From patchwork Fri Oct 1 11:18:42 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Masahisa Kojima X-Patchwork-Id: 515027 Delivered-To: patch@linaro.org Received: by 2002:a02:606e:0:0:0:0:0 with SMTP id d46csp683523jaf; Fri, 1 Oct 2021 04:19:31 -0700 (PDT) X-Google-Smtp-Source: ABdhPJx4vddteTGpacl+gVusFoc8nDebf488dpmmUrWKUyEoUuXNWizKqHeAwo1zCXb4EXjkG9GX X-Received: by 2002:a17:907:3e05:: with SMTP id hp5mr5326022ejc.527.1633087171137; Fri, 01 Oct 2021 04:19:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1633087171; cv=none; d=google.com; s=arc-20160816; b=mKPXKEfYZf589KfF6mOWBhYXfIUkT3y+2tL5pydVvPSQ1+KDgVQQ2tJO/ojrumKNDo YDklIxfTcjRYTJQtM+0A4zYlJjU5QLH56TEFYMxWpPQx/nUBRhPsRR7+XM55QCLQhRH5 Jj6zeDB5flQ8dDqJyv8NhEeUKs1gkYOL4fV0HTqfqxUi5nkrwOxvNlh3O5TiaMa98o59 8BzC9XKaqBhRhi1CebC02BMLbCqj8FnVmlI03K7NRdO/9ab6im5Z+rnDUVPc2hUIJUrR Xhvj5d1y0SBS8vLzs+j53ykJ0+My2soNIdpTffFs6k5NIbIE7pTGZ1Jr2+idpxhpXWca LmvA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:references:in-reply-to :message-id:date:subject:cc:to:from:dkim-signature; bh=Z/+oBdaMmQVgk0nGn5Za3emHUh4w2XzdhU382jU6Y3Q=; b=Pog2Y6wdA7jKpASTL91ii4L3RZjm7uQJA3FqNMGh7R/hIZNzAhNcLEvACqw1r63xy7 /k+a56R38Lgde/bKN9BOG1kvM45sPEoa2wJEh8aV5gFkxsRCdiehwpr0B1RLMn1nNeRr DGTKKu7OAmrbf3+S3Z06HkNSk8/HvTNv4wjQNjvJP4Tr76YHIpmQ5GEdimem0DdtIzWJ guAUbRDCmfRGU4IWaVP5HFIgY6VhW/LxHWz+TioWC0eiOyvPQZMpw4U9v8qvGrhgMPwd e4ndSZCxMTeKlhC4UqfU2P8bLV5sV4/KIaxfYjD05DcbT6KX3S2H5ltQdLKu6l81qx2a K1gQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b="Htgi/za4"; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [85.214.62.61]) by mx.google.com with ESMTPS id e6si6658720ejk.740.2021.10.01.04.19.30 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 01 Oct 2021 04:19:31 -0700 (PDT) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) client-ip=85.214.62.61; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b="Htgi/za4"; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 5C3E08316C; Fri, 1 Oct 2021 13:19:22 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="Htgi/za4"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 3AA3B8316C; Fri, 1 Oct 2021 13:19:19 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pj1-x1035.google.com (mail-pj1-x1035.google.com [IPv6:2607:f8b0:4864:20::1035]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 38A9C82021 for ; Fri, 1 Oct 2021 13:19:12 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=masahisa.kojima@linaro.org Received: by mail-pj1-x1035.google.com with SMTP id me5-20020a17090b17c500b0019af76b7bb4so9010079pjb.2 for ; Fri, 01 Oct 2021 04:19:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=Z/+oBdaMmQVgk0nGn5Za3emHUh4w2XzdhU382jU6Y3Q=; b=Htgi/za4KapqRfDTCVEIZHkx5j9csY01uRKYgDpAFrf1DbO9yrr1M38EJa1aVVEWp3 cJ0TrJP0M1nSyBvfgOdbo1ld55rV1xmQqnKkWbG98/nbTIEQ12yRnGCtPjqoknobBS3F Sv8PeyRdEuFC2tgtdUAhoWvcuYNL9t7XwmhPy9oVXDXP+IoFr58Iwz8Yzub4taPVijld J7liQKwOq+yLyftj0u/ptWqQ0qCmZRJvIPpf6pKvRjXCIfhwfZ40qx6cc08CRk//Z83J PXSfrZG5/KSxFXKuVQvFH1ElNv5OiY9cQW6vUw1I0AszC0SVgr5wEC34qMWt1Qlly9dg u07A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=Z/+oBdaMmQVgk0nGn5Za3emHUh4w2XzdhU382jU6Y3Q=; b=aKL6zguXwPZzRS5EVDRD9dMVDNpNe7yniq4JhL5gEj2dvo/3Xc8LIPszLpe7B0qjfq 98kMO5IltBDmgbDALVGvtIP5TB5345TPf64dBiV9Ve/Ro2gcwpcV4Mz7oKraTWBdZYnA J8NyFSs5DwgAjQikAlGcWhe++Ki1fc00HKsHz+FSYf6hFDByZZ9YnUqpxUL5/EtIdrz0 jrZxVUhb73nxfL0L3CTEd+M85jm3ed71PcCTN6DotbbQKkH9SmbaLKy7qLob3vonWRMy HcRhWM7M1An05lhayXsiiOrY25B2oKvgBHuUwTHxJTOhwU3VSX69rW1CNEl4N9ymLk/4 J/mQ== X-Gm-Message-State: AOAM530d+zg2/6O/BQki88lBpEzUkkeI6HSBkjlKz575WLdOXJw9mUmD PKaC8VHPoMiYL5uuxTKEntvLE64ftFIQOg== X-Received: by 2002:a17:90a:43e3:: with SMTP id r90mr12608769pjg.81.1633087150207; Fri, 01 Oct 2021 04:19:10 -0700 (PDT) Received: from localhost.localdomain ([2400:2411:502:a100:82fa:5bff:fe4b:26b1]) by smtp.gmail.com with ESMTPSA id w12sm5689829pjf.27.2021.10.01.04.19.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 01 Oct 2021 04:19:09 -0700 (PDT) From: Masahisa Kojima To: u-boot@lists.denx.de Cc: Heinrich Schuchardt , Ilias Apalodimas , Masahisa Kojima , Alexander Graf , Simon Glass , Bin Meng , Christian Gmeiner Subject: [PATCH v3 1/3] efi_loader: add SMBIOS table measurement Date: Fri, 1 Oct 2021 20:18:42 +0900 Message-Id: <20211001111844.7422-2-masahisa.kojima@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20211001111844.7422-1-masahisa.kojima@linaro.org> References: <20211001111844.7422-1-masahisa.kojima@linaro.org> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean TCG PC Client spec requires to measure the SMBIOS table that contain static configuration information (e.g. Platform Manufacturer Enterprise Number assigned by IANA, platform model number, Vendor and Device IDs for each SMBIOS table). The device- and environment-dependent information such as serial number is cleared to zero or space character for the measurement. Existing smbios_string() function returns pointer to the string with const