audk/SecurityPkg/Tcg/TrEEDxe/TrEEDxe.c

1956 lines
64 KiB
C

/** @file
This module implements TrEE Protocol.
Copyright (c) 2013 - 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#include <PiDxe.h>
#include <IndustryStandard/Acpi.h>
#include <IndustryStandard/PeImage.h>
#include <IndustryStandard/SmBios.h>
#include <IndustryStandard/TcpaAcpi.h>
#include <Guid/GlobalVariable.h>
#include <Guid/SmBios.h>
#include <Guid/HobList.h>
#include <Guid/TcgEventHob.h>
#include <Guid/EventGroup.h>
#include <Guid/EventExitBootServiceFailed.h>
#include <Guid/ImageAuthentication.h>
#include <Guid/TpmInstance.h>
#include <Protocol/DevicePath.h>
#include <Protocol/AcpiTable.h>
#include <Protocol/MpService.h>
#include <Protocol/VariableWrite.h>
#include <Protocol/TrEEProtocol.h>
#include <Library/DebugLib.h>
#include <Library/BaseMemoryLib.h>
#include <Library/UefiRuntimeServicesTableLib.h>
#include <Library/UefiDriverEntryPoint.h>
#include <Library/HobLib.h>
#include <Library/UefiBootServicesTableLib.h>
#include <Library/BaseLib.h>
#include <Library/MemoryAllocationLib.h>
#include <Library/PrintLib.h>
#include <Library/Tpm2CommandLib.h>
#include <Library/PcdLib.h>
#include <Library/UefiLib.h>
#include <Library/Tpm2DeviceLib.h>
#include <Library/HashLib.h>
#include <Library/PerformanceLib.h>
#include <Library/ReportStatusCodeLib.h>
#define PERF_ID_TREE_DXE 0x3120
typedef struct {
CHAR16 *VariableName;
EFI_GUID *VendorGuid;
} VARIABLE_TYPE;
#define EFI_TCG_LOG_AREA_SIZE 0x10000
#define TREE_DEFAULT_MAX_COMMAND_SIZE 0x1000
#define TREE_DEFAULT_MAX_RESPONSE_SIZE 0x1000
typedef struct {
EFI_GUID *EventGuid;
TREE_EVENT_LOG_FORMAT LogFormat;
} TREE_EVENT_INFO_STRUCT;
TREE_EVENT_INFO_STRUCT mTreeEventInfo[] = {
{&gTcgEventEntryHobGuid, TREE_EVENT_LOG_FORMAT_TCG_1_2},
};
#define TCG_EVENT_LOG_AREA_COUNT_MAX 2
typedef struct {
TREE_EVENT_LOG_FORMAT EventLogFormat;
EFI_PHYSICAL_ADDRESS Lasa;
UINT64 Laml;
UINTN EventLogSize;
UINT8 *LastEvent;
BOOLEAN EventLogStarted;
BOOLEAN EventLogTruncated;
} TCG_EVENT_LOG_AREA_STRUCT;
typedef struct _TCG_DXE_DATA {
TREE_BOOT_SERVICE_CAPABILITY BsCap;
EFI_TCG_CLIENT_ACPI_TABLE *TcgClientAcpiTable;
EFI_TCG_SERVER_ACPI_TABLE *TcgServerAcpiTable;
TCG_EVENT_LOG_AREA_STRUCT EventLogAreaStruct[TCG_EVENT_LOG_AREA_COUNT_MAX];
} TCG_DXE_DATA;
EFI_TCG_CLIENT_ACPI_TABLE mTcgClientAcpiTemplate = {
{
EFI_ACPI_3_0_TRUSTED_COMPUTING_PLATFORM_ALLIANCE_CAPABILITIES_TABLE_SIGNATURE,
sizeof (mTcgClientAcpiTemplate),
0x02 //Revision
//
// Compiler initializes the remaining bytes to 0
// These fields should be filled in in production
//
},
0, // 0 for PC Client Platform Class
0, // Log Area Max Length
(EFI_PHYSICAL_ADDRESS) (SIZE_4GB - 1) // Log Area Start Address
};
//
// The following EFI_TCG_SERVER_ACPI_TABLE default setting is just one example,
// the TPM device connectes to LPC, and also defined the ACPI _UID as 0xFF,
// this _UID can be changed and should match with the _UID setting of the TPM
// ACPI device object
//
EFI_TCG_SERVER_ACPI_TABLE mTcgServerAcpiTemplate = {
{
EFI_ACPI_3_0_TRUSTED_COMPUTING_PLATFORM_ALLIANCE_CAPABILITIES_TABLE_SIGNATURE,
sizeof (mTcgServerAcpiTemplate),
0x02 //Revision
//
// Compiler initializes the remaining bytes to 0
// These fields should be filled in in production
//
},
1, // 1 for Server Platform Class
0, // Reserved
0, // Log Area Max Length
(EFI_PHYSICAL_ADDRESS) (SIZE_4GB - 1), // Log Area Start Address
0x0100, // TCG Specification revision 1.0
2, // Device Flags
0, // Interrupt Flags
0, // GPE
{0}, // Reserved 3 bytes
0, // Global System Interrupt
{
EFI_ACPI_3_0_SYSTEM_MEMORY,
0,
0,
EFI_ACPI_3_0_BYTE,
0x0 // Base Address
},
0, // Reserved
{0}, // Configuration Address
0xFF, // ACPI _UID value of the device, can be changed for different platforms
0, // ACPI _UID value of the device, can be changed for different platforms
0, // ACPI _UID value of the device, can be changed for different platforms
0 // ACPI _UID value of the device, can be changed for different platforms
};
TCG_DXE_DATA mTcgDxeData = {
{
sizeof (TREE_BOOT_SERVICE_CAPABILITY_1_0), // Size
{ 1, 0 }, // StructureVersion
{ 1, 0 }, // ProtocolVersion
TREE_BOOT_HASH_ALG_SHA1, // HashAlgorithmBitmap
TREE_EVENT_LOG_FORMAT_TCG_1_2, // SupportedEventLogs
TRUE, // TrEEPresentFlag
TREE_DEFAULT_MAX_COMMAND_SIZE, // MaxCommandSize
TREE_DEFAULT_MAX_RESPONSE_SIZE, // MaxResponseSize
0 // ManufacturerID
},
&mTcgClientAcpiTemplate,
&mTcgServerAcpiTemplate,
};
UINTN mBootAttempts = 0;
CHAR16 mBootVarName[] = L"BootOrder";
VARIABLE_TYPE mVariableType[] = {
{EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid},
{EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid},
{EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid},
{EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid},
{EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid},
};
EFI_HANDLE mImageHandle;
/**
Measure PE image into TPM log based on the authenticode image hashing in
PE/COFF Specification 8.0 Appendix A.
Caution: This function may receive untrusted input.
PE/COFF image is external input, so this function will validate its data structure
within this image buffer before use.
@param[in] PCRIndex TPM PCR index
@param[in] ImageAddress Start address of image buffer.
@param[in] ImageSize Image size
@param[out] DigestList Digeest list of this image.
@retval EFI_SUCCESS Successfully measure image.
@retval EFI_OUT_OF_RESOURCES No enough resource to measure image.
@retval other error value
**/
EFI_STATUS
MeasurePeImageAndExtend (
IN UINT32 PCRIndex,
IN EFI_PHYSICAL_ADDRESS ImageAddress,
IN UINTN ImageSize,
OUT TPML_DIGEST_VALUES *DigestList
);
/**
This function dump raw data.
@param Data raw data
@param Size raw data size
**/
VOID
InternalDumpData (
IN UINT8 *Data,
IN UINTN Size
)
{
UINTN Index;
for (Index = 0; Index < Size; Index++) {
DEBUG ((EFI_D_INFO, "%02x", (UINTN)Data[Index]));
}
}
/**
This function dump raw data with colume format.
@param Data raw data
@param Size raw data size
**/
VOID
InternalDumpHex (
IN UINT8 *Data,
IN UINTN Size
)
{
UINTN Index;
UINTN Count;
UINTN Left;
#define COLUME_SIZE (16 * 2)
Count = Size / COLUME_SIZE;
Left = Size % COLUME_SIZE;
for (Index = 0; Index < Count; Index++) {
DEBUG ((EFI_D_INFO, "%04x: ", Index * COLUME_SIZE));
InternalDumpData (Data + Index * COLUME_SIZE, COLUME_SIZE);
DEBUG ((EFI_D_INFO, "\n"));
}
if (Left != 0) {
DEBUG ((EFI_D_INFO, "%04x: ", Index * COLUME_SIZE));
InternalDumpData (Data + Index * COLUME_SIZE, Left);
DEBUG ((EFI_D_INFO, "\n"));
}
}
/**
Get All processors EFI_CPU_LOCATION in system. LocationBuf is allocated inside the function
Caller is responsible to free LocationBuf.
