From patchwork Fri Aug 6 07:02:11 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Masahisa Kojima X-Patchwork-Id: 492806 Delivered-To: patch@linaro.org Received: by 2002:a05:6638:396:0:0:0:0 with SMTP id y22csp45144jap; Fri, 6 Aug 2021 00:03:16 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyeBWDuuYMm8Yyb5dD5Xqn44YniCXXommMSS/tdFmbw0UwgMMr1sBfE2PgI2ysxjwHKeFMY X-Received: by 2002:a05:6402:3481:: with SMTP id v1mr10804201edc.60.1628233396680; Fri, 06 Aug 2021 00:03:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1628233396; cv=none; d=google.com; s=arc-20160816; b=VlNY7apVnsgT8dv9bww5uFwhmyPcCpN2UstJF3GTd19ISZ0tyIMW1OiGbhnSLcw/tq MdOTNErqRztY7O2vZjVwUO5XlJ9xtCdhSS94mPA7hUPnVT1VVhH6D+5/e41KImzNOgh4 dqT56CGcbOGhNWvNq7zMmW5sJM6W1aRybdpUaAGsKfgrsr0w7NmP5dd6R1UGEaO6Gtpt adiBXUuu59U+us7/WzlmLZm1BGV6YUktlj9PNTpTVexVCxjFaO628yRJSAWk3cQ0U2GW yIG3Sd0Dr8dna+RsyicT3WfJt0G2kD3zcZ1l6L96rANA7+za9IgDUj8lCaQaqNATBIFa T4ug== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:references:in-reply-to :message-id:date:subject:to:from:dkim-signature; bh=l7uLbbzmQcCQQtrwe9xF/acuDiHco9zb2Hjf2C+tE48=; b=y5bCO2hl8VopZr+Q/NBd94SDwR1jCdlGPH7o0kOOXI8+yqqRII15TwDwVfWlCFN8xE 12JhKn5mSqEY7ntGtMDK0H4TF3A6QNpZ/O07bgKkrtJqjwquZ0q/Y8gWNcrrgG5eThR0 u6bAjxKRuCA8NEzCDX7WpJ1aZFYvfQFxwtpwnp55I1z2p1Q12b0pgYLgcReIrdkKbKQb HQAUFJqGMXAQ/6E4BrMZQyqN1VzBOqz77OW0rVaSkWgy5z+yxxT0tuTrDEro4akcq9Fh jvjspalt0mouppPkPKnEUxtLBvNDMLdny6gWS3lg0R3ta/n3997UiWo1QG6TV6L26Xwt t0oA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=GoYjrHsi; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [85.214.62.61]) by mx.google.com with ESMTPS id u1si6270090edo.320.2021.08.06.00.03.16 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 06 Aug 2021 00:03:16 -0700 (PDT) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) client-ip=85.214.62.61; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=GoYjrHsi; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 975CB82E83; Fri, 6 Aug 2021 09:03:06 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="GoYjrHsi"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 0611582E7D; Fri, 6 Aug 2021 09:03:04 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pj1-x1034.google.com (mail-pj1-x1034.google.com [IPv6:2607:f8b0:4864:20::1034]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id AC36B82E23 for ; Fri, 6 Aug 2021 09:02:56 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=masahisa.kojima@linaro.org Received: by mail-pj1-x1034.google.com with SMTP id o44-20020a17090a0a2fb0290176ca3e5a2fso15946360pjo.1 for ; Fri, 06 Aug 2021 00:02:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:subject:date:message-id:in-reply-to:references; bh=l7uLbbzmQcCQQtrwe9xF/acuDiHco9zb2Hjf2C+tE48=; b=GoYjrHsiWm8jkBGurqrOxIKKqc/FvJTy+vZzwbReuTP1mw54Jw6v7N27O+dCcnZ16V kxxMWMfMRL5kjVQnMt6fhH4DDj3HmeKkJlI1BitNPVkPj7KowOTP+G2IDitXx81FGuVo 1X/of3v2kHyZNjuhrZbD2EQ3Ycmfxla1kd6Gy4sV2h3y0wRJnlJe0bp24JlL3bqY4dA8 qM9qXuB8HNMsTgyp2gWAbmwwQiDpK4dK3myzDw9Q/fg5gevaeJV8STm5E9uuk9POLI1P FCe1j9YfubHarAQBe+C35QTBewEpqCrD0jFXqrRR1jBMR+fepYWdE+MtJpjlWm2VlvFA Tjzg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=l7uLbbzmQcCQQtrwe9xF/acuDiHco9zb2Hjf2C+tE48=; b=Jjy+yCcxOx7TzjNmObbCuXN8NEBndD1yZCyWwHfGTWyWSkRXTf7wzS8FtWELoeM7rh WGVLJJiHRObD/c+DSRUkUEdlV2jngiElmn1FUd9+wH5wSTJnMvxmQiN1NJFKPCYs3qT7 9nRy+wyteGy1wHW8PgkZBQ55mWicoAY2O6r9ASsGJEXReRvszvHWfKlM1MZLpYQpOOCw yEGIpCiMZ8Q204RftE1bN/pDFsO0solSIhHrKY45YuVEKr/63DiFqXFC3MX3Z3lqbien 26oVWE8ovdwt54pIZe2qRndk1GsVw2cUEgRPEab/SbqlQXDcZClqPmh2lWwYi8tYOZiw RKrg== X-Gm-Message-State: AOAM532wtxj/5xzTVHiy4mn4DVAcbxakRh73+u9F4WHZuWPjKycowu02 avyNHxTFY0S8bD9vuRfbhZgHnQ== X-Received: by 2002:a17:902:e890:b029:12c:d32a:9fe8 with SMTP id w16-20020a170902e890b029012cd32a9fe8mr7270950plg.70.1628233375095; Fri, 06 Aug 2021 00:02:55 -0700 (PDT) Received: from localhost.localdomain ([2400:2411:502:a100:82fa:5bff:fe4b:26b1]) by smtp.gmail.com with ESMTPSA id u24sm5145304pfm.27.2021.08.06.00.02.52 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 06 Aug 2021 00:02:54 -0700 (PDT) From: Masahisa Kojima To: Heinrich Schuchardt , Alexander Graf , Ilias Apalodimas , Simon Glass , Masahisa Kojima , Dhananjay Phadke , u-boot@lists.denx.de Subject: [PATCH v3 1/5] efi_loader: add secure boot variable measurement Date: Fri, 6 Aug 2021 16:02:11 +0900 Message-Id: <20210806070215.19887-2-masahisa.kojima@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210806070215.19887-1-masahisa.kojima@linaro.org> References: <20210806070215.19887-1-masahisa.kojima@linaro.org> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean TCG PC Client PFP spec requires to measure the secure boot policy before validating the UEFI image. This commit adds the secure boot variable measurement of "SecureBoot", "PK", "KEK", "db", "dbx", "dbt", and "dbr". Note that this implementation assumes that secure boot variables are pre-configured and not be set/updated in runtime. Signed-off-by: Masahisa Kojima --- Changes in v3: - add "dbt" and "dbr" measurement - accept empty variable measurement for "SecureBoot", "PK", "KEK", "db" and "dbx" as TCG2 spec requires - fix comment format Changes in v2: - missing null check for getting variable data - some minor fix for readability include/efi_tcg2.h | 20 +++++ lib/efi_loader/efi_tcg2.c | 165 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 185 insertions(+) -- 2.17.1 diff --git a/include/efi_tcg2.h b/include/efi_tcg2.h index bcfb98168a..497ba3ce94 100644 --- a/include/efi_tcg2.h +++ b/include/efi_tcg2.h @@ -142,6 +142,26 @@ struct efi_tcg2_final_events_table { struct tcg_pcr_event2 event[]; }; +/** + * struct tdUEFI_VARIABLE_DATA - event log structure of UEFI