Re: [PATCH v2] efi_loader: tcg2: Return success even when TPM device is not found
On Mon, 29 Nov 2021 at 18:50, Ilias Apalodimas
wrote:
>
> Heinrich,
>
> On Mon, 29 Nov 2021 at 18:41, Heinrich Schuchardt wrote:
> >
> > On 11/29/21 15:55, Ilias Apalodimas wrote:
> > > On Mon, 29 Nov 2021 at 16:26, Michal Simek
> > > wrote:
> > >>
> > >> For systems which have TPM support enabled but actual device is missing
> > >> there is no reason to show a message that measurement failed in
> > >> efi_load_pe(). To ensure that the patch is returning EFI_SUCCESS even for
> > >> cases where TPM device is not found.
> > >> The reason is that other parts of the code return also EFI_NOT_FOUND in
> > >> tcg2_measure_pe_image() (e.g efi_search_protocol) that's why this error
> > >> code can't be checked but still it needs to be reported.
> > >>
> > >> The same logic is also used in efi_tcg2_get_eventlog() added by
> > >> commit c8d0fd582576 ("efi_loader: Introduce eventlog support for
> > >> TCG2_PROTOCOL").
> > >>
> > >> Signed-off-by: Michal Simek
> > >> ---
> > >>
> > >> Changes in v2:
> > >> - Change subject and description
> > >> - Change logic in different location
> > >> - Origin thread was
> > >> https://lore.kernel.org/r/657a869c04e9b09e3bd2e6fd74ff94320b7fbe9b.1638191161.git.michal.si...@xilinx.com
> > >>
> > >> lib/efi_loader/efi_tcg2.c | 3 ++-
> > >> 1 file changed, 2 insertions(+), 1 deletion(-)
> > >>
> > >> diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
> > >> index 8c1f22e3377b..db785f4d8c27 100644
> > >> --- a/lib/efi_loader/efi_tcg2.c
> > >> +++ b/lib/efi_loader/efi_tcg2.c
> > >> @@ -888,7 +888,8 @@ efi_status_t tcg2_measure_pe_image(void *efi, u64
> > >> efi_size,
> > >>
> > >> ret = platform_get_tpm2_device();
> > >> if (ret != EFI_SUCCESS)
> > >> - return ret;
> > >> + /* don't fail when TPM is not found */
> > >> + return EFI_SUCCESS;
> > >>
> > >> switch (handle->image_type) {
> > >> case IMAGE_SUBSYSTEM_EFI_APPLICATION:
> > >> --
> > >> 2.33.1
> > >>
> > >
> > > Reviewed-by: Ilias Apalodimas
> > >
> >
> > This patch means:
> >
> > You can run some command that initializes the TCG2 protocol (e.g.
> > debug_hd), then unbind the TPM, run a first EFI binary which diverts EFI
> > API addresses, bind the TPM again and run the normal binary and nobody
> > will see the first binary in boot measurement.
>
> Why? What you describe is an issue with, or without this patch. The
> code never stops if tcg2_measure_pe_image() fails. The only thing
> this patch does is silence a print if a TPM device is not found.
>
But tbh we can sort out Heinrich's concern while not printing that
error message. I'll come up with a patch shortly.
Cheers
/Ilias
> Regards
> /Ilias
>
> >
> > Best regards
> >
> > Heinrich
Re: [PATCH v2] efi_loader: tcg2: Return success even when TPM device is not found
Heinrich,
On Mon, 29 Nov 2021 at 18:41, Heinrich Schuchardt wrote:
>
> On 11/29/21 15:55, Ilias Apalodimas wrote:
> > On Mon, 29 Nov 2021 at 16:26, Michal Simek wrote:
> >>
> >> For systems which have TPM support enabled but actual device is missing
> >> there is no reason to show a message that measurement failed in
> >> efi_load_pe(). To ensure that the patch is returning EFI_SUCCESS even for
> >> cases where TPM device is not found.
