From: Mikko Rapeli <mikko.rapeli@linaro.org>
To: Ard Biesheuvel <ardb@kernel.org>, linux-efi@vger.kernel.org
Cc: linux-kernel@vger.kernel.org,
Mikko Rapeli <mikko.rapeli@linaro.org>,
Ilias Apalodimas <ilias.apalodimas@linaro.org>,
Lennart Poettering <lennart@poettering.net>
Subject: [PATCH] efi: expose TPM event log to userspace via sysfs
Date: Mon, 22 Apr 2024 14:27:11 +0300
Message-ID: <20240422112711.362779-1-mikko.rapeli@linaro.org>
Userspace needs to know if TPM kernel drivers need to be loaded
and related services started early in the boot if a TPM device
is used and available. If EFI firmware has used the TPM device
to e.g. measure binaries, then many of them also provide the TPM
log to the kernel in addition to the actual TPM device side measurements.

Expose availability of the TPM event log to userspace via
/sys/firmware/efi/tpm_log. If the file exists, then firmware
provided a TPM event log to the kernel, and userspace init should also
queue TPM module loading and other early boot services for TPM support.

Enables systemd to support TPM drivers as modules when the rootfs is
encrypted with the TPM device.
Sample output from an arm64 qemu machine with u-boot based EFI firmware
and swtpm:
root@trs-qemuarm64:~# dmesg|grep TPMEvent
[ 0.000000] efi: TPMFinalLog=0xbd648040 RTPROP=0xbd646040 SMBIOS3.0=0xbe6ad000 TPMEventLog=0xbd5f9040 INITRD=0xbd5f7040 RNG=0xbd5f6040 MEMRESERVE=0xbd5f5040
root@trs-qemuarm64:~# ls -l /sys/firmware/efi/tpm_log
-r-------- 1 root root 4096 Apr 22 10:31 /sys/firmware/efi/tpm_log
root@trs-qemuarm64:~# cat /sys/firmware/efi/tpm_log
TPMEventLog=0xbd5f9040
root@trs-qemuarm64:~# cat /sys/firmware/efi/systab
SMBIOS3=0xbe6ad000
Other similar information is currently in /sys/firmware/efi/systab, but
for new exported variables a one-variable-per-file sysfs interface
is preferred according to the comments in systab_show() in
drivers/firmware/efi/efi.c.
See also:
https://github.com/systemd/systemd/pull/32314
https://lists.freedesktop.org/archives/systemd-devel/2024-April/050206.html
Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Cc: Lennart Poettering <lennart@poettering.net>
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
---
Documentation/ABI/testing/sysfs-firmware-efi | 12 ++++++++++++
drivers/firmware/efi/efi.c | 13 +++++++++++++
2 files changed, 25 insertions(+)
diff --git a/Documentation/ABI/testing/sysfs-firmware-efi b/Documentation/ABI/testing/sysfs-firmware-efi
index 5e4d0b27cdfe..caaff27cc73e 100644
--- a/Documentation/ABI/testing/sysfs-firmware-efi
+++ b/Documentation/ABI/testing/sysfs-firmware-efi
@@ -36,3 +36,15 @@ Description: Displays the content of the Runtime Configuration Interface
Table version 2 on Dell EMC PowerEdge systems in binary format
Users: It is used by Dell EMC OpenManage Server Administrator tool to
populate BIOS setup page.
+
+What: /sys/firmware/efi/tpm_log
+Date: April 2024
+Contact: Mikko Rapeli <mikko.rapeli@linaro.org>
+Description: If EFI firmware supports TPM device and measurements were done
+ then a TPM event log has very likely been generated and provided
+ to the kernel. This serves as indicator for userspace to load
+ TPM drivers and to start related service early in the boot sequence,
+ e.g. initramfs, where full bus probes and device scans are not yet
+ done.
+Users: systemd will use this interface to support TPM drivers as modules also
+ for early initramfs
diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
index 4fcda50acfa4..94773e8b8806 100644
--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
@@ -162,6 +162,13 @@ static ssize_t fw_platform_size_show(struct kobject *kobj,
return sprintf(buf, "%d\n", efi_enabled(EFI_64BIT) ? 64 : 32);
}
+static ssize_t tpm_log_show(struct kobject *kobj,
+ struct kobj_attribute *attr, char *buf)
+{
+ return sprintf(buf, "TPMEventLog=0x%lx", efi.tpm_log);
+}
+static struct kobj_attribute efi_attr_tpm_log = __ATTR_RO_MODE(tpm_log, 0400);
+
extern __weak struct kobj_attribute efi_attr_fw_vendor;
extern __weak struct kobj_attribute efi_attr_runtime;
extern __weak struct kobj_attribute efi_attr_config_table;
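Review bot: tpm_log_show() in this hunk uses a bare sprintf() and omits the trailing newline; sysfs show callbacks should use sysfs_emit(buf, "TPMEventLog=0x%lx\n", efi.tpm_log), which bounds the write to PAGE_SIZE and makes "cat /sys/firmware/efi/tpm_log" end cleanly. The output format also contradicts the commit message: it says the systab key=value style is deprecated in favour of one-value-per-file, yet the new file repeats the attribute name as a "TPMEventLog=" prefix. If userspace is meant to consume the address, print the bare value; if the file is only an existence indicator (which is all the commit message and the ABI text ask for), consider not exposing the physical address at all, which is the only reason the attribute needs mode 0400.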
@@ -459,6 +466,12 @@ static int __init efisubsys_init(void)
platform_device_register_simple("efi_secret", 0, NULL, 0);
#endif
+ if (efi.tpm_log != EFI_INVALID_TABLE_ADDR) {
+ error = sysfs_create_file(efi_kobj, &efi_attr_tpm_log.attr);
+ if (error)
+ pr_err("sysfs create file failed with error %d.\n", error);
+ }
+
return 0;
err_remove_group:
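Review bot: the sysfs_create_file() failure in this hunk is logged and then ignored, so efisubsys_init() still returns 0 while the attribute userspace is told to rely on is missing; either jump to the existing err_remove_group label like the other failures in this function, or at least make the message identify the file ("efi: failed to create tpm_log sysfs file: %d"), since "sysfs create file failed" is not searchable. A cleaner alternative to a standalone sysfs_create_file() after the group is created is to add efi_attr_tpm_log to the existing efi attribute group with an is_visible callback that tests efi.tpm_log, so the attribute's lifetime matches the rest of the group. Finally, the condition only checks efi.tpm_log; the sample dmesg in the commit message also shows a TPMFinalLog table, so firmware that provides only the final log table would not get the indicator.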
--
2.34.1
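An added example of the userspace side this file is meant to serve, not part of Mikko's patch or of systemd's code: a small C program that parses the proposed "TPMEventLog=0x<addr>" contents (the same KEY=0xHEX line format that /sys/firmware/efi/systab uses, as the SMBIOS3 line in the commit message shows) and reports whether early boot should queue TPM module loading. The function names, the file-reading helper and the constructed sample strings are assumptions for this example; only the sysfs path and the contents format come from the patch.

```c
/* Added example, not code from the patch or from systemd.  The path
 * /sys/firmware/efi/tpm_log and the "TPMEventLog=0x<addr>" contents come
 * from the patch; everything else here is an assumption for illustration. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse "KEY=0x<hex>" out of a buffer of newline-separated KEY=VALUE lines,
 * the format used by both the proposed tpm_log file and by systab.
 * Returns true and stores the address when the key is present and its value
 * is a well-formed, non-zero hexadecimal number; false otherwise.  The line
 * must end right after the number (trailing whitespace/newline allowed). */
bool efi_table_addr(const char *text, const char *key, unsigned long *addr)
{
    size_t klen = strlen(key);
    const char *p = text;

    while (p && *p) {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);

        if (linelen > klen + 1 && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *val = p + klen + 1;
            char *end;
            unsigned long v;

            errno = 0;
            v = strtoul(val, &end, 16);   /* base 16 accepts the "0x" prefix */
            if (errno == 0 && end != val) {
                while (*end == ' ' || *end == '\t' || *end == '\r')
                    end++;
                if ((*end == '\0' || *end == '\n') && v != 0) {
                    *addr = v;
                    return true;
                }
            }
            return false;   /* key found but value malformed: do not keep scanning */
        }
        p = eol ? eol + 1 : NULL;
    }
    return false;
}

/* Read a small sysfs file into buf; returns the byte count or -1 if absent.
 * (Assumed helper, not from the patch.) */
static long read_small_file(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "r");
    size_t n;

    if (!f)
        return -1;
    n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (long)n;
}

/* Early-boot decision: true when firmware handed the kernel a TPM event log,
 * i.e. TPM drivers and services should be queued now even though no
 * /dev/tpm* node exists yet because the bus has not been probed. */
bool firmware_provided_tpm_log(unsigned long *addr)
{
    char buf[4096];

    if (read_small_file("/sys/firmware/efi/tpm_log", buf, sizeof buf) < 0)
        return false;           /* file absent: no TPMEventLog table */
    return efi_table_addr(buf, "TPMEventLog", addr);
}

int main(void)
{
    unsigned long addr = 0;

    if (firmware_provided_tpm_log(&addr))
        printf("firmware TPM event log at 0x%lx: queue TPM modules\n", addr);
    else
        printf("no firmware TPM event log: skip early TPM setup\n");
    return 0;
}
```

The parser refuses to scan past a present-but-malformed value on purpose: an init system that silently fell back to "not present" on a garbled line would skip TPM setup on exactly the machines where the firmware did measure the boot chain.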
Thread overview (28+ messages):
2024-04-22 11:27 Mikko Rapeli [this message]
2024-04-22 12:42 ` [PATCH] efi: expose TPM event log to userspace via sysfs James Bottomley
2024-04-22 13:08 ` Mikko Rapeli
2024-04-22 13:32 ` Ilias Apalodimas
2024-04-22 13:38 ` James Bottomley
2024-04-22 13:54 ` Ilias Apalodimas
2024-04-22 14:31 ` James Bottomley
2024-04-22 15:22 ` Ilias Apalodimas
2024-04-24 17:15 ` Ard Biesheuvel
2024-04-25 8:56 ` Mikko Rapeli
2024-04-25 13:50 ` Jarkko Sakkinen
2024-04-25 9:58 ` Lennart Poettering
2024-04-25 10:36 ` Ard Biesheuvel
2024-04-25 11:13 ` Lennart Poettering
2024-04-25 11:47 ` Ilias Apalodimas
2024-04-25 13:36 ` Lennart Poettering
2024-04-25 13:46 ` James Bottomley
2024-04-25 13:24 ` James Bottomley
2024-04-25 13:39 ` Mikko Rapeli
2024-04-25 13:40 ` Lennart Poettering
2024-04-25 14:01 ` Jarkko Sakkinen
2024-04-26 7:35 ` Jarkko Sakkinen
2024-04-26 7:40 ` Jarkko Sakkinen
2024-04-26 8:19 ` Mikko Rapeli
2024-04-26 8:23 ` Jarkko Sakkinen
2024-04-22 14:57 ` Mikko Rapeli
2024-04-26 11:41 ` Jarkko Sakkinen
2024-04-26 11:48 ` Jarkko Sakkinen