security/tpm: Fix TCPA log feature
Until now the TCPA log wasn't working correctly. * Refactor TCPA log code. * Add TCPA log dump fucntion. * Make TCPA log available in bootblock. * Fix TCPA log formatting. * Add x86 and Cavium memory for early log. Change-Id: Ic93133531b84318f48940d34bded48cbae739c44 Signed-off-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/29563 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Patrick Rudolph <siro@das-labor.org>
This commit is contained in:
parent
7a732b4781
commit
c9b7d1fb57
|
@ -0,0 +1,7 @@
|
|||
# Security
|
||||
|
||||
This section describes documentation about the security architecture of coreboot.
|
||||
|
||||
## Vendor
|
||||
|
||||
- [Measured Boot](vboot/measured_boot.md)
|
|
@ -1,6 +1,8 @@
|
|||
# Measured Boot
|
||||
coreboot measured boot is implemented as Google Verified Boot extension. This
|
||||
means in order to use it, vboot needs to be available for your platform.
|
||||
means in order to use it, vboot needs to be available for your platform. The
|
||||
goal of this implementation is to implement an easy to understand and
|
||||
transparent measured boot mechanism.
|
||||
|
||||
## IBB/CRTM
|
||||
The "Initial Boot Block" or "Core Root of Trust for Measurement" is the first
|
||||
|
@ -21,10 +23,85 @@ measured boot extension because of platform constraints.
|
|||
The "Static Root of Trust for Measurement" is the easiest way doing measurements
|
||||
by measuring code before it is loaded.
|
||||
|
||||
### Measurements
|
||||
SRTM mode measurements are done starting with the IBB as root of trust.
|
||||
Only CBFS contents are measured at the moment.
|
||||
|
||||
#### CBFS files (stages, blobs)
|
||||
* CBFS data is measured as raw data before decompression happens.
|
||||
* CBFS header is excluded from measurements.
|
||||
* Measurements are stored in PCR 2.
|
||||
|
||||
#### Runtime Data
|
||||
* CBFS data which changes by external input dynamically. Never stays the same.
|
||||
* It is identified by VBOOT_MEASURED_BOOT_RUNTIME_DATA kconfig option and
|
||||
measured into a different PCR 3 in order to avoid PCR pre-calculation issues.
|
||||
|
||||
![][srtm]
|
||||
|
||||
[srtm]: srtm.png
|
||||
|
||||
### TCPA eventlog
|
||||
coreboot makes use of its own TCPA log implementation. Normally the eventlog
|
||||
specification can be found via the TCG homepage:
|
||||
|
||||
[UEFI Specification](https://trustedcomputinggroup.org/resource/tcg-efi-platform-specification/)
|
||||
|
||||
[BIOS Specification](https://www.trustedcomputinggroup.org/wp-content/uploads/TCG_PCClientImplementation_1-21_1_00.pdf)
|
||||
|
||||
Both of them are not representing firmware measurements in a generalized way.
|
||||
Therefore we have to implement our own solution.
|
||||
|
||||
We decided to provide an easy to understand TCPA log which can be read out
|
||||
from the operating system and firmware itself.
|
||||
|
||||
#### Table Format
|
||||
The first column describes the PCR index used for measurement.
|
||||
The second column is the hash of the raw data. The third column contains
|
||||
the hash algorithm used in the operation. The last column provides
|
||||
information about what is measured. First the namespace from where the data
|
||||
came from, CBFS or FMAP, then the name used to look up the data
|
||||
(region or file name).
|
||||
|
||||
#### Example:
|
||||
```bash
|
||||
PCR-2 e8f2b57c9ec5ea06d1bbd3240a753974d4c3e7c8cd305c20a8ea26eed906dc89 SHA256 [FMAP: COREBOOT CBFS: bootblock]
