grub2/backport-commands-efi-tpm-Re-enable-measurements-on-confident.patch

From 86df79275d065d87f4de5c97e456973e8b4a649c Mon Sep 17 00:00:00 2001
From: Hector Cao <hector.cao@canonical.com>
Date: Mon, 3 Jun 2024 23:36:25 +0200
Subject: [PATCH] commands/efi/tpm: Re-enable measurements on confidential
 computing platforms

The measurements for confidential computing has been introduced in the
commit 4c76565b6 (efi/tpm: Add EFI_CC_MEASUREMENT_PROTOCOL support).
Recently the patch 30708dfe3 (tpm: Disable the tpm verifier if the TPM
device is not present) has been introduced to optimize the memory usage
when a TPM device is not available on platforms. This fix prevents the
tpm module to be loaded on confidential computing platforms, e.g. Intel
machines with TDX enabled, where the TPM device is not available.

In this patch, we propose to load the tpm module for this use case by
generalizing the tpm feature detection in order to cover CC platforms.
Basically, we do it by detecting the availability of the
EFI_CC_MEASUREMENT_PROTOCOL EFI protocol.

Fixes: https://savannah.gnu.org/bugs/?65821
Fixes: 30708dfe3 (tpm: Disable the tpm verifier if the TPM device is not present)

Reference:https://git.savannah.gnu.org/cgit/grub.git/commit/?id=86df79275d065d87f4de5c97e456973e8b4a649c
Conflict:NA

Signed-off-by: Hector Cao <hector.cao@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
---
 grub-core/commands/efi/tpm.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/grub-core/commands/efi/tpm.c b/grub-core/commands/efi/tpm.c
index f250c30db..cbac69866 100644
--- a/grub-core/commands/efi/tpm.c
+++ b/grub-core/commands/efi/tpm.c
@@ -292,6 +292,15 @@ grub_tpm_present (void)
 {
   grub_efi_handle_t tpm_handle;
   grub_efi_uint8_t protocol_version;
+  grub_efi_cc_protocol_t *cc;
+
+  /*
+   * When confidential computing measurement protocol is enabled
+   * we assume the TPM is present.
+   */
+  cc = grub_efi_locate_protocol (&cc_measurement_guid, NULL);
+  if (cc != NULL)
+    return 1;
 
   if (!grub_tpm_handle_find (&tpm_handle, &protocol_version))
     return 0;
-- 
2.33.0
commands/efi/tpm: Re-enable measurements on confidential computing platforms Signed-off-by: Qiumiao Zhang <zhangqiumiao1@huawei.com> (cherry picked from commit c76475ce1e25392e52d1dc6740fc3f4c7f8f1129) 2024-12-12 07:23:24 +00:00			`From 86df79275d065d87f4de5c97e456973e8b4a649c Mon Sep 17 00:00:00 2001`
			`From: Hector Cao <hector.cao@canonical.com>`
			`Date: Mon, 3 Jun 2024 23:36:25 +0200`
			`Subject: [PATCH] commands/efi/tpm: Re-enable measurements on confidential`
			`computing platforms`

			`The measurements for confidential computing has been introduced in the`
			`commit 4c76565b6 (efi/tpm: Add EFI_CC_MEASUREMENT_PROTOCOL support).`
			`Recently the patch 30708dfe3 (tpm: Disable the tpm verifier if the TPM`
			`device is not present) has been introduced to optimize the memory usage`
			`when a TPM device is not available on platforms. This fix prevents the`
			`tpm module to be loaded on confidential computing platforms, e.g. Intel`
			`machines with TDX enabled, where the TPM device is not available.`

			`In this patch, we propose to load the tpm module for this use case by`
			`generalizing the tpm feature detection in order to cover CC platforms.`
			`Basically, we do it by detecting the availability of the`
			`EFI_CC_MEASUREMENT_PROTOCOL EFI protocol.`

			`Fixes: https://savannah.gnu.org/bugs/?65821`
			`Fixes: 30708dfe3 (tpm: Disable the tpm verifier if the TPM device is not present)`

			`Reference:https://git.savannah.gnu.org/cgit/grub.git/commit/?id=86df79275d065d87f4de5c97e456973e8b4a649c`
			`Conflict:NA`

			`Signed-off-by: Hector Cao <hector.cao@canonical.com>`
			`Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>`
			`Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>`
			`---`
			`grub-core/commands/efi/tpm.c \| 9 +++++++++`
			`1 file changed, 9 insertions(+)`

			`diff --git a/grub-core/commands/efi/tpm.c b/grub-core/commands/efi/tpm.c`
			`index f250c30db..cbac69866 100644`
			`--- a/grub-core/commands/efi/tpm.c`
			`+++ b/grub-core/commands/efi/tpm.c`
			`@@ -292,6 +292,15 @@ grub_tpm_present (void)`
			`{`
			`grub_efi_handle_t tpm_handle;`
			`grub_efi_uint8_t protocol_version;`
			`+ grub_efi_cc_protocol_t *cc;`
			`+`
			`+ /*`
			`+ * When confidential computing measurement protocol is enabled`
			`+ * we assume the TPM is present.`
			`+ */`
			`+ cc = grub_efi_locate_protocol (&cc_measurement_guid, NULL);`
			`+ if (cc != NULL)`
			`+ return 1;`

			`if (!grub_tpm_handle_find (&tpm_handle, &protocol_version))`
			`return 0;`
			`--`
			`2.33.0`