Subject: Re: [PATCH v4 3/5] efi_loader: add ExitBootServices() measurement
From: Heinrich Schuchardt
To: Masahisa Kojima, Alexander Graf, Ilias Apalodimas, Simon Glass, Dhananjay Phadke, AKASHI Takahiro, u-boot@lists.denx.de
Date: Sat, 14 Aug 2021 11:06:16 +0200
In-Reply-To: <20210813071243.18885-4-masahisa.kojima@linaro.org>
References: <20210813071243.18885-1-masahisa.kojima@linaro.org> <20210813071243.18885-4-masahisa.kojima@linaro.org>
List-Id: U-Boot discussion <u-boot@lists.denx.de>

On 8/13/21 9:12 AM, Masahisa Kojima wrote: > TCG PC Client PFP spec requires to measure > "Exit Boot Services Invocation" if ExitBootServices() is invoked. > Depending upon the return code from the ExitBootServices() call, > "Exit Boot Services Returned with Success" or "Exit Boot Services > Returned with Failure" is also measured. > > Signed-off-by: Masahisa Kojima > --- > Changes in v4: > - remove unnecessary EFIAPI specifier > > Changes in v2: > - use strlen instead of sizeof, event log for EV_EFI_ACTION string > > shall not include NUL terminator > include/efi_loader.h | 1 + > lib/efi_loader/efi_boottime.c | 5 +++ > lib/efi_loader/efi_tcg2.c | 70 +++++++++++++++++++++++++++++++++++ > 3 files changed, 76 insertions(+) > > diff --git a/include/efi_loader.h b/include/efi_loader.h > index 6f61e9faac..32cb8d0f1e 100644 > --- a/include/efi_loader.h > +++ b/include/efi_loader.h > @@ -499,6 +499,7 @@ efi_status_t efi_run_image(void *source_buffer, efi_= uintn_t source_size); > efi_status_t efi_init_variables(void); > /* Notify ExitBootServices() is called */ > void efi_variables_boot_exit_notify(void); > +efi_status_t efi_tcg2_notify_exit_boot_services_failed(void); > /* Measure efi application invocation */ > efi_status_t efi_tcg2_measure_efi_app_invocation(void); > /* Measure efi application exit */ > diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/efi_boottime= .c > index 13ab139222..b818cbb540 100644 > --- a/lib/efi_loader/efi_boottime.c > +++ b/lib/efi_loader/efi_boottime.c 
> @@ -2182,6 +2182,11 @@ static efi_status_t EFIAPI efi_exit_boot_services= (efi_handle_t image_handle, > efi_set_watchdog(0); > WATCHDOG_RESET(); > out: > + if (ret !=3D EFI_SUCCESS) { > + if (IS_ENABLED(CONFIG_EFI_TCG2_PROTOCOL)) > + efi_tcg2_notify_exit_boot_services_failed(); > + } > + > return EFI_EXIT(ret); > } > > diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c > index ed71337780..8557fce1da 100644 > --- a/lib/efi_loader/efi_tcg2.c > +++ b/lib/efi_loader/efi_tcg2.c 
> @@ -1506,6 +1506,67 @@ efi_status_t efi_tcg2_measure_efi_app_exit(void) > return ret; > } > > +/** > + * efi_tcg2_notify_exit_boot_services() - ExitBootService callback > + * > + * @event: callback event > + * @context: callback context > + */ > +static void Event notification functions must be of return type void EFIAPI to match the ABI used by the x86_64 in the UEFI API. I will fix this when merging. Best regards Heinrich > +efi_tcg2_notify_exit_boot_services(struct efi_event *event, void *conte= xt) > +{ > + efi_status_t ret; > + struct udevice *dev; > + > + EFI_ENTRY("%p, %p", event, context); > + > + ret =3D platform_get_tpm2_device(&dev); > + if (ret !=3D EFI_SUCCESS) > + goto out; > + > + ret =3D tcg2_measure_event(dev, 5, EV_EFI_ACTION, > + strlen(EFI_EXIT_BOOT_SERVICES_INVOCATION), > + (u8 *)EFI_EXIT_BOOT_SERVICES_INVOCATION); > + if (ret !=3D EFI_SUCCESS) > + goto out; > + > + ret =3D tcg2_measure_event(dev, 5, EV_EFI_ACTION, > + strlen(EFI_EXIT_BOOT_SERVICES_SUCCEEDED), > + (u8 *)EFI_EXIT_BOOT_SERVICES_SUCCEEDED); > + > +out: > + EFI_EXIT(ret); > +} > + > +/** > + * efi_tcg2_notify_exit_boot_services_failed() > + * - notify ExitBootServices() is failed > + * > + * Return: status code > + */ > +efi_status_t efi_tcg2_notify_exit_boot_services_failed(void) > +{ > + struct udevice *dev; > + efi_status_t ret; > + > + ret =3D platform_get_tpm2_device(&dev); > + if (ret !=3D EFI_SUCCESS) > + goto out; > + > + ret =3D tcg2_measure_event(dev, 5, EV_EFI_ACTION, > + strlen(EFI_EXIT_BOOT_SERVICES_INVOCATION), > + (u8 *)EFI_EXIT_BOOT_SERVICES_INVOCATION); > + if (ret !=3D EFI_SUCCESS) > + goto out; > + > + ret =3D tcg2_measure_event(dev, 5, EV_EFI_ACTION, > + strlen(EFI_EXIT_BOOT_SERVICES_FAILED), > + (u8 *)EFI_EXIT_BOOT_SERVICES_FAILED); > + > +out: > + return ret; > +} > + > /** > * tcg2_measure_secure_boot_variable() - measure secure boot variables > * 
> @@ -1584,6 +1645,7 @@ efi_status_t efi_tcg2_register(void) > { > efi_status_t ret =3D EFI_SUCCESS; > struct udevice *dev; > + struct efi_event *event; > > ret =3D platform_get_tpm2_device(&dev); > if (ret !=3D EFI_SUCCESS) { > @@ -1608,6 +1670,14 @@ efi_status_t efi_tcg2_register(void) > goto fail; > } > > + ret =3D efi_create_event(EVT_SIGNAL_EXIT_BOOT_SERVICES, TPL_CALLBACK, > + efi_tcg2_notify_exit_boot_services, NULL, > + NULL, &event); > + if (ret !=3D EFI_SUCCESS) { > + tcg2_uninit(); > + goto fail; > + } > + > ret =3D tcg2_measure_secure_boot_variable(dev); > if (ret !=3D EFI_SUCCESS) { > tcg2_uninit(); >
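Review bot: in the include/efi_loader.h hunk the new declaration "efi_status_t efi_tcg2_notify_exit_boot_services_failed(void);" is the only prototype in that block without the one-line comment its neighbours carry ("/* Notify ExitBootServices() is called */", "/* Measure efi application invocation */"); add a matching line such as "/* Measure that ExitBootServices() returned with failure */" above it so the header stays self-documenting.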
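Review bot: in the lib/efi_loader/efi_boottime.c hunk, the "out:" block of efi_exit_boot_services() discards the return value of efi_tcg2_notify_exit_boot_services_failed(), so a measurement that could not be recorded (no TPM device found, tcg2_measure_event() error) leaves no trace even though the event log is then missing an entry the PFP spec requires; either report it with log_warning() or add a comment stating that the status is deliberately ignored because ExitBootServices() is already returning an error. The two nested if statements can also be folded into one condition, "if (ret != EFI_SUCCESS && IS_ENABLED(CONFIG_EFI_TCG2_PROTOCOL))", which keeps the fall-through to "return EFI_EXIT(ret);" easier to read.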
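Review bot: in the first lib/efi_loader/efi_tcg2.c hunk, efi_tcg2_notify_exit_boot_services() and efi_tcg2_notify_exit_boot_services_failed() repeat the platform_get_tpm2_device() lookup and the EFI_EXIT_BOOT_SERVICES_INVOCATION measurement verbatim; a small static helper taking the final action string (EFI_EXIT_BOOT_SERVICES_SUCCEEDED or EFI_EXIT_BOOT_SERVICES_FAILED) would leave one copy to maintain, and the literal PCR index 5 passed to tcg2_measure_event() four times deserves a named constant. A comment in the callback would also help: "Exit Boot Services Returned with Success" is measured when the EVT_SIGNAL_EXIT_BOOT_SERVICES event fires, not when efi_exit_boot_services() actually returns, so a reader has to trust that nothing after the event notification can still fail; stating that invariant next to the second tcg2_measure_event() call makes it reviewable. The missing EFIAPI on the callback has already been noted above and is to be fixed on merge.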
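Review bot: in the efi_tcg2_register() hunks the event returned by efi_create_event() is kept only in the local variable "event" and is never closed on the error paths that follow it: when tcg2_measure_secure_boot_variable() fails the code calls tcg2_uninit() and jumps to "fail", but the EVT_SIGNAL_EXIT_BOOT_SERVICES callback stays registered and will still run efi_tcg2_notify_exit_boot_services() at ExitBootServices() even though TCG2 setup was abandoned (unless tcg2_uninit() removes it, which is not visible in this patch). Either store the event pointer in a static and remove it with efi_delete_event() from tcg2_uninit(), or create the event as the last step after tcg2_measure_secure_boot_variable() so that no later failure can leave it behind.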