[PATCH v2] efi_loader: check tcg2 protocol installation outside the TCG protocol

Heinrich Schuchardt xypron.glpk at gmx.de
Thu Nov 25 21:27:17 CET 2021


On 11/25/21 14:22, Ilias Apalodimas wrote:
> Hi Kojima-san,
>
> On Thu, Nov 25, 2021 at 08:36:28PM +0900, Masahisa Kojima wrote:
>> +/**
>
> [...]
>
>> + * is_tcg2_protocol_installed - chech whether tcg2 protocol is installed
>> + *
>> + * @Return: true if tcg2 protocol is installed, false if not
>> + */
>> +bool is_tcg2_protocol_installed(void)
>> +{
>> +	struct efi_handler *handler;
>> +	efi_status_t ret;
>> +
>> +	ret = efi_search_protocol(efi_root, &efi_guid_tcg2_protocol, &handler);
>> +	return ((ret == EFI_SUCCESS) ? true : false);
>> +}
>
> return ret == EFI_SUCCESS; is enough here.
>
>> +
>>   static u32 tcg_event_final_size(struct tpml_digest_values *digest_list)
>>   {
>>   	u32 len;
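Review bot: the kernel-doc comment for is_tcg2_protocol_installed() has a typo ("chech" for "check") and spells the return section "@Return:", which kernel-doc parses as a parameter description; the section marker is "Return:" without the "@". Suggest `* is_tcg2_protocol_installed() - check whether the TCG2 protocol is installed` and `* Return: true if the TCG2 protocol is installed, false otherwise`, and, as already noted above, `return ret == EFI_SUCCESS;` instead of the ternary. If the helper is only used inside this file it should also be declared static.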
>> @@ -962,6 +976,9 @@ efi_status_t tcg2_measure_pe_image(void *efi, u64 efi_size,
>>   	IMAGE_NT_HEADERS32 *nt;
>>   	struct efi_handler *handler;
>>
>> +	if (!is_tcg2_protocol_installed())
>> +		return EFI_NOT_READY;
>> +
>>   	ret = platform_get_tpm2_device(&dev);
>>   	if (ret != EFI_SUCCESS)
>>   		return ret;
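Review bot: the new early return makes tcg2_measure_pe_image() report EFI_NOT_READY when no TCG2 protocol is installed, but the hunk does not show how the caller handles that status; if the caller treats any non-EFI_SUCCESS return as a failed image load, a platform whose TCG2 protocol did not install would stop booting instead of merely skipping the measurement. Suggest documenting the new return value in the function's kernel-doc comment and confirming that the caller tolerates EFI_NOT_READY (or returning EFI_SUCCESS here if the intent is to silently skip measurement).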
>> @@ -2140,6 +2157,9 @@ efi_status_t efi_tcg2_measure_efi_app_invocation(struct efi_loaded_image_obj *ha
>>   	u32 event = 0;
>>   	struct smbios_entry *entry;
>>
>> +	if (!is_tcg2_protocol_installed())
>> +		return EFI_NOT_READY;
>> +
>>   	if (tcg2_efi_app_invoked)
>>   		return EFI_SUCCESS;
>>
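Review bot: the same three-line guard is now duplicated at the top of tcg2_measure_pe_image(), efi_tcg2_measure_efi_app_invocation() and efi_tcg2_measure_efi_app_exit(); consider folding the is_tcg2_protocol_installed() check into platform_get_tpm2_device(), which tcg2_measure_pe_image() already calls immediately after the guard, so that a single place decides whether measurement is possible. Also, placing the guard before the `if (tcg2_efi_app_invoked)` short-circuit means EFI_NOT_READY is returned on every call rather than only on the first; that is fine if callers ignore the status, but worth stating in the commit message.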
>> @@ -2190,6 +2210,9 @@ efi_status_t efi_tcg2_measure_efi_app_exit(void)
>>   	efi_status_t ret;
>>   	struct udevice *dev;
>>
>> +	if (!is_tcg2_protocol_installed())
>
> [...]
>
> Heinrich, this whole patch is needed because installing the tcg2 protocol
> always returns EFI_SUCCESS.  The reason is that some sandbox tests with
> sandbox_tpm used to fail.  Do you want to keep this, or perhaps just failing
> the boot now if the protocol fails to install is an option?

Which test failed?

We should consistently test the TCG2 protocol using swtpm both on QEMU
and on the sandbox. I am still waiting for Tom to apply

[U-BOOT-TEST-HOOKS,1/1] Enable TPMv2 emulation
https://patchwork.ozlabs.org/project/uboot/patch/20211115101106.36479-1-heinrich.schuchardt@canonical.com/

to move to that target.

Until then we can disable the tcg2 test or the TCG2 protocol on the sandbox.

Best regards

Heinrich

