!480 [sync] PR-477: commands/efi/tpm: Re-enable measurements on confidential computing platforms

From: @openeuler-sync-bot Reviewed-by: @zhangqiumiao Signed-off-by: @zhangqiumiao
2024-12-12 08:49:45 +00:00 · 2024-12-12 08:49:45 +00:00 · aa99319978
commit aa99319978
parent 3ce9cd3d61 0818f4ebf0
3 changed files with 63 additions and 1 deletions
--- a/backport-commands-efi-tpm-Re-enable-measurements-on-confident.patch
+++ b/backport-commands-efi-tpm-Re-enable-measurements-on-confident.patch
@ -0,0 +1,55 @@
 From 86df79275d065d87f4de5c97e456973e8b4a649c Mon Sep 17 00:00:00 2001
 From: Hector Cao <hector.cao@canonical.com>
 Date: Mon, 3 Jun 2024 23:36:25 +0200
 Subject: [PATCH] commands/efi/tpm: Re-enable measurements on confidential
 computing platforms
 The measurements for confidential computing has been introduced in the
 commit 4c76565b6 (efi/tpm: Add EFI_CC_MEASUREMENT_PROTOCOL support).
 Recently the patch 30708dfe3 (tpm: Disable the tpm verifier if the TPM
 device is not present) has been introduced to optimize the memory usage
 when a TPM device is not available on platforms. This fix prevents the
 tpm module to be loaded on confidential computing platforms, e.g. Intel
 machines with TDX enabled, where the TPM device is not available.
 In this patch, we propose to load the tpm module for this use case by
 generalizing the tpm feature detection in order to cover CC platforms.
 Basically, we do it by detecting the availability of the
 EFI_CC_MEASUREMENT_PROTOCOL EFI protocol.
 Fixes: https://savannah.gnu.org/bugs/?65821
 Fixes: 30708dfe3 (tpm: Disable the tpm verifier if the TPM device is not present)
 Reference:https://git.savannah.gnu.org/cgit/grub.git/commit/?id=86df79275d065d87f4de5c97e456973e8b4a649c
 Conflict:NA
 Signed-off-by: Hector Cao <hector.cao@canonical.com>
 Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
 Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
 ---
 grub-core/commands/efi/tpm.c | 9 +++++++++
 1 file changed, 9 insertions(+)
 diff --git a/grub-core/commands/efi/tpm.c b/grub-core/commands/efi/tpm.c
 index f250c30db..cbac69866 100644
 --- a/grub-core/commands/efi/tpm.c
 +++ b/grub-core/commands/efi/tpm.c
@@ -292,6 +292,15 @@ grub_tpm_present (void)
 {
   grub_efi_handle_t tpm_handle;
   grub_efi_uint8_t protocol_version;
 +  grub_efi_cc_protocol_t *cc;
 +
 +  /*
 +   * When confidential computing measurement protocol is enabled
 +   * we assume the TPM is present.
 +   */
 +  cc = grub_efi_locate_protocol (&cc_measurement_guid, NULL);
 +  if (cc != NULL)
 +    return 1;
   if (!grub_tpm_handle_find (&tpm_handle, &protocol_version))
     return 0;
 -- 
 2.33.0
--- a/grub.patches
+++ b/grub.patches
@ -244,3 +244,4 @@ Patch243:       10_linux-fix-missing-ro-in-kernel-boot-parameters.patch
 Patch244:       0001-cryptodisk-add-OS-provided-secret-support.patch
 Patch245:       0002-efi-Add-API-for-retrieving-the-EFI-secret-for-crypto.patch
 Patch246:       backport-acpi-Fix-out-of-bounds-access-in-grub_acpi_xsdt_find.patch
 Patch247:       backport-commands-efi-tpm-Re-enable-measurements-on-confident.patch
--- a/grub2.spec
+++ b/grub2.spec
@ -19,7 +19,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.12
-Release:	27
+Release:	28
 Summary:	Bootloader with support for Linux, Multiboot and more
 License:	GPLv3+
 URL:		http://www.gnu.org/software/grub/
@ -461,6 +461,12 @@ fi
 %{_datadir}/man/man*
 %changelog
 * Thu Dec 12 2024 zhangqiumiao <zhangqiumiao1@huawei.com> - 1:2.12-28
 - Type:bugfix
 - CVE:NA
 - SUG:NA
 - DESC:commands/efi/tpm: Re-enable measurements on confidential computing platforms
 * Wed Nov 13 2024 yueyuankun <yueyuankun@kylinos.cn> - 1:2.12-27
 - Type:bugfix
 - CVE:NA