verifiers: Add TPM documentation
Describe the behaviour of GRUB when the TPM module is in use. Signed-off-by: Matthew Garrett <mjg59@google.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This commit is contained in:
parent
d6ca0a90ca
commit
a791dc0e35
1 changed files with 38 additions and 0 deletions
|
@ -5545,6 +5545,7 @@ environment variables and commands are listed in the same order.
|
||||||
* Authentication and authorisation:: Users and access control
|
* Authentication and authorisation:: Users and access control
|
||||||
* Using digital signatures:: Booting digitally signed code
|
* Using digital signatures:: Booting digitally signed code
|
||||||
* UEFI secure boot and shim:: Booting digitally signed PE files
|
* UEFI secure boot and shim:: Booting digitally signed PE files
|
||||||
|
* Measured Boot:: Measuring boot components
|
||||||
@end menu
|
@end menu
|
||||||
|
|
||||||
@node Authentication and authorisation
|
@node Authentication and authorisation
|
||||||
|
@ -5721,6 +5722,43 @@ mentioned requirements are enforced by the shim_lock module. And itself it
|
||||||
is a persistent module which means that it cannot be unloaded if it was
|
is a persistent module which means that it cannot be unloaded if it was
|
||||||
loaded into the memory.
|
loaded into the memory.
|
||||||
|
|
||||||
|
@node Measured Boot
|
||||||
|
@section Measuring boot components
|
||||||
|
|
||||||
|
If the tpm module is loaded and the platform has a Trusted Platform Module
|
||||||
|
installed, GRUB will log each command executed and each file loaded into the
|
||||||
|
TPM event log and extend the PCR values in the TPM correspondingly. All events
|
||||||
|
will be logged into the PCR described below with a type of EV_IPL and an
|
||||||
|
event description as described below.
|
||||||
|
|
||||||
|
@multitable @columnfractions 0.3 0.1 0.6
|
||||||
|
@headitem Event type @tab PCR @tab Description
|
||||||
|
@item Command
|
||||||
|
@tab 8
|
||||||
|
@tab All executed commands (including those from configuration files) will be
|
||||||
|
logged and measured as entered with a prefix of ``grub_cmd: ``
|
||||||
|
@item Kernel command line
|
||||||
|
@tab 8
|
||||||
|
@tab Any command line passed to a kernel will be logged and measured as entered
|
||||||
|
with a prefix of ``kernel_cmdline: ''
|
||||||
|
@item Module command line
|
||||||
|
@tab 8
|
||||||
|
@tab Any command line passed to a kernel module will be logged and measured as
|
||||||
|
entered with a prefix of ``module_cmdline: ``
|
||||||
|
@item Files
|
||||||
|
@tab 9
|
||||||
|
@tab Any file read by GRUB will be logged and measured with a descriptive text
|
||||||
|
corresponding to the filename.
|
||||||
|
@end multitable
|
||||||
|
|
||||||
|
GRUB will not measure its own @file{core.img} - it is expected that firmware
|
||||||
|
will carry this out. GRUB will also not perform any measurements until the
|
||||||
|
tpm module is loaded. As such it is recommended that the tpm module be built
|
||||||
|
into @file{core.img} in order to avoid a potential gap in measurement between
|
||||||
|
@file{core.img} being loaded and the tpm module being loaded.
|
||||||
|
|
||||||
|
Measured boot is currently only supported on EFI platforms.
|
||||||
|
|
||||||
@node Platform limitations
|
@node Platform limitations
|
||||||
@chapter Platform limitations
|
@chapter Platform limitations
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue