[PATCH v8 3/3] efi_loader: add PE/COFF image measurement

Heinrich Schuchardt xypron.glpk at gmx.de
Tue May 25 14:57:21 CEST 2021


On 14.05.21 02:53, Masahisa Kojima wrote:
> "TCG PC Client Platform Firmware Profile Specification"
> requires to measure every attempt to load and execute
> a OS Loader(a UEFI application) into PCR[4].
> This commit adds the PE/COFF image measurement, extends PCR,
> and appends measurement into Event Log.
>
> Acked-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
> Tested-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
> Signed-off-by: Masahisa Kojima <masahisa.kojima at linaro.org>
> ---
>
> (no changes since v7)
>
> Changes in v7:
> - include hash-checksum.h instead of rsa.h
> - select HASH_CALCULATE in Kconfig, not to update lib/Makefile
> - rebased the base code
>
> Changes in v6:
> - update lib/Makefile to add hash-checksum.c as a compilation target
>
> (no changes since v2)
>
> Changes in v2:
> - Remove duplicate <efi.h> include
> - Remove unnecessary __packed attribute
> - Add all EV_EFI_* event definition
> - Create common function to prepare 8-byte aligned image
> - Add measurement for EV_EFI_BOOT_SERVICES_DRIVER and
>   EV_EFI_RUNTIME_SERVICES_DRIVER
> - Use efi_search_protocol() to get device_path
> - Add function comment
>
>  include/efi_loader.h              |   6 +
>  include/efi_tcg2.h                |   9 ++
>  include/tpm-v2.h                  |  18 +++
>  lib/efi_loader/Kconfig            |   1 +
>  lib/efi_loader/efi_image_loader.c |  59 +++++++--
>  lib/efi_loader/efi_tcg2.c         | 207 ++++++++++++++++++++++++++++--
>  6 files changed, 276 insertions(+), 24 deletions(-)
>
> diff --git a/include/efi_loader.h b/include/efi_loader.h
> index de1a496a97..9f2854a255 100644
> --- a/include/efi_loader.h
> +++ b/include/efi_loader.h
> @@ -426,6 +426,10 @@ efi_status_t efi_disk_register(void);
>  efi_status_t efi_rng_register(void);
>  /* Called by efi_init_obj_list() to install EFI_TCG2_PROTOCOL */
>  efi_status_t efi_tcg2_register(void);
> +/* measure the pe-coff image, extend PCR and add Event Log */
> +efi_status_t tcg2_measure_pe_image(void *efi, u64 efi_size,
> +				   struct efi_loaded_image_obj *handle,
> +				   struct efi_loaded_image *loaded_image_info);
>  /* Create handles and protocols for the partitions of a block device */
>  int efi_disk_create_partitions(efi_handle_t parent, struct blk_desc *desc,
>  			       const char *if_typename, int diskid,
> @@ -847,6 +851,8 @@ bool efi_secure_boot_enabled(void);
>
>  bool efi_capsule_auth_enabled(void);
>
> +void *efi_prepare_aligned_image(void *efi, u64 *efi_size, void **new_efi);
> +
>  bool efi_image_parse(void *efi, size_t len, struct efi_image_regions **regp,
>  		     WIN_CERTIFICATE **auth, size_t *auth_len);
>
> diff --git a/include/efi_tcg2.h b/include/efi_tcg2.h
> index 40e241ce31..bcfb98168a 100644
> --- a/include/efi_tcg2.h
> +++ b/include/efi_tcg2.h
> @@ -9,6 +9,7 @@
>  #if !defined _EFI_TCG2_PROTOCOL_H_
>  #define _EFI_TCG2_PROTOCOL_H_
>
> +#include <efi_api.h>
