From patchwork Fri Aug 13 07:12:39 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Masahisa Kojima X-Patchwork-Id: 496549 Delivered-To: patch@linaro.org Received: by 2002:a02:cf8a:0:0:0:0:0 with SMTP id w10csp273623jar; Fri, 13 Aug 2021 00:12:45 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyueaOmkQKPYxulhnCKoG8qLhZF8+meDmyuEyYDEIUc92u+sV+rWYjDJYsqBtGyFSZAAbOk X-Received: by 2002:a05:6402:2067:: with SMTP id bd7mr1314971edb.176.1628838765388; Fri, 13 Aug 2021 00:12:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1628838765; cv=none; d=google.com; s=arc-20160816; b=yyBn4V7adbjnGUBBr/2sUHY4s5LhNHXRjHCZrDPkeYG9eknwxOQGPMGRI0BgC8/Wuh QdxgNfNlpqpi5cf+dr7yM/R7t3Fyca0lu6O4z3BAeE+j/U8U7yWwvcq8Q0HROosfh8Wd 4qX5ptEf2ROq8Cw23UJO5hEyy2n1n2rIgH2aUjiiYdiWj+zbRVbplp9ZNn6ya3unAoVo n2ZPIqWrkwgcEaWhZztJVYA1086O3PFr5pKE2M9hqnaYqJXXJJrmpNGpkbshvk6FVm4E miQt05V7H2sl47XVuBmocEkdzEkEuawYXX70CJwI8vrWjrkkv+w5bKXRuX21wRNxryEu A9xg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:references:in-reply-to :message-id:date:subject:to:from:dkim-signature; bh=gXe+peYSzfoBWFU9j9PJlqFzw9im1Pjh36bMCNoc8+Q=; b=sV6B3N3LolhC7v3DWBlOsLzbaeLERzW/qxSuEWtS6PAas28p/N+41XshKZH6Za0uqJ IhswHDhXyT0I87pb1RkhyWJu00zEooYyV41CottOD6oYgkpxQl8101zfQPtQG5yJckh5 18tQ+Untx5W8IWIoyNtjEQzXEbn+dM2oUP9p/lrQ9RHWbDw+vElVHtq2OhZt9n+ompMU 8Uv2UdjTclNrl182ouV6UHTbtnbFVbAGvf8rbvF/IWWmZqL/btZeOTRoyRZvSkBUeMxs 1SJKImvZBRlLJwsa3fxhH5ahy8TC/UyqRA0wkOozY2VVUT+340DriF8Y6IW7eoyIPD1p btJw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=lvgqbXxr; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [85.214.62.61]) by mx.google.com with ESMTPS id s4si794388eji.269.2021.08.13.00.12.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 13 Aug 2021 00:12:45 -0700 (PDT) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) client-ip=85.214.62.61; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=lvgqbXxr; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 2F22682D95; Fri, 13 Aug 2021 09:12:36 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="lvgqbXxr"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 6177782D5B; Fri, 13 Aug 2021 09:12:28 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pj1-x1029.google.com (mail-pj1-x1029.google.com [IPv6:2607:f8b0:4864:20::1029]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 33A3882D5B for ; Fri, 13 Aug 2021 09:12:23 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=masahisa.kojima@linaro.org Received: by mail-pj1-x1029.google.com with SMTP id u13-20020a17090abb0db0290177e1d9b3f7so19422451pjr.1 for ; Fri, 13 Aug 2021 00:12:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:subject:date:message-id:in-reply-to:references; bh=gXe+peYSzfoBWFU9j9PJlqFzw9im1Pjh36bMCNoc8+Q=; b=lvgqbXxreDZmh178Yat2rFP4ypqR3WEDWU1IGlsvjRQ8evvcJcmh+c3tISpczNIQsl WIdrTuYTCGszRkJeFfqxy5Wa4ySxlfJeOAHRdEdpPL2z1XpBnovQUKuqyhXIcnB1uGER LpI+Rb07fQJZHgTz++fblKWlmcXKpTCKab7TseFkjFO7zG7sF2w3m1s6u1cPhXMel1RH thoJDzTq7r66VBjYu05t7zNHJOBmofl3xEuoTK7td0boCX7J/e2ffST3Q5iQrl/BshwD qlVvTCS3GQwj0cETTiAShh3H60ytG8FXurjk+TSfS52H2boDO5eq6WBazySx2XVD8IwX iIGw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=gXe+peYSzfoBWFU9j9PJlqFzw9im1Pjh36bMCNoc8+Q=; b=UIdeJypEZOZ2HfFQDGxd1YiIofBjlyB3NpPMi4Q3xnml68oiTS67fpij48iXeOt7h/ 8blv3z7OQhmQwmlX98Zmt5Zu7udkoVg38lWg1WAw3OS9SorCGkufel96ArtN5iVrhb80 bftsOClEmjgYBuN6bv81cQRtLBJPl4owc23zVENcfzSG6CwwbESkuE1TtQK8zZPvszKC o/1z8mu4NGs/PSaMJbLpXZGAowu7mosOZiqGYaSpkYgIvBXLG9VIBvs57OrS/R0UESdA V/ZCIeG5HT8HWxiIWaUj/DzeysU+qInSEPXtQ+8ASr+UcABaiddSIDJaEF/pAFBtxnSI YF1w== X-Gm-Message-State: AOAM532sjZexUrJVJbPi9rQsCLisF8vq4dV9MbWB+b1yr5FHFXXqJcGs oWRsSl89lWECOAE3kBfm+i3C0g== X-Received: by 2002:a05:6a00:1589:b029:3cd:c3bf:78f1 