From patchwork Wed Jul 7 13:36:34 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Masahisa Kojima X-Patchwork-Id: 470803 Delivered-To: patch@linaro.org Received: by 2002:a02:c94a:0:0:0:0:0 with SMTP id u10csp6005770jao; Wed, 7 Jul 2021 06:36:48 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzq6cPZeZeM1zgo8KWuL8V6BlPxZZ8/ai+SCnKyxYcfrjl4RAyfwZqqiFUhxSS+guQfu2KR X-Received: by 2002:a17:906:d552:: with SMTP id cr18mr20862456ejc.276.1625665008064; Wed, 07 Jul 2021 06:36:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1625665008; cv=none; d=google.com; s=arc-20160816; b=xVS97s5ZK72O2O2w7HkkXWXpZ6iDRNCP3lXf4jLerIFqkGJEUgfojdjnVrFha52GUZ qBPW1GtdR4KCdGSaGLMH91wsbUGiOKmET37U5cTv+AzbEtqs8vuUTfk1FvA55mZZOUVp J0bBOamAksA5MaMul5FvQLZsWpfmvrJxySSc63xpfgtWsSAMvuie/ntSyNyZWVPk/T/B unWjinyLgKLaXRtjkzDwDbfXVz6EXH1MKFotFQA75I70CAN4uDbKzE2ZFemSfUUZBuQQ SHSGon4XLYahGCXpwg6S/KXWNlLMvZvlRG8suj30lXaGbtH1A2lJmiXEN8mFEaa6Q3Yd /Qfg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:references:in-reply-to :message-id:date:subject:to:from:dkim-signature; bh=rTm8nY8PYnSrDquNRjPJyfgm4ilzRqYtSUomNZNBPQ0=; b=WIWw6Q1H4+lV4h3gMNm1xj/P4pc99bKClOeOxMDyIfZj+QLW2lAYpIefWjqXuRM1Gp 3Mq7+5DhJSmI6tssrYQc63H3xfUwYbNuNIvG1E1VVbKzlkgw30tEtFdQfKMLdpqWFcna PBgirmDQPZGIYWeB1pzpKwSE4ZaSOhM5dAyKcpnBy2vEuRFJfi13EyMSVOdZffw0JqBP rsVBa0FGtdBpxd/Wlba7X+KH6fPjj5+968m73JqgOqFfnmF/D4v7LaFmk8MyhJXn7udT QdZVr5CRmNFbAv8wv0p+TvRVXEBZUYeLg3U0NJItlfCeXVTOycgD+5PBlCoGfLs8zrSM cbbA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=ud3rYuJ3; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [85.214.62.61]) by mx.google.com with ESMTPS id n22si17804604edd.43.2021.07.07.06.36.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 07 Jul 2021 06:36:48 -0700 (PDT) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) client-ip=85.214.62.61; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=ud3rYuJ3; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 67F8A82E0B; Wed, 7 Jul 2021 15:36:39 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="ud3rYuJ3"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 51C6582E0B; Wed, 7 Jul 2021 15:36:37 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pf1-x429.google.com (mail-pf1-x429.google.com [IPv6:2607:f8b0:4864:20::429]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 9856C82BED for ; Wed, 7 Jul 2021 15:36:33 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=masahisa.kojima@linaro.org Received: by mail-pf1-x429.google.com with SMTP id a127so2138217pfa.10 for ; Wed, 07 Jul 2021 06:36:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:subject:date:message-id:in-reply-to:references; bh=rTm8nY8PYnSrDquNRjPJyfgm4ilzRqYtSUomNZNBPQ0=; b=ud3rYuJ3fNx87/R9XF9jAu6vWpsR07pHaBMyClUJDIudCOoF5lqR3FTZDd1/eqTKOj 0pUMyQNPL6RBJ+xLWjtfVKKmGh6tujbnLNr7MdDmOHHobux0W8o2OcdV2yruaY9y65KV NJkbFEdLCDV0CFd5FZGHr4EU+6092cPdeFJv9IRd5yxUEberxmc0gc/mYsfrCdyv9C61 sSRdk8YRDFBWEIK1BFKFU83iVCJC4CkY1Isf3w1EJy/pCZVnCre75YHiP38fHVeHKqmV monq+NqnIObqLcxEf3gMpXvr4MYlCT1rWM7HLIJcxNCsq6nv349tjJdlyNJ8HWrw21uZ SsQQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=rTm8nY8PYnSrDquNRjPJyfgm4ilzRqYtSUomNZNBPQ0=; b=MBz/bpTcR4auoyTwvcfMgRLuAv1vBMvQ6Blsdz1X0hyvXcLCWk2cPT6i6/MFe9xKcC cv6NsmWq/RuniN0oH1niRT9ktclQLoPpVT1fUi2/HxpAITfxm5FtUo0YMOFkqFS9AlcK ooJXtFkibz8fAZU0eapaMkfWG9L9IIvbGZtndnSWFIcfyFEY9dCuOshm6A5dRP72K/UY CvDdlFWsTLwbwHWT7o/mc3N7fuwCx16h545JitvOrI6qD1S4AUYMqOkw8wdJaCsUHQAx 7wui1VDk5DDzkVbz7XRmBP+UXr6lOXwquEoyG3jWENrLU3VBgx/ZZl9NUOteYcsg2+5c 6/lw== X-Gm-Message-State: AOAM530msDBeH4nXju7M4IqgI68fO90js0qGCUkYBue2bYesYXmJSEef vT7fNOn9Wbat9ikpDNRYKd1y9Q== X-Received: by 2002:a65:6404:: with SMTP id a4mr26624101pgv.175.1625664991981; Wed, 07 Jul 2021 06:36:31 -0700 (PDT) Received: from localhost.localdomain ([2400:2411:502:a100:82fa:5bff:fe4b:26b1]) by smtp.gmail.com with ESMTPSA id t9sm6438659pjs.50.2021.07.07.06.36.29 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 07 Jul 2021 06:36:31 -0700 (PDT) From: Masahisa Kojima To: Heinrich Schuchardt , Alexander Graf , Ilias Apalodimas , Simon Glass , Masahisa Kojima , Dhananjay Phadke , u-boot@lists.denx.de Subject: [PATCH 1/5] efi_loader: increase eventlog buffer size Date: Wed, 7 Jul 2021 22:36:34 +0900 Message-Id: <20210707133638.12630-2-masahisa.kojima@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210707133638.12630-1-masahisa.kojima@linaro.org> References: <20210707133638.12630-1-masahisa.kojima@linaro.org> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean This is a preperation to add eventlog support described in TCG PC Client PFP spec. Signed-off-by: Masahisa Kojima --- lib/efi_loader/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.17.1 diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index b2ab48a048..a87bf3cc98 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -327,7 +327,7 @@ config EFI_TCG2_PROTOCOL config EFI_TCG2_PROTOCOL_EVENTLOG_SIZE int "EFI_TCG2_PROTOCOL EventLog size" depends on EFI_TCG2_PROTOCOL - default 4096 + default 16384 help Define the size of the EventLog for EFI_TCG2_PROTOCOL. Note