Secure Boot Verification
Verifies the integrity of the boot chain using cryptographic measurements, signature verification, and TPM PCR extensions.
Boot Measurement Flow
- Compute SHA-256 hash of the kernel image in memory
- Verify kernel signature (if a signature is provided)
- Record measurement in the boot measurement log
- Extend TPM PCR 0 with the kernel measurement
- Return verification status
PCR Allocation
- PCR 0: Kernel image measurement
- PCR 1: Kernel configuration / command line
- PCR 2: Boot stage measurements (bootloader, early init)
Structs
- BootMeasurement - A single boot measurement entry in the measurement log.
- BootMeasurementLog - Boot measurement log recording all measurements taken during boot.
- BootSignature - Boot signature for kernel image verification.
- SecureBootConfig - Secure boot configuration.
Enums
- BootStatus - Boot verification status.
- SignatureAlgorithm - Supported signature algorithms.
Functions
- compute_kernel_hash - Compute a SHA-256 hash of the kernel image in memory.
- disable - Disable secure boot.
- enable - Enable secure boot with optional enforcement.
- get_measurement - Get a recorded boot measurement by index.
- get_status - Get the current boot verification status.
- measure_boot_stage - Record a boot stage measurement.
- measurement_count - Get the number of recorded boot measurements.
- print_measurement_log - Print all boot measurements to the kernel console.
- set_expected_hash - Set the expected kernel hash for verification.
- set_signature - Set the boot signature and signer public key.
- verify - Verify the secure boot chain.