diff options
| author | Tamas K Lengyel <lengyelt@ainfosec.com> | 2017-11-08 15:10:18 -0700 |
|---|---|---|
| committer | Peter Jones <pjones@redhat.com> | 2018-03-06 14:42:32 -0500 |
| commit | ba06a4362d22b41887bb4121694e0562cefa5385 (patch) | |
| tree | f982292351608cc3ede0db0831c20088a4f9e467 /shim.c | |
| parent | 555ef92650944e5ec8ccc23d1d892e984b04afd6 (diff) | |
| download | efi-boot-shim-ba06a4362d22b41887bb4121694e0562cefa5385.tar.gz efi-boot-shim-ba06a4362d22b41887bb4121694e0562cefa5385.zip | |
Add REQUIRE_TPM flag to treat TPM related errors as critical
Currently TPM related errors are being silently discarded.
Signed-off-by: Tamas K Lengyel <lengyelt@ainfosec.com>
Diffstat (limited to 'shim.c')
| -rw-r--r-- | shim.c | 13 |
1 files changed, 11 insertions, 2 deletions
@@ -1308,7 +1308,12 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, return efi_status; /* Measure the binary into the TPM */ - tpm_log_pe((EFI_PHYSICAL_ADDRESS)(UINTN)data, datasize, sha1hash, 4); + efi_status = tpm_log_pe((EFI_PHYSICAL_ADDRESS)(UINTN)data, datasize, sha1hash, 4); +#ifdef REQUIRE_TPM + if (efi_status != EFI_SUCCESS) { + return efi_status; + } +#endif if (secure_mode ()) { efi_status = verify_buffer(data, datasize, &context, @@ -1818,7 +1823,11 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size) goto done; /* Measure the binary into the TPM */ - tpm_log_pe((EFI_PHYSICAL_ADDRESS)(UINTN)buffer, size, sha1hash, 4); + status = tpm_log_pe((EFI_PHYSICAL_ADDRESS)(UINTN)buffer, size, sha1hash, 4); +#ifdef REQUIRE_TPM + if (status != EFI_SUCCESS) + goto done; +#endif if (!secure_mode()) goto done; |