
Commit 9b2c8ae

blucaDaniel Kiper
authored andcommitted
commands/bli: Set UINT32_MAX in LoaderTpm2ActivePcrBanks if TPM2 present but no banks protocol
The implementation in sd-boot was changed to return UINT32_MAX when the EFI environment detects a working TPM2, but with an older firmware that doesn't implement the protocol to get the list of active banks. This allows distinguishing that case from the one where there is no working TPM2, in which userspace just gives up; instead, it lets userspace try to figure it out later. Fixes: f326c5c (commands/bli: Set LoaderTpm2ActivePcrBanks runtime variable) Signed-off-by: Luca Boccassi <luca.boccassi@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
1 parent c0669af commit 9b2c8ae


1 file changed

+25
-40
lines changed
  • grub-core/commands/efi

1 file changed

+25
-40
lines changed

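--- a/grub-core/commands/efi/tpm.c
+++ b/grub-core/commands/efi/tpm.c
@@ -39,7 +39,7 @@ static grub_uint8_t grub_tpm_version;
 
 static grub_int8_t tpm1_present = -1;
 static grub_int8_t tpm2_present = -1;
-static grub_int8_t tpm2_pcr_banks_reporting_present = -1;
+static grub_efi_int64_t tpm2_active_pcr_banks = -1;
 
 static grub_efi_boolean_t
 grub_tpm1_present (grub_efi_tpm_protocol_t *tpm)
@@ -90,34 +90,6 @@ grub_tpm2_present (grub_efi_tpm2_protocol_t *tpm)
 return (grub_efi_boolean_t) tpm2_present;
 }
 
-static grub_efi_boolean_t
-grub_tpm2_pcr_banks_reporting_present (grub_efi_tpm2_protocol_t *tpm)
-{
-grub_efi_status_t status;
-EFI_TCG2_BOOT_SERVICE_CAPABILITY caps;
-
-caps.Size = (grub_uint8_t) sizeof (caps);
-
-if (tpm2_pcr_banks_reporting_present != -1)
-return (grub_efi_boolean_t) tpm2_pcr_banks_reporting_present;
-
-if (!grub_tpm2_present (tpm))
-return (grub_efi_boolean_t) (tpm2_pcr_banks_reporting_present = 0);
-
-status = tpm->get_capability (tpm, &caps);
-
-if (status != GRUB_EFI_SUCCESS || caps.StructureVersion.Major < 1
-|| (caps.StructureVersion.Major == 1 && caps.StructureVersion.Minor < 1))
-tpm2_pcr_banks_reporting_present = 0;
-else
-tpm2_pcr_banks_reporting_present = 1;
-
-grub_dprintf ("tpm", "tpm2 PCR banks reporting%s present\n",
-tpm2_pcr_banks_reporting_present ? "" : " NOT");
-
-return (grub_efi_boolean_t) tpm2_pcr_banks_reporting_present;
-}
-
 static grub_efi_boolean_t
 grub_tpm_handle_find (grub_efi_handle_t *tpm_handle,
 grub_efi_uint8_t *protocol_version)
@@ -365,32 +337,45 @@ grub_tpm_present (void)
 grub_uint32_t
 grub_tpm2_active_pcr_banks (void)
 {
+EFI_TCG2_BOOT_SERVICE_CAPABILITY caps;
 grub_efi_handle_t tpm_handle;
 grub_efi_uint8_t protocol_version;
 grub_efi_tpm2_protocol_t *tpm;
-grub_efi_uint32_t active_pcr_banks = 0;
+grub_efi_uint32_t active_pcr_banks;
+grub_efi_status_t status;
+
+if (tpm2_active_pcr_banks >= 0)
+return (grub_uint32_t) tpm2_active_pcr_banks;
 
 if (!grub_tpm_handle_find (&tpm_handle, &protocol_version))
-return 0;
+return (grub_uint32_t) (tpm2_active_pcr_banks = 0);
 
 if (protocol_version == 1)
-return 0; /* We report TPM2 status */
+return (grub_uint32_t) (tpm2_active_pcr_banks = 0); /* We report TPM2 status. */
 
 tpm = grub_efi_open_protocol (tpm_handle, &tpm2_guid,
 GRUB_EFI_OPEN_PROTOCOL_GET_PROTOCOL);
 if (tpm == NULL)
 {
 grub_dprintf ("tpm", "Cannot open TPM2 protocol\n");
-return 0;
+return (grub_uint32_t) (tpm2_active_pcr_banks = 0);
 }
 
-if (grub_tpm2_pcr_banks_reporting_present (tpm))
-{
-grub_efi_status_t status = tpm->get_active_pcr_banks (tpm, &active_pcr_banks);
+if (!grub_tpm2_present (tpm))
+return (grub_uint32_t) (tpm2_active_pcr_banks = 0);
 
-if (status != GRUB_EFI_SUCCESS)
-return 0; /* Assume none available if the call fails. */
-}
+caps.Size = (grub_uint8_t) sizeof (caps);
+status = tpm->get_capability (tpm, &caps);
+if (status != GRUB_EFI_SUCCESS)
+return (grub_uint32_t) (tpm2_active_pcr_banks = 0);
+if (caps.StructureVersion.Major < 1 ||
+(caps.StructureVersion.Major == 1 && caps.StructureVersion.Minor < 1))
+/* There's a working TPM2 but without querying protocol, let userspace figure it out. */
+return (grub_uint32_t) (tpm2_active_pcr_banks = GRUB_UINT_MAX);
+
+status = tpm->get_active_pcr_banks (tpm, &active_pcr_banks);
+if (status != GRUB_EFI_SUCCESS)
+return (grub_uint32_t) (tpm2_active_pcr_banks = 0); /* Assume none available if the call fails. */
 
-return active_pcr_banks;
+return (grub_uint32_t) (tpm2_active_pcr_banks = active_pcr_banks);
 }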
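Review bot: In grub_tpm2_active_pcr_banks, a failing `tpm->get_capability` (the `status != GRUB_EFI_SUCCESS` check right after `caps.Size = ...`) is cached and reported as 0, the same value every no-TPM2 path returns, even though `grub_tpm2_present (tpm)` has just reported a working TPM2 two lines earlier; by the commit's own intent that is the "present but cannot query" case, so it should take the sentinel branch, `return (grub_uint32_t) (tpm2_active_pcr_banks = GRUB_UINT_MAX);`, otherwise userspace is told there is no TPM2 at all and gives up on PCR-bank handling. Since the value is cached for the rest of the boot, a single transient firmware failure is also sticky, which is worth a one-line comment above the cache check, e.g. `/* Cached after the first query; a failed firmware call is not retried. */`. grub_tpm2_present's body lies outside this hunk, so whether it already issues the same get_capability call (making this one a repeat) cannot be confirmed here. A style nit: the comment placed between the two-line `if` condition and its `return` obscures that the return is the if's body; move the comment above the `if` or brace the body.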
