From patchwork Tue May 11 21:03:41 2021
X-Patchwork-Submitter: Ilias Apalodimas
X-Patchwork-Id: 434224
From: Ilias Apalodimas
To: xypron.glpk@gmx.de
Cc: Ilias Apalodimas, Alexander Graf, u-boot@lists.denx.de
Subject: [PATCH v2] efi_loader: Don't stop EFI subsystem init if installing TCG2 fails
Date: Wed, 12 May 2021 00:03:41 +0300
Message-Id: <20210511210341.305289-1-ilias.apalodimas@linaro.org>

Up to now we are stopping the EFI subsystem if a TPMv2 exists but the protocol fails to install. Now that we've switched the config to 'default y' the sandbox TPM fails, since it doesn't support all the required capabilities of the protocol.

Not installing the protocol is not catastrophic. If the protocol fails to install, the PCRs will never be extended to the expected values, so some other entity later in the boot flow will eventually figure it out and take the necessary actions.

While at it fix a corner case where the user can see an invalid error message when the protocol failed to install. We do have a tcg2_uninit() which we call when the protocol installation fails. There are cases though that this might be called before the configuration table is installed (e.g. probing the TPM for capabilities failed). In that case the user will see "Failed to delete final events config table". So stop printing it since it's not an actual failure, simply because the config table was never installed in the first place.

In order to stop printing it make efi_init_event_log() and create_final_event() clean up after themselves and only call tcg2_uninit() when the protocol installation fails.

Signed-off-by: Ilias Apalodimas --- changes since v1: - stop printing a warning when tcg2_uninit was called before installing the final events config table lib/efi_loader/efi_tcg2.c | 33 ++++++++++++++++++++++++++++----- 1 file changed, 28 insertions(+), 5 deletions(-) -- 2.31.0 diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index 8f8a26e7b7ae..31343e47678f 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -999,6 +999,11 @@ static efi_status_t create_final_event(void) event_log.final_pos = sizeof(*final_event); ret = efi_install_configuration_table(&efi_guid_final_events, final_event); + if (ret != EFI_SUCCESS) { + efi_free_pool(event_log.final_buffer); + event_log.final_buffer = NULL; + } + out: return ret; } @@ -1047,15 +1052,22 @@ static efi_status_t efi_init_event_log(void) ret = create_specid_event(dev, (void *)((uintptr_t)event_log.buffer + sizeof(*event_header)), &spec_event_size); if (ret != EFI_SUCCESS) - goto out; + goto free_pool; put_unaligned_le32(spec_event_size, &event_header->event_size); event_log.pos = spec_event_size + sizeof(*event_header); event_log.last_event_size = event_log.pos; ret = create_final_event(); + if (ret != EFI_SUCCESS) + goto free_pool; out: return ret; + +free_pool: + efi_free_pool(event_log.buffer); + event_log.buffer = NULL; + return ret; } /** 
@@ -1112,19 +1124,30 @@ efi_status_t efi_tcg2_register(void) goto fail; ret = efi_append_scrtm_version(dev); - if (ret != EFI_SUCCESS) + if (ret != EFI_SUCCESS) { + tcg2_uninit(); goto fail; + } ret = efi_add_protocol(efi_root, &efi_guid_tcg2_protocol, (void *)&efi_tcg2_protocol); if (ret != EFI_SUCCESS) { - log_err("Cannot install EFI_TCG2_PROTOCOL\n"); + tcg2_uninit(); goto fail; } out: return ret; fail: - tcg2_uninit(); - return ret; + log_err("Cannot install EFI_TCG2_PROTOCOL\n"); + /* + * Return EFI_SUCCESS and don't stop the EFI subsystem. + * That's done for 2 reasons + * - If the protocol is not installed the PCRs won't be extended. So + * someone later in the boot flow will notice that and take the + * necessary actions. + * - The TPM sandbox is limited and we won't be able to run any efi + * related tests with TCG2 enabled + */ + return EFI_SUCCESS; }
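
Review bot: in the create_final_event() hunk, the new failure branch after efi_install_configuration_table() frees event_log.final_buffer and sets it to NULL, but event_log.final_pos keeps the sizeof(*final_event) value assigned just above it. Resetting event_log.final_pos to 0 in the same branch would leave the event_log state consistent, so no later user sees a non-zero position paired with a NULL buffer.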
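
Review bot: in the efi_init_event_log() hunk, the free_pool path reached after a create_final_event() failure releases event_log.buffer but does not clear event_log.pos and event_log.last_event_size, which were set to spec_event_size + sizeof(*event_header) a few lines earlier. Zeroing both next to event_log.buffer = NULL would avoid stale offsets into a freed log. A one-line comment at free_pool noting that create_final_event() releases its own final_buffer would also explain why only event_log.buffer is freed here.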
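
Review bot: in the efi_tcg2_register() hunk, the fail: label now returns EFI_SUCCESS and drops ret without logging it, so the only trace of a measured-boot setup failure is the fixed string "Cannot install EFI_TCG2_PROTOCOL". Please include ret in the log_err() call so the cause can be recovered from the console. Moving log_err() under fail: also means that message is printed for every goto fail, including the one in the leading context and the efi_append_scrtm_version() failure, where the protocol install was never attempted; a message per call site or a more general wording would be more accurate. The new comment relies on "someone later in the boot flow" noticing that the PCRs were not extended, which only holds when something downstream checks PCR values; stating that assumption in the comment, or making the continue-on-failure behaviour selectable, would make the trade-off explicit to integrators who depend on TCG2 measurements.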