On Mon, Jun 03, 2024 at 11:36:25PM +0200, Hector Cao wrote:
> The measurements for confidential computing have been introduced in the commit
> 4c76565b6 (efi/tpm: Add EFI_CC_MEASUREMENT_PROTOCOL support). Recently
> this patch 30708dfe3 (tpm: Disable the tpm verifier if the TPM device
> is not present) has been introduced to optimize the memory usage when
> TPM device is not available on the platform. This patch will prevent the
> tpm module from being loaded on confidential computing platform (for example
> Intel TDX) where no TPM device is available.
>
> In this patch, we propose to load the tpm module for this use case
> by generalizing the tpm feature detection in order to cover CC platforms.
> Basically, we do it by detecting the availability of the EFI protocol
> EFI_CC_MEASUREMENT_PROTOCOL.
>
> Fixes bug : https://savannah.gnu.org/bugs/?65821
>
> Signed-off-by: Hector Cao <hector....@canonical.com>

Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com> but a nit below... > --- > grub-core/commands/efi/tpm.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/grub-core/commands/efi/tpm.c b/grub-core/commands/efi/tpm.c > index f250c30db..40845af7a 100644 > --- a/grub-core/commands/efi/tpm.c > +++ b/grub-core/commands/efi/tpm.c > @@ -292,6 +292,13 @@ grub_tpm_present (void) > { > grub_efi_handle_t tpm_handle; > grub_efi_uint8_t protocol_version; > + grub_efi_cc_protocol_t *cc; > + > + /* if confidential computing measurement protocol is enabled > + we consider TPM is present */ This is still not in line with the GRUB coding style. Though I will fix it for you this time. > + cc = grub_efi_locate_protocol (&cc_measurement_guid, NULL); > + if (cc != NULL) > + return 1; > > if (!grub_tpm_handle_find (&tpm_handle, &protocol_version)) > return 0; Daniel
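
Review bot: The early `return 1` added at the top of grub_tpm_present() fires as soon as grub_efi_locate_protocol() returns a non-NULL pointer for cc_measurement_guid, before grub_tpm_handle_find() runs, so the function now reports "present" on a platform that has no TPM handle at all. Any caller that reads the result as "a TPM device exists" no longer gets that guarantee. A comment at the head of the function stating that it returns 1 when either a TPM or the CC measurement protocol is available would make the widened contract explicit. The check also only tests that the protocol can be located, not that it is usable, which is worth noting in the same comment. The new in-body comment should be written as a complete sentence, starting with a capital letter and ending with a full stop.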