that this is going to be allocated twice. One for the eventlog it self From patchwork Wed Jul 7 13:36:35 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Masahisa Kojima X-Patchwork-Id: 470805 Delivered-To: patch@linaro.org Received: by 2002:a02:c94a:0:0:0:0:0 with SMTP id u10csp6006037jao; Wed, 7 Jul 2021 06:37:08 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzOvURbQtrgq2epwwYoubUUQPLM5EhPBCKKNKUqbNsHkTbwV5GTBRV+VW5lcxA/pbjmtdut X-Received: by 2002:a05:6402:502:: with SMTP id m2mr5436323edv.57.1625665027969; Wed, 07 Jul 2021 06:37:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1625665027; cv=none; d=google.com; s=arc-20160816; b=dBRdH8sZyrW+ESGqhGwK5P+bXowQl7U4FDmaKTTvd0HiWN72hpQSY3a/WsOp5C51Ki Pm+VJ/HE6xEKWKw8sjX/6DtQaXZFqTrnI5M4tQdgrLPOHPUwlSdgSCCfIW4iQaFYEuA1 QshGoQ3fkn9BIeNCG0QFRvydCJMwqM7jx+F9VIffRd81PP5pmpkxfWGC+9fom8u40h4W r3xpCRt+7DotxsDIL+DnjsAI2fS2LnEWikLTyEM3xn3fwhI8S6L0ojtVeRUldX00suYO GVazmayhsZ4QyTqJy6L7sj3Qc5HokWX6QRr8aExbvtoaHKlQY6fDEhPRZ3de9UprbOLu AQSQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:references:in-reply-to :message-id:date:subject:to:from:dkim-signature; bh=wiRXmSnPylwY+UUf6fF1HMr47StzIlQJm/birG8EPaE=; b=dkPu7bcci3Ltfci13E1V2aUzgzuhvMuSIfDmPSyJ1UqiAoWNsQEzxbZXF64YDivQmE ZSwiSdib7uYyj8PvMPXmcccrApxNeKM6MPyU8QjTXS2faBD3CDnDhB2B1QFYDUriC5To P38VykwvExd8O/0UJTtasL3H6faGkQdzarqjkZA+Du5SpohUN4pjf1FgVBFDODWVfP4l /gm9hv4NtuSWs0ExD6YICmtmEG2zzJh/GsIqUuTUEFe/AZH1hiVqVjm1huyG70lukCLC PFIltY5xDN+BhSr5/88pv2yoZ0XH2NvYquify4TkMJvDH+2xEVcwfta+CAhd8WezhR9+ u5lw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=febKa1JM; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [85.214.62.61]) by mx.google.com with ESMTPS id v9si16162493edr.346.2021.07.07.06.37.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 07 Jul 2021 06:37:07 -0700 (PDT) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) client-ip=85.214.62.61; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=febKa1JM; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id DBF3F82E16; Wed, 7 Jul 2021 15:36:50 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="febKa1JM"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 4A52B82E2B; Wed, 7 Jul 2021 15:36:45 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pf1-x42b.google.com (mail-pf1-x42b.google.com [IPv6:2607:f8b0:4864:20::42b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 3C7E282E05 for ; Wed, 7 Jul 2021 15:36:36 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=masahisa.kojima@linaro.org Received: by mail-pf1-x42b.google.com with SMTP id 17so2163967pfz.4 for ; Wed, 07 Jul 2021 06:36:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:subject:date:message-id:in-reply-to:references; bh=wiRXmSnPylwY+UUf6fF1HMr47StzIlQJm/birG8EPaE=; b=febKa1JM7kYk9xZje5swPWVy6HP1KkkJtXpiHpk7jYAGuEusMNMbn4IftlirOS/NOv YZYV4Ws25fhkVSFlRcUS0ct+fxXZeSlBAlm6x1RyGOOrjb4IQcADHJM0jq9OKbwaghZJ +moNt48sA7UH7J8JxpiIguOmKkEbYJdBy2vUQzW8p3C6EIjiMYypNo9c9d7TKVPBzB7o IHoEn/RYYc0G+VPCrEB/khH066XViZQ7/3nkrJAbbK4DQzWzvWF5+ZpH9lD7NZFHHr6b p5H/iJODA9+DuV8zmEGatb4OK/JBMUMy9vM0oUd/7pCSZl8+a78O0t++GCJcg2nOs9Xn 3esw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=wiRXmSnPylwY+UUf6fF1HMr47StzIlQJm/birG8EPaE=; b=YqSywF1R2jlCG82adpd2BeolNkwQ+9dY4yzXdiS0TZ2Ati1X3PNGWj0HkgzAOY9an0 xNV9wk1ZcCFxr/TU8KPA5LoFuVRNIt6NQDQYfrETs8ELNEA0yobJB6+cvOyBHGElty3P MtPpO93OL5aBQi5bApxunEzL2yqkVyaTgpZwYAEq7RSMCZvautd3UUmBhvlt0Tat6EGm R+XIxx8rh8z3Nxaf6q3Ly8ufRrR76jnPL3DrEzZp/6Ta7irNSb89xD+/+AmRjN0+7XvU NX5UjU4eT+nPUM487WiqTUPGicQOd234wZAt0M7jAwJf0HNBxxtHY35X9l+JVOIcJBgB 1wRg== X-Gm-Message-State: AOAM532gZjaMHHJDrJssPcefGi9JFcIou6R7EYA0gNgUtmIkzNZO45WO qPc9k17xG/qM0yiUjKmtPsgffw== X-Received: by 2002:a63:f916:: with SMTP id h22mr26367811pgi.6.1625664994698; Wed, 07 Jul 2021 06:36:34 -0700 (PDT) Received: from localhost.localdomain ([2400:2411:502:a100:82fa:5bff:fe4b:26b1]) by smtp.gmail.com with ESMTPSA id t9sm6438659pjs.50.2021.07.07.06.36.32 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 07 Jul 2021 06:36:34 -0700 (PDT) From: Masahisa Kojima To: Heinrich Schuchardt , Alexander Graf , Ilias Apalodimas , Simon Glass , Masahisa Kojima , Dhananjay Phadke , u-boot@lists.denx.de Subject: [PATCH 2/5] efi_loader: add secure boot variable measurement Date: Wed, 7 Jul 2021 22:36:35 +0900 Message-Id: <20210707133638.12630-3-masahisa.kojima@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210707133638.12630-1-masahisa.kojima@linaro.org> References: <20210707133638.12630-1-masahisa.kojima@linaro.org> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean TCG PC Client PFP spec requires to measure the secure boot policy before validating the UEFI image. This commit adds the secure boot variable measurement of "SecureBoot", "PK", "KEK", "db" and "dbx". Note that this implementation assumes that secure boot variables are pre-configured and not be set/updated in runtime. Signed-off-by: Masahisa Kojima --- include/efi_tcg2.h | 20 ++++++ lib/efi_loader/efi_tcg2.c | 135 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 155 insertions(+) -- 