[PATCH 3/3] efi_loader: add DeployedMode and AuditMode variable measurement
Masahisa Kojima
masahisa.kojima at linaro.org
Thu Sep 16 09:31:22 CEST 2021
Hi Heinrich,
On Thu, 16 Sept 2021 at 16:02, Heinrich Schuchardt <xypron.glpk at gmx.de> wrote:
>
>
>
> On 9/15/21 7:15 AM, Masahisa Kojima wrote:
> > This commit adds the DeployedMode and AuditMode variable
> > measurement required in TCG PC Client PFP Spec.
> >
> > Signed-off-by: Masahisa Kojima <masahisa.kojima at linaro.org>
> > ---
> > lib/efi_loader/efi_tcg2.c | 47 +++++++++++++++++++++++++++++++++++++++
> > 1 file changed, 47 insertions(+)
> >
> > diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
> > index 35810615ed..427d6e22b1 100644
> > --- a/lib/efi_loader/efi_tcg2.c
> > +++ b/lib/efi_loader/efi_tcg2.c
> > @@ -12,6 +12,7 @@
> > #include <dm.h>
> > #include <efi_loader.h>
> > #include <efi_tcg2.h>
> > +#include <efi_variable.h>
> > #include <log.h>
> > #include <malloc.h>
> > #include <smbios.h>
> > @@ -1828,6 +1829,50 @@ out:
> > return ret;
> > }
> >
> > +/**
> > + * tcg2_measure_deployed_audit_mode() - measure deployedmode and auditmode
> > + *
> > + * @dev: TPM device
> > + *
> > + * Return: status code
> > + */
> > +static efi_status_t tcg2_measure_deployed_audit_mode(struct udevice *dev)
> > +{
> > + u8 deployed_mode;
> > + u8 audit_mode;
> > + efi_uintn_t size;
> > + efi_status_t ret;
> > + u32 pcr_index;
> > +
> > + size = sizeof(deployed_mode);
> > + ret = efi_get_variable_int(L"DeployedMode", &efi_global_variable_guid,
> > + NULL, &size, &deployed_mode, NULL);
> > + if (ret != EFI_SUCCESS)
> > + return ret;
>
> Why should AuditMode not be measured if DeployedMode does not exist?
TCG spec says that PCR index is different depending on the DeployedMode value.
--- PCR[1]
If the system supports UEFI 2.5 or later and DeployedMode is enabled,
the following additional variables MUST
be measured into PCR[1]:
a. The DeployedMode variable value. The Event Type SHALL be
EV_EFI_VARIABLE_DRIVER_CONFIG and
the Event value shall be the value of the UEFI_VARIABLE data structure.
b. The AuditMode variable value. The Event Type SHALL be
EV_EFI_VARIABLE_DRIVER_CONFIG and the
Event value shall be the value of the UEFI_VARIABLE data structure.
---
--- PCR[7]
If the system supports UEFI 2.5 or later and DeployedMode is NOT
enabled, the following additional
variables MUST be measured into PCR[7]:
a. The contents of the AuditMode variable
b. The contents of the DeployedMode variable
---
If DeployedMode does not exist, we can not decide which PCR to be extended.
Thanks,
Masahisa Kojima
>
> Could we handle these variables in a loop over an array containing dbt
> and dbr reduce code duplication?
>
> Best regards
>
> Heinrich
>
> > +
> > + pcr_index = (deployed_mode ? 1 : 7);
> > +
> > + ret = tcg2_measure_variable(dev, pcr_index,
> > + EV_EFI_VARIABLE_DRIVER_CONFIG,
> > + L"DeployedMode",
> > + &efi_global_variable_guid,
> > + size, &deployed_mode);
> > +
> > + size = sizeof(audit_mode);
> > + ret = efi_get_variable_int(L"AuditMode", &efi_global_variable_guid,
> > + NULL, &size, &audit_mode, NULL);
> > + if (ret != EFI_SUCCESS)
> > + return ret;
> > +
> > + ret = tcg2_measure_variable(dev, pcr_index,
> > + EV_EFI_VARIABLE_DRIVER_CONFIG,
> > + L"AuditMode",
> > + &efi_global_variable_guid,
> > + size, &audit_mode);
> > +
> > + return ret;
> > +}
> > +
> > /**
> > * tcg2_measure_secure_boot_variable() - measure secure boot variables
> > *
> > @@ -1891,6 +1936,8 @@ static efi_status_t tcg2_measure_secure_boot_variable(struct udevice *dev)
> > free(data);
> > }
> >
> > + ret = tcg2_measure_deployed_audit_mode(dev);
> > +
> > error:
> > return ret;
> > }
> >
More information about the U-Boot
mailing list