diff mbox series

[v3,1/3] efi_loader: Add check for event log passed from firmware

Message ID 20211124075625.197449-1-ruchika.gupta@linaro.org
State Superseded
Headers show
Series [v3,1/3] efi_loader: Add check for event log passed from firmware | expand

Commit Message

Ruchika Gupta Nov. 24, 2021, 7:56 a.m. UTC 
Platforms may have support to measure their initial firmware components
and pass the event log to u-boot. The event log address can be passed
in property tpm_event_log_addr and tpm_event_log_size of the tpm node.
Platforms may choose their own specific mechanism to do so. A weak
function is added to check if even log has been passed to u-boot
from earlier firmware components. If available, the eventlog is parsed
to check for its correctness and further event logs are appended to the
passed log.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
---
v3:
Return as soon as you detect error

v2:
Moved firmware eventlog code parsing to tcg2_get_fw_eventlog()

 lib/efi_loader/efi_tcg2.c | 322 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 311 insertions(+), 11 deletions(-)

Comments

Ilias Apalodimas Nov. 24, 2021, 11:03 a.m. UTC | #1 
Hi,

> +	ret = tcg2_get_fw_eventlog(dev, event_log.buffer, &event_log.pos);
> +	/*
> +	 * If earlier firmware hasn't passed any eventlog, go ahead and
> +	 * create the eventlog header
> +	 */
> +	if (ret == EFI_NOT_FOUND) {
> +		put_unaligned_le32(0, &event_header->pcr_index);
> +		put_unaligned_le32(EV_NO_ACTION, &event_header->event_type);
> +		memset(&event_header->digest, 0, sizeof(event_header->digest));
> +		ret = create_specid_event(dev,
> +					  (void *)((uintptr_t)event_log.buffer +
> +						   sizeof(*event_header)),
> +					  &spec_event_size);
> +		if (ret != EFI_SUCCESS)
> +			goto free_pool;
> +		put_unaligned_le32(spec_event_size, &event_header->event_size);
> +		event_log.pos = spec_event_size + sizeof(*event_header);
> +		event_log.last_event_size = event_log.pos;
> +	}
> +
>  	if (ret != EFI_SUCCESS)
>  		goto free_pool;
> -	put_unaligned_le32(spec_event_size, &event_header->event_size);
> -	event_log.pos = spec_event_size + sizeof(*event_header);
> -	event_log.last_event_size = event_log.pos;
>  
>  	ret = create_final_event();
>  	if (ret != EFI_SUCCESS)
> -- 
> 2.25.1
> 

I think Kojima-san is right.  I don't think it's a good idea to turn our
startup code into a 'PC client spec' parser and try to reason about
previous events. The Spec is pretty clear on "3.2.3.1 Firmware Boot Block
SRTM".  Specifically it says:

"In this architecture, the Platform Firmware is composed of a Boot Block 
(SEC/PEI/IBB) and a UEFI firmware. Each of these is an independent component
and each can be updated independent of the other. In this architecture, the
Boot Block is the SRTM while the UEFI Firmware is not but is a measured 
component of chain of trust".

So in our case the (SEC/PEI/IBB) is basically TF-A.  So TF-A should compose
the S_CRTM_VERSION event.  If it doesn't we need to go back to TF-A and
fix it.  I think unconditionally removing it from u-boot makes more sense,
rather that parse events and try to figure out if the previous loader has a
bug....


Regards
/Ilias
diff mbox series

Patch

diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
index 8c1f22e337..ebd7847957 100644
--- a/lib/efi_loader/efi_tcg2.c
+++ b/lib/efi_loader/efi_tcg2.c
@@ -324,6 +324,45 @@  __weak efi_status_t platform_get_tpm2_device(struct udevice **dev)
 	return EFI_NOT_FOUND;
 }
 
