[v2][PATCH 1/3] efi_loader: Add check for event log passed from firmware
Masahisa Kojima
masahisa.kojima at linaro.org
Wed Nov 24 10:30:44 CET 2021
Hi Ruchika,
On Wed, 24 Nov 2021 at 18:12, Ruchika Gupta <ruchika.gupta at linaro.org> wrote:
>
> Hi Kojima-san,
>
> On Wed, 24 Nov 2021 at 13:08, Masahisa Kojima <masahisa.kojima at linaro.org> wrote:
>>
>> Hi Ruchika, Ilias,
>>
>> On Tue, 23 Nov 2021 at 20:53, Ruchika Gupta <ruchika.gupta at linaro.org> wrote:
>> >
>> > Platforms may have support to measure their initial firmware components
>> > and pass the event log to u-boot. The event log address can be passed
>> > in property tpm_event_log_addr and tpm_event_log_size of the tpm node.
>> > Platforms may choose their own specific mechanism to do so. A weak
>> > function is added to check if an event log has been passed to u-boot
>> > from earlier firmware components. If available, the eventlog is parsed
>> > to check for its correctness and further event logs are appended to the
>> > passed log.
>>
>> It implies that U-Boot is no longer s-crtm, so existing
>> efi_append_scrtm_version()
>> call shall be skipped in this case.
>
>
> Thanks for bringing this up. Is this a required event ? I don't see the TF-A appending this event to the log currently. I will need to go and check the spec for this.
Yes, TCG PC Client Platform Firmware Profile Specification[*1] page 29
says the following item must be measured.
---
3. The SRTM’s version identifier, using the event type
EV_S_CRTM_VERSION. See Section 10.4.1 Event Types.
---
[*1] https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/
Thanks,
Masahisa Kojima
>
> Regards,
> Ruchika
>
>>
>>
>> Thanks,
>> Masahisa Kojima
>>
>> >
>> > Signed-off-by: Ruchika Gupta <ruchika.gupta at linaro.org>
>> > ---
>> > v2:
>> > Moved firmware eventlog code parsing to tcg2_get_fw_eventlog()
>> >
>> > lib/efi_loader/efi_tcg2.c | 322 ++++++++++++++++++++++++++++++++++++--
>> > 1 file changed, 308 insertions(+), 14 deletions(-)
>> >
>> > diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
>> > index 8c1f22e337..c3ebdf92f5 100644
>> > --- a/lib/efi_loader/efi_tcg2.c
>> > +++ b/lib/efi_loader/efi_tcg2.c
>> > @@ -324,6 +324,45 @@ __weak efi_status_t platform_get_tpm2_device(struct udevice **dev)
>> > return EFI_NOT_FOUND;
>> > }
>> >
>> > +/**
>> > + * platform_get_eventlog() - retrieve the eventlog address and size
>> > + *
>> > + * This function retrieves the eventlog address and size if the underlying
>> > + * firmware has done some measurements and passed them.
>> > + *
>> > + * This function may be overridden based on platform specific method of
>> > + * passing the eventlog address and size.
>> > + *
>> > + * @dev: udevice
>> > + * @addr: eventlog address
>> > + * @sz: eventlog size
>> > + * Return: status code
>> > + */
>> > +__weak efi_status_t platform_get_eventlog(struct udevice *dev, u64 *addr,
>> > + u32 *sz)
>> > +{
>> > + const u64 *basep;
>> > + const u32 *sizep;
>> > +
>> > + basep = dev_read_prop(dev, "tpm_event_log_addr", NULL);
>> > + if (!basep)
>> > + return EFI_NOT_FOUND;
>> > +
>> > + *addr = be64_to_cpup((__force __be64 *)basep);
>> > +
>> > + sizep = dev_read_prop(dev, "tpm_event_log_size", NULL);
>> > + if (!sizep)
>> > + return EFI_NOT_FOUND;
>> > +
>> > + *sz = be32_to_cpup((__force __be32 *)sizep);
>> > + if (*sz == 0) {
>> > + log_debug("event log empty\n");
>> > + return EFI_NOT_FOUND;
>> > + }
>> > +
>> > + return EFI_SUCCESS;
>> > +}
>> > +
>> > /**
>> > * tpm2_get_max_command_size() - get the supported max command size
>> > *
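Review bot: Both dev_read_prop() calls in platform_get_eventlog() pass NULL as the length pointer, so a `tpm_event_log_addr` or `tpm_event_log_size` property shorter than 8 or 4 bytes is read past its end by be64_to_cpup()/be32_to_cpup(). Pass an `int len` and check it: `basep = dev_read_prop(dev, "tpm_event_log_addr", &len); if (!basep || len != sizeof(u64)) return EFI_NOT_FOUND;` and the same for the size property with `sizeof(u32)`. Writing `*addr` before the size lookup also leaves the caller's output half-updated when only the size property is missing; assigning both outputs after both reads have succeeded avoids that.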
>> > @@ -1181,6 +1220,249 @@ static const struct efi_tcg2_protocol efi_tcg2_protocol = {
>> > .get_result_of_set_active_pcr_banks = efi_tcg2_get_result_of_set_active_pcr_banks,
>> > };
>> >
>> > +/**
>> > + * parse_event_log_header() - Parse and verify the event log header fields
>> > + *
>> > + * @buffer: Pointer to the event header
>> > + * @size: Size of the eventlog
>> > + * @pos: Position in buffer after event log header
>> > + *
>> > + * Return: status code
>> > + */
>> > +efi_status_t parse_event_log_header(void *buffer, u32 size, u32 *pos)
>> > +{
>> > + struct tcg_pcr_event *event_header = (struct tcg_pcr_event *)buffer;
>> > + int i = 0;
>> > +
>> > + if (size < sizeof(*event_header))
>> > + return EFI_COMPROMISED_DATA;
>> > +
>> > + if (get_unaligned_le32(&event_header->pcr_index) != 0 ||
>> > + get_unaligned_le32(&event_header->event_type) != EV_NO_ACTION)
>> > + return EFI_COMPROMISED_DATA;
>> > +
>> > + for (i = 0; i < sizeof(event_header->digest); i++) {
>> > + if (event_header->digest[i] != 0)
>> > + return EFI_COMPROMISED_DATA;
>> > + }
>> > +
>> > + *pos += sizeof(*event_header);
>> > +
>> > + return EFI_SUCCESS;
>> > +}
>> > +
>> > +/**
>> > + * parse_specid_event() - Parse and verify the specID Event in the eventlog
>> > + *
>> > + * @dev: udevice
>> > + * @buffer: Pointer to the start of the eventlog
>> > + * @log_size: Size of the eventlog
>> > + * @pos: Offset in the evenlog where specID event starts
>> > + *
>> > + * Return: status code
>> > + * @pos Offset in the eventlog where the specID event ends
>> > + * @digest_list: list of digests in the event
>> > + */
>> > +efi_status_t parse_specid_event(struct udevice *dev, void *buffer, u32 log_size,
>> > + u32 *pos,
>> > + struct tpml_digest_values *digest_list)
>> > +{
>> > + struct tcg_efi_spec_id_event *spec_event;
>> > + struct tcg_pcr_event *event_header = (struct tcg_pcr_event *)buffer;
>> > + size_t spec_event_size;
>> > + u32 active = 0, supported = 0, pcr_count = 0, alg_count = 0;
>> > + u32 spec_active = 0;
>> > + u16 hash_alg, hash_sz;
>> > + u8 vendor_sz;
>> > + int err, i;
>> > +
>> > + /* Check specID event data */
>> > + spec_event = (struct tcg_efi_spec_id_event *)((uintptr_t)buffer + *pos);
>> > + /* Check for signature */
>> > + if (memcmp(spec_event->signature, TCG_EFI_SPEC_ID_EVENT_SIGNATURE_03,
>> > + sizeof(TCG_EFI_SPEC_ID_EVENT_SIGNATURE_03))) {
>> > + log_err("specID Event: Signature mismatch\n");
>> > + return EFI_COMPROMISED_DATA;
>> > + }
>> > +
>> > + if (spec_event->spec_version_minor !=
>> > + TCG_EFI_SPEC_ID_EVENT_SPEC_VERSION_MINOR_TPM2 ||
>> > + spec_event->spec_version_major !=
>> > + TCG_EFI_SPEC_ID_EVENT_SPEC_VERSION_MAJOR_TPM2)
>> > + return EFI_COMPROMISED_DATA;
>> > +
>> > + if (spec_event->number_of_algorithms > MAX_HASH_COUNT ||
>> > + spec_event->number_of_algorithms < 1) {
>> > + log_err("specID Event: Number of algorithms incorrect\n");
>> > + return EFI_COMPROMISED_DATA;
>> > + }
>> > +
>> > + alg_count = spec_event->number_of_algorithms;
>> > +
>> > + err = tpm2_get_pcr_info(dev, &supported, &active, &pcr_count);
>> > + if (err)
>> > + return EFI_DEVICE_ERROR;
>> > +
>> > + digest_list->count = 0;
>> > + /*
>> > + * We may need to worry about the order of algs in this structure as
>> > + * subsequent entries in event should be in same order
>> > + */
>> > + for (i = 0; i < alg_count; i++) {
>> > + hash_alg =
>> > + get_unaligned_le16(&spec_event->digest_sizes[i].algorithm_id);
>> > + hash_sz =
>> > + get_unaligned_le16(&spec_event->digest_sizes[i].digest_size);
>> > +
>> > + if (!(supported & alg_to_mask(hash_alg))) {
>> > + log_err("specID Event: Unsupported algorithm\n");
>> > + return EFI_COMPROMISED_DATA;
>> > + }
>> > + digest_list->digests[digest_list->count++].hash_alg = hash_alg;
>> > +
>> > + spec_active |= alg_to_mask(hash_alg);
>> > + }
>> > +
>> > + /* TCG spec expects the event log to have hashes for all active PCR's */
>> > + if (spec_active != active) {
>> > + /*
>> > + * Previous stage bootloader should know all the active PCR's
>> > + * and use them in the Eventlog.
>> > + */
>> > + log_err("specID Event: All active hash alg not present\n");
>> > + return EFI_COMPROMISED_DATA;
>> > + }
>> > +
>> > + /*
>> > + * the size of the spec event and placement of vendor_info_size
>> > + * depends on supported algoriths
>> > + */
>> > + spec_event_size =
>> > + offsetof(struct tcg_efi_spec_id_event, digest_sizes) +
>> > + alg_count * sizeof(spec_event->digest_sizes[0]);
>> > +
>> > + vendor_sz = *(uint8_t *)((uintptr_t)buffer + *pos + spec_event_size);
>> > +
>> > + spec_event_size += sizeof(vendor_sz) + vendor_sz;
>> > + *pos += spec_event_size;
>> > +
>> > + if (get_unaligned_le32(&event_header->event_size) != spec_event_size) {
>> > + log_err("specID event: header event size mismatch\n");
>> > + /* Right way to handle this can be to call SetActive PCR's */
>> > + return EFI_COMPROMISED_DATA;
>> > + }
>> > +
>> > + return EFI_SUCCESS;
>> > +}
>> > +
>> > +efi_status_t tcg2_parse_event(struct udevice *dev, void *buffer, u32 log_size,
>> > + u32 *offset, struct tpml_digest_values *digest_list,
>> > + u32 *pcr)
>> > +{
>> > + struct tcg_pcr_event2 *event = NULL;
>> > + u32 event_type, count, size, event_size;
>> > + size_t pos;
>> > +
>> > + if (*offset > log_size)
>> > + return EFI_COMPROMISED_DATA;
>> > +
>> > + event = (struct tcg_pcr_event2 *)((uintptr_t)buffer + *offset);
>> > +
>> > + *pcr = get_unaligned_le32(&event->pcr_index);
>> > +
>> > + event_size = tcg_event_final_size(digest_list);
>> > +
>> > + if (*offset + event_size > log_size) {
>> > + log_err("Event exceeds log size\n");
>> > + return EFI_COMPROMISED_DATA;
>> > + }
>> > +
>> > + event_type = get_unaligned_le32(&event->event_type);
>> > +
>> > + /* get the count */
>> > + count = get_unaligned_le32(&event->digests.count);
>> > + if (count != digest_list->count)
>> > + return EFI_COMPROMISED_DATA;
>> > +
>> > + pos = offsetof(struct tcg_pcr_event2, digests);
>> > + pos += offsetof(struct tpml_digest_values, digests);
>> > +
>> > + for (int i = 0; i < digest_list->count; i++) {
>> > + u16 alg;
>> > + u16 hash_alg = digest_list->digests[i].hash_alg;
>> > + u8 *digest = (u8 *)&digest_list->digests[i].digest;
>> > +
>> > + alg = get_unaligned_le16((void *)((uintptr_t)event + pos));
>> > +
>> > + if (alg != hash_alg)
>> > + return EFI_COMPROMISED_DATA;
>> > +
>> > + pos += offsetof(struct tpmt_ha, digest);
>> > + memcpy(digest, (void *)((uintptr_t)event + pos), alg_to_len(hash_alg));
>> > + pos += alg_to_len(hash_alg);
>> > + }
>> > +
>> > + size = get_unaligned_le32((void *)((uintptr_t)event + pos));
>> > + event_size += size;
>> > + pos += sizeof(u32); /* tcg_pcr_event2 event_size*/
>> > + pos += size;
>> > +
>> > + /* make sure the calculated buffer is what we checked against */
>> > + if (pos != event_size)
>> > + return EFI_COMPROMISED_DATA;
>> > +
>> > + if (pos > log_size)
>> > + return EFI_COMPROMISED_DATA;
>> > +
>> > + *offset += pos;
>> > +
>> > + return EFI_SUCCESS;
>> > +}
>> > +
>> > +efi_status_t tcg2_get_fw_eventlog(struct udevice *dev, void *log_buffer,
>> > + size_t *log_sz)
>> > +{
>> > + struct tpml_digest_values digest_list;
>> > + efi_status_t ret;
>> > + u32 pcr, pos;
>> > + u64 base;
>> > + u32 sz;
>> > +
>> > + ret = platform_get_eventlog(dev, &base, &sz);
>> > + if (ret == EFI_SUCCESS) {
>> > + void *buffer = (void *)base;
>> > +
>> > + if (sz > TPM2_EVENT_LOG_SIZE)
>> > + return EFI_VOLUME_FULL;
>> > +
>> > + pos = 0;
>> > + /* Parse the eventlog to check for its validity */
>> > + ret = parse_event_log_header(buffer, sz, &pos);
>> > + if (ret || pos > sz)
>> > + return EFI_COMPROMISED_DATA;
>> > +
>> > + ret = parse_specid_event(dev, buffer, sz, &pos, &digest_list);
>> > + if (ret || pos > sz) {
>> > + log_err("Error parsing SPEC ID Event\n");
>> > + return EFI_COMPROMISED_DATA;
>> > + }
>> > +
>> > + while (pos < sz) {
>> > + ret = tcg2_parse_event(dev, buffer, sz, &pos,
>> > + &digest_list, &pcr);
>> > + if (ret) {
>> > + log_err("Error parsing event\n");
>> > + return ret;
>> > + }
>> > + }
>> > +
>> > + memcpy(log_buffer, buffer, sz);
>> > + *log_sz = sz;
>> > + }
>> > +
>> > + return ret;
>> > +}
>> > +
>> > /**
>> > * create_specid_event() - Create the first event in the eventlog
>> > *
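Review bot: In tcg2_parse_event() the final bounds check `if (pos > log_size)` compares the length of one event against the whole log instead of its end offset, so an event whose `size` field runs past the log is accepted as long as it is shorter than the log itself; it should be `if (*offset + pos > log_size)` (pos is size_t, so the addition does not wrap in u32). parse_specid_event() has the same gap: it never uses its `log_size` parameter and reads the signature, version, `number_of_algorithms`, `digest_sizes[]` and `vendor_sz` from `buffer + *pos` without checking that they lie inside the log, which matters because this buffer comes from earlier firmware and is exactly the data this series sets out to validate. A check such as `if (*pos + offsetof(struct tcg_efi_spec_id_event, digest_sizes) > log_size) return EFI_COMPROMISED_DATA;` before the signature compare, and `if (*pos + spec_event_size + sizeof(vendor_sz) > log_size)` before `vendor_sz` is read, would close it. The other three functions in this hunk are added without `static` and without prototypes in a header; if they are only used inside efi_tcg2.c they should be `static`, otherwise declarations belong in the header.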
>> > @@ -1340,6 +1622,12 @@ static efi_status_t efi_init_event_log(void)
>> > * last log entry
>> > */
>> > memset(event_log.buffer, 0xff, TPM2_EVENT_LOG_SIZE);
>> > +
>> > + /*
>> > + * The log header is defined to be in SHA1 event log entry format.
>> > + * Setup event header
>> > + */
>> > + event_header = (struct tcg_pcr_event *)event_log.buffer;
>> > event_log.pos = 0;
>> > event_log.last_event_size = 0;
>> > event_log.get_event_called = false;
>> > @@ -1347,22 +1635,28 @@ static efi_status_t efi_init_event_log(void)
>> > event_log.truncated = false;
>> >
>> > /*
>> > - * The log header is defined to be in SHA1 event log entry format.
>> > - * Setup event header
>> > + * Check if earlier firmware have passed any eventlog. Different
>> > + * platforms can use different ways to do so
>> > */
>> > - event_header = (struct tcg_pcr_event *)event_log.buffer;
>> > - put_unaligned_le32(0, &event_header->pcr_index);
>> > - put_unaligned_le32(EV_NO_ACTION, &event_header->event_type);
>> > - memset(&event_header->digest, 0, sizeof(event_header->digest));
>> > - ret = create_specid_event(dev, (void *)((uintptr_t)event_log.buffer + sizeof(*event_header)),
>> > - &spec_event_size);
>> > - if (ret != EFI_SUCCESS)
>> > - goto free_pool;
>> > - put_unaligned_le32(spec_event_size, &event_header->event_size);
>> > - event_log.pos = spec_event_size + sizeof(*event_header);
>> > - event_log.last_event_size = event_log.pos;
>> > + ret = tcg2_get_fw_eventlog(dev, event_log.buffer, &event_log.pos);
>> > + if (ret == EFI_NOT_FOUND) {
>> > + put_unaligned_le32(0, &event_header->pcr_index);
>> > + put_unaligned_le32(EV_NO_ACTION, &event_header->event_type);
>> > + memset(&event_header->digest, 0, sizeof(event_header->digest));
>> > + ret = create_specid_event(dev,
>> > + (void *)((uintptr_t)event_log.buffer +
>> > + sizeof(*event_header)),
>> > + &spec_event_size);
>> > + if (ret != EFI_SUCCESS)
>> > + goto free_pool;
>> > + put_unaligned_le32(spec_event_size, &event_header->event_size);
>> > + event_log.pos = spec_event_size + sizeof(*event_header);
>> > + event_log.last_event_size = event_log.pos;
>> > + }
>> > +
>> > + if (ret == EFI_SUCCESS)
>> > + ret = create_final_event();
>> >
>> > - ret = create_final_event();
>> > if (ret != EFI_SUCCESS)
>> > goto free_pool;
>> >
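Review bot: On the path where tcg2_get_fw_eventlog() returns EFI_SUCCESS, `event_log.last_event_size` is left at the 0 assigned earlier in this function (visible in the previous hunk), whereas the handcrafted path sets it to the header plus specID event size; if the last-entry position reported to callers is derived from this field, a firmware-supplied log presumably yields a wrong last-entry pointer, which is worth confirming. tcg2_get_fw_eventlog() already walks every event, so it could hand back the size of the final event and this branch could assign `event_log.last_event_size` from it. Any status other than EFI_SUCCESS or EFI_NOT_FOUND (EFI_COMPROMISED_DATA, EFI_VOLUME_FULL, EFI_DEVICE_ERROR) now skips both the header setup and create_final_event() and reaches the `goto free_pool` below, which looks intended but deserves a comment such as `/* A firmware log that fails validation is fatal; do not fall back to a fresh log */`. efi_init_event_log() starts and ends outside this hunk.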
>> > --
>> > 2.25.1
>> >