efi-api: check the EFI_TCG2_FINAL_EVENTS_TABLE in efi_has_tpm2()

The EFI firmware may provide the TPM2 event log using EFI_TCG2_FINAL_EVENTS_TABLE stored in EFI configuration table, instead of the ACPI Table TPM2. If the ACPI Table TPM2 doesn't exist, try to check whether EFI_TCG2_FINAL_EVENTS_TABLE is available or not. Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2024-11-23 10:13:34 +08:00 · 2022-12-24 17:46:01 +08:00 · 2022-12-24 17:46:01 +08:00 · 4b33911581
commit 4b33911581
parent f151abb0e5
1 changed files with 24 additions and 12 deletions
--- a/src/shared/efi-api.c
+++ b/src/shared/efi-api.c
@ -524,21 +524,33 @@ bool efi_has_tpm2(void) {

        /* Returns whether the system has a TPM2 chip which is known to the EFI firmware. */

-        if (cache < 0) {
+        if (cache >= 0)
+                return cache;

-                /* First, check if we are on an EFI boot at all. */
-                if (!is_efi_boot())
-                        cache = false;
-                else {
-                        /* Then, check if the ACPI table "TPM2" exists, which is the TPM2 event log table, see:
-                         * https://trustedcomputinggroup.org/wp-content/uploads/TCG_ACPIGeneralSpecification_v1.20_r8.pdf
-                         * This table exists whenever the firmware is hooked up to TPM2. */
-                        cache = access("/sys/firmware/acpi/tables/TPM2", F_OK) >= 0;
-                        if (!cache && errno != ENOENT)
-                                log_debug_errno(errno, "Unable to test whether /sys/firmware/acpi/tables/TPM2 exists, assuming it doesn't: %m");
-                }
+        /* First, check if we are on an EFI boot at all. */
+        if (!is_efi_boot()) {
+                cache = 0;
+                return cache;
        }

+        /* Then, check if the ACPI table "TPM2" exists, which is the TPM2 event log table, see:
+         * https://trustedcomputinggroup.org/wp-content/uploads/TCG_ACPIGeneralSpecification_v1.20_r8.pdf
+         * This table exists whenever the firmware is hooked up to TPM2. */
+        cache = access("/sys/firmware/acpi/tables/TPM2", F_OK) >= 0;
+        if (cache)
+                return cache;
+
+        if (errno != ENOENT)
+                log_debug_errno(errno, "Unable to test whether /sys/firmware/acpi/tables/TPM2 exists, assuming it doesn't: %m");
+
+        /* As the last try, check if the EFI firmware provides the EFI_TCG2_FINAL_EVENTS_TABLE
+         * stored in EFI configuration table, see:
+         * https://trustedcomputinggroup.org/wp-content/uploads/EFI-Protocol-Specification-rev13-160330final.pdf
+         */
+        cache = access("/sys/kernel/security/tpm0/binary_bios_measurements", F_OK) >= 0;
+        if (!cache && errno != ENOENT)
+                log_debug_errno(errno, "Unable to test whether /sys/kernel/security/tpm0/binary_bios_measurements exists, assuming it doesn't: %m");
+
        return cache;
 }