@@ -1117,14 +1117,22 @@ efi_status_t efi_tcg2_register(void)
ret = efi_add_protocol(efi_root, &efi_guid_tcg2_protocol,
(void *)&efi_tcg2_protocol);
- if (ret != EFI_SUCCESS) {
- log_err("Cannot install EFI_TCG2_PROTOCOL\n");
+ if (ret != EFI_SUCCESS)
goto fail;
- }
out:
return ret;
fail:
+ log_err("Cannot install EFI_TCG2_PROTOCOL\n");
tcg2_uninit();
- return ret;
+ /*
+ * Return EFI_SUCCESS and don't stop the EFI subsystem.
+ * That's done for 2 reasons
+ * - If the protocol is not installed the PCRs won't be extended. So
+ * someone later in the boot flow will notice that and take the
+ * necessary actions.
+ * - The TPM sandbox is limited and we won't be able to run any efi
+ * related tests with TCG2 enabled
+ */
+ return EFI_SUCCESS;
}
Up to now we are stopping the EFI subsystem if a TPMv2 exists but the protocol fails to install. Now that we've switched the config to 'default y' the sandbox TPM fails, since it doesn't support all the required capabilities of the protocol. Not installing the protocol is not catastrophic. If the protocol fails to install the PCRs will never be extended to the expected values, so some other entity later in the boot flow will eventually figure it out and take the necessary actions. Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> --- lib/efi_loader/efi_tcg2.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) -- 2.31.0