Age | Commit message (Collapse) | Author | Files | Lines |
|
Found with the "codespell" utility.
Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
|
|
In the rare case of a TPM 2 failure, disable the platform hierarchy after
disabling the endorsement and owner hierarchies.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
|
|
Instead of just using sha256 for all PCR banks (and truncating
the value or zero-padding it) use the proper hash function for
each one of the banks. For unimplemented hashes, fill the buffer
with 0xff.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
|
|
Change the format of the S_CRTM_VERSION string to ucs-2 since this
is what seems to be commonly used by other firmwares following
insight from a TCG work group member.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
|
|
Add a new firmware API call with the name 2HASH-EXT-LOG that will be used
by trusted grub for measuring, logging, and extending TPM PCRs.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
|
|
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
|
|
Fix two details of the logs:
- Set the filed SpecErrata to 2 as required by specs.
- Write the separator into the log entry's event field.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
|
|
-Wextra enables a bunch of rather useful checks which this fixes.
Note this adds MIN() in tpm_gpt_set_lba1() so it may potentially fail
which is unlikely as the length comes from disk-label's block-size which
is used in other places.
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
|
|
We already have MAX() defined, add MIN() to the common helpers header.
Using the common helper also fixes a bug in tpmdrivers's MIN() where
it was reverted.
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
---
Changes:
v2:
* updated the comment about a fixed bug
|
|
Implement tpm_hash_log_extend_event_buffer() that allows to measure
the contents of a buffer into a given PCR and log it with the
given event type and description. The caller may choose to have
the size of an ELF image file detected so that only data from the
ELF image are hashed rather than the much larger buffer.
Besides using this function call now for measuring the bootloader
read from a GPT partition, we also intend to use it for calls from
the firmware API that allow us to measure and log data from a boot
loader, such as grub. Grub will then invoke this function with a
buffer whose size it knows and will not need the ELF file size
detection.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
|
|
Add support for SHA3 type of algorithms that the vTPM may support
some time in the future.
The algorithms are assigned in "TCG Algorithm Registry"
https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
|
|
The vendorInfoSize is a uint8_t rather than a uint32_t.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
|
|
Only write the logs for those PCRs that are allocated in
banks.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
|
|
Measure and log the GPT table including LBA1 and all GPT table entries
with a non-zero Type GUID.
We follow the specification "TCG PC Client Platform Firmware Profile
Specification" for the format of what needs to be logged and measured.
See section "Event Logging" subsection "Measuring UEFI Variables" for
the UEFI_GPT_DATA structure.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
|
|
Implement a TPM 2 menu and enable the user to clear the TPM
and its activate PCR banks.
The main TPM menu is activated by pressing the 't' key during
firmware startup.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Kevin O'Connor <kevin@koconnor.net>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
|
|
This patch adds TPM 2.0 support along with the firmware API that Linux
uses to transfer the firmware log.
The firmware API follows the "PFW Virtual TPM Driver" specification.
The API has callers in existing Linux code (prom_init.c) from TPM 1.2
times but the API also works for TPM 2.0 without modifications.
The TPM 2.0 support logs PCR extensions of measurements of code and data.
For this part we follow the TCG specification "TCG PC Client
Platform Firmware Profile Specification" (section "Event Logging").
Other relevant specs for the construction of TPM commands are:
- Trusted Platform Module Library; Part 2 Structures
- Trusted Platform Module Library; Part 3 Commands
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Kevin O'Connor <kevin@koconnor.net>
[aik: removed new blank lines at EOF]
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
|