From: Luca Boccassi <[email protected]>

The call was added in the 1.1 revision of the spec, 1.0 does
not have it, and there are some machines out there with a TPM2
and a UEFI firmware that only supports version 1.0, so the
call fails in those cases.
Check the reported version before calling get_active_pcr_banks().

See Table 4 in section 6.2 of the TCG EFI Protocol Specification:

https://trustedcomputinggroup.org/wp-content/uploads/EFI-Protocol-Specification-rev13-160330final.pdf

Follow-up for f326c5c4753c36a9068ba66036566229a0975908

Signed-off-by: Luca Boccassi <[email protected]>
---
Found out the hard way: https://github.com/systemd/systemd/issues/38932

 grub-core/commands/efi/tpm.c | 31 ++++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/grub-core/commands/efi/tpm.c b/grub-core/commands/efi/tpm.c
index 59d0b6708..7b493c890 100644
--- a/grub-core/commands/efi/tpm.c
+++ b/grub-core/commands/efi/tpm.c
@@ -39,6 +39,7 @@ static grub_uint8_t grub_tpm_version;
 
 static grub_int8_t tpm1_present = -1;
 static grub_int8_t tpm2_present = -1;
+static grub_int8_t tpm2_pcr_banks_reporting_present = -1;
 
 static grub_efi_boolean_t
 grub_tpm1_present (grub_efi_tpm_protocol_t *tpm)
@@ -89,6 +90,34 @@ grub_tpm2_present (grub_efi_tpm2_protocol_t *tpm)
   return (grub_efi_boolean_t) tpm2_present;
 }
 
+static grub_efi_boolean_t
+grub_tpm2_pcr_banks_reporting_present (grub_efi_tpm2_protocol_t *tpm)
+{
+  grub_efi_status_t status;
+  EFI_TCG2_BOOT_SERVICE_CAPABILITY caps;
+
+  caps.Size = (grub_uint8_t) sizeof (caps);
+
+  if (tpm2_pcr_banks_reporting_present != -1)
+    return (grub_efi_boolean_t) tpm2_pcr_banks_reporting_present;
+
+  if (!grub_tpm2_present (tpm))
+    return (grub_efi_boolean_t) (tpm2_pcr_banks_reporting_present = 0);
+
+  status = tpm->get_capability (tpm, &caps);
+
+  if (status != GRUB_EFI_SUCCESS || caps.StructureVersion.Major < 1
+      || (caps.StructureVersion.Major == 1 && caps.StructureVersion.Minor < 1))
+    tpm2_pcr_banks_reporting_present = 0;
+  else
+    tpm2_pcr_banks_reporting_present = 1;
+
+  grub_dprintf ("tpm", "tpm2 PCR banks reporting%s present\n",
+               tpm2_pcr_banks_reporting_present ? "" : " NOT");
+
+  return (grub_efi_boolean_t) tpm2_pcr_banks_reporting_present;
+}
+
 static grub_efi_boolean_t
 grub_tpm_handle_find (grub_efi_handle_t *tpm_handle,
                      grub_efi_uint8_t *protocol_version)
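Review bot: In `grub_tpm2_pcr_banks_reporting_present`, `caps` is left uninitialised apart from `Size`, so the `StructureVersion` comparison relies on the firmware having filled that field whenever `get_capability` returns success. Zeroing the structure first, with `grub_memset (&caps, 0, sizeof (caps));` ahead of the `caps.Size` assignment, makes a partially written reply resolve to "not present" instead of comparing leftover stack contents. A failed `get_capability` call is also cached in `tpm2_pcr_banks_reporting_present` and never retried. A short comment should say that this is intended and that 1.1 is the first revision with GetActivePcrBanks.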
@@ -355,7 +384,7 @@ grub_tpm2_active_pcr_banks (void)
       return 0;
     }
 
-  if (grub_tpm2_present (tpm))
+  if (grub_tpm2_pcr_banks_reporting_present (tpm))
     {
       grub_efi_status_t status = tpm->get_active_pcr_banks (tpm, 
&active_pcr_banks);
 
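Review bot: When the new check `if (grub_tpm2_pcr_banks_reporting_present (tpm))` is false, the firmware call is skipped and the function returns whatever `active_pcr_banks` already holds. Its declaration and the return statement are outside this hunk, so presumably that value is zero. Callers then cannot tell a working TPM2 behind 1.0 firmware from one with no active banks, which matters to anything that uses this value to decide whether boot measurements exist. A comment above the `if` would make the choice explicit, for example `/* GetActivePcrBanks() was added in protocol 1.1; on older firmware no banks are reported. */`. `grub_tpm2_active_pcr_banks` starts and ends outside the hunk.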
-- 
2.47.3

