Hello,
Is anybody aware what would be the effort to include TPM measurements in UefiPayloadPkg?
The drivers for TPM seem to be already present for DXE in SecurityPkg and a function to measure the data with TPM and logging. However it does not seem the payload package uses them.
Also I assume that PEI and DXE cannot be measured before execution with current implementation, because drivers are available late in DXE. If my understanding is correct, if I would use vboot+measured boot in coreboot the whole payload is measured still, but the trust chain would be broken after SEC. Can anybody tell if I am wrong?
Best regards,
I remember seeing a guide on Tianocore's wiki on GitHub that I was meaning to follow after porting coreboot to my laptop. From memory, it's a matter of adding some "includes" to the package you plan to build. Hopefully isn't much more than that.
Thank you for response. I already got that working actually yesterdays evening :)
If you mean the white paper A Tour Beyond BIOS with the UEFI TPM2 Support in EDKII and the wiki on GitHub, I have also encountered these guides. They have removed TrEE protocol and rewritten whole TCG2 stack. So most of the guidelines in this white paper are useless unfortunately.
Some modifications to included libraries and components in DSC and few INFs in FDF. At last few PCD fixes and done.
Regards,
On 13.09.2019 02:33, benjamin.doron00@gmail.com wrote:
Hello,
Are there any up-to-date references you're aware of, for those interested?
-Matt
On Fri, Sep 13, 2019 at 8:44 AM Michal Zygowski michal.zygowski@3mdeb.com wrote:
Hi Matt,
Unfortunately not. I just have studied Git log for changes in SecurityPkg to determine whether white paper is valid or not. The only thing that helped me achieve the goal was the OVMF package and its modified modules taken from SecurityPkg on the master branch. So basically nothing in a document format like white paper or similar.
Regards, Michał
On 13.09.2019 23:08, Matt B wrote:
-
benjamin.doron00@gmail.com -
Matt B -
Michal Zygowski