Re: [PATCH 4/7] tss2: Implement grub_tcg2_cap_pcr() for ieee1275

Tue, 08 Jul 2025 19:09:03 -0700 

On Tue, Jul 08, 2025 at 11:52:48AM -0400, Stefan Berger wrote:
> 
> 
> On 7/8/25 4:31 AM, Gary Lin wrote:
> > This commit implements grub_tcg2_cap_pcr() for ieee1275 with the
> > firmware function, 2hash-ext-log, to extend the target PCR with a
> > SEPARATOR event and record the event into the TPM event log.
> > 
> > To avoid duplicate code, ibmvtpm_2hash_ext_log() is moved to tcg2.c
> > and exported as a global function.
> > 
> > Signed-off-by: Gary Lin <g...@suse.com>
> > ---
> >   grub-core/commands/ieee1275/ibmvtpm.c | 52 ++-------------------
> >   grub-core/lib/ieee1275/tcg2.c         | 66 +++++++++++++++++++++++++++
> >   include/grub/ieee1275/tpm.h           |  5 ++
> >   3 files changed, 74 insertions(+), 49 deletions(-)
> > 
> > diff --git a/grub-core/commands/ieee1275/ibmvtpm.c 
> > b/grub-core/commands/ieee1275/ibmvtpm.c
> > index 4958b04a9..d0ddc06b0 100644
> > --- a/grub-core/commands/ieee1275/ibmvtpm.c
> > +++ b/grub-core/commands/ieee1275/ibmvtpm.c
> > @@ -27,52 +27,6 @@
> >   #include <grub/mm.h>
> >   #include <grub/misc.h>
> > -static int
> > -ibmvtpm_2hash_ext_log (grub_uint8_t pcrindex,
> > -                  grub_uint32_t eventtype,
> > -                  const char *description,
> > -                  grub_size_t description_size,
> > -                  void *buf, grub_size_t size)
> > -{
> > -  struct tpm_2hash_ext_log
> > -  {
> > -    struct grub_ieee1275_common_hdr common;
> > -    grub_ieee1275_cell_t method;
> > -    grub_ieee1275_cell_t ihandle;
> > -    grub_ieee1275_cell_t size;
> > -    grub_ieee1275_cell_t buf;
> > -    grub_ieee1275_cell_t description_size;
> > -    grub_ieee1275_cell_t description;
> > -    grub_ieee1275_cell_t eventtype;
> > -    grub_ieee1275_cell_t pcrindex;
> > -    grub_ieee1275_cell_t catch_result;
> > -    grub_ieee1275_cell_t rc;
> > -  };
> > -  struct tpm_2hash_ext_log args;
> > -
> > -  INIT_IEEE1275_COMMON (&args.common, "call-method", 8, 2);
> > -  args.method = (grub_ieee1275_cell_t) "2hash-ext-log";
> > -  args.ihandle = grub_ieee1275_tpm_ihandle;
> > -  args.pcrindex = pcrindex;
> > -  args.eventtype = eventtype;
> > -  args.description = (grub_ieee1275_cell_t) description;
> > -  args.description_size = description_size;
> > -  args.buf = (grub_ieee1275_cell_t) buf;
> > -  args.size = (grub_ieee1275_cell_t) size;
> > -
> > -  if (IEEE1275_CALL_ENTRY_FN (&args) == -1)
> > -    return -1;
> > -
> > -  /*
> > -   * catch_result is set if firmware does not support 2hash-ext-log
> > -   * rc is GRUB_IEEE1275_CELL_FALSE (0) on failure
> > -   */
> > -  if ((args.catch_result) || args.rc == GRUB_IEEE1275_CELL_FALSE)
> > -    return -1;
> > -
> > -  return 0;
> > -}
> > -
> >   static grub_err_t
> >   tpm2_log_event (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
> >             const char *description)
> > @@ -80,9 +34,9 @@ tpm2_log_event (unsigned char *buf, grub_size_t size, 
> > grub_uint8_t pcr,
> >     static int error_displayed = 0;
> >     int rc;
> > -  rc = ibmvtpm_2hash_ext_log (pcr, EV_IPL,
> > -                         description, grub_strlen(description) + 1,
> > -                         buf, size);
> > +  rc = grub_ieee1275_ibmvtpm_2hash_ext_log (pcr, EV_IPL,
> > +                                       description, 
> > grub_strlen(description) + 1,
> > +                                       buf, size);
> >     if (rc && !error_displayed)
> >       {
> >         error_displayed++;
> > diff --git a/grub-core/lib/ieee1275/tcg2.c b/grub-core/lib/ieee1275/tcg2.c
> > index 40161c2f9..945a3469b 100644
> > --- a/grub-core/lib/ieee1275/tcg2.c
> > +++ b/grub-core/lib/ieee1275/tcg2.c
> > @@ -56,6 +56,52 @@ grub_ieee1275_tpm_init (void)
> >     return GRUB_ERR_NONE;
> >   }
> > +int
> > +grub_ieee1275_ibmvtpm_2hash_ext_log (grub_uint8_t pcrindex,
> > +                                grub_uint32_t eventtype,
> > +                                const char *description,
> > +                                grub_size_t description_size,
> > +                                void *buf, grub_size_t size)
> > +{
> > +  struct tpm_2hash_ext_log
> > +  {
> > +    struct grub_ieee1275_common_hdr common;
> > +    grub_ieee1275_cell_t method;
> > +    grub_ieee1275_cell_t ihandle;
> > +    grub_ieee1275_cell_t size;
> > +    grub_ieee1275_cell_t buf;
> > +    grub_ieee1275_cell_t description_size;
> > +    grub_ieee1275_cell_t description;
> > +    grub_ieee1275_cell_t eventtype;
> > +    grub_ieee1275_cell_t pcrindex;
> > +    grub_ieee1275_cell_t catch_result;
> > +    grub_ieee1275_cell_t rc;
> > +  };
> > +  struct tpm_2hash_ext_log args;
> > +
> > +  INIT_IEEE1275_COMMON (&args.common, "call-method", 8, 2);
> > +  args.method = (grub_ieee1275_cell_t) "2hash-ext-log";
> > +  args.ihandle = grub_ieee1275_tpm_ihandle;
> > +  args.pcrindex = pcrindex;
> > +  args.eventtype = eventtype;
> > +  args.description = (grub_ieee1275_cell_t) description;
> > +  args.description_size = description_size;
> > +  args.buf = (grub_ieee1275_cell_t) buf;
> > +  args.size = (grub_ieee1275_cell_t) size;
> > +
> > +  if (IEEE1275_CALL_ENTRY_FN (&args) == -1)
> > +    return -1;
> > +
> > +  /*
> > +   * catch_result is set if firmware does not support 2hash-ext-log
> > +   * rc is GRUB_IEEE1275_CELL_FALSE (0) on failure
> > +   */
> > +  if ((args.catch_result) || args.rc == GRUB_IEEE1275_CELL_FALSE)
> > +    return -1;
> 
> Now there are two callers of this function that each would create an error
> hinting at the firmware being too old if the firmware call fails. It's
> probably worth putting the grub_error call into this function here to avoid
> replication.
> 
Ok, I'll update the function to return a proper grub_err.

