u-boot.git/lib/efi_loader/efi_tcg2.c, branch master Unnamed repository; edit this file 'description' to name the repository. efi_loader: add missing EFI_CALL around tcg2 read_blocks calls 2026-02-15T07:26:33+00:00 Vincent Stehlé vincent.stehle@arm.com 2026-02-11T12:43:14+00:00 05b13c05896f43a25f07e01385f156b2142f69aa The read_blocks() function from the Block IO protocol is a UEFI function; make sure to call it from within U-Boot using the EFI_CALL() macro. To demonstrate the issue on an AArch64 machine, define the DEBUG macro in include/efi_loader.h and build u-boot with sandbox_defconfig, then download and uncompress the ACS-DT image [1], and finally execute the following command: $ ./u-boot -T -c " \ host bind 0 systemready-dt_acs_live_image.wic; \ setenv loadaddr 0x10000; \ load host 0 \${loadaddr} EFI/BOOT/Shell.efi; \ bootefi \${loadaddr} \${fdtcontroladdr}" The following assertion should fail: lib/efi_loader/efi_net.c:858: efi_network_timer_notify: Assertion `__efi_entry_check()' failed. This happens due to the following EFIAPI functions call chain: efi_start_image() efi_disk_read_blocks() (due to the missing EFI_CALL, entry_count == 2) efi_network_timer_notify() Link: https://github.com/ARM-software/arm-systemready/releases/download/v25.12_DT_3.1.1/systemready-dt_acs_live_image.wic.xz [1] Fixes: ce3dbc5d080d ("efi_loader: add UEFI GPT measurement") Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com> Cc: Heinrich Schuchardt <xypron.glpk@gmx.de> Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org> Cc: Tom Rini <trini@konsulko.com> Cc: Masahisa Kojima <kojima.masahisa@socionext.com> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Acked-by: Masahisa Kojima <kojima.masahisa@socionext.com> Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> 
The read_blocks() function from the Block IO protocol is a UEFI function;
make sure to call it from within U-Boot using the EFI_CALL() macro.

To demonstrate the issue on an AArch64 machine, define the DEBUG macro in
include/efi_loader.h and build u-boot with sandbox_defconfig, then download
and uncompress the ACS-DT image [1], and finally execute the following
command:

  $ ./u-boot -T -c " \
      host bind 0 systemready-dt_acs_live_image.wic; \
      setenv loadaddr 0x10000; \
      load host 0 \${loadaddr} EFI/BOOT/Shell.efi; \
      bootefi \${loadaddr} \${fdtcontroladdr}"

The following assertion should fail:

  lib/efi_loader/efi_net.c:858: efi_network_timer_notify: Assertion `__efi_entry_check()' failed.

This happens due to the following EFIAPI functions call chain:

  efi_start_image()
    efi_disk_read_blocks()
      (due to the missing EFI_CALL, entry_count == 2)
      efi_network_timer_notify()

Link: https://github.com/ARM-software/arm-systemready/releases/download/v25.12_DT_3.1.1/systemready-dt_acs_live_image.wic.xz [1]
Fixes: ce3dbc5d080d ("efi_loader: add UEFI GPT measurement")
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Cc: Tom Rini <trini@konsulko.com>
Cc: Masahisa Kojima <kojima.masahisa@socionext.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Acked-by: Masahisa Kojima <kojima.masahisa@socionext.com>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
tpm2: add sm3 256 hash support 2025-12-04T15:38:58+00:00 Heiko Schocher hs@nabladev.com 2025-11-18T04:30:41+00:00 7c3f05ad51e4bc23dd4f411f28968f1d8f43099c add sm3 256 hash support, so TPM2 chips which report 5 pcrs with sm3 hash do not fail with: u-boot=> tpm2 autostart tpm2_get_pcr_info: too many pcrs: 5 Error: -90 Signed-off-by: Heiko Schocher <hs@nabladev.com> 
add sm3 256 hash support, so TPM2 chips which report
5 pcrs with sm3 hash do not fail with:

