From patchwork Tue Nov 23 11:53:35 2021
X-Patchwork-Submitter: Ruchika Gupta
X-Patchwork-Id: 519315
From: Ruchika Gupta
To: u-boot@lists.denx.de, ilias.apalodimas@linaro.org, xypron.glpk@gmx.de, agraf@csgraf.de
Cc: Ruchika Gupta
Subject: [v2] [PATCH 3/3] efi_loader: Extend PCR's for firmware measurements
Date: Tue, 23 Nov 2021 17:23:35 +0530
Message-Id: <20211123115335.125252-3-ruchika.gupta@linaro.org>
In-Reply-To: <20211123115335.125252-1-ruchika.gupta@linaro.org>
References: <20211123115335.125252-1-ruchika.gupta@linaro.org>

Firmwares before U-Boot may be capable of doing TPM measurements and passing them to U-Boot in the form of an eventlog. However, there may be scenarios where the firmwares don't have a TPM driver and are not capable of extending the measurements in the PCRs.

Based on the TCG spec, if previous firmware has extended PCRs, PCR0 would not be 0. So, read PCR0 to determine whether the PCRs need to be extended as the eventlog is parsed or not.

Signed-off-by: Ruchika Gupta
Reviewed-by: Ilias Apalodimas
---
v2 : Removed check for PCR0 in eventlog

 lib/efi_loader/efi_tcg2.c | 77 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 77 insertions(+)

diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index c3ebdf92f5..133fe8291a 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c
@@ -199,6 +199,43 @@ static efi_status_t tcg2_pcr_extend(struct udevice *dev, u32 pcr_index, return EFI_SUCCESS; } +/* tcg2_pcr_read - Read PCRs for a TPM2 device for a given tpml_digest_values + * + * @dev: device + * @digest_list: list of digest algorithms to extend + * + * @Return: status code + */ +static efi_status_t tcg2_pcr_read(struct udevice *dev, u32 pcr_index, + struct tpml_digest_values *digest_list) +{ + struct tpm_chip_priv *priv; + unsigned int updates, pcr_select_min; + u32 rc; + size_t i; + + priv = dev_get_uclass_priv(dev); + if (!priv) + return EFI_DEVICE_ERROR; + + pcr_select_min = priv->pcr_select_min; + + for (i = 0; i < digest_list->count; i++) { + u16 hash_alg = digest_list->digests[i].hash_alg; + u8 *digest = (u8 *)&digest_list->digests[i].digest; + + rc = tpm2_pcr_read(dev, pcr_index, pcr_select_min, + hash_alg, digest, alg_to_len(hash_alg), + &updates); + if (rc) { + EFI_PRINT("Failed to read PCR\n"); + return EFI_DEVICE_ERROR; + } + } + + return EFI_SUCCESS; +} + /* put_event - Append an agile event to an eventlog * * @pcr_index: PCR index @@ -1427,6 +1464,8 @@ efi_status_t tcg2_get_fw_eventlog(struct udevice *dev, void *log_buffer, u32 pcr, pos; u64 base; u32 sz; + bool extend_pcr = false; + int i; ret = platform_get_eventlog(dev, &base, &sz); if (ret == EFI_SUCCESS) { 
@@ -1447,6 +1486,26 @@ efi_status_t tcg2_get_fw_eventlog(struct udevice *dev, void *log_buffer, return EFI_COMPROMISED_DATA; } + ret = tcg2_pcr_read(dev, 0, &digest_list); + if (ret) { + log_err("Error reading PCR 0\n"); + return ret; + } + + /* + * If PCR0 is 0, previous firmware didn't have the capability + * to extend the PCR. In this scenario, extend the PCR as + * the eventlog is parsed. + */ + for (i = 0; i < digest_list.count; i++) { + u8 buffer[TPM2_DIGEST_LEN] = { 0 }; + u16 hash_alg = digest_list.digests[i].hash_alg; + + if (!memcmp((u8 *)&digest_list.digests[i].digest, + buffer, alg_to_len(hash_alg))) + extend_pcr = true; + } + while (pos < sz) { ret = tcg2_parse_event(dev, buffer, sz, &pos, &digest_list, &pcr); @@ -1454,6 +1513,24 @@ efi_status_t tcg2_get_fw_eventlog(struct udevice *dev, void *log_buffer, log_err("Error parsing event\n"); return ret; } + + if (extend_pcr) { + ret = tcg2_pcr_extend(dev, pcr, &digest_list); + if (ret != EFI_SUCCESS) { + log_err("Error in extending PCR\n"); + return ret; + } + + /* Clear the digest for next event */ + for (i = 0; i < digest_list.count; i++) { + u16 hash_alg = + digest_list.digests[i].hash_alg; + u8 *digest = + (u8 *)&digest_list.digests[i].digest; + + memset(digest, 0, alg_to_len(hash_alg)); + } + } } memcpy(log_buffer, buffer, sz);
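Review bot: in the first hunk (tcg2_pcr_read at line 199) the kernel-doc block does not match the signature: @pcr_index is not documented, and @digest_list is described as the "list of digest algorithms to extend" although this function reads PCR contents into it. Suggest `@pcr_index: PCR to read` and `@digest_list: list of digest algorithms; each digest is filled with the PCR value for that bank`. The failure path also drops the TPM return code (`if (rc)` then a fixed EFI_DEVICE_ERROR); including rc in the EFI_PRINT would make a failing PCR read diagnosable.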
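Review bot: in the hunk at line 1427, `int i` is added to tcg2_get_fw_eventlog and later compared against digest_list.count, while the new tcg2_pcr_read uses `size_t i` for the same loop; use one unsigned index type in both places to avoid signed/unsigned comparison warnings and keep the two loops consistent.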
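Review bot: in the hunk at line 1447, extend_pcr is set as soon as any one bank of PCR0 reads as zero, so on a TPM where an earlier stage extended only some of the banks listed in digest_list, the already-extended banks would be extended a second time and could never match the log; consider requiring every bank to be zero before replaying and logging a warning when the banks disagree. Two smaller points in the same loop: `u8 buffer[TPM2_DIGEST_LEN]` shadows the function's `buffer` that holds the event log and is passed to tcg2_parse_event(dev, buffer, ...) right after the loop, so a name such as `zero_digest` would be safer; and memcmp compares alg_to_len(hash_alg) bytes against that array, which is only correct if no algorithm in digest_list has a digest longer than TPM2_DIGEST_LEN, so either size the array for the largest supported digest or check `alg_to_len(hash_alg) <= sizeof(zero_digest)` first. Finally, `if (ret)` after tcg2_pcr_read is inconsistent with the `ret != EFI_SUCCESS` style used elsewhere in this function.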
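Review bot: in the hunk at line 1454, the digests are cleared only after each extend, but the PCR0 values read by tcg2_pcr_read are still sitting in digest_list when the first tcg2_parse_event call runs; unless tcg2_parse_event overwrites every bank for every event, the first extend could mix PCR0 contents into the replayed value. Running the same memset loop once before the `while (pos < sz)` loop (or factoring it into a small clear helper used in both places) removes that dependency on the parser's behaviour.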
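The commit message above decides from PCR0 whether the event log has to be replayed into the PCRs. The following Python model is an added example, not U-Boot code: the bank set, helper names and sample log are constructed, and it shows the TCG extend step, the any-bank-zero rule the patch implements beside a stricter all-banks variant, and a replay of a constructed log into fresh PCRs.

```python
"""Model of the PCR0 heuristic from the patch and the replay a verifier
would run against the resulting PCRs (added example, not U-Boot code)."""
import hashlib

# Constructed set of PCR banks: hash algorithm -> digest length in bytes.
ALGS = {"sha256": 32, "sha384": 48}


def pcr_extend(pcr, digest, alg):
    """TCG extend: new PCR = H(old PCR || event digest), per bank."""
    assert len(pcr) == len(digest) == ALGS[alg]
    return hashlib.new(alg, pcr + digest).digest()


def pcr0_banks_zero(pcr0):
    """Per-bank view of the patch's test: a bank reads as all zeros when
    no earlier firmware stage has extended PCR0 in that bank."""
    return {alg: value == bytes(ALGS[alg]) for alg, value in pcr0.items()}


def should_extend(pcr0, require_all=False):
    """The patch sets extend_pcr when *any* bank of PCR0 is zero;
    require_all models the stricter rule (every bank zero) a reviewer
    might ask for, so a partially extended TPM is not replayed twice."""
    zero = pcr0_banks_zero(pcr0).values()
    return all(zero) if require_all else any(zero)


def replay_log(events, algs=ALGS):
    """Replay an event log into fresh (all-zero) PCRs, as the patch does
    when extend_pcr is set. events: list of (pcr_index, {alg: digest})."""
    pcrs = {}
    for pcr_index, digests in events:
        for alg, digest in digests.items():
            old = pcrs.setdefault((pcr_index, alg), bytes(algs[alg]))
            pcrs[(pcr_index, alg)] = pcr_extend(old, digest, alg)
    return pcrs


def event(pcr_index, data):
    """Constructed log entry: measure `data` into every bank."""
    return (pcr_index, {alg: hashlib.new(alg, data).digest() for alg in ALGS})


# Constructed sample log: two measurements into PCR0, one into PCR1.
SAMPLE_LOG = [event(0, b"stage-1 firmware"), event(0, b"stage-2 firmware"),
              event(1, b"boot configuration")]

if __name__ == "__main__":
    fresh = {alg: bytes(n) for alg, n in ALGS.items()}
    print("fresh TPM, replay log into PCRs:", should_extend(fresh))
    for (idx, alg), val in sorted(replay_log(SAMPLE_LOG).items()):
        print(f"PCR{idx} {alg}: {val.hex()}")
```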