|
||||
PCR-2 309a5fcb231d3a39127de2521792f332f9a69e05675ec52535d2dcded756dc19 SHA256 [FMAP: COREBOOT CBFS: fallback/verstage]
|
||||
PCR-2 0fbba07a833d4dcfc7024eaf313661a0ba8f80a05c6d29b8801c612e10e60dee SHA256 [FMAP: RO_VPD]
|
||||
PCR-2 431681113ed44cbf6f68a12c6e5687e901052f1d728a4777b2ad36e559962047 SHA256 [FMAP: GBB]
|
||||
PCR-2 f47a8ec3e9aff2318d896942282ad4fe37d6391c82914f54a5da8a37de1300c6 SHA256 [FMAP: SI_DESC]
|
||||
PCR-3 237f6f567f8597dbdff0a00690d34d21616af0dbe434b9a2d432b136c012765f SHA256 [FMAP: SI_ME]
|
||||
PCR-2 7d2c7ac4888bfd75cd5f56e8d61f69595121183afc81556c876732fd3782c62f SHA256 [FMAP: SI_GBE]
|
||||
PCR-0 62571891215b4efc1ceab744ce59dd0b66ea6f73 SHA1 [GBB flags]
|
||||
PCR-1 a66c8c2cda246d332d0c2025b6266e1e23c89410051002f46bfad1c9265f43d0 SHA256 [GBB HWID]
|
||||
PCR-2 ceca357524caf8fc73f5fa130f05a75293031962af884e18990d281eb259f5ff SHA256 [FMAP: FW_MAIN_B CBFS: fallback/romstage]
|
||||
PCR-2 548a097604e0a975de76f98b04c7f0b0ddec03883dd69179e47a784704a1c571 SHA256 [FMAP: FW_MAIN_B CBFS: fspm.bin]
|
||||
PCR-2 1e86b27008818244c221df2436b0113bd20a86ec6ec9d8259defe87f45d2f604 SHA256 [FMAP: FW_MAIN_B CBFS: spd2.bin]
|
||||
PCR-2 05d78005fcfc9edd4ca5625f11b1f49991d17bdb7cee33b72e722bc785db55ae SHA256 [FMAP: FW_MAIN_B CBFS: fallback/postcar]
|
||||
PCR-2 c13e95829af12a584046f1a6f3e1f6e4af691209324cfeeec573633399384141 SHA256 [FMAP: FW_MAIN_B CBFS: fallback/ramstage]
|
||||
PCR-2 a6ec2761b597abd252dba2a7237140ef4a5a8e0d47cad8afb65fa16314413401 SHA256 [FMAP: FW_MAIN_B CBFS: cpu_microcode_blob.bin]
|
||||
PCR-2 c81ffa40df0b6cd6cfde4f476d452a1f6f2217bc96a3b98a4fa4a037ee7039cf SHA256 [FMAP: FW_MAIN_B CBFS: fsps.bin]
|
||||
PCR-2 4e95f57bbf3c6627eb1c72be9c48df3aaa8e6da4f5f63d85e554cf6803505609 SHA256 [FMAP: FW_MAIN_B CBFS: vbt.bin]
|
||||
PCR-3 b7663f611ecf8637a59d72f623ae92a456c30377d4175e96021c85362f0323c8 SHA256 [FMAP: RW_NVRAM]
|
||||
PCR-2 178561f046e2adbc621b12b47d65be82756128e2a1fe5116b53ef3637da700e8 SHA256 [FMAP: FW_MAIN_B CBFS: fallback/dsdt.aml]
|
||||
PCR-2 091706f5fce3eb123dd9b96c15a9dcc459a694f5e5a86e7bf6064b819a8575c7 SHA256 [FMAP: FW_MAIN_B CBFS: fallback/payload]
|
||||
```
|
||||
|
||||
#### Dump TCPA eventlog in the OS:
|
||||
```bash
|
||||
cbmem -L
|
||||
```
|
||||
|
||||
#### Get CBFS file and print the hash
|
||||
```bash
|
||||
cbfstool coreboot.rom extract -r COREBOOT -n fallback/romstage -U -f /dev/stdout | sha256sum
|
||||
```
|
||||
|
||||
#### Get FMAP partition and print the hash
|
||||
```bash
|
||||
cbfstool coreboot.rom read -n SI_ME -f /dev/stdout | sha256sum
|
||||
```
|
||||
|
||||
## DRTM Mode
|
||||
The "Dynamic Root of Trust for Measurement" is realised by platform features
|
||||
like Intel TXT or Boot Guard. The features provide a way of loading a signed
|
||||
|
@ -42,17 +119,21 @@ PCR-7 are left empty.
|
|||
|
||||
### PCR-0
|
||||
_Hash:_ SHA1
|
||||
|
||||
_Description:_ Google VBoot GBB flags.
|
||||
|
||||
### PCR-1
|
||||
_Hash:_ SHA1/SHA256
|
||||
|
||||
_Description:_ Google VBoot GBB HWID.
|
||||
|
||||
### PCR-2
|
||||
_Hash:_ SHA1/SHA256
|
||||
|
||||
_Description:_ Core Root of Trust for Measurement which includes all stages,
|
||||
data and blobs.
|
||||
|
||||
### PCR-3
|
||||
_Hash:_ SHA1/SHA256
|
||||
|
||||
_Description:_ Runtime data like hwinfo.hex or MRC cache.
|
||||
|
|
|
@ -31,6 +31,10 @@
|
|||
#if IS_ENABLED(CONFIG_VBOOT_STARTS_IN_BOOTBLOCK)
|
||||
VBOOT2_WORK(., 16K)
|
||||
#endif
|
||||
/* Vboot measured boot TCPA log measurements.
