From patchwork Mon Nov 30 09:47:39 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ilias Apalodimas X-Patchwork-Id: 334709 Delivered-To: patch@linaro.org Received: by 2002:a92:5e16:0:0:0:0:0 with SMTP id s22csp4489354ilb; Mon, 30 Nov 2020 01:48:09 -0800 (PST) X-Google-Smtp-Source: ABdhPJw/gJxRhohn+88KB6VikuUYJcOuCg5d75zJzLVQ00RhsqJxLUiJeoPaH47Fr+l7RlelB24o X-Received: by 2002:a05:6402:1d9a:: with SMTP id dk26mr2948607edb.283.1606729689071; Mon, 30 Nov 2020 01:48:09 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1606729689; cv=none; d=google.com; s=arc-20160816; b=MNE1MK3p5isIpY3PvcN9DI0y4Mw7dOHJzU/yd/bgolt/FAvFduhEe2WYlZMHK12ZYV S/1lZLoanN1tATHF1PAZH2Qy6h3XKkt2hVRZ/ak00DB9kH9+nDPWqNr3udm7NZeTLAvS IbPoC6HA92TNsm/vI4f27cbgzJ9nSBjmriqe4AqeNY8a/f6BcLkosSap6CFxetkizCRz Zw8ac6blrVjdqA6+GazZ6jYHTI+9RY5fwU79h7Cjr5OptgIKMvbe12ccawCG3U5d+6pQ VRKBn8aGe0NeCcf51NgMN1dR1HtlMgshJHWOuPQ1tbv/krY6/UVkFaNMsIROWWE0SzNE 3DKg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=n7PrUqg/Akxa7wNaAdh1r9PAoYEZ2QaVZAcmCCQE1iY=; b=s53sg4Z3vlwdvKZWxVKtAmuDlwr7pko1719zfxp9y7d+egtwqnBnP8oOZISokcXWmm Er7ysTloyEeV1hnHOkcNoYSKNSr+08TtxHW1NyMd22SfmVCGyED1+dg7Uw8FnfVR9+Tl pCdXPk1TucYvUrtMjg3eHLvq/Bk+7IpxXJAeKodvtzUILKN4NMI1HONEfROtYYUxXQEw r10cUxuPErLQIWY4SbeY5msLC+yFy+UNFC0gpKjMpbjeZiFsIT8DYO1HUMQn6MO2UkXd RiAcym7ZHXt+Qb1bq9ygtYCEL288Pl+fr9GwwdHf9oDvM1HIPfYaEsnSUuITNPlMwJW9 navw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=Kmc04tUT; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [85.214.62.61]) by mx.google.com with ESMTPS id qh14si1753671ejb.442.2020.11.30.01.48.08 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 30 Nov 2020 01:48:09 -0800 (PST) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) client-ip=85.214.62.61; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=Kmc04tUT; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 8634B827C1; Mon, 30 Nov 2020 10:48:07 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="Kmc04tUT"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 6EEE78261F; Mon, 30 Nov 2020 10:47:51 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-wm1-x344.google.com (mail-wm1-x344.google.com [IPv6:2a00:1450:4864:20::344]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id BBC46825A8 for ; Mon, 30 Nov 2020 10:47:47 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=ilias.apalodimas@linaro.org Received: by mail-wm1-x344.google.com with SMTP id c198so17656658wmd.0 for ; Mon, 30 Nov 2020 01:47:47 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=n7PrUqg/Akxa7wNaAdh1r9PAoYEZ2QaVZAcmCCQE1iY=; b=Kmc04tUT4Cx1T3IFvTWMpZK4H7kS3FNs7XJwvInq9mSXMgWipi2r/CSlC6w/X6Lksp owX46eyIlw3ZhKxdg5IdIwno+agCSsy3cam4PtwUm13nN9SixypKFSKW+dmsJBlshOcb voTM4C1mIJGx6CGejYS0/ULJXGk7SLMRurt2elvxSRjANZrnsPsIx4ppZPJuFao/nINf H+1COCn28kUJ9CqvPbaZebFVvjq8NPGb+BZkr+4kbNs+4ioMDa83nSmsqdM0OQlHRXHr aXgA7U9rkyInrYWflrIIno/JVAtxPUrWRu9iqVtSXdeLzjVmXRBvxHLa5fksMMTQB5wP zKyA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=n7PrUqg/Akxa7wNaAdh1r9PAoYEZ2QaVZAcmCCQE1iY=; b=Liir5kIuJhpmZf12xtiU5PHLVqOtqDqtlFOHXK9jikGgNOY14ENjJsQzuNjOnkmDDm 82d8P565EL5PtU+9gm9VWeXTwqRBPwh3OGhq0J4+77g7JHbogDKQ1kTMTk36TcdB05G2 OHBCLRLC5zjhBA+7pGHPJoGIBWUtxbSAV99H5+ZO61qD+dU6WA3Rdzb6Qcc+SzKa9Cj6 5jS5hvBl0sQk73uYJZ+U/GBkWdBRxFyIwTzSxWvSPVJmoZsq8B1nXetCA8ZkO1ABh+ux 7Pc/gkwjL99qSkziac/RQMj03vkYLX6gwRc/8IsJ+/5P1fbBf4KSk21vIQ999UkwoWVT xTBg== X-Gm-Message-State: AOAM531kjV6MtUZx21wceXvlkUmuwrT0fx0+YGCRol1CPi1QrrzOnV1V 94//SHHy0ixuHoKW2ylkqIr0Hw== X-Received: by 2002:a1c:98c7:: with SMTP id a190mr502791wme.184.1606729667385; Mon, 30 Nov 2020 01:47:47 -0800 (PST) Received: from apalos.home ([2a02:587:4641:1e88:2e56:dcff:fe9a:8f06]) by smtp.gmail.com with ESMTPSA id b18sm28006795wrt.54.2020.11.30.01.47.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 30 Nov 2020 01:47:47 -0800 (PST) From: Ilias Apalodimas To: xypron.glpk@gmx.de Cc: ard.biesheuvel@arm.com, Ilias Apalodimas , Alexander Graf , Simon Glass , Dhananjay Phadke , Bin Meng , u-boot@lists.denx.de Subject: [PATCH 1/3 v2] tpm: Add tpm2 headers for TCG2 eventlog support Date: Mon, 30 Nov 2020 11:47:39 +0200 Message-Id: <20201130094742.2088573-2-ilias.apalodimas@linaro.org> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201130094742.2088573-1-ilias.apalodimas@linaro.org> References: <20201130094742.2088573-1-ilias.apalodimas@linaro.org> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.3 at phobos.denx.de X-Virus-Status: Clean A following patch introduces support for the EFI_TCG2_PROTOCOL eventlog management. Introduce the necessary tpm related headers Signed-off-by: Ilias Apalodimas --- include/tpm-v2.h | 82 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 82 insertions(+) -- 2.29.2 diff --git a/include/tpm-v2.h b/include/tpm-v2.h index f1826ff38589..fab6b86ca2fa 100644 --- a/include/tpm-v2.h +++ b/include/tpm-v2.h @@ -18,6 +18,12 @@ #define TPM2_DIGEST_LEN 32 +#define TPM2_SHA1_DIGEST_SIZE 20 +#define TPM2_SHA256_DIGEST_SIZE 32 +#define TPM2_SHA384_DIGEST_SIZE 48 +#define TPM2_SHA512_DIGEST_SIZE 64 +#define TPM2_SM3_256_DIGEST_SIZE 32 + #define TPM2_MAX_PCRS 32 #define