This commit implements grub_tcg2_cap_pcr() for EFI by using the UEFI
TCG2 protocol, HashLogExtendEvent, to extend the specified PCR with an
EV_SEPARATOR event and ensure the event will be recorded properly in the
TPM event log.
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
A Trusted Platform Module (TPM) Software Stack (TSS) provides logic to
compose and submit TPM commands and parse responses.
A limited number of TPM commands may be accessed via the EFI TCG2
protocol. This protocol exposes functionality that is primarily geared
toward TPM usage within the context of Secure Boot. For all other TPM
commands, however, such as sealing and unsealing, this protocol does not
provide any help, with the exception of passthrough command submission.
The SubmitCommand method allows a caller to send raw commands to the
system's TPM and to receive the corresponding response. These
command/response pairs are formatted using the TPM wire protocol. To
construct commands in this way, and to parse the TPM's response, it is
necessary to, first, possess knowledge of the various TPM structures, and,
second, of the TPM wire protocol itself.
As such, this patch includes implementations of various grub_tpm2_* functions
(inventoried below), and logic to write and read command and response
buffers, respectively, using the TPM wire protocol.
Functions:
- grub_tpm2_create(),
- grub_tpm2_createprimary(),
- grub_tpm2_evictcontrol(),
- grub_tpm2_flushcontext(),
- grub_tpm2_load(),
- grub_tpm2_pcr_read(),
- grub_tpm2_policygetdigest(),
- grub_tpm2_policypcr(),
- grub_tpm2_readpublic(),
- grub_tpm2_startauthsession(),
- grub_tpm2_unseal(),
- grub_tpm2_loadexternal(),
- grub_tpm2_hash(),
- grub_tpm2_verifysignature(),
- grub_tpm2_policyauthorize(),
- grub_tpm2_testparms().
Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
Now that GCC can generate function calls using the correct calling
convention for us, we can stop using the efi_call_XX() wrappers, and
just dereference the function pointers directly.
This avoids the untyped variadic wrapper routines, which means better
type checking for the method calls.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Add support for manipulating architectural cache and timers, and EFI
memory maps.
Signed-off-by: Zhou Yang <zhouyang@loongson.cn>
Signed-off-by: Xiaotian Wu <wuxiaotian@loongson.cn>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
commit 92bfc33db984 ("efi: Free malloc regions on exit")
introduced memory freeing in grub_efi_fini(), which is
used not only by exit path but by halt/reboot one as well.
As result of memory freeing, code and data regions used by
modules, such as halt, reboot, acpi (used by halt) also got
freed. After return to module code, CPU executes, filled
by UEFI firmware (tested with edk2), 0xAFAFAFAF pattern as
a code. Which leads to #UD exception later.
grub> halt
!!!! X64 Exception Type - 06(#UD - Invalid Opcode) CPU Apic ID - 00000000 !!!!
RIP - 0000000003F4EC28, CS - 0000000000000038, RFLAGS - 0000000000200246
RAX - 0000000000000000, RCX - 00000000061DA188, RDX - 0A74C0854DC35D41
RBX - 0000000003E10E08, RSP - 0000000007F0F860, RBP - 0000000000000000
RSI - 00000000064DB768, RDI - 000000000832C5C3
R8 - 0000000000000002, R9 - 0000000000000000, R10 - 00000000061E2E52
R11 - 0000000000000020, R12 - 0000000003EE5C1F, R13 - 00000000061E0FF4
R14 - 0000000003E10D80, R15 - 00000000061E2F60
DS - 0000000000000030, ES - 0000000000000030, FS - 0000000000000030
GS - 0000000000000030, SS - 0000000000000030
CR0 - 0000000080010033, CR2 - 0000000000000000, CR3 - 0000000007C01000
CR4 - 0000000000000668, CR8 - 0000000000000000
DR0 - 0000000000000000, DR1 - 0000000000000000, DR2 - 0000000000000000
DR3 - 0000000000000000, DR6 - 00000000FFFF0FF0, DR7 - 0000000000000400
GDTR - 00000000079EEA98 0000000000000047, LDTR - 0000000000000000
IDTR - 0000000007598018 0000000000000FFF, TR - 0000000000000000
FXSAVE_STATE - 0000000007F0F4C0
Proposal here is to continue to free allocated memory for
exit boot services path but keep it for halt/reboot path
as it won't be much security concern here.
Introduced GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY
loader flag to be used by efi halt/reboot path.
Signed-off-by: Alexey Makhalov <amakhalov@vmware.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This patch adds support for RISC-V to the grub build system. With this
patch, I can successfully build grub on RISC-V as a UEFI application.
Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Tested-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
The reboot function calls machine_fini() and then reboots the system.
Currently it lives in lib/ which means it gets compiled into the
reboot module which lives on the heap.
In a following patch, I want to free the heap on machine_fini()
though, so we would free the memory that the code is running in. That
obviously breaks with smarter UEFI implementations.
So this patch moves it into the core. That way we ensure that all
code running after machine_fini() in the UEFI case is running from
memory that got allocated (and gets deallocated) by the UEFI core.
Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
* Makefile.util.def (libgrubmods.a): Add grub-core/kern/ia64/dl_helper.c
* configure.ac: Add ia64-efi target.
Probe for __ia64_trampoline, __udivsi3, __umoddi3, __udivdi3,
__divsi3, __modsi3, __umodsi3, __moddi3 and __divdi3 symbols.
* gentpl.py: Add ia64_efi platform.
Rename x86_efi to efi and Add ia64-efi. All users updated.