@param[out] LocationBuf Returns Processor Location Buffer.
@param[out] Num Returns processor number.
@retval EFI_SUCCESS Operation completed successfully.
@retval EFI_UNSUPPORTED MpService protocol not found.
**/
EFI_STATUS
GetProcessorsCpuLocation (
OUT EFI_CPU_PHYSICAL_LOCATION **LocationBuf,
OUT UINTN *Num
)
{
EFI_STATUS Status;
EFI_MP_SERVICES_PROTOCOL *MpProtocol;
UINTN ProcessorNum;
UINTN EnabledProcessorNum;
EFI_PROCESSOR_INFORMATION ProcessorInfo;
EFI_CPU_PHYSICAL_LOCATION *ProcessorLocBuf;
UINTN Index;
Status = gBS->LocateProtocol (&gEfiMpServiceProtocolGuid, NULL, (VOID **) &MpProtocol);
if (EFI_ERROR (Status)) {
//
// MP protocol is not installed
//
return EFI_UNSUPPORTED;
}
Status = MpProtocol->GetNumberOfProcessors(
MpProtocol,
&ProcessorNum,
&EnabledProcessorNum
);
if (EFI_ERROR(Status)){
return Status;
}
Status = gBS->AllocatePool(
EfiBootServicesData,
sizeof(EFI_CPU_PHYSICAL_LOCATION) * ProcessorNum,
(VOID **) &ProcessorLocBuf
);
if (EFI_ERROR(Status)){
return Status;
}
//
// Get each processor Location info
//
for (Index = 0; Index < ProcessorNum; Index++) {
Status = MpProtocol->GetProcessorInfo(
MpProtocol,
Index,
&ProcessorInfo
);
if (EFI_ERROR(Status)){
FreePool(ProcessorLocBuf);
return Status;
}
//
// Get all Processor Location info & measure
//
CopyMem(
&ProcessorLocBuf[Index],
&ProcessorInfo.Location,
sizeof(EFI_CPU_PHYSICAL_LOCATION)
);
}
*LocationBuf = ProcessorLocBuf;
*Num = ProcessorNum;
return Status;
}
/**
The EFI_TREE_PROTOCOL GetCapability function call provides protocol
capability information and state information about the TrEE.
@param[in] This Indicates the calling context
@param[in, out] ProtocolCapability The caller allocates memory for a TREE_BOOT_SERVICE_CAPABILITY
structure and sets the size field to the size of the structure allocated.
The callee fills in the fields with the EFI protocol capability information
and the current TrEE state information up to the number of fields which
fit within the size of the structure passed in.
@retval EFI_SUCCESS Operation completed successfully.
@retval EFI_DEVICE_ERROR The command was unsuccessful.
The ProtocolCapability variable will not be populated.
@retval EFI_INVALID_PARAMETER One or more of the parameters are incorrect.
The ProtocolCapability variable will not be populated.
@retval EFI_BUFFER_TOO_SMALL The ProtocolCapability variable is too small to hold the full response.
It will be partially populated (required Size field will be set).
**/
EFI_STATUS
EFIAPI
TreeGetCapability (
IN EFI_TREE_PROTOCOL *This,
IN OUT TREE_BOOT_SERVICE_CAPABILITY *ProtocolCapability
)
{
DEBUG ((EFI_D_INFO, "TreeGetCapability ...\n"));
if ((This == NULL) || (ProtocolCapability == NULL)) {
return EFI_INVALID_PARAMETER;
}
if (ProtocolCapability->Size < mTcgDxeData.BsCap.Size) {
ProtocolCapability->Size = mTcgDxeData.BsCap.Size;
return EFI_BUFFER_TOO_SMALL;
}
CopyMem (ProtocolCapability, &mTcgDxeData.BsCap, mTcgDxeData.BsCap.Size);
DEBUG ((EFI_D_INFO, "TreeGetCapability - %r\n", EFI_SUCCESS));
return EFI_SUCCESS;
}
/**
This function dump event log.
@param[in] EventLogFormat The type of the event log for which the information is requested.
@param[in] EventLogLocation A pointer to the memory address of the event log.
@param[in] EventLogLastEntry If the Event Log contains more than one entry, this is a pointer to the
address of the start of the last entry in the event log in memory.
**/
VOID
DumpEventLog (
IN TREE_EVENT_LOG_FORMAT EventLogFormat,
IN EFI_PHYSICAL_ADDRESS EventLogLocation,
IN EFI_PHYSICAL_ADDRESS EventLogLastEntry
)
{
TCG_PCR_EVENT_HDR *EventHdr;
UINTN Index;
DEBUG ((EFI_D_INFO, "EventLogFormat: (0x%x)\n", EventLogFormat));
switch (EventLogFormat) {
case TREE_EVENT_LOG_FORMAT_TCG_1_2:
EventHdr = (TCG_PCR_EVENT_HDR *)(UINTN)EventLogLocation;
while ((UINTN)EventHdr <= EventLogLastEntry) {
DEBUG ((EFI_D_INFO, " Event:\n"));
DEBUG ((EFI_D_INFO, " PCRIndex - %d\n", EventHdr->PCRIndex));
DEBUG ((EFI_D_INFO, " EventType - 0x%08x\n", EventHdr->EventType));
DEBUG ((EFI_D_INFO, " Digest - "));
for (Index = 0; Index < sizeof(TCG_DIGEST); Index++) {
DEBUG ((EFI_D_INFO, "%02x ", EventHdr->Digest.digest[Index]));
}
DEBUG ((EFI_D_INFO, "\n"));
DEBUG ((EFI_D_INFO, " EventSize - 0x%08x\n", EventHdr->EventSize));
InternalDumpHex ((UINT8 *)(EventHdr + 1), EventHdr->EventSize);
EventHdr = (TCG_PCR_EVENT_HDR *)((UINTN)EventHdr + sizeof(TCG_PCR_EVENT_HDR) + EventHdr->EventSize);
}
break;
}
return ;
}
/**
The EFI_TREE_PROTOCOL Get Event Log function call allows a caller to
retrieve the address of a given event log and its last entry.
@param[in] This Indicates the calling context
@param[in] EventLogFormat The type of the event log for which the information is requested.
@param[out] EventLogLocation A pointer to the memory address of the event log.
@param[out] EventLogLastEntry If the Event Log contains more than one entry, this is a pointer to the
address of the start of the last entry in the event log in memory.
@param[out] EventLogTruncated If the Event Log is missing at least one entry because an event would
have exceeded the area allocated for events, this value is set to TRUE.
Otherwise, the value will be FALSE and the Event Log will be complete.
@retval EFI_SUCCESS Operation completed successfully.
@retval EFI_INVALID_PARAMETER One or more of the parameters are incorrect
(e.g. asking for an event log whose format is not supported).
**/
EFI_STATUS
EFIAPI
TreeGetEventLog (
IN EFI_TREE_PROTOCOL *This,
IN TREE_EVENT_LOG_FORMAT EventLogFormat,
OUT EFI_PHYSICAL_ADDRESS *EventLogLocation,
OUT EFI_PHYSICAL_ADDRESS *EventLogLastEntry,
OUT BOOLEAN *EventLogTruncated
)
{
UINTN Index;
DEBUG ((EFI_D_INFO, "TreeGetEventLog ...\n"));
if (This == NULL) {
return EFI_INVALID_PARAMETER;
}
for (Index = 0; Index < sizeof(mTreeEventInfo)/sizeof(mTreeEventInfo[0]); Index++) {
if (EventLogFormat == mTreeEventInfo[Index].LogFormat) {
break;
}
}
if (Index == sizeof(mTreeEventInfo)/sizeof(mTreeEventInfo[0])) {
return EFI_INVALID_PARAMETER;
}
if (!mTcgDxeData.BsCap.TrEEPresentFlag) {
if (EventLogLocation != NULL) {
*EventLogLocation = 0;
}
if (EventLogLastEntry != NULL) {
*EventLogLastEntry = 0;
}
if (EventLogTruncated != NULL) {
*EventLogTruncated = FALSE;
}
return EFI_SUCCESS;
}
if (EventLogLocation != NULL) {
*EventLogLocation = mTcgDxeData.EventLogAreaStruct[Index].Lasa;
DEBUG ((EFI_D_INFO, "TreeGetEventLog (EventLogLocation - %x)\n", *EventLogLocation));
}
if (EventLogLastEntry != NULL) {
if (!mTcgDxeData.EventLogAreaStruct[Index].EventLogStarted) {
*EventLogLastEntry = (EFI_PHYSICAL_ADDRESS)(UINTN)0;
} else {
*EventLogLastEntry = (EFI_PHYSICAL_ADDRESS)(UINTN)mTcgDxeData.EventLogAreaStruct[Index].LastEvent;
}
DEBUG ((EFI_D_INFO, "TreeGetEventLog (EventLogLastEntry - %x)\n", *EventLogLastEntry));
}
if (EventLogTruncated != NULL) {
*EventLogTruncated = mTcgDxeData.EventLogAreaStruct[Index].EventLogTruncated;
DEBUG ((EFI_D_INFO, "TreeGetEventLog (EventLogTruncated - %x)\n", *EventLogTruncated));
}
DEBUG ((EFI_D_INFO, "TreeGetEventLog - %r\n", EFI_SUCCESS));
// Dump Event Log for debug purpose
if ((EventLogLocation != NULL) && (EventLogLastEntry != NULL)) {
DumpEventLog (EventLogFormat, *EventLogLocation, *EventLogLastEntry);
}
return EFI_SUCCESS;
}
/**
Add a new entry to the Event Log.
