From: Gang W. <gan...@in...> - 2014-01-30 05:15:27
changeset 81c5c6081dce in /hg/p/tboot/code details: http://hg.code.sf.net/p/tboot/code/code?cmd=changeset;node=81c5c6081dce description: Update README for TPM NV measuring Signed-off-by: Gang Wei <gan...@in...> diffstat: README | 25 +++++++++++++++++++++++++ 1 files changed, 25 insertions(+), 0 deletions(-) diffs (35 lines): diff -r 464bcebe3b65 -r 81c5c6081dce README --- a/README Thu Jan 30 12:06:39 2014 +0800 +++ b/README Thu Jan 30 12:06:42 2014 +0800 @@ -243,6 +243,31 @@ changes in it -- and then we'll need to make some trivial changes to the 20_xen_tboot file. Grub2 is required for all of this. +o Tboot support TPM NV measuring via extended Verified Launch Tboot Policy. + + This works only for TPM1.2 by far. + + TPM NV measuring is defaultly disabled, need below cmdline option to enable: + measure_nv=true + + When NV measuring is enabled, it will get all NV measuring policy entry from + the tboot policy structure. Every NV policy entry will specify: + nv_index: TPM NV index to measure and verify + pcr: PCR to be extended with the NV measurement + mod_num: Tell how to measure the nv + = TB_POL_MOD_NUM_NV: hash then extend, no size limitation on NV index + = TB_POL_MOD_NUM_NV_RAW: extend w/o hash, size should equal hash size + hash_type: + = any: no verification needed + = image: need verify per hashs list. + hashs: hash list. optional. + + There is one default NV policy entry, which will try to read NV 0x40000010 + and extend it into pcr 22 without hashing. + + The nv_index to be measured must be defined with OWNERWRITE permission, + otherwise the verification will fail, and nothing will be extended into pcr. + PCR Usage: --------- |
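Review bot: the added README text does not say what happens when verification fails for the two cases it introduces, namely a hash mismatch under `hash_type = image` and a TB_POL_MOD_NUM_NV_RAW index whose size does not equal the hash size; the closing paragraph covers only the OWNERWRITE case ("the verification will fail, and nothing will be extended into pcr"). A reader enabling measure_nv=true needs to know whether each failure halts the launch or only skips the PCR extend, so please state the outcome per failure path, and say why OWNERWRITE is required, since that permission is the security-relevant property of the index being measured. Minor wording in the same hunk: "Tboot support" -> "Tboot supports", "by far" -> "so far", "defaultly disabled, need below cmdline option" -> "disabled by default; enable it with the command line option", "hashs" -> "hashes", "Every NV policy entry will specify" -> "Each NV policy entry specifies".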