From patchwork Wed Nov 24 15:08:58 2021
X-Patchwork-Submitter: Ruchika Gupta
X-Patchwork-Id: 519351
From: Ruchika Gupta
To: u-boot@lists.denx.de, ilias.apalodimas@linaro.org, xypron.glpk@gmx.de, agraf@csgraf.de, masahisa.kojima@linaro.org
Cc: Ruchika Gupta
Subject: [PATCH v5 3/3] efi_loader: Extend PCR's for firmware measurements
Date: Wed, 24 Nov 2021 20:38:58 +0530
Message-Id: <20211124150858.496805-3-ruchika.gupta@linaro.org>
In-Reply-To: <20211124150858.496805-1-ruchika.gupta@linaro.org>
References: <20211124150858.496805-1-ruchika.gupta@linaro.org>

Firmware before U-Boot may be capable of doing TPM measurements and passing them to U-Boot in the form of an eventlog. However, there may be scenarios where the firmware doesn't have a TPM driver and is not capable of extending the measurements in the PCRs. Based on the TCG spec, if previous firmware has extended PCRs, PCR0 would not be 0. So, read PCR0 to determine whether the PCRs need to be extended as the eventlog is parsed or not.

Signed-off-by: Ruchika Gupta
Reviewed-by: Ilias Apalodimas
Tested-by: Ilias Apalodimas
---
v5 : No change
v4 : No change
v3 : Rebase changes on top of changes made in first patch of series
v2 : Removed check for PCR0 in eventlog

 lib/efi_loader/efi_tcg2.c | 75 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 75 insertions(+)

diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
index a789c44660..b44eed0ec9 100644
--- a/lib/efi_loader/efi_tcg2.c
+++ b/lib/efi_loader/efi_tcg2.c
@@ -199,6 +199,43 @@ static efi_status_t tcg2_pcr_extend(struct udevice *dev, u32 pcr_index, return EFI_SUCCESS; } +/* tcg2_pcr_read - Read PCRs for a TPM2 device for a given tpml_digest_values + * + * @dev: device + * @digest_list: list of digest algorithms to extend + * + * @Return: status code + */ +static efi_status_t tcg2_pcr_read(struct udevice *dev, u32 pcr_index, + struct tpml_digest_values *digest_list) +{ + struct tpm_chip_priv *priv; + unsigned int updates, pcr_select_min; + u32 rc; + size_t i; + + priv = dev_get_uclass_priv(dev); + if (!priv) + return EFI_DEVICE_ERROR; + + pcr_select_min = priv->pcr_select_min; + + for (i = 0; i < digest_list->count; i++) { + u16 hash_alg = digest_list->digests[i].hash_alg; + u8 *digest = (u8 *)&digest_list->digests[i].digest; + + rc = tpm2_pcr_read(dev, pcr_index, pcr_select_min, + hash_alg, digest, alg_to_len(hash_alg), + &updates); + if (rc) { + EFI_PRINT("Failed to read PCR\n"); + return EFI_DEVICE_ERROR; + } + } + + return EFI_SUCCESS; +} + /* put_event - Append an agile event to an eventlog * * @pcr_index: PCR index @@ -1428,6 +1465,8 @@ efi_status_t tcg2_get_fw_eventlog(struct udevice *dev, void *log_buffer, u32 pcr, pos; u64 base; u32 sz; + bool extend_pcr = false; + int i; ret = platform_get_eventlog(dev, &base, &sz); if (ret != EFI_SUCCESS) 
@@ -1449,6 +1488,26 @@ efi_status_t tcg2_get_fw_eventlog(struct udevice *dev, void *log_buffer, return EFI_COMPROMISED_DATA; } + ret = tcg2_pcr_read(dev, 0, &digest_list); + if (ret) { + log_err("Error reading PCR 0\n"); + return ret; + } + + /* + * If PCR0 is 0, previous firmware didn't have the capability + * to extend the PCR. In this scenario, extend the PCR as + * the eventlog is parsed. + */ + for (i = 0; i < digest_list.count; i++) { + u8 buffer[TPM2_DIGEST_LEN] = { 0 }; + u16 hash_alg = digest_list.digests[i].hash_alg; + + if (!memcmp((u8 *)&digest_list.digests[i].digest, buffer, + alg_to_len(hash_alg))) + extend_pcr = true; + } + while (pos < sz) { ret = tcg2_parse_event(dev, buffer, sz, &pos, &digest_list, &pcr); @@ -1456,6 +1515,22 @@ efi_status_t tcg2_get_fw_eventlog(struct udevice *dev, void *log_buffer, log_err("Error parsing event\n"); return ret; } + if (extend_pcr) { + ret = tcg2_pcr_extend(dev, pcr, &digest_list); + if (ret != EFI_SUCCESS) { + log_err("Error in extending PCR\n"); + return ret; + } + + /* Clear the digest for next event */ + for (i = 0; i < digest_list.count; i++) { + u16 hash_alg = digest_list.digests[i].hash_alg; + u8 *digest = + (u8 *)&digest_list.digests[i].digest; + + memset(digest, 0, alg_to_len(hash_alg)); + } + } } memcpy(log_buffer, buffer, sz);
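Review bot: the kernel-doc for tcg2_pcr_read in the first hunk (@@ -199) does not match its signature: @pcr_index is not documented at all, and @digest_list is described as "list of digest algorithms to extend" although this function only reads into it. Suggest `* @pcr_index: PCR index to read` and `* @digest_list: list of digest algorithms to read into`. A one-line comment that the `updates` counter filled by tpm2_pcr_read() is deliberately ignored would also save the next reader a lookup.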
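Review bot: in the second hunk (@@ -1428) the new loop counter is `int i`, while every loop it drives in the later hunks compares it against `digest_list.count`, and tcg2_pcr_read() added above uses `size_t i` for the same iteration. Use size_t here too, so the two loops stay consistent and the signed/unsigned comparison goes away.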
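Review bot: the zero-digest comparison in the third hunk (@@ -1449) can read past the end of `buffer`: the scratch array is `u8 buffer[TPM2_DIGEST_LEN]` but the memcmp length is `alg_to_len(hash_alg)`, so any bank whose digest is wider than TPM2_DIGEST_LEN (SHA384 or SHA512, if this code path supports them) compares against bytes beyond the array. Size the scratch array for the largest digest alg_to_len() can return, or test for zero with a byte loop over alg_to_len(hash_alg) instead. Three smaller points on the same block: the local `buffer` shadows the `buffer` that tcg2_parse_event() and the final memcpy use in this function, so a name such as `zero_digest` would read better; setting `extend_pcr = true` when any single bank of PCR0 is zero means that in a mixed state (one bank already extended by earlier firmware, another bank not) the already-extended bank is extended a second time and stops matching the log, so either require every bank to be zero before extending or decide per bank and log a warning on the mixed case; and `if (ret)` after tcg2_pcr_read() should be `if (ret != EFI_SUCCESS)` like the rest of the function.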
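Review bot: the extend path in the last hunk (@@ -1456) extends every event tcg2_parse_event() returns, without looking at the event type. The TCG PC Client Platform Firmware Profile defines EV_NO_ACTION events (for example a StartupLocality event in PCR0) as informative log entries that are never extended into a PCR, so replaying them here would leave PCR0 disagreeing with any verifier that replays the same log. Have tcg2_parse_event() report the event type (or a skip flag) and bypass tcg2_pcr_extend() for EV_NO_ACTION. The "Clear the digest for next event" memset loop also deserves a sentence on why it is needed: if tcg2_parse_event() overwrites every digest for each event, the loop is redundant, and if it does not, that is worth stating in the comment.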
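The commit message's rule (PCR0 all zero means earlier firmware did not extend, so replay the log into the PCRs while parsing it) is easier to reason about with the TPM extend operation written out. The following is an added example, not code from the patch or from U-Boot, and it is in Python rather than C only so the hashes can come from hashlib. It assumes two PCR banks (sha256 and sha384), a constructed four-entry log, and it departs from the hunk in two places that the review notes above raise: a mixed PCR0 state (one bank extended, one not) is reported rather than re-extended, and EV_NO_ACTION entries are skipped. The event type numbers are the TCG PC Client Platform Firmware Profile values; everything else is constructed for the example.

```python
"""Replay a TCG2-style event log into simulated PCR banks (added example)."""
import hashlib

# Assumed bank set: bank name -> hashlib constructor.
BANKS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384}

# Event type values from the TCG PC Client Platform Firmware Profile.
EV_POST_CODE = 0x01
EV_NO_ACTION = 0x03
EV_SEPARATOR = 0x04


def zero_pcr(bank):
    """A PCR that has never been extended is all zero bytes, digest-sized."""
    return bytes(BANKS[bank]().digest_size)


def extend(pcr_value, digest, bank):
    """TPM2_PCR_Extend rule: new PCR = H(old PCR || digest)."""
    return BANKS[bank](pcr_value + digest).digest()


def make_event(pcr_index, event_type, data):
    """Constructed agile log entry: one digest per bank over the event data."""
    return {"pcr": pcr_index, "type": event_type,
            "digests": {b: BANKS[b](data).digest() for b in BANKS}}


def fresh_pcrs():
    """24 zeroed PCRs per bank, as a TPM looks before any extend."""
    return {b: [zero_pcr(b) for _ in range(24)] for b in BANKS}


def needs_extend(pcrs):
    """The patch's PCR0 check, made strict: extend only if PCR0 is zero in
    every bank. Returns (extend_pcr, list_of_zero_banks_in_a_mixed_state)."""
    zero = {b: pcrs[b][0] == zero_pcr(b) for b in BANKS}
    if all(zero.values()):
        return True, None           # nobody extended: replay the log
    if not any(zero.values()):
        return False, None          # earlier firmware extended everything
    return False, [b for b, z in zero.items() if z]   # mixed: leave alone


def replay(log, pcrs, extend_pcr):
    """Walk the log; extend each event's digest into its PCR when asked."""
    for ev in log:
        if ev["type"] == EV_NO_ACTION:      # informative only, never extended
            continue
        if extend_pcr:
            for b in BANKS:
                pcrs[b][ev["pcr"]] = extend(pcrs[b][ev["pcr"]],
                                            ev["digests"][b], b)
    return pcrs


def expected_from_log(log):
    """What a remote verifier computes from the log alone."""
    return replay(log, fresh_pcrs(), True)


# Constructed sample log: a StartupLocality EV_NO_ACTION entry followed by
# two measurements and a separator, all in PCR0.
SAMPLE_LOG = [
    make_event(0, EV_NO_ACTION, b"StartupLocality\x00\x03"),
    make_event(0, EV_POST_CODE, b"constructed: firmware stage A"),
    make_event(0, EV_POST_CODE, b"constructed: firmware stage B"),
    make_event(0, EV_SEPARATOR, b"\x00\x00\x00\x00"),
]


def scenario(previous_firmware_extended):
    """Boot once. If earlier firmware had a TPM driver the PCRs already hold
    the log's values; otherwise they are zero. Returns (pcrs, extend, mixed)."""
    pcrs = fresh_pcrs()
    if previous_firmware_extended:
        pcrs = replay(SAMPLE_LOG, pcrs, True)
    extend_pcr, mixed = needs_extend(pcrs)
    pcrs = replay(SAMPLE_LOG, pcrs, extend_pcr)
    return pcrs, extend_pcr, mixed


if __name__ == "__main__":
    for prev in (False, True):
        pcrs, ext, _ = scenario(prev)
        ok = pcrs == expected_from_log(SAMPLE_LOG)
        print(f"previous firmware extended={prev}: extend={ext}, "
              f"PCR0 matches log replay={ok}")
```

In both scenarios PCR0 ends up equal to what a verifier computes from the log, which is the property the patch is after; the strict all-banks check keeps that true in the mixed case too, where extending again would break it.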