GNUBoot
/
coreboot-kgpe-d16
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

security/vboot: Enable TCPA log extension 

* Implement TCPA log for tspi extend function.
* Hook tcpa_log_init into vboot tpm_setup function.
* Add TCPA log output for vboot GBB flags and HWID

Change-Id: I22b1aa8da1a95380c39715727615ce5ce4c9443f
Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org>
Reviewed-on: https://review.coreboot.org/27727
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Rudolph <siro@das-labor.org>
This commit is contained in:
Philipp Deppenwiese 2018-07-30 01:27:47 +02:00 committed by Philipp Deppenwiese
parent 405a0f5230
commit f849972f65
3 changed files with 31 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/security/tpm/tspi.h
View File

@ -35,10 +35,12 @@ int tcpa_log_add_table_entry(const char *name, const uint32_t pcr,
* Ask vboot for a digest and extend a TPM PCR with it. * Ask vboot for a digest and extend a TPM PCR with it.
* @param pcr sets the pcr index * @param pcr sets the pcr index
* @param digest sets the hash to extend into the tpm * @param digest sets the hash to extend into the tpm
* @param out_digest get extended hash * @param digest_len the length of the digest
* @param name sets additional info where the digest comes from
* @return TPM_SUCCESS on success. If not a tpm error is returned * @return TPM_SUCCESS on success. If not a tpm error is returned
*/ */
uint32_t tpm_extend_pcr(int pcr, uint8_t *digest, uint8_t *out_digest); uint32_t tpm_extend_pcr(int pcr, uint8_t *digest, size_t digest_len,
const char *name);
/** /**
* Issue a TPM_Clear and reenable/reactivate the TPM. * Issue a TPM_Clear and reenable/reactivate the TPM.

16
src/security/tpm/tspi/tspi.c
View File

@ -178,13 +178,21 @@ uint32_t tpm_clear_and_reenable(void)
return TPM_SUCCESS; return TPM_SUCCESS;
} }
uint32_t tpm_extend_pcr(int pcr, uint8_t *digest, uint8_t *out_digest) uint32_t tpm_extend_pcr(int pcr, uint8_t *digest,
size_t digest_len, const char *name)
{ {
uint32_t result;
if (!digest) if (!digest)
return TPM_E_IOERROR; return TPM_E_IOERROR;
if (out_digest) result = tlcl_extend(pcr, digest, NULL);
return tlcl_extend(pcr, digest, out_digest); if (result != TPM_SUCCESS)
return result;
return tlcl_extend(pcr, digest, NULL); result = tcpa_log_add_table_entry(name, pcr, digest, digest_len);
if (result != 0)
printk(BIOS_ERR, "ERROR: Couldn't create TCPA log entry\n");
return 0;
} }

17
src/security/vboot/secdata_tpm.c
View File

@ -61,11 +61,13 @@
} \ } \
} while (0) } while (0)
#define TPM_PCR_GBB_FLAGS_NAME "GBB flags"
#define TPM_PCR_GBB_HWID_NAME "GBB HWID"
static uint32_t safe_write(uint32_t index, const void *data, uint32_t length); static uint32_t safe_write(uint32_t index, const void *data, uint32_t length);
uint32_t vboot_extend_pcr(struct vb2_context *ctx, int pcr, uint32_t vboot_extend_pcr(struct vb2_context *ctx, int pcr,
enum vb2_pcr_digest which_digest) enum vb2_pcr_digest which_digest)
{ {
uint8_t buffer[VB2_PCR_DIGEST_RECOMMENDED_SIZE]; uint8_t buffer[VB2_PCR_DIGEST_RECOMMENDED_SIZE];
uint32_t size = sizeof(buffer); uint32_t size = sizeof(buffer);
@ -77,7 +79,15 @@ uint32_t vboot_extend_pcr(struct vb2_context *ctx, int pcr,
if (size < TPM_PCR_MINIMUM_DIGEST_SIZE) if (size < TPM_PCR_MINIMUM_DIGEST_SIZE)
return VB2_ERROR_UNKNOWN; return VB2_ERROR_UNKNOWN;
return tpm_extend_pcr(pcr, buffer, NULL); switch (which_digest) {
case BOOT_MODE_PCR:
return tpm_extend_pcr(pcr, buffer, size,
TPM_PCR_GBB_FLAGS_NAME);
case HWID_DIGEST_PCR:
return tpm_extend_pcr(pcr, buffer, size, TPM_PCR_GBB_HWID_NAME);
default:
return VB2_ERROR_UNKNOWN;
}
} }
static uint32_t read_space_firmware(struct vb2_context *ctx) static uint32_t read_space_firmware(struct vb2_context *ctx)
@ -441,6 +451,9 @@ uint32_t vboot_setup_tpm(struct vb2_context *ctx)
if (result == TPM_E_MUST_REBOOT) if (result == TPM_E_MUST_REBOOT)
ctx->flags |= VB2_CONTEXT_SECDATA_WANTS_REBOOT; ctx->flags |= VB2_CONTEXT_SECDATA_WANTS_REBOOT;
// TCPA cbmem log
tcpa_log_init();
return result; return result;
} }