>  #include <tpm-v2.h>
>
>  #define EFI_TCG2_PROTOCOL_GUID \
> @@ -53,6 +54,14 @@ struct efi_tcg2_event {
>  	u8 event[];
>  } __packed;
>
> +struct uefi_image_load_event {
> +	efi_physical_addr_t image_location_in_memory;
> +	u64 image_length_in_memory;
> +	u64 image_link_time_address;
> +	u64 length_of_device_path;
> +	struct efi_device_path device_path[];
> +};
> +
>  struct efi_tcg2_boot_service_capability {
>  	u8 size;
>  	struct efi_tcg2_version structure_version;
> diff --git a/include/tpm-v2.h b/include/tpm-v2.h
> index 7de7d6a57d..247b386967 100644
> --- a/include/tpm-v2.h
> +++ b/include/tpm-v2.h
> @@ -70,6 +70,24 @@ struct udevice;
>  #define EV_TABLE_OF_DEVICES		((u32)0x0000000B)
>  #define EV_COMPACT_HASH			((u32)0x0000000C)
>
> +/*
> + * event types, cf.
> + * "TCG PC Client Platform Firmware Profile Specification", Family "2.0"
> + * rev 1.04, June 3, 2019
> + */
> +#define EV_EFI_EVENT_BASE			((u32)0x80000000)
> +#define EV_EFI_VARIABLE_DRIVER_CONFIG		((u32)0x80000001)
> +#define EV_EFI_VARIABLE_BOOT			((u32)0x80000002)
> +#define EV_EFI_BOOT_SERVICES_APPLICATION	((u32)0x80000003)
> +#define EV_EFI_BOOT_SERVICES_DRIVER		((u32)0x80000004)
> +#define EV_EFI_RUNTIME_SERVICES_DRIVER		((u32)0x80000005)
> +#define EV_EFI_GPT_EVENT			((u32)0x80000006)
> +#define EV_EFI_ACTION				((u32)0x80000007)
> +#define EV_EFI_PLATFORM_FIRMWARE_BLOB		((u32)0x80000008)
> +#define EV_EFI_HANDOFF_TABLES			((u32)0x80000009)
> +#define EV_EFI_HCRTM_EVENT			((u32)0x80000010)
> +#define EV_EFI_VARIABLE_AUTHORITY		((u32)0x800000E0)
> +
>  /* TPMS_TAGGED_PROPERTY Structure */
>  struct tpms_tagged_property {
>  	u32 property;
> diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
> index 98845b8ba3..0e6200fa25 100644
> --- a/lib/efi_loader/Kconfig
> +++ b/lib/efi_loader/Kconfig
> @@ -309,6 +309,7 @@ config EFI_TCG2_PROTOCOL
>  	select SHA512_ALGO
>  	select SHA384
>  	select SHA512
> +	select HASH_CALCULATE
>  	help
>  	  Provide a EFI_TCG2_PROTOCOL implementation using the TPM hardware
>  	  of the platform.
> diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c
> index fe1ee198e2..f37a85e56e 100644
> --- a/lib/efi_loader/efi_image_loader.c
> +++ b/lib/efi_loader/efi_image_loader.c
> @@ -302,6 +302,40 @@ static int cmp_pe_section(const void *arg1, const void *arg2)
>  		return 1;
>  }
>
> +/**
> + * efi_prepare_aligned_image() - prepare 8-byte aligned image
> + * @efi:		pointer to the EFI binary
> + * @efi_size:		size of @efi binary
> + * @new_efi:		pointer to the newly allocated image
> + *
> + * If @efi is not 8-byte aligned, this function newly allocates
> + * the image buffer and updates @efi_size.
> + *
> + * Return:	valid pointer to a image, return NULL if allocation fails.
> + */
> +void *efi_prepare_aligned_image(void *efi, u64 *efi_size, void **new_efi)
> +{
> +	size_t new_efi_size;
> +	void *p;
> +
> +	/*
> +	 * Size must be 8-byte aligned and the trailing bytes must be
> +	 * zero'ed. Otherwise hash value may be incorrect.
> +	 */
> +	if (!IS_ALIGNED(*efi_size, 8)) {

