From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from list by lists.gnu.org with archive (Exim 4.71) id 1dMnWp-0002dA-9X for mharc-grub-devel@gnu.org; Sun, 18 Jun 2017 23:39:03 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:49584) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dMnWn-0002cm-1a for grub-devel@gnu.org; Sun, 18 Jun 2017 23:39:01 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dMnWm-0003Ph-3W for grub-devel@gnu.org; Sun, 18 Jun 2017 23:39:01 -0400 Received: from cavan.codon.org.uk ([2a00:1098:0:80:1000:c:0:1]:36262) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1dMnWl-0003NM-PI for grub-devel@gnu.org; Sun, 18 Jun 2017 23:39:00 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=codon.org.uk; s=63138784; h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID:Subject:To:From:Date; bh=+Lk9F20ySp6p7qoixi3DAX/hiM/dUvjhr03FapFWkas=; b=F4zQNV2FLG3DLuKWo8GP6xDpm9qQkIO4nNuYGT8y2krQEVU2UCB5gNlBhnGugl6nWZrDerTG93mKh0yQOlqaeshd+S0J8crSgClkhdBpPKiiyJHHVV/JhAhbQakMewz4EhTYbZ5a1bVMIM6RNyFMc+VihRuqe2zJ63GSyFQXfcA=; Received: from mjg59 by cavan.codon.org.uk with local (Exim 4.84_2) (envelope-from ) id 1dMnWd-0005Vt-SU for grub-devel@gnu.org; Mon, 19 Jun 2017 04:38:51 +0100 Date: Mon, 19 Jun 2017 04:38:51 +0100 From: Matthew Garrett To: The development of GNU GRUB Subject: Re: [PATCH 3/3] Core TPM support Message-ID: <20170619033851.GA18928@srcf.ucam.org> References: <20170615002102.123757-1-mjg59@google.com> <20170615002102.123757-4-mjg59@google.com> <88a4eb73-a76b-0afe-c3d6-8be2a2fa0e2c@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <88a4eb73-a76b-0afe-c3d6-8be2a2fa0e2c@redhat.com> User-Agent: Mutt/1.5.23 (2014-03-12) X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: mjg59@cavan.codon.org.uk X-SA-Exim-Scanned: No (on cavan.codon.org.uk); SAEximRunCond expanded to false X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 2a00:1098:0:80:1000:c:0:1 X-BeenThere: grub-devel@gnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: The development of GNU GRUB List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Jun 2017 03:39:02 -0000 On Fri, Jun 16, 2017 at 03:51:38PM +0200, Javier Martinez Canillas wrote: > The TCG EFI Protocol Specification (rev 00.13, March 2016) mentions that the > tdEFI_TCG2_BOOT_SERVICE_CAPABILITY StructureVersion Major and Minor should > be checked to determine the EFI_TCG2_BOOT_SERVICE_CAPABILITY struct version. > > In fact, shim checks for this and instead use tdTREE_BOOT_SERVICE_CAPABILITY > if Major == 1 && Minor == 0. The EFI firmware on my Lenovo X1 Carbon reports > these values for the FW TPM2.0 so I first was expecting the code to fail. But > it works and I now see that the structures layout are equal so doesn't matter. > > Do you think that we should be more strict on this? Or instead the shim code > could be simplified as you did here and avoid distinguish between the two? There's an argument for improving the correctness of this, yeah. As you say I don't think it actually makes any meaningful difference, but it'll help anyone who's comparing it to the spec. > Have you looked at how to get the TPM2.0 event logs from Linux? The TCG EFI Protocol > Specification mentions that all events generated after a EFI_TCG2_GET_EVENT_LOG call > shall be stored in a EFI_CONFIGURATION_TABLE that could be retrieved by the OS before > a call to ExitBootServices(). > > I see that shim calls GetEventLogs() to trigger this switch and your patch doesn't. > But Linux still doesn't have support to lookup this table anyways, so I think it's OK. I think this is a bug in shim. The right place to do this is in the EFI boot stub in the kernel - otherwise the kernel has to source this event information from multiple locations. But now that it's out there, we'll probably have to handle the configurationt able as well. > It's also mentioned in the TCG ACPI (1.2 rev 8, February 2017) and TCG PC Client PFP > (rev 00.49, January 2017) specifications, that the TPM2 ACPI table has optional fields > for the Log Area Start Address (LASA) and Log Area Minimum Length (LAML). So that would > be similar to the TPM1.2 TCPA ACPI table. I guess Linux should need support for both? I really hope that there are no implementations where there's a difference between the information in ACPI and any other source, but I guess we'll find out. That's going to end up being a problem for the kernel rather than grub, anyway. -- Matthew Garrett | mjg59@srcf.ucam.org