From patchwork Wed May 12 06:59:46 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Masahisa Kojima X-Patchwork-Id: 435460 Delivered-To: patch@linaro.org Received: by 2002:a02:c901:0:0:0:0:0 with SMTP id t1csp4558360jao; Wed, 12 May 2021 00:00:42 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyOXOACIhEUkf508YVgJObN5MnFJQEBmeIa82G1H+e6Th6S1BBbZdshyDj4ye7I8vYpxVzm X-Received: by 2002:a05:6402:11ca:: with SMTP id j10mr41645450edw.184.1620802841912; Wed, 12 May 2021 00:00:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620802841; cv=none; d=google.com; s=arc-20160816; b=u8MGX5lNVgdY8aUIqR+fk8GhdEAX/TG7kvqZ0UUJDGAXKCmq1uMThf3F0iUTucCwlB LmpfCVzfl8sw2sn10odVqOuNHEaem/Wv7joWqFIYDRivJGRM5pIAuyKilEPoZ/3LowX5 yUZLV6QrrfjPZaiLlxwi3n5Ku24wv3JrowTf+oJblpBcvcOw448AtYXCB1atap6xMJyl KSQnWOzqe4dc1e8FUS9KEqhryMmolo9KybwfdtsE+wpqFM4SDA9v5XcxZFGa6X+sD34D qiQhIBNTMcL0mZ2mEEkThysnpDkfxjiyX94FXKQH3kNGF5gfdjpDhUhPhLUim4mE6Pwf TRSQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:references:in-reply-to :message-id:date:subject:cc:to:from:dkim-signature; bh=WIkOYvCyCLku8aweKHUky96KQwyTuf7xt3PToLNMxXY=; b=X63xK5NWpc42s6xv0fiuwD4hfDzLjbzW7/MSw9Fim59CirNI6tgL+O2E5/c2/JfCHv 9f3CIMUa1bnLlNTsefIqXJgarSyp43NeVf2d+Er3gbjb2ljUn8JfG2djuPTpSl4BtcQZ ZGXQUZUrFTJTNgwWvRqMolJfgwdXdOhpK2plR1uK5670l7ko3dJQDLLwmJ2S9EeMw9KJ /DvTzA5FvNVoKU8KTGijHd1bSPY29RaU8dzbx0/ebnWZqdFoH0OZeOatG27u1QIur+9d v6hnKQ8ecuk98KAVP5VVUDWFtcENDOoFQfCcmWmEFL6idkUdQvcbcLYCwaYWKDdxTP9N fcQQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=pDDnopGf; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [2a01:238:438b:c500:173d:9f52:ddab:ee01]) by mx.google.com with ESMTPS id y23si19270814edu.555.2021.05.12.00.00.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 12 May 2021 00:00:41 -0700 (PDT) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=pDDnopGf; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 93E8D82D50; Wed, 12 May 2021 09:00:28 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="pDDnopGf"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id D846282D4B; Wed, 12 May 2021 09:00:25 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pl1-x635.google.com (mail-pl1-x635.google.com [IPv6:2607:f8b0:4864:20::635]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 858F482AE7 for ; Wed, 12 May 2021 09:00:12 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=masahisa.kojima@linaro.org Received: by mail-pl1-x635.google.com with SMTP id n16so12033154plf.7 for ; Wed, 12 May 2021 00:00:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=WIkOYvCyCLku8aweKHUky96KQwyTuf7xt3PToLNMxXY=; b=pDDnopGfMRvISTTvcRlubTlnxOX2kmF/VB0wW4d/tlWSdXDtsvt/HQzP23HO2KKNTR O4Rptehg7ZtuaRzwubWB1UBKS+yjef5uLQ9GaOPLZStR7uzdCxosmtmXDi1qgU9rNwGm RqBr+NuFL2qMK49BbbMp8BbiJtwbFVEM3nHgqTI+7CceZqg4R9w2/LZfMVHJgUDO0bad 4uq+Bn3ZCbwEeWxRDnUVozEA/KogOyHAX8fhw6J9i+9J8BHRonY2f/3zMtHH1TQLgjfC 6FQbt9Xk2aWpgC0xs9ckeOLoZtW8vmdxxzyP4qo+Rl27Nuo7yOV+MUks92Tz/sU4R1JT 95Ow== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=WIkOYvCyCLku8aweKHUky96KQwyTuf7xt3PToLNMxXY=; b=NvoQUTYbXyLOOSfVNHqCgh5Yzw6+s9cVfR3jlJFey0KiadjgH8aTazgtqVx7KDhaBM kMSxLuK0ksk2XynMSlUOdmTCQYw1pnaTBtIpRjw11exH/D30+hkiyAO3TJsD3Ak3pCrX NBcESmFglrFvZlJYyfCrLlE0slN2GNyWYYYHWzebp7oyNoMu3/XKezr02SsuHSxE+pl4 BiONoK1zHIghI0Z51XFQUSKB5n9H38nlxlJbNe7FZtiz1DvWPwNtzVtjiY4a4t0jP7WJ GHwd/Iu1g+nLGf82DNvReUfSvGS2LglYlj86mQIGXlDs24SIHghllb0gQUqI6xg3kxkp 894Q== X-Gm-Message-State: AOAM532VVn1tT9EU1Zn38REPRD7L8jtQvDFr/1keuJLrvyT73L8CVN8m