From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <u-boot-bounces@lists.denx.de>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from phobos.denx.de (phobos.denx.de [85.214.62.61])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.lore.kernel.org (Postfix) with ESMTPS id BA7BFC433F5
	for <u-boot@archiver.kernel.org>; Fri, 26 Nov 2021 13:52:35 +0000 (UTC)
Received: from h2850616.stratoserver.net (localhost [IPv6:::1])
	by phobos.denx.de (Postfix) with ESMTP id CCFA882054;
	Fri, 26 Nov 2021 14:52:32 +0100 (CET)
Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org
Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de
Authentication-Results: phobos.denx.de;
	dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="rLAyxo6v";
	dkim-atps=neutral
Received: by phobos.denx.de (Postfix, from userid 109)
 id 843BC8128C; Fri, 26 Nov 2021 14:52:30 +0100 (CET)
Received: from mail-ed1-x536.google.com (mail-ed1-x536.google.com
 [IPv6:2a00:1450:4864:20::536])
 (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))
 (No client certificate requested)
 by phobos.denx.de (Postfix) with ESMTPS id BC52C8128C
 for <u-boot@lists.denx.de>; Fri, 26 Nov 2021 14:52:25 +0100 (CET)
Authentication-Results: phobos.denx.de;
 dmarc=pass (p=none dis=none) header.from=linaro.org
Authentication-Results: phobos.denx.de;
 spf=pass smtp.mailfrom=ilias.apalodimas@linaro.org
Received: by mail-ed1-x536.google.com with SMTP id z5so39399873edd.3
 for <u-boot@lists.denx.de>; Fri, 26 Nov 2021 05:52:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google;
 h=date:from:to:cc:subject:message-id:references:mime-version
 :content-disposition:in-reply-to;
 bh=KIUmXRse3iKKy5L9SCF9flZFlkRuwDyK//lb4Zo9UQw=;
 b=rLAyxo6veBOC/Am6MNCjDps7JDOCMEHWHL3tdM52K1FpfatFpHY2CyW5akXciqtGvw
 1OEWy267AyP+leqXAeVeoyy/D81WFz1xuR0XUDk5WFDecG9dPyeSrTEEZqprI7gWbvfy
 EkuK/zYB0QvxovUuBLoe5J7SyyCfuBPHBt1i1D1keSGmiYQ8wAK8/shodSTWt47B3GnV
 Ld3kEV3/ExIo6Gj/F5dOrKqyDoaaULUTpv8f2dWcxpX5Mj+n7f2opyFvW620ikJlG2E9
 U5+b4FECgSLxWptDoeo+DaS+O3oiUmcx9XoI6Ll4OZCOOXsXNbt7i5EycxL/dvxoWm32
 CEYw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:date:from:to:cc:subject:message-id:references
 :mime-version:content-disposition:in-reply-to;
 bh=KIUmXRse3iKKy5L9SCF9flZFlkRuwDyK//lb4Zo9UQw=;
 b=tdwW+NJ2DUXwwiKlEJOEtpcvnPgzzKGB/BHReoQOjmSZVuqUKdvMQZdV+v75YE7xM2
 12+2ZSXAt1N3o532d3OaxnDadFt1O65SQ9zmxUA1KyXzMdFzGHo9VGoDNgMOxR9sP71L
 RmWFdJxT2Tp+6gcDBlIAMMsgyTkQfIAgSgvAtwpSyZrE7h7Eg+DkM4SQ9EJSYvKeRCP8
 VlSyflvRd4bleXnBdp+1OpUxb5RpclMNlZRIMxC25F7YBA3nATXO3TcdnzLJqJy6ZkXs
 YHkBdrWUhbWDreyVe2Wy88ZQHWLxuSRSUWfeYwmPaoCYbLtJK5AFQb4MI5N42TlJw14R
 52lw==
X-Gm-Message-State: AOAM530s6o1osgTt2u+0aGB4NMOWWmftQV+8GRDVJ8pMm2Wu4c7D1gYG
 bLdGWqeG9uytLkQXfPeomz8w4g==
X-Google-Smtp-Source: ABdhPJxosvHdTA3l6BUjbsOgr8ZoP2m/cDLCW9uvZORaCszK8KTIVNg+FrthpcCNQEym7iLSPHuk5Q==
X-Received: by 2002:a17:906:55d7:: with SMTP id
 z23mr38704123ejp.393.1637934745007; 
 Fri, 26 Nov 2021 05:52:25 -0800 (PST)
Received: from apalos.home (ppp-94-66-220-227.home.otenet.gr. [94.66.220.227])
 by smtp.gmail.com with ESMTPSA id
 c7sm3255225ejd.91.2021.11.26.05.52.23
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Fri, 26 Nov 2021 05:52:24 -0800 (PST)