@param[in, out] EventLogPtr Pointer to the Event Log data.
@param[in, out] LogSize Size of the Event Log.
@param[in] MaxSize Maximum size of the Event Log.
@param[in] NewEventHdr Pointer to a TCG_PCR_EVENT_HDR/TCG_PCR_EVENT_EX data structure.
@param[in] NewEventHdrSize New event header size.
@param[in] NewEventData Pointer to the new event data.
@param[in] NewEventSize New event data size.
@retval EFI_SUCCESS The new event log entry was added.
@retval EFI_OUT_OF_RESOURCES No enough memory to log the new event.
**/
EFI_STATUS
TcgCommLogEvent (
IN OUT UINT8 **EventLogPtr,
IN OUT UINTN *LogSize,
IN UINTN MaxSize,
IN VOID *NewEventHdr,
IN UINT32 NewEventHdrSize,
IN UINT8 *NewEventData,
IN UINT32 NewEventSize
)
{
UINTN NewLogSize;
if (NewEventSize > MAX_ADDRESS - NewEventHdrSize) {
return EFI_OUT_OF_RESOURCES;
}
NewLogSize = NewEventHdrSize + NewEventSize;
if (NewLogSize > MAX_ADDRESS - *LogSize) {
return EFI_OUT_OF_RESOURCES;
}
if (NewLogSize + *LogSize > MaxSize) {
DEBUG ((EFI_D_INFO, " MaxSize - 0x%x\n", MaxSize));
DEBUG ((EFI_D_INFO, " NewLogSize - 0x%x\n", NewLogSize));
DEBUG ((EFI_D_INFO, " LogSize - 0x%x\n", *LogSize));
DEBUG ((EFI_D_INFO, "TcgCommLogEvent - %r\n", EFI_OUT_OF_RESOURCES));
return EFI_OUT_OF_RESOURCES;
}
*EventLogPtr += *LogSize;
*LogSize += NewLogSize;
CopyMem (*EventLogPtr, NewEventHdr, NewEventHdrSize);
CopyMem (
*EventLogPtr + NewEventHdrSize,
NewEventData,
NewEventSize
);
return EFI_SUCCESS;
}
/**
Add a new entry to the Event Log.
@param[in] EventLogFormat The type of the event log for which the information is requested.
@param[in] NewEventHdr Pointer to a TCG_PCR_EVENT_HDR/TCG_PCR_EVENT_EX data structure.
@param[in] NewEventHdrSize New event header size.
@param[in] NewEventData Pointer to the new event data.
@param[in] NewEventSize New event data size.
@retval EFI_SUCCESS The new event log entry was added.
@retval EFI_OUT_OF_RESOURCES No enough memory to log the new event.
**/
EFI_STATUS
TcgDxeLogEvent (
IN TREE_EVENT_LOG_FORMAT EventLogFormat,
IN VOID *NewEventHdr,
IN UINT32 NewEventHdrSize,
IN UINT8 *NewEventData,
IN UINT32 NewEventSize
)
{
EFI_STATUS Status;
UINTN Index;
for (Index = 0; Index < sizeof(mTreeEventInfo)/sizeof(mTreeEventInfo[0]); Index++) {
if (EventLogFormat == mTreeEventInfo[Index].LogFormat) {
break;
}
}
if (Index == sizeof(mTreeEventInfo)/sizeof(mTreeEventInfo[0])) {
return EFI_INVALID_PARAMETER;
}
if (mTcgDxeData.EventLogAreaStruct[Index].EventLogTruncated) {
return EFI_VOLUME_FULL;
}
mTcgDxeData.EventLogAreaStruct[Index].LastEvent = (UINT8*)(UINTN)mTcgDxeData.EventLogAreaStruct[Index].Lasa;
Status = TcgCommLogEvent (
&mTcgDxeData.EventLogAreaStruct[Index].LastEvent,
&mTcgDxeData.EventLogAreaStruct[Index].EventLogSize,
(UINTN)mTcgDxeData.EventLogAreaStruct[Index].Laml,
NewEventHdr,
NewEventHdrSize,
NewEventData,
NewEventSize
);
if (Status == EFI_DEVICE_ERROR) {
return EFI_DEVICE_ERROR;
} else if (Status == EFI_OUT_OF_RESOURCES) {
mTcgDxeData.EventLogAreaStruct[Index].EventLogTruncated = TRUE;
return EFI_VOLUME_FULL;
} else if (Status == EFI_SUCCESS) {
mTcgDxeData.EventLogAreaStruct[Index].EventLogStarted = TRUE;
}
return Status;
}
/**
This function get digest from digest list.
@param HashAlg digest algorithm
@param DigestList digest list
@param Digest digest
@retval EFI_SUCCESS Sha1Digest is found and returned.
@retval EFI_NOT_FOUND Sha1Digest is not found.
**/
EFI_STATUS
Tpm2GetDigestFromDigestList (
IN TPMI_ALG_HASH HashAlg,
IN TPML_DIGEST_VALUES *DigestList,
IN VOID *Digest
)
{
UINTN Index;
UINT16 DigestSize;
DigestSize = GetHashSizeFromAlgo (HashAlg);
for (Index = 0; Index < DigestList->count; Index++) {
if (DigestList->digests[Index].hashAlg == HashAlg) {
CopyMem (
Digest,
&DigestList->digests[Index].digest,
DigestSize
);
return EFI_SUCCESS;
}
}
return EFI_NOT_FOUND;
}
/**
Add a new entry to the Event Log.
@param[in] DigestList A list of digest.
@param[in,out] NewEventHdr Pointer to a TCG_PCR_EVENT_HDR data structure.
@param[in] NewEventData Pointer to the new event data.
@retval EFI_SUCCESS The new event log entry was added.
@retval EFI_OUT_OF_RESOURCES No enough memory to log the new event.
**/
EFI_STATUS
TcgDxeLogHashEvent (
IN TPML_DIGEST_VALUES *DigestList,
IN OUT TCG_PCR_EVENT_HDR *NewEventHdr,
IN UINT8 *NewEventData
)
{
EFI_STATUS Status;
EFI_TPL OldTpl;
UINTN Index;
EFI_STATUS RetStatus;
RetStatus = EFI_SUCCESS;
for (Index = 0; Index < sizeof(mTreeEventInfo)/sizeof(mTreeEventInfo[0]); Index++) {
DEBUG ((EFI_D_INFO, " LogFormat - 0x%08x\n", mTreeEventInfo[Index].LogFormat));
switch (mTreeEventInfo[Index].LogFormat) {
case TREE_EVENT_LOG_FORMAT_TCG_1_2:
Status = Tpm2GetDigestFromDigestList (TPM_ALG_SHA1, DigestList, &NewEventHdr->Digest);
if (!EFI_ERROR (Status)) {
//
// Enter critical region
//
OldTpl = gBS->RaiseTPL (TPL_HIGH_LEVEL);
Status = TcgDxeLogEvent (
mTreeEventInfo[Index].LogFormat,
NewEventHdr,
sizeof(TCG_PCR_EVENT_HDR),
NewEventData,
NewEventHdr->EventSize
);
if (Status != EFI_SUCCESS) {
RetStatus = Status;
}
gBS->RestoreTPL (OldTpl);
//
// Exit critical region
//
}
break;
}
}
return RetStatus;
}
/**
Do a hash operation on a data buffer, extend a specific TPM PCR with the hash result,
and add an entry to the Event Log.
