On 11/25/21 21:40, Ilias Apalodimas wrote:
Hi Heinrich,
[...]
u32 len;@@ -962,6 +976,9 @@ efi_status_t tcg2_measure_pe_image(void *efi, u64 efi_size, IMAGE_NT_HEADERS32 *nt; struct efi_handler *handler;
- if (!is_tcg2_protocol_installed())
return EFI_NOT_READY;- ret = platform_get_tpm2_device(&dev); if (ret != EFI_SUCCESS) return ret;
@@ -2140,6 +2157,9 @@ efi_status_t efi_tcg2_measure_efi_app_invocation(struct efi_loaded_image_obj *ha u32 event = 0; struct smbios_entry *entry;
- if (!is_tcg2_protocol_installed())
return EFI_NOT_READY;- if (tcg2_efi_app_invoked) return EFI_SUCCESS;
@@ -2190,6 +2210,9 @@ efi_status_t efi_tcg2_measure_efi_app_exit(void) efi_status_t ret; struct udevice *dev;
- if (!is_tcg2_protocol_installed())
[...]
Heinrich, this whole patch is needed because installing the tcg2 protocol always returns EFI_SUCCESS. The reason is that some sandbox tests with sandbox_tpm used to fail. Do you want to keep this or perhaps just failing the boot now is the protocol fails to install is an option ?
Which test failed?
It's been a while, but if my memory serves me correctly, during the protocol installation we need to call: efi_init_event_log() -> create_specid_event() -> tpm2_get_pcr_info() -> tpm2_get_capability().
That get_capability call wasn't supported in sandbox. So the result was EFI TCG2 stopping the boot process. Simon did fix a few things on sandbox since then, but I can't remember if capabilities was one of them.
We should consistently test the TCG2 protocol using swtpm both on QEMU and on the sandbox. I am still waiting for Tom to apply
[U-BOOT-TEST-HOOKS,1/1] Enable TPMv2 emulation https://patchwork.ozlabs.org/project/uboot/patch/20211115101106.36479-1-hein...
to move to that target.
Until then we can disable the tcg2 test or the TCG2 protocol on the sandbox.
That would be fine by me. Not stopping the boot on failures introduces the need for patches like this. So you suggest we drop this and just fail the boot ?
If the sandbox makes problems due to its incomplete TPM emulation I would suggest:
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 700dc838dd..201a0d62e2 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -307,7 +307,7 @@ config EFI_RNG_PROTOCOL config EFI_TCG2_PROTOCOL bool "EFI_TCG2_PROTOCOL support" default y - depends on TPM_V2 + depends on TPM_V2 && !SANDBOX
We can revert such a change once swtpm can be used to provide a tpm emulation for the sandbox.
Best regards
Heinrich