grub-devel

Re: [PATCH v17 10/20] tpm2: Add TPM Software Stack (TSS)


From: Gary Lin
Subject: Re: [PATCH v17 10/20] tpm2: Add TPM Software Stack (TSS)
Date: Thu, 20 Jun 2024 14:13:02 +0800

On Wed, Jun 19, 2024 at 04:04:47PM +0200, Daniel Kiper wrote:
> On Wed, Jun 19, 2024 at 02:41:13PM +0800, Gary Lin wrote:
> > On Tue, Jun 18, 2024 at 03:30:03PM +0200, Daniel Kiper wrote:
> > > On Fri, Jun 14, 2024 at 02:45:43PM +0800, Gary Lin wrote:
> > > > From: Hernan Gatta <hegatta@linux.microsoft.com>
> > > >
> > > > A Trusted Platform Module (TPM) Software Stack (TSS) provides logic to
> > > > compose and submit TPM commands and parse responses.
> > > >
> > > > A limited number of TPM commands may be accessed via the EFI TCG2
> > > > protocol. This protocol exposes functionality that is primarily geared
> > > > toward TPM usage within the context of Secure Boot. For all other TPM
> > > > commands, however, such as sealing and unsealing, this protocol does not
> > > > provide any help, with the exception of passthrough command submission.
> > > >
> > > > The SubmitCommand method allows a caller to send raw commands to the
> > > > system's TPM and to receive the corresponding response. These
> > > > command/response pairs are formatted using the TPM wire protocol. To
> > > > construct commands in this way, and to parse the TPM's response, it is
> > > > necessary to, first, possess knowledge of the various TPM structures, and,
> > > > second, of the TPM wire protocol itself.
> > > >
> > > > As such, this patch includes a set of header files that define the
> > > > necessary TPM structures and TSS functions, implementations of various
> > > > TPM2_* functions (inventoried below), and logic to write and read command
> > > > and response buffers, respectively, using the TPM wire protocol.
> > > >
> > > > Functions: TPM2_Create, TPM2_CreatePrimary, TPM2_EvictControl,
> > > > TPM2_FlushContext, TPM2_Load, TPM2_PCR_Read, TPM2_PolicyGetDigest,
> > > > TPM2_PolicyPCR, TPM2_ReadPublic, TPM2_StartAuthSession, TPM2_Unseal,
> > > > TPM2_LoadExternal, TPM2_Hash, TPM2_VerifySignature,
> > > > TPM2_PolicyAuthorize, TPM2_TestParms
> > > >
> > > > Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
> > > > Signed-off-by: Gary Lin <glin@suse.com>
> > > > Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
> > > > ---
> > > >  grub-core/tpm2/buffer.c                |  145 +++
> > > >  grub-core/tpm2/mu.c                    | 1168 ++++++++++++++++++++++++
> > > >  grub-core/tpm2/tcg2.c                  |  143 +++
> > > >  grub-core/tpm2/tpm2.c                  | 1048 +++++++++++++++++++++
> > > >  include/grub/tpm2/buffer.h             |   65 ++
> > > >  include/grub/tpm2/internal/functions.h |  156 ++++
> > > >  include/grub/tpm2/internal/structs.h   |  768 ++++++++++++++++
> > > >  include/grub/tpm2/internal/types.h     |  403 ++++++++
> > > >  include/grub/tpm2/mu.h                 |  396 ++++++++
> > > >  include/grub/tpm2/tcg2.h               |   34 +
> > > >  include/grub/tpm2/tpm2.h               |   34 +
> > > >  11 files changed, 4360 insertions(+)
> > > >  create mode 100644 grub-core/tpm2/buffer.c
> > > >  create mode 100644 grub-core/tpm2/mu.c
> > > >  create mode 100644 grub-core/tpm2/tcg2.c
> > > >  create mode 100644 grub-core/tpm2/tpm2.c
> > > >  create mode 100644 include/grub/tpm2/buffer.h
> > > >  create mode 100644 include/grub/tpm2/internal/functions.h
> > > >  create mode 100644 include/grub/tpm2/internal/structs.h
> > > >  create mode 100644 include/grub/tpm2/internal/types.h
> > > >  create mode 100644 include/grub/tpm2/mu.h
> > > >  create mode 100644 include/grub/tpm2/tcg2.h
> > > >  create mode 100644 include/grub/tpm2/tpm2.h
> > > >
> > > > diff --git a/grub-core/tpm2/buffer.c b/grub-core/tpm2/buffer.c
> > > > new file mode 100644
> > > > index 000000000..cb9f29497
> > > > --- /dev/null
> > > > +++ b/grub-core/tpm2/buffer.c
> > >
> > > I think this together with other TPM2 driver files should go to the
> > > grub-core/commands/efi/tpm2 directory.
> > >
> > The TPM2 stack is not EFI only. The only EFI related code is in
> 
> Ah, right... Then I think we should have two GRUB modules. One TPM2
> generic and one strictly EFI which depends on generic one.
> 
> > grub-core/tpm2/tcg2.c which mainly implements how the TPM2 commands to
> > be submitted. I'd propose to move them to grub-core/commands/tpm2 and
> > rename tcg2.c to tcg2-efi.c.
> 
> One should land in the grub-core/commands/tss2 directory and another in
> the grub-core/commands/efi or grub-core/commands/efi/tpm2 if needed.
> 
> [...]
> 
Ok, I'll move most of files to grub-core/commands/tss2 and tcg2.c to
grub-core/commands/efi.

> > > > diff --git a/grub-core/tpm2/mu.c b/grub-core/tpm2/mu.c
> > > > new file mode 100644
> > > > index 000000000..10ed71c04
> > > > --- /dev/null
> > > > +++ b/grub-core/tpm2/mu.c
> > >
> > > I can imagine where it comes from but I think it should be efi.c instead
> > > of mu.c.
> > >
> > No, it's not from the MU firmware but stands for Marshal/Unmarshal.
> > The similar naming policy from tpm2-tss:
> >
> > https://github.com/tpm2-software/tpm2-tss/blob/master/include/tss2/tss2_mu.h
> 
> Then I would rename mu.c file to tss2_mu.c and replace "_tpm2_mu_"
> with "_Tss2_MU_" in function names.
> 
Then I think mu.h should be renamed too.

Gary Lin

> > > > @@ -0,0 +1,1168 @@
> > > > +/*
> > > > + *  GRUB  --  GRand Unified Bootloader
> > > > + *  Copyright (C) 2022 Microsoft Corporation
> > > > + *
> > > > + *  GRUB is free software: you can redistribute it and/or modify
> > > > + *  it under the terms of the GNU General Public License as published 
> > > > by
> > > > + *  the Free Software Foundation, either version 3 of the License, or
> > > > + *  (at your option) any later version.
> > > > + *
> > > > + *  GRUB is distributed in the hope that it will be useful,
> > > > + *  but WITHOUT ANY WARRANTY; without even the implied warranty of
> > > > + *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> > > > + *  GNU General Public License for more details.
> > > > + *
> > > > + *  You should have received a copy of the GNU General Public License
> > > > + *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
> > > > + */
> > > > +
> > > > +#include <grub/misc.h>
> > > > +#include <grub/tpm2/mu.h>
> > > > +
> > > > +void
> > > > +grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal (grub_tpm2_buffer_t buffer,
> > > > +                                       const TPMS_AUTH_COMMAND* 
> > > > authCommand)
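Review bot: the declarator in `const TPMS_AUTH_COMMAND* authCommand` attaches the asterisk to the type, which is not the GNU style used across the GRUB tree (`const TPMS_AUTH_COMMAND *authCommand`); the same spacing should be applied to every marshal/unmarshal signature in the new files rather than fixed in this one place. Separately, the function returns `void`, so a caller has no return value telling it that the command buffer ran out of space mid-marshal; if that condition is recorded inside `grub_tpm2_buffer_t` instead, a comment on the function (or in mu.h) should say so, so that callers know to check the buffer's error state before handing the buffer to SubmitCommand.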
> > >
> > > s/grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal/grub_efi_tpm2_TPMS_AUTH_COMMAND_Marshal/
> > >
> > > I would change "grub_tpm2_mu_" prefix to "grub_efi_tpm2_" everywhere.
> > >
> > As mentioned above, it's not EFI related, so the renaming is not
> > necessary.
> 
> Please look above...
> 
> Daniel
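The commit message describes the two halves of a TSS that this thread keeps returning to: marshalling a command into the big-endian TPM wire format for passthrough submission, and unmarshalling the response. The following is an added example written for this page, not code from the patch or from GRUB; the `wire_buf_t` type, the `build_pcr_read`, `parse_pcr_read`, `make_sample_response` and `selftest` functions, and the sticky-error-flag design are all this example's own assumptions, while the constants (`TPM_ST_NO_SESSIONS`, `TPM_CC_PCR_Read`, `TPM_ALG_SHA256`, the TPML_PCR_SELECTION and TPML_DIGEST layouts) come from the TPM 2.0 Library specification. The response bytes are constructed in code, not captured from a TPM.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire-protocol constants from the TPM 2.0 Library spec, Part 2. */
#define TPM_ST_NO_SESSIONS 0x8001u
#define TPM_CC_PCR_Read    0x0000017Eu
#define TPM_RC_SUCCESS     0x00000000u
#define TPM_ALG_SHA256     0x000Bu

/* Marshalling buffer with a sticky error flag (an assumed design, not GRUB's
 * grub_tpm2_buffer_t): the first overrun marks the buffer bad and every later
 * access becomes a no-op, so callers check the flag once at the end. */
typedef struct { uint8_t *data; size_t cap; size_t off; bool error; } wire_buf_t;

static void wb_init (wire_buf_t *b, uint8_t *backing, size_t cap)
{ b->data = backing; b->cap = cap; b->off = 0; b->error = false; }

static bool wb_room (wire_buf_t *b, size_t n)
{
  if (b->error || n > b->cap - b->off) { b->error = true; return false; }
  return true;
}

/* The TPM wire protocol is big-endian regardless of host byte order. */
static void put_u8 (wire_buf_t *b, uint8_t v) { if (wb_room (b, 1)) b->data[b->off++] = v; }
static void put_u16 (wire_buf_t *b, uint16_t v) { put_u8 (b, (uint8_t) (v >> 8)); put_u8 (b, (uint8_t) v); }
static void put_u32 (wire_buf_t *b, uint32_t v) { put_u16 (b, (uint16_t) (v >> 16)); put_u16 (b, (uint16_t) v); }
static uint8_t get_u8 (wire_buf_t *b) { return wb_room (b, 1) ? b->data[b->off++] : 0; }
static uint16_t get_u16 (wire_buf_t *b) { uint16_t hi = get_u8 (b); return (uint16_t) ((hi << 8) | get_u8 (b)); }
static uint32_t get_u32 (wire_buf_t *b) { uint32_t hi = get_u16 (b); return (hi << 16) | get_u16 (b); }

/* Back-patch the 32-bit size field at offset 2 of a command/response header
 * once the body length is known. Returns the total length, 0 on overrun. */
static size_t wb_finish (wire_buf_t *b)
{
  wire_buf_t hdr;
  if (b->error) return 0;
  wb_init (&hdr, b->data + 2, 4);
  put_u32 (&hdr, (uint32_t) b->off);
  return b->off;
}

/* Marshal TPM2_PCR_Read for one hash bank and a 24-bit PCR mask
 * (TPML_PCR_SELECTION with count 1). Returns command length, 0 if cap is too small. */
size_t build_pcr_read (uint8_t *out, size_t cap, uint16_t alg, uint32_t pcr_mask)
{
  wire_buf_t b;
  wb_init (&b, out, cap);
  put_u16 (&b, TPM_ST_NO_SESSIONS);
  put_u32 (&b, 0);                         /* commandSize, patched by wb_finish */
  put_u32 (&b, TPM_CC_PCR_Read);
  put_u32 (&b, 1);                         /* TPML_PCR_SELECTION.count */
  put_u16 (&b, alg);                       /* TPMS_PCR_SELECTION.hash */
  put_u8 (&b, 3);                          /* sizeofSelect: 3 bytes cover PCR 0..23 */
  put_u8 (&b, (uint8_t) pcr_mask);         /* pcrSelect[0] = PCR 0..7, bit i = PCR i */
  put_u8 (&b, (uint8_t) (pcr_mask >> 8));
  put_u8 (&b, (uint8_t) (pcr_mask >> 16));
  return wb_finish (&b);
}

typedef struct { uint32_t rc, update_counter, digest_count; uint16_t digest_len; uint8_t digest[64]; } pcr_read_result_t;

/* Unmarshal a TPM2_PCR_Read response. Returns false on a malformed response
 * (truncated, responseSize != bytes received, absurd counts, oversized digest)
 * or a non-success rc; only the first digest is copied out. */
bool parse_pcr_read (const uint8_t *resp, size_t len, pcr_read_result_t *r)
{
  wire_buf_t b;
  wb_init (&b, (uint8_t *) resp, len);     /* read-only use; cast is for the shared struct */
  memset (r, 0, sizeof *r);
  uint16_t tag = get_u16 (&b);
  uint32_t size = get_u32 (&b);
  r->rc = get_u32 (&b);
  if (b.error || tag != TPM_ST_NO_SESSIONS || size != len || r->rc != TPM_RC_SUCCESS)
    return false;                          /* error responses carry only the 10-byte header */
  r->update_counter = get_u32 (&b);
  uint32_t sel_count = get_u32 (&b);       /* pcrSelectionOut: skip, but bound the loop */
  if (b.error || sel_count > 16)           /* 16: assumed upper bound for HASH_COUNT */
    return false;
  for (uint32_t i = 0; i < sel_count && !b.error; i++)
    { get_u16 (&b); uint8_t n = get_u8 (&b); if (wb_room (&b, n)) b.off += n; }
  r->digest_count = get_u32 (&b);
  if (b.error || r->digest_count == 0 || r->digest_count > 8)  /* TPML_DIGEST holds at most 8 */
    return false;
  r->digest_len = get_u16 (&b);
  if (r->digest_len > sizeof r->digest || !wb_room (&b, r->digest_len))
    return false;
  memcpy (r->digest, b.data + b.off, r->digest_len);
  b.off += r->digest_len;
  return !b.error;
}

/* Constructed (not captured) success response: updateCounter 5, one SHA-256
 * selection of PCR 7, one 32-byte digest filled with `fill`. */
size_t make_sample_response (uint8_t *out, size_t cap, uint8_t fill)
{
  wire_buf_t b;
  wb_init (&b, out, cap);
  put_u16 (&b, TPM_ST_NO_SESSIONS); put_u32 (&b, 0); put_u32 (&b, TPM_RC_SUCCESS);
  put_u32 (&b, 5);
  put_u32 (&b, 1); put_u16 (&b, TPM_ALG_SHA256); put_u8 (&b, 3); put_u8 (&b, 0x80); put_u8 (&b, 0); put_u8 (&b, 0);
  put_u32 (&b, 1); put_u16 (&b, 32);
  for (int i = 0; i < 32; i++) put_u8 (&b, fill);
  return wb_finish (&b);
}

/* Round trip: 0 when the command marshals to the expected 20 bytes, a too-small
 * buffer is rejected, the sample response parses, and a truncated copy does not. */
int selftest (void)
{
  uint8_t cmd[32], resp[80];
  pcr_read_result_t r;
  size_t n = build_pcr_read (cmd, sizeof cmd, TPM_ALG_SHA256, 1u << 7);
  if (n != 20 || cmd[5] != 20 || cmd[9] != 0x7E || cmd[16] != 3 || cmd[17] != 0x80) return 1;
  if (build_pcr_read (cmd, 12, TPM_ALG_SHA256, 1u << 7) != 0) return 2;
  n = make_sample_response (resp, sizeof resp, 0x11);
  if (n != 62 || !parse_pcr_read (resp, n, &r) || r.update_counter != 5
      || r.digest_len != 32 || r.digest[31] != 0x11) return 3;
  if (parse_pcr_read (resp, n - 1, &r)) return 4;   /* responseSize mismatch must fail */
  return 0;
}

int main (void) { printf ("selftest: %d\n", selftest ()); return selftest (); }
```

The point a reviewer of the patch would care about is the failure path: every `put_`/`get_` call goes through `wb_room`, so a truncated or oversized message flips one flag instead of reading past the buffer, and the parser additionally refuses a response whose `responseSize` field disagrees with the byte count actually returned by the passthrough call, since a TPM (or a firmware layer in between) that hands back a size field larger than the data delivered must not be able to drive the reader past the end of the buffer.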


