From patchwork Fri Aug 13 07:12:41 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Masahisa Kojima <masahisa.kojima@linaro.org>
X-Patchwork-Id: 496551
Delivered-To: patch@linaro.org
Received: by 2002:a02:cf8a:0:0:0:0:0 with SMTP id w10csp273919jar;
 Fri, 13 Aug 2021 00:13:07 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyGEl0vpoZKdschppXWRCe+YteeqEwhLiV2UO1sTfWMMQEXOeSKMwdFF2V2DsYj0hlUHq0h
X-Received: by 2002:a17:906:ca43:: with SMTP id
 jx3mr1101745ejb.193.1628838787140; 
 Fri, 13 Aug 2021 00:13:07 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1628838787; cv=none;
 d=google.com; s=arc-20160816;
 b=SqcsFPnn6aK+n6OSp6G6qBmSypBt+LZ18Rb+Sokn+XaIgVl0E9IigdijR+a5DN42rG
 FkdFzg99rkFvM0sCo7gzPUWelzNscBk2OsmIF0zChW3GUaEGtBp9gdaYdXRHsVoy1F7w
 LN5lL2g9c6sp3U2eiCLgJnNwA5RSZ0KPBq1Io1mSsTse56xBkAq3OM7WBISQyFunvsEc
 HS/DRzGedEBwA3t+/TATOsBjqN1X7fgqcZT6zzEY9Q6kE5b3XuCtqODY5jwquvQDOeeU
 6nZ+pINCBd/s9Tr9QUCMMJBFMCKVFMr2dduDRfBiW429nlW8bfng25JQW0/dFwdeWp3v
 7XnQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=sender:errors-to:list-subscribe:list-help:list-post:list-archive
 :list-unsubscribe:list-id:precedence:references:in-reply-to
 :message-id:date:subject:to:from:dkim-signature;
 bh=7HSP5dUmE2u4ycyj6hUfaNPODIHqeZNBPQthC7eBnyc=;
 b=FGoUfMgTvL5KZX19iH5Z5NUobdm+LFu2QTMvhMliP9rSHDAr/3+YnyJk2BhARgTJh7
 ISfwz6F7Yt3fPCWpF/RqMEM/M4yf+LzSrfy6xUXWQzlL5I4ufCWqVZS20gYc1qaSkZT8
 9xfrUCipeAv3/cg2Q8YwvIkx7gcSzspkSZZONu1iR2+pPkQUySWI4AneDT4OzjwYLY+L
 ERTwNcn/6QRtNE270dvrR1bE0u7K/9V0Tw8+gf6zz0na0dLXEBf452KQ1sl1AKjQGz00
 fsIatONE8nWeErFlurYuol2fGxCAfo58vckEF/epEJqBopkxEqsgywb1wqdFucxqUv7n
 9K6g==
ARC-Authentication-Results: i=1; mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b="m/Dm+XbH";
 spf=pass (google.com: domain of u-boot-bounces@lists.denx.de
 designates 85.214.62.61 as permitted sender)
 smtp.mailfrom=u-boot-bounces@lists.denx.de; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <u-boot-bounces@lists.denx.de>
Received: from phobos.denx.de (phobos.denx.de. [85.214.62.61])
 by mx.google.com with ESMTPS id
 l10si904916eds.340.2021.08.13.00.13.06
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Fri, 13 Aug 2021 00:13:07 -0700 (PDT)
Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de
 designates 85.214.62.61 as permitted sender)
 client-ip=85.214.62.61; 
Authentication-Results: mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b="m/Dm+XbH";
 spf=pass (google.com: domain of u-boot-bounces@lists.denx.de
 designates 85.214.62.61 as permitted sender)
 smtp.mailfrom=u-boot-bounces@lists.denx.de; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: from h2850616.stratoserver.net (localhost [IPv6:::1])
 by phobos.denx.de (Postfix) with ESMTP id 4023282DFE;
 Fri, 13 Aug 2021 09:12:50 +0200 (CEST)
Authentication-Results: phobos.denx.de;
 dmarc=pass (p=none dis=none) header.from=linaro.org
Authentication-Results: phobos.denx.de;
 spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de
Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key;
 unprotected) header.d=linaro.org header.i=@linaro.org
 header.b="m/Dm+XbH"; dkim-atps=neutral
Received: by phobos.denx.de (Postfix, from userid 109)
 id 0F5E882D5B; Fri, 13 Aug 2021 09:12:35 +0200 (CEST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de
