diff options
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/board/phytec/phycore-am62x.rst | 2 | ||||
| -rw-r--r-- | doc/board/phytec/phycore-am64x.rst | 4 | ||||
| -rw-r--r-- | doc/usage/fit/signature.rst | 2 | ||||
| -rw-r--r-- | doc/usage/measured_boot.rst | 35 |
4 files changed, 35 insertions, 8 deletions
diff --git a/doc/board/phytec/phycore-am62x.rst b/doc/board/phytec/phycore-am62x.rst index bc6d524..681ac53 100644 --- a/doc/board/phytec/phycore-am62x.rst +++ b/doc/board/phytec/phycore-am62x.rst @@ -155,4 +155,4 @@ Further Information ------------------- Please see :doc:`../ti/am62x_sk` chapter for further AM62 SoC related documentation -and https://docs.phytec.com/phycore-am62x for vendor documentation. +and https://docs.phytec.com/projects/yocto-phycore-am62x/en/latest/ for vendor documentation. diff --git a/doc/board/phytec/phycore-am64x.rst b/doc/board/phytec/phycore-am64x.rst index a27ad01..ad9f47d 100644 --- a/doc/board/phytec/phycore-am64x.rst +++ b/doc/board/phytec/phycore-am64x.rst @@ -9,7 +9,7 @@ SoM (System on Module) featuring TI's AM64x SoC. It can be used in combination with different carrier boards. This module can come with different sizes and models for DDR, eMMC, SPI NOR Flash and various SoCs from the AM64x family. -A development Kit, called `phyBOARD-Lyra <https://www.phytec.com/product/phyboard-am64x>`_ +A development Kit, called `phyBOARD-Electra <https://www.phytec.com/product/phyboard-am64x>`_ is used as a carrier board reference design around the AM64x SoM. Quickstart @@ -156,4 +156,4 @@ Further Information ------------------- Please see :doc:`../ti/am64x_evm` chapter for further AM64 SoC related documentation -and https://docs.phytec.com/phycore-am64x for vendor documentation. +and https://docs.phytec.com/projects/yocto-phycore-am64x/en/latest/ for vendor documentation. diff --git a/doc/usage/fit/signature.rst b/doc/usage/fit/signature.rst index 03a71b5..b868dcb 100644 --- a/doc/usage/fit/signature.rst +++ b/doc/usage/fit/signature.rst @@ -15,7 +15,7 @@ that it can be verified using a public key later. Provided that the private key is kept secret and the public key is stored in a non-volatile place, any image can be verified in this way. -See verified-boot.txt for more general information on verified boot. +See :doc:`verified-boot` for more general information on verified boot. Concepts diff --git a/doc/usage/measured_boot.rst b/doc/usage/measured_boot.rst index 9691904..05c439e 100644 --- a/doc/usage/measured_boot.rst +++ b/doc/usage/measured_boot.rst @@ -7,19 +7,46 @@ U-Boot can perform a measured boot, the process of hashing various components of the boot process, extending the results in the TPM and logging the component's measurement in memory for the operating system to consume. +The functionality is available when booting via the EFI subsystem or 'bootm' +command. + +UEFI measured boot +------------------ + +The EFI subsystem implements the `EFI TCG protocol +<https://trustedcomputinggroup.org/resource/tcg-efi-protocol-specification/>`_ +and the `TCG PC Client Specific Platform Firmware Profile Specification +<https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/>`_ +which defines the binaries to be measured and the corresponding PCRs to be used. + +Requirements +~~~~~~~~~~~~ + +* A hardware TPM 2.0 supported by an enabled U-Boot driver +* CONFIG_EFI_TCG2_PROTOCOL=y +* CONFIG_EFI_TCG2_PROTOCOL_EVENTLOG_SIZE=y +* optional CONFIG_EFI_TCG2_PROTOCOL_MEASURE_DTB=y will measure the loaded DTB + in PCR 1 + +Legacy measured boot +-------------------- + +The commands booti, bootm, and bootz can be used for measured boot +using the legacy entry point of the Linux kernel. + By default, U-Boot will measure the operating system (linux) image, the initrd image, and the "bootargs" environment variable. By enabling -CONFIG_MEASURE_DEVICETREE, U-Boot will also measure the devicetree image. +CONFIG_MEASURE_DEVICETREE, U-Boot will also measure the devicetree image in PCR1. The operating system typically would verify that the hashes found in the TPM PCRs match the contents of the event log. This can further be checked against the hash results of previous boots. Requirements ------------- +~~~~~~~~~~~~ -* A hardware TPM 2.0 supported by the U-Boot drivers -* CONFIG_TPM=y +* A hardware TPM 2.0 supported by an enabled U-Boot driver +* CONFIG_TPMv2=y * CONFIG_MEASURED_BOOT=y * Device-tree configuration of the TPM device to specify the memory area for event logging. The TPM device node must either contain a phandle to |