Date: Fri, 26 Nov 2021 15:52:21 +0200
From: Ilias Apalodimas <ilias.apalodimas@linaro.org>
To: Ruchika Gupta <ruchika.gupta@linaro.org>
Cc: u-boot@lists.denx.de, xypron.glpk@gmx.de, agraf@csgraf.de,
 masahisa.kojima@linaro.org
Subject: Re: [PATCH v7 1/3] efi_loader: Add check for event log passed from
 firmware
Message-ID: <YaDmlV5CQxRxAoLi@apalos.home>
References: <20211126115301.1103687-1-ruchika.gupta@linaro.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20211126115301.1103687-1-ruchika.gupta@linaro.org>
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.37
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <https://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=subscribe>
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de
X-Virus-Status: Clean

On Fri, Nov 26, 2021 at 05:22:59PM +0530, Ruchika Gupta wrote:
> Platforms may have support to measure their initial firmware components
> and pass the event log to u-boot. The event log address can be passed
> in property tpm_event_log_addr and tpm_event_log_size of the tpm node.
> Platforms may choose their own specific mechanism to do so. A weak
> function is added to check if even log has been passed to u-boot
> from earlier firmware components. If available, the eventlog is parsed
> to check for its correctness and further event logs are appended to the
> passed log.
> 
> Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
> ---
> v7:
> Addressed Heinrich's comments
> Changed functions not exported out of this file as static.
> Corrected function decsriptions and added few.
> Added declaration of weak function in header file
> Moved offset check to parse functions
> 
> v6: No change
> 
> v5:
> Shift the efi_init_event_log() to a different location in the file.
> This help fixes compilation issue introduced by calling efi_append_scrtm_version()
> from it.
> 
> v4:
> Add SCRTM version to log only if previous firmware doesn't pass the eventlog
> 
> v3:
> Return as soon as you detect error
> 
> v2:
> Moved firmware eventlog code parsing to tcg2_get_fw_eventlog()
> 
>  include/efi_loader.h      |   2 +
>  lib/efi_loader/efi_tcg2.c | 472 ++++++++++++++++++++++++++++++++------
>  2 files changed, 405 insertions(+), 69 deletions(-)
> 
> diff --git a/include/efi_loader.h b/include/efi_loader.h
> index d52e399841..67c40ca57a 100644
> --- a/include/efi_loader.h
> +++ b/include/efi_loader.h
> @@ -988,4 +988,6 @@ efi_status_t efi_esrt_register(void);
>   */
>  efi_status_t efi_esrt_populate(void);
>  efi_status_t efi_load_capsule_drivers(void);
> +
> +efi_status_t platform_get_eventlog(struct udevice *dev, u64 *addr, u32 *sz);
>  #endif /* _EFI_LOADER_H */
> diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
> index 8c1f22e337..5ded57fd29 100644
> --- a/lib/efi_loader/efi_tcg2.c
> +++ b/lib/efi_loader/efi_tcg2.c
> @@ -324,6 +324,45 @@ __weak efi_status_t platform_get_tpm2_device(struct udevice **dev)
>  	return EFI_NOT_FOUND;
>  }
>  
> +/**
> + * platform_get_eventlog() - retrieve the eventlog address and size
> + *
> + * This function retrieves the eventlog address and size if the underlying
> + * firmware has done some measurements and passed them.
