From patchwork Tue Nov 23 11:53:33 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ruchika Gupta X-Patchwork-Id: 519313 Delivered-To: patch@linaro.org Received: by 2002:ac0:c605:0:0:0:0:0 with SMTP id p5csp8505294imj; Tue, 23 Nov 2021 03:53:53 -0800 (PST) X-Google-Smtp-Source: ABdhPJyLedQYd03Z3Rmh1egsjuPezfXAKsQSoC/cU/IEmIfV3yVLieeI6ztIoVzeDIX3t/q5xG1H X-Received: by 2002:a17:906:1993:: with SMTP id g19mr7023751ejd.50.1637668432929; Tue, 23 Nov 2021 03:53:52 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1637668432; cv=none; d=google.com; s=arc-20160816; b=UVD9T2YW6x7CW0ysZgS+7WZV5+9rlKsAUM4hFR+9TbO34qjhI+OGf7d1xrpLyi9ZYL Pgo+yqUefT76sRLoQf0xueLF48fxlxDEgAZ5Eac95Jan2Sjo0TH7MWUyhH57TRdRh6HT hbmhEJ/mVej0UnWUIN4b9DqQ7TMGvXyDrYejycZZDSLpwaggfhKuSH6LWnelq/iu7kXM 7sXG8ENga4WMUOURSrVLNPBCpcHaEqujR0IpwIbiTNzG7c66HrUwo90LmHOxU4MhtA1U rLjl34oqTHqxAqDRQqNUDPqCOgDNGH8euZ6/4jA0DrNKZ+KPdYYcPK8quw9SEzQVqSUz TsXw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:message-id:date:subject:cc:to:from:dkim-signature; bh=1fVb8mXPnv36SouLZavCsOwRAwFIWjsDYBLmdQtl2vQ=; b=RxxHH+LwCTdUjWdyilQ6Jd8IhC8+gSm9ombv0fj5sC4WGS7l0FoIfTncyQLbKzf77E ekOPPsBmFiNjKKZxUEkWoCU0edsJV/nZnep2HuudCNVHgYYQnpAtFaCw4K3djTuN4+Om HhDX/1VCZiE9WqYNhOTae5YWA9EOkYb2zE6ZvuYxZpFyd7eVC7Dq3veLSzDbBNRqDYdd 54DhiSEgoHRyvsi8x6QFBkxc8DDB7Wk5OzehOuVDmzqdEIH36Ytyb/8nP6Y8NYjiScG0 Yq1Rsq7lnkfqyEfqOjp/ZsbPpP/W8KhHLjdSrKU8fZcXPpljVFBiQ95KN69ggkNzMW51 Ruug== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=Vma5vkbx; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [2a01:238:438b:c500:173d:9f52:ddab:ee01]) by mx.google.com with ESMTPS id b16si26141526ejj.477.2021.11.23.03.53.52 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 23 Nov 2021 03:53:52 -0800 (PST) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=Vma5vkbx; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 9BA3B82DF6; Tue, 23 Nov 2021 12:53:50 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="Vma5vkbx"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 224C0836A8; Tue, 23 Nov 2021 12:53:49 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pl1-x633.google.com (mail-pl1-x633.google.com [IPv6:2607:f8b0:4864:20::633]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 1B2AA82C6D for ; Tue, 23 Nov 2021 12:53:45 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=ruchika.gupta@linaro.org Received: by mail-pl1-x633.google.com with SMTP id b11so16835429pld.12 for ; Tue, 23 Nov 2021 03:53:45 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=1fVb8mXPnv36SouLZavCsOwRAwFIWjsDYBLmdQtl2vQ=; b=Vma5vkbx9g4adB69yWgPj7/9LsOwW6Yd80TTWyV+2U3yhlH+kTYRZ7e3cr44PJMH2E /9WrVycgfO1NG9Rk0o1JveMSZ0YT4KX/J8UpEhguWfcnyCgoCgToqfxtdBGldFjigDp8 NX+u+LLYLu8OITAQ1HGMjYWnSGspjx41Mu0VJvuenxPfxsPs1kKOyJyfdcZdhKTTaIUU ROfIdMJGM0gUuOInEhXTDQCVlC1jakiNpTniINZE9xGomLA2p2Y3AV6ID43ui43rI7HV 3znXC5yXGMxvR5TXi1z6CzTukw1XbzQ9Hn+5cUhal9oau6Np6RaTNEBRsxCSVfwas/ju CIHQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=1fVb8mXPnv36SouLZavCsOwRAwFIWjsDYBLmdQtl2vQ=; b=siQGBJ2zjY0LaKZuw6GusKl54ECVKXlksJDCJzaKJoyAXzk+LK4ujQuPvbgsFwKpB3 Cnroi1xdjKHpJD1SRU7Qm9cJchfCmVpdaQ6cU+se0VoeYAx4SJcGVczJaEZqZLoUm6hI WN38IKddyvLjvm6798SNrwRU1bK4+xneCyCZLJqUQ5MxVN7kB7umy+eMWLJVc3jo0MsU upluy/wPTzFi9uaUZa62s4biaOTFp3xVi/Viv21x8cC76q5mJRJ/vQnlGrUP4bMWcOap pq8nCdxqWnQ1T5Ttok7+5SvNgO2Em9ACKDk/IfvjFBwtB9YiJv/SygaWNVo4p4RX/PlO cBLw== X-Gm-Message-State: AOAM531EsY/1VsHnlsHshqoDSZ3yZpRHAxazUIGhWrdr5ToAYaHOyQ88 jVk5QkAQc/28b0AVOsWqYQ2sqzPFR/yyNw== X-Received: by 2002:a17:902:7086:b0:143:6ba3:9b27 with SMTP id z6-20020a170902708600b001436ba39b27mr6066066plk.60.1637668423080; Tue, 23 Nov 2021 03:53:43 -0800 (PST) Received: from localhost.localdomain ([106.215.91.146]) by smtp.gmail.com with ESMTPSA id x6sm1115203pga.14.2021.11.23.03.53.40 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 