Hey Trammell,
No not really. Take a look at following patches:
https://review.coreboot.org/#/c/10542/ https://review.coreboot.org/#/c/14038/ https://review.coreboot.org/#/c/14009/ https://review.coreboot.org/#/c/14134/ https://review.coreboot.org/#/c/14137/ https://review.coreboot.org/#/c/14135/
The whole TPM stack needs to be reworked until it can used for a measured boot.
Best Regards Philipp
On 08/11/2016 04:49 PM, Trammell Hudson wrote:
I'd like to add a tlcl_measure() function to hash a region of code and extend a PCR with the result. I see that the Chromebook systems use a verstage that links in src/lib/tlcl.c and there are sha1 functions in 3rdparty/chromeec/common/sha1.c, but neither of these are available from the romstage on other boards.
For testing I've modified my romstage to include lib/tlcl.c and copied sha1.c into lib. This allows me to measure the bootblock and the romstage from the romstage as soon as pch_enable_lpc() has been called, but it's not clear to me how to enable verstage on other mainboards (like the sandybridge in my x230). Is there a guide or more documentation somewhere?
On Thu, Aug 11, 2016 at 05:00:00PM +0200, Zaolin wrote:
The whole TPM stack needs to be reworked until it can used for a measured boot.
Is it necessary to import the entire complexity of TSS for the measured boot task of hashing the various components? Once the Linux payload starts up it can implement the more complex parts, as long as the bootblock (with appropriate WP# and BP bits set on the ROM) can setup the root of trust and the romstage/ramstage/payload loading process can maintain the chain.
-
Trammell Hudson -
Zaolin