Received: by 2002:a25:86ce:0:0:0:0:0 with SMTP id y14csp727398ybm; Tue, 21 May 2019 02:29:10 -0700 (PDT) X-Google-Smtp-Source: APXvYqxifQAocdn4k8h90tY+zUhanlWqzCD8xN7ywvLg5pLwoXiz5ztqTBMqWxNbSDhQsyoMS+EN X-Received: by 2002:a65:66d9:: with SMTP id c25mr17910821pgw.122.1558430950076; Tue, 21 May 2019 02:29:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1558430950; cv=none; d=google.com; s=arc-20160816; b=NuRjwuhoXIIUU0jk9z0qzAyOktPeAB2gpTuu8XW6ovn45FTa/x9iOGX28WC6uzJgwJ i6I8ncHbvU3UQLBWC3GxQgVFX3uQFrcJgIYW2LUsOjGANGPuHZEqJSQqZhpBY5DjoeMW HrKosJBvETNoRzZ8fd9hbWSJyDPm2YLsv3y9Zx5eihk68gEv92u0eY4QigN3UECthG5S 670n//a30m3nIWYDF7DY5fzhvPY6IrFdDeRkvRnYP5QOq8xmscXHUGdrK8nEz3t0qt0o CzRMCwcWjrrhI6xJiCDf742JXmNZKjGtqbFs/cqOnACtKPD6pHJ0IR+oXHGDZi5mJ7wf 2OUA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=ePk/LAdsqK2QuSF3FET//AcaRKkYpEyvxNQW6KJ/bws=; b=rrGvTcL7GPfQjbpPnBRUHzEZf+1GtrJ3Q0NbLydNNMExRL4sM22dx0+13UWkai6TxN LizDEuaNdwLVCZ6ysV5qPdvkREOoto0xcSe9vFxtg82rPRdthlUeJ9choqq21DLd5erx XgZC/tWy8HN2uWb//tAgdgtwlrPRoQH4K+rLGTyXu6BrGQRdW+YEn+1nMRna3ofnLhhA A8TBi+fOqgQGCzBrf2dTBQNGJP+DjtWfB5SDbSrWzq2h72ukBtmpnCRAwqsmHMolGWdZ V8tVBa60lQz0ulDvaD6KbB1x6svC1M2bHTe+u9NalBVunktl/m0MiTYKx6lizkeL3UdK bFuA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=oSrZMjgc; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t5si19019553pgv.164.2019.05.21.02.28.54; Tue, 21 May 2019 02:29:10 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=oSrZMjgc; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727478AbfEUJ1H (ORCPT + 99 others); Tue, 21 May 2019 05:27:07 -0400 Received: from mail-it1-f193.google.com ([209.85.166.193]:40896 "EHLO mail-it1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726242AbfEUJ1H (ORCPT ); Tue, 21 May 2019 05:27:07 -0400 Received: by mail-it1-f193.google.com with SMTP id h11so3583630itf.5 for ; Tue, 21 May 2019 02:27:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ePk/LAdsqK2QuSF3FET//AcaRKkYpEyvxNQW6KJ/bws=; b=oSrZMjgc40gkhwPG8kTuosCy4j5ESU04gGMKEkf0GdmeFvHK4617JT9UO0kpDMR5gR uOOnaRMEo13PaYAcntSMUfDsO1tftEMx2SVH5dtzwRZ6vgOQwW0dr9gzzaB+ujwg7opd EPsT8G/RATkTcL1c7CiIhGloBHzUHmXsJDqGH3EQpqcRSaCVptPNybSR1iHnJ/mx8mc0 8cTMvG0bjaeLH4g0Q70Mkv8lduNWi0dpP5bZde1ZDfkWa387tqtnscASrXXL6f3EJLYp m0CkwcY5hKt2oJ3XDt9Y+DI5948LulMyWhWGXZiF3SEzx3gpL2tmcsTVHMETUZL+D9FD A+aQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ePk/LAdsqK2QuSF3FET//AcaRKkYpEyvxNQW6KJ/bws=; b=HFcZ9ydcVa7l9NpdfDTV1zzA0K+RAN4KidSkIkDLYf8VpndAgUfJGWb61CZysS4PgS nbQlw/9LGa2LllUXnYZf6+fRKhHkhIv4oPm8+vP4KVUu4qmLvh83Jhmn9M5VGCfLQ11G LbOWPHsoR5oo88ImbXu26eRuWfnQKaP5R863r39XlXpovPEjpiO0nG6bCxMDduF1QiCz qWbgtA4Q3otUIut/5uD34weNx6wqUnN0gLpeX+7Eg3+Lxp6H9kpFSlku6z4fQsIMLhRY gk9/kZKMS9HKb76F1tqazZt6bK8h/Buz/JOgw/urhiS8IZggrsLu6wFXhziutoRmokPg ZDRw== X-Gm-Message-State: APjAAAXprm6OMw1di5rBQxFMQ4osa46FVL9bxxYn1o/cYip7arky/8Te OuXVZqDgtvv4XQGRoZsTcv7l362LEPyzHUTnRQkHfg== X-Received: by 2002:a02:b047:: with SMTP id q7mr8721430jah.2.1558430826102; Tue, 21 May 2019 02:27:06 -0700 (PDT) MIME-Version: 1.0 References: <20190520205501.177637-1-matthewgarrett@google.com> <20190520205501.177637-5-matthewgarrett@google.com> In-Reply-To: <20190520205501.177637-5-matthewgarrett@google.com> From: Ard Biesheuvel Date: Tue, 21 May 2019 10:26:54 +0100 Message-ID: Subject: Re: [PATCH V7 4/4] efi: Attempt to get the TCG2 event log in the boot stub To: Matthew Garrett Cc: linux-integrity , =?UTF-8?Q?Peter_H=C3=BCwe?= , Jarkko Sakkinen , Jason Gunthorpe , Roberto Sassu , linux-efi , linux-security-module , Linux Kernel Mailing List , Thiebaud Weksteen , Bartosz Szczepanek , Matthew Garrett Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 20 May 2019 at 21:55, Matthew Garrett wrote: > > From: Matthew Garrett > > Right now we only attempt to obtain the SHA1-only event log. The > protocol also supports a crypto agile log format, which contains digests > for all algorithms in use. Attempt to obtain this first, and fall back > to obtaining the older format if the system doesn't support it. This is > lightly complicated by the event sizes being variable (as we don't know > in advance which algorithms are in use), and