From patchwork Mon May 11 21:31:46 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Richter X-Patchwork-Id: 1288089 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 49LZ4H4hQpz9sRK for ; Tue, 12 May 2020 07:35:59 +1000 (AEST) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from bilbo.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 49LZ4H3flczDr28 for ; Tue, 12 May 2020 07:35:59 +1000 (AEST) X-Original-To: skiboot@lists.ozlabs.org Delivered-To: skiboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=linux.ibm.com (client-ip=148.163.158.5; helo=mx0a-001b2d01.pphosted.com; envelope-from=erichte@linux.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 49LYzw3QDjzDqgN for ; Tue, 12 May 2020 07:32:12 +1000 (AEST) Received: from pps.filterd (m0098417.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 04BLCSBj020591 for ; Mon, 11 May 2020 17:32:10 -0400 Received: from ppma04ams.nl.ibm.com (63.31.33a9.ip4.static.sl-reverse.com [169.51.49.99]) by mx0a-001b2d01.pphosted.com with ESMTP id 30wry0tx0u-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 11 May 2020 17:32:09 -0400 Received: from pps.filterd (ppma04ams.nl.ibm.com [127.0.0.1]) by ppma04ams.nl.ibm.com (8.16.0.27/8.16.0.27) with SMTP id 04BLPNRE000488 for ; Mon, 11 May 2020 21:32:08 GMT Received: from b06avi18878370.portsmouth.uk.ibm.com (b06avi18878370.portsmouth.uk.ibm.com [9.149.26.194]) by ppma04ams.nl.ibm.com with ESMTP id 30wm55d4sk-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 11 May 2020 21:32:08 +0000 Received: from b06wcsmtp001.portsmouth.uk.ibm.com (b06wcsmtp001.portsmouth.uk.ibm.com [9.149.105.160]) by b06avi18878370.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 04BLW5PV59834832 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 11 May 2020 21:32:05 GMT Received: from b06wcsmtp001.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 991F3A405B; Mon, 11 May 2020 21:32:05 +0000 (GMT) Received: from b06wcsmtp001.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id EE00AA4054; Mon, 11 May 2020 21:32:04 +0000 (GMT) Received: from ceres.ibmuc.com (unknown [9.80.226.245]) by b06wcsmtp001.portsmouth.uk.ibm.com (Postfix) with ESMTP; Mon, 11 May 2020 21:32:04 +0000 (GMT) From: Eric Richter To: skiboot@lists.ozlabs.org Date: Mon, 11 May 2020 16:31:46 -0500 Message-Id: <20200511213152.24952-13-erichte@linux.ibm.com> X-Mailer: git-send-email 2.21.1 In-Reply-To: <20200511213152.24952-1-erichte@linux.ibm.com> References: <20200511213152.24952-1-erichte@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.216, 18.0.676 definitions=2020-05-11_10:2020-05-11, 2020-05-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 priorityscore=1501 mlxscore=0 clxscore=1015 lowpriorityscore=0 spamscore=0 suspectscore=1 mlxlogscore=999 malwarescore=0 impostorscore=0 bulkscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2003020000 definitions=main-2005110159 Subject: [Skiboot] [PATCH v4 12/18] secvar/storage/fakenv: add fake tpm operations for testing X-BeenThere: skiboot@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Mailing list for skiboot development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: nayna@linux.ibm.com Errors-To: skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Skiboot" The secboot_tpm storage driver heavily relies on the TPM to ensure data integrity, which makes it difficult to test in userspace or on hardware without a TPM. This patch adds a bunch of functions that implement the tssskiboot interface, and simulates the expected TPM behavior utilizing PNOR space instead. THIS IS NOT INTENDED FOR PRODUCTION USE. Signed-off-by: Eric Richter --- libstb/secvar/storage/Makefile.inc | 3 + libstb/secvar/storage/fakenv_ops.c | 175 +++++++++++++++++++++++++++++ 2 files changed, 178 insertions(+) create mode 100644 libstb/secvar/storage/fakenv_ops.c diff --git a/libstb/secvar/storage/Makefile.inc b/libstb/secvar/storage/Makefile.inc index 35fba723..99f7b073 100644 --- a/libstb/secvar/storage/Makefile.inc +++ b/libstb/secvar/storage/Makefile.inc @@ -5,8 +5,11 @@ SECVAR_STORAGE_DIR = $(SRC)/libstb/secvar/storage SUBDIRS += $(SECVAR_STORAGE_DIR) +# Swap