|
||||
* Needs to be transferred until CBMEM is available
|
||||
*/
|
||||
VBOOT2_TPM_LOG(., 2K)
|
||||
/* Stack for CAR stages. Since it persists across all stages that
|
||||
* use CAR it can be reused. The chipset/SoC is expected to provide
|
||||
* the stack size. */
|
||||
|
|
|
@ -19,13 +19,15 @@
|
|||
#include <stdint.h>
|
||||
|
||||
#define MAX_TCPA_LOG_ENTRIES 50
|
||||
#define TCPA_LOG_STRING_LENGTH 512
|
||||
#define TCPA_FORMAT_HASH_LENGTH 128
|
||||
#define TCPA_DIGEST_MAX_LENGTH 64
|
||||
#define TCPA_PCR_HASH_NAME 256
|
||||
#define TCPA_PCR_HASH_NAME 50
|
||||
#define TCPA_PCR_HASH_LEN 10
|
||||
/* Assumption of 2K TCPA log size reserved for CAR/SRAM */
|
||||
#define MAX_PRERAM_TCPA_LOG_ENTRIES 15
|
||||
|
||||
struct tcpa_entry {
|
||||
uint32_t pcr;
|
||||
char digest_type[TCPA_PCR_HASH_LEN];
|
||||
uint8_t digest[TCPA_DIGEST_MAX_LENGTH];
|
||||
uint32_t digest_length;
|
||||
char name[TCPA_PCR_HASH_NAME];
|
||||
|
|
|
@ -164,6 +164,10 @@
|
|||
REGION(vboot2_work, addr, size, 16) \
|
||||
_ = ASSERT(size >= 12K, "vboot2 work buffer must be at least 12K!");
|
||||
|
||||
#define VBOOT2_TPM_LOG(addr, size) \
|
||||
REGION(vboot2_tpm_log, addr, size, 16) \
|
||||
_ = ASSERT(size >= 2K, "vboot2 tpm log buffer must be at least 2K!");
|
||||
|
||||
#if ENV_VERSTAGE
|
||||
#define VERSTAGE(addr, sz) \
|
||||
SYMBOL(verstage, addr) \
|
||||
|
|
|
@ -12,11 +12,16 @@ postcar-$(CONFIG_VBOOT) += tss/tcg-1.2/tss.c
|
|||
|
||||
## TSPI
|
||||
|
||||
ramstage-y += tspi/tspi.c tspi/log.c
|
||||
romstage-y += tspi/tspi.c tspi/log.c
|
||||
ramstage-y += tspi/tspi.c
|
||||
romstage-y += tspi/tspi.c
|
||||
|
||||
verstage-$(CONFIG_VBOOT) += tspi/tspi.c tspi/log.c
|
||||
postcar-$(CONFIG_VBOOT) += tspi/tspi.c tspi/log.c
|
||||
verstage-$(CONFIG_VBOOT) += tspi/tspi.c
|
||||
postcar-$(CONFIG_VBOOT) += tspi/tspi.c
|
||||
|
||||
ramstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
|
||||
romstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
|
||||
verstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
|
||||
postcar-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
|
||||
|
||||
endif # CONFIG_TPM1
|
||||
|
||||
|
@ -36,10 +41,15 @@ postcar-$(CONFIG_VBOOT) += tss/tcg-2.0/tss.c
|
|||
|
||||
## TSPI
|
||||
|
||||
ramstage-y += tspi/tspi.c tspi/log.c
|
||||
romstage-y += tspi/tspi.c tspi/log.c
|
||||
ramstage-y += tspi/tspi.c
|
||||
romstage-y += tspi/tspi.c
|
||||
|
||||
verstage-$(CONFIG_VBOOT) += tspi/tspi.c tspi/log.c
|
||||
postcar-$(CONFIG_VBOOT) += tspi/tspi.c tspi/log.c
|
||||
verstage-$(CONFIG_VBOOT) += tspi/tspi.c
|
||||
postcar-$(CONFIG_VBOOT) += tspi/tspi.c
|
||||
|
||||
ramstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
|
||||
romstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
|
||||
verstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
|
||||
postcar-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
|
||||
|
||||
endif # CONFIG_TPM2
|
||||
|
|
|
@ -21,26 +21,46 @@
|
|||
#include <security/tpm/tss.h>
|
||||
#include <commonlib/tcpa_log_serialized.h>
|
||||
#include <commonlib/region.h>
|
||||
#include <vb2_api.h>
|
||||
|
||||
#define TPM_PCR_MAX_LEN 64
|
||||
#define HASH_DATA_CHUNK_SIZE 1024
|
||||
#define TPM_PCR_MAX_LEN 64
|
||||
#define HASH_DATA_CHUNK_SIZE 1024
|
||||
|
||||
/**
|
||||
* Clears the pre-RAM tcpa log data and initializes
|
||||
* any content with default values
|
||||
*/
|
||||
void tcpa_preram_log_clear(void);
|
||||
|
||||
/**
|
||||
* Add table entry for cbmem TCPA log.
|
||||
* @param name Name of the hashed data
|
||||
* @param pcr PCR used to extend hashed data
|
||||
* @param diget_algo sets the digest algorithm
|
||||
* @param digest sets the hash extended into the tpm
|
||||
* @param digest_len the length of the digest
|
||||
*/
|
||||
void tcpa_log_add_table_entry(const char *name, const uint32_t pcr,
|
||||
enum vb2_hash_algorithm digest_algo,
|
||||
const uint8_t *digest,
|
||||
const size_t digest_length);
|
||||
const size_t digest_len);
|
||||
|
||||
/**
|
||||
* Dump TCPA log entries on console
|
||||
*/
|
||||
void tcpa_log_dump(void *unused);
|
||||
|
||||
/**
|
||||
* Ask vboot for a digest and extend a TPM PCR with it.
