From patchwork Wed Nov 24 13:40:44 2021
X-Patchwork-Submitter: Ruchika Gupta
X-Patchwork-Id: 519349
From: Ruchika Gupta
To: u-boot@lists.denx.de, ilias.apalodimas@linaro.org, xypron.glpk@gmx.de, agraf@csgraf.de, masahisa.kojima@linaro.org
Cc: Ruchika Gupta
Subject: [PATCH v4 3/3] efi_loader: Extend PCR's for firmware measurements
Date: Wed, 24 Nov 2021 19:10:44 +0530
Message-Id: <20211124134044.454168-3-ruchika.gupta@linaro.org>
In-Reply-To: <20211124134044.454168-1-ruchika.gupta@linaro.org>
References: <20211124134044.454168-1-ruchika.gupta@linaro.org>

Firmwares before U-Boot may be capable of doing TPM measurements and passing them to U-Boot in the form of an eventlog. However, there may be scenarios where the firmwares don't have a TPM driver and are not capable of extending the measurements in the PCRs. Based on the TCG spec, if previous firmware has extended PCRs, PCR0 would not be 0. So, read PCR0 to determine if the PCRs need to be extended as the eventlog is parsed or not.

Signed-off-by: Ruchika Gupta
Reviewed-by: Ilias Apalodimas
---
v4 : No change
v3 : Rebase changes on top of changes made in first patch of series
v2 : Removed check for PCR0 in eventlog

 lib/efi_loader/efi_tcg2.c | 75 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 75 insertions(+)

diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
index 1713cfff70..08b02e9e1f 100644
--- a/lib/efi_loader/efi_tcg2.c
+++ b/lib/efi_loader/efi_tcg2.c
@@ -199,6 +199,43 @@ static efi_status_t tcg2_pcr_extend(struct udevice *dev, u32 pcr_index, return EFI_SUCCESS; } +/* tcg2_pcr_read - Read PCRs for a TPM2 device for a given tpml_digest_values + * + * @dev: device + * @digest_list: list of digest algorithms to extend + * + * @Return: status code + */ +static efi_status_t tcg2_pcr_read(struct udevice *dev, u32 pcr_index, + struct tpml_digest_values *digest_list) +{ + struct tpm_chip_priv *priv; + unsigned int updates, pcr_select_min; + u32 rc; + size_t i; + + priv = dev_get_uclass_priv(dev); + if (!priv) + return EFI_DEVICE_ERROR; + + pcr_select_min = priv->pcr_select_min; + + for (i = 0; i < digest_list->count; i++) { + u16 hash_alg = digest_list->digests[i].hash_alg; + u8 *digest = (u8 *)&digest_list->digests[i].digest; + + rc = tpm2_pcr_read(dev, pcr_index, pcr_select_min, + hash_alg, digest, alg_to_len(hash_alg), + &updates); + if (rc) { + EFI_PRINT("Failed to read PCR\n"); + return EFI_DEVICE_ERROR; + } + } + + return EFI_SUCCESS; +} + /* put_event - Append an agile event to an eventlog * * @pcr_index: PCR index @@ -1428,6 +1465,8 @@ efi_status_t tcg2_get_fw_eventlog(struct udevice *dev, void *log_buffer, u32 pcr, pos; u64 base; u32 sz; + bool extend_pcr = false; + int i; ret = platform_get_eventlog(dev, &base, &sz); if (ret != EFI_SUCCESS) 
@@ -1449,6 +1488,26 @@ efi_status_t tcg2_get_fw_eventlog(struct udevice *dev, void *log_buffer, return EFI_COMPROMISED_DATA; } + ret = tcg2_pcr_read(dev, 0, &digest_list); + if (ret) { + log_err("Error reading PCR 0\n"); + return ret; + } + + /* + * If PCR0 is 0, previous firmware didn't have the capability + * to extend the PCR. In this scenario, extend the PCR as + * the eventlog is parsed. + */ + for (i = 0; i < digest_list.count; i++) { + u8 buffer[TPM2_DIGEST_LEN] = { 0 }; + u16 hash_alg = digest_list.digests[i].hash_alg; + + if (!memcmp((u8 *)&digest_list.digests[i].digest, buffer, + alg_to_len(hash_alg))) + extend_pcr = true; + } + while (pos < sz) { ret = tcg2_parse_event(dev, buffer, sz, &pos, &digest_list, &pcr); @@ -1456,6 +1515,22 @@ efi_status_t tcg2_get_fw_eventlog(struct udevice *dev, void *log_buffer, log_err("Error parsing event\n"); return ret; } + if (extend_pcr) { + ret = tcg2_pcr_extend(dev, pcr, &digest_list); + if (ret != EFI_SUCCESS) { + log_err("Error in extending PCR\n"); + return ret; + } + + /* Clear the digest for next event */ + for (i = 0; i < digest_list.count; i++) { + u16 hash_alg = digest_list.digests[i].hash_alg; + u8 *digest = + (u8 *)&digest_list.digests[i].digest; + + memset(digest, 0, alg_to_len(hash_alg)); + } + } } memcpy(log_buffer, buffer, sz);
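Review bot: in the first hunk (@@ -199), the comment block above tcg2_pcr_read() does not match the function: `@pcr_index` is not documented at all, and `@digest_list` is described as "list of digest algorithms to extend" although this function fills the digests with the values read back from the TPM. Suggest `@pcr_index: PCR index to read` and `@digest_list: list of digest algorithms to read; digests are filled in on return`. The error path also only prints "Failed to read PCR"; including pcr_index and hash_alg in that EFI_PRINT would make a failing bank identifiable in the log.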
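Review bot: in the second hunk (@@ -1428), `int i` is later compared against `digest_list.count`, which is unsigned, while the new tcg2_pcr_read() in the first hunk uses `size_t i` for the same kind of loop; declaring this one `size_t i` too avoids a sign-compare warning and keeps the two consistent.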
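Review bot: in the third hunk (@@ -1449), `extend_pcr` is set as soon as any single bank of PCR0 reads back as zero, so on a TPM where the earlier firmware extended only one of the active banks, the bank that was already extended gets every log event extended into it a second time and will no longer match the event log. The decision should require all banks to be zero (and arguably treat a mixed result as EFI_COMPROMISED_DATA rather than a silent replay). Two smaller points in the same hunk: `u8 buffer[TPM2_DIGEST_LEN]` shadows the function's `buffer` that tcg2_parse_event() and the final memcpy() use, so a name such as `zero_digest` is clearer; and since memcmp() compares `alg_to_len(hash_alg)` bytes of it, the zero buffer has to be sized to the largest digest alg_to_len() can return, not to TPM2_DIGEST_LEN, or the comparison reads past the end of the stack array for a larger bank. The new `if (ret)` after tcg2_pcr_read() should also be `if (ret != EFI_SUCCESS)` to match the rest of the function.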
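Review bot: in the fourth hunk (@@ -1456), the "Clear the digest for next event" loop runs only after an event and only when `extend_pcr` is true, but nothing clears `digest_list` before the first tcg2_parse_event() call, which still sees whatever tcg2_pcr_read() stored in it from PCR0 in the previous hunk. If tcg2_parse_event() relies on the digests being zero on entry, as the comment implies, the clearing belongs immediately before the parse call and unconditionally; otherwise the loop can be dropped and the comment with it.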
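To make the PCR0 decision in the commit message concrete, here is an added C example (not code from the patch or from U-Boot) that contrasts an "any bank of PCR0 is zero" test with an "all banks are zero" test on a constructed PCR0 read where only one bank was extended earlier. The struct names, MAX_BANKS and MAX_DIGEST_LEN are my own stand-ins for U-Boot's tpml_digest_values and alg_to_len(); the TPM_ALG_* ids and lengths are the TPM 2.0 values for SHA-1 and SHA-256.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for a tpml_digest_values read from PCR0: one entry per
 * active bank (assumption; U-Boot's real struct layout differs). */
#define TPM_ALG_SHA1   0x0004
#define TPM_ALG_SHA256 0x000b
#define MAX_BANKS      2
#define MAX_DIGEST_LEN 64   /* large enough for any bank, so memcmp never overreads */
struct bank_digest {
	uint16_t hash_alg;
	size_t len;                       /* what alg_to_len() would return for hash_alg */
	uint8_t digest[MAX_DIGEST_LEN];   /* PCR0 value of this bank */
};
struct pcr0_read {
	size_t count;
	struct bank_digest banks[MAX_BANKS];
};
/* Rule as in the patch: replay the event log if ANY bank of PCR0 is still zero. */
bool replay_if_any_bank_zero(const struct pcr0_read *r)
{
	static const uint8_t zero[MAX_DIGEST_LEN];
	for (size_t i = 0; i < r->count; i++)
		if (!memcmp(r->banks[i].digest, zero, r->banks[i].len))
			return true;
	return false;
}
/* Stricter rule: replay only if EVERY bank is zero, so a bank that earlier
 * firmware already extended is never extended a second time. */
bool replay_if_all_banks_zero(const struct pcr0_read *r)
{
	static const uint8_t zero[MAX_DIGEST_LEN];
	for (size_t i = 0; i < r->count; i++)
		if (memcmp(r->banks[i].digest, zero, r->banks[i].len))
			return false;
	return r->count > 0;
}
/* Constructed sample: SHA-1 bank untouched, SHA-256 bank already extended. */
struct pcr0_read sample_mixed_banks(void)
{
	struct pcr0_read r = { .count = 2 };
	r.banks[0] = (struct bank_digest){ .hash_alg = TPM_ALG_SHA1, .len = 20 };
	r.banks[1] = (struct bank_digest){ .hash_alg = TPM_ALG_SHA256, .len = 32 };
	r.banks[1].digest[31] = 0x5a;   /* any non-zero byte means "extended" */
	return r;
}
```

On the mixed sample the two rules disagree: the "any bank" rule replays the log and re-extends the SHA-256 bank, the "all banks" rule does not.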