On Wed, Jun 14, 2023 at 04:59:29PM +0200, Michał Grzelak wrote:
> Currently booting the system is prevented when a call to EFI firmware
> hash_log_extend_event() returns an unknown error. Solve this by following
> the convention used in commit a4356538d (commands/tpm: Don't propagate
> measurement failures to the verifiers layer).
>
> Let the system be bootable by default when an unknown TPM error is
> encountered. Make grub_tpm_is_fail_fatal() global and move its body to
> efi/tpm.c. Check environment variable tpm_fail_fatal to fall back to
> previous behaviour.
>
> Signed-off-by: Michał Grzelak <mchl.gr...@gmail.com>
> ---
>  grub-core/commands/efi/tpm.c | 10 +++++++++-
>  grub-core/commands/tpm.c     | 11 ++---------
>  include/grub/tpm.h           |  1 +
>  3 files changed, 12 insertions(+), 10 deletions(-)
>
> diff --git a/grub-core/commands/efi/tpm.c b/grub-core/commands/efi/tpm.c
> index c616768f9..05f3064f7 100644
> --- a/grub-core/commands/efi/tpm.c
> +++ b/grub-core/commands/efi/tpm.c
> @@ -18,6 +18,7 @@
>   *  EFI TPM support code.
>   */
>
> +#include <grub/env.h>
>  #include <grub/err.h>
>  #include <grub/i18n.h>
>  #include <grub/efi/api.h>
> @@ -146,7 +147,8 @@ grub_efi_log_event_status (grub_efi_status_t status)
>      case GRUB_EFI_NOT_FOUND:
>        return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("TPM unavailable"));
>      default:
> -      return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("unknown TPM error"));
> +      return grub_error (grub_tpm_is_fail_fatal () ? GRUB_ERR_UNKNOWN_DEVICE
> +                         : GRUB_ERR_NONE, N_("unknown TPM error"));
>      }
>  }
>
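
Review bot: In the default case, passing GRUB_ERR_NONE to grub_error() together with N_("unknown TPM error") makes the non-fatal path silent: the function returns success and nothing records that the event was not logged. Because that path lets boot continue after a failed measurement, consider reporting the raw status through grub_dprintf() before returning GRUB_ERR_NONE, and calling grub_error() only when grub_tpm_is_fail_fatal() is true. Only the default branch consults tpm_fail_fatal here, while the GRUB_EFI_NOT_FOUND case just above still returns GRUB_ERR_UNKNOWN_DEVICE unconditionally; the commit message should say whether that asymmetry is intended.
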
> @@ -266,6 +268,12 @@ grub_cc_log_event (unsigned char *buf, grub_size_t size, 
> grub_uint8_t pcr,
>      grub_efi_log_event_status (status);
>  }
>
> +bool
> +grub_tpm_is_fail_fatal (void)
> +{
> +  return grub_env_get_bool ("tpm_fail_fatal", false);
> +}
> +
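
Review bot: grub_tpm_is_fail_fatal() is defined here in efi/tpm.c with no comment, and per the commit message its body is moved out of commands/tpm.c, so any build of commands/tpm.c that does not link this EFI file would be left without a definition. Keeping the helper in a place every TPM backend sees would avoid that. Please also add a short comment stating that the default of false lets boot continue when a measurement fails and that setting tpm_fail_fatal restores the strict behaviour, since that default is the security-relevant choice in this patch.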

This function should be defined in the include/grub/tpm.h as

static inline bool
is_tpm_fail_fatal (void)
{
  return grub_env_get_bool ("tpm_fail_fatal", false);
}

Of course you should include grub/env.h there too. And probably docs excerpt
introduced by commit a4356538d should be generalized a bit too...

Otherwise patch LGTM...

Daniel
