tss2: Add TPM2_PCR_Event command

The TPM2_PCR_Event command is introduced to tss2 to allow the user to extend a specific PCR. The related data structure and unmarshal function are also introduced. However, simply invoking TPM2_PCR_Event does not automatically record the event into the TPM event log. The TPM event log is primarily maintained by the system firmware (e.g., BIOS/UEFI). Therefore, for most standard use cases, the recommended method for extending PCRs and ensuring proper event logging is to utilize the system firmware functions. There are specific scenarios where direct use of TPM2_PCR_Event becomes necessary. For instance, in environments lacking system firmware support for PCR extension, such as the grub-emu, TPM2_PCR_Event serves as the only available method to extend PCRs. Signed-off-by: Gary Lin <glin@suse.com> Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2025-10-03 11:22:02 +08:00 · 2025-10-03 11:22:02 +08:00 · b2549b4d34
commit b2549b4d34
parent e1b9d92a8b
6 changed files with 88 additions and 0 deletions
--- a/grub-core/lib/tss2/tpm2_cmd.c
+++ b/grub-core/lib/tss2/tpm2_cmd.c
@ -575,6 +575,57 @@ grub_tpm2_flushcontext (const TPMI_DH_CONTEXT_t handle)
  return TPM_RC_SUCCESS;
 }

+TPM_RC_t
+grub_tpm2_pcr_event (const TPMI_DH_PCR_t pcrHandle,
+		     const TPMS_AUTH_COMMAND_t *authCommand,
+		     const TPM2B_EVENT_t *eventData,
+		     TPML_DIGEST_VALUES_t *digests,
+		     TPMS_AUTH_RESPONSE_t *authResponse)
+{
+  TPM_RC_t rc;
+  struct grub_tpm2_buffer in;
+  struct grub_tpm2_buffer out;
+  TPML_DIGEST_VALUES_t digestsTmp;
+  TPMS_AUTH_RESPONSE_t authResponseTmp;
+  TPM_RC_t responseCode;
+  grub_uint32_t parameterSize;
+
+  if (eventData == NULL)
+    return TPM_RC_VALUE;
+  if (authCommand == NULL)
+    return TPM_RC_VALUE;
+
+  if (digests == NULL)
+    digests = &digestsTmp;
+  if (authResponse == NULL)
+    authResponse = &authResponseTmp;
+
+  /* Marshal */
+  grub_tpm2_buffer_init (&in);
+  grub_tpm2_buffer_pack_u32 (&in, pcrHandle);
+  grub_Tss2_MU_TPMS_AUTH_COMMAND_Marshal (&in, authCommand);
+  grub_Tss2_MU_TPM2B_Marshal (&in, eventData->size, eventData->buffer);
+  if (in.error == true)
+    return TPM_RC_FAILURE;
+
+  /* Submit */
+  grub_tpm2_buffer_init (&out);
+  rc = tpm2_submit_command (TPM_ST_SESSIONS, TPM_CC_PCR_Event, &responseCode, &in, &out);
+  if (rc != TPM_RC_SUCCESS)
+    return rc;
+  if (responseCode != TPM_RC_SUCCESS)
+    return responseCode;
+
+  /* Unmarshal */
+  grub_tpm2_buffer_unpack_u32 (&out, &parameterSize);
+  grub_Tss2_MU_TPML_DIGEST_VALUE_Unmarshal (&out, digests);
+  grub_Tss2_MU_TPMS_AUTH_RESPONSE_Unmarshal (&out, authResponse);
+  if (out.error == true)
+    return TPM_RC_FAILURE;
+
+  return TPM_RC_SUCCESS;
+}
+
 TPM_RC_t
 grub_tpm2_pcr_read (const TPMS_AUTH_COMMAND_t *authCommand,
 		    const TPML_PCR_SELECTION_t *pcrSelectionIn,
--- a/grub-core/lib/tss2/tpm2_cmd.h
+++ b/grub-core/lib/tss2/tpm2_cmd.h
@ -89,6 +89,13 @@ grub_tpm2_unseal (const TPMI_DH_OBJECT_t item_handle,
 extern TPM_RC_t
 grub_tpm2_flushcontext (const TPMI_DH_CONTEXT_t handle);