PcUKMZh7WlK5fO/jOTWSmRuj+Q== X-Received: by 2002:a17:902:ea0f:b029:ef:28a:c031 with SMTP id s15-20020a170902ea0fb02900ef028ac031mr28929750plg.49.1620802810970; Wed, 12 May 2021 00:00:10 -0700 (PDT) Received: from localhost.localdomain ([2400:2411:502:a100:82fa:5bff:fe4b:26b1]) by smtp.gmail.com with ESMTPSA id in16sm15956081pjb.14.2021.05.12.00.00.08 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 12 May 2021 00:00:10 -0700 (PDT) From: Masahisa Kojima To: Heinrich Schuchardt Cc: Alexander Graf , Simon Glass , Ilias Apalodimas , Masahisa Kojima , Dhananjay Phadke , Takahiro Akashi , u-boot@lists.denx.de Subject: [PATCH v4 2/3] efi_loader: add PE/COFF image measurement Date: Wed, 12 May 2021 15:59:46 +0900 Message-Id: <20210512065947.23998-3-masahisa.kojima@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210512065947.23998-1-masahisa.kojima@linaro.org> References: <20210512065947.23998-1-masahisa.kojima@linaro.org> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.4 at phobos.denx.de X-Virus-Status: Clean "TCG PC Client Platform Firmware Profile Specification" requires to measure every attempt to load and execute a OS Loader(a UEFI application) into PCR[4]. This commit adds the PE/COFF image measurement, extends PCR, and appends measurement into Event Log. Signed-off-by: Masahisa Kojima --- (no changes since v2) Changes in v2: - Remove duplicate include - Remove unnecessary __packed attribute - Add all EV_EFI_* event definition - Create common function to prepare 8-byte aligned image - Add measurement for EV_EFI_BOOT_SERVICES_DRIVER and EV_EFI_RUNTIME_SERVICES_DRIVER - Use efi_search_protocol() to get device_path - Add function comment include/efi_loader.h | 6 + include/efi_tcg2.h | 9 ++ include/tpm-v2.h | 18 +++ lib/efi_loader/efi_image_loader.c | 59 +++++++-- lib/efi_loader/efi_tcg2.c | 207 ++++++++++++++++++++++++++++-- 5 files changed, 275 insertions(+), 24 deletions(-) -- 2.17.1 Acked-by: Ilias Apalodimas Tested-by: Ilias Apalodimas diff --git a/include/efi_loader.h b/include/efi_loader.h index de1a496a97..9f2854a255 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -426,6 +426,10 @@ efi_status_t efi_disk_register(void); efi_status_t efi_rng_register(void); /* Called by efi_init_obj_list() to install EFI_TCG2_PROTOCOL */ efi_status_t efi_tcg2_register(void); +/* measure the pe-coff image, extend PCR and add Event Log */ +efi_status_t tcg2_measure_pe_image(void *efi, u64 efi_size, + struct efi_loaded_image_obj *handle, + struct efi_loaded_image *loaded_image_info); /* Create handles and protocols for the partitions of a block device */ int efi_disk_create_partitions(efi_handle_t parent, struct blk_desc *desc, const char *if_typename, int diskid, @@ -847,6 +851,8 @@ bool efi_secure_boot_enabled(void); bool efi_capsule_auth_enabled(void); +void *efi_prepare_aligned_image(void *efi, u64 *efi_size, void **new_efi); + bool efi_image_parse(void *efi, size_t len, struct efi_image_regions **regp, WIN_CERTIFICATE **auth, size_t *auth_len); diff --git a/include/efi_tcg2.h b/include/efi_tcg2.h index 40e241ce31..bcfb98168a 100644 --- a/include/efi_tcg2.h +++ b/include/efi_tcg2.h @@ -9,6 +9,7 @@ #if !defined _EFI_TCG2_PROTOCOL_H_ #define _EFI_TCG2_PROTOCOL_H_ +#include #include #define EFI_TCG2_PROTOCOL_GUID \ @@ -53,6 +54,14 @@ struct efi_tcg2_event { u8 event[]; } __packed; +struct uefi_image_load_event { + efi_physical_addr_t image_location_in_memory; + u64 