TPM2_PCR_SELECT_MAX ((TPM2_MAX_PCRS + 7) / 8) #define TPM2_MAX_CAP_BUFFER 1024 @@ -45,6 +51,15 @@ #define TPM2_PT_MAX_COMMAND_SIZE (u32)(TPM2_PT_FIXED + 30) #define TPM2_PT_MAX_RESPONSE_SIZE (u32)(TPM2_PT_FIXED + 31) +/* event types */ +#define EV_POST_CODE ((u32)0x00000001) +#define EV_NO_ACTION ((u32)0x00000003) +#define EV_SEPARATOR ((u32)0x00000004) +#define EV_S_CRTM_CONTENTS ((u32)0x00000007) +#define EV_S_CRTM_VERSION ((u32)0x00000008) +#define EV_CPU_MICROCODE ((u32)0x00000009) +#define EV_TABLE_OF_DEVICES ((u32)0x0000000B) + /* TPMS_TAGGED_PROPERTY Structure */ struct tpms_tagged_property { u32 property; @@ -86,6 +101,73 @@ struct tpms_capability_data { union tpmu_capabilities data; } __packed; +/** + * SHA1 Event Log Entry Format + * + * @pcr_index: PCRIndex event extended to + * @event_type: Type of event (see EFI specs) + * @digest: Value extended into PCR index + * @event_size: Size of event + * @event: Event data + */ +struct tcg_pcr_event { + u32 pcr_index; + u32 event_type; + u8 digest[TPM2_SHA1_DIGEST_SIZE]; + u32 event_size; + u8 event[]; +} __packed; + +/** + * Definition of TPMU_HA Union + */ +union tmpu_ha { + u8 sha1[TPM2_SHA1_DIGEST_SIZE]; + u8 sha256[TPM2_SHA256_DIGEST_SIZE]; + u8 sm3_256[TPM2_SM3_256_DIGEST_SIZE]; + u8 sha384[TPM2_SHA384_DIGEST_SIZE]; + u8 sha512[TPM2_SHA512_DIGEST_SIZE]; +} __packed; + +/** + * Definition of TPMT_HA Structure + * + * @hash_alg: Hash algorithm defined in enum tpm2_algorithms + * @digest: Digest value for a given algorithm + */ +struct tpmt_ha { + u16 hash_alg; + union tmpu_ha digest; +} __packed; + +/** + * Definition of TPML_DIGEST_VALUES Structure + * + * @count: Number of algorithms supported by hardware + * @digests: struct for algorithm id and hash value + */ +struct tpml_digest_values { + u32 count; + struct tpmt_ha digests[TPM2_NUM_PCR_BANKS]; +} __packed; + +/** + * Crypto Agile Log Entry Format + * + * @pcr_index: PCRIndex event extended to + * @event_type: Type of event + * @digests: List of digestsextended to PCR index + * @event_size: Size of the event data + * @event: Event data + */ +struct tcg_pcr_event2 { + u32 pcr_index; + u32 event_type; + struct tpml_digest_values digests; + u32 event_size; + u8 event[]; +} __packed; + /** * TPM2 Structure Tags for command/response buffers. * From patchwork Mon Nov 30 09:47:40 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ilias Apalodimas X-Patchwork-Id: 334711 Delivered-To: patch@linaro.org Received: by 2002:a92:5e16:0:0:0:0:0 with SMTP id s22csp4489544ilb; Mon, 30 Nov 2020 01:48:31 -0800 (PST) X-Google-Smtp-Source: ABdhPJxKGFrYKojvJdqJlRXZFmOEUfFpZFx3pWWcRgujUmHXF4ebfjxxw22alpNuUgtuTpKiyZHM X-Received: by 2002:a17:906:28d4:: with SMTP id p20mr12284878ejd.322.1606729711622; Mon, 30 Nov 2020 01:48:31 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1606729711; cv=none; d=google.com; s=arc-20160816; b=wvSCdh/zZUx4AUgdRkiVkRyPiR9HZ1ye4ZLvzT3EpbS9qjznOnhw0VPOZ1UsRcdYoW wAtqg2x7XDDunGZrBqMIwrW53Tsu2MzAtTQmFdLTXwzZXh6t12BCMzlDXroQ764+ABbI Ym6KPL/naY33pc8URKhcL1WGmBzqksMXAcKKjovepGpU3PqPNf1gx5EYFqm1aMKfkvDS Km579RSpDXDJWgfmLKyKcCWVyhbLh3+aUhBx0p1VybuWyq2ceHrmWPQt4PGxUmVFYpf6 4xa9gfwxou8s2FsjrmOjfYtQ/KbwbqZqilREFIX7STCHKCeUG+SlipHq+Ub3GRNXBdnw vdog== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=xF2ioaIIdQO/9B2ynG7SzMi5ybr892lPbitG+1uslMw=; b=zywiMjCViZmfhBfxsFvQyzlJ41PWB74BCP2R7YgKdm5r+8HzhI8LLNOK7A5nKGmOVs f9b1iSUN7LLne6snvSftsA/AtyCRWdKoNOQ6mY/ekr2yU8nPeCedEuK4rC5aqSUg6S6j SQ0tOhBfCFZoNf4miMw4dK6jPfWl4iLu9kwkCYEAtxwWyFcAdYYV/IjMCI9JtlXCHcwA 2uYKXqzmBFFNPOuO2oZeF9l4RoY7tmnscalWk10cbKy4HN0iRFVohKhh7HwxqO6Y/5tZ 0GpgsY7tICuyz9x7XBH1i3knH/NYoR8AVnogS+d2de6r75Z78JIQVXaIztQZaUMP+jo7 bifA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=hddv67Jd; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [2a01:238:438b:c500:173d:9f52:ddab:ee01]) by mx.google.com with ESMTPS id g12si4554309ejd.532.2020.11.30.01.48.31 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 30 Nov 2020 01:48:31 -0800 (PST) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=hddv67Jd; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 262DE827D4; Mon, 30 Nov 2020 10:48:16 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="hddv67Jd"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 461B5825A8; Mon, 30 Nov 2020 10:47:59 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-wr1-x42b.google.com (mail-wr1-x42b.google.com [IPv6:2a00:1450:4864:20::42b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id C8F4B825A5 for ; Mon, 30 Nov 2020 10:47:49 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=ilias.apalodimas@linaro.org Received: by mail-wr1-x42b.google.com with SMTP id g14so15165885wrm.13 for ; Mon, 30 Nov 2020 01:47:49 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=xF2ioaIIdQO/9B2ynG7SzMi5ybr892lPbitG+1uslMw=; b=hddv67JdxkK5zIxUYv8JxRoo2UwfAGEl859DN6w3v14a9tKxFeITm9sAMRuU5SYaTg n/WDEAxfwIJU5P4hjT9zwxhL3kW/XYBM+xGX+tEYPoj7o2WjwqegkVkX4hsQd19Tr3RE I5OCG+PUII+3xy4k181u147RVvEdIFPqXTxEdNlwdFlKJnGYBef81VuaqE8scsorcqVJ rIu6c1nFWy8Q8gv/h2Q4OWD5ih6WxdsQhdnjLRXU6jtdgxJFbNXctjnMoTv+bVtJ+dbM