+extern TPM_RC_t
+grub_tpm2_pcr_event (const TPMI_DH_PCR_t pcrHandle,
+		     const TPMS_AUTH_COMMAND_t *authCommand,
+		     const TPM2B_EVENT_t *eventData,
+		     TPML_DIGEST_VALUES_t *digests,
+		     TPMS_AUTH_RESPONSE_t *authResponse);
+
 extern TPM_RC_t
 grub_tpm2_pcr_read (const TPMS_AUTH_COMMAND_t *authCommand,
 		    const TPML_PCR_SELECTION_t *pcrSelectionIn,
--- a/grub-core/lib/tss2/tss2_mu.c
+++ b/grub-core/lib/tss2/tss2_mu.c
@ -1118,6 +1118,24 @@ grub_Tss2_MU_TPML_DIGEST_Unmarshal (grub_tpm2_buffer_t buffer,
    grub_Tss2_MU_TPM2B_DIGEST_Unmarshal (buffer, &digest->digests[i]);
 }

+void
+grub_Tss2_MU_TPML_DIGEST_VALUE_Unmarshal (grub_tpm2_buffer_t buffer,
+					  TPML_DIGEST_VALUES_t *digests)
+{
+  grub_uint32_t i;
+
+  grub_tpm2_buffer_unpack_u32 (buffer, &digests->count);
+
+  if (digests->count > TPM_NUM_PCR_BANKS)
+    {
+      buffer->error = true;
+      return;
+    }
+
+  for (i = 0; i < digests->count; i++)
+    grub_Tss2_MU_TPMT_HA_Unmarshal (buffer, &digests->digests[i]);
+}
+
 void
 grub_Tss2_MU_TPMS_SIGNATURE_RSA_Unmarshal (grub_tpm2_buffer_t buffer,
                                           TPMS_SIGNATURE_RSA_t *rsa)
--- a/grub-core/lib/tss2/tss2_mu.h
+++ b/grub-core/lib/tss2/tss2_mu.h
@ -380,6 +380,10 @@ extern void
 grub_Tss2_MU_TPML_DIGEST_Unmarshal (grub_tpm2_buffer_t buffer,
 				    TPML_DIGEST_t *digest);

+extern void
+grub_Tss2_MU_TPML_DIGEST_VALUE_Unmarshal (grub_tpm2_buffer_t buffer,
+					  TPML_DIGEST_VALUES_t *digests);
+
 extern void
 grub_Tss2_MU_TPMS_SIGNATURE_RSA_Unmarshal (grub_tpm2_buffer_t buffer,
                                           TPMS_SIGNATURE_RSA_t *p);
--- a/grub-core/lib/tss2/tss2_structs.h
+++ b/grub-core/lib/tss2/tss2_structs.h
@ -144,6 +144,13 @@ typedef struct TPML_DIGEST TPML_DIGEST_t;
 /* TPM2B_NONCE Type */
 typedef TPM2B_DIGEST_t TPM2B_NONCE_t;

+/* TPM2B_EVENT Structure */
+struct TPM2B_EVENT {
+    grub_uint16_t size;
+    grub_uint8_t buffer[1024];
+};
+typedef struct TPM2B_EVENT TPM2B_EVENT_t;
+
 /* TPMA_SESSION Structure */
 struct TPMA_SESSION
 {
--- a/grub-core/lib/tss2/tss2_types.h
+++ b/grub-core/lib/tss2/tss2_types.h
@ -343,6 +343,7 @@ typedef grub_uint32_t TPM_CC_t;
 #define TPM_CC_NV_Write         ((TPM_CC_t) 0x00000137)
 #define TPM_CC_NV_UndefineSpace ((TPM_CC_t) 0x00000122)
 #define TPM_CC_GetCapability    ((TPM_CC_t) 0x0000017a)
+#define TPM_CC_PCR_Event        ((TPM_CC_t) 0x0000013c)
 #define TPM_CC_PCR_Read         ((TPM_CC_t) 0x0000017e)
 #define TPM_CC_Load             ((TPM_CC_t) 0x00000157)
 #define TPM_CC_LoadExternal     ((TPM_CC_t) 0x00000167)