| Message ID | 20210915051546.500-4-masahisa.kojima@linaro.org |
|---|---|
| State | Superseded |
| Headers | show |
| Series | Enhance Measured Boot | expand |
On 9/15/21 7:15 AM, Masahisa Kojima wrote: > This commit adds the DeployedMode and AuditMode variable > measurement required in TCG PC Client PFP Spec. > > Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org> > --- > lib/efi_loader/efi_tcg2.c | 47 +++++++++++++++++++++++++++++++++++++++ > 1 file changed, 47 insertions(+) > > diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c > index 35810615ed..427d6e22b1 100644 > --- a/lib/efi_loader/efi_tcg2.c > +++ b/lib/efi_loader/efi_tcg2.c > @@ -12,6 +12,7 @@ > #include <dm.h> > #include <efi_loader.h> > #include <efi_tcg2.h> > +#include <efi_variable.h> > #include <log.h> > #include <malloc.h> > #include <smbios.h> > @@ -1828,6 +1829,50 @@ out: > return ret; > } > > +/** > + * tcg2_measure_deployed_audit_mode() - measure deployedmode and auditmode > + * > + * @dev: TPM device > + * > + * Return: status code > + */ > +static efi_status_t tcg2_measure_deployed_audit_mode(struct udevice *dev) > +{ > + u8 deployed_mode; > + u8 audit_mode; > + efi_uintn_t size; > + efi_status_t ret; > + u32 pcr_index; > + > + size = sizeof(deployed_mode); > + ret = efi_get_variable_int(L"DeployedMode", &efi_global_variable_guid, > + NULL, &size, &deployed_mode, NULL); > + if (ret != EFI_SUCCESS) > + return ret; Why should AuditMode not be measured if DeployedMode does not exist? Could we handle these variables in a loop over an array containing dbt and dbr reduce code duplication? Best regards Heinrich > + > + pcr_index = (deployed_mode ? 1 : 7); > + > + ret = tcg2_measure_variable(dev, pcr_index, > + EV_EFI_VARIABLE_DRIVER_CONFIG, > + L"DeployedMode", > + &efi_global_variable_guid, > + size, &deployed_mode); > + > + size = sizeof(audit_mode); > + ret = efi_get_variable_int(L"AuditMode", &efi_global_variable_guid, > + NULL, &size, &audit_mode, NULL); > + if (ret != EFI_SUCCESS) > + return ret; > + > + ret = tcg2_measure_variable(dev, pcr_index, > + EV_EFI_VARIABLE_DRIVER_CONFIG, > + L"AuditMode", > + &efi_global_variable_guid, > + size, &audit_mode); > + > + return ret; > +} > + > /** > * tcg2_measure_secure_boot_variable() - measure secure boot variables > * > @@ -1891,6 +1936,8 @@ static efi_status_t tcg2_measure_secure_boot_variable(struct udevice *dev) > free(data); > } > > + ret = tcg2_measure_deployed_audit_mode(dev); > + > error: > return ret; > } >
Hi Heinrich, On Thu, 16 Sept 2021 at 16:02, Heinrich Schuchardt <xypron.glpk@gmx.de> wrote: > > > > On 9/15/21 7:15 AM, Masahisa Kojima wrote: > > This commit adds the DeployedMode and AuditMode variable > > measurement required in TCG PC Client PFP Spec. > > > > Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org> > > --- > > lib/efi_loader/efi_tcg2.c | 47 +++++++++++++++++++++++++++++++++++++++ > > 1 file changed, 47 insertions(+) > > > > diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c > > index 35810615ed..427d6e22b1 100644 > > --- a/lib/efi_loader/efi_tcg2.c > > +++ b/lib/efi_loader/efi_tcg2.c > > @@ -12,6 +12,7 @@ > > #include <dm.h> > > #include <efi_loader.h> > > #include <efi_tcg2.h> > > +#include <efi_variable.h> > > #include <log.h> > > #include <malloc.h> > > #include <smbios.h> > > @@ -1828,6 +1829,50 @@ out: > > return ret; > > } > > > > +/** > > + * tcg2_measure_deployed_audit_mode() - measure deployedmode and auditmode > > + * > > + * @dev: TPM device > > + * > > + * Return: status code > > + */ > > +static efi_status_t tcg2_measure_deployed_audit_mode(struct udevice *dev) > > +{ > > + u8 deployed_mode; > > + u8 audit_mode; > > + efi_uintn_t size; > > + efi_status_t ret; > > + u32 pcr_index; > > + > > + size = sizeof(deployed_mode); > > + ret = efi_get_variable_int(L"DeployedMode", &efi_global_variable_guid, > > + NULL, &size, &deployed_mode, NULL); > > + if (ret != EFI_SUCCESS) > > + return ret; > > Why