> The rest looks good.

Thanks!

Gary Lin

> 
> > +
> > +  return 0;
> > +}
> > +
> >   grub_err_t
> >   grub_tcg2_get_max_output_size (grub_size_t *size)
> >   {
> > @@ -155,3 +201,23 @@ grub_tcg2_submit_command (grub_size_t input_size,
> >     return GRUB_ERR_NONE;
> >   }
> > +
> > +grub_err_t
> > +grub_tcg2_cap_pcr (grub_uint8_t pcr)
> > +{
> > +  grub_uint8_t separator[4] = {0};
> > +  static int error_displayed = 0;
> > +  int rc;
> > +
> > +  rc = grub_ieee1275_ibmvtpm_2hash_ext_log (pcr, EV_SEPARATOR,
> > +                                       separator, sizeof(separator),
> > +                                       separator, sizeof(separator));
> > +  if (rc && !error_displayed)
> > +    {
> > +      error_displayed++;
> > +      return grub_error (GRUB_ERR_BAD_DEVICE,
> > +                    "2HASH-EXT-LOG failed: Firmware is likely too old.\n");
> > +    }
> > +
> > +  return GRUB_ERR_NONE;
> > +}
> > diff --git a/include/grub/ieee1275/tpm.h b/include/grub/ieee1275/tpm.h
> > index fe5cb4713..01065071b 100644
> > --- a/include/grub/ieee1275/tpm.h
> > +++ b/include/grub/ieee1275/tpm.h
> > @@ -27,4 +27,9 @@ extern grub_ieee1275_ihandle_t grub_ieee1275_tpm_ihandle;
> >   extern grub_err_t grub_ieee1275_tpm_init (void);
> > +extern int grub_ieee1275_ibmvtpm_2hash_ext_log (grub_uint8_t pcrindex,
> > +                                           grub_uint32_t eventtype,
> > +                                           const char *description,
> > +                                           grub_size_t description_size,
> > +                                           void *buf, grub_size_t size);
> >   #endif
> 

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

Reply via email to