From patchwork Wed Mar 24 14:50:46 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ilias Apalodimas X-Patchwork-Id: 407836 Delivered-To: patch@linaro.org Received: by 2002:a02:8562:0:0:0:0:0 with SMTP id g89csp477928jai; Wed, 24 Mar 2021 07:50:58 -0700 (PDT) X-Google-Smtp-Source: ABdhPJziPP9B8CTSpPkf8H9kfTYZpThV/4mak5h5hSdv4wpBeCfHM/A6lEl5qAdX2PXjIsawupiA X-Received: by 2002:a17:907:720a:: with SMTP id dr10mr3991893ejc.375.1616597458486; Wed, 24 Mar 2021 07:50:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1616597458; cv=none; d=google.com; s=arc-20160816; b=nB/CBgcFyCMjcuZrVIEwBxoKqroaNuY5xexn7eVpQ+CLw88UEX2TxtcviIiwCuEDXz TYxez0i5nAbtp005/CPONVBHU5Z0TtIA7VdgNhCJkEjcQ07D6c1UNpav2l1M8eTz3q/n 0zj0yg5eu17kN1g5p4LrlAJjKy5wY3Un+Fgzmegga6yyD/JXKy6mByjYaognlcDRDOwe q6gM3NXZEepgyGcXQ09U8s7KHiUPi/+JVNdU/11AzojNXXOufKGhYNxbdzbePIknvg4I x8Db3Mly+cidVMCTG0d3hNFWF4oGG9s40t7S+T/mmSLT73duKZhw6V86zFro8Y3+nMzm YMeA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:message-id:date:subject:cc:to:from:dkim-signature; bh=v2S1oySmNrUXDZg12cdP2VAc4/y4YgZB8vzoPfUhTTY=; b=jFnhCT2XMJ+ewg17misRevVM/UvMJf41eoD1RshXtaTs9KLA9n2sB5AOdgZi6g5cZq wazilCjksvmP5QFnLOHjcAkzI2VtfKKYnLd3T5fpL+yHRIN3MXT7rwO+uHQ9gF2Eq+72 BvFzjMC6FwGjJItVCDmUB+Z5Jc+08AyNWOZxiJWOH9LenRbwKYXDu/sVE7G1TcHYSW/s ON2XKluCSdRpofA9t9y0uXD/CB2xHe8s7acFRJ1x4uXMYbLq0p2qj+CxTVnmCAd1QhCD CbWYTm3P1DFThoD5myy66pSHZ+9I/I7MzTl4kTdKh8qhKugQ+yAcorK+XhPHKVi3uQed rRHw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=Mo3wPttj; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [85.214.62.61]) by mx.google.com with ESMTPS id t4si1954661ejs.517.2021.03.24.07.50.57 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 24 Mar 2021 07:50:58 -0700 (PDT) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) client-ip=85.214.62.61; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=Mo3wPttj; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id B7F23828E6; Wed, 24 Mar 2021 15:50:54 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="Mo3wPttj"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id B3210828E8; Wed, 24 Mar 2021 15:50:52 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-wr1-x42f.google.com (mail-wr1-x42f.google.com [IPv6:2a00:1450:4864:20::42f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id AC562828C0 for ; Wed, 24 Mar 2021 15:50:49 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=ilias.apalodimas@linaro.org Received: by mail-wr1-x42f.google.com with SMTP id x16so24734716wrn.4 for ; Wed, 24 Mar 2021 07:50:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=v2S1oySmNrUXDZg12cdP2VAc4/y4YgZB8vzoPfUhTTY=; b=Mo3wPttjtVTOmd17OC0ihy65HOhtfAIaLW2bRBrsm2fAOm9xJAEDYezY/1LqKTeA7s dtgesBY7+lmk+CyI9kPWJIShE9kiRzSug8oMKKz+pdf9Oa6AmgHkF/paHxrZDiO8jVL3 RaORltTeol3GSnuYLv+/2dQ6dAzkZg0xSPm/Rtgljro5sH9XtpX5giqksSx6+LVzegUJ 0Emby/VeWWYT6vKzaZAW/0mja8fE3aDP5h31QjD7gQL0tAgy9FGZ9Btu5R2XJsLRoRwf CCP7yI8q49UlfLRA3DP9xqk5F1Kogd9K3AS6N3VVzBCkWSvnyTBzGG1aDkFfKEs6iFA7 /N7Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=v2S1oySmNrUXDZg12cdP2VAc4/y4YgZB8vzoPfUhTTY=; b=hizpHMk0BKJoJsWTS65qZJ5h3cEBQtNASO4XwHWuVZ8V2OIgOT3CTDEYXxVNz5b1lO