From patchwork Fri Aug 6 07:02:13 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Masahisa Kojima X-Patchwork-Id: 492807 Delivered-To: patch@linaro.org Received: by 2002:a05:6638:396:0:0:0:0 with SMTP id y22csp45262jap; Fri, 6 Aug 2021 00:03:26 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyDrJEw2agEve8dgaT61GHYL/qOWCh/eE+Yc/PfC2TQaD7QvHzgmn1HFdalBqRnML/0MWmH X-Received: by 2002:a17:906:c342:: with SMTP id ci2mr8623159ejb.122.1628233406557; Fri, 06 Aug 2021 00:03:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1628233406; cv=none; d=google.com; s=arc-20160816; b=VCLRHu9tGxnAJJ8Ip9puzTnM35QeDbCMXwNKLmheduSrw0jLi5hGypSya6U81C+ur+ bwOMSOdgNLkmoM4pzZt0fgCtVoRpOdux3PFr7DqrbnsSVhuwGmhAeXrZ0tUqNz1lI5Ao DpGeiLeHyqtP9bpdJfzj5EyehKRaDqthrulGyYVDxcFNOqrV/ZD+lymHx7oMxXqcZJMC uXCfzF8Iulyh5SnGca2V/MYa4GoX8lYrjeBz4ihIJhSemOTnuxkH2LYfm7511PcCrZ44 zJuHBxeyOfuDvUwqBi4F88eyJiowQCaldNmzw1o/WDGcRg9zLuYiVEa5QQE+bgwsqDwJ nz1A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:references:in-reply-to :message-id:date:subject:to:from:dkim-signature; bh=W0csjySmNxtMU8s3mJeZpAnnM6e5u7V1pA8Spz7gF30=; b=qd+3r7+H52GCG5Sue/qNv+UWcA7KdJyI+qc03LmM52TNksvR4Sogzp3vqWOAirMWQB YBYCf8QhYgbuelO2XgT+3Y7ES0GzdLcu0Os3F2uQXB3+cLwDhfgurBbK0iWwhQdUNacM TR1HZSXSjVNxkKtcUuqYTagxzsCtUqr+D7Zv/JnZZ9YB2XIS+JaQE0Gy9RWglAPciJN2 c7khqJNxvwmT2RKBTinTrxQUO1JmgASEUnpHIx2PC+OEIxgMXZX4sm636akd63MdwHTu dF3o9Uzt9PtYC98ujF1WxhFitx0GOXFUb8/5qFCDUV5gckz5JE5ygfdW1op2uqaOm4Oq orJw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=oc2xka6T; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [2a01:238:438b:c500:173d:9f52:ddab:ee01]) by mx.google.com with ESMTPS id bd27si7801625edb.219.2021.08.06.00.03.26 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 06 Aug 2021 00:03:26 -0700 (PDT) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=oc2xka6T; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 4445082EA8; Fri, 6 Aug 2021 09:03:13 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="oc2xka6T"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id A23AF82EA5; Fri, 6 Aug 2021 09:03:09 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pj1-x1034.google.com (mail-pj1-x1034.google.com [IPv6:2607:f8b0:4864:20::1034]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id C37F582E7A for ; Fri, 6 Aug 2021 09:03:01 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=masahisa.kojima@linaro.org Received: by mail-pj1-x1034.google.com with SMTP id nh14so15001162pjb.2 for ; Fri, 06 Aug 2021 00:03:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:subject:date:message-id:in-reply-to:references; bh=W0csjySmNxtMU8s3mJeZpAnnM6e5u7V1pA8Spz7gF30=; b=oc2xka6TrPXaQEAPDmhhQPQKFlLEOIIMc0XWw3DLLAMIr7FqnGEFaassHr2qTmYDW/ 4byNIXg9Wmv5ef/E4XaAVNCZaOVwZCFInhgH52ek5JjOLXkb5rzWkkR+Eq0d8Pqurdt2 ezc0KoguZjUF7i7kcM3vFgCJ+j7jw3rtm36PURc48NsGoPA8trh46yuDkTK3lQJvA8k4 CjlFHs4svAg9dUI9s7DrAm74KBCFmQtbLtrCq9vUjYHZ0iA6rhXDP33Oe1qv0lP3O8zr Como1YXnDUgzq2/SQfPYxP/cySzaLEAZ1LofiuA0Aizzz+nPeRvGrnT7vRZB/p2K+t+c z41g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=W0csjySmNxtMU8s3mJeZpAnnM6e5u7V1pA8Spz7gF30=; b=Vd4tGtCc1lW504lf8ZrcWoQZfZ+krU38BTr2JwvvIfE2UcmFZ+mmI/sKWTxKTkWj9R a5iwQWu1DTywb+9/Y6mk+4k98slk3YeTLcr18suyIXKjvwmY6tPKmN/pFiirNJJNDpw4 F9o+z8KSYqk2igxBBtYJupmmDb4XviyBn4TzDOhtCfMubsnHnC2Fa3HRLTIDmFPxiSYM efBoAU/V9vy400KhC5Bh0Ru9SQxEGWWJ+eJG4fMHpx+D/yq6QlWDTNDuZAKMyQdUD15V n4fCZZkfkKcthZBp1Y8CVgGuHvffHPo8OEd/AWnmbEVplozQb90KSHgw/oSMy0GASevw BbUA== X-Gm-Message-State: AOAM530zau7mDVwPyzNXRbCab29hRfhhXcGzGFAv3lB/sEGAk6x/j+q8 XoCQVbkTC51aXacqGWv97Bu2TQ== X-Received: by 2002:a65:62cb:: with SMTP id m11mr70018pgv.425.1628233380200; Fri, 06 Aug 2021 00:03:00 -0700 (PDT) Received: from localhost.localdomain ([2400:2411:502:a100:82fa:5bff:fe4b:26b1]) by smtp.gmail.com with ESMTPSA id u24sm5145304pfm.27.2021.08.06.00.02.57 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 06 Aug 2021 00:02:59 -0700 (PDT) From: Masahisa Kojima To: Heinrich Schuchardt , Alexander Graf , Ilias Apalodimas , Simon Glass , Masahisa Kojima , Dhananjay Phadke , u-boot@lists.denx.de Subject: [PATCH v3 3/5] efi_loader: add