Re: [PATCH 3/3] efi_loader: add DeployedMode and AuditMode variable measurement

16 Sep 2021

Hi Heinrich,
On Thu, 16 Sept 2021 at 16:02, Heinrich Schuchardt xypron.glpk@gmx.de wrote:
...
On 9/15/21 7:15 AM, Masahisa Kojima wrote:
...
This commit adds the DeployedMode and AuditMode variable
measurement required in TCG PC Client PFP Spec.
Signed-off-by: Masahisa Kojima masahisa.kojima@linaro.org
lib/efi_loader/efi_tcg2.c | 47 +++++++++++++++++++++++++++++++++++++++
  1 file changed, 47 insertions(+)

diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
index 35810615ed..427d6e22b1 100644
--- a/lib/efi_loader/efi_tcg2.c
+++ b/lib/efi_loader/efi_tcg2.c
@@ -12,6 +12,7 @@
  #include <dm.h>
  #include <efi_loader.h>
  #include <efi_tcg2.h>
+#include <efi_variable.h>
  #include <log.h>
  #include <malloc.h>
  #include <smbios.h>
@@ -1828,6 +1829,50 @@ out:
      return ret;
  }
+/**


tcg2_measure_deployed_audit_mode() - measure deployedmode and auditmode







@dev:     TPM device







Return:   status code


*/

+static efi_status_t tcg2_measure_deployed_audit_mode(struct udevice *dev)
+{

u8 deployed_mode;


u8 audit_mode;


efi_uintn_t size;


efi_status_t ret;


u32 pcr_index;



size = sizeof(deployed_mode);


ret = efi_get_variable_int(L"DeployedMode", &efi_global_variable_guid,


                           NULL, &size, &deployed_mode, NULL);


if (ret != EFI_SUCCESS)


        return ret;



Why should AuditMode not be measured if DeployedMode does not exist?
TCG spec says that PCR index is different depending on the DeployedMode value.
--- PCR[1]
If the system supports UEFI 2.5 or later and DeployedMode is enabled,
the following additional variables MUST
be measured into PCR[1]:
a. The DeployedMode variable value. The Event Type SHALL be
EV_EFI_VARIABLE_DRIVER_CONFIG and
the Event value shall be the value of the UEFI_VARIABLE data structure.
b. The AuditMode variable value. The Event Type SHALL be
EV_EFI_VARIABLE_DRIVER_CONFIG and the
Event value shall be the value of the UEFI_VARIABLE data structure.
---
--- PCR[7]
If the system supports UEFI 2.5 or later and DeployedMode is NOT
enabled, the following additional
variables MUST be measured into PCR[7]:
a. The contents of the AuditMode variable
b. The contents of the DeployedMode variable
---
If DeployedMode does not exist, we can not decide which PCR to be extended.
Thanks,
Masahisa Kojima
...
Could we handle these variables in a loop over an array containing dbt
and dbr reduce code duplication?
Best regards
Heinrich
...


pcr_index = (deployed_mode ? 1 : 7);



ret = tcg2_measure_variable(dev, pcr_index,


                            EV_EFI_VARIABLE_DRIVER_CONFIG,


                            L"DeployedMode",


                            &efi_global_variable_guid,


                            size, &deployed_mode);



size = sizeof(audit_mode);


ret = efi_get_variable_int(L"AuditMode", &efi_global_variable_guid,


                           NULL, &size, &audit_mode, NULL);


if (ret != EFI_SUCCESS)


        return ret;



ret = tcg2_measure_variable(dev, pcr_index,


                            EV_EFI_VARIABLE_DRIVER_CONFIG,


                            L"AuditMode",


                            &efi_global_variable_guid,


                            size, &audit_mode);



return ret;



+}

/**
tcg2_measure_secure_boot_variable() - measure secure boot variables




@@ -1891,6 +1936,8 @@ static efi_status_t tcg2_measure_secure_boot_variable(struct udevice *dev)
              free(data);
      }

ret = tcg2_measure_deployed_audit_mode(dev);


error:
    return ret;
}


    