> + *
> + * This function may be overridden based on platform specific method of
> + * passing the eventlog address and size.
> + *
> + * @dev:	udevice
> + * @addr:	eventlog address
> + * @sz:		eventlog size
> + * Return:	status code
> + */
> +__weak efi_status_t platform_get_eventlog(struct udevice *dev, u64 *addr,
> +					  u32 *sz)
> +{
> +	const u64 *basep;
> +	const u32 *sizep;
> +
> +	basep = dev_read_prop(dev, "tpm_event_log_addr", NULL);
> +	if (!basep)
> +		return EFI_NOT_FOUND;
> +
> +	*addr = be64_to_cpup((__force __be64 *)basep);
> +
> +	sizep = dev_read_prop(dev, "tpm_event_log_size", NULL);
> +	if (!sizep)
> +		return EFI_NOT_FOUND;
> +
> +	*sz = be32_to_cpup((__force __be32 *)sizep);
> +	if (*sz == 0) {
> +		log_debug("event log empty\n");
> +		return EFI_NOT_FOUND;
> +	}
> +
> +	return EFI_SUCCESS;
> +}
> +
>  /**
>   * tpm2_get_max_command_size() - get the supported max command size
>   *
> @@ -1181,6 +1220,283 @@ static const struct efi_tcg2_protocol efi_tcg2_protocol = {
>  	.get_result_of_set_active_pcr_banks = efi_tcg2_get_result_of_set_active_pcr_banks,
>  };
>  
> +/**
> + * parse_event_log_header() -  Parse and verify the event log header fields
> + *
> + * @buffer:			Pointer to the start of the eventlog
> + * @size:			Size of the eventlog
> + * @pos:			Return offset of the next event in buffer right
> + * 				after the event header i.e specID
> + *
> + * Return:	status code
> + */
> +static efi_status_t parse_event_log_header(void *buffer, u32 size, u32 *pos)
> +{
> +	struct tcg_pcr_event *event_header = (struct tcg_pcr_event *)buffer;
> +	int i = 0;
> +
> +	if (size < sizeof(*event_header))
> +		return EFI_COMPROMISED_DATA;
> +
> +	if (get_unaligned_le32(&event_header->pcr_index) != 0 ||
> +	    get_unaligned_le32(&event_header->event_type) != EV_NO_ACTION)
> +		return EFI_COMPROMISED_DATA;
> +
> +	for (i = 0; i < sizeof(event_header->digest); i++) {
> +		if (event_header->digest[i])
> +			return EFI_COMPROMISED_DATA;
> +	}
> +
> +	*pos += sizeof(*event_header);
> +
> +	return EFI_SUCCESS;
> +}
> +
> +/**
> + * parse_specid_event() -  Parse and verify the specID Event in the eventlog
> + *
> + * @dev:		udevice
> + * @buffer:		Pointer to the start of the eventlog
> + * @log_size:		Size of the eventlog
> + * @pos:		[in] Offset of specID event in the eventlog buffer
> + * 			[out] Return offset of the next event in the buffer
> + * 			after the specID
> + * @digest_list:	list of digests in the event
> + *
> + * Return:		status code
> + * @pos			Offset in the eventlog where the specID event ends
> + * @digest_list:	list of digests in the event
> + */
> +static efi_status_t parse_specid_event(struct udevice *dev, void *buffer,
> +				       u32 log_size, u32 *pos,
> +				       struct tpml_digest_values *digest_list)
> +{
> +	struct tcg_efi_spec_id_event *spec_event;
> +	struct tcg_pcr_event *event_header = (struct tcg_pcr_event *)buffer;
> +	size_t spec_event_size;
> +	u32 active = 0, supported = 0, pcr_count = 0, alg_count = 0;
> +	u32 spec_active = 0;
> +	u16 hash_alg, hash_sz;
> +	u8 vendor_sz;
> +	int err, i;
> +
> +	if (*pos >= log_size || (*pos + sizeof(*spec_event)) > log_size)
> +		return EFI_COMPROMISED_DATA;
> +
> +	/* Check specID event data */
> +	spec_event = (struct tcg_efi_spec_id_event *)((uintptr_t)buffer + *pos);
> +	/* Check for signature */
> +	if (memcmp(spec_event->signature, TCG_EFI_SPEC_ID_EVENT_SIGNATURE_03,
> +		   sizeof(TCG_EFI_SPEC_ID_EVENT_SIGNATURE_03))) {
> +		log_err("specID Event: Signature mismatch\n");
> +		return EFI_COMPROMISED_DATA;
> +	}
> +
> +	if (spec_event->spec_version_minor !=
> +			TCG_EFI_SPEC_ID_EVENT_SPEC_VERSION_MINOR_TPM2 ||
> +	    spec_event->spec_version_major !=
> +			TCG_EFI_SPEC_ID_EVENT_SPEC_VERSION_MAJOR_TPM2)
> +		return EFI_COMPROMISED_DATA;
> +
> +	if (spec_event->number_of_algorithms > MAX_HASH_COUNT ||
> +	    spec_event->number_of_algorithms < 1) {
> +		log_err("specID Event: Number of algorithms incorrect\n");
> +		return EFI_COMPROMISED_DATA;
> +	}
> +
> +	alg_count = spec_event->number_of_algorithms;
> +
> +	err = tpm2_get_pcr_info(dev, &supported, &active, &pcr_count);
> +	if (err)
> +		return EFI_DEVICE_ERROR;
> +
> +	digest_list->count = 0;
> +	/*
> +	 * We have to take care that the sequence of algorithms that we record
> +	 * in digest_list matches the sequence in eventlog.
> +	 */
> +	for (i = 0; i < alg_count; i++) {
> +		hash_alg =
> +		  get_unaligned_le16(&spec_event->digest_sizes[i].algorithm_id);
> +		hash_sz =
> +		   get_unaligned_le16(&spec_event->digest_sizes[i].digest_size);
> +
> +		if (!(supported & alg_to_mask(hash_alg))) {
> +			log_err("specID Event: Unsupported algorithm\n");
> +			return EFI_COMPROMISED_DATA;
> +		}
> +		digest_list->digests[digest_list->count++].hash_alg = hash_alg;
> +
> +		spec_active |= alg_to_mask(hash_alg);
> +	}
> +
> +	/*
> +	 * TCG specification expects the event log to have hashes for all
> +	 * active PCR's
> +	 */
> +	if (spec_active != active) {
> +		/*
> +		 * Previous stage bootloader should know all the active PCR's
> +		 * and use them in the Eventlog.