23 Nov 2021 03:53:42 -0800 (PST) From: Ruchika Gupta To: u-boot@lists.denx.de, ilias.apalodimas@linaro.org, xypron.glpk@gmx.de, agraf@csgraf.de Cc: Ruchika Gupta Subject: [v2][PATCH 1/3] efi_loader: Add check for event log passed from firmware Date: Tue, 23 Nov 2021 17:23:33 +0530 Message-Id: <20211123115335.125252-1-ruchika.gupta@linaro.org> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.37 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean Platforms may have support to measure their initial firmware components and pass the event log to u-boot. The event log address can be passed in property tpm_event_log_addr and tpm_event_log_size of the tpm node. Platforms may choose their own specific mechanism to do so. A weak function is added to check if even log has been passed to u-boot from earlier firmware components. If available, the eventlog is parsed to check for its correctness and further event logs are appended to the passed log. Signed-off-by: Ruchika Gupta --- v2: Moved firmware eventlog code parsing to tcg2_get_fw_eventlog() lib/efi_loader/efi_tcg2.c | 322 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 308 insertions(+), 14 deletions(-) diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index 8c1f22e337..c3ebdf92f5 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -324,6 +324,45 @@ __weak efi_status_t platform_get_tpm2_device(struct udevice **dev) return EFI_NOT_FOUND; } +/** + * platform_get_eventlog() - retrieve the eventlog address and size + * + * This function retrieves the eventlog address and size if the underlying + * firmware has done some measurements and passed them. + * + * This function may be overridden based on platform specific method of + * passing the eventlog address and size. + * + * @dev: udevice + * @addr: eventlog address + * @sz: eventlog size + * Return: status code + */ +__weak efi_status_t platform_get_eventlog(struct udevice *dev, u64 *addr, + u32 *sz) +{ + const u64 *basep; + const u32 *sizep; + + basep = dev_read_prop(dev, "tpm_event_log_addr", NULL); + if (!basep) + return EFI_NOT_FOUND; + + *addr = be64_to_cpup((__force __be64 *)basep); + + sizep = dev_read_prop(dev, "tpm_event_log_size", NULL); + if (!sizep) + return EFI_NOT_FOUND; + + *sz = be32_to_cpup((__force __be32 *)sizep); + if (*sz == 0) { + log_debug("event log empty\n"); + return EFI_NOT_FOUND; + } + + return EFI_SUCCESS; +} + /** * tpm2_get_max_command_size() - get the supported max command size * @@ -1181,6 +1220,249 @@ static const struct efi_tcg2_protocol efi_tcg2_protocol = { .get_result_of_set_active_pcr_banks = efi_tcg2_get_result_of_set_active_pcr_banks, }; +/** + * parse_event_log_header() - Parse and verify the event log header fields + * + * @buffer: Pointer to the event header + * @size: Size of the eventlog + * @pos: Position in buffer after event log header + * + * Return: status code + */ +efi_status_t parse_event_log_header(void *buffer, u32 size, u32 *pos) +{ + struct tcg_pcr_event *event_header = (struct tcg_pcr_event *)buffer; + int i = 0; + + if (size < sizeof(*event_header)) + return EFI_COMPROMISED_DATA; + + if (get_unaligned_le32(&event_header->pcr_index) != 0 || + get_unaligned_le32(&event_header->event_type) != EV_NO_ACTION) + return EFI_COMPROMISED_DATA; + + for (i = 0; i < sizeof(event_header->digest); i++) { + if (event_header->digest[i] != 0) + return EFI_COMPROMISED_DATA; + } + + *pos += sizeof(*event_header); + + return EFI_SUCCESS; +} + +/** + * parse_specid_event() - Parse and verify the specID Event in the eventlog + * + * @dev: udevice + * @buffer: Pointer to the start of the eventlog + * @log_size: Size of the eventlog + * @pos: Offset in the evenlog where specID event starts + * + * Return: status code + * @pos Offset in the eventlog where the specID event ends + * @digest_list: list of digests