[PATCH 3/3] verifiers: Add TPM documentation
From: Matthew Garrett
Subject: [PATCH 3/3] verifiers: Add TPM documentation
Date: Fri, 9 Nov 2018 15:41:03 -0800
Describe the behaviour of grub when the TPM module is in use.
---
docs/grub.texi | 38 ++++++++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
diff --git a/docs/grub.texi b/docs/grub.texi
index 471d97c95..6bd3783a4 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -5545,6 +5545,7 @@ environment variables and commands are listed in the same
order.
* Authentication and authorisation:: Users and access control
* Using digital signatures:: Booting digitally signed code
* UEFI secure boot and shim:: Booting digitally signed PE files
+* Measured Boot:: Measuring boot components
@end menu
@node Authentication and authorisation
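Review bot: the new menu entry "Measured Boot:: Measuring boot components" capitalises "Boot" while the neighbouring entries use sentence case ("UEFI secure boot and shim", "Using digital signatures"); since a menu entry must match its @node name exactly, consider "Measured boot" here and in the node and section added by the next hunk so the new chapter follows the existing naming.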
@@ -5721,6 +5722,43 @@ mentioned requirements are enforced by the shim_lock
module. And itself it
is a persistent module which means that it cannot be unloaded if it was
loaded into the memory.
address@hidden Measured Boot
address@hidden Measuring boot components
+
+If the tpm module is loaded and the platform has a Trusted Platform Module
+installed, GRUB will log each command executed and each file loaded into the
+TPM event log and extend the PCR values in the TPM correspondingly. All events
+will be logged into the PCR described below with a type of EV_IPL and an
+event description as described below.
+
address@hidden @columnfractions 0.3 0.1 0.6
address@hidden Event type @tab PCR @tab Description
address@hidden Command
address@hidden 8
address@hidden All executed commands (including those from configuration files)
will be
+logged and measured as entered with a prefix of ``grub_cmd: ``
address@hidden Module command line
address@hidden 8
address@hidden Any command line passed to a kernel module will be logged and
measured as
+entered with a prefix of ``module_cmdline: ``
address@hidden Kernel command line
address@hidden 8
address@hidden Any command line passed to a kernel will be logged and measured
as entered
+with a prefix of ``kernel_cmdline: ''
address@hidden Files
address@hidden 9
address@hidden Any file read by GRUB will be logged and measured with a
descriptive text
+corresponding to the filename.
address@hidden multitable
+
+GRUB will not measure its own @file{core.img} - it is expected that firmware
+will carry this out. GRUB will also not perform any measurements until the
+tpm module is loaded. As such it is recommended that the tpm module be built
+into @file{core.img} in order to avoid a potential gap in measurement between
address@hidden being loaded and the tpm module being loaded.
+
+Measured boot is currently only supported on EFI platforms.
+
@node Platform limitations
@chapter Platform limitations
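Review bot: the "Files" row (PCR 9) says a file is "logged and measured with a descriptive text corresponding to the filename" but never states what is hashed; please say explicitly whether the digest extended into PCR 9 is computed over the file contents, with the filename serving only as the event description, otherwise a reader may assume only the path is measured. Three smaller points in the same hunk: the prefix quoting is inconsistent (``grub_cmd: `` and ``module_cmdline: `` close with backticks while ``kernel_cmdline: '' closes with single quotes; Texinfo wants ``...'' for all three); the opening sentence "log each command executed and each file loaded into the TPM event log" reads as if files were loaded into the log, so suggest "record each executed command and each loaded file in the TPM event log"; and since every entry carries the TPM event type EV_IPL, the table heading "Event type" is confusing next to that sentence, so "Measurement" would avoid the clash. The closing recommendation to build the tpm module into core.img would also be more actionable if it named the build option a user passes to do so.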
--
2.19.1.930.g4563a0d9d0-goog