From patchwork Wed Jul 14 13:00:04 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Masahisa Kojima X-Patchwork-Id: 476743 Delivered-To: patch@linaro.org Received: by 2002:a02:c94a:0:0:0:0:0 with SMTP id u10csp545442jao; Wed, 14 Jul 2021 06:00:15 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyNbdk8Eu9Y9xlZtR7Xjmh6eFD/uFU1aEKkITJ5d0e5CxQWC/dUiZTvIancYc59uPAJL0aK X-Received: by 2002:aa7:d991:: with SMTP id u17mr13429899eds.240.1626267614604; Wed, 14 Jul 2021 06:00:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1626267614; cv=none; d=google.com; s=arc-20160816; b=baUIdczcB3F0CCajaZVbPJLzxRIZSpVy3ChL5CbNNNSuDfQC+3AEI1jAkjMGNP1BJ2 fGbgEZ6Q+MfsIRZkkDielgMo1sVh+vV9Ski411Aey6uZWz0IWwBi5ahw0qyloIOExlOD lW+RibJ7DWTfVbXrbMnGLhusCB3yHidt11FaeAIG6d8KBW+US27ElJtPrNzZv7g6Lrqo mD9GUIQcoPwNDRdk7xwWiiJ3nEdzJgf9c5aZNV7Porp3GB7/Ahw7SzMExEA1SnqmfutP vaMm3NL99QKhHpGbzl4n4rNwo+GWjOyhDhcSYyr9VZmF+pKyd3GXDxAQDz7/OZ9afnkX nKwg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:references:in-reply-to :message-id:date:subject:to:from:dkim-signature; bh=Bq13+REwRJPvq9bG1YxzJCs9okChwjBuVheJNBhtLzo=; b=ZXzBdAYmzG94wU5Vc4iBzvW9fdWzHdhdirQT/OPSlAYONXqL1J0PgOOwwc/nMqoBJi hoa+nmRXGsLuxUSXMlDAsaAIccbQdGg5ZQhAIirf7HH/IxnK7we7n3aHavj+ulxqsuTx 55Bgd2IPzBEyGKC2AKUNfpZP0uT2xKF39oq1n8KEBRTC/q7OrEaU1Pbzb+aULPJy/tC1 7bcwnVexSC601uqWJj3Z24EDGQAnjRuHlnK72I86GytNPqmSY3vJOc0m7kBSbyxLlNCG bRaIz+0ZO53uTOnxZE/woiG50b/ccyXpZ894YcZ25rp4LBaLOr9sMCTQdTfisDDkOfpT 4Stg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=RFbYNSF1; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [85.214.62.61]) by mx.google.com with ESMTPS id bd4si2457267edb.531.2021.07.14.06.00.14 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 14 Jul 2021 06:00:14 -0700 (PDT) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) client-ip=85.214.62.61; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=RFbYNSF1; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 8E05C82859; Wed, 14 Jul 2021 14:59:45 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="RFbYNSF1"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 2F03E8203B; Wed, 14 Jul 2021 14:59:37 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pj1-x1032.google.com (mail-pj1-x1032.google.com [IPv6:2607:f8b0:4864:20::1032]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id C9CBB81E53 for ; Wed, 14 Jul 2021 14:59:32 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=masahisa.kojima@linaro.org Received: by mail-pj1-x1032.google.com with SMTP id h1-20020a17090a3d01b0290172d33bb8bcso3796340pjc.0 for ; Wed, 14 Jul 2021 05:59:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:subject:date:message-id:in-reply-to:references; bh=Bq13+REwRJPvq9bG1YxzJCs9okChwjBuVheJNBhtLzo=; b=RFbYNSF1Wye8M/ee7WeRJG86Ss6w37Xb97I/MOqZvtd5f+pHCu9fWYGXjGD+NGQqbF fGYpnz9VR7hTYQeC8Ji5A3nQWT6Tlyk6J5HTtWB+vkwgM7mI3enCaHgFX+cgZl15gRY6 LqDR7rwgVZZqXN98dWJ2tfp9jFW0f9GGr/qZTMdBj+5/298I6t2B4a6Zx3uNC/Mh4zkw 5b4/WiS/uMbN5wVk7cfDYgLATutfxy6Khwgrj2epIaj2MCH8M+7iPPqYl9Cr0C+8Afiz PTfZpcRIvpdIL6XxmDeSWnYKi/rEOPk03ZJw3dEy6mEsOQ8floZ2ZpD96slSEwq9nwjE pvAg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=Bq13+REwRJPvq9bG1YxzJCs9okChwjBuVheJNBhtLzo=; b=scsUBcSrCJSuZXgC0Jyfdh6OUT5ki4rEZy8K82K6/OHMA1OcQZMljSC2SWl4sucgIA rQzZJ+ob8A8aT4iVX/QbWzXd/dGS3M54WHYi7ij9B+4Qt7Qrhw76lR+USoYgMuiB+5ez ZvEg6aWJSb1qRHhrOi4kbTueJr067zfkRN5ERs/ZG4nh1OI4HcT/pIN08+LD6+t+U0lO Zn+jK3pADdz17co7iz9QXB+m+BHtMNh0fHpMhbyxfd8cGBEGEyPX5eMwnyRvVaWY7Yok HASph7IxPYfzUIpU1q++tyyW64vIb7vOm5N66PN5g3LnTMsJsRL3+T1/2Rvio/wkObU/ 4MLw== X-Gm-Message-State: AOAM531yuHxU0qh4wm3hYeklid8r37Fc5yXZ3EqAzLjHaNGKltBEdAk3 VMJacAW4ipNRVyJ1yiu0Vp+DXQ== X-Received: by 2002:a17:90b:ed4:: with SMTP id gz20mr9598176pjb.209.1626267571197; Wed, 14 Jul 2021 05:59:31 -0700 (PDT) Received: from localhost.localdomain ([2400:2411:502:a100:82fa:5bff:fe4b:26b1]) by smtp.gmail.com with ESMTPSA id m21sm2787509pfo.159.2021.07.14.05.59.28 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 14 Jul 2021 05:59:30 -0700 (PDT) From: Masahisa Kojima To: Heinrich Schuchardt , Alexander Graf , Ilias Apalodimas , Simon Glass , Masahisa Kojima , Dhananjay Phadke , u-boot@lists.denx.de