@param[in] Flags Bitmap providing additional information.
@param[in] HashData Physical address of the start of the data buffer
to be hashed, extended, and logged.
@param[in] HashDataLen The length, in bytes, of the buffer referenced by HashData
@param[in, out] NewEventHdr Pointer to a TCG_PCR_EVENT_HDR data structure.
@param[in] NewEventData Pointer to the new event data.
@retval EFI_SUCCESS Operation completed successfully.
@retval EFI_OUT_OF_RESOURCES No enough memory to log the new event.
@retval EFI_DEVICE_ERROR The command was unsuccessful.
**/
EFI_STATUS
TcgDxeHashLogExtendEvent (
IN UINT64 Flags,
IN UINT8 *HashData,
IN UINT64 HashDataLen,
IN OUT TCG_PCR_EVENT_HDR *NewEventHdr,
IN UINT8 *NewEventData
)
{
EFI_STATUS Status;
TPML_DIGEST_VALUES DigestList;
if (!mTcgDxeData.BsCap.TrEEPresentFlag) {
return EFI_DEVICE_ERROR;
}
Status = HashAndExtend (
NewEventHdr->PCRIndex,
HashData,
(UINTN)HashDataLen,
&DigestList
);
if (!EFI_ERROR (Status)) {
if ((Flags & TREE_EXTEND_ONLY) == 0) {
Status = TcgDxeLogHashEvent (&DigestList, NewEventHdr, NewEventData);
}
}
if (Status == EFI_DEVICE_ERROR) {
DEBUG ((EFI_D_ERROR, "TcgDxeHashLogExtendEvent - %r. Disable TPM.\n", Status));
mTcgDxeData.BsCap.TrEEPresentFlag = FALSE;
REPORT_STATUS_CODE (
EFI_ERROR_CODE | EFI_ERROR_MINOR,
(PcdGet32 (PcdStatusCodeSubClassTpmDevice) | EFI_P_EC_INTERFACE_ERROR)
);
}
return Status;
}
/**
The EFI_TREE_PROTOCOL HashLogExtendEvent function call provides callers with
an opportunity to extend and optionally log events without requiring
knowledge of actual TPM commands.
The extend operation will occur even if this function cannot create an event
log entry (e.g. due to the event log being full).
@param[in] This Indicates the calling context
@param[in] Flags Bitmap providing additional information.
@param[in] DataToHash Physical address of the start of the data buffer to be hashed.
@param[in] DataToHashLen The length in bytes of the buffer referenced by DataToHash.
@param[in] Event Pointer to data buffer containing information about the event.
@retval EFI_SUCCESS Operation completed successfully.
@retval EFI_DEVICE_ERROR The command was unsuccessful.
@retval EFI_VOLUME_FULL The extend operation occurred, but the event could not be written to one or more event logs.
@retval EFI_INVALID_PARAMETER One or more of the parameters are incorrect.
@retval EFI_UNSUPPORTED The PE/COFF image type is not supported.
**/
EFI_STATUS
EFIAPI
TreeHashLogExtendEvent (
IN EFI_TREE_PROTOCOL *This,
IN UINT64 Flags,
IN EFI_PHYSICAL_ADDRESS DataToHash,
IN UINT64 DataToHashLen,
IN TrEE_EVENT *Event
)
{
EFI_STATUS Status;
TCG_PCR_EVENT_HDR NewEventHdr;
TPML_DIGEST_VALUES DigestList;
DEBUG ((EFI_D_INFO, "TreeHashLogExtendEvent ...\n"));
if ((This == NULL) || (DataToHash == 0) || (Event == NULL)) {
return EFI_INVALID_PARAMETER;
}
if (!mTcgDxeData.BsCap.TrEEPresentFlag) {
return EFI_UNSUPPORTED;
}
if (Event->Size < Event->Header.HeaderSize + sizeof(UINT32)) {
return EFI_INVALID_PARAMETER;
}
if (Event->Header.PCRIndex > MAX_PCR_INDEX) {
return EFI_INVALID_PARAMETER;
}
NewEventHdr.PCRIndex = Event->Header.PCRIndex;
NewEventHdr.EventType = Event->Header.EventType;
NewEventHdr.EventSize = Event->Size - sizeof(UINT32) - Event->Header.HeaderSize;
if ((Flags & PE_COFF_IMAGE) != 0) {
Status = MeasurePeImageAndExtend (
NewEventHdr.PCRIndex,
DataToHash,
(UINTN)DataToHashLen,
&DigestList
);
if (!EFI_ERROR (Status)) {
if ((Flags & TREE_EXTEND_ONLY) == 0) {
Status = TcgDxeLogHashEvent (&DigestList, &NewEventHdr, Event->Event);
}
}
if (Status == EFI_DEVICE_ERROR) {
DEBUG ((EFI_D_ERROR, "MeasurePeImageAndExtend - %r. Disable TPM.\n", Status));
mTcgDxeData.BsCap.TrEEPresentFlag = FALSE;
REPORT_STATUS_CODE (
EFI_ERROR_CODE | EFI_ERROR_MINOR,
(PcdGet32 (PcdStatusCodeSubClassTpmDevice) | EFI_P_EC_INTERFACE_ERROR)
);
}
} else {
Status = TcgDxeHashLogExtendEvent (
Flags,
(UINT8 *) (UINTN) DataToHash,
DataToHashLen,
&NewEventHdr,
Event->Event
);
}
DEBUG ((EFI_D_INFO, "TreeHashLogExtendEvent - %r\n", Status));
return Status;
}
/**
This service enables the sending of commands to the TrEE.
@param[in] This Indicates the calling context
@param[in] InputParameterBlockSize Size of the TrEE input parameter block.
@param[in] InputParameterBlock Pointer to the TrEE input parameter block.
@param[in] OutputParameterBlockSize Size of the TrEE output parameter block.
@param[in] OutputParameterBlock Pointer to the TrEE output parameter block.
@retval EFI_SUCCESS The command byte stream was successfully sent to the device and a response was successfully received.
@retval EFI_DEVICE_ERROR The command was not successfully sent to the device or a response was not successfully received from the device.
@retval EFI_INVALID_PARAMETER One or more of the parameters are incorrect.
@retval EFI_BUFFER_TOO_SMALL The output parameter block is too small.
**/
EFI_STATUS
EFIAPI
TreeSubmitCommand (
IN EFI_TREE_PROTOCOL *This,
IN UINT32 InputParameterBlockSize,
IN UINT8 *InputParameterBlock,
IN UINT32 OutputParameterBlockSize,
IN UINT8 *OutputParameterBlock
)
{
EFI_STATUS Status;
DEBUG ((EFI_D_INFO, "TreeSubmitCommand ...\n"));
if ((This == NULL) ||
(InputParameterBlockSize == 0) || (InputParameterBlock == NULL) ||
(OutputParameterBlockSize == 0) || (OutputParameterBlock == NULL)) {
return EFI_INVALID_PARAMETER;
}
if (!mTcgDxeData.BsCap.TrEEPresentFlag) {
return EFI_UNSUPPORTED;
}
if (InputParameterBlockSize >= mTcgDxeData.BsCap.MaxCommandSize) {
return EFI_INVALID_PARAMETER;
}
if (OutputParameterBlockSize >= mTcgDxeData.BsCap.MaxResponseSize) {
return EFI_INVALID_PARAMETER;
}
Status = Tpm2SubmitCommand (
InputParameterBlockSize,
InputParameterBlock,
&OutputParameterBlockSize,
OutputParameterBlock
);
DEBUG ((EFI_D_INFO, "TreeSubmitCommand - %r\n", Status));
return Status;
}
EFI_TREE_PROTOCOL mTreeProtocol = {
TreeGetCapability,
TreeGetEventLog,
TreeHashLogExtendEvent,
TreeSubmitCommand
};
/**
Initialize the Event Log and log events passed from the PEI phase.
@retval EFI_SUCCESS Operation completed successfully.
@retval EFI_OUT_OF_RESOURCES Out of memory.