X-Spam-Level: 
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
 DKIM_VALID,DKIM_VALID_AU,SPF_HELO_NONE autolearn=ham
 autolearn_force=no version=3.4.2
Received: from mail-pl1-x631.google.com (mail-pl1-x631.google.com
 [IPv6:2607:f8b0:4864:20::631])
 (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))
 (No client certificate requested)
 by phobos.denx.de (Postfix) with ESMTPS id 65E4282D95
 for <u-boot@lists.denx.de>; Fri, 13 Aug 2021 09:12:28 +0200 (CEST)
Authentication-Results: phobos.denx.de;
 dmarc=pass (p=none dis=none) header.from=linaro.org
Authentication-Results: phobos.denx.de;
 spf=pass smtp.mailfrom=masahisa.kojima@linaro.org
Received: by mail-pl1-x631.google.com with SMTP id q2so10672426plr.11
 for <u-boot@lists.denx.de>; Fri, 13 Aug 2021 00:12:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; 
 h=from:to:subject:date:message-id:in-reply-to:references;
 bh=7HSP5dUmE2u4ycyj6hUfaNPODIHqeZNBPQthC7eBnyc=;
 b=m/Dm+XbHDZ98aBFeIep5qkFCFc8eRktEJtBQtI3BsG3CSnZasGH6bzMo/MSbiSFCoE
 1cRZtrKd77HT5LjfAHDAATMee/NZEcYF9XUSKoWiG9D9iivWq2nh4n57IPe7CBWDpTQn
 gvHJBmaZcpQy+4gQm5lW8qJnLpSgagTwylQ+9pu9SkDMSz7MaK6Q1j7GCS8Zf+TzJVIO
 LARlaTYbHJZM/tltxg3ESq6i+gW+iDCCjwSC71UnTeY1zJJwpt+BvatmciGQqrtHanfe
 OFgZgrK5pj6pKaqWxrUq9T15UrDFxh8bqnE1HdaV0Zr6gFndx53bDxeX6TMytNoQda8Z
 Kbjw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to
 :references;
 bh=7HSP5dUmE2u4ycyj6hUfaNPODIHqeZNBPQthC7eBnyc=;
 b=sgegamDYSwH7GOLYMnOlvXAKCBjwa2SiqvBd6OVM/g+FtaEP9Vy5BSpZR+NFylIBSW
 Sy+bjK0XCTGtiyp09Y0QcuPESttcBfYeiCRjphXa182XQpvf387GyKR9tiYTPYpdn3Pq
 SYbfgQU/G0POYU4RfpcNXocnXe+4uovNrLtoBuX520tqgILkchXaUttUOdXjpaZj+ZDL
 e1068FmOtYJmKaYO043b5zblOlxWdv3d0XgRBttYa5GKkT2Lq9PC+d4EcDs2IRtTDDnU
 ziL13UZL2LoKJ/Te1FYDd6XzPitrvSCVre5hIDw9OE0Ck3dmr8vpD/z1ILCZG0JgPnjT
 FDBA==
X-Gm-Message-State: AOAM533iSDr33b+kaQG+j07ds0mfvoNJUiH6+dM5LFaEvJ8/Uo0iSppX
 g3yrpJPNVrYHzgrINRlxNWXkDg==
X-Received: by 2002:a17:902:7043:b029:12d:3625:289d with SMTP id
 h3-20020a1709027043b029012d3625289dmr1056412plt.32.1628838746595; 
 Fri, 13 Aug 2021 00:12:26 -0700 (PDT)
Received: from localhost.localdomain ([2400:2411:502:a100:82fa:5bff:fe4b:26b1])
 by smtp.gmail.com with ESMTPSA id
 u21sm987078pfh.163.2021.08.13.00.12.24
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Fri, 13 Aug 2021 00:12:26 -0700 (PDT)
From: Masahisa Kojima <masahisa.kojima@linaro.org>
To: Heinrich Schuchardt <xypron.glpk@gmx.de>,
 Alexander Graf <agraf@csgraf.de>, 
 Ilias Apalodimas <ilias.apalodimas@linaro.org>,
 Simon Glass <sjg@chromium.org>,
 Masahisa Kojima <masahisa.kojima@linaro.org>,
 Dhananjay Phadke <dphadke@linux.microsoft.com>,
 AKASHI Takahiro <takahiro.akashi@linaro.org>, u-boot@lists.denx.de
Subject: [PATCH v4 3/5] efi_loader: add ExitBootServices() measurement
Date: Fri, 13 Aug 2021 16:12:41 +0900
Message-Id: <20210813071243.18885-4-masahisa.kojima@linaro.org>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20210813071243.18885-1-masahisa.kojima@linaro.org>
References: <20210813071243.18885-1-masahisa.kojima@linaro.org>
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <https://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=subscribe>
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de
X-Virus-Status: Clean