Subject: [PATCH v2 4/6] efi_loader: add ExitBootServices() measurement Date: Wed, 14 Jul 2021 22:00:04 +0900 Message-Id: <20210714130006.17837-5-masahisa.kojima@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210714130006.17837-1-masahisa.kojima@linaro.org> References: <20210714130006.17837-1-masahisa.kojima@linaro.org> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean TCG PC Client PFP spec requires to measure "Exit Boot Services Invocation" if ExitBootServices() is invoked. Depending upon the return code from the ExitBootServices() call, "Exit Boot Services Returned with Success" or "Exit Boot Services Returned with Failure" is also measured. Signed-off-by: Masahisa Kojima --- Changes in v2: - use strlen instead of sizeof, event log for EV_EFI_ACTION string shall not include NUL terminator include/efi_loader.h | 1 + lib/efi_loader/efi_boottime.c | 5 +++ lib/efi_loader/efi_tcg2.c | 70 +++++++++++++++++++++++++++++++++++ 3 files changed, 76 insertions(+) -- 2.17.1 diff --git a/include/efi_loader.h b/include/efi_loader.h index 703b675950..355fd184bc 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -407,6 +407,7 @@ efi_status_t efi_run_image(void *source_buffer, efi_uintn_t source_size); efi_status_t efi_init_variables(void); /* Notify ExitBootServices() is called */ void efi_variables_boot_exit_notify(void); +efi_status_t efi_tcg2_notify_exit_boot_services_failed(void); /* Measure efi application invocation */ efi_status_t EFIAPI efi_tcg2_measure_efi_app_invocation(void); /* Measure efi application exit */ diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/efi_boottime.c index 2914800c56..6e07ef65bc 100644 --- a/lib/efi_loader/efi_boottime.c +++ b/lib/efi_loader/efi_boottime.c @@ -2181,6 +2181,11 @@ static efi_status_t EFIAPI efi_exit_boot_services(efi_handle_t image_handle, efi_set_watchdog(0); WATCHDOG_RESET(); out: + if (ret != EFI_SUCCESS) { + if (IS_ENABLED(CONFIG_EFI_TCG2_PROTOCOL)) + efi_tcg2_notify_exit_boot_services_failed(); + } + return EFI_EXIT(ret); } diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index d59fc5a890..32e3818af4 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -1504,6 +1504,67 @@ efi_status_t EFIAPI efi_tcg2_measure_efi_app_exit(void) return ret; } +/** + * efi_tcg2_notify_exit_boot_services() - ExitBootService callback + * + * @event: callback event + * @context: callback context + */ +static void EFIAPI +efi_tcg2_notify_exit_boot_services(struct efi_event *event, void *context) +{ + efi_status_t ret; + struct udevice *dev; + + EFI_ENTRY("%p, %p", event, context); + + ret = platform_get_tpm2_device(&dev); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION, + strlen(EFI_EXIT_BOOT_SERVICES_INVOCATION), + (u8 *)EFI_EXIT_BOOT_SERVICES_INVOCATION); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION, + strlen(EFI_EXIT_BOOT_SERVICES_SUCCEEDED), + (u8 *)EFI_EXIT_BOOT_SERVICES_SUCCEEDED); + +out: + EFI_EXIT(ret); +} + +/** + * efi_tcg2_notify_exit_boot_services_failed() + * - notify ExitBootServices() is failed + * + * Return: status code + */ +efi_status_t efi_tcg2_notify_exit_boot_services_failed(void) +{ + struct udevice *dev; + efi_status_t ret; + + ret = platform_get_tpm2_device(&dev); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION, + strlen(EFI_EXIT_BOOT_SERVICES_INVOCATION), + (u8 *)EFI_EXIT_BOOT_SERVICES_INVOCATION); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION, + strlen(EFI_EXIT_BOOT_SERVICES_FAILED), + (u8 *)EFI_EXIT_BOOT_SERVICES_FAILED); + +out: + return ret; +} + /** * tcg2_measure_secure_boot_variable() - measure secure boot variables * @@ -1558,6 +1619,7 @@ efi_status_t efi_tcg2_register(void) { efi_status_t ret = EFI_SUCCESS; struct udevice *dev; + struct efi_event *event; ret = platform_get_tpm2_device(&dev); if (ret != EFI_SUCCESS) { @@ -1582,6 +1644,14 @@ efi_status_t efi_tcg2_register(void) goto fail; } + ret = efi_create_event(EVT_SIGNAL_EXIT_BOOT_SERVICES, TPL_CALLBACK, + efi_tcg2_notify_exit_boot_services, NULL, + NULL, &event); + if (ret != EFI_SUCCESS) { + tcg2_uninit(); + goto fail; + } + ret = tcg2_measure_secure_boot_variable(dev); if (ret != EFI_SUCCESS) { tcg2_uninit();