f326c5c475
It turns out checking from userspace is not 100% reliable to figure out whether the firmware had TPM2 support enabled or not. For example with EDK2 arm64, the default upstream build config bundles TPM2 support with SecureBoot support, so if the latter is disabled, TPM2 is also unavailable. But still, the ACPI TPM2 table is created just as if it was enabled. So, /sys/firmware/acpi/tables/TPM2 exists and looks correct but there are no measurements, neither the firmware nor the loader/stub can do them, and /sys/kernel/security/tpm0/binary_bios_measurements does not exist. So, userspace cannot really tell what was going on in UEFI mode. The loader can use the apposite UEFI protocol to check, which is a more definitive answer. Export the bitmask with the list of active banks as-is. If it's not 0, then in userspace we can be sure a working TPM2 was available in UEFI mode. systemd-boot and systemd-stub v258 (current main) set this variable and userspace portion consumes it to be able to tell what was available in the firmware context. Signed-off-by: Luca Boccassi <luca.boccassi@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
51 lines
1.4 KiB
C
51 lines
1.4 KiB
C
/*
|
|
* GRUB -- GRand Unified Bootloader
|
|
* Copyright (C) 2018 Free Software Foundation, Inc.
|
|
*
|
|
* GRUB is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* GRUB is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with GRUB. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
#ifndef GRUB_TPM_HEADER
|
|
#define GRUB_TPM_HEADER 1
|
|
|
|
#include <grub/env.h>
|
|
|
|
#define GRUB_STRING_PCR 8
|
|
#define GRUB_BINARY_PCR 9
|
|
|
|
#define SHA1_DIGEST_SIZE 20
|
|
|
|
#define TPM_BASE 0x0
|
|
#define TPM_SUCCESS TPM_BASE
|
|
#define TPM_AUTHFAIL (TPM_BASE + 0x1)
|
|
#define TPM_BADINDEX (TPM_BASE + 0x2)
|
|
|
|
#define TPM_TAG_RQU_COMMAND 0x00C1
|
|
#define TPM_ORD_Extend 0x14
|
|
|
|
#define EV_IPL 0x0d
|
|
|
|
grub_err_t grub_tpm_measure (unsigned char *buf, grub_size_t size,
|
|
grub_uint8_t pcr, const char *description);
|
|
int grub_tpm_present (void);
|
|
grub_uint32_t grub_tpm2_active_pcr_banks (void);
|
|
|
|
static inline bool
|
|
grub_is_tpm_fail_fatal (void)
|
|
{
|
|
return grub_env_get_bool ("tpm_fail_fatal", false);
|
|
}
|
|
|
|
#endif
|