> +		 */
> +		log_err("specID Event: All active hash alg not present\n");
> +		return EFI_COMPROMISED_DATA;
> +	}
> +
> +	/*
> +	 * the size of the spec event and placement of vendor_info_size
> +	 * depends on supported algoriths
> +	 */
> +	spec_event_size =
> +		offsetof(struct tcg_efi_spec_id_event, digest_sizes) +
> +		alg_count * sizeof(spec_event->digest_sizes[0]);
> +
> +	if (*pos + spec_event_size >= log_size)
> +		return EFI_COMPROMISED_DATA;
> +
> +	vendor_sz = *(uint8_t *)((uintptr_t)buffer + *pos + spec_event_size);
> +
> +	spec_event_size += sizeof(vendor_sz) + vendor_sz;
> +	*pos += spec_event_size;
> +
> +	if (get_unaligned_le32(&event_header->event_size) != spec_event_size) {
> +		log_err("specID event: header event size mismatch\n");
> +		/* Right way to handle this can be to call SetActive PCR's */
> +		return EFI_COMPROMISED_DATA;
> +	}
> +
> +	return EFI_SUCCESS;
> +}
> +
> +/**
> + * tcg2_parse_event() -  Parse the event in the eventlog
> + *
> + * @dev:		udevice
> + * @buffer:		Pointer to the start of the eventlog
> + * @log_size:		Size of the eventlog
> + * @offset:		[in] Offset of the event in the eventlog buffer
> + * 			[out] Return offset of the next event in the buffer
> + * @digest_list:	list of digests in the event
> + * @pcr			Index of the PCR in the event
> + *
> + * Return:		status code
> + */
> +static efi_status_t tcg2_parse_event(struct udevice *dev, void *buffer,
> +				     u32 log_size, u32 *offset,
> +				     struct tpml_digest_values *digest_list,
> +				     u32 *pcr)
> +{
> +	struct tcg_pcr_event2 *event = NULL;
> +	u32 event_type, count, size, event_size;
> +	size_t pos;
> +
> +	event_size = tcg_event_final_size(digest_list);
> +	if (*offset >= log_size || *offset + event_size > log_size) {
> +		log_err("Event exceeds log size\n");
> +		return EFI_COMPROMISED_DATA;
> +	}
> +
> +	event = (struct tcg_pcr_event2 *)((uintptr_t)buffer + *offset);
> +	*pcr = get_unaligned_le32(&event->pcr_index);
> +	event_type = get_unaligned_le32(&event->event_type);
> +
> +	/* get the count */
> +	count = get_unaligned_le32(&event->digests.count);
> +	if (count != digest_list->count)
> +		return EFI_COMPROMISED_DATA;
> +
> +	pos = offsetof(struct tcg_pcr_event2, digests);
> +	pos += offsetof(struct tpml_digest_values, digests);
> +
> +	for (int i = 0; i < digest_list->count; i++) {
> +		u16 alg;
> +		u16 hash_alg = digest_list->digests[i].hash_alg;
> +		u8 *digest = (u8 *)&digest_list->digests[i].digest;
> +
> +		alg = get_unaligned_le16((void *)((uintptr_t)event + pos));
> +
> +		if (alg != hash_alg)
> +			return EFI_COMPROMISED_DATA;
> +
> +		pos += offsetof(struct tpmt_ha, digest);
> +		memcpy(digest, (void *)((uintptr_t)event + pos), alg_to_len(hash_alg));
> +		pos += alg_to_len(hash_alg);
> +	}
> +
> +	size = get_unaligned_le32((void *)((uintptr_t)event + pos));
> +	event_size += size;
> +	pos += sizeof(u32); /* tcg_pcr_event2 event_size*/
> +	pos += size;
> +
> +	/* make sure the calculated buffer is what we checked against */
> +	if (pos != event_size)
> +		return EFI_COMPROMISED_DATA;
> +
> +	if (pos > log_size)
> +		return EFI_COMPROMISED_DATA;
> +
> +	*offset += pos;
> +
> +	return EFI_SUCCESS;
> +}
> +
> +/**
> + * tcg2_get_fw_eventlog() -  Get the eventlog address and size
> + *
> + * If the previous firmware has passed some eventlog, this function get it's
> + * location and check for it's validity.
