tpcm: support control switch

Signed-off-by: Qiumiao Zhang <zhangqiumiao1@huawei.com>
2023-06-14 15:28:19 +08:00 · 2023-06-14 15:28:19 +08:00 · 8157957a9e
commit 8157957a9e
parent 2b708750bd
3 changed files with 115 additions and 1 deletions
--- a/grub.patches
+++ b/grub.patches
@ -448,3 +448,4 @@ Patch0447: backport-fs-iso9660-Avoid-reading-past-the-entry-boundary.patch
 Patch0448: backport-net-bootp-Fix-unchecked-return-value.patch
 Patch0449: backport-osdep-linux-hostdisk-Modify-sector-by-sysfs-as-disk-sector.patch
 Patch0450: skip-verification-when-not-loading-grub.cfg.patch
+Patch0451: tpcm-support-control-switch.patch
--- a/grub2.spec
+++ b/grub2.spec
@ -8,7 +8,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.04
-Release:	33
+Release:	34
 Summary:	Bootloader with support for Linux, Multiboot and more
 License:	GPLv3+
 URL:		http://www.gnu.org/software/grub/
@ -442,6 +442,12 @@ rm -r /boot/grub2.tmp/ || :
 %{_datadir}/man/man*

 %changelog
+* Wed Jun 14 2023 zhangqiumiao <zhangqiumiao1@huawei.com> - 1:2.04-34
+- Type:requirement
+- CVE:NA
+- SUG:NA
+- DESC:tpcm: support control switch
+
 * Wed May 31 2023 zhangqiumiao <zhangqiumiao1@huawei.com> - 1:2.04-33
 - Type:bugfix
 - CVE:NA
--- a/tpcm-support-control-switch.patch
+++ b/tpcm-support-control-switch.patch
@ -0,0 +1,107 @@
+From f8e4b65322175ac66e0b1392826b1c4b99db38a9 Mon Sep 17 00:00:00 2001
+From: Qiumiao Zhang <zhangqiumiao1@huawei.com>
+Date: Thu, 15 Jun 2023 10:29:32 +0800
+Subject: [PATCH] tpcm: support control switch
+
+Signed-off-by: Qiumiao Zhang <zhangqiumiao1@huawei.com>
+---
+ grub-core/commands/efi/tpcm.c | 38 ++++++++++++++++++++++++++---------
+ include/grub/efi/tpcm.h       |  3 ++-
+ 2 files changed, 30 insertions(+), 11 deletions(-)
+
+diff --git a/grub-core/commands/efi/tpcm.c b/grub-core/commands/efi/tpcm.c
+index 0803b9b..57a4cea 100644
+--- a/grub-core/commands/efi/tpcm.c
+++ b/grub-core/commands/efi/tpcm.c
+@@ -25,6 +25,7 @@ static grub_efi_ipmi_interface_protocol_t *tpcm_ipmi;
+ static grub_efi_uint16_t grub_tcpm_file_type = GRUB_FILE_TYPE_NONE;
+ 
+ static grub_uint32_t bm_stage_base = 2000;
+static grub_efi_uint8_t permissive = 0;
+ 
+ static grub_efi_handle_t
+ grub_efi_service_binding (grub_efi_guid_t *service_binding_guid)
+@@ -325,8 +326,13 @@ grub_tpcm_log_event (unsigned char *buf, grub_size_t size, const char *descripti
+   status = get_firmware_hash_content (buf, size, output);
+   if (status != GRUB_EFI_SUCCESS)
+     {
+-      grub_printf ("get firmware hash content failed\n");
+-      err = GRUB_ERR_BUG;
+      if (permissive)
+        grub_dprintf ("tpcm", "tpcm control switch turned off, ignore get firmware hash content failure.\n");
+      else
+        {
+          grub_printf ("get firmware hash content failed\n");
+          err = GRUB_ERR_BUG;
+        }
+       goto fail;
+     }
+ 
+@@ -338,9 +344,14 @@ grub_tpcm_log_event (unsigned char *buf, grub_size_t size, const char *descripti
+                                        &response_length, NULL);
+   if (status != GRUB_EFI_SUCCESS)
+     {
+-      err = grub_error (GRUB_ERR_BUG,
+-                        "excute_ipmi_cmd failed, request sub_cmd:0x%x, ret:%lu\n",
+-                        request_data->SubCmd, status);
+      if (permissive)
+        grub_dprintf ("tpcm", "tpcm control switch turned off, ignore excute_ipmi_cmd failure.\n");
+      else
+        {
+          err = grub_error (GRUB_ERR_BUG,
+                            "excute_ipmi_cmd failed, request sub_cmd:0x%x, ret:%lu\n",
+                            request_data->SubCmd, status);
+        }
+       goto fail;
+     }
+   grub_dprintf ("tpcm", "send tpcm measure request success\n");
+@@ -348,10 +359,16 @@ grub_tpcm_log_event (unsigned char *buf, grub_size_t size, const char *descripti
+   status = grub_tpcm_request_result ();
+   if (status != GRUB_EFI_SUCCESS)
+     {
+-      err = grub_error (GRUB_ERR_BAD_SIGNATURE, "bad tpcm signature");
+-      goto fail;
+      if (permissive)
+        grub_dprintf ("tpcm", "tpcm control switch turned off, ignore measurement failure.\n");
+      else
+        {
+          err = grub_error (GRUB_ERR_BAD_SIGNATURE, "bad tpcm signature");
+          goto fail;
+        }
+     }
+-  grub_dprintf ("tpcm", "tpcm hash verify success, file:%s\n", description);
+  else
+    grub_dprintf ("tpcm", "tpcm hash verify success, file:%s\n", description);
+ 
+  fail:
+   if (request_data)
+@@ -400,9 +417,10 @@ tpcm_ipmi_get_switch (void)
+       goto out;
+     }
+ 
+-  if (response_data.ControlResult == IPMI_TPCM_OPEN)
+  if (response_data.ControlResult == IPMI_TPCM_OPEN || response_data.ControlResult == IPMI_TPCM_PERMISSIVE)
+     {
+-      grub_dprintf ("tpcm", "tpcm: Enabled\n");
+      permissive = (response_data.ControlResult == IPMI_TPCM_PERMISSIVE) ? 1 : 0;
+      grub_dprintf ("tpcm", "tpcm: Enabled, ControlResult: %d\n", response_data.ControlResult);
+       return 1;
+     }
+ 
+diff --git a/include/grub/efi/tpcm.h b/include/grub/efi/tpcm.h
+index eea1387..b0265e2 100644
+--- a/include/grub/efi/tpcm.h
+++ b/include/grub/efi/tpcm.h
+@@ -158,7 +158,8 @@ typedef enum {
+ typedef enum {
+     IPMI_TPCM_UNKNOW,
+     IPMI_TPCM_OPEN,
+-    IPMI_TPCM_CLOSE
+    IPMI_TPCM_CLOSE,
+    IPMI_TPCM_PERMISSIVE
+ } grub_ipmi_tpcm_result_type;
+ 
+ 
+-- 
+2.27.0
+