|
||||
* @param pcr sets the pcr index
|
||||
* @param diget_algo sets the digest algorithm
|
||||
* @param digest sets the hash to extend into the tpm
|
||||
* @param digest_len the length of the digest
|
||||
* @param name sets additional info where the digest comes from
|
||||
* @return TPM_SUCCESS on success. If not a tpm error is returned
|
||||
*/
|
||||
uint32_t tpm_extend_pcr(int pcr, uint8_t *digest, size_t digest_len,
|
||||
uint32_t tpm_extend_pcr(int pcr, enum vb2_hash_algorithm digest_algo,
|
||||
uint8_t *digest, size_t digest_len,
|
||||
const char *name);
|
||||
|
||||
/**
|
||||
|
|
|
@ -14,67 +14,162 @@
|
|||
*/
|
||||
|
||||
#include <string.h>
|
||||
#include <cbmem.h>
|
||||
#include <console/console.h>
|
||||
#include <security/tpm/tspi.h>
|
||||
#include <arch/early_variables.h>
|
||||
#include <fmap.h>
|
||||
#include <region_file.h>
|
||||
#include <string.h>
|
||||
#include <security/vboot/symbols.h>
|
||||
#include <cbmem.h>
|
||||
#include <bootstate.h>
|
||||
|
||||
static struct tcpa_table *tcpa_cbmem_init(void)
|
||||
{
|
||||
MAYBE_STATIC struct tcpa_table *tclt = NULL;
|
||||
if (tclt)
|
||||
return tclt;
|
||||
|
||||
if (cbmem_possibly_online()) {
|
||||
tclt = cbmem_find(CBMEM_ID_TCPA_LOG);
|
||||
if (!tclt) {
|
||||
size_t tcpa_log_len = sizeof(struct tcpa_table) +
|
||||
MAX_TCPA_LOG_ENTRIES * sizeof(struct tcpa_entry);
|
||||
tclt = cbmem_add(CBMEM_ID_TCPA_LOG, tcpa_log_len);
|
||||
if (tclt) {
|
||||
tclt->max_entries = MAX_TCPA_LOG_ENTRIES;
|
||||
tclt->num_entries = 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
return tclt;
|
||||
}
|
||||
|
||||
static struct tcpa_table *tcpa_log_init(void)
|
||||
{
|
||||
MAYBE_STATIC struct tcpa_table *tclt = NULL;
|
||||
|
||||
if (!cbmem_possibly_online())
|
||||
return NULL;
|
||||
|
||||
if (tclt != NULL)
|
||||
return tclt;
|
||||
|
||||
tclt = (struct tcpa_table *) cbmem_entry_find(CBMEM_ID_TCPA_LOG);
|
||||
if (tclt)
|
||||
return tclt;
|
||||
|
||||
tclt = cbmem_add(CBMEM_ID_TCPA_LOG,
|
||||
sizeof(struct tcpa_table) +
|
||||
MAX_TCPA_LOG_ENTRIES *
|
||||
sizeof(struct tcpa_entry));
|
||||
|
||||
if (!tclt) {
|
||||
printk(BIOS_ERR, "ERROR: Could not create TCPA log table\n");
|
||||
return NULL;
|
||||
/* We are dealing here with pre CBMEM environment.
|
||||
* If cbmem isn't available use CAR or SRAM */
|
||||
if (!cbmem_possibly_online() &&
|
||||
!IS_ENABLED(CONFIG_VBOOT_RETURN_FROM_VERSTAGE))
|
||||
return (struct tcpa_table *)_vboot2_tpm_log;
|
||||
else if (ENV_ROMSTAGE &&
|
||||
!IS_ENABLED(CONFIG_VBOOT_RETURN_FROM_VERSTAGE)) {
|
||||
tclt = tcpa_cbmem_init();
|
||||
if (!tclt)
|
||||
return (struct tcpa_table *)_vboot2_tpm_log;
|
||||
} else {
|
||||
tclt = tcpa_cbmem_init();
|
||||
}
|
||||
|
||||
tclt->max_entries = MAX_TCPA_LOG_ENTRIES;
|
||||
tclt->num_entries = 0;
|
||||
|
||||
printk(BIOS_DEBUG, "TCPA log created at %p\n", tclt);
|
||||
|
||||
return tclt;
|
||||
}
|
||||
|
||||
void tcpa_log_add_table_entry(const char *name, const uint32_t pcr,
|
||||
const uint8_t *digest, const size_t digest_length)
|
||||
void tcpa_log_dump(void *unused)
|
||||
{
|
||||
int i, j;
|
||||
struct tcpa_table *tclt;
|
||||
struct tcpa_entry *tce;
|
||||
|
||||
tclt = tcpa_log_init();
|
||||
|
||||
if (!tclt)
|
||||
return;
|
||||
|
||||
if (tclt->num_entries == tclt->max_entries) {
|
||||
printk(BIOS_WARNING, "ERROR: TCPA log table is full\n");
|
||||
printk(BIOS_INFO, "coreboot TCPA measurements:\n\n");
|
||||
for (i = 0; i < tclt->num_entries; i++) {
|
||||
struct tcpa_entry *tce = &tclt->entries[i];
|
||||
if (tce) {
|
||||
printk(BIOS_INFO, " PCR-%u ", tce->pcr);