qualifier, but exisintg use case is updating version string and const qualifier must be removed. This commit removes const qualifier from smbios_string() return value and reuses to clear the strings for the measurement. This commit also fixes the following compiler warning: lib/smbios-parser.c:59:39: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast] const struct smbios_header *header = (struct smbios_header *)entry->struct_table_address; Signed-off-by: Masahisa Kojima --- Changes in v3: - TCG spec says EV_SEPARATOR must be the last, swap the order of measurement Changes in v2: - use flexible array for table_entry field - modify funtion name to find_smbios_table() - remove unnecessary const qualifier from smbios_string() - create non-const version of next_header() include/efi_loader.h | 2 + include/efi_tcg2.h | 15 ++++ include/smbios.h | 17 +++- lib/efi_loader/Kconfig | 1 + lib/efi_loader/efi_boottime.c | 2 + lib/efi_loader/efi_smbios.c | 2 - lib/efi_loader/efi_tcg2.c | 84 +++++++++++++++++++ lib/smbios-parser.c | 152 +++++++++++++++++++++++++++++++--- 8 files changed, 261 insertions(+), 14 deletions(-) -- 2.17.1 diff --git a/include/efi_loader.h b/include/efi_loader.h index c440962fe5..13f0c24058 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -308,6 +308,8 @@ extern const efi_guid_t efi_guid_capsule_report; extern const efi_guid_t efi_guid_firmware_management_protocol; /* GUID for the ESRT */ extern const efi_guid_t efi_esrt_guid; +/* GUID of the SMBIOS table */ +extern const efi_guid_t smbios_guid; extern char __efi_runtime_start[], __efi_runtime_stop[]; extern char __efi_runtime_rel_start[], __efi_runtime_rel_stop[]; diff --git a/include/efi_tcg2.h b/include/efi_tcg2.h index 8f02d4fb0b..ca66695b39 100644 --- a/include/efi_tcg2.h +++ b/include/efi_tcg2.h @@ -210,6 +210,21 @@ struct efi_tcg2_uefi_variable_data { u8 variable_data[1]; }; +/** + * struct tdUEFI_HANDOFF_TABLE_POINTERS2 - event log structure of SMBOIS tables + * @table_description_size: size of table description + * @table_description: table description + * @number_of_tables: number of uefi configuration table + * @table_entry: uefi configuration table entry + */ +#define SMBIOS_HANDOFF_TABLE_DESC "SmbiosTable" +struct smbios_handoff_table_pointers2 { + u8 table_description_size; + u8 table_description[sizeof(SMBIOS_HANDOFF_TABLE_DESC)]; + u64 number_of_tables; + struct efi_configuration_table table_entry[]; +} __packed; + struct efi_tcg2_protocol { efi_status_t (EFIAPI * get_capability)(struct efi_tcg2_protocol *this, struct efi_tcg2_boot_service_capability *capability); diff --git a/include/smbios.h b/include/smbios.h index aa6b6f3849..acfcbfe2ca 100644 --- a/include/smbios.h +++ b/include/smbios.h @@ -260,9 +260,9 @@ const struct smbios_header *smbios_header(const struct smbios_entry *entry, int * * @header: pointer to struct smbios_header * @index: string index - * @return: NULL or a valid const char pointer + * @return: NULL or a valid char pointer */ -const char *smbios_string(const struct smbios_header *header, int index); +char *smbios_string(const struct smbios_header *header, int index); /** * smbios_update_version() - Update the version string @@ -292,4 +292,17 @@ int smbios_update_version(const char *version); */ int smbios_update_version_full(void *smbios_tab, const char *version); +/** + * smbios_prepare_measurement() - Update smbios table for the measurement + * + * TCG specification requires to measure static configuration information. + * This function clear the device dependent parameters such as + * serial number for the measurement. + * + * @entry: pointer to a struct smbios_entry + * @header: pointer to a struct smbios_header + */ +void smbios_prepare_measurement(const struct smbios_entry *entry, + struct smbios_header *header); + #endif /* _SMBIOS_H_ */ diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index f48d9e8b51..e691b1ea96 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -320,6 +320,7 @@ config EFI_TCG2_PROTOCOL select SHA384 select SHA512 select HASH + select SMBIOS_PARSER help Provide a EFI_TCG2_PROTOCOL implementation using the TPM hardware of the platform. diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/efi_boottime.c index f0283b539e..701e2212c8 100644 --- a/lib/efi_loader/efi_boottime.c +++ b/lib/efi_loader/efi_boottime.c @@ -86,6 +86,8 @@ const efi_guid_t efi_guid_event_group_reset_system = /* GUIDs of the Load File and Load File2 protocols */ const efi_guid_t efi_guid_load_file_protocol = EFI_LOAD_FILE_PROTOCOL_GUID; const efi_guid_t efi_guid_load_file2_protocol = EFI_LOAD_FILE2_PROTOCOL_GUID; +/* GUID of the SMBIOS table */ +const efi_guid_t smbios_guid = SMBIOS_TABLE_GUID; static efi_status_t EFIAPI efi_disconnect_controller( efi_handle_t controller_handle, diff --git a/lib/efi_loader/efi_smbios.c b/lib/efi_loader/efi_smbios.c index 2eb4cb1c1a..fc0b23397c 100644 --- a/lib/efi_loader/efi_smbios.c +++ b/lib/efi_loader/efi_smbios.c @@ -13,8 +13,6 @@ #include #include -static const efi_guid_t smbios_guid = SMBIOS_TABLE_GUID; - /* * Install the SMBIOS table as a configuration table. * diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index d3b8f93f14..f14d4d6da1 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -14,6 +14,7 @@ #include #include #include +#include #include #include #include @@ -1455,6 +1456,81 @@ error: return ret; } +/** + * tcg2_measure_smbios() - measure smbios table + * + * @dev: TPM device + * @entry: pointer to the smbios_entry structure + * + * Return: status code + */ +static efi_status_t +tcg2_measure_smbios(struct udevice *dev, + const struct smbios_entry *entry) +{ + efi_status_t ret; + struct smbios_header *smbios_copy; + struct smbios_handoff_table_pointers2 *event = NULL; + u32 event_size; + + /* + * TCG PC Client PFP Spec says + * "SMBIOS structures that contain static configuration information + * (e.g. Platform Manufacturer Enterprise Number assigned by IANA, + * platform model number, Vendor and Device IDs for each SMBIOS table) + * that is relevant to the security of the platform MUST be measured". + * Device dependent parameters such as serial number are cleared to + * zero or spaces for the measurement. + */ + event_size = sizeof(struct smbios_handoff_table_pointers2) + + FIELD_SIZEOF(struct efi_configuration_table, guid) + + entry->struct_table_length; + event = calloc(1, event_size); + if (!event) { + ret = EFI_OUT_OF_RESOURCES; + goto out; + } + + event->table_description_size = sizeof(SMBIOS_HANDOFF_TABLE_DESC); + memcpy(event->table_description, SMBIOS_HANDOFF_TABLE_DESC, + sizeof(SMBIOS_HANDOFF_TABLE_DESC)); + put_unaligned_le64(1, &event->number_of_tables); + guidcpy(&event->table_entry[0].guid, &smbios_guid); + smbios_copy = (struct smbios_header *)((uintptr_t)&event->table_entry[0].table); + memcpy(&event->table_entry[0].table, + (void *)((uintptr_t)entry->struct_table_address), + entry->struct_table_length); + + smbios_prepare_measurement(entry, smbios_copy); + + ret = tcg2_measure_event(dev, 1, EV_EFI_HANDOFF_TABLES2, event_size, + (u8 *)event); + if (ret != EFI_SUCCESS) + goto out; + +out: + free(event); + + return ret; +} + +/** + * find_smbios_table() - find smbios table + * + * Return: pointer to the smbios table + */ +static void *find_smbios_table(void) +{ + u32 i; + + for (i = 0; i < systab.nr_tables; i++) { + if (!guidcmp(&smbios_guid, &systab.tables[i].guid)) + return systab.tables[i].table; + } + + return NULL; +} + /** * efi_tcg2_measure_efi_app_invocation() - measure efi app invocation * @@ -1466,6 +1542,7 @@ efi_status_t efi_tcg2_measure_efi_app_invocation(void) u32 pcr_index; struct udevice *dev; u32 event = 0; + struct smbios_entry *entry; if (tcg2_efi_app_invoked) return EFI_SUCCESS; @@ -1484,6 +1561,13 @@ efi_status_t efi_tcg2_measure_efi_app_invocation(void) if (ret != EFI_SUCCESS) goto out; + entry = (struct smbios_entry *)find_smbios_table(); + if (entry) { + ret = tcg2_measure_smbios(dev, entry); + if (ret != EFI_SUCCESS) + goto out; + } + for (pcr_index = 0; pcr_index <= 7; pcr_index++) { ret = tcg2_measure_event(dev, pcr_index, EV_SEPARATOR, sizeof(event), (u8 *)&event); diff --git a/lib/smbios-parser.c b/lib/smbios-parser.c index 34203f952c..596a967302 100644 --- a/lib/smbios-parser.c +++ b/lib/smbios-parser.c @@ -39,10 +39,8 @@ const struct smbios_entry *smbios_entry(u64 address, u32 size) return entry; } -static const struct smbios_header *next_header(const struct smbios_header *curr) +static u8 *find_next_header(u8 *pos) { - u8 *pos = ((u8 *)curr) + curr->length; - /* search for _double_ NULL bytes */ while (!((*pos == 0) && (*(pos + 1) == 0))) pos++; @@ -50,13 +48,27 @@ static const struct smbios_header *next_header(const struct smbios_header *curr) /* step behind the double NULL bytes */ pos += 2; - return (struct smbios_header *)pos; + return pos; +} + +static struct smbios_header *get_next_header(struct smbios_header *curr) +{ + u8 *pos = ((u8 *)curr) + curr->length; + + return (struct smbios_header *)find_next_header(pos); +} + +static const struct smbios_header *next_header(const struct smbios_header *curr) +{ + u8 *pos = ((u8 *)curr) + curr->length; + + return (struct smbios_header *)find_next_header(pos); } const struct smbios_header *smbios_header(const struct smbios_entry *entry, int type) { const unsigned int num_header = entry->struct_count; - const struct smbios_header *header = (struct smbios_header *)entry->struct_table_address; + const struct smbios_header *header = (struct smbios_header *)((uintptr_t)entry->struct_table_address); for (unsigned int i = 0; i < num_header; i++) { if (header->type == type) @@ -68,8 +80,8 @@ const struct smbios_header *smbios_header(const struct smbios_entry *entry, int return NULL; } -static const char *string_from_smbios_table(const struct smbios_header *header, - int idx) +static char *string_from_smbios_table(const struct