Why don't you unconditionally copy to a new buffer? Then the caller can
free the return value unconditionally.

> +		new_efi_size = ALIGN(*efi_size, 8);
> +		p = calloc(new_efi_size, 1);
> +		if (!p)
> +			return NULL;
> +		memcpy(p, efi, *efi_size);
> +		*efi_size = new_efi_size;
> +		*new_efi = p;
> +		return p;
> +	} else {
> +		return efi;
> +	}
> +}
> +
>  /**
>   * efi_image_parse() - parse a PE image
>   * @efi:	Pointer to image
> @@ -561,7 +595,7 @@ static bool efi_image_authenticate(void *efi, size_t efi_size)
>  	struct efi_signature_store *db = NULL, *dbx = NULL;
>  	void *new_efi = NULL;
>  	u8 *auth, *wincerts_end;
> -	size_t new_efi_size, auth_size;
> +	size_t auth_size;
>  	bool ret = false;
>
>  	EFI_PRINT("%s: Enter, %d\n", __func__, ret);
> @@ -569,19 +603,9 @@ static bool efi_image_authenticate(void *efi, size_t efi_size)
>  	if (!efi_secure_boot_enabled())
>  		return true;
>
> -	/*
> -	 * Size must be 8-byte aligned and the trailing bytes must be
> -	 * zero'ed. Otherwise hash value may be incorrect.
> -	 */
> -	if (efi_size & 0x7) {
> -		new_efi_size = (efi_size + 0x7) & ~0x7ULL;
> -		new_efi = calloc(new_efi_size, 1);
> -		if (!new_efi)
> -			return false;
> -		memcpy(new_efi, efi, efi_size);
> -		efi = new_efi;
> -		efi_size = new_efi_size;
> -	}
> +	efi = efi_prepare_aligned_image(efi, (u64 *)&efi_size, &new_efi);
> +	if (!efi)
> +		return false;
>
>  	if (!efi_image_parse(efi, efi_size, &regs, &wincerts,
>  			     &wincerts_len)) {
> @@ -891,6 +915,13 @@ efi_status_t efi_load_pe(struct efi_loaded_image_obj *handle,
>  		goto err;
>  	}
>
> +#if CONFIG_IS_ENABLED(EFI_TCG2_PROTOCOL)
> +	/* Measure an PE/COFF image */
> +	if (tcg2_measure_pe_image(efi, efi_size, handle,
> +				  loaded_image_info))
> +		log_err("PE image measurement failed\n");
> +#endif
> +
>  	/* Copy PE headers */
>  	memcpy(efi_reloc, efi,
>  	       sizeof(*dos)
> diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
> index c8616bf31e..316eaf572b 100644
> --- a/lib/efi_loader/efi_tcg2.c
> +++ b/lib/efi_loader/efi_tcg2.c
> @@ -13,8 +13,10 @@
>  #include <efi_loader.h>
>  #include <efi_tcg2.h>
>  #include <log.h>
> +#include <malloc.h>
>  #include <version.h>
>  #include <tpm-v2.h>
> +#include <u-boot/hash-checksum.h>
>  #include <u-boot/sha1.h>
>  #include <u-boot/sha256.h>
>  #include <u-boot/sha512.h>
> @@ -706,6 +708,183 @@ out:
>  	return EFI_EXIT(ret);
>  }
>
> +/**
> + * tcg2_hash_pe_image() - calculate PE/COFF image hash
> + *
> + * @efi:		pointer to the EFI binary
> + * @efi_size:		size of @efi binary
> + * @digest_list:	list of digest algorithms to extend
> + *
> + * Return:	status code
> + */
> +static efi_status_t tcg2_hash_pe_image(void *efi, u64 efi_size,
> +				       struct tpml_digest_values *digest_list)
> +{
> +	WIN_CERTIFICATE *wincerts = NULL;
> +	size_t wincerts_len;
> +	struct efi_image_regions *regs = NULL;
> +	void *new_efi = NULL;
> +	u8 hash[TPM2_SHA512_DIGEST_SIZE];
> +	efi_status_t ret;
> +	u32 active;
> +	int i;
> +
> +	efi = efi_prepare_aligned_image(efi, &efi_size, &new_efi);
> +	if (!efi)
> +		return EFI_OUT_OF_RESOURCES;
> +
> +	if (!efi_image_parse(efi, efi_size, &regs, &wincerts,
> +			     &wincerts_len)) {
> +		log_err("Parsing PE executable image failed\n");
> +		ret = EFI_INVALID_PARAMETER;
> +		goto out;
> +	}
> +
> +	ret = __get_active_pcr_banks(&active);
> +	if (ret != EFI_SUCCESS) {
> +		ret = EFI_DEVICE_ERROR;
> +		goto out;
> +	}
> +
> +	digest_list->count = 0;
> +	for (i = 0; i < MAX_HASH_COUNT; i++) {
> +		u16 hash_alg = hash_algo_list[i].hash_alg;
> +
> +		if (!(active & alg_to_mask(hash_alg)))
> +			continue;
> +		switch (hash_alg) {
> +		case TPM2_ALG_SHA1:
> +			hash_calculate("sha1", regs->reg, regs->num, hash);
> +			break;
> +		case TPM2_ALG_SHA256:
> +			hash_calculate("sha256", regs->reg, regs->num, hash);
> +			break;
> +		case TPM2_ALG_SHA384:
> +			hash_calculate("sha384", regs->reg, regs->num, hash);
> +			break;
> +		case TPM2_ALG_SHA512:
> +			hash_calculate("sha512", regs->reg, regs->num, hash);
> +			break;
> +		default:
> +			EFI_PRINT("Unsupported algorithm %x\n", hash_alg);
> +			return EFI_INVALID_PARAMETER;
> +		}
> +		digest_list->digests[i].hash_alg = hash_alg;
> +		memcpy(&digest_list->digests[i].digest, hash, (u32)alg_to_len(hash_alg));
> +		digest_list->count++;
> +	}
> +
> +out:
> +	free(new_efi);

