
(The fork button on the gitlab instance is greyed out and I don't have privileges to push into a branch of u-boot, so trying mail.)

This is a proof of concept for measured boot without EFI. The idea is to measure the RSA keys contained in the control FDT into PCR#7. The Linux system can then bind its full disk encryption to that value. Assuming that everything up to and including u-boot is trusted, a device's original disk content is then only accessible with the same set of trusted keys active. When adding more or different keys (not sure how yet) a device could still be booted with custom software.

The most relevant patches are the three ones with an exclamation mark in the list below. The others are random fixes.

Feedback welcome.

Ludwig Nussel (14):
  arm: qemu: fix 64bit initrd_high and fdt_high
  bootm: treat absent load address as zero
  vsnprintf: add hex string dump format modifier
  iminfo: also verify signatures
  ! qemu: overlay signature nodes
  ! tpm: allocate tpm event log if missing
  ! boot: measure FIT signing keys with the TPM
  imx8mm: add ftpm to device tree if enabled
  tools: imx8image: implement printing header
  test: fix build with enabled CONFIG_MEASURED_BOOT
  sandbox: fix booting host images
  bootm: add measure subcommand
  mkimage: define log_err and log_info
  image-fit-sig: require signatures

 arch/arm/dts/imx8mm-u-boot.dtsi             |  5 +
 board/emulation/qemu-arm/qemu-arm.c         | 30 +++++-
 board/emulation/qemu-arm/qemu-arm.env       |  5 +
 boot/Kconfig                                |  8 ++
 boot/bootm.c                                | 93 +++++++++++++++--
 boot/image-fdt.c                            | 65 +++++++++++++
 boot/image-fit-sig.c                        | 15 ++-
 boot/image-fit.c                            | 31 ++++++
 boot/image-pre-load.c                       |  3 -
 cmd/bootm.c                                 |  8 ++
 doc/develop/printf.rst                      |  4 +
 drivers/block/Makefile                      |  2 +-
 drivers/block/host_bootdev.c                | 40 ++++++++
 fs/sandbox/Makefile                         |  2 +-
 .../{host_bootdev.c => sandboxfs_bootdev.c} | 18 ++--
 include/image.h                             |  1 +
 include/spbuf.h                             | 28 ++++++
 include/tpm-common.h                        |  1 +
 include/tpm_tcg2.h                          |  4 +
 lib/Makefile                                |  2 +
 lib/spbuf.c                                 | 64 ++++++++++++
 lib/tpm_tcg2.c                              | 97 +++++++++++++++----
 lib/vsprintf.c                              | 18 ++++
 test/boot/measurement.c                     |  1 +
 tools/imx8image.c                           | 93 +++++++++++++++++-
 tools/mkimage.h                             |  2 +
 26 files changed, 582 insertions(+), 58 deletions(-)
 create mode 100644 drivers/block/host_bootdev.c
 rename fs/sandbox/{host_bootdev.c => sandboxfs_bootdev.c} (65%)
 create mode 100644 include/spbuf.h
 create mode 100644 lib/spbuf.c

-- 
2.34.1
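The measurement scheme the cover letter sketches (extend each FIT signing key into PCR#7, record an event log, let the OS seal its disk key to the resulting value) is illustrated below as an added example. It is not code from this series or from U-Boot: it simulates a SHA-256 PCR bank in Python so the arithmetic can be checked offline. The key blobs are constructed placeholders standing in for the RSA key nodes of the control FDT, the event log layout is a simplified stand-in for the TCG log the series allocates, and `unseal_allowed` only models the comparison a TPM2 PCR policy would perform.

```python
import hashlib
from typing import Iterable

# Added example, not U-Boot code. Models a SHA-256 PCR bank: the extend
# rule and the all-zero reset value follow the TCG PCR definition.
PCR_KEYS = 7                      # PCR the series measures the signing keys into
DIGEST_LEN = hashlib.sha256().digest_size
PCR_INITIAL = bytes(DIGEST_LEN)   # PCRs 0-15 start as all zeros after reset


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TCG extend: PCR_new = SHA256(PCR_old || digest)."""
    if len(pcr) != DIGEST_LEN or len(digest) != DIGEST_LEN:
        raise ValueError("PCR and digest must be SHA-256 sized")
    return hashlib.sha256(pcr + digest).digest()


def measure_keys(keys: Iterable[bytes]):
    """Extend each signing key into PCR_KEYS in order, recording one event
    log entry (pcr index, digest, description) per key, as a measured-boot
    loader would. Returns (final PCR value, event log)."""
    pcr = PCR_INITIAL
    log = []
    for n, key in enumerate(keys):
        digest = hashlib.sha256(key).digest()
        pcr = pcr_extend(pcr, digest)
        log.append((PCR_KEYS, digest, f"fit-signing-key-{n}"))
    return pcr, log


def replay_log(log) -> bytes:
    """Recompute PCR_KEYS from the event log alone. The OS compares the
    replayed value with the live PCR to detect a tampered or truncated log."""
    pcr = PCR_INITIAL
    for idx, digest, _ in log:
        if idx == PCR_KEYS:
            pcr = pcr_extend(pcr, digest)
    return pcr


def unseal_allowed(sealed_to: bytes, live_pcr: bytes) -> bool:
    """Stand-in for a TPM2 PCR policy: the disk encryption key is released
    only when the live PCR equals the value it was sealed against."""
    return sealed_to == live_pcr


# Constructed placeholder key material; not real RSA keys.
TRUSTED_KEYS = [b"constructed-rsa-key-dev", b"constructed-rsa-key-prod"]
CUSTOM_KEYS = TRUSTED_KEYS + [b"constructed-rsa-key-custom"]

if __name__ == "__main__":
    sealed_pcr, log = measure_keys(TRUSTED_KEYS)
    print("PCR7 with trusted keys:", sealed_pcr.hex())
    print("event log replays     :", replay_log(log) == sealed_pcr)
    custom_pcr, _ = measure_keys(CUSTOM_KEYS)
    print("unseal, same keys     :", unseal_allowed(sealed_pcr, sealed_pcr))
    print("unseal, extra key     :", unseal_allowed(sealed_pcr, custom_pcr))
```

Two properties worth noticing: extend is order-sensitive, so the same keys measured in a different order give a different PCR#7, and adding a key (the "custom software" case) changes the value so the sealed disk key is not released; re-sealing to the new value is what would let such a device keep using its own disk.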