dejl1Sc+jZKqB5ACDJSzKcL5OhhKuwp+VlWu67YMTgVeWiwh54kj8giLItVZsSyuXv8y GsHw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=xF2ioaIIdQO/9B2ynG7SzMi5ybr892lPbitG+1uslMw=; b=tuQ7qr56IQmZf3twKL42k047KhX19zMSipdK4rvURZu0tusiQuJrokUlq3qtu38/DW /ur3O+SOYUmBWt7kuyDxE+QjEUOMzBW/7baGwYMTWR/hR7z5tS4RSMG/4e9nsqc/+WGc S77FHYrdzoUktN1LHYoYJjHeRu413aPPOML3yS7BisrbhkS3pI4mQsgu5VeK9OnKo3a1 2ZZnH9dxcj9hDdeLk8tiI9STt0Ph2UYRtdFGD6g3L51abV+OD56n0bD0LKD3U1c/TQqc Xv5reZzjmzup/fS07hDrOaYyuv5qXYdWCRBupq4HQ8/CDRWZlYVEe3AboeD32srU2wQo AIOQ== X-Gm-Message-State: AOAM532bXzVWvGe0eH4uytyFQJbcPElzY8xy/LZtzdR6sUsfx9lr2Bam dEjll6+bASdrWNaWteqW+qI/pA== X-Received: by 2002:adf:fa05:: with SMTP id m5mr26805042wrr.26.1606729669298; Mon, 30 Nov 2020 01:47:49 -0800 (PST) Received: from apalos.home ([2a02:587:4641:1e88:2e56:dcff:fe9a:8f06]) by smtp.gmail.com with ESMTPSA id b18sm28006795wrt.54.2020.11.30.01.47.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 30 Nov 2020 01:47:48 -0800 (PST) From: Ilias Apalodimas To: xypron.glpk@gmx.de Cc: ard.biesheuvel@arm.com, Ilias Apalodimas , Alexander Graf , Simon Glass , Bin Meng , Dhananjay Phadke , u-boot@lists.denx.de Subject: [PATCH 2/3 v2] efi_loader: Introduce eventlog support for TCG2_PROTOCOL Date: Mon, 30 Nov 2020 11:47:40 +0200 Message-Id: <20201130094742.2088573-3-ilias.apalodimas@linaro.org> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201130094742.2088573-1-ilias.apalodimas@linaro.org> References: <20201130094742.2088573-1-ilias.apalodimas@linaro.org> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.3 at phobos.denx.de X-Virus-Status: Clean In the previous patches we only introduced a minimal subset of the EFI_TCG2_PROTOCOL protocol implementing GetCapability(). So let's continue adding features to it, introducing the GetEventLog() and HashLogExtendEvent() functions. In order to do that we first need to construct the eventlog in memory, specifically in EFI_BOOT_SERVICES_DATA memory and a configuration table from EFI_ACPI_MEMORY_NVS. U-Boot won't currently add any events to the log or measure any components, but will expose the necessary EFI APIs for applications to do so. Signed-off-by: Ilias Apalodimas --- include/efi_api.h | 4 + include/efi_tcg2.h | 71 ++++- lib/efi_loader/Kconfig | 9 + lib/efi_loader/efi_setup.c | 12 +- lib/efi_loader/efi_tcg2.c | 553 +++++++++++++++++++++++++++++++++++-- 5 files changed, 625 insertions(+), 24 deletions(-) -- 2.29.2 diff --git a/include/efi_api.h b/include/efi_api.h index 5744f6aed86d..364c578a3b1b 100644 --- a/include/efi_api.h +++ b/include/efi_api.h @@ -356,6 +356,10 @@ struct efi_runtime_services { EFI_GUID(0x4006c0c1, 0xfcb3, 0x403e, \ 0x99, 0x6d, 0x4a, 0x6c, 0x87, 0x24, 0xe0, 0x6d) +#define EFI_TCG2_FINAL_EVENTS_TABLE_GUID \ + EFI_GUID(0x1e2ed096, 0x30e2, 0x4254, 0xbd, \ + 0x89, 0x86, 0x3b, 0xbe, 0xf8, 0x23, 0x25) + struct efi_configuration_table { efi_guid_t guid; void *table; diff --git a/include/efi_tcg2.h b/include/efi_tcg2.h index 86b8fe4c01af..40e241ce315c 100644 --- a/include/efi_tcg2.h +++ b/include/efi_tcg2.h @@ -17,6 +17,8 @@ /* TPMV2 only */ #define TCG2_EVENT_LOG_FORMAT_TCG_2 0x00000002 +#define EFI_TCG2_EXTEND_ONLY 0x0000000000000001 +#define PE_COFF_IMAGE 0x0000000000000010 /* Algorithm Registry */ #define EFI_TCG2_BOOT_HASH_ALG_SHA1 0x00000001 @@ -25,6 +27,10 @@ #define EFI_TCG2_BOOT_HASH_ALG_SHA512 0x00000008 #define EFI_TCG2_BOOT_HASH_ALG_SM3_256 0x00000010 +#define EFI_TCG2_FINAL_EVENTS_TABLE_VERSION 1 + +#define TPM2_EVENT_LOG_SIZE CONFIG_EFI_TCG2_PROTOCOL_EVENTLOG_SIZE + typedef u32 efi_tcg_event_log_bitmap; typedef u32 efi_tcg_event_log_format; typedef u32 efi_tcg_event_algorithm_bitmap; @@ -65,6 +71,68 @@ struct efi_tcg2_boot_service_capability { sizeof(struct efi_tcg2_boot_service_capability) - \ offsetof(struct efi_tcg2_boot_service_capability, number_of_pcr_banks) +#define TCG_EFI_SPEC_ID_EVENT_SIGNATURE_03 "Spec ID Event03" +#define TCG_EFI_SPEC_ID_EVENT_SPEC_VERSION_MAJOR_TPM2 2 +#define TCG_EFI_SPEC_ID_EVENT_SPEC_VERSION_MINOR_TPM2 0 +#define TCG_EFI_SPEC_ID_EVENT_SPEC_VERSION_ERRATA_TPM2 2 + +/** + * struct TCG_EfiSpecIdEventAlgorithmSize + * + * @algorithm_id: algorithm defined in enum tpm2_algorithms + * @digest_size: size of the algorithm + */ +struct tcg_efi_spec_id_event_algorithm_size { + u16 algorithm_id; + u16 digest_size; +} __packed; + +/** + * struct TCG_EfiSpecIDEventStruct + * + * @signature: signature, set to Spec ID Event03 + * @platform_class: class defined in TCG ACPI Specification + * Client Common Header. + * @spec_version_minor: minor version + * @spec_version_major: major version + * @spec_version_errata: major version + * @uintn_size: size of the efi_uintn_t fields used in various + * data structures used in this specification. + * 0x01 indicates u32 and 0x02 indicates u64 + * @number_of_algorithms: hashing algorithms used in this event log + * @digest_sizes: array of number_of_algorithms pairs + * 1st member defines the algorithm id + * 2nd member defines the algorithm size + * @vendor_info_size: size in bytes for vendor specific info + * @vendor_info: vendor specific info + */ +struct