> + *
> + * @dev:		udevice
> + * @log_buffer:		eventlog address
> + * @log_sz:		eventlog size
> + *
> + * Return:	status code
> + */
> +static efi_status_t tcg2_get_fw_eventlog(struct udevice *dev, void *log_buffer,
> +					 size_t *log_sz)
> +{
> +	struct tpml_digest_values digest_list;
> +	void *buffer;
> +	efi_status_t ret;
> +	u32 pcr, pos;
> +	u64 base;
> +	u32 sz;
> +
> +	ret = platform_get_eventlog(dev, &base, &sz);
> +	if (ret != EFI_SUCCESS)
> +		return ret;
> +
> +	if (sz > TPM2_EVENT_LOG_SIZE)
> +		return EFI_VOLUME_FULL;
> +
> +	buffer = (void *)base;
> +	pos = 0;
> +	/* Parse the eventlog to check for its validity */
> +	ret = parse_event_log_header(buffer, sz, &pos);
> +	if (ret)
> +		return ret;
> +
> +	ret = parse_specid_event(dev, buffer, sz, &pos, &digest_list);
> +	if (ret) {
> +		log_err("Error parsing SPEC ID Event\n");
> +		return ret;
> +	}
> +
> +	while (pos < sz) {
> +		ret = tcg2_parse_event(dev, buffer, sz, &pos, &digest_list,
> +				       &pcr);
> +		if (ret) {
> +			log_err("Error parsing event\n");
> +			return ret;
> +		}
> +	}
> +
> +	memcpy(log_buffer, buffer, sz);
> +	*log_sz = sz;
> +
> +	return ret;
> +}
> +
>  /**
>   * create_specid_event() - Create the first event in the eventlog
>   *
> @@ -1312,69 +1628,6 @@ out:
>  	return ret;
>  }
>  
> -/**
> - * efi_init_event_log() - initialize an eventlog
> - */
> -static efi_status_t efi_init_event_log(void)
> -{
> -	/*
> -	 * vendor_info_size is currently set to 0, we need to change the length
> -	 * and allocate the flexible array member if this changes
> -	 */
> -	struct tcg_pcr_event *event_header = NULL;
> -	struct udevice *dev;
> -	size_t spec_event_size;
> -	efi_status_t ret;
> -
> -	ret = platform_get_tpm2_device(&dev);
> -	if (ret != EFI_SUCCESS)
> -		goto out;
> -
> -	ret = efi_allocate_pool(EFI_BOOT_SERVICES_DATA, TPM2_EVENT_LOG_SIZE,
> -				(void **)&event_log.buffer);
> -	if (ret != EFI_SUCCESS)
> -		goto out;
> -
> -	/*
> -	 * initialize log area as 0xff so the OS can easily figure out the
> -	 * last log entry
> -	 */
> -	memset(event_log.buffer, 0xff, TPM2_EVENT_LOG_SIZE);
> -	event_log.pos = 0;
> -	event_log.last_event_size = 0;
> -	event_log.get_event_called = false;
> -	event_log.ebs_called = false;
> -	event_log.truncated = false;
> -
> -	/*
> -	 * The log header is defined to be in SHA1 event log entry format.
> -	 * Setup event header
> -	 */
> -	event_header =  (struct tcg_pcr_event *)event_log.buffer;
> -	put_unaligned_le32(0, &event_header->pcr_index);
> -	put_unaligned_le32(EV_NO_ACTION, &event_header->event_type);
> -	memset(&event_header->digest, 0, sizeof(event_header->digest));
> -	ret = create_specid_event(dev, (void *)((uintptr_t)event_log.buffer + sizeof(*event_header)),
> -				  &spec_event_size);
> -	if (ret != EFI_SUCCESS)
> -		goto free_pool;
> -	put_unaligned_le32(spec_event_size, &event_header->event_size);
> -	event_log.pos = spec_event_size + sizeof(*event_header);
> -	event_log.last_event_size = event_log.pos;
> -
> -	ret = create_final_event();
> -	if (ret != EFI_SUCCESS)
> -		goto free_pool;
> -
> -out:
> -	return ret;
> -
> -free_pool:
> -	efi_free_pool(event_log.buffer);
> -	event_log.buffer = NULL;
> -	return ret;
> -}
> -
>  /**
>   * tcg2_measure_event() - common function to add event log and extend PCR
>   *
> @@ -1427,6 +1680,93 @@ static efi_status_t efi_append_scrtm_version(struct udevice *dev)
>  	return ret;
>  }
>  
> +/**
> + * efi_init_event_log() - initialize an eventlog
> + *
> + * Return:		status code
> + */
> +static efi_status_t efi_init_event_log(void)
> +{
> +	/*
> +	 * vendor_info_size is currently set to 0, we need to change the length
> +	 * and allocate the flexible array member if this changes
> +	 */
> +	struct tcg_pcr_event *event_header = NULL;
> +	struct udevice *dev;
> +	size_t spec_event_size;
> +	efi_status_t ret;
> +
> +	ret = platform_get_tpm2_device(&dev);
> +	if (ret != EFI_SUCCESS)
> +		return ret;
> +
> +	ret = efi_allocate_pool(EFI_BOOT_SERVICES_DATA, TPM2_EVENT_LOG_SIZE,
> +				(void **)&event_log.buffer);
> +	if (ret != EFI_SUCCESS)
> +		return ret;
> +
> +	/*
> +	 * initialize log area as 0xff so the OS can easily figure out the
> +	 * last log entry
> +	 */
> +	memset(event_log.buffer, 0xff, TPM2_EVENT_LOG_SIZE);
> +
> +	/*
> +	 * The log header is defined to be in SHA1 event log entry format.
