efi_loader: Measure the loaded DTB

Measures the DTB passed to the EFI application upon new boolean config switch CONFIG_EFI_TCG2_PROTOCOL_MEASURE_DTB. For platforms where the content of the DTB passed to the OS can change across reboots, there is not point measuring it hence the config switch to allow platform to not embed this feature. Co-developed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org> Tested-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
author: Etienne Carriere <etienne.carriere@linaro.org> 2023-02-16 17:29:48 +0100
committer: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> 2023-02-19 21:15:15 +0100
commit: aa2d3945ce6df43903d76cadde1c0669d6d5d43b (patch)
tree: 9a178c2030488c7a67cd99e44beb2b7305724f20 /cmd
parent: a135320b428a09b7856bb06c248eca0ffffb60f5 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/cmd/bootefi.c b/cmd/bootefi.c
index 2a7d42925d..6618335ddf 100644
--- a/cmd/bootefi.c
+++ b/cmd/bootefi.c
@@ -332,6 +332,14 @@ efi_status_t efi_install_fdt(void *fdt)
 
 	efi_try_purge_kaslr_seed(fdt);
 
+	if (CONFIG_IS_ENABLED(EFI_TCG2_PROTOCOL_MEASURE_DTB)) {
+		ret = efi_tcg2_measure_dtb(fdt);
+		if (ret == EFI_SECURITY_VIOLATION) {
+			log_err("ERROR: failed to measure DTB\n");
+			return ret;
+		}
+	}
+
 	/* Install device tree as UEFI table */
 	ret = efi_install_configuration_table(&efi_guid_fdt, fdt);
 	if (ret != EFI_SUCCESS) {
author	Etienne Carriere <etienne.carriere@linaro.org>	2023-02-16 17:29:48 +0100
committer	Heinrich Schuchardt <heinrich.schuchardt@canonical.com>	2023-02-19 21:15:15 +0100
commit	aa2d3945ce6df43903d76cadde1c0669d6d5d43b (patch)
tree	9a178c2030488c7a67cd99e44beb2b7305724f20 /cmd
parent	a135320b428a09b7856bb06c248eca0ffffb60f5 (diff)