References: <20210921071931.3755-1-masahisa.kojima@linaro.org> <20210921071931.3755-4-masahisa.kojima@linaro.org>
From: Masahisa Kojima Date: Tue, 28 Sep 2021 20:45:41 +0900 Message-ID: Subject: Re: [PATCH v2 3/3] efi_loader: add DeployedMode and AuditMode variable measurement To: Ilias Apalodimas Cc: U-Boot Mailing List , Heinrich Schuchardt , Alexander Graf Content-Type: text/plain; charset="UTF-8" X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean On Mon, 27 Sept 2021 at 22:53, Ilias Apalodimas wrote: > > On Tue, 21 Sept 2021 at 10:17, Masahisa Kojima > wrote: > > > > This commit adds the DeployedMode and AuditMode variable > > measurement required in TCG PC Client PFP Spec. > > > > Signed-off-by: Masahisa Kojima > > --- > > > > (no changes since v1) > > > > lib/efi_loader/efi_tcg2.c | 47 +++++++++++++++++++++++++++++++++++++++ > > 1 file changed, 47 insertions(+) > > > > diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c > > index ea2c1ead03..68542c7cd3 100644 > > --- a/lib/efi_loader/efi_tcg2.c > > +++ b/lib/efi_loader/efi_tcg2.c > > @@ -12,6 +12,7 @@ > > #include > > #include > > #include > > +#include > > #include > > #include > > #include 
> > @@ -1828,6 +1829,50 @@ out: > > return ret; > > } > > > > +/** > > + * tcg2_measure_deployed_audit_mode() - measure deployedmode and auditmode > > + * > > + * @dev: TPM device > > + * > > + * Return: status code > > + */ > > +static efi_status_t tcg2_measure_deployed_audit_mode(struct udevice *dev) > > +{ > > + u8 deployed_mode; > > + u8 audit_mode; > > + efi_uintn_t size; > > + efi_status_t ret; > > + u32 pcr_index; > > + > > + size = sizeof(deployed_mode); > > + ret = efi_get_variable_int(L"DeployedMode", &efi_global_variable_guid, > > + NULL, &size, &deployed_mode, NULL); > > + if (ret != EFI_SUCCESS) > > + return ret; > > + > > + pcr_index = (deployed_mode ? 1 : 7); > > + > > + ret = tcg2_measure_variable(dev, pcr_index, > > + EV_EFI_VARIABLE_DRIVER_CONFIG, > > + L"DeployedMode", > > + &efi_global_variable_guid, > > + size, &deployed_mode); > > + > > tcg2_measure_variable() can't fail here? Do we care if it does? I will add appropriate error handling. > > > + size = sizeof(audit_mode); > > + ret = efi_get_variable_int(L"AuditMode", &efi_global_variable_guid, > > + NULL, &size, &audit_mode, NULL); > > + if (ret != EFI_SUCCESS) > > + return ret; > > + > > + ret = tcg2_measure_variable(dev, pcr_index, > > + EV_EFI_VARIABLE_DRIVER_CONFIG, > > + L"AuditMode", > > + &efi_global_variable_guid, > > + size, &audit_mode); > > + > > Does it make sense to read both of the variables first and measure > them only if both are present? Yes, it is better. If one of the variable is not present, skip both DeployedMode and AuditMode measurement. > IOW is there any connection between AuditMode and DeployedMode measurements? In UEFI spec: DeployedMode = 1 -> AuditMode is always 0 DeployedMode = 0 -> AuditMode can be 0 or 1 Thanks, Masahisa Kojima > > > Regards > /Ilias > > + return ret; > > +} > > + > > /** > > * tcg2_measure_secure_boot_variable() - measure secure boot variables > > * 
> > @@ -1891,6 +1936,8 @@ static efi_status_t tcg2_measure_secure_boot_variable(struct udevice *dev) > > free(data); > > } > > > > + ret = tcg2_measure_deployed_audit_mode(dev); > > + > > error: > > return ret; > > } > > -- > > 2.17.1 > >
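Review bot: In the tcg2_measure_deployed_audit_mode() hunk, the return value of the first tcg2_measure_variable() call (for DeployedMode) is overwritten by the following efi_get_variable_int() for AuditMode, so a failed DeployedMode measurement is never reported; add `if (ret != EFI_SUCCESS) return ret;` directly after that call. The two early `return ret;` paths after efi_get_variable_int() also hand EFI_NOT_FOUND back to the caller for a variable that can legitimately be absent; since the thread agrees to skip both measurements when either variable is missing, read both values into locals first, return EFI_SUCCESS when one is not found, and only then log the two events, which also keeps the event log from containing DeployedMode without its AuditMode counterpart.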
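Review bot: In the tcg2_measure_secure_boot_variable() hunk, `ret = tcg2_measure_deployed_audit_mode(dev);` unconditionally replaces the result right before `error:`, so with the helper's current early returns a missing DeployedMode or AuditMode (EFI_NOT_FOUND) makes the whole function report failure even though every other secure boot variable was already measured; either have the helper map a missing variable to EFI_SUCCESS (skipping both measurements, as agreed above) or check for EFI_NOT_FOUND here before treating it as an error.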
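The policy agreed in the thread (read both variables first, skip both measurements if either is absent, and honour the UEFI rule that DeployedMode = 1 forces AuditMode = 0) as an added, stand-alone C example; this is not U-Boot code and not the author's patch. The variable store, the `mock_var` table, the `measured_var` record and the `mode_status` result are constructed for the example in place of efi_get_variable_int() and tcg2_measure_variable(); only the variable names and the PCR selection (1 when deployed, 7 otherwise) are taken from the patch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the UEFI variable store. The real code reads
 * DeployedMode/AuditMode via efi_get_variable_int(); this table lets the
 * example run without a firmware environment. */
struct mock_var {
	const char *name;
	bool present;
	uint8_t value;
};

/* One measurement record: what tcg2_measure_variable() would receive. */
struct measured_var {
	unsigned int pcr_index;
	const char *name;
	uint8_t value;
};

enum mode_status {
	MODE_MEASURED,     /* both present and consistent: two events recorded */
	MODE_SKIPPED,      /* at least one variable absent: nothing measured */
	MODE_INCONSISTENT, /* DeployedMode=1 with AuditMode!=0, or a value outside 0/1 */
};

static const struct mock_var *lookup(const struct mock_var *vars, size_t n,
				     const char *name)
{
	for (size_t i = 0; i < n; i++)
		if (strcmp(vars[i].name, name) == 0)
			return &vars[i];
	return NULL;
}

/*
 * Read both variables before measuring either, so a missing one never
 * leaves a half-measured pair in the event log. On MODE_MEASURED, out[0]
 * is DeployedMode and out[1] is AuditMode, both on the PCR selected by
 * DeployedMode (1 when deployed, 7 otherwise, as in the patch).
 */
static enum mode_status measure_deployed_audit(const struct mock_var *vars,
					       size_t n,
					       struct measured_var out[2])
{
	const struct mock_var *dep = lookup(vars, n, "DeployedMode");
	const struct mock_var *aud = lookup(vars, n, "AuditMode");
	unsigned int pcr_index;

	if (!dep || !dep->present || !aud || !aud->present)
		return MODE_SKIPPED;

	/* Both are boolean UEFI variables; anything else is corrupt state. */
	if (dep->value > 1 || aud->value > 1)
		return MODE_INCONSISTENT;
	/* UEFI: DeployedMode = 1 forces AuditMode = 0. */
	if (dep->value == 1 && aud->value != 0)
		return MODE_INCONSISTENT;

	pcr_index = dep->value ? 1 : 7;
	out[0] = (struct measured_var){ pcr_index, "DeployedMode", dep->value };
	out[1] = (struct measured_var){ pcr_index, "AuditMode", aud->value };
	return MODE_MEASURED;
}

int main(void)
{
	/* Constructed sample: a deployed system with a well-formed pair. */
	struct mock_var vars[] = {
		{ "DeployedMode", true, 1 },
		{ "AuditMode", true, 0 },
	};
	struct measured_var ev[2];
	enum mode_status st = measure_deployed_audit(vars, 2, ev);

	if (st == MODE_MEASURED)
		for (int i = 0; i < 2; i++)
			printf("PCR[%u] <- %s = %u\n", ev[i].pcr_index,
			       ev[i].name, ev[i].value);
	else
		printf("not measured (status %d)\n", st);
	return 0;
}
```

The order of checks matters: presence is tested before consistency so that a variable store without either variable is treated as "nothing to measure" rather than as an error, which is the behaviour the thread settles on for the patch.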