Re: [PATCH v3 4/5] efi: call get_event_log before ExitBootServices
On Mon, Mar 5, 2018 at 4:40 PM Marc-André Lureau wrote: > Hi Thiebaud > On Wed, Sep 20, 2017 at 10:13 AM, Thiebaud Weksteen wrote: > > With TPM 2.0 specification, the event logs may only be accessible by > > calling an EFI Boot Service. Modify the EFI stub to copy the log area to > > a new Linux-specific EFI configuration table so it remains accessible > > once booted. > > > > When calling this service, it is possible to specify the expected format > > of the logs: TPM 1.2 (SHA1) or TPM 2.0 ("Crypto Agile"). For now, only the > > first format is retrieved. > > > Do you have plans to add support for the crypto-agile format? I am > working on uefi/ovmf support, and I am wondering if it is at all > necessary to add support for the 1.2 format. What do you think? I can > eventually try to work on 2.0 format support. Yes, this is definitely my intent. I am running low on free time for this piece of work to happen just now though. Thanks > Thanks > > Signed-off-by: Thiebaud Weksteen > > --- > > arch/x86/boot/compressed/eboot.c | 1 + > > drivers/firmware/efi/Makefile | 2 +- > > drivers/firmware/efi/efi.c| 4 ++ > > drivers/firmware/efi/libstub/Makefile | 3 +- > > drivers/firmware/efi/libstub/tpm.c| 81 +++ > > drivers/firmware/efi/tpm.c| 40 + > > include/linux/efi.h | 46 > > 7 files changed, 174 insertions(+), 3 deletions(-) > > create mode 100644 drivers/firmware/efi/tpm.c > > > > diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c > > index a1686f3dc295..ef6abe8b3788 100644 > > --- a/arch/x86/boot/compressed/eboot.c > > +++ b/arch/x86/boot/compressed/eboot.c > > @@ -999,6 +999,7 @@ struct boot_params *efi_main(struct efi_config *c, > > > > /* Ask the firmware to clear memory on unclean shutdown */ > > efi_enable_reset_attack_mitigation(sys_table); > > + efi_retrieve_tpm2_eventlog(sys_table); > > > > setup_graphics(boot_params); 
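Review bot: The log copied by `efi_retrieve_tpm2_eventlog(sys_table);` is a snapshot of the firmware event log as it stands at this point in efi_main, so any measurement the firmware records afterwards — in particular the events platforms typically log around ExitBootServices itself — will be absent from the Linux configuration table while the corresponding PCR has already been extended; a verifier replaying the table would then not reproduce the PCR values. That is inherent to copying before ExitBootServices rather than a defect of this line, but consumers of the table need to know it, so a comment at the call site is warranted: `/* Snapshot of the firmware log up to this point; events logged after this call (e.g. around ExitBootServices) are not captured. */`. The call also exposes no success or failure indication here, which should at least be documented next to it. efi_main starts and ends outside the hunk.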
> > > > diff --git a/drivers/firmware/efi/Makefile b/drivers/firmware/efi/Makefile > > index 0329d319d89a..2f074b5cde87 100644 > > --- a/drivers/firmware/efi/Makefile > > +++ b/drivers/firmware/efi/Makefile > > @@ -10,7 +10,7 @@ > > KASAN_SANITIZE_runtime-wrappers.o := n > > > > obj-$(CONFIG_ACPI_BGRT)+= efi-bgrt.o > > -obj-$(CONFIG_EFI) += efi.o vars.o reboot.o memattr.o > > +obj-$(CONFIG_EFI) += efi.o vars.o reboot.o memattr.o tpm.o > > obj-$(CONFIG_EFI) += capsule.o memmap.o > > obj-$(CONFIG_EFI_VARS) += efivars.o > > obj-$(CONFIG_EFI_ESRT) += esrt.o > > diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c > > index f97f272e16ee..0308acfaaf76 100644 > > --- a/drivers/firmware/efi/efi.c > > +++ b/drivers/firmware/efi/efi.c > > @@ -52,6 +52,7 @@ struct efi __read_mostly efi = { > > .properties_table = EFI_INVALID_TABLE_ADDR, > > .mem_attr_table = EFI_INVALID_TABLE_ADDR, > > .rng_seed = EFI_INVALID_TABLE_ADDR, > > + .tpm_log= EFI_INVALID_TABLE_ADDR > > }; > > EXPORT_SYMBOL(efi); > > > > @@ -444,6 +445,7 @@ static __initdata efi_config_table_type_t common_tables[] = { > > {EFI_PROPERTIES_TABLE_GUID, "PROP", &efi.properties_table}, > > {EFI_MEMORY_ATTRIBUTES_TABLE_GUID, "MEMATTR", &efi.mem_attr_table}, > > {LINUX_EFI_RANDOM_SEED_TABLE_GUID, "RNG", &efi.rng_seed}, > > + {LINUX_EFI_TPM_EVENT_LOG_GUID, "TPMEventLog", &efi.tpm_log}, > > {NULL_GUID, NULL, NULL}, > > }; > > > > @@ -532,6 +534,8 @@ int __init efi_config_parse_tables(void *config_tables, int count, int sz, > > if (efi_enabled(EFI_MEMMAP)) > > efi_memattr_init(); > > > > + efi_tpm_eventlog_init(); > > + > > /* Parse the EFI Properties table if it exists */ > > if (efi.properties_table != EFI_INVALID_TABLE_ADDR) { > > efi_properties_table_t *tbl; > > diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile > > index dedf9bde44db..2abe6d22dc5f 100644 > > --- a/drivers/firmware/efi/libstub/Makefile > > +++ b/drivers/firmware/efi/libstub/Makefile 
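Review bot: `efi_tpm_eventlog_init();` is called unconditionally, unlike the `efi_memattr_init()` call immediately above it which is guarded by `efi_enabled(EFI_MEMMAP)`; the address it consumes, `efi.tpm_log`, is taken directly from a configuration table supplied by the firmware or boot stub, so the routine (drivers/firmware/efi/tpm.c, not visible in this hunk) has to bail out on `EFI_INVALID_TABLE_ADDR` and sanity-check the table's recorded log size before mapping and copying the log. If that check does not live inside the routine, guard the call here in the same style as the memattr one: `if (efi.tpm_log != EFI_INVALID_TABLE_ADDR) efi_tpm_eventlog_init();`. Either way a short comment at the call site saying where the validation happens would help, since a malformed table would otherwise be trusted in early boot. efi_config_parse_tables starts and ends outside the hunk.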
> > @@ -29,8 +29,7 @@ OBJECT_FILES_NON_STANDARD := y > > # Prevents link failures: __sanitizer_cov_trace_pc() is not linked in. > > KCOV_INSTRUMENT:= n > > > > -lib-y := efi-stub-helper.o gop.o secureboot.o > > -lib-$(CONFIG_RESET_ATTACK_MITIGATION) += tpm.o > > +lib-y := efi-stub-helper.o gop.o secureboot.o tpm.o > > > > # include the stub's generic dependencies from lib/ when building for ARM/arm64 > > arm-deps := fdt_rw.c fdt_ro.c fdt_wip.c fdt.c fdt_empty_tree.c fdt_sw.c sort.c > > diff --git a/drivers/firmware/efi/libstub/tpm.c b/drivers/firmware/efi/libstub/tpm.
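Review bot: Moving tpm.o from `lib-$(CONFIG_RESET_ATTACK_MITIGATION)` to `lib-y` links the file into every EFI stub build, so the reset-attack-mitigation code it already contains is no longer excluded by Kconfig at the Makefile level; unless tpm.c wraps that code in `#ifdef CONFIG_RESET_ATTACK_MITIGATION` (the tpm.c hunk is cut off at the end of this message, so that cannot be confirmed here), the option silently stops having any effect. A one-line comment above the new rule, e.g. `# tpm.o is always built; CONFIG_RESET_ATTACK_MITIGATION is handled inside tpm.c`, would record the intent for the next person touching this Makefile.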
Re: [PATCH v3 4/5] efi: call get_event_log before ExitBootServices
Hi Thiebaud On Wed, Sep 20, 2017 at 10:13 AM, Thiebaud Weksteen wrote: > With TPM 2.0 specification, the event logs may only be accessible by > calling an EFI Boot Service. Modify the EFI stub to copy the log area to > a new Linux-specific EFI configuration table so it remains accessible > once booted. > > When calling this service, it is possible to specify the expected format > of the logs: TPM 1.2 (SHA1) or TPM 2.0 ("Crypto Agile"). For now, only the > first format is retrieved. > Do you have plans to add support for the crypto-agile format? I am working on uefi/ovmf support, and I am wondering if it is at all necessary to add support for the 1.2 format. What do you think? I can eventually try to work on 2.0 format support. Thanks > Signed-off-by: Thiebaud Weksteen > --- > arch/x86/boot/compressed/eboot.c | 1 + > drivers/firmware/efi/Makefile | 2 +- > drivers/firmware/efi/efi.c| 4 ++ > drivers/firmware/efi/libstub/Makefile | 3 +- > drivers/firmware/efi/libstub/tpm.c| 81 > +++ > drivers/firmware/efi/tpm.c| 40 + > include/linux/efi.h | 46 > 7 files changed, 174 insertions(+), 3 deletions(-) > create mode 100644 drivers/firmware/efi/tpm.c > > diff --git a/arch/x86/boot/compressed/eboot.c > b/arch/x86/boot/compressed/eboot.c > index a1686f3dc295..ef6abe8b3788 100644 > --- a/arch/x86/boot/compressed/eboot.c > +++ b/arch/x86/boot/compressed/eboot.c > @@ -999,6 +999,7 @@ struct boot_params *efi_main(struct efi_config *c, > > /* Ask the firmware to clear memory on unclean shutdown */ > efi_enable_reset_attack_mitigation(sys_table); > + efi_retrieve_tpm2_eventlog(sys_table); > > setup_graphics(boot_params); > > diff --git a/drivers/firmware/efi/Makefile b/drivers/firmware/efi/Makefile > index 0329d319d89a..2f074b5cde87 100644 > --- a/drivers/firmware/efi/Makefile > +++ b/drivers/firmware/efi/Makefile 
> @@ -10,7 +10,7 @@ > KASAN_SANITIZE_runtime-wrappers.o := n > > obj-$(CONFIG_ACPI_BGRT)+= efi-bgrt.o > -obj-$(CONFIG_EFI) += efi.o vars.o reboot.o memattr.o > +obj-$(CONFIG_EFI) += efi.o vars.o reboot.o memattr.o > tpm.o > obj-$(CONFIG_EFI) += capsule.o memmap.o > obj-$(CONFIG_EFI_VARS) += efivars.o > obj-$(CONFIG_EFI_ESRT) += esrt.o > diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c > index f97f272e16ee..0308acfaaf76 100644 > --- a/drivers/firmware/efi/efi.c > +++ b/drivers/firmware/efi/efi.c > @@ -52,6 +52,7 @@ struct efi __read_mostly efi = { > .properties_table = EFI_INVALID_TABLE_ADDR, > .mem_attr_table = EFI_INVALID_TABLE_ADDR, > .rng_seed = EFI_INVALID_TABLE_ADDR, > + .tpm_log= EFI_INVALID_TABLE_ADDR > }; > EXPORT_SYMBOL(efi); > > @@ -444,6 +445,7 @@ static __initdata efi_config_table_type_t common_tables[] > = { > {EFI_PROPERTIES_TABLE_GUID, "PROP", &efi.properties_table}, > {EFI_MEMORY_ATTRIBUTES_TABLE_GUID, "MEMATTR", &efi.mem_attr_table}, > {LINUX_EFI_RANDOM_SEED_TABLE_GUID, "RNG", &efi.rng_seed}, > + {LINUX_EFI_TPM_EVENT_LOG_GUID, "TPMEventLog", &efi.tpm_log}, > {NULL_GUID, NULL, NULL}, > }; > > @@ -532,6 +534,8 @@ int __init efi_config_parse_tables(void *config_tables, > int count, int sz, > if (efi_enabled(EFI_MEMMAP)) > efi_memattr_init(); > > + efi_tpm_eventlog_init(); > + > /* Parse the EFI Properties table if it exists */ > if (efi.properties_table != EFI_INVALID_TABLE_ADDR) { > efi_properties_table_t *tbl; > diff --git a/drivers/firmware/efi/libstub/Makefile > b/drivers/firmware/efi/libstub/Makefile > index dedf9bde44db..2abe6d22dc5f 100644 > --- a/drivers/firmware/efi/libstub/Makefile > +++ b/drivers/firmware/efi/libstub/Makefile 
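Review bot: The new initializer `.tpm_log= EFI_INVALID_TABLE_ADDR` drops the trailing comma that every preceding member of the `efi` initializer carries, and its spacing around `=` differs from the neighbouring lines (the latter may be an artefact of mail quoting); write it as `.tpm_log = EFI_INVALID_TABLE_ADDR,` so the next field added to the table does not have to modify this line. The `efi` struct initializer starts and ends outside the hunk.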
> @@ -29,8 +29,7 @@ OBJECT_FILES_NON_STANDARD := y > # Prevents link failures: __sanitizer_cov_trace_pc() is not linked in. > KCOV_INSTRUMENT:= n > > -lib-y := efi-stub-helper.o gop.o secureboot.o > -lib-$(CONFIG_RESET_ATTACK_MITIGATION) += tpm.o > +lib-y := efi-stub-helper.o gop.o secureboot.o tpm.o > > # include the stub's generic dependencies from lib/ when building for > ARM/arm64 > arm-deps := fdt_rw.c fdt_ro.c fdt_wip.c fdt.c fdt_empty_tree.c fdt_sw.c > sort.c > diff --git a/drivers/firmware/efi/libstub/tpm.c > b/drivers/firmware/efi/libstub/tpm.c > index 6224cdbc9669..da661bf8cb96 100644 > --- a/drivers/firmware/efi/libstub/tpm.c > +++ b/drivers/firmware/efi/libstub/tpm.c > @@ -4,15 +4,18 @@ > * Copyright (C) 2016 CoreOS, Inc > * Copyright (C) 2017 Google, Inc. > * Matthew Garrett > + * Thiebaud Weksteen > * > * This file is part of the Linux kernel, and is made availa
Re: [PATCH v3 4/5] efi: call get_event_log before ExitBootServices
On Tue, Oct 17, 2017 at 10:00:15AM +0200, Thiebaud Weksteen wrote: > This patch was mainly developed and tested on Kabylake with PTT as well. > > It could be a few things. Are you booting with the EFI stub? Is the > TPM enabled within the BIOS? Does tpm_tis get loaded? Does it produce > any log? Nope, and it should not get loaded anyway as I'm using PTT. With PTT you use tpm_crb. TPM is working just fine. > If the logs are recovered (but not parsed), you should already see an > entry in the logs like: > > efi: SMBIOS=0x7fed6000 ACPI=0x7ff0 TPMEventLog=0x. > > Can you see the TPMEventLog part? I can check this when I'm back in Finland. Still in Prague. Tried to test this with my work laptop (XPS13 with dTPM) now but the USB stick I have with seems to be broken :-( This is anyway almost guaranteed to go to 4.16 and I don't want to push this to 4.15 so there is no rush right now (already sent my PR). > The issue with extra logging is that the log recovery happens within > the EFI stub phase where limited logging is available (which I think > has been limited to error and fatal message only). > For now, it cannot be a version mismatch as the stub will only request > the version 1.2 format. Right, I see. /Jarkko -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v3 4/5] efi: call get_event_log before ExitBootServices
On Tue, Oct 17, 2017 at 10:00:15AM +0200, Thiebaud Weksteen wrote: > On Mon, Oct 16, 2017 at 1:49 PM, Jarkko Sakkinen > wrote: > > On Mon, Oct 16, 2017 at 02:28:33PM +0300, Jarkko Sakkinen wrote: > >> On Wed, Oct 11, 2017 at 02:52:54PM +0300, Jarkko Sakkinen wrote: > >> > On Wed, Oct 11, 2017 at 12:54:26PM +1100, James Morris wrote: > >> > > On Tue, 10 Oct 2017, Jarkko Sakkinen wrote: > >> > > > >> > > > The way I've agreed with James Morris to have my tree is to be > >> > > > rooted to > >> > > > security trees next branch. > >> > > > > >> > > > James, what actions should we take? > >> > > > >> > > This process has changed recently -- I posted to lsm but forgot to > >> > > post to > >> > > linux-integrity. > >> > > > >> > > http://kernsec.org/pipermail/linux-security-module-archive/2017-September/003356.html > >> > > > >> > > Summary: please track the next-general branch in my tree for your > >> > > development, it replaces 'next'. > >> > > > >> > > > >> > > - James > >> > > -- > >> > > James Morris > >> > > > >> > > >> > Ah I'm subscribed to that list but lately been busy getting a huge patch > >> > set to platform-driver-x86 [1] for review, which has prioritized out > >> > reading much else than linux-integrity. > >> > > >> > Thank you. I'll retry the patches tomorrow. > >> > > >> > /Jarkko > >> > >> Cannot observer binary_bios_measuremens file. > >> > >> What kind of hardware was used to develop/test this? > >> > >> I tried it with Kabylake and PTT (firmware TPM). > >> > >> /Jarkko > > > > My guess would be wrong event log format. > > > > At minimum this patch set should add a klog (info level) message to tell > > that unsupported event log format is being used. > > > > /Jarkko > > This patch was mainly developed and tested on Kabylake with PTT as well. > > It could be a few things. Are you booting with the EFI stub? Is the > TPM enabled within the BIOS? Does tpm_tis get loaded? Does it produce > any log? 
> If the logs are recovered (but not parsed), you should already see an > entry in the logs like: > > efi: SMBIOS=0x7fed6000 ACPI=0x7ff0 TPMEventLog=0x. > > Can you see the TPMEventLog part? > > The issue with extra logging is that the log recovery happens within > the EFI stub phase where limited logging is available (which I think > has been limited to error and fatal message only). > For now, it cannot be a version mismatch as the stub will only request > the version 1.2 format. Thank you for the great tips. I'll retry tomorrow. /Jarkko -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v3 4/5] efi: call get_event_log before ExitBootServices
On Mon, Oct 16, 2017 at 1:49 PM, Jarkko Sakkinen wrote: > On Mon, Oct 16, 2017 at 02:28:33PM +0300, Jarkko Sakkinen wrote: >> On Wed, Oct 11, 2017 at 02:52:54PM +0300, Jarkko Sakkinen wrote: >> > On Wed, Oct 11, 2017 at 12:54:26PM +1100, James Morris wrote: >> > > On Tue, 10 Oct 2017, Jarkko Sakkinen wrote: >> > > >> > > > The way I've agreed with James Morris to have my tree is to be rooted >> > > > to >> > > > security trees next branch. >> > > > >> > > > James, what actions should we take? >> > > >> > > This process has changed recently -- I posted to lsm but forgot to post >> > > to >> > > linux-integrity. >> > > >> > > http://kernsec.org/pipermail/linux-security-module-archive/2017-September/003356.html >> > > >> > > Summary: please track the next-general branch in my tree for your >> > > development, it replaces 'next'. >> > > >> > > >> > > - James >> > > -- >> > > James Morris >> > > >> > >> > Ah I'm subscribed to that list but lately been busy getting a huge patch >> > set to platform-driver-x86 [1] for review, which has prioritized out >> > reading much else than linux-integrity. >> > >> > Thank you. I'll retry the patches tomorrow. >> > >> > /Jarkko >> >> Cannot observer binary_bios_measuremens file. >> >> What kind of hardware was used to develop/test this? >> >> I tried it with Kabylake and PTT (firmware TPM). >> >> /Jarkko > > My guess would be wrong event log format. > > At minimum this patch set should add a klog (info level) message to tell > that unsupported event log format is being used. > > /Jarkko This patch was mainly developed and tested on Kabylake with PTT as well. It could be a few things. Are you booting with the EFI stub? Is the TPM enabled within the BIOS? Does tpm_tis get loaded? Does it produce any log? If the logs are recovered (but not parsed), you should already see an entry in the logs like: efi: SMBIOS=0x7fed6000 ACPI=0x7ff0 TPMEventLog=0x. Can you see the TPMEventLog part? 
The issue with extra logging is that the log recovery happens within the EFI stub phase where limited logging is available (which I think has been limited to error and fatal message only). For now, it cannot be a version mismatch as the stub will only request the version 1.2 format. -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v3 4/5] efi: call get_event_log before ExitBootServices
On Mon, Oct 16, 2017 at 02:28:33PM +0300, Jarkko Sakkinen wrote: > On Wed, Oct 11, 2017 at 02:52:54PM +0300, Jarkko Sakkinen wrote: > > On Wed, Oct 11, 2017 at 12:54:26PM +1100, James Morris wrote: > > > On Tue, 10 Oct 2017, Jarkko Sakkinen wrote: > > > > > > > The way I've agreed with James Morris to have my tree is to be rooted to > > > > security trees next branch. > > > > > > > > James, what actions should we take? > > > > > > This process has changed recently -- I posted to lsm but forgot to post > > > to > > > linux-integrity. > > > > > > http://kernsec.org/pipermail/linux-security-module-archive/2017-September/003356.html > > > > > > Summary: please track the next-general branch in my tree for your > > > development, it replaces 'next'. > > > > > > > > > - James > > > -- > > > James Morris > > > > > > > Ah I'm subscribed to that list but lately been busy getting a huge patch > > set to platform-driver-x86 [1] for review, which has prioritized out > > reading much else than linux-integrity. > > > > Thank you. I'll retry the patches tomorrow. > > > > /Jarkko > > Cannot observer binary_bios_measuremens file. > > What kind of hardware was used to develop/test this? > > I tried it with Kabylake and PTT (firmware TPM). > > /Jarkko My guess would be wrong event log format. At minimum this patch set should add a klog (info level) message to tell that unsupported event log format is being used. /Jarkko -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v3 4/5] efi: call get_event_log before ExitBootServices
On Fri, Oct 13, 2017 at 10:47:46PM +0300, Jarkko Sakkinen wrote: > On Thu, Oct 12, 2017 at 05:03:38PM +0200, Javier Martinez Canillas wrote: > > On Thu, Oct 12, 2017 at 1:38 PM, Jarkko Sakkinen > > wrote: > > > > [snip] > > > > > > > > Now all Thiebaud's patches have been applied to the master of > > > > > > git://git.infradead.org/users/jjs/linux-tpmdd.git > > > > > > Testing is still pending. > > > > > > > I provided my reviewed and tested by tags for the patches but I > > noticed that weren't picked. Probably my fault though since I answered > > to the cover letter instead of the individual patches. > > > > > /Jarkko > > > > Best regards, > > Javier > > I will add it. The master branch is bleeding edge where tags might be > sometimes (*not* usually) missing. The next branch is the one that goes > to linux-next. > > I'll check all tags from patchwork before moving any of these to next. > > /Jarkko Updated. /Jarkko -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v3 4/5] efi: call get_event_log before ExitBootServices
On Wed, Oct 11, 2017 at 02:52:54PM +0300, Jarkko Sakkinen wrote: > On Wed, Oct 11, 2017 at 12:54:26PM +1100, James Morris wrote: > > On Tue, 10 Oct 2017, Jarkko Sakkinen wrote: > > > > > The way I've agreed with James Morris to have my tree is to be rooted to > > > security trees next branch. > > > > > > James, what actions should we take? > > > > This process has changed recently -- I posted to lsm but forgot to post to > > linux-integrity. > > > > http://kernsec.org/pipermail/linux-security-module-archive/2017-September/003356.html > > > > Summary: please track the next-general branch in my tree for your > > development, it replaces 'next'. > > > > > > - James > > -- > > James Morris > > > > Ah I'm subscribed to that list but lately been busy getting a huge patch > set to platform-driver-x86 [1] for review, which has prioritized out > reading much else than linux-integrity. > > Thank you. I'll retry the patches tomorrow. > > /Jarkko I cannot observe the binary_bios_measurements file. What kind of hardware was used to develop/test this? I tried it with Kabylake and PTT (firmware TPM). /Jarkko -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v3 4/5] efi: call get_event_log before ExitBootServices
On Wed, Oct 11, 2017 at 02:53:18PM +0300, Jarkko Sakkinen wrote: > On Wed, Oct 11, 2017 at 02:52:54PM +0300, Jarkko Sakkinen wrote: > > On Wed, Oct 11, 2017 at 12:54:26PM +1100, James Morris wrote: > > > On Tue, 10 Oct 2017, Jarkko Sakkinen wrote: > > > > > > > The way I've agreed with James Morris to have my tree is to be rooted to > > > > security trees next branch. > > > > > > > > James, what actions should we take? > > > > > > This process has changed recently -- I posted to lsm but forgot to post > > > to > > > linux-integrity. > > > > > > http://kernsec.org/pipermail/linux-security-module-archive/2017-September/003356.html > > > > > > Summary: please track the next-general branch in my tree for your > > > development, it replaces 'next'. > > > > > > > > > - James > > > -- > > > James Morris > > > > > > > Ah I'm subscribed to that list but lately been busy getting a huge patch > > set to platform-driver-x86 [1] for review, which has prioritized out > > reading much else than linux-integrity. > > > > Thank you. I'll retry the patches tomorrow. > > > > /Jarkko > > [1] http://www.spinics.net/lists/platform-driver-x86/msg13260.html > > /Jarkko Now all Thiebaud's patches have been applied to the master of git://git.infradead.org/users/jjs/linux-tpmdd.git Testing is still pending. /Jarkko -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v3 4/5] efi: call get_event_log before ExitBootServices
On Wed, Oct 11, 2017 at 12:54:26PM +1100, James Morris wrote: > On Tue, 10 Oct 2017, Jarkko Sakkinen wrote: > > > The way I've agreed with James Morris to have my tree is to be rooted to > > security trees next branch. > > > > James, what actions should we take? > > This process has changed recently -- I posted to lsm but forgot to post to > linux-integrity. > > http://kernsec.org/pipermail/linux-security-module-archive/2017-September/003356.html > > Summary: please track the next-general branch in my tree for your > development, it replaces 'next'. > > > - James > -- > James Morris > Ah I'm subscribed to that list but lately been busy getting a huge patch set to platform-driver-x86 [1] for review, which has prioritized out reading much else than linux-integrity. Thank you. I'll retry the patches tomorrow. /Jarkko -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v3 4/5] efi: call get_event_log before ExitBootServices
On Wed, Oct 11, 2017 at 02:52:54PM +0300, Jarkko Sakkinen wrote: > On Wed, Oct 11, 2017 at 12:54:26PM +1100, James Morris wrote: > > On Tue, 10 Oct 2017, Jarkko Sakkinen wrote: > > > > > The way I've agreed with James Morris to have my tree is to be rooted to > > > security trees next branch. > > > > > > James, what actions should we take? > > > > This process has changed recently -- I posted to lsm but forgot to post to > > linux-integrity. > > > > http://kernsec.org/pipermail/linux-security-module-archive/2017-September/003356.html > > > > Summary: please track the next-general branch in my tree for your > > development, it replaces 'next'. > > > > > > - James > > -- > > James Morris > > > > Ah I'm subscribed to that list but lately been busy getting a huge patch > set to platform-driver-x86 [1] for review, which has prioritized out > reading much else than linux-integrity. > > Thank you. I'll retry the patches tomorrow. > > /Jarkko [1] http://www.spinics.net/lists/platform-driver-x86/msg13260.html /Jarkko -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v3 4/5] efi: call get_event_log before ExitBootServices
On Tue, 10 Oct 2017, Jarkko Sakkinen wrote: > The way I've agreed with James Morris to have my tree is to be rooted to > security trees next branch. > > James, what actions should we take? This process has changed recently -- I posted to lsm but forgot to post to linux-integrity. http://kernsec.org/pipermail/linux-security-module-archive/2017-September/003356.html Summary: please track the next-general branch in my tree for your development, it replaces 'next'. - James -- James Morris -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v3 4/5] efi: call get_event_log before ExitBootServices
On Wed, Oct 04, 2017 at 01:12:27PM +0200, Thiebaud Weksteen wrote: > On Wed, Oct 4, 2017 at 12:51 PM, Jarkko Sakkinen > wrote: > > On Fri, Sep 29, 2017 at 08:16:17PM +0300, Jarkko Sakkinen wrote: > >> On Tue, Sep 26, 2017 at 02:49:31PM +0200, Thiebaud Weksteen wrote: > >> > On Tue, Sep 26, 2017 at 1:45 PM, Jarkko Sakkinen > >> > wrote: > >> > > On Wed, Sep 20, 2017 at 10:13:39AM +0200, Thiebaud Weksteen wrote: > >> > >> With TPM 2.0 specification, the event logs may only be accessible by > >> > >> calling an EFI Boot Service. Modify the EFI stub to copy the log area > >> > >> to > >> > >> a new Linux-specific EFI configuration table so it remains accessible > >> > >> once booted. > >> > >> > >> > >> When calling this service, it is possible to specify the expected > >> > >> format > >> > >> of the logs: TPM 1.2 (SHA1) or TPM 2.0 ("Crypto Agile"). For now, > >> > >> only the > >> > >> first format is retrieved. > >> > >> > >> > >> Signed-off-by: Thiebaud Weksteen > >> > > > >> > > Does not apply: > >> > > > >> > > Applying: tpm: move tpm_eventlog.h outside of drivers folder > >> > > Applying: tpm: rename event log provider files > >> > > Applying: tpm: add event log format version > >> > > Applying: efi: call get_event_log before ExitBootServices > >> > > error: sha1 information is lacking or useless > >> > > (drivers/firmware/efi/efi.c). > >> > > error: could not build fake ancestor > >> > > Patch failed at 0004 efi: call get_event_log before ExitBootServices > >> > > The copy of the patch that failed is found in: .git/rebase-apply/patch > >> > > When you have resolved this problem, run "git am --continue". > >> > > If you prefer to skip this patch, run "git am --skip" instead. > >> > > To restore the original branch and stop patching, run "git am --abort". > >> > > > >> > > Just rebased my tree to the latest security-next. > >> > > >> > It applies fine on security/next-general which is more up-to-date. 
> >> > (security/next does not include > >> > ccc829ba3624beb9a703fc995d016b836d9eead8 on which this patch set is > >> > based) > >> > >> Thanks, my bad, I though that I had it updated. > >> > >> I'll update my tree and retry. > >> > >> /Jarkko > > > > My master is up to date with security/next. > > > > Still get the same result: > > > > $ git am -3 > > ~/Downloads/v3-4-5-efi-call-get_event_log-before-ExitBootServices.patch > > Applying: efi: call get_event_log before ExitBootServices > > error: sha1 information is lacking or useless (drivers/firmware/efi/efi.c). > > error: could not build fake ancestor > > Patch failed at 0001 efi: call get_event_log before ExitBootServices > > The copy of the patch that failed is found in: .git/rebase-apply/patch > > When you have resolved this problem, run "git am --continue". > > If you prefer to skip this patch, run "git am --skip" instead. > > To restore the original branch and stop patching, run "git am --abort". > > > > Maybe you have some other trees fetched in your local GIT so that it > > finds the ancestors? Anyway, cannot test this at this point. > > > > /Jarkko > > The security/next branch still does not contain the commit I mentioned > (ccc829ba3624beb9a703fc995d016b836d9eead8), which is already part of > torvalds/master now. > > $ git branch -a --contains ccc829ba3624beb9a703fc995d016b836d9eead8 > efi_tpm2_eventlog > master > remotes/linux-next/akpm > remotes/linux-next/akpm-base > remotes/linux-next/master > remotes/linux-next/stable > remotes/security/fixes-v4.14-rc3 > remotes/security/fixes-v4.14-rc4 > remotes/security/next-general > remotes/security/next-testing > remotes/torvalds/master > > Is there any reason why you are trying to merge on that specific > branch and not next-general or next-testing? Would you know the > purpose of all these next-* branches? > > Thanks, > Thiebaud The way I've agreed with James Morris to have my tree is to be rooted to security trees next branch. 
James, what actions should we take? /Jarkko -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v3 4/5] efi: call get_event_log before ExitBootServices
On Wed, Oct 04, 2017 at 01:51:13PM +0300, Jarkko Sakkinen wrote: > On Fri, Sep 29, 2017 at 08:16:17PM +0300, Jarkko Sakkinen wrote: > > On Tue, Sep 26, 2017 at 02:49:31PM +0200, Thiebaud Weksteen wrote: > > > On Tue, Sep 26, 2017 at 1:45 PM, Jarkko Sakkinen > > > wrote: > > > > On Wed, Sep 20, 2017 at 10:13:39AM +0200, Thiebaud Weksteen wrote: > > > >> With TPM 2.0 specification, the event logs may only be accessible by > > > >> calling an EFI Boot Service. Modify the EFI stub to copy the log area > > > >> to > > > >> a new Linux-specific EFI configuration table so it remains accessible > > > >> once booted. > > > >> > > > >> When calling this service, it is possible to specify the expected > > > >> format > > > >> of the logs: TPM 1.2 (SHA1) or TPM 2.0 ("Crypto Agile"). For now, only > > > >> the > > > >> first format is retrieved. > > > >> > > > >> Signed-off-by: Thiebaud Weksteen > > > > > > > > Does not apply: > > > > > > > > Applying: tpm: move tpm_eventlog.h outside of drivers folder > > > > Applying: tpm: rename event log provider files > > > > Applying: tpm: add event log format version > > > > Applying: efi: call get_event_log before ExitBootServices > > > > error: sha1 information is lacking or useless > > > > (drivers/firmware/efi/efi.c). > > > > error: could not build fake ancestor > > > > Patch failed at 0004 efi: call get_event_log before ExitBootServices > > > > The copy of the patch that failed is found in: .git/rebase-apply/patch > > > > When you have resolved this problem, run "git am --continue". > > > > If you prefer to skip this patch, run "git am --skip" instead. > > > > To restore the original branch and stop patching, run "git am --abort". > > > > > > > > Just rebased my tree to the latest security-next. > > > > > > It applies fine on security/next-general which is more up-to-date. 
> > > (security/next does not include > > > ccc829ba3624beb9a703fc995d016b836d9eead8 on which this patch set is > > > based) > > > > Thanks, my bad, I though that I had it updated. > > > > I'll update my tree and retry. > > > > /Jarkko > > My master is up to date with security/next. > > Still get the same result: > > $ git am -3 > ~/Downloads/v3-4-5-efi-call-get_event_log-before-ExitBootServices.patch > Applying: efi: call get_event_log before ExitBootServices > error: sha1 information is lacking or useless (drivers/firmware/efi/efi.c). > error: could not build fake ancestor > Patch failed at 0001 efi: call get_event_log before ExitBootServices > The copy of the patch that failed is found in: .git/rebase-apply/patch > When you have resolved this problem, run "git am --continue". > If you prefer to skip this patch, run "git am --skip" instead. > To restore the original branch and stop patching, run "git am --abort". > > Maybe you have some other trees fetched in your local GIT so that it > finds the ancestors? Anyway, cannot test this at this point. > > /Jarkko I pushed the first three patches to my master as they looked OK. You should still consider them unreviewed. /Jarkko -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v3 4/5] efi: call get_event_log before ExitBootServices
On Wed, Oct 4, 2017 at 12:51 PM, Jarkko Sakkinen wrote: > On Fri, Sep 29, 2017 at 08:16:17PM +0300, Jarkko Sakkinen wrote: >> On Tue, Sep 26, 2017 at 02:49:31PM +0200, Thiebaud Weksteen wrote: >> > On Tue, Sep 26, 2017 at 1:45 PM, Jarkko Sakkinen >> > wrote: >> > > On Wed, Sep 20, 2017 at 10:13:39AM +0200, Thiebaud Weksteen wrote: >> > >> With TPM 2.0 specification, the event logs may only be accessible by >> > >> calling an EFI Boot Service. Modify the EFI stub to copy the log area to >> > >> a new Linux-specific EFI configuration table so it remains accessible >> > >> once booted. >> > >> >> > >> When calling this service, it is possible to specify the expected format >> > >> of the logs: TPM 1.2 (SHA1) or TPM 2.0 ("Crypto Agile"). For now, only >> > >> the >> > >> first format is retrieved. >> > >> >> > >> Signed-off-by: Thiebaud Weksteen >> > > >> > > Does not apply: >> > > >> > > Applying: tpm: move tpm_eventlog.h outside of drivers folder >> > > Applying: tpm: rename event log provider files >> > > Applying: tpm: add event log format version >> > > Applying: efi: call get_event_log before ExitBootServices >> > > error: sha1 information is lacking or useless >> > > (drivers/firmware/efi/efi.c). >> > > error: could not build fake ancestor >> > > Patch failed at 0004 efi: call get_event_log before ExitBootServices >> > > The copy of the patch that failed is found in: .git/rebase-apply/patch >> > > When you have resolved this problem, run "git am --continue". >> > > If you prefer to skip this patch, run "git am --skip" instead. >> > > To restore the original branch and stop patching, run "git am --abort". >> > > >> > > Just rebased my tree to the latest security-next. >> > >> > It applies fine on security/next-general which is more up-to-date. >> > (security/next does not include >> > ccc829ba3624beb9a703fc995d016b836d9eead8 on which this patch set is >> > based) >> >> Thanks, my bad, I though that I had it updated. >> >> I'll update my tree and retry. 
>> >> /Jarkko > > My master is up to date with security/next. > > Still get the same result: > > $ git am -3 > ~/Downloads/v3-4-5-efi-call-get_event_log-before-ExitBootServices.patch > Applying: efi: call get_event_log before ExitBootServices > error: sha1 information is lacking or useless (drivers/firmware/efi/efi.c). > error: could not build fake ancestor > Patch failed at 0001 efi: call get_event_log before ExitBootServices > The copy of the patch that failed is found in: .git/rebase-apply/patch > When you have resolved this problem, run "git am --continue". > If you prefer to skip this patch, run "git am --skip" instead. > To restore the original branch and stop patching, run "git am --abort". > > Maybe you have some other trees fetched in your local GIT so that it > finds the ancestors? Anyway, cannot test this at this point. > > /Jarkko The security/next branch still does not contain the commit I mentioned (ccc829ba3624beb9a703fc995d016b836d9eead8), which is already part of torvalds/master now. $ git branch -a --contains ccc829ba3624beb9a703fc995d016b836d9eead8 efi_tpm2_eventlog master remotes/linux-next/akpm remotes/linux-next/akpm-base remotes/linux-next/master remotes/linux-next/stable remotes/security/fixes-v4.14-rc3 remotes/security/fixes-v4.14-rc4 remotes/security/next-general remotes/security/next-testing remotes/torvalds/master Is there any reason why you are trying to merge on that specific branch and not next-general or next-testing? Would you know the purpose of all these next-* branches? Thanks, Thiebaud -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v3 4/5] efi: call get_event_log before ExitBootServices
On Fri, Sep 29, 2017 at 08:16:17PM +0300, Jarkko Sakkinen wrote: > On Tue, Sep 26, 2017 at 02:49:31PM +0200, Thiebaud Weksteen wrote: > > On Tue, Sep 26, 2017 at 1:45 PM, Jarkko Sakkinen > > wrote: > > > On Wed, Sep 20, 2017 at 10:13:39AM +0200, Thiebaud Weksteen wrote: > > >> With TPM 2.0 specification, the event logs may only be accessible by > > >> calling an EFI Boot Service. Modify the EFI stub to copy the log area to > > >> a new Linux-specific EFI configuration table so it remains accessible > > >> once booted. > > >> > > >> When calling this service, it is possible to specify the expected format > > >> of the logs: TPM 1.2 (SHA1) or TPM 2.0 ("Crypto Agile"). For now, only > > >> the > > >> first format is retrieved. > > >> > > >> Signed-off-by: Thiebaud Weksteen > > > > > > Does not apply: > > > > > > Applying: tpm: move tpm_eventlog.h outside of drivers folder > > > Applying: tpm: rename event log provider files > > > Applying: tpm: add event log format version > > > Applying: efi: call get_event_log before ExitBootServices > > > error: sha1 information is lacking or useless > > > (drivers/firmware/efi/efi.c). > > > error: could not build fake ancestor > > > Patch failed at 0004 efi: call get_event_log before ExitBootServices > > > The copy of the patch that failed is found in: .git/rebase-apply/patch > > > When you have resolved this problem, run "git am --continue". > > > If you prefer to skip this patch, run "git am --skip" instead. > > > To restore the original branch and stop patching, run "git am --abort". > > > > > > Just rebased my tree to the latest security-next. > > > > It applies fine on security/next-general which is more up-to-date. > > (security/next does not include > > ccc829ba3624beb9a703fc995d016b836d9eead8 on which this patch set is > > based) > > Thanks, my bad, I though that I had it updated. > > I'll update my tree and retry. > > /Jarkko My master is up to date with security/next. 
Still get the same result: $ git am -3 ~/Downloads/v3-4-5-efi-call-get_event_log-before-ExitBootServices.patch Applying: efi: call get_event_log before ExitBootServices error: sha1 information is lacking or useless (drivers/firmware/efi/efi.c). error: could not build fake ancestor Patch failed at 0001 efi: call get_event_log before ExitBootServices The copy of the patch that failed is found in: .git/rebase-apply/patch When you have resolved this problem, run "git am --continue". If you prefer to skip this patch, run "git am --skip" instead. To restore the original branch and stop patching, run "git am --abort". Maybe you have some other trees fetched in your local GIT so that it finds the ancestors? Anyway, cannot test this at this point. /Jarkko -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v3 4/5] efi: call get_event_log before ExitBootServices
On Tue, Sep 26, 2017 at 02:49:31PM +0200, Thiebaud Weksteen wrote: > On Tue, Sep 26, 2017 at 1:45 PM, Jarkko Sakkinen > wrote: > > On Wed, Sep 20, 2017 at 10:13:39AM +0200, Thiebaud Weksteen wrote: > >> With TPM 2.0 specification, the event logs may only be accessible by > >> calling an EFI Boot Service. Modify the EFI stub to copy the log area to > >> a new Linux-specific EFI configuration table so it remains accessible > >> once booted. > >> > >> When calling this service, it is possible to specify the expected format > >> of the logs: TPM 1.2 (SHA1) or TPM 2.0 ("Crypto Agile"). For now, only the > >> first format is retrieved. > >> > >> Signed-off-by: Thiebaud Weksteen > > > > Does not apply: > > > > Applying: tpm: move tpm_eventlog.h outside of drivers folder > > Applying: tpm: rename event log provider files > > Applying: tpm: add event log format version > > Applying: efi: call get_event_log before ExitBootServices > > error: sha1 information is lacking or useless (drivers/firmware/efi/efi.c). > > error: could not build fake ancestor > > Patch failed at 0004 efi: call get_event_log before ExitBootServices > > The copy of the patch that failed is found in: .git/rebase-apply/patch > > When you have resolved this problem, run "git am --continue". > > If you prefer to skip this patch, run "git am --skip" instead. > > To restore the original branch and stop patching, run "git am --abort". > > > > Just rebased my tree to the latest security-next. > > It applies fine on security/next-general which is more up-to-date. > (security/next does not include > ccc829ba3624beb9a703fc995d016b836d9eead8 on which this patch set is > based) Thanks, my bad, I though that I had it updated. I'll update my tree and retry. /Jarkko -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v3 4/5] efi: call get_event_log before ExitBootServices
On Tue, Sep 26, 2017 at 1:45 PM, Jarkko Sakkinen wrote: > On Wed, Sep 20, 2017 at 10:13:39AM +0200, Thiebaud Weksteen wrote: >> With TPM 2.0 specification, the event logs may only be accessible by >> calling an EFI Boot Service. Modify the EFI stub to copy the log area to >> a new Linux-specific EFI configuration table so it remains accessible >> once booted. >> >> When calling this service, it is possible to specify the expected format >> of the logs: TPM 1.2 (SHA1) or TPM 2.0 ("Crypto Agile"). For now, only the >> first format is retrieved. >> >> Signed-off-by: Thiebaud Weksteen > > Does not apply: > > Applying: tpm: move tpm_eventlog.h outside of drivers folder > Applying: tpm: rename event log provider files > Applying: tpm: add event log format version > Applying: efi: call get_event_log before ExitBootServices > error: sha1 information is lacking or useless (drivers/firmware/efi/efi.c). > error: could not build fake ancestor > Patch failed at 0004 efi: call get_event_log before ExitBootServices > The copy of the patch that failed is found in: .git/rebase-apply/patch > When you have resolved this problem, run "git am --continue". > If you prefer to skip this patch, run "git am --skip" instead. > To restore the original branch and stop patching, run "git am --abort". > > Just rebased my tree to the latest security-next. It applies fine on security/next-general which is more up-to-date. (security/next does not include ccc829ba3624beb9a703fc995d016b836d9eead8 on which this patch set is based) > > /Jarkko -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v3 4/5] efi: call get_event_log before ExitBootServices
On Wed, Sep 20, 2017 at 10:13:39AM +0200, Thiebaud Weksteen wrote: > With TPM 2.0 specification, the event logs may only be accessible by > calling an EFI Boot Service. Modify the EFI stub to copy the log area to > a new Linux-specific EFI configuration table so it remains accessible > once booted. > > When calling this service, it is possible to specify the expected format > of the logs: TPM 1.2 (SHA1) or TPM 2.0 ("Crypto Agile"). For now, only the > first format is retrieved. > > Signed-off-by: Thiebaud Weksteen Does not apply: Applying: tpm: move tpm_eventlog.h outside of drivers folder Applying: tpm: rename event log provider files Applying: tpm: add event log format version Applying: efi: call get_event_log before ExitBootServices error: sha1 information is lacking or useless (drivers/firmware/efi/efi.c). error: could not build fake ancestor Patch failed at 0004 efi: call get_event_log before ExitBootServices The copy of the patch that failed is found in: .git/rebase-apply/patch When you have resolved this problem, run "git am --continue". If you prefer to skip this patch, run "git am --skip" instead. To restore the original branch and stop patching, run "git am --abort". Just rebased my tree to the latest security-next. /Jarkko -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH v3 4/5] efi: call get_event_log before ExitBootServices
With TPM 2.0 specification, the event logs may only be accessible by calling an EFI Boot Service. Modify the EFI stub to copy the log area to a new Linux-specific EFI configuration table so it remains accessible once booted.

When calling this service, it is possible to specify the expected format of the logs: TPM 1.2 (SHA1) or TPM 2.0 ("Crypto Agile"). For now, only the first format is retrieved.

Signed-off-by: Thiebaud Weksteen
---
arch/x86/boot/compressed/eboot.c | 1 +
drivers/firmware/efi/Makefile | 2 +-
drivers/firmware/efi/efi.c| 4 ++
drivers/firmware/efi/libstub/Makefile | 3 +-
drivers/firmware/efi/libstub/tpm.c| 81 +++
drivers/firmware/efi/tpm.c| 40 +
include/linux/efi.h | 46
7 files changed, 174 insertions(+), 3 deletions(-)
create mode 100644 drivers/firmware/efi/tpm.c

diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
index a1686f3dc295..ef6abe8b3788 100644
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -999,6 +999,7 @@ struct boot_params *efi_main(struct efi_config *c,

/* Ask the firmware to clear memory on unclean shutdown */
efi_enable_reset_attack_mitigation(sys_table);
+ efi_retrieve_tpm2_eventlog(sys_table);

setup_graphics(boot_params);

diff --git a/drivers/firmware/efi/Makefile b/drivers/firmware/efi/Makefile
index 0329d319d89a..2f074b5cde87 100644
--- a/drivers/firmware/efi/Makefile
+++ b/drivers/firmware/efi/Makefile
@@ -10,7 +10,7 @@
KASAN_SANITIZE_runtime-wrappers.o := n

obj-$(CONFIG_ACPI_BGRT)+= efi-bgrt.o
-obj-$(CONFIG_EFI) += efi.o vars.o reboot.o memattr.o
+obj-$(CONFIG_EFI) += efi.o vars.o reboot.o memattr.o tpm.o
obj-$(CONFIG_EFI) += capsule.o memmap.o
obj-$(CONFIG_EFI_VARS) += efivars.o
obj-$(CONFIG_EFI_ESRT) += esrt.o
diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
index f97f272e16ee..0308acfaaf76 100644
--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
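Review bot: The new `efi_retrieve_tpm2_eventlog(sys_table);` call in efi_main carries no comment explaining why it must sit here rather than anywhere later; the whole premise of the patch is that the log is only reachable through a boot service, so its position before ExitBootServices is a constraint, not an accident. A one-line comment above the call, `/* Copy the TPM event log now: it is only reachable via boot services, which are gone after ExitBootServices */`, would keep a future reorder from breaking it unnoticed. The result is also not examined, so if the helper can fail (no TCG2 protocol, allocation failure) the stub presumably continues without a log; that is a defensible best-effort choice but worth stating in the same comment. efi_main begins and ends outside this hunk.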
@@ -52,6 +52,7 @@ struct efi __read_mostly efi = {
.properties_table = EFI_INVALID_TABLE_ADDR,
.mem_attr_table = EFI_INVALID_TABLE_ADDR,
.rng_seed = EFI_INVALID_TABLE_ADDR,
+ .tpm_log= EFI_INVALID_TABLE_ADDR
};
EXPORT_SYMBOL(efi);

@@ -444,6 +445,7 @@ static __initdata efi_config_table_type_t common_tables[] = {
{EFI_PROPERTIES_TABLE_GUID, "PROP", &efi.properties_table},
{EFI_MEMORY_ATTRIBUTES_TABLE_GUID, "MEMATTR", &efi.mem_attr_table},
{LINUX_EFI_RANDOM_SEED_TABLE_GUID, "RNG", &efi.rng_seed},
+ {LINUX_EFI_TPM_EVENT_LOG_GUID, "TPMEventLog", &efi.tpm_log},
{NULL_GUID, NULL, NULL},
};

@@ -532,6 +534,8 @@ int __init efi_config_parse_tables(void *config_tables, int count, int sz,
if (efi_enabled(EFI_MEMMAP))
efi_memattr_init();

+ efi_tpm_eventlog_init();
+
/* Parse the EFI Properties table if it exists */
if (efi.properties_table != EFI_INVALID_TABLE_ADDR) {
efi_properties_table_t *tbl;
diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile
index dedf9bde44db..2abe6d22dc5f 100644
--- a/drivers/firmware/efi/libstub/Makefile
+++ b/drivers/firmware/efi/libstub/Makefile
@@ -29,8 +29,7 @@ OBJECT_FILES_NON_STANDARD := y
# Prevents link failures: __sanitizer_cov_trace_pc() is not linked in.
KCOV_INSTRUMENT:= n

-lib-y := efi-stub-helper.o gop.o secureboot.o
-lib-$(CONFIG_RESET_ATTACK_MITIGATION) += tpm.o
+lib-y := efi-stub-helper.o gop.o secureboot.o tpm.o

# include the stub's generic dependencies from lib/ when building for ARM/arm64
arm-deps := fdt_rw.c fdt_ro.c fdt_wip.c fdt.c fdt_empty_tree.c fdt_sw.c sort.c
diff --git a/drivers/firmware/efi/libstub/tpm.c b/drivers/firmware/efi/libstub/tpm.c
index 6224cdbc9669..da661bf8cb96 100644
--- a/drivers/firmware/efi/libstub/tpm.c
+++ b/drivers/firmware/efi/libstub/tpm.c
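Review bot: `efi_tpm_eventlog_init();` in the third efi.c hunk is called unconditionally from efi_config_parse_tables and its outcome is discarded, whereas the neighbouring `efi_memattr_init()` is at least gated on `efi_enabled(EFI_MEMMAP)`. If the helper reports failure (its definition is not in this chunk, so this is inferred), the caller should either check it or the function should be documented as best-effort, since "no table" is the normal case on machines without a TPM and the `.tpm_log = EFI_INVALID_TABLE_ADDR` default in the first hunk already covers it. The table address it consumes arrives from the boot stub through a configuration table, so whatever size field the table carries has to be validated before the log is mapped; a comment at this call site, `/* Pick up the TPM event log table published by the EFI stub, if present */`, would tell the reader where to look for that. efi_config_parse_tables starts and ends outside this hunk.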
@@ -4,15 +4,18 @@
* Copyright (C) 2016 CoreOS, Inc
* Copyright (C) 2017 Google, Inc.
* Matthew Garrett
+ * Thiebaud Weksteen
*
* This file is part of the Linux kernel, and is made available under the
* terms of the GNU General Public License version 2.
*/

#include
+#include
#include
#include "efistub.h"

+#ifdef CONFIG_RESET_ATTACK_MITIGATION
static const efi_char16_t efi_MemoryOverWriteRequest_name[] = {
'M', 'e', 'm', 'o', 'r', 'y', 'O', 'v', 'e', 'r', 'w', 'r', 'i', 't',
'e', 'R', 'e', 'q', 'u', 'e', 's', 't', 'C', 'o', 'n', 't', 'r', 'o',
@@ -56,3 +59,81 @@ void efi_enable_reset_attack_mitigation(efi_system_table_t *sys_table_arg)
EFI_VARIABLE_BOOTSERVICE_
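Review bot: The added `#ifdef CONFIG_RESET_ATTACK_MITIGATION` after the includes opens a conditional whose closing `#endif` is not in this hunk, and nothing records why the guard moved from the libstub Makefile (where `lib-$(CONFIG_RESET_ATTACK_MITIGATION) += tpm.o` is dropped) into the source. A comment on the directive, `/* tpm.o is always built now for the event log; only the MOR reset attack mitigation stays optional */`, plus `#endif /* CONFIG_RESET_ATTACK_MITIGATION */` on the closing line, would make that coupling visible to the next person touching either file. The second hunk of this file, starting at efi_enable_reset_attack_mitigation(), runs past the end of the visible chunk, so the placement of that #endif and the new efi_retrieve_tpm2_eventlog() body cannot be reviewed here.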