diff options
| author | Masahisa Kojima <masahisa.kojima@linaro.org> | 2021-10-26 11:27:27 +0300 |
|---|---|---|
| committer | Heinrich Schuchardt <heinrich.schuchardt@canonical.com> | 2021-10-26 22:33:19 +0300 |
| commit | 65aa259aa723793f394abf81b7b0d639826e35b7 (patch) | |
| tree | 6383fc0e442a999d51765bcf95d290b780bc39da /lib | |
| parent | 96485d2f3f30c1f482bd138752188cbbc64fb307 (diff) | |
| download | u-boot-65aa259aa723793f394abf81b7b0d639826e35b7.tar.xz | |
efi_loader: add DeployedMode and AuditMode variable measurement
This commit adds the DeployedMode and AuditMode variable
measurement required in TCG PC Client Platform Firmware
Profile Specification.
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/efi_loader/efi_tcg2.c | 33 |
1 files changed, 25 insertions, 8 deletions
diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c index d1ccd8e3b6..ec20530b6b 100644 --- a/lib/efi_loader/efi_tcg2.c +++ b/lib/efi_loader/efi_tcg2.c @@ -84,16 +84,19 @@ static const struct digest_info hash_algo_list[] = { struct variable_info { const u16 *name; bool accept_empty; + u32 pcr_index; }; static struct variable_info secure_variables[] = { - {u"SecureBoot", true}, - {u"PK", true}, - {u"KEK", true}, - {u"db", true}, - {u"dbx", true}, - {u"dbt", false}, - {u"dbr", false}, + {u"SecureBoot", true, 7}, + {u"PK", true, 7}, + {u"KEK", true, 7}, + {u"db", true, 7}, + {u"dbx", true, 7}, + {u"dbt", false, 7}, + {u"dbr", false, 7}, + {u"DeployedMode", false, 1}, + {u"AuditMode", false, 1}, }; #define MAX_HASH_COUNT ARRAY_SIZE(hash_algo_list) @@ -1822,6 +1825,15 @@ static efi_status_t tcg2_measure_secure_boot_variable(struct udevice *dev) efi_uintn_t data_size; u32 count, i; efi_status_t ret; + u8 deployed_mode; + efi_uintn_t size; + u32 deployed_audit_pcr_index = 1; + + size = sizeof(deployed_mode); + ret = efi_get_variable_int(u"DeployedMode", &efi_global_variable_guid, + NULL, &size, &deployed_mode, NULL); + if (ret != EFI_SUCCESS || !deployed_mode) + deployed_audit_pcr_index = 7; count = ARRAY_SIZE(secure_variables); for (i = 0; i < count; i++) { @@ -1833,7 +1845,12 @@ static efi_status_t tcg2_measure_secure_boot_variable(struct udevice *dev) if (!data && !secure_variables[i].accept_empty) continue; - ret = tcg2_measure_variable(dev, 7, + if (u16_strcmp(u"DeployedMode", secure_variables[i].name)) + secure_variables[i].pcr_index = deployed_audit_pcr_index; + if (u16_strcmp(u"AuditMode", secure_variables[i].name)) + secure_variables[i].pcr_index = deployed_audit_pcr_index; + + ret = tcg2_measure_variable(dev, secure_variables[i].pcr_index, EV_EFI_VARIABLE_DRIVER_CONFIG, secure_variables[i].name, guid, data_size, data); |