[PATCH v2] efi_loader: tcg2: Return success even when TPM device is not found
Heinrich Schuchardt
xypron.glpk at gmx.de
Mon Nov 29 17:41:46 CET 2021
On 11/29/21 15:55, Ilias Apalodimas wrote:
> On Mon, 29 Nov 2021 at 16:26, Michal Simek <michal.simek at xilinx.com> wrote:
>>
>> For systems which have TPM support enabled but actual device is missing
>> there is no reason to show a message that measurement failed in
>> efi_load_pe(). To ensure that the patch is returning EFI_SUCCESS even for
>> cases where TPM device is not found.
>> The reason is that other parts of the code return also EFI_NOT_FOUND in
>> tcg2_measure_pe_image() (e.g efi_search_protocol) that's why this error
>> code can't be checked but still it needs to be reported.
>>
>> The same logic is also used in efi_tcg2_get_eventlog() added by
>> commit c8d0fd582576 ("efi_loader: Introduce eventlog support for
>> TCG2_PROTOCOL").
>>
>> Signed-off-by: Michal Simek <michal.simek at xilinx.com>
>> ---
>>
>> Changes in v2:
>> - Change subject and description
>> - Change logic in different location
>> - Origin thread was https://lore.kernel.org/r/657a869c04e9b09e3bd2e6fd74ff94320b7fbe9b.1638191161.git.michal.simek@xilinx.com
>>
>> lib/efi_loader/efi_tcg2.c | 3 ++-
>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
>> index 8c1f22e3377b..db785f4d8c27 100644
>> --- a/lib/efi_loader/efi_tcg2.c
>> +++ b/lib/efi_loader/efi_tcg2.c
>> @@ -888,7 +888,8 @@ efi_status_t tcg2_measure_pe_image(void *efi, u64 efi_size,
>>
>> ret = platform_get_tpm2_device(&dev);
>> if (ret != EFI_SUCCESS)
>> - return ret;
>> + /* don't fail when TPM is not found */
>> + return EFI_SUCCESS;
>>
>> switch (handle->image_type) {
>> case IMAGE_SUBSYSTEM_EFI_APPLICATION:
>> --
>> 2.33.1
>>
>
> Reviewed-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
>
This patch means:
You can run some command that initializes the TCG2 protocol (e.g.
debug_hd), then unbind the TPM, run a first EFI binary which diverts EFI
API addresses, bind the TPM again and run the normal binary and nobody
will see the first binary in boot measurement.
Best regards
Heinrich
More information about the U-Boot
mailing list