**/
EFI_STATUS
SetupEventLog (
VOID
)
{
EFI_STATUS Status;
VOID *TcgEvent;
EFI_PEI_HOB_POINTERS GuidHob;
EFI_PHYSICAL_ADDRESS Lasa;
UINTN Index;
DEBUG ((EFI_D_INFO, "SetupEventLog\n"));
//
// 1. Create Log Area
//
for (Index = 0; Index < sizeof(mTreeEventInfo)/sizeof(mTreeEventInfo[0]); Index++) {
mTcgDxeData.EventLogAreaStruct[Index].EventLogFormat = mTreeEventInfo[Index].LogFormat;
Lasa = (EFI_PHYSICAL_ADDRESS) (SIZE_4GB - 1);
Status = gBS->AllocatePages (
AllocateMaxAddress,
EfiACPIMemoryNVS,
EFI_SIZE_TO_PAGES (EFI_TCG_LOG_AREA_SIZE),
&Lasa
);
if (EFI_ERROR (Status)) {
return Status;
}
mTcgDxeData.EventLogAreaStruct[Index].Lasa = Lasa;
mTcgDxeData.EventLogAreaStruct[Index].Laml = EFI_TCG_LOG_AREA_SIZE;
//
// To initialize them as 0xFF is recommended
// because the OS can know the last entry for that.
//
SetMem ((VOID *)(UINTN)Lasa, EFI_TCG_LOG_AREA_SIZE, 0xFF);
}
//
// 2. Create ACPI table for TCG1.2 only
//
if (PcdGet8 (PcdTpmPlatformClass) == TCG_PLATFORM_TYPE_CLIENT) {
mTcgClientAcpiTemplate.Lasa = mTcgDxeData.EventLogAreaStruct[0].Lasa;
mTcgClientAcpiTemplate.Laml = EFI_TCG_LOG_AREA_SIZE;
} else {
mTcgServerAcpiTemplate.Lasa = mTcgDxeData.EventLogAreaStruct[0].Lasa;
mTcgServerAcpiTemplate.Laml = EFI_TCG_LOG_AREA_SIZE;
}
//
// 3. Sync data from PEI to DXE
//
Status = EFI_SUCCESS;
for (Index = 0; Index < sizeof(mTreeEventInfo)/sizeof(mTreeEventInfo[0]); Index++) {
GuidHob.Raw = GetHobList ();
Status = EFI_SUCCESS;
while (!EFI_ERROR (Status) &&
(GuidHob.Raw = GetNextGuidHob (mTreeEventInfo[Index].EventGuid, GuidHob.Raw)) != NULL) {
TcgEvent = GET_GUID_HOB_DATA (GuidHob.Guid);
GuidHob.Raw = GET_NEXT_HOB (GuidHob);
switch (mTreeEventInfo[Index].LogFormat) {
case TREE_EVENT_LOG_FORMAT_TCG_1_2:
Status = TcgDxeLogEvent (
mTreeEventInfo[Index].LogFormat,
TcgEvent,
sizeof(TCG_PCR_EVENT_HDR),
((TCG_PCR_EVENT*)TcgEvent)->Event,
((TCG_PCR_EVENT_HDR*)TcgEvent)->EventSize
);
break;
}
}
}
return Status;
}
/**
Measure and log an action string, and extend the measurement result into PCR[5].
@param[in] String A specific string that indicates an Action event.
@retval EFI_SUCCESS Operation completed successfully.
@retval EFI_DEVICE_ERROR The operation was unsuccessful.
**/
EFI_STATUS
TcgMeasureAction (
IN CHAR8 *String
)
{
TCG_PCR_EVENT_HDR TcgEvent;
TcgEvent.PCRIndex = 5;
TcgEvent.EventType = EV_EFI_ACTION;
TcgEvent.EventSize = (UINT32)AsciiStrLen (String);
return TcgDxeHashLogExtendEvent (
0,
(UINT8*)String,
TcgEvent.EventSize,
&TcgEvent,
(UINT8 *) String
);
}
/**
Measure and log EFI handoff tables, and extend the measurement result into PCR[1].
@retval EFI_SUCCESS Operation completed successfully.
@retval EFI_DEVICE_ERROR The operation was unsuccessful.
**/
EFI_STATUS
MeasureHandoffTables (
VOID
)
{
EFI_STATUS Status;
SMBIOS_TABLE_ENTRY_POINT *SmbiosTable;
TCG_PCR_EVENT_HDR TcgEvent;
EFI_HANDOFF_TABLE_POINTERS HandoffTables;
UINTN ProcessorNum;
EFI_CPU_PHYSICAL_LOCATION *ProcessorLocBuf;
ProcessorLocBuf = NULL;
//
// Measure SMBIOS with EV_EFI_HANDOFF_TABLES to PCR[1]
//
Status = EfiGetSystemConfigurationTable (
&gEfiSmbiosTableGuid,
(VOID **) &SmbiosTable
);
if (!EFI_ERROR (Status) && SmbiosTable != NULL) {
TcgEvent.PCRIndex = 1;
TcgEvent.EventType = EV_EFI_HANDOFF_TABLES;
TcgEvent.EventSize = sizeof (HandoffTables);
HandoffTables.NumberOfTables = 1;
HandoffTables.TableEntry[0].VendorGuid = gEfiSmbiosTableGuid;
HandoffTables.TableEntry[0].VendorTable = SmbiosTable;
DEBUG ((DEBUG_INFO, "The Smbios Table starts at: 0x%x\n", SmbiosTable->TableAddress));
DEBUG ((DEBUG_INFO, "The Smbios Table size: 0x%x\n", SmbiosTable->TableLength));
Status = TcgDxeHashLogExtendEvent (
0,
(UINT8*)(UINTN)SmbiosTable->TableAddress,
SmbiosTable->TableLength,
&TcgEvent,
(UINT8*)&HandoffTables
);
}
if (PcdGet8 (PcdTpmPlatformClass) == TCG_PLATFORM_TYPE_SERVER) {
//
// Tcg Server spec.
// Measure each processor EFI_CPU_PHYSICAL_LOCATION with EV_TABLE_OF_DEVICES to PCR[1]
//
Status = GetProcessorsCpuLocation(&ProcessorLocBuf, &ProcessorNum);
if (!EFI_ERROR(Status)){
TcgEvent.PCRIndex = 1;
TcgEvent.EventType = EV_TABLE_OF_DEVICES;
TcgEvent.EventSize = sizeof (HandoffTables);
HandoffTables.NumberOfTables = 1;
HandoffTables.TableEntry[0].VendorGuid = gEfiMpServiceProtocolGuid;
HandoffTables.TableEntry[0].VendorTable = ProcessorLocBuf;
Status = TcgDxeHashLogExtendEvent (
0,
(UINT8*)(UINTN)ProcessorLocBuf,
sizeof(EFI_CPU_PHYSICAL_LOCATION) * ProcessorNum,
&TcgEvent,
(UINT8*)&HandoffTables
);
FreePool(ProcessorLocBuf);
}
}
return Status;
}
/**
Measure and log Separator event, and extend the measurement result into a specific PCR.
@param[in] PCRIndex PCR index.
@retval EFI_SUCCESS Operation completed successfully.
@retval EFI_DEVICE_ERROR The operation was unsuccessful.
**/
EFI_STATUS
MeasureSeparatorEvent (
IN TPM_PCRINDEX PCRIndex
)
{
TCG_PCR_EVENT_HDR TcgEvent;
UINT32 EventData;
DEBUG ((EFI_D_INFO, "MeasureSeparatorEvent Pcr - %x\n", PCRIndex));
EventData = 0;
TcgEvent.PCRIndex = PCRIndex;
TcgEvent.EventType = EV_SEPARATOR;
TcgEvent.EventSize = (UINT32)sizeof (EventData);
return TcgDxeHashLogExtendEvent (
0,
(UINT8 *)&EventData,
sizeof (EventData),
&TcgEvent,
(UINT8 *)&EventData
);
}
/**
Measure and log an EFI variable, and extend the measurement result into a specific PCR.
@param[in] PCRIndex PCR Index.
@param[in] EventType Event type.
@param[in] VarName A Null-terminated string that is the name of the vendor's variable.
@param[in] VendorGuid A unique identifier for the vendor.
@param[in] VarData The content of the variable data.
@param[in] VarSize The size of the variable data.
@retval EFI_SUCCESS Operation completed successfully.
@retval EFI_OUT_OF_RESOURCES Out of memory.
@retval EFI_DEVICE_ERROR The operation was unsuccessful.
