On 5/14/20 3:04 PM, Ard Biesheuvel wrote:
> On Thu, 14 May 2020 at 14:56, Javier Martinez Canillas
[snip]
>>
>> I still don't know if something like that would be acceptable or if we
>> should just consider a bug if a firmware doesn't conform with the spec.
>>
>
> I'd like Matt's and Jarkko's take on this - for me, considering it a
> bug is just fine. I just want to understand what exactly to warn
> about, since we currently silently ignore the lack of a final events
> table, while it apparently defeats the purpose of having a log in the
> first.
>
> So given that the ordinary event log will contain everything *except*
> the events that were logged during EBS(), I agree that the log may
> still be useful if those final events only affected PCRs that you
> don't care about.
>
Agreed.
> Something like the below perhaps? Should we suppress the warning for
> tables of size 0x0?
>
That's what is not clear to me. For example, if a firmware follows the
spec what happens during EBS() when a TPM2 only supports the SHA-1 format?
Does the firmware always log events during EBS() even when it won't provide
a Final Events Table? If so, are the SHA-1 logs always incomplete?
What I wonder is if the firmware bug error should always be printed if the
crypto agile log format isn't used or only if isn't used and the firmware
provides a Final Events Table, which is a behavior that's out of the spec.
> diff --git a/drivers/char/tpm/eventlog/efi.c b/drivers/char/tpm/eventlog/efi.c
> index 6bb023de17f1..65bfee8e636d 100644
> --- a/drivers/char/tpm/eventlog/efi.c
> +++ b/drivers/char/tpm/eventlog/efi.c
> @@ -62,8 +62,10 @@ int tpm_read_log_efi(struct tpm_chip *chip)
>
> if (efi.tpm_final_log == EFI_INVALID_TABLE_ADDR ||
> efi_tpm_final_log_size == 0 ||
> - tpm_log_version != EFI_TCG2_EVENT_LOG_FORMAT_TCG_2)
> + tpm_log_version != EFI_TCG2_EVENT_LOG_FORMAT_TCG_2) {
> + pr_warn(FW_BUG "TPM Final Event table not found - some
> events may be missing\n");
Maybe mentioning that the missing logs are for events that happen during EBS()?
> goto out;
> + }
>
> final_tbl = memremap(efi.tpm_final_log,
> sizeof(*final_tbl) + efi_tpm_final_log_size,
>
Best regards,
--
Javier Martinez Canillas
Software Engineer - Desktop Hardware Enablement
Red Hat
