<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p><br>
</p>
<div class="moz-forward-container">
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<p> </p>
<div class="moz-forward-container">
<p><RESEND (again) with corrected links below><br>
<br>
This PR adds a new --measure (-m) option to the
chain/imgexec/boot commands that will perform a TPM
measurement of an ipxe script prior to loading of the script
on EFI systems. The code makes use of the
EFI_TCG2_PROTOCOL->HashLogExtendEvent() protocol function
provided by the UEFI firmware which will measure the script
and create a TPM log entry for the script. NOTE: Only TPM2.0
is supported currently. TPM1.2 support is TBD.<br>
<br>
If the UEFI firmware does not support EFI_TCG2_PROTOCOL, the
command is aborted with an error.<br>
</p>
<p>See the TCG PC Client Platform Firmware Profile Specification
and TCG EFI Protocol Specification for details.</p>
<p>iPXE uses UEFI LoadImage() service function to load other
image types which will automatically measure the image as part
of the image load. Script image types are not loaded via
LoadImage() and thus this new command option is needed to
measure the scripts directly prior to load. Scripts need to be
measured to comply with TCG specification which dictate that
all binaries and configuration data must be measured for a
complete measured/trusted boot.</p>
<p>Example usage:</p>
<p>chain -m <a moz-do-not-send="true" rel="nofollow"
href="http://1.2.3.4/script.ipxe">http://1.2.3.4/script.ipxe</a></p>
<p>Testing: I tested this code on a x86_64 server using qemu
with a swtpm emulating TPM2.0. I verified that the proper TPM
PCR (5) was updated and an TPM Event Log entry was created for
the script.</p>
<p>Thanks,</p>
<p>-Aaron Young<br>
<a moz-do-not-send="true" href="mailto:aaron.young@oracle.com">aaron.young@oracle.com</a></p>
<br>
<hr>
<h4>You can view, comment on, or merge this pull request online
at:</h4>
<p><a class="moz-txt-link-freetext" href="https://github.com/ipxe/ipxe/pull/136">https://github.com/ipxe/ipxe/pull/136</a><br>
</p>
<h4>Commit Summary</h4>
<ul>
<li>[efi] Add support for TPM measurement of ipxe scripts on
EFI systems <br>
</li>
</ul>
<h4>File Changes</h4>
<strong></strong>
<ul>
<li> src/config/defaults/efi.h | 5 +</li>
<li> src/config/defaults/linux.h | 6 +</li>
<li> src/config/defaults/pcbios.h | 5 +</li>
<li> src/core/null_measure.c | 33 +++</li>
<li> src/hci/commands/image_cmd.c | 19 +-</li>
<li> src/include/ipxe/efi/Protocol/Tcg2Protocol.h | 343
+++++++++++++++++++++++++++</li>
<li> src/include/ipxe/efi/efi_measure.h | 23 ++</li>
<li> src/include/ipxe/errfile.h | 6 +</li>
<li> src/include/ipxe/measure.h | 61 +++++</li>
<li> src/include/ipxe/null_measure.h | 23 ++</li>
<li> src/interface/efi/efi_measure.c | 170
+++++++++++++</li>
<li> create mode 100644 src/core/null_measure.c</li>
<li> create mode 100644
src/include/ipxe/efi/Protocol/Tcg2Protocol.h</li>
<li> create mode 100644 src/include/ipxe/efi/efi_measure.h</li>
<li> create mode 100644 src/include/ipxe/measure.h</li>
<li> create mode 100644 src/include/ipxe/null_measure.h</li>
<li> create mode 100644 src/interface/efi/efi_measure.c<br>
<br>
</li>
</ul>
<h4>Patch Links:</h4>
<ul>
<li><a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://patch-diff.githubusercontent.com/raw/ipxe/ipxe/pull/136.patch">https://patch-diff.githubusercontent.com/raw/ipxe/ipxe/pull/136.patch</a><br>
</li>
<li><a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://patch-diff.githubusercontent.com/raw/ipxe/ipxe/pull/136.diff">https://patch-diff.githubusercontent.com/raw/ipxe/ipxe/pull/136.diff</a><br>
</li>
</ul>
—<br>
</div>
</div>
</body>
</html>