2.17.1 diff --git a/include/efi_tcg2.h b/include/efi_tcg2.h index bcfb98168a..8d7b77c087 100644 --- a/include/efi_tcg2.h +++ b/include/efi_tcg2.h @@ -142,6 +142,26 @@ struct efi_tcg2_final_events_table { struct tcg_pcr_event2 event[]; }; +/** + * struct tdUEFI_VARIABLE_DATA + * @variable_name: The vendorGUID parameter in the + * GetVariable() API. + * @unicode_name_length: The length in CHAR16 of the Unicode name of + * the variable. + * @variable_data_length: The size of the variable data. + * @unicode_name: The CHAR16 unicode name of the variable + * without NULL-terminator. + * @variable_data: The data parameter of the efi variable + * in the GetVariable() API. + */ +struct efi_tcg2_uefi_variable_data { + efi_guid_t variable_name; + u64 unicode_name_length; + u64 variable_data_length; + u16 unicode_name[1]; + u8 variable_data[1]; +}; + struct efi_tcg2_protocol { efi_status_t (EFIAPI * get_capability)(struct efi_tcg2_protocol *this, struct efi_tcg2_boot_service_capability *capability); diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index 1319a8b378..2a248bd62a 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -78,6 +78,19 @@ static const struct digest_info hash_algo_list[] = { }, }; +struct variable_info { + u16 *name; + const efi_guid_t *guid; +}; + +static struct variable_info secure_variables[] = { + {L"SecureBoot", &efi_global_variable_guid}, + {L"PK", &efi_global_variable_guid}, + {L"KEK", &efi_global_variable_guid}, + {L"db", &efi_guid_image_security_database}, + {L"dbx", &efi_guid_image_security_database}, +}; + #define MAX_HASH_COUNT ARRAY_SIZE(hash_algo_list) /** @@ -1264,6 +1277,39 @@ free_pool: return ret; } +/** + * tcg2_measure_event() - common function to add event log and extend PCR + * + * @dev: TPM device + * @pcr_index: PCR index + * @event_type: type of event added + * @size: event size + * @event: event data + * + * Return: status code + */ +static efi_status_t EFIAPI +tcg2_measure_event(struct udevice *dev, u32 pcr_index, u32 event_type, + u32 size, u8 event[]) +{ + struct tpml_digest_values digest_list; + efi_status_t ret; + + ret = tcg2_create_digest(event, size, &digest_list); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_pcr_extend(dev, pcr_index, &digest_list); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_agile_log_append(pcr_index, event_type, &digest_list, + size, event); + +out: + return ret; +} + /** * efi_append_scrtm_version - Append an S-CRTM EV_S_CRTM_VERSION event on the * eventlog and extend the PCRs @@ -1294,6 +1340,88 @@ out: return ret; } +/** + * tcg2_measure_variable() - add variable event log and extend PCR + * + * @dev: TPM device + * @pcr_index: PCR index + * @event_type: type of event added + * @var_name: variable name + * @guid: guid + * @data_size: variable data size + * @data: variable data + * + * Return: status code + */ +static efi_status_t tcg2_measure_variable(struct udevice *dev, u32 pcr_index, + u32 event_type, u16 *var_name, + const efi_guid_t *guid, + efi_uintn_t data_size, u8 *data) +{ + u32 event_size; + efi_status_t ret; + struct efi_tcg2_uefi_variable_data *event; + + event_size = sizeof(event->variable_name) + + sizeof(event->unicode_name_length) + + sizeof(event->variable_data_length) + + (u16_strlen(var_name) * sizeof(*var_name)) + data_size; + event = malloc(event_size); + if (!event) + return EFI_OUT_OF_RESOURCES; + + guidcpy(&event->variable_name, guid); + event->unicode_name_length = u16_strlen(var_name); + event->variable_data_length = data_size; + memcpy(event->unicode_name, var_name, + (event->unicode_name_length * sizeof(*event->unicode_name))); + memcpy((u16 *)event->unicode_name + event->unicode_name_length, + (u8 *)data, data_size); + ret = tcg2_measure_event(dev, pcr_index, event_type, event_size, + (u8 *)event); + free(event); + return ret; +} + +/** + * tcg2_measure_secure_boot_variable() - measure secure boot variables + * + * @dev: TPM device + * + * Return: status code + */ +static efi_status_t tcg2_measure_secure_boot_variable(struct udevice *dev) +{ + u8 *data; + efi_uintn_t data_size; + u32 count, i; + efi_status_t ret; + + count = ARRAY_SIZE(secure_variables); + for (i = 0; i < count; i++) { + data = efi_get_var(secure_variables[i].name, + secure_variables[i].guid, + &data_size); + + ret = tcg2_measure_variable(dev, 7, + EV_EFI_VARIABLE_DRIVER_CONFIG, + secure_variables[i].name, + secure_variables[i].guid, + data_size, (u8 *)data); + free(data); + if (ret != EFI_SUCCESS) + goto error; + } + + /* + * TODO: add DBT and DBR measurement support when u-boot supports + * these variables. + */ + +error: + return ret; +} + /** * efi_tcg2_register() - register EFI_TCG2_PROTOCOL * @@ -1328,6 +1456,13 @@ efi_status_t efi_tcg2_register(void) tcg2_uninit(); goto fail; } + + ret = tcg2_measure_secure_boot_variable(dev); + if (ret != EFI_SUCCESS) { + tcg2_uninit(); + goto fail; + } + return ret; fail: From patchwork Wed Jul 7 13:36:36 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Masahisa Kojima X-Patchwork-Id: 470804 Delivered-To: patch@linaro.org