Measure custom Dasharo firmware setting as part of Measured Boot

macpijan commented 4 months ago

The problem you're addressing (if any)

Dasharo options, such as: https://docs.dasharo.com/dasharo-menu-docs/dasharo-system-features/ are not measured as part of Measured Boot process - change in these do not result in any PCR change.

Describe the solution you'd like

Some (PCR1?) PCR reflect change in Dasharo settings

Where is the value to a user, and who might that user be?

Changing crucial options, such as flash lock, should be reflected in PCRs

Describe alternatives you've considered

No response

Additional context

No response

SergiiDmytruk commented 4 months ago

EDK2 PR: https://github.com/Dasharo/edk2/pull/135 DasharoModulePkg PR: https://github.com/Dasharo/DasharoModulePkg/pull/45

Measured variables:

IommuConfig
LockBios
MeMode
OptionRomPolicy
SmmBwp (SMM BIOS write protection)

They are measured to PCR-1 with event type of 0x00DA0000 (not sure if any was already used for Dasharo). Variable data is hashed and log entry contains variable name, \0 and then variable data.

macpijan commented 3 months ago

Above MRs merged, let's keep it open until we have some more input from testing

Dasharo / dasharo-issues