On Wed, May 12, 2021 at 03:59:46PM +0900, Masahisa Kojima wrote:

"TCG PC Client Platform Firmware Profile Specification" requires to measure every attempt to load and execute a OS Loader(a UEFI application) into PCR[4]. This commit adds the PE/COFF image measurement, extends PCR, and appends measurement into Event Log.

Signed-off-by: Masahisa Kojima masahisa.kojima@linaro.org

(no changes since v2)

Changes in v2:

• Remove duplicate <efi.h> include
• Remove unnecessary __packed attribute
• Add all EV_EFI_* event definition
• Create common function to prepare 8-byte aligned image
• Add measurement for EV_EFI_BOOT_SERVICES_DRIVER and EV_EFI_RUNTIME_SERVICES_DRIVER
• Use efi_search_protocol() to get device_path
• Add function comment

include/efi_loader.h | 6 + include/efi_tcg2.h | 9 ++ include/tpm-v2.h | 18 +++ lib/efi_loader/efi_image_loader.c | 59 +++++++-- lib/efi_loader/efi_tcg2.c | 207 ++++++++++++++++++++++++++++-- 5 files changed, 275 insertions(+), 24 deletions(-)

diff --git a/include/efi_loader.h b/include/efi_loader.h index de1a496a97..9f2854a255 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -426,6 +426,10 @@ efi_status_t efi_disk_register(void); efi_status_t efi_rng_register(void); /* Called by efi_init_obj_list() to install EFI_TCG2_PROTOCOL */ efi_status_t efi_tcg2_register(void); +/* measure the pe-coff image, extend PCR and add Event Log */ +efi_status_t tcg2_measure_pe_image(void *efi, u64 efi_size,

• 		   struct efi_loaded_image_obj *handle,
  

• 		   struct efi_loaded_image *loaded_image_info);
  

/* Create handles and protocols for the partitions of a block device */ int efi_disk_create_partitions(efi_handle_t parent, struct blk_desc *desc, const char *if_typename, int diskid, @@ -847,6 +851,8 @@ bool efi_secure_boot_enabled(void);

bool efi_capsule_auth_enabled(void);

+void *efi_prepare_aligned_image(void *efi, u64 *efi_size, void **new_efi);

bool efi_image_parse(void *efi, size_t len, struct efi_image_regions **regp, WIN_CERTIFICATE **auth, size_t *auth_len);

diff --git a/include/efi_tcg2.h b/include/efi_tcg2.h index 40e241ce31..bcfb98168a 100644 --- a/include/efi_tcg2.h +++ b/include/efi_tcg2.h @@ -9,6 +9,7 @@ #if !defined _EFI_TCG2_PROTOCOL_H_ #define _EFI_TCG2_PROTOCOL_H_

+#include <efi_api.h> #include <tpm-v2.h>

#define EFI_TCG2_PROTOCOL_GUID \ @@ -53,6 +54,14 @@ struct efi_tcg2_event { u8 event[]; } __packed;

+struct uefi_image_load_event {

• efi_physical_addr_t image_location_in_memory;
• u64 image_length_in_memory;
• u64 image_link_time_address;
• u64 length_of_device_path;
• struct efi_device_path device_path[];

+};

struct efi_tcg2_boot_service_capability { u8 size; struct efi_tcg2_version structure_version; diff --git a/include/tpm-v2.h b/include/tpm-v2.h index 7de7d6a57d..247b386967 100644 --- a/include/tpm-v2.h +++ b/include/tpm-v2.h @@ -70,6 +70,24 @@ struct udevice; #define EV_TABLE_OF_DEVICES ((u32)0x0000000B) #define EV_COMPACT_HASH ((u32)0x0000000C)

+/*

• • event types, cf.
• • "TCG PC Client Platform Firmware Profile Specification", Family "2.0"
• • rev 1.04, June 3, 2019
• */