Received: by 2002:a02:c94a:0:0:0:0:0 with SMTP id u10csp6005886jao; Wed, 7 Jul 2021 06:36:57 -0700 (PDT) X-Google-Smtp-Source: ABdhPJx+YJro51n2egN07MxU28NaM08L61h4OfU/yYZcHhjv0dfZYCCgBuFdc5Guz3okmaguTnQt X-Received: by 2002:a17:907:7708:: with SMTP id kw8mr24615000ejc.111.1625665017671; Wed, 07 Jul 2021 06:36:57 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1625665017; cv=none; d=google.com; s=arc-20160816; b=mQ+4hbVbr4Ydro0XV5j9IOUmSNJIFTQAkfDLDLtKbYWizLoTlGb8VOjiqXXxVYxc02 rnLWuMIeeaDhEZQ4larQdRftk1v9TdEviLX5nbjPMchKfY8DVvBuzjXGGhwcdabNrU8P BXVmljZ7tXlV6HvCyz9EclmS3zQ/4ZvDJUnk2tBQvlQ9vtLm/9n6xOFhLQcocdxfwOnc H+yW9ggfnb7fSa7iyBef6OuhyQKsyuIANZdraSLAMELUFKr7WPefN0AbQ/wcTfsXKE1f 5s5oSOVn7QOyc6Rqw0CukT+W1Jz4wnQEC3/6v4qbTbCJig0p1U0iCerb9bokwSlbde/3 8wtQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:references:in-reply-to :message-id:date:subject:to:from:dkim-signature; bh=VEw+wH4Ks+/IyACZDvPQNDI4MJKVwjKesPl+x6yaVTw=; b=e+ufWZ3lSRxtULQOZMSfsM/oiiY91qkIuvGoGWdzMFiedRvTTq0aQOjSDlMNd0124E o8h8f8P/HorbAeahbXvUq+aJkxUR8DgQkQgWMhMH5BagKToE3a/nXnjBwlwVL4LVHjis Pxw/hg/60s7qWKCF+aUumGjuQkq+7OEuMv1/PCNttXL4Boghip3Eab46tjt7ZJjK6eiq mUg4Oc/L1DKY0wdKqzkINbfksnHVQROyJkalEmOVtCnx+q/sdgXoZHodwhgW52MfIx+l yrgkQ08yEfv5IBVSq5RowAjh6HYhfmhxjdF6T9LgCFfPbNuOHAkAIlB8GdiQ8PKn66oB uxLw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=Poefw4UV; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [2a01:238:438b:c500:173d:9f52:ddab:ee01]) by mx.google.com with ESMTPS id ds7si23085791ejc.670.2021.07.07.06.36.57 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 07 Jul 2021 06:36:57 -0700 (PDT) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=Poefw4UV; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 2524B82E1E; Wed, 7 Jul 2021 15:36:46 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="Poefw4UV"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 318E082E23; Wed, 7 Jul 2021 15:36:43 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pg1-x52b.google.com (mail-pg1-x52b.google.com [IPv6:2607:f8b0:4864:20::52b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id F212A82E06 for ; Wed, 7 Jul 2021 15:36:38 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=masahisa.kojima@linaro.org Received: by mail-pg1-x52b.google.com with SMTP id a2so2269498pgi.6 for ; Wed, 07 Jul 2021 06:36:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:subject:date:message-id:in-reply-to:references; bh=VEw+wH4Ks+/IyACZDvPQNDI4MJKVwjKesPl+x6yaVTw=; b=Poefw4UVlrIjos3Rc6NqJVtp0FjSVfD7D6fsIh+vN6y+xfJMycncR3AZ+WgkJAtCYQ LPvfnvPjKDjV4sZxx7abvg8/3c1tuCADg3BGqEt4JDiq3iEWYAF+At6beK9X6V/g/klL khz8e9kWGCkaEcXk5/WxLiFIT+JvnOFJBQ1M8nbpIpdpGs3SR5mxTq6/qk8EkU+KwhvW FT326O9cSH63oKmm27cDoBHw7M/6EFcKlw1jSDeBpfGRvROl2Dd5FiGi1TAE0xZfxF/u /R91QxHrUt7CfCZdU18tR8AHwqerBPa95wtPOLGDeSaubroZNaFAiqjYeni3Osfxkac6 26Vw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=VEw+wH4Ks+/IyACZDvPQNDI4MJKVwjKesPl+x6yaVTw=; b=qrsqy9WUIvRlSsl/FnSZJjj00HA/ZBeDn+7mG69VQoitHS9sRc8qHiOZeEcNp+nqaN xRJb4EnoPloK/nLI+1nVhtTSEhY3mYPhpaLUjnPgpIfSVy/dDDr/tmieUyEN9K+lag2c 2pBjsmjG2NUaGO73lYn2qiRBk2fViHGLqnUGcDZr6QC4NFQZNrvc4ONzCI5aUfFKUnmV SwAROu7+6C+5it5WMnWQR4stQXBldBSysh3Sc8di+bKsEvldfeZwNe3JKlyTF8uWYTTI 0lGYNz/KPEUilyI9Hs9xuMBupt5yFf2ZIRR6BhFzlrl/LQHSonPtHdSraCvBHMX/FGEv iwaw== X-Gm-Message-State: AOAM530tNvPggOPEBdwUE81wneHZamaANzN7HiEM81YnmdGz9I0OyHSw ApRy7NvV0U9U0G+FtM3YAMp4lQ== X-Received: by 2002:a63:7d15:: with SMTP id y21mr26438535pgc.352.1625664997317; Wed, 07 Jul 2021 06:36:37 -0700 (PDT) Received: from localhost.localdomain ([2400:2411:502:a100:82fa:5bff:fe4b:26b1]) by smtp.gmail.com with ESMTPSA id t9sm6438659pjs.50.2021.07.07.06.36.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 07 Jul 2021 06:36:36 -0700 (PDT) From: Masahisa Kojima To: Heinrich Schuchardt , Alexander Graf , Ilias Apalodimas , Simon Glass , Masahisa Kojima , Dhananjay Phadke , u-boot@lists.denx.de Subject: [PATCH 3/5] efi_loader: add boot variable measurement Date: Wed, 7 Jul 2021 22:36:36 +0900 Message-Id: <20210707133638.12630-4-masahisa.kojima@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210707133638.12630-1-masahisa.kojima@linaro.org> References: <20210707133638.12630-1-masahisa.kojima@linaro.org> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean TCG PC Client PFP spec requires to measure "Boot####" and "BootOrder" variables, EV_SEPARATOR event prior to the Ready to Boot invocation. Since u-boot does not implement Ready to Boot event, these measurements are performed when efi_start_image() is called. TCG spec also requires to measure "Calling EFI Application from Boot Option" for each boot attempt, and "Returning from EFI Application from Boot Option" if a boot device returns control back to the Boot Manager. Signed-off-by: Masahisa Kojima --- include/efi_loader.h | 4 ++ include/tpm-v2.h | 18 ++++- lib/efi_loader/efi_boottime.c | 20 ++++++ lib/efi_loader/efi_tcg2.c | 123 ++++++++++++++++++++++++++++++++++ 4 files changed, 164 insertions(+), 1 deletion(-) -- 2.17.1 diff --git a/include/efi_loader.h b/include/efi_loader.h