  u-boot=> tpm2 autostart
  tpm2_get_pcr_info: too many pcrs: 5
  Error: -90

Signed-off-by: Heiko Schocher <hs@nabladev.com>
efi_loader: Separate device path into its own header 2025-05-25T09:27:18+00:00 Simon Glass sjg@chromium.org 2025-05-24T17:28:21+00:00 f4bbd7b9faa4c20e5b838d7ea609ebadc7305ba0 These functions are useful for the EFI app. As a first step towards making these available outside lib/efi_loader, create a separate header file and include it where needed. Add proper comments to the functions, since many are missing at present. Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> 
These functions are useful for the EFI app. As a first step towards
making these available outside lib/efi_loader, create a separate header
file and include it where needed. Add proper comments to the functions,
since many are missing at present.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
tcg2: decouple eventlog size from efi 2025-01-28T06:59:23+00:00 Raymond Mao raymond.mao@linaro.org 2025-01-27T14:49:35+00:00 afe26a74ddfe183b7ea76d5b36d33d2318d02c28 Move default eventlog size from efi to tpm for using in both efi and measured boot. Signed-off-by: Raymond Mao <raymond.mao@linaro.org> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
Move default eventlog size from efi to tpm for using in both
efi and measured boot.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
efi_loader: use LOGC_EFI consistently 2025-01-26T10:06:56+00:00 Heinrich Schuchardt heinrich.schuchardt@canonical.com 2025-01-16T19:26:59+00:00 e9c34fab18a9a0022b36729afd8e262e062764e2 The log category should be LOGC_EFI all over the EFI sub-system. Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
The log category should be LOGC_EFI all over the EFI sub-system.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
efi_loader: Don't warn if the TCG2 FinalEvents table is not installed 2025-01-05T01:30:48+00:00 Ilias Apalodimas ilias.apalodimas@linaro.org 2024-11-28T07:11:20+00:00 6f1251a78b13c2f7c1c68fbca39c28b65cf28453 When the TCG2 protocol installation fails, we are trying to remove all the objects we created in tcg2_uninit(). However, there are cases when this function runs before the config table was installed. So instead of printing an error unconditionally check against EFI_NOT_FOUND and don't print anything if the table wasn't installed to begin with. Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
When the TCG2 protocol installation fails, we are trying to remove
all the objects we created in tcg2_uninit().

However, there are cases when this function runs before the config
table was installed. So instead of printing an error unconditionally
check against EFI_NOT_FOUND and don't print anything if the table wasn't
installed to begin with.

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
efi_loader: simplify efi_tcg2_hash_log_extend_event() 2024-11-23T22:14:15+00:00 Heinrich Schuchardt heinrich.schuchardt@canonical.com 2024-11-05T04:20:45+00:00 a152e149991dd062ba47f41c06cc44723c30375f The value of variable nt is never used. Just use NULL when calling efi_check_pe(). The API function is not expected to write to the console. Such output might have unwanted side effects on the screen layout of an EFI application. Leave error handling to the caller. Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
The value of variable nt is never used. Just use NULL when calling
efi_check_pe().

The API function is not expected to write to the console. Such output might
have unwanted side effects on the screen layout of an EFI application.

Leave error handling to the caller.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
efi_loader: Make tcg2_uninit() static 2024-10-31T05:05:08+00:00 Ilias Apalodimas ilias.apalodimas@linaro.org 2024-10-30T20:40:59+00:00 c8c10b83ef0a7a04ba40223c841f6f721d9a28a3 This function is only used locally, so make it static and quiesce the W=1 warning Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> 
This function is only used locally, so make it static and quiesce
the W=1 warning

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
tpm: Untangle tpm2_get_pcr_info() 2024-06-30T11:58:31+00:00 Ilias Apalodimas ilias.apalodimas@linaro.org 2024-06-23T11:48:17+00:00 cba3fa90240df783cb040f25833dd420f7f39f16 This function was used on measured boot to retrieve the number of active PCR banks and was designed to work with the TCG protocols. Since we now have the need to retrieve the active PCRs outside the measured boot context -- e.g use the in the command line, decouple the function. Create one that will only adheres to TCG TSS2.0 [0] specification called tpm2_get_pcr_info() which can be used by the TPM2.0 APIs and a new one that is called from the measured boot context called tcg2_get_pcr_info() [0] https://trustedcomputinggroup.org/wp-content/uploads/TSS_Overview_Common_Structures_Version-0.9_Revision-03_Review_030918.pdf Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
This function was used on measured boot to retrieve the number of active
PCR banks and was designed to work with the TCG protocols.
Since we now have the need to retrieve the active PCRs outside the
measured boot context -- e.g use the in the command line, decouple the
function.

Create one that will only adheres to TCG TSS2.0 [0] specification called
tpm2_get_pcr_info() which can be used by the TPM2.0 APIs and a new one that
is called from the measured boot context called tcg2_get_pcr_info()

[0] https://trustedcomputinggroup.org/wp-content/uploads/TSS_Overview_Common_Structures_Version-0.9_Revision-03_Review_030918.pdf

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
efi_loader: remove unneeded header files 2024-06-30T11:58:31+00:00 Ilias Apalodimas ilias.apalodimas@linaro.org 2024-06-23T11:48:16+00:00 fed9c11c3b58de804059915b33f9e9263ce6ce75 efi_tcg2.h already includes tpm-v2.h. Remove it Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
efi_tcg2.h already includes tpm-v2.h. Remove it

Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>