in the event + */ +efi_status_t parse_specid_event(struct udevice *dev, void *buffer, u32 log_size, + u32 *pos, + struct tpml_digest_values *digest_list) +{ + struct tcg_efi_spec_id_event *spec_event; + struct tcg_pcr_event *event_header = (struct tcg_pcr_event *)buffer; + size_t spec_event_size; + u32 active = 0, supported = 0, pcr_count = 0, alg_count = 0; + u32 spec_active = 0; + u16 hash_alg, hash_sz; + u8 vendor_sz; + int err, i; + + /* Check specID event data */ + spec_event = (struct tcg_efi_spec_id_event *)((uintptr_t)buffer + *pos); + /* Check for signature */ + if (memcmp(spec_event->signature, TCG_EFI_SPEC_ID_EVENT_SIGNATURE_03, + sizeof(TCG_EFI_SPEC_ID_EVENT_SIGNATURE_03))) { + log_err("specID Event: Signature mismatch\n"); + return EFI_COMPROMISED_DATA; + } + + if (spec_event->spec_version_minor != + TCG_EFI_SPEC_ID_EVENT_SPEC_VERSION_MINOR_TPM2 || + spec_event->spec_version_major != + TCG_EFI_SPEC_ID_EVENT_SPEC_VERSION_MAJOR_TPM2) + return EFI_COMPROMISED_DATA; + + if (spec_event->number_of_algorithms > MAX_HASH_COUNT || + spec_event->number_of_algorithms < 1) { + log_err("specID Event: Number of algorithms incorrect\n"); + return EFI_COMPROMISED_DATA; + } + + alg_count = spec_event->number_of_algorithms; + + err = tpm2_get_pcr_info(dev, &supported, &active, &pcr_count); + if (err) + return EFI_DEVICE_ERROR; + + digest_list->count = 0; + /* + * We may need to worry about the order of algs in this structure as + * subsequent entries in event should be in same order + */ + for (i = 0; i < alg_count; i++) { + hash_alg = + get_unaligned_le16(&spec_event->digest_sizes[i].algorithm_id); + hash_sz = + get_unaligned_le16(&spec_event->digest_sizes[i].digest_size); + + if (!(supported & alg_to_mask(hash_alg))) { + log_err("specID Event: Unsupported algorithm\n"); + return EFI_COMPROMISED_DATA; + } + digest_list->digests[digest_list->count++].hash_alg = hash_alg; + + spec_active |= alg_to_mask(hash_alg); + } + + /* TCG spec expects the event log to have hashes for all active PCR's */ + if (spec_active != active) { + /* + * Previous stage bootloader should know all the active PCR's + * and use them in the Eventlog. + */ + log_err("specID Event: All active hash alg not present\n"); + return EFI_COMPROMISED_DATA; + } + + /* + * the size of the spec event and placement of vendor_info_size + * depends on supported algoriths + */ + spec_event_size = + offsetof(struct tcg_efi_spec_id_event, digest_sizes) + + alg_count * sizeof(spec_event->digest_sizes[0]); + + vendor_sz = *(uint8_t *)((uintptr_t)buffer + *pos + spec_event_size); + + spec_event_size += sizeof(vendor_sz) + vendor_sz; + *pos += spec_event_size; + + if (get_unaligned_le32(&event_header->event_size) != spec_event_size) { + log_err("specID event: header event size mismatch\n"); + /* Right way to handle this can be to call SetActive PCR's */ + return EFI_COMPROMISED_DATA; + } + + return EFI_SUCCESS; +} + +efi_status_t tcg2_parse_event(struct udevice *dev, void *buffer, u32 log_size, + u32 *offset, struct tpml_digest_values *digest_list, + u32 *pcr) +{ + struct tcg_pcr_event2 *event = NULL; + u32 event_type, count, size, event_size; + size_t pos; + + if (*offset > log_size) + return EFI_COMPROMISED_DATA; + + event = (struct tcg_pcr_event2 *)((uintptr_t)buffer + *offset); + + *pcr = get_unaligned_le32(&event->pcr_index); + + event_size = tcg_event_final_size(digest_list); + + if (*offset + event_size > log_size) { + log_err("Event exceeds log size\n"); + return EFI_COMPROMISED_DATA; + } + + event_type = get_unaligned_le32(&event->event_type); + + /* get the count */ + count = get_unaligned_le32(&event->digests.count); + if (count != digest_list->count) + return EFI_COMPROMISED_DATA; + + pos = offsetof(struct tcg_pcr_event2, digests); + pos += offsetof(struct tpml_digest_values, digests); + + for (int i = 0; i < digest_list->count; i++) { + u16 alg; + u16 hash_alg = digest_list->digests[i].hash_alg; + u8 *digest = (u8 *)&digest_list->digests[i].digest; + + alg = get_unaligned_le16((void *)((uintptr_t)event + pos)); + + if (alg != hash_alg) + return EFI_COMPROMISED_DATA; + + pos += offsetof(struct tpmt_ha, digest); + memcpy(digest, (void *)((uintptr_t)event + pos), alg_to_len(hash_alg)); + pos += alg_to_len(hash_alg); + } + + size = get_unaligned_le32((void *)((uintptr_t)event + pos)); + event_size += size; + pos += sizeof(u32); /* tcg_pcr_event2 event_size*/ + pos += size; + + /* make sure the calculated buffer is what we checked against */ + if (pos != event_size) + return EFI_COMPROMISED_DATA; + + if (pos > log_size) + return EFI_COMPROMISED_DATA; + + *offset += pos; + + return EFI_SUCCESS; +} + +efi_status_t tcg2_get_fw_eventlog(struct udevice *dev, void *log_buffer, + size_t *log_sz) +{ + struct tpml_digest_values digest_list; + efi_status_t ret; + u32 pcr, pos; + u64 base; + u32 sz; + + ret = platform_get_eventlog(dev, &base, &sz); + if (ret == EFI_SUCCESS) { + void *buffer = (void *)base; + + if (sz > TPM2_EVENT_LOG_SIZE) + return EFI_VOLUME_FULL; + + pos = 0; + /* Parse the eventlog to check for its validity */ + ret = parse_event_log_header(buffer, sz, &pos); + if (ret || pos > sz) + return EFI_COMPROMISED_DATA; + + ret = parse_specid_event(dev, buffer, sz, &pos, &digest_list); + if (ret || pos > sz) { + log_err("Error parsing SPEC ID Event\n"); + return EFI_COMPROMISED_DATA; + } + + while (pos < sz) { + ret = tcg2_parse_event(dev, buffer, sz, &pos, + &digest_list, &pcr); + if (ret) { + log_err("Error parsing event\n"); + return ret; + } + } + + memcpy(log_buffer, buffer, sz); + *log_sz = sz; + } + + return ret; +} + /** * create_specid_event() - Create the first event in the eventlog * @@ -1340,6 +1622,12 @@ static efi_status_t efi_init_event_log(void) * last log entry */ memset(event_log.buffer, 0xff, TPM2_EVENT_LOG_SIZE); + + /* + * The log header is defined to be in SHA1 event log entry format. + * Setup event header + */ + event_header = (struct tcg_pcr_event *)event_log.buffer; event_log.pos = 0; event_log.last_event_size = 0; event_log.get_event_called = false; @@ -1347,22 +1635,28 @@ static efi_status_t efi_init_event_log(void) event_log.truncated = false; /* - * The log header is defined to be in SHA1 event log entry format. - * Setup event header + * Check if earlier firmware have passed any eventlog. Different + * platforms can use different ways to do so */ - event_header = (struct tcg_pcr_event *)event_log.buffer; - put_unaligned_le32(0, &event_header->pcr_index); - put_unaligned_le32(EV_NO_ACTION, &event_header->event_type); - memset(&event_header->digest, 0, sizeof(event_header->digest)); - ret = create_specid_event(dev, (void *)((uintptr_t)event_log.buffer + sizeof(*event_header)), - &spec_event_size); - if (ret != EFI_SUCCESS) - goto free_pool; - put_unaligned_le32(spec_event_size, &event_header->event_size); - event_log.pos = spec_event_size + sizeof(*event_header); - event_log.last_event_size = event_log.pos; + ret = tcg2_get_fw_eventlog(dev, event_log.buffer, &event_log.pos); + if (ret == EFI_NOT_FOUND) { + put_unaligned_le32(0, &event_header->pcr_index); + put_unaligned_le32(EV_NO_ACTION, &event_header->event_type); + memset(&event_header->digest, 0, sizeof(event_header->digest)); + ret = create_specid_event(dev, + (void *)((uintptr_t)event_log.buffer + + sizeof(*event_header)), + &spec_event_size); + if (ret != EFI_SUCCESS) + goto free_pool; + put_unaligned_le32(spec_event_size, &event_header->event_size); + event_log.pos = spec_event_size + sizeof(*event_header); + event_log.last_event_size = event_log.pos; + } + + if (ret == EFI_SUCCESS) + ret = create_final_event(); - ret = create_final_event(); if (ret != EFI_SUCCESS) goto