Re: [PATCH 2/2 v4] efi: Add basic EFI_TCG2_PROTOCOL support

2020-11-12 Thread Ilias Apalodimas
On Thu, 12 Nov 2020 at 21:22, Heinrich Schuchardt 
wrote:

> On 11/12/20 8:10 PM, Ilias Apalodimas wrote:
> > Hi Heinrich,
> >
> >
> > [...]
> >>> +   return EFI_SUCCESS;
> >>> +
> >>> +   tpm_ver = tpm_get_version(dev);
> >>> +   if (tpm_ver != TPM_V2) {
> >>> +   log_warning("Only TPMv2 supported for EFI_TCG2_PROTOCOL");
> >>
> >> The message should end with \n.
> >>
> >> This message becomes superfluous if you correct
> platform_get_tpm2_device().
> >>
> >
> > platform_get_tpm2_device() is used in EFI calls, won't that break
> printing from
> > EFI apps?
>
> If platform_get_tpm2_device() only return TPM2v2 devices, you don't need
> to check the type and hence you won't need the log_warning() above.
>

Well, you still need to warn the user that only TPMv2 devices are supported,
no?
Hence my question about the best way to do that.


> Regards
>
> Heinrich
>
> >
> >>> +   return EFI_SUCCESS;
> >>> +   }
> >>> +
> >>> +   ret = efi_add_protocol(efi_root, _guid_tcg2_protocol,
> >>> +  (void *)_tcg2_protocol);
> >>> +   if (ret != EFI_SUCCESS)
> >>> +   log_err("Cannot install EFI_TCG2_PROTOCOL");
> >>
> >> The message should end with \n.
> >>
> >> Best regards
> >>
> >> Heinrich
> >>
> >>> +
> >>> +   return ret;
> >>> +}
> >>>
> >>
> >
> > Cheers
> > /Ilias
> >
>
>


Re: [PATCH 2/2 v4] efi: Add basic EFI_TCG2_PROTOCOL support

2020-11-12 Thread Heinrich Schuchardt
On 11/11/20 10:18 AM, Ilias Apalodimas wrote:
> Since U-boot EFI implementation is getting richer it makes sense to
> add support for EFI_TCG2_PROTOCOL taking advantage of any hardware TPM
> available on the device.
>
> This is the initial implementation of the protocol which only adds
> support for GetCapability(). It's limited in the newer and safer
> TPMv2 devices.
>
> Signed-off-by: Ilias Apalodimas 
> ---
> * changes since v3:
> - added check for maximum number of PCRs allowed
> - replaced multiple return Xl with goto out tags
> * changes since v2:
> - added description about include/efi_tcg2.h
> - switch bool to u8 for tpm_present_flag
> - removed superfluous 'default n' from Kconfig
> - use 'goto 'tag' when possible
>
> * changes since v1:
> - change return variable of platform_get_tpm2_device() when used
> - since more headers were included in patch #2 use them in offset
>   calculations for all tpm commands
> - change the size of the response buffer regardless of what
>   tpm2_get_capability() is doing
>  include/efi_loader.h   |   2 +
>  include/efi_tcg2.h |  94 +++
>  lib/efi_loader/Kconfig |   7 +
>  lib/efi_loader/Makefile|   1 +
>  lib/efi_loader/efi_setup.c |   7 +
>  lib/efi_loader/efi_tcg2.c  | 539 +
>  6 files changed, 650 insertions(+)
>  create mode 100644 include/efi_tcg2.h
>  create mode 100644 lib/efi_loader/efi_tcg2.c
>
> diff --git a/include/efi_loader.h b/include/efi_loader.h
> index f550ced56876..e5015d865ec9 100644
> --- a/include/efi_loader.h
> +++ b/include/efi_loader.h
> @@ -405,6 +405,8 @@ efi_status_t efi_console_register(void);
>  efi_status_t efi_disk_register(void);
>  /* Called by efi_init_obj_list() to install EFI_RNG_PROTOCOL */
>  efi_status_t efi_rng_register(void);
> +/* Called by efi_init_obj_list() to install EFI_TCG2_PROTOCOL */
> +efi_status_t efi_tcg2_register(void);
>  /* Create handles and protocols for the partitions of a block device */
>  int efi_disk_create_partitions(efi_handle_t parent, struct blk_desc *desc,
>  const char *if_typename, int diskid,
> diff --git a/include/efi_tcg2.h b/include/efi_tcg2.h
> new file mode 100644
> index ..4214f767eaba
> --- /dev/null
> +++ b/include/efi_tcg2.h
> @@ -0,0 +1,94 @@
> +/* SPDX-License-Identifier: GPL-2.0+ */
> +/*
> + * Defines data structures and APIs that allow an OS to interact with UEFI
> + * firmware to query information about the device
> + *
> + * Copyright (c) 2020, Linaro Limited
> + */
> +
> +#if !defined _EFI_TCG2_PROTOCOL_H_
> +#define _EFI_TCG2_PROTOCOL_H_
> +
> +#include 
> +
> +#define EFI_TCG2_PROTOCOL_GUID \
> + EFI_GUID(0x607f766c, 0x7455, 0x42be, 0x93, \
> +  0x0b, 0xe4, 0xd7, 0x6d, 0xb2, 0x72, 0x0f)
> +
> +/* TPMV2 only */
> +#define TCG2_EVENT_LOG_FORMAT_TCG_2 0x0002
> +
> +/* SHA1, SHA256, SHA384, SHA512, TPM_ALG_SM3_256 */
> +#define MAX_HASH_COUNT 5
> +/* Algorithm Registry */
> +#define EFI_TCG2_BOOT_HASH_ALG_SHA10x0001
> +#define EFI_TCG2_BOOT_HASH_ALG_SHA256  0x0002
> +#define EFI_TCG2_BOOT_HASH_ALG_SHA384  0x0004
> +#define EFI_TCG2_BOOT_HASH_ALG_SHA512  0x0008
> +#define EFI_TCG2_BOOT_HASH_ALG_SM3_256 0x0010
> +
> +typedef u32 efi_tcg_event_log_bitmap;
> +typedef u32 efi_tcg_event_log_format;
> +typedef u32 efi_tcg_event_algorithm_bitmap;
> +
> +struct efi_tcg2_version {
> + u8 major;
> + u8 minor;
> +};
> +
> +struct efi_tcg2_event_header {
> + u32 header_size;
> + u16 header_version;
> + u32 pcr_index;
> + u32 event_type;
> +} __packed;
> +
> +struct efi_tcg2_event {
> + u32 size;
> + struct efi_tcg2_event_header header;
> + u8 event[];
> +} __packed;
> +
> +struct efi_tcg2_boot_service_capability {
> + u8 size;
> + struct efi_tcg2_version structure_version;
> + struct efi_tcg2_version protocol_version;
> + efi_tcg_event_algorithm_bitmap hash_algorithm_bitmap;
> + efi_tcg_event_log_bitmap supported_event_logs;
> + u8 tpm_present_flag;
> + u16 max_command_size;
> + u16 max_response_size;
> + u32 manufacturer_id;
> + u32 number_of_pcr_banks;
> + efi_tcg_event_algorithm_bitmap active_pcr_banks;
> +};
> +
> +#define boot_service_capability_min \
> + sizeof(struct efi_tcg2_boot_service_capability) - \
> + offsetof(struct efi_tcg2_boot_service_capability, number_of_pcr_banks)
> +
> +struct efi_tcg2_protocol {
> + efi_status_t (EFIAPI * get_capability)(struct efi_tcg2_protocol *this,
> +struct 
> efi_tcg2_boot_service_capability *capability);
> + efi_status_t (EFIAPI * get_eventlog)(struct efi_tcg2_protocol *this,
> +  efi_tcg_event_log_format 
> log_format,
> +  u64 *event_log_location, u64 
> *event_log_last_entry,
> +  bool *event_log_truncated);
> + efi_status_t (EFIAPI * 

Re: [PATCH 2/2 v4] efi: Add basic EFI_TCG2_PROTOCOL support

2020-11-12 Thread Heinrich Schuchardt
On 11/12/20 8:10 PM, Ilias Apalodimas wrote:
> Hi Heinrich,
>
>
> [...]
>>> +   return EFI_SUCCESS;
>>> +
>>> +   tpm_ver = tpm_get_version(dev);
>>> +   if (tpm_ver != TPM_V2) {
>>> +   log_warning("Only TPMv2 supported for EFI_TCG2_PROTOCOL");
>>
>> The message should end with \n.
>>
>> This message becomes superfluous if you correct platform_get_tpm2_device().
>>
>
> platform_get_tpm2_device() is used in EFI calls, won't that break printing 
> from
> EFI apps?

If platform_get_tpm2_device() only returns TPMv2 devices, you don't need
to check the type and hence you won't need the log_warning() above.

Regards

Heinrich

>
>>> +   return EFI_SUCCESS;
>>> +   }
>>> +
>>> +   ret = efi_add_protocol(efi_root, _guid_tcg2_protocol,
>>> +  (void *)_tcg2_protocol);
>>> +   if (ret != EFI_SUCCESS)
>>> +   log_err("Cannot install EFI_TCG2_PROTOCOL");
>>
>> The message should end with \n.
>>
>> Best regards
>>
>> Heinrich
>>
>>> +
>>> +   return ret;
>>> +}
>>>
>>
>
> Cheers
> /Ilias
>



Re: [PATCH 2/2 v4] efi: Add basic EFI_TCG2_PROTOCOL support

2020-11-12 Thread Heinrich Schuchardt
On 11/12/20 7:49 PM, Heinrich Schuchardt wrote:
> On 11/11/20 10:18 AM, Ilias Apalodimas wrote:
>> Since U-boot EFI implementation is getting richer it makes sense to
>> add support for EFI_TCG2_PROTOCOL taking advantage of any hardware TPM
>> available on the device.
>>
>> This is the initial implementation of the protocol which only adds
>> support for GetCapability(). It's limited in the newer and safer
>> TPMv2 devices.
>>
>> Signed-off-by: Ilias Apalodimas 
>> ---
>> * changes since v3:
>> - added check for maximum number of PCRs allowed
>> - replaced multiple return Xl with goto out tags
>> * changes since v2:
>> - added description about include/efi_tcg2.h
>> - switch bool to u8 for tpm_present_flag
>> - removed superfluous 'default n' from Kconfig
>> - use 'goto 'tag' when possible
>>
>> * changes since v1:
>> - change return variable of platform_get_tpm2_device() when used
>> - since more headers were included in patch #2 use them in offset
>>   calculations for all tpm commands
>> - change the size of the response buffer regardless of what
>>   tpm2_get_capability() is doing
>>  include/efi_loader.h   |   2 +
>>  include/efi_tcg2.h |  94 +++
>>  lib/efi_loader/Kconfig |   7 +
>>  lib/efi_loader/Makefile|   1 +
>>  lib/efi_loader/efi_setup.c |   7 +
>>  lib/efi_loader/efi_tcg2.c  | 539 +
>>  6 files changed, 650 insertions(+)
>>  create mode 100644 include/efi_tcg2.h
>>  create mode 100644 lib/efi_loader/efi_tcg2.c
>>
>> diff --git a/include/efi_loader.h b/include/efi_loader.h
>> index f550ced56876..e5015d865ec9 100644
>> --- a/include/efi_loader.h
>> +++ b/include/efi_loader.h
>> @@ -405,6 +405,8 @@ efi_status_t efi_console_register(void);
>>  efi_status_t efi_disk_register(void);
>>  /* Called by efi_init_obj_list() to install EFI_RNG_PROTOCOL */
>>  efi_status_t efi_rng_register(void);
>> +/* Called by efi_init_obj_list() to install EFI_TCG2_PROTOCOL */
>> +efi_status_t efi_tcg2_register(void);
>>  /* Create handles and protocols for the partitions of a block device */
>>  int efi_disk_create_partitions(efi_handle_t parent, struct blk_desc *desc,
>> const char *if_typename, int diskid,
>> diff --git a/include/efi_tcg2.h b/include/efi_tcg2.h
>> new file mode 100644
>> index ..4214f767eaba
>> --- /dev/null
>> +++ b/include/efi_tcg2.h
>> @@ -0,0 +1,94 @@
>> +/* SPDX-License-Identifier: GPL-2.0+ */
>> +/*
>> + * Defines data structures and APIs that allow an OS to interact with UEFI
>> + * firmware to query information about the device
>> + *
>> + * Copyright (c) 2020, Linaro Limited
>> + */
>> +
>> +#if !defined _EFI_TCG2_PROTOCOL_H_
>> +#define _EFI_TCG2_PROTOCOL_H_
>> +
>> +#include 
>> +
>> +#define EFI_TCG2_PROTOCOL_GUID \
>> +EFI_GUID(0x607f766c, 0x7455, 0x42be, 0x93, \
>> + 0x0b, 0xe4, 0xd7, 0x6d, 0xb2, 0x72, 0x0f)
>> +
>> +/* TPMV2 only */
>> +#define TCG2_EVENT_LOG_FORMAT_TCG_2 0x0002
>> +
>> +/* SHA1, SHA256, SHA384, SHA512, TPM_ALG_SM3_256 */
>> +#define MAX_HASH_COUNT 5
>> +/* Algorithm Registry */
>> +#define EFI_TCG2_BOOT_HASH_ALG_SHA10x0001
>> +#define EFI_TCG2_BOOT_HASH_ALG_SHA256  0x0002
>> +#define EFI_TCG2_BOOT_HASH_ALG_SHA384  0x0004
>> +#define EFI_TCG2_BOOT_HASH_ALG_SHA512  0x0008
>> +#define EFI_TCG2_BOOT_HASH_ALG_SM3_256 0x0010
>> +
>> +typedef u32 efi_tcg_event_log_bitmap;
>> +typedef u32 efi_tcg_event_log_format;
>> +typedef u32 efi_tcg_event_algorithm_bitmap;
>> +
>> +struct efi_tcg2_version {
>> +u8 major;
>> +u8 minor;
>> +};
>> +
>> +struct efi_tcg2_event_header {
>> +u32 header_size;
>> +u16 header_version;
>> +u32 pcr_index;
>> +u32 event_type;
>> +} __packed;
>> +
>> +struct efi_tcg2_event {
>> +u32 size;
>> +struct efi_tcg2_event_header header;
>> +u8 event[];
>> +} __packed;
>> +
>> +struct efi_tcg2_boot_service_capability {
>> +u8 size;
>> +struct efi_tcg2_version structure_version;
>> +struct efi_tcg2_version protocol_version;
>> +efi_tcg_event_algorithm_bitmap hash_algorithm_bitmap;
>> +efi_tcg_event_log_bitmap supported_event_logs;
>> +u8 tpm_present_flag;
>> +u16 max_command_size;
>> +u16 max_response_size;
>> +u32 manufacturer_id;
>> +u32 number_of_pcr_banks;
>> +efi_tcg_event_algorithm_bitmap active_pcr_banks;
>> +};
>> +
>> +#define boot_service_capability_min \
>> +sizeof(struct efi_tcg2_boot_service_capability) - \
>> +offsetof(struct efi_tcg2_boot_service_capability, number_of_pcr_banks)
>> +
>> +struct efi_tcg2_protocol {
>> +efi_status_t (EFIAPI * get_capability)(struct efi_tcg2_protocol *this,
>> +   struct 
>> efi_tcg2_boot_service_capability *capability);
>> +efi_status_t (EFIAPI * get_eventlog)(struct efi_tcg2_protocol *this,
>> + efi_tcg_event_log_format 
>> log_format,
>> + u64 

Re: [PATCH 2/2 v4] efi: Add basic EFI_TCG2_PROTOCOL support

2020-11-12 Thread Ilias Apalodimas
Hi Heinrich, 


[...]
> > +   return EFI_SUCCESS;
> > +
> > +   tpm_ver = tpm_get_version(dev);
> > +   if (tpm_ver != TPM_V2) {
> > +   log_warning("Only TPMv2 supported for EFI_TCG2_PROTOCOL");
> 
> The message should end with \n.
> 
> This message becomes superfluous if you correct platform_get_tpm2_device().
> 

platform_get_tpm2_device() is used in EFI calls, won't that break printing from 
EFI apps?

> > +   return EFI_SUCCESS;
> > +   }
> > +
> > +   ret = efi_add_protocol(efi_root, _guid_tcg2_protocol,
> > +  (void *)_tcg2_protocol);
> > +   if (ret != EFI_SUCCESS)
> > +   log_err("Cannot install EFI_TCG2_PROTOCOL");
> 
> The message should end with \n.
> 
> Best regards
> 
> Heinrich
> 
> > +
> > +   return ret;
> > +}
> >
> 

Cheers
/Ilias


Re: [PATCH 2/2 v4] efi: Add basic EFI_TCG2_PROTOCOL support

2020-11-12 Thread Heinrich Schuchardt
On 11/11/20 10:18 AM, Ilias Apalodimas wrote:
> Since U-boot EFI implementation is getting richer it makes sense to
> add support for EFI_TCG2_PROTOCOL taking advantage of any hardware TPM
> available on the device.
>
> This is the initial implementation of the protocol which only adds
> support for GetCapability(). It's limited in the newer and safer
> TPMv2 devices.
>
> Signed-off-by: Ilias Apalodimas 
> ---
> * changes since v3:
> - added check for maximum number of PCRs allowed
> - replaced multiple return Xl with goto out tags
> * changes since v2:
> - added description about include/efi_tcg2.h
> - switch bool to u8 for tpm_present_flag
> - removed superfluous 'default n' from Kconfig
> - use 'goto 'tag' when possible
>
> * changes since v1:
> - change return variable of platform_get_tpm2_device() when used
> - since more headers were included in patch #2 use them in offset
>   calculations for all tpm commands
> - change the size of the response buffer regardless of what
>   tpm2_get_capability() is doing
>  include/efi_loader.h   |   2 +
>  include/efi_tcg2.h |  94 +++
>  lib/efi_loader/Kconfig |   7 +
>  lib/efi_loader/Makefile|   1 +
>  lib/efi_loader/efi_setup.c |   7 +
>  lib/efi_loader/efi_tcg2.c  | 539 +
>  6 files changed, 650 insertions(+)
>  create mode 100644 include/efi_tcg2.h
>  create mode 100644 lib/efi_loader/efi_tcg2.c
>
> diff --git a/include/efi_loader.h b/include/efi_loader.h
> index f550ced56876..e5015d865ec9 100644
> --- a/include/efi_loader.h
> +++ b/include/efi_loader.h
> @@ -405,6 +405,8 @@ efi_status_t efi_console_register(void);
>  efi_status_t efi_disk_register(void);
>  /* Called by efi_init_obj_list() to install EFI_RNG_PROTOCOL */
>  efi_status_t efi_rng_register(void);
> +/* Called by efi_init_obj_list() to install EFI_TCG2_PROTOCOL */
> +efi_status_t efi_tcg2_register(void);
>  /* Create handles and protocols for the partitions of a block device */
>  int efi_disk_create_partitions(efi_handle_t parent, struct blk_desc *desc,
>  const char *if_typename, int diskid,
> diff --git a/include/efi_tcg2.h b/include/efi_tcg2.h
> new file mode 100644
> index ..4214f767eaba
> --- /dev/null
> +++ b/include/efi_tcg2.h
> @@ -0,0 +1,94 @@
> +/* SPDX-License-Identifier: GPL-2.0+ */
> +/*
> + * Defines data structures and APIs that allow an OS to interact with UEFI
> + * firmware to query information about the device
> + *
> + * Copyright (c) 2020, Linaro Limited
> + */
> +
> +#if !defined _EFI_TCG2_PROTOCOL_H_
> +#define _EFI_TCG2_PROTOCOL_H_
> +
> +#include 
> +
> +#define EFI_TCG2_PROTOCOL_GUID \
> + EFI_GUID(0x607f766c, 0x7455, 0x42be, 0x93, \
> +  0x0b, 0xe4, 0xd7, 0x6d, 0xb2, 0x72, 0x0f)
> +
> +/* TPMV2 only */
> +#define TCG2_EVENT_LOG_FORMAT_TCG_2 0x0002
> +
> +/* SHA1, SHA256, SHA384, SHA512, TPM_ALG_SM3_256 */
> +#define MAX_HASH_COUNT 5
> +/* Algorithm Registry */
> +#define EFI_TCG2_BOOT_HASH_ALG_SHA10x0001
> +#define EFI_TCG2_BOOT_HASH_ALG_SHA256  0x0002
> +#define EFI_TCG2_BOOT_HASH_ALG_SHA384  0x0004
> +#define EFI_TCG2_BOOT_HASH_ALG_SHA512  0x0008
> +#define EFI_TCG2_BOOT_HASH_ALG_SM3_256 0x0010
> +
> +typedef u32 efi_tcg_event_log_bitmap;
> +typedef u32 efi_tcg_event_log_format;
> +typedef u32 efi_tcg_event_algorithm_bitmap;
> +
> +struct efi_tcg2_version {
> + u8 major;
> + u8 minor;
> +};
> +
> +struct efi_tcg2_event_header {
> + u32 header_size;
> + u16 header_version;
> + u32 pcr_index;
> + u32 event_type;
> +} __packed;
> +
> +struct efi_tcg2_event {
> + u32 size;
> + struct efi_tcg2_event_header header;
> + u8 event[];
> +} __packed;
> +
> +struct efi_tcg2_boot_service_capability {
> + u8 size;
> + struct efi_tcg2_version structure_version;
> + struct efi_tcg2_version protocol_version;
> + efi_tcg_event_algorithm_bitmap hash_algorithm_bitmap;
> + efi_tcg_event_log_bitmap supported_event_logs;
> + u8 tpm_present_flag;
> + u16 max_command_size;
> + u16 max_response_size;
> + u32 manufacturer_id;
> + u32 number_of_pcr_banks;
> + efi_tcg_event_algorithm_bitmap active_pcr_banks;
> +};
> +
> +#define boot_service_capability_min \
> + sizeof(struct efi_tcg2_boot_service_capability) - \
> + offsetof(struct efi_tcg2_boot_service_capability, number_of_pcr_banks)
> +
> +struct efi_tcg2_protocol {
> + efi_status_t (EFIAPI * get_capability)(struct efi_tcg2_protocol *this,
> +struct 
> efi_tcg2_boot_service_capability *capability);
> + efi_status_t (EFIAPI * get_eventlog)(struct efi_tcg2_protocol *this,
> +  efi_tcg_event_log_format 
> log_format,
> +  u64 *event_log_location, u64 
> *event_log_last_entry,
> +  bool *event_log_truncated);
> + efi_status_t (EFIAPI * 

Re: [PATCH 2/2 v4] efi: Add basic EFI_TCG2_PROTOCOL support

2020-11-11 Thread Ilias Apalodimas
Hi Simon, 

On Wed, Nov 11, 2020 at 07:42:31AM -0700, Simon Glass wrote:
> Hi Ilias,
> 
> On Wed, 11 Nov 2020 at 02:18, Ilias Apalodimas
>  wrote:
> >
> > Since U-boot EFI implementation is getting richer it makes sense to
> > add support for EFI_TCG2_PROTOCOL taking advantage of any hardware TPM
> > available on the device.
> >
> > This is the initial implementation of the protocol which only adds
> > support for GetCapability(). It's limited in the newer and safer
> > TPMv2 devices.
> >
> > Signed-off-by: Ilias Apalodimas 
> > ---
> > * changes since v3:
> > - added check for maximum number of PCRs allowed
> > - replaced multiple return Xl with goto out tags
> > * changes since v2:
> > - added description about include/efi_tcg2.h
> > - switch bool to u8 for tpm_present_flag
> > - removed superfluous 'default n' from Kconfig
> > - use 'goto 'tag' when possible
> >
> > * changes since v1:
> > - change return variable of platform_get_tpm2_device() when used
> > - since more headers were included in patch #2 use them in offset
> >   calculations for all tpm commands
> > - change the size of the response buffer regardless of what
> >   tpm2_get_capability() is doing
> >  include/efi_loader.h   |   2 +
> >  include/efi_tcg2.h |  94 +++
> >  lib/efi_loader/Kconfig |   7 +
> >  lib/efi_loader/Makefile|   1 +
> >  lib/efi_loader/efi_setup.c |   7 +
> >  lib/efi_loader/efi_tcg2.c  | 539 +
> >  6 files changed, 650 insertions(+)
> >  create mode 100644 include/efi_tcg2.h
> >  create mode 100644 lib/efi_loader/efi_tcg2.c
> 
> I will let Heinrich review this one. I do feel that the overly long
> identifiers make the code hard to read.

I completely agree. The reason I kept them that long is that the TCG specs
are quite confusing to follow, so I tried to adhere to the naming as much as
possible.

Regards
/Ilias
> 
> Regards,
> Simon


Re: [PATCH 2/2 v4] efi: Add basic EFI_TCG2_PROTOCOL support

2020-11-11 Thread Simon Glass
Hi Ilias,

On Wed, 11 Nov 2020 at 02:18, Ilias Apalodimas
 wrote:
>
> Since U-boot EFI implementation is getting richer it makes sense to
> add support for EFI_TCG2_PROTOCOL taking advantage of any hardware TPM
> available on the device.
>
> This is the initial implementation of the protocol which only adds
> support for GetCapability(). It's limited in the newer and safer
> TPMv2 devices.
>
> Signed-off-by: Ilias Apalodimas 
> ---
> * changes since v3:
> - added check for maximum number of PCRs allowed
> - replaced multiple return Xl with goto out tags
> * changes since v2:
> - added description about include/efi_tcg2.h
> - switch bool to u8 for tpm_present_flag
> - removed superfluous 'default n' from Kconfig
> - use 'goto 'tag' when possible
>
> * changes since v1:
> - change return variable of platform_get_tpm2_device() when used
> - since more headers were included in patch #2 use them in offset
>   calculations for all tpm commands
> - change the size of the response buffer regardless of what
>   tpm2_get_capability() is doing
>  include/efi_loader.h   |   2 +
>  include/efi_tcg2.h |  94 +++
>  lib/efi_loader/Kconfig |   7 +
>  lib/efi_loader/Makefile|   1 +
>  lib/efi_loader/efi_setup.c |   7 +
>  lib/efi_loader/efi_tcg2.c  | 539 +
>  6 files changed, 650 insertions(+)
>  create mode 100644 include/efi_tcg2.h
>  create mode 100644 lib/efi_loader/efi_tcg2.c

I will let Heinrich review this one. I do feel that the overly long
identifiers make the code hard to read.

Regards,
Simon


[PATCH 2/2 v4] efi: Add basic EFI_TCG2_PROTOCOL support

2020-11-11 Thread Ilias Apalodimas
Since U-boot EFI implementation is getting richer it makes sense to
add support for EFI_TCG2_PROTOCOL taking advantage of any hardware TPM
available on the device.

This is the initial implementation of the protocol which only adds
support for GetCapability(). It's limited to the newer and safer
TPMv2 devices.

Signed-off-by: Ilias Apalodimas 
---
* changes since v3:
- added check for maximum number of PCRs allowed
- replaced multiple return Xl with goto out tags
* changes since v2:
- added description about include/efi_tcg2.h
- switch bool to u8 for tpm_present_flag
- removed superfluous 'default n' from Kconfig
- use 'goto 'tag' when possible

* changes since v1: 
- change return variable of platform_get_tpm2_device() when used
- since more headers were included in patch #2 use them in offset 
  calculations for all tpm commands
- change the size of the response buffer regardless of what 
  tpm2_get_capability() is doing
 include/efi_loader.h   |   2 +
 include/efi_tcg2.h |  94 +++
 lib/efi_loader/Kconfig |   7 +
 lib/efi_loader/Makefile|   1 +
 lib/efi_loader/efi_setup.c |   7 +
 lib/efi_loader/efi_tcg2.c  | 539 +
 6 files changed, 650 insertions(+)
 create mode 100644 include/efi_tcg2.h
 create mode 100644 lib/efi_loader/efi_tcg2.c

diff --git a/include/efi_loader.h b/include/efi_loader.h
index f550ced56876..e5015d865ec9 100644
--- a/include/efi_loader.h
+++ b/include/efi_loader.h
@@ -405,6 +405,8 @@ efi_status_t efi_console_register(void);
 efi_status_t efi_disk_register(void);
 /* Called by efi_init_obj_list() to install EFI_RNG_PROTOCOL */
 efi_status_t efi_rng_register(void);
+/* Called by efi_init_obj_list() to install EFI_TCG2_PROTOCOL */
+efi_status_t efi_tcg2_register(void);
 /* Create handles and protocols for the partitions of a block device */
 int efi_disk_create_partitions(efi_handle_t parent, struct blk_desc *desc,
   const char *if_typename, int diskid,
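Review bot: The comment on the new `efi_tcg2_register()` prototype does not say that a successful return does not mean the protocol was installed. In the function body quoted in the replies of this thread, the `tpm_ver != TPM_V2` branch logs a warning and returns `EFI_SUCCESS`, and an earlier `return EFI_SUCCESS;` (its condition is elided there, presumably the no-device case) does the same, so a caller cannot tell from the status alone whether EFI_TCG2_PROTOCOL is available. I would extend the comment to `/* Called by efi_init_obj_list() to install EFI_TCG2_PROTOCOL; returns EFI_SUCCESS without installing it when no TPMv2 device is usable */`, so that code depending on TPM measurements checks for the protocol itself rather than relying on this return value.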
diff --git a/include/efi_tcg2.h b/include/efi_tcg2.h
new file mode 100644
index ..4214f767eaba
--- /dev/null
+++ b/include/efi_tcg2.h
@@ -0,0 +1,94 @@
+/* SPDX-License-Identifier: GPL-2.0+ */
+/*
+ * Defines data structures and APIs that allow an OS to interact with UEFI
+ * firmware to query information about the device
+ *
+ * Copyright (c) 2020, Linaro Limited
+ */
+
+#if !defined _EFI_TCG2_PROTOCOL_H_
+#define _EFI_TCG2_PROTOCOL_H_
+
+#include 
+
+#define EFI_TCG2_PROTOCOL_GUID \
+   EFI_GUID(0x607f766c, 0x7455, 0x42be, 0x93, \
+0x0b, 0xe4, 0xd7, 0x6d, 0xb2, 0x72, 0x0f)
+
+/* TPMV2 only */
+#define TCG2_EVENT_LOG_FORMAT_TCG_2 0x0002
+
+/* SHA1, SHA256, SHA384, SHA512, TPM_ALG_SM3_256 */
+#define MAX_HASH_COUNT 5
+/* Algorithm Registry */
+#define EFI_TCG2_BOOT_HASH_ALG_SHA10x0001
+#define EFI_TCG2_BOOT_HASH_ALG_SHA256  0x0002
+#define EFI_TCG2_BOOT_HASH_ALG_SHA384  0x0004
+#define EFI_TCG2_BOOT_HASH_ALG_SHA512  0x0008
+#define EFI_TCG2_BOOT_HASH_ALG_SM3_256 0x0010
+
+typedef u32 efi_tcg_event_log_bitmap;
+typedef u32 efi_tcg_event_log_format;
+typedef u32 efi_tcg_event_algorithm_bitmap;
+
+struct efi_tcg2_version {
+   u8 major;
+   u8 minor;
+};
+
+struct efi_tcg2_event_header {
+   u32 header_size;
+   u16 header_version;
+   u32 pcr_index;
+   u32 event_type;
+} __packed;
+
+struct efi_tcg2_event {
+   u32 size;
+   struct efi_tcg2_event_header header;
+   u8 event[];
+} __packed;
+
+struct efi_tcg2_boot_service_capability {
+   u8 size;
+   struct efi_tcg2_version structure_version;
+   struct efi_tcg2_version protocol_version;
+   efi_tcg_event_algorithm_bitmap hash_algorithm_bitmap;
+   efi_tcg_event_log_bitmap supported_event_logs;
+   u8 tpm_present_flag;
+   u16 max_command_size;
+   u16 max_response_size;
+   u32 manufacturer_id;
+   u32 number_of_pcr_banks;
+   efi_tcg_event_algorithm_bitmap active_pcr_banks;
+};
+
+#define boot_service_capability_min \
+   sizeof(struct efi_tcg2_boot_service_capability) - \
+   offsetof(struct efi_tcg2_boot_service_capability, number_of_pcr_banks)
+
+struct efi_tcg2_protocol {
+   efi_status_t (EFIAPI * get_capability)(struct efi_tcg2_protocol *this,
+  struct 
efi_tcg2_boot_service_capability *capability);
+   efi_status_t (EFIAPI * get_eventlog)(struct efi_tcg2_protocol *this,
+efi_tcg_event_log_format 
log_format,
+u64 *event_log_location, u64 
*event_log_last_entry,
+bool *event_log_truncated);
+   efi_status_t (EFIAPI * hash_log_extend_event)(struct efi_tcg2_protocol 
*this,
+ u64 flags, u64 
data_to_hash,
+ u64 data_to_hash_len,
+