index 0a9c82a257..281ffff30f 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -407,6 +407,10 @@ efi_status_t efi_run_image(void *source_buffer, efi_uintn_t source_size); efi_status_t efi_init_variables(void); /* Notify ExitBootServices() is called */ void efi_variables_boot_exit_notify(void); +/* Measure efi application invocation */ +efi_status_t EFIAPI efi_tcg2_measure_efi_app_invocation(void); +/* Measure efi application exit */ +efi_status_t EFIAPI efi_tcg2_measure_efi_app_exit(void); /* Called by bootefi to initialize root node */ efi_status_t efi_root_node_register(void); /* Called by bootefi to initialize runtime */ diff --git a/include/tpm-v2.h b/include/tpm-v2.h index 3e48e35861..8a7b7f1874 100644 --- a/include/tpm-v2.h +++ b/include/tpm-v2.h @@ -73,7 +73,7 @@ struct udevice; /* * event types, cf. * "TCG PC Client Platform Firmware Profile Specification", Family "2.0" - * rev 1.04, June 3, 2019 + * Level 00 Version 1.05 Revision 23, May 7, 2021 */ #define EV_EFI_EVENT_BASE ((u32)0x80000000) #define EV_EFI_VARIABLE_DRIVER_CONFIG ((u32)0x80000001) @@ -85,8 +85,24 @@ struct udevice; #define EV_EFI_ACTION ((u32)0x80000007) #define EV_EFI_PLATFORM_FIRMWARE_BLOB ((u32)0x80000008) #define EV_EFI_HANDOFF_TABLES ((u32)0x80000009) +#define EV_EFI_PLATFORM_FIRMWARE_BLOB2 ((u32)0x8000000A) +#define EV_EFI_HANDOFF_TABLES2 ((u32)0x8000000B) +#define EV_EFI_VARIABLE_BOOT2 ((u32)0x8000000C) #define EV_EFI_HCRTM_EVENT ((u32)0x80000010) #define EV_EFI_VARIABLE_AUTHORITY ((u32)0x800000E0) +#define EV_EFI_SPDM_FIRMWARE_BLOB ((u32)0x800000E1) +#define EV_EFI_SPDM_FIRMWARE_CONFIG ((u32)0x800000E2) + +#define EFI_CALLING_EFI_APPLICATION \ + "Calling EFI Application from Boot Option" +#define EFI_RETURNING_FROM_EFI_APPLICATION \ + "Returning from EFI Application from Boot Option" +#define EFI_EXIT_BOOT_SERVICES_INVOCATION \ + "Exit Boot Services Invocation" +#define EFI_EXIT_BOOT_SERVICES_FAILED \ + "Exit Boot Services Returned with Failure" +#define EFI_EXIT_BOOT_SERVICES_SUCCEEDED \ + "Exit Boot Services Returned with Success" /* TPMS_TAGGED_PROPERTY Structure */ struct tpms_tagged_property { diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/efi_boottime.c index f6d5ba05e3..2914800c56 100644 --- a/lib/efi_loader/efi_boottime.c +++ b/lib/efi_loader/efi_boottime.c @@ -2993,6 +2993,16 @@ efi_status_t EFIAPI efi_start_image(efi_handle_t image_handle, image_obj->exit_status = &exit_status; image_obj->exit_jmp = &exit_jmp; + if (IS_ENABLED(CONFIG_EFI_TCG2_PROTOCOL)) { + if (image_obj->image_type == IMAGE_SUBSYSTEM_EFI_APPLICATION) { + ret = efi_tcg2_measure_efi_app_invocation(); + if (ret != EFI_SUCCESS) { + EFI_PRINT("tcg2 measurement fails(0x%lx)\n", + ret); + } + } + } + /* call the image! */ if (setjmp(&exit_jmp)) { /* @@ -3251,6 +3261,16 @@ static efi_status_t EFIAPI efi_exit(efi_handle_t image_handle, exit_status != EFI_SUCCESS) efi_delete_image(image_obj, loaded_image_protocol); + if (IS_ENABLED(CONFIG_EFI_TCG2_PROTOCOL)) { + if (image_obj->image_type == IMAGE_SUBSYSTEM_EFI_APPLICATION) { + ret = efi_tcg2_measure_efi_app_exit(); + if (ret != EFI_SUCCESS) { + EFI_PRINT("tcg2 measurement fails(0x%lx)\n", + ret); + } + } + } + /* Make sure entry/exit counts for EFI world cross-overs match */ EFI_EXIT(exit_status); diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index 2a248bd62a..6e903e3cb3 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -35,6 +35,7 @@ struct event_log_buffer { }; static struct event_log_buffer event_log; +static bool tcg2_efi_app_invoked; /* * When requesting TPM2_CAP_TPM_PROPERTIES the value is on a standard offset. * Since the current tpm2_get_capability() response buffers starts at @@ -1383,6 +1384,128 @@ static efi_status_t tcg2_measure_variable(struct udevice *dev, u32 pcr_index, return ret; } +/** + * tcg2_measure_boot_variable() - measure boot variables + * + * @dev: TPM device + * + * Return: status code + */ +static efi_status_t tcg2_measure_boot_variable(struct udevice *dev) +{ + u16 *boot_order; + u16 var_name[] = L"BootOrder"; + u16 boot_name[] = L"Boot0000"; + u16 hexmap[] = L"0123456789ABCDEF"; + u8 *bootvar; + efi_uintn_t var_data_size; + u32 count, i; + efi_status_t ret; + + boot_order = efi_get_var(var_name, &efi_global_variable_guid, + &var_data_size); + if (!boot_order) { + log_info("BootOrder not defined\n"); + ret = EFI_NOT_FOUND; + goto error; + } + + ret = tcg2_measure_variable(dev, 1, EV_EFI_VARIABLE_BOOT2, var_name, + &efi_global_variable_guid, var_data_size, + (u8 *)boot_order); + if (ret != EFI_SUCCESS) + goto error; + + count = var_data_size / sizeof(*boot_order); + for (i = 0; i < count; i++) { + boot_name[4] = hexmap[(boot_order[i] & 0xf000) >> 12]; + boot_name[5] = hexmap[(boot_order[i] & 0x0f00) >> 8]; + boot_name[6] = hexmap[(boot_order[i] & 0x00f0) >> 4]; + boot_name[7] = hexmap[(boot_order[i] & 0x000f)]; + + bootvar = efi_get_var(boot_name, &efi_global_variable_guid, + &var_data_size); + + if (!bootvar) { + log_info("%ls not found\n", boot_name); + continue; + } + + ret = tcg2_measure_variable(dev, 