| Age | Commit message (Collapse) | Author |
|---|
|
The extend operation still occurs even if `*_log_extend_event`
returns EFI_VOLUME_FULL.
Let's print a warning when we first see this error code, but otherwise
continue booting.
Bailing on this condition has caused machines with limited event log
space to become unbootable with TPM 2.0 enabled. (fixes #654)
Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
|
|
Intel Trust Domain Extensions (Intel TDX) extends Virtual Machine
Extensions (VMX) and Multi-Key Total Memory Encryption (MK-TME) with a
new kind of virtual machine guest called a Trust Domain(TD)[1]. A TD
runs in a CPU mode that is designed to protect the confidentiality of
its memory contents and its CPU state from any other software, including
the hosting Virtual Machine Monitor (VMM).
Trust Domain Virtual Firmware (TDVF) is required to provide Intel TDX
implementation and service for EFI_CC_MEASUREMENT_PROTOCOL[2]. The bugzilla
for TDVF is at https://bugzilla.tianocore.org/show_bug.cgi?id=3625.
To support CC measurement/attestation with Intel TDX technology, these 4
RTMR registers will be extended by TDX service like TPM/TPM2 PCR:
- RTMR[0] for TDVF configuration
- RTMR[1] for the TD OS loader and kernel
- RTMR[2] for the OS application
- RTMR[3] reserved for special usage only
Add a TDX Implementation for CC Measurement protocol along with
TPM/TPM2 protocol.
References:
[1] https://software.intel.com/content/dam/develop/external/us/en/documents/tdx-whitepaper-v4.pdf
[2] https://software.intel.com/content/dam/develop/external/us/en/documents/tdx-virtual-firmware-design-guide-rev-1.pdf
[3] https://software.intel.com/content/dam/develop/external/us/en/documents/intel-tdx-guest-hypervisor-communication-interface-1.0-344426-002.pdf
Signed-off-by: Lu Ken <ken.lu@intel.com>
[rharwood: style pass on code and commit message]
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
|
On Dell hardware booted in UEFI with option TPM 1.2 "On without Pre-Boot
Measurements", it appears that `tpm_log_event()` fails with Unsupported,
which causes Shim to abort due to believing it couldn't set up the
MokListRT, MokListXRT and SbatLevelRT variables.
This patch ignore the error when trying to write to the TPM and sets the
TPM as 'defective' to not try to write to it anymore.
Signed-off-by: Renaud Métrich <rmetrich@redhat.com>
|
|
Keep from cluttering up valgrind with allocations that aren't part of
the tested info (yet).
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This re-structures our includes so we can be sure everything is always
including all the system headers in a uniform, predictable way.
Temporarily it also adds a bunch of junk at all the places we use
variadic functions to specifically pick either the MS (cdecl) or ELF
ABIs.
I'm not 100% sure that's all correct (see later patch) but it's enough
to allow this to build.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This does two things:
- consolidates all our TPM event type #defines to one place
- uses EV_IPL instead of hard-coding 0xd
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
The license statements in our source files were getting to be a giant
mess, and mostly they all just say the same thing. I've switched most
of it to SPDX labels, but left copyright statements in place (where they
were not obviously incorrect copy-paste jobs that I did...).
If there's some change here you don't think is valid, let me know and
we can fix it up together.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
Upstream: pr#212
|
|
The "TCG PC Client Specific Platform Firmware Profile Specification" says
that when measuring a PE/COFF image, the TCG_PCR_EVENT2 structure Event
field MUST contain a UEFI_IMAGE_LOAD_EVENT structure.
Currently an empty UEFI_IMAGE_LOAD_EVENT structure is passed so users only
have the hash of the PE/COFF image, but not information such the file path
of the binary.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Upstream-commit-id: c252b9ee94c
|
|
According to the comment in tpm_measure_variable ("Don't measure something that we've already measured"), shim
shouldn't measure duplicate events if they are identical, which also aligns with section 2.3.4.8 of the TCG PC
Client Platform Firmware Profile Specification ("If it has been measured previously, it MUST NOT be measured
again"). This is currently broken because tpm_data_measured() uses the return value of CompareGuid() incorrectly.
Upstream-commit-id: 103adc89ce5
|
|
tpm_measure_variable() calculates VarLogSize by adding the size of VarName
and VarData to the size of EFI_VARIABLE_DATA_TREE, and then subtracting
the size of the UnicodeName and VariableData members. This results in a
calculation that is 5 bytes larger than necessary because it doesn't take
in to account the padding of these members. The effect of this is that
shim measures an additional 5 zero bytes when measuring UEFI variables
(at least on 64-bit architectures).
Byte packing EFI_VARIABLE_DATA_TREE fixes this.
Upstream-commit-id: 7e4d3f1c8c7
|
|
tpm_log_event_raw() allocates a buffer for the EFI_TCG2_EVENT structure
that is one byte larger than necessary, and sets event->Size accordingly.
