Lennart Poettering
Lennart Poettering
hmm, i changed this locally, and it didn't work for. Are you sure this works?
firmware measures all executed code anyway, including drivers. are you seeing things differently in the tpm event log after boot?
we use the uefi driver load apis, and afaik they measure what they load, implicitly. It's a firmware feature, and we don't have to do anything special for that at...
> Firmware specifications can vary much - especially in term of UEFI as it is quite open to vendors to implement it correctly - besides, I cannot find any information...
> @poettering Isnt systemd-boot loading the drivers itself? I infered that by the location of the drivers (`/EFI/systemd/drivers`) ? Depends on what you mean by "load". We just search for...
> Unfortunately systemd-measure does not measure those PCRs yet, so its not possible to link an encrypted partition to the full measurements chain if you expect to check the PCR11+PCR4+PCR7...
> Yes, that sounds good, but indeed is not complete yet, so a measured UKI/USI can unlock properly a partition with those measurements, but we have no possibility to lock...
Anyway, I don't think there's anything actionable here. AFAIK firmwares measure drivers loaded that way, and unless there's proof otherwise I don#t think we should do anything on this.
Well, it seems the firmware in question simply doesn't allow us to allocate this much contiguous memory, which hence means you simply cannot load such large images. THere's not much...
lgtm, just one more suggestion.