ExitBootServices() measurement Date: Fri, 6 Aug 2021 16:02:13 +0900 Message-Id: <20210806070215.19887-4-masahisa.kojima@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210806070215.19887-1-masahisa.kojima@linaro.org> References: <20210806070215.19887-1-masahisa.kojima@linaro.org> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean TCG PC Client PFP spec requires to measure "Exit Boot Services Invocation" if ExitBootServices() is invoked. Depending upon the return code from the ExitBootServices() call, "Exit Boot Services Returned with Success" or "Exit Boot Services Returned with Failure" is also measured. Signed-off-by: Masahisa Kojima --- (no changes since v2) Changes in v2: - use strlen instead of sizeof, event log for EV_EFI_ACTION string shall not include NUL terminator include/efi_loader.h | 1 + lib/efi_loader/efi_boottime.c | 5 +++ lib/efi_loader/efi_tcg2.c | 70 +++++++++++++++++++++++++++++++++++ 3 files changed, 76 insertions(+) -- 2.17.1 diff --git a/include/efi_loader.h b/include/efi_loader.h index 345cbb72c4..d2b6768899 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -499,6 +499,7 @@ efi_status_t efi_run_image(void *source_buffer, efi_uintn_t source_size); efi_status_t efi_init_variables(void); /* Notify ExitBootServices() is called */ void efi_variables_boot_exit_notify(void); +efi_status_t efi_tcg2_notify_exit_boot_services_failed(void); /* Measure efi application invocation */ efi_status_t EFIAPI efi_tcg2_measure_efi_app_invocation(void); /* Measure efi application exit */ diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/efi_boottime.c index 13ab139222..b818cbb540 100644 --- a/lib/efi_loader/efi_boottime.c +++ b/lib/efi_loader/efi_boottime.c @@ -2182,6 +2182,11 @@ static efi_status_t EFIAPI efi_exit_boot_services(efi_handle_t image_handle, efi_set_watchdog(0); WATCHDOG_RESET(); out: + if (ret != EFI_SUCCESS) { + if (IS_ENABLED(CONFIG_EFI_TCG2_PROTOCOL)) + efi_tcg2_notify_exit_boot_services_failed(); + } + return EFI_EXIT(ret); } diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index 7dd30c2bc9..bcd8626ff7 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -1506,6 +1506,67 @@ efi_status_t EFIAPI efi_tcg2_measure_efi_app_exit(void) return ret; } +/** + * efi_tcg2_notify_exit_boot_services() - ExitBootService callback + * + * @event: callback event + * @context: callback context + */ +static void EFIAPI +efi_tcg2_notify_exit_boot_services(struct efi_event *event, void *context) +{ + efi_status_t ret; + struct udevice *dev; + + EFI_ENTRY("%p, %p", event, context); + + ret = platform_get_tpm2_device(&dev); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION, + strlen(EFI_EXIT_BOOT_SERVICES_INVOCATION), + (u8 *)EFI_EXIT_BOOT_SERVICES_INVOCATION); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION, + strlen(EFI_EXIT_BOOT_SERVICES_SUCCEEDED), + (u8 *)EFI_EXIT_BOOT_SERVICES_SUCCEEDED); + +out: + EFI_EXIT(ret); +} + +/** + * efi_tcg2_notify_exit_boot_services_failed() + * - notify ExitBootServices() is failed + * + * Return: status code + */ +efi_status_t efi_tcg2_notify_exit_boot_services_failed(void) +{ + struct udevice *dev; + efi_status_t ret; + + ret = platform_get_tpm2_device(&dev); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION, + strlen(EFI_EXIT_BOOT_SERVICES_INVOCATION), + (u8 *)EFI_EXIT_BOOT_SERVICES_INVOCATION); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION, + strlen(EFI_EXIT_BOOT_SERVICES_FAILED), + (u8 *)EFI_EXIT_BOOT_SERVICES_FAILED); + +out: + return ret; +} + /** * tcg2_measure_secure_boot_variable() - measure secure boot variables * @@ -1584,6 +1645,7 @@ efi_status_t efi_tcg2_register(void) { efi_status_t ret = EFI_SUCCESS; struct udevice *dev; + struct efi_event *event; ret = platform_get_tpm2_device(&dev); if (ret != EFI_SUCCESS) { @@ -1608,6 +1670,14 @@ efi_status_t efi_tcg2_register(void) goto fail; } + ret = efi_create_event(EVT_SIGNAL_EXIT_BOOT_SERVICES, TPL_CALLBACK, + efi_tcg2_notify_exit_boot_services, NULL, + NULL, &event); + if (ret != EFI_SUCCESS) { + tcg2_uninit(); + goto fail; + } + ret = tcg2_measure_secure_boot_variable(dev); if (ret != EFI_SUCCESS) { tcg2_uninit();