proxmox-mirrors/efi-boot-shim
1
0
Fork 0
mirror of https://git.proxmox.com/git/efi-boot-shim synced 2025-06-14 20:06:51 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
486 Commits 1 Branch 3 Tags 11 MiB
d89b722ef7
Commit Graph

6 Commits

Author SHA1 Message Date
Javier Martinez Canillas
55c65546e4 shim/tpm: Avoid passing an usupported event log format to GetEventLogs() 
The TCG EFI Protocol Specification for family "2.0" mentions that not all
TPM2 chips may support the EFI_TCG2_EVENT_LOG_FORMAT_TCG_2 (crypto agile)
log format. So instead of always use this log format, the GetCapability()
function should be used to determine which format is supported by the TPM.

For example, the Intel PTT firmware based TPM found in Lenovo Thinkapd X1
Carbon (4th gen), only supports SHA-1 (EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2)
log format. So a call to GetEventLog() using the crypto agile format was
returning EFI_INVALID_PARAMETER, making tpm_log_event() function to fail.

This was preventing shim to correctly measure the second stage bootloader:

$ tpm2_listpcrs -L 0x04:9

Bank/Algorithm: TPM_ALG_SHA1(0x0004)
PCR_09: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

After passing a supported log format to GetEventLog(), it succeeds and so
shim is able to call the HashLogExtendEvent() EFI function correctly:

$ tpm2_listpcrs -L 0x04:9

Bank/Algorithm: TPM_ALG_SHA1(0x0004)
PCR_09: 07 5a 7e d3 75 64 ad 91 1a 34 17 17 c2 34 10 2b 58 5b de b7

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
 2017-06-15 11:30:22 -04:00
Javier Martinez Canillas
9c40fb7c05 shim/tpm: Remove magic numbers 
When measuring data into the TPM and generating events logs, the event
type is set to EV_IPL (0xd), and for TPM1.2 the algorithm will always
be set to SHA-1 (0x4).

So, add some macro-defined constants for these instead of having them
as magic numbers to make the code more readable.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
 2017-06-15 11:30:22 -04:00
Lans Zhang
478f0f0948 shim/tpm: the EFI_TCG2_BOOT_SERVICE_CAPABILITY structure shouldn't be packed 
According to TCG EFI Protocol Specification, this structure is not packed.

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
 2017-02-06 11:18:07 -05:00
Lans Zhang
94c955bbbd shim/tpm: correct the definition of the capability structure version 1.0 
EFI TrEE Protocol uses the same protocol GUID as EFI TCG2 protocol, and
defines the capability structure version 1.0. Hence, the structure and
name are all align the EFI TrEE Protocol.

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
 2017-02-06 11:18:07 -05:00
Lans Zhang
d3884fe833 shim: trigger to record further logs to tcg 2.0 final event log area 
According to TCG EFI Protocol Specification for TPM 2.0 family,
all events generated after the invocation of EFI_TCG2_GET_EVENT_LOG
shall be stored in an instance of an EFI_CONFIGURATION_TABLE aka
EFI TCG 2.0 final events table. Hence, it is necessary to trigger the
internal switch through calling get_event_log() in order to allow
to retrieve the logs from OS runtime.

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
 2016-09-30 09:38:33 -04:00
Matthew Garrett
22b58f2455 Measure state and second stage into TPM 
Add support for measuring the MOK database and secure boot state into a
TPM, and do the same for the second stage loader. This avoids a hole in
TPM measurement between the firmware and the second stage loader.
 2016-05-11 11:11:05 -04:00