[PATCH v2] efi_loader: tcg2: Return success even when TPM device is not found

Ilias Apalodimas ilias.apalodimas at linaro.org
Mon Nov 29 21:46:25 CET 2021


On Mon, 29 Nov 2021 at 18:50, Ilias Apalodimas
<ilias.apalodimas at linaro.org> wrote:
>
> Heinrich,
>
> On Mon, 29 Nov 2021 at 18:41, Heinrich Schuchardt <xypron.glpk at gmx.de> wrote:
> >
> > On 11/29/21 15:55, Ilias Apalodimas wrote:
> > > On Mon, 29 Nov 2021 at 16:26, Michal Simek <michal.simek at xilinx.com> wrote:
> > >>
> > >> For systems which have TPM support enabled but the actual device is missing
> > >> there is no reason to show a message that measurement failed in
> > >> efi_load_pe(). To ensure that, the patch returns EFI_SUCCESS even for
> > >> cases where the TPM device is not found.
> > >> The reason is that other parts of the code also return EFI_NOT_FOUND in
> > >> tcg2_measure_pe_image() (e.g. efi_search_protocol), which is why this error
> > >> code can't be checked, but it still needs to be reported.
> > >>
> > >> The same logic is also used in efi_tcg2_get_eventlog() added by
> > >> commit c8d0fd582576 ("efi_loader: Introduce eventlog support for
> > >> TCG2_PROTOCOL").
> > >>
> > >> Signed-off-by: Michal Simek <michal.simek at xilinx.com>
> > >> ---
> > >>
> > >> Changes in v2:
> > >> - Change subject and description
> > >> - Change logic in different location
> > >> - Original thread was https://lore.kernel.org/r/657a869c04e9b09e3bd2e6fd74ff94320b7fbe9b.1638191161.git.michal.simek@xilinx.com
> > >>
> > >>   lib/efi_loader/efi_tcg2.c | 3 ++-
> > >>   1 file changed, 2 insertions(+), 1 deletion(-)
> > >>
> > >> diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
> > >> index 8c1f22e3377b..db785f4d8c27 100644
> > >> --- a/lib/efi_loader/efi_tcg2.c
> > >> +++ b/lib/efi_loader/efi_tcg2.c
> > >> @@ -888,7 +888,8 @@ efi_status_t tcg2_measure_pe_image(void *efi, u64 efi_size,
> > >>
> > >>          ret = platform_get_tpm2_device(&dev);
> > >>          if (ret != EFI_SUCCESS)
> > >> -               return ret;
> > >> +               /* don't fail when TPM is not found */
> > >> +               return EFI_SUCCESS;
> > >>
> > >>          switch (handle->image_type) {
> > >>          case IMAGE_SUBSYSTEM_EFI_APPLICATION:
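Review bot: at `return EFI_SUCCESS;` the hunk swallows every non-success status from platform_get_tpm2_device(), not only the not-found case the comment names, and nothing is logged before returning even though the commit message says the condition "still needs to be reported". Suggest keeping the early return only for the absent-device case, propagating other errors, and emitting at least a debug-level message (e.g. `log_debug("no TPM device, skipping measurement\n");`) so that an image loaded while the TPM is unbound does not go silently unmeasured; the comment should then state which statuses are being treated as success.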
> > >> --
> > >> 2.33.1
> > >>
> > >
> > > Reviewed-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
> > >
> >
> > This patch means:
> >
> > You can run some command that initializes the TCG2 protocol (e.g.
> > debug_hd), then unbind the TPM, run a first EFI binary which diverts EFI
> > API addresses, bind the TPM again and run the normal binary and nobody
> > will see the first binary in boot measurement.
>
> Why?  What you describe is an issue with or without this patch.  The
> code never stops if tcg2_measure_pe_image() fails.  The only thing
> this patch does is silence a print if a TPM device is not found.
>

But tbh we can sort out Heinrich's concern while not printing that
error message.  I'll come up with a patch shortly.


Cheers
/Ilias
> Regards
> /Ilias
>
> >
> > Best regards
> >
> > Heinrich
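The scenario Heinrich describes (initialise TCG2, unbind the TPM, load a binary, rebind, load the normal one) and the commit message's point that EFI_NOT_FOUND alone cannot tell "no TPM" from "measurement failed" can be replayed with a small model. The following is an added example, not U-Boot code and not code from this thread: platform_get_tpm2_device() is replaced by a mock toggled by a `tpm_bound` flag, the EFI status values are chosen for the example, and `measure_latched` is an assumed alternative policy (remember that a TPM was used once; treat a later disappearance as an error, a never-present TPM as a quiet skip), not something the patch or the project implements.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Mock EFI status codes; the numeric values are chosen for this example. */
typedef unsigned long efi_status_t;
#define EFI_SUCCESS      0UL
#define EFI_DEVICE_ERROR 7UL
#define EFI_NOT_FOUND    14UL

/* Simulated platform state: is a TPM currently bound? (mock) */
static bool tpm_bound;

/* Simulated TCG2 event log: names of images that were measured. */
#define MAX_EVENTS 8
static const char *event_log[MAX_EVENTS];
static size_t event_count;

/* Stand-in for platform_get_tpm2_device(); hypothetical mock. */
static efi_status_t platform_get_tpm2_device_mock(void)
{
	return tpm_bound ? EFI_SUCCESS : EFI_NOT_FOUND;
}

static void log_event(const char *name)
{
	if (event_count < MAX_EVENTS)
		event_log[event_count++] = name;
}

/* Was an image with this name measured during the last scenario run? */
bool logged(const char *name)
{
	for (size_t i = 0; i < event_count; i++)
		if (strcmp(event_log[i], name) == 0)
			return true;
	return false;
}

/* Policy A: the patched behaviour, return EFI_SUCCESS when no TPM. */
efi_status_t measure_skip_when_absent(const char *image)
{
	if (platform_get_tpm2_device_mock() != EFI_SUCCESS)
		return EFI_SUCCESS;	/* image is silently left unmeasured */
	log_event(image);
	return EFI_SUCCESS;
}

/* Policy B (assumption, not U-Boot code): latch the fact that a TPM was
 * used once; a later disappearance is an error, a never-present TPM is
 * still a quiet skip. */
static bool tpm_seen;
efi_status_t measure_latched(const char *image)
{
	if (platform_get_tpm2_device_mock() != EFI_SUCCESS)
		return tpm_seen ? EFI_DEVICE_ERROR : EFI_SUCCESS;
	tpm_seen = true;
	log_event(image);
	return EFI_SUCCESS;
}

struct scenario_result {
	size_t events;			/* entries in the event log */
	efi_status_t unbound_status;	/* status for the image loaded while unbound */
};

/* Replay the thread's scenario: TPM present, unbind, load, rebind, load. */
struct scenario_result scenario(efi_status_t (*measure)(const char *))
{
	struct scenario_result r;

	event_count = 0;
	tpm_seen = false;
	tpm_bound = true;
	measure("init-app");		/* whatever first initialised TCG2 */
	tpm_bound = false;
	r.unbound_status = measure("diverting-shim");	/* constructed name */
	tpm_bound = true;
	measure("normal-os");
	r.events = event_count;
	return r;
}
```

With policy A the run ends with two log entries and EFI_SUCCESS for the image loaded while the TPM was unbound, so nothing in the log or the return value records that "diverting-shim" ran. Policy B returns EFI_DEVICE_ERROR for that image instead; since, as noted above, efi_load_pe() does not currently stop on a measurement failure, the caller would still have to act on that status for the distinction to matter.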

