From 90ce968a509c62962f1863dffd5ea3d2b64a2c64 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20=C5=BBygowski?=
Date: Sun, 15 Sep 2024 14:03:13 +0200
Subject: [PATCH] grub-core/loader/i386/txt: Set proper capabilities for CBnT
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CBnT requires the auth PCR usage and no legacy PCR usage as per TXT MLE Software Development Guide revision 017.4.

Signed-off-by: Michał Żygowski
---
 grub-core/loader/i386/txt/txt.c | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/grub-core/loader/i386/txt/txt.c b/grub-core/loader/i386/txt/txt.c
index fd133a1c9..4ab7736b6 100644
--- a/grub-core/loader/i386/txt/txt.c
+++ b/grub-core/loader/i386/txt/txt.c
@@ -764,6 +764,15 @@ init_txt_heap (struct grub_slaunch_params *slparams, struct grub_txt_acm_header
    */
   os_sinit_data->capabilities = GRUB_TXT_CAPS_TPM_12_AUTH_PCR_USAGE;
 
+  /* CBnT must set bits 4 and 5 */
+  if (sinit_caps & GRUB_TXT_CAPS_CBNT_SUPPORT)
+    {
+      os_sinit_data->capabilities |= GRUB_TXT_CAPS_CBNT_SUPPORT;
+
+      if (sinit_caps & GRUB_TXT_CAPS_TPM_12_NO_LEGACY_PCR_USAGE)
+        os_sinit_data->capabilities |= GRUB_TXT_CAPS_TPM_12_NO_LEGACY_PCR_USAGE;
+    }
+
   if (grub_get_tpm_ver () == GRUB_TPM_20)
     {
       if ((sinit_caps & os_sinit_data->capabilities) != os_sinit_data->capabilities)
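Review bot: The commit message states that CBnT requires both the auth and the no-legacy PCR usage, but the new block only ORs in `GRUB_TXT_CAPS_TPM_12_NO_LEGACY_PCR_USAGE` when SINIT happens to advertise it, so a CBnT SINIT that lacks that bit is accepted with a weaker capability set instead of being rejected, and the TPM 1.2 fallback later in this function (`os_sinit_data->capabilities = 0;`) then silently discards the CBnT bit as well. If the requirement from the MLE guide is strict, the inner check should become an error in the same style the function already uses for the "no PCR usage" case, and the legacy fallback should refuse to run when CBnT was requested. The comment `/* CBnT must set bits 4 and 5 */` hardcodes bit positions that the named macros already encode; prefer `/* CBnT requires the auth and no-legacy PCR usage bits (TXT MLE SDG rev 017.4) */`. Whether a CBnT ACM may legitimately omit the no-legacy bit is not visible here, so confirm against the guide before turning this into a hard failure. init_txt_heap starts before this hunk and continues past it.

```c
  os_sinit_data->capabilities = GRUB_TXT_CAPS_TPM_12_AUTH_PCR_USAGE;

  /* CBnT requires the auth and no-legacy PCR usage bits (TXT MLE SDG rev 017.4) */
  if (sinit_caps & GRUB_TXT_CAPS_CBNT_SUPPORT)
    {
      if (!(sinit_caps & GRUB_TXT_CAPS_TPM_12_NO_LEGACY_PCR_USAGE))
        return grub_error (GRUB_ERR_BAD_ARGUMENT,
                           N_("CBnT SINIT does not support no-legacy PCR usage"));

      os_sinit_data->capabilities |= GRUB_TXT_CAPS_CBNT_SUPPORT
                                     | GRUB_TXT_CAPS_TPM_12_NO_LEGACY_PCR_USAGE;
    }
  /* … unchanged: TPM 2.0 / TPM 1.2 capability validation … */
```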
@@ -773,14 +782,14 @@ init_txt_heap (struct grub_slaunch_params *slparams, struct grub_txt_acm_header
   else
     {
       if (!(sinit_caps & GRUB_TXT_CAPS_TPM_12_AUTH_PCR_USAGE))
-	{
-	  grub_dprintf ("slaunch", "Details/authorities PCR usage is not supported. Trying legacy");
-	  if (sinit_caps & GRUB_TXT_CAPS_TPM_12_NO_LEGACY_PCR_USAGE)
-	    return grub_error (GRUB_ERR_BAD_ARGUMENT,
-			       N_("Not a single PCR usage available in SINIT capabilities"));
+        {
+          grub_dprintf ("slaunch", "Details/authorities PCR usage is not supported. Trying legacy");
+          if (sinit_caps & GRUB_TXT_CAPS_TPM_12_NO_LEGACY_PCR_USAGE)
+            return grub_error (GRUB_ERR_BAD_ARGUMENT,
+                               N_("Not a single PCR usage available in SINIT capabilities"));
 
-	  os_sinit_data->capabilities = 0;
-	}
+          os_sinit_data->capabilities = 0;
+        }
     }
 
   /* Use MAXPHYADDR for MTRR masks if available */