free_pool; From patchwork Tue Nov 23 11:53:34 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ruchika Gupta X-Patchwork-Id: 519314 Delivered-To: patch@linaro.org Received: by 2002:ac0:c605:0:0:0:0:0 with SMTP id p5csp8505444imj; Tue, 23 Nov 2021 03:54:01 -0800 (PST) X-Google-Smtp-Source: ABdhPJw84yxKoHPBIq12s+iQKCREQQ/9r01hwWaB5x0YJ6z3ptlTvU+bVG0zjR9iO+PYoOpUosoy X-Received: by 2002:a17:906:7ccf:: with SMTP id h15mr6851145ejp.386.1637668441510; Tue, 23 Nov 2021 03:54:01 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1637668441; cv=none; d=google.com; s=arc-20160816; b=HJHFgLmde/GxptWWCT8+L4ImFrgbNl5aYMm8kXr33nxnShSWMCkasAV/pzUTYq1ijY fni0IqJtAzBsAsDklBUvFu+1Ou+zWsJUz+L3bkkIKzE+09HEOYcddkOnaFt2B0G9YCpx +93+HXTvPfoATnmgfIQKsAemE43rvEtGZGwfpXO1GgFD4lLg/gb5R+qvOrRUxotBDtDg rTp0mGT6RVSWlBiDrXmeVCYrkvh3wCiHJI7VRtpJ+F4OQCVBPJi179GrsdS+WDofjhfG 5E8tlRIYYW1wfDHUQxfR5ZeBxv/ugIg/BYp1gN54fpHGkCzt0kboNdn6tNZG3vS8uQRu VznQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=Bff2wf29QQNRVoQJkjSfdwfzFPR/ux7Xoyrtoc3m6uo=; b=hKWOmAmjyIrg4qJ7oB8Rf2Bv4b72b3RRRpNo5rdkgS05SRiVXZt4Nrhf4gsZr7gH3q /11hop5STTJPuuRyjgdtDKB8vYBrGvbOKYJDg2gjbFuG3grKCA99+KW/0NqMs6hXiH6j bOmLjV/ixjD7zxCRrglaVxHBj/e71UpcYPCduLTRRTo0bHVH3pnG45aJzMbbUwVPoCGi vfI9EyL6dNTF3Q8RO9NNQN/b89B1rVev4he/K5l/XMqorVrUMRC+X3SJxBwzsFTrdY47 ItQE9ZhCbZYCa7W1xvRxTbMs+M+TIJOjqp6FqvMGc5Pr0BUKGuJ5jXuUl8+Yz9645OX6 c21Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=ZIbnryap; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [2a01:238:438b:c500:173d:9f52:ddab:ee01]) by mx.google.com with ESMTPS id fy18si23404812ejb.297.2021.11.23.03.54.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 23 Nov 2021 03:54:01 -0800 (PST) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=ZIbnryap; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 22C8883720; Tue, 23 Nov 2021 12:53:58 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="ZIbnryap"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id BA73C83691; Tue, 23 Nov 2021 12:53:55 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pj1-x102a.google.com (mail-pj1-x102a.google.com [IPv6:2607:f8b0:4864:20::102a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id E2397836C5 for ; Tue, 23 Nov 2021 12:53:51 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=ruchika.gupta@linaro.org Received: by mail-pj1-x102a.google.com with SMTP id w33-20020a17090a6ba400b001a722a06212so2011955pjj.0 for ; Tue, 23 Nov 2021 03:53:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=Bff2wf29QQNRVoQJkjSfdwfzFPR/ux7Xoyrtoc3m6uo=; b=ZIbnryap2HRCsbQlR2/bE2onVHMqd9eO4JLlZe2SekCgkNXSaqiKWpel0G4s04Au3P +lYYxx9IsCX1UAjOB14B5n5+HXhJ3c0A7aJXjzOhF3Ixl8Xk/nLO9Y1T6AN6j2n+1RKP S0jI60zTldxxYlj50V307rLWZZ/L2OBCXBouqOmWTVZdP8YdjGzTas0mG9SezasBMxzs lJlOi6DkyicT1zuP4RaIebSooGNF7mYsSPtHd0IJluQc4kOwv95HXbuXq4TuASVCKnly mi/gLbxigEcbs5bfBJxIPER/cnQanW18TxutSfQttWKc/QaGbsKw+1u5sPJVXY0DZBw5 7iNQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=Bff2wf29QQNRVoQJkjSfdwfzFPR/ux7Xoyrtoc3m6uo=; b=NxOy/gfCih0wdPeUa5cEj3KHSKGQ3dQTI8uKYSiOsEWsUVz4To0ZyAJaY57njUIzex JQ7z7gm8rH/+On4wO07d4acEhupzXd9UcMzhABUlZd7rlOQ/P3gdtDB48iZ2xoogqhv7 93WC/0I/WlseLLGw7r+xWKVSc0hNdSDYgBZIkgENMuvn6ks/bdAo2Ja4w5r46QHIV255 hkw3SEZp8BNTh1SxCeY164tWkjTpfj9lPEjv6TZnzZ7WVrnHyXWIPqNFv0pCE/tsqsmh ybtsdVoSf94raBGyz3LkbZpUejqMTHISAAQhaxsdcf2OzBRwO5Juqya77E+mUB6LJPS4 IAVA== X-Gm-Message-State: AOAM5308d6xdEW/dal22ANigihfRkgUW8qMFrGFPehlyL8NpBZU+P3f3 8ZY80aV1DyheVgDq4K7Q4IOhWMe4wsSk1A== X-Received: by 2002:a17:902:d703:b0:144:e012:d550 with SMTP id w3-20020a170902d70300b00144e012d550mr5512592ply.38.1637668429958; Tue, 23 Nov 2021 03:53:49 -0800 (PST) Received: from localhost.localdomain ([106.215.91.146]) by smtp.gmail.com with ESMTPSA id x6sm1115203pga.14.2021.11.23.03.53.