1, EV_EFI_VARIABLE_BOOT2, + boot_name, + &efi_global_variable_guid, + var_data_size, bootvar); + free(bootvar); + if (ret != EFI_SUCCESS) + goto error; + } + +error: + free(boot_order); + return ret; +} + +/** + * efi_tcg2_measure_efi_app_invocation() - measure efi app invocation + * + * Return: status code + */ +efi_status_t EFIAPI efi_tcg2_measure_efi_app_invocation(void) +{ + efi_status_t ret; + u32 pcr_index; + struct udevice *dev; + u32 event = 0; + + if (tcg2_efi_app_invoked) + return EFI_SUCCESS; + + ret = platform_get_tpm2_device(&dev); + if (ret != EFI_SUCCESS) + return ret; + + ret = tcg2_measure_boot_variable(dev); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_measure_event(dev, 4, EV_EFI_ACTION, + strlen(EFI_CALLING_EFI_APPLICATION), + (u8 *)EFI_CALLING_EFI_APPLICATION); + if (ret != EFI_SUCCESS) + goto out; + + for (pcr_index = 0; pcr_index <= 7; pcr_index++) { + ret = tcg2_measure_event(dev, pcr_index, EV_SEPARATOR, + sizeof(event), (u8 *)&event); + if (ret != EFI_SUCCESS) + goto out; + } + + tcg2_efi_app_invoked = true; +out: + return ret; +} + +/** + * efi_tcg2_measure_efi_app_exit() - measure efi app exit + * + * Return: status code + */ +efi_status_t EFIAPI efi_tcg2_measure_efi_app_exit(void) +{ + efi_status_t ret; + struct udevice *dev; + + ret = platform_get_tpm2_device(&dev); + if (ret != EFI_SUCCESS) + return ret; + + ret = tcg2_measure_event(dev, 4, EV_EFI_ACTION, + strlen(EFI_RETURNING_FROM_EFI_APPLICATION), + (u8 *)EFI_RETURNING_FROM_EFI_APPLICATION); + return ret; +} + /** * tcg2_measure_secure_boot_variable() - measure secure boot variables * From patchwork Wed Jul 7 13:36:37 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Masahisa Kojima X-Patchwork-Id: 470806 Delivered-To: patch@linaro.org Received: by 2002:a02:c94a:0:0:0:0:0 with SMTP id u10csp6006165jao; Wed, 7 Jul 2021 06:37:18 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw+LUHJsU0LqVd+/19VEcaHRJ/zK+wbSl5EmhPXV+EgyzCUqF0z3J/NwiwLiWlNvglA7HfW X-Received: by 2002:a17:907:2da6:: with SMTP id gt38mr23340026ejc.528.1625665038112; Wed, 07 Jul 2021 06:37:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1625665038; cv=none; d=google.com; s=arc-20160816; b=wR0E1bE53RuKJrVsFnBGPqkjrmeqjw2c0a9veD1uLSm8WGe9fLpmq3oAmo0xMLrtnm 4wCAeRLI5vgNfYQbSDxFyxho50AE/SOHr6xZTGc7UAesg5N3ElMj8c+4mJpWRxL9MzlV 3MKNH0UUSaOnJV4ADneFuokavwyXxbhfh8bYuQGMBpJkrqNRc99GHYZ/OSZqJklvpNAY YqdsL8lG7b6+ovVIZFEK8hlEwB+3j5HO0tI3Nq1+XPTN0EBYxXJZ3wH9FAqJEC/kTGCJ EszGfIOuzvcaKndaHuxdJDtq5CPqeJJq6zl6puLktBgOXOqLNMyAdHgbnIv31AU5TvL8 /FUQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:references:in-reply-to :message-id:date:subject:to:from:dkim-signature; bh=ZM8Gqjt4H/M/T8dTY3DEdYYZkhn28GpsMwaxi2oYkrA=; b=yGd11htN/uWWgCDTEp8w11q5dZLsinm3k1bd99/YKXWKW+OPq7mftGzztVMZp0eUst pHveoH7orcjbM36iPsiWQVyIeIPAa6uYoRsXPTZwF/It7BmsZPdPkpbPLoGx69S7R1ob ghTU/abPoxNSdHzumhpI8HBoD2zCmx9l2ru1G0e/GJNEXrwp7WWOAkvU1oowUkSotMp5 hFowUkYhgBddm6Uk9DH2mnNGcZsm66YsxeLB2Z9x1WFrBZzpRTOf10XcwE6E802lGypP 9UVJuDJT9h2ZACLrVpcduvylS+ZnRYe4nTY2x7yBKfcf7nrAWgwADVy0XNn7CFLV38YQ HoWg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=Ju5geQEi; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [85.214.62.61]) by mx.google.com with ESMTPS id y11si2839768eje.13.2021.07.07.06.37.17 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 07 Jul 2021 06:37:18 -0700 (PDT) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) client-ip=85.214.62.61; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=Ju5geQEi; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 2B62082E32; Wed, 7 Jul 2021 15:36:55 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="Ju5geQEi"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id DCE0E82E16; Wed, 7 Jul 2021 15:36:48 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pg1-x52c.google.com (mail-pg1-x52c.google.com [IPv6:2607:f8b0:4864:20::52c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 2A25782E1D for ; Wed, 7 Jul 2021 15:36:43 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=masahisa.kojima@linaro.org Received: by mail-pg1-x52c.google.com with SMTP id t9so2279634pgn.4 for ; Wed, 07 Jul 2021 06:36:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:subject:date:message-id:in-reply-to:references; bh=ZM8Gqjt4H/M/T8dTY3DEdYYZkhn28GpsMwaxi2oYkrA=; b=Ju5geQEi8Cx8jgtHyxEhJB+nknwUm0K7OyI2cCFbYN4P3Et0kxA9X4zSuaXWUOApNf 1eqlS5YoDWzDNoJOYpaYlfvFcX9bStkk7im7KKnIT/z8n3iByq8Flh3SD8Zp650qPM9l sr6MtsVhpSLFRxpbVfbNdEQuiRFuIutTuUNe0KPDevnF14smN4m0z1s6XHjB4oV6qbdM Hx0gMYQ3TGtiVxqb+eqYr4Ut0+mJcwk319GVejDD/yapODrlvVDFXwaVbqBwq0LXq53L EorAhfomFqrekcyDdDHvowHV5VNdhNBodE6urk99W0euyGwMm5eRnexMxuBsCVlErtwj gM2w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=ZM8Gqjt4H/M/T8dTY3DEdYYZkhn28GpsMwaxi2oYkrA=; b=F/HZRcSz4oWWBOma1FIWZRwQybiEF9kmtvUpkFa7li6RynGDUJzxFy3PxLhw+E6b8d aLR/tpJu7nHgDfzLmwwnPAXFsloRM59z6D4PS7NjmlocaJPQmPjrgZ18NROtCTHnrz2B PqvuDKUZq2xmxZXUxD1nvVwVUXoSA1gYA0KSsb4TJc6tJWNpaGeTZxyrbXJuZczqX32i lZAhY14YEl9lzzcmpkuAF5Y2IX0kmj0bkj76kerVjKHfPZrGH2Yhj3X0udEhQL7828Ku