Measure custom Dasharo firmware setting as part of Measured Boot #837

Open
macpijan opened this issue May 19, 2024 · 2 comments

@macpijan

The problem you're addressing (if any)

Dasharo options, such as: https://docs.dasharo.com/dasharo-menu-docs/dasharo-system-features/ are not measured as part of the Measured Boot process - changes in these do not result in any PCR change.

Describe the solution you'd like

Some PCR (PCR1?) reflects changes in Dasharo settings

Where is the value to a user, and who might that user be?

Changing crucial options, such as flash lock, should be reflected in PCRs

Describe alternatives you've considered

No response

Additional context

No response

@macpijan macpijan added the enhancement New feature or request label May 19, 2024
@SergiiDmytruk SergiiDmytruk self-assigned this May 27, 2024
@SergiiDmytruk

EDK2 PR: Dasharo/edk2#135
DasharoModulePkg PR: Dasharo/DasharoModulePkg#45

Measured variables:

  • IommuConfig
  • LockBios
  • MeMode
  • OptionRomPolicy
  • SmmBwp (SMM BIOS write protection)

They are measured to PCR-1 with an event type of 0x00DA0000 (not sure if any was already used for Dasharo). Variable data is hashed and the log entry contains the variable name, \0 and then the variable data.

@macpijan

Above MRs merged, let's keep it open until we have some more input from testing
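
The measurement scheme described in this thread can be checked from a verifier's side by parsing the event log, confirming that each 0x00DA0000 entry's digest matches the variable data it logs, and replaying PCR-1. The sketch below is an added example, not code from Dasharo or from the linked PRs. Assumptions: the SHA-256 bank, an ASCII variable name followed by a single NUL byte, crypto-agile (TCG_PCR_EVENT2) records with the log's leading header event already skipped, and constructed one-byte placeholder values for the variables.

```python
import hashlib
import struct

EV_DASHARO_VAR = 0x00DA0000  # event type given in the issue
DASHARO_PCR = 1              # PCR given in the issue
TPM_ALG_SHA256 = 0x000B      # TCG algorithm ID for SHA-256

def make_event(name, data):
    """Constructed TCG_PCR_EVENT2 record: digest covers the variable data only."""
    payload = name.encode("ascii") + b"\0" + data  # assumed: ASCII name, one NUL
    head = struct.pack("<IIIH", DASHARO_PCR, EV_DASHARO_VAR, 1, TPM_ALG_SHA256)
    return head + hashlib.sha256(data).digest() + struct.pack("<I", len(payload)) + payload

def parse_events(log):
    """Yield (pcr, type, sha256 digest, event data) from back-to-back records."""
    off = 0
    while off < len(log):
        pcr, etype, count, alg = struct.unpack_from("<IIIH", log, off)
        if count != 1 or alg != TPM_ALG_SHA256:
            raise ValueError("only single-digest SHA-256 records are handled")
        digest = log[off + 14:off + 46]
        (size,) = struct.unpack_from("<I", log, off + 46)
        event = log[off + 50:off + 50 + size]
        if len(event) != size:
            raise ValueError("truncated record")
        yield pcr, etype, digest, event
        off += 50 + size

def replay_pcr1(log):
    """Check each Dasharo entry against its digest and replay PCR-1."""
    pcr, settings = bytes(32), {}
    for idx, etype, digest, event in parse_events(log):
        if idx != DASHARO_PCR:
            continue
        if etype == EV_DASHARO_VAR:
            name, sep, data = event.partition(b"\0")
            if not sep or hashlib.sha256(data).digest() != digest:
                raise ValueError("logged data does not match digest for %r" % name)
            settings[name.decode("ascii")] = data
        pcr = hashlib.sha256(pcr + digest).digest()  # TPM extend: H(old || digest)
    return pcr, settings

# Constructed sample logs: one-byte values are placeholders, not real settings data.
NAMES = ["IommuConfig", "LockBios", "MeMode", "OptionRomPolicy", "SmmBwp"]
BASELINE = b"".join(make_event(n, b"\x01") for n in NAMES)
UNLOCKED = b"".join(make_event(n, b"\x00" if n == "LockBios" else b"\x01") for n in NAMES)

if __name__ == "__main__":
    for label, log in (("baseline", BASELINE), ("LockBios changed", UNLOCKED)):
        pcr, settings = replay_pcr1(log)
        print(label, pcr.hex(), settings["LockBios"].hex())
```

Because the digest covers only the variable data, the replayed PCR value is trustworthy only when compared with the TPM's quoted PCR-1; the name in the log entry is descriptive and is not itself bound into the measurement.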
