From: Daniel Kiper
Subject: Re: [PATCH] Fix missing measurements on confidential computing enabled platform
Date: Mon, 3 Jun 2024 18:13:49 +0200
User-agent: NeoMutt/20170113 (1.7.2)

On Fri, May 31, 2024 at 02:42:38PM +0200, Hector Cao wrote:
> The measurements for confidential computing have been introduced in the commit
> 4c76565b6 (efi/tpm: Add EFI_CC_MEASUREMENT_PROTOCOL support). Recently
> this patch 30708dfe3 (tpm: Disable the tpm verifier if the TPM device
> is not present) has been introduced to optimize the memory usage when
> the TPM device is not available on the platform. This patch will prevent the
> tpm module from being loaded on confidential computing platforms (for example
> Intel TDX) where no TPM device is available.
>
> In this patch, we propose to load the tpm module for this use case
> by generalizing the tpm feature detection in order to cover CC platforms.
> Basically, we do it by detecting the availability of the EFI protocol
> EFI_CC_MEASUREMENT_PROTOCOL.
>
> Fixes bug: https://savannah.gnu.org/bugs/?65821

Missing SOB...

> ---
>  grub-core/commands/efi/tpm.c | 7 +++++++
>  1 file changed, 7 insertions(+)
>
> diff --git a/grub-core/commands/efi/tpm.c b/grub-core/commands/efi/tpm.c
> index f250c30db..386ea3d66 100644
> --- a/grub-core/commands/efi/tpm.c
> +++ b/grub-core/commands/efi/tpm.c
> @@ -292,6 +292,13 @@ grub_tpm_present (void)
>  {
>    grub_efi_handle_t tpm_handle;
>    grub_efi_uint8_t protocol_version;
> +  grub_efi_cc_protocol_t *cc;
> +
> +  // if confidential computing measurement protocol is enabled
> +  // we consider TPM is present

Please be in line with the GRUB coding style [1].

Otherwise patch LGTM.

> +  cc = grub_efi_locate_protocol (&cc_measurement_guid, NULL);
> +  if (cc != NULL)
> +    return 1;
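Review bot: the early `return 1` placed before the existing TPM handle lookup depends on `cc_measurement_guid` being in scope in tpm.c, and this diff does not add it; please confirm it is the GUID declared with the EFI_CC_MEASUREMENT_PROTOCOL support the commit message cites (4c76565b6) rather than a new symbol, since a stale or differently named GUID would make this check silently never match. The two `//` lines should also become one GRUB-style block comment, e.g. `/* If the confidential computing measurement protocol is available, treat the TPM as present.  */`.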

Daniel

[1] https://www.gnu.org/software/grub/manual/grub-dev/grub-dev.html#Comments
