efi_loader: add ExitBootServices() measurement
authorMasahisa Kojima <masahisa.kojima@linaro.org>
Fri, 13 Aug 2021 07:12:41 +0000 (16:12 +0900)
committerHeinrich Schuchardt <xypron.glpk@gmx.de>
Sat, 14 Aug 2021 18:54:41 +0000 (20:54 +0200)
TCG PC Client PFP spec requires to measure
"Exit Boot Services Invocation" if ExitBootServices() is invoked.
Depending upon the return code from the ExitBootServices() call,
"Exit Boot Services Returned with Success" or "Exit Boot Services
Returned with Failure" is also measured.

Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Swap two ifs in efi_exit_boot_services().
efi_tcg2_notify_exit_boot_services must have EFIAPI signature.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
include/efi_loader.h
lib/efi_loader/efi_boottime.c
lib/efi_loader/efi_tcg2.c

index 6f61e9faaca316af25b1bfa4c0b5ad3bf6e2d85c..32cb8d0f1ef56d93858d65e776c1c73989f5c097 100644 (file)
@@ -499,6 +499,7 @@ efi_status_t efi_run_image(void *source_buffer, efi_uintn_t source_size);
 efi_status_t efi_init_variables(void);
 /* Notify ExitBootServices() is called */
 void efi_variables_boot_exit_notify(void);
+efi_status_t efi_tcg2_notify_exit_boot_services_failed(void);
 /* Measure efi application invocation */
 efi_status_t efi_tcg2_measure_efi_app_invocation(void);
 /* Measure efi application exit */
index 13ab1392228c4823f3d4feb12096da8d0c35585e..f0283b539e46ce1b27eabac7997193dd863b89d5 100644 (file)
@@ -2182,6 +2182,11 @@ static efi_status_t EFIAPI efi_exit_boot_services(efi_handle_t image_handle,
        efi_set_watchdog(0);
        WATCHDOG_RESET();
 out:
+       if (IS_ENABLED(CONFIG_EFI_TCG2_PROTOCOL)) {
+               if (ret != EFI_SUCCESS)
+                       efi_tcg2_notify_exit_boot_services_failed();
+       }
+
        return EFI_EXIT(ret);
 }
 
index ed71337780cfe67e890b1de35df85cfca0ef6e00..c6f2e4810659e4908bd3cd81452d68da01bfdc16 100644 (file)
@@ -1506,6 +1506,67 @@ efi_status_t efi_tcg2_measure_efi_app_exit(void)
        return ret;
 }
 
+/**
+ * efi_tcg2_notify_exit_boot_services() - ExitBootService callback
+ *
+ * @event:     callback event
+ * @context:   callback context
+ */
+static void EFIAPI
+efi_tcg2_notify_exit_boot_services(struct efi_event *event, void *context)
+{
+       efi_status_t ret;
+       struct udevice *dev;
+
+       EFI_ENTRY("%p, %p", event, context);
+
+       ret = platform_get_tpm2_device(&dev);
+       if (ret != EFI_SUCCESS)
+               goto out;
+
+       ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION,
+                                strlen(EFI_EXIT_BOOT_SERVICES_INVOCATION),
+                                (u8 *)EFI_EXIT_BOOT_SERVICES_INVOCATION);
+       if (ret != EFI_SUCCESS)
+               goto out;
+
+       ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION,
+                                strlen(EFI_EXIT_BOOT_SERVICES_SUCCEEDED),
+                                (u8 *)EFI_EXIT_BOOT_SERVICES_SUCCEEDED);
+
+out:
+       EFI_EXIT(ret);
+}
+
+/**
+ * efi_tcg2_notify_exit_boot_services_failed()
+ *  - notify ExitBootServices() is failed
+ *
+ * Return:     status code
+ */
+efi_status_t efi_tcg2_notify_exit_boot_services_failed(void)
+{
+       struct udevice *dev;
+       efi_status_t ret;
+
+       ret = platform_get_tpm2_device(&dev);
+       if (ret != EFI_SUCCESS)
+               goto out;
+
+       ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION,
+                                strlen(EFI_EXIT_BOOT_SERVICES_INVOCATION),
+                                (u8 *)EFI_EXIT_BOOT_SERVICES_INVOCATION);
+       if (ret != EFI_SUCCESS)
+               goto out;
+
+       ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION,
+                                strlen(EFI_EXIT_BOOT_SERVICES_FAILED),
+                                (u8 *)EFI_EXIT_BOOT_SERVICES_FAILED);
+
+out:
+       return ret;
+}
+
 /**
  * tcg2_measure_secure_boot_variable() - measure secure boot variables
  *
@@ -1584,6 +1645,7 @@ efi_status_t efi_tcg2_register(void)
 {
        efi_status_t ret = EFI_SUCCESS;
        struct udevice *dev;
+       struct efi_event *event;
 
        ret = platform_get_tpm2_device(&dev);
        if (ret != EFI_SUCCESS) {
@@ -1608,6 +1670,14 @@ efi_status_t efi_tcg2_register(void)
                goto fail;
        }
 
+       ret = efi_create_event(EVT_SIGNAL_EXIT_BOOT_SERVICES, TPL_CALLBACK,
+                              efi_tcg2_notify_exit_boot_services, NULL,
+                              NULL, &event);
+       if (ret != EFI_SUCCESS) {
+               tcg2_uninit();
+               goto fail;
+       }
+
        ret = tcg2_measure_secure_boot_variable(dev);
        if (ret != EFI_SUCCESS) {
                tcg2_uninit();