smbios_header *header, + int idx) { unsigned int i = 1; u8 *pos; @@ -86,10 +98,10 @@ static const char *string_from_smbios_table(const struct smbios_header *header, pos++; } - return (const char *)pos; + return (char *)pos; } -const char *smbios_string(const struct smbios_header *header, int index) +char *smbios_string(const struct smbios_header *header, int index) { if (!header) return NULL; @@ -109,7 +121,7 @@ int smbios_update_version_full(void *smbios_tab, const char *version) if (!hdr) return log_msg_ret("tab", -ENOENT); bios = (struct smbios_type0 *)hdr; - ptr = (char *)smbios_string(hdr, bios->bios_ver); + ptr = smbios_string(hdr, bios->bios_ver); if (!ptr) return log_msg_ret("str", -ENOMEDIUM); @@ -132,3 +144,123 @@ int smbios_update_version_full(void *smbios_tab, const char *version) return 0; } + +struct smbios_filter_param { + u32 offset; + u32 size; + bool is_string; +}; + +struct smbios_filter_table { + int type; + struct smbios_filter_param *params; + u32 count; +}; + +struct smbios_filter_param smbios_type1_filter_params[] = { + {offsetof(struct smbios_type1, serial_number), + FIELD_SIZEOF(struct smbios_type1, serial_number), true}, + {offsetof(struct smbios_type1, uuid), + FIELD_SIZEOF(struct smbios_type1, uuid), false}, + {offsetof(struct smbios_type1, wakeup_type), + FIELD_SIZEOF(struct smbios_type1, wakeup_type), false}, +}; + +struct smbios_filter_param smbios_type2_filter_params[] = { + {offsetof(struct smbios_type2, serial_number), + FIELD_SIZEOF(struct smbios_type2, serial_number), true}, + {offsetof(struct smbios_type2, chassis_location), + FIELD_SIZEOF(struct smbios_type2, chassis_location), false}, +}; + +struct smbios_filter_param smbios_type3_filter_params[] = { + {offsetof(struct smbios_type3, serial_number), + FIELD_SIZEOF(struct smbios_type3, serial_number), true}, + {offsetof(struct smbios_type3, asset_tag_number), + FIELD_SIZEOF(struct smbios_type3, asset_tag_number), true}, +}; + +struct smbios_filter_param smbios_type4_filter_params[] = { + {offsetof(struct smbios_type4, serial_number), + FIELD_SIZEOF(struct smbios_type4, serial_number), true}, + {offsetof(struct smbios_type4, asset_tag), + FIELD_SIZEOF(struct smbios_type4, asset_tag), true}, + {offsetof(struct smbios_type4, part_number), + FIELD_SIZEOF(struct smbios_type4, part_number), true}, + {offsetof(struct smbios_type4, core_count), + FIELD_SIZEOF(struct smbios_type4, core_count), false}, + {offsetof(struct smbios_type4, core_enabled), + FIELD_SIZEOF(struct smbios_type4, core_enabled), false}, + {offsetof(struct smbios_type4, thread_count), + FIELD_SIZEOF(struct smbios_type4, thread_count), false}, + {offsetof(struct smbios_type4, core_count2), + FIELD_SIZEOF(struct smbios_type4, core_count2), false}, + {offsetof(struct smbios_type4, core_enabled2), + FIELD_SIZEOF(struct smbios_type4, core_enabled2), false}, + {offsetof(struct smbios_type4, thread_count), + FIELD_SIZEOF(struct smbios_type4, thread_count2), false}, + {offsetof(struct smbios_type4, voltage), + FIELD_SIZEOF(struct smbios_type4, voltage), false}, +}; + +struct smbios_filter_table smbios_filter_tables[] = { + {SMBIOS_SYSTEM_INFORMATION, smbios_type1_filter_params, + ARRAY_SIZE(smbios_type1_filter_params)}, + {SMBIOS_BOARD_INFORMATION, smbios_type2_filter_params, + ARRAY_SIZE(smbios_type2_filter_params)}, + {SMBIOS_SYSTEM_ENCLOSURE, smbios_type3_filter_params, + ARRAY_SIZE(smbios_type3_filter_params)}, + {SMBIOS_PROCESSOR_INFORMATION, smbios_type4_filter_params, + ARRAY_SIZE(smbios_type4_filter_params)}, +}; + +static void clear_smbios_table(struct smbios_header *header, + struct smbios_filter_param *filter, + u32 count) +{ + u32 i; + char *str; + u8 string_id; + + for (i = 0; i < count; i++) { + if (filter[i].is_string) { + string_id = *((u8 *)header + filter[i].offset); + if (string_id == 0) /* string is empty */ + continue; + + str = smbios_string(header, string_id); + if (!str) + continue; + + /* string is cleared to space, keep '\0' terminator */ + memset(str, ' ', strlen(str)); + + } else { + memset((void *)((u8 *)header + filter[i].offset), + 0, filter[i].size); + } + } +} + +void smbios_prepare_measurement(const struct smbios_entry *entry, + struct smbios_header *smbios_copy) +{ + u32 i, j; + struct smbios_header *header; + + for (i = 0; i < ARRAY_SIZE(smbios_filter_tables); i++) { + header = smbios_copy; + for (j = 0; j < entry->struct_count; j++) { + if (header->type == smbios_filter_tables[i].type) + break; + + header = get_next_header(header); + } + if (j >= entry->struct_count) + continue; + + clear_smbios_table(header, + smbios_filter_tables[i].params, + smbios_filter_tables[i].count); + } +} From patchwork Fri Oct 1 11:18:43 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Masahisa Kojima X-Patchwork-Id: 515028 Delivered-To: patch@linaro.org Received: by 2002:a02:606e:0:0:0:0:0 with SMTP id d46csp683639jaf; Fri, 1 Oct 2021 04:19:41 