variable + * @variable_name: The vendorGUID parameter in the + * GetVariable() API. + * @unicode_name_length: The length in CHAR16 of the Unicode name of + * the variable. + * @variable_data_length: The size of the variable data. + * @unicode_name: The CHAR16 unicode name of the variable + * without NULL-terminator. + * @variable_data: The data parameter of the efi variable + * in the GetVariable() API. + */ +struct efi_tcg2_uefi_variable_data { + efi_guid_t variable_name; + u64 unicode_name_length; + u64 variable_data_length; + u16 unicode_name[1]; + u8 variable_data[1]; +}; + struct efi_tcg2_protocol { efi_status_t (EFIAPI * get_capability)(struct efi_tcg2_protocol *this, struct efi_tcg2_boot_service_capability *capability); diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index 1319a8b378..a2e9587cd0 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -78,6 +78,19 @@ static const struct digest_info hash_algo_list[] = { }, }; +struct variable_info { + u16 *name; + const efi_guid_t *guid; +}; + +static struct variable_info secure_variables[] = { + {L"SecureBoot", &efi_global_variable_guid}, + {L"PK", &efi_global_variable_guid}, + {L"KEK", &efi_global_variable_guid}, + {L"db", &efi_guid_image_security_database}, + {L"dbx", &efi_guid_image_security_database}, +}; + #define MAX_HASH_COUNT ARRAY_SIZE(hash_algo_list) /** @@ -1264,6 +1277,39 @@ free_pool: return ret; } +/** + * tcg2_measure_event() - common function to add event log and extend PCR + * + * @dev: TPM device + * @pcr_index: PCR index + * @event_type: type of event added + * @size: event size + * @event: event data + * + * Return: status code + */ +static efi_status_t EFIAPI +tcg2_measure_event(struct udevice *dev, u32 pcr_index, u32 event_type, + u32 size, u8 event[]) +{ + struct tpml_digest_values digest_list; + efi_status_t ret; + + ret = tcg2_create_digest(event, size, &digest_list); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_pcr_extend(dev, pcr_index, &digest_list); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_agile_log_append(pcr_index, event_type, &digest_list, + size, event); + +out: + return ret; +} + /** * efi_append_scrtm_version - Append an S-CRTM EV_S_CRTM_VERSION event on the * eventlog and extend the PCRs @@ -1294,6 +1340,118 @@ out: return ret; } +/** + * tcg2_measure_variable() - add variable event log and extend PCR + * + * @dev: TPM device + * @pcr_index: PCR index + * @event_type: type of event added + * @var_name: variable name + * @guid: guid + * @data_size: variable data size + * @data: variable data + * + * Return: status code + */ +static efi_status_t tcg2_measure_variable(struct udevice *dev, u32 pcr_index, + u32 event_type, u16 *var_name, + const efi_guid_t *guid, + efi_uintn_t data_size, u8 *data) +{ + u32 event_size; + efi_status_t ret; + struct efi_tcg2_uefi_variable_data *event; + + event_size = sizeof(event->variable_name) + + sizeof(event->unicode_name_length) + + sizeof(event->variable_data_length) + + (u16_strlen(var_name) * sizeof(u16)) + data_size; + event = malloc(event_size); + if (!event) + return EFI_OUT_OF_RESOURCES; + + guidcpy(&event->variable_name, guid); + event->unicode_name_length = u16_strlen(var_name); + event->variable_data_length = data_size; + memcpy(event->unicode_name, var_name, + (event->unicode_name_length * sizeof(u16))); + if (data) { + memcpy((u16 *)event->unicode_name + event->unicode_name_length, + data, data_size); + } + ret = tcg2_measure_event(dev, pcr_index, event_type, event_size, + (u8 *)event); + free(event); + return ret; +} + +/** + * tcg2_measure_secure_boot_variable() - measure secure boot variables + * + * @dev: TPM device + * + * Return: status code + */ +static efi_status_t tcg2_measure_secure_boot_variable(struct udevice *dev) +{ + u8 *data; + efi_uintn_t data_size; + u32 count, i; + efi_status_t ret; + + count = ARRAY_SIZE(secure_variables); + for (i = 0; i < count; i++) { + /* + * According to the TCG2 PC Client PFP spec, "SecureBoot", + * "PK", "KEK", "db" and "dbx" variables must be measured + * even if they are empty. + */ + data = efi_get_var(secure_variables[i].name, + secure_variables[i].guid, + &data_size); + + ret = tcg2_measure_variable(dev, 7, + EV_EFI_VARIABLE_DRIVER_CONFIG, + secure_variables[i].name, + secure_variables[i].guid, + data_size, data); + free(data); + if (ret != EFI_SUCCESS) + goto error; + } + + /* + * TCG2 PC Client PFP spec says "dbt" and "dbr" are + * measured if present and not empty. + */ + data = efi_get_var(L"dbt", + &efi_global_variable_guid, + &data_size); + if (data) { + ret = tcg2_measure_variable(dev, 7, + EV_EFI_VARIABLE_DRIVER_CONFIG, + L"dbt", + &efi_global_variable_guid, + data_size, data); + free(data); + } + + data = efi_get_var(L"dbr", + &efi_global_variable_guid, + &data_size); + if (data) { + ret = tcg2_measure_variable(dev, 7, + EV_EFI_VARIABLE_DRIVER_CONFIG, + L"dbr", + &efi_global_variable_guid, + data_size, data); + free(data); + } + +error: + return ret; +} + /** * efi_tcg2_register() - register EFI_TCG2_PROTOCOL * @@ -1328,6 +1486,13 @@ efi_status_t efi_tcg2_register(void) tcg2_uninit(); goto fail; } + + ret = tcg2_measure_secure_boot_variable(dev); + if (ret != EFI_SUCCESS) { + tcg2_uninit(); + goto fail; + } + return ret; fail: From patchwork Fri Aug 6 07:02:12 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Masahisa Kojima X-Patchwork-Id: 492808 Delivered-To: patch@linaro.org Received: by 2002:a05:6638:396:0:0:0:0 with SMTP id y22csp45433jap; Fri, 6 Aug 2021 00:03:41 -0700 (PDT) X-Google-Smtp-Source: ABdhPJycxNREYvRD9q5WXaOfOcZytKWY0jGjH9tmgOriR4BL71m5nuJTtE3nBpf/5xaElkzOUwV5 X-Received: by 2002:a05:6402:1ad9:: with SMTP id ba25mr11073035edb.255.1628233421633; Fri, 