TCG PC Client PFP spec requires to measure
"Exit Boot Services Invocation" if ExitBootServices() is invoked.
Depending upon the return code from the ExitBootServices() call,
"Exit Boot Services Returned with Success" or "Exit Boot Services
Returned with Failure" is also measured.

Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
---
Changes in v4:
- remove unnecessary EFIAPI specifier

Changes in v2:
- use strlen instead of sizeof, event log for EV_EFI_ACTION string

  shall not include NUL terminator
 include/efi_loader.h          |  1 +
 lib/efi_loader/efi_boottime.c |  5 +++
 lib/efi_loader/efi_tcg2.c     | 70 +++++++++++++++++++++++++++++++++++
 3 files changed, 76 insertions(+)

-- 
2.17.1

diff --git a/include/efi_loader.h b/include/efi_loader.h
index 6f61e9faac..32cb8d0f1e 100644
--- a/include/efi_loader.h
+++ b/include/efi_loader.h
@@ -499,6 +499,7 @@ efi_status_t efi_run_image(void *source_buffer, efi_uintn_t source_size);
 efi_status_t efi_init_variables(void);
 /* Notify ExitBootServices() is called */
 void efi_variables_boot_exit_notify(void);
+efi_status_t efi_tcg2_notify_exit_boot_services_failed(void);
 /* Measure efi application invocation */
 efi_status_t efi_tcg2_measure_efi_app_invocation(void);
 /* Measure efi application exit */
diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/efi_boottime.c
index 13ab139222..b818cbb540 100644
--- a/lib/efi_loader/efi_boottime.c
+++ b/lib/efi_loader/efi_boottime.c
@@ -2182,6 +2182,11 @@ static efi_status_t EFIAPI efi_exit_boot_services(efi_handle_t image_handle,
 	efi_set_watchdog(0);
 	WATCHDOG_RESET();
 out:
+	if (ret != EFI_SUCCESS) {
+		if (IS_ENABLED(CONFIG_EFI_TCG2_PROTOCOL))
+			efi_tcg2_notify_exit_boot_services_failed();
+	}
+
 	return EFI_EXIT(ret);
 }
 
diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
index ed71337780..8557fce1da 100644
--- a/lib/efi_loader/efi_tcg2.c
+++ b/lib/efi_loader/efi_tcg2.c
@@ -1506,6 +1506,67 @@ efi_status_t efi_tcg2_measure_efi_app_exit(void)
 	return ret;
 }
 
+/**
+ * efi_tcg2_notify_exit_boot_services() - ExitBootService callback
+ *
+ * @event:	callback event
+ * @context:	callback context
+ */
+static void
+efi_tcg2_notify_exit_boot_services(struct efi_event *event, void *context)
+{
+	efi_status_t ret;
+	struct udevice *dev;
+
+	EFI_ENTRY("%p, %p", event, context);
+
+	ret = platform_get_tpm2_device(&dev);
+	if (ret != EFI_SUCCESS)
+		goto out;
+
+	ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION,
+				 strlen(EFI_EXIT_BOOT_SERVICES_INVOCATION),
+				 (u8 *)EFI_EXIT_BOOT_SERVICES_INVOCATION);
+	if (ret != EFI_SUCCESS)
+		goto out;
+
+	ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION,
+				 strlen(EFI_EXIT_BOOT_SERVICES_SUCCEEDED),
+				 (u8 *)EFI_EXIT_BOOT_SERVICES_SUCCEEDED);
+
+out:
+	EFI_EXIT(ret);
+}
+
+/**
+ * efi_tcg2_notify_exit_boot_services_failed()
+ *  - notify ExitBootServices() is failed
+ *
+ * Return:	status code
+ */
+efi_status_t efi_tcg2_notify_exit_boot_services_failed(void)
+{
+	struct udevice *dev;
+	efi_status_t ret;
+
+	ret = platform_get_tpm2_device(&dev);
+	if (ret != EFI_SUCCESS)
+		goto out;
+
+	ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION,
+				 strlen(EFI_EXIT_BOOT_SERVICES_INVOCATION),
+				 (u8 *)EFI_EXIT_BOOT_SERVICES_INVOCATION);
+	if (ret != EFI_SUCCESS)
+		goto out;
+
+	ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION,
+				 strlen(EFI_EXIT_BOOT_SERVICES_FAILED),
+				 (u8 *)EFI_EXIT_BOOT_SERVICES_FAILED);
+
+out:
+	return ret;
+}
+
 /**
  * tcg2_measure_secure_boot_variable() - measure secure boot variables
  *
@@ -1584,6 +1645,7 @@ efi_status_t efi_tcg2_register(void)
 {
 	efi_status_t ret = EFI_SUCCESS;
 	struct udevice *dev;
+	struct efi_event *event;
 
 	ret = platform_get_tpm2_device(&dev);
 	if (ret != EFI_SUCCESS) {
@@ -1608,6 +1670,14 @@ efi_status_t efi_tcg2_register(void)
 		goto fail;
 	}
 
+	ret = efi_create_event(EVT_SIGNAL_EXIT_BOOT_SERVICES, TPL_CALLBACK,
+			       efi_tcg2_notify_exit_boot_services, NULL,
+			       NULL, &event);
+	if (ret != EFI_SUCCESS) {
+		tcg2_uninit();
+		goto fail;
+	}
+
 	ret = tcg2_measure_secure_boot_variable(dev);
 	if (ret != EFI_SUCCESS) {
 		tcg2_uninit();