github.com/u-root/u-root@v7.0.1-0.20200915234505-ad7babab0a8e+incompatible/docs/securelaunch/README.md

"default_action": ""
=========
Only the "" default action is supported at this point.

"collectors":
=========
Only four collectors are supported at this point: dmi, file, storage and cpuid.

## dmi collector:

Measures the output of dmidecode for the given input
type. The input type (such as BIOS, processor or system)
is provided in the policy file as shown.
```
{
  "type": "dmi",
  "events": [
    {
      "label": "BIOS",
      "fields": []
    },
    {
      "label": "System",
      "fields": []
    },
    {
      "label": "Processor",
      "fields": []
    }
  ]
},
```

## file collector:

Measures any file the platform owner wants to measure. The target
file is given in the paths field of the policy file as shown.
```
{
  "type": "files",
  "paths": [ "sda1:/Paul/foo" ]
},
```

## storage collector:

Measures an entire disk. The target disk is given in the policy
file as shown.
```
{
  "type": "storage",
  "paths": [ "/dev/sdb1" ]
},
```

## cpuid collector:

Measures (hashes) the cpuid data of the platform and stores the
result in a file. The target file is given in the location field
of the policy file, e.g.
```
{
  "type": "cpuid",
  "location": "sda1:/Paul/foo"
}
```

"attestor": {}
=========
Only a nil slice is supported at this point.

"launcher":
=========
The launcher provides the ability to kexec into a target kernel.
Platform owners choose which target kernel to kexec into by
setting the launcher module in the platform policy file as shown.
```
"launcher": {
  "type": "kexec",
  "params": {
    "initrd": "sdc1:/boot/initramfs-4.14.35-1941.el7uek.x86_64.img",
    "cmdline": "BOOT_IMAGE=/boot/vmlinuz-4.14.35-1941.el7uek.x86_64 root=/dev/mapper/ol-root ro rd.lvm.lv=ol/root LANG=en_US.UTF-8",
    "kernel": "sdc1:/boot/vmlinuz-4.14.35-1941.el7uek.x86_64"
  }
}
```

"eventlog":
=========
The eventlog provides the ability to parse the event logs generated
by the securelaunch kernel and write them to a file. The target file
is specified in the policy file as shown.
```
"eventlog": {
  "type": "file",
  "location": "sda1:/evtlog"
}
```

***

Path format in policy file
=========
All of our file paths have the format device_identifier:/path/to/file.
The device identifier takes one of two forms:
1. sda:/path/to/file OR
2. UUID:/path/to/file.

The following examples are acceptable formats for a file path.
```
sda1:/foo/securelaunch.policy
sda2:/bar/evtlog
MWAAB8-Sunz-tRrp-E67t-sbal-xfYk-x9f6PZ:/zyd/cpuid.txt
```

SPECIAL NOTE: There is no need to prefix devices with /dev, so sda is sufficient.
In fact, if you enter a path as "/dev/sda", it will not be parsed by sluinit.
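Added example (my own Go, not sluinit's parser): a checker for the path rule above and for the four supported collector types, applied to a policy's `collectors` array. `collector`, `SplitPolicyPath` and `CheckCollectors` are hypothetical names; the check assumes the part after `:` must be absolute, as in every example on this page, and skips `storage` entries because those take a raw `/dev` node.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// collector is a minimal view of one "collectors" entry (my own struct, not u-root's).
type collector struct {
	Type     string   `json:"type"`
	Paths    []string `json:"paths"`    // files, storage
	Location string   `json:"location"` // cpuid
}
// The four collector types this README lists as supported.
var supportedCollectors = map[string]bool{"dmi": true, "files": true, "storage": true, "cpuid": true}
// SplitPolicyPath splits "device_identifier:/path/to/file" into its two parts. It rejects the
// "/dev/sda:..." form the README says sluinit will not parse and a non-absolute path after ':'.
func SplitPolicyPath(p string) (dev, path string, err error) {
	i := strings.Index(p, ":")
	if i <= 0 || strings.HasPrefix(p, "/") || !strings.HasPrefix(p[i+1:], "/") {
		return "", "", fmt.Errorf("%q: want device_identifier:/path with no /dev prefix", p)
	}
	return p[:i], p[i+1:], nil
}
// CheckCollectors parses a policy's "collectors" array and returns the first problem:
// an unsupported type, or a files/cpuid target not in device_identifier:/path form.
func CheckCollectors(doc []byte) error {
	var cs []collector
	if err := json.Unmarshal(doc, &cs); err != nil {
		return err
	}
	for _, c := range cs {
		if !supportedCollectors[c.Type] {
			return fmt.Errorf("unsupported collector type %q", c.Type)
		}
		switch c.Type {
		case "cpuid":
			c.Paths = []string{c.Location}
		case "storage": // measures a raw /dev node, so the path rule does not apply
			continue
		}
		for _, t := range c.Paths {
			if _, _, err := SplitPolicyPath(t); err != nil {
				return err
			}
		}
	}
	return nil
}
```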