diff options
| author | Mauro S. M. Rodrigues <maurosr@linux.vnet.ibm.com> | 2020-06-01 17:34:37 -0300 |
|---|---|---|
| committer | Oliver O'Halloran <oohall@gmail.com> | 2020-10-01 13:42:40 +1000 |
| commit | 5d8e0e606c4d05b5196fe86c806b4853594a5fc7 (patch) | |
| tree | 41484200b409cb76f10ea9bdb329f600e240944f | |
| parent | a0ff20fcb2f44c007851c150e4984a881a66abc1 (diff) | |
| download | skiboot-5d8e0e606c4d05b5196fe86c806b4853594a5fc7.zip skiboot-5d8e0e606c4d05b5196fe86c806b4853594a5fc7.tar.gz skiboot-5d8e0e606c4d05b5196fe86c806b4853594a5fc7.tar.bz2 | |
libstb/tss2: Switch to new implementation of PCR Read/Extend and Eventlog
The new implementation of PCR_Read, PCR_Extend and Eventlog uses the
recently introduced standard TSS library.
Old TSS implementation will be removed in the following commit.
Signed-off-by: Mauro S. M. Rodrigues <maurosr@linux.vnet.ibm.com>
Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
| -rw-r--r-- | libstb/Makefile.inc | 3 | ||||
| -rw-r--r-- | libstb/drivers/tpm_i2c_nuvoton.c | 9 | ||||
| -rw-r--r-- | libstb/tpm_chip.c | 39 | ||||
| -rw-r--r-- | libstb/tpm_chip.h | 30 | ||||
| -rw-r--r-- | libstb/trustedboot.c | 31 | ||||
| -rw-r--r-- | libstb/trustedboot.h | 21 | ||||
| -rw-r--r-- | libstb/tss2/Makefile.inc | 4 |
7 files changed, 69 insertions, 68 deletions
diff --git a/libstb/Makefile.inc b/libstb/Makefile.inc index 0b4715b..b609801 100644 --- a/libstb/Makefile.inc +++ b/libstb/Makefile.inc @@ -12,7 +12,6 @@ LIBSTB = $(LIBSTB_DIR)/built-in.a include $(SRC)/$(LIBSTB_DIR)/secvar/Makefile.inc include $(SRC)/$(LIBSTB_DIR)/drivers/Makefile.inc -include $(SRC)/$(LIBSTB_DIR)/tss/Makefile.inc include $(SRC)/$(LIBSTB_DIR)/crypto/Makefile.inc include $(SRC)/$(LIBSTB_DIR)/tss2/Makefile.inc @@ -20,7 +19,7 @@ CPPFLAGS += -I$(SRC)/$(LIBSTB_DIR)/crypto/mbedtls/include CPPFLAGS += -I$(SRC)/$(LIBSTB_DIR)/ibmtpm20tss/utils CFLAGS += -DTPM_SKIBOOT -$(LIBSTB): $(LIBSTB_OBJS:%=$(LIBSTB_DIR)/%) $(DRIVERS) $(TSS) $(SECVAR) $(CRYPTO) $(TSS2) +$(LIBSTB): $(LIBSTB_OBJS:%=$(LIBSTB_DIR)/%) $(DRIVERS) $(SECVAR) $(CRYPTO) $(TSS2) libstb/create-container: libstb/create-container.c libstb/container-utils.c $(call Q, HOSTCC ,$(HOSTCC) $(HOSTCFLAGS) \ diff --git a/libstb/drivers/tpm_i2c_nuvoton.c b/libstb/drivers/tpm_i2c_nuvoton.c index 9d3ff82..0aa9711 100644 --- a/libstb/drivers/tpm_i2c_nuvoton.c +++ b/libstb/drivers/tpm_i2c_nuvoton.c @@ -16,15 +16,6 @@ #define DRIVER_NAME "i2c_tpm_nuvoton" -/* - * Timings between various states or transitions within the interface protocol - * as defined in the TCG PC Client Platform TPM Profile specification, Revision - * 00.43. - */ -#define TPM_TIMEOUT_A 750 -#define TPM_TIMEOUT_B 2000 -#define TPM_TIMEOUT_D 30 - /* I2C interface offsets */ #define TPM_STS 0x00 #define TPM_BURST_COUNT 0x01 diff --git a/libstb/tpm_chip.c b/libstb/tpm_chip.c index f90282f..22d2d3b 