Age | Commit message (Collapse) | Author | Files | Lines |
|
In the rare case of a TPM 2 failure, disable the platform hierarchy after
disabling the endorsement and owner hierarchies.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
|
|
Add test cases for sha1, sha256, sha384, and sha512 and a test script
to run the test cases.
The tests are passing on little and big endian machines (Fedora 28).
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
|
|
Instead of just using sha256 for all PCR banks (and truncating
the value or zero-padding it) use the proper hash function for
each one of the banks. For unimplemented hashes, fill the buffer
with 0xff.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
|
|
Use assembly for the 32 bit rotr in the sha256 implementation
similar to the assembly used in the sha1 and sha512 implementations.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
|
|
Change the format of the S_CRTM_VERSION string to ucs-2 since this
is what seems to be commonly used by other firmwares following
insight from a TCG work group member.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
|
|
Add a new firmware API call with the name 2HASH-EXT-LOG that will be used
by trusted grub for measuring, logging, and extending TPM PCRs.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
|
|
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
|
|
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
|
|
This fixes gcc warnings from -Waddress-of-packed-member and -Wzero-length-bounds.
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
---
tpm_drivers.c: In function ‘spapr_send_crq_and_wait’:
tpm_drivers.c:153:2: warning: converting a packed ‘struct crq’ pointer (alignment 1) to a ‘uint64_t’ {aka ‘long long unsigned int’} pointer alignment 8) may result in an unaligned pointer value [-Waddress-of-packed-member]
153 | rc = hv_send_crq(unit, (uint64_t *)crq);
| ^~
tpm_drivers.c:34:8: note: defined here
34 | struct crq {
| ^~~
tpm_drivers.c: In function ‘spapr_vtpm_senddata’:
tpm_drivers.c:346:2: warning: converting a packed ‘struct crq’ pointer (alignment 1) to a ‘uint64_t’ {aka ‘long long unsigned int’} pointer (alignment 8) may result in an unaligned pointer value [-Waddress-of-packed-member]
346 | rc = hv_send_crq(spapr_vtpm.unit, (uint64_t *)&crq);
| ^~
tpm_drivers.c:34:8: note: defined here
34 | struct crq {
| ^~~
[CC] common-libs
[CC] common-libs
tcgbios.c: In function ‘tpm20_write_EfiSpecIdEventStruct’:
tcgbios.c:708:24: warning: array subscript ‘numAlgs’ is outside the bounds of an interior zero-length array ‘struct TCG_EfiSpecIdEventAlgorithmSize[0]’ [-Wzero-length-bounds]
708 | event.hdr.digestSizes[numAlgs].algorithmId =
| ~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~
In file included from tpm_drivers.h:20,
from tcgbios.c:27:
tcgbios_int.h:92:4: note: while referencing ‘digestSizes’
92 | } digestSizes[0];
| ^~~~~~~~~~~
tcgbios.c:710:24: warning: array subscript ‘numAlgs’ is outside the bounds of an interior zero-length array ‘struct TCG_EfiSpecIdEventAlgorithmSize[0]’ [-Wzero-length-bounds]
710 | event.hdr.digestSizes[numAlgs].digestSize = cpu_to_log16(hsize);
| ~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~
In file included from tpm_drivers.h:20,
from tcgbios.c:27:
tcgbios_int.h:92:4: note: while referencing ‘digestSizes’
92 | } digestSizes[0];
| ^~~~~~~~~~~
|
|
Fix two details of the logs:
- Set the filed SpecErrata to 2 as required by specs.
- Write the separator into the log entry's event field.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
|
|
-Wextra enables a bunch of rather useful checks which this fixes.
Note this adds MIN() in tpm_gpt_set_lba1() so it may potentially fail
which is unlikely as the length comes from disk-label's block-size which
is used in other places.
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
|
|
We already have MAX() defined, add MIN() to the common helpers header.
Using the common helper also fixes a bug in tpmdrivers's MIN() where
it was reverted.
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
---
Changes:
v2:
* updated the comment about a fixed bug
|
|
Implement tpm_hash_log_extend_event_buffer() that allows to measure
the contents of a buffer into a given PCR and log it with the
given event type and description. The caller may choose to have
the size of an ELF image file detected so that only data from the
ELF image are hashed rather than the much larger buffer.
Besides using this function call now for measuring the bootloader
read from a GPT partition, we also intend to use it for calls from
the firmware API that allow us to measure and log data from a boot
loader, such as grub. Grub will then invoke this function with a
buffer whose size it knows and will not need the ELF file size
detection.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
|
|
Add support for SHA3 type of algorithms that the vTPM may support
some time in the future.
The algorithms are assigned in "TCG Algorithm Registry"
https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
|
|
The vendorInfoSize is a uint8_t rather than a uint32_t.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
|
|
Only write the logs for those PCRs that are allocated in
banks.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
|
|
Measure and log the GPT table including LBA1 and all GPT table entries
with a non-zero Type GUID.
We follow the specification "TCG PC Client Platform Firmware Profile
Specification" for the format of what needs to be logged and measured.
See section "Event Logging" subsection "Measuring UEFI Variables" for
the UEFI_GPT_DATA structure.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
|
|
Implement a TPM 2 menu and enable the user to clear the TPM
and its activate PCR banks.
The main TPM menu is activated by pressing the 't' key during
firmware startup.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Kevin O'Connor <kevin@koconnor.net>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
|
|
This patch adds TPM 2.0 support along with the firmware API that Linux
uses to transfer the firmware log.
The firmware API follows the "PFW Virtual TPM Driver" specification.
The API has callers in existing Linux code (prom_init.c) from TPM 1.2
times but the API also works for TPM 2.0 without modifications.
The TPM 2.0 support logs PCR extensions of measurements of code and data.
For this part we follow the TCG specification "TCG PC Client
Platform Firmware Profile Specification" (section "Event Logging").
Other relevant specs for the construction of TPM commands are:
- Trusted Platform Module Library; Part 2 Structures
- Trusted Platform Module Library; Part 3 Commands
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Kevin O'Connor <kevin@koconnor.net>
[aik: removed new blank lines at EOF]
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
|
|
The following patch adds a SHA256 implementation based on the algorithm
description in NIST FIPS PUB 180-4. The patch includes test cases that test
the sha256 implementation and pass on big and little endian ppc64 hosts.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
|
|
This patch adds a TPM driver for the CRQ interface as used by
the QEMU PAPR implementation.
Also add a Readme that explains the benefits and installation procedure
for the vTPM.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
|