feat: minimal poc for TPM measurements à la sd-stub #167
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
RaitoBezarius
force-pushed
the
sd-stub-tpm2
branch
2 times, most recently
from
bcdb945
to
1cea27d
Compare
RaitoBezarius
force-pushed
the
sd-stub-tpm2
branch
from
be929f1
to
f2e20a9
Compare
RaitoBezarius
commented
May 1, 2023
|
@RaitoBezarius It would be helpful to have a call one of these days about what's going on in these PRs to give some overview information. :) |
When are you available :) ? |
RaitoBezarius
commented
May 12, 2023
RaitoBezarius
force-pushed
the
sd-stub-tpm2
branch
2 times, most recently
from
3309f45
to
9549253
Compare
|
I met with @nikstur on the last NixOS Munich meetup and we discussed this PR. |
nikstur
previously requested changes
May 17, 2023
|
Awesome, will fix the code formatting. :) |
RaitoBezarius
force-pushed
the
sd-stub-tpm2
branch
2 times, most recently
from
3766b42
to
996a3b6
Compare
|
Should we merge #177 first? This might make formatting easier and the diff easier to read. |
|
Sure thing, this PR has problem with TPM2 protocol being located in UEFI
anyway.
Le jeu. 18 mai 2023 à 16:48, nikstur ***@***.***> a écrit :
… Should we merge #177
<#177> first? This might
make formatting easier and the diff easier to read.
—
Reply to this email directly, view it on GitHub
<#167 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AACMZRHSSUUIJGLEBMEEODDXGYZFHANCNFSM6AAAAAAXQLBHZA>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
OVMF has no TPM support compiled by default, I am fixing that. |
RaitoBezarius
force-pushed
the
sd-stub-tpm2
branch
2 times, most recently
from
64e32a8
to
bd4e428
Compare
|
Formatted and test fixed now. |
RaitoBezarius
force-pushed
the
sd-stub-tpm2
branch
3 times, most recently
from
3f325bd
to
453ad46
Compare
Test that our measurements exposes a TPM PCR index in the userspace through efivarfs.
RaitoBezarius
force-pushed
the
sd-stub-tpm2
branch
from
453ad46
to
f603e0c
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Depends on #166.Implements TPM part of #94.
Note to maintainers & reviewers
Lanzaboote customization requires a special handling of PCR11 measurements to include kernel and initrd properly.
To do this, we need to read the kernel and the initrd guarded with our hashes, then record them as "fake unified section" or measure them somewhere else.
This way, we can slowly recover lanzaboote as a "true UKI" in terms of semantics.
This is out of scope for this PR, but will done in #169 because they do bring the necessary infrastructure wrt to UnifiedSection to perform this.