From patchwork Thu Nov 18 06:17:51 2021
X-Patchwork-Submitter: Ruchika Gupta
X-Patchwork-Id: 519237
From: Ruchika Gupta
To: u-boot@lists.denx.de, ilias.apalodimas@linaro.org, xypron.glpk@gmx.de, agraf@csgraf.de
Cc: Ruchika Gupta
Subject: [PATCH 3/3] efi_loader: Extend PCR's for firmware measurements
Date: Thu, 18 Nov 2021 11:47:51 +0530
Message-Id: <20211118061751.3334620-4-ruchika.gupta@linaro.org>
In-Reply-To: <20211118061751.3334620-1-ruchika.gupta@linaro.org>
References: <20211118061751.3334620-1-ruchika.gupta@linaro.org>

Firmwares before U-Boot may be capable of doing TPM measurements and passing them to U-Boot in the form of an eventlog. However, there may be scenarios where the firmwares don't have a TPM driver and are not capable of extending the measurements in the PCRs. To cater to such platforms, read PCR0 to determine if the previous firmwares have extended PCR0. If not, then extend the PCRs as the eventlog is parsed.

Signed-off-by: Ruchika Gupta
---
 lib/efi_loader/efi_tcg2.c | 86 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 86 insertions(+)

diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
index c97766eae3..cbd0c7d224 100644
--- a/lib/efi_loader/efi_tcg2.c
+++ b/lib/efi_loader/efi_tcg2.c
@@ -178,6 +178,43 @@ static efi_status_t tcg2_pcr_extend(struct udevice *dev, u32 pcr_index, return EFI_SUCCESS; } +/* tcg2_pcr_read - Read PCRs for a TPM2 device for a given tpml_digest_values + * + * @dev: device + * @digest_list: list of digest algorithms to extend + * + * @Return: status code + */ +static efi_status_t tcg2_pcr_read(struct udevice *dev, u32 pcr_index, + struct tpml_digest_values *digest_list) +{ + struct tpm_chip_priv *priv; + unsigned int updates, pcr_select_min; + u32 rc; + size_t i; + + priv = dev_get_uclass_priv(dev); + if (!priv) + return EFI_DEVICE_ERROR; + + pcr_select_min = priv->pcr_select_min; + + for (i = 0; i < digest_list->count; i++) { + u16 hash_alg = digest_list->digests[i].hash_alg; + u8 *digest = (u8 *)&digest_list->digests[i].digest; + + rc = tpm2_pcr_read(dev, pcr_index, pcr_select_min, + hash_alg, digest, alg_to_len(hash_alg), + &updates); + if (rc) { + EFI_PRINT("Failed to read PCR\n"); + return EFI_DEVICE_ERROR; + } + } + + return EFI_SUCCESS; +} + /* tcg2_agile_log_append - Append an agile event to out eventlog * * @pcr_index: PCR index @@ -1488,10 +1525,12 @@ static efi_status_t efi_init_event_log(struct udevice *dev) struct tcg_pcr_event *event_header = NULL; struct tpml_digest_values digest_list; size_t spec_event_size; + bool extend_pcr = false; efi_status_t ret; u32 pcr, pos; u64 base; u32 sz; + int i; ret = platform_get_tpm2_device(&dev); if (ret != EFI_SUCCESS) 
@@ -1541,6 +1580,26 @@ static efi_status_t efi_init_event_log(struct udevice *dev) goto free_pool; } + ret = tcg2_pcr_read(dev, 0, &digest_list); + if (ret) { + log_err("Error reading PCR 0\n"); + goto free_pool; + } + + /* + * If PCR0 is 0, previous firmware didn't have the capability + * to extend the PCR. In this scenario, extend the PCR as + * the eventlog is parsed. + */ + for (i = 0; i < digest_list.count; i++) { + u8 buffer[TPM2_DIGEST_LEN] = { 0 }; + u16 hash_alg = digest_list.digests[i].hash_alg; + + if (!memcmp((u8 *)&digest_list.digests[i].digest, + buffer, alg_to_len(hash_alg))) + extend_pcr = true; + } + while (pos < sz) { ret = tcg2_parse_event(dev, buffer, sz, &pos, &digest_list, &pcr); @@ -1548,6 +1607,33 @@ static efi_status_t efi_init_event_log(struct udevice *dev) log_err("Error parsing event\n"); goto free_pool; } + + if (pcr != 0) { + /* + * Eventlog passed by firmware should extend + * PCR0 only. + */ + log_err("Invalid PCR\n"); + goto free_pool; + } + + if (extend_pcr) { + ret = tcg2_pcr_extend(dev, pcr, &digest_list); + if (ret != EFI_SUCCESS) { + log_err("Error in extending PCR\n"); + goto free_pool; + } + + /* Clear the digest for next event */ + for (i = 0; i < digest_list.count; i++) { + u16 hash_alg = + digest_list.digests[i].hash_alg; + u8 *digest = + (u8 *)&digest_list.digests[i].digest; + + memset(digest, 0, alg_to_len(hash_alg)); + } + } } memcpy(event_log.buffer, buffer, sz);
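Review bot: The kernel-doc for tcg2_pcr_read in the first hunk (@@ -178) documents @dev and @digest_list but not @pcr_index, and describes @digest_list as "list of digest algorithms to extend" although this function only reads a PCR into that list. Suggest `@pcr_index: PCR index to read` and `@digest_list: digest banks (one hash_alg per entry) to fill with the PCR value`, and a summary line such as "Read one PCR across the banks listed in digest_list".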
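Review bot: In the declarations hunk (@@ -1488), the new `int i;` is used in the later hunks to iterate up to `digest_list.count`, while the same loop in tcg2_pcr_read uses `size_t i`; pick one index type (size_t or u32) for both so the count comparison is not signed/unsigned.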
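Review bot: In the PCR0 read hunk (@@ -1541), `u8 buffer[TPM2_DIGEST_LEN] = { 0 };` shadows the function's event-log `buffer`, the one passed to `tcg2_parse_event(dev, buffer, sz, ...)` and copied by `memcpy(event_log.buffer, buffer, sz)` just below; it is scoped to the loop body so it compiles, but it reads as if the log buffer were being zeroed and would warn under -Wshadow, so rename it (e.g. `zero_digest`). Separately, extend_pcr is set as soon as any single bank reads all-zero, so on a platform whose earlier firmware extended only some of the banks every bank would be re-extended from the log and the banks would diverge for the rest of the boot; consider requiring all banks to be zero before extending, and logging an error when the banks disagree.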
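Review bot: In the extend hunk (@@ -1548), the `if (pcr != 0)` rejection runs for every event regardless of extend_pcr, so a log from firmware that did extend the TPM itself but also recorded events for other PCRs is now rejected where the old loop parsed it and copied it through; either scope the check to the `extend_pcr` path or state in the commit message that a PCR0-only log is now a hard requirement. Also, an error after some events have already been extended jumps to free_pool with PCR0 partially extended and no log to match it; a log_err that says so would save whoever debugs that state some time.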
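As an added illustration that is not part of this patch or of U-Boot, the policy the commit message describes modelled for a single SHA-256 bank in Python: a PCR0 that still reads all-zero is taken to mean the earlier firmware logged but did not extend, so the log is replayed into the PCR, and events for any PCR other than 0 are rejected as in the patch. It goes one step beyond the patch by checking a non-zero PCR0 against the replayed log value, which is the check a verifier of an inherited event log would want; the event digests are constructed sample values.

```python
import hashlib

DIGEST_LEN = 32                # SHA-256 bank
ZERO_PCR = bytes(DIGEST_LEN)   # reset value of PCR0

# Constructed sample event log: (pcr_index, digest) pairs as an earlier
# firmware stage would record them for PCR0.
SAMPLE_EVENTS = [
    (0, hashlib.sha256(b"constructed: boot ROM image").digest()),
    (0, hashlib.sha256(b"constructed: first-stage loader").digest()),
]

def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend for one bank: PCR_new = H(PCR_old || digest)."""
    return hashlib.sha256(pcr + digest).digest()

def replay(events, pcr_index: int = 0) -> bytes:
    """Replay the log into a fresh PCR, rejecting events for any other
    PCR (the patch's `pcr != 0` check)."""
    pcr = ZERO_PCR
    for idx, digest in events:
        if idx != pcr_index:
            raise ValueError(f"event for PCR {idx}, expected {pcr_index}")
        if len(digest) != DIGEST_LEN:
            raise ValueError("digest length does not match the bank")
        pcr = pcr_extend(pcr, digest)
    return pcr

def reconcile(pcr0_read: bytes, events) -> tuple:
    """Return (action, pcr0_value) for an inherited event log:
    "extend"   PCR0 still zero: earlier firmware logged but did not extend,
               so the replayed value is what PCR0 must become;
    "verified" PCR0 non-zero and equal to the replayed log;
    "mismatch" PCR0 non-zero but not reproduced by the log (goes beyond
               the patch, which does not verify a non-zero PCR0);
    "invalid"  the log holds an event for a PCR other than 0."""
    try:
        expected = replay(events)
    except ValueError:
        return ("invalid", pcr0_read)
    if pcr0_read == ZERO_PCR:
        return ("extend", expected)
    if pcr0_read == expected:
        return ("verified", pcr0_read)
    return ("mismatch", pcr0_read)
```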