[PATCH v2] efi_loader: check tcg2 protocol installation outside the TCG protocol

Heinrich Schuchardt xypron.glpk at gmx.de
Fri Nov 26 00:45:32 CET 2021


On 11/25/21 21:40, Ilias Apalodimas wrote:
> Hi Heinrich,
>
> [...]
>
>>>>    	u32 len;
>>>> @@ -962,6 +976,9 @@ efi_status_t tcg2_measure_pe_image(void *efi, u64 efi_size,
>>>>    	IMAGE_NT_HEADERS32 *nt;
>>>>    	struct efi_handler *handler;
>>>>
>>>> +	if (!is_tcg2_protocol_installed())
>>>> +		return EFI_NOT_READY;
>>>> +
>>>>    	ret = platform_get_tpm2_device(&dev);
>>>>    	if (ret != EFI_SUCCESS)
>>>>    		return ret;
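
Review bot: the early `return EFI_NOT_READY` placed ahead of `platform_get_tpm2_device(&dev)` in tcg2_measure_pe_image() gives callers a status that means "no measurement was made", not "measurement failed", and nothing in the hunk documents that distinction. Please describe the new return value in the function's comment block and confirm how the callers treat it, so that an image is neither run unmeasured without notice nor rejected on systems where the protocol was never installed.
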
>>>> @@ -2140,6 +2157,9 @@ efi_status_t efi_tcg2_measure_efi_app_invocation(struct efi_loaded_image_obj *ha
>>>>    	u32 event = 0;
>>>>    	struct smbios_entry *entry;
>>>>
>>>> +	if (!is_tcg2_protocol_installed())
>>>> +		return EFI_NOT_READY;
>>>> +
>>>>    	if (tcg2_efi_app_invoked)
>>>>    		return EFI_SUCCESS;
>>>>
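
Review bot: in efi_tcg2_measure_efi_app_invocation() the new guard is evaluated before the `if (tcg2_efi_app_invoked)` check, so with no protocol installed every call returns EFI_NOT_READY and the flag is never consulted. If that ordering is intended, a one-line comment would make it clear. The same three-line guard is also pasted into tcg2_measure_pe_image() and efi_tcg2_measure_efi_app_exit(); a shared early-exit helper would keep the three entry points from drifting apart.
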
>>>> @@ -2190,6 +2210,9 @@ efi_status_t efi_tcg2_measure_efi_app_exit(void)
>>>>    	efi_status_t ret;
>>>>    	struct udevice *dev;
>>>>
>>>> +	if (!is_tcg2_protocol_installed())
>>>
>>> [...]
>>>
>>> Heinrich, this whole patch is needed because installing the tcg2 protocol
>>> always returns EFI_SUCCESS.  The reason is that some sandbox tests with
>>> sandbox_tpm used to fail.  Do you want to keep this or perhaps just failing
>>> the boot now if the protocol fails to install is an option?
>>
>> Which test failed?
>
> It's been a while, but if my memory serves me correctly, during the
> protocol installation we need to call:
> efi_init_event_log() -> create_specid_event() -> tpm2_get_pcr_info() ->
> tpm2_get_capability().
>
> That get_capability call wasn't supported in sandbox.  So the result was
> EFI TCG2 stopping the boot process.  Simon did fix a few things on sandbox
> since then, but I can't remember if capabilities was one of them.
>
>>
>> We should consistently test the TCG2 protocol using swtpm both on QEMU
>> and on the sandbox. I am still waiting for Tom to apply
>>
>> [U-BOOT-TEST-HOOKS,1/1] Enable TPMv2 emulation
>> https://patchwork.ozlabs.org/project/uboot/patch/20211115101106.36479-1-heinrich.schuchardt@canonical.com/
>>
>> to move to that target.
>>
>> Until then we can disable the tcg2 test or the TCG2 protocol on the sandbox.
>
> That would be fine by me.  Not stopping the boot on failures introduces the
> need for patches like this.  So you suggest we drop this and just fail the
> boot ?

If the sandbox makes problems due to its incomplete TPM emulation I
would suggest:

diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index 700dc838dd..201a0d62e2 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -307,7 +307,7 @@ config EFI_RNG_PROTOCOL
  config EFI_TCG2_PROTOCOL
         bool "EFI_TCG2_PROTOCOL support"
         default y
-       depends on TPM_V2
+       depends on TPM_V2 && !SANDBOX
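
Review bot: the `!SANDBOX` term added to the `depends on` line carries no comment or help text marking it as a temporary workaround for the sandbox's incomplete TPM emulation, so the planned revert is easy to lose track of. Suggest a short comment above the line that names the swtpm dependency. This also removes EFI_TCG2_PROTOCOL from sandbox builds entirely, so the measurement code gets no sandbox test coverage until the change is reverted.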

We can revert such a change once swtpm can be used to provide a tpm
emulation for the sandbox.

Best regards

Heinrich