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 23 Nov 2021 03:53:49 -0800 (PST) From: Ruchika Gupta To: u-boot@lists.denx.de, ilias.apalodimas@linaro.org, xypron.glpk@gmx.de, agraf@csgraf.de Cc: Ruchika Gupta Subject: [v2] [PATCH 2/3] tpm: use more algorithms than sha256 on pcr_read Date: Tue, 23 Nov 2021 17:23:34 +0530 Message-Id: <20211123115335.125252-2-ruchika.gupta@linaro.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20211123115335.125252-1-ruchika.gupta@linaro.org> References: <20211123115335.125252-1-ruchika.gupta@linaro.org> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.37 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean The current tpm2_pcr_read is hardcoded using SHA256. Make the actual command to TPM configurable to use wider range of algorithms. The current command line is kept as is i.e limited to SHA-256 only. Signed-off-by: Ruchika Gupta Reviewed-by: Ilias Apalodimas Reviewed-by: Ilias Apalodimas --- v2: Change algorithm from u32 to u16 Add parameter description in function declaration cmd/tpm-v2.c | 3 ++- include/tpm-v2.h | 5 ++++- lib/tpm-v2.c | 12 ++++++++---- 3 files changed, 14 insertions(+), 6 deletions(-) diff --git a/cmd/tpm-v2.c b/cmd/tpm-v2.c index daae91100a..4ea5f9f094 100644 --- a/cmd/tpm-v2.c +++ b/cmd/tpm-v2.c @@ -151,7 +151,8 @@ static int do_tpm_pcr_read(struct cmd_tbl *cmdtp, int flag, int argc, data = map_sysmem(simple_strtoul(argv[2], NULL, 0), 0); - rc = tpm2_pcr_read(dev, index, priv->pcr_select_min, data, &updates); + rc = tpm2_pcr_read(dev, index, priv->pcr_select_min, TPM2_ALG_SHA256, + data, TPM2_DIGEST_LEN, &updates); if (!rc) { printf("PCR #%u content (%u known updates):\n", index, updates); print_byte_string(data, TPM2_DIGEST_LEN); diff --git a/include/tpm-v2.h b/include/tpm-v2.h index ceff7d245e..4e9dd52cb6 100644 --- a/include/tpm-v2.h +++ b/include/tpm-v2.h @@ -512,13 +512,16 @@ u32 tpm2_nv_write_value(struct udevice *dev, u32 index, const void *data, * @dev TPM device * @idx Index of the PCR * @idx_min_sz Minimum size in bytes of the pcrSelect array + * @algorithm Algorithm used, defined in 'enum tpm2_algorithms' * @data Output buffer for contents of the named PCR + * @digest_len len of the data * @updates Optional out parameter: number of updates for this PCR * * @return code of the operation */ u32 tpm2_pcr_read(struct udevice *dev, u32 idx, unsigned int idx_min_sz, - void *data, unsigned int *updates); + u16 algorithm, void *data, u32 digest_len, + unsigned int *updates); /** * Issue a TPM2_GetCapability command. This implementation is limited diff --git a/lib/tpm-v2.c b/lib/tpm-v2.c index 2e7b27bd6b..1bf627853a 100644 --- a/lib/tpm-v2.c +++ b/lib/tpm-v2.c @@ -254,7 +254,8 @@ u32 tpm2_nv_write_value(struct udevice *dev, u32 index, const void *data, } u32 tpm2_pcr_read(struct udevice *dev, u32 idx, unsigned int idx_min_sz, - void *data, unsigned int *updates) + u16 algorithm, void *data, u32 digest_len, + unsigned int *updates) { u8 idx_array_sz = max(idx_min_sz, DIV_ROUND_UP(idx, 8)); u8 command_v2[COMMAND_BUFFER_SIZE] = { @@ -264,7 +265,7 @@ u32 tpm2_pcr_read(struct udevice *dev, u32 idx, unsigned int idx_min_sz, /* TPML_PCR_SELECTION */ tpm_u32(1), /* Number of selections */ - tpm_u16(TPM2_ALG_SHA256), /* Algorithm of the hash */ + tpm_u16(algorithm), /* Algorithm of the hash */ idx_array_sz, /* Array size for selection */ /* bitmap(idx) Selected PCR bitmap */ }; @@ -283,10 +284,13 @@ u32 tpm2_pcr_read(struct udevice *dev, u32 idx, unsigned int idx_min_sz, if (ret) return ret; + if (digest_len > response_len) + return TPM_LIB_ERROR; + if (unpack_byte_string(response, response_len, "ds", 10, &counter, - response_len - TPM2_DIGEST_LEN, data, - TPM2_DIGEST_LEN)) + response_len - digest_len, data, + digest_len)) return TPM_LIB_ERROR; if (updates) From patchwork Tue Nov 23 11:53:35 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ruchika