+#define EV_EFI_EVENT_BASE ((u32)0x80000000) +#define EV_EFI_VARIABLE_DRIVER_CONFIG ((u32)0x80000001) +#define EV_EFI_VARIABLE_BOOT ((u32)0x80000002) +#define EV_EFI_BOOT_SERVICES_APPLICATION ((u32)0x80000003) +#define EV_EFI_BOOT_SERVICES_DRIVER ((u32)0x80000004) +#define EV_EFI_RUNTIME_SERVICES_DRIVER ((u32)0x80000005) +#define EV_EFI_GPT_EVENT ((u32)0x80000006) +#define EV_EFI_ACTION ((u32)0x80000007) +#define EV_EFI_PLATFORM_FIRMWARE_BLOB ((u32)0x80000008) +#define EV_EFI_HANDOFF_TABLES ((u32)0x80000009) +#define EV_EFI_HCRTM_EVENT ((u32)0x80000010) +#define EV_EFI_VARIABLE_AUTHORITY ((u32)0x800000E0)

/* TPMS_TAGGED_PROPERTY Structure */ struct tpms_tagged_property { u32 property; diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c index fe1ee198e2..f37a85e56e 100644 --- a/lib/efi_loader/efi_image_loader.c +++ b/lib/efi_loader/efi_image_loader.c @@ -302,6 +302,40 @@ static int cmp_pe_section(const void *arg1, const void *arg2) return 1; }

+/**

• • efi_prepare_aligned_image() - prepare 8-byte aligned image
• • @efi: pointer to the EFI binary
• • @efi_size: size of @efi binary
• • @new_efi: pointer to the newly allocated image
• • If @efi is not 8-byte aligned, this function newly allocates
• • the image buffer and updates @efi_size.
• • Return: valid pointer to a image, return NULL if allocation fails.
• */

+void *efi_prepare_aligned_image(void *efi, u64 *efi_size, void **new_efi) +{

• size_t new_efi_size;
• void *p;
• /*

• * Size must be 8-byte aligned and the trailing bytes must be
  

• * zero'ed. Otherwise hash value may be incorrect.
  

• */
  

• if (!IS_ALIGNED(*efi_size, 8)) {

• new_efi_size = ALIGN(*efi_size, 8);
  

• p = calloc(new_efi_size, 1);
  

• if (!p)
  

• 	return NULL;
  

• memcpy(p, efi, *efi_size);
  

• *efi_size = new_efi_size;
  

• *new_efi = p;
  

• return p;
  

• } else {

• return efi;
  

• }

+}

/**

• efi_image_parse() - parse a PE image
• @efi: Pointer to image

@@ -561,7 +595,7 @@ static bool efi_image_authenticate(void *efi, size_t efi_size) struct efi_signature_store *db = NULL, *dbx = NULL; void *new_efi = NULL; u8 *auth, *wincerts_end;

• size_t new_efi_size, auth_size;

• size_t auth_size; bool ret = false;

  EFI_PRINT("%s: Enter, %d\n", __func__, ret);

@@ -569,19 +603,9 @@ static bool efi_image_authenticate(void *efi, size_t efi_size) if (!efi_secure_boot_enabled()) return true;

• /*

• * Size must be 8-byte aligned and the trailing bytes must be
  

• * zero'ed. Otherwise hash value may be incorrect.
  

• */
  

• if (efi_size & 0x7) {

• new_efi_size = (efi_size + 0x7) & ~0x7ULL;
  

• new_efi = calloc(new_efi_size, 1);
  

• if (!new_efi)
  

• 	return false;
  

• memcpy(new_efi, efi, efi_size);
  

• efi = new_efi;
  

• efi_size = new_efi_size;
  

• }

• efi = efi_prepare_aligned_image(efi, (u64 *)&efi_size, &new_efi);

• if (!efi)

• return false;
  
  

  if (!efi_image_parse(efi, efi_size, &regs, &wincerts, &wincerts_len)) {

@@ -891,6 +915,13 @@ efi_status_t efi_load_pe(struct efi_loaded_image_obj *handle, goto err; }

