Re: [tpmdd-devel] [PATCH v3 5/5] tpm: parse TPM event logs based on EFI table

2017-09-20 Thread Jason Gunthorpe
On Wed, Sep 20, 2017 at 10:13:40AM +0200, Thiebaud Weksteen wrote:
> If we are not able to retrieve the TPM event logs from the ACPI table,
> check the EFI configuration table (Linux-specific GUID).
> 
> The format version of the log is now returned by the provider function.
> 
> Signed-off-by: Thiebaud Weksteen 

Thanks, looks good to me.

Reviewed-by: Jason Gunthorpe 

Jason

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
tpmdd-devel mailing list
tpmdd-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tpmdd-devel


[tpmdd-devel] [PATCH v3 1/5] tpm: move tpm_eventlog.h outside of drivers folder

2017-09-20 Thread Thiebaud Weksteen via tpmdd-devel
The generic definitions of data structures in tpm_eventlog.h are
required by other parts of the kernel (namely, the EFI stub).

Signed-off-by: Thiebaud Weksteen 
---
 drivers/char/tpm/tpm-chip.c|  3 +-
 drivers/char/tpm/tpm-interface.c   |  2 +-
 drivers/char/tpm/tpm.h | 27 +++---
 drivers/char/tpm/tpm1_eventlog.c   |  2 +-
 drivers/char/tpm/tpm2_eventlog.c   |  2 +-
 drivers/char/tpm/tpm_acpi.c|  2 +-
 drivers/char/tpm/tpm_of.c  |  2 +-
 {drivers/char/tpm => include/linux}/tpm_eventlog.h | 32 +-
 8 files changed, 37 insertions(+), 35 deletions(-)
 rename {drivers/char/tpm => include/linux}/tpm_eventlog.h (77%)

diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c
index 67ec9d3d04f5..de2680118181 100644
--- a/drivers/char/tpm/tpm-chip.c
+++ b/drivers/char/tpm/tpm-chip.c
@@ -26,8 +26,9 @@
 #include 
 #include 
 #include 
+#include 
+
 #include "tpm.h"
-#include "tpm_eventlog.h"
 
 DEFINE_IDR(dev_nums_idr);
 static DEFINE_MUTEX(idr_lock);
diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c
index fe597e6c55c4..bd7091d510bd 100644
--- a/drivers/char/tpm/tpm-interface.c
+++ b/drivers/char/tpm/tpm-interface.c
@@ -30,9 +30,9 @@
 #include 
 #include 
 #include 
+#include 
 
 #include "tpm.h"
-#include "tpm_eventlog.h"
 
 #define TPM_MAX_ORDINAL 243
 #define TSC_MAX_ORDINAL 12
diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h
index 04fbff2edbf3..46caccf6fd1a 100644
--- a/drivers/char/tpm/tpm.h
+++ b/drivers/char/tpm/tpm.h
@@ -34,6 +34,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 
 #ifdef CONFIG_X86
@@ -397,10 +398,6 @@ struct tpm_cmd_t {
tpm_cmd_params  params;
 } __packed;
 
-struct tpm2_digest {
-   u16 alg_id;
-   u8 digest[SHA512_DIGEST_SIZE];
-} __packed;
 
 /* A string buffer type for constructing TPM commands. This is based on the
  * ideas of string buffer code in security/keys/trusted.h but is heap based
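Review bot: removing struct tpm2_digest from tpm.h here leaves two consecutive blank lines in front of the string-buffer comment; drop one of them so checkpatch does not flag the move.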
@@ -581,4 +578,26 @@ int tpm2_prepare_space(struct tpm_chip *chip, struct 
tpm_space *space, u32 cc,
   u8 *cmd);
 int tpm2_commit_space(struct tpm_chip *chip, struct tpm_space *space,
  u32 cc, u8 *buf, size_t *bufsiz);
+
+extern const struct seq_operations tpm2_binary_b_measurements_seqops;
+
+#if defined(CONFIG_ACPI)
+int tpm_read_log_acpi(struct tpm_chip *chip);
+#else
+static inline int tpm_read_log_acpi(struct tpm_chip *chip)
+{
+   return -ENODEV;
+}
+#endif
+#if defined(CONFIG_OF)
+int tpm_read_log_of(struct tpm_chip *chip);
+#else
+static inline int tpm_read_log_of(struct tpm_chip *chip)
+{
+   return -ENODEV;
+}
+#endif
+
+int tpm_bios_log_setup(struct tpm_chip *chip);
+void tpm_bios_log_teardown(struct tpm_chip *chip);
 #endif
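Review bot: the block of declarations appended to tpm.h has no comment explaining that the static inline stubs return -ENODEV precisely so that the caller can fall through to the next log provider; a one-line comment above the first #if would record that, and a blank line between the CONFIG_ACPI and CONFIG_OF blocks would match the spacing used elsewhere in this header.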
diff --git a/drivers/char/tpm/tpm1_eventlog.c b/drivers/char/tpm/tpm1_eventlog.c
index 9a8605e500b5..d6f70f365443 100644
--- a/drivers/char/tpm/tpm1_eventlog.c
+++ b/drivers/char/tpm/tpm1_eventlog.c
@@ -25,9 +25,9 @@
 #include 
 #include 
 #include 
+#include 
 
 #include "tpm.h"
-#include "tpm_eventlog.h"
 
 
 static const char* tcpa_event_type_strings[] = {
diff --git a/drivers/char/tpm/tpm2_eventlog.c b/drivers/char/tpm/tpm2_eventlog.c
index 34a8afa69138..1ce4411292ba 100644
--- a/drivers/char/tpm/tpm2_eventlog.c
+++ b/drivers/char/tpm/tpm2_eventlog.c
@@ -21,9 +21,9 @@
 #include 
 #include 
 #include 
+#include 
 
 #include "tpm.h"
-#include "tpm_eventlog.h"
 
 /*
  * calc_tpm2_event_size() - calculate the event size, where event
diff --git a/drivers/char/tpm/tpm_acpi.c b/drivers/char/tpm/tpm_acpi.c
index 169edf3ce86d..acc990ba376a 100644
--- a/drivers/char/tpm/tpm_acpi.c
+++ b/drivers/char/tpm/tpm_acpi.c
@@ -25,9 +25,9 @@
 #include 
 #include 
 #include 
+#include 
 
 #include "tpm.h"
-#include "tpm_eventlog.h"
 
 struct acpi_tcpa {
struct acpi_table_header hdr;
diff --git a/drivers/char/tpm/tpm_of.c b/drivers/char/tpm/tpm_of.c
index aadb7f464076..4a2f8c79231e 100644
--- a/drivers/char/tpm/tpm_of.c
+++ b/drivers/char/tpm/tpm_of.c
@@ -17,9 +17,9 @@
 
 #include 
 #include 
+#include 
 
 #include "tpm.h"
-#include "tpm_eventlog.h"
 
 int tpm_read_log_of(struct tpm_chip *chip)
 {
diff --git a/drivers/char/tpm/tpm_eventlog.h b/include/linux/tpm_eventlog.h
similarity index 77%
rename from drivers/char/tpm/tpm_eventlog.h
rename to include/linux/tpm_eventlog.h
index b4b549559203..446656d1f317 100644
--- a/drivers/char/tpm/tpm_eventlog.h
+++ b/include/linux/tpm_eventlog.h
@@ -1,6 +1,5 @@
-
-#ifndef __TPM_EVENTLOG_H__
-#define __TPM_EVENTLOG_H__
+#ifndef __LINUX_TPM_EVENTLOG_H__
+#define __LINUX_TPM_EVENTLOG_H__
 
 #include 
 
@@ -104,6 +103,11 @@ struct tcg_event_field {
u8 event[0];
 } __packed;
 
+struct tpm2_digest {
+   u16 alg_id;
+   u8 digest[SHA512_DIGEST_SIZE];
+} __packed;
+
 struct tcg_pcr_event2 {
u32 
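Review bot: struct tpm2_digest now sits in a public header and references SHA512_DIGEST_SIZE, so include/linux/tpm_eventlog.h must itself include the header that defines that constant (previously the struct relied on whatever tpm.h included before it); please confirm the single #include at the top of the renamed file covers it, or add the missing one.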

[tpmdd-devel] [PATCH v3 4/5] efi: call get_event_log before ExitBootServices

2017-09-20 Thread Thiebaud Weksteen via tpmdd-devel
With the TPM 2.0 specification, the event logs may only be accessible by
calling an EFI Boot Service. Modify the EFI stub to copy the log area to
a new Linux-specific EFI configuration table so it remains accessible
once booted.

When calling this service, it is possible to specify the expected format
of the logs: TPM 1.2 (SHA1) or TPM 2.0 ("Crypto Agile"). For now, only the
first format is retrieved.

Signed-off-by: Thiebaud Weksteen 
---
 arch/x86/boot/compressed/eboot.c  |  1 +
 drivers/firmware/efi/Makefile |  2 +-
 drivers/firmware/efi/efi.c|  4 ++
 drivers/firmware/efi/libstub/Makefile |  3 +-
 drivers/firmware/efi/libstub/tpm.c| 81 +++
 drivers/firmware/efi/tpm.c| 40 +
 include/linux/efi.h   | 46 
 7 files changed, 174 insertions(+), 3 deletions(-)
 create mode 100644 drivers/firmware/efi/tpm.c

diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
index a1686f3dc295..ef6abe8b3788 100644
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -999,6 +999,7 @@ struct boot_params *efi_main(struct efi_config *c,
 
/* Ask the firmware to clear memory on unclean shutdown */
efi_enable_reset_attack_mitigation(sys_table);
+   efi_retrieve_tpm2_eventlog(sys_table);
 
setup_graphics(boot_params);
 
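Review bot: efi_retrieve_tpm2_eventlog(sys_table) is dropped in directly under the comment that belongs to efi_enable_reset_attack_mitigation(), and its outcome is not checked. Give it its own comment stating that the log has to be fetched here, before ExitBootServices, and that a failure is deliberately non-fatal for boot, so the next reader does not wonder whether an error path was forgotten.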
diff --git a/drivers/firmware/efi/Makefile b/drivers/firmware/efi/Makefile
index 0329d319d89a..2f074b5cde87 100644
--- a/drivers/firmware/efi/Makefile
+++ b/drivers/firmware/efi/Makefile
@@ -10,7 +10,7 @@
 KASAN_SANITIZE_runtime-wrappers.o  := n
 
 obj-$(CONFIG_ACPI_BGRT)+= efi-bgrt.o
-obj-$(CONFIG_EFI)  += efi.o vars.o reboot.o memattr.o
+obj-$(CONFIG_EFI)  += efi.o vars.o reboot.o memattr.o tpm.o
 obj-$(CONFIG_EFI)  += capsule.o memmap.o
 obj-$(CONFIG_EFI_VARS) += efivars.o
 obj-$(CONFIG_EFI_ESRT) += esrt.o
diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
index f97f272e16ee..0308acfaaf76 100644
--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
@@ -52,6 +52,7 @@ struct efi __read_mostly efi = {
.properties_table   = EFI_INVALID_TABLE_ADDR,
.mem_attr_table = EFI_INVALID_TABLE_ADDR,
.rng_seed   = EFI_INVALID_TABLE_ADDR,
+   .tpm_log= EFI_INVALID_TABLE_ADDR
 };
 EXPORT_SYMBOL(efi);
 
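Review bot: the new `.tpm_log = EFI_INVALID_TABLE_ADDR` initializer is the last element of the struct efi initializer and has no trailing comma; add one so that the next field appended does not have to modify this line.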
@@ -444,6 +445,7 @@ static __initdata efi_config_table_type_t common_tables[] = 
{
{EFI_PROPERTIES_TABLE_GUID, "PROP", _table},
{EFI_MEMORY_ATTRIBUTES_TABLE_GUID, "MEMATTR", _attr_table},
{LINUX_EFI_RANDOM_SEED_TABLE_GUID, "RNG", _seed},
+   {LINUX_EFI_TPM_EVENT_LOG_GUID, "TPMEventLog", _log},
{NULL_GUID, NULL, NULL},
 };
 
@@ -532,6 +534,8 @@ int __init efi_config_parse_tables(void *config_tables, int 
count, int sz,
if (efi_enabled(EFI_MEMMAP))
efi_memattr_init();
 
+   efi_tpm_eventlog_init();
+
/* Parse the EFI Properties table if it exists */
if (efi.properties_table != EFI_INVALID_TABLE_ADDR) {
efi_properties_table_t *tbl;
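Review bot: efi_tpm_eventlog_init() is called unconditionally from efi_config_parse_tables(), including on platforms where the stub never installs the table, so it must return quietly when efi.tpm_log is still EFI_INVALID_TABLE_ADDR (the default set earlier in this patch) rather than logging an error or trying to map the address.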
diff --git a/drivers/firmware/efi/libstub/Makefile 
b/drivers/firmware/efi/libstub/Makefile
index dedf9bde44db..2abe6d22dc5f 100644
--- a/drivers/firmware/efi/libstub/Makefile
+++ b/drivers/firmware/efi/libstub/Makefile
@@ -29,8 +29,7 @@ OBJECT_FILES_NON_STANDARD := y
 # Prevents link failures: __sanitizer_cov_trace_pc() is not linked in.
 KCOV_INSTRUMENT:= n
 
-lib-y  := efi-stub-helper.o gop.o secureboot.o
-lib-$(CONFIG_RESET_ATTACK_MITIGATION) += tpm.o
+lib-y  := efi-stub-helper.o gop.o secureboot.o tpm.o
 
 # include the stub's generic dependencies from lib/ when building for ARM/arm64
 arm-deps := fdt_rw.c fdt_ro.c fdt_wip.c fdt.c fdt_empty_tree.c fdt_sw.c sort.c
diff --git a/drivers/firmware/efi/libstub/tpm.c 
b/drivers/firmware/efi/libstub/tpm.c
index 6224cdbc9669..da661bf8cb96 100644
--- a/drivers/firmware/efi/libstub/tpm.c
+++ b/drivers/firmware/efi/libstub/tpm.c
@@ -4,15 +4,18 @@
  * Copyright (C) 2016 CoreOS, Inc
  * Copyright (C) 2017 Google, Inc.
  * Matthew Garrett 
+ * Thiebaud Weksteen 
  *
  * This file is part of the Linux kernel, and is made available under the
  * terms of the GNU General Public License version 2.
  */
 #include 
+#include 
 #include 
 
 #include "efistub.h"
 
+#ifdef CONFIG_RESET_ATTACK_MITIGATION
 static const efi_char16_t efi_MemoryOverWriteRequest_name[] = {
'M', 'e', 'm', 'o', 'r', 'y', 'O', 'v', 'e', 'r', 'w', 'r', 'i', 't',
'e', 'R', 'e', 'q', 'u', 'e', 's', 't', 'C', 'o', 'n', 't', 'r', 'o',
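Review bot: tpm.o is now built unconditionally (libstub Makefile hunk) and the MemoryOverwriteRequest code is wrapped in #ifdef CONFIG_RESET_ATTACK_MITIGATION, but the matching #endif falls outside this hunk; please double-check that it closes immediately after efi_enable_reset_attack_mitigation() and that the caller in eboot.c still builds when that option is disabled, since the symbol no longer disappears together with the object file.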
@@ -56,3 +59,81 @@ void efi_enable_reset_attack_mitigation(efi_system_table_t 
*sys_table_arg)

[tpmdd-devel] [PATCH v3 3/5] tpm: add event log format version

2017-09-20 Thread Thiebaud Weksteen via tpmdd-devel
Although defined as part of the TCG EFI specification, we add these
definitions here so that any event log provider may reference them.

Signed-off-by: Thiebaud Weksteen 
---
 include/linux/tpm_eventlog.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/include/linux/tpm_eventlog.h b/include/linux/tpm_eventlog.h
index 446656d1f317..6337614b0855 100644
--- a/include/linux/tpm_eventlog.h
+++ b/include/linux/tpm_eventlog.h
@@ -8,6 +8,9 @@
 #define ACPI_TCPA_SIG  "TCPA"  /* 0x41504354 /'TCPA' */
 #define TPM2_ACTIVE_PCR_BANKS  3
 
+#define EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2 0x1
+#define EFI_TCG2_EVENT_LOG_FORMAT_TCG_2   0x2
+
 #ifdef CONFIG_PPC64
 #define do_endian_conversion(x) be32_to_cpu(x)
 #else
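Review bot: the two EFI_TCG2_EVENT_LOG_FORMAT_* defines carry no comment; state that they are the log format values from the TCG EFI Protocol Specification and that the event log providers return one of them on success, so they must stay positive to remain distinguishable from a negative errno.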
-- 
2.14.1.821.g8fa685d3b7-goog




[tpmdd-devel] [PATCH v3 5/5] tpm: parse TPM event logs based on EFI table

2017-09-20 Thread Thiebaud Weksteen via tpmdd-devel
If we are not able to retrieve the TPM event logs from the ACPI table,
check the EFI configuration table (Linux-specific GUID).

The format version of the log is now returned by the provider function.

Signed-off-by: Thiebaud Weksteen 
---
 drivers/char/tpm/Makefile|  1 +
 drivers/char/tpm/tpm.h   |  8 +
 drivers/char/tpm/tpm1_eventlog.c | 11 --
 drivers/char/tpm/tpm_eventlog_acpi.c |  2 +-
 drivers/char/tpm/tpm_eventlog_efi.c  | 66 
 drivers/char/tpm/tpm_eventlog_of.c   |  4 ++-
 6 files changed, 88 insertions(+), 4 deletions(-)
 create mode 100644 drivers/char/tpm/tpm_eventlog_efi.c

diff --git a/drivers/char/tpm/Makefile b/drivers/char/tpm/Makefile
index c8509cd723a1..e94ccecff4a5 100644
--- a/drivers/char/tpm/Makefile
+++ b/drivers/char/tpm/Makefile
@@ -6,6 +6,7 @@ tpm-y := tpm-interface.o tpm-dev.o tpm-sysfs.o tpm-chip.o 
tpm2-cmd.o \
 tpm-dev-common.o tpmrm-dev.o tpm1_eventlog.o tpm2_eventlog.o \
  tpm2-space.o
 tpm-$(CONFIG_ACPI) += tpm_ppi.o tpm_eventlog_acpi.o
+tpm-$(CONFIG_EFI) += tpm_eventlog_efi.o
 tpm-$(CONFIG_OF) += tpm_eventlog_of.o
 obj-$(CONFIG_TCG_TIS_CORE) += tpm_tis_core.o
 obj-$(CONFIG_TCG_TIS) += tpm_tis.o
diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h
index 46caccf6fd1a..1bd97e01df50 100644
--- a/drivers/char/tpm/tpm.h
+++ b/drivers/char/tpm/tpm.h
@@ -597,6 +597,14 @@ static inline int tpm_read_log_of(struct tpm_chip *chip)
return -ENODEV;
 }
 #endif
+#if defined(CONFIG_EFI)
+int tpm_read_log_efi(struct tpm_chip *chip);
+#else
+static inline int tpm_read_log_efi(struct tpm_chip *chip)
+{
+   return -ENODEV;
+}
+#endif
 
 int tpm_bios_log_setup(struct tpm_chip *chip);
 void tpm_bios_log_teardown(struct tpm_chip *chip);
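Review bot: tpm_read_log_efi() follows the existing CONFIG_ACPI/CONFIG_OF pattern, but nothing next to these prototypes says that all three providers now return an EFI_TCG2_EVENT_LOG_FORMAT_* value on success instead of 0; since this patch changes that convention, document it here where the prototypes live.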
diff --git a/drivers/char/tpm/tpm1_eventlog.c b/drivers/char/tpm/tpm1_eventlog.c
index d6f70f365443..add798bd69d0 100644
--- a/drivers/char/tpm/tpm1_eventlog.c
+++ b/drivers/char/tpm/tpm1_eventlog.c
@@ -21,6 +21,7 @@
  */
 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -371,6 +372,10 @@ static int tpm_read_log(struct tpm_chip *chip)
if (rc != -ENODEV)
return rc;
 
+   rc = tpm_read_log_efi(chip);
+   if (rc != -ENODEV)
+   return rc;
+
return tpm_read_log_of(chip);
 }
 
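Review bot: tpm_read_log_efi() is tried before tpm_read_log_of(), and any error other than -ENODEV (for example -ENOMEM while mapping the table) ends the chain without the OF provider being consulted; that mirrors the existing treatment of the ACPI provider, so it is consistent, but a short comment above tpm_read_log() describing the fallback order and the -ENODEV convention would help.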
@@ -388,11 +393,13 @@ int tpm_bios_log_setup(struct tpm_chip *chip)
 {
const char *name = dev_name(>dev);
unsigned int cnt;
+   int log_version;
int rc = 0;
 
rc = tpm_read_log(chip);
-   if (rc)
+   if (rc < 0)
return rc;
+   log_version = rc;
 
cnt = 0;
chip->bios_dir[cnt] = securityfs_create_dir(name, NULL);
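Review bot: log_version is taken straight from rc with only the `rc < 0` check, so a provider that still returns 0 (or any unknown positive value) silently ends up in the TPM 1.2 branch below. Consider rejecting a value that is neither EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2 nor EFI_TCG2_EVENT_LOG_FORMAT_TCG_2, e.g. returning -EINVAL, so a provider bug cannot pick the wrong parser.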
@@ -404,7 +411,7 @@ int tpm_bios_log_setup(struct tpm_chip *chip)
cnt++;
 
chip->bin_log_seqops.chip = chip;
-   if (chip->flags & TPM_CHIP_FLAG_TPM2)
+   if (log_version == EFI_TCG2_EVENT_LOG_FORMAT_TCG_2)
chip->bin_log_seqops.seqops =
_binary_b_measurements_seqops;
else
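Review bot: selecting the seqops from log_version instead of `chip->flags & TPM_CHIP_FLAG_TPM2` means a TPM 2.0 chip whose log still came from the ACPI TCPA table is now parsed with the TPM 1.2 seqops; that decoupling of log format from chip generation is the point of the series, but it is a behaviour change worth spelling out in the commit message.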
diff --git a/drivers/char/tpm/tpm_eventlog_acpi.c 
b/drivers/char/tpm/tpm_eventlog_acpi.c
index acc990ba376a..66f19e93c216 100644
--- a/drivers/char/tpm/tpm_eventlog_acpi.c
+++ b/drivers/char/tpm/tpm_eventlog_acpi.c
@@ -102,7 +102,7 @@ int tpm_read_log_acpi(struct tpm_chip *chip)
memcpy_fromio(log->bios_event_log, virt, len);
 
acpi_os_unmap_iomem(virt, len);
-   return 0;
+   return EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2;
 
 err:
kfree(log->bios_event_log);
diff --git a/drivers/char/tpm/tpm_eventlog_efi.c 
b/drivers/char/tpm/tpm_eventlog_efi.c
new file mode 100644
index ..e3f9ffd341d2
--- /dev/null
+++ b/drivers/char/tpm/tpm_eventlog_efi.c
@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) 2017 Google
+ *
+ * Authors:
+ *  Thiebaud Weksteen 
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ *
+ */
+
+#include 
+#include 
+
+#include "tpm.h"
+
+/* read binary bios log from EFI configuration table */
+int tpm_read_log_efi(struct tpm_chip *chip)
+{
+
+   struct linux_efi_tpm_eventlog *log_tbl;
+   struct tpm_bios_log *log;
+   u32 log_size;
+   u8 tpm_log_version;
+
+   if (!(chip->flags & TPM_CHIP_FLAG_TPM2))
+   return -ENODEV;
+
+   if (efi.tpm_log == EFI_INVALID_TABLE_ADDR)
+   return -ENODEV;
+
+   log = >log;
+
+   log_tbl = memremap(efi.tpm_log, sizeof(*log_tbl), MEMREMAP_WB);
+   if (!log_tbl) {
+   pr_err("Could not map UEFI TPM log table !\n");
+   return -ENOMEM;
+   }
+
+   log_size = log_tbl->size;
+   memunmap(log_tbl);
+
+   log_tbl = memremap(efi.tpm_log, sizeof(*log_tbl) + log_size,
+  
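Review bot: in tpm_read_log_efi(), tpm_log_version is declared u8 while the function returns an int format value; make it int (or return the define directly) to avoid the implicit narrowing. log_size is read from the firmware-provided table header and then used unchecked to size the second memremap(); an upper bound check before the remap would guard against a corrupted or hostile table. Minor style: the blank line directly after the opening brace and the space before "!" in the pr_err() message will both be flagged by checkpatch.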

[tpmdd-devel] [PATCH v3 2/5] tpm: rename event log provider files

2017-09-20 Thread Thiebaud Weksteen via tpmdd-devel
Rename the current TPM Event Log provider files (ACPI and OF)
for clarity.

Signed-off-by: Thiebaud Weksteen 
---
 drivers/char/tpm/Makefile| 4 ++--
 drivers/char/tpm/{tpm_acpi.c => tpm_eventlog_acpi.c} | 0
 drivers/char/tpm/{tpm_of.c => tpm_eventlog_of.c} | 0
 3 files changed, 2 insertions(+), 2 deletions(-)
 rename drivers/char/tpm/{tpm_acpi.c => tpm_eventlog_acpi.c} (100%)
 rename drivers/char/tpm/{tpm_of.c => tpm_eventlog_of.c} (100%)

diff --git a/drivers/char/tpm/Makefile b/drivers/char/tpm/Makefile
index 23681f01f95a..c8509cd723a1 100644
--- a/drivers/char/tpm/Makefile
+++ b/drivers/char/tpm/Makefile
@@ -5,8 +5,8 @@ obj-$(CONFIG_TCG_TPM) += tpm.o
 tpm-y := tpm-interface.o tpm-dev.o tpm-sysfs.o tpm-chip.o tpm2-cmd.o \
 tpm-dev-common.o tpmrm-dev.o tpm1_eventlog.o tpm2_eventlog.o \
  tpm2-space.o
-tpm-$(CONFIG_ACPI) += tpm_ppi.o tpm_acpi.o
-tpm-$(CONFIG_OF) += tpm_of.o
+tpm-$(CONFIG_ACPI) += tpm_ppi.o tpm_eventlog_acpi.o
+tpm-$(CONFIG_OF) += tpm_eventlog_of.o
 obj-$(CONFIG_TCG_TIS_CORE) += tpm_tis_core.o
 obj-$(CONFIG_TCG_TIS) += tpm_tis.o
 obj-$(CONFIG_TCG_TIS_SPI) += tpm_tis_spi.o
diff --git a/drivers/char/tpm/tpm_acpi.c b/drivers/char/tpm/tpm_eventlog_acpi.c
similarity index 100%
rename from drivers/char/tpm/tpm_acpi.c
rename to drivers/char/tpm/tpm_eventlog_acpi.c
diff --git a/drivers/char/tpm/tpm_of.c b/drivers/char/tpm/tpm_eventlog_of.c
similarity index 100%
rename from drivers/char/tpm/tpm_of.c
rename to drivers/char/tpm/tpm_eventlog_of.c
-- 
2.14.1.821.g8fa685d3b7-goog




[tpmdd-devel] [PATCH v3 0/5] Call GetEventLog before ExitBootServices

2017-09-20 Thread Thiebaud Weksteen via tpmdd-devel
With TPM 1.2, the ACPI table ("TCPA") has two fields to recover the Event
Log Area (LAML and LASA). These logs are useful to understand and rebuild
the final values of PCRs.

With TPM 2.0, the ACPI table ("TPM2") does not contain these fields
anymore. The recommended method is now to call the GetEventLog EFI
protocol before ExitBootServices.

Implement this method within the EFI stub and create a copy of the logs
for the TPM device using a Linux-specific EFI configuration table
(LINUX_EFI_TPM_EVENT_LOG). This will create
/sys/kernel/security/tpm0/binary_bios_measurements for TPM 2.0 devices
(similarly to the current behaviour for TPM 1.2 devices).

Two formats for the log entries exist: TPM 1.2 (SHA1) and TPM 2.0 (Crypto
Agile). This patch set only retrieves the first type of logs. The second
type will be implemented in a subsequent patch set.

According to the specifications[1], once GetEventLog has been called,
future events shall be stored in a separate EFI configuration table
(EFI_TCG2_FINAL_EVENTS_TABLE). Events stored in this table are not
processed in this patch set as they are stored in the Crypto Agile format.
These could eventually be merged with the new table for a unified view
of the logs from userspace.

[1] TCG EFI Protocol Specification, Revision 00.13, March 30, 2016

https://trustedcomputinggroup.org/wp-content/uploads/EFI-Protocol-Specification-rev13-160330final.pdf

---

Patchset Changelog:

Version 3:
- Move event log providers (acpi and of) to tpm_eventlog_*.c
- Move efi changes from PATCH 3 to PATCH 2
- Change return value of tpm_read_log_acpi and tpm_read_log_of
- Change iounmap to memunmap calls
- Use log_tbl as variable name for consistency
- Fix kbuild failures

Version 2:
- Move tpm_eventlog.h to top include directory, add commit for this.
- Use EFI_LOADER_DATA to store the configuration table
- Whitespace and new lines fixes

Thiebaud Weksteen (5):
  tpm: move tpm_eventlog.h outside of drivers folder
  tpm: rename event log provider files
  tpm: add event log format version
  efi: call get_event_log before ExitBootServices
  tpm: parse TPM event logs based on EFI table

 arch/x86/boot/compressed/eboot.c   |  1 +
 drivers/char/tpm/Makefile  |  5 +-
 drivers/char/tpm/tpm-chip.c|  3 +-
 drivers/char/tpm/tpm-interface.c   |  2 +-
 drivers/char/tpm/tpm.h | 35 --
 drivers/char/tpm/tpm1_eventlog.c   | 13 +++-
 drivers/char/tpm/tpm2_eventlog.c   |  2 +-
 .../char/tpm/{tpm_acpi.c => tpm_eventlog_acpi.c}   |  4 +-
 drivers/char/tpm/tpm_eventlog_efi.c| 66 ++
 drivers/char/tpm/{tpm_of.c => tpm_eventlog_of.c}   |  6 +-
 drivers/firmware/efi/Makefile  |  2 +-
 drivers/firmware/efi/efi.c |  4 ++
 drivers/firmware/efi/libstub/Makefile  |  3 +-
 drivers/firmware/efi/libstub/tpm.c | 81 ++
 drivers/firmware/efi/tpm.c | 40 +++
 include/linux/efi.h| 46 
 {drivers/char/tpm => include/linux}/tpm_eventlog.h | 35 +++---
 17 files changed, 304 insertions(+), 44 deletions(-)
 rename drivers/char/tpm/{tpm_acpi.c => tpm_eventlog_acpi.c} (97%)
 create mode 100644 drivers/char/tpm/tpm_eventlog_efi.c
 rename drivers/char/tpm/{tpm_of.c => tpm_eventlog_of.c} (93%)
 create mode 100644 drivers/firmware/efi/tpm.c
 rename {drivers/char/tpm => include/linux}/tpm_eventlog.h (77%)

-- 
2.14.1.821.g8fa685d3b7-goog
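The cover letter says the log is useful to rebuild the final PCR values. As an added example, not part of this patch series or of the kernel, the following user-space parser reads the TPM 1.2 (SHA1) log format that the series exposes through binary_bios_measurements and replays each entry into the PCR it targets. The entry layout (pcrIndex, eventType, 20-byte digest, eventDataSize, event data) is the TCG PC Client one; the sample log, the event data strings and every function name are constructed here for illustration.

```python
"""Parse a TCG 1.2 ("SHA1") TPM event log and replay it into PCR values."""
import hashlib
import struct
from typing import Dict, List, NamedTuple

SHA1_LEN = 20
NUM_PCRS = 24  # PC Client platforms expose PCR 0-23

# A few event types from the TCG PC Client specification.
EV_POST_CODE = 0x1
EV_SEPARATOR = 0x4
EV_S_CRTM_VERSION = 0x8

# TCG_PCClientPCREvent header: pcrIndex, eventType, digest[20], eventDataSize;
# the variable-length event data follows the header.
_ENTRY_HDR = struct.Struct("<II20sI")


class PcrEvent(NamedTuple):
    pcr_index: int
    event_type: int
    digest: bytes
    event_data: bytes


def parse_tcg12_log(blob: bytes) -> List[PcrEvent]:
    """Walk the log and return its entries; reject anything malformed."""
    events: List[PcrEvent] = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _ENTRY_HDR.size:
            raise ValueError("truncated entry header at offset %d" % off)
        pcr, etype, digest, size = _ENTRY_HDR.unpack_from(blob, off)
        off += _ENTRY_HDR.size
        if pcr >= NUM_PCRS:
            raise ValueError("bad PCR index %d at offset %d" % (pcr, off))
        # eventDataSize comes from firmware memory: bound it before slicing.
        if size > len(blob) - off:
            raise ValueError("event data (%d bytes) at offset %d overruns log" % (size, off))
        events.append(PcrEvent(pcr, etype, digest, blob[off:off + size]))
        off += size
    return events


def log_is_well_formed(blob: bytes) -> bool:
    """True if the whole log parses, False if any entry is malformed."""
    try:
        parse_tcg12_log(blob)
        return True
    except ValueError:
        return False


def replay_pcrs(events: List[PcrEvent]) -> Dict[int, bytes]:
    """PCR_new = SHA1(PCR_old || digest), starting from 20 zero bytes."""
    pcrs: Dict[int, bytes] = {}
    for ev in events:
        cur = pcrs.get(ev.pcr_index, bytes(SHA1_LEN))
        pcrs[ev.pcr_index] = hashlib.sha1(cur + ev.digest).digest()
    return pcrs


def verify_pcrs(replayed: Dict[int, bytes], quoted: Dict[int, bytes]) -> List[int]:
    """Return the PCR indices whose replayed value differs from the quoted value.

    An unextended PCR reads as all zeros here (true for PCR 0-16; the
    locality-reset PCRs 17-22 start at all ones and are not modelled).
    """
    return sorted(i for i, v in quoted.items()
                  if replayed.get(i, bytes(SHA1_LEN)) != v)


def _entry(pcr: int, etype: int, data: bytes) -> bytes:
    # Constructed entry: digest = SHA1(event data), as firmware does for many types.
    return _ENTRY_HDR.pack(pcr, etype, hashlib.sha1(data).digest(), len(data)) + data


# Constructed sample log (not real firmware output).
SAMPLE_LOG = (
    _entry(0, EV_S_CRTM_VERSION, b"CRTM v1.0 (constructed)")
    + _entry(0, EV_POST_CODE, b"POST code image (constructed)")
    + _entry(7, EV_SEPARATOR, b"\x00\x00\x00\x00")
)

if __name__ == "__main__":
    evs = parse_tcg12_log(SAMPLE_LOG)
    for ev in evs:
        print("PCR%-2d type=0x%x digest=%s %r"
              % (ev.pcr_index, ev.event_type, ev.digest.hex(), ev.event_data))
    for idx, val in sorted(replay_pcrs(evs).items()):
        print("replayed PCR%d = %s" % (idx, val.hex()))
```

To check a real machine, feed the bytes of /sys/kernel/security/tpm0/binary_bios_measurements to parse_tcg12_log() and compare replay_pcrs() against the PCR values read from the TPM; any index returned by verify_pcrs() marks a log that does not account for what was actually measured.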

