1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
|
// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
/* Copyright 2013-2019 IBM Corp. */
#ifndef pr_fmt
#define pr_fmt(fmt) "STB: " fmt
#endif
#include <skiboot.h>
#include <device.h>
#include <nvram.h>
#include <opal-api.h>
#include "secureboot.h"
#include "trustedboot.h"
#include "tpm_chip.h"
#include "ibmtss/TPM_Types.h"
/* For debugging only */
//#define STB_DEBUG
static bool trusted_mode = false;
static bool trusted_init = false;
static bool boot_services_exited = false;
/*
* Partitions retrieved from PNOR must be extended to the proper PCR and
* recorded in the event log. Later, customers may use: the PCR values to attest
* the boot security, and the event log to inspect what measurements were
* extended to the PCRs.
*
* The list below should map every skiboot event (or resource) to a PCR
* following the TCG PC Client Platform Firmware Profile specification,
* Family 2.0, Level 00, Revision 1.03 v51.
*
* Convention for skiboot events:
* - Events that represents data should be extended to PCR 4.
* - Events that represents config should be extended to PCR 5.
* - For the lack of an event type that fits the specific purpose,
* both data and config events should be logged as EV_COMPACT_HASH.
*/
static struct {
enum resource_id id;
TPMI_DH_PCR pcr;
} resources[] = {
{ RESOURCE_ID_IMA_CATALOG, PCR_4},
{ RESOURCE_ID_KERNEL, PCR_4},
{ RESOURCE_ID_CAPP, PCR_4},
{ RESOURCE_ID_VERSION, PCR_4}, /* Also data for Hostboot */
};
/*
* Event Separator - digest of 0xFFFFFFFF
*/
static struct {
const unsigned char *event;
const unsigned char *sha1;
const unsigned char *sha256;
} ev_separator = {
.event = "\xff\xff\xff\xff",
.sha1 = "\xd9\xbe\x65\x24\xa5\xf5\x04\x7d\xb5\x86"
"\x68\x13\xac\xf3\x27\x78\x92\xa7\xa3\x0a",
.sha256 = "\xad\x95\x13\x1b\xc0\xb7\x99\xc0\xb1\xaf"
"\x47\x7f\xb1\x4f\xcf\x26\xa6\xa9\xf7\x60"
"\x79\xe4\x8b\xf0\x90\xac\xb7\xe8\x36\x7b"
"\xfd\x0e"
};
static TPM_Pcr map_pcr(enum resource_id id)
{
int i;
for (i = 0; i < ARRAY_SIZE(resources); i++) {
if (resources[i].id == id)
return resources[i].pcr;
}
return -1;
}
void trustedboot_init(void)
{
struct dt_node *node;
node = dt_find_by_path(dt_root, "/ibm,secureboot");
if (!node) {
prlog(PR_NOTICE, "trusted boot not supported\n");
return;
}
if (!secureboot_is_compatible(node, NULL, NULL)) {
/**
* @fwts-label TrustedBootNotCompatible
* @fwts-advice Compatible trustedboot driver not found. Probably,
* hostboot/mambo/skiboot has updated the
* /ibm,secureboot/compatible without adding a driver that
* supports it.