+#if CONFIG_IS_ENABLED(EFI_TCG2_PROTOCOL)

• /* Measure an PE/COFF image */
• if (tcg2_measure_pe_image(efi, efi_size, handle,

• 		  loaded_image_info))
  

• log_err("PE image measurement failed\n");
  

+#endif

• /* Copy PE headers */ memcpy(efi_reloc, efi, sizeof(*dos)

diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index 94e8f22bbb..7ad9cb2b89 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -13,8 +13,10 @@ #include <efi_loader.h> #include <efi_tcg2.h> #include <log.h> +#include <malloc.h> #include <version.h> #include <tpm-v2.h> +#include <u-boot/rsa.h> #include <u-boot/sha1.h> #include <u-boot/sha256.h> #include <u-boot/sha512.h> @@ -706,6 +708,183 @@ out: return EFI_EXIT(ret); }

+/**

• • tcg2_hash_pe_image() - calculate PE/COFF image hash
• • @efi: pointer to the EFI binary
• • @efi_size: size of @efi binary
• • @digest_list: list of digest algorithms to extend
• • Return: status code
• */

+static efi_status_t tcg2_hash_pe_image(void *efi, u64 efi_size,

• 		       struct tpml_digest_values *digest_list)
  

+{

• WIN_CERTIFICATE *wincerts = NULL;
• size_t wincerts_len;
• struct efi_image_regions *regs = NULL;
• void *new_efi = NULL;
• u8 hash[TPM2_SHA512_DIGEST_SIZE];
• efi_status_t ret;
• u32 active;
• int i;
• efi = efi_prepare_aligned_image(efi, &efi_size, &new_efi);
• if (!efi)

• return EFI_OUT_OF_RESOURCES;
  

• if (!efi_image_parse(efi, efi_size, &regs, &wincerts,

• 	     &wincerts_len)) {
  

• log_err("Parsing PE executable image failed\n");
  

• ret = EFI_INVALID_PARAMETER;
  

• goto out;
  

• }
• ret = __get_active_pcr_banks(&active);
• if (ret != EFI_SUCCESS) {

• ret = EFI_DEVICE_ERROR;
  

• goto out;
  

• }
• digest_list->count = 0;
• for (i = 0; i < MAX_HASH_COUNT; i++) {

• u16 hash_alg = hash_algo_list[i].hash_alg;
  

• if (!(active & alg_to_mask(hash_alg)))
  

• 	continue;
  

• switch (hash_alg) {
  

• case TPM2_ALG_SHA1:
  

• 	hash_calculate("sha1", regs->reg, regs->num, hash);
  

• 	break;
  

• case TPM2_ALG_SHA256:
  

• 	hash_calculate("sha256", regs->reg, regs->num, hash);
  

• 	break;
  

• case TPM2_ALG_SHA384:
  

• 	hash_calculate("sha384", regs->reg, regs->num, hash);
  

• 	break;
  

• case TPM2_ALG_SHA512:
  

• 	hash_calculate("sha512", regs->reg, regs->num, hash);
  

• 	break;
  

• default:
  

• 	EFI_PRINT("Unsupported algorithm %x\n", hash_alg);
  

• 	return EFI_INVALID_PARAMETER;
  

• }
  

• digest_list->digests[i].hash_alg = hash_alg;
  

• memcpy(&digest_list->digests[i].digest, hash, (u32)alg_to_len(hash_alg));
  

• digest_list->count++;
  

• }

+out:

• free(new_efi);
• free(regs);
• return ret;

+}

+/**

• • tcg2_measure_pe_image() - measure PE/COFF image
• • @efi: pointer to the EFI binary
• • @efi_size: size of @efi binary
• • @handle: loaded image handle
• • @loaded_image: loaded image protocol
• • Return: status code
• */