100644 --- a/libstb/tpm_chip.c +++ b/libstb/tpm_chip.c @@ -11,7 +11,7 @@ #include "container.h" #include "tpm_chip.h" #include "drivers/tpm_i2c_nuvoton.h" -#include "tss/trustedbootCmds.H" +#include <eventlog.h> /* For debugging only */ //#define STB_DEBUG @@ -44,7 +44,7 @@ struct tpm_driver* tpm_get_driver(void) } #ifdef STB_DEBUG -static void tpm_print_pcr(struct tpm_chip *tpm, TPM_Pcr pcr, TPM_Alg_Id alg, +static void tpm_print_pcr(TPMI_DH_PCR pcr, TPM_ALG_ID alg, size_t size) { int rc; @@ -52,7 +52,7 @@ static void tpm_print_pcr(struct tpm_chip *tpm, TPM_Pcr pcr, TPM_Alg_Id alg, memset(digest, 0, size); - rc = tpmCmdPcrRead(tpm, pcr, alg, digest, size); + rc = tss_pcr_read(pcr, &alg, 1); if (rc) { /** * @fwts-label STBPCRReadFailed @@ -145,8 +145,7 @@ int tpm_register_chip(struct dt_node *node, struct tpm_dev *dev, * Initialize the event log manager by walking through the log to identify * what is the next free position in the log */ - rc = TpmLogMgr_initializeUsingExistingLog(&tpm->logmgr, - (uint8_t*) sml_base, sml_size); + rc = load_eventlog(&tpm->logmgr, (int8_t*) sml_base, sml_size); if (rc) { /** @@ -224,14 +223,18 @@ static void tpm_disable(struct tpm_chip *tpm) prlog(PR_NOTICE, "tpm%d disabled\n", tpm->id); } -int tpm_extendl(TPM_Pcr pcr, - TPM_Alg_Id alg1, uint8_t* digest1, size_t size1, - TPM_Alg_Id alg2, uint8_t* digest2, size_t size2, - uint32_t event_type, const char* event_msg) +int tpm_extendl(TPMI_DH_PCR pcr, + TPMI_ALG_HASH alg1, uint8_t *digest1, + TPMI_ALG_HASH alg2, uint8_t *digest2, + uint32_t event_type, const char *event_msg, + uint32_t event_msg_len) { int rc, failed; - TCG_PCR_EVENT2 event; + TCG_PCR_EVENT2 *event = calloc(1, sizeof(TCG_PCR_EVENT2)); struct tpm_chip *tpm = NULL; + uint8_t hashes_len = 2; + TPMI_ALG_HASH hashes[2] = {alg1, alg2}; + const uint8_t *digests[] = {digest1, digest2}; failed = 0; @@ -246,11 +249,13 @@ int tpm_extendl(TPM_Pcr pcr, list_for_each(&tpm_list, tpm, link) { if (!tpm->enabled) continue; - event = TpmLogMgr_genLogEventPcrExtend(pcr, alg1, digest1, size1, - alg2, digest2, size2, - event_type, event_msg); - /* eventlog recording */ - rc = TpmLogMgr_addEvent(&tpm->logmgr, &event); + /* instantiate eventlog */ + rc = build_event(event, pcr, hashes, hashes_len, digests, + event_type, event_msg, event_msg_len); + + if (rc == 0) + /* eventlog recording */ + rc = add_to_eventlog(&tpm->logmgr, event); if (rc) { /** * @fwts-label STBAddEventFailed @@ -280,9 +285,7 @@ int tpm_extendl(TPM_Pcr pcr, tpm_print_pcr(tpm, pcr, alg2, size2); #endif /* extend the pcr number in both sha1 and sha256 banks*/ - rc = tpmCmdPcrExtend2Hash(tpm, pcr, - alg1, digest1, size1, - alg2, digest2, size2); + rc = tss_pcr_extend(pcr, hashes, hashes_len, digests); if (rc) { /** * @fwts-label STBPCRExtendFailed diff --git a/libstb/tpm_chip.h b/libstb/tpm_chip.h index 49bf2f5..54b0b63 100644 --- a/libstb/tpm_chip.h +++ b/libstb/tpm_chip.h @@ -6,8 +6,9 @@ #include <device.h> -#include "tss/tpmLogMgr.H" -#include "tss/trustedTypes.H" +#include <eventlib.h> +#include <tss2/eventlog.h> +#include <tss2/tssskiboot.h> struct tpm_dev { @@ -51,9 +52,6 @@ struct tpm_chip { struct list_node link; }; -/* TSS tweak */ -typedef struct tpm_chip TpmTarget; - void tss_tpm_register(struct tpm_dev *dev, struct tpm_driver *driver); void tss_tpm_unregister(void); struct tpm_dev* tpm_get_device(void); @@ -72,24 +70,12 @@ extern int tpm_register_chip(struct dt_node *node, struct tpm_dev *dev, * in the event log * This calls a TSS extend function that supports multibank. Both sha1 and * sha256 digests are extended in a single operation sent to the TPM device. - * - * @pcr: PCR number to be extended and recorded in the event log. The same PCR - * number is extende for both sha1 and sha256 banks. - * @alg1: SHA algorithm of digest1. Either TPM_ALG_SHA1 or TPM_ALG_SHA256 - * @digest1: digest1 buffer - * @size1: size of digest1. Either TPM_ALG_SHA1_SIZE or TPM_ALG_SHA256_SIZE - * @alg2: SHA algorithm of digest2. Either TPM_ALG_SHA1 or TPM_ALG_SHA256 - * @digest2: digest2 buffer - * @size2: size of digest2. Either TPM_ALG_SHA1_SIZE or TPM_ALG_SHA256_SIZE - * @event_type: event type log. In skiboot, either EV_ACTION or EV_SEPARATOR. - * @event_msg: event log message that describes the event - * - * Returns O for success or a negative number if it fails. */ -extern int tpm_extendl(TPM_Pcr pcr, - TPM_Alg_Id alg1, uint8_t* digest1, size_t size1, - TPM_Alg_Id alg2, uint8_t* digest2, size_t size2, - uint32_t event_type, const char* event_msg); +int tpm_extendl(TPMI_DH_PCR pcr, + TPMI_ALG_HASH alg1, uint8_t *digest1, + TPMI_ALG_HASH alg2, uint8_t *digest2, + uint32_t event_type, const char *event_msg, + uint32_t event_msg_len); /* Add status property to the TPM devices */ extern void tpm_add_status_property(void); diff --git a/libstb/trustedboot.c b/libstb/trustedboot.c index b1f86cc..b940ba1 100644 --- a/libstb/trustedboot.c +++ b/libstb/trustedboot.c @@ -12,7 +12,7 @@ #include "secureboot.h" #include "trustedboot.h" #include "tpm_chip.h" -#include "tss/trustedTypes.H" +#include "ibmtss/TPM_Types.h" /* For debugging only */ //#define STB_DEBUG @@ -39,7 +39,7 @@ static bool boot_services_exited = false; */ static struct { enum resource_id id; - TPM_Pcr pcr; + TPMI_DH_PCR pcr; } resources[] = { { RESOURCE_ID_IMA_CATALOG, PCR_4}, { RESOURCE_ID_KERNEL, PCR_4}, @@ -137,21 +137,20 @@ int trustedboot_exit_boot_services(void) #ifdef STB_DEBUG prlog(PR_NOTICE, "ev_separator.event: %s\n", ev_separator.event); prlog(PR_NOTICE, "ev_separator.sha1:\n"); - stb_print_data((uint8_t*) ev_separator.sha1, TPM_ALG_SHA1_SIZE); + stb_print_data((uint8_t*) ev_separator.sha1, SHA1_DIGEST_SIZE); prlog(PR_NOTICE, "ev_separator.sha256:\n"); - stb_print_data((uint8_t*) ev_separator.sha256, TPM_ALG_SHA256_SIZE); + stb_print_data((uint8_t*) ev_separator.sha256, SHA256_DIGEST_SIZE); #endif /* * Extend the digest of 0xFFFFFFFF to PCR[0-7] and record it as * EV_SEPARATOR */ for (pcr = 0; pcr < 8; pcr++) { - rc = tpm_extendl(pcr, TPM_ALG_SHA256, - (uint8_t*) ev_separator.sha256, - TPM_ALG_SHA256_SIZE, TPM_ALG_SHA1, - (uint8_t*) ev_separator.sha1, - TPM_ALG_SHA1_SIZE, EV_SEPARATOR, - ev_separator.event); + rc = tpm_extendl(pcr, + TPM_ALG_SHA256, (uint8_t*) ev_separator.sha256, + TPM_ALG_SHA1, (uint8_t*) ev_separator.sha1, + EV_SEPARATOR, ev_separator.event, + strlen(ev_separator.event)); if (rc) failed = true; } @@ -169,7 +168,7 @@ int trustedboot_measure(enum resource_id id, void *buf, size_t len) void *buf_aux; size_t len_aux; const char *name; - TPM_Pcr pcr; + TPMI_DH_PCR pcr; int rc = -1; if (!trusted_mode) @@ -244,15 +243,15 @@ int trustedboot_measure(enum resource_id id, void *buf, size_t len) } #ifdef STB_DEBUG - stb_print_data(digest, TPM_ALG_SHA256_SIZE); + stb_print_data(digest, SHA256_DIGEST_SIZE); + #endif /* * Extend the given PCR number in both sha256 and sha1 banks with the * sha512 hash calculated. The hash is truncated accordingly to fit the * PCR. */ - return tpm_extendl(pcr, - TPM_ALG_SHA256, digest, TPM_ALG_SHA256_SIZE, - TPM_ALG_SHA1, digest, TPM_ALG_SHA1_SIZE, - EV_COMPACT_HASH, name); + return tpm_extendl(pcr, TPM_ALG_SHA256, (uint8_t*) digest, + TPM_ALG_SHA1, (uint8_t*) digest, + EV_COMPACT_HASH, name, strlen(name)); } diff --git a/libstb/trustedboot.h b/libstb/trustedboot.h index 3b39ee3..934cea7 100644 --- a/libstb/trustedboot.h +++ b/libstb/trustedboot.h @@ -6,6 +6,27 @@ #include <platform.h> +typedef enum { + PCR_0 = 0, + PCR_1 = 1, + PCR_2 = 2, + PCR_3 = 3, + PCR_4 = 4, + PCR_5 = 5, + PCR_6 = 6, + PCR_7 = 7, + PCR_DEBUG = 16, + PCR_DRTM_17 = 17, + PCR_DRTM_18 = 18, + PCR_DRTM_19 = 19, + PCR_DRTM_20 = 20, + PCR_DRTM_21 = 21, + PCR_DRTM_22 = 22, + PLATFORM_PCR = 24, ///< The number of PCR required by the platform spec + IMPLEMENTATION_PCR = 24, ///< The number of PCRs implemented by TPM +} TPM_Pcr; + + void trustedboot_init(void); /** diff --git a/libstb/tss2/Makefile.inc b/libstb/tss2/Makefile.inc index 15514ae..3d023ce 100644 --- a/libstb/tss2/Makefile.inc +++ b/libstb/tss2/Makefile.inc @@ -14,8 +14,10 @@ CPPFLAGS += -I$(SRC)/$(IBMTSS_DIR) TSS2LIB_SRCS = tssprint.c tssprintcmd.c tssmarshal.c Unmarshal.c Commands.c TSS2LIB_SRCS += CommandAttributeData.c tssresponsecode.c tssccattributes.c +TSS2LIB_SRCS += tss.c tss20.c tssauth.c tssauth20.c tssproperties.c tssutils.c +TSS2LIB_SRCS += tsstransmit.c tssdevskiboot.c eventlib.c -TSS2_SRCS = $(addprefix ibmtpm20tss/utils/,$(TSS2LIB_SRCS)) +TSS2_SRCS = $(addprefix ibmtpm20tss/utils/,$(TSS2LIB_SRCS)) tssskiboot.c eventlog.c TSS2_OBJS = $(TSS2_SRCS:%.c=%.o) |