*/
prlog(PR_ERR, "trustedboot init FAILED, '%s' node not "
"compatible.\n", node->name);
return;
}
if (nvram_query_eq_dangerous("force-trusted-mode", "true")) {
trusted_mode = true;
prlog(PR_NOTICE, "trusted mode on (FORCED by nvram)\n");
} else {
trusted_mode = dt_has_node_property(node, "trusted-enabled", NULL);
prlog(PR_INFO, "trusted mode %s\n",
trusted_mode ? "on" : "off");
}
if (!trusted_mode)
return;
cvc_init();
tpm_init();
trusted_init = true;
boot_services_exited = false;
}
int trustedboot_exit_boot_services(void)
{
uint32_t pcr;
int rc = 0;
bool failed = false;
if (!trusted_mode)
goto out_free;
if (boot_services_exited) {
prlog(PR_WARNING, "Trusted boot services exited before.\n");
goto out_free;
}
boot_services_exited = true;
#ifdef STB_DEBUG
prlog(PR_NOTICE, "ev_separator.event: %s\n", ev_separator.event);
prlog(PR_NOTICE, "ev_separator.sha1:\n");
stb_print_data((uint8_t*) ev_separator.sha1, SHA1_DIGEST_SIZE);
prlog(PR_NOTICE, "ev_separator.sha256:\n");
stb_print_data((uint8_t*) ev_separator.sha256, SHA256_DIGEST_SIZE);
#endif
/*
* Extend the digest of 0xFFFFFFFF to PCR[0-7] and record it as
* EV_SEPARATOR
*/
for (pcr = 0; pcr < 8; pcr++) {
rc = tpm_extendl(pcr,
TPM_ALG_SHA256, (uint8_t*) ev_separator.sha256,
TPM_ALG_SHA1, (uint8_t*) ev_separator.sha1,
EV_SEPARATOR, ev_separator.event,
strlen(ev_separator.event));
if (rc)
failed = true;
}
tpm_add_status_property();
tss_set_platform_auth();
out_free:
tpm_cleanup();
return (failed) ? -1 : 0;
}
int trustedboot_measure(enum resource_id id, void *buf, size_t len)
{
uint8_t digest[SHA512_DIGEST_LENGTH];
void *buf_aux;
size_t len_aux;
const char *name;
TPMI_DH_PCR pcr;
int rc = -1;
if (!trusted_mode)
return 1;
name = flash_map_resource_name(id);
if (!name) {
/**
* @fwts-label ResourceNotMeasuredUnknown
* @fwts-advice This is a bug in the trustedboot_measure()
* caller, which is passing an unknown resource_id.
*/
prlog(PR_ERR, "resource NOT MEASURED, resource_id=%d unknown\n", id);
return -1;
}
if (!trusted_init) {
prlog(PR_ERR, "resource NOT MEASURED, resource_id=%d "
"trustedboot not yet initialized\n", id);
return -1;
}
if (boot_services_exited) {
prlog(PR_ERR, "%s NOT MEASURED. Already exited from boot "
"services\n", name);
return -1;
}
pcr = map_pcr(id);
if (pcr == -1) {
/**
* @fwts-label ResourceNotMappedToPCR
* @fwts-advice This is a bug. The resource cannot be measured
* because it is not mapped to a PCR in the resources[] array.
*/
prlog(PR_ERR, "%s NOT MEASURED, it's not mapped to a PCR\n", name);
return -1;
}
if (!buf) {
/**
* @fwts-label ResourceNotMeasuredNull
* @fwts-advice This is a bug. The trustedboot_measure() caller
* provided a NULL container.
*/
prlog(PR_ERR, "%s NOT MEASURED, it's null\n", name);
return -1;
}
if (stb_is_container(buf, len)) {
buf_aux = buf + SECURE_BOOT_HEADERS_SIZE;
len_aux = len - SECURE_BOOT_HEADERS_SIZE;
} else {
buf_aux = buf;
len_aux = len;
}
rc = call_cvc_sha512(buf_aux, len_aux, digest, SHA512_DIGEST_LENGTH);
if (rc == OPAL_SUCCESS) {
prlog(PR_NOTICE, "%s hash calculated\n", name);
} else if (rc == OPAL_PARAMETER) {
prlog(PR_ERR, "%s NOT MEASURED, invalid param. buf=%p, "
"len=%zd, digest=%p\n", name, buf_aux,
len_aux, digest);
return -1;
} else if (rc == OPAL_UNSUPPORTED) {
prlog(PR_ERR, "%s NOT MEASURED, CVC-sha512 service not "
"supported\n", name);
return -1;
} else {
prlog(PR_ERR, "%s NOT MEASURED, unknown CVC-sha512 error. "
"rc=%d\n", name, rc);
return -1;
}
#ifdef STB_DEBUG
stb_print_data(digest, SHA256_DIGEST_SIZE);
#endif
/*
* Extend the given PCR number in both sha256 and sha1 banks with the
* sha512 hash calculated. The hash is truncated accordingly to fit the
* PCR.
*/
return tpm_extendl(pcr, TPM_ALG_SHA256, (uint8_t*) digest,
TPM_ALG_SHA1, (uint8_t*) digest,
EV_COMPACT_HASH, name, strlen(name));
}
|