The result of this is that the event data recorded in the log differs
from the data that is measured to the TPM (it has an extra zero byte
at the end).
Upstream-commit-id: 8a27a4809a6
|
|
Calling the TPM2 get_event_log causes the firmware to start logging
events to the final events table, but implementations may also continue
logging to the boot services event log. Any OS that wishes to
reconstruct the full PCR state must already look at both the final
events log and the boot services event log, so if this call is made
anywhere other than immediately before ExitBootServices() then the OS
must deduplicate events that occur in both, complicating things
immensely.
Linux already has support for copying up the boot services event log
across the ExitBootServices() boundary, so there's no reason to make
this call. Remove it.
Signed-off-by: Matthew Garrett <mjg59@google.com>
Upstream-commit-id: fd7c3bd920b
|
|
Don't return EFI_NOT_FOUND from tpm_log_event*() unless we're in
REQUIRE_TPM mode.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
clang-analyzer caught this.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
I'm pretty done with typing uefi_call_wrapper() and counting arguments
every time. Instead, just make the compiler error if we don't have
ms_abi. Also, make it so nothing can use uefi_call_wrapper() directly.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Also consistently name our status variable "efi_status" unless there's a
good reason not to, such as already having another one of those.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Tamas K Lengyel <lengyelt@ainfosec.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Since booting the entry with fallback in the stack of things that got
measured will result in all the wrong PCR values, in the cases where TPM
is present and enabled, use ->Reset() instead of loading the Boot####
variable and executing its target.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
EFI_PHYSICAL_ADDRESS is UINT64 everywhere, so you can't just copy a
32-bit pointer to it.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
We're currently measuring the raw second stage loader into PCR 9, but
we're closer to spec if we measure the semi-parsed PE into PCR 4. The
hash that's logged is the same as the hash used for the Authenticode
validation, so refactor shim.c a little to separate out the hash
generation.
|
|
It's desirable to be able to use PCR 7 for all TPM policy on Secure Boot
systems, but right now Shim doesn't record any information about its
configuration or the signature used to launch the second stage loader. Add
support for that.
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
The TCG EFI Protocol Specification for family "2.0" mentions that not all
TPM2 chips may support the EFI_TCG2_EVENT_LOG_FORMAT_TCG_2 (crypto agile)
log format. So instead of always use this log format, the GetCapability()
function should be used to determine which format is supported by the TPM.
For example, the Intel PTT firmware based TPM found in Lenovo Thinkapd X1
Carbon (4th gen), only supports SHA-1 (EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2)
log format. So a call to GetEventLog() using the crypto agile format was
returning EFI_INVALID_PARAMETER, making tpm_log_event() function to fail.
This was preventing shim to correctly measure the second stage bootloader:
$ tpm2_listpcrs -L 0x04:9
Bank/Algorithm: TPM_ALG_SHA1(0x0004)
PCR_09: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
After passing a supported log format to GetEventLog(), it succeeds and so
shim is able to call the HashLogExtendEvent() EFI function correctly:
$ tpm2_listpcrs -L 0x04:9
Bank/Algorithm: TPM_ALG_SHA1(0x0004)
PCR_09: 07 5a 7e d3 75 64 ad 91 1a 34 17 17 c2 34 10 2b 58 5b de b7
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
|
The EFI_TCG2_PROTOCOL.GetCapability() function is used to learn if a TPM2
chip is present. But the protocol capability information is also needed
for other reasons, for example to determine what event log formats are
supported by the firmware.
Take out the GetCapability() call from the tpm2_present() logic and reduce
that function to just checking if a TPM2 chip is available or not, so the
capabilities can later be used to determine the supported TPM log formats.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
|
When measuring data into the TPM and generating events logs, the event
type is set to EV_IPL (0xd), and for TPM1.2 the algorithm will always
be set to SHA-1 (0x4).
So, add some macro-defined constants for these instead of having them
as magic numbers to make the code more readable.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
|
EFI TrEE Protocol uses the same protocol GUID as EFI TCG2 protocol, and
defines the capability structure version 1.0. Hence, the structure and
name are all align the EFI TrEE Protocol.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
|
|
Certain AMI BIOS (Intel NUC5i3MYBE BIOS version 0037) may make the strict
check on the last 3 arguments passed to get_event_log() and don't expect
NULL pointers are passed. In order to work around this failure
(EFI_INVALID_PARAMETER), pass them even though we really don't use it.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
|
|
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
|
|
According to TCG EFI Protocol Specification for TPM 2.0 family,
all events generated after the invocation of EFI_TCG2_GET_EVENT_LOG
shall be stored in an instance of an EFI_CONFIGURATION_TABLE aka
EFI TCG 2.0 final events table. Hence, it is necessary to trigger the
internal switch through calling get_event_log() in order to allow
to retrieve the logs from OS runtime.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
|
|
Add support for measuring the MOK database and secure boot state into a
TPM, and do the same for the second stage loader. This avoids a hole in
TPM measurement between the firmware and the second stage loader.
|