new_efi may be a buffer allocated with calloc() in
efi_prepare_aligned_image() or it may be a buffer passed by an EFI
application to LoadImage(). You must not free() memory that was never
allocated via calloc() or malloc().

Best regards

Heinrich

> +	free(regs);
> +
> +	return ret;
> +}
> +
> +/**
> + * tcg2_measure_pe_image() - measure PE/COFF image
> + *
> + * @efi:		pointer to the EFI binary
> + * @efi_size:		size of @efi binary
> + * @handle:		loaded image handle
> + * @loaded_image:	loaded image protocol
> + *
> + * Return:	status code
> + */
> +efi_status_t tcg2_measure_pe_image(void *efi, u64 efi_size,
> +				   struct efi_loaded_image_obj *handle,
> +				   struct efi_loaded_image *loaded_image)
> +{
> +	struct tpml_digest_values digest_list;
> +	efi_status_t ret;
> +	struct udevice *dev;
> +	u32 pcr_index, event_type, event_size;
> +	struct uefi_image_load_event *image_load_event;
> +	struct efi_device_path *device_path;
> +	u32 device_path_length;
> +	IMAGE_DOS_HEADER *dos;
> +	IMAGE_NT_HEADERS32 *nt;
> +	struct efi_handler *handler;
> +
> +	ret = platform_get_tpm2_device(&dev);
> +	if (ret != EFI_SUCCESS)
> +		return ret;
> +
> +	switch (handle->image_type) {
> +	case IMAGE_SUBSYSTEM_EFI_APPLICATION:
> +		pcr_index = 4;
> +		event_type = EV_EFI_BOOT_SERVICES_APPLICATION;
> +		break;
> +	case IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER:
> +		pcr_index = 2;
> +		event_type = EV_EFI_BOOT_SERVICES_DRIVER;
> +		break;
> +	case IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER:
> +		pcr_index = 2;
> +		event_type = EV_EFI_RUNTIME_SERVICES_DRIVER;
> +		break;
> +	default:
> +		return EFI_UNSUPPORTED;
> +	}
> +
> +	ret = tcg2_hash_pe_image(efi, efi_size, &digest_list);
> +	if (ret != EFI_SUCCESS)
> +		return ret;
> +
> +	ret = tcg2_pcr_extend(dev, pcr_index, &digest_list);
> +	if (ret != EFI_SUCCESS)
> +		return ret;
> +
> +	ret = EFI_CALL(efi_search_protocol(&handle->header,
> +					   &efi_guid_loaded_image_device_path,
> +					   &handler));
> +	if (ret != EFI_SUCCESS)
> +		return ret;
> +
> +	device_path = EFI_CALL(handler->protocol_interface);
> +	device_path_length = efi_dp_size(device_path);
> +	if (device_path_length > 0) {
> +		/* add end node size */
> +		device_path_length += sizeof(struct efi_device_path);
> +	}
> +	event_size = sizeof(struct uefi_image_load_event) + device_path_length;
> +	image_load_event = (struct uefi_image_load_event *)malloc(event_size);
> +	if (!image_load_event)
> +		return EFI_OUT_OF_RESOURCES;
> +
> +	image_load_event->image_location_in_memory = (efi_physical_addr_t)efi;
> +	image_load_event->image_length_in_memory = efi_size;
