Use multiple PCR for stboot measurements
Until now stboot measured everything into PCR 8. This has two drawbacks.
- If measurements don't line up with the expected values it's hard to debug where the problem is (stboot, os-pkg, firmware).
- Attesters that only care about some measurements (e.g. the server uses stboot, but we don't care about the exact os-pkg) still have to understand all measurements.
This patch set changes the measuring code to use the following scheme.
- PCR[12]: Detail measurements, i.e. the ospkg zip archive and json manifest.
- PCR[13]: Authority measurements. This is the config stboot used to validate the ospkg, i.e. the trust policy, HTTPS roots and root signing key.
- PCR[14]: Identity measurements. The device and data channel identities. Coming soon.
The new code also maintains an event log that lists all measurements taken during boot. This is used to debug attestation failures.
Edited by Kai Michaelis