> >> The reason is that other parts of the code return also EFI_NOT_FOUND in
> >> tcg2_measure_pe_image() (e.g efi_search_protocol) that's why this error
> >> code can't be checked but still it needs to be reported.
> >>
> >> The same logic is also used in efi_tcg2_get_eventlog() added by
> >> commit c8d0fd582576 ("efi_loader: Introduce eventlog support for
> >> TCG2_PROTOCOL").
> >>
> >> Signed-off-by: Michal Simek
> >> ---
> >>
> >> Changes in v2:
> >> - Change subject and description
> >> - Change logic in different location
> >> - Origin thread was
> >> https://lore.kernel.org/r/657a869c04e9b09e3bd2e6fd74ff94320b7fbe9b.1638191161.git.michal.si...@xilinx.com
> >>
> >> lib/efi_loader/efi_tcg2.c | 3 ++-
> >> 1 file changed, 2 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
> >> index 8c1f22e3377b..db785f4d8c27 100644
> >> --- a/lib/efi_loader/efi_tcg2.c
> >> +++ b/lib/efi_loader/efi_tcg2.c
> >> @@ -888,7 +888,8 @@ efi_status_t tcg2_measure_pe_image(void *efi, u64
> >> efi_size,
> >>
> >> ret = platform_get_tpm2_device();
> >> if (ret != EFI_SUCCESS)
> >> - return ret;
> >> + /* don't fail when TPM is not found */
> >> + return EFI_SUCCESS;
> >>
> >> switch (handle->image_type) {
> >> case IMAGE_SUBSYSTEM_EFI_APPLICATION:
> >> --
> >> 2.33.1
> >>
> >
> > Reviewed-by: Ilias Apalodimas
> >
>
> This patch means:
>
> You can run some command that initializes the TCG2 protocol (e.g.
> debug_hd), then unbind the TPM, run a first EFI binary which diverts EFI
> API addresses, bind the TPM again and run the normal binary and nobody
> will see the first binary in boot measurement.
Why? What you describe is an issue with, or without this patch. The
code never stops if tcg2_measure_pe_image() fails. The only thing
this patch does is silence a print if a TPM device is not found.
Regards
/Ilias
>
> Best regards
>
> Heinrich
Re: [PATCH v2] efi_loader: tcg2: Return success even when TPM device is not found
On 11/29/21 15:55, Ilias Apalodimas wrote:
On Mon, 29 Nov 2021 at 16:26, Michal Simek wrote:
For systems which have TPM support enabled but actual device is missing
there is no reason to show a message that measurement failed in
efi_load_pe(). To ensure that the patch is returning EFI_SUCCESS even for
cases where TPM device is not found.
The reason is that other parts of the code return also EFI_NOT_FOUND in
tcg2_measure_pe_image() (e.g efi_search_protocol) that's why this error
code can't be checked but still it needs to be reported.
The same logic is also used in efi_tcg2_get_eventlog() added by
commit c8d0fd582576 ("efi_loader: Introduce eventlog support for
TCG2_PROTOCOL").
Signed-off-by: Michal Simek
---
Changes in v2:
- Change subject and description
- Change logic in different location
- Origin thread was
https://lore.kernel.org/r/657a869c04e9b09e3bd2e6fd74ff94320b7fbe9b.1638191161.git.michal.si...@xilinx.com
lib/efi_loader/efi_tcg2.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
index 8c1f22e3377b..db785f4d8c27 100644
--- a/lib/efi_loader/efi_tcg2.c
+++ b/lib/efi_loader/efi_tcg2.c
@@ -888,7 +888,8 @@ efi_status_t tcg2_measure_pe_image(void *efi, u64 efi_size,
ret = platform_get_tpm2_device();
if (ret != EFI_SUCCESS)
- return ret;
+ /* don't fail when TPM is not found */
+ return EFI_SUCCESS;
switch (handle->image_type) {
case IMAGE_SUBSYSTEM_EFI_APPLICATION:
--
2.33.1
Reviewed-by: Ilias Apalodimas
This patch means:
You can run some command that initializes the TCG2 protocol (e.g.
debug_hd), then unbind the TPM, run a first EFI binary which diverts EFI
API addresses, bind the TPM again and run the normal binary and nobody
will see the first binary in boot measurement.
