On 7/8/25 4:31 AM, Gary Lin wrote:
This commit implements grub_tcg2_cap_pcr() for ieee1275 with the
firmware function, 2hash-ext-log, to extend the target PCR with a
SEPARATOR event and record the event into the TPM event log.
To avoid duplicate code, ibmvtpm_2hash_ext_log() is moved to tcg2.c
and exported as a global function.
Signed-off-by: Gary Lin <g...@suse.com>
---
grub-core/commands/ieee1275/ibmvtpm.c | 52 ++-------------------
grub-core/lib/ieee1275/tcg2.c | 66 +++++++++++++++++++++++++++
include/grub/ieee1275/tpm.h | 5 ++
3 files changed, 74 insertions(+), 49 deletions(-)
diff --git a/grub-core/commands/ieee1275/ibmvtpm.c
b/grub-core/commands/ieee1275/ibmvtpm.c
index 4958b04a9..d0ddc06b0 100644
--- a/grub-core/commands/ieee1275/ibmvtpm.c
+++ b/grub-core/commands/ieee1275/ibmvtpm.c
@@ -27,52 +27,6 @@
#include <grub/mm.h>
#include <grub/misc.h>
-static int
-ibmvtpm_2hash_ext_log (grub_uint8_t pcrindex,
- grub_uint32_t eventtype,
- const char *description,
- grub_size_t description_size,
- void *buf, grub_size_t size)
-{
- struct tpm_2hash_ext_log
- {
- struct grub_ieee1275_common_hdr common;
- grub_ieee1275_cell_t method;
- grub_ieee1275_cell_t ihandle;
- grub_ieee1275_cell_t size;
- grub_ieee1275_cell_t buf;
- grub_ieee1275_cell_t description_size;
- grub_ieee1275_cell_t description;
- grub_ieee1275_cell_t eventtype;
- grub_ieee1275_cell_t pcrindex;
- grub_ieee1275_cell_t catch_result;
- grub_ieee1275_cell_t rc;
- };
- struct tpm_2hash_ext_log args;
-
- INIT_IEEE1275_COMMON (&args.common, "call-method", 8, 2);
- args.method = (grub_ieee1275_cell_t) "2hash-ext-log";
- args.ihandle = grub_ieee1275_tpm_ihandle;
- args.pcrindex = pcrindex;
- args.eventtype = eventtype;
- args.description = (grub_ieee1275_cell_t) description;
- args.description_size = description_size;
- args.buf = (grub_ieee1275_cell_t) buf;
- args.size = (grub_ieee1275_cell_t) size;
-
- if (IEEE1275_CALL_ENTRY_FN (&args) == -1)
- return -1;
-
- /*
- * catch_result is set if firmware does not support 2hash-ext-log
- * rc is GRUB_IEEE1275_CELL_FALSE (0) on failure
- */
- if ((args.catch_result) || args.rc == GRUB_IEEE1275_CELL_FALSE)
- return -1;
-
- return 0;
-}
-
static grub_err_t
tpm2_log_event (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
const char *description)
@@ -80,9 +34,9 @@ tpm2_log_event (unsigned char *buf, grub_size_t size,
grub_uint8_t pcr,
static int error_displayed = 0;
int rc;
- rc = ibmvtpm_2hash_ext_log (pcr, EV_IPL,
- description, grub_strlen(description) + 1,
- buf, size);
+ rc = grub_ieee1275_ibmvtpm_2hash_ext_log (pcr, EV_IPL,
+ description,
grub_strlen(description) + 1,
+ buf, size);
if (rc && !error_displayed)
{
error_displayed++;
diff --git a/grub-core/lib/ieee1275/tcg2.c b/grub-core/lib/ieee1275/tcg2.c
index 40161c2f9..945a3469b 100644
--- a/grub-core/lib/ieee1275/tcg2.c
+++ b/grub-core/lib/ieee1275/tcg2.c
@@ -56,6 +56,52 @@ grub_ieee1275_tpm_init (void)
return GRUB_ERR_NONE;
}
+int
+grub_ieee1275_ibmvtpm_2hash_ext_log (grub_uint8_t pcrindex,
+ grub_uint32_t eventtype,
+ const char *description,
+ grub_size_t description_size,
+ void *buf, grub_size_t size)
+{
+ struct tpm_2hash_ext_log
+ {
+ struct grub_ieee1275_common_hdr common;
+ grub_ieee1275_cell_t method;
+ grub_ieee1275_cell_t ihandle;
+ grub_ieee1275_cell_t size;
+ grub_ieee1275_cell_t buf;
+ grub_ieee1275_cell_t description_size;
+ grub_ieee1275_cell_t description;
+ grub_ieee1275_cell_t eventtype;
+ grub_ieee1275_cell_t pcrindex;
+ grub_ieee1275_cell_t catch_result;
+ grub_ieee1275_cell_t rc;
+ };
+ struct tpm_2hash_ext_log args;
+
+ INIT_IEEE1275_COMMON (&args.common, "call-method", 8, 2);
+ args.method = (grub_ieee1275_cell_t) "2hash-ext-log";
+ args.ihandle = grub_ieee1275_tpm_ihandle;
+ args.pcrindex = pcrindex;
+ args.eventtype = eventtype;
+ args.description = (grub_ieee1275_cell_t) description;
+ args.description_size = description_size;
+ args.buf = (grub_ieee1275_cell_t) buf;
+ args.size = (grub_ieee1275_cell_t) size;
+
+ if (IEEE1275_CALL_ENTRY_FN (&args) == -1)
+ return -1;
+
+ /*
+ * catch_result is set if firmware does not support 2hash-ext-log
+ * rc is GRUB_IEEE1275_CELL_FALSE (0) on failure
+ */
+ if ((args.catch_result) || args.rc == GRUB_IEEE1275_CELL_FALSE)
+ return -1;
Now there are two callers of this function that each would create an
error hinting at the firmware being too old if the firmware call fails.
It's probably worth putting the grub_error call into this function here
to avoid replication.
The rest looks good.
+
+ return 0;
+}
+
grub_err_t
grub_tcg2_get_max_output_size (grub_size_t *size)
{
@@ -155,3 +201,23 @@ grub_tcg2_submit_command (grub_size_t input_size,
return GRUB_ERR_NONE;
}
+
+grub_err_t
+grub_tcg2_cap_pcr (grub_uint8_t pcr)
+{
+ grub_uint8_t separator[4] = {0};
+ static int error_displayed = 0;
+ int rc;
+
+ rc = grub_ieee1275_ibmvtpm_2hash_ext_log (pcr, EV_SEPARATOR,
+ separator, sizeof(separator),
+ separator, sizeof(separator));
+ if (rc && !error_displayed)
+ {
+ error_displayed++;
+ return grub_error (GRUB_ERR_BAD_DEVICE,
+ "2HASH-EXT-LOG failed: Firmware is likely too old.\n");
+ }
+
+ return GRUB_ERR_NONE;
+}
diff --git a/include/grub/ieee1275/tpm.h b/include/grub/ieee1275/tpm.h
index fe5cb4713..01065071b 100644
--- a/include/grub/ieee1275/tpm.h
+++ b/include/grub/ieee1275/tpm.h
@@ -27,4 +27,9 @@ extern grub_ieee1275_ihandle_t grub_ieee1275_tpm_ihandle;
extern grub_err_t grub_ieee1275_tpm_init (void);
+extern int grub_ieee1275_ibmvtpm_2hash_ext_log (grub_uint8_t pcrindex,
+ grub_uint32_t eventtype,
+ const char *description,
+ grub_size_t description_size,
+ void *buf, grub_size_t size);
#endif
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
