[PATCH 1/5] efi_loader: increase eventlog buffer size

Heinrich Schuchardt xypron.glpk at gmx.de
Thu Jul 15 16:33:40 CEST 2021


On 7/15/21 2:57 PM, Simon Glass wrote:
> Hi Ilias,
>
> On Thu, 15 Jul 2021 at 00:20, Ilias Apalodimas
> <ilias.apalodimas at linaro.org> wrote:
>>
>> On Wed, Jul 14, 2021 at 08:52:07AM -0600, Simon Glass wrote:
>>> Hi Ilias,
>>>
>>> On Mon, 12 Jul 2021 at 03:28, Ilias Apalodimas
>>> <ilias.apalodimas at linaro.org> wrote:
>>>>
>>>> On Mon, 12 Jul 2021 at 11:40, Masahisa Kojima
>>>> <masahisa.kojima at linaro.org> wrote:
>>>>>
>>>>> Hi Simon,
>>>>>
>>>>> On Sun, 11 Jul 2021 at 09:01, Simon Glass <sjg at chromium.org> wrote:
>>>>>>
>>>>>> Hi Masahisa,
>>>>>>
>>>>>> On Wed, 7 Jul 2021 at 20:21, Masahisa Kojima <masahisa.kojima at linaro.org> wrote:
>>>>>>>
>>>>>>> On Wed, 7 Jul 2021 at 22:47, Heinrich Schuchardt <xypron.glpk at gmx.de> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On 7/7/21 3:36 PM, Masahisa Kojima wrote:
>>>>>>>>> This is a preparation to add eventlog support
>>>>>>>>> described in TCG PC Client PFP spec.
>>>>>>>>>
>>>>>>>>> Signed-off-by: Masahisa Kojima <masahisa.kojima at linaro.org>
>>>>>>>>> ---
>>>>>>>>>    lib/efi_loader/Kconfig | 2 +-
>>>>>>>>>    1 file changed, 1 insertion(+), 1 deletion(-)
>>>>>>>>>
>>>>>>>>> diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
>>>>>>>>> index b2ab48a048..a87bf3cc98 100644
>>>>>>>>> --- a/lib/efi_loader/Kconfig
>>>>>>>>> +++ b/lib/efi_loader/Kconfig
>>>>>>>>> @@ -327,7 +327,7 @@ config EFI_TCG2_PROTOCOL
>>>>>>>>>    config EFI_TCG2_PROTOCOL_EVENTLOG_SIZE
>>>>>>>>>        int "EFI_TCG2_PROTOCOL EventLog size"
>>>>>>>>>        depends on EFI_TCG2_PROTOCOL
>>>>>>>>> -     default 4096
>>>>>>>>> +     default 16384
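Review bot: the new "default 16384" for EFI_TCG2_PROTOCOL_EVENTLOG_SIZE comes with no sizing rationale, and the commit message only says this is preparation for the eventlog support in the TCG PC Client PFP spec. Please state in the commit message or the option's help text what the unit is and how the value was derived (which events are expected and roughly how large they are). The value is also still below the 64KB minimum that the replies in this thread quote from EDK II and the TCG spec, so it is worth saying why a smaller default is acceptable, or raising it. Since the option is a plain "int", a "range" lower bound would keep a configuration from selecting a value below whatever minimum you settle on.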
>>>>>>>>
>>>>>>>> I found this text in EDK II:
>>>>>>>>
>>>>>>>> Minimum length(in bytes) of the system preboot TCG event log area(LAML)
>>>>>>>> -----------------------------------------------------------------------
>>>>>>>>
>>>>>>>> For PC Client Implementation spec up to and including 1.2 the minimum
>>>>>>>> log size is 64KB. (SecurityPkg/SecurityPkg.dec)
>>>>>>>
>>>>>>> Thank you for your feedback.
>>>>>>> I have not checked this.
>>>>>>> TCG spec also says "The Log Area Minimum Length for the TCG event log
>>>>>>> MUST be at least 64KB." in ACPI chapter.
>>>>>>> I will update to set 64KB as default.
>>>>>>>
>>>>>>
>>>>>> Is this the same as the BLOBLISTT_TPM2_TCG_LOG thing? If so, can we
>>>>>> put this in the bloblist? We want to avoid adding code in EFI which is
>>>>>> in U-Boot.
>>>>>
>>>>> I think bloblist is used for data passing from SPL/TPL to u-boot.
>>>>> Is your comment saying that the eventlog generated
>>>>> in u-boot(done in efi_tcg2.c with this patch series) should be appended
>>>>> into the buffer pointed by BLOBLISTT_TPM2_TCG_LOG blob?
>>>>>
>>>>
>>>> Even in that case the eventlog can't be appended.  The TCG eventlog
>>>> should be copied into EFI memory, since the kernel expects to find it
>>>> there.
>>>
>>> Typically bloblist is relocated by U-Boot. There are lots of tables
>>> that must be passed to linux, including ACPI and SMBIOS. With bloblist
>>> they can all be in one place.
>>
>>
>> The eventlog must be allocated in EFI memory though.
>
> There is really only one memory in U-Boot. I feel that all stuff that
> EFI passes on to linux should be in a single bloblist.

We should follow existing standards and not invent our own. Linux
is not the only OS booted via U-Boot.

Best regards

Heinrich

>
>>
>>>
>>>> What we could do is copy the contents of that buffer to the eventlog.
>>>> Depending on what that buffer already has (e.g. the starting header of
>>>> the eventlog), we might need to strip it from the efi_tcg.c code.
>>>
>>> I'm not really sure, but the eventlog is not just an EFI thing, right?
>>> The code should be generic.
>>
>> It's purely an EFI construct.  Specifically the entire spec, and even the log
>> format for the eventlog are described in
>> https://trustedcomputinggroup.org/wp-content/uploads/EFI-Protocol-Specification-rev13-160330final.pdf
>
> For some reason I have seen this in ACPI, or something similar.
> Perhaps I was getting confused.
>
> We need to find ways to implement EFI things with generic code. I'm
> not 100% sure about this particular thing, but since we already create
> something similar with ACPI I think we should at least look at doing
> it in one place.
>
> Regards,
> Simon
>