jxhVfs5tpTvhUuYMb0SONr58zlL1owK6TKQVCj/K3a1c8FLUMT8Ow10ozxBMBZo3cdcx Szgniy0ZupvA4FKYLfGk0nP0HOo6AgRaN1Pw/IJJNgXVvz97fha9y0AQNDMNIC00V60e jeL99Mp4Pu13WpNF2kAhL7lbEq1JpENToo9eaXWnVq63yH5xme2rdZn5WM4QV3/Np8Wc XTRa775tod2e48ovFJjbdPngrmwGFukDkpYE2KmF7y5kTmu/VYqEWLEH0YmqiJ5RxGfY YiDA== X-Gm-Message-State: AOAM533IBHzr6WVsCGtkbAy1ripKXNk/C0HWU9sRL7tF0Hcfcn6S5A5x 7XPf3sbm0ZHamo6QDSGqJpzjYw== X-Received: by 2002:adf:e603:: with SMTP id p3mr3935839wrm.360.1616597449297; Wed, 24 Mar 2021 07:50:49 -0700 (PDT) Received: from localhost.localdomain (ppp-94-64-113-158.home.otenet.gr. [94.64.113.158]) by smtp.gmail.com with ESMTPSA id c131sm2909921wma.37.2021.03.24.07.50.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 24 Mar 2021 07:50:49 -0700 (PDT) From: Ilias Apalodimas To: xypron.glpk@gmx.de Cc: Ilias Apalodimas , Alexander Graf , u-boot@lists.denx.de Subject: [PATCH] efi_loader: Add an S-CRTM even for firmware version Date: Wed, 24 Mar 2021 16:50:46 +0200 Message-Id: <20210324145046.1220041-1-ilias.apalodimas@linaro.org> X-Mailer: git-send-email 2.31.0 MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.4 at phobos.denx.de X-Virus-Status: Clean TCG PC Client Platform Firmware Profile Spec mandates that an S-CRTM event for the version identifier using the event type EV_S_CRTM_VERSION must be measured. So since we are trying to add more conformance into U-Boot, let's add the event using U_BOOT_VERSION_STRING, extend PCR[0] accordingly and log it in the EventLog Signed-off-by: Ilias Apalodimas --- Heinrich this won't apply without my previous patch fixing EFI TCG memory when the protocol installation fails lib/efi_loader/efi_tcg2.c | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) -- 2.31.0 diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index 02de63808f9a..c0efd867a486 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -13,6 +13,7 @@ #include #include #include +#include #include #include #include @@ -1051,6 +1052,36 @@ out: return ret; } +/** + * efi_append_scrtm_version - Append an S-CRTM EV_S_CRTM_VERSION event on the + * eventlog and extend the PCRs + * + * @dev: TPM device + * + * @Return: status code + */ +static efi_status_t efi_append_scrtm_version(struct udevice *dev) +{ + struct tpml_digest_values digest_list; + u8 ver[] = U_BOOT_VERSION_STRING; + const int pcr_index = 0; + efi_status_t ret; + + ret = tcg2_create_digest(ver, sizeof(ver), &digest_list); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_pcr_extend(dev, pcr_index, &digest_list); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_agile_log_append(pcr_index, EV_S_CRTM_VERSION, &digest_list, + sizeof(ver), ver); + +out: + return ret; +} + /** * efi_tcg2_register() - register EFI_TCG2_PROTOCOL * @@ -1074,6 +1105,10 @@ efi_status_t efi_tcg2_register(void) if (ret != EFI_SUCCESS) goto fail; + ret = efi_append_scrtm_version(dev); + if (ret != EFI_SUCCESS) + goto out; + ret = efi_add_protocol(efi_root, &efi_guid_tcg2_protocol, (void *)&efi_tcg2_protocol); if (ret != EFI_SUCCESS) {