|
||||
|
||||
for (j = 0; j < tce->digest_length; j++)
|
||||
printk(BIOS_INFO, "%02x", tce->digest[j]);
|
||||
|
||||
printk(BIOS_INFO, " %s [%s]\n",
|
||||
tce->digest_type, tce->name);
|
||||
}
|
||||
}
|
||||
printk(BIOS_INFO, "\n");
|
||||
}
|
||||
|
||||
void tcpa_log_add_table_entry(const char *name, const uint32_t pcr,
|
||||
enum vb2_hash_algorithm digest_algo,
|
||||
const uint8_t *digest,
|
||||
const size_t digest_len)
|
||||
{
|
||||
struct tcpa_table *tclt = tcpa_log_init();
|
||||
if (!tclt) {
|
||||
printk(BIOS_WARNING, "TCPA: Log non-existent!\n");
|
||||
return;
|
||||
}
|
||||
|
||||
tce = &tclt->entries[tclt->num_entries++];
|
||||
if (tclt->num_entries >= tclt->max_entries) {
|
||||
printk(BIOS_WARNING, "TCPA: TCPA log table is full\n");
|
||||
return;
|
||||
}
|
||||
|
||||
if (!name) {
|
||||
printk(BIOS_WARNING, "TCPA: TCPA entry name not set\n");
|
||||
return;
|
||||
}
|
||||
|
||||
struct tcpa_entry *tce = &tclt->entries[tclt->num_entries++];
|
||||
strncpy(tce->name, name, TCPA_PCR_HASH_NAME - 1);
|
||||
tce->pcr = pcr;
|
||||
|
||||
if (digest_length > TCPA_DIGEST_MAX_LENGTH) {
|
||||
printk(BIOS_WARNING, "ERROR: PCR digest too long for TCPA log entry\n");
|
||||
if (digest_len > TCPA_DIGEST_MAX_LENGTH) {
|
||||
printk(BIOS_WARNING, "TCPA: PCR digest too long for TCPA log entry\n");
|
||||
return;
|
||||
}
|
||||
memcpy(tce->digest, digest, digest_length);
|
||||
tce->digest_length = digest_length;
|
||||
|
||||
strncpy(tce->digest_type,
|
||||
vb2_get_hash_algorithm_name(digest_algo),
|
||||
TCPA_PCR_HASH_LEN - 1);
|
||||
tce->digest_length = digest_len;
|
||||
memcpy(tce->digest, digest, tce->digest_length);
|
||||
}
|
||||
|
||||
void tcpa_preram_log_clear(void)
|
||||
{
|
||||
printk(BIOS_INFO, "TCPA: Clearing coreboot TCPA log\n");
|
||||
struct tcpa_table *tclt = (struct tcpa_table *)_vboot2_tpm_log;
|
||||
tclt->max_entries = MAX_TCPA_LOG_ENTRIES;
|
||||
tclt->num_entries = 0;
|
||||
}
|
||||
|
||||
#if !IS_ENABLED(CONFIG_VBOOT_RETURN_FROM_VERSTAGE)
|
||||
static void recover_tcpa_log(int is_recovery)
|
||||
{
|
||||
struct tcpa_table *preram_log = (struct tcpa_table *)_vboot2_tpm_log;
|
||||
struct tcpa_table *ram_log = NULL;
|
||||
int i;
|
||||
|
||||
if (preram_log->num_entries > MAX_PRERAM_TCPA_LOG_ENTRIES) {
|
||||
printk(BIOS_WARNING, "TCPA: Pre-RAM TCPA log is too full, possible corruption\n");
|
||||
return;
|
||||
}
|
||||
|
||||
ram_log = tcpa_cbmem_init();
|
||||
if (!ram_log) {
|
||||
printk(BIOS_WARNING, "TCPA: CBMEM not available something went wrong\n");
|
||||
return;
|
||||
}
|
||||
|
||||
for (i = 0; i < preram_log->num_entries; i++) {
|
||||
struct tcpa_entry *tce = &ram_log->entries[ram_log->num_entries++];
|
||||
strncpy(tce->name, preram_log->entries[i].name, TCPA_PCR_HASH_NAME - 1);
|
||||
tce->pcr = preram_log->entries[i].pcr;
|
||||
|
||||
if (preram_log->entries[i].digest_length > TCPA_DIGEST_MAX_LENGTH) {
|
||||
printk(BIOS_WARNING, "TCPA: PCR digest too long for TCPA log entry\n");
|
||||
return;
|
||||
}
|
||||
|
||||
strncpy(tce->digest_type, preram_log->entries[i].digest_type, TCPA_PCR_HASH_LEN - 1);
|
||||
tce->digest_length = MIN(preram_log->entries[i].digest_length, TCPA_DIGEST_MAX_LENGTH);
|
||||
memcpy(tce->digest, preram_log->entries[i].digest, tce->digest_length);
|
||||
}
|
||||
}
|
||||
ROMSTAGE_CBMEM_INIT_HOOK(recover_tcpa_log);
|
||||
#endif
|
||||
|
||||
BOOT_STATE_INIT_ENTRY(BS_PAYLOAD_BOOT, BS_ON_ENTRY, tcpa_log_dump, NULL);
|
||||
|
|
|
@ -202,8 +202,8 @@ uint32_t tpm_clear_and_reenable(void)
|
|||
return TPM_SUCCESS;
|
||||
}
|
||||
|
||||
