authorJavier Tia <javier.tia@linaro.org>2024-10-25 15:59:58 -0600
committerArmin Kuster <akuster808@gmail.com>2024-11-24 20:19:50 -0500
commita6d89be0044a11c19fd1a8c6c96f598671a3d680 (patch)
tree9626f2e03d93539dfecd7cf3e64e675a87a6f60d
parentdcb1a9142549b542fe8f7908d267e4338f20c65d (diff)
downloadmeta-security-a6d89be0044a11c19fd1a8c6c96f598671a3d680.tar.gz
u-boot: tpm: Enable Measured Boot
Measured Boot is the term used to describe the process of securely recording and computing hashes of code and critical data at each stage in the boot chain prior to their use. These measurements can be employed by other system components to establish a comprehensive attestation system. For example, they could be employed to enforce local attestation policies (such as the release of specific platform keys) or to securely transmit them to a remote challenger, also known as a verifier, post-boot to verify the condition of the code and critical data. Measured launch does not authenticate the code or critical data; rather, it records the code or critical data that was present on the system during boot.

Initially, the TPM measures the BIOS/EFI layer in the fundamental flow. This measurement involves the generation of a cryptographic hash of the binary image and the verification of the binary instructions that this layer will execute. The TPM stores the generated hash in one of the numerous "slots" in the Platform Configuration Register (PCR). The TPM or entities external to the TPM can read these portions of memory at a later time; however, they are unalterable once they have been written. These memory pieces are protected by integrity protection from the instant they are first written. This guarantees that the value written to a PCR by the TPM will remain constant for the duration of the system, unless the system is powered off or rebooted.

Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Javier Tia <javier.tia@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 meta-tpm/recipes-bsp/u-boot/u-boot/measured-boot.cfg | 6 ++++++
 meta-tpm/recipes-bsp/u-boot/u-boot_%.bbappend         | 3 +++
2 files changed, 9 insertions, 0 deletions
diff --git a/meta-tpm/recipes-bsp/u-boot/u-boot/measured-boot.cfg b/meta-tpm/recipes-bsp/u-boot/u-boot/measured-boot.cfg
new file mode 100644
index 0000000..76c51ea
--- /dev/null
+++ b/meta-tpm/recipes-bsp/u-boot/u-boot/measured-boot.cfg
@@ -0,0 +1,6 @@
1CONFIG_TPM=y
2CONFIG_TPM_RNG=y
3CONFIG_CMD_TPM=y
4CONFIG_TPM2_MMIO=y
5CONFIG_TPM2_TIS_SPI=y
6CONFIG_TPM2_FTPM_TEE=y \ No newline at end of file
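Review bot: the fragment enables only the TPM driver stack (CONFIG_TPM, CONFIG_CMD_TPM and three transports), but nothing in it turns on the measurement path that the subject line "Enable Measured Boot" promises; please confirm whether the target U-Boot version also needs CONFIG_MEASURED_BOOT (bootm measurement) or CONFIG_EFI_TCG2_PROTOCOL (EFI event log) in this same fragment, or state in the commit message that those are expected from the machine defconfig. Enabling CONFIG_TPM2_MMIO, CONFIG_TPM2_TIS_SPI and CONFIG_TPM2_FTPM_TEE together for every machine that sets the feature also pulls in drivers (and, for the fTPM, a TEE dependency) that a given board will not have; consider splitting the transports into per-machine fragments or documenting why all three are wanted. Minor: the file ends without a trailing newline.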
diff --git a/meta-tpm/recipes-bsp/u-boot/u-boot_%.bbappend b/meta-tpm/recipes-bsp/u-boot/u-boot_%.bbappend
new file mode 100644
index 0000000..c5d2923
--- /dev/null
+++ b/meta-tpm/recipes-bsp/u-boot/u-boot_%.bbappend
@@ -0,0 +1,3 @@
1FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
2
3SRC_URI += "${@bb.utils.contains("MACHINE_FEATURES", "measured-boot", "file://measured-boot.cfg", "", d)}" \ No newline at end of file
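Review bot: the bbappend keys the whole change off a new "measured-boot" value in MACHINE_FEATURES, but the patch adds no documentation (layer README or a comment in the bbappend) describing that feature, so a user has no way to discover that the fragment only takes effect when the machine configuration sets it; please document it alongside the layer's other machine features. Minor: the file ends without a trailing newline.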