**/
EFI_STATUS
MeasureVariable (
IN TPM_PCRINDEX PCRIndex,
IN TCG_EVENTTYPE EventType,
IN CHAR16 *VarName,
IN EFI_GUID *VendorGuid,
IN VOID *VarData,
IN UINTN VarSize
)
{
EFI_STATUS Status;
TCG_PCR_EVENT_HDR TcgEvent;
UINTN VarNameLength;
EFI_VARIABLE_DATA_TREE *VarLog;
DEBUG ((EFI_D_INFO, "TrEEDxe: MeasureVariable (Pcr - %x, EventType - %x, ", (UINTN)PCRIndex, (UINTN)EventType));
DEBUG ((EFI_D_INFO, "VariableName - %s, VendorGuid - %g)\n", VarName, VendorGuid));
VarNameLength = StrLen (VarName);
TcgEvent.PCRIndex = PCRIndex;
TcgEvent.EventType = EventType;
TcgEvent.EventSize = (UINT32)(sizeof (*VarLog) + VarNameLength * sizeof (*VarName) + VarSize
- sizeof (VarLog->UnicodeName) - sizeof (VarLog->VariableData));
VarLog = (EFI_VARIABLE_DATA_TREE*)AllocatePool (TcgEvent.EventSize);
if (VarLog == NULL) {
return EFI_OUT_OF_RESOURCES;
}
VarLog->VariableName = *VendorGuid;
VarLog->UnicodeNameLength = VarNameLength;
VarLog->VariableDataLength = VarSize;
CopyMem (
VarLog->UnicodeName,
VarName,
VarNameLength * sizeof (*VarName)
);
if (VarSize != 0 && VarData != NULL) {
CopyMem (
(CHAR16 *)VarLog->UnicodeName + VarNameLength,
VarData,
VarSize
);
}
if (EventType == EV_EFI_VARIABLE_DRIVER_CONFIG) {
//
// Digest is the event data (EFI_VARIABLE_DATA_TREE)
//
Status = TcgDxeHashLogExtendEvent (
0,
(UINT8*)VarLog,
TcgEvent.EventSize,
&TcgEvent,
(UINT8*)VarLog
);
} else {
Status = TcgDxeHashLogExtendEvent (
0,
(UINT8*)VarData,
VarSize,
&TcgEvent,
(UINT8*)VarLog
);
}
FreePool (VarLog);
return Status;
}
/**
Read then Measure and log an EFI variable, and extend the measurement result into a specific PCR.
@param[in] PCRIndex PCR Index.
@param[in] EventType Event type.
@param[in] VarName A Null-terminated string that is the name of the vendor's variable.
@param[in] VendorGuid A unique identifier for the vendor.
@param[out] VarSize The size of the variable data.
@param[out] VarData Pointer to the content of the variable.
@retval EFI_SUCCESS Operation completed successfully.
@retval EFI_OUT_OF_RESOURCES Out of memory.
@retval EFI_DEVICE_ERROR The operation was unsuccessful.
**/
EFI_STATUS
ReadAndMeasureVariable (
IN TPM_PCRINDEX PCRIndex,
IN TCG_EVENTTYPE EventType,
IN CHAR16 *VarName,
IN EFI_GUID *VendorGuid,
OUT UINTN *VarSize,
OUT VOID **VarData
)
{
EFI_STATUS Status;
Status = GetVariable2 (VarName, VendorGuid, VarData, VarSize);
if (EventType == EV_EFI_VARIABLE_DRIVER_CONFIG) {
if (EFI_ERROR (Status)) {
//
// It is valid case, so we need handle it.
//
*VarData = NULL;
*VarSize = 0;
}
} else {
//
// if status error, VarData is freed and set NULL by GetVariable2
//
if (EFI_ERROR (Status)) {
return EFI_NOT_FOUND;
}
}
Status = MeasureVariable (
PCRIndex,
EventType,
VarName,
VendorGuid,
*VarData,
*VarSize
);
return Status;
}
/**
Read then Measure and log an EFI boot variable, and extend the measurement result into PCR[5].
@param[in] VarName A Null-terminated string that is the name of the vendor's variable.
@param[in] VendorGuid A unique identifier for the vendor.
@param[out] VarSize The size of the variable data.
@param[out] VarData Pointer to the content of the variable.
@retval EFI_SUCCESS Operation completed successfully.
@retval EFI_OUT_OF_RESOURCES Out of memory.
@retval EFI_DEVICE_ERROR The operation was unsuccessful.
**/
EFI_STATUS
ReadAndMeasureBootVariable (
IN CHAR16 *VarName,
IN EFI_GUID *VendorGuid,
OUT UINTN *VarSize,
OUT VOID **VarData
)
{
return ReadAndMeasureVariable (
5,
EV_EFI_VARIABLE_BOOT,
VarName,
VendorGuid,
VarSize,
VarData
);
}
/**
Read then Measure and log an EFI Secure variable, and extend the measurement result into PCR[7].
@param[in] VarName A Null-terminated string that is the name of the vendor's variable.
@param[in] VendorGuid A unique identifier for the vendor.
@param[out] VarSize The size of the variable data.
@param[out] VarData Pointer to the content of the variable.
@retval EFI_SUCCESS Operation completed successfully.
@retval EFI_OUT_OF_RESOURCES Out of memory.
@retval EFI_DEVICE_ERROR The operation was unsuccessful.
**/
EFI_STATUS
ReadAndMeasureSecureVariable (
IN CHAR16 *VarName,
IN EFI_GUID *VendorGuid,
OUT UINTN *VarSize,
OUT VOID **VarData
)
{
return ReadAndMeasureVariable (
7,
EV_EFI_VARIABLE_DRIVER_CONFIG,
VarName,
VendorGuid,
VarSize,
VarData
);
}
/**
Measure and log all EFI boot variables, and extend the measurement result into a specific PCR.
The EFI boot variables are BootOrder and Boot#### variables.
@retval EFI_SUCCESS Operation completed successfully.
@retval EFI_OUT_OF_RESOURCES Out of memory.
@retval EFI_DEVICE_ERROR The operation was unsuccessful.
**/
EFI_STATUS
MeasureAllBootVariables (
VOID
)
{
EFI_STATUS Status;
UINT16 *BootOrder;
UINTN BootCount;
UINTN Index;
VOID *BootVarData;
UINTN Size;
Status = ReadAndMeasureBootVariable (
mBootVarName,
&gEfiGlobalVariableGuid,
&BootCount,
(VOID **) &BootOrder
);
if (Status == EFI_NOT_FOUND || BootOrder == NULL) {
return EFI_SUCCESS;
}
if (EFI_ERROR (Status)) {
//
// BootOrder can't be NULL if status is not EFI_NOT_FOUND
//
FreePool (BootOrder);
return Status;
}
BootCount /= sizeof (*BootOrder);
for (Index = 0; Index < BootCount; Index++) {
UnicodeSPrint (mBootVarName, sizeof (mBootVarName), L"Boot%04x", BootOrder[Index]);
Status = ReadAndMeasureBootVariable (
mBootVarName,
&gEfiGlobalVariableGuid,
&Size,
&BootVarData
);
if (!EFI_ERROR (Status)) {
FreePool (BootVarData);
}
}
FreePool (BootOrder);
return EFI_SUCCESS;
}
/**
Measure and log all EFI Secure variables, and extend the measurement result into a specific PCR.
The EFI boot variables are BootOrder and Boot#### variables.
@retval EFI_SUCCESS Operation completed successfully.
@retval EFI_OUT_OF_RESOURCES Out of memory.
@retval EFI_DEVICE_ERROR The operation was unsuccessful.
**/
EFI_STATUS
MeasureAllSecureVariables (
VOID
)
{
EFI_STATUS Status;
VOID *Data;
UINTN DataSize;
UINTN Index;
Status = EFI_NOT_FOUND;
for (Index = 0; Index < sizeof(mVariableType)/sizeof(mVariableType[0]); Index++) {
Status = ReadAndMeasureSecureVariable (
mVariableType[Index].VariableName,
mVariableType[Index].VendorGuid,
&DataSize,
&Data
);
if (!EFI_ERROR (Status)) {
if (Data != NULL) {
FreePool (Data);
}
}
}
return EFI_SUCCESS;
}
/**
Measure and log launch of FirmwareDebugger, and extend the measurement result into a specific PCR.
@retval EFI_SUCCESS Operation completed successfully.
@retval EFI_OUT_OF_RESOURCES Out of memory.
@retval EFI_DEVICE_ERROR The operation was unsuccessful.
**/
EFI_STATUS
MeasureLaunchOfFirmwareDebugger (
VOID
)
{
TCG_PCR_EVENT_HDR TcgEvent;
TcgEvent.PCRIndex = 7;
TcgEvent.EventType = EV_EFI_ACTION;
TcgEvent.EventSize = sizeof(FIRMWARE_DEBUGGER_EVENT_STRING) - 1;
return TcgDxeHashLogExtendEvent (
0,
(UINT8 *)FIRMWARE_DEBUGGER_EVENT_STRING,
sizeof(FIRMWARE_DEBUGGER_EVENT_STRING) - 1,
&TcgEvent,
(UINT8 *)FIRMWARE_DEBUGGER_EVENT_STRING
);
}
/**
Measure and log all Secure Boot Policy, and extend the measurement result into a specific PCR.
Platform firmware adhering to the policy must therefore measure the following values into PCR[7]: (in order listed)
- The contents of the SecureBoot variable
- The contents of the PK variable
- The contents of the KEK variable
- The contents of the EFI_IMAGE_SECURITY_DATABASE variable
- The contents of the EFI_IMAGE_SECURITY_DATABASE1 variable
- Separator
- Entries in the EFI_IMAGE_SECURITY_DATABASE that are used to validate EFI Drivers or EFI Boot Applications in the boot path
NOTE: Because of the above, UEFI variables PK, KEK, EFI_IMAGE_SECURITY_DATABASE,
EFI_IMAGE_SECURITY_DATABASE1 and SecureBoot SHALL NOT be measured into PCR[3].
@param[in] Event Event whose notification function is being invoked
@param[in] Context Pointer to the notification function's context
**/
VOID
EFIAPI
MeasureSecureBootPolicy (
IN EFI_EVENT Event,
IN VOID *Context
)
{
EFI_STATUS Status;
VOID *Protocol;
Status = gBS->LocateProtocol (&gEfiVariableWriteArchProtocolGuid, NULL, (VOID **)&Protocol);
if (EFI_ERROR (Status)) {
return;
}
if (PcdGetBool (PcdFirmwareDebuggerInitialized)) {
Status = MeasureLaunchOfFirmwareDebugger ();
DEBUG ((EFI_D_INFO, "MeasureLaunchOfFirmwareDebugger - %r\n", Status));
}
Status = MeasureAllSecureVariables ();
DEBUG ((EFI_D_INFO, "MeasureAllSecureVariables - %r\n", Status));
//
// We need measure Separator(7) here, because this event must be between SecureBootPolicy (Configure)
// and ImageVerification (Authority)
// There might be a case that we need measure UEFI image from DriverOrder, besides BootOrder. So
// the Authority measurement happen before ReadToBoot event.
//
Status = MeasureSeparatorEvent (7);
DEBUG ((EFI_D_INFO, "MeasureSeparatorEvent - %r\n", Status));
return ;
}
/**
Ready to Boot Event notification handler.
Sequence of OS boot events is measured in this event notification handler.
@param[in] Event Event whose notification function is being invoked
@param[in] Context Pointer to the notification function's context
**/
VOID
EFIAPI
OnReadyToBoot (
IN EFI_EVENT Event,
IN VOID *Context
)
{
EFI_STATUS Status;
TPM_PCRINDEX PcrIndex;
PERF_START_EX (mImageHandle, "EventRec", "TrEEDxe", 0, PERF_ID_TREE_DXE);
if (mBootAttempts == 0) {
//
// Measure handoff tables.
//
Status = MeasureHandoffTables ();
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "HOBs not Measured. Error!\n"));
}
//
// Measure BootOrder & Boot#### variables.
//
Status = MeasureAllBootVariables ();
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "Boot Variables not Measured. Error!\n"));
}
//
// 1. This is the first boot attempt.
//
Status = TcgMeasureAction (
EFI_CALLING_EFI_APPLICATION
);
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "%s not Measured. Error!\n", EFI_CALLING_EFI_APPLICATION));
}
//
// 2. Draw a line between pre-boot env and entering post-boot env.
// PCR[7] is already done.
//
for (PcrIndex = 0; PcrIndex < 7; PcrIndex++) {
Status = MeasureSeparatorEvent (PcrIndex);
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "Seperator Event not Measured. Error!\n"));
}
}
//
// 3. Measure GPT. It would be done in SAP driver.
//
//
// 4. Measure PE/COFF OS loader. It would be done in SAP driver.
//
//
// 5. Read & Measure variable. BootOrder already measured.
//
} else {
//
// 6. Not first attempt, meaning a return from last attempt
//
Status = TcgMeasureAction (
EFI_RETURNING_FROM_EFI_APPLICATOIN
);
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "%s not Measured. Error!\n", EFI_RETURNING_FROM_EFI_APPLICATOIN));
}
}
DEBUG ((EFI_D_INFO, "TPM2 TrEEDxe Measure Data when ReadyToBoot\n"));
//
// Increase boot attempt counter.
//
mBootAttempts++;
PERF_END_EX (mImageHandle, "EventRec", "TrEEDxe", 0, PERF_ID_TREE_DXE + 1);
}
/**
Install TCG ACPI Table when ACPI Table Protocol is available.
A system's firmware uses an ACPI table to identify the system's TCG capabilities
to the Post-Boot environment. The information in this ACPI table is not guaranteed
to be valid until the Host Platform transitions from pre-boot state to post-boot state.
@param[in] Event Event whose notification function is being invoked
@param[in] Context Pointer to the notification function's context
**/
VOID
EFIAPI
InstallAcpiTable (
IN EFI_EVENT Event,
IN VOID *Context
)
{
UINTN TableKey;
EFI_STATUS Status;
EFI_ACPI_TABLE_PROTOCOL *AcpiTable;
UINT8 Checksum;
UINT64 OemTableId;
Status = gBS->LocateProtocol (&gEfiAcpiTableProtocolGuid, NULL, (VOID **)&AcpiTable);
if (EFI_ERROR (Status)) {
return;
}
if (PcdGet8 (PcdTpmPlatformClass) == TCG_PLATFORM_TYPE_CLIENT) {
CopyMem (mTcgClientAcpiTemplate.Header.OemId, PcdGetPtr (PcdAcpiDefaultOemId), sizeof (mTcgClientAcpiTemplate.Header.OemId));
OemTableId = PcdGet64 (PcdAcpiDefaultOemTableId);
CopyMem (&mTcgClientAcpiTemplate.Header.OemTableId, &OemTableId, sizeof (UINT64));
mTcgClientAcpiTemplate.Header.OemRevision = PcdGet32 (PcdAcpiDefaultOemRevision);
mTcgClientAcpiTemplate.Header.CreatorId = PcdGet32 (PcdAcpiDefaultCreatorId);
mTcgClientAcpiTemplate.Header.CreatorRevision = PcdGet32 (PcdAcpiDefaultCreatorRevision);
//
// The ACPI table must be checksumed before calling the InstallAcpiTable()
// service of the ACPI table protocol to install it.
//
Checksum = CalculateCheckSum8 ((UINT8 *)&mTcgClientAcpiTemplate, sizeof (mTcgClientAcpiTemplate));
mTcgClientAcpiTemplate.Header.Checksum = Checksum;
Status = AcpiTable->InstallAcpiTable (
AcpiTable,
&mTcgClientAcpiTemplate,
sizeof (mTcgClientAcpiTemplate),
&TableKey
);
} else {
CopyMem (mTcgServerAcpiTemplate.Header.OemId, PcdGetPtr (PcdAcpiDefaultOemId), sizeof (mTcgServerAcpiTemplate.Header.OemId));
OemTableId = PcdGet64 (PcdAcpiDefaultOemTableId);
CopyMem (&mTcgServerAcpiTemplate.Header.OemTableId, &OemTableId, sizeof (UINT64));
mTcgServerAcpiTemplate.Header.OemRevision = PcdGet32 (PcdAcpiDefaultOemRevision);
mTcgServerAcpiTemplate.Header.CreatorId = PcdGet32 (PcdAcpiDefaultCreatorId);
mTcgServerAcpiTemplate.Header.CreatorRevision = PcdGet32 (PcdAcpiDefaultCreatorRevision);
//
// The ACPI table must be checksumed before calling the InstallAcpiTable()
// service of the ACPI table protocol to install it.
//
Checksum = CalculateCheckSum8 ((UINT8 *)&mTcgServerAcpiTemplate, sizeof (mTcgServerAcpiTemplate));
mTcgServerAcpiTemplate.Header.Checksum = Checksum;
mTcgServerAcpiTemplate.BaseAddress.Address = PcdGet64 (PcdTpmBaseAddress);
Status = AcpiTable->InstallAcpiTable (
AcpiTable,
&mTcgServerAcpiTemplate,
sizeof (mTcgServerAcpiTemplate),
&TableKey
);
}
if (EFI_ERROR (Status)) {
DEBUG((EFI_D_ERROR, "Tcg Acpi Table installation failure"));
}
}
/**
Exit Boot Services Event notification handler.
Measure invocation and success of ExitBootServices.
