From: Masahisa Kojima <masahisa.kojima@linaro.org>
To: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Cc: U-Boot Mailing List <u-boot@lists.denx.de>,
Heinrich Schuchardt <xypron.glpk@gmx.de>,
Alexander Graf <agraf@csgraf.de>
Subject: Re: [PATCH v2 3/3] efi_loader: add DeployedMode and AuditMode variable measurement
Date: Tue, 28 Sep 2021 20:45:41 +0900 [thread overview]
Message-ID: <CADQ0-X-5uO1VYWZSkuu8P-M7_VprwUF_H3-5v2o6jnHDEKWpYg@mail.gmail.com> (raw)
In-Reply-To: <CAC_iWjLgC=5qF549P2E5yBhd70vU8Lgjci1BMna0s2RiLWw44w@mail.gmail.com>
On Mon, 27 Sept 2021 at 22:53, Ilias Apalodimas
<ilias.apalodimas@linaro.org> wrote:
>
> On Tue, 21 Sept 2021 at 10:17, Masahisa Kojima
> <masahisa.kojima@linaro.org> wrote:
> >
> > This commit adds the DeployedMode and AuditMode variable
> > measurement required in TCG PC Client PFP Spec.
> >
> > Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
> > ---
> >
> > (no changes since v1)
> >
> > lib/efi_loader/efi_tcg2.c | 47 +++++++++++++++++++++++++++++++++++++++
> > 1 file changed, 47 insertions(+)
> >
> > diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
> > index ea2c1ead03..68542c7cd3 100644
> > --- a/lib/efi_loader/efi_tcg2.c
> > +++ b/lib/efi_loader/efi_tcg2.c
> > @@ -12,6 +12,7 @@
> > #include <dm.h>
> > #include <efi_loader.h>
> > #include <efi_tcg2.h>
> > +#include <efi_variable.h>
> > #include <log.h>
> > #include <malloc.h>
> > #include <smbios.h>
> > @@ -1828,6 +1829,50 @@ out:
> > return ret;
> > }
> >
> > +/**
> > + * tcg2_measure_deployed_audit_mode() - measure deployedmode and auditmode
> > + *
> > + * @dev: TPM device
> > + *
> > + * Return: status code
> > + */
> > +static efi_status_t tcg2_measure_deployed_audit_mode(struct udevice *dev)
> > +{
> > + u8 deployed_mode;
> > + u8 audit_mode;
> > + efi_uintn_t size;
> > + efi_status_t ret;
> > + u32 pcr_index;
> > +
> > + size = sizeof(deployed_mode);
> > + ret = efi_get_variable_int(L"DeployedMode", &efi_global_variable_guid,
> > + NULL, &size, &deployed_mode, NULL);
> > + if (ret != EFI_SUCCESS)
> > + return ret;
> > +
> > + pcr_index = (deployed_mode ? 1 : 7);
> > +
> > + ret = tcg2_measure_variable(dev, pcr_index,
> > + EV_EFI_VARIABLE_DRIVER_CONFIG,
> > + L"DeployedMode",
> > + &efi_global_variable_guid,
> > + size, &deployed_mode);
> > +
>
> tcg2_measure_variable() can't fail here? Do we care if it does?
I will add appropriate error handling.
>
> > + size = sizeof(audit_mode);
> > + ret = efi_get_variable_int(L"AuditMode", &efi_global_variable_guid,
> > + NULL, &size, &audit_mode, NULL);
> > + if (ret != EFI_SUCCESS)
> > + return ret;
> > +
> > + ret = tcg2_measure_variable(dev, pcr_index,
> > + EV_EFI_VARIABLE_DRIVER_CONFIG,
> > + L"AuditMode",
> > + &efi_global_variable_guid,
> > + size, &audit_mode);
> > +
>
> Does it make sense to read both of the variables first and measure
> them only if both are present?
Yes, it is better. If one of the variable is not present, skip both DeployedMode
and AuditMode measurement.
> IOW is there any connection between AuditMode and DeployedMode measurements?
In UEFI spec:
DeployedMode = 1 -> AuditMode is always 0
DeployedMode = 0 -> AuditMode can be 0 or 1
Thanks,
Masahisa Kojima
>
>
> Regards
> /Ilias
> > + return ret;
> > +}
> > +
> > /**
> > * tcg2_measure_secure_boot_variable() - measure secure boot variables
> > *
> > @@ -1891,6 +1936,8 @@ static efi_status_t tcg2_measure_secure_boot_variable(struct udevice *dev)
> > free(data);
> > }
> >
> > + ret = tcg2_measure_deployed_audit_mode(dev);
> > +
> > error:
> > return ret;
> > }
> > --
> > 2.17.1
> >
prev parent reply other threads:[~2021-09-28 11:46 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-21 7:19 [PATCH v2 0/3] Enhance Measured Boot Masahisa Kojima
2021-09-21 7:19 ` [PATCH v2 1/3] efi_loader: add SMBIOS table measurement Masahisa Kojima
2021-09-22 16:19 ` Simon Glass
2021-09-23 9:16 ` Ilias Apalodimas
2021-09-24 23:36 ` Simon Glass
2021-09-27 8:52 ` Ilias Apalodimas
2021-09-27 20:17 ` Simon Glass
2021-09-28 17:40 ` Ilias Apalodimas
2021-10-01 15:16 ` Simon Glass
2021-10-01 11:10 ` Masahisa Kojima
2021-09-21 7:19 ` [PATCH v2 2/3] efi_loader: add UEFI GPT measurement Masahisa Kojima
2021-09-27 20:21 ` Ilias Apalodimas
2021-10-01 7:37 ` Masahisa Kojima
2021-10-01 9:08 ` Ilias Apalodimas
2021-09-21 7:19 ` [PATCH v2 3/3] efi_loader: add DeployedMode and AuditMode variable measurement Masahisa Kojima
2021-09-27 13:53 ` Ilias Apalodimas
2021-09-28 11:45 ` Masahisa Kojima [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CADQ0-X-5uO1VYWZSkuu8P-M7_VprwUF_H3-5v2o6jnHDEKWpYg@mail.gmail.com \
--to=masahisa.kojima@linaro.org \
--cc=agraf@csgraf.de \
--cc=ilias.apalodimas@linaro.org \
--cc=u-boot@lists.denx.de \
--cc=xypron.glpk@gmx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).