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxQfJsQxa3klUe5Ik1LJos1gs9OG/kpPIQHebcMuD/yH9pFhelUxWsXjb3JaGLFeEz7KOgu X-Received: by 2002:aa7:c4ce:: with SMTP id p14mr13812821edr.129.1633087181237; Fri, 01 Oct 2021 04:19:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1633087181; cv=none; d=google.com; s=arc-20160816; b=rc5gYc/w0rrzDrZogLtMCxDiazvE6+w3tjzIBXb8eKO1vLncIw9gT9BNCQEXg0FuMb cc9KqkoH2CPMer3H2PLAfzJ2ClHgn21eA57reRq6xL77Y6inqyPOWGF+qnl5LfZhwuk7 x0ZzjHAizZ8JpQD/36ffaqgrUgGhi46EM69cJVSLW1T0U4xwgxnRnYZE4Lwr0BIEqPwW XloveExLIyA59CJ6WsxqJWBwIfFrMbEmP63EgyBpw9mfrmf/Fn3tRRJ+Uv1uETtyMj/d V9oywh462Q2pUKa+jV7zswczHH1yuAnYqUFGpuo0r6XvFVJ/90b7twtZvYceIxw1LYen 07WQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:references:in-reply-to :message-id:date:subject:cc:to:from:dkim-signature; bh=yauZ0OcnAFWdKnEMOQcePg1XdrLlnVzrXQt4wOdhDMQ=; b=JD9mLCxsw/miiA+48UGqkUZH/lhM7Vb/H9MZCMFABOhCldZR5/Q42dcZH0VtzhCV23 dDaR0pJxii439QsA8p6QkQJ999TCscDpfdgKnLab8PF9szQVM/0wzjSP0QzaQXrCU736 VOQZutmxL0dbMj6zD2N0qninV0cPq6APMVqavBOiGbLDPs8yhzXBH+bHjXG5a88xmJtm C0Vc1DZGBqJ0w7cgkZ2b9YLYmtOsskel9IB8WoFdJn4Ev8LGjSYOZdhDc0WgAA99CwpQ khGx2YG/rU3jdcVzDWdyyOFstp+dW9LHKmBorzpdt23cIPL2HSnc6DMpv5+MKhYzZNzK xorQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=Im0Npn3t; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [2a01:238:438b:c500:173d:9f52:ddab:ee01]) by mx.google.com with ESMTPS id l2si9012391ejo.509.2021.10.01.04.19.40 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 01 Oct 2021 04:19:41 -0700 (PDT) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=Im0Npn3t; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 44A158328E; Fri, 1 Oct 2021 13:19:28 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="Im0Npn3t"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 21330831B2; Fri, 1 Oct 2021 13:19:23 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pg1-x532.google.com (mail-pg1-x532.google.com [IPv6:2607:f8b0:4864:20::532]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 8E661815B7 for ; Fri, 1 Oct 2021 13:19:14 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=masahisa.kojima@linaro.org Received: by mail-pg1-x532.google.com with SMTP id 75so9121490pga.3 for ; Fri, 01 Oct 2021 04:19:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=yauZ0OcnAFWdKnEMOQcePg1XdrLlnVzrXQt4wOdhDMQ=; b=Im0Npn3tMgT/gz9X46JrbFTfQBIeN8dBeJqVgI3huhR8dh1F0NwzOs3oGtvL0qHf6U 0c9Swt8zS2fjkTVfUDWJdXdYBAdQaPNSZ12Y8Of6KAdfUgHhZY2vA0PM7HMx7yCTIzr2 hfWHbiCsCrYSwx9AmIpM7qnrvve2taa4RauQmvTegEcZNS3qp8dvbOO+n4+2gaf4gIzb VCnFhwZloOjY26pZrORQdS4X1+EGQuCz6AYoCPMZoa3eBb9Slhk42Iv8RLOttQMZ3Emf YRInjtZVaOYX+1KUU5pdB2771Gk0U/lnoIXdNfPj4YleOi0zpUEh7FQF1Y3z2JwmY/ft L6wg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=yauZ0OcnAFWdKnEMOQcePg1XdrLlnVzrXQt4wOdhDMQ=; b=7MW1TSGsHWSRotn5TS7SGIzQRtuJNyRxWsOknBFd4F3jguG/Td04xfzSjHCV9IxGk/ KfgYn1A005YcxH2z1n80u5tXXvsUwnzt7HWK/eFmAb/VvV15mvSuZgSxF+xt2x8W9cce m+M491J7/ZZurcT/kabRq6etA9oIVr8XbX2ehtoXOqJMsgjfQ9gCTzqrKfS1vf79I5qa oqfIMb8R+12RO0vz6dMCh2B56INIuPt5R/IxkMfsnBq+ynObnEOaS1jCN5Bty3oiCPcT aLoc7yKJxXnjvP3/l0lmXsW/JCJM2NGcHS3kp1x38Z2FA2OARlDDkJTcQwDC8NZMG7Rl DePg== X-Gm-Message-State: AOAM532LMq7WAZFdmpC1iwGWad5DtQ0eAjLhivzvthTuf823Hh7rAT+s tGYhAVSVn/BjB5vJVAHnZ6hQj2DH2NNEGg== X-Received: by 2002:aa7:9815:0:b0:43d:7dd:8c99 with SMTP id e21-20020aa79815000000b0043d07dd8c99mr9784566pfl.24.1633087152648; Fri, 01 Oct 2021 04:19:12 -0700 (PDT) Received: from localhost.localdomain ([2400:2411:502:a100:82fa:5bff:fe4b:26b1]) by smtp.gmail.com with ESMTPSA id w12sm5689829pjf.27.2021.10.01.04.19.10 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 01 Oct 2021 04:19:12 -0700 (PDT) From: Masahisa Kojima To: u-boot@lists.denx.de Cc: Heinrich Schuchardt , Ilias Apalodimas , Masahisa Kojima , Alexander Graf , Simon Glass Subject: [PATCH v3 2/3] efi_loader: add UEFI GPT measurement Date: Fri, 1 Oct 2021 20:18:43 +0900 Message-Id: <20211001111844.7422-3-masahisa.kojima@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20211001111844.7422-1-masahisa.kojima@linaro.org> References: <20211001111844.7422-1-masahisa.kojima@linaro.org> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean This commit adds the UEFI GPT disk partition topology measurement required in TCG PC Client PFP Spec. Signed-off-by: Masahisa Kojima --- Changes in v3: - EV_EFI_GPT_EVENT is measured before EV_SEPARATOR, same as other PCRs - use PTR_ARRAY instead of ARRAY - create sub-function of allocating io_aligned buffer - move search_gpt_dp_node() into efi_device_path.c include/blk.h | 3 + include/efi_loader.h | 3 +- include/efi_tcg2.h | 12 +++ lib/efi_loader/efi_boottime.c | 2 +- lib/efi_loader/efi_device_path.c | 27 +++++ lib/efi_loader/efi_tcg2.c | 163 ++++++++++++++++++++++++++++++- 6 files changed, 207 insertions(+), 3 deletions(-) -- 2.17.1 diff --git a/include/blk.h b/include/blk.h index 19bab081c2..f0cc7ca1a2 100644 --- a/include/blk.h +++ b/include/blk.h @@ -45,6 +45,9 @@ enum if_type { #define