tcg_efi_spec_id_event { + u8 signature[16]; + u32 platform_class; + u8 spec_version_minor; + u8 spec_version_major; + u8 spec_errata; + u8 uintn_size; + u32 number_of_algorithms; + struct tcg_efi_spec_id_event_algorithm_size digest_sizes[TPM2_NUM_PCR_BANKS]; + u8 vendor_info_size; + /* U-Boot does not provide any vendor info */ + u8 vendor_info[]; +} __packed; + +/** + * struct tdEFI_TCG2_FINAL_EVENTS_TABLE + * @version: version number for this structure + * @number_of_events: number of events recorded after invocation of + * GetEventLog() + * @event: List of events of type tcg_pcr_event2 + */ +struct efi_tcg2_final_events_table { + u64 version; + u64 number_of_events; + struct tcg_pcr_event2 event[]; +}; + struct efi_tcg2_protocol { efi_status_t (EFIAPI * get_capability)(struct efi_tcg2_protocol *this, struct efi_tcg2_boot_service_capability *capability); @@ -73,7 +141,8 @@ struct efi_tcg2_protocol { u64 *event_log_location, u64 *event_log_last_entry, bool *event_log_truncated); efi_status_t (EFIAPI * hash_log_extend_event)(struct efi_tcg2_protocol *this, - u64 flags, u64 data_to_hash, + u64 flags, + efi_physical_addr_t data_to_hash, u64 data_to_hash_len, struct efi_tcg2_event *efi_tcg_event); efi_status_t (EFIAPI * submit_command)(struct efi_tcg2_protocol *this, diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 29ea14b2ee2a..42970b652641 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -191,6 +191,15 @@ config EFI_TCG2_PROTOCOL Provide a EFI_TCG2_PROTOCOL implementation using the TPM hardware of the platform. +config EFI_TCG2_PROTOCOL_EVENTLOG_SIZE + int "EFI_TCG2_PROTOCOL EventLog size" + depends on EFI_TCG2_PROTOCOL + default 4096 + help + Define the size of the EventLog for EFI_TCG2_PROTOCOL. Note that + this is going to be allocated twice. One for the eventlog it self + and one for the configuration table that is required from the spec + config EFI_LOAD_FILE2_INITRD bool "EFI_FILE_LOAD2_PROTOCOL for Linux initial ramdisk" default n diff --git a/lib/efi_loader/efi_setup.c b/lib/efi_loader/efi_setup.c index e206b60bb82c..2bb2c3c7aafa 100644 --- a/lib/efi_loader/efi_setup.c +++ b/lib/efi_loader/efi_setup.c @@ -157,12 +157,6 @@ efi_status_t efi_init_obj_list(void) goto out; } - if (IS_ENABLED(CONFIG_EFI_TCG2_PROTOCOL)) { - ret = efi_tcg2_register(); - if (ret != EFI_SUCCESS) - goto out; - } - /* Initialize variable services */ ret = efi_init_variables(); if (ret != EFI_SUCCESS) @@ -189,6 +183,12 @@ efi_status_t efi_init_obj_list(void) if (ret != EFI_SUCCESS) goto out; + if (IS_ENABLED(CONFIG_EFI_TCG2_PROTOCOL)) { + ret = efi_tcg2_register(); + if (ret != EFI_SUCCESS) + goto out; + } + /* Secure boot */ ret = efi_init_secure_boot(); if (ret != EFI_SUCCESS) diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index 62f2f9427b6e..b0ed76f6653d 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -14,11 +14,24 @@ #include #include #include +#include +#include +#include #include #include +#include + +struct event_log_buffer { + void *buffer; + void *final_buffer; + size_t pos; /* eventlog position */ + size_t final_pos; /* final events config table position */ + size_t last_event_size; + bool get_event_called; + bool truncated; +}; -DECLARE_GLOBAL_DATA_PTR; - +static struct event_log_buffer event_log; /* * When requesting TPM2_CAP_TPM_PROPERTIES the value is on a standard offset. * Since the current tpm2_get_capability() response buffers starts at @@ -30,33 +43,40 @@ DECLARE_GLOBAL_DATA_PTR; #define properties_offset (offsetof(struct tpml_tagged_tpm_property, tpm_property) + \ offsetof(struct tpms_tagged_property, value)) -struct { +static const efi_guid_t efi_guid_tcg2_protocol = EFI_TCG2_PROTOCOL_GUID; +static const efi_guid_t efi_guid_final_events = EFI_TCG2_FINAL_EVENTS_TABLE_GUID; + +struct digest_info { u16 hash_alg; u32 hash_mask; -} hash_algo_list[] = { + u16 hash_len; +}; + +const static struct digest_info hash_algo_list[] = { { TPM2_ALG_SHA1, EFI_TCG2_BOOT_HASH_ALG_SHA1, + TPM2_SHA1_DIGEST_SIZE, }, { TPM2_ALG_SHA256, EFI_TCG2_BOOT_HASH_ALG_SHA256, + TPM2_SHA256_DIGEST_SIZE, }, { TPM2_ALG_SHA384, EFI_TCG2_BOOT_HASH_ALG_SHA384, + TPM2_SHA384_DIGEST_SIZE, }, { TPM2_ALG_SHA512, EFI_TCG2_BOOT_HASH_ALG_SHA512, - }, - { - TPM2_ALG_SM3_256, - EFI_TCG2_BOOT_HASH_ALG_SM3_256, + TPM2_SHA512_DIGEST_SIZE, }, }; #define MAX_HASH_COUNT ARRAY_SIZE(hash_algo_list) + /** * alg_to_mask - Get a TCG hash mask for algorithms * @@ -76,7 +96,146 @@ static u32 alg_to_mask(u16 hash_alg) return 0; } -const efi_guid_t efi_guid_tcg2_protocol = EFI_TCG2_PROTOCOL_GUID; +/** + * alg_to_len - Get a TCG hash len for algorithms + * + * @hash_alg: TCG defined algorithm + * + * @Return: len of chosen algorithm, 0 if the algorithm is not supported + */ +static u16 alg_to_len(u16 hash_alg) +{ + int i; + + for (i = 0; i < MAX_HASH_COUNT; i++) { + if (hash_algo_list[i].hash_alg == hash_alg) + return hash_algo_list[i].hash_len; + } + + return 0; +} + +static u32 tcg_event_final_size(struct tpml_digest_values *digest_list) +{ + u32 len; + int i; + + len = offsetof(struct tcg_pcr_event2, digests); + len += offsetof(struct