tablet/grub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

commands/efi/tpm: Call get_active_pcr_banks() only with TCG2 1.1 or newer

Browse Source 
The call was added in the 1.1 revision of the spec, 1.0 does
not have it, and there are some machines out there with a TPM2
and a UEFI firmware that only supports version 1.0, so the
call fails in those cases. Check the reported version before
calling get_active_pcr_banks().

See Table 4 in section 6.2 of the TCG EFI Protocol Specification:

  https://trustedcomputinggroup.org/wp-content/uploads/EFI-Protocol-Specification-rev13-160330final.pdf

Fixes: f326c5c47 (commands/bli: Set LoaderTpm2ActivePcrBanks runtime variable)

Signed-off-by: Luca Boccassi <luca.boccassi@gmail.com>
Reviewed-by: Andrew Hamilton <adhamilt@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This commit is contained in:
Luca Boccassi 2025-09-20 02:12:32 +01:00 committed by Daniel Kiper
parent 894241c854
commit 9a725391f1
1 changed files with 30 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
grub-core/commands/efi/tpm.c
View File

@ -39,6 +39,7 @@ static grub_uint8_t grub_tpm_version;
static grub_int8_t tpm1_present = -1;
static grub_int8_t tpm2_present = -1;
static grub_int8_t tpm2_pcr_banks_reporting_present = -1;
static grub_efi_boolean_t
grub_tpm1_present (grub_efi_tpm_protocol_t *tpm)
@ -89,6 +90,34 @@ grub_tpm2_present (grub_efi_tpm2_protocol_t *tpm)
return (grub_efi_boolean_t) tpm2_present;
}
static grub_efi_boolean_t
grub_tpm2_pcr_banks_reporting_present (grub_efi_tpm2_protocol_t *tpm)
{
grub_efi_status_t status;
EFI_TCG2_BOOT_SERVICE_CAPABILITY caps;
caps.Size = (grub_uint8_t) sizeof (caps);
if (tpm2_pcr_banks_reporting_present != -1)
return (grub_efi_boolean_t) tpm2_pcr_banks_reporting_present;
if (!grub_tpm2_present (tpm))
return (grub_efi_boolean_t) (tpm2_pcr_banks_reporting_present = 0);
status = tpm->get_capability (tpm, &caps);
if (status != GRUB_EFI_SUCCESS || caps.StructureVersion.Major < 1
|| (caps.StructureVersion.Major == 1 && caps.StructureVersion.Minor < 1))
tpm2_pcr_banks_reporting_present = 0;
else
tpm2_pcr_banks_reporting_present = 1;
grub_dprintf ("tpm", "tpm2 PCR banks reporting%s present\n",
tpm2_pcr_banks_reporting_present ? "" : " NOT");
return (grub_efi_boolean_t) tpm2_pcr_banks_reporting_present;
}
static grub_efi_boolean_t
grub_tpm_handle_find (grub_efi_handle_t *tpm_handle,
grub_efi_uint8_t *protocol_version)
@ -355,7 +384,7 @@ grub_tpm2_active_pcr_banks (void)
return 0;
}
if (grub_tpm2_present (tpm))
if (grub_tpm2_pcr_banks_reporting_present (tpm))
{
grub_efi_status_t status = tpm->get_active_pcr_banks (tpm, &active_pcr_banks);