+efi_status_t tcg2_measure_pe_image(void *efi, u64 efi_size,

• 		   struct efi_loaded_image_obj *handle,
  

• 		   struct efi_loaded_image *loaded_image)
  

+{

• struct tpml_digest_values digest_list;
• efi_status_t ret;
• struct udevice *dev;
• u32 pcr_index, event_type, event_size;
• struct uefi_image_load_event *image_load_event;
• struct efi_device_path *device_path;
• u32 device_path_length;
• IMAGE_DOS_HEADER *dos;
• IMAGE_NT_HEADERS32 *nt;
• struct efi_handler *handler;
• ret = platform_get_tpm2_device(&dev);
• if (ret != EFI_SUCCESS)

• return ret;
  

• switch (handle->image_type) {
• case IMAGE_SUBSYSTEM_EFI_APPLICATION:

• pcr_index = 4;
  

• event_type = EV_EFI_BOOT_SERVICES_APPLICATION;
  

• break;
  

• case IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER:

• pcr_index = 2;
  

• event_type = EV_EFI_BOOT_SERVICES_DRIVER;
  

• break;
  

• case IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER:

• pcr_index = 2;
  

• event_type = EV_EFI_RUNTIME_SERVICES_DRIVER;
  

• break;
  

• default:

• return EFI_UNSUPPORTED;
  

• }
• ret = tcg2_hash_pe_image(efi, efi_size, &digest_list);
• if (ret != EFI_SUCCESS)

• return ret;
  

• ret = tcg2_pcr_extend(dev, pcr_index, &digest_list);
• if (ret != EFI_SUCCESS)

• return ret;
  

• ret = EFI_CALL(efi_search_protocol(&handle->header,

• 			   &efi_guid_loaded_image_device_path,
  

• 			   &handler));
  

• if (ret != EFI_SUCCESS)

• return ret;
  

• device_path = EFI_CALL(handler->protocol_interface);
• device_path_length = efi_dp_size(device_path);
• if (device_path_length > 0) {

• /* add end node size */
  

• device_path_length += sizeof(struct efi_device_path);
  

• }
• event_size = sizeof(struct uefi_image_load_event) + device_path_length;
• image_load_event = (struct uefi_image_load_event *)malloc(event_size);
• if (!image_load_event)

• return EFI_OUT_OF_RESOURCES;
  

• image_load_event->image_location_in_memory = (efi_physical_addr_t)efi;
• image_load_event->image_length_in_memory = efi_size;
• image_load_event->length_of_device_path = device_path_length;
• dos = (IMAGE_DOS_HEADER *)efi;
• nt = (IMAGE_NT_HEADERS32 *)(efi + dos->e_lfanew);
• if (nt->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) {

• IMAGE_NT_HEADERS64 *nt64 = (IMAGE_NT_HEADERS64 *)nt;
  

• image_load_event->image_link_time_address =
  

• 		nt64->OptionalHeader.ImageBase;
  

• } else if (nt->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) {

• image_load_event->image_link_time_address =
  

• 		nt->OptionalHeader.ImageBase;
  

• } else {

• ret = EFI_INVALID_PARAMETER;
  

• goto out;
  

• }
• if (device_path_length > 0) {

• memcpy(image_load_event->device_path, device_path,
  

•        device_path_length);
  

• }
• ret = tcg2_agile_log_append(pcr_index, event_type, &digest_list,

• 		    event_size, (u8 *)image_load_event);
  

+out:

• free(image_load_event);
• return ret;

+}

/**

• efi_tcg2_hash_log_extend_event() - extend and optionally log events

@@ -758,24 +937,32 @@ efi_tcg2_hash_log_extend_event(struct efi_tcg2_protocol *this, u64 flags, /* * if PE_COFF_IMAGE is set we need to make sure the image is not * corrupted, verify it and hash the PE/COFF image in accordance with

• * the  procedure  specified  in  "Calculating  the  PE  Image  Hash"
  