* grub-core/Makefile.am: Set KERNEL_HEADER_FILES for ia64-efi.
* grub-core/Makefile.core.def (kernel.img): Add compile flags for ia64.
Remove kern/generic/rtc_get_time_ms.c on EFI.
Add kern/ia64/efi/startup.S, kern/ia64/efi/init.c, kern/ia64/dl.c,
kern/ia64/dl_helper.c on ia64-efi.
Add kern/emu/cache.c on emu.
(linux): Use on loader/ia64/efi/linux.c on ia64.
* grub-core/gensymlist.sh (grub_register_exported_symbols): Check
whether symbol is a function.
* grub-core/kern/dl.c [GRUB_MACHINE_EMU]: Include sys/mman.h.
(grub_symbol): New field 'isfunc'.
(grub_dl_resolve_symbol): Return whole symbol rather than just address.
(grub_dl_register_symbol): New argument 'isfunc'. All users updated.
(grub_dl_load_segments): Place all sections into the same region.
[__ia64__]: Create trampolines and got.
[GRUB_MACHINE_EMU]: Call mprotect.
(grub_dl_resolve_symbols): Resolve symbol type as well.
[__ia64__]: Create function descriptors.
* grub-core/kern/efi/efi.c (grub_get_rtc): Renamed to ...
(grub_rtc_get_time_ms): ... this. Expressions simplified.
(grub_get_rtc): New function.
* grub-core/kern/emu/cache.c [__ia64__]: New file.
* grub-core/kern/emu/cache.S: Renamed to ...
* grub-core/kern/emu/cache_s.S: ... this.
[__ia64__]: Add a nop.
* grub-core/kern/emu/full.c (grub_arch_dl_get_tramp_got_size)
[__ia64__]: New function.
* grub-core/kern/emu/lite.c [__ia64__]: Include ../ia64/dl.c.
* grub-core/kern/ia64/dl.c: New file.
* grub-core/kern/ia64/dl_helper.c: Likewise.
* grub-core/kern/ia64/efi/init.c: New file.
* grub-core/kern/ia64/efi/startup.S: Likewise.
* grub-core/lib/efi/halt.c [__ia64__]: Don't try acpi.
* grub-core/lib/ia64/longjmp.S: New file (from glibc).
* grub-core/lib/ia64/setjmp.S: Likewise (from glibc).
* grub-core/lib/setjmp.S [__ia64__]: Include ./ia64/setjmp.S.
* grub-core/loader/ia64/efi/linux.c: New file.
* include/grub/dl.h (GRUB_MOD_NAME): Redefined using C rather than asm.
(GRUB_MOD_DEP): Likewise.
(grub_dl) [__ia64__]: New fields got and tramp.
(grub_dl): New field 'base'.
(grub_dl_register_symbol): New argument isfunc. All users updated.
(GRUB_IA64_DL_TRAMP_ALIGN): New definition.
(GRUB_IA64_DL_TRAMP_SIZE): Likewise.
(GRUB_IA64_DL_GOT_ALIGN): Likewise.
(grub_ia64_dl_get_tramp_got_size): New proto.
(GRUB_ARCH_DL_TRAMP_ALIGN) [__ia64__]: Likewise
(GRUB_ARCH_DL_GOT_ALIGN) [__ia64__]: Likewise
(grub_arch_dl_get_tramp_got_size) [__ia64__]: Likewise
* include/grub/efi/api.h: Skip call wrappers on ia64.
* include/grub/efi/pe32.h (GRUB_PE32_MACHINE_IA64): New definition.
* include/grub/efi/time.h (GRUB_TICKS_PER_SECOND): Change to 1000.
* include/grub/elf.h (ELF_ST_INFO): New definition.
* include/grub/ia64/efi/kernel.h: New file.
* include/grub/ia64/efi/memory.h: Likewise.
* include/grub/ia64/efi/time.h: Likewise.
* include/grub/ia64/kernel.h: Likewise.
* include/grub/ia64/setjmp.h: Likewise (from glibc).
* include/grub/ia64/time.h: New file.
* include/grub/ia64/types.h: Likewise.
* include/grub/libgcc.h (__udivsi3, __umodsi3, __umoddi3, __udivdi3,
__moddi3, __divdi3, __divsi3, __modsi3, __ia64_trampoline):
New protos.
* include/grub/offsets.h (GRUB_KERNEL_IA64_EFI_PREFIX): New definition.
(GRUB_KERNEL_IA64_EFI_PREFIX_END): Likewise.
* include/grub/types.h (PRIxGRUB_ADDR): Likewise.
* util/grub-mkimage.c (image_target_desc): New field pe_target.
All users updated.
(EFI64_HEADER_SIZE): New definition. All users updated.
(image_targets): Add ia64-efi.
* util/grub-mkimagexx.c (relocate_symbols): New arguments jumpers and
jumpers_addr. All users updated.
Create function descriptors.
(count_funcs): New function.
(unaligned_uint32): New struct.
(MASK20): New definition.
(MASK19): Likewise.
(MASKF21): Likewise.
(add_value_to_slot_20b): New function.
(add_value_to_slot_21_real): Likewise.
(add_value_to_slot_21): Likewise.
(ia64_kernel_trampoline): New struct.
(nopm): New variable.
(jump): Likewise.
(make_trampoline): New function.
(relocate_addresses): Handle ia64.
(make_reloc_section): Likewise.
(load_image): Likewise.
Also-By: Robert Millan <rmh.grub@aybabtu.com>
Also-By: Vladimir Serbinenko <phcoder@gmail.com>