BLK_PRD_SIZE 20 #define BLK_REV_SIZE 8 +#define PART_FORMAT_PCAT 0x1 +#define PART_FORMAT_GPT 0x2 + /* * Identifies the partition table type (ie. MBR vs GPT GUID) signature */ diff --git a/include/efi_loader.h b/include/efi_loader.h index 13f0c24058..c557e8bee6 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -503,7 +503,7 @@ efi_status_t efi_init_variables(void); void efi_variables_boot_exit_notify(void); efi_status_t efi_tcg2_notify_exit_boot_services_failed(void); /* Measure efi application invocation */ -efi_status_t efi_tcg2_measure_efi_app_invocation(void); +efi_status_t efi_tcg2_measure_efi_app_invocation(struct efi_loaded_image_obj *handle); /* Measure efi application exit */ efi_status_t efi_tcg2_measure_efi_app_exit(void); /* Called by bootefi to initialize root node */ @@ -845,6 +845,7 @@ struct efi_device_path *efi_dp_from_lo(struct efi_load_option *lo, efi_uintn_t *size, efi_guid_t guid); struct efi_device_path *efi_dp_concat(const struct efi_device_path *dp1, const struct efi_device_path *dp2); +struct efi_device_path *search_gpt_dp_node(struct efi_device_path *device_path); efi_status_t efi_deserialize_load_option(struct efi_load_option *lo, u8 *data, efi_uintn_t *size); unsigned long efi_serialize_load_option(struct efi_load_option *lo, u8 **data); diff --git a/include/efi_tcg2.h b/include/efi_tcg2.h index ca66695b39..50a59f9263 100644 --- a/include/efi_tcg2.h +++ b/include/efi_tcg2.h @@ -225,6 +225,18 @@ struct smbios_handoff_table_pointers2 { struct efi_configuration_table table_entry[]; } __packed; +/** + * struct tdUEFI_GPT_DATA - event log structure of industry standard tables + * @uefi_partition_header: gpt partition header + * @number_of_partitions: the number of partition + * @partitions: partition entries + */ +struct efi_gpt_data { + gpt_header uefi_partition_header; + u64 number_of_partitions; + gpt_entry partitions[]; +} __packed; + struct efi_tcg2_protocol { efi_status_t (EFIAPI * get_capability)(struct efi_tcg2_protocol *this, struct efi_tcg2_boot_service_capability *capability); diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/efi_boottime.c index 701e2212c8..bf5661e1ee 100644 --- a/lib/efi_loader/efi_boottime.c +++ b/lib/efi_loader/efi_boottime.c @@ -3003,7 +3003,7 @@ efi_status_t EFIAPI efi_start_image(efi_handle_t image_handle, if (IS_ENABLED(CONFIG_EFI_TCG2_PROTOCOL)) { if (image_obj->image_type == IMAGE_SUBSYSTEM_EFI_APPLICATION) { - ret = efi_tcg2_measure_efi_app_invocation(); + ret = efi_tcg2_measure_efi_app_invocation(image_obj); if (ret != EFI_SUCCESS) { log_warning("tcg2 measurement fails(0x%lx)\n", ret); diff --git a/lib/efi_loader/efi_device_path.c b/lib/efi_loader/efi_device_path.c index cbdb466da4..6aec64f373 100644 --- a/lib/efi_loader/efi_device_path.c +++ b/lib/efi_loader/efi_device_path.c @@ -1294,3 +1294,30 @@ efi_device_path *efi_dp_from_lo(struct efi_load_option *lo, return NULL; } + +/** + * search_gpt_dp_node() - search gpt device path node + * + * @device_path: device path + * + * Return: pointer to the gpt device path node + */ +struct efi_device_path *search_gpt_dp_node(struct efi_device_path *device_path) +{ + struct efi_device_path *dp = device_path; + + while (dp) { + if (dp->type == DEVICE_PATH_TYPE_MEDIA_DEVICE && + dp->sub_type == DEVICE_PATH_SUB_TYPE_HARD_DRIVE_PATH) { + struct efi_device_path_hard_drive_path *hd_dp = + (struct efi_device_path_hard_drive_path *)dp; + + if (hd_dp->partmap_type == PART_FORMAT_GPT && + hd_dp->signature_type == SIG_TYPE_GUID) + return dp; + } + dp = efi_dp_next(dp); + } + + return NULL; +} diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index f14d4d6da1..28e0362bf2 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -1531,12 +1531,169 @@ static void *find_smbios_table(void) return NULL; } +static void *allocate_io_aligned_buf(void **buf, u32 size, u32 io_align) +{ + if (!buf) + return NULL; + + *buf = calloc(1, size); + if (!*buf) + return NULL; + + return (void *)PTR_ALIGN((uintptr_t)*buf, io_align); +} + +/** + * tcg2_measure_gpt_table() - measure gpt table + * + * @dev: TPM device + * @loaded_image: handle to the loaded image + * + * Return: status code + */ +static efi_status_t +tcg2_measure_gpt_data(struct udevice *dev, + struct efi_loaded_image_obj *loaded_image) +{ + efi_status_t ret; + efi_handle_t handle; + struct efi_handler *dp_handler; + struct efi_device_path *orig_device_path; + struct efi_device_path *device_path; + struct efi_device_path *dp; + struct efi_block_io *block_io; + struct efi_gpt_data *event = NULL; + efi_guid_t null_guid = NULL_GUID; + void *orig_gpt_h = NULL; + void *orig_gpt_e = NULL; + gpt_header *gpt_h = NULL; + gpt_entry *entry = NULL; + gpt_entry *gpt_e; + u32 num_of_valid_entry = 0; + u32 event_size; + u32 i; + u32 total_gpt_entry_size; + + ret = efi_search_protocol(&loaded_image->header, + &efi_guid_loaded_image_device_path, + &dp_handler); + if (ret != EFI_SUCCESS) + return ret; + + orig_device_path = dp_handler->protocol_interface; + device_path = efi_dp_dup(orig_device_path); + if (!device_path) + return EFI_OUT_OF_RESOURCES; + + dp = search_gpt_dp_node(device_path); + if (!dp) { + /* no GPT device path node found, skip GPT measurement */ + ret = EFI_SUCCESS; + goto out1; + } + + /* read GPT header */ + dp->type = DEVICE_PATH_TYPE_END; + dp->sub_type = DEVICE_PATH_SUB_TYPE_END; + dp = device_path; + ret = EFI_CALL(systab.boottime->locate_device_path(&efi_block_io_guid, + &dp, &handle)); + if (ret != EFI_SUCCESS) + goto out1; + + ret = EFI_CALL(efi_handle_protocol(handle, + &efi_block_io_guid, (void **)&block_io)); + if (ret != EFI_SUCCESS) + goto out1; + + gpt_h = allocate_io_aligned_buf(&orig_gpt_h, + block_io->media->block_size + + block_io->media->io_align, + block_io->media->io_align); + if (!orig_gpt_h || !gpt_h) { + ret = EFI_OUT_OF_RESOURCES; + goto out2; + } + + ret = block_io->read_blocks(block_io, block_io->media->media_id, 1, + block_io->media->block_size, gpt_h); + if (ret != EFI_SUCCESS) + goto out2; + + /* read GPT entry */ + total_gpt_entry_size = gpt_h->num_partition_entries * + gpt_h->sizeof_partition_entry; + entry = allocate_io_aligned_buf(&orig_gpt_e, + total_gpt_entry_size + + block_io->media->io_align, + block_io->media->io_align); + if (!orig_gpt_e || !entry) { + ret = EFI_OUT_OF_RESOURCES; + goto out2; + } + + ret = block_io->read_blocks(block_io, block_io->media->media_id, + gpt_h->partition_entry_lba, + total_gpt_entry_size, entry); + if (ret != EFI_SUCCESS) + goto out2; + + /* count valid GPT entry */ + gpt_e = entry; + for (i = 0; i < gpt_h->num_partition_entries; i++) { + if (guidcmp(&null_guid, &gpt_e->partition_type_guid)) + num_of_valid_entry++; + + gpt_e = (gpt_entry *)((u8 *)gpt_e + gpt_h->sizeof_partition_entry); + } + + /* prepare event data for measurement */ + event_size = sizeof(struct efi_gpt_data) + + (num_of_valid_entry * gpt_h->sizeof_partition_entry); + event = calloc(1, event_size); + if (!event) { + ret = EFI_OUT_OF_RESOURCES; + goto out2; + } + memcpy(event, gpt_h, sizeof(gpt_header)); + put_unaligned_le64(num_of_valid_entry, &event->number_of_partitions); + + /* copy valid GPT entry */ + gpt_e = entry; + num_of_valid_entry = 0; + for (i = 0; i < gpt_h->num_partition_entries; i++) { + if (guidcmp(&null_guid, &gpt_e->partition_type_guid)) { + memcpy((u8 *)event->partitions + + (num_of_valid_entry * gpt_h->sizeof_partition_entry), + gpt_e, gpt_h->sizeof_partition_entry); + num_of_valid_entry++; + } + + gpt_e = (gpt_entry *)((u8 *)gpt_e + gpt_h->sizeof_partition_entry); + } + + ret = tcg2_measure_event(dev, 5, EV_EFI_GPT_EVENT, event_size, (u8 *)event); + if (ret != EFI_SUCCESS) + goto out2; + +out2: + EFI_CALL(efi_close_protocol((efi_handle_t)block_io, &efi_block_io_guid, + NULL, NULL)); + free(orig_gpt_h); + free(orig_gpt_e); + free(event); +out1: + efi_free_pool(device_path); + + return ret; +} + /** * efi_tcg2_measure_efi_app_invocation() - measure efi app invocation * * Return: status code */ -efi_status_t efi_tcg2_measure_efi_app_invocation(void) +efi_status_t efi_tcg2_measure_efi_app_invocation(struct efi_loaded_image_obj *handle) { efi_status_t ret; u32 pcr_index; @@ -1568,6 +1725,10 @@ efi_status_t efi_tcg2_measure_efi_app_invocation(void) goto out; } + ret = tcg2_measure_gpt_data(dev, handle); + if (ret != EFI_SUCCESS) + goto out; + for (pcr_index = 0; pcr_index <= 7; pcr_index++) { ret = tcg2_measure_event(dev, pcr_index, EV_SEPARATOR, sizeof(event), (u8 *)&event); From patchwork Fri Oct 1 11:18:44 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Masahisa Kojima X-Patchwork-Id: 515029 Delivered-To: patch@linaro.org Received: by 2002:a02:606e:0:0:0:0:0 with SMTP id d46csp683782jaf; Fri, 1 Oct 2021 04:19:52 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxFxE+wRsSr9Y7S/+JfFyB9c2D4TuUb2oalNhyvQbOIh7SC70ynMS1EmnwAlk9eyF8fWqcY X-Received: by 2002:a50:da06:: with SMTP id z6mr13972208edj.355.1633087192200; Fri, 01 Oct 2021 04:19:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1633087192; cv=none; d=google.com; s=arc-20160816; b=pcR0mtV/es3feOVmyqVWk3mIjiCrPkOS07XCUouQ5L1cLfJ5rB9XIZI1ZuSFrqV8nE gHQQGQufsIhZGIed6YZ4MxgWJAkIsLDFZvn43bt72jO35nFuL6V5mLsH+0BvWTn5h2qq J2yMfQJwYjGLZ0nINOrVNNgiRDOMiFyc4uX78QIEm0JbeEPrfpW47lzqCX29t2TJNMGr 8dtodHErP6oZO32Lh0VfWpCRBTb8cAe7ji0G9FSmtCmxOZJMyKT9fxbtkxhKEx4bFHWh vO632DFN/i6eb4C9AxZtmyPxxTP9eSIZpMff3qyGONeftMfy0wlLr+8aH7E28ER9wg3u HT4A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:references:in-reply-to :message-id:date:subject:cc:to:from:dkim-signature; bh=Jsw/e912MSWr+5izVXg2CWImiLVUrNCjAxOBHQQLH0A=; b=lfYl/PvYvxRznGV/yEKj2NZJvsp8MSxQG74y404xqJnl3+E+17sagCsiW5BZFxVSlN 0xIvNOhumCAxu/9fp570e3fem1C97OUdnoydpXyK2u4NjSU0bD9Iv8lZK2a3CYcrkeup IQLaEsBedTdnjW7JxUkFw4MJ3Lx6ndXPyoT+B7Baz+rgBTr5NaxhWHAGL2+F5k5Gdf/1 eABTNON/ccLA8N6aLcZ9CQgl4CsrFj/c8Fsx38LHFYW4f35wttAFHbIw8P0vpH/RvoBr 1IW7lvX5oGErdWrNQsveaVLlsR8ezL2CE/lP67GOJ+/W4kgQAMXlp+JEuWoF154NvlZ/ d9Pg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=PuN5Yh3C; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [85.214.62.61]) by mx.google.com with ESMTPS id hp5si10738634ejc.447.2021.10.01.04.19.51 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 01 Oct 2021 04:19:52 -0700 (PDT) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) client-ip=85.214.62.61; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=PuN5Yh3C; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id D20778323E; Fri, 1 Oct 2021 13:19:34 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="PuN5Yh3C"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 729C283178; Fri, 1 Oct 2021 13:19:25 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pg1-x531.google.com (mail-pg1-x531.google.com [IPv6:2607:f8b0:4864:20::531]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 5E29783143 for ; Fri, 1 Oct 2021 13:19:16 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=masahisa.kojima@linaro.org Received: by mail-pg1-x531.google.com with SMTP id 66so8698462pgc.9 for ; Fri, 01 Oct 2021 04:19:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=Jsw/e912MSWr+5izVXg2CWImiLVUrNCjAxOBHQQLH0A=; b=PuN5Yh3CcU7JrdykhrimqlXXDXpcFBckDwMDc1bdnQRO6EcDBrCb1cIshC5gd/J4Vi PDY/q8cXJmQ1cZx9UGdvSlDClPpQGvQBcg4k7wmNU3fseUCQ0Cdkbl8tdNAk4u1LCxH6 yoXnpcSN6ifKe0TLsDNv9o8bY5pWB+cAKZ5WJsWV480G6NlN9fvUG8BD932Y4owcyvBh j0r1m490t8KSNJHpdyozj+oUV+OFjNmOZ1nsJFVhPP4FZh4zb7+xCNg2sq/JuHcTX6eA d+3wF6+0/qljt+IooNiRuReuUmo9id+pTLn2xT9Vgz5e/ytriPPgUyHvvHgr/QrB/ddE vS+g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=Jsw/e912MSWr+5izVXg2CWImiLVUrNCjAxOBHQQLH0A=; b=PEcS3ontLeIj/lag47gBXUiwGw7ysxfYEsQELskH/H2LtCbpFJAyBILGJ8PksqlwVk ot+zRabjq4XjPMMtb9zOkyR15hLhJB6Dfm3J3L839finaycGcrDqjqz+gwbdQqevwo3J lcndTNVNHGXZT7Iamlf1QeKQFocon5hj+CpUoJQQftJIMdDxkJWY6jm4JY7WUF0ynzoM 8DKAh3EpeXyiDhlxxeKwL7/mBtV8X680MYpae4XxTCYrSLqwMhY+6fozdd4L90Df4y7V 4UPFJIVC2XFe7wJKPyEy7wfxyhDiZ84qZVpjxQIuIVm6ZGuNicG7Z9OeOLsuHqly61yH koyQ== X-Gm-Message-State: AOAM531fQbYTIAGdAvabIPDm0jdhpIaKCriuPxVYlOS5K+YPWv0AYJo2 tDGzuYAkgii1QVuxlhb3WhcNSVM6evg9Hg== X-Received: by 2002:a62:1943:0:b0:444:f894:e19d with SMTP id 64-20020a621943000000b00444f894e19dmr9580557pfz.36.1633087154700; Fri, 01 Oct 2021 04:19:14 -0700 (PDT) Received: from localhost.localdomain ([2400:2411:502:a100:82fa:5bff:fe4b:26b1]) by smtp.gmail.com with ESMTPSA id w12sm5689829pjf.27.2021.10.01.04.19.12 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 01 Oct 2021 04:19:14 -0700 (PDT) From: Masahisa Kojima To: u-boot@lists.denx.de Cc: Heinrich Schuchardt , Ilias Apalodimas , Masahisa Kojima , Alexander Graf Subject: [PATCH v3 3/3] efi_loader: add DeployedMode and AuditMode variable measurement Date: Fri, 1 Oct 2021 20:18:44 +0900 Message-Id: <20211001111844.7422-4-masahisa.kojima@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20211001111844.7422-1-masahisa.kojima@linaro.org> References: <20211001111844.7422-1-masahisa.kojima@linaro.org> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean This commit adds the DeployedMode and AuditMode variable measurement required in TCG PC Client PFP Spec. Signed-off-by: Masahisa Kojima --- Changes in v3: - read variable first, then mesure the variable lib/efi_loader/efi_tcg2.c | 50 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) -- 2.17.1 diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index 28e0362bf2..7fba4bc458 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -12,6 +12,7 @@ #include #include #include +#include #include #include #include @@ -1822,6 +1823,53 @@ out: return ret; } +/** + * tcg2_measure_deployed_audit_mode() - measure deployedmode and auditmode + * + * @dev: TPM device + * + * Return: status code + */ +static efi_status_t tcg2_measure_deployed_audit_mode(struct udevice *dev) +{ + u8 deployed_mode; + u8 audit_mode; + efi_uintn_t size; + efi_status_t ret; + u32 pcr_index; + + size = sizeof(deployed_mode); + ret = efi_get_variable_int(L"DeployedMode", &efi_global_variable_guid, + NULL, &size, &deployed_mode, NULL); + if (ret != EFI_SUCCESS) + return ret; + + size = sizeof(audit_mode); + ret = efi_get_variable_int(L"AuditMode", &efi_global_variable_guid, + NULL, &size, &audit_mode, NULL); + if (ret != EFI_SUCCESS) + return ret; + + pcr_index = (deployed_mode ? 1 : 7); + + ret = tcg2_measure_variable(dev, pcr_index, + EV_EFI_VARIABLE_DRIVER_CONFIG, + L"DeployedMode", + &efi_global_variable_guid, + size, &deployed_mode); + if (ret != EFI_SUCCESS) + return ret; + + + ret = tcg2_measure_variable(dev, pcr_index, + EV_EFI_VARIABLE_DRIVER_CONFIG, + L"AuditMode", + &efi_global_variable_guid, + size, &audit_mode); + + return ret; +} + /** * tcg2_measure_secure_boot_variable() - measure secure boot variables * @@ -1885,6 +1933,8 @@ static efi_status_t tcg2_measure_secure_boot_variable(struct udevice *dev) free(data); } + ret = tcg2_measure_deployed_audit_mode(dev); + error: return ret; }