diff options
| author | Tom Rini <[email protected]> | 2025-01-29 08:12:21 -0600 |
|---|---|---|
| committer | Tom Rini <[email protected]> | 2025-01-29 08:12:21 -0600 |
| commit | 021baf7b08cceb58bb850859dba1614424e16a83 (patch) | |
| tree | 9f53a40366eea064bcafbe5b82a3f1245b2671bc /doc/usage | |
| parent | 75125f392de4e672127fe0b092d481e78ff8bdd0 (diff) | |
| parent | 8895ff8ae2186b53b4a073966ef16b09c12a69b8 (diff) | |
Merge tag 'tpm-master-28012025' of https://source.denx.de/u-boot/custodians/u-boot-tpm
CI: https://source.denx.de/u-boot/custodians/u-boot-tpm/-/pipelines/24375
We have use cases where a previous stage boot loader doesn't have any
TPM drivers. Instead of extending the hardware PCRs it produces an
EventLog that U-Boot later replays on the hardware.
The only real example we have is TF-A, which produces the EventLog using
hashing algorithms created at compile time. This creates a problem to the
TPM since measurements need to extend all active PCR banks. Up to now
we were exiting refusing the extend measurements.
TPMs can be instructed to change their active PCR banks, as long as the
device resets immediately after a reconfiguration. This PR is adding
that functionality. U-Boot can now scan the currently active TPM PCR
banks, the ones it was compiled to support and the ones present in an
EventLog. It the reconfigures the TPM on the fly with the correct algorithms.
Diffstat (limited to 'doc/usage')
| -rw-r--r-- | doc/usage/measured_boot.rst | 1 |
1 files changed, 0 insertions, 1 deletions
diff --git a/doc/usage/measured_boot.rst b/doc/usage/measured_boot.rst index 05c439e9ac6..488dd546f13 100644 --- a/doc/usage/measured_boot.rst +++ b/doc/usage/measured_boot.rst @@ -24,7 +24,6 @@ Requirements * A hardware TPM 2.0 supported by an enabled U-Boot driver * CONFIG_EFI_TCG2_PROTOCOL=y -* CONFIG_EFI_TCG2_PROTOCOL_EVENTLOG_SIZE=y * optional CONFIG_EFI_TCG2_PROTOCOL_MEASURE_DTB=y will measure the loaded DTB in PCR 1 |