uint32_t tpm_extend_pcr(int pcr, uint8_t *digest,
|
||||
size_t digest_len, const char *name)
|
||||
uint32_t tpm_extend_pcr(int pcr, enum vb2_hash_algorithm digest_algo,
|
||||
uint8_t *digest, size_t digest_len, const char *name)
|
||||
{
|
||||
uint32_t result;
|
||||
|
||||
|
@ -214,6 +214,10 @@ uint32_t tpm_extend_pcr(int pcr, uint8_t *digest,
|
|||
if (result != TPM_SUCCESS)
|
||||
return result;
|
||||
|
||||
if (IS_ENABLED(CONFIG_VBOOT_MEASURED_BOOT))
|
||||
tcpa_log_add_table_entry(name, pcr, digest_algo,
|
||||
digest, digest_len);
|
||||
|
||||
return TPM_SUCCESS;
|
||||
}
|
||||
|
||||
|
@ -235,10 +239,11 @@ uint32_t tpm_measure_region(const struct region_device *rdev, uint8_t pcr,
|
|||
printk(BIOS_ERR, "TPM: Can't initialize library.\n");
|
||||
return result;
|
||||
}
|
||||
if (IS_ENABLED(CONFIG_TPM1))
|
||||
if (IS_ENABLED(CONFIG_TPM1)) {
|
||||
hash_alg = VB2_HASH_SHA1;
|
||||
else /* CONFIG_TPM2 */
|
||||
} else { /* CONFIG_TPM2 */
|
||||
hash_alg = VB2_HASH_SHA256;
|
||||
}
|
||||
|
||||
digest_len = vb2_digest_size(hash_alg);
|
||||
assert(digest_len <= sizeof(digest));
|
||||
|
@ -267,7 +272,7 @@ uint32_t tpm_measure_region(const struct region_device *rdev, uint8_t pcr,
|
|||
printk(BIOS_ERR, "TPM: Error finalizing hash.\n");
|
||||
return TPM_E_HASH_ERROR;
|
||||
}
|
||||
result = tpm_extend_pcr(pcr, digest, digest_len, rname);
|
||||
result = tpm_extend_pcr(pcr, hash_alg, digest, digest_len, rname);
|
||||
if (result != TPM_SUCCESS) {
|
||||
printk(BIOS_ERR, "TPM: Extending hash into PCR failed.\n");
|
||||
return result;
|
||||
|
|
|
@ -80,10 +80,11 @@ uint32_t vboot_extend_pcr(struct vb2_context *ctx, int pcr,
|
|||
|
||||
switch (which_digest) {
|
||||
case BOOT_MODE_PCR:
|
||||
return tpm_extend_pcr(pcr, buffer, size,
|
||||
return tpm_extend_pcr(pcr, VB2_HASH_SHA1, buffer, size,
|
||||
TPM_PCR_GBB_FLAGS_NAME);
|
||||
case HWID_DIGEST_PCR:
|
||||
return tpm_extend_pcr(pcr, buffer, size, TPM_PCR_GBB_HWID_NAME);
|
||||
return tpm_extend_pcr(pcr, VB2_HASH_SHA256, buffer,
|
||||
size, TPM_PCR_GBB_HWID_NAME);
|
||||
default:
|
||||
return VB2_ERROR_UNKNOWN;
|
||||
}
|
||||
|
|
|
@ -20,4 +20,6 @@
|
|||
|
||||
DECLARE_REGION(vboot2_work)
|
||||
|
||||
DECLARE_REGION(vboot2_tpm_log)
|
||||
|
||||
#endif /* __VBOOT_SYMBOLS_H__ */
|
||||
|
|
|
@ -18,6 +18,36 @@
|
|||
#include <security/vboot/vboot_crtm.h>
|
||||
#include <security/vboot/misc.h>
|
||||
|
||||
/*
|
||||
* This functions sets the TCPA log namespace
|
||||
* for the cbfs file (region) lookup.
|
||||
*/
|
||||
static int create_tcpa_metadata(const struct region_device *rdev,
|
||||
const char *cbfs_name, char log_string[TCPA_PCR_HASH_NAME])
|
||||
{
|
||||
int i;
|
||||
struct region_device fmap;
|
||||
const static char *fmap_cbfs_names[] = {
|
||||
"COREBOOT",
|
||||
"FW_MAIN_A",
|
||||
"FW_MAIN_B",
|
||||
"RW_LEGACY"};
|
||||
|
||||
for (i = 0; i < ARRAY_SIZE(fmap_cbfs_names); i++) {
|
||||
if (fmap_locate_area_as_rdev(fmap_cbfs_names[i], &fmap) == 0) {
|
||||
if (region_is_subregion(region_device_region(&fmap),
|
||||
region_device_region(rdev))) {
|
||||
snprintf(log_string, TCPA_PCR_HASH_NAME,
|
||||
"FMAP: %s CBFS: %s",
|
||||
fmap_cbfs_names[i], cbfs_name);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return -1;
|
||||
}
|
||||
|
||||
uint32_t vboot_init_crtm(void)
|
||||
{
|
||||
struct prog bootblock = PROG_INIT(PROG_BOOTBLOCK, "bootblock");
|
||||
|
@ -25,6 +55,10 @@ uint32_t vboot_init_crtm(void)
|
|||
PROG_INIT(PROG_VERSTAGE, CONFIG_CBFS_PREFIX "/verstage");
|
||||
struct prog romstage =
|
||||
PROG_INIT(PROG_ROMSTAGE, CONFIG_CBFS_PREFIX "/romstage");
|
