From: Thiebaud Weksteen <tweek@google.com>
To: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: Matthew Garrett <mjg59@google.com>,
	linux-efi@vger.kernel.org,
	Ard Biesheuvel <ard.biesheuvel@linaro.org>,
	Matt Fleming <matt@codeblueprint.co.uk>,
	linux-kernel@vger.kernel.org, tpmdd-devel@lists.sourceforge.net,
	peterhuewe@gmx.de,
	Jason Gunthorpe <jgunthorpe@obsidianresearch.com>,
	tpmdd@selhorst.net
Subject: Re: [PATCH v2 2/3] efi: call get_event_log before ExitBootServices
Date: Mon, 18 Sep 2017 14:28:45 +0200	[thread overview]
Message-ID: <CA+zpnLfs=DhW6kgbLV63_XzmKS7VnGGE0ecbFBZ0bu4wx3Jf+w@mail.gmail.com> (raw)
In-Reply-To: <20170914190247.rrbdzdexjjywxipf@linux.intel.com>

On Thu, Sep 14, 2017 at 9:02 PM, Jarkko Sakkinen
<jarkko.sakkinen@linux.intel.com> wrote:
> On Thu, Sep 14, 2017 at 11:48:54AM -0700, Matthew Garrett wrote:
>> On Thu, Sep 14, 2017 at 11:43 AM, Jarkko Sakkinen
>> <jarkko.sakkinen@linux.intel.com> wrote:
>> > On Mon, Sep 11, 2017 at 12:00:21PM +0200, Thiebaud Weksteen wrote:
>> >> With TPM 2.0 specification, the event logs may only be accessible by
>> >> calling an EFI Boot Service. Modify the EFI stub to copy the log area to
>> >> a new Linux-specific EFI configuration table so it remains accessible
>> >> once booted.
>> >>
>> >> When calling this service, it is possible to specify the expected format
>> >> of the logs: TPM 1.2 (SHA1) or TPM 2.0 ("Crypto Agile"). For now, only the
>> >> first format is retrieved.
>> >>
>> >> Signed-off-by: Thiebaud Weksteen <tweek@google.com>
>> >
>> > With a quick skim the code change looks good but I remember from
>> > Matthew's talk that there was this issue that ExitBootServices() would
>> > cause yet another event?
>> >
>> > I guess you could manually synthesize that event by reading the PCR
>> > values right after ExitBootServices()?
>>
>> I think that would involve breaking SHA1… the information should be
>
> You are absolutely right, was not thinking clearly :-)
>
>> available in the TCG_TREE_FINAL_EVENTS configuration table, so it
>> /should/ just be a matter of merging the events from that into the
>> event log.
>
> Right, it is available through runtime services. Why isn't this part
> of the patch set?

This is not included yet as this table
(EFI_TCG2_FINAL_EVENTS_TABLE_GUID) relies on the TPM2 format for the
log entries (TCG_PCR_EVENT2, "Crypto Agile"). I first plan to add the
parsing of this log version (i.e., efi_retrieve_tpm2_eventlog_2) before
adding the merging of both tables. But these will be separate patch
sets.

>
> /Jrakko
>
> /Jarkko
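The two steps discussed above (parsing the "Crypto Agile" TCG_PCR_EVENT2 log, then appending the entries of the final events table that firmware records after GetEventLog, such as the ExitBootServices measurement) can be shown end to end in a small parser. The following is an added illustration written for this page; it is not code from the patch set or from the kernel's EFI stub. The structure layouts (TCG_PCR_EVENT, TCG_EfiSpecIDEvent, TCG_PCR_EVENT2, EFI_TCG2_FINAL_EVENTS_TABLE) follow the TCG PC Client Platform Firmware Profile and EFI TCG2 protocol specifications as the author of this example understands them; the sample log and final events table are constructed inline, not captured from real firmware, and the function names are the example's own. The replay at the end is the check a verifier would do: recompute each PCR from the merged event list and compare it with the values read from the TPM.

```python
import hashlib
import struct

# TPM_ALG_ID values come from the TCG Algorithm Registry; the hashlib names are this example's mapping.
TPM_ALG_SHA1, TPM_ALG_SHA256 = 0x0004, 0x000B
HASH_NAMES = {TPM_ALG_SHA1: "sha1", TPM_ALG_SHA256: "sha256"}
EV_NO_ACTION = 0x00000003    # informational entry, never extended into a PCR
EV_EFI_ACTION = 0x80000007   # e.g. "Exit Boot Services Invocation", measured into PCR 5


def parse_spec_id_event(log):
    """The first entry is a TCG_PCR_EVENT (TPM 1.2 layout) wrapping a TCG_EfiSpecIDEvent.
    It is the only place the digest size of each algorithm is recorded, so every
    TCG_PCR_EVENT2 that follows (and every final-events entry) depends on it."""
    # TCG_PCR_EVENT: pcr_index u32, event_type u32, digest[20], event_size u32, event[]
    event_size = struct.unpack_from("<II20xI", log, 0)[2]
    event = log[32:32 + event_size]
    if event[:16] != b"Spec ID Event03\x00":
        raise ValueError("log does not start with a TCG_EfiSpecIDEvent")
    # signature[16], platform_class u32, minor/major/errata/uintn_size u8 each, number_of_algorithms u32
    num_algs = struct.unpack_from("<I", event, 24)[0]
    alg_sizes = dict(struct.unpack_from("<HH", event, 28 + 4 * i) for i in range(num_algs))
    return alg_sizes, 32 + event_size


def parse_event2(buf, off, alg_sizes):
    """Decode one TCG_PCR_EVENT2 at buf[off]; returns (event, offset of the next entry)."""
    pcr, etype, count = struct.unpack_from("<III", buf, off)
    off += 12
    digests = {}
    for _ in range(count):
        alg = struct.unpack_from("<H", buf, off)[0]
        off += 2
        size = alg_sizes[alg]  # size is taken from the spec ID header, not from the entry itself
        if off + size > len(buf):
            raise ValueError("truncated digest in TCG_PCR_EVENT2")
        digests[alg] = buf[off:off + size]
        off += size
    event_size = struct.unpack_from("<I", buf, off)[0]
    off += 4
    event = {"pcr": pcr, "type": etype, "digests": digests, "data": buf[off:off + event_size]}
    return event, off + event_size


def parse_log(log):
    """Walk a crypto-agile log: spec ID header followed by TCG_PCR_EVENT2 entries until the end."""
    alg_sizes, off = parse_spec_id_event(log)
    events = []
    while off < len(log):
        ev, off = parse_event2(log, off, alg_sizes)
        events.append(ev)
    return alg_sizes, events


def parse_final_events_table(table, alg_sizes):
    """EFI_TCG2_FINAL_EVENTS_TABLE: version u64, number_of_events u64, then TCG_PCR_EVENT2[].
    There is no spec ID header here, so the algorithm sizes must come from the main log."""
    _version, count = struct.unpack_from("<QQ", table, 0)
    off, events = 16, []
    for _ in range(count):
        ev, off = parse_event2(table, off, alg_sizes)
        events.append(ev)
    return events


def merge_logs(log, final_table):
    """Main log entries first, then the events recorded after GetEventLog was called."""
    alg_sizes, events = parse_log(log)
    return events + parse_final_events_table(final_table, alg_sizes)


def replay(events):
    """Recompute PCR values from the event list (static PCRs start at zero):
    PCR_new = H(PCR_old || digest) for every entry that was actually extended."""
    pcrs = {}
    for ev in events:
        if ev["type"] == EV_NO_ACTION:
            continue
        for alg, digest in ev["digests"].items():
            key, name = (alg, ev["pcr"]), HASH_NAMES[alg]
            old = pcrs.get(key, bytes(hashlib.new(name).digest_size))
            pcrs[key] = hashlib.new(name, old + digest).digest()
    return pcrs


def encode_event2(pcr, etype, data, algs=(TPM_ALG_SHA1, TPM_ALG_SHA256)):
    """Serialize one TCG_PCR_EVENT2 for the constructed sample; digests are H(data)."""
    out = struct.pack("<III", pcr, etype, len(algs))
    for alg in algs:
        out += struct.pack("<H", alg) + hashlib.new(HASH_NAMES[alg], data).digest()
    return out + struct.pack("<I", len(data)) + data


def constructed_sample():
    """Constructed log and final events table (made up for this example, not real firmware output)."""
    spec = (b"Spec ID Event03\x00"
            + struct.pack("<IBBBBI", 0, 0, 2, 0, 2, 2)  # platform class, spec 2.0 errata 0, UINTN=8 bytes, 2 algorithms
            + struct.pack("<HHHH", TPM_ALG_SHA1, 20, TPM_ALG_SHA256, 32)
            + b"\x00")                                    # vendor_info_size = 0
    header = struct.pack("<II", 0, EV_NO_ACTION) + bytes(20) + struct.pack("<I", len(spec)) + spec
    log = (header
           + encode_event2(0, 0x00000008, b"CRTM version string")                 # EV_S_CRTM_VERSION
           + encode_event2(4, 0x80000003, b"EV_EFI_BOOT_SERVICES_APPLICATION"))   # loader measured into PCR 4
    final = struct.pack("<QQ", 1, 1) + encode_event2(5, EV_EFI_ACTION, b"Exit Boot Services Invocation")
    return log, final


if __name__ == "__main__":
    sample_log, sample_final = constructed_sample()
    for (alg, pcr), value in sorted(replay(merge_logs(sample_log, sample_final)).items()):
        print(f"{HASH_NAMES[alg]:>6} PCR{pcr:<2} {value.hex()}")
```

Replaying only the main log leaves PCR 5 untouched, which is exactly the mismatch against the TPM that appending the final events table is meant to resolve.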

