From: Ruchika Gupta
To: u-boot@lists.denx.de, ilias.apalodimas@linaro.org, xypron.glpk@gmx.de, agraf@csgraf.de, masahisa.kojima@linaro.org
Cc: Ruchika Gupta
Subject: [PATCH v8 3/3] efi_loader: Extend PCR's for firmware measurements
Date: Mon, 29 Nov 2021 13:09:46 +0530
Message-Id: <20211129073946.1374496-3-ruchika.gupta@linaro.org>
In-Reply-To: <20211129073946.1374496-1-ruchika.gupta@linaro.org>
References: <20211129073946.1374496-1-ruchika.gupta@linaro.org>

Firmware before U-Boot may be capable of doing TPM measurements and
passing them to U-Boot in the form of an event log. However, there may
be scenarios where the firmware doesn't have a TPM driver and is not
capable of extending the measurements in the PCRs. Based on the TCG
spec, if previous firmware has extended PCRs, PCR0 would not be 0. So,
read PCR0 to determine whether the PCRs need to be extended as the
event log is parsed or not.

Signed-off-by: Ruchika Gupta
Reviewed-by: Ilias Apalodimas
Tested-by: Ilias Apalodimas
---
v8: Addressed issues reported by cppcheck
v7: Addressed Heinrich's comments
    - Added missing parameter in function header
v6: Changed TPM2_DIGEST_LEN to TPM2_SHA512_DIGEST_SIZE
v5: No change
v4: No change
v3: Rebase changes on top of changes made in first patch series
v2: Removed check for PCR0 in eventlog

 lib/efi_loader/efi_tcg2.c | 76 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 76 insertions(+)

diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
index ce3e599c83..7d0ee8e1f1 100644
--- a/lib/efi_loader/efi_tcg2.c
+++ b/lib/efi_loader/efi_tcg2.c
@@ -199,6 +199,44 @@ static efi_status_t tcg2_pcr_extend(struct udevice *dev, u32 pcr_index, return EFI_SUCCESS; } +/* tcg2_pcr_read - Read PCRs for a TPM2 device for a given tpml_digest_values + * + * @dev: device + * @pcr_index: PCR index + * @digest_list: list of digest algorithms to extend + * + * @Return: status code + */ +static efi_status_t tcg2_pcr_read(struct udevice *dev, u32 pcr_index, + struct tpml_digest_values *digest_list) +{ + struct tpm_chip_priv *priv; + unsigned int updates, pcr_select_min; + u32 rc; + size_t i; + + priv = dev_get_uclass_priv(dev); + if (!priv) + return EFI_DEVICE_ERROR; + + pcr_select_min = priv->pcr_select_min; + + for (i = 0; i < digest_list->count; i++) { + u16 hash_alg = digest_list->digests[i].hash_alg; + u8 *digest = (u8 *)&digest_list->digests[i].digest; + + rc = tpm2_pcr_read(dev, pcr_index, pcr_select_min, + hash_alg, digest, alg_to_len(hash_alg), + &updates); + if (rc) { + EFI_PRINT("Failed to read PCR\n"); + return EFI_DEVICE_ERROR; + } + } + + return EFI_SUCCESS; +} + /* put_event - Append an agile event to an eventlog * * @pcr_index: PCR index @@ -1458,6 +1496,8 @@ static efi_status_t tcg2_get_fw_eventlog(struct udevice *dev, void *log_buffer, u32 pcr, pos; u64 base; u32 sz; + bool extend_pcr = false; + int i; ret = platform_get_eventlog(dev, &base, &sz); if (ret != EFI_SUCCESS) 
@@ -1479,6 +1519,26 @@ static efi_status_t tcg2_get_fw_eventlog(struct udevice *dev, void *log_buffer, return ret; } + ret = tcg2_pcr_read(dev, 0, &digest_list); + if (ret) { + log_err("Error reading PCR 0\n"); + return ret; + } + + /* + * If PCR0 is 0, previous firmware didn't have the capability + * to extend the PCR. In this scenario, extend the PCR as + * the eventlog is parsed. + */ + for (i = 0; i < digest_list.count; i++) { + u8 hash_buf[TPM2_SHA512_DIGEST_SIZE] = { 0 }; + u16 hash_alg = digest_list.digests[i].hash_alg; + + if (!memcmp((u8 *)&digest_list.digests[i].digest, hash_buf, + alg_to_len(hash_alg))) + extend_pcr = true; + } + while (pos < sz) { ret = tcg2_parse_event(dev, buffer, sz, &pos, &digest_list, &pcr); @@ -1486,6 +1546,22 @@ static efi_status_t tcg2_get_fw_eventlog(struct udevice *dev, void *log_buffer, log_err("Error parsing event\n"); return ret; } + if (extend_pcr) { + ret = tcg2_pcr_extend(dev, pcr, &digest_list); + if (ret != EFI_SUCCESS) { + log_err("Error in extending PCR\n"); + return ret; + } + + /* Clear the digest for next event */ + for (i = 0; i < digest_list.count; i++) { + u16 hash_alg = digest_list.digests[i].hash_alg; + u8 *digest = + (u8 *)&digest_list.digests[i].digest; + + memset(digest, 0, alg_to_len(hash_alg)); + } + } } memcpy(log_buffer, buffer, sz); -- 2.25.1
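Review bot: in the first hunk (the new tcg2_pcr_read() at line 199), the function header describes @digest_list as "list of digest algorithms to extend", but the function fills digest_list->digests[i].digest with the PCR contents; suggest "@digest_list: list of digest algorithms to read into; the digests are overwritten with the PCR values" so the comment matches what callers rely on. The error path also discards the TPM return code: `EFI_PRINT("Failed to read PCR\n");` would be more useful as `EFI_PRINT("Failed to read PCR %u (alg 0x%x): rc=%u\n", pcr_index, hash_alg, rc);`, since a failure here aborts the whole event-log import and the operator has no way to tell which bank or which status caused it.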
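Review bot: in the second hunk (the declarations added to tcg2_get_fw_eventlog() at line 1458), `int i;` is later compared against the unsigned `digest_list.count`, while the new tcg2_pcr_read() in the same patch uses `size_t i;` for the identical loop; use size_t here as well for consistency and to avoid a sign-compare warning of the kind v8 was meant to clear up.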
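Review bot: in the third hunk (the PCR0 check at line 1479), `extend_pcr` becomes true as soon as any one bank of PCR0 reads as all zeros, but the later tcg2_pcr_extend() call then extends every bank in digest_list. If earlier firmware extended only some of the banks the log advertises, the already-extended bank gets the same events replayed on top and can no longer be reproduced from the log; either require all banks to be zero before extending, or record the decision per bank. Two smaller points: if alg_to_len() can return 0 for an algorithm it does not know, `memcmp(..., 0)` compares equal and sets extend_pcr spuriously, so a `len && !memcmp(...)` guard would be safer; and `if (ret)` should be `if (ret != EFI_SUCCESS)` to match the rest of this function. It is also worth saying in the comment that, in the PCR0-is-zero case, the resulting PCR values are only as trustworthy as the log buffer handed over by the previous firmware, since U-Boot is replaying that buffer rather than measuring anything itself.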
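Review bot: in the fourth hunk (the extend-and-clear block at line 1486), a tcg2_pcr_extend() failure returns after some events have already been extended, so the PCRs reflect a prefix of the log while no log is copied out; that is the right choice, but `log_err("Error in extending PCR\n");` should include `pcr` and `pos` so the failing entry can be located, and a one-line comment noting that PCR state is left partially extended on this path would help the next reader. The clearing loop repeats the per-digest iteration already written in tcg2_pcr_read(); a small helper that walks digest_list with alg_to_len() would remove the duplication.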