From ba06a4362d22b41887bb4121694e0562cefa5385 Mon Sep 17 00:00:00 2001 From: Tamas K Lengyel Date: Wed, 8 Nov 2017 15:10:18 -0700 Subject: [PATCH] Add REQUIRE_TPM flag to treat TPM related errors as critical Currently TPM related errors are being silently discarded. Signed-off-by: Tamas K Lengyel --- Makefile | 5 +++++ shim.c | 13 +++++++++++-- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 8d40ca6..9ab1992 100644 --- a/Makefile +++ b/Makefile @@ -33,6 +33,7 @@ DEBUGINFO ?= $(prefix)/lib/debug/ DEBUGSOURCE ?= $(prefix)/src/debug/ OSLABEL ?= $(EFIDIR) DEFAULT_LOADER ?= \\\\grub$(ARCH_SUFFIX).efi +REQUIRE_TPM ?= ARCH ?= $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,) OBJCOPY_GTE224 = $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.*\((.*)\|version\) //g' | cut -f1-2 -d.` \>= 2.24) @@ -68,6 +69,10 @@ ifneq ($(origin ENABLE_HTTPBOOT), undefined) CFLAGS += -DENABLE_HTTPBOOT endif +ifneq ($(origin REQUIRE_TPM), undefined) + CFLAGS += -DREQUIRE_TPM +endif + ifeq ($(ARCH),x86_64) CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \ -maccumulate-outgoing-args -m64 \ diff --git a/shim.c b/shim.c index 51c5832..90a5ea0 100644 --- a/shim.c +++ b/shim.c @@ -1308,7 +1308,12 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, return efi_status; /* Measure the binary into the TPM */ - tpm_log_pe((EFI_PHYSICAL_ADDRESS)(UINTN)data, datasize, sha1hash, 4); + efi_status = tpm_log_pe((EFI_PHYSICAL_ADDRESS)(UINTN)data, datasize, sha1hash, 4); +#ifdef REQUIRE_TPM + if (efi_status != EFI_SUCCESS) { + return efi_status; + } +#endif if (secure_mode ()) { efi_status = verify_buffer(data, datasize, &context, @@ -1818,7 +1823,11 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size) goto done; /* Measure the binary into the TPM */ - tpm_log_pe((EFI_PHYSICAL_ADDRESS)(UINTN)buffer, size, sha1hash, 4); + status = tpm_log_pe((EFI_PHYSICAL_ADDRESS)(UINTN)buffer, size, sha1hash, 4); +#ifdef REQUIRE_TPM + if (status != EFI_SUCCESS) + goto done; +#endif if (!secure_mode()) goto done;