From 78f85ea424970c7d631e184281e159ebdf91e2a6 Mon Sep 17 00:00:00 2001 From: Shahriyar Jalayeri Date: Mon, 9 Oct 2023 09:23:07 +0000 Subject: [PATCH] doc : add notes about boot options effect on PCR-1 Signed-off-by: Shahriyar Jalayeri --- docs/BOOTING.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/docs/BOOTING.md b/docs/BOOTING.md index 246b835dd94..9e638d9d4c2 100644 --- a/docs/BOOTING.md +++ b/docs/BOOTING.md @@ -266,6 +266,16 @@ You will see a set of files in the current directory to locate into you tftp ser dhcp server to `ipxe.efi` (actually, it will use configuration from `ipxe.efi.cfg`). Files `kernel`, `initrd.img` and `initrd.bits` should be available via HTTP/HTTPs and you need to modify `ipxe.efi.cfg` with location of those files. +## Boot options effect on TPM measurements (PCR-1) + +During the boot process, as stated by the TCG specification, BIOS/UEFI should measure the enumerated boot options into the TPM. +UEFI measures the list of boot options and their configuration data in PCR-1. EVE is using PCR-1 as one of the sealing +PCRs to protect the vault key from unauthorized access (check [Encrypted Data Store](security.md) for more details), +so it is important for the edge node to have a fixed and consistent list of boot options after onboarding. Attaching any +bootable device, most notably USB devices, will result in a different set of boot options and subsequently change of +the PCR-1 value. **It is important to make sure the attached USB device has no bootable partition present**, +if it is used as an extra storage. + ## Console access Access via console is enabled during initial bootstrap and will be disabled after first reboot of onboarded edge node.
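Review bot: In the new "Boot options effect on TPM measurements (PCR-1)" section, the paragraph stops at "subsequently change of the PCR-1 value" and never states the consequence for the operator. Since the text says PCR-1 is one of the sealing PCRs for the vault key, a changed value would prevent the key from being unsealed, and the doc should say so in one explicit sentence. The bolded warning also covers only an attached USB device used as extra storage, while the preceding sentence says any bootable device changes the boot option list; either widen the warning or say why USB is the case that matters. Wording nits in the same paragraph: "subsequently change of the PCR-1 value" should read "subsequently change the PCR-1 value", and "as an extra storage" should be "as extra storage".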