Re: Add TPM measured boot support

[Javier Martinez Canillas]

Hello Matthew,

On 07/21/2017 12:41 AM, Matthew Garrett wrote:
> On Wed, Jul 05, 2017 at 02:19:55PM -0700, Matthew Garrett wrote:
>> This patchset extends the verifier framework to support verifying commands
>> executed by Grub, and makes use of this to add support for measuring files
>> and commands executed by grub into the TPM on UEFI-based systems.
> 
> Any feedback on this? Vladimir, are you planning on merging your 
> verifier branch?
> 

I've given a try to this new version of your patches and it worked correctly:

$ tpm2_listpcrs -L 0x4:8,9

Bank/Algorithm: TPM_ALG_SHA1(0x0004)
PCR_08: fb 91 4b bb 62 48 00 7f 5f 32 d0 58 24 23 92 a6 a8 39 7a c4
PCR_09: 78 cc c7 b8 4c 95 dc 21 8e bd a2 07 d9 94 0a 4c 95 e6 44 d2

Without your patches:

$ tpm2_listpcrs -L 0x4:8,9
PCR_08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_09: aa 40 46 af 96 b1 62 d0 8e 9c 10 b2 1a 2f a8 5e ac 84 cd e4

I've also tested changing the linux image, modifying the kernel command line
parameters, inserting other grub modules and changing the grub commands. In
all cases I see that the PCR hashes changed.

Best regards,
-- 
Javier Martinez Canillas
Software Engineer - Desktop Hardware Enablement
Red Hat