[PATCH v2 4/6] tpm: add PCR allocate into the eventlog handling
Raymond Mao
raymond.mao at linaro.org
Fri Jan 17 17:40:27 CET 2025
Get eventlog bank mask when parsing the eventlog from previous
boot stage and invoke PCR allocate function based on it.
PCR allocate will be performed if any mismatches are observed among
the active, supported and eventlog bank masks, to reconfigure
the TPM with the proper algorithms and reboot the system.
Signed-off-by: Raymond Mao <raymond.mao at linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
---
changes in v2
- Replaced with the renamed API by patch 3/6.
lib/tpm_tcg2.c | 52 +++++++++++++++++---------------------------------
1 file changed, 17 insertions(+), 35 deletions(-)
diff --git a/lib/tpm_tcg2.c b/lib/tpm_tcg2.c
index 6425bf143a..6ac4237484 100644
--- a/lib/tpm_tcg2.c
+++ b/lib/tpm_tcg2.c
@@ -360,12 +360,12 @@ static int tcg2_replay_eventlog(struct tcg2_event_log *elog,
return 0;
}
-static int tcg2_log_parse(struct udevice *dev, struct tcg2_event_log *elog)
+static int tcg2_log_parse(struct udevice *dev, struct tcg2_event_log *elog,
+ u32 *log_active)
{
struct tpml_digest_values digest_list;
struct tcg_efi_spec_id_event *event;
struct tcg_pcr_event *log;
- u32 log_active;
u32 calc_size;
u32 active;
u32 count;
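Review bot: The new `log_active` out parameter on `tcg2_log_parse` is undocumented, and its contract is not obvious from the signature: the later hunks zero it before the early `return 0`, OR in one mask per recognised digest, and leave it populated when -ERESTARTSYS is returned. A short comment above the definition would keep the caller's `rc == -ERESTARTSYS && log_active` test understandable, e.g. `/* *log_active receives the OR of the PCR bank masks found in the EventLog (0 if no log is present); it stays valid when -ERESTARTSYS is returned for a bank mismatch. */`. The function body continues past this hunk.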
@@ -376,6 +376,8 @@ static int tcg2_log_parse(struct udevice *dev, struct tcg2_event_log *elog)
int rc;
u32 i;
+ *log_active = 0;
+
if (elog->log_size <= offsetof(struct tcg_pcr_event, event))
return 0;
@@ -421,7 +423,6 @@ static int tcg2_log_parse(struct udevice *dev, struct tcg2_event_log *elog)
* algorithms, so just check the EvenLog against the TPM active ones.
*/
digest_list.count = 0;
- log_active = 0;
for (i = 0; i < count; ++i) {
algo = get_unaligned_le16(&event->digest_sizes[i].algorithm_id);
mask = tcg2_algorithm_to_mask(algo);
@@ -447,17 +448,15 @@ static int tcg2_log_parse(struct udevice *dev, struct tcg2_event_log *elog)
algo);
return -1;
}
- log_active |= mask;
+ *log_active |= mask;
}
rc = tcg2_get_active_pcr_banks(dev, &active);
if (rc)
return rc;
/* If the EventLog and active algorithms don't match exit */
- if (log_active != active) {
- log_err("EventLog doesn't contain all active PCR banks\n");
- return -1;
- }
+ if (*log_active != active)
+ return -ERESTARTSYS;
/* Read PCR0 to check if previous firmware extended the PCRs or not. */
rc = tcg2_pcr_read(dev, 0, &digest_list);
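Review bot: The bank mismatch at `if (*log_active != active)` now returns -ERESTARTSYS with no diagnostic, whereas the removed branch logged the condition; since this return is what drives the caller to reallocate PCR banks and reboot, the decision should still be visible in the boot log for later analysis. Suggest `log_info("EventLog banks 0x%x differ from active banks 0x%x, reallocating\n", *log_active, active);` before the return. Note also that an EventLog whose digest loop sets no bits leaves `*log_active` at 0 and returns the same -ERESTARTSYS, which the caller then propagates as a hard error rather than as a mismatch; a dedicated error or an explicit check here would make that case clearer. tcg2_log_parse continues outside the hunk.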
@@ -554,43 +553,21 @@ int tcg2_log_prepare_buffer(struct udevice *dev, struct tcg2_event_log *elog,
bool ignore_existing_log)
{
struct tcg2_event_log log;
- int rc, i;
+ int rc;
+ u32 log_active = 0;
elog->log_position = 0;
elog->found = false;
- /*
- * Make sure U-Boot is compiled with all the active PCRs
- * since we are about to create an EventLog and we won't
- * measure anything if the PCR banks don't match
- */
- if (!tpm2_check_active_banks(dev)) {
- log_err("Cannot create EventLog\n");
- log_err("Mismatch between U-Boot and TPM hash algos\n");
- log_info("TPM:\n");
- tpm2_print_active_banks(dev);
- log_info("U-Boot:\n");
- for (i = 0; i < ARRAY_SIZE(hash_algo_list); i++) {
- const struct digest_info *algo = &hash_algo_list[i];
- const char *str;
-
- if (!algo->supported)
- continue;
-
- str = tpm2_algorithm_name(algo->hash_alg);
- if (str)
- log_info("%s\n", str);
- }
- return -EINVAL;
- }
-
rc = tcg2_platform_get_log(dev, (void **)&log.log, &log.log_size);
if (!rc) {
log.log_position = 0;
log.found = false;
if (!ignore_existing_log) {
- rc = tcg2_log_parse(dev, &log);
+ rc = tcg2_log_parse(dev, &log, &log_active);
+ if (rc == -ERESTARTSYS && log_active)
+ goto pcr_allocate;
if (rc)
return rc;
}
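Review bot: `goto pcr_allocate` jumps over the code that copies the discovered log into `elog` (including `elog->found = log.found` in the next hunk), so the previous-stage log is dropped rather than replayed on this path; that is only correct if `tpm2_activate_banks` always resets the platform, which cannot be confirmed from this hunk. If it can return 0 without a reset, `tcg2_log_prepare_buffer` continues with `elog->found` false and creates a fresh log despite a valid one existing. Suggest documenting the assumption at the jump, `/* Bank mismatch: reallocate PCRs; the platform is expected to reset, so the existing log is not replayed */`, or re-parsing after a successful activation if a reset is not guaranteed. tcg2_log_prepare_buffer ends outside this hunk.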
@@ -617,6 +594,11 @@ int tcg2_log_prepare_buffer(struct udevice *dev, struct tcg2_event_log *elog,
elog->found = log.found;
}
+pcr_allocate:
+ rc = tpm2_activate_banks(dev, log_active);
+ if (rc)
+ return rc;
+
/*
* Initialize the log buffer if no log was discovered and the buffer is
* valid. User's can pass in their own buffer as a fallback if no
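Review bot: `tpm2_activate_banks(dev, log_active)` at the new `pcr_allocate:` label is reached on every path, including those where no prior log was found or `ignore_existing_log` was set, so it is called with a zero mask; whether the helper treats 0 as "no EventLog constraint" or as "activate nothing" is not visible here and the latter would deactivate all banks. Since the mask otherwise originates from a log written by an earlier boot stage, a comment stating the intended zero-mask semantics would help reviewers, e.g. `/* log_active == 0: no EventLog was parsed; tpm2_activate_banks must then fall back to the TPM's own bank selection (confirm) */`. The function continues past this hunk.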
--
2.25.1