Merge tag 'efi-2024-07-rc5-2' of https://source.denx.de/u-boot/custodians/u-boot-efi

Pull request efi-2024-07-rc5-2

Documentation:

* Correct links and board names in PHYTEC board descriptions.
* Describe UEFI measured boot.
* Fix typos in include/bootmeth.h.
* Fix link reference to general verified boot docs.

UEFI:

* Measure device-tree into PCR1 instead of PCR0.
diff --git a/boot/bootm.c b/boot/bootm.c
index 032f5a4..9879e1b 100644
--- a/boot/bootm.c
+++ b/boot/bootm.c
@@ -964,7 +964,7 @@
 			goto unmap_initrd;
 
 		if (IS_ENABLED(CONFIG_MEASURE_DEVICETREE)) {
-			ret = tcg2_measure_data(dev, &elog, 0, images->ft_len,
+			ret = tcg2_measure_data(dev, &elog, 1, images->ft_len,
 						(u8 *)images->ft_addr,
 						EV_TABLE_OF_DEVICES,
 						strlen("dts") + 1,
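Review bot: the PCR index in `ret = tcg2_measure_data(dev, &elog, 1, images->ft_len,` is a bare literal that silently changes from 0 to 1 with no comment explaining the choice; suggest a short comment (or a named constant) on that line stating that the device tree is platform configuration and is therefore recorded in PCR1, in line with the wording this series adds to doc/usage/measured_boot.rst. Note also that this path records the measurement as EV_TABLE_OF_DEVICES while the EFI path in lib/efi_loader/efi_tcg2.c records the same DTB as EV_POST_CODE; the two entry points should agree on the event type, or the difference should be documented, so that consumers of the event log see one consistent record for the same artifact.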
diff --git a/doc/board/phytec/phycore-am62x.rst b/doc/board/phytec/phycore-am62x.rst
index bc6d524..681ac53 100644
--- a/doc/board/phytec/phycore-am62x.rst
+++ b/doc/board/phytec/phycore-am62x.rst
@@ -155,4 +155,4 @@
 -------------------
 
 Please see :doc:`../ti/am62x_sk` chapter for further AM62 SoC related documentation
-and https://docs.phytec.com/phycore-am62x for vendor documentation.
+and https://docs.phytec.com/projects/yocto-phycore-am62x/en/latest/ for vendor documentation.
diff --git a/doc/board/phytec/phycore-am64x.rst b/doc/board/phytec/phycore-am64x.rst
index a27ad01..ad9f47d 100644
--- a/doc/board/phytec/phycore-am64x.rst
+++ b/doc/board/phytec/phycore-am64x.rst
@@ -9,7 +9,7 @@
 with different carrier boards. This module can come with different sizes and
 models for DDR, eMMC, SPI NOR Flash and various SoCs from the AM64x family.
 
-A development Kit, called `phyBOARD-Lyra <https://www.phytec.com/product/phyboard-am64x>`_
+A development Kit, called `phyBOARD-Electra <https://www.phytec.com/product/phyboard-am64x>`_
 is used as a carrier board reference design around the AM64x SoM.
 
 Quickstart
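Review bot: while the `A development Kit, called ...` line is being rewritten for the board name, the stray capital in "development Kit" should be lowered to "development kit"; the rest of the sentence is ordinary prose and the capitalised "Kit" reads as a typo carried over from the old text.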
@@ -156,4 +156,4 @@
 -------------------
 
 Please see :doc:`../ti/am64x_evm` chapter for further AM64 SoC related documentation
-and https://docs.phytec.com/phycore-am64x for vendor documentation.
+and https://docs.phytec.com/projects/yocto-phycore-am64x/en/latest/ for vendor documentation.
diff --git a/doc/usage/fit/signature.rst b/doc/usage/fit/signature.rst
index 03a71b5..b868dcb 100644
--- a/doc/usage/fit/signature.rst
+++ b/doc/usage/fit/signature.rst
@@ -15,7 +15,7 @@
 key is kept secret and the public key is stored in a non-volatile place,
 any image can be verified in this way.
 
-See verified-boot.txt for more general information on verified boot.
+See :doc:`verified-boot` for more general information on verified boot.
 
 
 Concepts
diff --git a/doc/usage/measured_boot.rst b/doc/usage/measured_boot.rst
index 9691904..05c439e 100644
--- a/doc/usage/measured_boot.rst
+++ b/doc/usage/measured_boot.rst
@@ -7,19 +7,46 @@
 of the boot process, extending the results in the TPM and logging the
 component's measurement in memory for the operating system to consume.
 
+The functionality is available when booting via the EFI subsystem or 'bootm'
+command.
+
+UEFI measured boot
+------------------
+
+The EFI subsystem implements the `EFI TCG protocol
+<https://trustedcomputinggroup.org/resource/tcg-efi-protocol-specification/>`_
+and the `TCG PC Client Specific Platform Firmware Profile Specification
+<https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/>`_
+which defines the binaries to be measured and the corresponding PCRs to be used.
+
+Requirements
+~~~~~~~~~~~~
+
+* A hardware TPM 2.0 supported by an enabled U-Boot driver
+* CONFIG_EFI_TCG2_PROTOCOL=y
+* CONFIG_EFI_TCG2_PROTOCOL_EVENTLOG_SIZE=y
+* optional CONFIG_EFI_TCG2_PROTOCOL_MEASURE_DTB=y will measure the loaded DTB
+  in PCR 1
+
+Legacy measured boot
+--------------------
+
+The commands booti, bootm, and bootz can be used for measured boot
+using the legacy entry point of the Linux kernel.
+
 By default, U-Boot will measure the operating system (linux) image, the
 initrd image, and the "bootargs" environment variable. By enabling
-CONFIG_MEASURE_DEVICETREE, U-Boot will also measure the devicetree image.
+CONFIG_MEASURE_DEVICETREE, U-Boot will also measure the devicetree image in PCR1.
 
 The operating system typically would verify that the hashes found in the
 TPM PCRs match the contents of the event log. This can further be checked
 against the hash results of previous boots.
 
 Requirements
-------------
+~~~~~~~~~~~~
 
-* A hardware TPM 2.0 supported by the U-Boot drivers
-* CONFIG_TPM=y
+* A hardware TPM 2.0 supported by an enabled U-Boot driver
+* CONFIG_TPMv2=y
 * CONFIG_MEASURED_BOOT=y
 * Device-tree configuration of the TPM device to specify the memory area
   for event logging. The TPM device node must either contain a phandle to
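Review bot: two of the new requirement lines look wrong. `CONFIG_EFI_TCG2_PROTOCOL_EVENTLOG_SIZE=y` names a size option, so it takes an integer value rather than `y`; either state the value the reader is expected to set or drop the `=y`. `CONFIG_TPMv2=y` does not follow the all-caps spelling of the other symbols in the list; the TPM 2.0 driver symbol in U-Boot's drivers/tpm/Kconfig is `TPM_V2`, so the line should read `CONFIG_TPM_V2=y` (please verify against the Kconfig before merging). Minor: the UEFI section writes "PCR 1" while the legacy section writes "PCR1"; pick one spelling for the page.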
diff --git a/include/bootmeth.h b/include/bootmeth.h
index 0fc3610..9f94f8c 100644
--- a/include/bootmeth.h
+++ b/include/bootmeth.h
@@ -40,7 +40,7 @@
 	/**
 	 * get_state_desc() - get detailed state information
 	 *
-	 * Prodecues a textual description of the state of the bootmeth. This
+	 * Produces a textual description of the state of the boot method. This
 	 * can include newline characters if it extends to multiple lines. It
 	 * must be a nul-terminated string.
 	 *
@@ -138,7 +138,7 @@
 	 * @dev:	Bootmethod device to boot
 	 * @bflow:	Bootflow to boot
 	 * Return: does not return on success, since it should boot the
-	 *	Operating Systemn. Returns -EFAULT if that fails, -ENOTSUPP if
+	 *	operating system. Returns -EFAULT if that fails, -ENOTSUPP if
 	 *	trying method resulted in finding out that is not actually
 	 *	supported for this boot and should not be tried again unless
 	 *	something changes, other -ve on other error
@@ -151,7 +151,7 @@
 /**
  * bootmeth_get_state_desc() - get detailed state information
  *
- * Prodecues a textual description of the state of the bootmeth. This
+ * Produces a textual description of the state of the boot method. This
  * can include newline characters if it extends to multiple lines. It
  * must be a nul-terminated string.
  *
@@ -244,7 +244,7 @@
  * @dev:	Bootmethod device to use
  * @bflow:	Bootflow to read
  * Return: does not return on success, since it should boot the
- *	Operating Systemn. Returns -EFAULT if that fails, other -ve on
+ *	operating system. Returns -EFAULT if that fails, other -ve on
  *	other error
  */
 int bootmeth_read_all(struct udevice *dev, struct bootflow *bflow);
@@ -255,7 +255,7 @@
  * @dev:	Bootmethod device to boot
  * @bflow:	Bootflow to boot
  * Return: does not return on success, since it should boot the
- *	Operating Systemn. Returns -EFAULT if that fails, other -ve on
+ *	operating system. Returns -EFAULT if that fails, other -ve on
  *	other error
  */
 int bootmeth_boot(struct udevice *dev, struct bootflow *bflow);
@@ -264,7 +264,7 @@
  * bootmeth_setup_iter_order() - Set up the ordering of bootmeths to scan
  *
  * This sets up the ordering information in @iter, based on the selected
- * ordering of the bootmethds in bootstd_priv->bootmeth_order. If there is no
+ * ordering of the boot methods in bootstd_priv->bootmeth_order. If there is no
  * ordering there, then all bootmethods are added
  *
  * @iter: Iterator to update with the order
diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
index 945aafb..d56bd56 100644
--- a/lib/efi_loader/efi_tcg2.c
+++ b/lib/efi_loader/efi_tcg2.c
@@ -1331,7 +1331,7 @@
 	sha256_update(&hash_ctx, (u8 *)dtb + fdt_off_mem_rsvmap(dtb), rsvmap_size);
 	sha256_finish(&hash_ctx, blob->data + blob->blob_description_size);
 
-	ret = measure_event(dev, 0, EV_POST_CODE, event_size, (u8 *)blob);
+	ret = measure_event(dev, 1, EV_POST_CODE, event_size, (u8 *)blob);
 
 	free(blob);
 	return ret;
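Review bot: `ret = measure_event(dev, 1, EV_POST_CODE, event_size, (u8 *)blob);` moves the DTB measurement to PCR 1 but keeps the EV_POST_CODE event type, which the TCG PC Client Platform Firmware Profile associates with firmware code measured into PCR 0; the bootm path in this same series records the device tree as EV_TABLE_OF_DEVICES. Suggest using the same event type here so an event-log parser sees consistent records for the same artifact regardless of the boot path, and add a comment next to the literal `1` explaining why PCR 1 was chosen.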