||||
char tcpa_metadata[TCPA_PCR_HASH_NAME];
|
||||
|
||||
/* Initialize TCPE PRERAM log. */
|
||||
tcpa_preram_log_clear();
|
||||
|
||||
/* measure bootblock from RO */
|
||||
struct cbfsf bootblock_data;
|
||||
|
@ -32,16 +66,20 @@ uint32_t vboot_init_crtm(void)
|
|||
if (fmap_locate_area_as_rdev("BOOTBLOCK", &bootblock_fmap) == 0) {
|
||||
if (tpm_measure_region(&bootblock_fmap,
|
||||
TPM_CRTM_PCR,
|
||||
prog_name(&bootblock)))
|
||||
"FMAP: BOOTBLOCK"))
|
||||
return VB2_ERROR_UNKNOWN;
|
||||
} else {
|
||||
if (cbfs_boot_locate(&bootblock_data,
|
||||
prog_name(&bootblock), NULL) == 0) {
|
||||
cbfs_file_data(prog_rdev(&bootblock), &bootblock_data);
|
||||
|
||||
if (create_tcpa_metadata(prog_rdev(&bootblock),
|
||||
prog_name(&bootblock), tcpa_metadata) < 0)
|
||||
return VB2_ERROR_UNKNOWN;
|
||||
|
||||
if (tpm_measure_region(prog_rdev(&bootblock),
|
||||
TPM_CRTM_PCR,
|
||||
prog_name(&bootblock)))
|
||||
TPM_CRTM_PCR,
|
||||
tcpa_metadata))
|
||||
return VB2_ERROR_UNKNOWN;
|
||||
} else {
|
||||
printk(BIOS_INFO,
|
||||
|
@ -57,9 +95,13 @@ uint32_t vboot_init_crtm(void)
|
|||
prog_name(&romstage), NULL) == 0) {
|
||||
cbfs_file_data(prog_rdev(&romstage), &romstage_data);
|
||||
|
||||
if (create_tcpa_metadata(prog_rdev(&romstage),
|
||||
prog_name(&romstage), tcpa_metadata) < 0)
|
||||
return VB2_ERROR_UNKNOWN;
|
||||
|
||||
if (tpm_measure_region(prog_rdev(&romstage),
|
||||
TPM_CRTM_PCR,
|
||||
CONFIG_CBFS_PREFIX "/romstage"))
|
||||
TPM_CRTM_PCR,
|
||||
tcpa_metadata))
|
||||
return VB2_ERROR_UNKNOWN;
|
||||
} else {
|
||||
printk(BIOS_INFO,
|
||||
|
@ -76,9 +118,13 @@ uint32_t vboot_init_crtm(void)
|
|||
prog_name(&verstage), NULL) == 0) {
|
||||
cbfs_file_data(prog_rdev(&verstage), &verstage_data);
|
||||
|
||||
if (create_tcpa_metadata(prog_rdev(&verstage),
|
||||
prog_name(&verstage), tcpa_metadata) < 0)
|
||||
return VB2_ERROR_UNKNOWN;
|
||||
|
||||
if (tpm_measure_region(prog_rdev(&verstage),
|
||||
TPM_CRTM_PCR,
|
||||
CONFIG_CBFS_PREFIX "/verstage"))
|
||||
TPM_CRTM_PCR,
|
||||
tcpa_metadata))
|
||||
return VB2_ERROR_UNKNOWN;
|
||||
} else {
|
||||
printk(BIOS_INFO,
|
||||
|
@ -114,6 +160,7 @@ uint32_t vboot_measure_cbfs_hook(struct cbfsf *fh, const char *name)
|
|||
uint32_t pcr_index;
|
||||
uint32_t cbfs_type;
|
||||
struct region_device rdev;
|
||||
char tcpa_metadata[TCPA_PCR_HASH_NAME];
|
||||
|
||||
if (!vb2_logic_executed())
|
||||
return 0;
|
||||
|
@ -139,6 +186,8 @@ uint32_t vboot_measure_cbfs_hook(struct cbfsf *fh, const char *name)
|
|||
break;
|
||||
}
|
||||
|
||||
return tpm_measure_region(&rdev, pcr_index,
|
||||
name);
|
||||
if (create_tcpa_metadata(&rdev, name, tcpa_metadata) < 0)
|
||||
return VB2_ERROR_UNKNOWN;
|
||||
|
||||
return tpm_measure_region(&rdev, pcr_index, tcpa_metadata);
|
||||
}
|
||||
|
|
|
@ -35,7 +35,8 @@ SECTIONS
|
|||
PRERAM_CBMEM_CONSOLE(BOOTROM_OFFSET + 0x8000, 8K)
|
||||
BOOTBLOCK(BOOTROM_OFFSET + 0x20000, 64K)
|
||||
VBOOT2_WORK(BOOTROM_OFFSET + 0x30000, 12K)
|
||||
VERSTAGE(BOOTROM_OFFSET + 0x33000, 52K)
|
||||
VBOOT2_TPM_LOG(BOOTROM_OFFSET + 0x33000, 2K)
|
||||
VERSTAGE(BOOTROM_OFFSET + 0x33800, 50K)
|
||||
ROMSTAGE(BOOTROM_OFFSET + 0x40000, 256K)
|
||||
|
||||
SRAM_END(BOOTROM_OFFSET + 0x80000)
|
||||
|
|
|
@ -46,7 +46,8 @@ SECTIONS
|
|||
REGION(gram_bootblock, 0x1a000000, 28K, 1)
|
||||
ROMSTAGE(0x1a007000, 60K)
|
||||
VBOOT2_WORK(0x1a016000, 12K)
|
||||
PRERAM_CBFS_CACHE(0x1a019000, 48K)
|
||||
VBOOT2_TPM_LOG(0x1a019000, 2K)
|
||||
PRERAM_CBFS_CACHE(0x1a019800, 46K)
|
||||
SRAM_END(0x1a066000)
|
||||
|
||||
/* Bootblock executes out of KSEG0 and sets up the identity mapping.
