Date: Mon, 18 Sep 2017 20:56:28 +0300
From: Jarkko Sakkinen
To: Thiebaud Weksteen
Cc: Matthew Garrett, linux-efi@vger.kernel.org, Ard Biesheuvel, Matt Fleming, linux-kernel@vger.kernel.org, tpmdd-devel@lists.sourceforge.net, peterhuewe@gmx.de, Jason Gunthorpe, tpmdd@selhorst.net
Subject: Re: [PATCH v2 2/3] efi: call get_event_log before ExitBootServices
Message-ID: <20170918175628.67evhsklb77nxbdk@linux.intel.com>
References: <20170911100022.7251-1-tweek@google.com> <20170911100022.7251-3-tweek@google.com> <20170914184126.eevnstwq3i6fiq4j@linux.intel.com> <20170914190247.rrbdzdexjjywxipf@linux.intel.com>
In-Reply-To:
Organization: Intel Finland Oy - BIC 0357606-4 - Westendinkatu 7, 02160 Espoo

On Mon, Sep 18, 2017 at 02:28:45PM +0200, Thiebaud Weksteen wrote:
> On Thu, Sep 14, 2017 at 9:02 PM, Jarkko Sakkinen wrote:
> > On Thu, Sep 14, 2017 at 11:48:54AM -0700, Matthew Garrett wrote:
> >> On Thu, Sep 14, 2017 at 11:43 AM, Jarkko Sakkinen wrote:
> >> > On Mon, Sep 11, 2017 at 12:00:21PM +0200, Thiebaud Weksteen wrote:
> >> >> With the TPM 2.0 specification, the event logs may only be accessible by
> >> >> calling an EFI Boot Service. Modify the EFI stub to copy the log area to
> >> >> a new Linux-specific EFI configuration table so it remains accessible
> >> >> once booted.
> >> >>
> >> >> When calling this service, it is possible to specify the expected format
> >> >> of the logs: TPM 1.2 (SHA1) or TPM 2.0 ("Crypto Agile"). For now, only the
> >> >> first format is retrieved.
> >> >>
> >> >> Signed-off-by: Thiebaud Weksteen
> >> >
> >> > With a quick skim the code change looks good but I remember from
> >> > Matthew's talk that there was this issue that ExitBootServices() would
> >> > cause yet another event?
> >> >
> >> > I guess you could manually synthesize that event by reading the PCR
> >> > values right after ExitBootServices()?
> >>
> >> I think that would involve breaking SHA1… the information should be
> >
> > You are absolutely right, was not thinking clearly :-)
> >
> >> available in the TCG_TREE_FINAL_EVENTS configuration table, so it
> >> /should/ just be a matter of merging the events from that into the
> >> event log.
> >
> > Right, it is available through runtime services. Why isn't this part
> > of the patch set?
>
> This is not included yet as this table
> (EFI_TCG2_FINAL_EVENTS_TABLE_GUID) relies on the TPM2 format for the
> log entries (TCG_PCR_EVENT2, "Crypto Agile"). I first plan to add the
> parsing of this log version (i.e., efi_retrieve_tpm2_eventlog_2) before
> adding the merging of both tables. But these will be separate patch
> sets.

OK, this should be documented in the commit message to make it clear.

linux-integrity@vger.kernel.org is now up and running. I'm still
surviving from jetlag etc. so testing might be postponed to either near
the end of the week or next week.

Thanks for doing this. This is really important stuff in order to get
the Linux TPM 2.0 support feature complete.

/Jarkko