z0+p/Vm/i+TxtobPsTR8f4AORK59lbE0J4VVajglHSXEK488ERVvl6tTX1m4C1bDMSfb DitQ== X-Gm-Message-State: AOAM531P0tU0RRv/yxL5j67po6vRrsGFGKLVg6QCAWmk6n63B8XE5+Mj Md966/BAO6Mu29syZYPSxA2XJg== X-Received: by 2002:a63:ef44:: with SMTP id c4mr25935305pgk.162.1625665000045; Wed, 07 Jul 2021 06:36:40 -0700 (PDT) Received: from localhost.localdomain ([2400:2411:502:a100:82fa:5bff:fe4b:26b1]) by smtp.gmail.com with ESMTPSA id t9sm6438659pjs.50.2021.07.07.06.36.37 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 07 Jul 2021 06:36:39 -0700 (PDT) From: Masahisa Kojima To: Heinrich Schuchardt , Alexander Graf , Ilias Apalodimas , Simon Glass , Masahisa Kojima , Dhananjay Phadke , u-boot@lists.denx.de Subject: [PATCH 4/5] efi_loader: add ExitBootServices() measurement Date: Wed, 7 Jul 2021 22:36:37 +0900 Message-Id: <20210707133638.12630-5-masahisa.kojima@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210707133638.12630-1-masahisa.kojima@linaro.org> References: <20210707133638.12630-1-masahisa.kojima@linaro.org> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean TCG PC Client PFP spec requires to measure "Exit Boot Services Invocation" if ExitBootServices() is invoked. Depending upon the return code from the ExitBootServices() call, "Exit Boot Services Returned with Success" or "Exit Boot Services Returned with Failure" is also measured. Signed-off-by: Masahisa Kojima --- include/efi_loader.h | 1 + lib/efi_loader/efi_boottime.c | 5 +++ lib/efi_loader/efi_tcg2.c | 70 +++++++++++++++++++++++++++++++++++ 3 files changed, 76 insertions(+) -- 2.17.1 diff --git a/include/efi_loader.h b/include/efi_loader.h index 281ffff30f..e9bd1aac08 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -407,6 +407,7 @@ efi_status_t efi_run_image(void *source_buffer, efi_uintn_t source_size); efi_status_t efi_init_variables(void); /* Notify ExitBootServices() is called */ void efi_variables_boot_exit_notify(void); +efi_status_t efi_tcg2_notify_exit_boot_services_failed(void); /* Measure efi application invocation */ efi_status_t EFIAPI efi_tcg2_measure_efi_app_invocation(void); /* Measure efi application exit */ diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/efi_boottime.c index 2914800c56..6e07ef65bc 100644 --- a/lib/efi_loader/efi_boottime.c +++ b/lib/efi_loader/efi_boottime.c @@ -2181,6 +2181,11 @@ static efi_status_t EFIAPI efi_exit_boot_services(efi_handle_t image_handle, efi_set_watchdog(0); WATCHDOG_RESET(); out: + if (ret != EFI_SUCCESS) { + if (IS_ENABLED(CONFIG_EFI_TCG2_PROTOCOL)) + efi_tcg2_notify_exit_boot_services_failed(); + } + return EFI_EXIT(ret); } diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index 6e903e3cb3..823abd8217 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -1506,6 +1506,67 @@ efi_status_t EFIAPI efi_tcg2_measure_efi_app_exit(void) return ret; } +/** + * efi_tcg2_notify_exit_boot_services() - ExitBootService callback + * + * @event: callback event + * @context: callback context + */ +static void EFIAPI +efi_tcg2_notify_exit_boot_services(struct efi_event *event, void *context) +{ + efi_status_t ret; + struct udevice *dev; + + EFI_ENTRY("%p, %p", event, context); + + ret = platform_get_tpm2_device(&dev); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION, + strlen(EFI_EXIT_BOOT_SERVICES_INVOCATION), + (u8 *)EFI_EXIT_BOOT_SERVICES_INVOCATION); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION, + strlen(EFI_EXIT_BOOT_SERVICES_SUCCEEDED), + (u8 *)EFI_EXIT_BOOT_SERVICES_SUCCEEDED); + +out: + EFI_EXIT(ret); +} + +/** + * efi_tcg2_notify_exit_boot_services_failed() + * - notify ExitBootServices() is failed + * + * Return: status code + */ +efi_status_t efi_tcg2_notify_exit_boot_services_failed(void) +{ + struct udevice *dev; + efi_status_t ret; + + ret = platform_get_tpm2_device(&dev); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION, + sizeof(EFI_EXIT_BOOT_SERVICES_INVOCATION), + (u8 *)EFI_EXIT_BOOT_SERVICES_INVOCATION); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION, + sizeof(EFI_EXIT_BOOT_SERVICES_FAILED), + (u8 *)EFI_EXIT_BOOT_SERVICES_FAILED); + +out: + return ret; +} + /** * tcg2_measure_secure_boot_variable() - measure secure boot variables * @@ -1556,6 +1617,7 @@ efi_status_t efi_tcg2_register(void) { efi_status_t ret = EFI_SUCCESS; struct udevice *dev; + struct efi_event *event; ret = platform_get_tpm2_device(&dev); if (ret != EFI_SUCCESS) { @@ -1580,6 +1642,14 @@ efi_status_t efi_tcg2_register(void) goto fail; } + ret = efi_create_event(EVT_SIGNAL_EXIT_BOOT_SERVICES, TPL_CALLBACK, + efi_tcg2_notify_exit_boot_services, NULL, + NULL, &event); + if (ret != EFI_SUCCESS) { + tcg2_uninit(); + goto fail; + } + ret = tcg2_measure_secure_boot_variable(dev); if (ret != EFI_SUCCESS) { tcg2_uninit(); From patchwork Wed Jul 7 13:36:38 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Masahisa Kojima X-Patchwork-Id: 470807 Delivered-To: patch@linaro.org Received: by 2002:a02:c94a:0:0:0:0:0 with SMTP id u10csp6006309jao; Wed, 7 Jul 2021 06:37:28 -0700 (PDT) X-Google-Smtp-Source: ABdhPJynxpaRnpfS6prXzcPdo6IIRrLm5Afh9PA1cPfKjokoqKP8XR+tU0SLuWmcb6orZWVAX9T8 