
[PATCH v3] tpm: Disable tpm verifier if tpm is not present


From: Michael Chang
Subject: [PATCH v3] tpm: Disable tpm verifier if tpm is not present
Date: Mon, 20 Feb 2023 14:36:18 +0800

This helps to prevent out-of-memory errors when reading large files: the tpm
verifier is disabled when no TPM device is present, since the verifier has to
read all content into memory in one chunk to measure the hash and extend it to
the TPM.

For ibmvtpm driver support this change here would be needed. It helps to
prevent much memory consuming tpm subsystem from being activated when no
vtpm device present.

Signed-off-by: Michael Chang <mchang@suse.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 grub-core/commands/efi/tpm.c          | 37 +++++++++++++++++++++++++++
 grub-core/commands/ieee1275/ibmvtpm.c | 20 +++++++--------
 grub-core/commands/tpm.c              | 11 ++++++++
 include/grub/tpm.h                    |  1 +
 4 files changed, 59 insertions(+), 10 deletions(-)

diff --git a/grub-core/commands/efi/tpm.c b/grub-core/commands/efi/tpm.c
index ae09c1bf8..e1f343fea 100644
--- a/grub-core/commands/efi/tpm.c
+++ b/grub-core/commands/efi/tpm.c
@@ -287,3 +287,40 @@ grub_tpm_measure (unsigned char *buf, grub_size_t size, 
grub_uint8_t pcr,
   else
     return grub_tpm2_log_event (tpm_handle, buf, size, pcr, description);
 }
+
+int
+grub_tpm_present (void)
+{
+  grub_efi_handle_t tpm_handle;
+  grub_efi_uint8_t protocol_version;
+
+  if (!grub_tpm_handle_find (&tpm_handle, &protocol_version))
+    return 0;
+
+  if (protocol_version == 1)
+    {
+      grub_efi_tpm_protocol_t *tpm;
+
+      tpm = grub_efi_open_protocol (tpm_handle, &tpm_guid,
+                                   GRUB_EFI_OPEN_PROTOCOL_GET_PROTOCOL);
+      if (!tpm)
+       {
+         grub_dprintf ("tpm", "Cannot open TPM protocol\n");
+         return 0;
+       }
+      return grub_tpm1_present (tpm);
+    }
+  else
+    {
+      grub_efi_tpm2_protocol_t *tpm;
+
+      tpm = grub_efi_open_protocol (tpm_handle, &tpm2_guid,
+                                   GRUB_EFI_OPEN_PROTOCOL_GET_PROTOCOL);
+      if (!tpm)
+       {
+         grub_dprintf ("tpm", "Cannot open TPM protocol\n");
+         return 0;
+       }
+      return grub_tpm2_present (tpm);
+    }
+}
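Review bot: Both branches of grub_tpm_present() emit the identical `"Cannot open TPM protocol\n"` on failure, so a debug trace cannot tell whether the TPM 1.2 or the TPM 2.0 protocol failed to open; distinct messages such as `grub_dprintf ("tpm", "Cannot open TPM 1.2 protocol\n");` and `grub_dprintf ("tpm", "Cannot open TPM 2.0 protocol\n");` cost nothing. The new function also has no header comment; one line such as `/* Return nonzero when a usable TPM (1.2 or 2.0) is reachable through the EFI protocols, 0 otherwise. */` would state the contract that GRUB_MOD_INIT(tpm) now relies on. Note that any protocol_version other than 1 is treated as TPM 2.0, which appears to mirror the else branch of grub_tpm_measure just above; if that is intentional, a short comment saying so would help.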
diff --git a/grub-core/commands/ieee1275/ibmvtpm.c 
b/grub-core/commands/ieee1275/ibmvtpm.c
index 239942d27..e01759c17 100644
--- a/grub-core/commands/ieee1275/ibmvtpm.c
+++ b/grub-core/commands/ieee1275/ibmvtpm.c
@@ -135,16 +135,6 @@ grub_err_t
 grub_tpm_measure (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
                  const char *description)
 {
-  /*
-   * Call tpm_init() 'late' rather than from GRUB_MOD_INIT() so that device 
nodes
-   * can be found.
-   */
-  grub_err_t err = tpm_init ();
-
-  /* Absence of a TPM isn't a failure. */
-  if (err != GRUB_ERR_NONE)
-    return GRUB_ERR_NONE;
-
   grub_dprintf ("tpm", "log_event, pcr = %d, size = 0x%" PRIxGRUB_SIZE ", 
%s\n",
                pcr, size, description);
 
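Review bot: With tpm_init() removed from grub_tpm_measure(), the function now silently assumes the device was already opened by an earlier grub_tpm_present() call; the remainder of grub_tpm_measure's body lies outside this hunk. If any caller reaches grub_tpm_measure() other than through the verifier that GRUB_MOD_INIT(tpm) registers only after grub_tpm_present() succeeded, it would now run without tpm_init() ever having been called. A one-line precondition comment at the top of the body, `/* Requires a prior successful grub_tpm_present(); tpm_init() is no longer called here. */`, would make that dependency explicit.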
@@ -153,3 +143,13 @@ grub_tpm_measure (unsigned char *buf, grub_size_t size, 
grub_uint8_t pcr,
 
   return GRUB_ERR_NONE;
 }
+
+int
+grub_tpm_present (void)
+{
+  /*
+   * Call tpm_init() 'late' rather than from GRUB_MOD_INIT() so that device 
nodes
+   * can be found.
+   */
+  return tpm_init() == GRUB_ERR_NONE;
+}
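Review bot: `return tpm_init() == GRUB_ERR_NONE;` drops the space before the parenthesis that the rest of this file uses (`tpm_init ()` in the removed lines above, `grub_dprintf (`); the two `grub_tpm_present()` calls added to grub-core/commands/tpm.c have the same inconsistency. Since this function is now called from both GRUB_MOD_INIT and GRUB_MOD_FINI, tpm_init() runs more than once per module lifetime; if it does not short-circuit once the device is open, the second call would reopen the device. Either state in the comment that tpm_init() is idempotent, or cache its result in a file-static variable so the probe happens once.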
diff --git a/grub-core/commands/tpm.c b/grub-core/commands/tpm.c
index 3437e8e03..3128bede0 100644
--- a/grub-core/commands/tpm.c
+++ b/grub-core/commands/tpm.c
@@ -103,10 +103,21 @@ struct grub_file_verifier grub_tpm_verifier = {
 
 GRUB_MOD_INIT (tpm)
 {
+  /*
+   * Even though this now calls ibmvtpm's grub_tpm_present() from
+   * GRUB_MOD_INIT(), it does seem to call it late enough in the initialization
+   * sequence so that whatever discovered 'device nodes' before this
+   * GRUB_MOD_INIT() is called, enables the ibmvtpm driver to see the device
+   * nodes.
+   */
+  if (!grub_tpm_present())
+    return;
   grub_verifier_register (&grub_tpm_verifier);
 }
 
 GRUB_MOD_FINI (tpm)
 {
+  if (!grub_tpm_present())
+    return;
   grub_verifier_unregister (&grub_tpm_verifier);
 }
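Review bot: GRUB_MOD_FINI decides whether to unregister by probing the TPM again, so if grub_tpm_present() returns 0 at unload time after having returned nonzero at load time (a probe or protocol open that fails on the second attempt), grub_tpm_verifier stays registered while the module's code is unloaded. The decision should be keyed to what GRUB_MOD_INIT actually did: record the registration in a file-static flag and unregister on that flag, which also avoids re-running the probe (and on ieee1275, tpm_init()) during FINI. The comment in GRUB_MOD_INIT names the ibmvtpm implementation from platform-independent code; phrasing it in terms of the grub_tpm_present() contract, e.g. `/* grub_tpm_present() is expected to perform any late device discovery itself. */`, would keep this file platform-neutral.
```c
static int tpm_verifier_registered;

GRUB_MOD_INIT (tpm)
{
  /* … unchanged: comment on late device discovery … */
  if (!grub_tpm_present ())
    return;
  grub_verifier_register (&grub_tpm_verifier);
  tpm_verifier_registered = 1;
}

GRUB_MOD_FINI (tpm)
{
  if (!tpm_verifier_registered)
    return;
  grub_verifier_unregister (&grub_tpm_verifier);
}
```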
diff --git a/include/grub/tpm.h b/include/grub/tpm.h
index 5c285cbc5..c19fcbd0a 100644
--- a/include/grub/tpm.h
+++ b/include/grub/tpm.h
@@ -36,4 +36,5 @@
 
 grub_err_t grub_tpm_measure (unsigned char *buf, grub_size_t size,
                             grub_uint8_t pcr, const char *description);
+int grub_tpm_present (void);
 #endif
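Review bot: The new `int grub_tpm_present (void);` prototype carries no comment, and this header is the one place where the two platform implementations (efi/tpm.c and ieee1275/ibmvtpm.c) share a contract. A short comment above it, such as `/* Return nonzero if a TPM device is present and usable, 0 otherwise. Called from GRUB_MOD_INIT(tpm) before the verifier is registered; may perform late device discovery. */`, would pin down the semantics both implementations must satisfy.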
-- 
2.39.1