Gupta X-Patchwork-Id: 519315 Delivered-To: patch@linaro.org Received: by 2002:ac0:c605:0:0:0:0:0 with SMTP id p5csp8505638imj; Tue, 23 Nov 2021 03:54:11 -0800 (PST) X-Google-Smtp-Source: ABdhPJwceDA/k7ExDGlyPo4qPc2OU5vt3hh+yLDV6m3Ml6iayTqWe7xKDzBgBGgV2Ow9Kk2zyfWE X-Received: by 2002:a17:907:94d4:: with SMTP id dn20mr6869004ejc.379.1637668450899; Tue, 23 Nov 2021 03:54:10 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1637668450; cv=none; d=google.com; s=arc-20160816; b=uJdfAJqyYNDh1kYu7l758lXt5h7DqtqUiGkPHbNtUjuUvOehrwOzr89j3Oi/PXo7aK Pg5v53V8UjMfxg/Pnfgudu9cBht8InOQEyoIDEO5NpujwOPDfQJHesaVrTqMgvX5iq2I bWmNbPjZvvCjrGUr2WnOy2qZdeaWRWwQzOhQzQ61/pXDUoDx+HJX0K7Pt2A/NU2quCyX ZU3zbJQpQih65zIJ0htn6OTnA8AC+f1Zh+AzQsHhOOOh/QlLOy7HdZdpFreuzt4uRI7/ SyC5WDhdoyF3IhylvXr4RKpIqOXY76Nll62OOx3+gvncmS9vr0uievo7yf6YQH8rynxb Tjmw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=THJOraiVv0uCtQt1waG8A1icDvTUH8J71myKCCEdGS4=; b=Vu9t+Ng2zlGoHUi0krLDjXbc04fjw/QQCfzaNei9P1ivrJPtg0Rw0XJRF+QXtxQOJa PuHDLa4yL++eynv8WFcff5Fqv36/+tws41jZA1XXDkkG2Y1OWVgb6YySFHTdMqdWoiEQ 7iiZk9fxuCIxlQYO3ae+6zMLWOeD3lPArLzYE9FOOWgb74iuu0kWRIJttr3AF21nyxdG RF61HXcafe2oNYOeKnISA+sotAhpWtYOwgEdKzyY8JO3CN62gDzU007LIdkncxHKyC6T 8A7o8f9WuzpZpl+FpaUD4tuvbiFJ3j3K6GwGz7FUuj0oqLjeR2Gj8FNM8x5gWnRWrcCk 6cJg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b="QrXWZ5/y"; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [2a01:238:438b:c500:173d:9f52:ddab:ee01]) by mx.google.com with ESMTPS id y16si31607207edq.249.2021.11.23.03.54.10 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 23 Nov 2021 03:54:10 -0800 (PST) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b="QrXWZ5/y"; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 9E9D88373A; Tue, 23 Nov 2021 12:54:07 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="QrXWZ5/y"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id E710F836C5; Tue, 23 Nov 2021 12:54:04 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pl1-x62c.google.com (mail-pl1-x62c.google.com [IPv6:2607:f8b0:4864:20::62c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 7A2988372E for ; Tue, 23 Nov 2021 12:53:58 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=ruchika.gupta@linaro.org Received: by mail-pl1-x62c.google.com with SMTP id b13so16892641plg.2 for ; Tue, 23 Nov 2021 03:53:58 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=THJOraiVv0uCtQt1waG8A1icDvTUH8J71myKCCEdGS4=; b=QrXWZ5/yI4/sZb3ZovjxP9CUBRL6c6/EZivD2yHKm2vs6zzGvsoK3dpIq+rr7hIrIC VKCyZE9rXb6edJ5ppbXEUrnM3xPsSuZBYqE7y52t5AfXUWQismVdi719WUmQ+FaNRtAx OCABVst8FkI9yaGqykn3SkQzB3LcSHNQ2IJDOG7GTANmK4RKRuCHfwfuaez1kUX+yh+3 O4pKmBCwdq8UngpKTjJavktUjeCtJXV3cazjiHeireq6IuZ+cKUSzaaMbYj4/LWYGrGm Ib4p4l6OeihNeV+okomjB+l8qwdQeLZwLQ8SnSSmCCOoZn9rpSGg1/fepCiK/gQ4174M Ltow== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=THJOraiVv0uCtQt1waG8A1icDvTUH8J71myKCCEdGS4=; b=IoYZtKzx81rjSR9ZMX+wkaoVdfsd/BadGXGwVYvVw/mZNjhGAcXmAR5JCNQ51acEDU UPK6KQY49GXaWXasOonKyP5eEmmaxPPlS5ZUQYifu+rTgA7dOs4R9t+CsIrC2iAfJJeS f2Ct6+KQ9LJ/74gl48rybtJKBlV0a66dUp73KKTswnpVD394Hh/cJxyn78y6trHb3GFI uGD5uDbSnjHqAAxWRzV6sEjESJNU62GTfFbJNVCGnUE8sONkqIox2WulLROZC3FssSLP nH377y5M7Uw165YrMLtuiCtkphQSpQT8LKtsoU5oy09W9NPs/CH6ZBZqtYz/M5HAibaS Cv4A== X-Gm-Message-State: AOAM533GaVB8EjqZjs5SHXGNeE3QYgWTFXYSY/QU/KpImj5sxma55uPI VshQVDVFj8/Bwypn/YqdnPJegvj6NbzZ7g== X-Received: by 2002:a17:902:be06:b0:142:5a21:9e8a with SMTP id r6-20020a170902be0600b001425a219e8amr6259615pls.17.1637668436564; Tue, 23 Nov 2021 03:53:56 -0800 (PST) Received: from localhost.localdomain ([106.215.91.146]) by smtp.gmail.com with ESMTPSA id x6sm1115203pga.14.2021.11.23.03.53.54 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 23 Nov 2021 03:53:56 -0800 (PST) From: Ruchika Gupta To: u-boot@lists.denx.de, ilias.apalodimas@linaro.org, xypron.glpk@gmx.de, agraf@csgraf.de Cc: Ruchika Gupta Subject: [v2] [PATCH 3/3] efi_loader: Extend PCR's for firmware measurements Date: Tue, 23 Nov 2021 17:23:35 +0530 Message-Id: <20211123115335.125252-3-ruchika.gupta@linaro.