On Thu, Jul 10, 2025 at 08:24:46PM +0530, Sudhakar Kuppusamy wrote: > > > > On 8 Jul 2025, at 2:01 PM, Gary Lin via Grub-devel <grub-devel@gnu.org> > > wrote: > > > > The TPM2_PCR_Event command is introduced to tss2 to allow the user to > > extend a specific PCR. The related data structure and unmarshal function > > are also introduced. > > > > However, simply invoking TPM2_PCR_Event does not automatically record > > the event into the TPM event log. The TPM event log is primarily > > maintained by the system firmware (e.g., BIOS/UEFI). Therefore, for most > > standard use cases, the recommended method for extending PCRs and > > ensuring proper event logging is to utilize the system firmware > > functions. > > > > There are specific scenarios where direct use of TPM2_PCR_Event becomes > > necessary. For instance, in environments lacking system firmware support > > for PCR extension, such as the grub-emu, TPM2_PCR_Event serves as the > > only available method to extend PCRs. > > > > Signed-off-by: Gary Lin <g...@suse.com> > > --- > > grub-core/lib/tss2/tpm2_cmd.c | 51 +++++++++++++++++++++++++++++++ > > grub-core/lib/tss2/tpm2_cmd.h | 7 +++++ > > grub-core/lib/tss2/tss2_mu.c | 18 +++++++++++ > > grub-core/lib/tss2/tss2_mu.h | 4 +++ > > grub-core/lib/tss2/tss2_structs.h | 7 +++++ > > grub-core/lib/tss2/tss2_types.h | 1 + > > 6 files changed, 88 insertions(+) > > > > diff --git a/grub-core/lib/tss2/tpm2_cmd.c b/grub-core/lib/tss2/tpm2_cmd.c > > index 6d25db1ab..37ca78aee 100644 > > --- a/grub-core/lib/tss2/tpm2_cmd.c > > +++ b/grub-core/lib/tss2/tpm2_cmd.c > > @@ -575,6 +575,57 @@ grub_tpm2_flushcontext (const TPMI_DH_CONTEXT_t handle) > > return TPM_RC_SUCCESS; > > } > > > > +extern TPM_RC_t > Do you think the extern keyword is required for function definition as well? > Oops, that's a mistake.
> > +grub_tpm2_pcr_event (const TPMI_DH_PCR_t pcrHandle, > > + const TPMS_AUTH_COMMAND_t *authCommand, > > + const TPM2B_EVENT_t *eventData, > > + TPML_DIGEST_VALUES_t *digests, > > + TPMS_AUTH_RESPONSE_t *authResponse) > > +{ > > + TPM_RC_t rc; > > + struct grub_tpm2_buffer in; > > + struct grub_tpm2_buffer out; > > + TPML_DIGEST_VALUES_t digestsTmp; > > + TPMS_AUTH_RESPONSE_t authResponseTmp; > > + TPM_RC_t responseCode; > > + grub_uint32_t parameterSize; > > + > > + if (eventData == NULL) > > + return TPM_RC_VALUE; > > + if (authCommand == NULL) > > + return TPM_RC_VALUE; > > + > > + if (digests == NULL) > > + digests = &digestsTmp; > > + if (authResponse == NULL) > > + authResponse = &authResponseTmp; > > + > > + /* Marshal */ > > + grub_tpm2_buffer_init (&in); > > + grub_tpm2_buffer_pack_u32 (&in, pcrHandle); > > + grub_Tss2_MU_TPMS_AUTH_COMMAND_Marshal (&in, authCommand); > > + grub_Tss2_MU_TPM2B_Marshal (&in, eventData->size, eventData->buffer); > > + if (in.error != 0) > > It would be better to use true/false for boolean. > > if (in.error == true) > Will fix it in v2. > > + return TPM_RC_FAILURE; > > + > > + /* Submit */ > > + grub_tpm2_buffer_init (&out); > > + rc = tpm2_submit_command (TPM_ST_SESSIONS, TPM_CC_PCR_Event, > > &responseCode, &in, &out); > > + if (rc != TPM_RC_SUCCESS) > > + return rc; > > + if (responseCode != TPM_RC_SUCCESS) > > + return responseCode; > > + > > + /* Unmarshal */ > > + grub_tpm2_buffer_unpack_u32 (&out, ¶meterSize); > > + grub_Tss2_MU_TPML_DIGEST_VALUE_Unmarshal (&out, digests); > > + grub_Tss2_MU_TPMS_AUTH_RESPONSE_Unmarshal (&out, authResponse); > > + if (out.error != 0) > > It would be better to use true/false for boolean. > > if (out.error == true) > Ditto. > > + return TPM_RC_FAILURE; > > + > > + return TPM_RC_SUCCESS; > > +} > > + > > TPM_RC_t > > grub_tpm2_pcr_read (const TPMS_AUTH_COMMAND_t *authCommand, > > const TPML_PCR_SELECTION_t *pcrSelectionIn, 
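Review bot: `eventData->size` is handed to `grub_Tss2_MU_TPM2B_Marshal` in grub_tpm2_pcr_event without being compared to the capacity of `eventData->buffer`, so a caller that sets a size above the 1024-byte array declared in tss2_structs.h would have bytes from beyond the structure copied into the command sent to the TPM. Adding `if (eventData->size > sizeof (eventData->buffer)) return TPM_RC_VALUE;` next to the existing NULL checks rejects that before marshalling. Whether the marshal helper bounds the copy by the command buffer's own capacity is not visible in this patch, and such a bound would only limit the over-read rather than prevent it. `parameterSize` is unpacked but never checked against what is unmarshalled afterwards; if that is deliberate, a short comment such as `/* parameterSize is not validated; out.error catches truncation */` would say so.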
> > diff --git a/grub-core/lib/tss2/tpm2_cmd.h b/grub-core/lib/tss2/tpm2_cmd.h > > index 90b42efec..d7ad962ab 100644 > > --- a/grub-core/lib/tss2/tpm2_cmd.h > > +++ b/grub-core/lib/tss2/tpm2_cmd.h > > @@ -89,6 +89,13 @@ grub_tpm2_unseal (const TPMI_DH_OBJECT_t item_handle, > > extern TPM_RC_t > > grub_tpm2_flushcontext (const TPMI_DH_CONTEXT_t handle); > > > > +extern TPM_RC_t > > +grub_tpm2_pcr_event (const TPMI_DH_PCR_t pcrHandle, > > + const TPMS_AUTH_COMMAND_t *authCommand, > > + const TPM2B_EVENT_t *eventData, > > + TPML_DIGEST_VALUES_t *digests, > > + TPMS_AUTH_RESPONSE_t *authResponse); > > + > > extern TPM_RC_t > > grub_tpm2_pcr_read (const TPMS_AUTH_COMMAND_t *authCommand, > > const TPML_PCR_SELECTION_t *pcrSelectionIn, > > diff --git a/grub-core/lib/tss2/tss2_mu.c b/grub-core/lib/tss2/tss2_mu.c > > index 816e5b37f..675a0009a 100644 > > --- a/grub-core/lib/tss2/tss2_mu.c > > +++ b/grub-core/lib/tss2/tss2_mu.c > > @@ -1118,6 +1118,24 @@ grub_Tss2_MU_TPML_DIGEST_Unmarshal > > (grub_tpm2_buffer_t buffer, > > grub_Tss2_MU_TPM2B_DIGEST_Unmarshal (buffer, &digest->digests[i]); > > } > > > > +void > > +grub_Tss2_MU_TPML_DIGEST_VALUE_Unmarshal (grub_tpm2_buffer_t buffer, > > + TPML_DIGEST_VALUES_t *digests) > > +{ > > + grub_uint32_t i; > > + > > + grub_tpm2_buffer_unpack_u32 (buffer, &digests->count); > > + > > + if (digests->count > TPM_NUM_PCR_BANKS) > > + { > > + buffer->error = 1; > > It would be better to use true/false for boolean. > buffer->error = true; > Will fix it in v2. Thanks, Gary Lin > Thanks, > Sudhakar > > > + return; > > + } > > + > > + for (i = 0; i < digests->count; i++) > > + grub_Tss2_MU_TPMT_HA_Unmarshal (buffer, &digests->digests[i]); > > +} > > + > > void > > grub_Tss2_MU_TPMS_SIGNATURE_RSA_Unmarshal (grub_tpm2_buffer_t buffer, > > TPMS_SIGNATURE_RSA_t *rsa) > > diff --git a/grub-core/lib/tss2/tss2_mu.h b/grub-core/lib/tss2/tss2_mu.h > > index 6440de57c..76eebc994 100644 > > --- a/grub-core/lib/tss2/tss2_mu.h 
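Review bot: In grub_Tss2_MU_TPML_DIGEST_VALUE_Unmarshal the rejected value stays in `digests->count` when the `TPM_NUM_PCR_BANKS` check fails, so a caller that reads the structure without first checking `buffer->error` would index past `digests->digests`. Clearing it on the error path, `digests->count = 0;` before the `return`, keeps the output safe to iterate. The bound assumes `digests->digests` is declared with `TPM_NUM_PCR_BANKS` entries; that declaration is not part of this patch, so it is worth confirming. The function name also drops the plural of the type it fills (`TPML_DIGEST_VALUES_t`), unlike the neighbouring `TPML_DIGEST_Unmarshal` / `TPML_DIGEST_t` pairing.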
> > +++ b/grub-core/lib/tss2/tss2_mu.h > > @@ -380,6 +380,10 @@ extern void > > grub_Tss2_MU_TPML_DIGEST_Unmarshal (grub_tpm2_buffer_t buffer, > > TPML_DIGEST_t *digest); > > > > +extern void > > +grub_Tss2_MU_TPML_DIGEST_VALUE_Unmarshal (grub_tpm2_buffer_t buffer, > > + TPML_DIGEST_VALUES_t *digests); > > + > > extern void > > grub_Tss2_MU_TPMS_SIGNATURE_RSA_Unmarshal (grub_tpm2_buffer_t buffer, > > TPMS_SIGNATURE_RSA_t *p); > > diff --git a/grub-core/lib/tss2/tss2_structs.h > > b/grub-core/lib/tss2/tss2_structs.h > > index 2eefba87c..0ac09f50f 100644 > > --- a/grub-core/lib/tss2/tss2_structs.h > > +++ b/grub-core/lib/tss2/tss2_structs.h > > @@ -144,6 +144,13 @@ typedef struct TPML_DIGEST TPML_DIGEST_t; > > /* TPM2B_NONCE Type */ > > typedef TPM2B_DIGEST_t TPM2B_NONCE_t; > > > > +/* TPM2B_EVENT Structure */ > > +struct TPM2B_EVENT { > > + grub_uint16_t size; > > + grub_uint8_t buffer[1024]; > > +}; > > +typedef struct TPM2B_EVENT TPM2B_EVENT_t; > > + > > /* TPMA_SESSION Structure */ > > struct TPMA_SESSION > > { > > diff --git a/grub-core/lib/tss2/tss2_types.h > > b/grub-core/lib/tss2/tss2_types.h > > index bddde7191..52d304b90 100644 > > --- a/grub-core/lib/tss2/tss2_types.h > > +++ b/grub-core/lib/tss2/tss2_types.h > > @@ -343,6 +343,7 @@ typedef grub_uint32_t TPM_CC_t; > > #define TPM_CC_NV_Write ((TPM_CC_t) 0x00000137) > > #define TPM_CC_NV_UndefineSpace ((TPM_CC_t) 0x00000122) > > #define TPM_CC_GetCapability ((TPM_CC_t) 0x0000017a) > > +#define TPM_CC_PCR_Event ((TPM_CC_t) 0x0000013c) > > #define TPM_CC_PCR_Read ((TPM_CC_t) 0x0000017e) > > #define TPM_CC_Load ((TPM_CC_t) 0x00000157) > > #define TPM_CC_LoadExternal ((TPM_CC_t) 0x00000167) > > -- > > 2.43.0 > > > > > > _______________________________________________ > > Grub-devel mailing list > > Grub-devel@gnu.org > > https://lists.gnu.org/mailman/listinfo/grub-devel > _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel