283 lines
8.4 KiB
C
283 lines
8.4 KiB
C
|
#include <grub/err.h>
|
||
|
#include <grub/i18n.h>
|
||
|
#include <grub/efi/api.h>
|
||
|
#include <grub/efi/efi.h>
|
||
|
#include <grub/efi/tpm.h>
|
||
|
#include <grub/mm.h>
|
||
|
#include <grub/tpm.h>
|
||
|
#include <grub/term.h>
|
||
|
|
||
|
static grub_efi_guid_t tpm_guid = EFI_TPM_GUID;
|
||
|
static grub_efi_guid_t tpm2_guid = EFI_TPM2_GUID;
|
||
|
|
||
|
static grub_efi_boolean_t grub_tpm_present(grub_efi_tpm_protocol_t *tpm)
|
||
|
{
|
||
|
grub_efi_status_t status;
|
||
|
TCG_EFI_BOOT_SERVICE_CAPABILITY caps;
|
||
|
grub_uint32_t flags;
|
||
|
grub_efi_physical_address_t eventlog, lastevent;
|
||
|
|
||
|
caps.Size = (grub_uint8_t)sizeof(caps);
|
||
|
|
||
|
status = efi_call_5(tpm->status_check, tpm, &caps, &flags, &eventlog,
|
||
|
&lastevent);
|
||
|
|
||
|
if (status != GRUB_EFI_SUCCESS || caps.TPMDeactivatedFlag
|
||
|
|| !caps.TPMPresentFlag)
|
||
|
return 0;
|
||
|
|
||
|
return 1;
|
||
|
}
|
||
|
|
||
|
static grub_efi_boolean_t grub_tpm2_present(grub_efi_tpm2_protocol_t *tpm)
|
||
|
{
|
||
|
grub_efi_status_t status;
|
||
|
EFI_TCG2_BOOT_SERVICE_CAPABILITY caps;
|
||
|
|
||
|
caps.Size = (grub_uint8_t)sizeof(caps);
|
||
|
|
||
|
status = efi_call_2(tpm->get_capability, tpm, &caps);
|
||
|
|
||
|
if (status != GRUB_EFI_SUCCESS || !caps.TPMPresentFlag)
|
||
|
return 0;
|
||
|
|
||
|
return 1;
|
||
|
}
|
||
|
|
||
|
static grub_efi_boolean_t grub_tpm_handle_find(grub_efi_handle_t *tpm_handle,
|
||
|
grub_efi_uint8_t *protocol_version)
|
||
|
{
|
||
|
grub_efi_handle_t *handles;
|
||
|
grub_efi_uintn_t num_handles;
|
||
|
|
||
|
handles = grub_efi_locate_handle (GRUB_EFI_BY_PROTOCOL, &tpm_guid, NULL,
|
||
|
&num_handles);
|
||
|
if (handles && num_handles > 0) {
|
||
|
*tpm_handle = handles[0];
|
||
|
*protocol_version = 1;
|
||
|
return 1;
|
||
|
}
|
||
|
|
||
|
handles = grub_efi_locate_handle (GRUB_EFI_BY_PROTOCOL, &tpm2_guid, NULL,
|
||
|
&num_handles);
|
||
|
if (handles && num_handles > 0) {
|
||
|
*tpm_handle = handles[0];
|
||
|
*protocol_version = 2;
|
||
|
return 1;
|
||
|
}
|
||
|
|
||
|
return 0;
|
||
|
}
|
||
|
|
||
|
static grub_err_t
|
||
|
grub_tpm1_execute(grub_efi_handle_t tpm_handle,
|
||
|
PassThroughToTPM_InputParamBlock *inbuf,
|
||
|
PassThroughToTPM_OutputParamBlock *outbuf)
|
||
|
{
|
||
|
grub_efi_status_t status;
|
||
|
grub_efi_tpm_protocol_t *tpm;
|
||
|
grub_uint32_t inhdrsize = sizeof(*inbuf) - sizeof(inbuf->TPMOperandIn);
|
||
|
grub_uint32_t outhdrsize = sizeof(*outbuf) - sizeof(outbuf->TPMOperandOut);
|
||
|
|
||
|
tpm = grub_efi_open_protocol (tpm_handle, &tpm_guid,
|
||
|
GRUB_EFI_OPEN_PROTOCOL_GET_PROTOCOL);
|
||
|
|
||
|
if (!grub_tpm_present(tpm))
|
||
|
return 0;
|
||
|
|
||
|
/* UEFI TPM protocol takes the raw operand block, no param block header */
|
||
|
status = efi_call_5 (tpm->pass_through_to_tpm, tpm,
|
||
|
inbuf->IPBLength - inhdrsize, inbuf->TPMOperandIn,
|
||
|
outbuf->OPBLength - outhdrsize, outbuf->TPMOperandOut);
|
||
|
|
||
|
switch (status) {
|
||
|
case GRUB_EFI_SUCCESS:
|
||
|
return 0;
|
||
|
case GRUB_EFI_DEVICE_ERROR:
|
||
|
return grub_error (GRUB_ERR_IO, N_("Command failed"));
|
||
|
case GRUB_EFI_INVALID_PARAMETER:
|
||
|
return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Invalid parameter"));
|
||
|
case GRUB_EFI_BUFFER_TOO_SMALL:
|
||
|
return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Output buffer too small"));
|
||
|
case GRUB_EFI_NOT_FOUND:
|
||
|
return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("TPM unavailable"));
|
||
|
default:
|
||
|
return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("Unknown TPM error"));
|
||
|
}
|
||
|
}
|
||
|
|
||
|
static grub_err_t
|
||
|
grub_tpm2_execute(grub_efi_handle_t tpm_handle,
|
||
|
PassThroughToTPM_InputParamBlock *inbuf,
|
||
|
PassThroughToTPM_OutputParamBlock *outbuf)
|
||
|
{
|
||
|
grub_efi_status_t status;
|
||
|
grub_efi_tpm2_protocol_t *tpm;
|
||
|
grub_uint32_t inhdrsize = sizeof(*inbuf) - sizeof(inbuf->TPMOperandIn);
|
||
|
grub_uint32_t outhdrsize = sizeof(*outbuf) - sizeof(outbuf->TPMOperandOut);
|
||
|
|
||
|
tpm = grub_efi_open_protocol (tpm_handle, &tpm2_guid,
|
||
|
GRUB_EFI_OPEN_PROTOCOL_GET_PROTOCOL);
|
||
|
|
||
|
if (!grub_tpm2_present(tpm))
|
||
|
return 0;
|
||
|
|
||
|
/* UEFI TPM protocol takes the raw operand block, no param block header */
|
||
|
status = efi_call_5 (tpm->submit_command, tpm,
|
||
|
inbuf->IPBLength - inhdrsize, inbuf->TPMOperandIn,
|
||
|
outbuf->OPBLength - outhdrsize, outbuf->TPMOperandOut);
|
||
|
|
||
|
switch (status) {
|
||
|
case GRUB_EFI_SUCCESS:
|
||
|
return 0;
|
||
|
case GRUB_EFI_DEVICE_ERROR:
|
||
|
return grub_error (GRUB_ERR_IO, N_("Command failed"));
|
||
|
case GRUB_EFI_INVALID_PARAMETER:
|
||
|
return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Invalid parameter"));
|
||
|
case GRUB_EFI_BUFFER_TOO_SMALL:
|
||
|
return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Output buffer too small"));
|
||
|
case GRUB_EFI_NOT_FOUND:
|
||
|
return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("TPM unavailable"));
|
||
|
default:
|
||
|
return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("Unknown TPM error"));
|
||
|
}
|
||
|
}
|
||
|
|
||
|
grub_err_t
|
||
|
grub_tpm_execute(PassThroughToTPM_InputParamBlock *inbuf,
|
||
|
PassThroughToTPM_OutputParamBlock *outbuf)
|
||
|
{
|
||
|
grub_efi_handle_t tpm_handle;
|
||
|
grub_uint8_t protocol_version;
|
||
|
|
||
|
/* It's not a hard failure for there to be no TPM */
|
||
|
if (!grub_tpm_handle_find(&tpm_handle, &protocol_version))
|
||
|
return 0;
|
||
|
|
||
|
if (protocol_version == 1) {
|
||
|
return grub_tpm1_execute(tpm_handle, inbuf, outbuf);
|
||
|
} else {
|
||
|
return grub_tpm2_execute(tpm_handle, inbuf, outbuf);
|
||
|
}
|
||
|
}
|
||
|
|
||
|
typedef struct {
|
||
|
grub_uint32_t pcrindex;
|
||
|
grub_uint32_t eventtype;
|
||
|
grub_uint8_t digest[20];
|
||
|
grub_uint32_t eventsize;
|
||
|
grub_uint8_t event[1];
|
||
|
} Event;
|
||
|
|
||
|
|
||
|
static grub_err_t
|
||
|
grub_tpm1_log_event(grub_efi_handle_t tpm_handle, unsigned char *buf,
|
||
|
grub_size_t size, grub_uint8_t pcr,
|
||
|
const char *description)
|
||
|
{
|
||
|
Event *event;
|
||
|
grub_efi_status_t status;
|
||
|
grub_efi_tpm_protocol_t *tpm;
|
||
|
grub_efi_physical_address_t lastevent;
|
||
|
grub_uint32_t algorithm;
|
||
|
grub_uint32_t eventnum = 0;
|
||
|
|
||
|
tpm = grub_efi_open_protocol (tpm_handle, &tpm_guid,
|
||
|
GRUB_EFI_OPEN_PROTOCOL_GET_PROTOCOL);
|
||
|
|
||
|
if (!grub_tpm_present(tpm))
|
||
|
return 0;
|
||
|
|
||
|
event = grub_zalloc(sizeof (Event) + grub_strlen(description) + 1);
|
||
|
if (!event)
|
||
|
return grub_error (GRUB_ERR_OUT_OF_MEMORY,
|
||
|
N_("cannot allocate TPM event buffer"));
|
||
|
|
||
|
event->pcrindex = pcr;
|
||
|
event->eventtype = EV_IPL;
|
||
|
event->eventsize = grub_strlen(description) + 1;
|
||
|
grub_memcpy(event->event, description, event->eventsize);
|
||
|
|
||
|
algorithm = TCG_ALG_SHA;
|
||
|
status = efi_call_7 (tpm->log_extend_event, tpm, buf, (grub_uint64_t) size,
|
||
|
algorithm, event, &eventnum, &lastevent);
|
||
|
|
||
|
switch (status) {
|
||
|
case GRUB_EFI_SUCCESS:
|
||
|
return 0;
|
||
|
case GRUB_EFI_DEVICE_ERROR:
|
||
|
return grub_error (GRUB_ERR_IO, N_("Command failed"));
|
||
|
case GRUB_EFI_INVALID_PARAMETER:
|
||
|
return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Invalid parameter"));
|
||
|
case GRUB_EFI_BUFFER_TOO_SMALL:
|
||
|
return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Output buffer too small"));
|
||
|
case GRUB_EFI_NOT_FOUND:
|
||
|
return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("TPM unavailable"));
|
||
|
default:
|
||
|
return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("Unknown TPM error"));
|
||
|
}
|
||
|
}
|
||
|
|
||
|
static grub_err_t
|
||
|
grub_tpm2_log_event(grub_efi_handle_t tpm_handle, unsigned char *buf,
|
||
|
grub_size_t size, grub_uint8_t pcr,
|
||
|
const char *description)
|
||
|
{
|
||
|
EFI_TCG2_EVENT *event;
|
||
|
grub_efi_status_t status;
|
||
|
grub_efi_tpm2_protocol_t *tpm;
|
||
|
|
||
|
tpm = grub_efi_open_protocol (tpm_handle, &tpm2_guid,
|
||
|
GRUB_EFI_OPEN_PROTOCOL_GET_PROTOCOL);
|
||
|
|
||
|
if (!grub_tpm2_present(tpm))
|
||
|
return 0;
|
||
|
|
||
|
event = grub_zalloc(sizeof (EFI_TCG2_EVENT) + grub_strlen(description) + 1);
|
||
|
if (!event)
|
||
|
return grub_error (GRUB_ERR_OUT_OF_MEMORY,
|
||
|
N_("cannot allocate TPM event buffer"));
|
||
|
|
||
|
event->Header.HeaderSize = sizeof(EFI_TCG2_EVENT_HEADER);
|
||
|
event->Header.HeaderVersion = 1;
|
||
|
event->Header.PCRIndex = pcr;
|
||
|
event->Header.EventType = EV_IPL;
|
||
|
event->Size = sizeof(*event) - sizeof(event->Event) + grub_strlen(description) + 1;
|
||
|
grub_memcpy(event->Event, description, grub_strlen(description) + 1);
|
||
|
|
||
|
status = efi_call_5 (tpm->hash_log_extend_event, tpm, 0, buf,
|
||
|
(grub_uint64_t) size, event);
|
||
|
|
||
|
switch (status) {
|
||
|
case GRUB_EFI_SUCCESS:
|
||
|
return 0;
|
||
|
case GRUB_EFI_DEVICE_ERROR:
|
||
|
return grub_error (GRUB_ERR_IO, N_("Command failed"));
|
||
|
case GRUB_EFI_INVALID_PARAMETER:
|
||
|
return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Invalid parameter"));
|
||
|
case GRUB_EFI_BUFFER_TOO_SMALL:
|
||
|
return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Output buffer too small"));
|
||
|
case GRUB_EFI_NOT_FOUND:
|
||
|
return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("TPM unavailable"));
|
||
|
default:
|
||
|
return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("Unknown TPM error"));
|
||
|
}
|
||
|
}
|
||
|
|
||
|
grub_err_t
|
||
|
grub_tpm_log_event(unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
|
||
|
const char *description)
|
||
|
{
|
||
|
grub_efi_handle_t tpm_handle;
|
||
|
grub_efi_uint8_t protocol_version;
|
||
|
|
||
|
if (!grub_tpm_handle_find(&tpm_handle, &protocol_version))
|
||
|
return 0;
|
||
|
|
||
|
if (protocol_version == 1) {
|
||
|
return grub_tpm1_log_event(tpm_handle, buf, size, pcr, description);
|
||
|
} else {
|
||
|
return grub_tpm2_log_event(tpm_handle, buf, size, pcr, description);
|
||
|
}
|
||
|
}
|