security/tpm: Add TCPA logging functionality
* TCG spec only applies to BIOS or UEFI. * Therefore implement coreboot TCPA compliant log in CBMEM. * Write CBMEM log into the coreboot table for CBMEM tool access Change-Id: I0a52494f647d21e2587231af26ed13d62b3a72f5 Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org> Reviewed-on: https://review.coreboot.org/22867 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Patrick Rudolph <siro@das-labor.org>
parent
ef8c559e53
commit
f18dc5c72c
|
@ -64,6 +64,7 @@
|
||||||
#define CBMEM_ID_STAGEx_RAW 0x57a9e200
|
#define CBMEM_ID_STAGEx_RAW 0x57a9e200
|
||||||
#define CBMEM_ID_STORAGE_DATA 0x53746f72
|
#define CBMEM_ID_STORAGE_DATA 0x53746f72
|
||||||
#define CBMEM_ID_TCPA_LOG 0x54435041
|
#define CBMEM_ID_TCPA_LOG 0x54435041
|
||||||
|
#define CBMEM_ID_TCPA_COMPLIANT_LOG 0x54445041
|
||||||
#define CBMEM_ID_TIMESTAMP 0x54494d45
|
#define CBMEM_ID_TIMESTAMP 0x54494d45
|
||||||
#define CBMEM_ID_VBOOT_HANDOFF 0x780074f0
|
#define CBMEM_ID_VBOOT_HANDOFF 0x780074f0
|
||||||
#define CBMEM_ID_VBOOT_SEL_REG 0x780074f1
|
#define CBMEM_ID_VBOOT_SEL_REG 0x780074f1
|
||||||
|
@ -120,6 +121,7 @@
|
||||||
{ CBMEM_ID_SMM_SAVE_SPACE, "SMM BACKUP " }, \
|
{ CBMEM_ID_SMM_SAVE_SPACE, "SMM BACKUP " }, \
|
||||||
{ CBMEM_ID_STORAGE_DATA, "SD/MMC/eMMC" }, \
|
{ CBMEM_ID_STORAGE_DATA, "SD/MMC/eMMC" }, \
|
||||||
{ CBMEM_ID_TCPA_LOG, "TCPA LOG " }, \
|
{ CBMEM_ID_TCPA_LOG, "TCPA LOG " }, \
|
||||||
|
{ CBMEM_ID_TCPA_COMPLIANT_LOG, "TCPA COMPLIANT LOG " }, \
|
||||||
{ CBMEM_ID_TIMESTAMP, "TIME STAMP " }, \
|
{ CBMEM_ID_TIMESTAMP, "TIME STAMP " }, \
|
||||||
{ CBMEM_ID_VBOOT_HANDOFF, "VBOOT " }, \
|
{ CBMEM_ID_VBOOT_HANDOFF, "VBOOT " }, \
|
||||||
{ CBMEM_ID_VBOOT_SEL_REG, "VBOOT SEL " }, \
|
{ CBMEM_ID_VBOOT_SEL_REG, "VBOOT SEL " }, \
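Review bot: `CBMEM_ID_TCPA_COMPLIANT_LOG` and its name-table row are added here, but nothing visible in this commit uses them. The new `tspi/log.c` allocates and looks up its table under the existing `CBMEM_ID_TCPA_LOG` in both `tcpa_log_init()` and `tcpa_log_add_table_entry()`. If `CBMEM_ID_TCPA_LOG` is also used elsewhere for a differently laid-out log area (not visible on this page), the early return on `cbmem_entry_find(CBMEM_ID_TCPA_LOG)` would leave the coreboot-format table uncreated, and later adds would write `struct tcpa_table` fields into that foreign region. Either switch log.c to the new ID or add a comment next to the define saying which producer owns each ID.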
|
||||||
|
|
|
@ -0,0 +1,41 @@
|
||||||
|
/*
|
||||||
|
* This file is part of the coreboot project.
|
||||||
|
*
|
||||||
|
* Copyright (C) 2018 Facebook Inc.
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or modify
|
||||||
|
* it under the terms of the GNU General Public License as published by
|
||||||
|
* the Free Software Foundation; version 2 of the License.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
* GNU General Public License for more details.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#ifndef __TCPA_LOG_SERIALIZED_H__
|
||||||
|
#define __TCPA_LOG_SERIALIZED_H__
|
||||||
|
|
||||||
|
#include <compiler.h>
|
||||||
|
#include <stdint.h>
|
||||||
|
|
||||||
|
#define MAX_TCPA_LOG_ENTRIES 50
|
||||||
|
#define TCPA_LOG_STRING_LENGTH 512
|
||||||
|
#define TCPA_FORMAT_HASH_LENGTH 128
|
||||||
|
#define TCPA_DIGEST_MAX_LENGTH 64
|
||||||
|
#define TCPA_PCR_HASH_NAME 256
|
||||||
|
|
||||||
|
struct tcpa_entry {
|
||||||
|
uint32_t pcr;
|
||||||
|
uint8_t digest[TCPA_DIGEST_MAX_LENGTH];
|
||||||
|
uint32_t digest_length;
|
||||||
|
uint8_t name[TCPA_PCR_HASH_NAME];
|
||||||
|
} __packed;
|
||||||
|
|
||||||
|
struct tcpa_table {
|
||||||
|
uint16_t max_entries;
|
||||||
|
uint16_t num_entries;
|
||||||
|
struct tcpa_entry entries[0]; /* Variable number of entries */
|
||||||
|
} __packed;
|
||||||
|
|
||||||
|
#endif
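Review bot: `struct tcpa_entry` stores `digest_length` as an unconstrained `uint32_t` next to a fixed `digest[TCPA_DIGEST_MAX_LENGTH]`, and `struct tcpa_table` carries `num_entries`/`max_entries`, but the header never states the invariants a reader of this serialized layout has to enforce. Because the table is exported for the CBMEM tool, I would add a comment above the structs such as `/* Consumers must reject digest_length > TCPA_DIGEST_MAX_LENGTH and num_entries > max_entries before indexing. */`, and say whether `name` is NUL-terminated. `entries[0]` is the GNU zero-length form; the C99 flexible array member `entries[]` gives the same layout. `TCPA_LOG_STRING_LENGTH` and `TCPA_FORMAT_HASH_LENGTH` are not used by anything visible in this commit.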
|
|
@ -30,6 +30,9 @@ static void init_tpm_dev(void *unused)
|
||||||
#else
|
#else
|
||||||
tpm_setup(false);
|
tpm_setup(false);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
// TCPA cbmem log
|
||||||
|
tcpa_log_init();
|
||||||
}
|
}
|
||||||
|
|
||||||
BOOT_STATE_INIT_ENTRY(BS_DEV_INIT, BS_ON_ENTRY, init_tpm_dev, NULL);
|
BOOT_STATE_INIT_ENTRY(BS_DEV_INIT, BS_ON_ENTRY, init_tpm_dev, NULL);
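Review bot: `tcpa_log_init()` is only called here, at the end of `init_tpm_dev` and after `tpm_setup()` has already run, so until this point `tcpa_log_add_table_entry()` returns -1 with "No TCPA log table found" and the measurement is not recorded. The Makefile hunks also build `tspi/log.c` into romstage, verstage and postcar, but no init call for those stages is visible in this commit, so extends performed there would presumably be missing from the log while still being reflected in the PCRs. A log that silently omits events cannot be replayed against the PCR values by a verifier. If this is intended for now, say so in a comment, e.g. `/* Log is created in ramstage only; earlier extends are not recorded. */`; otherwise create the log before `tpm_setup()` and in the earlier stages. The body of `init_tpm_dev` starts outside the hunk.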
|
||||||
|
|
|
@ -12,11 +12,11 @@ postcar-$(CONFIG_VBOOT) += tss/tcg-1.2/tss.c
|
||||||
|
|
||||||
## TSPI
|
## TSPI
|
||||||
|
|
||||||
ramstage-y += tspi/tspi.c
|
ramstage-y += tspi/tspi.c tspi/log.c
|
||||||
romstage-y += tspi/tspi.c
|
romstage-y += tspi/tspi.c tspi/log.c
|
||||||
|
|
||||||
verstage-$(CONFIG_VBOOT) += tspi/tspi.c
|
verstage-$(CONFIG_VBOOT) += tspi/tspi.c tspi/log.c
|
||||||
postcar-$(CONFIG_VBOOT) += tspi/tspi.c
|
postcar-$(CONFIG_VBOOT) += tspi/tspi.c tspi/log.c
|
||||||
|
|
||||||
endif # CONFIG_TPM1
|
endif # CONFIG_TPM1
|
||||||
|
|
||||||
|
@ -36,10 +36,10 @@ postcar-$(CONFIG_VBOOT) += tss/tcg-2.0/tss.c
|
||||||
|
|
||||||
## TSPI
|
## TSPI
|
||||||
|
|
||||||
ramstage-y += tspi/tspi.c
|
ramstage-y += tspi/tspi.c tspi/log.c
|
||||||
romstage-y += tspi/tspi.c
|
romstage-y += tspi/tspi.c tspi/log.c
|
||||||
|
|
||||||
verstage-$(CONFIG_VBOOT) += tspi/tspi.c
|
verstage-$(CONFIG_VBOOT) += tspi/tspi.c tspi/log.c
|
||||||
postcar-$(CONFIG_VBOOT) += tspi/tspi.c
|
postcar-$(CONFIG_VBOOT) += tspi/tspi.c tspi/log.c
|
||||||
|
|
||||||
endif # CONFIG_TPM2
|
endif # CONFIG_TPM2
|
||||||
|
|
|
@ -18,6 +18,18 @@
|
||||||
#define TSPI_H_
|
#define TSPI_H_
|
||||||
|
|
||||||
#include <security/tpm/tss.h>
|
#include <security/tpm/tss.h>
|
||||||
|
#include <commonlib/tcpa_log_serialized.h>
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Setup TCPA cbmem log.
|
||||||
|
*/
|
||||||
|
void tcpa_log_init(void);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Add table entry for cbmem TCPA log.
|
||||||
|
*/
|
||||||
|
int tcpa_log_add_table_entry(const char *name, const uint32_t pcr,
|
||||||
|
const uint8_t *digest, const size_t digest_length);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Ask vboot for a digest and extend a TPM PCR with it.
|
* Ask vboot for a digest and extend a TPM PCR with it.
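Review bot: The new doc comments on `tcpa_log_init` and `tcpa_log_add_table_entry` do not describe the contract callers have to meet. For `tcpa_log_add_table_entry` I would document `@return 0 on success, -1 if CBMEM is not available, the table is missing or the table is full`, which is what the implementation in `tspi/log.c` returns, and state what `name` and `digest_length` are expected to be. The prototype also uses `size_t`; unless `security/tpm/tss.h` already provides it (not visible here), add `#include <stddef.h>`.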
|
||||||
|
|
|
@ -0,0 +1,75 @@
|
||||||
|
/*
|
||||||
|
* This file is part of the coreboot project.
|
||||||
|
*
|
||||||
|
* Copyright 2018 Facebook Inc.
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or modify
|
||||||
|
* it under the terms of the GNU General Public License as published by
|
||||||
|
* the Free Software Foundation; version 2 of the License.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
* GNU General Public License for more details.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include <string.h>
|
||||||
|
#include <cbmem.h>
|
||||||
|
#include <console/console.h>
|
||||||
|
#include <security/tpm/tspi.h>
|
||||||
|
|
||||||
|
void tcpa_log_init(void)
|
||||||
|
{
|
||||||
|
const struct cbmem_entry *ce;
|
||||||
|
struct tcpa_table *tclt;
|
||||||
|
|
||||||
|
if (!cbmem_possibly_online())
|
||||||
|
return;
|
||||||
|
|
||||||
|
ce = cbmem_entry_find(CBMEM_ID_TCPA_LOG);
|
||||||
|
if (ce)
|
||||||
|
return;
|
||||||
|
|
||||||
|
tclt = cbmem_add(CBMEM_ID_TCPA_LOG,
|
||||||
|
sizeof(struct tcpa_table) +
|
||||||
|
MAX_TCPA_LOG_ENTRIES *
|
||||||
|
sizeof(struct tcpa_entry));
|
||||||
|
|
||||||
|
if (!tclt)
|
||||||
|
return;
|
||||||
|
|
||||||
|
tclt->max_entries = MAX_TCPA_LOG_ENTRIES;
|
||||||
|
tclt->num_entries = 0;
|
||||||
|
|
||||||
|
printk(BIOS_DEBUG, "TCPA log created at %p\n", tclt);
|
||||||
|
}
|
||||||
|
|
||||||
|
int tcpa_log_add_table_entry(const char *name, const uint32_t pcr,
|
||||||
|
const uint8_t *digest, const size_t digest_length)
|
||||||
|
{
|
||||||
|
MAYBE_STATIC struct tcpa_table *tclt = NULL;
|
||||||
|
struct tcpa_entry *tce;
|
||||||
|
|
||||||
|
if (!cbmem_possibly_online())
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
tclt = cbmem_find(CBMEM_ID_TCPA_LOG);
|
||||||
|
if (!tclt) {
|
||||||
|
printk(BIOS_ERR, "ERROR: No TCPA log table found\n");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (tclt->num_entries == tclt->max_entries) {
|
||||||
|
printk(BIOS_WARNING, "ERROR: TCPA log table is full\n");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
tce = &tclt->entries[tclt->num_entries++];
|
||||||
|
|
||||||
|
memcpy(tce->name, name, TCPA_PCR_HASH_NAME);
|
||||||
|
tce->pcr = pcr;
|
||||||
|
memcpy(tce->digest, digest, digest_length);
|
||||||
|
tce->digest_length = digest_length;
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
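Review bot: In `tcpa_log_add_table_entry`, `memcpy(tce->name, name, TCPA_PCR_HASH_NAME)` always reads 256 bytes from a `const char *`, so a shorter string causes an out-of-bounds read and copies adjacent memory into a table that is exported to the OS. `memcpy(tce->digest, digest, digest_length)` is not bounded by `TCPA_DIGEST_MAX_LENGTH`, so an oversized length overruns the 64-byte field into the next entry or past the CBMEM region. Both pointers are used without a NULL check, and the fullness test uses `==`, so a `num_entries` already above `max_entries` (the counters live in writable CBMEM) would pass it. I would validate the arguments, compare with `>=`, zero the slot and copy the name as a bounded string, as sketched below. Smaller points: `MAYBE_STATIC` on `tclt` has no effect because the pointer is reassigned from `cbmem_find()` on every call, and the "table is full" message says "ERROR:" but is logged at `BIOS_WARNING`.

```c
int tcpa_log_add_table_entry(const char *name, const uint32_t pcr,
	const uint8_t *digest, const size_t digest_length)
{
	/* … unchanged: cbmem_possibly_online() and cbmem_find() checks … */

	if (!name || !digest || digest_length > TCPA_DIGEST_MAX_LENGTH) {
		printk(BIOS_ERR, "ERROR: Invalid TCPA log entry\n");
		return -1;
	}

	if (tclt->num_entries >= tclt->max_entries) {
		/* … unchanged: "table is full" message and return -1 … */
	}

	tce = &tclt->entries[tclt->num_entries++];

	/* Zero the slot so unused name/digest bytes never carry stale memory. */
	memset(tce, 0, sizeof(*tce));
	/* Copy at most N-1 bytes; the memset above guarantees termination. */
	strncpy((char *)tce->name, name, TCPA_PCR_HASH_NAME - 1);
	/* … unchanged: pcr, digest copy and digest_length assignments … */
```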
|