with SMTP id u9-20020a056a001589b02903cdc3bf78f1mr1113634pfk.22.1628838741535; Fri, 13 Aug 2021 00:12:21 -0700 (PDT) Received: from localhost.localdomain ([2400:2411:502:a100:82fa:5bff:fe4b:26b1]) by smtp.gmail.com with ESMTPSA id u21sm987078pfh.163.2021.08.13.00.12.19 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 13 Aug 2021 00:12:21 -0700 (PDT) From: Masahisa Kojima To: Heinrich Schuchardt , Alexander Graf , Ilias Apalodimas , Simon Glass , Masahisa Kojima , Dhananjay Phadke , AKASHI Takahiro , u-boot@lists.denx.de Subject: [PATCH v4 1/5] efi_loader: add secure boot variable measurement Date: Fri, 13 Aug 2021 16:12:39 +0900 Message-Id: <20210813071243.18885-2-masahisa.kojima@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210813071243.18885-1-masahisa.kojima@linaro.org> References: <20210813071243.18885-1-masahisa.kojima@linaro.org> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean TCG PC Client PFP spec requires to measure the secure boot policy before validating the UEFI image. This commit adds the secure boot variable measurement of "SecureBoot", "PK", "KEK", "db", "dbx", "dbt", and "dbr". Note that this implementation assumes that secure boot variables are pre-configured and not be set/updated in runtime. Signed-off-by: Masahisa Kojima --- Changes in v4: - remove unnecessary EFIAPI specifier - modify wrong guid for dbt and dbr Changes in v3: - add "dbt" and "dbr" measurement - accept empty variable measurement for "SecureBoot", "PK", "KEK", "db" and "dbx" as TCG2 spec requires - fix comment format Changes in v2: - missing null check for getting variable data - some minor fix for readability include/efi_tcg2.h | 20 +++++ lib/efi_loader/efi_tcg2.c | 165 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 185 insertions(+) -- 2.17.1 diff --git a/include/efi_tcg2.h b/include/efi_tcg2.h index bcfb98168a..497ba3ce94 100644 --- a/include/efi_tcg2.h +++ b/include/efi_tcg2.h @@ -142,6 +142,26 @@ struct efi_tcg2_final_events_table { struct tcg_pcr_event2 event[]; }; +/** + * struct tdUEFI_VARIABLE_DATA - event log structure of UEFI variable + * @variable_name: The vendorGUID parameter in the + * GetVariable() API. + * @unicode_name_length: The length in CHAR16 of the Unicode name of + * the variable. + * @variable_data_length: The size of the variable data. + * @unicode_name: The CHAR16 unicode name of the variable + * without NULL-terminator. + * @variable_data: The data parameter of the efi variable + * in the GetVariable() API. + */ +struct efi_tcg2_uefi_variable_data { + efi_guid_t variable_name; + u64 unicode_name_length; + u64 variable_data_length; + u16 unicode_name[1]; + u8 variable_data[1]; +}; + struct efi_tcg2_protocol { efi_status_t (EFIAPI * get_capability)(struct efi_tcg2_protocol *this, struct efi_tcg2_boot_service_capability *capability); diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index 1319a8b378..db3d6d7586 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -78,6 +78,19 @@ static const struct digest_info hash_algo_list[] = { }, }; +struct variable_info { + u16 *name; + const efi_guid_t *guid; +}; + +static struct variable_info secure_variables[] = { + {L"SecureBoot", &efi_global_variable_guid}, + {L"PK", &efi_global_variable_guid}, + {L"KEK", &efi_global_variable_guid}, + {L"db", &efi_guid_image_security_database}, + {L"dbx", &efi_guid_image_security_database}, +}; + #define MAX_HASH_COUNT ARRAY_SIZE(hash_algo_list) /** @@ -1264,6 +1277,39 @@ free_pool: return ret; } +/** + * tcg2_measure_event() - common function to add event log and extend PCR + * + * @dev: TPM device + * @pcr_index: PCR index + * @event_type: type of event added + * @size: event size + * @event: event data + * + * Return: status code + */ +static efi_status_t +tcg2_measure_event(struct udevice *dev, u32 pcr_index, u32 event_type, + u32 size, u8 event[]) +{ + struct tpml_digest_values digest_list; + efi_status_t ret; + + ret = tcg2_create_digest(event, size, &digest_list); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_pcr_extend(dev, pcr_index, &digest_list); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_agile_log_append(pcr_index, event_type, &digest_list, + size, event); + +out: + return ret; +} + /** * efi_append_scrtm_version - Append an S-CRTM EV_S_CRTM_VERSION event on the * eventlog and extend the PCRs @@ -1294,6 +1340,118 @@ out: return ret; } +/** + * tcg2_measure_variable() - add variable event log and extend PCR + * + * @dev: TPM device + * @pcr_index: PCR index + * @event_type: type of event added + * @var_name: variable name + * @guid: guid + * @data_size: variable data size + * @data: variable data + * + * Return: status code + */ +static efi_status_t tcg2_measure_variable(struct udevice *dev, u32 pcr_index, + u32 event_type, u16 *var_name, + const efi_guid_t *guid, + efi_uintn_t data_size, u8 *data) +{ + u32 event_size; + efi_status_t ret; + struct efi_tcg2_uefi_variable_data *event; + + event_size = sizeof(event->variable_name) + + sizeof(event->unicode_name_length) + + sizeof(event->variable_data_length) + + (u16_strlen(var_name) * sizeof(u16)) + data_size; + event = malloc(event_size); + if (!event) + return EFI_OUT_OF_RESOURCES; + + guidcpy(&event->variable_name, guid); + event->unicode_name_length = u16_strlen(var_name); + event->variable_data_length = data_size; + memcpy(event->unicode_name, var_name, + (event->unicode_name_length * sizeof(u16))); + if (data) { + memcpy((u16 *)event->unicode_name + event->unicode_name_length, + data, data_size); + } + ret = tcg2_measure_event(dev, pcr_index, event_type, event_size, + (u8 *)event); + free(event); + return ret; +} + +/** + * tcg2_measure_secure_boot_variable() - measure secure boot variables + * + * @dev: TPM device + * + * Return: status code + */ +static efi_status_t tcg2_measure_secure_boot_variable(struct udevice *dev) +{ + u8 *data; + efi_uintn_t data_size; + u32 count, i; + efi_status_t ret; + + count = ARRAY_SIZE(secure_variables); + for (i = 0; i < count; i++) { + /* + * According to the TCG2 PC Client PFP spec, "SecureBoot", + * "PK", "KEK", "db" and "dbx" variables must be measured + * even if they are empty. + */ + data = efi_get_var(secure_variables[i].name, + secure_variables[i].guid, + &data_size); + + ret = tcg2_measure_variable(dev, 7, + EV_EFI_VARIABLE_DRIVER_CONFIG, + secure_variables[i].name, + secure_variables[i].guid, + data_size, data); + free(data); + if (ret != EFI_SUCCESS) + goto error; + } + + /* + * TCG2 PC Client PFP spec says "dbt" and "dbr" are + * measured if present and not empty. + */ + data = efi_get_var(L"dbt", + &efi_guid_image_security_database, + &data_size); + if (data) { + ret = tcg2_measure_variable(dev, 7, + EV_EFI_VARIABLE_DRIVER_CONFIG, + L"dbt", + &efi_guid_image_security_database, + data_size, data); + free(data); + } + + data = efi_get_var(L"dbr", + &efi_guid_image_security_database, + &data_size); + if (data) { + ret = tcg2_measure_variable(dev, 7, + EV_EFI_VARIABLE_DRIVER_CONFIG, + L"dbr", + &efi_guid_image_security_database, + data_size, data); + free(data); + } + +error: + return ret; +} + /** * efi_tcg2_register() - register EFI_TCG2_PROTOCOL * @@ -1328,6 +1486,13 @@ efi_status_t efi_tcg2_register(void) tcg2_uninit(); goto fail; } + + ret = tcg2_measure_secure_boot_variable(dev); + if (ret != EFI_SUCCESS) { + tcg2_uninit(); + goto fail; + } + return ret; fail: