[13/19] libstb/trustedboot.c: import stb_final() from stb.c



Claudio Carvalho Nov. 11, 2017, 5:28 p.m.
The stb_final() primary goal is to measure the event EV_SEPARATOR
into PCR[0-7] when trusted boot is about to exit the boot services.

This imports stb_final() from stb.c into trustedboot.c, making the
following changes:
- Rename it to trustedboot_exit_boot_services().
- As specified in the TCG PC Client spec, EV_SEPARATOR events must be
  logged with the name 0xFFFFFF.
- Remove the rom driver clean-up call.
- Don't allow code to be measured in skiboot after
  trustedboot_exit_boot_services() is called.

Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
---
 libstb/trustedboot.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 libstb/trustedboot.h | 11 +++++++++
 2 files changed, 79 insertions(+)


diff --git a/libstb/trustedboot.c b/libstb/trustedboot.c
index 39310e4..0684840 100644
--- a/libstb/trustedboot.c
+++ b/libstb/trustedboot.c
@@ -31,6 +31,7 @@ 
 //#define STB_DEBUG
 
 static bool trusted_mode = false;
+static bool boot_services_exited = false;
 
 /*
  * This maps a PCR for each resource we can measure. The PCR number is
@@ -47,6 +48,26 @@  static struct {
 	{ RESOURCE_ID_CAPP,   PCR_2 },
 };
 
+/*
+ * Event Separator - digest of 0xFFFFFFFF
+ */
+static struct {
+	const unsigned char *event;
+	const unsigned char *sha1;
+	const unsigned char *sha256;
+} ev_separator = {
+
+	.event = "\xff\xff\xff\xff",
+
+	.sha1   = "\xd9\xbe\x65\x24\xa5\xf5\x04\x7d\xb5\x86"
+		  "\x68\x13\xac\xf3\x27\x78\x92\xa7\xa3\x0a",
+
+	.sha256 = "\xad\x95\x13\x1b\xc0\xb7\x99\xc0\xb1\xaf"
+		  "\x47\x7f\xb1\x4f\xcf\x26\xa6\xa9\xf7\x60"
+		  "\x79\xe4\x8b\xf0\x90\xac\xb7\xe8\x36\x7b"
+		  "\xfd\x0e"
+};
+
 static TPM_Pcr map_pcr(enum resource_id id)
 {
 	int i;
@@ -105,6 +126,48 @@  void trustedboot_init(void)
 		prlog(PR_ERR, "tpm init FAILED\n");
 }
 
+int trustedboot_exit_boot_services(void)
+{
+	uint32_t pcr;
+	int rc = 0;
+	bool failed = false;
+
+	boot_services_exited = true;
+
+	if (!trusted_mode)
+		goto out_free;
+
+#ifdef STB_DEBUG
+	prlog(PR_NOTICE, "ev_separator.event: %s\n", ev_separator.event);
+	prlog(PR_NOTICE, "ev_separator.sha1:\n");
+	stb_print_data((uint8_t*) ev_separator.sha1, TPM_ALG_SHA1_SIZE);
+	prlog(PR_NOTICE, "ev_separator.sha256:\n");
+	stb_print_data((uint8_t*) ev_separator.sha256, TPM_ALG_SHA256_SIZE);
+#endif
+	/*
+	 * As defined in the TCG Platform Firmware PWe are done. Extending the digest of 0xFFFFFFFF
+	 * in PCR[0-7], and recording an EV_SEPARATOR event in
+	 * event log as defined in the TCG Platform Firmware Profile
+	 * specification, Revision 00.21
+	 */
+	for (pcr = 0; pcr < 8; pcr++) {
+		rc = tpm_extendl(pcr, TPM_ALG_SHA256,
+				(uint8_t*) ev_separator.sha256,
+				TPM_ALG_SHA256_SIZE, TPM_ALG_SHA1,
+				(uint8_t*) ev_separator.sha1,
+				TPM_ALG_SHA1_SIZE, EV_SEPARATOR,
+				ev_separator.event);
+		if (rc)
+			failed = true;
+	}
+	tpm_add_status_property();
+
+out_free:
+	tpm_cleanup();
+
+	return (failed) ? -1 : 0;
+}
+
 int trustedboot_measure(enum resource_id id, void *buf, size_t len)
 {
 	uint8_t digest[SHA512_DIGEST_LENGTH];
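Review bot: The block comment above the PCR loop is garbled ("As defined in the TCG Platform Firmware PWe are done. Extending the digest of ...") and looks like two comments merged during the import; it should be rewritten to say that, now that boot services are ending, the digest of 0xFFFFFFFF is extended into PCR[0-7] and an EV_SEPARATOR event is recorded in the event log, as defined in the TCG Platform Firmware Profile specification, Revision 00.21. The `out_free` label frees nothing, it only reaches `tpm_cleanup()`, so `out_cleanup:` would describe the path honestly. `rc` is overwritten on every iteration and only the `failed` flag survives, so the caller gets a bare -1 with no indication of which PCR extend failed; either log `pcr` and `rc` inside the `if (rc)` branch, `prlog(PR_ERR, "EV_SEPARATOR NOT EXTENDED in PCR[%u], rc=%d\n", pcr, rc);`, or keep the first failing code for the return value.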
@@ -127,6 +190,11 @@  int trustedboot_measure(enum resource_id id, void *buf, size_t len)
 		prlog(PR_ERR, "resource NOT MEASURED, resource_id=%d unknown\n", id);
 		return -1;
 	}
+	if (boot_services_exited) {
+		prlog(PR_ERR, "%s NOT MEASURED. Already exited from boot "
+		      "services\n", name);
+		return -1;
+	}
 	pcr = map_pcr(id);
 	if (pcr == -1) {
 		/**
diff --git a/libstb/trustedboot.h b/libstb/trustedboot.h
index bd5ac91..3003c80 100644
--- a/libstb/trustedboot.h
+++ b/libstb/trustedboot.h
@@ -22,6 +22,17 @@ 
 void trustedboot_init(void);
 
 /**
+ * As defined in the TCG Platform Firmware Profile specification, the
+ * digest of 0xFFFFFFFF or 0x00000000  must be extended in PCR[0-7] and
+ * an EV_SEPARATOR event must be recorded in the event log for PCR[0-7]
+ * prior to the first invocation of the first Ready to Boot call.
+ *
+ * This function must be called just before BOOTKERNEL is executed. Every call
+ * to trustedboot_measure() will fail afterwards.
+ */
+int trustedboot_exit_boot_services(void);
+
+/**
  * trustedboot_measure - measure a resource
  * @id    : resource id
  * @buf   : data to be measured
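Review bot: The new doc comment for `trustedboot_exit_boot_services()` does not document its return value or side effects, which the caller must know to decide whether a failed separator extend is fatal for the boot. Based on the .c hunk, add `@return 0 on success, -1 if extending EV_SEPARATOR into any of PCR[0-7] failed` and a note that the TPM driver is cleaned up on return regardless of whether trusted mode is enabled. The comment also says "0xFFFFFFFF or 0x00000000" while the implementation only ever extends the 0xFFFFFFFF digest; stating the value actually used avoids a reader assuming either may appear in this firmware's event log. There is a stray double space in "0x00000000  must".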