From: Luca Boccassi
Date: Sat, 20 Sep 2025 01:12:32 +0000 (+0100)
Subject: commands/efi/tpm: Call get_active_pcr_banks() only with TCG2 1.1 or newer
X-Git-Tag: grub-2.14-rc1~71
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9a725391f1a70b8a0ae4acde8fbb22a78e52697d;p=thirdparty%2Fgrub.git
commands/efi/tpm: Call get_active_pcr_banks() only with TCG2 1.1 or newer
The call was added in the 1.1 revision of the spec, 1.0 does not have it, and there are some machines out there with a TPM2 and a UEFI firmware that only supports version 1.0, so the call fails in those cases. Check the reported version before calling get_active_pcr_banks(). See Table 4 in section 6.2 of the TCG EFI Protocol Specification: https://trustedcomputinggroup.org/wp-content/uploads/EFI-Protocol-Specification-rev13-160330final.pdf
Fixes: f326c5c47 (commands/bli: Set LoaderTpm2ActivePcrBanks runtime variable)
Signed-off-by: Luca Boccassi
Reviewed-by: Andrew Hamilton
Reviewed-by: Daniel Kiper
---
diff --git a/grub-core/commands/efi/tpm.c b/grub-core/commands/efi/tpm.c
index 59d0b6708..7b493c890 100644
--- a/grub-core/commands/efi/tpm.c
+++ b/grub-core/commands/efi/tpm.c
@@ -39,6 +39,7 @@ static grub_uint8_t grub_tpm_version;
 static grub_int8_t tpm1_present = -1;
 static grub_int8_t tpm2_present = -1;
+static grub_int8_t tpm2_pcr_banks_reporting_present = -1;
 static grub_efi_boolean_t
 grub_tpm1_present (grub_efi_tpm_protocol_t *tpm)
@@ -89,6 +90,34 @@ grub_tpm2_present (grub_efi_tpm2_protocol_t *tpm)
 return (grub_efi_boolean_t) tpm2_present;
 }
+static grub_efi_boolean_t
+grub_tpm2_pcr_banks_reporting_present (grub_efi_tpm2_protocol_t *tpm)
+{
+ grub_efi_status_t status;
+ EFI_TCG2_BOOT_SERVICE_CAPABILITY caps;
+
+ caps.Size = (grub_uint8_t) sizeof (caps);
+
+ if (tpm2_pcr_banks_reporting_present != -1)
+ return (grub_efi_boolean_t) tpm2_pcr_banks_reporting_present;
+
+ if (!grub_tpm2_present (tpm))
+ return (grub_efi_boolean_t) (tpm2_pcr_banks_reporting_present = 0);
+
+ status = tpm->get_capability (tpm, &caps);
+
+ if (status != GRUB_EFI_SUCCESS || caps.StructureVersion.Major < 1
+ || (caps.StructureVersion.Major == 1 && caps.StructureVersion.Minor < 1))
+ tpm2_pcr_banks_reporting_present = 0;
+ else
+ tpm2_pcr_banks_reporting_present = 1;
+
+ grub_dprintf ("tpm", "tpm2 PCR banks reporting%s present\n",
+ tpm2_pcr_banks_reporting_present ? "" : " NOT");
+
+ return (grub_efi_boolean_t) tpm2_pcr_banks_reporting_present;
+}
+
 static grub_efi_boolean_t
 grub_tpm_handle_find (grub_efi_handle_t *tpm_handle,
 grub_efi_uint8_t *protocol_version)
@@ -355,7 +384,7 @@ grub_tpm2_active_pcr_banks (void)
 return 0;
 }
- if (grub_tpm2_present (tpm))
+ if (grub_tpm2_pcr_banks_reporting_present (tpm))
 {
 grub_efi_status_t status = tpm->get_active_pcr_banks (tpm, &active_pcr_banks);
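Review bot: The version test in grub_tpm2_pcr_banks_reporting_present() has no comment saying why 1.1 is the threshold, so a later cleanup could fold it back into grub_tpm2_present(); above the `if (status != GRUB_EFI_SUCCESS || ...` line I would add `/* get_active_pcr_banks() exists only from TCG2 protocol 1.1 on; see TCG EFI Protocol Specification, section 6.2, Table 4. */`. The debug message prints the same "NOT present" text for a failed get_capability() and for a firmware that reports 1.0, and the negative answer is then kept in tpm2_pcr_banks_reporting_present for later calls, so logging `status` on the failure path would make the two cases distinguishable in field reports. What grub_tpm2_active_pcr_banks() hands back when this helper says no lies outside the hunks shown, so it is worth confirming that consumers of the bank mask can tell "firmware cannot report" from "no banks active".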