When the TCG2 protocol is installed in efi_tcg2_register(),
TPM2 device must be present.
tcg2_measure_pe_image() expects that TCP2 protocol is installed
and TPM device is available. If TCG2 Protocol is installed but
TPM device is not found, tcg2_measure_pe_image() returns
EFI_SECURITY_VIOLATION efi_load_image() ends with failure.
Signed-off-by: Masahisa Kojima <masahisa.koj...@linaro.org>
---
lib/efi_loader/efi_image_loader.c | 11 +++++++++--
lib/efi_loader/efi_tcg2.c | 2 +-
2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/lib/efi_loader/efi_image_loader.c
b/lib/efi_loader/efi_image_loader.c
index eb95580538..426f096574 100644
--- a/lib/efi_loader/efi_image_loader.c
+++ b/lib/efi_loader/efi_image_loader.c
@@ -934,9 +934,16 @@ efi_status_t efi_load_pe(struct efi_loaded_image_obj
*handle,
#if CONFIG_IS_ENABLED(EFI_TCG2_PROTOCOL)
/* Measure an PE/COFF image */
- if (tcg2_measure_pe_image(efi, efi_size, handle,
- loaded_image_info))
+ ret = tcg2_measure_pe_image(efi, efi_size, handle, loaded_image_info);
+ if (ret == EFI_SECURITY_VIOLATION) {
+ /*
+ * TCG2 Protocol is installed but no TPM device found,
+ * this is not expected.
+ */
log_err("PE image measurement failed\n");
+ goto err;
+ }
+
#endif
/* Copy PE headers */
diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
index 2b7b7cbbae..c19f73dc10 100644
--- a/lib/efi_loader/efi_tcg2.c
+++ b/lib/efi_loader/efi_tcg2.c
@@ -977,7 +977,7 @@ efi_status_t tcg2_measure_pe_image(void *efi, u64 efi_size,
ret = platform_get_tpm2_device(&dev);
if (ret != EFI_SUCCESS)
- return ret;
+ return EFI_SECURITY_VIOLATION;
switch (handle->image_type) {
case IMAGE_SUBSYSTEM_EFI_APPLICATION:
--
2.17.1