X-Received: by 2002:a17:906:c30c:: with SMTP id s12mr23637108ejz.98.1625665048390; Wed, 07 Jul 2021 06:37:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1625665048; cv=none; d=google.com; s=arc-20160816; b=b2Lp6bmJYF8txQf9RCevh2Gq1Qpr+2QdmQh6Hy6UtbSRGYvwGNqhqefwMzBc3sxpTC dlWD73GmarHQ55m+aFWKzs4QSLdnj1moAikjr9uJTfigeaWscOb8DBGVmdFUQKQMspaR Bqz0xAjG8VHftB0aEc1XsSriVi1hLlBctArUTWTrpJlCzkXXUpnBr2ahM6v+hopFyZvG h+uB4CU73S558OiP/QZIzCebKO+YkRIMS2f+xuCYcfNb+7FhT3+35CYiOwU5TwtiSyeC E8/U6co2xGmwgo/r3HtAqJWnbayUH77ed8mDOp8UTyGwJuEmp6oRm/Zu7eKvNo7AKBr+ FXcQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:references:in-reply-to :message-id:date:subject:to:from:dkim-signature; bh=0RMll/Zb3XgRIaLgk5chq9sXoP6Fk2K8uIGjTRfKQJo=; b=LFE5zaeUsL7m6hbqnVFg7cw6rpXiRtnL4L9S9YO1ggrLGuSCT62pRWB0fz4llYZkBK t7ta7INTjlO+cijvLMB/IlRZ1qfZ4b+p0D8O7RwcTtRe0NZLcLc+R1mdwTk+YOoMMEOD 6nEVQC708pbr2RkvUtxwGybZr5Dg8CX6HSiOBawcEEGDwDBqJ4Yha7UIiry9HfyJ95zV F7OXU4WIKrjKbss+H+wK3LeeCYFinkjLWl0CBaDUPgTkScUVkFu3aqaEh06g5NE5p670 Xt6egDM6HqNyRIEGDw8YP67DNKdU6w5BAptRXiOgE7WLKvDkyWMeJl5cbnWvy3GCij2x O+jA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=ZXdjNEya; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [2a01:238:438b:c500:173d:9f52:ddab:ee01]) by mx.google.com with ESMTPS id b13si7913185edz.49.2021.07.07.06.37.28 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 07 Jul 2021 06:37:28 -0700 (PDT) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=ZXdjNEya; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 460CE82E68; Wed, 7 Jul 2021 15:36:58 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="ZXdjNEya"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 61A4082E0A; Wed, 7 Jul 2021 15:36:49 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pg1-x534.google.com (mail-pg1-x534.google.com [IPv6:2607:f8b0:4864:20::534]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 7CF7E82E23 for ; Wed, 7 Jul 2021 15:36:44 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=masahisa.kojima@linaro.org Received: by mail-pg1-x534.google.com with SMTP id 37so2311370pgq.0 for ; Wed, 07 Jul 2021 06:36:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:subject:date:message-id:in-reply-to:references; bh=0RMll/Zb3XgRIaLgk5chq9sXoP6Fk2K8uIGjTRfKQJo=; b=ZXdjNEyaokyET75oea0wN2QyB4KJGGsTWjA5RarVLwwUS5/iSxjJ8Ay68DgXrBaKbR DAmuqKUXtqSAcXgxh0eoV4klMfVnqGYEjS5Hiz5WAxhFonW3ozYiLdzEdpx7Gh4ELUxk 9pY9ICfDLxxcSJGX3usrLBZDVU80/rS3H7Hy/eo+YB+6UlPEqPUTa+9LSrRAXwgbU9yb cC9b+SR3634cYmc/v77uc1mrBRcFFec3jC6DbYGlYRQhGkm7cvC+0xdlXr3fow5q0q9K HkO5BhxHk0m4to/3eXofYNgaXGDkKBN0oJqh8oTOO5CWi6+dEQ3HBRnpA5KlABcX5X6K 1Ipg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=0RMll/Zb3XgRIaLgk5chq9sXoP6Fk2K8uIGjTRfKQJo=; b=NpY8VYWE7p1SqOXLmGvXeQWcqrLzo2+ypdSlaF4K0vTADyW45+cSZuGc/MdlNnMGZY iy3Sb8RKOvJEbX+I1ATCSkLy5l1ERDwp9PjtXFPZ1gbmqP0M1zSn33Qc2b/6RmWA305S wyIqOwdvHwxINs+SVV9l0QvLIyAu4pk6FbeZKpkNbcU1ClrFVDjYZE0MEfCiTjy7weEj AMDSLVmN/ataAMVesgA285oeLUcR+Sq+fT5t/sW3MuFoRuuOpCs/ioaCYDbU7Hv4J6/Y al7V2QQ5ZCBXHKAA/F9LpiLEdeO3avJNIusLFg/M2EVxlYCB+t9gPI9rd8D4yKdtTp5b VzMg== X-Gm-Message-State: AOAM531hXEAHNesnnBmObqmeRwL6h4c6HAOeIV3LauxbAAJeceSWCSQx cUZzU+1UnP+nAZpnUQmZ0Vkx2w== X-Received: by 2002:a63:5144:: with SMTP id r4mr26522325pgl.223.1625665002949; Wed, 07 Jul 2021 06:36:42 -0700 (PDT) Received: from localhost.localdomain ([2400:2411:502:a100:82fa:5bff:fe4b:26b1]) by smtp.gmail.com with ESMTPSA id t9sm6438659pjs.50.2021.07.07.06.36.40 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 07 Jul 2021 06:36:42 -0700 (PDT) From: Masahisa Kojima To: Heinrich Schuchardt , Alexander Graf , Ilias Apalodimas , Simon Glass , Masahisa Kojima , Dhananjay Phadke , u-boot@lists.denx.de Subject: [PATCH 5/5] efi_loader: refactor efi_append_scrtm_version() Date: Wed, 7 Jul 2021 22:36:38 +0900 Message-Id: <20210707133638.12630-6-masahisa.kojima@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210707133638.12630-1-masahisa.kojima@linaro.org> References: <20210707133638.12630-1-masahisa.kojima@linaro.org> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean Refactor efi_append_scrtm_version() to use common function for adding eventlog and extending PCR. Signed-off-by: Masahisa Kojima --- lib/efi_loader/efi_tcg2.c | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) -- 2.17.1 diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index 823abd8217..00e442cea5 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -1321,23 +1321,11 @@ out: */ static efi_status_t efi_append_scrtm_version(struct udevice *dev) { - struct tpml_digest_values digest_list; u8 ver[] = U_BOOT_VERSION_STRING; - const int pcr_index = 0; efi_status_t ret; - ret = tcg2_create_digest(ver, sizeof(ver), &digest_list); - if (ret != EFI_SUCCESS) - goto out; + ret = tcg2_measure_event(dev, 0, EV_S_CRTM_VERSION, sizeof(ver), ver); - ret = tcg2_pcr_extend(dev, pcr_index, &digest_list); - if (ret != EFI_SUCCESS) - goto out; - - ret = tcg2_agile_log_append(pcr_index, EV_S_CRTM_VERSION, &digest_list, - sizeof(ver), ver); - -out: return ret; }