should AuditMode not be measured if DeployedMode does not exist? TCG spec says that PCR index is different depending on the DeployedMode value. --- PCR[1] If the system supports UEFI 2.5 or later and DeployedMode is enabled, the following additional variables MUST be measured into PCR[1]: a. The DeployedMode variable value. The Event Type SHALL be EV_EFI_VARIABLE_DRIVER_CONFIG and the Event value shall be the value of the UEFI_VARIABLE data structure. b. The AuditMode variable value. The Event Type SHALL be EV_EFI_VARIABLE_DRIVER_CONFIG and the Event value shall be the value of the UEFI_VARIABLE data structure. --- --- PCR[7] If the system supports UEFI 2.5 or later and DeployedMode is NOT enabled, the following additional variables MUST be measured into PCR[7]: a. The contents of the AuditMode variable b. The contents of the DeployedMode variable --- If DeployedMode does not exist, we can not decide which PCR to be extended. Thanks, Masahisa Kojima > > Could we handle these variables in a loop over an array containing dbt > and dbr reduce code duplication? > > Best regards > > Heinrich > > > + > > + pcr_index = (deployed_mode ? 1 : 7); > > + > > + ret = tcg2_measure_variable(dev, pcr_index, > > + EV_EFI_VARIABLE_DRIVER_CONFIG, > > + L"DeployedMode", > > + &efi_global_variable_guid, > > + size, &deployed_mode); > > + > > + size = sizeof(audit_mode); > > + ret = efi_get_variable_int(L"AuditMode", &efi_global_variable_guid, > > + NULL, &size, &audit_mode, NULL); > > + if (ret != EFI_SUCCESS) > > + return ret; > > + > > + ret = tcg2_measure_variable(dev, pcr_index, > > + EV_EFI_VARIABLE_DRIVER_CONFIG, > > + L"AuditMode", > > + &efi_global_variable_guid, > > + size, &audit_mode); > > + > > + return ret; > > +} > > + > > /** > > * tcg2_measure_secure_boot_variable() - measure secure boot variables > > * > > @@ -1891,6 +1936,8 @@ static efi_status_t tcg2_measure_secure_boot_variable(struct udevice *dev) > > free(data); > > } > > > > + ret = tcg2_measure_deployed_audit_mode(dev); > > + > > error: > > return ret; > > } > >
diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index 35810615ed..427d6e22b1 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -12,6 +12,7 @@ #include <dm.h> #include <efi_loader.h> #include <efi_tcg2.h> +#include <efi_variable.h> #include <log.h> #include <malloc.h> #include <smbios.h> @@ -1828,6 +1829,50 @@ out: return ret; } +/** + * tcg2_measure_deployed_audit_mode() - measure deployedmode and auditmode + * + * @dev: TPM device + * + * Return: status code + */ +static efi_status_t tcg2_measure_deployed_audit_mode(struct udevice *dev) +{ + u8 deployed_mode; + u8 audit_mode; + efi_uintn_t size; + efi_status_t ret; + u32 pcr_index; + + size = sizeof(deployed_mode); + ret = efi_get_variable_int(L"DeployedMode", &efi_global_variable_guid, + NULL, &size, &deployed_mode, NULL); + if (ret != EFI_SUCCESS) + return ret; + + pcr_index = (deployed_mode ? 1 : 7); + + ret = tcg2_measure_variable(dev, pcr_index, + EV_EFI_VARIABLE_DRIVER_CONFIG, + L"DeployedMode", + &efi_global_variable_guid, + size, &deployed_mode); + + size = sizeof(audit_mode); + ret = efi_get_variable_int(L"AuditMode", &efi_global_variable_guid, + NULL, &size, &audit_mode, NULL); + if (ret != EFI_SUCCESS) + return ret; + + ret = tcg2_measure_variable(dev, pcr_index, + EV_EFI_VARIABLE_DRIVER_CONFIG, + L"AuditMode", + &efi_global_variable_guid, + size, &audit_mode); + + return ret; +} + /** * tcg2_measure_secure_boot_variable() - measure secure boot variables * @@ -1891,6 +1936,8 @@ static efi_status_t tcg2_measure_secure_boot_variable(struct udevice *dev) free(data); } + ret = tcg2_measure_deployed_audit_mode(dev); + error: return ret; }
This commit adds the DeployedMode and AuditMode variable measurement required in TCG PC Client PFP Spec. Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org> --- lib/efi_loader/efi_tcg2.c | 47 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) -- 2.17.1