+/**
+ * platform_get_eventlog() - retrieve the eventlog address and size
+ *
+ * This function retrieves the eventlog address and size if the underlying
+ * firmware has done some measurements and passed them.
+ *
+ * This function may be overridden based on platform specific method of
+ * passing the eventlog address and size.
+ *
+ * @dev:	udevice
+ * @addr:	eventlog address
+ * @sz:		eventlog size
+ * Return:	status code
+ */
+__weak efi_status_t platform_get_eventlog(struct udevice *dev, u64 *addr,
+					  u32 *sz)
+{
+	const u64 *basep;
+	const u32 *sizep;
+
+	basep = dev_read_prop(dev, "tpm_event_log_addr", NULL);
+	if (!basep)
+		return EFI_NOT_FOUND;
+
+	*addr = be64_to_cpup((__force __be64 *)basep);
+
+	sizep = dev_read_prop(dev, "tpm_event_log_size", NULL);
+	if (!sizep)
+		return EFI_NOT_FOUND;
+
+	*sz = be32_to_cpup((__force __be32 *)sizep);
+	if (*sz == 0) {
+		log_debug("event log empty\n");
+		return EFI_NOT_FOUND;
+	}
+
+	return EFI_SUCCESS;
+}
+
 /**
  * tpm2_get_max_command_size() - get the supported max command size
  *
@@ -1181,6 +1220,250 @@  static const struct efi_tcg2_protocol efi_tcg2_protocol = {
 	.get_result_of_set_active_pcr_banks = efi_tcg2_get_result_of_set_active_pcr_banks,
 };
 