06 Aug 2021 00:03:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1628233421; cv=none; d=google.com; s=arc-20160816; b=1DHhQwYXc86+ylPehwZj7s5uYBpuOL4HmM6G40fw+ikyIR9tY7Dy0YCVTC670h/Xi4 GFXsbtPiTXC/WqGhJYdG+z4Lyi1+y9f0gFUyN21GCTuAJFunCUZLkOLv6DawkzPR0qM1 yPidbx7rgo/kFPv7eVl4u1/tMiFelxJGRvFR15wV8na9XrV7cDcXisbOGrPIHR2gkBZ4 8k2RfUYumRnFNRPgodl9HpspoWZEXgMoVENVBVF6fgVLHUyqllkDEgxprMey6jXW1J53 f8f532MIgwOk87Fz5WDU4NsTNHjvZiRta47a2K+KfKjM6WcF9hAXjRIgOFar8SMBvls1 GNpQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:references:in-reply-to :message-id:date:subject:to:from:dkim-signature; bh=V8ALb+0Chn5c/gmenCiNJcmuueCSa4vbdyjqSf7g6gI=; b=Mxvm+oND1TZLvA/+d5ZaRhgEIeJSWxfQlzcu0Gcx7dgivrHKOAOqOH7Rl9zGcXaMTe Yp+6V3g+Q+jB1fQD0kZGgeqF/H6BdD2qqsseeWhEYg9XuDy259ZX+SriNC0oP0zlGPfC M2gcpElbat/1J6zoHgMooNfNTG46bWjlYIpKn2VOY69+PGioKm1l/F3gy+bU4mKOjv1N 70XQjz0a0e3ZcWhgSTl0FukG5q19wL3+QaBJm0xk3SFANauVEwzYNIlFiVLpiiFlQB7b aCuYlIvTeAy0lRrh4ZYadBIMmRsJnB99GvJfwZHStbWlJv+8PeRntDtQwLeZKtOQf9iO syyQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b="QFLDtp/X"; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [85.214.62.61]) by mx.google.com with ESMTPS id l20si7768027edt.377.2021.08.06.00.03.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 06 Aug 2021 00:03:41 -0700 (PDT) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) client-ip=85.214.62.61; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b="QFLDtp/X"; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 028AD82E8D; Fri, 6 Aug 2021 09:03:18 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="QFLDtp/X"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 0878582EA8; Fri, 6 Aug 2021 09:03:08 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pj1-x102b.google.com (mail-pj1-x102b.google.com [IPv6:2607:f8b0:4864:20::102b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 5A25D82DC1 for ; Fri, 6 Aug 2021 09:02:59 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=masahisa.kojima@linaro.org Received: by mail-pj1-x102b.google.com with SMTP id nh14so15000867pjb.2 for ; Fri, 06 Aug 2021 00:02:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:subject:date:message-id:in-reply-to:references; bh=V8ALb+0Chn5c/gmenCiNJcmuueCSa4vbdyjqSf7g6gI=; b=QFLDtp/X6bBWZgRnOQOZchFAtSHnVs5216Ck+rEtmEmIG0JXgj7mrTUOJJmQQvnRqT 97222d6uI3hWFEo/qDXlzmV2erhFXZpIWIdpgTIbL0I0Ay6yLYYEu8CmMZ27xDPWboyc kqEfOehCCzKcihCBFHgjcVS/yJFCfOkJ6eBhVKg3pzKNT0Q+9+hYZ57URacaDisLeeWO eYIyPVZ0KDz7Gtzk2LKhPeoK9YJ9VXubAO7htwGZx9lEYA41L616cEySBs0gsr3I+NAT ubtTDaP7LzaspINJalqKFNl/GvuP+AndmumlFdz5PoAmHiVGPrLpBMOSr7R7ZVaNXQNP 7PSA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=V8ALb+0Chn5c/gmenCiNJcmuueCSa4vbdyjqSf7g6gI=; b=QFq58AWdWo/FusvguK2LzZyyVNRTTOS3e7HDcA/TMC02cIEMG7r5bU26R1HB6TwpAs GFjIgwl7ptj38/AJ9dyQoGnh4cUygK/EPGnnxIuwFLCrwNOBYthFSbckPVKV30ftdS9g hQS07RkX+MJ9gOSHp3rWloGN8FQOfy5MDres/7O8P4jY78H7Kgdsx4twYm5ui4IIFwYU 9vyW/vlTOoxXNdWkD3gp2PYo2C7pXnEDECEKrMFmKu8rzpsfugelKkCCZQrH0h3JFY2Q tObd0DdomwXbkQTGqqZg8tcJ9PgF8Is+Vm0ND5PQOsmtkRuhMoHDSS4TfdOnXTHaAg+j PFtw== X-Gm-Message-State: AOAM533AQdgQHw/q5j5OARtPfduFs6U71xRazXrYfuaXxiTMzIu/nY/L jsWXPzNCOH/3I1i2UTazZ6yfuQ== X-Received: by 2002:a63:cf0a:: with SMTP id j10mr187281pgg.4.1628233377646; Fri, 06 Aug 2021 00:02:57 -0700 (PDT) Received: from localhost.localdomain ([2400:2411:502:a100:82fa:5bff:fe4b:26b1]) by smtp.gmail.com with ESMTPSA id u24sm5145304pfm.27.2021.08.06.00.02.55 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 06 Aug 2021 00:02:57 -0700 (PDT) From: Masahisa Kojima To: Heinrich Schuchardt , Alexander Graf , Ilias Apalodimas , Simon Glass , Masahisa Kojima , Dhananjay Phadke , u-boot@lists.denx.de Subject: [PATCH v3 2/5] efi_loader: add boot variable measurement Date: Fri, 6 Aug 2021 16:02:12 +0900 Message-Id: <20210806070215.19887-3-masahisa.kojima@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210806070215.19887-1-masahisa.kojima@linaro.org> References: <20210806070215.19887-1-masahisa.kojima@linaro.org> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean TCG PC Client PFP spec requires to measure "Boot####" and "BootOrder" variables, EV_SEPARATOR event prior to the Ready to Boot invocation. Since u-boot does not implement Ready to Boot event, these measurements are performed when efi_start_image() is called. TCG spec also requires to measure "Calling EFI Application from Boot Option" for each boot attempt, and "Returning from EFI Application from Boot Option" if a boot device returns control back to the Boot Manager. Signed-off-by: Masahisa Kojima --- Changes in v3: - modify log output Changes in v2: - use efi_create_indexed_name() for "Boot####" variable include/efi_loader.h | 4 ++ include/tpm-v2.h | 18 ++++- lib/efi_loader/efi_boottime.c | 20 ++++++ lib/efi_loader/efi_tcg2.c | 121 ++++++++++++++++++++++++++++++++++ 4 files changed, 162 insertions(+), 1 deletion(-) -- 2.17.1 diff --git a/include/efi_loader.h b/include/efi_loader.h index a120d94431..345cbb72c4 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -499,6 +499,10 @@ efi_status_t efi_run_image(void *source_buffer, efi_uintn_t source_size); efi_status_t efi_init_variables(void); /* Notify ExitBootServices() is called */ void efi_variables_boot_exit_notify(void); +/* Measure efi application invocation */ +efi_status_t EFIAPI efi_tcg2_measure_efi_app_invocation(void); +/* Measure efi application exit */ +efi_status_t EFIAPI efi_tcg2_measure_efi_app_exit(void); /* Called by bootefi to initialize root node */ efi_status_t efi_root_node_register(void); /* Called by bootefi to initialize runtime */ diff --git a/include/tpm-v2.h b/include/tpm-v2.h index 247b386967..325c73006e 100644 --- a/include/tpm-v2.h +++ b/include/tpm-v2.h @@ -73,7 +73,7 @@ struct udevice; /* * event types, cf. * "TCG PC Client Platform Firmware Profile Specification", Family "2.0" - * rev 1.04, June 3, 2019 + * Level 00 Version 1.05 Revision 23, May 7, 2021 */ #define EV_EFI_EVENT_BASE ((u32)0x80000000) #define EV_EFI_VARIABLE_DRIVER_CONFIG ((u32)0x80000001) @@ -85,8 +85,24 @@ struct udevice; #define EV_EFI_ACTION ((u32)0x80000007) #define EV_EFI_PLATFORM_FIRMWARE_BLOB ((u32)0x80000008) #define EV_EFI_HANDOFF_TABLES ((u32)0x80000009) +#define EV_EFI_PLATFORM_FIRMWARE_BLOB2 ((u32)0x8000000A) +#define EV_EFI_HANDOFF_TABLES2 ((u32)0x8000000B) +#define EV_EFI_VARIABLE_BOOT2 ((u32)0x8000000C) #define EV_EFI_HCRTM_EVENT ((u32)0x80000010) #define EV_EFI_VARIABLE_AUTHORITY ((u32)0x800000E0) +#define EV_EFI_SPDM_FIRMWARE_BLOB ((u32)0x800000E1) +#define EV_EFI_SPDM_FIRMWARE_CONFIG ((u32)0x800000E2) + +#define EFI_CALLING_EFI_APPLICATION \ + "Calling EFI Application from Boot Option" +#define EFI_RETURNING_FROM_EFI_APPLICATION \ + "Returning from EFI Application from Boot Option" +#define EFI_EXIT_BOOT_SERVICES_INVOCATION \ + "Exit Boot Services Invocation" +#define EFI_EXIT_BOOT_SERVICES_FAILED \ + "Exit Boot Services Returned with Failure" +#define EFI_EXIT_BOOT_SERVICES_SUCCEEDED \ + "Exit Boot Services Returned with Success" /* TPMS_TAGGED_PROPERTY Structure */ struct tpms_tagged_property { diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/efi_boottime.c index 0b98e91813..13ab139222 100644 --- a/lib/efi_loader/efi_boottime.c +++ b/lib/efi_loader/efi_boottime.c @@ -2994,6 +2994,16 @@ efi_status_t EFIAPI efi_start_image(efi_handle_t image_handle, image_obj->exit_status = &exit_status; image_obj->exit_jmp = &exit_jmp; + if (IS_ENABLED(CONFIG_EFI_TCG2_PROTOCOL)) { + if (image_obj->image_type == IMAGE_SUBSYSTEM_EFI_APPLICATION) { + ret = efi_tcg2_measure_efi_app_invocation(); + if (ret != EFI_SUCCESS) { + log_warning("tcg2 measurement fails(0x%lx)\n", + ret); + } + } + } + /* call the image! */ if (setjmp(&exit_jmp)) { /* @@ -3252,6 +3262,16 @@ static efi_status_t EFIAPI efi_exit(efi_handle_t image_handle, exit_status != EFI_SUCCESS) efi_delete_image(image_obj, loaded_image_protocol); + if (IS_ENABLED(CONFIG_EFI_TCG2_PROTOCOL)) { + if (image_obj->image_type == IMAGE_SUBSYSTEM_EFI_APPLICATION) { + ret = efi_tcg2_measure_efi_app_exit(); + if (ret != EFI_SUCCESS) { + log_warning("tcg2 measurement fails(0x%lx)\n", + ret); + } + } + } + /* Make sure entry/exit counts for EFI world cross-overs match */ EFI_EXIT(exit_status); diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index a2e9587cd0..7dd30c2bc9 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -35,6 +35,7 @@ struct event_log_buffer { }; static struct event_log_buffer event_log; +static bool tcg2_efi_app_invoked; /* * When requesting TPM2_CAP_TPM_PROPERTIES the value is on a standard offset. * Since the current tpm2_get_capability() response buffers starts at @@ -1385,6 +1386,126 @@ static efi_status_t tcg2_measure_variable(struct udevice *dev, u32 pcr_index, return ret; } +/** + * tcg2_measure_boot_variable() - measure boot variables + * + * @dev: TPM device + * + * Return: status code + */ +static efi_status_t tcg2_measure_boot_variable(struct udevice *dev) +{ + u16 *boot_order; + u16 *boot_index; + u16 var_name[] = L"BootOrder"; + u16 boot_name[] = L"Boot####"; + u8 *bootvar; + efi_uintn_t var_data_size; + u32 count, i; + efi_status_t ret; + + boot_order = efi_get_var(var_name, &efi_global_variable_guid, + &var_data_size); + if (!boot_order) { + ret = EFI_NOT_FOUND; + goto error; + } + + ret = tcg2_measure_variable(dev, 1, EV_EFI_VARIABLE_BOOT2, var_name, + &efi_global_variable_guid, var_data_size, + (u8 *)boot_order); + if (ret != EFI_SUCCESS) + goto error; + + count = var_data_size / sizeof(*boot_order); + boot_index = boot_order; + for (i = 0; i < count; i++) { + efi_create_indexed_name(boot_name, sizeof(boot_name), + "Boot", *boot_index++); + + bootvar = efi_get_var(boot_name, &efi_global_variable_guid, + &var_data_size); + + if (!bootvar) { + log_info("%ls not found\n", boot_name); + continue; + } + + ret = tcg2_measure_variable(dev, 1, EV_EFI_VARIABLE_BOOT2, + boot_name, + &efi_global_variable_guid, + var_data_size, bootvar); + free(bootvar); + if (ret != EFI_SUCCESS) + goto error; + } + +error: + free(boot_order); + return ret; +} + +/** + * efi_tcg2_measure_efi_app_invocation() - measure efi app invocation + * + * Return: status code + */ +efi_status_t EFIAPI efi_tcg2_measure_efi_app_invocation(void) +{ + efi_status_t ret; + u32 pcr_index; + struct udevice *dev; + u32 event = 0; + + if (tcg2_efi_app_invoked) + return EFI_SUCCESS; + + ret = platform_get_tpm2_device(&dev); + if (ret != EFI_SUCCESS) + return ret; + + ret = tcg2_measure_boot_variable(dev); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_measure_event(dev, 4, EV_EFI_ACTION, + strlen(EFI_CALLING_EFI_APPLICATION), + (u8 *)EFI_CALLING_EFI_APPLICATION); + if (ret != EFI_SUCCESS) + goto out; + + for (pcr_index = 0; pcr_index <= 7; pcr_index++) { + ret = tcg2_measure_event(dev, pcr_index, EV_SEPARATOR, + sizeof(event), (u8 *)&event); + if (ret != EFI_SUCCESS) + goto out; + } + + tcg2_efi_app_invoked = true; +out: + return ret; +} + +/** + * efi_tcg2_measure_efi_app_exit() - measure efi app exit + * + * Return: status code + */ +efi_status_t EFIAPI efi_tcg2_measure_efi_app_exit(void) +{ + efi_status_t ret; + struct udevice *dev; + + ret = platform_get_tpm2_device(&dev); + if (ret != EFI_SUCCESS) + return ret; + + ret = tcg2_measure_event(dev, 4, EV_EFI_ACTION, + strlen(EFI_RETURNING_FROM_EFI_APPLICATION), + (u8 *)EFI_RETURNING_FROM_EFI_APPLICATION); + return