Hi Cedric,

> Make use of systemd code to measure the kernel command line for the
> selected configuration into PCR#8. This also causes the firmware
> to add the measurement for the loaded EFI image into PCR#4 (as per
> UEFI specs). With this change both the loaded kernel and command
> line options are measured.

Measurement to PCR #4 is done by the EFI firmware for each LoadImage()'d
EFI binary. According to the spec, "UEFI Boot Manager Code (usually the
MBR) and Boot Attempts" is supposed to be measured to PCR #4. Now, an
OS kernel doesn't exactly qualify for this semantically, right?
Probably, PCRs #8 - #15 "Defined for use by the Static OS" (according to
the spec) are a better match for measuring the OS kernel, additionally.
You're measuring the kernel command line to this range already.

That said, what's the overarching concept behind this? Just measuring
"something" is not an end in itself. How is that supposed to be sensibly
used (e.g., by the OS) to actually leverage the measurements? According
to this answer, the measurement(s) should be performed by EFI Boot Guard
to support the intended idea/concept.
As it is now, you have to poke and replay PCR #4 to assess the OS kernel
as the OS kernel and the bootloader are mashed up in PCR #4. Otherwise,
you can just tell that *some* OS kernel has been booted with the same or
different kernel command lines (via PCR #8).


> Use of the TPM may be disabled by passing --disable-tpm to the
> configure script.

Why this distinction? It doesn't harm to have it enabled unconditionally
with measurement simply failing in case no TPM is available, does it?
What is the reasoning behind making it compile-time conditional?


Kind regards,
   Christian

-- 
Dr. Christian Storm
Siemens AG, Technology, T RDA IOT SES-DE
Otto-Hahn-Ring 6, 81739 München, Germany
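Worked example, added here as an illustration and not part of Christian's or Cedric's mail nor of the EFI Boot Guard code base: it simulates the SHA-256 PCR extend chain to show why PCR #4, which chains the bootloader and the kernel image, has to be replayed against candidate images to tell which kernel booted, whereas PCR #8 (command line only) can be checked with a single extend. The images, command lines and log layout are constructed samples; real firmware measures the PE image digest rather than raw bytes and records additional events, which are omitted.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

ZERO_PCR = bytes(32)  # a SHA-256 PCR bank starts at all zeros


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend for a SHA-256 bank: PCR_new = SHA-256(PCR_old || digest)."""
    return sha256(pcr + digest)


# Constructed sample data, not real firmware output or real images.
BOOTLOADER = b"bootloader.efi (constructed sample image)"
KERNELS: Dict[str, bytes] = {
    "kernel-A": b"vmlinuz-A (constructed sample image)",
    "kernel-B": b"vmlinuz-B (constructed sample image)",
}
CMDLINE_A = b"root=/dev/sda2 ro quiet"
CMDLINE_B = b"root=/dev/sda2 ro init=/bin/sh"

# Event log entry: (pcr_index, description, measured_data)
Event = Tuple[int, str, bytes]


def sample_log(kernel: str, cmdline: bytes) -> List[Event]:
    """Constructed log for one boot: two LoadImage() measurements by the
    firmware into PCR #4, then the command line measured into PCR #8."""
    return [
        (4, "bootloader image", BOOTLOADER),
        (4, "kernel image", KERNELS[kernel]),
        (8, "kernel command line", cmdline),
    ]


def replay(events: List[Event], pcr_index: int) -> bytes:
    """Replay the log entries for one PCR starting from the zero value."""
    pcr = ZERO_PCR
    for idx, _desc, data in events:
        if idx == pcr_index:
            pcr = extend(pcr, sha256(data))
    return pcr


def identify_kernel(pcr4: bytes, bootloader: bytes,
                    candidates: Dict[str, bytes]) -> Optional[str]:
    """PCR #4 chains bootloader and kernel, so a kernel digest cannot be
    compared to it directly; each candidate chain must be replayed instead."""
    after_loader = extend(ZERO_PCR, sha256(bootloader))
    for name, image in candidates.items():
        if extend(after_loader, sha256(image)) == pcr4:
            return name
    return None


def cmdline_matches(pcr8: bytes, cmdline: bytes) -> bool:
    """PCR #8 holds only the command line here, so one extend suffices."""
    return extend(ZERO_PCR, sha256(cmdline)) == pcr8


if __name__ == "__main__":
    log = sample_log("kernel-A", CMDLINE_A)
    pcr4, pcr8 = replay(log, 4), replay(log, 8)
    print("PCR #4:", pcr4.hex())
    print("booted kernel (by replay):", identify_kernel(pcr4, BOOTLOADER, KERNELS))
    print("cmdline A matches PCR #8:", cmdline_matches(pcr8, CMDLINE_A))
    print("cmdline B matches PCR #8:", cmdline_matches(pcr8, CMDLINE_B))
```

Note that a bare image digest never equals the PCR value, and swapping the extend order of bootloader and kernel yields a different PCR #4, which is the "mashed up" situation described above: an attester needs the event log (or a known bootloader and a list of candidate kernels) to reconstruct the chain.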
