From patchwork Tue Dec 24 16:01:08 2024
X-Patchwork-Submitter: Raymond Mao
X-Patchwork-Id: 853201
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: Ilias Apalodimas, Raymond Mao, Tom Rini, Heinrich Schuchardt, Simon Glass, Tim Harvey, Eddie James, Masahisa Kojima
Subject: [PATCH v2 06/11] tpm: Don't create an EventLog if algorithms are misconfigured
Date: Tue, 24 Dec 2024 08:01:08 -0800
Message-Id: <20241224160118.675977-7-raymond.mao@linaro.org>
In-Reply-To: <20241224160118.675977-1-raymond.mao@linaro.org>
References: <20241224160118.675977-1-raymond.mao@linaro.org>
From: Ilias Apalodimas We already check the active banks vs what U-Boot was compiled with when trying to extend a PCR and we refuse to do so if the TPM active ones don't match the ones U-Boot supports. Do the same thing for the EventLog creation since extending will fail anyway and print a message so the user can figure out the missing algorithms. Signed-off-by: Ilias Apalodimas Co-developed-by: Raymond Mao Signed-off-by: Raymond Mao --- Changes in v2 - None. include/tpm-v2.h | 7 +++++++ lib/tpm-v2.c | 23 +++++++++++++++++++++++ lib/tpm_tcg2.c | 27 ++++++++++++++++++++++++++- 3 files changed, 56 insertions(+), 1 deletion(-) diff --git a/include/tpm-v2.h b/include/tpm-v2.h index c49eadda26..6b3f2175b7 100644 --- a/include/tpm-v2.h +++ b/include/tpm-v2.h @@ -770,4 +770,11 @@ bool tpm2_check_active_banks(struct udevice *dev); */ bool tpm2_is_active_bank(struct tpms_pcr_selection *selection); +/** + * tpm2_print_active_banks() - Print the active TPM PCRs + * + * @dev: TPM device + */ +void tpm2_print_active_banks(struct udevice *dev); + #endif /* __TPM_V2_H */ diff --git a/lib/tpm-v2.c b/lib/tpm-v2.c index 96c164f2a5..bac6fd9101 100644 --- a/lib/tpm-v2.c +++ b/lib/tpm-v2.c @@ -926,3 +926,26 @@ bool tpm2_check_active_banks(struct udevice *dev) return true; } + +void tpm2_print_active_banks(struct udevice *dev) +{ + struct tpml_pcr_selection pcrs; + size_t i; + int rc; + + rc = tpm2_get_pcr_info(dev, &pcrs); + if (rc) { + log_err("Can't retrieve active PCRs\n"); + return; + } + + for (i = 0; i < pcrs.count; i++) { + if (tpm2_is_active_bank(&pcrs.selection[i])) { + const char *str; + + str = tpm2_algorithm_name(pcrs.selection[i].hash); + if (str) + log_info("%s\n", str); + } + } +} diff --git a/lib/tpm_tcg2.c b/lib/tpm_tcg2.c index 99671804e3..e77a904129 100644 --- a/lib/tpm_tcg2.c +++ b/lib/tpm_tcg2.c 
@@ -567,11 +567,36 @@ int tcg2_log_prepare_buffer(struct udevice *dev, struct tcg2_event_log *elog, bool ignore_existing_log) { struct tcg2_event_log log; - int rc; + int rc, i; elog->log_position = 0; elog->found = false; + /* + * Make sure U-Boot is compiled with all the active PCRs + * since we are about to create an EventLog and we won't + * measure anything if the PCR banks don't match + */ + if (!tpm2_check_active_banks(dev)) { + log_err("Cannot create EventLog\n"); + log_err("Mismatch between U-Boot and TPM hash algos\n"); + log_info("TPM:\n"); + tpm2_print_active_banks(dev); + log_info("U-Boot:\n"); + for (i = 0; i < ARRAY_SIZE(hash_algo_list); i++) { + const struct digest_info *algo = &hash_algo_list[i]; + const char *str; + + if (!algo->supported) + continue; + + str = tpm2_algorithm_name(algo->hash_alg); + if (str) + log_info("%s\n", str); + } + return -EINVAL; + } + rc = tcg2_platform_get_log(dev, (void **)&log.log, &log.log_size); if (!rc) { log.log_position = 0;
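Review bot: in the include/tpm-v2.h hunk the kernel-doc for tpm2_print_active_banks() says it prints "the active TPM PCRs", but the body added in lib/tpm-v2.c prints the names of the hash algorithms of the active PCR banks, not PCR indices or values; suggest "Print the hash algorithms of the active PCR banks" so the comment matches both the behaviour and the function name.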
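Review bot: in the lib/tpm-v2.c hunk, tpm2_print_active_banks() guards the print with `if (str)`, so an active bank whose algorithm tpm2_algorithm_name() cannot name is silently dropped from the listing, and that is exactly the bank the caller most needs to see when it is diagnosing a TPM/U-Boot mismatch. Suggest an else branch that prints the raw id, e.g. `log_info("unknown algorithm 0x%x\n", pcrs.selection[i].hash);`. Smaller point: this function is only called from an error path, yet it prints at log_info while the caller's headline is at log_err, so at a log level between the two the user gets "Mismatch between U-Boot and TPM hash algos" followed by an empty TPM list.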
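Review bot: in the tcg2_log_prepare_buffer() hunk the diagnostic mixes log_err for the two headline lines with log_info for the "TPM:" and "U-Boot:" lists, so at a log level that shows errors but not info the mismatch is reported with no algorithm names at all, which defeats the purpose the commit message gives for the message; use one level (log_err) for the whole block. Two smaller points: `i` is declared `int` but compared against ARRAY_SIZE(hash_algo_list), which is size_t, so it should be `size_t` (or `unsigned int`) to avoid a signed/unsigned comparison; and the U-Boot-side loop duplicates what tpm2_print_active_banks() does for the TPM side, so a matching helper in lib/tpm_tcg2.c that prints the supported entries of hash_algo_list would keep the two listings in step and let the extend path mentioned in the commit message emit the same diagnostic.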
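The active-bank check that the commit message describes, carried through as an added example (this is not code from the patch or from U-Boot): a constructed TPM_CAP_PCRS answer is compared against a hypothetical firmware build table, an allocated bank with an all-zero PCR selection is treated as inactive rather than as a mismatch, and a bank whose algorithm the firmware cannot name is reported by its id instead of being dropped. The struct and function names, the fw_algos table and the sample selections are assumptions made for the example; only the TPM 2.0 algorithm ids are real.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TPM 2.0 algorithm ids from the TCG Algorithm Registry. */
#define TPM2_ALG_SHA1    0x0004
#define TPM2_ALG_SHA256  0x000b
#define TPM2_ALG_SHA384  0x000c
#define TPM2_ALG_SM3_256 0x0012
#define PCR_SELECT_MAX   3 /* sizeofSelect for 24 PCRs */

/* One TPMS_PCR_SELECTION as returned by TPM2_GetCapability(TPM_CAP_PCRS). */
struct pcr_selection {
	uint16_t hash;
	uint8_t size_of_select;
	uint8_t pcr_select[PCR_SELECT_MAX];
};

/* Hypothetical firmware build table: which digests it can compute. */
struct fw_algo {
	uint16_t hash;
	const char *name;
	bool supported;
};

static const struct fw_algo fw_algos[] = {
	{ TPM2_ALG_SHA1,   "sha1",   true },
	{ TPM2_ALG_SHA256, "sha256", true },
	{ TPM2_ALG_SHA384, "sha384", false }, /* known, but built without it */
};
#define FW_ALGO_COUNT (sizeof(fw_algos) / sizeof(fw_algos[0]))

/* A bank is active only if at least one PCR is selected in it: the TPM may
 * report an allocated bank with an all-zero selection, which must not block
 * the event log. */
static bool bank_is_active(const struct pcr_selection *sel)
{
	for (unsigned int i = 0; i < sel->size_of_select && i < PCR_SELECT_MAX; i++)
		if (sel->pcr_select[i])
			return true;
	return false;
}

static const struct fw_algo *fw_lookup(uint16_t hash)
{
	for (size_t i = 0; i < FW_ALGO_COUNT; i++)
		if (fw_algos[i].hash == hash)
			return &fw_algos[i];
	return NULL;
}

/* Return the number of active TPM banks the firmware cannot extend; 0 means
 * the event log may be created. A bank whose algorithm the firmware does not
 * know at all is reported by id rather than skipped, so nothing is hidden. */
int check_active_banks(const struct pcr_selection *sel, size_t count)
{
	int missing = 0;

	for (size_t i = 0; i < count; i++) {
		const struct fw_algo *algo;

		if (!bank_is_active(&sel[i]))
			continue;
		algo = fw_lookup(sel[i].hash);
		if (algo && algo->supported)
			continue;
		if (algo)
			printf("bank %s active on TPM but not compiled in\n", algo->name);
		else
			printf("bank 0x%04x active on TPM but unknown to firmware\n", sel[i].hash);
		missing++;
	}
	return missing;
}

/* Constructed TPM_CAP_PCRS answer: SHA-1, SHA-256, SHA-384 and SM3-256 active. */
int demo_mismatch(void)
{
	static const struct pcr_selection tpm[] = {
		{ TPM2_ALG_SHA1,    3, { 0xff, 0xff, 0xff } },
		{ TPM2_ALG_SHA256,  3, { 0xff, 0xff, 0xff } },
		{ TPM2_ALG_SHA384,  3, { 0xff, 0xff, 0xff } },
		{ TPM2_ALG_SM3_256, 3, { 0xff, 0xff, 0xff } },
	};
	return check_active_banks(tpm, sizeof(tpm) / sizeof(tpm[0]));
}

/* Constructed answer: SHA-256 active, SHA-384 allocated with no PCRs selected. */
int demo_match(void)
{
	static const struct pcr_selection tpm[] = {
		{ TPM2_ALG_SHA256, 3, { 0xff, 0xff, 0xff } },
		{ TPM2_ALG_SHA384, 3, { 0x00, 0x00, 0x00 } },
	};
	return check_active_banks(tpm, sizeof(tpm) / sizeof(tpm[0]));
}

int main(void)
{
	printf("mismatch: %d bank(s) missing, EventLog refused\n", demo_mismatch()); /* 2 */
	printf("match: %d bank(s) missing, EventLog created\n", demo_match());       /* 0 */
	return 0;
}
```

Builds with any C99 compiler. demo_mismatch() refuses the log for two reasons at once, SHA-384 is active but not compiled in and SM3-256 is unknown to the firmware, and both are printed; demo_match() allows it because the only active bank is SHA-256 and the all-zero SHA-384 selection is ignored.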