[PATCH v2] efi_loader: tcg2: Return success even when TPM device is not found
Ilias Apalodimas
ilias.apalodimas at linaro.org
Mon Nov 29 17:50:59 CET 2021
Heinrich,
On Mon, 29 Nov 2021 at 18:41, Heinrich Schuchardt <xypron.glpk at gmx.de> wrote:
>
> On 11/29/21 15:55, Ilias Apalodimas wrote:
> > On Mon, 29 Nov 2021 at 16:26, Michal Simek <michal.simek at xilinx.com> wrote:
> >>
> >> For systems which have TPM support enabled but actual device is missing
> >> there is no reason to show a message that measurement failed in
> >> efi_load_pe(). To ensure that the patch is returning EFI_SUCCESS even for
> >> cases where TPM device is not found.
> >> The reason is that other parts of the code return also EFI_NOT_FOUND in
> >> tcg2_measure_pe_image() (e.g efi_search_protocol) that's why this error
> >> code can't be checked but still it needs to be reported.
> >>
> >> The same logic is also used in efi_tcg2_get_eventlog() added by
> >> commit c8d0fd582576 ("efi_loader: Introduce eventlog support for
> >> TCG2_PROTOCOL").
> >>
> >> Signed-off-by: Michal Simek <michal.simek at xilinx.com>
> >> ---
> >>
> >> Changes in v2:
> >> - Change subject and description
> >> - Change logic in different location
> >> - Origin thread was https://lore.kernel.org/r/657a869c04e9b09e3bd2e6fd74ff94320b7fbe9b.1638191161.git.michal.simek@xilinx.com
> >>
> >> lib/efi_loader/efi_tcg2.c | 3 ++-
> >> 1 file changed, 2 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
> >> index 8c1f22e3377b..db785f4d8c27 100644
> >> --- a/lib/efi_loader/efi_tcg2.c
> >> +++ b/lib/efi_loader/efi_tcg2.c
> >> @@ -888,7 +888,8 @@ efi_status_t tcg2_measure_pe_image(void *efi, u64 efi_size,
> >>
> >> ret = platform_get_tpm2_device(&dev);
> >> if (ret != EFI_SUCCESS)
> >> - return ret;
> >> + /* don't fail when TPM is not found */
> >> + return EFI_SUCCESS;
> >>
> >> switch (handle->image_type) {
> >> case IMAGE_SUBSYSTEM_EFI_APPLICATION:
> >> --
> >> 2.33.1
> >>
> >
> > Reviewed-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
> >
>
> This patch means:
>
> You can run some command that initializes the TCG2 protocol (e.g.
> debug_hd), then unbind the TPM, run a first EFI binary which diverts EFI
> API addresses, bind the TPM again and run the normal binary and nobody
> will see the first binary in boot measurement.
Why? What you describe is an issue with, or without this patch. The
code never stops if tcg2_measure_pe_image() fails. The only thing
this patch does is silence a print if a TPM device is not found.
Regards
/Ilias
>
> Best regards
>
> Heinrich
More information about the U-Boot
mailing list