From: Lennart Poettering
Date: Tue, 23 Sep 2025 11:18:56 +0000 (+0200)
Subject: measure: strip tpm 1.x remnants
X-Git-Tag: v259-rc1~458^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=496489c2a70b1675af679c1d33cee035fe7c9aff;p=thirdparty%2Fsystemd.git
measure: strip tpm 1.x remnants
Let's never bother with old TPM 1.x structures, they are not mentioned in the TCG for TPM2 spec at all. However, the spec does say we should check the Size field of the relevant structs, before accessing them, hence do that.
---
diff --git a/src/boot/measure.c b/src/boot/measure.c
index 5cf6156d622..e097e6676e6 100644
--- a/src/boot/measure.c
+++ b/src/boot/measure.c
@@ -151,27 +151,24 @@ static EFI_CC_MEASUREMENT_PROTOCOL *cc_interface_check(void) {
 }
 static EFI_TCG2_PROTOCOL *tcg2_interface_check(void) {
- EFI_TCG2_BOOT_SERVICE_CAPABILITY capability = {
- .Size = sizeof(capability),
- };
 EFI_STATUS err;
- EFI_TCG2_PROTOCOL *tcg;
+ EFI_TCG2_PROTOCOL *tcg;
 err = BS->LocateProtocol(MAKE_GUID_PTR(EFI_TCG2_PROTOCOL), NULL, (void **) &tcg);
 if (err != EFI_SUCCESS)
 return NULL;
+ EFI_TCG2_BOOT_SERVICE_CAPABILITY capability = {
+ .Size = sizeof(capability),
+ };
 err = tcg->GetCapability(tcg, &capability);
 if (err != EFI_SUCCESS)
 return NULL;
- if (capability.StructureVersion.Major == 1 &&
- capability.StructureVersion.Minor == 0) {
- EFI_TCG_BOOT_SERVICE_CAPABILITY *caps_1_0 =
- (EFI_TCG_BOOT_SERVICE_CAPABILITY*) &capability;
- if (caps_1_0->TPMPresentFlag)
- return tcg;
- }
+ assert(capability.Size >= endoffsetof_field(EFI_TCG2_BOOT_SERVICE_CAPABILITY, Size));
+
+ if (capability.Size < endoffsetof_field(EFI_TCG2_BOOT_SERVICE_CAPABILITY, TPMPresentFlag))
+ return NULL;
 if (!capability.TPMPresentFlag)
 return NULL;
diff --git a/src/boot/proto/tcg.h b/src/boot/proto/tcg.h
index e99c01a4ad1..7a93f5a56f7 100644
--- a/src/boot/proto/tcg.h
+++ b/src/boot/proto/tcg.h
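Review bot: In tcg2_interface_check() (src/boot/measure.c), the added `assert(capability.Size >= endoffsetof_field(EFI_TCG2_BOOT_SERVICE_CAPABILITY, Size));` tests a value that the firmware's GetCapability() wrote, so it is input validation rather than an internal invariant. If assertions halt execution in this build, firmware reporting an undersized Size would stop the boot instead of taking the `return NULL` path used for every other failure here; if they are compiled out, the check disappears. The comparison against the end of `TPMPresentFlag` on the following lines already rejects any smaller Size (assuming Size precedes TPMPresentFlag in the struct; only its first two fields are visible on this page), so the assert can be dropped, or written as `if (capability.Size < endoffsetof_field(EFI_TCG2_BOOT_SERVICE_CAPABILITY, Size)) return NULL;`. The function body continues past the end of the hunk.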
@@ -10,27 +10,11 @@
 #define EV_IPL 13
 #define EV_EVENT_TAG UINT32_C(6)
-typedef struct {
- uint8_t Major;
- uint8_t Minor;
- uint8_t RevMajor;
- uint8_t RevMinor;
-} TCG_VERSION;
-
 typedef struct {
 uint8_t Major;
 uint8_t Minor;
 } EFI_TCG2_VERSION;
-typedef struct {
- uint8_t Size;
- TCG_VERSION StructureVersion;
- TCG_VERSION ProtocolSpecVersion;
- uint8_t HashAlgorithmBitmap;
- bool TPMPresentFlag;
- bool TPMDeactivatedFlag;
-} EFI_TCG_BOOT_SERVICE_CAPABILITY;
-
 typedef struct {
 uint8_t Size;
 EFI_TCG2_VERSION StructureVersion;