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20211123115335.125252-1-ruchika.gupta@linaro.org> References: <20211123115335.125252-1-ruchika.gupta@linaro.org> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.37 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean Firmwares before U-Boot may be capable of doing tpm measurements and passing them to U-Boot in the form of eventlog. However there may be scenarios where the firmwares don't have TPM driver and are not capable of extending the measurements in the PCRs. Based on TCG spec, if previous firnware has extended PCR's, PCR0 would not be 0. So, read the PCR0 to determine if the PCR's need to be extended as eventlog is parsed or not. Signed-off-by: Ruchika Gupta Reviewed-by: Ilias Apalodimas Reviewed-by: Ilias Apalodimas --- v2 : Removed check for PCR0 in eventlog lib/efi_loader/efi_tcg2.c | 77 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index c3ebdf92f5..133fe8291a 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -199,6 +199,43 @@ static efi_status_t tcg2_pcr_extend(struct udevice *dev, u32 pcr_index, return EFI_SUCCESS; } +/* tcg2_pcr_read - Read PCRs for a TPM2 device for a given tpml_digest_values + * + * @dev: device + * @digest_list: list of digest algorithms to extend + * + * @Return: status code + */ +static efi_status_t tcg2_pcr_read(struct udevice *dev, u32 pcr_index, + struct tpml_digest_values *digest_list) +{ + struct tpm_chip_priv *priv; + unsigned int updates, pcr_select_min; + u32 rc; + size_t i; + + priv = dev_get_uclass_priv(dev); + if (!priv) + return EFI_DEVICE_ERROR; + + pcr_select_min = priv->pcr_select_min; + + for (i = 0; i < digest_list->count; i++) { + u16 hash_alg = digest_list->digests[i].hash_alg; + u8 *digest = (u8 *)&digest_list->digests[i].digest; + + rc = tpm2_pcr_read(dev, pcr_index, pcr_select_min, + hash_alg, digest, alg_to_len(hash_alg), + &updates); + if (rc) { + EFI_PRINT("Failed to read PCR\n"); + return EFI_DEVICE_ERROR; + } + } + + return EFI_SUCCESS; +} + /* put_event - Append an agile event to an eventlog * * @pcr_index: PCR index @@ -1427,6 +1464,8 @@ efi_status_t tcg2_get_fw_eventlog(struct udevice *dev, void *log_buffer, u32 pcr, pos; u64 base; u32 sz; + bool extend_pcr = false; + int i; ret = platform_get_eventlog(dev, &base, &sz); if (ret == EFI_SUCCESS) { @@ -1447,6 +1486,26 @@ efi_status_t tcg2_get_fw_eventlog(struct udevice *dev, void *log_buffer, return EFI_COMPROMISED_DATA; } + ret = tcg2_pcr_read(dev, 0, &digest_list); + if (ret) { + log_err("Error reading PCR 0\n"); + return ret; + } + + /* + * If PCR0 is 0, previous firmware didn't have the capability + * to extend the PCR. In this scenario, extend the PCR as + * the eventlog is parsed. + */ + for (i = 0; i < digest_list.count; i++) { + u8 buffer[TPM2_DIGEST_LEN] = { 0 }; + u16 hash_alg = digest_list.digests[i].hash_alg; + + if (!memcmp((u8 *)&digest_list.digests[i].digest, + buffer, alg_to_len(hash_alg))) + extend_pcr = true; + } + while (pos < sz) { ret = tcg2_parse_event(dev, buffer, sz, &pos, &digest_list, &pcr); @@ -1454,6 +1513,24 @@ efi_status_t tcg2_get_fw_eventlog(struct udevice *dev, void *log_buffer, log_err("Error parsing event\n"); return ret; } + + if (extend_pcr) { + ret = tcg2_pcr_extend(dev, pcr, &digest_list); + if (ret != EFI_SUCCESS) { + log_err("Error in extending PCR\n"); + return ret; + } + + /* Clear the digest for next event */ + for (i = 0; i < digest_list.count; i++) { + u16 hash_alg = + digest_list.digests[i].hash_alg; + u8 *digest = + (u8 *)&digest_list.digests[i].digest; + + memset(digest, 0, alg_to_len(hash_alg)); + } + } } memcpy(log_buffer, buffer, sz);