|
||||
|
|
|
@ -39,7 +39,8 @@ SECTIONS
|
|||
|
||||
SRAM_START(0x00100000)
|
||||
VBOOT2_WORK(0x00100000, 12K)
|
||||
PRERAM_CBMEM_CONSOLE(0x00103000, 16K)
|
||||
VBOOT2_TPM_LOG(0x00103000, 2K)
|
||||
PRERAM_CBMEM_CONSOLE(0x00103800, 14K)
|
||||
WATCHDOG_TOMBSTONE(0x00107000, 4)
|
||||
PRERAM_CBFS_CACHE(0x00107004, 16K - 4)
|
||||
TIMESTAMP(0x0010B000, 4K)
|
||||
|
|
|
@ -29,7 +29,8 @@ SECTIONS
|
|||
{
|
||||
SRAM_START(0x00100000)
|
||||
VBOOT2_WORK(0x00100000, 12K)
|
||||
PRERAM_CBMEM_CONSOLE(0x00103000, 16K)
|
||||
VBOOT2_TPM_LOG(0x00103000, 2K)
|
||||
PRERAM_CBMEM_CONSOLE(0x00103800, 14K)
|
||||
WATCHDOG_TOMBSTONE(0x00107000, 4)
|
||||
PRERAM_CBFS_CACHE(0x00107004, 16K - 4)
|
||||
TIMESTAMP(0x0010B000, 4K)
|
||||
|
|
|
@ -27,9 +27,10 @@ SECTIONS
|
|||
{
|
||||
SRAM_START(0x40000000)
|
||||
TTB(0x40000000, 16K + 32)
|
||||
PRERAM_CBMEM_CONSOLE(0x40004020, 8K - 32)
|
||||
PRERAM_CBFS_CACHE(0x40006000, 16K)
|
||||
VBOOT2_WORK(0x4000A000, 16K)
|
||||
PRERAM_CBMEM_CONSOLE(0x40004020, 6K - 32)
|
||||
PRERAM_CBFS_CACHE(0x40005800, 16K)
|
||||
VBOOT2_WORK(0x40009800, 16K)
|
||||
VBOOT2_TPM_LOG(0x4000D800, 2K)
|
||||
STACK(0x4000E000, 8K)
|
||||
BOOTBLOCK(0x40010000, 30K)
|
||||
VERSTAGE(0x40017800, 72K)
|
||||
|
|
|
@ -28,18 +28,19 @@
|
|||
SECTIONS
|
||||
{
|
||||
SRAM_START(0x40000000)
|
||||
PRERAM_CBMEM_CONSOLE(0x40000000, 4K)
|
||||
PRERAM_CBFS_CACHE(0x40001000, 36K)
|
||||
VBOOT2_WORK(0x4000A000, 12K)
|
||||
PRERAM_CBMEM_CONSOLE(0x40000000, 2K)
|
||||
PRERAM_CBFS_CACHE(0x40000800, 32K)
|
||||
VBOOT2_WORK(0x40008800, 12K)
|
||||
VBOOT2_TPM_LOG(0x4000B800, 2K)
|
||||
#if ENV_ARM64
|
||||
STACK(0x4000D000, 3K)
|
||||
STACK(0x4000C000, 3K)
|
||||
#else /* AVP gets a separate stack to avoid any chance of handoff races. */
|
||||
STACK(0x4000DC00, 3K)
|
||||
STACK(0x4000CC00, 3K)
|
||||
#endif
|
||||
TIMESTAMP(0x4000E800, 2K)
|
||||
BOOTBLOCK(0x4000F000, 28K)
|
||||
VERSTAGE(0x40016000, 64K)
|
||||
ROMSTAGE(0x40026000, 104K)
|
||||
TIMESTAMP(0x4000D800, 2K)
|
||||
BOOTBLOCK(0x4000E000, 28K)
|
||||
VERSTAGE(0x40015000, 66K)
|
||||
ROMSTAGE(0x40025800, 106K)
|
||||
SRAM_END(0x40040000)
|
||||
|
||||
DRAM_START(0x80000000)
|
||||
|
|
|
@ -31,7 +31,8 @@ SECTIONS
|
|||
ROMSTAGE(0x2030000, 128K)
|
||||
/* 32K hole */
|
||||
TTB(0x2058000, 16K)
|
||||
PRERAM_CBFS_CACHE(0x205C000, 80K)
|
||||
PRERAM_CBFS_CACHE(0x205C000, 78K)
|
||||
VBOOT2_TPM_LOG(0x206F800, 2K)
|
||||
VBOOT2_WORK(0x2070000, 16K)
|
||||
STACK(0x2074000, 16K)
|
||||
SRAM_END(0x2078000)
|
||||
|
|
|
@ -690,8 +690,6 @@ static void dump_tcpa_log(void)
|
|||
const struct tcpa_table *tclt_p;
|
||||
size_t size;
|
||||
struct mapping tcpa_mapping;
|
||||
char log_string[TCPA_LOG_STRING_LENGTH];
|
||||
char hash[TCPA_FORMAT_HASH_LENGTH];
|
||||
|
||||
if (tcpa_log.tag != LB_TAG_TCPA_LOG) {
|
||||
fprintf(stderr, "No tcpa log found in coreboot table.\n");
|
||||
|
@ -716,13 +714,12 @@ static void dump_tcpa_log(void)
|
|||
for (i = 0; i < tclt_p->num_entries; i++) {
|
||||
const struct tcpa_entry *tce = &tclt_p->entries[i];
|
||||
|
||||
memset(log_string, 0, TCPA_LOG_STRING_LENGTH);
|
||||
for (j = 0; j < tce->digest_length; j++)
|
||||
sprintf((char *)&(hash[j * 2]), "%02x", tce->digest[j]);
|
||||
printf(" PCR-%u ", tce->pcr);
|
||||
|
||||
snprintf(log_string, TCPA_LOG_STRING_LENGTH, "%u %s 00 [%s]\n",
|
||||
tce->pcr, hash, tce->name);
|
||||
printf("%s", log_string);
|
||||
for (j = 0; j < tce->digest_length; j++)
|
||||
printf("%02x", tce->digest[j]);
|
||||
|
||||
printf(" %s [%s]\n", tce->digest_type, tce->name);
|
||||
}
|
||||
|
||||
unmap_memory(&tcpa_mapping);
|
||||
|
|
Loading…
Reference in New Issue