[PATCH v2] efi_loader: check tcg2 protocol installation outside the TCG protocol

Ilias Apalodimas ilias.apalodimas at linaro.org
Thu Nov 25 21:40:56 CET 2021


Hi Heinrich,

[...]

> > >   	u32 len;
> > > @@ -962,6 +976,9 @@ efi_status_t tcg2_measure_pe_image(void *efi, u64 efi_size,
> > >   	IMAGE_NT_HEADERS32 *nt;
> > >   	struct efi_handler *handler;
> > > 
> > > +	if (!is_tcg2_protocol_installed())
> > > +		return EFI_NOT_READY;
> > > +
> > >   	ret = platform_get_tpm2_device(&dev);
> > >   	if (ret != EFI_SUCCESS)
> > >   		return ret;
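
Review bot: the early return added at the top of tcg2_measure_pe_image() introduces EFI_NOT_READY as a new status, and a caller that treats any status other than EFI_SUCCESS as fatal will now refuse to load the image rather than continue unmeasured. Please check the call site against that, add the new value to the function's description, and log a message on this path so an image that ran without being measured leaves a trace.
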
> > > @@ -2140,6 +2157,9 @@ efi_status_t efi_tcg2_measure_efi_app_invocation(struct efi_loaded_image_obj *ha
> > >   	u32 event = 0;
> > >   	struct smbios_entry *entry;
> > > 
> > > +	if (!is_tcg2_protocol_installed())
> > > +		return EFI_NOT_READY;
> > > +
> > >   	if (tcg2_efi_app_invoked)
> > >   		return EFI_SUCCESS;
> > > 
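
Review bot: in efi_tcg2_measure_efi_app_invocation() the guard sits ahead of the "if (tcg2_efi_app_invoked)" test, so the function now has two paths that do nothing but report different status codes: EFI_NOT_READY when the protocol is missing and EFI_SUCCESS when the measurement was already taken. If a missing protocol is not supposed to block the application launch, returning EFI_SUCCESS for the skipped case keeps the caller unchanged; if the caller is expected to tell the two apart, say so in the function comment.
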
> > > @@ -2190,6 +2210,9 @@ efi_status_t efi_tcg2_measure_efi_app_exit(void)
> > >   	efi_status_t ret;
> > >   	struct udevice *dev;
> > > 
> > > +	if (!is_tcg2_protocol_installed())
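
Review bot: this is the third copy of the same "if (!is_tcg2_protocol_installed())" guard in the hunks quoted here, which means every measurement entry point has to remember to carry it, and one added later without it will go on to the TPM device lookup as before. Consider making the check once, in a small wrapper or at the call sites, so it cannot be missed.
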
> > 
> > [...]
> > 
> > Heinrich, this whole patch is needed because installing the tcg2 protocol
> > always returns EFI_SUCCESS.  The reason is that some sandbox tests with
> > sandbox_tpm used to fail.  Do you want to keep this or perhaps just failing
> > the boot now if the protocol fails to install is an option?
> 
> Which test failed?

It's been a while, but if my memory serves me correctly, during the
protocol installation we need to call: 
efi_init_event_log() -> create_specid_event() -> tpm2_get_pcr_info() ->
tpm2_get_capability().

That get_capability call wasn't supported in sandbox.  So the result was
EFI TCG2 stopping the boot process.  Simon did fix a few things on sandbox
since then, but I can't remember if capabilities was one of them.

> 
> We should consistently test the TCG2 protocol using swtpm both on QEMU
> and on the sandbox. I am still waiting for Tom to apply
> 
> [U-BOOT-TEST-HOOKS,1/1] Enable TPMv2 emulation
> https://patchwork.ozlabs.org/project/uboot/patch/20211115101106.36479-1-heinrich.schuchardt@canonical.com/
> 
> to move to that target.
> 
> Until then we can disable the tcg2 test or the TCG2 protocol on the sandbox.

That would be fine by me.  Not stopping the boot on failures introduces the
need for patches like this.  So you suggest we drop this and just fail the
boot?

Thanks
/Ilias
> 
> Best regards
> 
> Heinrich