Currently, booting the system is prevented when a call to the EFI firmware's hash_log_extend_event() returns an unknown error. Solve this by following the convention used in commit a4356538d (commands/tpm: Don't propagate measurement failures to the verifiers layer).
Let the system to be bootable by default when unknown TPM error is encountered. Make grub_tpm_is_fail_fatal() global and move its body to efi/tpm.c. Check environment variable tpm_fail_fatal to fallback to previous behaviour.
Signed-off-by: Michał Grzelak <mchl.gr...@gmail.com>
---
 grub-core/commands/efi/tpm.c | 10 +++++++++-
 grub-core/commands/tpm.c | 11 ++---------
 include/grub/tpm.h | 1 +
 3 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/grub-core/commands/efi/tpm.c b/grub-core/commands/efi/tpm.c
index c616768f9..05f3064f7 100644
--- a/grub-core/commands/efi/tpm.c
+++ b/grub-core/commands/efi/tpm.c
@@ -18,6 +18,7 @@
 * EFI TPM support code.
 */
+#include <grub/env.h>
 #include <grub/err.h>
 #include <grub/i18n.h>
 #include <grub/efi/api.h>
@@ -146,7 +147,8 @@ grub_efi_log_event_status (grub_efi_status_t status)
 case GRUB_EFI_NOT_FOUND:
 return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("TPM unavailable"));
 default:
- return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("unknown TPM error"));
+ return grub_error (grub_tpm_is_fail_fatal () ? GRUB_ERR_UNKNOWN_DEVICE
+ : GRUB_ERR_NONE, N_("unknown TPM error"));
 }
 }
@@ -266,6 +268,12 @@ grub_cc_log_event (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
 grub_efi_log_event_status (status);
 }
+bool
+grub_tpm_is_fail_fatal (void)
+{
+ return grub_env_get_bool ("tpm_fail_fatal", false);
+}
+
 grub_err_t
 grub_tpm_measure (unsigned char *buf, grub_size_t size, grub_uint8_t pcr, const char *description)
diff --git a/grub-core/commands/tpm.c b/grub-core/commands/tpm.c
index 9f830916d..f86bdc81e 100644
--- a/grub-core/commands/tpm.c
+++ b/grub-core/commands/tpm.c
@@ -18,7 +18,6 @@
 * Core TPM support code.
 */
-#include <grub/env.h>
 #include <grub/err.h>
 #include <grub/i18n.h>
 #include <grub/misc.h>
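Review bot: In the `default:` arm of grub_efi_log_event_status (hunk `@@ -146,7 +147,8 @@`), the non-fatal path calls `grub_error (GRUB_ERR_NONE, ...)`, which as far as I can tell leaves grub_errno clear, so the "unknown TPM error" text is never shown and the firmware status is lost. Because tpm_fail_fatal defaults to false, an event that was not extended into the PCR then leaves no trace while boot continues. I would log it the way commands/tpm.c does for the verifier, placing `if (!grub_tpm_is_fail_fatal ()) { grub_dprintf ("tpm", "unknown TPM error ignored\n"); return GRUB_ERR_NONE; }` ahead of the unchanged `return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("unknown TPM error"));`. Only this arm is touched; the function begins above the hunk. Systems that depend on measured boot or attestation need tpm_fail_fatal set, which the commit description could state.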
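Review bot: grub_tpm_is_fail_fatal() (hunk `@@ -266,6 +268,12 @@`) is now defined only in efi/tpm.c, while its callers grub_tpm_verify_write and grub_tpm_verify_string stay in the platform-independent commands/tpm.c. Any non-EFI backend built with that file would have to supply its own copy or fail to link; whether such a backend exists in this tree is not visible from the patch. Keeping the helper in include/grub/tpm.h as `static inline bool grub_tpm_is_fail_fatal (void) { return grub_env_get_bool ("tpm_fail_fatal", false); }`, with `#include <grub/env.h>` in that header, would give both files one definition of the policy check.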
@@ -40,12 +39,6 @@ grub_tpm_verify_init (grub_file_t io,
 return GRUB_ERR_NONE;
 }
-static inline bool
-is_tpm_fail_fatal (void)
-{
- return grub_env_get_bool ("tpm_fail_fatal", false);
-}
-
 static grub_err_t
 grub_tpm_verify_write (void *context, void *buf, grub_size_t size)
 {
@@ -55,7 +48,7 @@ grub_tpm_verify_write (void *context, void *buf, grub_size_t size)
 return GRUB_ERR_NONE;
 grub_dprintf ("tpm", "Measuring buffer failed: %d\n", status);
- return is_tpm_fail_fatal () ? status : GRUB_ERR_NONE;
+ return grub_tpm_is_fail_fatal () ? status : GRUB_ERR_NONE;
 }
 static grub_err_t
@@ -91,7 +84,7 @@ grub_tpm_verify_string (char *str, enum grub_verify_string_type type)
 return GRUB_ERR_NONE;
 grub_dprintf ("tpm", "Measuring string %s failed: %d\n", str, status);
- return is_tpm_fail_fatal () ? status : GRUB_ERR_NONE;
+ return grub_tpm_is_fail_fatal () ? status : GRUB_ERR_NONE;
 }
 struct grub_file_verifier grub_tpm_verifier = {
diff --git a/include/grub/tpm.h b/include/grub/tpm.h
index c19fcbd0a..aea145dd1 100644
--- a/include/grub/tpm.h
+++ b/include/grub/tpm.h
@@ -36,5 +36,6 @@
 grub_err_t grub_tpm_measure (unsigned char *buf, grub_size_t size, grub_uint8_t pcr, const char *description);
+bool grub_tpm_is_fail_fatal (void);
 int grub_tpm_present (void);
 #endif
--
2.37.3
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
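Review bot: The new prototype `bool grub_tpm_is_fail_fatal (void);` in include/grub/tpm.h (hunk `@@ -36,5 +36,6 @@`) has no comment, and its default is the security-relevant part of the interface. I would add above it `/* Reads the tpm_fail_fatal environment variable; when it is unset (default false) TPM measurement failures are ignored and boot continues. */` so that anyone calling it from a backend sees that ignoring failures is the default.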