Message ID | 20200120023700.5373-4-erichte@linux.ibm.com |
---|---|
State | Superseded |
Series | Add initial secure variable storage and backend drivers | expand |
Context | Check | Description |
---|---|---|
snowpatch_ozlabs/apply_patch | warning | Failed to apply on branch master (d75e82dbfbb9443efeb3f9a5921ac23605aab469) |
snowpatch_ozlabs/apply_patch | fail | Failed to apply to any branch |
On 1/19/20 11:36 PM, Eric Richter wrote: > In order to support upcoming security features within skiboot (such as secure > boot and trusted boot), there needs to be an interface between skiboot and a > TPM 2.0 device. > > This patch adds IBM's TSS 2.0 as a submodule, with the intent of replacing the > current, barebones TSS implementation within skiboot. Also included are a few > minor files containing helper functions or definitions needed to build the > TSS. > > Signed-off-by: Eric Richter <erichte@linux.ibm.com> > --- > .gitmodules | 4 ++++ > libstb/Makefile.inc | 5 +++- > libstb/tss2/Makefile.inc | 39 ++++++++++++++++++++++++++++++++ > libstb/tss2/ibmtpm20tss | 1 + > libstb/tss2/netinet/in.h | 13 +++++++++++ > libstb/tss2/tpm2.c | 38 +++++++++++++++++++++++++++++++ > libstb/tss2/tpm2.h | 49 ++++++++++++++++++++++++++++++++++++++++ > 7 files changed, 148 insertions(+), 1 deletion(-) > create mode 100644 libstb/tss2/Makefile.inc > create mode 160000 libstb/tss2/ibmtpm20tss > create mode 100644 libstb/tss2/netinet/in.h > create mode 100644 libstb/tss2/tpm2.c > create mode 100644 libstb/tss2/tpm2.h > > diff --git a/.gitmodules b/.gitmodules > index 78998dae..c4a50464 100644 > --- a/.gitmodules > +++ b/.gitmodules > @@ -2,3 +2,7 @@ > path = libstb/crypto/mbedtls > url = https://github.com/ARMmbed/mbedtls > branch = mbedtls-2.16 > +[submodule "libstb/ibmtpm20tss"] > + path = libstb/tss2/ibmtpm20tss > + url = https://github.com/erichte-ibm/ibmtpm20tss > + branch = maurosr/v3-tss-skiboot > diff --git a/libstb/Makefile.inc b/libstb/Makefile.inc > index 1434b3d4..0b21971f 100644 > --- a/libstb/Makefile.inc > +++ b/libstb/Makefile.inc 
> @@ -12,10 +12,13 @@ include $(SRC)/$(LIBSTB_DIR)/secvar/Makefile.inc > include $(SRC)/$(LIBSTB_DIR)/drivers/Makefile.inc > include $(SRC)/$(LIBSTB_DIR)/tss/Makefile.inc > include $(SRC)/$(LIBSTB_DIR)/crypto/Makefile.inc > +include $(SRC)/$(LIBSTB_DIR)/tss2/Makefile.inc > > CPPFLAGS += -I$(SRC)/$(LIBSTB_DIR)/crypto/mbedtls/include > +CPPFLAGS += -I$(SRC)/$(LIBSTB_DIR)/ibmtpm20tss/utils > +CFLAGS += -DTPM_NOSOCKET -DTPM_SKIBOOT > > -$(LIBSTB): $(LIBSTB_OBJS:%=$(LIBSTB_DIR)/%) $(DRIVERS) $(TSS) $(SECVAR) $(CRYPTO) > +$(LIBSTB): $(LIBSTB_OBJS:%=$(LIBSTB_DIR)/%) $(DRIVERS) $(TSS) $(SECVAR) $(CRYPTO) $(TSS2) > > libstb/create-container: libstb/create-container.c libstb/container-utils.c > $(call Q, HOSTCC ,$(HOSTCC) $(HOSTCFLAGS) \ > diff --git a/libstb/tss2/Makefile.inc b/libstb/tss2/Makefile.inc > new file mode 100644 > index 00000000..b2536faf > --- /dev/null > +++ b/libstb/tss2/Makefile.inc 
> @@ -0,0 +1,39 @@ > +# -*-Makefile-*- > + > +TSS2_DIR = libstb/tss2 > +IBMTSS_DIR = $(TSS2_DIR)/ibmtpm20tss/utils > + > +SUBDIRS += $(TSS2_DIR) $(IBMTSS_DIR) > + > +CPPFLAGS += -I$(SRC)/$(TSS2_DIR) > +CPPFLAGS += -I$(SRC)/$(IBMTSS_DIR) > + > +TSS2LIB_SRCS = tss.c tss20.c tssauth.c tssauth20.c tssccattributes.c > +#TSS2LIB_SRCS += tsscryptoh.c > +TSS2LIB_SRCS += tssmarshal.c tssprint.c tssprintcmd.c tssproperties.c > +TSS2LIB_SRCS += tssresponsecode.c tsstransmit.c tssutils.c tssntc.c > +TSS2LIB_SRCS += Commands.c CommandAttributeData.c Unmarshal.c > +TSS2LIB_SRCS += tssdevskiboot.c > + > +TSS2_SRCS = $(addprefix ibmtpm20tss/utils/,$(TSS2LIB_SRCS)) > +TSS2_SRCS += tpm2.c > + > +#tsscryptombed.c tsscryptouv.c tssdevuv.c tssuv.c > +#tssskiboot.c eventlog.c eventlib.c tpm_nv.c opalcreate.c > + > +TSS2_OBJS = $(TSS2_SRCS:%.c=%.o) > + > +CFLAGS_$(TSS2_DIR)/ = -DTPM_POSIX -DTPM_TPM20 -DTPM_SKIBOOT > +CFLAGS_$(TSS2_DIR)/ += -DTPM_NOSOCKET > +CFLAGS_$(TSS2_DIR)/ += -DTPM_TSS_NOECC -DTPM_TSS_NORSA -DTPM_TSS_NOCRYPTO > +CFLAGS_$(TSS2_DIR)/ += -DTPM_TSS_NOFILE -DTPM_TSS_NOENV > +CFLAGS_$(TSS2_DIR)/ += -Wstack-usage=4096 -Wframe-larger-than=4096 > + > +CFLAGS_$(IBMTSS_DIR)/ = $(CFLAGS_$(TSS2_DIR)/) > + > +CFLAGS_SKIP_$(TSS2_DIR)/ = -Wsuggest-attribute=const > +CFLAGS_SKIP_$(IBMTSS_DIR)/ = $(CFLAGS_SKIP_$(TSS2_DIR)/) > + > +TSS2 = $(TSS2_DIR)/built-in.a > + > +$(TSS2): $(TSS2_OBJS:%=$(TSS2_DIR)/%) > diff --git a/libstb/tss2/ibmtpm20tss b/libstb/tss2/ibmtpm20tss > new file mode 160000 > index 00000000..3ad7b8b0 > --- /dev/null > +++ b/libstb/tss2/ibmtpm20tss > @@ -0,0 +1 @@ > +Subproject commit 3ad7b8b0915888fb5e3012c86063c5cbc50eb3e1 > diff --git a/libstb/tss2/netinet/in.h b/libstb/tss2/netinet/in.h > new file mode 100644 > index 00000000..ecb8a001 > --- /dev/null > +++ b/libstb/tss2/netinet/in.h 
> @@ -0,0 +1,13 @@ > +#ifndef _NETINIT_IN_H > +#define _NETINIT_IN_H Need SPDX annotation. > + > +//#pragma message "Implment in.h functions \n" > + > +#include <include/types.h> > + > +#define htonl(x) cpu_to_be32(x) > +#define ntohl(x) be32_to_cpu(x) > +#define htons(x) cpu_to_be16(x) > +#define ntohs(x) be16_to_cpu(x) > + > +#endif /* _NETINIT_IN_H */ > diff --git a/libstb/tss2/tpm2.c b/libstb/tss2/tpm2.c > new file mode 100644 > index 00000000..1daa648e > --- /dev/null > +++ b/libstb/tss2/tpm2.c > @@ -0,0 +1,38 @@ > +/* Copyright 2013-2016 IBM Corp. > + * > + * Licensed under the Apache License, Version 2.0 (the "License"); > + * you may not use this file except in compliance with the License. > + * You may obtain a copy of the License at > + * > + * http://www.apache.org/licenses/LICENSE-2.0 > + * > + * Unless required by applicable law or agreed to in writing, software > + * distributed under the License is distributed on an "AS IS" BASIS, > + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or > + * implied. > + * See the License for the specific language governing permissions and > + * limitations under the License. > + */ Use SPDX instead. // SPDX-License-Identifier: Apache-2.0 /* Copyright 2020 IBM Corp. */ > + > +#include <device.h> > +#include "tpm2.h" > + > +static struct tpm_dev *tpm_device; > +static struct tpm_driver *tpm_driver; > + > +void tpm2_register(struct tpm_dev *dev, struct tpm_driver *driver) > +{ > + tpm_device = dev; > + tpm_driver = driver; > +} > + > + > +struct tpm_dev* tpm2_get_device(void) > +{ > + return tpm_device; > +} > + > +struct tpm_driver* tpm2_get_driver(void) > +{ > + return tpm_driver; > +} > diff --git a/libstb/tss2/tpm2.h b/libstb/tss2/tpm2.h > new file mode 100644 > index 00000000..d7dd8f30 > --- /dev/null > +++ b/libstb/tss2/tpm2.h 
> @@ -0,0 +1,49 @@ > +/* Copyright 2013-2016 IBM Corp. > + * > + * Licensed under the Apache License, Version 2.0 (the "License"); > + * you may not use this file except in compliance with the License. > + * You may obtain a copy of the License at > + * > + * http://www.apache.org/licenses/LICENSE-2.0 > + * > + * Unless required by applicable law or agreed to in writing, software > + * distributed under the License is distributed on an "AS IS" BASIS, > + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or > + * implied. > + * See the License for the specific language governing permissions and > + * limitations under the License. > + */ Use SPDX instead. // SPDX-License-Identifier: Apache-2.0 /* Copyright 2013-2018 IBM Corp. */ Claudio > + > +#ifndef __TPM2_H > +#define __TPM2_H > + > +#include <device.h> > + > +struct tpm_dev { > + > + /* TPM bus id */ > + int bus_id; > + > + /* TPM address in the bus */ > + int i2c_addr; > +}; > + > +struct tpm_driver { > + > + /* Driver name */ > + const char* name; > + > + /* Transmit the TPM command stored in buf to the tpm device */ > + int (*transmit)(struct tpm_dev *dev, uint8_t* buf, size_t cmdlen, > + size_t *buflen); > + > + int (*send)(struct tpm_dev *dev, const uint8_t *buf, uint32_t len); > + > + int (*receive)(struct tpm_dev *dev, uint8_t *buf, uint32_t *len); > +}; > + > +void tpm2_register(struct tpm_dev *dev, struct tpm_driver *driver); > +struct tpm_dev* tpm2_get_device(void); > +struct tpm_driver* tpm2_get_driver(void); > + > +#endif /* __TPM2_H */
diff --git a/.gitmodules b/.gitmodules index 78998dae..c4a50464 100644 --- a/.gitmodules +++ b/.gitmodules @@ -2,3 +2,7 @@ path = libstb/crypto/mbedtls url = https://github.com/ARMmbed/mbedtls branch = mbedtls-2.16 +[submodule "libstb/ibmtpm20tss"] + path = libstb/tss2/ibmtpm20tss + url = https://github.com/erichte-ibm/ibmtpm20tss + branch = maurosr/v3-tss-skiboot diff --git a/libstb/Makefile.inc b/libstb/Makefile.inc index 1434b3d4..0b21971f 100644 --- a/libstb/Makefile.inc +++ b/libstb/Makefile.inc @@ -12,10 +12,13 @@ include $(SRC)/$(LIBSTB_DIR)/secvar/Makefile.inc include $(SRC)/$(LIBSTB_DIR)/drivers/Makefile.inc include $(SRC)/$(LIBSTB_DIR)/tss/Makefile.inc include $(SRC)/$(LIBSTB_DIR)/crypto/Makefile.inc +include $(SRC)/$(LIBSTB_DIR)/tss2/Makefile.inc CPPFLAGS += -I$(SRC)/$(LIBSTB_DIR)/crypto/mbedtls/include +CPPFLAGS += -I$(SRC)/$(LIBSTB_DIR)/ibmtpm20tss/utils +CFLAGS += -DTPM_NOSOCKET -DTPM_SKIBOOT -$(LIBSTB): $(LIBSTB_OBJS:%=$(LIBSTB_DIR)/%) $(DRIVERS) $(TSS) $(SECVAR) $(CRYPTO) +$(LIBSTB): $(LIBSTB_OBJS:%=$(LIBSTB_DIR)/%) $(DRIVERS) $(TSS) $(SECVAR) $(CRYPTO) $(TSS2) libstb/create-container: libstb/create-container.c libstb/container-utils.c $(call Q, HOSTCC ,$(HOSTCC) $(HOSTCFLAGS) \ diff --git a/libstb/tss2/Makefile.inc b/libstb/tss2/Makefile.inc new file mode 100644 index 00000000..b2536faf --- /dev/null +++ b/libstb/tss2/Makefile.inc 
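Review bot: The new submodule names itself `libstb/ibmtpm20tss` while its `path` is `libstb/tss2/ibmtpm20tss`; git's convention is name equals path, and the mismatch shows up in `git submodule` output and in any later move of the directory, so the section header should read `[submodule "libstb/tss2/ibmtpm20tss"]`. From a provenance standpoint, the `url` is a personal fork and `branch` is a developer branch (`maurosr/v3-tss-skiboot`), so the commit pinned in the `libstb/tss2/ibmtpm20tss` hunk cannot be traced to an upstream IBM TSS release; the commit message should state why the fork is required (presumably the skiboot device glue, `tssdevskiboot.c`) and how the code is expected to converge back on upstream. Note also that `branch` only steers `git submodule update --remote`; the checked-out revision is the pinned commit, which is the right thing to review and verify.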
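Review bot: The added `CPPFLAGS += -I$(SRC)/$(LIBSTB_DIR)/ibmtpm20tss/utils` resolves to `libstb/ibmtpm20tss/utils`, but the submodule lives at `libstb/tss2/ibmtpm20tss`, so this include directory does not exist; the build only works because `libstb/tss2/Makefile.inc` adds the correct `-I$(SRC)/$(IBMTSS_DIR)`. The added `CFLAGS += -DTPM_NOSOCKET -DTPM_SKIBOOT` duplicates the per-directory `CFLAGS_$(TSS2_DIR)/` defines and, being a plain global append, appears to apply to every object in the tree rather than only the TSS. I would drop both lines here and keep the TSS include path and defines confined to `libstb/tss2/Makefile.inc`.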
@@ -0,0 +1,39 @@
+# -*-Makefile-*-
+
+TSS2_DIR = libstb/tss2
+IBMTSS_DIR = $(TSS2_DIR)/ibmtpm20tss/utils
+
+SUBDIRS += $(TSS2_DIR) $(IBMTSS_DIR)
+
+CPPFLAGS += -I$(SRC)/$(TSS2_DIR)
+CPPFLAGS += -I$(SRC)/$(IBMTSS_DIR)
+
+TSS2LIB_SRCS = tss.c tss20.c tssauth.c tssauth20.c tssccattributes.c
+#TSS2LIB_SRCS += tsscryptoh.c
+TSS2LIB_SRCS += tssmarshal.c tssprint.c tssprintcmd.c tssproperties.c
+TSS2LIB_SRCS += tssresponsecode.c tsstransmit.c tssutils.c tssntc.c
+TSS2LIB_SRCS += Commands.c CommandAttributeData.c Unmarshal.c
+TSS2LIB_SRCS += tssdevskiboot.c
+
+TSS2_SRCS = $(addprefix ibmtpm20tss/utils/,$(TSS2LIB_SRCS))
+TSS2_SRCS += tpm2.c
+
+#tsscryptombed.c tsscryptouv.c tssdevuv.c tssuv.c
+#tssskiboot.c eventlog.c eventlib.c tpm_nv.c opalcreate.c
+
+TSS2_OBJS = $(TSS2_SRCS:%.c=%.o)
+
+CFLAGS_$(TSS2_DIR)/ = -DTPM_POSIX -DTPM_TPM20 -DTPM_SKIBOOT
+CFLAGS_$(TSS2_DIR)/ += -DTPM_NOSOCKET
+CFLAGS_$(TSS2_DIR)/ += -DTPM_TSS_NOECC -DTPM_TSS_NORSA -DTPM_TSS_NOCRYPTO
+CFLAGS_$(TSS2_DIR)/ += -DTPM_TSS_NOFILE -DTPM_TSS_NOENV
+CFLAGS_$(TSS2_DIR)/ += -Wstack-usage=4096 -Wframe-larger-than=4096
+
+CFLAGS_$(IBMTSS_DIR)/ = $(CFLAGS_$(TSS2_DIR)/)
+
+CFLAGS_SKIP_$(TSS2_DIR)/ = -Wsuggest-attribute=const
+CFLAGS_SKIP_$(IBMTSS_DIR)/ = $(CFLAGS_SKIP_$(TSS2_DIR)/)
+
+TSS2 = $(TSS2_DIR)/built-in.a
+
+$(TSS2): $(TSS2_OBJS:%=$(TSS2_DIR)/%)
diff --git a/libstb/tss2/ibmtpm20tss b/libstb/tss2/ibmtpm20tss
new file mode 160000
index 00000000..3ad7b8b0
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss
@@ -0,0 +1 @@
+Subproject commit 3ad7b8b0915888fb5e3012c86063c5cbc50eb3e1
diff --git a/libstb/tss2/netinet/in.h b/libstb/tss2/netinet/in.h
new file mode 100644
index 00000000..ecb8a001
--- /dev/null
+++ b/libstb/tss2/netinet/in.h
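Review bot: `CFLAGS_$(TSS2_DIR)/` builds the TSS with `-DTPM_TSS_NOCRYPTO -DTPM_TSS_NORSA -DTPM_TSS_NOECC` and leaves `tsscryptoh.c` commented out; if I read the IBM TSS build options correctly that removes HMAC and parameter-encryption session support, so only password or unauthenticated sessions will be usable against the TPM, which is a capability decision that matters for secure and trusted boot and should be recorded where it is made. I would add above the flags block: `# Crypto is disabled for now: no HMAC or encrypted sessions until a TSS crypto backend (tsscryptoh.c plus an mbedtls port) is wired in.` The commented-out source lists (`#tsscryptombed.c ...`, `#tssskiboot.c ...`) are dead text in a build file; either remove them or turn them into an explicit TODO naming what each group is waiting on.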
@@ -0,0 +1,13 @@
+#ifndef _NETINIT_IN_H
+#define _NETINIT_IN_H
+
+//#pragma message "Implment in.h functions \n"
+
+#include <include/types.h>
+
+#define htonl(x) cpu_to_be32(x)
+#define ntohl(x) be32_to_cpu(x)
+#define htons(x) cpu_to_be16(x)
+#define ntohs(x) be16_to_cpu(x)
+
+#endif /* _NETINIT_IN_H */
diff --git a/libstb/tss2/tpm2.c b/libstb/tss2/tpm2.c
new file mode 100644
index 00000000..1daa648e
--- /dev/null
+++ b/libstb/tss2/tpm2.c
@@ -0,0 +1,38 @@
+/* Copyright 2013-2016 IBM Corp.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <device.h>
+#include "tpm2.h"
+
+static struct tpm_dev *tpm_device;
+static struct tpm_driver *tpm_driver;
+
+void tpm2_register(struct tpm_dev *dev, struct tpm_driver *driver)
+{
+ tpm_device = dev;
+ tpm_driver = driver;
+}
+
+
+struct tpm_dev* tpm2_get_device(void)
+{
+ return tpm_device;
+}
+
+struct tpm_driver* tpm2_get_driver(void)
+{
+ return tpm_driver;
+}
diff --git a/libstb/tss2/tpm2.h b/libstb/tss2/tpm2.h
new file mode 100644
index 00000000..d7dd8f30
--- /dev/null
+++ b/libstb/tss2/tpm2.h
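Review bot: The include guard `_NETINIT_IN_H` is misspelled (the directory is `netinet`) and, as an underscore-plus-uppercase identifier, is in the namespace reserved for the implementation; `NETINET_IN_H` would avoid both problems. The leftover `//#pragma message "Implment in.h functions \n"` line should be deleted rather than shipped commented out. A one-line header comment such as `/* Minimal netinet/in.h shim: the TSS expects the BSD byte-order macros, mapped here onto skiboot's cpu_to_be*/be*_to_cpu helpers. */` would explain why a `netinet/` directory exists inside firmware.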
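Review bot: `tpm2_register()` unconditionally overwrites `tpm_device` and `tpm_driver` and accepts NULL for either, so a second or malformed registration silently changes which device the TSS sends TPM commands to, and nothing is logged; since the identity of the TPM endpoint is security-relevant, the function should at least reject NULL arguments and make re-registration visible, e.g. `if (!dev || !driver) return;` followed by `if (tpm_device) prlog(PR_WARNING, "TPM2: replacing registered device\n");` before the assignments. Returning `void` means callers cannot detect a refused registration, so an `int` return may be the better interface if this is still early enough to change. The getters return NULL until registration, which is reasonable, but that contract should be stated on the prototypes in `tpm2.h`.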
@@ -0,0 +1,49 @@
+/* Copyright 2013-2016 IBM Corp.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef __TPM2_H
+#define __TPM2_H
+
+#include <device.h>
+
+struct tpm_dev {
+
+ /* TPM bus id */
+ int bus_id;
+
+ /* TPM address in the bus */
+ int i2c_addr;
+};
+
+struct tpm_driver {
+
+ /* Driver name */
+ const char* name;
+
+ /* Transmit the TPM command stored in buf to the tpm device */
+ int (*transmit)(struct tpm_dev *dev, uint8_t* buf, size_t cmdlen,
+ size_t *buflen);
+
+ int (*send)(struct tpm_dev *dev, const uint8_t *buf, uint32_t len);
+
+ int (*receive)(struct tpm_dev *dev, uint8_t *buf, uint32_t *len);
+};
+
+void tpm2_register(struct tpm_dev *dev, struct tpm_driver *driver);
+struct tpm_dev* tpm2_get_device(void);
+struct tpm_driver* tpm2_get_driver(void);
+
+#endif /* __TPM2_H */
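Review bot: `transmit`'s `buflen` and `receive`'s `len` look like in/out parameters (capacity on entry, bytes returned on exit), but neither is documented and `send`/`receive` have no comment at all; these callbacks are where TPM response sizes flow back into skiboot buffers, so each one should spell out capacity-in, length-out and the error return, e.g. on `receive`: `/* Read a TPM response into buf; *len is the buffer capacity on entry and the number of bytes received on return. Returns 0 on success, negative on error. */` (assuming in/out semantics, to be confirmed against the I2C driver). If I remember the tree correctly, `struct tpm_dev` and `struct tpm_driver` here duplicate the definitions in the existing `libstb/tpm_chip.h`, so any translation unit that ends up including both headers will fail on the repeated struct tags; including or reusing the existing definitions would avoid that. Minor style: `const char* name` and `uint8_t* buf` bind the `*` to the type, unlike the rest of this header.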
In order to support upcoming security features within skiboot (such as secure boot and trusted boot), there needs to be an interface between skiboot and a TPM 2.0 device. This patch adds IBM's TSS 2.0 as a submodule, with the intent of replacing the current, barebones TSS implementation within skiboot. Also included are a few minor files containing helper functions or definitions needed to build the TSS. Signed-off-by: Eric Richter <erichte@linux.ibm.com> --- .gitmodules | 4 ++++ libstb/Makefile.inc | 5 +++- libstb/tss2/Makefile.inc | 39 ++++++++++++++++++++++++++++++++ libstb/tss2/ibmtpm20tss | 1 + libstb/tss2/netinet/in.h | 13 +++++++++++ libstb/tss2/tpm2.c | 38 +++++++++++++++++++++++++++++++ libstb/tss2/tpm2.h | 49 ++++++++++++++++++++++++++++++++++++++++ 7 files changed, 148 insertions(+), 1 deletion(-) create mode 100644 libstb/tss2/Makefile.inc create mode 160000 libstb/tss2/ibmtpm20tss create mode 100644 libstb/tss2/netinet/in.h create mode 100644 libstb/tss2/tpm2.c create mode 100644 libstb/tss2/tpm2.h