doc : add notes about boot options effect on PCR-1

Signed-off-by: Shahriyar Jalayeri <[email protected]>
lf-edge · Oct 9, 2023 · 78f85ea · 78f85ea
1 parent e1538b5
commit 78f85ea
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/docs/BOOTING.md b/docs/BOOTING.md
@@ -266,6 +266,16 @@ You will see a set of files in the current directory to locate into you tftp ser
 dhcp server to `ipxe.efi` (actually, it will use configuration from `ipxe.efi.cfg`). Files `kernel`, `initrd.img` and `initrd.bits`
 should be available via HTTP/HTTPs and you need to modify `ipxe.efi.cfg` with location of those files.
 
+## Boot options effect on TPM measurements (PCR-1)
+
+During the boot process, as stated by the TCG specification, BIOS/UEFI should measure the enumerated boot options into the TPM.
+UEFI measures the list of boot options and their configuration data in PCR-1. EVE is using PCR-1 as one of the sealing
+PCRs to protect the vault key from unauthorized access (check [Encrypted Data Store](security.md) for more details),
+so it is important for the edge node to have a fixed and consistent list of boot options after onboarding. Attaching any
+bootable device, most notably USB devices, will result in a different set of boot options and subsequently change of
+the PCR-1 value. **It is important to make sure the attached USB device has no bootable partition present**,
+if it is used as an extra storage.
+
 ## Console access
 
 Access via console is enabled during initial bootstrap and will be disabled after first reboot of onboarded edge node.