From patchwork Wed Jul 14 13:00:01 2021
X-Patchwork-Submitter: Masahisa Kojima
X-Patchwork-Id: 476740
From: Masahisa Kojima
To: Heinrich Schuchardt, Alexander Graf, Ilias Apalodimas, Simon Glass, Masahisa Kojima, Dhananjay Phadke, u-boot@lists.denx.de
Subject: [PATCH v2 1/6] efi_loader: increase eventlog buffer size
Date: Wed, 14 Jul 2021 22:00:01 +0900
Message-Id: <20210714130006.17837-2-masahisa.kojima@linaro.org>
In-Reply-To: <20210714130006.17837-1-masahisa.kojima@linaro.org>

The TCG PC Client PFP spec says "The Log Area Minimum Length for the TCG event log MUST be at least 64KB." in the ACPI chapter. This commit increases the buffer size to 64KB.

Signed-off-by: Masahisa Kojima
---
Changes in v2:
- increase buffer size to 64KB; it follows the minimum size requirement stated in the TCG spec

 lib/efi_loader/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
2.17.1

Reviewed-by: Heinrich Schuchardt

diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index 156b391521..20edac6932 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -326,7 +326,7 @@ config EFI_TCG2_PROTOCOL config EFI_TCG2_PROTOCOL_EVENTLOG_SIZE int "EFI_TCG2_PROTOCOL EventLog size" depends on EFI_TCG2_PROTOCOL - default 4096 + default 65536 help Define the size of the EventLog for EFI_TCG2_PROTOCOL. Note that this is going to be allocated twice. One for the eventlog it self
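Review bot: The `default 65536` change itself is fine, but the help text right below it says the buffer "is going to be allocated twice", so raising the default from 4 KiB to 64 KiB costs 128 KiB of boot-time memory on every board that enables EFI_TCG2_PROTOCOL. Please state that footprint in the help text (and the TCG PFP section being followed in the commit message, rather than just "ACPI chapter") so board maintainers can judge whether the minimum is what they want.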
From: Masahisa Kojima
To: Heinrich Schuchardt, Alexander Graf, Ilias Apalodimas, Simon Glass, Masahisa Kojima, Dhananjay Phadke, u-boot@lists.denx.de
Subject: [PATCH v2 2/6] efi_loader: add secure boot variable measurement
Date: Wed, 14 Jul 2021 22:00:02 +0900
Message-Id: <20210714130006.17837-3-masahisa.kojima@linaro.org>
In-Reply-To: <20210714130006.17837-1-masahisa.kojima@linaro.org>

The TCG PC Client PFP spec requires measuring the secure boot policy before validating the UEFI image. This commit adds the secure boot variable measurement of "SecureBoot", "PK", "KEK", "db" and "dbx". Note that this implementation assumes that secure boot variables are pre-configured and are not set/updated at runtime.

Signed-off-by: Masahisa Kojima
---
Changes in v2:
- missing null check for getting variable data
- some minor fixes for readability

 include/efi_tcg2.h        |  20 ++++++
 lib/efi_loader/efi_tcg2.c | 139 ++++++++++++++++++++++++++++++++++
 2 files changed, 159 insertions(+)

-- 
2.17.1

diff --git a/include/efi_tcg2.h b/include/efi_tcg2.h
index bcfb98168a..8d7b77c087 100644
--- a/include/efi_tcg2.h
+++ b/include/efi_tcg2.h
@@ -142,6 +142,26 @@ struct efi_tcg2_final_events_table { struct tcg_pcr_event2 event[]; }; +/** + * struct tdUEFI_VARIABLE_DATA + * @variable_name: The vendorGUID parameter in the + * GetVariable() API. + * @unicode_name_length: The length in CHAR16 of the Unicode name of + * the variable. + * @variable_data_length: The size of the variable data. + * @unicode_name: The CHAR16 unicode name of the variable + * without NULL-terminator. + * @variable_data: The data parameter of the efi variable + * in the GetVariable() API. + */ +struct efi_tcg2_uefi_variable_data { + efi_guid_t variable_name; + u64 unicode_name_length; + u64 variable_data_length; + u16 unicode_name[1]; + u8 variable_data[1]; +}; + struct efi_tcg2_protocol { efi_status_t (EFIAPI * get_capability)(struct efi_tcg2_protocol *this, struct efi_tcg2_boot_service_capability *capability); diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index 1319a8b378..12db6f6b7c 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -78,6 +78,19 @@ static const struct digest_info hash_algo_list[] = { }, }; +struct variable_info { + u16 *name; + const efi_guid_t *guid; +}; + +static struct variable_info secure_variables[] = { + {L"SecureBoot", &efi_global_variable_guid}, + {L"PK", &efi_global_variable_guid}, + {L"KEK", &efi_global_variable_guid}, + {L"db", &efi_guid_image_security_database}, + {L"dbx", &efi_guid_image_security_database}, +}; + #define MAX_HASH_COUNT ARRAY_SIZE(hash_algo_list) /** 
@@ -1264,6 +1277,39 @@ free_pool: return ret; } +/** + * tcg2_measure_event() - common function to add event log and extend PCR + * + * @dev: TPM device + * @pcr_index: PCR index + * @event_type: type of event added + * @size: event size + * @event: event data + * + * Return: status code + */ +static efi_status_t EFIAPI +tcg2_measure_event(struct udevice *dev, u32 pcr_index, u32 event_type, + u32 size, u8 event[]) +{ + struct tpml_digest_values digest_list; + efi_status_t ret; + + ret = tcg2_create_digest(event, size, &digest_list); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_pcr_extend(dev, pcr_index, &digest_list); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_agile_log_append(pcr_index, event_type, &digest_list, + size, event); + +out: + return ret; +} + /** * efi_append_scrtm_version - Append an S-CRTM EV_S_CRTM_VERSION event on the * eventlog and extend the PCRs 
@@ -1294,6 +1340,92 @@ out: return ret; } +/** + * tcg2_measure_variable() - add variable event log and extend PCR + * + * @dev: TPM device + * @pcr_index: PCR index + * @event_type: type of event added + * @var_name: variable name + * @guid: guid + * @data_size: variable data size + * @data: variable data + * + * Return: status code + */ +static efi_status_t tcg2_measure_variable(struct udevice *dev, u32 pcr_index, + u32 event_type, u16 *var_name, + const efi_guid_t *guid, + efi_uintn_t data_size, u8 *data) +{ + u32 event_size; + efi_status_t ret; + struct efi_tcg2_uefi_variable_data *event; + + event_size = sizeof(event->variable_name) + + sizeof(event->unicode_name_length) + + sizeof(event->variable_data_length) + + (u16_strlen(var_name) * sizeof(u16)) + data_size; + event = malloc(event_size); + if (!event) + return EFI_OUT_OF_RESOURCES; + + guidcpy(&event->variable_name, guid); + event->unicode_name_length = u16_strlen(var_name); + event->variable_data_length = data_size; + memcpy(event->unicode_name, var_name, + (event->unicode_name_length * sizeof(u16))); + memcpy((u16 *)event->unicode_name + event->unicode_name_length, + data, data_size); + ret = tcg2_measure_event(dev, pcr_index, event_type, event_size, + (u8 *)event); + free(event); + return ret; +} + +/** + * tcg2_measure_secure_boot_variable() - measure secure boot variables + * + * @dev: TPM device + * + * Return: status code + */ +static efi_status_t tcg2_measure_secure_boot_variable(struct udevice *dev) +{ + u8 *data; + efi_uintn_t data_size; + u32 count, i; + efi_status_t ret; + + count = ARRAY_SIZE(secure_variables); + for (i = 0; i < count; i++) { + data = efi_get_var(secure_variables[i].name, + secure_variables[i].guid, + &data_size); + if (data == NULL) { + log_info("%ls not found\n", secure_variables[i].name); + continue; + } + + ret = tcg2_measure_variable(dev, 7, + EV_EFI_VARIABLE_DRIVER_CONFIG, + secure_variables[i].name, + secure_variables[i].guid, + data_size, (u8 *)data); + free(data); + 
if (ret != EFI_SUCCESS) + goto error; + } + + /* + * TODO: add DBT and DBR measurement support when u-boot supports + * these variables. + */ + +error: + return ret; +} + /** * efi_tcg2_register() - register EFI_TCG2_PROTOCOL * 
@@ -1328,6 +1460,13 @@ efi_status_t efi_tcg2_register(void) tcg2_uninit(); goto fail; } + + ret = tcg2_measure_secure_boot_variable(dev); + if (ret != EFI_SUCCESS) { + tcg2_uninit(); + goto fail; + } + return ret; fail:
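Review bot: In the include/efi_tcg2.h hunk, `unicode_name[1]` and `variable_data[1]` in struct efi_tcg2_uefi_variable_data stand in for two variable-length regions, and `variable_data` can never actually live at its declared offset once the name is longer than one CHAR16; tcg2_measure_variable() in this patch accordingly never touches that member and writes the data via pointer arithmetic instead. Either drop `variable_data[1]` or document that it must not be addressed directly, so its offset is not mistaken for the position of the data. Also, the kernel-doc title `struct tdUEFI_VARIABLE_DATA` does not match the C name `efi_tcg2_uefi_variable_data`.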
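Review bot: In the hunk adding `secure_variables[]`, both the array and `struct variable_info::name` point at `L"..."` string literals and are never modified, so they should be `static const struct variable_info secure_variables[]` with `const u16 *name`; a non-const `u16 *` to a string literal invites an accidental write later.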
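Review bot: `EFIAPI` on `tcg2_measure_event()` is unnecessary: the function is static and only called from C code in this file, never through an EFI protocol table, and the other static helpers in this patch (tcg2_measure_variable(), tcg2_measure_secure_boot_variable()) do not carry it. Drop the attribute for consistency.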
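Review bot: In tcg2_measure_secure_boot_variable(), `ret` is declared without an initializer and is only assigned after a successful efi_get_var(); when every variable is absent (each iteration takes the `continue` path that the `%ls not found` log makes explicit), `error: return ret;` returns an indeterminate value, and efi_tcg2_register() then decides whether to tear down the protocol based on it. Initialize `ret = EFI_SUCCESS` before the loop, or decide explicitly what a missing variable should mean. Smaller points in the same hunk: `(u8 *)data` is a no-op cast since `data` is already `u8 *`, `data == NULL` should be `!data` per checkpatch, the PCR index `7` deserves a named constant, and tcg2_measure_variable() calls `u16_strlen(var_name)` twice where the first result is already kept in `event->unicode_name_length`.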
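Review bot: Calling tcg2_measure_secure_boot_variable() from efi_tcg2_register() ties the measurement to protocol registration time, which is exactly what the commit message's "pre-configured and not set/updated at runtime" assumption relies on; a one-line comment at the call site saying that later SetVariable() updates to PK/KEK/db/dbx are not re-measured would make that limitation visible to the next reader. Note also that with this hunk any measurement failure unregisters the whole TCG2 protocol via tcg2_uninit(); if that is the intended policy, say so in the commit message.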
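Added example, not U-Boot code: it serialises a UEFI_VARIABLE_DATA event with the same byte layout that the new tcg2_measure_variable() produces (GUID, two u64 lengths, UCS-2 name without NUL, raw data), parses it back with bounds checks, and replays the SHA-256 PCR extend so the expected PCR 7 value can be recomputed offline from an event log. The two GUIDs are the well-known UEFI vendor GUIDs behind `efi_global_variable_guid` and `efi_guid_image_security_database`; the variable contents are constructed sample values.

```python
"""Build, parse and replay TCG UEFI_VARIABLE_DATA events (added example)."""
import hashlib
import struct
import uuid

# Well-known UEFI vendor GUIDs used by the secure_variables[] table.
EFI_GLOBAL_VARIABLE_GUID = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")
EFI_IMAGE_SECURITY_DATABASE_GUID = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")

# Fixed-size head of struct efi_tcg2_uefi_variable_data: 16-byte GUID in
# EFI (little-endian field) layout, u64 unicode_name_length counted in
# CHAR16 units, u64 variable_data_length counted in bytes.
_HEADER = struct.Struct("<16sQQ")


def build_variable_event(guid: uuid.UUID, name: str, data: bytes) -> bytes:
    """Serialise one event exactly as tcg2_measure_variable() lays it out.

    Header, then the UCS-2 name with no terminating NUL, then the raw data;
    UTF-16-LE equals UCS-2 for the BMP-only names used for UEFI variables.
    """
    name_ucs2 = name.encode("utf-16-le")
    header = _HEADER.pack(guid.bytes_le, len(name), len(data))
    return header + name_ucs2 + data


def parse_variable_event(blob: bytes) -> tuple:
    """Parse an event back into (guid, name, data), rejecting inconsistent sizes."""
    if len(blob) < _HEADER.size:
        raise ValueError("event shorter than UEFI_VARIABLE_DATA header")
    raw_guid, name_len, data_len = _HEADER.unpack_from(blob)
    name_end = _HEADER.size + 2 * name_len
    data_end = name_end + data_len
    if data_end != len(blob):
        raise ValueError("length fields do not match event size")
    name = blob[_HEADER.size:name_end].decode("utf-16-le")
    return uuid.UUID(bytes_le=raw_guid), name, blob[name_end:data_end]


def extend_pcr(pcr: bytes, event: bytes) -> bytes:
    """TPM 2.0 PCR extend for the SHA-256 bank: new = H(old || H(event))."""
    digest = hashlib.sha256(event).digest()
    return hashlib.sha256(pcr + digest).digest()


def replay_pcr(events: list) -> bytes:
    """Recompute the expected PCR value from an ordered list of event blobs.

    PCRs 0-15 start as all zeros on a TPM 2.0, so a verifier can replay the
    EV_EFI_VARIABLE_DRIVER_CONFIG events into PCR 7 and compare with a quote.
    """
    pcr = bytes(32)
    for ev in events:
        pcr = extend_pcr(pcr, ev)
    return pcr


def sample_event_size(name: str, data: bytes) -> int:
    """Size formula from the patch: 16 + 8 + 8 + 2 * u16_strlen(name) + data_size."""
    return len(build_variable_event(EFI_GLOBAL_VARIABLE_GUID, name, data))


# Constructed sample contents, in the order secure_variables[] measures them.
SAMPLE_EVENTS = [
    build_variable_event(EFI_GLOBAL_VARIABLE_GUID, "SecureBoot", b"\x01"),
    build_variable_event(EFI_GLOBAL_VARIABLE_GUID, "PK", b"pk-sample-bytes"),
    build_variable_event(EFI_IMAGE_SECURITY_DATABASE_GUID, "db", b"db-sample-bytes"),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        guid, name, data = parse_variable_event(ev)
        print(f"{name:<10} {guid}  {len(data):3d} data bytes  "
              f"sha256={hashlib.sha256(ev).hexdigest()[:16]}...")
    print("expected PCR7:", replay_pcr(SAMPLE_EVENTS).hex())
```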
From: Masahisa Kojima
To: Heinrich Schuchardt, Alexander Graf, Ilias Apalodimas, Simon Glass, Masahisa Kojima, Dhananjay Phadke, u-boot@lists.denx.de
Subject: [PATCH v2 3/6] efi_loader: add boot variable measurement
Date: Wed, 14 Jul 2021 22:00:03 +0900
Message-Id: <20210714130006.17837-4-masahisa.kojima@linaro.org>
In-Reply-To: <20210714130006.17837-1-masahisa.kojima@linaro.org>

The TCG PC Client PFP spec requires measuring the "Boot####" and "BootOrder" variables and the EV_SEPARATOR event prior to the Ready to Boot invocation. Since u-boot does not implement the Ready to Boot event, these measurements are performed when efi_start_image() is called. The TCG spec also requires measuring "Calling EFI Application from Boot Option" for each boot attempt, and "Returning from EFI Application from Boot Option" if a boot device returns control back to the Boot Manager.

Signed-off-by: Masahisa Kojima
---
Changes in v2:
- use efi_create_indexed_name() for "Boot####" variable

 include/efi_loader.h          |   4 ++
 include/tpm-v2.h              |  18 ++++-
 lib/efi_loader/efi_boottime.c |  20 ++++++
 lib/efi_loader/efi_tcg2.c     | 121 ++++++++++++++++++++++++++++++++++
 4 files changed, 162 insertions(+), 1 deletion(-)

-- 
2.17.1

diff --git a/include/efi_loader.h b/include/efi_loader.h
index b81180cfda..703b675950 100644
--- a/include/efi_loader.h
+++ b/include/efi_loader.h
@@ -407,6 +407,10 @@ efi_status_t efi_run_image(void *source_buffer, efi_uintn_t source_size); efi_status_t efi_init_variables(void); /* Notify ExitBootServices() is called */ void efi_variables_boot_exit_notify(void); +/* Measure efi application invocation */ +efi_status_t EFIAPI efi_tcg2_measure_efi_app_invocation(void); +/* Measure efi application exit */ +efi_status_t EFIAPI efi_tcg2_measure_efi_app_exit(void); /* Called by bootefi to initialize root node */ efi_status_t efi_root_node_register(void); /* Called by bootefi to initialize runtime */ diff --git a/include/tpm-v2.h b/include/tpm-v2.h index 247b386967..325c73006e 100644 --- a/include/tpm-v2.h +++ b/include/tpm-v2.h @@ -73,7 +73,7 @@ struct udevice; /* * event types, cf. * "TCG PC Client Platform Firmware Profile Specification", Family "2.0" - * rev 1.04, June 3, 2019 + * Level 00 Version 1.05 Revision 23, May 7, 2021 */ #define EV_EFI_EVENT_BASE ((u32)0x80000000) #define EV_EFI_VARIABLE_DRIVER_CONFIG ((u32)0x80000001) 
@@ -85,8 +85,24 @@ struct udevice; #define EV_EFI_ACTION ((u32)0x80000007) #define EV_EFI_PLATFORM_FIRMWARE_BLOB ((u32)0x80000008) #define EV_EFI_HANDOFF_TABLES ((u32)0x80000009) +#define EV_EFI_PLATFORM_FIRMWARE_BLOB2 ((u32)0x8000000A) +#define EV_EFI_HANDOFF_TABLES2 ((u32)0x8000000B) +#define EV_EFI_VARIABLE_BOOT2 ((u32)0x8000000C) #define EV_EFI_HCRTM_EVENT ((u32)0x80000010) #define EV_EFI_VARIABLE_AUTHORITY ((u32)0x800000E0) +#define EV_EFI_SPDM_FIRMWARE_BLOB ((u32)0x800000E1) +#define EV_EFI_SPDM_FIRMWARE_CONFIG ((u32)0x800000E2) + +#define EFI_CALLING_EFI_APPLICATION \ + "Calling EFI Application from Boot Option" +#define EFI_RETURNING_FROM_EFI_APPLICATION \ + "Returning from EFI Application from Boot Option" +#define EFI_EXIT_BOOT_SERVICES_INVOCATION \ + "Exit Boot Services Invocation" +#define EFI_EXIT_BOOT_SERVICES_FAILED \ + "Exit Boot Services Returned with Failure" +#define EFI_EXIT_BOOT_SERVICES_SUCCEEDED \ + "Exit Boot Services Returned with Success" /* TPMS_TAGGED_PROPERTY Structure */ struct tpms_tagged_property { diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/efi_boottime.c index f6d5ba05e3..2914800c56 100644 --- a/lib/efi_loader/efi_boottime.c +++ b/lib/efi_loader/efi_boottime.c @@ -2993,6 +2993,16 @@ efi_status_t EFIAPI efi_start_image(efi_handle_t image_handle, image_obj->exit_status = &exit_status; image_obj->exit_jmp = &exit_jmp; + if (IS_ENABLED(CONFIG_EFI_TCG2_PROTOCOL)) { + if (image_obj->image_type == IMAGE_SUBSYSTEM_EFI_APPLICATION) { + ret = efi_tcg2_measure_efi_app_invocation(); + if (ret != EFI_SUCCESS) { + EFI_PRINT("tcg2 measurement fails(0x%lx)\n", + ret); + } + } + } + /* call the image! */ if (setjmp(&exit_jmp)) { /* 
@@ -3251,6 +3261,16 @@ static efi_status_t EFIAPI efi_exit(efi_handle_t image_handle, exit_status != EFI_SUCCESS) efi_delete_image(image_obj, loaded_image_protocol); + if (IS_ENABLED(CONFIG_EFI_TCG2_PROTOCOL)) { + if (image_obj->image_type == IMAGE_SUBSYSTEM_EFI_APPLICATION) { + ret = efi_tcg2_measure_efi_app_exit(); + if (ret != EFI_SUCCESS) { + EFI_PRINT("tcg2 measurement fails(0x%lx)\n", + ret); + } + } + } + /* Make sure entry/exit counts for EFI world cross-overs match */ EFI_EXIT(exit_status); diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index 12db6f6b7c..d59fc5a890 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -35,6 +35,7 @@ struct event_log_buffer { }; static struct event_log_buffer event_log; +static bool tcg2_efi_app_invoked; /* * When requesting TPM2_CAP_TPM_PROPERTIES the value is on a standard offset. * Since the current tpm2_get_capability() response buffers starts at 
@@ -1383,6 +1384,126 @@ static efi_status_t tcg2_measure_variable(struct udevice *dev, u32 pcr_index, return ret; } +/** + * tcg2_measure_boot_variable() - measure boot variables + * + * @dev: TPM device + * + * Return: status code + */ +static efi_status_t tcg2_measure_boot_variable(struct udevice *dev) +{ + u16 *boot_order; + u16 *boot_index; + u16 var_name[] = L"BootOrder"; + u16 boot_name[] = L"Boot####"; + u8 *bootvar; + efi_uintn_t var_data_size; + u32 count, i; + efi_status_t ret; + + boot_order = efi_get_var(var_name, &efi_global_variable_guid, + &var_data_size); + if (!boot_order) { + log_info("BootOrder not defined\n"); + ret = EFI_NOT_FOUND; + goto error; + } + + ret = tcg2_measure_variable(dev, 1, EV_EFI_VARIABLE_BOOT2, var_name, + &efi_global_variable_guid, var_data_size, + (u8 *)boot_order); + if (ret != EFI_SUCCESS) + goto error; + + count = var_data_size / sizeof(*boot_order); + boot_index = boot_order; + for (i = 0; i < count; i++) { + efi_create_indexed_name(boot_name, sizeof(boot_name), "Boot", *boot_index++); + + bootvar = efi_get_var(boot_name, &efi_global_variable_guid, + &var_data_size); + + if (!bootvar) { + log_info("%ls not found\n", boot_name); + continue; + } + + ret = tcg2_measure_variable(dev, 1, EV_EFI_VARIABLE_BOOT2, + boot_name, + &efi_global_variable_guid, + var_data_size, bootvar); + free(bootvar); + if (ret != EFI_SUCCESS) + goto error; + } + +error: + free(boot_order); + return ret; +} + +/** + * efi_tcg2_measure_efi_app_invocation() - measure efi app invocation + * + * Return: status code + */ +efi_status_t EFIAPI efi_tcg2_measure_efi_app_invocation(void) +{ + efi_status_t ret; + u32 pcr_index; + struct udevice *dev; + u32 event = 0; + + if (tcg2_efi_app_invoked) + return EFI_SUCCESS; + + ret = platform_get_tpm2_device(&dev); + if (ret != EFI_SUCCESS) + return ret; + + ret = tcg2_measure_boot_variable(dev); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_measure_event(dev, 4, EV_EFI_ACTION, + 
strlen(EFI_CALLING_EFI_APPLICATION), + (u8 *)EFI_CALLING_EFI_APPLICATION); + if (ret != EFI_SUCCESS) + goto out; + + for (pcr_index = 0; pcr_index <= 7; pcr_index++) { + ret = tcg2_measure_event(dev, pcr_index, EV_SEPARATOR, + sizeof(event), (u8 *)&event); + if (ret != EFI_SUCCESS) + goto out; + } + + tcg2_efi_app_invoked = true; +out: + return ret; +} + +/** + * efi_tcg2_measure_efi_app_exit() - measure efi app exit + * + * Return: status code + */ +efi_status_t EFIAPI efi_tcg2_measure_efi_app_exit(void) +{ + efi_status_t ret; + struct udevice *dev; + + ret = platform_get_tpm2_device(&dev); + if (ret != EFI_SUCCESS) + return ret; + + ret = tcg2_measure_event(dev, 4, EV_EFI_ACTION, + strlen(EFI_RETURNING_FROM_EFI_APPLICATION), + (u8 *)EFI_RETURNING_FROM_EFI_APPLICATION); + return ret; +} + /** * tcg2_measure_secure_boot_variable() - measure secure boot variables *
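Review bot: in tcg2_measure_boot_variable() a missing BootOrder returns EFI_NOT_FOUND, which efi_tcg2_measure_efi_app_invocation() treats as fatal (goto out before the EV_EFI_ACTION and EV_SEPARATOR events), so on a system with no BootOrder variable, e.g. an image started directly from the command line rather than via a boot option, neither "Calling EFI Application from Boot Manager" nor the PCR 0-7 separators are ever measured and tcg2_efi_app_invoked stays false. An absent Boot#### is already skipped with `continue`; treat an absent BootOrder the same way (log it, set ret = EFI_SUCCESS and jump to the label) instead of propagating EFI_NOT_FOUND. The same partial-failure problem exists inside the separator loop: if measuring PCR n fails, the flag is never set and a later retry re-extends separators 0..n-1, producing duplicate events. Separately, efi_tcg2_measure_efi_app_exit() does not check tcg2_efi_app_invoked, so an exit event can be logged with no preceding invocation event; guarding it with the same flag keeps the PCR 4 log pairwise consistent.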
From patchwork Wed Jul 14 13:00:04 2021
X-Patchwork-Id: 476743
From: Masahisa Kojima
To: Heinrich Schuchardt, Alexander Graf, Ilias Apalodimas, Simon Glass, Masahisa Kojima, Dhananjay Phadke, u-boot@lists.denx.de
Subject: [PATCH v2 4/6] efi_loader: add ExitBootServices() measurement
Date: Wed, 14 Jul 2021 22:00:04 +0900
Message-Id: <20210714130006.17837-5-masahisa.kojima@linaro.org>
In-Reply-To: <20210714130006.17837-1-masahisa.kojima@linaro.org>
References: <20210714130006.17837-1-masahisa.kojima@linaro.org>

The TCG PC Client PFP spec requires measuring "Exit Boot Services Invocation" if ExitBootServices() is invoked. Depending upon the return code from the ExitBootServices() call, "Exit Boot Services Returned with Success" or "Exit Boot Services Returned with Failure" is also measured.
Signed-off-by: Masahisa Kojima --- Changes in v2: - use strlen instead of sizeof, event log for EV_EFI_ACTION string shall not include NUL terminator include/efi_loader.h | 1 + lib/efi_loader/efi_boottime.c | 5 +++ lib/efi_loader/efi_tcg2.c | 70 +++++++++++++++++++++++++++++++++++ 3 files changed, 76 insertions(+) -- 2.17.1 diff --git a/include/efi_loader.h b/include/efi_loader.h index 703b675950..355fd184bc 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -407,6 +407,7 @@ efi_status_t efi_run_image(void *source_buffer, efi_uintn_t source_size); efi_status_t efi_init_variables(void); /* Notify ExitBootServices() is called */ void efi_variables_boot_exit_notify(void); +efi_status_t efi_tcg2_notify_exit_boot_services_failed(void); /* Measure efi application invocation */ efi_status_t EFIAPI efi_tcg2_measure_efi_app_invocation(void); /* Measure efi application exit */ diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/efi_boottime.c index 2914800c56..6e07ef65bc 100644 --- a/lib/efi_loader/efi_boottime.c +++ b/lib/efi_loader/efi_boottime.c @@ -2181,6 +2181,11 @@ static efi_status_t EFIAPI efi_exit_boot_services(efi_handle_t image_handle, efi_set_watchdog(0); WATCHDOG_RESET(); out: + if (ret != EFI_SUCCESS) { + if (IS_ENABLED(CONFIG_EFI_TCG2_PROTOCOL)) + efi_tcg2_notify_exit_boot_services_failed(); + } + return EFI_EXIT(ret); } diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index d59fc5a890..32e3818af4 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c 
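Review bot: in the include/efi_loader.h hunk the new efi_tcg2_notify_exit_boot_services_failed() prototype is inserted directly after `void efi_variables_boot_exit_notify(void);` with no comment of its own, so it reads as a second function under the "Notify ExitBootServices() is called" comment, while every neighbouring efi_tcg2_* prototype has one. Add a one-line comment (for example `/* Measure ExitBootServices() failure */`) and place it next to the other efi_tcg2_* declarations that follow.

Review bot: in the lib/efi_loader/efi_boottime.c hunk the status returned by efi_tcg2_notify_exit_boot_services_failed() is dropped silently at `out:`, whereas efi_exit() in patch 3/6 at least logs a failed measurement with EFI_PRINT(); log it the same way so that a missing "Exit Boot Services Returned with Failure" event in PCR 5 can be explained from the console. A short comment here that the success case is measured elsewhere, from the EVT_SIGNAL_EXIT_BOOT_SERVICES callback registered in efi_tcg2.c, would also save the next reader from looking for the matching success path in this function.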
@@ -1504,6 +1504,67 @@ efi_status_t EFIAPI efi_tcg2_measure_efi_app_exit(void) return ret; } +/** + * efi_tcg2_notify_exit_boot_services() - ExitBootService callback + * + * @event: callback event + * @context: callback context + */ +static void EFIAPI +efi_tcg2_notify_exit_boot_services(struct efi_event *event, void *context) +{ + efi_status_t ret; + struct udevice *dev; + + EFI_ENTRY("%p, %p", event, context); + + ret = platform_get_tpm2_device(&dev); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION, + strlen(EFI_EXIT_BOOT_SERVICES_INVOCATION), + (u8 *)EFI_EXIT_BOOT_SERVICES_INVOCATION); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION, + strlen(EFI_EXIT_BOOT_SERVICES_SUCCEEDED), + (u8 *)EFI_EXIT_BOOT_SERVICES_SUCCEEDED); + +out: + EFI_EXIT(ret); +} + +/** + * efi_tcg2_notify_exit_boot_services_failed() + * - notify ExitBootServices() is failed + * + * Return: status code + */ +efi_status_t efi_tcg2_notify_exit_boot_services_failed(void) +{ + struct udevice *dev; + efi_status_t ret; + + ret = platform_get_tpm2_device(&dev); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION, + strlen(EFI_EXIT_BOOT_SERVICES_INVOCATION), + (u8 *)EFI_EXIT_BOOT_SERVICES_INVOCATION); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION, + strlen(EFI_EXIT_BOOT_SERVICES_FAILED), + (u8 *)EFI_EXIT_BOOT_SERVICES_FAILED); + +out: + return ret; +} + /** * tcg2_measure_secure_boot_variable() - measure secure boot variables * @@ -1558,6 +1619,7 @@ efi_status_t efi_tcg2_register(void) { efi_status_t ret = EFI_SUCCESS; struct udevice *dev; + struct efi_event *event; ret = platform_get_tpm2_device(&dev); if (ret != EFI_SUCCESS) { 
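Review bot: efi_tcg2_notify_exit_boot_services() and efi_tcg2_notify_exit_boot_services_failed() duplicate the EFI_EXIT_BOOT_SERVICES_INVOCATION measurement, and in both cases the invocation event is only written once the outcome is known (from the event callback on success, from the failure path on error), so the log reads "invocation, result" but the invocation is really measured at return time. Measuring EFI_EXIT_BOOT_SERVICES_INVOCATION once at the entry of efi_exit_boot_services() and leaving only the SUCCEEDED or FAILED event to each path would remove the duplicated block and make the invocation event correspond to the actual call. Minor: the kernel-doc line "notify ExitBootServices() is failed" should read "has failed", and the `- notify ...` continuation line is not the usual `name() - description` one-line form.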
@@ -1582,6 +1644,14 @@ efi_status_t efi_tcg2_register(void) goto fail; } + ret = efi_create_event(EVT_SIGNAL_EXIT_BOOT_SERVICES, TPL_CALLBACK, + efi_tcg2_notify_exit_boot_services, NULL, + NULL, &event); + if (ret != EFI_SUCCESS) { + tcg2_uninit(); + goto fail; + } + ret = tcg2_measure_secure_boot_variable(dev); if (ret != EFI_SUCCESS) { tcg2_uninit();
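Review bot: in the efi_tcg2_register() hunk, if tcg2_measure_secure_boot_variable() fails right after efi_create_event() has succeeded, the path calls tcg2_uninit() and goes to fail without closing the event, so the EVT_SIGNAL_EXIT_BOOT_SERVICES callback stays registered and efi_tcg2_notify_exit_boot_services() will still run at ExitBootServices() even though TCG2 registration was abandoned. Close it with efi_close_event(event) on that path, or create the event last, after the secure-boot variable measurement, so that no cleanup is needed.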
From patchwork Wed Jul 14 13:00:05 2021
X-Patchwork-Id: 476744
From: Masahisa Kojima
To: Heinrich Schuchardt, Alexander Graf, Ilias Apalodimas, Simon Glass, Masahisa Kojima, Dhananjay Phadke, u-boot@lists.denx.de
Subject: [PATCH v2 5/6] efi_loader: refactor efi_append_scrtm_version()
Date: Wed, 14 Jul 2021 22:00:05 +0900
Message-Id: <20210714130006.17837-6-masahisa.kojima@linaro.org>
In-Reply-To: <20210714130006.17837-1-masahisa.kojima@linaro.org>
References: <20210714130006.17837-1-masahisa.kojima@linaro.org>

Refactor efi_append_scrtm_version() to use the common function for adding an event log entry and extending the PCR.

Signed-off-by: Masahisa Kojima
---
Changes in v2: no update

lib/efi_loader/efi_tcg2.c | 14 +-------------
1 file changed, 1 insertion(+), 13 deletions(-)

-- 
2.17.1

diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
index 32e3818af4..564ac2255a 100644
--- a/lib/efi_loader/efi_tcg2.c
+++ b/lib/efi_loader/efi_tcg2.c
@@ -1321,23 +1321,11 @@ out: */ static efi_status_t efi_append_scrtm_version(struct udevice *dev) { - struct tpml_digest_values digest_list; u8 ver[] = U_BOOT_VERSION_STRING; - const int pcr_index = 0; efi_status_t ret; - ret = tcg2_create_digest(ver, sizeof(ver), &digest_list); - if (ret != EFI_SUCCESS) - goto out; + ret = tcg2_measure_event(dev, 0, EV_S_CRTM_VERSION, sizeof(ver), ver); - ret = tcg2_pcr_extend(dev, pcr_index, &digest_list); - if (ret != EFI_SUCCESS) - goto out; - - ret = tcg2_agile_log_append(pcr_index, EV_S_CRTM_VERSION, &digest_list, - sizeof(ver), ver); - -out: return ret; }
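Review bot: the refactor keeps sizeof(ver) as the event size, so the EV_S_CRTM_VERSION event data still carries the NUL terminator of U_BOOT_VERSION_STRING, while patch 4/6 of this series switched the EV_EFI_ACTION strings to strlen() because the log "shall not include NUL terminator". Either say in the commit message that the terminator is intentionally kept for EV_S_CRTM_VERSION, or change this call to strlen(ver) in the same series so the two event types are handled consistently; a verifier that recomputes the digest from the logged data has to know which convention applies. Minor: `ret = tcg2_measure_event(...); return ret;` can be a single `return tcg2_measure_event(...);`, which also drops the now unneeded `ret` variable.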
From patchwork Wed Jul 14 13:00:06 2021
X-Patchwork-Id: 476745
From: Masahisa Kojima
To: Heinrich Schuchardt, Alexander Graf, Ilias Apalodimas, Simon Glass, Masahisa Kojima, Dhananjay Phadke, u-boot@lists.denx.de
Subject: [PATCH v2 6/6] efi_loader: add comment for efi_tcg2.h
Date: Wed, 14 Jul 2021 22:00:06 +0900
Message-Id: <20210714130006.17837-7-masahisa.kojima@linaro.org>
In-Reply-To: <20210714130006.17837-1-masahisa.kojima@linaro.org>
References: <20210714130006.17837-1-masahisa.kojima@linaro.org>

This commit adds a comment naming the TCG specifications that the efi_tcg2.h file refers to, and comments for the structures.

Signed-off-by: Masahisa Kojima
---
Changes in v2:
- newly created commit in v2

include/efi_tcg2.h | 51 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)

-- 
2.17.1

diff --git a/include/efi_tcg2.h b/include/efi_tcg2.h
index 8d7b77c087..25613caa19 100644
--- a/include/efi_tcg2.h
+++ b/include/efi_tcg2.h
@@ -3,6 +3,13 @@ * Defines data structures and APIs that allow an OS to interact with UEFI * firmware to query information about the device * + * This file refers the following TCG specification. + * - TCG PC Client Platform Firmware Profile Specification + * https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/ + * + * - TCG EFI Protocol Specification + * https://trustedcomputinggroup.org/resource/tcg-efi-protocol-specification/ + * * Copyright (c) 2020, Linaro Limited */ @@ -36,11 +43,23 @@ typedef u32 efi_tcg_event_log_bitmap; typedef u32 efi_tcg_event_log_format; typedef u32 efi_tcg_event_algorithm_bitmap; +/** + * struct tdEFI_TCG2_VERSION + * @major: major version + * @minor: minor version + */ struct efi_tcg2_version { u8 major; u8 minor; }; +/** + * struct tdEFI_TCG2_EVENT_HEADER + * @header_size: size of the event header + * @header_version: header version + * @pcr_index: index of the PCR that is extended + * @event_type: type of the event that is extended + */ struct efi_tcg2_event_header { u32 header_size; u16 header_version; @@ -48,12 +67,27 @@ struct efi_tcg2_event_header { u32 event_type; } __packed; +/** + * struct tdEFI_TCG2_EVENT + * @size: total size of the event including the size component, the header + * and the event data + * @header: event header + * @event: event to add + */ struct efi_tcg2_event { u32 size; struct efi_tcg2_event_header header; u8 event[]; } __packed; +/** + * struct tdUEFI_IMAGE_LOAD_EVENT + * @image_location_in_memory: image address + * @image_length_in_memory: image size + * @image_link_time_address: image link time address + * @length_of_device_path: devive path size + * @device_path: device path + */ struct uefi_image_load_event { efi_physical_addr_t image_location_in_memory; u64 image_length_in_memory; 
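Review bot: in the file-header hunk "This file refers the following TCG specification." should read "This file refers to the following TCG specifications." since two are listed.

Review bot: in the second hunk the kernel-doc blocks name the structures by their TCG typedef tags (`struct tdEFI_TCG2_VERSION`, `struct tdEFI_TCG2_EVENT_HEADER`) while the declarations that follow are `struct efi_tcg2_version` and `struct efi_tcg2_event_header`; kernel-doc attaches a comment to the struct named on its first line, so these comments will not be matched to the declarations they describe. Put the U-Boot name on the `struct` line and mention the TCG name in the description if it is useful, e.g. `* struct efi_tcg2_version - EFI_TCG2_VERSION`.

Review bot: the third hunk has the same naming mismatch (`struct tdEFI_TCG2_EVENT` for efi_tcg2_event, `struct tdUEFI_IMAGE_LOAD_EVENT` for uefi_image_load_event), and "@length_of_device_path: devive path size" has a typo ("device path size").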
@@ -62,6 +96,23 @@ struct uefi_image_load_event { struct efi_device_path device_path[]; }; +/** + * struct tdEFI_TCG2_BOOT_SERVICE_CAPABILITY + * @size: allocated size of the structure + * @structure_version: version of this structure + * @protocol_version: version of the EFI TCG2 protocol. + * @hash_algorithm_bitmap: supported hash algorithms + * @supported_event_logs: bitmap of supported event log formats + * @tpm_present_flag: false = TPM not present + * @max_command_size: max size (in bytes) of a command + * that can be sent to the TPM + * @max_response_size: max size (in bytes) of a response that + * can be provided by the TPM + * @manufacturer_id: 4-byte Vendor ID + * @number_of_pcr_banks: maximum number of PCR banks + * @active_pcr_banks: bitmap of currently active + * PCR banks (hashing algorithms). + */ struct efi_tcg2_boot_service_capability { u8 size; struct efi_tcg2_version structure_version;