authorMasahisa Kojima <masahisa.kojima@linaro.org>2021-08-13 16:12:41 +0900
committerHeinrich Schuchardt <xypron.glpk@gmx.de>2021-08-14 20:54:41 +0200
commitfdff03e5b338772b9340b7b2965b9de71c323f24 (patch)
treedaa1f05a9e52eb83cc26ceabd1adb8071bba435d /lib
parent8fc4e0b4273adc741dfd1917970162ca224f98bf (diff)
efi_loader: add ExitBootServices() measurement
The TCG PC Client PFP spec requires measuring "Exit Boot Services Invocation" if ExitBootServices() is invoked. Depending upon the return code from the ExitBootServices() call, "Exit Boot Services Returned with Success" or "Exit Boot Services Returned with Failure" is also measured.

Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>

Swap two ifs in efi_exit_boot_services(). efi_tcg2_notify_exit_boot_services must have EFIAPI signature.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Diffstat (limited to 'lib')
-rw-r--r--lib/efi_loader/efi_boottime.c5
-rw-r--r--lib/efi_loader/efi_tcg2.c70
2 files changed, 75 insertions, 0 deletions
diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/efi_boottime.c
index 13ab139..f0283b5 100644
--- a/lib/efi_loader/efi_boottime.c
+++ b/lib/efi_loader/efi_boottime.c
@@ -2182,6 +2182,11 @@ static efi_status_t EFIAPI efi_exit_boot_services(efi_handle_t image_handle,
efi_set_watchdog(0);
WATCHDOG_RESET();
out:
+ if (IS_ENABLED(CONFIG_EFI_TCG2_PROTOCOL)) {
+ if (ret != EFI_SUCCESS)
+ efi_tcg2_notify_exit_boot_services_failed();
+ }
+
return EFI_EXIT(ret);
}
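Review bot: The status returned by `efi_tcg2_notify_exit_boot_services_failed()` is discarded in the `out:` path, so a "Returned with Failure" measurement that itself fails leaves no trace for anyone later comparing the event log with the PCR values. The caller must still receive the original `ret`, but the call could be checked and reported, e.g. `if (efi_tcg2_notify_exit_boot_services_failed() != EFI_SUCCESS) log_err("ExitBootServices failure not measured\n");`, assuming the logging macros are in scope in this file. A comment above the block such as `/* success is measured by the EVT_SIGNAL_EXIT_BOOT_SERVICES callback in efi_tcg2.c; only the failure case is recorded here */` would explain the asymmetry. The body of efi_exit_boot_services() starts outside the hunk.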
diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
index ed71337..c6f2e48 100644
--- a/lib/efi_loader/efi_tcg2.c
+++ b/lib/efi_loader/efi_tcg2.c
@@ -1507,6 +1507,67 @@ efi_status_t efi_tcg2_measure_efi_app_exit(void)
}
/**
+ * efi_tcg2_notify_exit_boot_services() - ExitBootService callback
+ *
+ * @event: callback event
+ * @context: callback context
+ */
+static void EFIAPI
+efi_tcg2_notify_exit_boot_services(struct efi_event *event, void *context)
+{
+ efi_status_t ret;
+ struct udevice *dev;
+
+ EFI_ENTRY("%p, %p", event, context);
+
+ ret = platform_get_tpm2_device(&dev);
+ if (ret != EFI_SUCCESS)
+ goto out;
+
+ ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION,
+ strlen(EFI_EXIT_BOOT_SERVICES_INVOCATION),
+ (u8 *)EFI_EXIT_BOOT_SERVICES_INVOCATION);
+ if (ret != EFI_SUCCESS)
+ goto out;
+
+ ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION,
+ strlen(EFI_EXIT_BOOT_SERVICES_SUCCEEDED),
+ (u8 *)EFI_EXIT_BOOT_SERVICES_SUCCEEDED);
+
+out:
+ EFI_EXIT(ret);
+}
+
+/**
+ * efi_tcg2_notify_exit_boot_services_failed()
+ * - notify ExitBootServices() is failed
+ *
+ * Return: status code
+ */
+efi_status_t efi_tcg2_notify_exit_boot_services_failed(void)
+{
+ struct udevice *dev;
+ efi_status_t ret;
+
+ ret = platform_get_tpm2_device(&dev);
+ if (ret != EFI_SUCCESS)
+ goto out;
+
+ ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION,
+ strlen(EFI_EXIT_BOOT_SERVICES_INVOCATION),
+ (u8 *)EFI_EXIT_BOOT_SERVICES_INVOCATION);
+ if (ret != EFI_SUCCESS)
+ goto out;
+
+ ret = tcg2_measure_event(dev, 5, EV_EFI_ACTION,
+ strlen(EFI_EXIT_BOOT_SERVICES_FAILED),
+ (u8 *)EFI_EXIT_BOOT_SERVICES_FAILED);
+
+out:
+ return ret;
+}
+
+/**
* tcg2_measure_secure_boot_variable() - measure secure boot variables
*
* @dev: TPM device
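Review bot: In `efi_tcg2_notify_exit_boot_services()` a failure from `platform_get_tpm2_device()` or `tcg2_measure_event()` only reaches `EFI_EXIT(ret)`; the callback returns void, so a boot whose ExitBootServices events never got extended into the TPM proceeds without any indication. A line before `out:` handling such as `if (ret != EFI_SUCCESS) log_err("ExitBootServices measurement failed\n");` (if the logging macros are available here) would make that visible. The PCR index is written as a bare `5` in all four calls; a named constant or a comment like `/* PCR 5: where the PFP spec places the ExitBootServices EV_EFI_ACTION events */` would document the choice, and `/* event data is the string without its terminating NUL */` next to the `strlen()` arguments would show that the length is deliberate. The two functions differ only in the second string and could share one static helper that takes it as a parameter.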
@@ -1584,6 +1645,7 @@ efi_status_t efi_tcg2_register(void)
{
efi_status_t ret = EFI_SUCCESS;
struct udevice *dev;
+ struct efi_event *event;
ret = platform_get_tpm2_device(&dev);
if (ret != EFI_SUCCESS) {
@@ -1608,6 +1670,14 @@ efi_status_t efi_tcg2_register(void)
goto fail;
}
+ ret = efi_create_event(EVT_SIGNAL_EXIT_BOOT_SERVICES, TPL_CALLBACK,
+ efi_tcg2_notify_exit_boot_services, NULL,
+ NULL, &event);
+ if (ret != EFI_SUCCESS) {
+ tcg2_uninit();
+ goto fail;
+ }
+
ret = tcg2_measure_secure_boot_variable(dev);
if (ret != EFI_SUCCESS) {
tcg2_uninit();
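Review bot: The exit-boot-services event is created before `tcg2_measure_secure_boot_variable(dev)`, and the failure branch that follows calls `tcg2_uninit()` with no visible step that removes the event again. If the remainder of that path (outside the hunk) does not close it, `efi_tcg2_notify_exit_boot_services()` would still fire at ExitBootServices() and call `tcg2_measure_event()` after the TCG2 state has been torn down. Moving the `efi_create_event(...)` call after the last step in efi_tcg2_register() that can fail would avoid this. `event` is never read after creation, so a comment such as `/* handle intentionally unused; the event lives until ExitBootServices() */` on its declaration would help.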