> +	 * Setup event header
> +	 */
> +	event_header =  (struct tcg_pcr_event *)event_log.buffer;
> +	event_log.pos = 0;
> +	event_log.last_event_size = 0;
> +	event_log.get_event_called = false;
> +	event_log.ebs_called = false;
> +	event_log.truncated = false;
> +
> +	/*
> +	 * Check if earlier firmware have passed any eventlog. Different
> +	 * platforms can use different ways to do so.
> +	 */
> +	ret = tcg2_get_fw_eventlog(dev, event_log.buffer, &event_log.pos);
> +	/*
> +	 * If earlier firmware hasn't passed any eventlog, go ahead and
> +	 * create the eventlog header.
> +	 */
> +	if (ret == EFI_NOT_FOUND) {
> +		put_unaligned_le32(0, &event_header->pcr_index);
> +		put_unaligned_le32(EV_NO_ACTION, &event_header->event_type);
> +		memset(&event_header->digest, 0, sizeof(event_header->digest));
> +		ret = create_specid_event(dev,
> +					  (void *)((uintptr_t)event_log.buffer +
> +						   sizeof(*event_header)),
> +					  &spec_event_size);
> +		if (ret != EFI_SUCCESS)
> +			goto free_pool;
> +		put_unaligned_le32(spec_event_size, &event_header->event_size);
> +		event_log.pos = spec_event_size + sizeof(*event_header);
> +		event_log.last_event_size = event_log.pos;
> +
> +		/*
> +		 * Add SCRTM version to the log if previous firmmware
> +		 * doesn't pass an eventlog.
> +		 */
> +		ret = efi_append_scrtm_version(dev);
> +	}
> +
> +	if (ret != EFI_SUCCESS)
> +		goto free_pool;
> +
> +	ret = create_final_event();
> +	if (ret != EFI_SUCCESS)
> +		goto free_pool;
> +
> +	return ret;
> +
> +free_pool:
> +	efi_free_pool(event_log.buffer);
> +	event_log.buffer = NULL;
> +	return ret;
> +}
> +
>  /**
>   * tcg2_measure_variable() - add variable event log and extend PCR
>   *
> @@ -1963,12 +2303,6 @@ efi_status_t efi_tcg2_register(void)
>  	if (ret != EFI_SUCCESS)
>  		goto fail;
>  
> -	ret = efi_append_scrtm_version(dev);
> -	if (ret != EFI_SUCCESS) {
> -		tcg2_uninit();
> -		goto fail;
> -	}
> -
>  	ret = efi_add_protocol(efi_root, &efi_guid_tcg2_protocol,
>  			       (void *)&efi_tcg2_protocol);
>  	if (ret != EFI_SUCCESS) {
> -- 
> 2.25.1
> 

Tested-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>