@param[in] Event Event whose notification function is being invoked
@param[in] Context Pointer to the notification function's context
**/
VOID
EFIAPI
OnExitBootServices (
IN EFI_EVENT Event,
IN VOID *Context
)
{
EFI_STATUS Status;
//
// Measure invocation of ExitBootServices,
//
Status = TcgMeasureAction (
EFI_EXIT_BOOT_SERVICES_INVOCATION
);
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "%s not Measured. Error!\n", EFI_EXIT_BOOT_SERVICES_INVOCATION));
}
//
// Measure success of ExitBootServices
//
Status = TcgMeasureAction (
EFI_EXIT_BOOT_SERVICES_SUCCEEDED
);
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "%s not Measured. Error!\n", EFI_EXIT_BOOT_SERVICES_SUCCEEDED));
}
}
/**
Exit Boot Services Failed Event notification handler.
Measure Failure of ExitBootServices.
@param[in] Event Event whose notification function is being invoked
@param[in] Context Pointer to the notification function's context
**/
VOID
EFIAPI
OnExitBootServicesFailed (
IN EFI_EVENT Event,
IN VOID *Context
)
{
EFI_STATUS Status;
//
// Measure Failure of ExitBootServices,
//
Status = TcgMeasureAction (
EFI_EXIT_BOOT_SERVICES_FAILED
);
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "%s not Measured. Error!\n", EFI_EXIT_BOOT_SERVICES_FAILED));
}
}
/**
The function install TrEE protocol.
@retval EFI_SUCCESS TrEE protocol is installed.
@retval other Some error occurs.
**/
EFI_STATUS
InstallTrEE (
VOID
)
{
EFI_STATUS Status;
EFI_HANDLE Handle;
Handle = NULL;
Status = gBS->InstallMultipleProtocolInterfaces (
&Handle,
&gEfiTrEEProtocolGuid,
&mTreeProtocol,
NULL
);
return Status;
}
/**
The driver's entry point. It publishes EFI TrEE Protocol.
@param[in] ImageHandle The firmware allocated handle for the EFI image.
@param[in] SystemTable A pointer to the EFI System Table.
@retval EFI_SUCCESS The entry point is executed successfully.
@retval other Some error occurs when executing this entry point.
**/
EFI_STATUS
EFIAPI
DriverEntry (
IN EFI_HANDLE ImageHandle,
IN EFI_SYSTEM_TABLE *SystemTable
)
{
EFI_STATUS Status;
EFI_EVENT Event;
VOID *Registration;
UINT32 MaxCommandSize;
UINT32 MaxResponseSize;
TPML_PCR_SELECTION Pcrs;
UINTN Index;
UINT32 TpmHashAlgorithmBitmap;
mImageHandle = ImageHandle;
if (CompareGuid (PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceNoneGuid) ||
CompareGuid (PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceTpm12Guid)){
DEBUG ((EFI_D_ERROR, "No TPM2 instance required!\n"));
return EFI_UNSUPPORTED;
}
if (GetFirstGuidHob (&gTpmErrorHobGuid) != NULL) {
DEBUG ((EFI_D_ERROR, "TPM2 error!\n"));
return EFI_DEVICE_ERROR;
}
Status = Tpm2RequestUseTpm ();
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "TPM2 not detected!\n"));
return Status;
}
//
// Fill information
//
DEBUG ((EFI_D_INFO, "TrEE.ProtocolVersion - %02x.%02x\n", mTcgDxeData.BsCap.ProtocolVersion.Major, mTcgDxeData.BsCap.ProtocolVersion.Minor));
DEBUG ((EFI_D_INFO, "TrEE.StructureVersion - %02x.%02x\n", mTcgDxeData.BsCap.StructureVersion.Major, mTcgDxeData.BsCap.StructureVersion.Minor));
Status = Tpm2GetCapabilityManufactureID (&mTcgDxeData.BsCap.ManufacturerID);
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "Tpm2GetCapabilityManufactureID fail!\n"));
} else {
DEBUG ((EFI_D_INFO, "Tpm2GetCapabilityManufactureID - %08x\n", mTcgDxeData.BsCap.ManufacturerID));
}
DEBUG_CODE (
UINT32 FirmwareVersion1;
UINT32 FirmwareVersion2;
Status = Tpm2GetCapabilityFirmwareVersion (&FirmwareVersion1, &FirmwareVersion2);
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "Tpm2GetCapabilityFirmwareVersion fail!\n"));
} else {
DEBUG ((EFI_D_INFO, "Tpm2GetCapabilityFirmwareVersion - %08x %08x\n", FirmwareVersion1, FirmwareVersion2));
}
);
Status = Tpm2GetCapabilityMaxCommandResponseSize (&MaxCommandSize, &MaxResponseSize);
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "Tpm2GetCapabilityMaxCommandResponseSize fail!\n"));
} else {
mTcgDxeData.BsCap.MaxCommandSize = (UINT16)MaxCommandSize;
mTcgDxeData.BsCap.MaxResponseSize = (UINT16)MaxResponseSize;
DEBUG ((EFI_D_INFO, "Tpm2GetCapabilityMaxCommandResponseSize - %08x, %08x\n", MaxCommandSize, MaxResponseSize));
}
Status = Tpm2GetCapabilityPcrs (&Pcrs);
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));
TpmHashAlgorithmBitmap = TREE_BOOT_HASH_ALG_SHA1;
} else {
DEBUG ((EFI_D_INFO, "Tpm2GetCapabilityPcrs Count - %08x\n", Pcrs.count));
TpmHashAlgorithmBitmap = 0;
for (Index = 0; Index < Pcrs.count; Index++) {
DEBUG ((EFI_D_INFO, "hash - %x\n", Pcrs.pcrSelections[Index].hash));
switch (Pcrs.pcrSelections[Index].hash) {
case TPM_ALG_SHA1:
TpmHashAlgorithmBitmap |= TREE_BOOT_HASH_ALG_SHA1;
break;
case TPM_ALG_SHA256:
TpmHashAlgorithmBitmap |= TREE_BOOT_HASH_ALG_SHA256;
break;
case TPM_ALG_SHA384:
TpmHashAlgorithmBitmap |= TREE_BOOT_HASH_ALG_SHA384;
break;
case TPM_ALG_SHA512:
TpmHashAlgorithmBitmap |= TREE_BOOT_HASH_ALG_SHA512;
break;
case TPM_ALG_SM3_256:
// TBD: Spec not define TREE_BOOT_HASH_ALG_SM3_256 yet
break;
}
}
}
DEBUG ((EFI_D_INFO, "TPM.HashAlgorithmBitmap - 0x%08x\n", TpmHashAlgorithmBitmap));
DEBUG ((EFI_D_INFO, "TrEE.SupportedEventLogs - 0x%08x\n", mTcgDxeData.BsCap.SupportedEventLogs));
mTcgDxeData.BsCap.HashAlgorithmBitmap = TpmHashAlgorithmBitmap;
DEBUG ((EFI_D_INFO, "TrEE.HashAlgorithmBitmap - 0x%08x\n", mTcgDxeData.BsCap.HashAlgorithmBitmap));
if (mTcgDxeData.BsCap.TrEEPresentFlag) {
//
// Setup the log area and copy event log from hob list to it
//
Status = SetupEventLog ();
ASSERT_EFI_ERROR (Status);
//
// Measure handoff tables, Boot#### variables etc.
//
Status = EfiCreateEventReadyToBootEx (
TPL_CALLBACK,
OnReadyToBoot,
NULL,
&Event
);
Status = gBS->CreateEventEx (
EVT_NOTIFY_SIGNAL,
TPL_NOTIFY,
OnExitBootServices,
NULL,
&gEfiEventExitBootServicesGuid,
&Event
);
//
// Measure Exit Boot Service failed
//
Status = gBS->CreateEventEx (
EVT_NOTIFY_SIGNAL,
TPL_NOTIFY,
OnExitBootServicesFailed,
NULL,
&gEventExitBootServicesFailedGuid,
&Event
);
//
// Create event callback, because we need access variable on SecureBootPolicyVariable
// We should use VariableWriteArch instead of VariableArch, because Variable driver
// may update SecureBoot value based on last setting.
//
EfiCreateProtocolNotifyEvent (&gEfiVariableWriteArchProtocolGuid, TPL_CALLBACK, MeasureSecureBootPolicy, NULL, &Registration);
}
//
// Install ACPI Table
//
EfiCreateProtocolNotifyEvent (&gEfiAcpiTableProtocolGuid, TPL_CALLBACK, InstallAcpiTable, NULL, &Registration);
//
// Install TrEEProtocol
//
Status = InstallTrEE ();
DEBUG ((EFI_D_INFO, "InstallTrEE - %r\n", Status));
return Status;
}