• * section  of the "Windows Authenticode Portable Executable Signature
  

• * the procedure specified in "Calculating the PE Image Hash"
  

• * section of the "Windows Authenticode Portable Executable Signature
  

  • Format"

• * Not supported for now
  

  */ if (flags & PE_COFF_IMAGE) {

• ret = EFI_UNSUPPORTED;
  

• goto out;
  

• }

• IMAGE_NT_HEADERS32 *nt;
  
  

• pcr_index = efi_tcg_event->header.pcr_index;
• event_type = efi_tcg_event->header.event_type;

• ret = efi_check_pe((void *)data_to_hash, data_to_hash_len,
  

• 		   (void **)&nt);
  

• if (ret != EFI_SUCCESS) {
  

• 	log_err("Not a valid PE-COFF file\n");
  

• 	goto out;
  

• }
  
  

• ret = tcg2_create_digest((u8 *)data_to_hash, data_to_hash_len,

• 		 &digest_list);
  

• ret = tcg2_hash_pe_image((void *)data_to_hash, data_to_hash_len,
  

• 			 &digest_list);
  

• } else {

• ret = tcg2_create_digest((u8 *)data_to_hash, data_to_hash_len,
  

• 			 &digest_list);
  

• } if (ret != EFI_SUCCESS) goto out;

• pcr_index = efi_tcg_event->header.pcr_index;

• event_type = efi_tcg_event->header.event_type;

• ret = tcg2_pcr_extend(dev, pcr_index, &digest_list); if (ret != EFI_SUCCESS) goto out;

-- 2.17.1

This might need a rebase since Heinrich merged some minor cleanups yesterday. Other than that

Acked-by: Ilias Apalodimas ilias.apalodimas@linaro.org Tested-by: Ilias Apalodimas ilias.apalodimas@linaro.org

On Wed, May 12, 2021 at 03:59:47PM +0900, Masahisa Kojima wrote:

Build error occurs when CONFIG_EFI_SECURE_BOOT/ CONFIG_EFI_CAPSULE_AUTHENTICATE/CONFIG_EFI_TCG2_PROTOCOL is enabled, because hash-checksum.c is not compiled.

With the following commit, commit 0bcb28dfb946 ("lib: Rename rsa-checksum.c to hash-checksum.c") CONFIG_FIT_SIGNATURE option is required to use hash_calculate() function.

This commit adds CONFIG_FIT_SIGNATURE option in Kconfig, and missing required options for CONFIG_EFI_TCG2_PROTOCOL.

Signed-off-by: Masahisa Kojima masahisa.kojima@linaro.org

Changes in v4:

• newly added in this patch series, due to rebasing the base code.

lib/efi_loader/Kconfig | 8 ++++++++ 1 file changed, 8 insertions(+)

diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index b76e77180e..93463fb362 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -175,6 +175,7 @@ config EFI_CAPSULE_AUTHENTICATE select PKCS7_VERIFY select IMAGE_SIGN_INFO select EFI_SIGNATURE_SUPPORT

• select FIT_SIGNATURE default n help Select this option if you want to enable capsule

@@ -302,6 +303,12 @@ config EFI_RNG_PROTOCOL config EFI_TCG2_PROTOCOL bool "EFI_TCG2_PROTOCOL support" depends on TPM_V2

• select FIT_SIGNATURE
• select SHA1
• select SHA256
• select SHA512_ALGO
• select SHA384
• select SHA512 help Provide a EFI_TCG2_PROTOCOL implementation using the TPM hardware of the platform.

@@ -338,6 +345,7 @@ config EFI_SECURE_BOOT select PKCS7_MESSAGE_PARSER select PKCS7_VERIFY select EFI_SIGNATURE_SUPPORT

• select FIT_SIGNATURE default n help Select this option to enable EFI secure boot support.

-- 2.17.1

I've sent a similar patch yesterday that Heinrich already applied on his tree, you'll only need to add FIT_SIGNATURE now

Cheers /Ilias