<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p> </p>
<div class="moz-forward-container">
<p><RESEND with corrected links below><br>
<br>
This PR adds a new --measure (-m) option to the
chain/imgexec/boot commands that will perform a TPM measurement
of an ipxe script prior to loading of the script on EFI systems.
The code makes use of the
EFI_TCG2_PROTOCOL->HashLogExtendEvent() protocol function
provided by the UEFI firmware which will measure the script and
create a TPM log entry for the script. NOTE: Only TPM2.0 is
supported currently. TPM1.2 support is TBD.<br>
<br>
If the UEFI firmware does not support EFI_TCG2_PROTOCOL, the
command is aborted with an error.<br>
</p>
<p>See the TCG PC Client Platform Firmware Profile Specification
and TCG EFI Protocol Specification for details.</p>
<p>iPXE uses UEFI LoadImage() service function to load other image
types which will automatically measure the image as part of the
image load. Script image types are not loaded via LoadImage()
and thus this new command option is needed to measure the
scripts directly prior to load. Scripts need to be measured to
comply with TCG specification which dictate that all binaries
and configuration data must be measured for a complete
measured/trusted boot.</p>
<p>Example usage:</p>
<p>chain -m <a moz-do-not-send="true" rel="nofollow"
href="http://1.2.3.4/script.ipxe">http://1.2.3.4/script.ipxe</a></p>
<p>Testing: I tested this code on a x86_64 server using qemu with
a swtpm emulating TPM2.0. I verified that the proper TPM PCR (5)
was updated and an TPM Event Log entry was created for the
script.</p>
<p>Thanks,</p>
<p>-Aaron Young<br>
<a moz-do-not-send="true" href="mailto:aaron.young@oracle.com">aaron.young@oracle.com</a></p>
<br>
<hr>
<h4>You can view, comment on, or merge this pull request online
at:</h4>
<p><a moz-do-not-send="true"
href="https://github.com/ipxe/ipxe/pull/86">https://github.com/ipxe/ipxe/pull/136<br>
</a></p>
<h4>Commit Summary</h4>
<ul>
<li>[efi] Add support for TPM measurement of ipxe scripts on EFI
systems <br>
</li>
</ul>
<h4>File Changes</h4>
<strong></strong>
<ul>
<li> src/config/defaults/efi.h | 5 +</li>
<li> src/config/defaults/linux.h | 6 +</li>
<li> src/config/defaults/pcbios.h | 5 +</li>
<li> src/core/null_measure.c | 33 +++</li>
<li> src/hci/commands/image_cmd.c | 19 +-</li>
<li> src/include/ipxe/efi/Protocol/Tcg2Protocol.h | 343
+++++++++++++++++++++++++++</li>
<li> src/include/ipxe/efi/efi_measure.h | 23 ++</li>
<li> src/include/ipxe/errfile.h | 6 +</li>
<li> src/include/ipxe/measure.h | 61 +++++</li>
<li> src/include/ipxe/null_measure.h | 23 ++</li>
<li> src/interface/efi/efi_measure.c | 170
+++++++++++++</li>
<li> create mode 100644 src/core/null_measure.c</li>
<li> create mode 100644
src/include/ipxe/efi/Protocol/Tcg2Protocol.h</li>
<li> create mode 100644 src/include/ipxe/efi/efi_measure.h</li>
<li> create mode 100644 src/include/ipxe/measure.h</li>
<li> create mode 100644 src/include/ipxe/null_measure.h</li>
<li> create mode 100644 src/interface/efi/efi_measure.c<br>
<br>
</li>
</ul>
<h4>Patch Links:</h4>
<ul>
<li><a class="moz-txt-link-freetext" href="https://patch-diff.githubusercontent.com/raw/ipxe/ipxe/pull/136.patch">https://patch-diff.githubusercontent.com/raw/ipxe/ipxe/pull/136.patch</a><br>
</li>
<li><a class="moz-txt-link-freetext" href="https://patch-diff.githubusercontent.com/raw/ipxe/ipxe/pull/136.diff">https://patch-diff.githubusercontent.com/raw/ipxe/ipxe/pull/136.diff</a><br>
</li>
</ul>
—<br>
</div>
</body>
</html>