ret; +} + /** * tcg2_measure_secure_boot_variable() - measure secure boot variables * From patchwork Fri Aug 6 07:02:13 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Masahisa Kojima X-Patchwork-Id: 492807 Delivered-To: patch@linaro.org Received: by 2002:a05:6638:396:0:0:0:0 with SMTP id y22csp45262jap; Fri, 6 Aug 2021 00:03:26 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyDrJEw2agEve8dgaT61GHYL/qOWCh/eE+Yc/PfC2TQaD7QvHzgmn1HFdalBqRnML/0MWmH X-Received: by 2002:a17:906:c342:: with SMTP id ci2mr8623159ejb.122.1628233406557; Fri, 06 Aug 2021 00:03:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1628233406; cv=none; d=google.com; s=arc-20160816; b=VCLRHu9tGxnAJJ8Ip9puzTnM35QeDbCMXwNKLmheduSrw0jLi5hGypSya6U81C+ur+ bwOMSOdgNLkmoM4pzZt0fgCtVoRpOdux3PFr7DqrbnsSVhuwGmhAeXrZ0tUqNz1lI5Ao DpGeiLeHyqtP9bpdJfzj5EyehKRaDqthrulGyYVDxcFNOqrV/ZD+lymHx7oMxXqcZJMC uXCfzF8Iulyh5SnGca2V/MYa4GoX8lYrjeBz4ihIJhSemOTnuxkH2LYfm7511PcCrZ44 zJuHBxeyOfuDvUwqBi4F88eyJiowQCaldNmzw1o/WDGcRg9zLuYiVEa5QQE+bgwsqDwJ nz1A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:references:in-reply-to :message-id:date:subject:to:from:dkim-signature; bh=W0csjySmNxtMU8s3mJeZpAnnM6e5u7V1pA8Spz7gF30=; b=qd+3r7+H52GCG5Sue/qNv+UWcA7KdJyI+qc03LmM52TNksvR4Sogzp3vqWOAirMWQB YBYCf8QhYgbuelO2XgT+3Y7ES0GzdLcu0Os3F2uQXB3+cLwDhfgurBbK0iWwhQdUNacM TR1HZSXSjVNxkKtcUuqYTagxzsCtUqr+D7Zv/JnZZ9YB2XIS+JaQE0Gy9RWglAPciJN2 c7khqJNxvwmT2RKBTinTrxQUO1JmgASEUnpHIx2PC+OEIxgMXZX4sm636akd63MdwHTu dF3o9Uzt9PtYC98ujF1WxhFitx0GOXFUb8/5qFCDUV5gckz5JE5ygfdW1op2uqaOm4Oq orJw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=oc2xka6T; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [2a01:238:438b:c500:173d:9f52:ddab:ee01]) by mx.google.com with ESMTPS id bd27si7801625edb.219.2021.08.06.00.03.26 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 06 Aug 2021 00:03:26 -0700 (PDT) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=oc2xka6T; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 4445082EA8; Fri, 6 Aug 2021 09:03:13 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="oc2xka6T"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id A23AF82EA5; Fri, 6 Aug 2021 09:03:09 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pj1-x1034.google.com (mail-pj1-x1034.google.com [IPv6:2607:f8b0:4864:20::1034]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id C37F582E7A for ; Fri, 6 Aug 2021 09:03:01 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=masahisa.kojima@linaro.org Received: by mail-pj1-x1034.google.com with SMTP id nh14so15001162pjb.2 for ; Fri, 06 Aug 2021 00:03:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:subject:date:message-id:in-reply-to:references; bh=W0csjySmNxtMU8s3mJeZpAnnM6e5u7V1pA8Spz7gF30=; b=oc2xka6TrPXaQEAPDmhhQPQKFlLEOIIMc0XWw3DLLAMIr7FqnGEFaassHr2qTmYDW/ 4byNIXg9Wmv5ef/E4XaAVNCZaOVwZCFInhgH52ek5JjOLXkb5rzWkkR+Eq0d8Pqurdt2 ezc0KoguZjUF7i7kcM3vFgCJ+j7jw3rtm36PURc48NsGoPA8trh46yuDkTK3lQJvA8k4 CjlFHs4svAg9dUI9s7DrAm74KBCFmQtbLtrCq9vUjYHZ0iA6rhXDP33Oe1qv0lP3O8zr Como1YXnDUgzq2/SQfPYxP/cySzaLEAZ1LofiuA0Aizzz+nPeRvGrnT7vRZB/p2K+t+c z41g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=W0csjySmNxtMU8s3mJeZpAnnM6e5u7V1pA8Spz7gF30=; b=Vd4tGtCc1lW504lf8ZrcWoQZfZ+krU38BTr2JwvvIfE2UcmFZ+mmI/sKWTxKTkWj9R a5iwQWu1DTywb+9/Y6mk+4k98slk3YeTLcr18suyIXKjvwmY6tPKmN/pFiirNJJNDpw4 F9o+z8KSYqk2igxBBtYJupmmDb4XviyBn4TzDOhtCfMubsnHnC2Fa3HRLTIDmFPxiSYM efBoAU/V9vy400KhC5Bh0Ru9SQxEGWWJ+eJG4fMHpx+D/yq6QlWDTNDuZAKMyQdUD15V n4fCZZkfkKcthZBp1Y8CVgGuHvffHPo8OEd/AWnmbEVplozQb90KSHgw/oSMy0GASevw BbUA== X-Gm-Message-State: AOAM530zau7mDVwPyzNXRbCab29hRfhhXcGzGFAv3lB/sEGAk6x/j+q8 XoCQVbkTC51aXacqGWv97Bu2TQ== X-Received: by 2002:a65:62cb:: with SMTP id m11mr70018pgv.425.1628233380200; Fri, 06 Aug 2021 00:03:00 -0700 (PDT) Received: from localhost.localdomain ([2400:2411:502:a100:82fa:5bff:fe4b:26b1]) by smtp.gmail.com with ESMTPSA id u24sm5145304pfm.27.2021.08.06.00.02.57 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 06 Aug 2021 00:02:59 -0700 (PDT) From: Masahisa Kojima To: Heinrich Schuchardt , Alexander Graf , Ilias Apalodimas , Simon Glass , Masahisa Kojima , Dhananjay Phadke , u-boot@lists.denx.de Subject: [PATCH v3 3/5] efi_loader: add ExitBootServices() measurement Date: Fri, 6 Aug 2021 16:02:13 +0900 Message-Id: <20210806070215.19887-4-masahisa.kojima@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210806070215.19887-1-masahisa.kojima@linaro.org> References: <20210806070215.19887-1-masahisa.kojima@linaro.org> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean TCG PC Client PFP spec requires to measure "Exit Boot Services Invocation" if ExitBootServices() is invoked. Depending upon the return code from the ExitBootServices() call, "Exit Boot Services Returned with Success" or "Exit Boot Services Returned with Failure" is also measured. Signed-off-by: Masahisa Kojima --- (no changes since v2) Changes in v2: - use strlen instead of sizeof, event log for EV_EFI_ACTION string shall not include NUL terminator include/efi_loader.h | 1 + lib/efi_loader/efi_boottime.c | 5 +++ lib/efi_loader/efi_tcg2.c | 70 +++++++++++++++++++++++++++++++++++ 3 files changed, 76 insertions(+) -- 2.17.1 diff --git a/include/efi_loader.h b/include/efi_loader.h index 345cbb72c4..d2b6768899 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -499,6 +499,7 @@ efi_status_t efi_run_image(void *source_buffer, efi_uintn_t source_size); efi_status_t efi_init_variables(void); /* Notify ExitBootServices() is called */ void efi_variables_boot_exit_notify(void); +efi_status_t efi_tcg2_notify_exit_boot_services_failed(void); /* Measure efi application invocation */ efi_status_t EFIAPI