Thread: 25 messages, 6 authors, 2017-11-03

Re: [PATCH v2 2/3] efi: call get_event_log before ExitBootServices

From: Thiebaud Weksteen <hidden>
Date: 2017-09-18 12:29:09
Also in: lkml

On Thu, Sep 14, 2017 at 9:02 PM, Jarkko Sakkinen [off-list ref] wrote:
> On Thu, Sep 14, 2017 at 11:48:54AM -0700, Matthew Garrett wrote:
>> On Thu, Sep 14, 2017 at 11:43 AM, Jarkko Sakkinen [off-list ref] wrote:
>>> On Mon, Sep 11, 2017 at 12:00:21PM +0200, Thiebaud Weksteen wrote:
>>>> With TPM 2.0 specification, the event logs may only be accessible by
>>>> calling an EFI Boot Service. Modify the EFI stub to copy the log area to
>>>> a new Linux-specific EFI configuration table so it remains accessible
>>>> once booted.
>>>>
>>>> When calling this service, it is possible to specify the expected format
>>>> of the logs: TPM 1.2 (SHA1) or TPM 2.0 ("Crypto Agile"). For now, only the
>>>> first format is retrieved.
>>>>
>>>> Signed-off-by: Thiebaud Weksteen <redacted>
>>>
>>> With a quick skim the code change looks good but I remember from
>>> Matthew's talk that there was this issue that ExitBootServices() would
>>> cause yet another event?
>>>
>>> I guess you could manually synthesize that event by reading the PCR
>>> values right after ExitBootServices()?
>>
>> I think that would involve breaking SHA1… the information should be
>
> You are absolutely right, was not thinking clearly :-)
>
>> available in the TCG_TREE_FINAL_EVENTS configuration table, so it
>> /should/ just be a matter of merging the events from that into the
>> event log.
>
> Right, it is available through runtime services. Why isn't this part
> of the patch set?

This is not included yet as this table
(EFI_TCG2_FINAL_EVENTS_TABLE_GUID) relies on the TPM2 format for the
log entries (TCG_PCR_EVENT2, "Crypto Agile"). I first plan to add the
parsing of this log version (i.e., efi_retrieve_tpm2_eventlog_2) before
adding the merging of both tables. But these will be separate patch
sets.

>>> /Jarkko
>
> /Jarkko
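The two pieces of work the reply defers, parsing the crypto-agile log and merging the final events table into it, as an added example in C. This is not code from the patch set or from any participant in the thread. It walks a TCG_EfiSpecIdEvent header to learn the digest size of each PCR bank, sizes each TCG_PCR_EVENT2 with every field bounds-checked against the buffer (the log is firmware-controlled input, so a bad length must fail cleanly rather than over-read), then appends the EFI_TCG2_FINAL_EVENTS_TABLE entries. Because firmware logs every event to both the event log and the final events table once GetEventLog() has been called, entries already present in the final table when the main log was fetched are duplicates; the example skips them via a `skip_first` count, which is this example's assumption about how that is tracked, not an interface from the kernel. The function names, the eight-bank table cap and all sample bytes are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define EV_NO_ACTION 0x00000003u
#define D32(b) b,b,b,b,b,b,b,b, b,b,b,b,b,b,b,b, b,b,b,b,b,b,b,b, b,b,b,b,b,b,b,b

/* Digest size per bank, learned from the Spec ID event (8 banks is this example's cap). */
struct alg_table { struct { uint16_t alg, size; } a[8]; size_t n; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32; }

/* First entry of a crypto-agile log: a SHA1-format TCG_PCR_EVENT (PCR 0, EV_NO_ACTION, zero
 * digest) whose event data is a TCG_EfiSpecIdEvent. Returns its total size, 0 if malformed. */
size_t parse_spec_id_event(const uint8_t *log, size_t len, struct alg_table *t)
{
    if (len < 32 || rd32(log) != 0 || rd32(log + 4) != EV_NO_ACTION) return 0;
    uint32_t esz = rd32(log + 28);                  /* EventSize sits after the 20-byte digest */
    const uint8_t *ev = log + 32;
    if (esz > len - 32 || esz < 28 || memcmp(ev, "Spec ID Event03", 16) != 0) return 0;
    uint32_t nalg = rd32(ev + 24);                  /* numberOfAlgorithms */
    if (nalg == 0 || nalg > 8 || esz - 28 < (size_t)nalg * 4 + 1) return 0; /* +1: vendorInfoSize */
    for (uint32_t i = 0; i < nalg; i++) { t->a[i].alg = rd16(ev + 28 + 4 * i); t->a[i].size = rd16(ev + 30 + 4 * i); }
    t->n = nalg;
    return 32 + esz;
}

/* Size of the TCG_PCR_EVENT2 at p: PCRIndex, EventType, TPML_DIGEST_VALUES (count, then alg id +
 * digest per bank), EventSize, Event. Returns 0 on truncation, unknown algorithm or bad count. */
size_t event2_size(const uint8_t *p, size_t len, const struct alg_table *t)
{
    if (len < 12) return 0;
    uint32_t count = rd32(p + 8);
    size_t off = 12;
    if (count == 0 || count > t->n) return 0;       /* no more digests than declared banks */
    for (uint32_t i = 0; i < count; i++) {
        if (len - off < 2) return 0;
        uint16_t alg = rd16(p + off);
        size_t dsz = 0;
        for (size_t j = 0; j < t->n; j++) if (t->a[j].alg == alg) dsz = t->a[j].size;
        off += 2;
        if (dsz == 0 || len - off < dsz) return 0;  /* unknown bank or digest runs off the end */
        off += dsz;
    }
    if (len - off < 4) return 0;
    uint32_t esz = rd32(p + off);
    off += 4;
    return (len - off < esz) ? 0 : off + esz;
}

/* Validate the main log, copy it to out, then append the final events table entries
 * (UINT64 Version == 1, UINT64 NumberOfEvents, TCG_PCR_EVENT2[]). The first skip_first entries
 * were already in the table when the main log was fetched, so they are duplicates (assumption:
 * the caller tracked that count). Returns the merged size, 0 on any error. */
size_t merge_final_events(const uint8_t *log, size_t log_len, const uint8_t *tbl, size_t tbl_len,
                          uint64_t skip_first, uint8_t *out, size_t out_cap, size_t *n_events)
{
    struct alg_table t;
    size_t off = parse_spec_id_event(log, log_len, &t), n = 0, out_len, toff = 16;
    if (off == 0 || log_len > out_cap) return 0;
    while (off < log_len) {                         /* every main-log entry must size cleanly */
        size_t sz = event2_size(log + off, log_len - off, &t);
        if (sz == 0) return 0;
        off += sz; n++;
    }
    memcpy(out, log, log_len);
    out_len = log_len;
    if (tbl_len < 16 || rd64(tbl) != 1) return 0;
    uint64_t nev = rd64(tbl + 8);
    if (skip_first > nev) return 0;
    for (uint64_t i = 0; i < nev; i++) {
        size_t sz = event2_size(tbl + toff, tbl_len - toff, &t);
        if (sz == 0) return 0;
        if (i >= skip_first) {                      /* only events logged after the main log was read */
            if (out_cap - out_len < sz) return 0;
            memcpy(out + out_len, tbl + toff, sz);
            out_len += sz; n++;
        }
        toff += sz;
    }
    if (n_events) *n_events = n;
    return out_len;
}

/* Constructed sample bytes (not real firmware output). One bank: TPM_ALG_SHA256 (0x000B), 32 bytes. */
static const uint8_t SPEC_ID[] = {
    0,0,0,0,  3,0,0,0,  0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,  33,0,0,0, /* PCR 0, EV_NO_ACTION, zero digest, EventSize */
    'S','p','e','c',' ','I','D',' ','E','v','e','n','t','0','3',0,
    0,0,0,0,  0,2,0,2,  1,0,0,0,  0x0B,0x00, 32,0,  0 }; /* platformClass, spec 2.0, 1 alg, SHA256/32, vendorInfoSize 0 */
static const uint8_t EVENT_A[] = { 0,0,0,0, 1,0,0,0, 1,0,0,0, 0x0B,0x00, D32(0x11), 4,0,0,0, 'a','b','c','d' };     /* PCR 0, EV_POST_CODE */
static const uint8_t EVENT_B[] = { 5,0,0,0, 4,0,0,0, 1,0,0,0, 0x0B,0x00, D32(0x22), 4,0,0,0, 0xFF,0xFF,0xFF,0xFF }; /* PCR 5, EV_SEPARATOR */

/* Main log = Spec ID header + EVENT_A. Final table = {Version 1, 2 events}: EVENT_A again (logged
 * to both places after GetEventLog) and EVENT_B (logged after the main log was fetched). */
size_t demo_merge(size_t *n_events)
{
    uint8_t log[sizeof SPEC_ID + sizeof EVENT_A];
    uint8_t tbl[16 + sizeof EVENT_A + sizeof EVENT_B] = { 1,0,0,0,0,0,0,0, 2,0,0,0,0,0,0,0 };
    static uint8_t out[256];
    memcpy(log, SPEC_ID, sizeof SPEC_ID);
    memcpy(log + sizeof SPEC_ID, EVENT_A, sizeof EVENT_A);
    memcpy(tbl + 16, EVENT_A, sizeof EVENT_A);
    memcpy(tbl + 16 + sizeof EVENT_A, EVENT_B, sizeof EVENT_B);
    return merge_final_events(log, sizeof log, tbl, sizeof tbl, 1, out, sizeof out, n_events);
}

int main(void)
{
    size_t n = 0, sz = demo_merge(&n);
    printf("merged log: %zu bytes, %zu TCG_PCR_EVENT2 entries after the Spec ID header\n", sz, n);
    return sz == 0;
}
```

With the sample above the merged log is the 65-byte header, the 54-byte EVENT_A from the main log and the 54-byte EVENT_B from the final table, and the duplicated EVENT_A is dropped. Feeding `event2_size` a buffer one byte short of an entry returns 0 instead of reading past the end, which is the property that matters when the bytes come from firmware.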