[PATCH 4/6] tpm: add PCR allocate into the eventlog handling
Ilias Apalodimas
ilias.apalodimas at linaro.org
Thu Jan 16 14:03:48 CET 2025
On Wed, 15 Jan 2025 at 22:02, Raymond Mao <raymond.mao at linaro.org> wrote:
>
> Get eventlog bank mask when parsing the eventlog from previous
> boot stage and invoke PCR allocate function based on it.
> PCR allocate will proceed if any mismatches are observed among
> the active, supported and eventlog bank masks, to reconfigure
> the TPM with the proper algorithms and reboot the system.
>
> Signed-off-by: Raymond Mao <raymond.mao at linaro.org>
> ---
> lib/tpm_tcg2.c | 52 +++++++++++++++++---------------------------------
> 1 file changed, 17 insertions(+), 35 deletions(-)
>
> diff --git a/lib/tpm_tcg2.c b/lib/tpm_tcg2.c
> index 2d9076f091..fd84045d8b 100644
> --- a/lib/tpm_tcg2.c
> +++ b/lib/tpm_tcg2.c
> @@ -360,12 +360,12 @@ static int tcg2_replay_eventlog(struct tcg2_event_log *elog,
> return 0;
> }
>
> -static int tcg2_log_parse(struct udevice *dev, struct tcg2_event_log *elog)
> +static int tcg2_log_parse(struct udevice *dev, struct tcg2_event_log *elog,
> + u32 *log_active)
> {
> struct tpml_digest_values digest_list;
> struct tcg_efi_spec_id_event *event;
> struct tcg_pcr_event *log;
> - u32 log_active;
> u32 calc_size;
> u32 active;
> u32 count;
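Review bot: The new `log_active` out-parameter carries a contract that is not written down anywhere visible: it is populated with the mask of algorithms found in the log even when the function returns an error, and tcg2_log_prepare_buffer depends on exactly that to decide whether to jump to PCR allocation. A short comment above the signature would pin this, e.g. `/* @log_active: receives the bank mask recorded in the log; written even when -ERESTARTSYS is returned so the caller can reallocate PCRs */`. tcg2_log_parse continues past this hunk, and the same `log_active` handling appears in the two following hunks.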
> @@ -376,6 +376,8 @@ static int tcg2_log_parse(struct udevice *dev, struct tcg2_event_log *elog)
> int rc;
> u32 i;
>
> + *log_active = 0;
> +
> if (elog->log_size <= offsetof(struct tcg_pcr_event, event))
> return 0;
>
> @@ -421,7 +423,6 @@ static int tcg2_log_parse(struct udevice *dev, struct tcg2_event_log *elog)
> * algorithms, so just check the EvenLog against the TPM active ones.
> */
> digest_list.count = 0;
> - log_active = 0;
> for (i = 0; i < count; ++i) {
> algo = get_unaligned_le16(&event->digest_sizes[i].algorithm_id);
> mask = tcg2_algorithm_to_mask(algo);
> @@ -447,17 +448,15 @@ static int tcg2_log_parse(struct udevice *dev, struct tcg2_event_log *elog)
> algo);
> return -1;
> }
> - log_active |= mask;
> + *log_active |= mask;
> }
>
> rc = tcg2_get_active_pcr_banks(dev, &active);
> if (rc)
> return rc;
> /* If the EventLog and active algorithms don't match exit */
> - if (log_active != active) {
> - log_err("EventLog doesn't contain all active PCR banks\n");
> - return -1;
> - }
> + if (*log_active != active)
> + return -ERESTARTSYS;
>
> /* Read PCR0 to check if previous firmware extended the PCRs or not. */
> rc = tcg2_pcr_read(dev, 0, &digest_list);
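Review bot: The active-bank mismatch is now reported only as a bare `-ERESTARTSYS` and the `log_err()` that named the condition is gone, so when the caller cannot recover (it returns rc when `log_active` is 0) the failure surfaces with no diagnostic at all. Keep a message before the return, e.g. `log_debug("EventLog banks 0x%x != active 0x%x, PCR allocate needed\n", *log_active, active);`. Reusing -ERESTARTSYS as a "PCR reallocation required" signal is also non-obvious and deserves a one-line comment at the return, since any other -ERESTARTSYS propagated from deeper in this function would be misread by the caller as the same condition. tcg2_log_parse continues past this hunk.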
> @@ -554,43 +553,21 @@ int tcg2_log_prepare_buffer(struct udevice *dev, struct tcg2_event_log *elog,
> bool ignore_existing_log)
> {
> struct tcg2_event_log log;
> - int rc, i;
> + int rc;
> + u32 log_active = 0;
>
> elog->log_position = 0;
> elog->found = false;
>
> - /*
> - * Make sure U-Boot is compiled with all the active PCRs
> - * since we are about to create an EventLog and we won't
> - * measure anything if the PCR banks don't match
> - */
> - if (!tpm2_check_active_banks(dev)) {
> - log_err("Cannot create EventLog\n");
> - log_err("Mismatch between U-Boot and TPM hash algos\n");
> - log_info("TPM:\n");
> - tpm2_print_active_banks(dev);
> - log_info("U-Boot:\n");
> - for (i = 0; i < ARRAY_SIZE(hash_algo_list); i++) {
> - const struct digest_info *algo = &hash_algo_list[i];
> - const char *str;
> -
> - if (!algo->supported)
> - continue;
> -
> - str = tpm2_algorithm_name(algo->hash_alg);
> - if (str)
> - log_info("%s\n", str);
> - }
> - return -EINVAL;
> - }
> -
> rc = tcg2_platform_get_log(dev, (void **)&log.log, &log.log_size);
> if (!rc) {
> log.log_position = 0;
> log.found = false;
>
> if (!ignore_existing_log) {
> - rc = tcg2_log_parse(dev, &log);
> + rc = tcg2_log_parse(dev, &log, &log_active);
> + if (rc == -ERESTARTSYS && log_active)
> + goto pcr_allocate;
> if (rc)
> return rc;
> }
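Review bot: The `goto pcr_allocate` added at the `tcg2_log_parse()` call jumps over the code that copies the existing log into `elog` (between this hunk and the label hunk), so if `tpm2_pcr_allocate()` returns 0 without resetting the platform, the previously recorded events are silently discarded and `elog->found` stays false; presumably the allocate path always reboots, but that assumption should be stated at the label, e.g. `/* Reached by goto when the log's banks differ from the active ones: expects tpm2_pcr_allocate() to reset the platform on change */`. On the no-existing-log and `ignore_existing_log` paths `log_active` is still 0 when the label is reached by fall-through, so `tpm2_pcr_allocate(dev, 0)` must treat an empty mask as "no log constraint" — worth confirming against its definition, which is not in this patch. The removed `tpm2_check_active_banks()` block was the only visible guard that U-Boot supports every active bank before a fresh log is created, so that guarantee now rests entirely on tpm2_pcr_allocate(). tcg2_log_prepare_buffer continues past this hunk.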
> @@ -617,6 +594,11 @@ int tcg2_log_prepare_buffer(struct udevice *dev, struct tcg2_event_log *elog,
> elog->found = log.found;
> }
>
> +pcr_allocate:
> + rc = tpm2_pcr_allocate(dev, log_active);
> + if (rc)
> + return rc;
> +
> if (elog->found)
> return 0;
>
> --
> 2.25.1
>
With the naming changes on patch #3
Reviewed-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>