
[2/3] tcgbios: Implement tpm_hash_log_extend_event_file

Message ID 20200326202054.826301-3-stefanb@linux.vnet.ibm.com
State Superseded

Commit Message

Stefan Berger March 26, 2020, 8:20 p.m. UTC
From: Stefan Berger <stefanb@linux.ibm.com>

Implement tpm_hash_log_extend_event_file(), which allows measuring
the contents of a file into a given PCR and logging it with the
given event type and description. The caller may choose to have
the size of the original ELF image detected so that only data
from the ELF image are hashed.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 lib/libtpm/tcgbios.c | 35 +++++++++++++++++++++++++++++++++++
 lib/libtpm/tcgbios.h |  4 ++++
 lib/libtpm/tpm.code  | 19 +++++++++++++++++++
 lib/libtpm/tpm.in    |  1 +
 4 files changed, 59 insertions(+)

Comments

Alexey Kardashevskiy April 1, 2020, 4:31 a.m. UTC | #1
On 27/03/2020 07:20, Stefan Berger wrote:
> From: Stefan Berger <stefanb@linux.ibm.com>
> 
> Implement tpm_hash_log_extend_event_file() that allows to measure
> the contents of a file into a given PCR and log it with the
> given event type and description. The caller may choose to have
> the size of the original ELF image detected so that only data
> from the ELF image are hashed.
> 
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
>  lib/libtpm/tcgbios.c | 35 +++++++++++++++++++++++++++++++++++
>  lib/libtpm/tcgbios.h |  4 ++++
>  lib/libtpm/tpm.code  | 19 +++++++++++++++++++
>  lib/libtpm/tpm.in    |  1 +
>  4 files changed, 59 insertions(+)
> 
> diff --git a/lib/libtpm/tcgbios.c b/lib/libtpm/tcgbios.c
> index be6c3d1..fa2ab2b 100644
> --- a/lib/libtpm/tcgbios.c
> +++ b/lib/libtpm/tcgbios.c
> @@ -33,6 +33,7 @@
>  #include "helpers.h"
>  #include "version.h"
>  #include "OF.h"
> +#include "libelf.h"
>  
>  #undef TCGBIOS_DEBUG
>  //#define TCGBIOS_DEBUG
> @@ -852,6 +853,40 @@ static uint32_t tpm_add_measurement_to_log(uint32_t pcrindex,
>  	return tpm_log_event_long(&le.hdr, digest_len, info, infolen);
>  }
>  
> +/*
> + * Measure a file into the given PCR and log it with the given
> + * eventtype. If is_elf is true, try to determine the size of the
> + * ELF file and use its size rather than the much larger data buffer
> + * it is held in. In case of failure to detect the ELF file size,
> + * log an additional error.
> + */
> +uint32_t tpm_hash_log_extend_event_file(uint32_t pcrindex, uint32_t eventtype,
> +					const void *data, uint32_t datalen,
> +					const char *desc, uint32_t desclen,
> +					bool is_elf)


This @is_elf flag does not seem useful, it is always "true".


> +{
> +	long len;
> +	const char *string;
> +	uint32_t ret;
> +
> +	if (is_elf) {
> +		len = elf_get_file_size(data, datalen);
> +		if (len > 0) {
> +			datalen = len;
> +		} else {
> +			string = "BAD ELF FILE";
> +			ret = tpm_add_measurement_to_log(pcrindex, eventtype,
> +					  string, strlen(string),
> +					  (uint8_t *)string, strlen(string));
> +			if (ret)
> +				return ret;


You logged "BAD ELF FILE" here and you still want to add measurement below?


> +		}
> +	}
> +	return tpm_add_measurement_to_log(pcrindex, eventtype,
> +					  desc, desclen,
> +					  data, datalen);
> +}
> +
>  /*
>   * Add an EV_ACTION measurement to the list of measurements
>   */
> diff --git a/lib/libtpm/tcgbios.h b/lib/libtpm/tcgbios.h
> index 8174d86..1ef72e9 100644
> --- a/lib/libtpm/tcgbios.h
> +++ b/lib/libtpm/tcgbios.h
> @@ -32,5 +32,9 @@ void tpm20_menu(void);
>  void tpm_gpt_set_lba1(const uint8_t *addr, uint32_t length);
>  void tpm_gpt_add_entry(const uint8_t *addr, uint32_t length);
>  uint32_t tpm_measure_gpt(void);
> +uint32_t tpm_hash_log_extend_event_file(uint32_t pcrindex, uint32_t eventtype,
> +					const void *data, uint32_t datalen,
> +					const char *desc, uint32_t desclen,
> +					bool is_elf);


This one and tpm-hash-log-extend-event-file return a code which nobody
looks at.

>  
>  #endif /* TCGBIOS_H */
> diff --git a/lib/libtpm/tpm.code b/lib/libtpm/tpm.code
> index 205c608..598280d 100644
> --- a/lib/libtpm/tpm.code
> +++ b/lib/libtpm/tpm.code
> @@ -169,3 +169,22 @@ PRIM(tpm_X2d_measure_X2d_gpt)
>  	PUSH;
>  	TOS.n = tpm_measure_gpt();
>  MIRP
> +
> +/*****************************************************************************************************/
> +/* Firmware API                                                                                      */
> +/* SLOF:   tpm-hash-log-extend-event-raw ( pcr evt data-ptr data-len desc-ptr desclen is_elf -- rc ) */


it is tpm-hash-log-extend-event-file now, not ...-raw. Thanks,


> +/* LIBTPM: errcode = tpm-hash-log-extend-event-raw                                                   */
> +/*****************************************************************************************************/
> +PRIM(tpm_X2d_hash_X2d_log_X2d_extend_X2d_event_X2d_file)
> +	uint32_t is_elf  = TOS.u; POP;
> +	uint32_t desclen = TOS.u; POP;
> +	const char *desc = TOS.a; POP;
> +	uint32_t datalen = TOS.u; POP;
> +	const void *data = TOS.a; POP;
> +	uint32_t eventtype = TOS.u; POP;
> +	uint32_t pcrindex = TOS.u;
> +
> +	TOS.n = tpm_hash_log_extend_event_file(pcrindex, eventtype,
> +					       data, datalen,
> +					       desc, desclen, is_elf);
> +MIRP
> diff --git a/lib/libtpm/tpm.in b/lib/libtpm/tpm.in
> index bdbc47d..db8bea0 100644
> --- a/lib/libtpm/tpm.in
> +++ b/lib/libtpm/tpm.in
> @@ -28,3 +28,4 @@ cod(tpm20-menu)
>  cod(tpm-gpt-set-lba1)
>  cod(tpm-gpt-add-entry)
>  cod(tpm-measure-gpt)
> +cod(tpm-hash-log-extend-event-file)
>
Stefan Berger April 1, 2020, 12:31 p.m. UTC | #2
On 4/1/20 12:31 AM, Alexey Kardashevskiy wrote:
>
> On 27/03/2020 07:20, Stefan Berger wrote:
>> From: Stefan Berger <stefanb@linux.ibm.com>
>>
>> Implement tpm_hash_log_extend_event_file() that allows to measure
>> the contents of a file into a given PCR and log it with the
>> given event type and description. The caller may choose to have
>> the size of the original ELF image detected so that only data
>> from the ELF image are hashed.
>>
>> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>> ---
>>   lib/libtpm/tcgbios.c | 35 +++++++++++++++++++++++++++++++++++
>>   lib/libtpm/tcgbios.h |  4 ++++
>>   lib/libtpm/tpm.code  | 19 +++++++++++++++++++
>>   lib/libtpm/tpm.in    |  1 +
>>   4 files changed, 59 insertions(+)
>>
>> diff --git a/lib/libtpm/tcgbios.c b/lib/libtpm/tcgbios.c
>> index be6c3d1..fa2ab2b 100644
>> --- a/lib/libtpm/tcgbios.c
>> +++ b/lib/libtpm/tcgbios.c
>> @@ -33,6 +33,7 @@
>>   #include "helpers.h"
>>   #include "version.h"
>>   #include "OF.h"
>> +#include "libelf.h"
>>   
>>   #undef TCGBIOS_DEBUG
>>   //#define TCGBIOS_DEBUG
>> @@ -852,6 +853,40 @@ static uint32_t tpm_add_measurement_to_log(uint32_t pcrindex,
>>   	return tpm_log_event_long(&le.hdr, digest_len, info, infolen);
>>   }
>>   
>> +/*
>> + * Measure a file into the given PCR and log it with the given
>> + * eventtype. If is_elf is true, try to determine the size of the
>> + * ELF file and use its size rather than the much larger data buffer
>> + * it is held in. In case of failure to detect the ELF file size,
>> + * log an additional error.
>> + */
>> +uint32_t tpm_hash_log_extend_event_file(uint32_t pcrindex, uint32_t eventtype,
>> +					const void *data, uint32_t datalen,
>> +					const char *desc, uint32_t desclen,
>> +					bool is_elf)
>
> This @is_elf flag does not seem useful, it is always "true".


In this patch series it would always be true, yes. Though when we 
extend the API to support grub I can see grub invoking a firmware 
API that will invoke this call with 'data' carrying files whose sizes 
are known and need not be determined, thus passing 'is_elf = false'. The 
loaded kernel and initramfs are such examples.


>
>> +{
>> +	long len;
>> +	const char *string;
>> +	uint32_t ret;
>> +
>> +	if (is_elf) {
>> +		len = elf_get_file_size(data, datalen);
>> +		if (len > 0) {
>> +			datalen = len;
>> +		} else {
>> +			string = "BAD ELF FILE";
>> +			ret = tpm_add_measurement_to_log(pcrindex, eventtype,
>> +					  string, strlen(string),
>> +					  (uint8_t *)string, strlen(string));
>> +			if (ret)
>> +				return ret;
>
> You logged "BAD ELF FILE" here and you still want to add measurement below?


I wasn't sure about this. But on second thought I think we could just 
return after this.


>
>> +		}
>> +	}
>> +	return tpm_add_measurement_to_log(pcrindex, eventtype,
>> +					  desc, desclen,
>> +					  data, datalen);
>> +}
>> +
>>   /*
>>    * Add an EV_ACTION measurement to the list of measurements
>>    */
>> diff --git a/lib/libtpm/tcgbios.h b/lib/libtpm/tcgbios.h
>> index 8174d86..1ef72e9 100644
>> --- a/lib/libtpm/tcgbios.h
>> +++ b/lib/libtpm/tcgbios.h
>> @@ -32,5 +32,9 @@ void tpm20_menu(void);
>>   void tpm_gpt_set_lba1(const uint8_t *addr, uint32_t length);
>>   void tpm_gpt_add_entry(const uint8_t *addr, uint32_t length);
>>   uint32_t tpm_measure_gpt(void);
>> +uint32_t tpm_hash_log_extend_event_file(uint32_t pcrindex, uint32_t eventtype,
>> +					const void *data, uint32_t datalen,
>> +					const char *desc, uint32_t desclen,
>> +					bool is_elf);
>
> This one and tpm-hash-log-extend-event-file return a code which nobody
> looks at.
>
>>   
>>   #endif /* TCGBIOS_H */
>> diff --git a/lib/libtpm/tpm.code b/lib/libtpm/tpm.code
>> index 205c608..598280d 100644
>> --- a/lib/libtpm/tpm.code
>> +++ b/lib/libtpm/tpm.code
>> @@ -169,3 +169,22 @@ PRIM(tpm_X2d_measure_X2d_gpt)
>>   	PUSH;
>>   	TOS.n = tpm_measure_gpt();
>>   MIRP
>> +
>> +/*****************************************************************************************************/
>> +/* Firmware API                                                                                      */
>> +/* SLOF:   tpm-hash-log-extend-event-raw ( pcr evt data-ptr data-len desc-ptr desclen is_elf -- rc ) */
>
> it is tpm-hash-log-extend-event-file now, not ...-raw. Thanks,


Oh  yes, will fix.


>
>> +/* LIBTPM: errcode = tpm-hash-log-extend-event-raw                                                   */
>> +/*****************************************************************************************************/
>> +PRIM(tpm_X2d_hash_X2d_log_X2d_extend_X2d_event_X2d_file)
>> +	uint32_t is_elf  = TOS.u; POP;
>> +	uint32_t desclen = TOS.u; POP;
>> +	const char *desc = TOS.a; POP;
>> +	uint32_t datalen = TOS.u; POP;
>> +	const void *data = TOS.a; POP;
>> +	uint32_t eventtype = TOS.u; POP;
>> +	uint32_t pcrindex = TOS.u;
>> +
>> +	TOS.n = tpm_hash_log_extend_event_file(pcrindex, eventtype,
>> +					       data, datalen,
>> +					       desc, desclen, is_elf);
>> +MIRP
>> diff --git a/lib/libtpm/tpm.in b/lib/libtpm/tpm.in
>> index bdbc47d..db8bea0 100644
>> --- a/lib/libtpm/tpm.in
>> +++ b/lib/libtpm/tpm.in
>> @@ -28,3 +28,4 @@ cod(tpm20-menu)
>>   cod(tpm-gpt-set-lba1)
>>   cod(tpm-gpt-add-entry)
>>   cod(tpm-measure-gpt)
>> +cod(tpm-hash-log-extend-event-file)
>>

Patch

diff --git a/lib/libtpm/tcgbios.c b/lib/libtpm/tcgbios.c
index be6c3d1..fa2ab2b 100644
--- a/lib/libtpm/tcgbios.c
+++ b/lib/libtpm/tcgbios.c
@@ -33,6 +33,7 @@ 
 #include "helpers.h"
 #include "version.h"
 #include "OF.h"
+#include "libelf.h"
 
 #undef TCGBIOS_DEBUG
 //#define TCGBIOS_DEBUG
@@ -852,6 +853,40 @@  static uint32_t tpm_add_measurement_to_log(uint32_t pcrindex,
 	return tpm_log_event_long(&le.hdr, digest_len, info, infolen);
 }
 
+/*
+ * Measure a file into the given PCR and log it with the given
+ * eventtype. If is_elf is true, try to determine the size of the
+ * ELF file and use its size rather than the much larger data buffer
+ * it is held in. In case of failure to detect the ELF file size,
+ * log an additional error.
+ */
+uint32_t tpm_hash_log_extend_event_file(uint32_t pcrindex, uint32_t eventtype,
+					const void *data, uint32_t datalen,
+					const char *desc, uint32_t desclen,
+					bool is_elf)
+{
+	long len;
+	const char *string;
+	uint32_t ret;
+
+	if (is_elf) {
+		len = elf_get_file_size(data, datalen);
+		if (len > 0) {
+			datalen = len;
+		} else {
+			string = "BAD ELF FILE";
+			ret = tpm_add_measurement_to_log(pcrindex, eventtype,
+					  string, strlen(string),
+					  (uint8_t *)string, strlen(string));
+			if (ret)
+				return ret;
+		}
+	}
+	return tpm_add_measurement_to_log(pcrindex, eventtype,
+					  desc, desclen,
+					  data, datalen);
+}
+
 /*
  * Add an EV_ACTION measurement to the list of measurements
  */
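Review bot: `datalen = len;` in the new function accepts whatever size the ELF headers report without checking it against the buffer the caller passed in, so a truncated or malformed image could make the final tpm_add_measurement_to_log() call hash past the end of `data` — unless elf_get_file_size() already guarantees `len <= datalen`, which is not visible in this hunk. The image being measured is by construction not yet trusted, so the bound belongs here: `if (len > 0 && (unsigned long)len <= datalen) {`, with the out-of-range case falling into the existing "BAD ELF FILE" path. Separately, the `(uint8_t *)string` cast in that error path discards const and appears unnecessary, since the final call passes `data` as `const void *` with no cast.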
diff --git a/lib/libtpm/tcgbios.h b/lib/libtpm/tcgbios.h
index 8174d86..1ef72e9 100644
--- a/lib/libtpm/tcgbios.h
+++ b/lib/libtpm/tcgbios.h
@@ -32,5 +32,9 @@  void tpm20_menu(void);
 void tpm_gpt_set_lba1(const uint8_t *addr, uint32_t length);
 void tpm_gpt_add_entry(const uint8_t *addr, uint32_t length);
 uint32_t tpm_measure_gpt(void);
+uint32_t tpm_hash_log_extend_event_file(uint32_t pcrindex, uint32_t eventtype,
+					const void *data, uint32_t datalen,
+					const char *desc, uint32_t desclen,
+					bool is_elf);
 
 #endif /* TCGBIOS_H */
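Review bot: The new prototype is the first use of `bool` visible in tcgbios.h, and the hunk does not show whether the header already includes `<stdbool.h>`; if it does not, every translation unit that includes tcgbios.h before `<stdbool.h>` will fail to compile. Either add `#include <stdbool.h>` to the header or confirm it is already pulled in above the hunk.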
diff --git a/lib/libtpm/tpm.code b/lib/libtpm/tpm.code
index 205c608..598280d 100644
--- a/lib/libtpm/tpm.code
+++ b/lib/libtpm/tpm.code
@@ -169,3 +169,22 @@  PRIM(tpm_X2d_measure_X2d_gpt)
 	PUSH;
 	TOS.n = tpm_measure_gpt();
 MIRP
+
+/*****************************************************************************************************/
+/* Firmware API                                                                                      */
+/* SLOF:   tpm-hash-log-extend-event-raw ( pcr evt data-ptr data-len desc-ptr desclen is_elf -- rc ) */
+/* LIBTPM: errcode = tpm-hash-log-extend-event-raw                                                   */
+/*****************************************************************************************************/
+PRIM(tpm_X2d_hash_X2d_log_X2d_extend_X2d_event_X2d_file)
+	uint32_t is_elf  = TOS.u; POP;
+	uint32_t desclen = TOS.u; POP;
+	const char *desc = TOS.a; POP;
+	uint32_t datalen = TOS.u; POP;
+	const void *data = TOS.a; POP;
+	uint32_t eventtype = TOS.u; POP;
+	uint32_t pcrindex = TOS.u;
+
+	TOS.n = tpm_hash_log_extend_event_file(pcrindex, eventtype,
+					       data, datalen,
+					       desc, desclen, is_elf);
+MIRP
diff --git a/lib/libtpm/tpm.in b/lib/libtpm/tpm.in
index bdbc47d..db8bea0 100644
--- a/lib/libtpm/tpm.in
+++ b/lib/libtpm/tpm.in
@@ -28,3 +28,4 @@  cod(tpm20-menu)
 cod(tpm-gpt-set-lba1)
 cod(tpm-gpt-add-entry)
 cod(tpm-measure-gpt)
+cod(tpm-hash-log-extend-event-file)