commands/efi/tpm: Re-enable measurements on confidential computing platforms

Signed-off-by: Qiumiao Zhang <zhangqiumiao1@huawei.com>
(cherry picked from commit c76475ce1e25392e52d1dc6740fc3f4c7f8f1129)

backport-commands-efi-tpm-Re-enable-measurements-on-confident.patch

@@ -0,0 +1,55 @@
+From 86df79275d065d87f4de5c97e456973e8b4a649c Mon Sep 17 00:00:00 2001
+From: Hector Cao <hector.cao@canonical.com>
+Date: Mon, 3 Jun 2024 23:36:25 +0200
+Subject: [PATCH] commands/efi/tpm: Re-enable measurements on confidential
+ computing platforms
+
+The measurements for confidential computing has been introduced in the
+commit 4c76565b6 (efi/tpm: Add EFI_CC_MEASUREMENT_PROTOCOL support).
+Recently the patch 30708dfe3 (tpm: Disable the tpm verifier if the TPM
+device is not present) has been introduced to optimize the memory usage
+when a TPM device is not available on platforms. This fix prevents the
+tpm module to be loaded on confidential computing platforms, e.g. Intel
+machines with TDX enabled, where the TPM device is not available.
+
+In this patch, we propose to load the tpm module for this use case by
+generalizing the tpm feature detection in order to cover CC platforms.
+Basically, we do it by detecting the availability of the
+EFI_CC_MEASUREMENT_PROTOCOL EFI protocol.
+
+Fixes: https://savannah.gnu.org/bugs/?65821
+Fixes: 30708dfe3 (tpm: Disable the tpm verifier if the TPM device is not present)
+
+Reference:https://git.savannah.gnu.org/cgit/grub.git/commit/?id=86df79275d065d87f4de5c97e456973e8b4a649c
+Conflict:NA
+
+Signed-off-by: Hector Cao <hector.cao@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+---
+ grub-core/commands/efi/tpm.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/grub-core/commands/efi/tpm.c b/grub-core/commands/efi/tpm.c
+index f250c30db..cbac69866 100644
+--- a/grub-core/commands/efi/tpm.c
++++ b/grub-core/commands/efi/tpm.c
+@@ -292,6 +292,15 @@ grub_tpm_present (void)
+ {
+   grub_efi_handle_t tpm_handle;
+   grub_efi_uint8_t protocol_version;
++  grub_efi_cc_protocol_t *cc;
++
++  /*
++   * When confidential computing measurement protocol is enabled
++   * we assume the TPM is present.
++   */
++  cc = grub_efi_locate_protocol (&cc_measurement_guid, NULL);
++  if (cc != NULL)
++    return 1;
+ 
+   if (!grub_tpm_handle_find (&tpm_handle, &protocol_version))
+     return 0;
+-- 
+2.33.0
+

grub.patches

@@ -244,3 +244,4 @@ Patch243:       10_linux-fix-missing-ro-in-kernel-boot-parameters.patch
 Patch244:       0001-cryptodisk-add-OS-provided-secret-support.patch
 Patch245:       0002-efi-Add-API-for-retrieving-the-EFI-secret-for-crypto.patch
 Patch246:       backport-acpi-Fix-out-of-bounds-access-in-grub_acpi_xsdt_find.patch
+Patch247:       backport-commands-efi-tpm-Re-enable-measurements-on-confident.patch

grub2.spec

@@ -19,7 +19,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.12
-Release:	27
+Release:	28
 Summary:	Bootloader with support for Linux, Multiboot and more
 License:	GPLv3+
 URL:		http://www.gnu.org/software/grub/
@@ -461,6 +461,12 @@ fi
 %{_datadir}/man/man*
 
 %changelog
+* Thu Dec 12 2024 zhangqiumiao <zhangqiumiao1@huawei.com> - 1:2.12-28
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:commands/efi/tpm: Re-enable measurements on confidential computing platforms
+
 * Wed Nov 13 2024 yueyuankun <yueyuankun@kylinos.cn> - 1:2.12-27
 - Type:bugfix
 - CVE:NA