[PATCH v3 3/3] efi_loader: add DeployedMode and AuditMode variable measurement

Heinrich Schuchardt xypron.glpk at gmx.de
Fri Oct 1 18:43:27 CEST 2021



On 10/1/21 13:18, Masahisa Kojima wrote:
> This commit adds the DeployedMode and AuditMode variable
> measurement required in TCG PC Client PFP Spec.
>
> Signed-off-by: Masahisa Kojima <masahisa.kojima at linaro.org>
> ---
>
> Changes in v3:
> - read variable first, then measure the variable
>
>   lib/efi_loader/efi_tcg2.c | 50 +++++++++++++++++++++++++++++++++++++++
>   1 file changed, 50 insertions(+)
>
> diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
> index 28e0362bf2..7fba4bc458 100644
> --- a/lib/efi_loader/efi_tcg2.c
> +++ b/lib/efi_loader/efi_tcg2.c
> @@ -12,6 +12,7 @@
>   #include <dm.h>
>   #include <efi_loader.h>
>   #include <efi_tcg2.h>
> +#include <efi_variable.h>
>   #include <log.h>
>   #include <malloc.h>
>   #include <smbios.h>
> @@ -1822,6 +1823,53 @@ out:
>   	return ret;
>   }
>
> +/**
> + * tcg2_measure_deployed_audit_mode() - measure deployedmode and auditmode
> + *
> + * @dev:	TPM device
> + *
> + * Return:	status code
> + */
> +static efi_status_t tcg2_measure_deployed_audit_mode(struct udevice *dev)
> +{
> +	u8 deployed_mode;
> +	u8 audit_mode;
> +	efi_uintn_t size;
> +	efi_status_t ret;
> +	u32 pcr_index;
> +
> +	size = sizeof(deployed_mode);
> +	ret = efi_get_variable_int(L"DeployedMode", &efi_global_variable_guid,
> +				   NULL, &size, &deployed_mode, NULL);
> +	if (ret != EFI_SUCCESS)
> +		return ret;
> +
> +	size = sizeof(audit_mode);
> +	ret = efi_get_variable_int(L"AuditMode", &efi_global_variable_guid,
> +				   NULL, &size, &audit_mode, NULL);
> +	if (ret != EFI_SUCCESS)
> +		return ret;
> +
> +	pcr_index = (deployed_mode ? 1 : 7);
> +
> +	ret = tcg2_measure_variable(dev, pcr_index,
> +				    EV_EFI_VARIABLE_DRIVER_CONFIG,
> +				    L"DeployedMode",
> +				    &efi_global_variable_guid,
> +				    size, &deployed_mode);
> +	if (ret != EFI_SUCCESS)
> +		return ret;
> +
> +
> +	ret = tcg2_measure_variable(dev, pcr_index,
> +				    EV_EFI_VARIABLE_DRIVER_CONFIG,
> +				    L"AuditMode",
> +				    &efi_global_variable_guid,
> +				    size, &audit_mode);
> +
> +	return ret;
> +}
> +
>   /**
>    * tcg2_measure_secure_boot_variable() - measure secure boot variables
>    *
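Review bot: `size` is shared by both reads in tcg2_measure_deployed_audit_mode(), so the DeployedMode event is logged with whatever length the later AuditMode read left in `size`. Both buffers are one `u8`, so the values coincide today, but the length recorded in a measurement should come from the variable being measured. Keep one size per variable, e.g. `efi_uintn_t deployed_size = sizeof(deployed_mode);` and `efi_uintn_t audit_size = sizeof(audit_mode);`, and pass each to its own tcg2_measure_variable() call. The line `pcr_index = (deployed_mode ? 1 : 7);` would also benefit from a comment such as `/* PCR index depends on DeployedMode, see TCG PC Client PFP Spec */`, since a verifier replaying the event log has to know which PCR to expect.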
> @@ -1885,6 +1933,8 @@ static efi_status_t tcg2_measure_secure_boot_variable(struct udevice *dev)
>   		free(data);
>   	}
>
> +	ret = tcg2_measure_deployed_audit_mode(dev);

You do the same thing four times. A loop is preferable.

Best regards

Heinrich

> +
>   error:
>   	return ret;
>   }
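Review bot: A missing DeployedMode or AuditMode variable becomes a failure of tcg2_measure_secure_boot_variable() here, because the helper returns the status of efi_get_variable_int() unchanged and this call assigns it straight to `ret` before `error:`. Whether both variables are guaranteed to exist at this point is not visible in the hunk. If they can be absent, either handle it explicitly, e.g. `if (ret == EFI_NOT_FOUND) ret = EFI_SUCCESS;`, or add a comment stating that aborting the measurement is intended. The body of tcg2_measure_secure_boot_variable() starts outside this hunk, so how callers treat the returned status should be checked as well.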
>