efi_tcg2_measure_efi_app_invocation(void); /* Measure efi application exit */ diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/efi_boottime.c index 13ab139222..b818cbb540 100644 --- a/lib/efi_loader/efi_boottime.c +++ b/lib/efi_loader/efi_boottime.c @@ -2182,6 +2182,11 @@ static efi_status_t EFIAPI efi_exit_boot_services(efi_handle_t image_handle, efi_set_watchdog(0); WATCHDOG_RESET(); out: + if (ret != EFI_SUCCESS) { + if (IS_ENABLED(CONFIG_EFI_TCG2_PROTOCOL)) + efi_tcg2_notify_exit_boot_services_failed(); + } + return EFI_EXIT(ret); } diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index 7dd30c2bc9..bcd8626ff7 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -1506,6 +1506,67 @@ efi_status_t EFIAPI efi_tcg2_measure_efi_app_exit(void) return ret; } +/** + * efi_tcg2_notify_exit_boot_services() - ExitBootService callback + * + * @event: callback event + * @context: callback context + */ +static void EFIAPI +efi_tcg2_notify_exit_boot_services(struct efi_event *event, void *context) +{ + efi_status_t ret; + struct udevice *dev; + + EFI_ENTRY("%p, %p", event, context); + + ret = platform_get_tpm2_device(&dev); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION, + strlen(EFI_EXIT_BOOT_SERVICES_INVOCATION), + (u8 *)EFI_EXIT_BOOT_SERVICES_INVOCATION); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION, + strlen(EFI_EXIT_BOOT_SERVICES_SUCCEEDED), + (u8 *)EFI_EXIT_BOOT_SERVICES_SUCCEEDED); + +out: + EFI_EXIT(ret); +} + +/** + * efi_tcg2_notify_exit_boot_services_failed() + * - notify ExitBootServices() is failed + * + * Return: status code + */ +efi_status_t efi_tcg2_notify_exit_boot_services_failed(void) +{ + struct udevice *dev; + efi_status_t ret; + + ret = platform_get_tpm2_device(&dev); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION, + strlen(EFI_EXIT_BOOT_SERVICES_INVOCATION), + (u8 *)EFI_EXIT_BOOT_SERVICES_INVOCATION); + if (ret != EFI_SUCCESS) + goto out; + + ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION, + strlen(EFI_EXIT_BOOT_SERVICES_FAILED), + (u8 *)EFI_EXIT_BOOT_SERVICES_FAILED); + +out: + return ret; +} + /** * tcg2_measure_secure_boot_variable() - measure secure boot variables * @@ -1584,6 +1645,7 @@ efi_status_t efi_tcg2_register(void) { efi_status_t ret = EFI_SUCCESS; struct udevice *dev; + struct efi_event *event; ret = platform_get_tpm2_device(&dev); if (ret != EFI_SUCCESS) { @@ -1608,6 +1670,14 @@ efi_status_t efi_tcg2_register(void) goto fail; } + ret = efi_create_event(EVT_SIGNAL_EXIT_BOOT_SERVICES, TPL_CALLBACK, + efi_tcg2_notify_exit_boot_services, NULL, + NULL, &event); + if (ret != EFI_SUCCESS) { + tcg2_uninit(); + goto fail; + } + ret = tcg2_measure_secure_boot_variable(dev); if (ret != EFI_SUCCESS) { tcg2_uninit(); From patchwork Fri Aug 6 07:02:14 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Masahisa Kojima X-Patchwork-Id: 492809 Delivered-To: patch@linaro.org Received: by 2002:a05:6638:396:0:0:0:0 with SMTP id y22csp45534jap; Fri, 6 Aug 2021 00:03:47 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzUeKPlfTlzsv3qR9IUeN6oUA6hmfKSZyZYU7A7FcudqrmOlfrmYmeHw6HQPnvDVslGvdhu X-Received: by 2002:a05:6402:1a3a:: with SMTP id be26mr11203543edb.232.1628233427819; Fri, 06 Aug 2021 00:03:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1628233427; cv=none; d=google.com; s=arc-20160816; b=YyxzaVWQt1k9PsO0doxxenV6rmRxE7CUiBmMkyKnD1qVrJfdWWNtD4kLSAl9Lhhdci GokgnPzvs+8rGDMjKw6/wLHKGNe8jkcAjbNS9eZgRaXscdww0fpvCx4OYrRGLkG40g3n x2tfck+eUknnsxzFLFXcFQHqGZmcoWvXeNFEZ33y4vXRxcbzq4otjtmgaY7zDdIpACoP LmsJ2H7MuJjo+H1bDdPJmUnp6tuSl4dI/UaOngYvOmFOsr37a+Y4C5wFEpAqwmV+qxiC uLqvakuGDiBZG+aWOzTzJfbDSf0pLD/8cwKEik6p30KkYuU4Bz69J0CNehu0hu8Fy1rw yZgw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:references:in-reply-to :message-id:date:subject:to:from:dkim-signature; bh=bdzYWTvWnrRQKlAmG80XhkxPwAgRAxEObGY3kS4a0nM=; b=mGAVTWdjy5nOTciusxkaiYwl+SzbxpWOJtShm2Ek38ldkZXhtH8q8b/mjmaqc6c7rH n/xuCnPujFoHqLubIjdutUdwWa23Rl7eep2RC18oqcCeVJYeCk9tbf1oRDAy8sUN8/0M 1KeD5YtEFsFaV9Y+VJ7/ALk1peBZ/WhXCVnaaHstfm9NwnDyewIOVdRIeqCB6GuDgnc2 isuIqy4f0IERcjVI2YubAx+AZ+7+XVy3L66cabqjRLZvZmkWx4q3cI0Xpm6bPqLEqOzh +3zooxALpBH67lyZQXti75laY+wRCUrWIVhqzISTHERKAfGicjbq+HDbLWGtFTf6J2DL LPJg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=GohKjQEg; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [2a01:238:438b:c500:173d:9f52:ddab:ee01]) by mx.google.com with ESMTPS id jg40si8827415ejc.451.2021.08.06.00.03.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 06 Aug 2021 00:03:47 -0700 (PDT) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=GohKjQEg; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 0F84F82EE5; Fri, 6 Aug 2021 09:03:22 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="GohKjQEg"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id A289982EA5; Fri, 6 Aug 2021 09:03:12 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pj1-x1031.google.com (mail-pj1-x1031.google.com [IPv6:2607:f8b0:4864:20::1031]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 7737882E23 for ; Fri, 6 Aug 2021 09:03:04 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=masahisa.kojima@linaro.org Received: by mail-pj1-x1031.google.com with SMTP id mt6so15013833pjb.1 for ; Fri, 06 Aug 2021 00:03:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:subject:date:message-id:in-reply-to:references; bh=bdzYWTvWnrRQKlAmG80XhkxPwAgRAxEObGY3kS4a0nM=; b=GohKjQEg0coeI1BJvVBgxRWUKvBaKu5EPxhK1SxatOXfiaMBCofB5uCGMSHa4mVtXR uRx1koiVfLeH8PuLCWmec4KI2HR/3jbMeRPFTsgH4ydfbUKL/HpRwh6Lc+ww69znDMBu 34NTLJl6d+rCxFneFAh8uxmH9IA5hgYaUmPLph7DWiODR0YGhkTEdkzNQz10QP20OmiQ EJurRXeRKIqWvvPNDvUDLOd4vafENDAuD5/Umfk16RRemuqBFFMhELlktjOMriXjcLu7 zsQTfCivHXAkD83bTKac7EAksRkwEBt4lMMPMk3rpYlE/yoImHhpg6VioVYF/h69tNoi 37UQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=bdzYWTvWnrRQKlAmG80XhkxPwAgRAxEObGY3kS4a0nM=; b=R9eSo7FLfcFxo64IVpIlsibfF42aMDD+pguxFfwHVxjRVDK4LbalSGoDdtVigFT3Gl jctrJHIsmlQ4LBGVuc3oLR+gWIbRz99Gq7MfTHhftCk5iRIWvRzzm4Rw+vtxG5ZiT9sb 1Y/xC3mcBGbWWOMJ/42Gn93S0NUMQto9m1p7p8kmJR/KofnZW91YTKCkisbj6nKXFZp0 R9Fu28zO4nl1l/WMI4kokxNDHFiph6k7lNPqiFJsWMp5ppYSNvlSWEDBvQjs2czc8Wx6 /EszslTOhVXP2bFb5sSZIyfg7kIQs1TzmGmiXzLkHVnl8cBxe8V5j2td+k3RCmQp2RFo 3qJg== X-Gm-Message-State: AOAM530HvfKsIIit63UAC1eedDZu0XNHAgLZeZ7JFwAe4NPFg+Ks7XQc R0gvfK/CAUlh0xvGSyGmLU3QAA== X-Received: by 2002:a17:90a:1b2e:: with SMTP id q43mr8978501pjq.230.1628233382874; Fri, 06 Aug 2021 00:03:02 -0700 (PDT) Received: from localhost.localdomain ([2400:2411:502:a100:82fa:5bff:fe4b:26b1]) by smtp.gmail.com with ESMTPSA id u24sm5145304pfm.27.2021.08.06.00.03.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 06 Aug 2021 00:03:02 -0700 (PDT) From: Masahisa Kojima To: Heinrich Schuchardt , Alexander Graf , Ilias Apalodimas , Simon Glass , Masahisa Kojima , Dhananjay Phadke , u-boot@lists.denx.de Subject: [PATCH v3 4/5] efi_loader: refactor efi_append_scrtm_version() Date: Fri, 6 Aug 2021 16:02:14 +0900 Message-Id: <20210806070215.19887-5-masahisa.kojima@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210806070215.19887-1-masahisa.kojima@linaro.org> References: <20210806070215.19887-1-masahisa.kojima@linaro.org> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean Refactor efi_append_scrtm_version() to use common function for adding eventlog and extending PCR. Signed-off-by: Masahisa Kojima --- (no changes since v1) lib/efi_loader/efi_tcg2.c | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) -- 2.17.1 diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index bcd8626ff7..f38d578a32 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -1321,23 +1321,11 @@ out: */ static efi_status_t efi_append_scrtm_version(struct udevice *dev) { - struct tpml_digest_values digest_list; u8 ver[] = U_BOOT_VERSION_STRING; - const int pcr_index = 0; efi_status_t ret; - ret = tcg2_create_digest(ver, sizeof(ver), &digest_list); - if (ret != EFI_SUCCESS) - goto out; + ret = tcg2_measure_event(dev, 0, EV_S_CRTM_VERSION, sizeof(ver), ver); - ret = tcg2_pcr_extend(dev, pcr_index, &digest_list); - if (ret != EFI_SUCCESS) - goto out; - - ret = tcg2_agile_log_append(pcr_index, EV_S_CRTM_VERSION, &digest_list, - sizeof(ver), ver); - -out: return ret; } From patchwork Fri Aug 6 07:02:15 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Masahisa Kojima X-Patchwork-Id: 492810 Delivered-To: patch@linaro.org Received: by 2002:a05:6638:396:0:0:0:0 with SMTP id y22csp45639jap; Fri, 6 Aug 2021 00:03:58 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzUV/p/eP8UPNtP3JMtsvn8eUuIdt3XK9vPBK3MQXJQWAvZ8lkYHqqvTYxFprgxzbnjGjQj X-Received: by 2002:aa7:c794:: with SMTP id n20mr453998eds.244.1628233438355; Fri, 06 Aug 2021 00:03:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1628233438; cv=none; d=google.com; s=arc-20160816; b=gC3oukjGakS2zhb4dIGUNxwaer+wCvSS+lHDoOckFVp/t2z81D/UYKYLKp4+4Y82Qw /onDHp7aOWiSoSg3iuiF7qGDtT/av0/8UODMm+0+FUmEqzwuvLOAbyeM960JkMATdfzX 1tGJfYcKFT6LiTGrY2NG5JJ+h9PvybdAHwhKtSZtULeWHkRJBSy/eyMpKjW1aXVm7srX ls2ZTCJzbRZzjHSREOQldr/CIdEkqLV1fyONr98tvbgDWfkdJNk7Z6LSQug+8B3dKiy+ 0vE0keAXLNi4h4Y3QNtIswqNq1HIo50qUlNFMk5Cx+4hF4B2lx7EVaIyWtwH4+tYUbxa KSLA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:references:in-reply-to :message-id:date:subject:to:from:dkim-signature; bh=yinBnJBxQjuI4tZQyapGmUTjdu1gCyGp9T0IeXwRNLI=; b=R97SGrHhSGLHEKl7XT1SWifvLeNGdHxQe+O/wO7pmyF5iem7MhhBgC2+o/o36V18jy 7u7iVDM8uNeBGh7kJOH5I1DGN6ybpXEZDwmBwPGM8MuAZp8kH/krpbNN6UruMdFX9FG3 eQhEin9ClWd4iuCByikI9CLt9I36zjDvqQ/XpYP9FO7G26l5vmE62b5V/5MZGa6NpzXF Uz5mFfEQc/7XvMqhanncztB1cM7GmRRNOyCB58YcEDlCTi3s6KPRy47dX2W4H6lspl6U Y1pxEIBxDabwhOz/fLu/cGdQAuV/MUL7uqcVWa1XIU+YQYNlZlDYvhFcSOjA7nYxTITa D0/Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=SjQSVMwZ; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [85.214.62.61]) by mx.google.com with ESMTPS id cw8si7111152edb.20.2021.08.06.00.03.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 06 Aug 2021 00:03:58 -0700 (PDT) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) client-ip=85.214.62.61; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=SjQSVMwZ; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id A854782EBD; Fri, 6 Aug 2021 09:03:26 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="SjQSVMwZ"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 10C1982EBB; Fri, 6 Aug 2021 09:03:17 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pj1-x1031.google.com (mail-pj1-x1031.google.com [IPv6:2607:f8b0:4864:20::1031]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 31B5182E8D for ; Fri, 6 Aug 2021 09:03:07 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=masahisa.kojima@linaro.org Received: by mail-pj1-x1031.google.com with SMTP id u13-20020a17090abb0db0290177e1d9b3f7so21143659pjr.1 for ; Fri, 06 Aug 2021 00:03:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:subject:date:message-id:in-reply-to:references; bh=yinBnJBxQjuI4tZQyapGmUTjdu1gCyGp9T0IeXwRNLI=; b=SjQSVMwZvWDenrH8HhbF2Af8W8QK90qf395jx1HXf6BkpoP46rPQxaIeMXowceaa7i aJvZA7hCD9dLw8qNvbx/qpwjg14XRM6VUPoG6Ydg5N3Sb60TlnKmaV7tIblckrIzTB2O vDPQmghTVevuBZcuepsO9BxvXSFlIBaFc0N9drbpFD9/SliuVMSzQzrmL+ZEXK0prkTd bZyxBmghb+k4aDy6A/CoDqb5adnLV28Zoj3rKiWSKoGaOZcGy8oNT/k7Qc67hNNZ5rjI v1jEXHTMgCsKRcb1kDxk1iRyjNKljLCetdioQjGgIm885TtIp01xD60TzHlmgd7us6l/ T0tA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=yinBnJBxQjuI4tZQyapGmUTjdu1gCyGp9T0IeXwRNLI=; b=UzZyQOmv8bXCxHfClqBC9dzJn3hndrImGOuMQIYLXZ5c6WtpQTi0ll0uyajg6da95L ApUvGfLdNXWaAfjaprsK1aXlQTPhY4xy5AKbtZSh+FaMMHQaZcNLccZYoLkYizy5oaD6 y0mOPt3o7tLIpXv1LYXX8aKQfwmNBTrzby7DYQG3AgPVEUdnuX+xKI/H9MqHmjijY/q5 3vASZydFtIYeLuBhDxJM0jDayJeYUBzvgMV07Ann55ln/o+l7YrQmCL86tdZGM5k1Ks9 ZFwAzMTvstMPvCPeydl1We3bbU4OsutH4knT7wWaAKSE637Os+9kLKSq2btgjEDNSsMI TeFQ== X-Gm-Message-State: AOAM531gG9TQvFmvlzp8xgVCEa4m7/1taSXFXX8r+G5pJiqKAYUuBgso JXoamiKF5eWuZDiZusR5M/z11A== X-Received: by 2002:aa7:93b1:0:b029:3c0:a7b7:3db0 with SMTP id x17-20020aa793b10000b02903c0a7b73db0mr3370449pff.40.1628233385429; Fri, 06 Aug 2021 00:03:05 -0700 (PDT) Received: from localhost.localdomain ([2400:2411:502:a100:82fa:5bff:fe4b:26b1]) by smtp.gmail.com with ESMTPSA id u24sm5145304pfm.27.2021.08.06.00.03.