From patchwork Fri Nov 26 05:00:55 2021
X-Patchwork-Submitter: Ruchika Gupta
X-Patchwork-Id: 519687
From: Ruchika Gupta
To: u-boot@lists.denx.de, ilias.apalodimas@linaro.org, xypron.glpk@gmx.de, agraf@csgraf.de, masahisa.kojima@linaro.org
Cc: Ruchika Gupta
Subject: [PATCH v6 3/3] efi_loader: Extend PCR's for firmware measurements
Date: Fri, 26 Nov 2021 10:30:55 +0530
Message-Id: <20211126050055.765911-3-ruchika.gupta@linaro.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20211126050055.765911-1-ruchika.gupta@linaro.org>
References: <20211126050055.765911-1-ruchika.gupta@linaro.org>
List-Id: U-Boot discussion

Firmwares before U-Boot may be capable of doing TPM measurements and passing them to U-Boot in the form of an eventlog. However, there may be scenarios where the firmwares don't have a TPM driver and are not capable of extending the measurements in the PCRs. Based on the TCG spec, if previous firmware has extended the PCRs, PCR0 would not be 0. So, read PCR0 to determine whether the PCRs need to be extended as the eventlog is parsed or not.

Signed-off-by: Ruchika Gupta
Reviewed-by: Ilias Apalodimas
Tested-by: Ilias Apalodimas
---
v6: Changed TPM2_DIGEST_LEN to TPM2_SHA512_DIGEST_SIZE
v5: No change
v4: No change
v3: Rebase changes on top of changes made in first patch series
v2: Removed check for PCR0 in eventlog

 lib/efi_loader/efi_tcg2.c | 75 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 75 insertions(+)

diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
index a789c44660..295070f3d8 100644
--- a/lib/efi_loader/efi_tcg2.c
+++ b/lib/efi_loader/efi_tcg2.c
@@ -199,6 +199,43 @@ static efi_status_t tcg2_pcr_extend(struct udevice *dev, u32 pcr_index, return EFI_SUCCESS; } +/* tcg2_pcr_read - Read PCRs for a TPM2 device for a given tpml_digest_values + * + * @dev: device + * @digest_list: list of digest algorithms to extend + * + * @Return: status code + */ +static efi_status_t tcg2_pcr_read(struct udevice *dev, u32 pcr_index, + struct tpml_digest_values *digest_list) +{ + struct tpm_chip_priv *priv; + unsigned int updates, pcr_select_min; + u32 rc; + size_t i; + + priv = dev_get_uclass_priv(dev); + if (!priv) + return EFI_DEVICE_ERROR; + + pcr_select_min = priv->pcr_select_min; + + for (i = 0; i < digest_list->count; i++) { + u16 hash_alg = digest_list->digests[i].hash_alg; + u8 *digest = (u8 *)&digest_list->digests[i].digest; + + rc = tpm2_pcr_read(dev, pcr_index, pcr_select_min, + hash_alg, digest, alg_to_len(hash_alg), + &updates); + if (rc) { + EFI_PRINT("Failed to read PCR\n"); + return EFI_DEVICE_ERROR; + } + } + + return EFI_SUCCESS; +} + /* put_event - Append an agile event to an eventlog * * @pcr_index: PCR index @@ -1428,6 +1465,8 @@ efi_status_t tcg2_get_fw_eventlog(struct udevice *dev, void *log_buffer, u32 pcr, pos; u64 base; u32 sz; + bool extend_pcr = false; + int i; ret = platform_get_eventlog(dev, &base, &sz); if (ret != EFI_SUCCESS) 
@@ -1449,6 +1488,26 @@ efi_status_t tcg2_get_fw_eventlog(struct udevice *dev, void *log_buffer, return EFI_COMPROMISED_DATA; } + ret = tcg2_pcr_read(dev, 0, &digest_list); + if (ret) { + log_err("Error reading PCR 0\n"); + return ret; + } + + /* + * If PCR0 is 0, previous firmware didn't have the capability + * to extend the PCR. In this scenario, extend the PCR as + * the eventlog is parsed. + */ + for (i = 0; i < digest_list.count; i++) { + u8 buffer[TPM2_SHA512_DIGEST_SIZE] = { 0 }; + u16 hash_alg = digest_list.digests[i].hash_alg; + + if (!memcmp((u8 *)&digest_list.digests[i].digest, buffer, + alg_to_len(hash_alg))) + extend_pcr = true; + } + while (pos < sz) { ret = tcg2_parse_event(dev, buffer, sz, &pos, &digest_list, &pcr); @@ -1456,6 +1515,22 @@ efi_status_t tcg2_get_fw_eventlog(struct udevice *dev, void *log_buffer, log_err("Error parsing event\n"); return ret; } + if (extend_pcr) { + ret = tcg2_pcr_extend(dev, pcr, &digest_list); + if (ret != EFI_SUCCESS) { + log_err("Error in extending PCR\n"); + return ret; + } + + /* Clear the digest for next event */ + for (i = 0; i < digest_list.count; i++) { + u16 hash_alg = digest_list.digests[i].hash_alg; + u8 *digest = + (u8 *)&digest_list.digests[i].digest; + + memset(digest, 0, alg_to_len(hash_alg)); + } + } } memcpy(log_buffer, buffer, sz);
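Review bot: in the first hunk (@@ -199,6 +199,43 @@) the comment block for tcg2_pcr_read does not match the function it documents: `@pcr_index` is not listed at all, `@digest_list` is described as "list of digest algorithms to extend" although this function reads PCR values into it, and the return tag is written `@Return:` where the surrounding file uses the kernel-doc form `Return:`. Suggest documenting it as `@pcr_index: PCR index to read`, `@digest_list: digest list whose hash_alg entries select the banks to read; the digests are filled in on return`, and `Return: status code`.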
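Review bot: in the hunk at @@ -1449,6 +1488,26 @@ the local `u8 buffer[TPM2_SHA512_DIGEST_SIZE] = { 0 };` shadows the function-scope `buffer` that is passed to tcg2_parse_event and memcpy'd into log_buffer a few lines later; it compiles because the inner declaration is confined to the for body, but it trips -Wshadow and is easy to misread. Renaming it to `zero_digest` would avoid that. Two more points on the same hunk: the loop sets `extend_pcr = true` as soon as any one bank of PCR0 is all zeros, whereas the commit message talks about PCR0 being 0; if a previous firmware extended, say, only the SHA-256 bank, this code will extend that bank a second time while replaying the log, so either require every bank to be zero, extend only the zero banks, or state the all-or-nothing assumption in the comment. Also `if (ret)` after tcg2_pcr_read is correct (EFI_SUCCESS is 0) but the rest of this function compares with `ret != EFI_SUCCESS`; keeping one form makes the efi_status_t checks easier to grep.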
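Review bot: in the last hunk (@@ -1456,6 +1515,22 @@) the "Clear the digest for next event" loop is only needed if tcg2_parse_event does not overwrite every digest it reports; if it does, the loop is dead code, and if it does not, the comment should say why a stale digest would otherwise be extended. Either way, consider stating it explicitly. Separately, when tcg2_pcr_extend fails part way through the log the function returns with some events already extended into the PCRs and the rest not; that is unavoidable here, but the log_err message could say so ("PCRs partially extended") so that a caller or a verifier reading the console understands why the PCRs will not match the eventlog.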
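The decision the commit message describes (look at PCR0; if it is still all zeros, no earlier firmware extended anything, so replay the eventlog digests into the PCRs while parsing it) is easy to model outside U-Boot. The following is an added example, not code from the patch or from U-Boot: a small PCR-bank model in Python using hashlib, a replay routine that makes the "is this bank untouched?" decision per bank rather than for all banks at once (so a bank that was already extended by earlier firmware is not extended twice), and the verifier-side check that replaying the log reproduces the PCR values. The bank names, the 24-PCR layout, the Event structure and the sample log entries are constructed for this example and are assumptions, not values from the page.

```python
import hashlib
from dataclasses import dataclass, field

# Assumed active digest banks for the constructed TPM model (not a real device).
BANKS = ("sha1", "sha256")
DIGEST_LEN = {"sha1": 20, "sha256": 32}
NUM_PCRS = 24


@dataclass
class Event:
    """One TCG 'agile' eventlog entry: the PCR it targets and one digest per bank."""
    pcr: int
    digests: dict  # bank name -> digest bytes


@dataclass
class TpmModel:
    """Minimal PCR model: pcrs[bank][index] holds the current PCR value of that bank."""
    pcrs: dict = field(default_factory=lambda: {
        bank: [bytes(DIGEST_LEN[bank])] * NUM_PCRS for bank in BANKS})

    def read(self, index: int, bank: str) -> bytes:
        return self.pcrs[bank][index]

    def extend(self, index: int, bank: str, digest: bytes) -> None:
        # TPM2_PCR_Extend semantics within one bank: new = H(old || digest).
        if len(digest) != DIGEST_LEN[bank]:
            raise ValueError(f"{bank} digest must be {DIGEST_LEN[bank]} bytes")
        self.pcrs[bank][index] = hashlib.new(
            bank, self.pcrs[bank][index] + digest).digest()


def bank_untouched(tpm: TpmModel, bank: str) -> bool:
    """PCR0 of a bank is all zeros only if nothing was ever extended into it
    (the same test the patch applies, here made per bank)."""
    return not any(tpm.read(0, bank))


def replay_eventlog(tpm: TpmModel, log: list) -> list:
    """Extend every event into the banks that earlier firmware left untouched.
    Returns the list of banks that were replayed (empty if none needed it)."""
    banks = [bank for bank in BANKS if bank_untouched(tpm, bank)]
    for event in log:
        for bank in banks:
            tpm.extend(event.pcr, bank, event.digests[bank])
    return banks


def expected_pcr(log: list, pcr: int, bank: str) -> bytes:
    """Fold the log's digests for one PCR from the zero state, as a verifier would."""
    value = bytes(DIGEST_LEN[bank])
    for event in log:
        if event.pcr == pcr:
            value = hashlib.new(bank, value + event.digests[bank]).digest()
    return value


def log_matches_pcrs(tpm: TpmModel, log: list, bank: str) -> bool:
    """Verifier-side check: every PCR the log touches must equal the replayed value."""
    touched = {event.pcr for event in log}
    return all(tpm.read(pcr, bank) == expected_pcr(log, pcr, bank) for pcr in touched)


def make_event(pcr: int, data: bytes) -> Event:
    """Build a constructed event whose per-bank digests are the hashes of `data`."""
    return Event(pcr, {bank: hashlib.new(bank, data).digest() for bank in BANKS})


# Constructed sample log: three measurements, two into PCR0 and one into PCR2.
SAMPLE_LOG = [
    make_event(0, b"constructed: SPL image"),
    make_event(0, b"constructed: TF-A BL31"),
    make_event(2, b"constructed: device tree"),
]


if __name__ == "__main__":
    fresh = TpmModel()
    print("replayed banks:", replay_eventlog(fresh, SAMPLE_LOG))
    print("second replay:", replay_eventlog(fresh, SAMPLE_LOG))  # nothing to do
    print("log matches sha256 PCRs:", log_matches_pcrs(fresh, SAMPLE_LOG, "sha256"))

    # Earlier firmware extended only the sha256 bank; only sha1 needs replaying.
    mixed = TpmModel()
    for event in SAMPLE_LOG:
        mixed.extend(event.pcr, "sha256", event.digests["sha256"])
    print("replayed banks (mixed):", replay_eventlog(mixed, SAMPLE_LOG))
```

The per-bank decision is the one place this example deliberately differs from the patch, which sets a single flag when any bank of PCR0 is zero; running the `mixed` case shows why that matters, since a second extend of the already-populated sha256 bank would make the eventlog no longer reproduce the PCR and the attestation check in log_matches_pcrs would fail.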