+/**
+ * parse_event_log_header() -  Parse and verify the event log header fields
+ *
+ * @buffer:			Pointer to the event header
+ * @size:			Size of the eventlog
+ * @pos:			Position in buffer after event log header
+ *
+ * Return:	status code
+ */
+efi_status_t parse_event_log_header(void *buffer, u32 size, u32 *pos)
+{
+	struct tcg_pcr_event *event_header = (struct tcg_pcr_event *)buffer;
+	int i = 0;
+
+	if (size < sizeof(*event_header))
+		return EFI_COMPROMISED_DATA;
+
+	if (get_unaligned_le32(&event_header->pcr_index) != 0 ||
+	    get_unaligned_le32(&event_header->event_type) != EV_NO_ACTION)
+		return EFI_COMPROMISED_DATA;
+
+	for (i = 0; i < sizeof(event_header->digest); i++) {
+		if (event_header->digest[i] != 0)
+			return EFI_COMPROMISED_DATA;
+	}
+
+	*pos += sizeof(*event_header);
+
+	return EFI_SUCCESS;
+}
+
+/**
+ * parse_specid_event() -  Parse and verify the specID Event in the eventlog
+ *
+ * @dev:		udevice
+ * @buffer:		Pointer to the start of the eventlog
+ * @log_size:		Size of the eventlog
+ * @pos:		Offset in the evenlog where specID event starts
+ *
+ * Return:		status code
+ * @pos			Offset in the eventlog where the specID event ends
+ * @digest_list:	list of digests in the event
+ */
+efi_status_t parse_specid_event(struct udevice *dev, void *buffer, u32 log_size,
+				u32 *pos,
+				struct tpml_digest_values *digest_list)
+{
+	struct tcg_efi_spec_id_event *spec_event;
+	struct tcg_pcr_event *event_header = (struct tcg_pcr_event *)buffer;
+	size_t spec_event_size;
+	u32 active = 0, supported = 0, pcr_count = 0, alg_count = 0;
+	u32 spec_active = 0;
+	u16 hash_alg, hash_sz;
+	u8 vendor_sz;
+	int err, i;
+
+	/* Check specID event data */
+	spec_event = (struct tcg_efi_spec_id_event *)((uintptr_t)buffer + *pos);
+	/* Check for signature */
+	if (memcmp(spec_event->signature, TCG_EFI_SPEC_ID_EVENT_SIGNATURE_03,
+		   sizeof(TCG_EFI_SPEC_ID_EVENT_SIGNATURE_03))) {
+		log_err("specID Event: Signature mismatch\n");
+		return EFI_COMPROMISED_DATA;
+	}
+
+	if (spec_event->spec_version_minor !=
+			TCG_EFI_SPEC_ID_EVENT_SPEC_VERSION_MINOR_TPM2 ||
+	    spec_event->spec_version_major !=
+			TCG_EFI_SPEC_ID_EVENT_SPEC_VERSION_MAJOR_TPM2)
+		return EFI_COMPROMISED_DATA;
+
+	if (spec_event->number_of_algorithms > MAX_HASH_COUNT ||
+	    spec_event->number_of_algorithms < 1) {
+		log_err("specID Event: Number of algorithms incorrect\n");
+		return EFI_COMPROMISED_DATA;
+	}
+
+	alg_count = spec_event->number_of_algorithms;
+
+	err = tpm2_get_pcr_info(dev, &supported, &active, &pcr_count);
+	if (err)
+		return EFI_DEVICE_ERROR;
+
+	digest_list->count = 0;
+	/*
+	 * We may need to worry about the order of algs in this structure as
+	 * subsequent entries in event should be in same order
+	 */
+	for (i = 0; i < alg_count; i++) {
+		hash_alg =
+		  get_unaligned_le16(&spec_event->digest_sizes[i].algorithm_id);
+		hash_sz =
+		   get_unaligned_le16(&spec_event->digest_sizes[i].digest_size);
+
+		if (!(supported & alg_to_mask(hash_alg))) {
+			log_err("specID Event: Unsupported algorithm\n");
+			return EFI_COMPROMISED_DATA;
+		}
+		digest_list->digests[digest_list->count++].hash_alg = hash_alg;
+
+		spec_active |= alg_to_mask(hash_alg);
+	}
+
+	/* TCG spec expects the event log to have hashes for all active PCR's */
+	if (spec_active != active) {
+		/*
+		 * Previous stage bootloader should know all the active PCR's
+		 * and use them in the Eventlog.
+		 */
+		log_err("specID Event: All active hash alg not present\n");
+		return EFI_COMPROMISED_DATA;
+	}
+
+	/*
+	 * the size of the spec event and placement of vendor_info_size
+	 * depends on supported algoriths
+	 */
+	spec_event_size =
+		offsetof(struct tcg_efi_spec_id_event, digest_sizes) +
+		alg_count * sizeof(spec_event->digest_sizes[0]);
+
+	vendor_sz = *(uint8_t *)((uintptr_t)buffer + *pos + spec_event_size);
+
+	spec_event_size += sizeof(vendor_sz) + vendor_sz;
+	*pos += spec_event_size;
+
+	if (get_unaligned_le32(&event_header->event_size) != spec_event_size) {
+		log_err("specID event: header event size mismatch\n");
+		/* Right way to handle this can be to call SetActive PCR's */
+		return EFI_COMPROMISED_DATA;
+	}
+
+	return EFI_SUCCESS;
+}
+
+efi_status_t tcg2_parse_event(struct udevice *dev, void *buffer, u32 log_size,
+			      u32 *offset, struct tpml_digest_values *digest_list,
+			      u32 *pcr)
+{
+	struct tcg_pcr_event2 *event = NULL;
+	u32 event_type, count, size, event_size;
+	size_t pos;
+
+	if (*offset > log_size)
+		return EFI_COMPROMISED_DATA;
+
+	event = (struct tcg_pcr_event2 *)((uintptr_t)buffer + *offset);
+
+	*pcr = get_unaligned_le32(&event->pcr_index);
+
+	event_size = tcg_event_final_size(digest_list);
+
+	if (*offset + event_size > log_size) {
+		log_err("Event exceeds log size\n");
+		return EFI_COMPROMISED_DATA;
+	}
+
+	event_type = get_unaligned_le32(&event->event_type);
+
+	/* get the count */
+	count = get_unaligned_le32(&event->digests.count);
+	if (count != digest_list->count)
+		return EFI_COMPROMISED_DATA;
+
+	pos = offsetof(struct tcg_pcr_event2, digests);
+	pos += offsetof(struct tpml_digest_values, digests);
+
+	for (int i = 0; i < digest_list->count; i++) {
+		u16 alg;
+		u16 hash_alg = digest_list->digests[i].hash_alg;
+		u8 *digest = (u8 *)&digest_list->digests[i].digest;
+
+		alg = get_unaligned_le16((void *)((uintptr_t)event + pos));
+
+		if (alg != hash_alg)
+			return EFI_COMPROMISED_DATA;
+
+		pos += offsetof(struct tpmt_ha, digest);
+		memcpy(digest, (void *)((uintptr_t)event + pos), alg_to_len(hash_alg));
+		pos += alg_to_len(hash_alg);
+	}
+
+	size = get_unaligned_le32((void *)((uintptr_t)event + pos));
+	event_size += size;
+	pos += sizeof(u32); /* tcg_pcr_event2 event_size*/
+	pos += size;
+
+	/* make sure the calculated buffer is what we checked against */
+	if (pos != event_size)
+		return EFI_COMPROMISED_DATA;
+
+	if (pos > log_size)
+		return EFI_COMPROMISED_DATA;
+
+	*offset += pos;
+
+	return EFI_SUCCESS;
+}
+
+efi_status_t tcg2_get_fw_eventlog(struct udevice *dev, void *log_buffer,
+				  size_t *log_sz)
+{
+	struct tpml_digest_values digest_list;
+	void *buffer;
+	efi_status_t ret;
+	u32 pcr, pos;
+	u64 base;
+	u32 sz;
+
+	ret = platform_get_eventlog(dev, &base, &sz);
+	if (ret != EFI_SUCCESS)
+		return ret;
+
+	if (sz > TPM2_EVENT_LOG_SIZE)
+		return EFI_VOLUME_FULL;
+
+	buffer = (void *)base;
+	pos = 0;
+	/* Parse the eventlog to check for its validity */
+	ret = parse_event_log_header(buffer, sz, &pos);
+	if (ret || pos > sz)
+		return EFI_COMPROMISED_DATA;
+
+	ret = parse_specid_event(dev, buffer, sz, &pos, &digest_list);
+	if (ret || pos > sz) {
+		log_err("Error parsing SPEC ID Event\n");
+		return EFI_COMPROMISED_DATA;
+	}
+
+	while (pos < sz) {
+		ret = tcg2_parse_event(dev, buffer, sz, &pos, &digest_list,
+				       &pcr);
+		if (ret) {
+			log_err("Error parsing event\n");
+			return ret;
+		}
+	}
+
+	memcpy(log_buffer, buffer, sz);
+	*log_sz = sz;
+
+	return ret;
+}
+
 /**
  * create_specid_event() - Create the first event in the eventlog
  *
@@ -1340,6 +1623,12 @@  static efi_status_t efi_init_event_log(void)
 	 * last log entry
 	 */
 	memset(event_log.buffer, 0xff, TPM2_EVENT_LOG_SIZE);
+
+	/*
+	 * The log header is defined to be in SHA1 event log entry format.
+	 * Setup event header
+	 */
+	event_header =  (struct tcg_pcr_event *)event_log.buffer;
 	event_log.pos = 0;
 	event_log.last_event_size = 0;
 	event_log.get_event_called = false;
@@ -1347,20 +1636,31 @@  static efi_status_t efi_init_event_log(void)
 	event_log.truncated = false;
 
