From patchwork Fri Jun 14 12:09:50 2024
X-Patchwork-Submitter: Ilias Apalodimas
X-Patchwork-Id: 804151
From: Ilias Apalodimas
To: xypron.glpk@gmx.de
Cc: Ilias Apalodimas, Tom Rini, Simon Glass, Mattijs Korpershoek, Eddie James, Masahisa Kojima, u-boot@lists.denx.de
Subject: [PATCH] tpm: measure DTB in PCR1 instead of PCR0
Date: Fri, 14 Jun 2024 15:09:50 +0300
Message-ID: <20240614120951.16158-1-ilias.apalodimas@linaro.org>

The PC client spec [0] doesn't describe measurements for DTBs. It does
describe what to do for ACPI tables though.

There is a description for ACPI in 3.3.4.1 PCR[0] – SRTM, POST BIOS, and
Embedded Drivers and they explicitly mention ACPI in there.

There's no mention of ACPI in 3.3.4.2 PCR[1] – Host Platform Configuration.

However, in Figure 6 -- PCR Mapping of UEFI Components ACPI is shown in PCR1.
The general description also mentions PCR0 is for code and PCR1 is for data
such as ACPI and SMBIOS.

So let's switch over the DTB measurements to PCR1 which seems a better fit.

[0] https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification

Reported-by: Heinrich Schuchardt
Signed-off-by: Ilias Apalodimas
Reviewed-by: Eddie James
---
 boot/bootm.c              | 2 +-
 lib/efi_loader/efi_tcg2.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--
2.45.1

diff --git a/boot/bootm.c b/boot/bootm.c index 6fa8edab021e..3de87eb185d7 100644 --- a/boot/bootm.c +++ b/boot/bootm.c
@@ -963,7 +963,7 @@ int bootm_measure(struct bootm_headers *images) goto unmap_initrd; if (IS_ENABLED(CONFIG_MEASURE_DEVICETREE)) { - ret = tcg2_measure_data(dev, &elog, 0, images->ft_len, + ret = tcg2_measure_data(dev, &elog, 1, images->ft_len, (u8 *)images->ft_addr, EV_TABLE_OF_DEVICES, strlen("dts") + 1, diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index 51264c1b998c..a8a54c9f131d 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -1328,7 +1328,7 @@ efi_status_t efi_tcg2_measure_dtb(void *dtb) sha256_update(&hash_ctx, (u8 *)dtb + fdt_off_mem_rsvmap(dtb), rsvmap_size); sha256_finish(&hash_ctx, blob->data + blob->blob_description_size); - ret = measure_event(dev, 0, EV_POST_CODE, event_size, (u8 *)blob); + ret = measure_event(dev, 1, EV_POST_CODE, event_size, (u8 *)blob); free(blob); return ret;
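Review bot: In the boot/bootm.c hunk, the PCR index in bootm_measure() remains a bare literal in `tcg2_measure_data(dev, &elog, 1, images->ft_len,`, and the same literal is edited separately in efi_tcg2_measure_dtb(). A single named constant for the DTB PCR index, with a comment citing the spec section the commit message relies on, would keep the two boot paths from drifting apart and make the choice easy to audit. The commit message should also state that this changes the PCR0 and PCR1 values a device produces, so that anyone holding reference values or secrets sealed to those PCRs knows to regenerate them when picking up this change.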
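Review bot: In the lib/efi_loader/efi_tcg2.c hunk, only the PCR index moves; the event type in `measure_event(dev, 1, EV_POST_CODE, event_size, (u8 *)blob);` is unchanged, while the commit message justifies PCR1 as the register for data rather than code and the bootm.c path logs the same DTB as EV_TABLE_OF_DEVICES. Please either align the event type between the two paths or add a comment in efi_tcg2_measure_dtb() explaining why an event type named for POST code is kept for a measurement that now lands in PCR1, since event-log consumers that replay the log may key on the event type together with the PCR index.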