tpml_digest_values, digests); + for (i = 0; i < digest_list->count; i++) { + u16 hash_alg = digest_list->digests[i].hash_alg; + + len += offsetof(struct tpmt_ha, digest); + len += alg_to_len(hash_alg); + } + len += sizeof(u32); /* tcg_pcr_event2 event_size*/ + + return len; +} + +/* tcg2_pcr_extend - Extend PCRs for a TPM2 device for a given tpml_digest_values + * + * @dev: device + * @digest_list: list of digest algorithms to extend + * + * @Return: status code + */ +static efi_status_t tcg2_pcr_extend(struct udevice *dev, u32 pcr_index, + struct tpml_digest_values *digest_list) +{ + u32 rc; + int i; + + for (i = 0; i < digest_list->count; i++) { + u32 alg = digest_list->digests[i].hash_alg; + + rc = tpm2_pcr_extend(dev, pcr_index, alg, + (u8 *)&digest_list->digests[i].digest, + alg_to_len(alg)); + if (rc) { + EFI_PRINT("Failed to extend PCR\n"); + return EFI_DEVICE_ERROR; + } + } + + return EFI_SUCCESS; +} + +/* tcg2_agile_log_append - Append an agile event to out eventlog + * + * @pcr_index: PCR index + * @event_type: type of event added + * @digest_list: list of digest algorithms to add + * @size: size of event + * @event: event to add + * + * @Return: status code + */ +static efi_status_t tcg2_agile_log_append(u32 pcr_index, u32 event_type, + struct tpml_digest_values *digest_list, + u32 size, u8 event[]) +{ + void *log = event_log.buffer + event_log.pos; + size_t pos; + int i; + u32 event_size; + + if (event_log.get_event_called) + log = event_log.final_buffer + event_log.final_pos; + + /* + * size refers to the length of event[] only, we need to check against + * the final tcg_pcr_event2 size + */ + event_size = size + tcg_event_final_size(digest_list); + if (event_log.pos + event_size > TPM2_EVENT_LOG_SIZE || + event_log.final_pos + event_size > TPM2_EVENT_LOG_SIZE) { + event_log.truncated = true; + return EFI_VOLUME_FULL; + } + + put_unaligned_le32(pcr_index, log); + pos = offsetof(struct tcg_pcr_event2, event_type); + put_unaligned_le32(event_type, log + pos); + pos = offsetof(struct tcg_pcr_event2, digests); /* count */ + put_unaligned_le32(digest_list->count, log + pos); + + pos += offsetof(struct tpml_digest_values, digests); + for (i = 0; i < digest_list->count; i++) { + u16 hash_alg = digest_list->digests[i].hash_alg; + u8 *digest = (u8 *)&digest_list->digests[i].digest; + + put_unaligned_le16(hash_alg, log + pos); + pos += offsetof(struct tpmt_ha, digest); + memcpy(log + pos, digest, alg_to_len(hash_alg)); + pos += alg_to_len(hash_alg); + } + + put_unaligned_le32(size, log + pos); + pos += sizeof(u32); /* tcg_pcr_event2 event_size*/ + memcpy(log + pos, event, size); + pos += size; + + /* make sure the calculated buffer is what we checked against */ + if (pos != event_size) + return EFI_INVALID_PARAMETER; + + /* if GetEventLog hasn't been called update the normal log */ + if (!event_log.get_event_called) { + event_log.pos += pos; + event_log.last_event_size = pos; + } else { + /* if GetEventLog has been called update config table log */ + struct efi_tcg2_final_events_table *final_event; + + final_event = + (struct efi_tcg2_final_events_table *)(event_log.final_buffer); + final_event->number_of_events++; + event_log.final_pos += pos; + } + + return EFI_SUCCESS; +} /** * platform_get_tpm_device() - retrieve TPM device @@ -208,7 +367,7 @@ static int tpm2_get_num_pcr(struct udevice *dev, u32 *num_pcr) * * Return: true if PCR is active */ -bool is_active_pcr(struct tpms_pcr_selection *selection) +static bool is_active_pcr(struct tpms_pcr_selection *selection) { int i; /* @@ -308,6 +467,103 @@ out: return -1; } +/** + * __get_active_pcr_banks() - returns the currently active PCR banks + * + * @active_pcr_banks: pointer for receiving the bitmap of currently + * active PCR banks + * + * Return: status code + */ +static efi_status_t __get_active_pcr_banks(u32 *active_pcr_banks) +{ + struct udevice *dev; + u32 active, supported, pcr_banks; + efi_status_t ret; + int err; + + ret = platform_get_tpm2_device(&dev); + if (ret != EFI_SUCCESS) + goto out; + + err = tpm2_get_pcr_info(dev, &supported, &active, &pcr_banks); + if (err) { + ret = EFI_DEVICE_ERROR; + goto out; + } + + *active_pcr_banks = active; + +out: + return ret; +} + +/* tcg2_create_digest - create a list of digests of the supported PCR banks + * for a given memory range + * + * @input: input memory + * @length: length of buffer to calculate the digest + * @digest_list: list of digests to fill in + * + * Return: status code + */ +static efi_status_t tcg2_create_digest(const u8 *input, u32 length, + struct tpml_digest_values *digest_list) +{ + sha1_context ctx; + sha256_context ctx_256; + sha512_context ctx_512; + u8 final[TPM2_ALG_SHA512]; + efi_status_t ret; + u32 active; + int i; + + ret = __get_active_pcr_banks(&active); + if (ret != EFI_SUCCESS) + return ret; + + digest_list->count = 0; + for (i = 0; i < MAX_HASH_COUNT; i++) { + u16 hash_alg = hash_algo_list[i].hash_alg; + + if (!