the interface giving us > back a pointer to the start of the final entry rather than a pointer to > the end of the log - as a result, we need to parse the final entry to > figure out its length in order to know how much data to copy up to the > OS. > > Signed-off-by: Matthew Garrett Provided that this gets a tested-by from Bartosz, Acked-by: Ard Biesheuvel > --- > drivers/firmware/efi/libstub/tpm.c | 50 ++++++++++++++++++++---------- > 1 file changed, 33 insertions(+), 17 deletions(-) > > diff --git a/drivers/firmware/efi/libstub/tpm.c b/drivers/firmware/efi/libstub/tpm.c > index 5bd04f75d8d6..6b3b507a54eb 100644 > --- a/drivers/firmware/efi/libstub/tpm.c > +++ b/drivers/firmware/efi/libstub/tpm.c > @@ -57,7 +57,7 @@ void efi_enable_reset_attack_mitigation(efi_system_table_t *sys_table_arg) > > #endif > > -static void efi_retrieve_tpm2_eventlog_1_2(efi_system_table_t *sys_table_arg) > +void efi_retrieve_tpm2_eventlog(efi_system_table_t *sys_table_arg) > { > efi_guid_t tcg2_guid = EFI_TCG2_PROTOCOL_GUID; > efi_guid_t linux_eventlog_guid = LINUX_EFI_TPM_EVENT_LOG_GUID; > @@ -67,6 +67,7 @@ static void efi_retrieve_tpm2_eventlog_1_2(efi_system_table_t *sys_table_arg) > unsigned long first_entry_addr, last_entry_addr; > size_t log_size, last_entry_size; > efi_bool_t truncated; > + int version = EFI_TCG2_EVENT_LOG_FORMAT_TCG_2; > void *tcg2_protocol = NULL; > > status = efi_call_early(locate_protocol, &tcg2_guid, NULL, > @@ -74,14 +75,20 @@ static void efi_retrieve_tpm2_eventlog_1_2(efi_system_table_t *sys_table_arg) > if (status != EFI_SUCCESS) > return; > > - status = efi_call_proto(efi_tcg2_protocol, get_event_log, tcg2_protocol, > - EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2, > - &log_location, &log_last_entry, &truncated); > - if (status != EFI_SUCCESS) > - return; > + status = efi_call_proto(efi_tcg2_protocol, get_event_log, > + tcg2_protocol, version, &log_location, > + &log_last_entry, &truncated); > + > + if (status != EFI_SUCCESS || !log_location) { > + version = EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2; > + status = efi_call_proto(efi_tcg2_protocol, get_event_log, > + tcg2_protocol, version, &log_location, > + &log_last_entry, &truncated); > + if (status != EFI_SUCCESS || !log_location) > + return; > + > + } > > - if (!log_location) > - return; > first_entry_addr = (unsigned long) log_location; > > /* > @@ -96,8 +103,23 @@ static void efi_retrieve_tpm2_eventlog_1_2(efi_system_table_t *sys_table_arg) > * We need to calculate its size to deduce the full size of > * the logs. > */ > - last_entry_size = sizeof(struct tcpa_event) + > - ((struct tcpa_event *) last_entry_addr)->event_size; > + if (version == EFI_TCG2_EVENT_LOG_FORMAT_TCG_2) { > + /* > + * The TCG2 log format has variable length entries, > + * and the information to decode the hash algorithms > + * back into a size is contained in the first entry - > + * pass a pointer to the final entry (to calculate its > + * size) and the first entry (so we know how long each > + * digest is) > + */ > + last_entry_size = > + __calc_tpm2_event_size((void *)last_entry_addr, > + (void *)(long)log_location, > + false); > + } else { > + last_entry_size = sizeof(struct tcpa_event) + > + ((struct tcpa_event *) last_entry_addr)->event_size; > + } > log_size = log_last_entry - log_location + last_entry_size; > } > > @@ -114,7 +136,7 @@ static void efi_retrieve_tpm2_eventlog_1_2(efi_system_table_t *sys_table_arg) > > memset(log_tbl, 0, sizeof(*log_tbl) + log_size); > log_tbl->size = log_size; > - log_tbl->version = EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2; > + log_tbl->version = version; > memcpy(log_tbl->log, (void *) first_entry_addr, log_size); > > status = efi_call_early(install_configuration_table, > @@ -126,9 +148,3 @@ static void efi_retrieve_tpm2_eventlog_1_2(efi_system_table_t *sys_table_arg) > err_free: > efi_call_early(free_pool, log_tbl); > } > - > -void efi_retrieve_tpm2_eventlog(efi_system_table_t *sys_table_arg) > -{ > - /* Only try to retrieve the logs in 1.2 format. */ > - efi_retrieve_tpm2_eventlog_1_2(sys_table_arg); > -} > -- > 2.21.0.1020.gf2820cf01a-goog >