> +	image_load_event->length_of_device_path = device_path_length;
> +
> +	dos = (IMAGE_DOS_HEADER *)efi;
> +	nt = (IMAGE_NT_HEADERS32 *)(efi + dos->e_lfanew);
> +	if (nt->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) {
> +		IMAGE_NT_HEADERS64 *nt64 = (IMAGE_NT_HEADERS64 *)nt;
> +
> +		image_load_event->image_link_time_address =
> +				nt64->OptionalHeader.ImageBase;
> +	} else if (nt->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
> +		image_load_event->image_link_time_address =
> +				nt->OptionalHeader.ImageBase;
> +	} else {
> +		ret = EFI_INVALID_PARAMETER;
> +		goto out;
> +	}
> +
> +	if (device_path_length > 0) {
> +		memcpy(image_load_event->device_path, device_path,
> +		       device_path_length);
> +	}
> +
> +	ret = tcg2_agile_log_append(pcr_index, event_type, &digest_list,
> +				    event_size, (u8 *)image_load_event);
> +
> +out:
> +	free(image_load_event);
> +
> +	return ret;
> +}
> +
>  /**
>   * efi_tcg2_hash_log_extend_event() - extend and optionally log events
>   *
> @@ -758,24 +937,32 @@ efi_tcg2_hash_log_extend_event(struct efi_tcg2_protocol *this, u64 flags,
>  	/*
>  	 * if PE_COFF_IMAGE is set we need to make sure the image is not
>  	 * corrupted, verify it and hash the PE/COFF image in accordance with
> -	 * the  procedure  specified  in  "Calculating  the  PE  Image  Hash"
> -	 * section  of the "Windows Authenticode Portable Executable Signature
> +	 * the procedure specified in "Calculating the PE Image Hash"
> +	 * section of the "Windows Authenticode Portable Executable Signature
>  	 * Format"
> -	 * Not supported for now
>  	 */
>  	if (flags & PE_COFF_IMAGE) {
> -		ret = EFI_UNSUPPORTED;
> -		goto out;
> -	}
> +		IMAGE_NT_HEADERS32 *nt;
>
> -	pcr_index = efi_tcg_event->header.pcr_index;
> -	event_type = efi_tcg_event->header.event_type;
> +		ret = efi_check_pe((void *)data_to_hash, data_to_hash_len,
> +				   (void **)&nt);
> +		if (ret != EFI_SUCCESS) {
> +			log_err("Not a valid PE-COFF file\n");
> +			goto out;
> +		}
> +		ret = tcg2_hash_pe_image((void *)data_to_hash, data_to_hash_len,
> +					 &digest_list);
> +	} else {
> +		ret = tcg2_create_digest((u8 *)(uintptr_t)data_to_hash,
> +					 data_to_hash_len, &digest_list);
> +	}
>
> -	ret = tcg2_create_digest((u8 *)(uintptr_t)data_to_hash,
> -				 data_to_hash_len, &digest_list);
>  	if (ret != EFI_SUCCESS)
>  		goto out;
>
> +	pcr_index = efi_tcg_event->header.pcr_index;
> +	event_type = efi_tcg_event->header.event_type;
> +
>  	ret = tcg2_pcr_extend(dev, pcr_index, &digest_list);
>  	if (ret != EFI_SUCCESS)
>  		goto out;
>



More information about the U-Boot mailing list