c</li>
<li> create mode 100644
src/include/ipxe/efi/Protocol/Tcg2Protocol.h</li>
<li> create mode 100644 src/include/ipxe/efi/efi_measure.h</li>
<li> create mode 100644 src/include/ipxe/measure.h</li>
<li> create mode 100644 src/include/ipxe/null_measure.h</li>
<li> create mode 100644 src/interface/efi/efi_measure.c<br>
<br>
</li>
</ul>
<h4>Patch Links:</h4>
<ul>
<li><a href="https://github.com/ipxe/ipxe/pull/86.diff">https://patch-diff.githubusercontent.com/raw/ipxe/ipxe/pull/136.patch</a></li>
<li><a href="https://github.com/ipxe/ipxe/pull/86.diff">https://patch-diff.githubusercontent.com/raw/ipxe/ipxe/pull/136.diff</a></li>
</ul>
—<br>
</body>
</html>