We currently only describe the process to enable measured boot using
bootm. Describe the UEFI requirements as well which predate bootm.

Signed-off-by: Ilias Apalodimas <ilias.apalodi...@linaro.org>
---
 doc/usage/measured_boot.rst | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/doc/usage/measured_boot.rst b/doc/usage/measured_boot.rst
index 9691904a9d8a..1b5dd1dcc438 100644
--- a/doc/usage/measured_boot.rst
+++ b/doc/usage/measured_boot.rst
@@ -7,6 +7,26 @@ U-Boot can perform a measured boot, the process of hashing 
various components
 of the boot process, extending the results in the TPM and logging the
 component's measurement in memory for the operating system to consume.
 
+The functionality is available when booting via the EFI subsystem or 'bootm'
+command.
+
+UEFI subsystem
+--------------
+The EFI subsystem implements the `EFI TCG protocol
+<https://trustedcomputinggroup.org/resource/tcg-efi-protocol-specification/>`_
+and the `TCG PC Client Specific Platform Firmware Profile Specification
+<https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/>`_
+which defines the binaries to be measured and the corresponding PCRs used.
+
+UEFI requirements
+~~~~~~~~~~~~~~~~~
+* A hardware TPM 2.0 supported by the U-Boot drivers
+* CONFIG_EFI_TCG2_PROTOCOL=y
+* CONFIG_EFI_TCG2_PROTOCOL_EVENTLOG_SIZE=y
+* optional CONFIG_EFI_TCG2_PROTOCOL_MEASURE_DTB=y will measure the loaded DTB 
in PCR 0
+
+bootm
+-----
 By default, U-Boot will measure the operating system (linux) image, the
 initrd image, and the "bootargs" environment variable. By enabling
 CONFIG_MEASURE_DEVICETREE, U-Boot will also measure the devicetree image.
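Review bot: `CONFIG_EFI_TCG2_PROTOCOL_EVENTLOG_SIZE=y` in the UEFI requirements list looks wrong: the option name denotes a buffer size, so its value should be an integer, not `y`; either give the expected size or say the default is sufficient. The bootm requirements list in the next hunk also lists `CONFIG_TPM=y`, which the UEFI list omits; add it here or state that it is pulled in by the dependencies of `CONFIG_EFI_TCG2_PROTOCOL`, if that is the case. Minor: `'bootm'` is quoted in the new intro sentence but not in the heading, and the `MEASURE_DTB` bullet carries trailing whitespace.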
@@ -15,8 +35,8 @@ The operating system typically would verify that the hashes 
found in the
 TPM PCRs match the contents of the event log. This can further be checked
 against the hash results of previous boots.
 
-Requirements
-------------
+bootm requirements
+~~~~~~~~~~~~~~~~~~
 
 * A hardware TPM 2.0 supported by the U-Boot drivers
 * CONFIG_TPM=y
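Review bot: the context lines about the operating system checking the PCRs against the event log now sit under the newly inserted `bootm` heading, so they read as bootm-specific even though the same verification applies to the EFI path; consider moving that paragraph up into the introduction ahead of the `UEFI subsystem` heading. The rename to `bootm requirements` with a `~` underline is consistent with the `UEFI requirements` subsection, and the underline length matches the title.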
-- 
2.45.1