 	/*
-	 * The log header is defined to be in SHA1 event log entry format.
-	 * Setup event header
+	 * Check if earlier firmware have passed any eventlog. Different
+	 * platforms can use different ways to do so
 	 */
-	event_header =  (struct tcg_pcr_event *)event_log.buffer;
-	put_unaligned_le32(0, &event_header->pcr_index);
-	put_unaligned_le32(EV_NO_ACTION, &event_header->event_type);
-	memset(&event_header->digest, 0, sizeof(event_header->digest));
-	ret = create_specid_event(dev, (void *)((uintptr_t)event_log.buffer + sizeof(*event_header)),
-				  &spec_event_size);
+	ret = tcg2_get_fw_eventlog(dev, event_log.buffer, &event_log.pos);
+	/*
+	 * If earlier firmware hasn't passed any eventlog, go ahead and
+	 * create the eventlog header
+	 */
+	if (ret == EFI_NOT_FOUND) {
+		put_unaligned_le32(0, &event_header->pcr_index);
+		put_unaligned_le32(EV_NO_ACTION, &event_header->event_type);
+		memset(&event_header->digest, 0, sizeof(event_header->digest));
+		ret = create_specid_event(dev,
+					  (void *)((uintptr_t)event_log.buffer +
+						   sizeof(*event_header)),
+					  &spec_event_size);
+		if (ret != EFI_SUCCESS)
+			goto free_pool;
+		put_unaligned_le32(spec_event_size, &event_header->event_size);
+		event_log.pos = spec_event_size + sizeof(*event_header);
+		event_log.last_event_size = event_log.pos;
+	}
+
 	if (ret != EFI_SUCCESS)
 		goto free_pool;
-	put_unaligned_le32(spec_event_size, &event_header->event_size);
-	event_log.pos = spec_event_size + sizeof(*event_header);
-	event_log.last_event_size = event_log.pos;
 
 	ret = create_final_event();
 	if (ret != EFI_SUCCESS)