the comment on these two lines to use the fake TPM NV +# implementation hardware without a TPM SECVAR_STORAGE_SRCS = secboot_tpm.c tpmnv_ops.c #SECVAR_STORAGE_SRCS = secboot_tpm.c fakenv_ops.c + SECVAR_STORAGE_OBJS = $(SECVAR_STORAGE_SRCS:%.c=%.o) SECVAR_STORAGE = $(SECVAR_STORAGE_DIR)/built-in.a diff --git a/libstb/secvar/storage/fakenv_ops.c b/libstb/secvar/storage/fakenv_ops.c new file mode 100644 index 00000000..4e341536 --- /dev/null +++ b/libstb/secvar/storage/fakenv_ops.c @@ -0,0 +1,175 @@ +// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later +/* Copyright 2020 IBM Corp. */ +#include +#include "secboot_tpm.h" + +/* Offset into the SECBOOT PNOR partition to write "TPMNV" data */ +static size_t fakenv_offset = sizeof(struct secboot); + +struct fake_tpmnv { + struct { + struct secboot_header header; + char vars[1024]; // Hardcode the size to 1024 for now + } vars; + struct tpmnv_control control; + int defined[2]; +} __attribute__((packed)); + +static struct fake_tpmnv fakenv = {0}; +static int tpm_ready = 0; + + +static inline void *nv_index_address(int index) +{ + switch (index) { + case SECBOOT_TPMNV_VARS_INDEX: + return &fakenv.vars; + case SECBOOT_TPMNV_CONTROL_INDEX: + return &fakenv.control; + default: + return 0; + } +} + + +static int tpm_init(void) +{ + int rc; + + if (tpm_ready) + return 0; + + rc = platform.secboot_read(&fakenv, fakenv_offset, sizeof(struct fake_tpmnv)); + if (rc) + return rc; + + tpm_ready = 1; + + return 0; +} + +static int fakenv_read(TPMI_RH_NV_INDEX nvIndex, void *buf, + size_t bufsize, uint16_t off) +{ + if (tpm_init()) + return OPAL_INTERNAL_ERROR; + + memcpy(buf, nv_index_address(nvIndex) + off, bufsize); + + return 0; +} + +static int fakenv_write(TPMI_RH_NV_INDEX nvIndex, void *buf, + size_t bufsize, uint16_t off) +{ + if (tpm_init()) + return OPAL_INTERNAL_ERROR; + + memcpy(nv_index_address(nvIndex) + off, buf, bufsize); + + /* Just write the whole NV struct for now */ + return platform.secboot_write(fakenv_offset, &fakenv, sizeof(struct fake_tpmnv)); +} + +static int fakenv_definespace(TPMI_RH_NV_INDEX nvIndex, uint16_t dataSize) +{ + if (tpm_init()) + return OPAL_INTERNAL_ERROR; + + (void) dataSize; + + switch (nvIndex) { + case SECBOOT_TPMNV_VARS_INDEX: + fakenv.defined[0] = 1; + return 0; + case SECBOOT_TPMNV_CONTROL_INDEX: + fakenv.defined[1] = 1; + return 0; + } + + return OPAL_INTERNAL_ERROR; +} + +static int fakenv_writelock(TPMI_RH_NV_INDEX nvIndex) +{ + if (tpm_init()) + return OPAL_INTERNAL_ERROR; + + (void) nvIndex; + + return 0; +} + +static int fakenv_get_defined_indices(TPMI_RH_NV_INDEX **indices, size_t *count) +{ + if (tpm_init()) + return OPAL_INTERNAL_ERROR; + + *indices = zalloc(sizeof(fakenv.defined)); + if (*indices == NULL) + return OPAL_NO_MEM; + + *count = 0; + + if (fakenv.defined[0]) { + *indices[0] = SECBOOT_TPMNV_VARS_INDEX; + (*count)++; + } + if (fakenv.defined[1]) { + *indices[1] = SECBOOT_TPMNV_CONTROL_INDEX; + (*count)++; + } + + return 0; +} + +static int fakenv_undefinespace(TPMI_RH_NV_INDEX index) +{ + if (tpm_init()) + return OPAL_INTERNAL_ERROR; + + switch (index) { + case SECBOOT_TPMNV_VARS_INDEX: + fakenv.defined[0] = 0; + memset(&fakenv.vars, 0, sizeof(fakenv.vars)); + return 0; + case SECBOOT_TPMNV_CONTROL_INDEX: + fakenv.defined[1] = 0; + memset(&fakenv.control, 0, sizeof(fakenv.control)); + return 0; + } + + return -1; +} + +static int fakenv_readpublic(TPMI_RH_NV_INDEX index, TPMS_NV_PUBLIC *nv_public, + TPM2B_NAME *nv_name) +{ + if (tpm_init()) + return OPAL_INTERNAL_ERROR; + + (void) nv_public; + + switch (index) { + case SECBOOT_TPMNV_VARS_INDEX: + memcpy(&nv_name->t.name, tpmnv_vars_name, sizeof(TPM2B_NAME)); + break; + case SECBOOT_TPMNV_CONTROL_INDEX: + memcpy(&nv_name->t.name, tpmnv_control_name, sizeof(TPM2B_NAME)); + break; + default: + return OPAL_INTERNAL_ERROR; + } + + return 0; +} + +struct tpmnv_ops_s tpmnv_ops = { + .read = fakenv_read, + .write = fakenv_write, + .writelock = fakenv_writelock, + .definespace = fakenv_definespace, + .getindices = fakenv_get_defined_indices, + .undefinespace = fakenv_undefinespace, + .readpublic = fakenv_readpublic, +};