Best regards
Heinrich
Re: [PATCH v2] efi_loader: tcg2: Return success even when TPM device is not found
On Mon, 29 Nov 2021 at 16:26, Michal Simek wrote:
>
> For systems which have TPM support enabled but actual device is missing
> there is no reason to show a message that measurement failed in
> efi_load_pe(). To ensure that the patch is returning EFI_SUCCESS even for
> cases where TPM device is not found.
> The reason is that other parts of the code return also EFI_NOT_FOUND in
> tcg2_measure_pe_image() (e.g efi_search_protocol) that's why this error
> code can't be checked but still it needs to be reported.
>
> The same logic is also used in efi_tcg2_get_eventlog() added by
> commit c8d0fd582576 ("efi_loader: Introduce eventlog support for
> TCG2_PROTOCOL").
>
> Signed-off-by: Michal Simek
> ---
>
> Changes in v2:
> - Change subject and description
> - Change logic in different location
> - Origin thread was
> https://lore.kernel.org/r/657a869c04e9b09e3bd2e6fd74ff94320b7fbe9b.1638191161.git.michal.si...@xilinx.com
>
> lib/efi_loader/efi_tcg2.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
> index 8c1f22e3377b..db785f4d8c27 100644
> --- a/lib/efi_loader/efi_tcg2.c
> +++ b/lib/efi_loader/efi_tcg2.c
> @@ -888,7 +888,8 @@ efi_status_t tcg2_measure_pe_image(void *efi, u64
> efi_size,
>
> ret = platform_get_tpm2_device();
> if (ret != EFI_SUCCESS)
> - return ret;
> + /* don't fail when TPM is not found */
> + return EFI_SUCCESS;
>
> switch (handle->image_type) {
> case IMAGE_SUBSYSTEM_EFI_APPLICATION:
> --
> 2.33.1
>
Reviewed-by: Ilias Apalodimas
[PATCH v2] efi_loader: tcg2: Return success even when TPM device is not found
For systems which have TPM support enabled but actual device is missing
there is no reason to show a message that measurement failed in
efi_load_pe(). To ensure that the patch is returning EFI_SUCCESS even for
cases where TPM device is not found.
The reason is that other parts of the code return also EFI_NOT_FOUND in
tcg2_measure_pe_image() (e.g efi_search_protocol) that's why this error
code can't be checked but still it needs to be reported.
The same logic is also used in efi_tcg2_get_eventlog() added by
commit c8d0fd582576 ("efi_loader: Introduce eventlog support for
TCG2_PROTOCOL").
Signed-off-by: Michal Simek
---
Changes in v2:
- Change subject and description
- Change logic in different location
- Origin thread was
https://lore.kernel.org/r/657a869c04e9b09e3bd2e6fd74ff94320b7fbe9b.1638191161.git.michal.si...@xilinx.com
lib/efi_loader/efi_tcg2.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
index 8c1f22e3377b..db785f4d8c27 100644
--- a/lib/efi_loader/efi_tcg2.c
+++ b/lib/efi_loader/efi_tcg2.c
@@ -888,7 +888,8 @@ efi_status_t tcg2_measure_pe_image(void *efi, u64 efi_size,
ret = platform_get_tpm2_device();
if (ret != EFI_SUCCESS)
- return ret;
+ /* don't fail when TPM is not found */
+ return EFI_SUCCESS;
switch (handle->image_type) {
case IMAGE_SUBSYSTEM_EFI_APPLICATION:
--
2.33.1
