X-Patchwork-Id: 496549
From: Masahisa Kojima
To: Heinrich Schuchardt, Alexander Graf, Ilias Apalodimas, Simon Glass, Masahisa Kojima, Dhananjay Phadke, AKASHI Takahiro, u-boot@lists.denx.de
Subject: [PATCH v4 1/5] efi_loader: add secure boot variable measurement
Date: Fri, 13 Aug 2021 16:12:39 +0900
Message-Id: <20210813071243.18885-2-masahisa.kojima@linaro.org>
In-Reply-To: <20210813071243.18885-1-masahisa.kojima@linaro.org>

TCG PC Client PFP spec requires to measure the secure boot policy before validating the UEFI image. This commit adds the secure boot variable measurement of "SecureBoot", "PK", "KEK", "db", "dbx", "dbt", and "dbr".

Note that this implementation assumes that secure boot variables are pre-configured and not be set/updated in runtime.

Signed-off-by: Masahisa Kojima
---
Changes in v4:
- remove unnecessary EFIAPI specifier
- modify wrong guid for dbt and dbr

Changes in v3:
- add "dbt" and "dbr" measurement
- accept empty variable measurement for "SecureBoot", "PK", "KEK", "db" and "dbx" as TCG2 spec requires
- fix comment format

Changes in v2:
- missing null check for getting variable data
- some minor fix for readability

 include/efi_tcg2.h        |  20 +++++
 lib/efi_loader/efi_tcg2.c | 165 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 185 insertions(+)

--
2.17.1

diff --git a/include/efi_tcg2.h b/include/efi_tcg2.h index bcfb98168a..497ba3ce94 100644 --- a/include/efi_tcg2.h +++ b/include/efi_tcg2.h
@@ -142,6 +142,26 @@ struct efi_tcg2_final_events_table { struct tcg_pcr_event2 event[]; }; +/** + * struct tdUEFI_VARIABLE_DATA - event log structure of UEFI variable + * @variable_name: The vendorGUID parameter in the + * GetVariable() API. + * @unicode_name_length: The length in CHAR16 of the Unicode name of + * the variable. + * @variable_data_length: The size of the variable data. + * @unicode_name: The CHAR16 unicode name of the variable + * without NULL-terminator. + * @variable_data: The data parameter of the efi variable + * in the GetVariable() API. + */ +struct efi_tcg2_uefi_variable_data { + efi_guid_t variable_name; + u64 unicode_name_length; + u64 variable_data_length; + u16 unicode_name[1]; + u8 variable_data[1]; +}; + struct efi_tcg2_protocol { efi_status_t (EFIAPI * get_capability)(struct efi_tcg2_protocol *this, struct efi_tcg2_boot_service_capability *capability); diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index 1319a8b378..db3d6d7586 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -78,6 +78,19 @@ static const struct digest_info hash_algo_list[] = { }, }; +struct variable_info { + u16 *name; + const efi_guid_t *guid; +}; + +static struct variable_info secure_variables[] = { + {L"SecureBoot", &efi_global_variable_guid}, + {L"PK", &efi_global_variable_guid}, + {L"KEK", &efi_global_variable_guid}, + {L"db", &efi_guid_image_security_database}, + {L"dbx", &efi_guid_image_security_database}, +}; + #define MAX_HASH_COUNT ARRAY_SIZE(hash_algo_list) /** 
@@ -1264,6 +1277,39 @@ free_pool: return ret; } +/** + * tcg2_measure_event() - common function to add event log and extend PCR + * + * @dev: TPM device + * @pcr_index: PCR index + * @event_type: type of event added + * @size: event size + * @event: event data + * + * Return: status code + */ +static efi_status_t +tcg2_measure_event(struct udevice *dev, u32 pcr_index, u32 event_type, + u32 size, u8 event[]) +{ + struct tpml_digest_values digest_list; + efi_status_t ret; + + ret = tcg2_create_digest(event, size, &digest_list); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_pcr_extend(dev, pcr_index, &digest_list); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_agile_log_append(pcr_index, event_type, &digest_list, + size, event); + +out: + return ret; +} + /** * efi_append_scrtm_version - Append an S-CRTM EV_S_CRTM_VERSION event on the * eventlog and extend the PCRs 
@@ -1294,6 +1340,118 @@ out: return ret; } +/** + * tcg2_measure_variable() - add variable event log and extend PCR + * + * @dev: TPM device + * @pcr_index: PCR index + * @event_type: type of event added + * @var_name: variable name + * @guid: guid + * @data_size: variable data size + * @data: variable data + * + * Return: status code + */ +static efi_status_t tcg2_measure_variable(struct udevice *dev, u32 pcr_index, + u32 event_type, u16 *var_name, + const efi_guid_t *guid, + efi_uintn_t data_size, u8 *data) +{ + u32 event_size; + efi_status_t ret; + struct efi_tcg2_uefi_variable_data *event; + + event_size = sizeof(event->variable_name) + + sizeof(event->unicode_name_length) + + sizeof(event->variable_data_length) + + (u16_strlen(var_name) * sizeof(u16)) + data_size; + event = malloc(event_size); + if (!event) + return EFI_OUT_OF_RESOURCES; + + guidcpy(&event->variable_name, guid); + event->unicode_name_length = u16_strlen(var_name); + event->variable_data_length = data_size; + memcpy(event->unicode_name, var_name, + (event->unicode_name_length * sizeof(u16))); + if (data) { + memcpy((u16 *)event->unicode_name + event->unicode_name_length, + data, data_size); + } + ret = tcg2_measure_event(dev, pcr_index, event_type, event_size, + (u8 *)event); + free(event); + return ret; +} + +/** + * tcg2_measure_secure_boot_variable() - measure secure boot variables + * + * @dev: TPM device + * + * Return: status code + */ +static efi_status_t tcg2_measure_secure_boot_variable(struct udevice *dev) +{ + u8 *data; + efi_uintn_t data_size; + u32 count, i; + efi_status_t ret; + + count = ARRAY_SIZE(secure_variables); + for (i = 0; i < count; i++) { + /* + * According to the TCG2 PC Client PFP spec, "SecureBoot", + * "PK", "KEK", "db" and "dbx" variables must be measured + * even if they are empty. 
+ */ + data = efi_get_var(secure_variables[i].name, + secure_variables[i].guid, + &data_size); + + ret = tcg2_measure_variable(dev, 7, + EV_EFI_VARIABLE_DRIVER_CONFIG, + secure_variables[i].name, + secure_variables[i].guid, + data_size, data); + free(data); + if (ret != EFI_SUCCESS) + goto error; + } + + /* + * TCG2 PC Client PFP spec says "dbt" and "dbr" are + * measured if present and not empty. + */ + data = efi_get_var(L"dbt", + &efi_guid_image_security_database, + &data_size); + if (data) { + ret = tcg2_measure_variable(dev, 7, + EV_EFI_VARIABLE_DRIVER_CONFIG, + L"dbt", + &efi_guid_image_security_database, + data_size, data); + free(data); + } + + data = efi_get_var(L"dbr", + &efi_guid_image_security_database, + &data_size); + if (data) { + ret = tcg2_measure_variable(dev, 7, + EV_EFI_VARIABLE_DRIVER_CONFIG, + L"dbr", + &efi_guid_image_security_database, + data_size, data); + free(data); + } + +error: + return ret; +} + /** * efi_tcg2_register() - register EFI_TCG2_PROTOCOL * 
@@ -1328,6 +1486,13 @@ efi_status_t efi_tcg2_register(void) tcg2_uninit(); goto fail; } + + ret = tcg2_measure_secure_boot_variable(dev); + if (ret != EFI_SUCCESS) { + tcg2_uninit(); + goto fail; + } + return ret; fail:
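
Review bot: In the include/efi_tcg2.h hunk, the kernel-doc header names "struct tdUEFI_VARIABLE_DATA" while the declaration below it is "struct efi_tcg2_uefi_variable_data", so the comment does not attach to the struct it documents; use the declared name and mention the spec name in the description instead. The trailing members "u16 unicode_name[1]; u8 variable_data[1];" also do not describe the layout that is actually written: tcg2_measure_variable() sums the field sizes by hand and copies the data to unicode_name + unicode_name_length, never through variable_data. A comment stating that variable_data is only a placeholder would keep a later caller from relying on sizeof() or ->variable_data for this type.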
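
Review bot: tcg2_measure_event() (hunk at -1264,6 in lib/efi_loader/efi_tcg2.c) calls tcg2_pcr_extend() before tcg2_agile_log_append(), so when the append fails the function returns an error with the PCR already extended and no matching entry in the event log. The extend cannot be rolled back, so the function comment should say that a failure at this step leaves a log that no longer replays to the PCR value, and an error message at that point would make the condition visible to whoever later tries to verify the log.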
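
Review bot: In tcg2_measure_secure_boot_variable() (hunk at -1294,6), the result of the "dbt" measurement is never checked: ret is overwritten by the "dbr" measurement whenever dbr exists, so a failed dbt extend is reported as success. Add "if (ret != EFI_SUCCESS) goto error;" after the dbt block, as the loop above it already does. In the same hunk, the loop passes data_size to tcg2_measure_variable() even when efi_get_var() returned NULL; data_size has no initializer, and it is added to event_size and stored in variable_data_length while the memcpy() is skipped, so the empty-variable case is only correct if efi_get_var() sets the size to 0 on failure, which is not visible here. Setting data_size to 0 when data is NULL makes that explicit. The literal PCR index 7 appears several times and would read better as a named constant.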

X-Patchwork-Id: 496550
From: Masahisa Kojima
To: Heinrich Schuchardt, Alexander Graf, Ilias Apalodimas, Simon Glass, Masahisa Kojima, Dhananjay Phadke, AKASHI Takahiro, u-boot@lists.denx.de
Subject: [PATCH v4 2/5] efi_loader: add boot variable measurement
Date: Fri, 13 Aug 2021 16:12:40 +0900
Message-Id: <20210813071243.18885-3-masahisa.kojima@linaro.org>
In-Reply-To: <20210813071243.18885-1-masahisa.kojima@linaro.org>

TCG PC Client PFP spec requires to measure "Boot####" and "BootOrder" variables, EV_SEPARATOR event prior to the Ready to Boot invocation. Since u-boot does not implement Ready to Boot event, these measurements are performed when efi_start_image() is called.

TCG spec also requires to measure "Calling EFI Application from Boot Option" for each boot attempt, and "Returning from EFI Application from Boot Option" if a boot device returns control back to the Boot Manager.

Signed-off-by: Masahisa Kojima
---
Changes in v4:
- remove unnecessary EFIAPI specifier

Changes in v3:
- modify log output

Changes in v2:
- use efi_create_indexed_name() for "Boot####" variable

 include/efi_loader.h          |   4 ++
 include/tpm-v2.h              |  18 ++++-
 lib/efi_loader/efi_boottime.c |  20 ++++++
 lib/efi_loader/efi_tcg2.c     | 121 ++++++++++++++++++++++++++++++++++
 4 files changed, 162 insertions(+), 1 deletion(-)

--
2.17.1

diff --git a/include/efi_loader.h b/include/efi_loader.h index a120d94431..6f61e9faac 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h
@@ -499,6 +499,10 @@ efi_status_t efi_run_image(void *source_buffer, efi_uintn_t source_size); efi_status_t efi_init_variables(void); /* Notify ExitBootServices() is called */ void efi_variables_boot_exit_notify(void); +/* Measure efi application invocation */ +efi_status_t efi_tcg2_measure_efi_app_invocation(void); +/* Measure efi application exit */ +efi_status_t efi_tcg2_measure_efi_app_exit(void); /* Called by bootefi to initialize root node */ efi_status_t efi_root_node_register(void); /* Called by bootefi to initialize runtime */ diff --git a/include/tpm-v2.h b/include/tpm-v2.h index 247b386967..325c73006e 100644 --- a/include/tpm-v2.h +++ b/include/tpm-v2.h @@ -73,7 +73,7 @@ struct udevice; /* * event types, cf. * "TCG PC Client Platform Firmware Profile Specification", Family "2.0" - * rev 1.04, June 3, 2019 + * Level 00 Version 1.05 Revision 23, May 7, 2021 */ #define EV_EFI_EVENT_BASE ((u32)0x80000000) #define EV_EFI_VARIABLE_DRIVER_CONFIG ((u32)0x80000001) 
@@ -85,8 +85,24 @@ struct udevice; #define EV_EFI_ACTION ((u32)0x80000007) #define EV_EFI_PLATFORM_FIRMWARE_BLOB ((u32)0x80000008) #define EV_EFI_HANDOFF_TABLES ((u32)0x80000009) +#define EV_EFI_PLATFORM_FIRMWARE_BLOB2 ((u32)0x8000000A) +#define EV_EFI_HANDOFF_TABLES2 ((u32)0x8000000B) +#define EV_EFI_VARIABLE_BOOT2 ((u32)0x8000000C) #define EV_EFI_HCRTM_EVENT ((u32)0x80000010) #define EV_EFI_VARIABLE_AUTHORITY ((u32)0x800000E0) +#define EV_EFI_SPDM_FIRMWARE_BLOB ((u32)0x800000E1) +#define EV_EFI_SPDM_FIRMWARE_CONFIG ((u32)0x800000E2) + +#define EFI_CALLING_EFI_APPLICATION \ + "Calling EFI Application from Boot Option" +#define EFI_RETURNING_FROM_EFI_APPLICATION \ + "Returning from EFI Application from Boot Option" +#define EFI_EXIT_BOOT_SERVICES_INVOCATION \ + "Exit Boot Services Invocation" +#define EFI_EXIT_BOOT_SERVICES_FAILED \ + "Exit Boot Services Returned with Failure" +#define EFI_EXIT_BOOT_SERVICES_SUCCEEDED \ + "Exit Boot Services Returned with Success" /* TPMS_TAGGED_PROPERTY Structure */ struct tpms_tagged_property { diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/efi_boottime.c index 0b98e91813..13ab139222 100644 --- a/lib/efi_loader/efi_boottime.c +++ b/lib/efi_loader/efi_boottime.c @@ -2994,6 +2994,16 @@ efi_status_t EFIAPI efi_start_image(efi_handle_t image_handle, image_obj->exit_status = &exit_status; image_obj->exit_jmp = &exit_jmp; + if (IS_ENABLED(CONFIG_EFI_TCG2_PROTOCOL)) { + if (image_obj->image_type == IMAGE_SUBSYSTEM_EFI_APPLICATION) { + ret = efi_tcg2_measure_efi_app_invocation(); + if (ret != EFI_SUCCESS) { + log_warning("tcg2 measurement fails(0x%lx)\n", + ret); + } + } + } + /* call the image! */ if (setjmp(&exit_jmp)) { /* 
@@ -3252,6 +3262,16 @@ static efi_status_t EFIAPI efi_exit(efi_handle_t image_handle, exit_status != EFI_SUCCESS) efi_delete_image(image_obj, loaded_image_protocol); + if (IS_ENABLED(CONFIG_EFI_TCG2_PROTOCOL)) { + if (image_obj->image_type == IMAGE_SUBSYSTEM_EFI_APPLICATION) { + ret = efi_tcg2_measure_efi_app_exit(); + if (ret != EFI_SUCCESS) { + log_warning("tcg2 measurement fails(0x%lx)\n", + ret); + } + } + } + /* Make sure entry/exit counts for EFI world cross-overs match */ EFI_EXIT(exit_status); diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index db3d6d7586..ed71337780 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -35,6 +35,7 @@ struct event_log_buffer { }; static struct event_log_buffer event_log; +static bool tcg2_efi_app_invoked; /* * When requesting TPM2_CAP_TPM_PROPERTIES the value is on a standard offset. * Since the current tpm2_get_capability() response buffers starts at 
@@ -1385,6 +1386,126 @@ static efi_status_t tcg2_measure_variable(struct udevice *dev, u32 pcr_index, return ret; } +/** + * tcg2_measure_boot_variable() - measure boot variables + * + * @dev: TPM device + * + * Return: status code + */ +static efi_status_t tcg2_measure_boot_variable(struct udevice *dev) +{ + u16 *boot_order; + u16 *boot_index; + u16 var_name[] = L"BootOrder"; + u16 boot_name[] = L"Boot####"; + u8 *bootvar; + efi_uintn_t var_data_size; + u32 count, i; + efi_status_t ret; + + boot_order = efi_get_var(var_name, &efi_global_variable_guid, + &var_data_size); + if (!boot_order) { + ret = EFI_NOT_FOUND; + goto error; + } + + ret = tcg2_measure_variable(dev, 1, EV_EFI_VARIABLE_BOOT2, var_name, + &efi_global_variable_guid, var_data_size, + (u8 *)boot_order); + if (ret != EFI_SUCCESS) + goto error; + + count = var_data_size / sizeof(*boot_order); + boot_index = boot_order; + for (i = 0; i < count; i++) { + efi_create_indexed_name(boot_name, sizeof(boot_name), + "Boot", *boot_index++); + + bootvar = efi_get_var(boot_name, &efi_global_variable_guid, + &var_data_size); + + if (!bootvar) { + log_info("%ls not found\n", boot_name); + continue; + } + + ret = tcg2_measure_variable(dev, 1, EV_EFI_VARIABLE_BOOT2, + boot_name, + &efi_global_variable_guid, + var_data_size, bootvar); + free(bootvar); + if (ret != EFI_SUCCESS) + goto error; + } + +error: + free(boot_order); + return ret; +} + +/** + * efi_tcg2_measure_efi_app_invocation() - measure efi app invocation + * + * Return: status code + */ +efi_status_t efi_tcg2_measure_efi_app_invocation(void) +{ + efi_status_t ret; + u32 pcr_index; + struct udevice *dev; + u32 event = 0; + + if (tcg2_efi_app_invoked) + return EFI_SUCCESS; + + ret = platform_get_tpm2_device(&dev); + if (ret != EFI_SUCCESS) + return ret; + + ret = tcg2_measure_boot_variable(dev); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_measure_event(dev, 4, EV_EFI_ACTION, + strlen(EFI_CALLING_EFI_APPLICATION), + (u8 *)EFI_CALLING_EFI_APPLICATION); 
+ if (ret != EFI_SUCCESS) + goto out; + + for (pcr_index = 0; pcr_index <= 7; pcr_index++) { + ret = tcg2_measure_event(dev, pcr_index, EV_SEPARATOR, + sizeof(event), (u8 *)&event); + if (ret != EFI_SUCCESS) + goto out; + } + + tcg2_efi_app_invoked = true; +out: + return ret; +} + +/** + * efi_tcg2_measure_efi_app_exit() - measure efi app exit + * + * Return: status code + */ +efi_status_t efi_tcg2_measure_efi_app_exit(void) +{ + efi_status_t ret; + struct udevice *dev; + + ret = platform_get_tpm2_device(&dev); + if (ret != EFI_SUCCESS) + return ret; + + ret = tcg2_measure_event(dev, 4, EV_EFI_ACTION, + strlen(EFI_RETURNING_FROM_EFI_APPLICATION), + (u8 *)EFI_RETURNING_FROM_EFI_APPLICATION); + return ret; +} + /** * tcg2_measure_secure_boot_variable() - measure secure boot variables *
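
Review bot: In the efi_start_image() hunk of lib/efi_loader/efi_boottime.c, a failed efi_tcg2_measure_efi_app_invocation() only produces log_warning() and the image is started anyway, so the application runs without the "Calling EFI Application from Boot Option" and EV_SEPARATOR events in the PCRs. If continuing on failure is the intended policy, state that in a comment next to the call; otherwise return the error before the setjmp(). The message text "tcg2 measurement fails(0x%lx)" would also be clearer if it named which measurement failed.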
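
Review bot: The efi_exit() hunk measures "Returning from EFI Application from Boot Option" on every exit of an image whose type is IMAGE_SUBSYSTEM_EFI_APPLICATION, while efi_tcg2_measure_efi_app_invocation() records the matching "Calling" event only once because of the tcg2_efi_app_invoked guard. A second application, or an application started by another one, therefore adds a return event to PCR 4 with no call event before it. Either measure the invocation per attempt or gate the exit measurement on the same condition. The hunk also reuses ret for the measurement status; a dedicated local variable keeps that status from leaking into anything else the function does with ret.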
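
Review bot: In the lib/efi_loader/efi_tcg2.c hunk at -1385,6, tcg2_measure_boot_variable() returns EFI_NOT_FOUND when "BootOrder" is absent, and efi_tcg2_measure_efi_app_invocation() then jumps to out before the EV_EFI_ACTION event and the EV_SEPARATOR loop over PCR 0 to 7, so on a system with no BootOrder variable none of those events is ever recorded. Decide whether a missing BootOrder should be non-fatal and document the choice. Because tcg2_efi_app_invoked is set only after the last separator, a failure partway through also means BootOrder, the Boot#### entries and the earlier separators are measured again on the next efi_start_image() call; tracking what has already been extended would avoid duplicate events. The PCR indices 1 and 4 are bare literals here and would be easier to audit as named constants.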

X-Patchwork-Id: 496551
From: Masahisa Kojima
To: Heinrich Schuchardt, Alexander Graf, Ilias Apalodimas, Simon Glass, Masahisa Kojima, Dhananjay Phadke, AKASHI Takahiro, u-boot@lists.denx.de
Subject: [PATCH v4 3/5] efi_loader: add ExitBootServices() measurement
Date: Fri, 13 Aug 2021 16:12:41 +0900
Message-Id: <20210813071243.18885-4-masahisa.kojima@linaro.org>
In-Reply-To: <20210813071243.18885-1-masahisa.kojima@linaro.org>

TCG PC Client PFP spec requires to measure "Exit Boot Services Invocation" if ExitBootServices() is invoked. Depending upon the return code from the ExitBootServices() call, "Exit Boot Services Returned with Success" or "Exit Boot Services Returned with Failure" is also measured.
Signed-off-by: Masahisa Kojima --- Changes in v4: - remove unnecessary EFIAPI specifier Changes in v2: - use strlen instead of sizeof, event log for EV_EFI_ACTION string shall not include NUL terminator include/efi_loader.h | 1 + lib/efi_loader/efi_boottime.c | 5 +++ lib/efi_loader/efi_tcg2.c | 70 +++++++++++++++++++++++++++++++++++ 3 files changed, 76 insertions(+) -- 2.17.1 diff --git a/include/efi_loader.h b/include/efi_loader.h index 6f61e9faac..32cb8d0f1e 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -499,6 +499,7 @@ efi_status_t efi_run_image(void *source_buffer, efi_uintn_t source_size); efi_status_t efi_init_variables(void); /* Notify ExitBootServices() is called */ void efi_variables_boot_exit_notify(void); +efi_status_t efi_tcg2_notify_exit_boot_services_failed(void); /* Measure efi application invocation */ efi_status_t efi_tcg2_measure_efi_app_invocation(void); /* Measure efi application exit */ diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/efi_boottime.c index 13ab139222..b818cbb540 100644 --- a/lib/efi_loader/efi_boottime.c +++ b/lib/efi_loader/efi_boottime.c @@ -2182,6 +2182,11 @@ static efi_status_t EFIAPI efi_exit_boot_services(efi_handle_t image_handle, efi_set_watchdog(0); WATCHDOG_RESET(); out: + if (ret != EFI_SUCCESS) { + if (IS_ENABLED(CONFIG_EFI_TCG2_PROTOCOL)) + efi_tcg2_notify_exit_boot_services_failed(); + } + return EFI_EXIT(ret); } diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index ed71337780..8557fce1da 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c 
@@ -1506,6 +1506,67 @@ efi_status_t efi_tcg2_measure_efi_app_exit(void) return ret; } +/** + * efi_tcg2_notify_exit_boot_services() - ExitBootService callback + * + * @event: callback event + * @context: callback context + */ +static void +efi_tcg2_notify_exit_boot_services(struct efi_event *event, void *context) +{ + efi_status_t ret; + struct udevice *dev; + + EFI_ENTRY("%p, %p", event, context); + + ret = platform_get_tpm2_device(&dev); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION, + strlen(EFI_EXIT_BOOT_SERVICES_INVOCATION), + (u8 *)EFI_EXIT_BOOT_SERVICES_INVOCATION); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION, + strlen(EFI_EXIT_BOOT_SERVICES_SUCCEEDED), + (u8 *)EFI_EXIT_BOOT_SERVICES_SUCCEEDED); + +out: + EFI_EXIT(ret); +} + +/** + * efi_tcg2_notify_exit_boot_services_failed() + * - notify ExitBootServices() is failed + * + * Return: status code + */ +efi_status_t efi_tcg2_notify_exit_boot_services_failed(void) +{ + struct udevice *dev; + efi_status_t ret; + + ret = platform_get_tpm2_device(&dev); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION, + strlen(EFI_EXIT_BOOT_SERVICES_INVOCATION), + (u8 *)EFI_EXIT_BOOT_SERVICES_INVOCATION); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION, + strlen(EFI_EXIT_BOOT_SERVICES_FAILED), + (u8 *)EFI_EXIT_BOOT_SERVICES_FAILED); + +out: + return ret; +} + /** * tcg2_measure_secure_boot_variable() - measure secure boot variables * @@ -1584,6 +1645,7 @@ efi_status_t efi_tcg2_register(void) { efi_status_t ret = EFI_SUCCESS; struct udevice *dev; + struct efi_event *event; ret = platform_get_tpm2_device(&dev); if (ret != EFI_SUCCESS) { 
@@ -1608,6 +1670,14 @@ efi_status_t efi_tcg2_register(void) goto fail; } + ret = efi_create_event(EVT_SIGNAL_EXIT_BOOT_SERVICES, TPL_CALLBACK, + efi_tcg2_notify_exit_boot_services, NULL, + NULL, &event); + if (ret != EFI_SUCCESS) { + tcg2_uninit(); + goto fail; + } + ret = tcg2_measure_secure_boot_variable(dev); if (ret != EFI_SUCCESS) { tcg2_uninit();
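Review bot: in include/efi_loader.h the new prototype efi_tcg2_notify_exit_boot_services_failed() has no comment of its own and now sits under "/* Notify ExitBootServices() is called */", which belongs to efi_variables_boot_exit_notify(). Every neighbouring declaration carries a one-line description, so add one here, for example "/* Measure the failure of ExitBootServices() */".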
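Review bot: at the `out:` label in efi_exit_boot_services() the status returned by efi_tcg2_notify_exit_boot_services_failed() is discarded, so a TPM or event-log error while recording "Exit Boot Services Returned with Failure" leaves no trace. `ret` already carries the original failure and should not be overwritten, so log the measurement error at this point, or make the helper return void and log inside it. The nested test can also be a single condition: `if (ret != EFI_SUCCESS && IS_ENABLED(CONFIG_EFI_TCG2_PROTOCOL))`.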
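Review bot: efi_tcg2_notify_exit_boot_services() extends PCR 5 with EFI_EXIT_BOOT_SERVICES_SUCCEEDED from inside the EVT_SIGNAL_EXIT_BOOT_SERVICES callback, before efi_exit_boot_services() has settled its return code. If any step after the event is signalled can still fail, the `out:` path measures Invocation and Failed as well, and one call leaves Invocation, Succeeded, Invocation, Failed in the log, which is ambiguous for a verifier replaying PCR 5. Consider measuring only the invocation in the callback and the success or failure string once, where `ret` is final. The two functions also duplicate the invocation measurement and repeat the literal PCR index 5 four times; a shared helper and a named constant would keep them in step.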
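Review bot: the event created in efi_tcg2_register() is not closed on the error path that follows it. When tcg2_measure_secure_boot_variable() fails, the visible code calls tcg2_uninit() and jumps to `fail`, but the EVT_SIGNAL_EXIT_BOOT_SERVICES notification stays registered, so unless the `fail:` block (not shown in this hunk) closes it, the callback will still attempt measurements at ExitBootServices() after TCG2 has been torn down. Either close `event` on that path or create it after the last step that can fail.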
From: Masahisa Kojima
To: Heinrich Schuchardt, Alexander Graf, Ilias Apalodimas, Simon Glass, Masahisa Kojima, Dhananjay Phadke, AKASHI Takahiro, u-boot@lists.denx.de
Subject: [PATCH v4 4/5] efi_loader: refactor efi_append_scrtm_version()
Date: Fri, 13 Aug 2021 16:12:42 +0900
Message-Id: <20210813071243.18885-5-masahisa.kojima@linaro.org>
In-Reply-To: <20210813071243.18885-1-masahisa.kojima@linaro.org>
References: <20210813071243.18885-1-masahisa.kojima@linaro.org>

Refactor efi_append_scrtm_version() to use common function for adding eventlog and extending PCR.
Signed-off-by: Masahisa Kojima --- (no changes since v1) lib/efi_loader/efi_tcg2.c | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) -- 2.17.1 diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index 8557fce1da..2d03809e85 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c
@@ -1321,23 +1321,11 @@ out: */ static efi_status_t efi_append_scrtm_version(struct udevice *dev) { - struct tpml_digest_values digest_list; u8 ver[] = U_BOOT_VERSION_STRING; - const int pcr_index = 0; efi_status_t ret; - ret = tcg2_create_digest(ver, sizeof(ver), &digest_list); - if (ret != EFI_SUCCESS) - goto out; + ret = tcg2_measure_event(dev, 0, EV_S_CRTM_VERSION, sizeof(ver), ver); - ret = tcg2_pcr_extend(dev, pcr_index, &digest_list); - if (ret != EFI_SUCCESS) - goto out; - - ret = tcg2_agile_log_append(pcr_index, EV_S_CRTM_VERSION, &digest_list, - sizeof(ver), ver); - -out: return ret; }
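Review bot: the new tcg2_measure_event() call in efi_append_scrtm_version() passes `sizeof(ver)`, which counts the NUL terminator of U_BOOT_VERSION_STRING, while the EV_EFI_ACTION measurements added earlier in this series use strlen() because that event data shall not include the NUL. The removed code hashed `sizeof(ver)` bytes too, so PCR 0 values do not change, but a short comment stating that the terminator is measured on purpose would keep a later cleanup from altering the digest. With the `out:` label gone, `ret` is redundant and the body can be a single `return tcg2_measure_event(...)`; the literal 0 also drops the name that `pcr_index` gave it.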
From: Masahisa Kojima
To: Heinrich Schuchardt, Alexander Graf, Ilias Apalodimas, Simon Glass, Masahisa Kojima, Dhananjay Phadke, AKASHI Takahiro, u-boot@lists.denx.de
Subject: [PATCH v4 5/5] efi_loader: add comment for efi_tcg2.h
Date: Fri, 13 Aug 2021 16:12:43 +0900
Message-Id: <20210813071243.18885-6-masahisa.kojima@linaro.org>
In-Reply-To: <20210813071243.18885-1-masahisa.kojima@linaro.org>
References: <20210813071243.18885-1-masahisa.kojima@linaro.org>

This commit adds the comment of the TCG Specification efi_tcg2.h file refers, and comment for the structure.
Signed-off-by: Masahisa Kojima --- (no change since v3) Changes in v3: - update comment format Changes in v2: - newly create commit from v2 include/efi_tcg2.h | 57 +++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 54 insertions(+), 3 deletions(-) -- 2.17.1 diff --git a/include/efi_tcg2.h b/include/efi_tcg2.h index 497ba3ce94..b6b958da51 100644 --- a/include/efi_tcg2.h +++ b/include/efi_tcg2.h
@@ -3,6 +3,13 @@ * Defines data structures and APIs that allow an OS to interact with UEFI * firmware to query information about the device * + * This file refers the following TCG specification. + * - TCG PC Client Platform Firmware Profile Specification + * https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/ + * + * - TCG EFI Protocol Specification + * https://trustedcomputinggroup.org/resource/tcg-efi-protocol-specification/ + * * Copyright (c) 2020, Linaro Limited */ @@ -36,11 +43,23 @@ typedef u32 efi_tcg_event_log_bitmap; typedef u32 efi_tcg_event_log_format; typedef u32 efi_tcg_event_algorithm_bitmap; +/** + * struct tdEFI_TCG2_VERSION - structure of EFI TCG2 version + * @major: major version + * @minor: minor version + */ struct efi_tcg2_version { u8 major; u8 minor; }; +/** + * struct tdEFI_TCG2_EVENT_HEADER - structure of EFI TCG2 event header + * @header_size: size of the event header + * @header_version: header version + * @pcr_index: index of the PCR that is extended + * @event_type: type of the event that is extended + */ struct efi_tcg2_event_header { u32 header_size; u16 header_version; @@ -48,12 +67,27 @@ struct efi_tcg2_event_header { u32 event_type; } __packed; +/** + * struct tdEFI_TCG2_EVENT - structure of EFI TCG2 event + * @size: total size of the event including the size component, the header + * and the event data + * @header: event header + * @event: event to add + */ struct efi_tcg2_event { u32 size; struct efi_tcg2_event_header header; u8 event[]; } __packed; +/** + * struct tdUEFI_IMAGE_LOAD_EVENT - structure of PE/COFF image measurement + * @image_location_in_memory: image address + * @image_length_in_memory: image size + * @image_link_time_address: image link time address + * @length_of_device_path: devive path size + * @device_path: device path + */ struct uefi_image_load_event { efi_physical_addr_t image_location_in_memory; u64 image_length_in_memory; 
@@ -62,6 +96,23 @@ struct uefi_image_load_event { struct efi_device_path device_path[]; }; +/** + * struct tdEFI_TCG2_BOOT_SERVICE_CAPABILITY - protocol capability information + * @size: allocated size of the structure + * @structure_version: version of this structure + * @protocol_version: version of the EFI TCG2 protocol. + * @hash_algorithm_bitmap: supported hash algorithms + * @supported_event_logs: bitmap of supported event log formats + * @tpm_present_flag: false = TPM not present + * @max_command_size: max size (in bytes) of a command + * that can be sent to the TPM + * @max_response_size: max size (in bytes) of a response that + * can be provided by the TPM + * @manufacturer_id: 4-byte Vendor ID + * @number_of_pcr_banks: maximum number of PCR banks + * @active_pcr_banks: bitmap of currently active + * PCR banks (hashing algorithms). + */ struct efi_tcg2_boot_service_capability { u8 size; struct efi_tcg2_version structure_version; @@ -86,7 +137,7 @@ struct efi_tcg2_boot_service_capability { #define TCG_EFI_SPEC_ID_EVENT_SPEC_VERSION_ERRATA_TPM2 2 /** - * struct TCG_EfiSpecIdEventAlgorithmSize + * struct TCG_EfiSpecIdEventAlgorithmSize - hashing algorithm information * * @algorithm_id: algorithm defined in enum tpm2_algorithms * @digest_size: size of the algorithm @@ -97,7 +148,7 @@ struct tcg_efi_spec_id_event_algorithm_size { } __packed; /** - * struct TCG_EfiSpecIDEventStruct + * struct TCG_EfiSpecIDEventStruct - content of the event log header * * @signature: signature, set to Spec ID Event03 * @platform_class: class defined in TCG ACPI Specification @@ -130,7 +181,7 @@ struct tcg_efi_spec_id_event { } __packed; /** - * struct tdEFI_TCG2_FINAL_EVENTS_TABLE + * struct tdEFI_TCG2_FINAL_EVENTS_TABLE - log entries after Get Event Log * @version: version number for this structure * @number_of_events: number of events recorded after invocation of * GetEventLog()
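Review bot: in the file header comment of include/efi_tcg2.h, "This file refers the following TCG specification." is missing a preposition and lists two documents; write "This file refers to the following TCG specifications:".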
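Review bot: the kernel-doc titles added in the -36,11 hunk name the specification typedefs (`struct tdEFI_TCG2_VERSION`, `struct tdEFI_TCG2_EVENT_HEADER`) instead of the structures actually declared below them, `struct efi_tcg2_version` and `struct efi_tcg2_event_header`. Tooling that pairs a comment with its declaration by name will not match these, and a reader searching the header for the C name will not find its documentation. Use the C identifier in the title and mention the specification name in the description; the same pattern recurs in the titles added for efi_tcg2_event, uefi_image_load_event and efi_tcg2_boot_service_capability.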
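Review bot: typo in the comment added for struct uefi_image_load_event: `@length_of_device_path: devive path size` should read "device path size". Since this field is what bounds the flexible `device_path[]` member, it is also worth stating the unit (bytes) in the description.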