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 06 Aug 2021 00:03:04 -0700 (PDT) From: Masahisa Kojima To: Heinrich Schuchardt , Alexander Graf , Ilias Apalodimas , Simon Glass , Masahisa Kojima , Dhananjay Phadke , u-boot@lists.denx.de Subject: [PATCH v3 5/5] efi_loader: add comment for efi_tcg2.h Date: Fri, 6 Aug 2021 16:02:15 +0900 Message-Id: <20210806070215.19887-6-masahisa.kojima@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210806070215.19887-1-masahisa.kojima@linaro.org> References: <20210806070215.19887-1-masahisa.kojima@linaro.org> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean This commit adds the comment of the TCG Specification efi_tcg2.h file refers, and comment for the structure. Signed-off-by: Masahisa Kojima --- Changes in v3: - update comment format Changes in v2: - newly create commit from v2 include/efi_tcg2.h | 57 +++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 54 insertions(+), 3 deletions(-) -- 2.17.1 diff --git a/include/efi_tcg2.h b/include/efi_tcg2.h index 497ba3ce94..b6b958da51 100644 --- a/include/efi_tcg2.h +++ b/include/efi_tcg2.h @@ -3,6 +3,13 @@ * Defines data structures and APIs that allow an OS to interact with UEFI * firmware to query information about the device * + * This file refers the following TCG specification. + * - TCG PC Client Platform Firmware Profile Specification + * https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/ + * + * - TCG EFI Protocol Specification + * https://trustedcomputinggroup.org/resource/tcg-efi-protocol-specification/ + * * Copyright (c) 2020, Linaro Limited */ @@ -36,11 +43,23 @@ typedef u32 efi_tcg_event_log_bitmap; typedef u32 efi_tcg_event_log_format; typedef u32 efi_tcg_event_algorithm_bitmap; +/** + * struct tdEFI_TCG2_VERSION - structure of EFI TCG2 version + * @major: major version + * @minor: minor version + */ struct efi_tcg2_version { u8 major; u8 minor; }; +/** + * struct tdEFI_TCG2_EVENT_HEADER - structure of EFI TCG2 event header + * @header_size: size of the event header + * @header_version: header version + * @pcr_index: index of the PCR that is extended + * @event_type: type of the event that is extended + */ struct efi_tcg2_event_header { u32 header_size; u16 header_version; @@ -48,12 +67,27 @@ struct efi_tcg2_event_header { u32 event_type; } __packed; +/** + * struct tdEFI_TCG2_EVENT - structure of EFI TCG2 event + * @size: total size of the event including the size component, the header + * and the event data + * @header: event header + * @event: event to add + */ struct efi_tcg2_event { u32 size; struct efi_tcg2_event_header header; u8 event[]; } __packed; +/** + * struct tdUEFI_IMAGE_LOAD_EVENT - structure of PE/COFF image measurement + * @image_location_in_memory: image address + * @image_length_in_memory: image size + * @image_link_time_address: image link time address + * @length_of_device_path: devive path size + * @device_path: device path + */ struct uefi_image_load_event { efi_physical_addr_t image_location_in_memory; u64 image_length_in_memory; @@ -62,6 +96,23 @@ struct uefi_image_load_event { struct efi_device_path device_path[]; }; +/** + * struct tdEFI_TCG2_BOOT_SERVICE_CAPABILITY - protocol capability information + * @size: allocated size of the structure + * @structure_version: version of this structure + * @protocol_version: version of the EFI TCG2 protocol. + * @hash_algorithm_bitmap: supported hash algorithms + * @supported_event_logs: bitmap of supported event log formats + * @tpm_present_flag: false = TPM not present + * @max_command_size: max size (in bytes) of a command + * that can be sent to the TPM + * @max_response_size: max size (in bytes) of a response that + * can be provided by the TPM + * @manufacturer_id: 4-byte Vendor ID + * @number_of_pcr_banks: maximum number of PCR banks + * @active_pcr_banks: bitmap of currently active + * PCR banks (hashing algorithms). + */ struct efi_tcg2_boot_service_capability { u8 size; struct efi_tcg2_version structure_version; @@ -86,7 +137,7 @@ struct efi_tcg2_boot_service_capability { #define TCG_EFI_SPEC_ID_EVENT_SPEC_VERSION_ERRATA_TPM2 2 /** - * struct TCG_EfiSpecIdEventAlgorithmSize + * struct TCG_EfiSpecIdEventAlgorithmSize - hashing algorithm information * * @algorithm_id: algorithm defined in enum tpm2_algorithms * @digest_size: size of the algorithm @@ -97,7 +148,7 @@ struct tcg_efi_spec_id_event_algorithm_size { } __packed; /** - * struct TCG_EfiSpecIDEventStruct + * struct TCG_EfiSpecIDEventStruct - content of the event log header * * @signature: signature, set to Spec ID Event03 * @platform_class: class defined in TCG ACPI Specification @@ -130,7 +181,7 @@ struct tcg_efi_spec_id_event { } __packed; /** - * struct tdEFI_TCG2_FINAL_EVENTS_TABLE + * struct tdEFI_TCG2_FINAL_EVENTS_TABLE - log entries after Get Event Log * @version: version number for this structure * @number_of_events: number of events recorded after invocation of * GetEventLog()