(active & alg_to_mask(hash_alg))) + continue; + switch (hash_alg) { + case TPM2_ALG_SHA1: + sha1_starts(&ctx); + sha1_update(&ctx, input, length); + sha1_finish(&ctx, final); + digest_list->count++; + break; + case TPM2_ALG_SHA256: + sha256_starts(&ctx_256); + sha256_update(&ctx_256, input, length); + sha256_finish(&ctx_256, final); + digest_list->count++; + break; + case TPM2_ALG_SHA384: + sha384_starts(&ctx_512); + sha384_update(&ctx_512, input, length); + sha384_finish(&ctx_512, final); + digest_list->count++; + break; + case TPM2_ALG_SHA512: + sha512_starts(&ctx_512); + sha512_update(&ctx_512, input, length); + sha512_finish(&ctx_512, final); + digest_list->count++; + break; + default: + EFI_PRINT("Unsupported algorithm %x\n", hash_alg); + return EFI_INVALID_PARAMETER; + } + digest_list->digests[i].hash_alg = hash_alg; + memcpy(&digest_list->digests[i].digest, final, (u32)alg_to_len(hash_alg)); + } + + return EFI_SUCCESS; +} + /** * efi_tcg2_get_capability() - protocol capability information and state information * @@ -427,7 +683,28 @@ efi_tcg2_get_eventlog(struct efi_tcg2_protocol *this, u64 *event_log_location, u64 *event_log_last_entry, bool *event_log_truncated) { - return EFI_UNSUPPORTED; + efi_status_t ret = EFI_SUCCESS; + struct udevice *dev; + + EFI_ENTRY("%p, %u, %p, %p, %p", this, log_format, event_log_location, + event_log_last_entry, event_log_truncated); + + ret = platform_get_tpm2_device(&dev); + if (ret != EFI_SUCCESS) { + event_log_location = NULL; + event_log_last_entry = NULL; + *event_log_truncated = false; + ret = EFI_SUCCESS; + goto out; + } + *event_log_location = (uintptr_t)event_log.buffer; + *event_log_last_entry = (uintptr_t)(event_log.buffer + event_log.pos - + event_log.last_event_size); + *event_log_truncated = event_log.truncated; + event_log.get_event_called = true; + +out: + return EFI_EXIT(ret); } /** @@ -450,7 +727,76 @@ efi_tcg2_hash_log_extend_event(struct efi_tcg2_protocol *this, u64 flags, u64 data_to_hash, u64 data_to_hash_len, struct efi_tcg2_event *efi_tcg_event) { - return EFI_UNSUPPORTED; + struct udevice *dev; + efi_status_t ret; + u32 event_type, pcr_index, event_size; + struct tpml_digest_values digest_list; + + EFI_ENTRY("%p, %llu, %llu, %llu, %p", this, flags, data_to_hash, + data_to_hash_len, efi_tcg_event); + + if (!this || !data_to_hash || !efi_tcg_event) { + ret = EFI_INVALID_PARAMETER; + goto out; + } + + ret = platform_get_tpm2_device(&dev); + if (ret != EFI_SUCCESS) + goto out; + + if (efi_tcg_event->size < efi_tcg_event->header.header_size + + sizeof(u32)) { + ret = EFI_INVALID_PARAMETER; + goto out; + } + + if (efi_tcg_event->header.pcr_index < 0 || + efi_tcg_event->header.pcr_index > TPM2_MAX_PCRS) { + ret = EFI_INVALID_PARAMETER; + goto out; + } + + /* + * if PE_COFF_IMAGE is set we need to make sure the image is not + * corrupted, verify it and hash the PE/COFF image in accordance with + * the procedure specified in "Calculating the PE Image Hash" + * section of the "Windows Authenticode Portable Executable Signature + * Format" + * Not supported for now + */ + if (flags & PE_COFF_IMAGE) { + ret = EFI_UNSUPPORTED; + goto out; + } + + pcr_index = efi_tcg_event->header.pcr_index; + event_type = efi_tcg_event->header.event_type; + + ret = tcg2_create_digest((u8 *)data_to_hash, data_to_hash_len, + &digest_list); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_pcr_extend(dev, pcr_index, &digest_list); + if (ret != EFI_SUCCESS) + goto out; + + if (flags & EFI_TCG2_EXTEND_ONLY) { + if (event_log.truncated) + ret = EFI_VOLUME_FULL; + goto out; + } + + /* + * The efi_tcg_event size includes the size component and the + * headersize + */ + event_size = efi_tcg_event->size - sizeof(efi_tcg_event->size) - + efi_tcg_event->header.header_size; + ret = tcg2_agile_log_append(pcr_index, event_type, &digest_list, + event_size, efi_tcg_event->event); +out: + return EFI_EXIT(ret); } /** @@ -464,7 +810,7 @@ efi_tcg2_hash_log_extend_event(struct efi_tcg2_protocol *this, u64 flags, * * Return: status code */ -efi_status_t EFIAPI +static efi_status_t EFIAPI efi_tcg2_submit_command(struct efi_tcg2_protocol *this, u32 input_param_block_size, u8 *input_param_block, u32 output_param_block_size, u8 *output_param_block) @@ -481,11 +827,16 @@ efi_tcg2_submit_command(struct efi_tcg2_protocol *this, * * Return: status code */ -efi_status_t EFIAPI +static efi_status_t EFIAPI efi_tcg2_get_active_pcr_banks(struct efi_tcg2_protocol *this, u32 *active_pcr_banks) { - return EFI_UNSUPPORTED; + efi_status_t ret; + + EFI_ENTRY("%p, %p", this, active_pcr_banks); + ret = __get_active_pcr_banks(active_pcr_banks); + + return EFI_EXIT(ret); } /** @@ -496,7 +847,7 @@ efi_tcg2_get_active_pcr_banks(struct efi_tcg2_protocol *this, * * Return: status code */ -efi_status_t EFIAPI +static efi_status_t EFIAPI efi_tcg2_set_active_pcr_banks(struct efi_tcg2_protocol *this, u32 active_pcr_banks) { @@ -515,7 +866,7 @@ efi_tcg2_set_active_pcr_banks(struct efi_tcg2_protocol *this, * * Return: status code */ -efi_status_t EFIAPI +static efi_status_t EFIAPI efi_tcg2_get_result_of_set_active_pcr_banks(struct efi_tcg2_protocol *this, u32 *operation_present, u32 *response) { @@ -532,6 +883,169 @@ static const struct efi_tcg2_protocol efi_tcg2_protocol = { .get_result_of_set_active_pcr_banks = efi_tcg2_get_result_of_set_active_pcr_banks, }; +/** + * create_specid_event() - Create the first event in the eventlog + * + * @dev: tpm device + * @event_header: Pointer to the final event header + * @event_size: final spec event size + * + * Return: status code + */ +static efi_status_t create_specid_event(struct udevice *dev, void *buffer, + size_t *event_size) +{ + struct tcg_efi_spec_id_event *spec_event; + size_t spec_event_size; + efi_status_t ret = EFI_DEVICE_ERROR; + u32 active, supported; + int err, i; + + /* + * Create Spec event. This needs to be the first event in the log + * according to the TCG EFI protocol spec + */ + + /* Setup specID event data */ + spec_event = (struct tcg_efi_spec_id_event *)buffer; + memcpy(spec_event->signature, TCG_EFI_SPEC_ID_EVENT_SIGNATURE_03, + sizeof(spec_event->signature)); + put_unaligned_le32(0, &spec_event->platform_class); /* type client */ + spec_event->spec_version_minor = + TCG_EFI_SPEC_ID_EVENT_SPEC_VERSION_MINOR_TPM2; + spec_event->spec_version_major = + TCG_EFI_SPEC_ID_EVENT_SPEC_VERSION_MAJOR_TPM2; + spec_event->spec_errata = + TCG_EFI_SPEC_ID_EVENT_SPEC_VERSION_ERRATA_TPM2; + spec_event->uintn_size = sizeof(efi_uintn_t) / sizeof(u32); + + err = tpm2_get_pcr_info(dev, &supported, &active, + &spec_event->number_of_algorithms); + if (err) + goto out; + if (spec_event->number_of_algorithms > MAX_HASH_COUNT || + spec_event->number_of_algorithms < 1) + goto out; + + for (i = 0; i < spec_event->number_of_algorithms; i++) { + u16 hash_alg = hash_algo_list[i].hash_alg; + u16 hash_len = hash_algo_list[i].hash_len; + + if (active && alg_to_mask(hash_alg)) { + put_unaligned_le16(hash_alg, + &spec_event->digest_sizes[i].algorithm_id); + put_unaligned_le16(hash_len, + &spec_event->digest_sizes[i].digest_size); + } + } + /* + * the size of the spec event and placement of vendor_info_size + * depends on supported algoriths + */ + spec_event_size = + offsetof(struct tcg_efi_spec_id_event, digest_sizes) + + spec_event->number_of_algorithms * sizeof(spec_event->digest_sizes[0]); + /* no vendor info for us */ + memset(buffer + spec_event_size, 0, + sizeof(spec_event->vendor_info_size)); + spec_event_size += sizeof(spec_event->vendor_info_size); + *event_size = spec_event_size; + + return EFI_SUCCESS; + +out: + return ret; +} + +/** + * create_final_event() - Create the final event and install the config + * defined by the TCG EFI spec + */ +static efi_status_t create_final_event(void) +{ + struct efi_tcg2_final_events_table *final_event; + efi_status_t ret; + + /* + * All events generated after the invocation of + * EFI_TCG2_GET_EVENT_LOGS need to be stored in an instance of an + * EFI_CONFIGURATION_TABLE + */ + ret = efi_allocate_pool(EFI_ACPI_MEMORY_NVS, TPM2_EVENT_LOG_SIZE, + &event_log.final_buffer); + if (ret != EFI_SUCCESS) + goto out; + + memset(event_log.final_buffer, 0xff, TPM2_EVENT_LOG_SIZE); + final_event = event_log.final_buffer; + final_event->number_of_events = 0; + final_event->version = EFI_TCG2_FINAL_EVENTS_TABLE_VERSION; + event_log.final_pos = sizeof(*final_event); + ret = efi_install_configuration_table(&efi_guid_final_events, + final_event); + if (ret != EFI_SUCCESS) + goto out; + + return EFI_SUCCESS; +out: + return ret; +} + +/** + * efi_init_event_log() - initialize an eventlog + */ +static efi_status_t efi_init_event_log(void) +{ + /* + * vendor_info_size is currently set to 0, we need to change the length + * and allocate the flexible array member if this changes + */ + struct tcg_pcr_event *event_header = NULL; + struct udevice *dev; + size_t spec_event_size; + efi_status_t ret; + + ret = platform_get_tpm2_device(&dev); + if (ret != EFI_SUCCESS) + goto out; + + ret = efi_allocate_pool(EFI_BOOT_SERVICES_DATA, TPM2_EVENT_LOG_SIZE, + (void **)&event_log.buffer); + if (ret != EFI_SUCCESS) + goto out; + + /* + * initialize log area as 0xff so the OS can easily figure out the + * last log entry + */ + memset(event_log.buffer, 0xff, TPM2_EVENT_LOG_SIZE); + event_log.pos = 0; + event_log.last_event_size = 0; + event_log.get_event_called = false; + event_log.truncated = false; + + /* + * The log header is defined to be in SHA1 event log entry format. + * Setup event header + */ + event_header = (struct tcg_pcr_event *)event_log.buffer; + put_unaligned_le32(0, &event_header->pcr_index); + put_unaligned_le32(EV_NO_ACTION, &event_header->event_type); + memset(&event_header->digest, 0, sizeof(event_header->digest)); + ret = create_specid_event(dev, event_log.buffer + sizeof(*event_header), + &spec_event_size); + if (ret != EFI_SUCCESS) + goto out; + put_unaligned_le32(spec_event_size, &event_header->event_size); + event_log.pos = spec_event_size + sizeof(*event_header); + event_log.last_event_size = event_log.pos; + + ret = create_final_event(); + +out: + return ret; +} + /** * efi_tcg2_register() - register EFI_TCG2_PROTOCOL * @@ -549,6 +1063,11 @@ efi_status_t efi_tcg2_register(void) log_warning("Unable to find TPMv2 device\n"); return EFI_SUCCESS; } + + ret = efi_init_event_log(); + if (ret != EFI_SUCCESS) + return ret; + ret = efi_add_protocol(efi_root, &efi_guid_tcg2_protocol, (void *)&efi_tcg2_protocol); if (ret != EFI_SUCCESS) From patchwork Mon Nov 30 09:47:41 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ilias Apalodimas X-Patchwork-Id: 334710 Delivered-To: patch@linaro.org Received: by 2002:a92:5e16:0:0:0:0:0 with SMTP id s22csp4489467ilb; Mon, 30 Nov 2020 01:48:21 -0800 (PST) X-Google-Smtp-Source: ABdhPJwTcDTdVnu08QLSp96kAPJylLpvfuCYO14CcbAkT9tw9S/HmRljfCSzmpagr5D8T1tmWH2o X-Received: by 2002:a50:8a02:: with SMTP id i2mr15302973edi.222.1606729701230; Mon, 30 Nov 2020 01:48:21 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1606729701; cv=none; d=google.com; s=arc-20160816; b=BAqpvSw7pVb2kZXAdsABY8x/EV2+tTBG7jOxff8Y77/4KKQ47qRa4eJOf3RrFeLUOQ 3hlrqAQpc/1rW3Tu2bFfVmgOg+DcLrCbzeGh12j+yVFXLpCR0NMVPHxXznG/y4d+J2Bk dqdvrZPimd2xzj+98P/ew1qVKF2R1kkjH00Jv4OU6AAiI3ICMgLIDcqpNOomfjv2D6KF 9IYOH/D4Q65MgKAEliB2jl2Dwl7JxH+iLXoEsWQsaXZttck7J/1FXGeLK0cpXebR9gBF 8bpP1rFiiztS76e/1e756mqtzCJ4qGyHjCGBzKQvq7fpB4Dy9Qfi/32tE+vCp34RVjDX COdA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=aV6qEMebgx+w/aBozMTF8qs7q5fn1lxE195sBCdncIQ=; b=vfiCp9UQ2RLcPO8UBWGWDYJxti8IvYu97MjHmRB2Ft3sz8z65PzpcjR2Xr5fBTe3M/ +gryLr81fGfiYDFOD18bFl8orByhmG7T63eeX+981o5kPQ5/UcTgg7rIn6Qzkpa22jbD vy9RIei/+8Ic+0/0l828znFiOczWkFs9BQswsEJnLWQk6u13qxrBQDj/87wtaivUREFd RUmHEX4lyo7DyBJ5H/P3O7lioZVttFqoMCOxKn8wDR9AUxBiBqV9PeQI9zjeF5DZsWhp oN7huAZd1E+vec7CSbhE+bPHxxVcpPCs7jdMee4iqi/sHfwbl7Hr+xuunqOIiXqwf/jr heYw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=NMNa2Ol6; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [2a01:238:438b:c500:173d:9f52:ddab:ee01]) by mx.google.com with ESMTPS id g25si4152742edr.220.2020.11.30.01.48.20 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 30 Nov 2020 01:48:21 -0800 (PST) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=NMNa2Ol6; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 0E209826DA; Mon, 30 Nov 2020 10:48:11 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="NMNa2Ol6"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id B0E9B827A1; Mon, 30 Nov 2020 10:47:55 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-wr1-x444.google.com (mail-wr1-x444.google.com [IPv6:2a00:1450:4864:20::444]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 64DAF825A8 for ; Mon, 30 Nov 2020 10:47:51 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=ilias.apalodimas@linaro.org Received: by mail-wr1-x444.google.com with SMTP id s8so15185753wrw.10 for ; Mon, 30 Nov 2020 01:47:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=aV6qEMebgx+w/aBozMTF8qs7q5fn1lxE195sBCdncIQ=; b=NMNa2Ol64WUqTKnbP23XdwdhGsvna3vD7HiQ1Q2C7Ig8pImo53Fp2RNEdp3K7qCfhs 1so5vrd/6huX2M2XBSLViji5bWrgXlN5sB5l8crSoTWLf9S3eYIhjkF6JCs5bD/QlhIH 4GbTAgac6tNbvYqcQ22MQ0Ikn53KAWY1CCjCCSh3YwP50objGU4CpSOmTy2bPS6aS2nV MHMUsYtvc2TIN+1NNqcgHgjz9ej/G4ILLgywDgOJYjAlI0t+zyzyXJT6Y6na17P80ktn GPK7Qw6ECkBSQCcC58cjsfVNgsGD1V294/eZw8n0h4LhUzxtyIoLi7jUt4g/8h3YbHYd C7Ow== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=aV6qEMebgx+w/aBozMTF8qs7q5fn1lxE195sBCdncIQ=; b=DBlSIfP+hslHP//7tyesXHInoQL/FYlnurDEg3HjdIXw3fm44tTMOLhSWKtFTuvATC GxnFrgP8n/WX49WXFk+Ap71zc8fveX9icdOvwR6HWtx89Kbvoct9QvA/IKdVFa0+KV4O Cdfa+8dHQppBvoU0hfM+u7wOxBksegCmB5kMTA/kIrShKGJGDdjiIpkhkpBP/5gWReOK /K79gNV9yhYctpociWXBv+4H32jd6U04hoNc15gqP6PxtDCL3kMHE2uzlW/lKDGpX2W7 OmkqENzH5RYYE6dx3HsZa+aCvh1xzQEsCfI8VH09sKpSrN3DxWdIp++c74cVgGCCoI5f rVHQ== X-Gm-Message-State: AOAM53147j1nE19ZhgKhFnU0067t2WHcORJbSeeQdtgJgNR+FO5459/E FA6ujwB5Z5E9Lj5U3UkWZE2fXw== X-Received: by 2002:adf:82c7:: with SMTP id 65mr26892864wrc.384.1606729671031; Mon, 30 Nov 2020 01:47:51 -0800 (PST) Received: from apalos.home ([2a02:587:4641:1e88:2e56:dcff:fe9a:8f06]) by smtp.gmail.com with ESMTPSA id b18sm28006795wrt.54.2020.11.30.01.47.49 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 30 Nov 2020 01:47:50 -0800 (PST) From: Ilias Apalodimas To: xypron.glpk@gmx.de Cc: ard.biesheuvel@arm.com, Ilias Apalodimas , Alexander Graf , Simon Glass , Dhananjay Phadke , Bin Meng , u-boot@lists.denx.de Subject: [PATCH 3/3 v2] cmd: efidebug: Add support for TCG2 final events table Date: Mon, 30 Nov 2020 11:47:41 +0200 Message-Id: <20201130094742.2088573-4-ilias.apalodimas@linaro.org> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201130094742.2088573-1-ilias.apalodimas@linaro.org> References: <20201130094742.2088573-1-ilias.apalodimas@linaro.org> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.3 at phobos.denx.de X-Virus-Status: Clean A previous commit is adding EFI_TCG2_PROTOCOL, which in it's eventlog support registers an EFI configuration table. Let's add the necessary GUID so 'efidebug table' command can display table names properly. Signed-off-by: Ilias Apalodimas --- cmd/efidebug.c | 4 ++++ 1 file changed, 4 insertions(+) -- 2.29.2 diff --git a/cmd/efidebug.c b/cmd/efidebug.c index 5288b9920b4d..70bb73ba025f 100644 --- a/cmd/efidebug.c +++ b/cmd/efidebug.c @@ -278,6 +278,10 @@ static const struct { "Runtime properties", EFI_RT_PROPERTIES_TABLE_GUID, }, + { + "TCG2 Final Events Table", + EFI_TCG2_FINAL_EVENTS_TABLE_GUID, + }, }; /**