From patchwork Tue Oct 26 08:27:24 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Masahisa Kojima
X-Patchwork-Id: 516164
From: Masahisa Kojima
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt, Ilias Apalodimas, Simon Glass, Masahisa Kojima, Alexander Graf, Bin Meng, Christian Gmeiner
Subject: [PATCH v4 1/4] efi_loader: add SMBIOS table measurement
Date: Tue, 26 Oct 2021 17:27:24 +0900
Message-Id: <20211026082727.23399-2-masahisa.kojima@linaro.org>
In-Reply-To: <20211026082727.23399-1-masahisa.kojima@linaro.org>
References: <20211026082727.23399-1-masahisa.kojima@linaro.org>

TCG PC Client Platform Firmware Profile Specification requires to measure the SMBIOS table that contains static configuration information (e.g. Platform Manufacturer Enterprise Number assigned by IANA, platform model number, Vendor and Device IDs for each SMBIOS table).

The device- and environment-dependent information such as serial number is cleared to zero or space character for the measurement.

Existing smbios_string() function returns pointer to the string with const qualifier, but existing use case is updating version string and const qualifier must be removed. This commit removes const qualifier from smbios_string() return value and reuses to clear the strings for the measurement.

This commit also fixes the following compiler warning:

lib/smbios-parser.c:59:39: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
  const struct smbios_header *header = (struct smbios_header *)entry->struct_table_address;
Signed-off-by: Masahisa Kojima
---
Changes in v4:
- update commit message

Changes in v3:
- TCG spec says EV_SEPARATOR must be the last, swap the order of measurement

Changes in v2:
- use flexible array for table_entry field
- modify function name to find_smbios_table()
- remove unnecessary const qualifier from smbios_string()
- create non-const version of next_header()

 include/efi_loader.h          |   2 +
 include/efi_tcg2.h            |  15 ++++
 include/smbios.h              |  17 +++-
 lib/efi_loader/Kconfig        |   1 +
 lib/efi_loader/efi_boottime.c |   2 +
 lib/efi_loader/efi_smbios.c   |   2 -
 lib/efi_loader/efi_tcg2.c     |  84 +++++++++++++++++++
 lib/smbios-parser.c           | 152 +++++++++++++++++++++++++++++++---
 8 files changed, 261 insertions(+), 14 deletions(-)

--
2.17.1

Reviewed-by: Simon Glass

diff --git a/include/efi_loader.h b/include/efi_loader.h index f6d65a6c0c..d0433ea52e 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -308,6 +308,8 @@ extern const efi_guid_t efi_guid_capsule_report; extern const efi_guid_t efi_guid_firmware_management_protocol; /* GUID for the ESRT */ extern const efi_guid_t efi_esrt_guid; +/* GUID of the SMBIOS table */ +extern const efi_guid_t smbios_guid; extern char __efi_runtime_start[], __efi_runtime_stop[]; extern char __efi_runtime_rel_start[], __efi_runtime_rel_stop[]; diff --git a/include/efi_tcg2.h b/include/efi_tcg2.h index 8f02d4fb0b..ca66695b39 100644 --- a/include/efi_tcg2.h +++ b/include/efi_tcg2.h 
@@ -210,6 +210,21 @@ struct efi_tcg2_uefi_variable_data { u8 variable_data[1]; }; +/** + * struct tdUEFI_HANDOFF_TABLE_POINTERS2 - event log structure of SMBOIS tables + * @table_description_size: size of table description + * @table_description: table description + * @number_of_tables: number of uefi configuration table + * @table_entry: uefi configuration table entry + */ +#define SMBIOS_HANDOFF_TABLE_DESC "SmbiosTable" +struct smbios_handoff_table_pointers2 { + u8 table_description_size; + u8 table_description[sizeof(SMBIOS_HANDOFF_TABLE_DESC)]; + u64 number_of_tables; + struct efi_configuration_table table_entry[]; +} __packed; + struct efi_tcg2_protocol { efi_status_t (EFIAPI * get_capability)(struct efi_tcg2_protocol *this, struct efi_tcg2_boot_service_capability *capability); diff --git a/include/smbios.h b/include/smbios.h index aa6b6f3849..acfcbfe2ca 100644 --- a/include/smbios.h +++ b/include/smbios.h @@ -260,9 +260,9 @@ const struct smbios_header *smbios_header(const struct smbios_entry *entry, int * * @header: pointer to struct smbios_header * @index: string index - * @return: NULL or a valid const char pointer + * @return: NULL or a valid char pointer */ -const char *smbios_string(const struct smbios_header *header, int index); +char *smbios_string(const struct smbios_header *header, int index); /** * smbios_update_version() - Update the version string 
@@ -292,4 +292,17 @@ int smbios_update_version(const char *version); */ int smbios_update_version_full(void *smbios_tab, const char *version); +/** + * smbios_prepare_measurement() - Update smbios table for the measurement + * + * TCG specification requires to measure static configuration information. + * This function clear the device dependent parameters such as + * serial number for the measurement. + * + * @entry: pointer to a struct smbios_entry + * @header: pointer to a struct smbios_header + */ +void smbios_prepare_measurement(const struct smbios_entry *entry, + struct smbios_header *header); + #endif /* _SMBIOS_H_ */ diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 06633e90a1..52f71c07c9 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -312,6 +312,7 @@ config EFI_TCG2_PROTOCOL select SHA384 select SHA512 select HASH + select SMBIOS_PARSER help Provide a EFI_TCG2_PROTOCOL implementation using the TPM hardware of the platform. diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/efi_boottime.c index 352c2db25a..973134b12d 100644 --- a/lib/efi_loader/efi_boottime.c +++ b/lib/efi_loader/efi_boottime.c @@ -86,6 +86,8 @@ const efi_guid_t efi_guid_event_group_reset_system = /* GUIDs of the Load File and Load File2 protocols */ const efi_guid_t efi_guid_load_file_protocol = EFI_LOAD_FILE_PROTOCOL_GUID; const efi_guid_t efi_guid_load_file2_protocol = EFI_LOAD_FILE2_PROTOCOL_GUID; +/* GUID of the SMBIOS table */ +const efi_guid_t smbios_guid = SMBIOS_TABLE_GUID; static efi_status_t EFIAPI efi_disconnect_controller( efi_handle_t controller_handle, diff --git a/lib/efi_loader/efi_smbios.c b/lib/efi_loader/efi_smbios.c index 2eb4cb1c1a..fc0b23397c 100644 --- a/lib/efi_loader/efi_smbios.c +++ b/lib/efi_loader/efi_smbios.c @@ -13,8 +13,6 @@ #include #include -static const efi_guid_t smbios_guid = SMBIOS_TABLE_GUID; - /* * Install the SMBIOS table as a configuration table. * 
diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index b6f8f9923d..da589d0197 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -15,6 +15,7 @@ #include #include #include +#include #include #include #include 
@@ -1452,6 +1453,81 @@ error: return ret; } +/** + * tcg2_measure_smbios() - measure smbios table + * + * @dev: TPM device + * @entry: pointer to the smbios_entry structure + * + * Return: status code + */ +static efi_status_t +tcg2_measure_smbios(struct udevice *dev, + const struct smbios_entry *entry) +{ + efi_status_t ret; + struct smbios_header *smbios_copy; + struct smbios_handoff_table_pointers2 *event = NULL; + u32 event_size; + + /* + * TCG PC Client PFP Spec says + * "SMBIOS structures that contain static configuration information + * (e.g. Platform Manufacturer Enterprise Number assigned by IANA, + * platform model number, Vendor and Device IDs for each SMBIOS table) + * that is relevant to the security of the platform MUST be measured". + * Device dependent parameters such as serial number are cleared to + * zero or spaces for the measurement. + */ + event_size = sizeof(struct smbios_handoff_table_pointers2) + + FIELD_SIZEOF(struct efi_configuration_table, guid) + + entry->struct_table_length; + event = calloc(1, event_size); + if (!event) { + ret = EFI_OUT_OF_RESOURCES; + goto out; + } + + event->table_description_size = sizeof(SMBIOS_HANDOFF_TABLE_DESC); + memcpy(event->table_description, SMBIOS_HANDOFF_TABLE_DESC, + sizeof(SMBIOS_HANDOFF_TABLE_DESC)); + put_unaligned_le64(1, &event->number_of_tables); + guidcpy(&event->table_entry[0].guid, &smbios_guid); + smbios_copy = (struct smbios_header *)((uintptr_t)&event->table_entry[0].table); + memcpy(&event->table_entry[0].table, + (void *)((uintptr_t)entry->struct_table_address), + entry->struct_table_length); + + smbios_prepare_measurement(entry, smbios_copy); + + ret = tcg2_measure_event(dev, 1, EV_EFI_HANDOFF_TABLES2, event_size, + (u8 *)event); + if (ret != EFI_SUCCESS) + goto out; + +out: + free(event); + + return ret; +} + +/** + * find_smbios_table() - find smbios table + * + * Return: pointer to the smbios table + */ +static void *find_smbios_table(void) +{ + u32 i; + + for (i = 0; i < 
systab.nr_tables; i++) { + if (!guidcmp(&smbios_guid, &systab.tables[i].guid)) + return systab.tables[i].table; + } + + return NULL; +} + /** * efi_tcg2_measure_efi_app_invocation() - measure efi app invocation * @@ -1463,6 +1539,7 @@ efi_status_t efi_tcg2_measure_efi_app_invocation(void) u32 pcr_index; struct udevice *dev; u32 event = 0; + struct smbios_entry *entry; if (tcg2_efi_app_invoked) return EFI_SUCCESS; @@ -1481,6 +1558,13 @@ efi_status_t efi_tcg2_measure_efi_app_invocation(void) if (ret != EFI_SUCCESS) goto out; + entry = (struct smbios_entry *)find_smbios_table(); + if (entry) { + ret = tcg2_measure_smbios(dev, entry); + if (ret != EFI_SUCCESS) + goto out; + } + for (pcr_index = 0; pcr_index <= 7; pcr_index++) { ret = tcg2_measure_event(dev, pcr_index, EV_SEPARATOR, sizeof(event), (u8 *)&event); diff --git a/lib/smbios-parser.c b/lib/smbios-parser.c index 34203f952c..2b9392936b 100644 --- a/lib/smbios-parser.c +++ b/lib/smbios-parser.c @@ -39,10 +39,8 @@ const struct smbios_entry *smbios_entry(u64 address, u32 size) return entry; } -static const struct smbios_header *next_header(const struct smbios_header *curr) +static u8 *find_next_header(u8 *pos) { - u8 *pos = ((u8 *)curr) + curr->length; - /* search for _double_ NULL bytes */ while (!((*pos == 0) && (*(pos + 1) == 0))) pos++; 
@@ -50,13 +48,27 @@ static const struct smbios_header *next_header(const struct smbios_header *curr) /* step behind the double NULL bytes */ pos += 2; - return (struct smbios_header *)pos; + return pos; +} + +static struct smbios_header *get_next_header(struct smbios_header *curr) +{ + u8 *pos = ((u8 *)curr) + curr->length; + + return (struct smbios_header *)find_next_header(pos); +} + +static const struct smbios_header *next_header(const struct smbios_header *curr) +{ + u8 *pos = ((u8 *)curr) + curr->length; + + return (struct smbios_header *)find_next_header(pos); } const struct smbios_header *smbios_header(const struct smbios_entry *entry, int type) { const unsigned int num_header = entry->struct_count; - const struct smbios_header *header = (struct smbios_header *)entry->struct_table_address; + const struct smbios_header *header = (struct smbios_header *)((uintptr_t)entry->struct_table_address); for (unsigned int i = 0; i < num_header; i++) { if (header->type == type) @@ -68,8 +80,8 @@ const struct smbios_header *smbios_header(const struct smbios_entry *entry, int return NULL; } -static const char *string_from_smbios_table(const struct smbios_header *header, - int idx) +static char *string_from_smbios_table(const struct smbios_header *header, + int idx) { unsigned int i = 1; u8 *pos; @@ -86,10 +98,10 @@ static const char *string_from_smbios_table(const struct smbios_header *header, pos++; } - return (const char *)pos; + return (char *)pos; } -const char *smbios_string(const struct smbios_header *header, int index) +char *smbios_string(const struct smbios_header *header, int index) { if (!header) return NULL; @@ -109,7 +121,7 @@ int smbios_update_version_full(void *smbios_tab, const char *version) if (!hdr) return log_msg_ret("tab", -ENOENT); bios = (struct smbios_type0 *)hdr; - ptr = (char *)smbios_string(hdr, bios->bios_ver); + ptr = smbios_string(hdr, bios->bios_ver); if (!ptr) return log_msg_ret("str", -ENOMEDIUM); 
@@ -132,3 +144,123 @@ int smbios_update_version_full(void *smbios_tab, const char *version) return 0; } + +struct smbios_filter_param { + u32 offset; + u32 size; + bool is_string; +}; + +struct smbios_filter_table { + int type; + struct smbios_filter_param *params; + u32 count; +}; + +struct smbios_filter_param smbios_type1_filter_params[] = { + {offsetof(struct smbios_type1, serial_number), + FIELD_SIZEOF(struct smbios_type1, serial_number), true}, + {offsetof(struct smbios_type1, uuid), + FIELD_SIZEOF(struct smbios_type1, uuid), false}, + {offsetof(struct smbios_type1, wakeup_type), + FIELD_SIZEOF(struct smbios_type1, wakeup_type), false}, +}; + +struct smbios_filter_param smbios_type2_filter_params[] = { + {offsetof(struct smbios_type2, serial_number), + FIELD_SIZEOF(struct smbios_type2, serial_number), true}, + {offsetof(struct smbios_type2, chassis_location), + FIELD_SIZEOF(struct smbios_type2, chassis_location), false}, +}; + +struct smbios_filter_param smbios_type3_filter_params[] = { + {offsetof(struct smbios_type3, serial_number), + FIELD_SIZEOF(struct smbios_type3, serial_number), true}, + {offsetof(struct smbios_type3, asset_tag_number), + FIELD_SIZEOF(struct smbios_type3, asset_tag_number), true}, +}; + +struct smbios_filter_param smbios_type4_filter_params[] = { + {offsetof(struct smbios_type4, serial_number), + FIELD_SIZEOF(struct smbios_type4, serial_number), true}, + {offsetof(struct smbios_type4, asset_tag), + FIELD_SIZEOF(struct smbios_type4, asset_tag), true}, + {offsetof(struct smbios_type4, part_number), + FIELD_SIZEOF(struct smbios_type4, part_number), true}, + {offsetof(struct smbios_type4, core_count), + FIELD_SIZEOF(struct smbios_type4, core_count), false}, + {offsetof(struct smbios_type4, core_enabled), + FIELD_SIZEOF(struct smbios_type4, core_enabled), false}, + {offsetof(struct smbios_type4, thread_count), + FIELD_SIZEOF(struct smbios_type4, thread_count), false}, + {offsetof(struct smbios_type4, core_count2), + FIELD_SIZEOF(struct 
smbios_type4, core_count2), false}, + {offsetof(struct smbios_type4, core_enabled2), + FIELD_SIZEOF(struct smbios_type4, core_enabled2), false}, + {offsetof(struct smbios_type4, thread_count2), + FIELD_SIZEOF(struct smbios_type4, thread_count2), false}, + {offsetof(struct smbios_type4, voltage), + FIELD_SIZEOF(struct smbios_type4, voltage), false}, +}; + +struct smbios_filter_table smbios_filter_tables[] = { + {SMBIOS_SYSTEM_INFORMATION, smbios_type1_filter_params, + ARRAY_SIZE(smbios_type1_filter_params)}, + {SMBIOS_BOARD_INFORMATION, smbios_type2_filter_params, + ARRAY_SIZE(smbios_type2_filter_params)}, + {SMBIOS_SYSTEM_ENCLOSURE, smbios_type3_filter_params, + ARRAY_SIZE(smbios_type3_filter_params)}, + {SMBIOS_PROCESSOR_INFORMATION, smbios_type4_filter_params, + ARRAY_SIZE(smbios_type4_filter_params)}, +}; + +static void clear_smbios_table(struct smbios_header *header, + struct smbios_filter_param *filter, + u32 count) +{ + u32 i; + char *str; + u8 string_id; + + for (i = 0; i < count; i++) { + if (filter[i].is_string) { + string_id = *((u8 *)header + filter[i].offset); + if (string_id == 0) /* string is empty */ + continue; + + str = smbios_string(header, string_id); + if (!str) + continue; + + /* string is cleared to space, keep '\0' terminator */ + memset(str, ' ', strlen(str)); + + } else { + memset((void *)((u8 *)header + filter[i].offset), + 0, filter[i].size); + } + } +} + +void smbios_prepare_measurement(const struct smbios_entry *entry, + struct smbios_header *smbios_copy) +{ + u32 i, j; + struct smbios_header *header; + + for (i = 0; i < ARRAY_SIZE(smbios_filter_tables); i++) { + header = smbios_copy; + for (j = 0; j < entry->struct_count; j++) { + if (header->type == smbios_filter_tables[i].type) + break; + + header = get_next_header(header); + } + if (j >= entry->struct_count) + continue; + + clear_smbios_table(header, + smbios_filter_tables[i].params, + smbios_filter_tables[i].count); + } +} From patchwork Tue Oct 26 08:27:25 2021 Content-Type: 
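Review bot: In the include/efi_tcg2.h hunk of patch 1/4, the kernel-doc header names struct tdUEFI_HANDOFF_TABLE_POINTERS2 while the structure it documents is struct smbios_handoff_table_pointers2, and the #define SMBIOS_HANDOFF_TABLE_DESC sits between the comment and the declaration, so the description does not attach to the struct. Use the C struct name in the comment title (the TCG name can go in the body), move the #define above the comment, and fix the "SMBOIS" typo.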
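Review bot: tcg2_measure_smbios() in lib/efi_loader/efi_tcg2.c uses entry->struct_table_address and entry->struct_table_length to size and fill the event without any sanity check in the lines shown, and the memcpy() destination is &event->table_entry[0].table, so the structure table is written over the pointer field and past the end of the declared array element. The size arithmetic (sizeof of the event struct plus FIELD_SIZEOF(..., guid) plus struct_table_length) only matches that copy when there is no padding between guid and table; sizing from offsetof(struct efi_configuration_table, table) and copying through a u8 pointer would make the intended layout explicit. The "if (ret != EFI_SUCCESS) goto out;" directly above the out: label has no effect and can be dropped.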
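Review bot: find_next_header() in lib/smbios-parser.c scans for a double NUL with no end pointer, and smbios_prepare_measurement() calls it up to entry->struct_count times on a copy that is exactly entry->struct_table_length bytes long. If struct_count and struct_table_length disagree, or the last structure is missing its terminator, the walk reads past the calloc()ed event buffer. Pass the end of the copy down to the walker and stop there. get_next_header() and next_header() also have identical bodies; one can be implemented in terms of the other.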
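Review bot: clear_smbios_table() in the block appended to lib/smbios-parser.c applies filter[i].offset without comparing it against header->length, so for a structure shorter than the U-Boot definition (for example a Type 4 entry without core_count2, core_enabled2 and thread_count2) the memset(), or the string_id read, lands in the string area or in the next structure. Skip any parameter where filter[i].offset + filter[i].size exceeds header->length. Two further points in the same block: smbios_prepare_measurement() breaks at the first structure of each type, so a second Type 4 entry keeps its serial number and asset tag in the measured data; and the smbios_type*_filter_params and smbios_filter_tables arrays are file-local lookup data that should be static const. The @header parameter documented in include/smbios.h is named smbios_copy in the definition.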
text/plain; charset="utf-8"
X-Patchwork-Submitter: Masahisa Kojima
X-Patchwork-Id: 516165
From: Masahisa Kojima
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt, Ilias Apalodimas, Simon Glass, Masahisa Kojima, Alexander Graf
Subject: [PATCH v4 2/4] efi_loader: add UEFI GPT measurement
Date: Tue, 26 Oct 2021 17:27:25 +0900
Message-Id: <20211026082727.23399-3-masahisa.kojima@linaro.org>
In-Reply-To: <20211026082727.23399-1-masahisa.kojima@linaro.org>
References: <20211026082727.23399-1-masahisa.kojima@linaro.org>

This commit adds the UEFI GPT disk partition topology measurement required in TCG PC Client Platform Firmware Profile Specification

Signed-off-by: Masahisa Kojima
---
Changes in v4:
- update commit message
- return EFI_SUCCESS if device path is NULL
- use memalign()

Changes in v3:
- EV_EFI_GPT_EVENT is measured before EV_SEPARATOR, same as other PCRs
- use PTR_ARRAY instead of ARRAY
- create sub-function of allocating io_aligned buffer
- move search_gpt_dp_node() into efi_device_path.c

 include/blk.h                    |   3 +
 include/efi_loader.h             |   3 +-
 include/efi_tcg2.h               |  12 +++
 lib/efi_loader/efi_boottime.c    |   2 +-
 lib/efi_loader/efi_device_path.c |  27 ++++++
 lib/efi_loader/efi_tcg2.c        | 146 ++++++++++++++++++++++++++++++-
 6 files changed, 190 insertions(+), 3 deletions(-)

--
2.17.1

diff --git a/include/blk.h b/include/blk.h index 19bab081c2..f0cc7ca1a2 100644 --- a/include/blk.h +++ b/include/blk.h @@ -45,6 +45,9 @@ enum if_type { #define BLK_PRD_SIZE 20 #define BLK_REV_SIZE 8 +#define PART_FORMAT_PCAT 0x1 +#define PART_FORMAT_GPT 0x2 + /* * Identifies the partition table type (ie. MBR vs GPT GUID) signature */ diff --git a/include/efi_loader.h b/include/efi_loader.h index d0433ea52e..d52e399841 100644 
--- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -503,7 +503,7 @@ efi_status_t efi_init_variables(void); void efi_variables_boot_exit_notify(void); efi_status_t efi_tcg2_notify_exit_boot_services_failed(void); /* Measure efi application invocation */ -efi_status_t efi_tcg2_measure_efi_app_invocation(void); +efi_status_t efi_tcg2_measure_efi_app_invocation(struct efi_loaded_image_obj *handle); /* Measure efi application exit */ efi_status_t efi_tcg2_measure_efi_app_exit(void); /* Called by bootefi to initialize root node */ @@ -847,6 +847,7 @@ struct efi_device_path *efi_dp_from_lo(struct efi_load_option *lo, const efi_guid_t *guid); struct efi_device_path *efi_dp_concat(const struct efi_device_path *dp1, const struct efi_device_path *dp2); +struct efi_device_path *search_gpt_dp_node(struct efi_device_path *device_path); efi_status_t efi_deserialize_load_option(struct efi_load_option *lo, u8 *data, efi_uintn_t *size); unsigned long efi_serialize_load_option(struct efi_load_option *lo, u8 **data); diff --git a/include/efi_tcg2.h b/include/efi_tcg2.h index ca66695b39..50a59f9263 100644 --- a/include/efi_tcg2.h +++ b/include/efi_tcg2.h @@ -225,6 +225,18 @@ struct smbios_handoff_table_pointers2 { struct efi_configuration_table table_entry[]; } __packed; +/** + * struct tdUEFI_GPT_DATA - event log structure of industry standard tables + * @uefi_partition_header: gpt partition header + * @number_of_partitions: the number of partition + * @partitions: partition entries + */ +struct efi_gpt_data { + gpt_header uefi_partition_header; + u64 number_of_partitions; + gpt_entry partitions[]; +} __packed; + struct efi_tcg2_protocol { efi_status_t (EFIAPI * get_capability)(struct efi_tcg2_protocol *this, struct efi_tcg2_boot_service_capability *capability); diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/efi_boottime.c index 973134b12d..1823990d9b 100644 --- a/lib/efi_loader/efi_boottime.c +++ b/lib/efi_loader/efi_boottime.c 
@@ -3004,7 +3004,7 @@ efi_status_t EFIAPI efi_start_image(efi_handle_t image_handle, if (IS_ENABLED(CONFIG_EFI_TCG2_PROTOCOL)) { if (image_obj->image_type == IMAGE_SUBSYSTEM_EFI_APPLICATION) { - ret = efi_tcg2_measure_efi_app_invocation(); + ret = efi_tcg2_measure_efi_app_invocation(image_obj); if (ret != EFI_SUCCESS) { log_warning("tcg2 measurement fails(0x%lx)\n", ret); diff --git a/lib/efi_loader/efi_device_path.c b/lib/efi_loader/efi_device_path.c index c04439d16d..735ed0bd0f 100644 --- a/lib/efi_loader/efi_device_path.c +++ b/lib/efi_loader/efi_device_path.c @@ -1239,3 +1239,30 @@ efi_device_path *efi_dp_from_lo(struct efi_load_option *lo, return NULL; } + +/** + * search_gpt_dp_node() - search gpt device path node + * + * @device_path: device path + * + * Return: pointer to the gpt device path node + */ +struct efi_device_path *search_gpt_dp_node(struct efi_device_path *device_path) +{ + struct efi_device_path *dp = device_path; + + while (dp) { + if (dp->type == DEVICE_PATH_TYPE_MEDIA_DEVICE && + dp->sub_type == DEVICE_PATH_SUB_TYPE_HARD_DRIVE_PATH) { + struct efi_device_path_hard_drive_path *hd_dp = + (struct efi_device_path_hard_drive_path *)dp; + + if (hd_dp->partmap_type == PART_FORMAT_GPT && + hd_dp->signature_type == SIG_TYPE_GUID) + return dp; + } + dp = efi_dp_next(dp); + } + + return NULL; +} diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index da589d0197..377b138855 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c 
@@ -1528,12 +1528,152 @@ static void *find_smbios_table(void) return NULL; } +/** + * tcg2_measure_gpt_table() - measure gpt table + * + * @dev: TPM device + * @loaded_image: handle to the loaded image + * + * Return: status code + */ +static efi_status_t +tcg2_measure_gpt_data(struct udevice *dev, + struct efi_loaded_image_obj *loaded_image) +{ + efi_status_t ret; + efi_handle_t handle; + struct efi_handler *dp_handler; + struct efi_device_path *orig_device_path; + struct efi_device_path *device_path; + struct efi_device_path *dp; + struct efi_block_io *block_io; + struct efi_gpt_data *event; + efi_guid_t null_guid = NULL_GUID; + gpt_header *gpt_h; + gpt_entry *entry; + gpt_entry *gpt_e; + u32 num_of_valid_entry = 0; + u32 event_size; + u32 i; + u32 total_gpt_entry_size; + + ret = efi_search_protocol(&loaded_image->header, + &efi_guid_loaded_image_device_path, + &dp_handler); + if (ret != EFI_SUCCESS) + return ret; + + orig_device_path = dp_handler->protocol_interface; + if (!orig_device_path) /* no device path, skip GPT measurement */ + return EFI_SUCCESS; + + device_path = efi_dp_dup(orig_device_path); + if (!device_path) + return EFI_OUT_OF_RESOURCES; + + dp = search_gpt_dp_node(device_path); + if (!dp) { + /* no GPT device path node found, skip GPT measurement */ + ret = EFI_SUCCESS; + goto out1; + } + + /* read GPT header */ + dp->type = DEVICE_PATH_TYPE_END; + dp->sub_type = DEVICE_PATH_SUB_TYPE_END; + dp = device_path; + ret = EFI_CALL(systab.boottime->locate_device_path(&efi_block_io_guid, + &dp, &handle)); + if (ret != EFI_SUCCESS) + goto out1; + + ret = EFI_CALL(efi_handle_protocol(handle, + &efi_block_io_guid, (void **)&block_io)); + if (ret != EFI_SUCCESS) + goto out1; + + gpt_h = memalign(block_io->media->io_align, block_io->media->block_size); + if (!gpt_h) { + ret = EFI_OUT_OF_RESOURCES; + goto out2; + } + + ret = block_io->read_blocks(block_io, block_io->media->media_id, 1, + block_io->media->block_size, gpt_h); + if (ret != EFI_SUCCESS) + goto 
out2; + + /* read GPT entry */ + total_gpt_entry_size = gpt_h->num_partition_entries * + gpt_h->sizeof_partition_entry; + entry = memalign(block_io->media->io_align, total_gpt_entry_size); + if (!entry) { + ret = EFI_OUT_OF_RESOURCES; + goto out2; + } + + ret = block_io->read_blocks(block_io, block_io->media->media_id, + gpt_h->partition_entry_lba, + total_gpt_entry_size, entry); + if (ret != EFI_SUCCESS) + goto out2; + + /* count valid GPT entry */ + gpt_e = entry; + for (i = 0; i < gpt_h->num_partition_entries; i++) { + if (guidcmp(&null_guid, &gpt_e->partition_type_guid)) + num_of_valid_entry++; + + gpt_e = (gpt_entry *)((u8 *)gpt_e + gpt_h->sizeof_partition_entry); + } + + /* prepare event data for measurement */ + event_size = sizeof(struct efi_gpt_data) + + (num_of_valid_entry * gpt_h->sizeof_partition_entry); + event = calloc(1, event_size); + if (!event) { + ret = EFI_OUT_OF_RESOURCES; + goto out2; + } + memcpy(event, gpt_h, sizeof(gpt_header)); + put_unaligned_le64(num_of_valid_entry, &event->number_of_partitions); + + /* copy valid GPT entry */ + gpt_e = entry; + num_of_valid_entry = 0; + for (i = 0; i < gpt_h->num_partition_entries; i++) { + if (guidcmp(&null_guid, &gpt_e->partition_type_guid)) { + memcpy((u8 *)event->partitions + + (num_of_valid_entry * gpt_h->sizeof_partition_entry), + gpt_e, gpt_h->sizeof_partition_entry); + num_of_valid_entry++; + } + + gpt_e = (gpt_entry *)((u8 *)gpt_e + gpt_h->sizeof_partition_entry); + } + + ret = tcg2_measure_event(dev, 5, EV_EFI_GPT_EVENT, event_size, (u8 *)event); + if (ret != EFI_SUCCESS) + goto out2; + +out2: + EFI_CALL(efi_close_protocol((efi_handle_t)block_io, &efi_block_io_guid, + NULL, NULL)); + free(gpt_h); + free(entry); + free(event); +out1: + efi_free_pool(device_path); + + return ret; +} + /** * efi_tcg2_measure_efi_app_invocation() - measure efi app invocation * * Return: status code */ -efi_status_t efi_tcg2_measure_efi_app_invocation(void) +efi_status_t efi_tcg2_measure_efi_app_invocation(struct 
efi_loaded_image_obj *handle) { efi_status_t ret; u32 pcr_index; 
@@ -1565,6 +1705,10 @@ efi_status_t efi_tcg2_measure_efi_app_invocation(void) goto out; } + ret = tcg2_measure_gpt_data(dev, handle); + if (ret != EFI_SUCCESS) + goto out; + for (pcr_index = 0; pcr_index <= 7; pcr_index++) { ret = tcg2_measure_event(dev, pcr_index, EV_SEPARATOR, sizeof(event), (u8 *)&event); From patchwork Tue Oct 26 08:27:26 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Masahisa Kojima X-Patchwork-Id: 516166 Delivered-To: patch@linaro.org Received: by 2002:ac0:c404:0:0:0:0:0 with SMTP id t4csp46932imj; Tue, 26 Oct 2021 01:26:56 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwN1Rl78S0eqSPPJuGz5xIQ6FgDmpa95A+c4MMAlZh04foxK6HnRAUK4KDy1sPjWBlLp9Tu X-Received: by 2002:a17:906:a1da:: with SMTP id bx26mr29450354ejb.558.1635236815894; Tue, 26 Oct 2021 01:26:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1635236815; cv=none; d=google.com; s=arc-20160816; b=cPXMM4Sau41muuO4YILWjPVpUvxEE+67lxseNKrFfI4/DYut/tAs47BnyMtQql3rLT v0lG4wHJXKo6BKI+W0YQwwZbR65itBdYgSP25DQoxuYPMbrAv3ZvsSz0+8lWl8zaXGXB PopMTVv31C1cjjCU5ZF+ew28bKx7DPXNSGHYneEPdBFDOQgFtMczYNds/+0CGc4wZlJN +Zp894TRn+X/h+5mOfNFGSZyNXcxWfL4PoYEH9tzJ23dWk52fWS++wFh23RMTyoJYssv kHJsoaHtfz+lMWxtPOJ0Kqe0ZPcDCv/R6lNgLgfkSQlwLbSwI1mjHj4YGYDaKQ3UZ2PO OPog== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:references:in-reply-to :message-id:date:subject:cc:to:from:dkim-signature; bh=Qw8Hbqrw+E94UNqpVogZ1vVn0O9Hd6wqsCQPKRgBNX0=; b=saFtqoDlbVkJW15PWCV+qlrx0B3Zq1Xkao3w84eBOHSyEPNsZxnMH0UQZ/tMUXCZcb fcrJHZQXA9OK+8VEqRDdV5fedsPPl/islZ4ZDN+HVSfMrU93jbPpQBwqaOn8HRzV5K1S qah+XjR4p+r1h7QZjueX4u8bxZR65XMqQ1go8n18k7OKqQTmP59fWx3SI5C0h/sgeRYh FQQ7TTV9M9qqWY4khz8zJ5SVLsbtf2dVHoAHgFmyTDSh0d/KXNCZXU+xiFzghIuPlOiz k48EgNvhMZz8/ujlVrQ898FcIMeOH/0V+ihO08T7qqvUvSaHGzn7FoEAIvwxPuSj22B5 QAVg== ARC-Authentication-Results: i=1; 
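Review bot: In the include/efi_tcg2.h hunk, the kernel-doc header names `struct tdUEFI_GPT_DATA` while the structure being added is `struct efi_gpt_data`, and its summary ("event log structure of industry standard tables") does not describe GPT data. Rename the doc header to match the declaration and describe it as the event data of the GPT measurement. The `@number_of_partitions` line should also say that it counts the entries stored in `partitions[]`, since tcg2_measure_gpt_data() copies only the entries whose type GUID is not the null GUID.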
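Review bot: In the lib/efi_loader/efi_device_path.c hunk, `search_gpt_dp_node()` becomes a global symbol declared in include/efi_loader.h without the `efi_dp_` prefix that the declarations next to it carry (`efi_dp_from_lo`, `efi_dp_concat`). Give it a prefixed name so it does not pollute the global namespace, and extend the `Return:` line of its kernel-doc to state that NULL is returned when the path has no GPT hard drive node, because the caller in tcg2_measure_gpt_data() depends on that case to skip the measurement.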
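Review bot: In tcg2_measure_gpt_data(), `gpt_h`, `entry` and `event` are declared without initializers, yet every `goto out2` ends in `free(gpt_h); free(entry); free(event);`, so a failed `memalign()` or `read_blocks()` frees pointers that were never assigned; initialize all three to NULL. The same label passes `(efi_handle_t)block_io` to `efi_close_protocol()`, although the protocol was obtained from `handle`, which is what should be closed. `num_partition_entries`, `sizeof_partition_entry` and `partition_entry_lba` are used exactly as read from LBA 1, with no signature or CRC check, and `total_gpt_entry_size` and `event_size` are u32 products that can wrap, after which the counting and copy loops walk past the `entry` allocation. Validate the header and bound both fields before allocating, and fix the kernel-doc name, which says `tcg2_measure_gpt_table()` for a function called `tcg2_measure_gpt_data()`.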
cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 26 Oct 2021 01:26:21 -0700 (PDT) From: Masahisa Kojima To: u-boot@lists.denx.de Cc: Heinrich Schuchardt , Ilias Apalodimas , Simon Glass , Masahisa Kojima , Alexander Graf Subject: [PATCH v4 3/4] efi_loader: simplify tcg2_measure_secure_boot_variable() Date: Tue, 26 Oct 2021 17:27:26 +0900 Message-Id: <20211026082727.23399-4-masahisa.kojima@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20211026082727.23399-1-masahisa.kojima@linaro.org> References: <20211026082727.23399-1-masahisa.kojima@linaro.org> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean This commit simplifies tcg2_measure_secure_boot_variable() using secure_variables table. Signed-off-by: Masahisa Kojima --- Newly added in v4 lib/efi_loader/efi_tcg2.c | 60 ++++++++++++--------------------------- 1 file changed, 18 insertions(+), 42 deletions(-) -- 2.17.1 diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index 377b138855..6545ec9e79 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -81,12 +81,19 @@ static const struct digest_info hash_algo_list[] = { }, }; -static const u16 *secure_variables[] = { - u"SecureBoot", - u"PK", - u"KEK", - u"db", - u"dbx", +struct variable_info { + const u16 *name; + bool accept_empty; +}; + +static struct variable_info secure_variables[] = { + {u"SecureBoot", true}, + {u"PK", true}, + {u"KEK", true}, + {u"db", true}, + {u"dbx", true}, + {u"dbt", false}, + {u"dbr", false}, }; #define MAX_HASH_COUNT ARRAY_SIZE(hash_algo_list) 
@@ -1820,52 +1827,21 @@ static efi_status_t tcg2_measure_secure_boot_variable(struct udevice *dev) for (i = 0; i < count; i++) { const efi_guid_t *guid; - guid = efi_auth_var_get_guid(secure_variables[i]); + guid = efi_auth_var_get_guid(secure_variables[i].name); - /* - * According to the TCG2 PC Client PFP spec, "SecureBoot", - * "PK", "KEK", "db" and "dbx" variables must be measured - * even if they are empty. - */ - data = efi_get_var(secure_variables[i], guid, &data_size); + data = efi_get_var(secure_variables[i].name, guid, &data_size); + if (!data && !secure_variables[i].accept_empty) + continue; ret = tcg2_measure_variable(dev, 7, EV_EFI_VARIABLE_DRIVER_CONFIG, - secure_variables[i], guid, + secure_variables[i].name, guid, data_size, data); free(data); if (ret != EFI_SUCCESS) goto error; } - /* - * TCG2 PC Client PFP spec says "dbt" and "dbr" are - * measured if present and not empty. - */ - data = efi_get_var(L"dbt", - &efi_guid_image_security_database, - &data_size); - if (data) { - ret = tcg2_measure_variable(dev, 7, - EV_EFI_VARIABLE_DRIVER_CONFIG, - L"dbt", - &efi_guid_image_security_database, - data_size, data); - free(data); - } - - data = efi_get_var(L"dbr", - &efi_guid_image_security_database, - &data_size); - if (data) { - ret = tcg2_measure_variable(dev, 7, - EV_EFI_VARIABLE_DRIVER_CONFIG, - L"dbr", - &efi_guid_image_security_database, - data_size, data); - free(data); - } - error: return ret; } From patchwork Tue Oct 26 08:27:27 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Masahisa Kojima X-Patchwork-Id: 516167 Delivered-To: patch@linaro.org Received: by 2002:ac0:c404:0:0:0:0:0 with SMTP id t4csp47022imj; Tue, 26 Oct 2021 01:27:05 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxCfSCdvzShvwzrHdj5OC6cs7ogCTGi3LRUeXaS0GjBzMQK/uwy5J/Vl7RlWMj12lV6bVKk X-Received: by 2002:a17:907:8a20:: with SMTP id sc32mr25046063ejc.134.1635236825508; Tue, 26 Oct 2021 01:27:05 -0700 (PDT) ARC-Seal: 
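Review bot: In the first lib/efi_loader/efi_tcg2.c hunk, `secure_variables[]` loses its `const` (`static struct variable_info secure_variables[]`) although nothing in this patch writes to the table. Keep it `static const struct variable_info`, and give `struct variable_info` a kernel-doc comment saying that `accept_empty` marks variables that are measured even when they are absent or empty. That is the rule the two TCG2 PC Client PFP comments removed in the next hunk used to record, and after this patch it is documented nowhere.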
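Review bot: In the loop of tcg2_measure_secure_boot_variable(), "dbt" and "dbr" now take their GUID from `efi_auth_var_get_guid(secure_variables[i].name)`, where the removed code passed `&efi_guid_image_security_database` explicitly. The patch does not show that the helper returns that GUID for these two names; please confirm it, because with a different GUID `efi_get_var()` returns NULL and the new `continue` drops the measurement without any log message. The change is also more than a simplification: a failure while measuring dbt or dbr now reaches `goto error`, while the old code did not check `ret` between the two calls, so the commit message should mention the behavior change.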
From: Masahisa Kojima To: u-boot@lists.denx.de Cc: Heinrich Schuchardt , Ilias Apalodimas , Simon Glass , Masahisa Kojima , Alexander Graf Subject: [PATCH v4 4/4] efi_loader: add DeployedMode and AuditMode variable measurement Date: Tue, 26 Oct 2021 17:27:27 +0900 Message-Id: <20211026082727.23399-5-masahisa.kojima@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20211026082727.23399-1-masahisa.kojima@linaro.org> References: <20211026082727.23399-1-masahisa.kojima@linaro.org> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean This commit adds the DeployedMode and AuditMode variable measurement required in TCG PC Client Platform Firmware Profile Specification. Signed-off-by: Masahisa Kojima --- Changes in v4: - use table and loop - update commit message Changes in v3: - read variable first, then mesure the variable lib/efi_loader/efi_tcg2.c | 33 +++++++++++++++++++++++++-------- 1 file changed, 25 insertions(+), 8 deletions(-) -- 2.17.1 diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index 6545ec9e79..6f0f36394a 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -84,16 +84,19 @@ static const struct digest_info hash_algo_list[] = { struct variable_info { const u16 *name; bool accept_empty; + u32 pcr_index; }; static struct variable_info secure_variables[] = { - {u"SecureBoot", true}, - {u"PK", true}, - {u"KEK", true}, - {u"db", true}, - {u"dbx", true}, - {u"dbt", false}, - {u"dbr", false}, + {u"SecureBoot", true, 7}, + {u"PK", true, 7}, + {u"KEK", true, 7}, + {u"db", true, 7}, + {u"dbx", true, 7}, + {u"dbt", false, 7}, + {u"dbr", false, 7}, + {u"DeployedMode", false, 1}, + {u"AuditMode", false, 1}, }; #define MAX_HASH_COUNT ARRAY_SIZE(hash_algo_list) 
@@ -1822,6 +1825,15 @@ static efi_status_t tcg2_measure_secure_boot_variable(struct udevice *dev) efi_uintn_t data_size; u32 count, i; efi_status_t ret; + u8 deployed_mode; + efi_uintn_t size; + u32 deployed_audit_pcr_index = 1; + + size = sizeof(deployed_mode); + ret = efi_get_variable_int(u"DeployedMode", &efi_global_variable_guid, + NULL, &size, &deployed_mode, NULL); + if (ret != EFI_SUCCESS || !deployed_mode) + deployed_audit_pcr_index = 7; count = ARRAY_SIZE(secure_variables); for (i = 0; i < count; i++) { @@ -1833,7 +1845,12 @@ static efi_status_t tcg2_measure_secure_boot_variable(struct udevice *dev) if (!data && !secure_variables[i].accept_empty) continue; - ret = tcg2_measure_variable(dev, 7, + if (u16_strcmp(u"DeployedMode", secure_variables[i].name)) + secure_variables[i].pcr_index = deployed_audit_pcr_index; + if (u16_strcmp(u"AuditMode", secure_variables[i].name)) + secure_variables[i].pcr_index = deployed_audit_pcr_index; + + ret = tcg2_measure_variable(dev, secure_variables[i].pcr_index, EV_EFI_VARIABLE_DRIVER_CONFIG, secure_variables[i].name, guid, data_size, data);
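Review bot: The two tests added in the loop, `if (u16_strcmp(u"DeployedMode", secure_variables[i].name))` and its AuditMode twin, are true when the names differ, because `u16_strcmp()` returns non-zero on a mismatch. Every table entry differs from at least one of the two strings, so SecureBoot, PK, KEK, db, dbx, dbt and dbr all have `pcr_index` overwritten with `deployed_audit_pcr_index`, and when DeployedMode is set they are extended into PCR 1 instead of PCR 7. Test with `!u16_strcmp(...)`, and compute the index in a local variable per iteration rather than writing into the static table, so the table can be const and the `1` given for DeployedMode and AuditMode in the first hunk is not a value that is always replaced at run time.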