image_length_in_memory; + u64 image_link_time_address; + u64 length_of_device_path; + struct efi_device_path device_path[]; +}; + struct efi_tcg2_boot_service_capability { u8 size; struct efi_tcg2_version structure_version; diff --git a/include/tpm-v2.h b/include/tpm-v2.h index 7de7d6a57d..247b386967 100644 --- a/include/tpm-v2.h +++ b/include/tpm-v2.h @@ -70,6 +70,24 @@ struct udevice; #define EV_TABLE_OF_DEVICES ((u32)0x0000000B) #define EV_COMPACT_HASH ((u32)0x0000000C) +/* + * event types, cf. + * "TCG PC Client Platform Firmware Profile Specification", Family "2.0" + * rev 1.04, June 3, 2019 + */ +#define EV_EFI_EVENT_BASE ((u32)0x80000000) +#define EV_EFI_VARIABLE_DRIVER_CONFIG ((u32)0x80000001) +#define EV_EFI_VARIABLE_BOOT ((u32)0x80000002) +#define EV_EFI_BOOT_SERVICES_APPLICATION ((u32)0x80000003) +#define EV_EFI_BOOT_SERVICES_DRIVER ((u32)0x80000004) +#define EV_EFI_RUNTIME_SERVICES_DRIVER ((u32)0x80000005) +#define EV_EFI_GPT_EVENT ((u32)0x80000006) +#define EV_EFI_ACTION ((u32)0x80000007) +#define EV_EFI_PLATFORM_FIRMWARE_BLOB ((u32)0x80000008) +#define EV_EFI_HANDOFF_TABLES ((u32)0x80000009) +#define EV_EFI_HCRTM_EVENT ((u32)0x80000010) +#define EV_EFI_VARIABLE_AUTHORITY ((u32)0x800000E0) + /* TPMS_TAGGED_PROPERTY Structure */ struct tpms_tagged_property { u32 property; diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c index fe1ee198e2..f37a85e56e 100644 --- a/lib/efi_loader/efi_image_loader.c +++ b/lib/efi_loader/efi_image_loader.c @@ -302,6 +302,40 @@ static int cmp_pe_section(const void *arg1, const void *arg2) return 1; } +/** + * efi_prepare_aligned_image() - prepare 8-byte aligned image + * @efi: pointer to the EFI binary + * @efi_size: size of @efi binary + * @new_efi: pointer to the newly allocated image + * + * If @efi is not 8-byte aligned, this function newly allocates + * the image buffer and updates @efi_size. + * + * Return: valid pointer to a image, return NULL if allocation fails. + */ +void *efi_prepare_aligned_image(void *efi, u64 *efi_size, void **new_efi) +{ + size_t new_efi_size; + void *p; + + /* + * Size must be 8-byte aligned and the trailing bytes must be + * zero'ed. Otherwise hash value may be incorrect. + */ + if (!IS_ALIGNED(*efi_size, 8)) { + new_efi_size = ALIGN(*efi_size, 8); + p = calloc(new_efi_size, 1); + if (!p) + return NULL; + memcpy(p, efi, *efi_size); + *efi_size = new_efi_size; + *new_efi = p; + return p; + } else { + return efi; + } +} + /** * efi_image_parse() - parse a PE image * @efi: Pointer to image @@ -561,7 +595,7 @@ static bool efi_image_authenticate(void *efi, size_t efi_size) struct efi_signature_store *db = NULL, *dbx = NULL; void *new_efi = NULL; u8 *auth, *wincerts_end; - size_t new_efi_size, auth_size; + size_t auth_size; bool ret = false; EFI_PRINT("%s: Enter, %d\n", __func__, ret); @@ -569,19 +603,9 @@ static bool efi_image_authenticate(void *efi, size_t efi_size) if (!efi_secure_boot_enabled()) return true; - /* - * Size must be 8-byte aligned and the trailing bytes must be - * zero'ed. Otherwise hash value may be incorrect. - */ - if (efi_size & 0x7) { - new_efi_size = (efi_size + 0x7) & ~0x7ULL; - new_efi = calloc(new_efi_size, 1); - if (!new_efi) - return false; - memcpy(new_efi, efi, efi_size); - efi = new_efi; - efi_size = new_efi_size; - } + efi = efi_prepare_aligned_image(efi, (u64 *)&efi_size, &new_efi); + if (!efi) + return false; if (!efi_image_parse(efi, efi_size, ®s, &wincerts, &wincerts_len)) { @@ -891,6 +915,13 @@ efi_status_t efi_load_pe(struct efi_loaded_image_obj *handle, goto err; } +#if CONFIG_IS_ENABLED(EFI_TCG2_PROTOCOL) + /* Measure an PE/COFF image */ + if (tcg2_measure_pe_image(efi, efi_size, handle, + loaded_image_info)) + log_err("PE image measurement failed\n"); +#endif + /* Copy PE headers */ memcpy(efi_reloc, efi, sizeof(*dos) diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index 94e8f22bbb..7ad9cb2b89 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -13,8 +13,10 @@ #include #include #include +#include #include #include +#include #include #include #include @@ -706,6 +708,183 @@ out: return EFI_EXIT(ret); } +/** + * tcg2_hash_pe_image() - calculate PE/COFF image hash + * + * @efi: pointer to the EFI binary + * @efi_size: size of @efi binary + * @digest_list: list of digest algorithms to extend + * + * Return: status code + */ +static efi_status_t tcg2_hash_pe_image(void *efi, u64 efi_size, + struct tpml_digest_values *digest_list) +{ + WIN_CERTIFICATE *wincerts = NULL; + size_t wincerts_len; + struct efi_image_regions *regs = NULL; + void *new_efi = NULL; + u8 hash[TPM2_SHA512_DIGEST_SIZE]; + efi_status_t ret; + u32 active; + int i; + + efi = efi_prepare_aligned_image(efi, &efi_size, &new_efi); + if (!efi) + return EFI_OUT_OF_RESOURCES; + + if (!efi_image_parse(efi, efi_size, ®s, &wincerts, + &wincerts_len)) { + log_err("Parsing PE executable image failed\n"); + ret = EFI_INVALID_PARAMETER; + goto out; + } + + ret = __get_active_pcr_banks(&active); + if (ret != EFI_SUCCESS) { + ret = EFI_DEVICE_ERROR; + goto out; + } + + digest_list->count = 0; + for (i = 0; i < MAX_HASH_COUNT; i++) { + u16 hash_alg = hash_algo_list[i].hash_alg; + + if (!(active & alg_to_mask(hash_alg))) + continue; + switch (hash_alg) { + case TPM2_ALG_SHA1: + hash_calculate("sha1", regs->reg, regs->num, hash); + break; + case TPM2_ALG_SHA256: + hash_calculate("sha256", regs->reg, regs->num, hash); + break; + case TPM2_ALG_SHA384: + hash_calculate("sha384", regs->reg, regs->num, hash); + break; + case TPM2_ALG_SHA512: + hash_calculate("sha512", regs->reg, regs->num, hash); + break; + default: + EFI_PRINT("Unsupported algorithm %x\n", hash_alg); + return EFI_INVALID_PARAMETER; + } + digest_list->digests[i].hash_alg = hash_alg; + memcpy(&digest_list->digests[i].digest, hash, (u32)alg_to_len(hash_alg)); + digest_list->count++; + } + +out: + free(new_efi); + free(regs); + + return ret; +} + +/** + * tcg2_measure_pe_image() - measure PE/COFF image + * + * @efi: pointer to the EFI binary + * @efi_size: size of @efi binary + * @handle: loaded image handle + * @loaded_image: loaded image protocol + * + * Return: status code + */ +efi_status_t tcg2_measure_pe_image(void *efi, u64 efi_size, + struct efi_loaded_image_obj *handle, + struct efi_loaded_image *loaded_image) +{ + struct tpml_digest_values digest_list; + efi_status_t ret; + struct udevice *dev; + u32 pcr_index, event_type, event_size; + struct uefi_image_load_event *image_load_event; + struct efi_device_path *device_path; + u32 device_path_length; + IMAGE_DOS_HEADER *dos; + IMAGE_NT_HEADERS32 *nt; + struct efi_handler *handler; + + ret = platform_get_tpm2_device(&dev); + if (ret != EFI_SUCCESS) + return ret; + + switch (handle->image_type) { + case IMAGE_SUBSYSTEM_EFI_APPLICATION: + pcr_index = 4; + event_type = EV_EFI_BOOT_SERVICES_APPLICATION; + break; + case IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER: + pcr_index = 2; + event_type = EV_EFI_BOOT_SERVICES_DRIVER; + break; + case IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER: + pcr_index = 2; + event_type = EV_EFI_RUNTIME_SERVICES_DRIVER; + break; + default: + return EFI_UNSUPPORTED; + } + + ret = tcg2_hash_pe_image(efi, efi_size, &digest_list); + if (ret != EFI_SUCCESS) + return ret; + + ret = tcg2_pcr_extend(dev, pcr_index, &digest_list); + if (ret != EFI_SUCCESS) + return ret; + + ret = EFI_CALL(efi_search_protocol(&handle->header, + &efi_guid_loaded_image_device_path, + &handler)); + if (ret != EFI_SUCCESS) + return ret; + + device_path = EFI_CALL(handler->protocol_interface); + device_path_length = efi_dp_size(device_path); + if (device_path_length > 0) { + /* add end node size */ + device_path_length += sizeof(struct efi_device_path); + } + event_size = sizeof(struct uefi_image_load_event) + device_path_length; + image_load_event = (struct uefi_image_load_event *)malloc(event_size); + if (!image_load_event) + return EFI_OUT_OF_RESOURCES; + + image_load_event->image_location_in_memory = (efi_physical_addr_t)efi; + image_load_event->image_length_in_memory = efi_size; + image_load_event->length_of_device_path = device_path_length; + + dos = (IMAGE_DOS_HEADER *)efi; + nt = (IMAGE_NT_HEADERS32 *)(efi + dos->e_lfanew); + if (nt->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) { + IMAGE_NT_HEADERS64 *nt64 = (IMAGE_NT_HEADERS64 *)nt; + + image_load_event->image_link_time_address = + nt64->OptionalHeader.ImageBase; + } else if (nt->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) { + image_load_event->image_link_time_address = + nt->OptionalHeader.ImageBase; + } else { + ret = EFI_INVALID_PARAMETER; + goto out; + } + + if (device_path_length > 0) { + memcpy(image_load_event->device_path, device_path, + device_path_length); + } + + ret = tcg2_agile_log_append(pcr_index, event_type, &digest_list, + event_size, (u8 *)image_load_event); + +out: + free(image_load_event); + + return ret; +} + /** * efi_tcg2_hash_log_extend_event() - extend and optionally log events * @@ -758,24 +937,32 @@ efi_tcg2_hash_log_extend_event(struct efi_tcg2_protocol *this, u64 flags, /* * if PE_COFF_IMAGE is set we need to make sure the image is not * corrupted, verify it and hash the PE/COFF image in accordance with - * the procedure specified in "Calculating the PE Image Hash" - * section of the "Windows Authenticode Portable Executable Signature + * the procedure specified in "Calculating the PE Image Hash" + * section of the "Windows Authenticode Portable Executable Signature * Format" - * Not supported for now */ if (flags & PE_COFF_IMAGE) { - ret = EFI_UNSUPPORTED; - goto out; - } + IMAGE_NT_HEADERS32 *nt; - pcr_index = efi_tcg_event->header.pcr_index; - event_type = efi_tcg_event->header.event_type; + ret = efi_check_pe((void *)data_to_hash, data_to_hash_len, + (void **)&nt); + if (ret != EFI_SUCCESS) { + log_err("Not a valid PE-COFF file\n"); + goto out; + } - ret = tcg2_create_digest((u8 *)data_to_hash, data_to_hash_len, - &digest_list); + ret = tcg2_hash_pe_image((void *)data_to_hash, data_to_hash_len, + &digest_list); + } else { + ret = tcg2_create_digest((u8 *)data_to_hash, data_to_hash_len, + &digest_list); + } if (ret != EFI_SUCCESS) goto out; + pcr_index = efi_tcg_event->header.pcr_index; + event_type = efi_tcg_event->header.event_type; + ret = tcg2_pcr_extend(dev, pcr_index, &digest_list); if (ret != EFI_SUCCESS) goto out;