grub2/0002-tpm-Disable-tpm-verifier-if-tpm-is-not-present.patch
Michael Chang 23aa9ce4c5 Accepting request 1067109 from home:michael-chang:branches:Base:System
- Fix out of memory error on lpar installation from virtual cdrom (bsc#1208024)
  * 0001-ieee1275-Further-increase-initially-allocated-heap-f.patch
  * 0002-tpm-Disable-tpm-verifier-if-tpm-is-not-present.patch
- Fix lpar got hung at grub after inactive migration (bsc#1207684)
  * 0002-ieee1275-implement-vec5-for-cas-negotiation.patch
- Rediff
  * safe_tpm_pcr_snapshot.patch
- Patch supersceded
  * 0001-tpm-Disable-tpm-verifier-if-tpm-is-not-present.patch

OBS-URL: https://build.opensuse.org/request/show/1067109
OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=441
2023-02-24 05:42:16 +00:00

124 lines
3.3 KiB
Diff

From e5bba1012e34597215684aa948bbc30093faa750 Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Fri, 7 Oct 2022 13:37:10 +0800
Subject: [PATCH 2/2] tpm: Disable tpm verifier if tpm is not present
This helps to prevent out of memory error when reading large files via
disabling tpm device as verifier has to read all content into memory in
one chunk to measure the hash and extend to tpm.
For ibmvtpm driver support this change here would be needed. It helps to
prevent much memory consuming tpm subsystem from being activated when no
vtpm device present.
Signed-off-by: Michael Chang <mchang@suse.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
grub-core/commands/efi/tpm.c | 37 +++++++++++++++++++++++++++
grub-core/commands/ieee1275/ibmvtpm.c | 16 +++++++-----
grub-core/commands/tpm.c | 4 +++
include/grub/tpm.h | 1 +
4 files changed, 52 insertions(+), 6 deletions(-)
--- a/grub-core/commands/efi/tpm.c
+++ b/grub-core/commands/efi/tpm.c
@@ -397,3 +397,40 @@
return result;
}
+
+int
+grub_tpm_present (void)
+{
+ grub_efi_handle_t tpm_handle;
+ grub_efi_uint8_t protocol_version;
+
+ if (!grub_tpm_handle_find (&tpm_handle, &protocol_version))
+ return 0;
+
+ if (protocol_version == 1)
+ {
+ grub_efi_tpm_protocol_t *tpm;
+
+ tpm = grub_efi_open_protocol (tpm_handle, &tpm_guid,
+ GRUB_EFI_OPEN_PROTOCOL_GET_PROTOCOL);
+ if (!tpm)
+ {
+ grub_dprintf ("tpm", "Cannot open TPM protocol\n");
+ return 0;
+ }
+ return grub_tpm1_present (tpm);
+ }
+ else
+ {
+ grub_efi_tpm2_protocol_t *tpm;
+
+ tpm = grub_efi_open_protocol (tpm_handle, &tpm2_guid,
+ GRUB_EFI_OPEN_PROTOCOL_GET_PROTOCOL);
+ if (!tpm)
+ {
+ grub_dprintf ("tpm", "Cannot open TPM protocol\n");
+ return 0;
+ }
+ return grub_tpm2_present (tpm);
+ }
+}
--- a/grub-core/commands/ieee1275/ibmvtpm.c
+++ b/grub-core/commands/ieee1275/ibmvtpm.c
@@ -136,12 +136,6 @@
grub_tpm_measure (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
const char *description)
{
- grub_err_t err = tpm_init();
-
- /* Absence of a TPM isn't a failure. */
- if (err != GRUB_ERR_NONE)
- return GRUB_ERR_NONE;
-
grub_dprintf ("tpm", "log_event, pcr = %d, size = 0x%" PRIxGRUB_SIZE ", %s\n",
pcr, size, description);
@@ -150,3 +144,13 @@
return GRUB_ERR_NONE;
}
+
+int
+grub_tpm_present (void)
+{
+ /*
+ * Call tpm_init() 'late' rather than from GRUB_MOD_INIT() so that device nodes
+ * can be found.
+ */
+ return tpm_init() == GRUB_ERR_NONE;
+}
--- a/grub-core/commands/tpm.c
+++ b/grub-core/commands/tpm.c
@@ -311,6 +311,8 @@
GRUB_MOD_INIT (tpm)
{
+ if (!grub_tpm_present())
+ return;
grub_verifier_register (&grub_tpm_verifier);
cmd = grub_register_extcmd ("tpm_record_pcrs", grub_tpm_record_pcrs, 0,
@@ -321,6 +323,8 @@
GRUB_MOD_FINI (tpm)
{
+ if (!grub_tpm_present())
+ return;
grub_verifier_unregister (&grub_tpm_verifier);
grub_unregister_extcmd (cmd);
}
--- a/include/grub/tpm.h
+++ b/include/grub/tpm.h
@@ -44,5 +44,6 @@
grub_uint8_t pcr, const char *description);
struct grub_tpm_digest *grub_tpm_read_pcr (grub_uint8_t index, const char *algo);
void grub_tpm_digest_free (struct grub_tpm_digest *d);
+int grub_tpm_present (void);
#endif