diff options
| author | Claudio Carvalho <cclaudio@linux.vnet.ibm.com> | 2016-11-01 20:40:25 -0200 |
|---|---|---|
| committer | Stewart Smith <stewart@linux.vnet.ibm.com> | 2016-11-02 17:06:03 +1100 |
| commit | f9f3d0e2b20e01c32baf6546137dc9cdf0bc516e (patch) | |
| tree | af8a8cd8208ea691b39b433086dec028639afdec | |
| parent | 20db137e82039f9dafd42352525f1e8a8b7995ea (diff) | |
| download | skiboot-f9f3d0e2b20e01c32baf6546137dc9cdf0bc516e.zip skiboot-f9f3d0e2b20e01c32baf6546137dc9cdf0bc516e.tar.gz skiboot-f9f3d0e2b20e01c32baf6546137dc9cdf0bc516e.tar.bz2 | |
tpm_extendl: disable all failed tpms rather than only the first
Each tpm_chip structure is associated with one tpm device and one firmware
event log. If tpm_extendl() returns when the first tpm_chip operation (pcr
extend or event log record) fails, the remaining registered tpm_chips will be
in an inconsistent state, i.e, missing one measurement.
This walks through all registered tpm_chips and disable all tpm_chips that
failed rather than only first one.
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
[stewart@linux.vnet.ibm.com: assert(tpm) in disable_tpm]
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
| -rw-r--r-- | libstb/status_codes.h | 3 | ||||
| -rw-r--r-- | libstb/tpm_chip.c | 44 |
2 files changed, 29 insertions, 18 deletions
diff --git a/libstb/status_codes.h b/libstb/status_codes.h index 64f9325..e67c17b 100644 --- a/libstb/status_codes.h +++ b/libstb/status_codes.h @@ -28,8 +28,7 @@ /* trusted boot */ #define STB_TRUSTED_MODE_DISABLED 200 -#define STB_EVENTLOG_FAILED -200 -#define STB_PCR_EXTEND_FAILED -201 +#define STB_MEASURE_FAILED -200 /* TPM */ #define STB_TPM_OVERFLOW -300 diff --git a/libstb/tpm_chip.c b/libstb/tpm_chip.c index 1bfeb9a..93a8e04 100644 --- a/libstb/tpm_chip.c +++ b/libstb/tpm_chip.c @@ -214,16 +214,23 @@ void tpm_cleanup(void) list_head_init(&tpm_list); } +static void tpm_disable(struct tpm_chip *tpm) +{ + assert(tpm); + tpm->enabled = false; + prlog(PR_NOTICE, "STB: tpm%d disabled\n", tpm->id); +} + int tpm_extendl(TPM_Pcr pcr, TPM_Alg_Id alg1, uint8_t* digest1, size_t size1, TPM_Alg_Id alg2, uint8_t* digest2, size_t size2, uint32_t event_type, const char* event_msg) { - int rc; + int rc, failed; TCG_PCR_EVENT2 event; struct tpm_chip *tpm = NULL; - rc = 0; + failed = 0; list_for_each(&tpm_list, tpm, link) { if (!tpm->enabled) @@ -247,12 +254,15 @@ int tpm_extendl(TPM_Pcr pcr, */ prlog(PR_ERR, "TPM: %s -> elog%d FAILED: pcr%d et=%x rc=%d\n", event_msg, tpm->id, pcr, event_type, rc); - rc = STB_EVENTLOG_FAILED; - goto error; + tpm_disable(tpm); + failed++; + continue; } #ifdef STB_DEBUG - prlog(PR_NOTICE, "TPM: %s -> elog%d: pcr%d et=%x ls=%d\n", - event_msg, tpm->id, pcr, event_type, tpm->logmgr.logSize); + if (rc == 0) + prlog(PR_NOTICE, "TPM: %s -> elog%d: pcr%d et=%x " + "ls=%d\n", event_msg, tpm->id, pcr, + event_type, tpm->logmgr.logSize); tpm_print_pcr(tpm, pcr, alg1, size1); tpm_print_pcr(tpm, pcr, alg2, size2); #endif @@ -275,20 +285,22 @@ int tpm_extendl(TPM_Pcr pcr, */ prlog(PR_ERR, "TPM: %s -> tpm%d FAILED: pcr%d rc=%d\n", event_msg, tpm->id, pcr, rc); - rc = STB_PCR_EXTEND_FAILED; - goto error; + tpm_disable(tpm); + failed++; + continue; } #ifdef STB_DEBUG - prlog(PR_NOTICE, "TPM: %s -> tpm%d: pcr%d\n", event_msg, - tpm->id, pcr); - tpm_print_pcr(tpm, pcr, alg1, size1); - tpm_print_pcr(tpm, pcr, alg2, size2); + if (rc == 0) { + prlog(PR_NOTICE, "TPM: %s -> tpm%d: pcr%d\n", + event_msg, tpm->id, pcr); + tpm_print_pcr(tpm, pcr, alg1, size1); + tpm_print_pcr(tpm, pcr, alg2, size2); + } #endif } - return rc; -error: - tpm->enabled = false; - return rc; + if (failed > 0) + return STB_MEASURE_FAILED; + return 0; } void tpm_add_status_property(void) { |