From patchwork Fri Nov 26 11:53:01 2021
X-Patchwork-Submitter: Ruchika Gupta
X-Patchwork-Id: 519690
From: Ruchika Gupta
To: u-boot@lists.denx.de, ilias.apalodimas@linaro.org, xypron.glpk@gmx.de, agraf@csgraf.de, masahisa.kojima@linaro.org
Cc: Ruchika Gupta
Subject: [PATCH v7 3/3] efi_loader: Extend PCR's for firmware measurements
Date: Fri, 26 Nov 2021 17:23:01 +0530
Message-Id: <20211126115301.1103687-3-ruchika.gupta@linaro.org>
In-Reply-To: <20211126115301.1103687-1-ruchika.gupta@linaro.org>
References: <20211126115301.1103687-1-ruchika.gupta@linaro.org>

Firmwares before U-Boot may be capable of doing TPM measurements and passing them to U-Boot in the form of an eventlog. However, there may be scenarios where the firmwares don't have a TPM driver and are not capable of extending the measurements into the PCRs. Based on the TCG spec, if previous firmware has extended the PCRs, PCR0 would not be 0. So, read PCR0 to determine whether or not the PCRs need to be extended as the eventlog is parsed.

Signed-off-by: Ruchika Gupta
Reviewed-by: Ilias Apalodimas
Tested-by: Ilias Apalodimas
---
v7: Addressed Heinrich's comments - Added missing parameter in function header
v6: Changed TPM2_DIGEST_LEN to TPM2_SHA512_DIGEST_SIZE
v5: No change
v4: No change
v3: Rebase changes on top of changes made in first patch series
v2: Removed check for PCR0 in eventlog

 lib/efi_loader/efi_tcg2.c | 76 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 76 insertions(+)

diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
index 5ded57fd29..d247179fbf 100644
--- a/lib/efi_loader/efi_tcg2.c
+++ b/lib/efi_loader/efi_tcg2.c
@@ -199,6 +199,44 @@ static efi_status_t tcg2_pcr_extend(struct udevice *dev, u32 pcr_index, return EFI_SUCCESS; } +/* tcg2_pcr_read - Read PCRs for a TPM2 device for a given tpml_digest_values + * + * @dev: device + * @pcr_index: PCR index + * @digest_list: list of digest algorithms to extend + * + * @Return: status code + */ +static efi_status_t tcg2_pcr_read(struct udevice *dev, u32 pcr_index, + struct tpml_digest_values *digest_list) +{ + struct tpm_chip_priv *priv; + unsigned int updates, pcr_select_min; + u32 rc; + size_t i; + + priv = dev_get_uclass_priv(dev); + if (!priv) + return EFI_DEVICE_ERROR; + + pcr_select_min = priv->pcr_select_min; + + for (i = 0; i < digest_list->count; i++) { + u16 hash_alg = digest_list->digests[i].hash_alg; + u8 *digest = (u8 *)&digest_list->digests[i].digest; + + rc = tpm2_pcr_read(dev, pcr_index, pcr_select_min, + hash_alg, digest, alg_to_len(hash_alg), + &updates); + if (rc) { + EFI_PRINT("Failed to read PCR\n"); + return EFI_DEVICE_ERROR; + } + } + + return EFI_SUCCESS; +} + /* put_event - Append an agile event to an eventlog * * @pcr_index: PCR index @@ -1461,6 +1499,8 @@ static efi_status_t tcg2_get_fw_eventlog(struct udevice *dev, void *log_buffer, u32 pcr, pos; u64 base; u32 sz; + bool extend_pcr = false; + int i; ret = platform_get_eventlog(dev, &base, &sz); if (ret != EFI_SUCCESS) 
@@ -1482,6 +1522,26 @@ static efi_status_t tcg2_get_fw_eventlog(struct udevice *dev, void *log_buffer, return ret; } + ret = tcg2_pcr_read(dev, 0, &digest_list); + if (ret) { + log_err("Error reading PCR 0\n"); + return ret; + } + + /* + * If PCR0 is 0, previous firmware didn't have the capability + * to extend the PCR. In this scenario, extend the PCR as + * the eventlog is parsed. + */ + for (i = 0; i < digest_list.count; i++) { + u8 buffer[TPM2_SHA512_DIGEST_SIZE] = { 0 }; + u16 hash_alg = digest_list.digests[i].hash_alg; + + if (!memcmp((u8 *)&digest_list.digests[i].digest, buffer, + alg_to_len(hash_alg))) + extend_pcr = true; + } + while (pos < sz) { ret = tcg2_parse_event(dev, buffer, sz, &pos, &digest_list, &pcr); @@ -1489,6 +1549,22 @@ static efi_status_t tcg2_get_fw_eventlog(struct udevice *dev, void *log_buffer, log_err("Error parsing event\n"); return ret; } + if (extend_pcr) { + ret = tcg2_pcr_extend(dev, pcr, &digest_list); + if (ret != EFI_SUCCESS) { + log_err("Error in extending PCR\n"); + return ret; + } + + /* Clear the digest for next event */ + for (i = 0; i < digest_list.count; i++) { + u16 hash_alg = digest_list.digests[i].hash_alg; + u8 *digest = + (u8 *)&digest_list.digests[i].digest; + + memset(digest, 0, alg_to_len(hash_alg)); + } + } } memcpy(log_buffer, buffer, sz);
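Review bot: In the tcg2_pcr_read() hunk (@@ -199,6 +199,44 @@) the kernel-doc describes @digest_list as "list of digest algorithms to extend", but this function reads rather than extends; it should say that the caller fills in count and hash_alg for each bank and that the digest fields are overwritten with the PCR contents on return, since the code at the call site depends on exactly that contract. The updates counter returned by tpm2_pcr_read() is requested but then discarded; either drop the variable or say in the comment why it is not used.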
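Review bot: In the declarations hunk (@@ -1461,6 +1499,8 @@) `int i;` is later compared against digest_list.count, which is unsigned, so this will trip sign-comparison warnings; use size_t as tcg2_pcr_read() does in the previous hunk.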
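Review bot: In the PCR0 check hunk (@@ -1482,6 +1522,26 @@) the condition is "any bank of PCR0 is all zeros", but the action is "extend every bank in digest_list for every event". If the previous firmware extended, say, the SHA-256 bank but left another active bank untouched, extend_pcr becomes true and the already-extended bank is extended a second time, so it will never again match a replay of the log. The comment above the loop says "If PCR0 is 0", which is the all-banks condition; either require every bank to be zero before setting extend_pcr, or track the decision per bank and extend only the zero ones, and log an error for the mixed case rather than silently corrupting a bank. Minor: `if (ret)` after tcg2_pcr_read() should be `if (ret != EFI_SUCCESS)` to match the surrounding code.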
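Review bot: In the extend hunk (@@ -1489,6 +1549,22 @@) the "Clear the digest for next event" loop zeroes every bank after the extend, so if tcg2_parse_event() does not populate every bank for the next event (an event that carries fewer digests than the spec-ID event advertised), an all-zero digest would be extended into that bank on the next iteration; it would be safer to extend only the banks the event actually carried, or to fail the parse when a bank is missing, and to say in the comment why the clearing is needed at all. Separately, when extend_pcr is false the log is copied to log_buffer as-is with no check that its digests replay to the current PCR values, so U-Boot is trusting the earlier firmware's log and PCRs to be consistent; a comment stating that assumption (or a replay-and-compare for PCR0, since the value has already been read) would help readers of this path.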