patches/coreboot-4.8.1: Measure firmware into PCR2 #793
Conversation
|
This is a big change for Heads and needs testing. Ill do the x230 right away but it need to be tested for all TPM enforcing boards and the more eyes the better. This is first step changing Heads for coreboot 4.8.1 to move away of it for newer versions. Tagged names taken from #692: xx20: xx30: Thanks |
|
Builds for xx30 will be available here in a little while(+2 hours since musl-cross-make and other boards needs to be rebuild, kernel, coreboot, modules), since I had to change the local cache environment variable from 2 to 3 to build from scratch and create a new cache ( ./build/coreboot-4.8.1 directory is created only per archive decompression on which patches are applied, requiring that directory to be wiped out for the patches to be deployed on top of extracted archive. Planned fix here. Until then, Cache variable inside of builder's CI configuration needs to be changed manually.) |
|
Not functional as is: High level causes:
Patch 0061-measure-to-pcr2.patch modifies the same source code file patches by precedent patches. Which produces the right outcome while 0061 should not exist at all and modify other patches: @PatrickRudolph Will comment directly if needed while #721 (comment) was really clear. |
|
I modified existing patches, built/tested on a Librem 13v2, seems to work properly from the handful of boots I did |
As part of migration to coreboot 4.12, which includes measured boot without additional patches, measure all parts of the firmware and the payload into PCR2. The same is done in coreboot 4.12. This commit ensures that boards not migrated yet will show the same behaviour. TODO: Update heads-wiki. Signed-off-by: Patrick Rudolph <[email protected]>
PatrickRudolph
force-pushed
the
measure_to_pcr2
branch
from
ccebb3e
to
894004e
Compare
|
Merged the changes into existing patches. |
|
clean build happening here: https://app.circleci.com/pipelines/github/tlaurion/heads/281/workflows/b15669a3-5e91-412c-b8bd-060c01e1f99f/jobs/306 ETA 2h. |
|
Ready to merge. |
Documentation changes linked to PCR usage in coreboot 4.8.1 and newer versions, to be applied at the same time as linuxboot/heads#793 is merged. Linked to VBOOT+Measured boot/Measured boot changes applied directly in coreboot so that we have a common base prior of going linuxboot/heads#709 and linuxboot/heads#721 @PatrickRudolph comments welcome
|
@PatrickRudolph would you add anything else to linuxboot/heads-wiki#42 prior of merging both at the same time? |
…#42) * Update Keys.md Documentation changes linked to PCR usage in coreboot 4.8.1 and newer versions, to be applied at the same time as linuxboot/heads#793 is merged. Linked to VBOOT+Measured boot/Measured boot changes applied directly in coreboot so that we have a common base prior of going linuxboot/heads#709 and linuxboot/heads#721 @PatrickRudolph comments welcome * Update Keys.md Removed comment about MRC needing to be measured into different PCR since coreboot is merging them all under PCR2 in newer VBOOT+measured boot/measuredboot Ref:https://doc.coreboot.org/security/vboot/measured_boot.html
As part of migration to coreboot 4.12, which includes measured boot
without additional patches, measure all parts of the firmware and the
payload into PCR2.
The same is done in coreboot 4.12. This commit ensures that boards not
migrated yet will show the same behaviour.
TODO: Update heads-wiki.
Signed-off-by: Patrick Rudolph [email protected]