From patchwork Mon Nov 29 07:39:46 2021
X-Patchwork-Submitter: Ruchika Gupta
X-Patchwork-Id: 519699
From: Ruchika Gupta
To: u-boot@lists.denx.de, ilias.apalodimas@linaro.org, xypron.glpk@gmx.de, agraf@csgraf.de, masahisa.kojima@linaro.org
Cc: Ruchika Gupta
Subject: [PATCH v8 3/3] efi_loader: Extend PCR's for firmware measurements
Date: Mon, 29 Nov 2021 13:09:46 +0530
Message-Id: <20211129073946.1374496-3-ruchika.gupta@linaro.org>
In-Reply-To: <20211129073946.1374496-1-ruchika.gupta@linaro.org>
References: <20211129073946.1374496-1-ruchika.gupta@linaro.org>
List-Id: U-Boot discussion

Firmwares before U-Boot may be capable of doing TPM measurements and passing them to U-Boot in the form of an eventlog. However, there may be scenarios where the firmwares don't have a TPM driver and are not capable of extending the measurements in the PCRs. Based on the TCG spec, if previous firmware has extended PCRs, PCR0 would not be 0. So, read PCR0 to determine whether the PCRs need to be extended as the eventlog is parsed or not.

Signed-off-by: Ruchika Gupta
Reviewed-by: Ilias Apalodimas
Tested-by: Ilias Apalodimas
---
v8: Addressed issues reported by cppcheck
v7: Addressed Heinrich's comments - Added missing parameter in function header
v6: Changed TPM2_DIGEST_LEN to TPM2_SHA512_DIGEST_SIZE
v5: No change
v4: No change
v3: Rebase changes on top of changes made in first patch series
v2: Removed check for PCR0 in eventlog

 lib/efi_loader/efi_tcg2.c | 76 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 76 insertions(+)

diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
index ce3e599c83..7d0ee8e1f1 100644
--- a/lib/efi_loader/efi_tcg2.c
+++ b/lib/efi_loader/efi_tcg2.c
@@ -199,6 +199,44 @@ static efi_status_t tcg2_pcr_extend(struct udevice *dev, u32 pcr_index, return EFI_SUCCESS; } +/* tcg2_pcr_read - Read PCRs for a TPM2 device for a given tpml_digest_values + * + * @dev: device + * @pcr_index: PCR index + * @digest_list: list of digest algorithms to extend + * + * @Return: status code + */ +static efi_status_t tcg2_pcr_read(struct udevice *dev, u32 pcr_index, + struct tpml_digest_values *digest_list) +{ + struct tpm_chip_priv *priv; + unsigned int updates, pcr_select_min; + u32 rc; + size_t i; + + priv = dev_get_uclass_priv(dev); + if (!priv) + return EFI_DEVICE_ERROR; + + pcr_select_min = priv->pcr_select_min; + + for (i = 0; i < digest_list->count; i++) { + u16 hash_alg = digest_list->digests[i].hash_alg; + u8 *digest = (u8 *)&digest_list->digests[i].digest; + + rc = tpm2_pcr_read(dev, pcr_index, pcr_select_min, + hash_alg, digest, alg_to_len(hash_alg), + &updates); + if (rc) { + EFI_PRINT("Failed to read PCR\n"); + return EFI_DEVICE_ERROR; + } + } + + return EFI_SUCCESS; +} + /* put_event - Append an agile event to an eventlog * * @pcr_index: PCR index @@ -1458,6 +1496,8 @@ static efi_status_t tcg2_get_fw_eventlog(struct udevice *dev, void *log_buffer, u32 pcr, pos; u64 base; u32 sz; + bool extend_pcr = false; + int i; ret = platform_get_eventlog(dev, &base, &sz); if (ret != EFI_SUCCESS) 
@@ -1479,6 +1519,26 @@ static efi_status_t tcg2_get_fw_eventlog(struct udevice *dev, void *log_buffer, return ret; } + ret = tcg2_pcr_read(dev, 0, &digest_list); + if (ret) { + log_err("Error reading PCR 0\n"); + return ret; + } + + /* + * If PCR0 is 0, previous firmware didn't have the capability + * to extend the PCR. In this scenario, extend the PCR as + * the eventlog is parsed. + */ + for (i = 0; i < digest_list.count; i++) { + u8 hash_buf[TPM2_SHA512_DIGEST_SIZE] = { 0 }; + u16 hash_alg = digest_list.digests[i].hash_alg; + + if (!memcmp((u8 *)&digest_list.digests[i].digest, hash_buf, + alg_to_len(hash_alg))) + extend_pcr = true; + } + while (pos < sz) { ret = tcg2_parse_event(dev, buffer, sz, &pos, &digest_list, &pcr); @@ -1486,6 +1546,22 @@ static efi_status_t tcg2_get_fw_eventlog(struct udevice *dev, void *log_buffer, log_err("Error parsing event\n"); return ret; } + if (extend_pcr) { + ret = tcg2_pcr_extend(dev, pcr, &digest_list); + if (ret != EFI_SUCCESS) { + log_err("Error in extending PCR\n"); + return ret; + } + + /* Clear the digest for next event */ + for (i = 0; i < digest_list.count; i++) { + u16 hash_alg = digest_list.digests[i].hash_alg; + u8 *digest = + (u8 *)&digest_list.digests[i].digest; + + memset(digest, 0, alg_to_len(hash_alg)); + } + } } memcpy(log_buffer, buffer, sz);
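Review bot: in the first hunk (@@ -199,6 +199,44 @@), the kernel-doc header for tcg2_pcr_read() describes @digest_list as a "list of digest algorithms to extend", but the function reads PCR @pcr_index into it: each entry's hash_alg selects a bank and its digest field receives that bank's value. Suggest "@digest_list: list of digests to read into; hash_alg of each entry selects the bank" so the parameter is not confused with the one taken by tcg2_pcr_extend(). Also, `updates` is written by every tpm2_pcr_read() call and then discarded; a one-line comment saying the update counter is intentionally ignored would save the next reader from wondering whether it should be checked.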
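Review bot: in the second hunk (@@ -1458,6 +1496,8 @@), `int i` is later compared against `digest_list.count`, which is unsigned, so the two new loops in tcg2_get_fw_eventlog() become signed/unsigned comparisons; tcg2_pcr_read() in the same patch uses `size_t i` for the equivalent loop, so declaring `size_t i` (or `u32 i`) here keeps the two consistent and avoids -Wsign-compare warnings.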
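Review bot: in the third hunk (@@ -1479,6 +1519,26 @@), extend_pcr becomes true as soon as any one bank of PCR 0 reads as zero, so a TPM whose banks are in a mixed state (one bank already extended by earlier firmware, another untouched) would have the whole eventlog replayed into every bank, double-extending the bank that was already populated. The check should require every bank in digest_list to be zero before replaying, and log an error when the banks disagree, since that state means the earlier stage and U-Boot differ on which banks are active. Two smaller points: the PCR 0 values read into digest_list are still present when tcg2_parse_event() handles the first event, so correctness depends on the parser overwriting every bank's digest; clearing the digests immediately after the zero check removes that dependency. And `if (ret)` differs from the `ret != EFI_SUCCESS` style used just above and in the next hunk. When extend_pcr does end up true, a log_info() is worthwhile: PCR values produced by replaying a log handed over by earlier firmware are only as trustworthy as that log, and the boot output should let an operator tell the two cases apart.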
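Review bot: in the fourth hunk (@@ -1486,6 +1546,22 @@), `pcr` comes straight out of the parsed event and is handed to tcg2_pcr_extend() with no range check visible here; unless tcg2_parse_event() already validates it, a corrupted log entry could request an extend of an out-of-range index, so either confirm the parser bounds it or check it before the extend. The clearing loop at the end of the block would read better as a small helper (for example tcg2_digest_list_clear()), which could also be reused after the PCR 0 check earlier in the function, and the log_err() would be more useful as "Error extending PCR %u" with the index included.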