From patchwork Wed Jul 7 13:36:37 2021
X-Patchwork-Submitter: Masahisa Kojima
X-Patchwork-Id: 470806
From: Masahisa Kojima
To: Heinrich Schuchardt, Alexander Graf, Ilias Apalodimas, Simon Glass, Masahisa Kojima, Dhananjay Phadke, u-boot@lists.denx.de
Subject: [PATCH 4/5] efi_loader: add ExitBootServices() measurement
Date: Wed, 7 Jul 2021 22:36:37 +0900
Message-Id: <20210707133638.12630-5-masahisa.kojima@linaro.org>
In-Reply-To: <20210707133638.12630-1-masahisa.kojima@linaro.org>
References: <20210707133638.12630-1-masahisa.kojima@linaro.org>

TCG PC Client PFP spec requires measuring "Exit Boot Services Invocation" if ExitBootServices() is invoked. Depending upon the return code from the ExitBootServices() call, "Exit Boot Services Returned with Success" or "Exit Boot Services Returned with Failure" is also measured.

Signed-off-by: Masahisa Kojima
---
 include/efi_loader.h | 1 +
 lib/efi_loader/efi_boottime.c | 5 +++
 lib/efi_loader/efi_tcg2.c | 70 +++++++++++++++++++++++++++++++++++
 3 files changed, 76 insertions(+)
-- 2.17.1

diff --git a/include/efi_loader.h b/include/efi_loader.h index 281ffff30f..e9bd1aac08 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -407,6 +407,7 @@ efi_status_t efi_run_image(void *source_buffer, efi_uintn_t source_size); efi_status_t efi_init_variables(void); /* Notify ExitBootServices() is called */ void efi_variables_boot_exit_notify(void); +efi_status_t efi_tcg2_notify_exit_boot_services_failed(void); /* Measure efi application invocation */ efi_status_t EFIAPI efi_tcg2_measure_efi_app_invocation(void); /* Measure efi application exit */ diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/efi_boottime.c index 2914800c56..6e07ef65bc 100644 
--- a/lib/efi_loader/efi_boottime.c +++ b/lib/efi_loader/efi_boottime.c @@ -2181,6 +2181,11 @@ static efi_status_t EFIAPI efi_exit_boot_services(efi_handle_t image_handle, efi_set_watchdog(0); WATCHDOG_RESET(); out: + if (ret != EFI_SUCCESS) { + if (IS_ENABLED(CONFIG_EFI_TCG2_PROTOCOL)) + efi_tcg2_notify_exit_boot_services_failed(); + } + return EFI_EXIT(ret); } diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index 6e903e3cb3..823abd8217 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c 
@@ -1506,6 +1506,67 @@ efi_status_t EFIAPI efi_tcg2_measure_efi_app_exit(void) return ret; } +/** + * efi_tcg2_notify_exit_boot_services() - ExitBootService callback + * + * @event: callback event + * @context: callback context + */ +static void EFIAPI +efi_tcg2_notify_exit_boot_services(struct efi_event *event, void *context) +{ + efi_status_t ret; + struct udevice *dev; + + EFI_ENTRY("%p, %p", event, context); + + ret = platform_get_tpm2_device(&dev); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION, + strlen(EFI_EXIT_BOOT_SERVICES_INVOCATION), + (u8 *)EFI_EXIT_BOOT_SERVICES_INVOCATION); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION, + strlen(EFI_EXIT_BOOT_SERVICES_SUCCEEDED), + (u8 *)EFI_EXIT_BOOT_SERVICES_SUCCEEDED); + +out: + EFI_EXIT(ret); +} + +/** + * efi_tcg2_notify_exit_boot_services_failed() + * - notify ExitBootServices() is failed + * + * Return: status code + */ +efi_status_t efi_tcg2_notify_exit_boot_services_failed(void) +{ + struct udevice *dev; + efi_status_t ret; + + ret = platform_get_tpm2_device(&dev); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION, + sizeof(EFI_EXIT_BOOT_SERVICES_INVOCATION), + (u8 *)EFI_EXIT_BOOT_SERVICES_INVOCATION); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION, + sizeof(EFI_EXIT_BOOT_SERVICES_FAILED), + (u8 *)EFI_EXIT_BOOT_SERVICES_FAILED); + +out: + return ret; +} + /** * tcg2_measure_secure_boot_variable() - measure secure boot variables * @@ -1556,6 +1617,7 @@ efi_status_t efi_tcg2_register(void) { efi_status_t ret = EFI_SUCCESS; struct udevice *dev; + struct efi_event *event; ret = platform_get_tpm2_device(&dev); if (ret != EFI_SUCCESS) { 
@@ -1580,6 +1642,14 @@ efi_status_t efi_tcg2_register(void) goto fail; } + ret = efi_create_event(EVT_SIGNAL_EXIT_BOOT_SERVICES, TPL_CALLBACK, + efi_tcg2_notify_exit_boot_services, NULL, + NULL, &event); + if (ret != EFI_SUCCESS) { + tcg2_uninit(); + goto fail; + } + ret = tcg2_measure_secure_boot_variable(dev); if (ret != EFI_SUCCESS) { tcg2_uninit();
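Review bot: in the include/efi_loader.h hunk, the new prototype efi_tcg2_notify_exit_boot_services_failed() has no comment of its own and sits directly under "/* Notify ExitBootServices() is called */", which belongs to efi_variables_boot_exit_notify(). The neighbouring declarations each carry a one-line description, so add one here that says this function records the ExitBootServices() failure measurement.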
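Review bot: at the out: label in efi_exit_boot_services() (lib/efi_loader/efi_boottime.c hunk), the efi_status_t returned by efi_tcg2_notify_exit_boot_services_failed() is discarded, so if the TPM extend fails on the error path, PCR 5 lacks the failure record and nothing reports it. Overwriting ret would hide the original error from the caller, but the result should at least be logged. The two nested ifs can also be folded into one condition: if (ret != EFI_SUCCESS && IS_ENABLED(CONFIG_EFI_TCG2_PROTOCOL)).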
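Review bot: the two functions added in the lib/efi_loader/efi_tcg2.c hunk at -1506 pass different lengths for the same event string: efi_tcg2_notify_exit_boot_services() uses strlen(EFI_EXIT_BOOT_SERVICES_INVOCATION) while efi_tcg2_notify_exit_boot_services_failed() uses sizeof(EFI_EXIT_BOOT_SERVICES_INVOCATION). If the macro is a string literal, sizeof() counts the terminating NUL, so the invocation event is hashed over different bytes on the success and failure paths and the same action yields two different digests. Use one length expression in both functions (strlen(), matching the callback). Separately, the callback extends EFI_EXIT_BOOT_SERVICES_SUCCEEDED when the event is signalled rather than from the return code checked at out:, so it is worth confirming that efi_exit_boot_services() cannot fail after signalling, otherwise PCR 5 would hold both the success and the failure records. The kernel-doc summary "ExitBootService callback" is also missing the final "s".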
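Review bot: in the efi_tcg2_register() hunk at -1580, the event returned by efi_create_event() is kept only in the local variable event, so when the tcg2_measure_secure_boot_variable() call that follows fails and runs tcg2_uninit(), the visible fail path has no handle with which to close the event and efi_tcg2_notify_exit_boot_services stays registered after teardown. Keep the handle where the fail path or tcg2_uninit() can reach it, or create the event as the last step once the other measurements have succeeded.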