
[RFC,v4,14/18] secvar/storage: add utility tool to generate NV public name hashes

Message ID 20200511213152.24952-15-erichte@linux.ibm.com
State Changes Requested
Series Add initial secure variable storage and backend drivers | expand


Commit Message

Eric Richter May 11, 2020, 9:31 p.m. UTC
This patch adds a small userspace utility to locally generate the
expected hash returned by a TSS_NV_ReadPublic command for the NV
indices as defined by the secboot_tpm storage driver. This removes the
need for manually copying in the hash from the ReadPublic output if for some
reason the set of attributes used when defining the NV indices changes in the
future.

As this is an auxiliary tool, it is not built by default and must be
manually built using `make gen_tpmnv_public_name`.

This patch has been marked as RFC as it is a draft implementation that
I'm looking for feedback on whether it is worth keeping in-tree, and if
so, what a more proper integration should look like.

Signed-off-by: Eric Richter <erichte@linux.ibm.com>
---
 libstb/secvar/storage/Makefile.inc            |   3 +
 libstb/secvar/storage/gen_tpmnv_public_name.c | 107 ++++++++++++++++++
 2 files changed, 110 insertions(+)
 create mode 100644 libstb/secvar/storage/gen_tpmnv_public_name.c


diff --git a/libstb/secvar/storage/Makefile.inc b/libstb/secvar/storage/Makefile.inc
index 99f7b073..dc5353ff 100644
--- a/libstb/secvar/storage/Makefile.inc
+++ b/libstb/secvar/storage/Makefile.inc
@@ -14,3 +14,6 @@  SECVAR_STORAGE_OBJS = $(SECVAR_STORAGE_SRCS:%.c=%.o)
 SECVAR_STORAGE = $(SECVAR_STORAGE_DIR)/built-in.a
 
 $(SECVAR_STORAGE): $(SECVAR_STORAGE_OBJS:%=$(SECVAR_STORAGE_DIR)/%)
+
+gen_tpmnv_public_name: $@
+	gcc -o $@ $(SECVAR_STORAGE_DIR)/$@.c -I $(SRC)/libstb/tss2/ibmtpm20tss/utils/ -lmbedcrypto
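Review bot: The prerequisite `$@` on the new `gen_tpmnv_public_name:` rule is empty at prerequisite-expansion time (automatic variables are only set in the recipe unless .SECONDEXPANSION is enabled), so the target has no dependency on its source and a stale binary is never rebuilt when the .c changes. Write the source as an explicit prerequisite, e.g. `gen_tpmnv_public_name: $(SECVAR_STORAGE_DIR)/gen_tpmnv_public_name.c` with the recipe compiling `$<`. The recipe also hardcodes `gcc`; if the tree already carries a host-compiler variable for build-time tools, using it here would keep cross builds consistent.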
diff --git a/libstb/secvar/storage/gen_tpmnv_public_name.c b/libstb/secvar/storage/gen_tpmnv_public_name.c
new file mode 100644
index 00000000..bfeb9743
--- /dev/null
+++ b/libstb/secvar/storage/gen_tpmnv_public_name.c
@@ -0,0 +1,107 @@ 
+#include <mbedtls/sha256.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <ibmtss/TPM_Types.h>
+#include <ibmtss/tssmarshal.h>
+#include <netinet/in.h>
+
+#define TPM_TPM20
+#include "../../tss2/ibmtpm20tss/utils/tssmarshal.c"
+#include "../../tss2/ibmtpm20tss/utils/Unmarshal.c"
+
+#define zalloc(a) calloc(1,a)
+// Silence linking complaints
+int verbose;
+
+#define COPYRIGHT_YEAR "2020"
+
+
+TPMS_NV_PUBLIC vars = {
+	.nvIndex = 0x01c10190,
+	.nameAlg = TPM_ALG_SHA256,
+	.dataSize = 1024,
+	.attributes.val = TPMA_NVA_PPWRITE		|
+			  TPMA_NVA_ORDINARY             |
+			  TPMA_NVA_WRITE_STCLEAR        |
+			  TPMA_NVA_AUTHREAD             |
+			  TPMA_NVA_NO_DA                |
+			  TPMA_NVA_WRITTEN              |
+			  TPMA_NVA_PLATFORMCREATE,
+};
+
+TPMS_NV_PUBLIC control = {
+	.nvIndex = 0x01c10191,
+	.nameAlg = TPM_ALG_SHA256,
+	.dataSize = 73,
+	.attributes.val = TPMA_NVA_PPWRITE		|
+			  TPMA_NVA_ORDINARY             |
+			  TPMA_NVA_WRITE_STCLEAR        |
+			  TPMA_NVA_AUTHREAD             |
+			  TPMA_NVA_NO_DA                |
+			  TPMA_NVA_WRITTEN              |
+			  TPMA_NVA_PLATFORMCREATE,
+};
+
+int calc_hash(TPMS_NV_PUBLIC *public, char *name)
+{
+	uint16_t written = 0;
+	uint32_t size = 4096;
+	unsigned char *buffer = zalloc(size);
+	unsigned char *buffer_tmp = buffer;
+	char output[34];
+	mbedtls_sha256_context cxt;
+	int ret = 0;
+	int i;
+
+	// Output hash includes the hash algorithm in the first two bytes
+	*((uint16_t *) output) = htons(public->nameAlg);
+
+	// Serialize the NV Public struct
+	ret = TSS_TPMS_NV_PUBLIC_Marshalu(public, &written, &buffer_tmp, &size);
+	if (ret) return ret;
+
+	// Hash it
+	mbedtls_sha256_init(&cxt);
+	ret = mbedtls_sha256_starts_ret(&cxt, 0);
+	if (ret) return ret;
+
+	ret = mbedtls_sha256_update_ret(&cxt, buffer, written);
+	if (ret) return ret;
+
+	mbedtls_sha256_finish_ret(&cxt, output+2);
+	mbedtls_sha256_free(&cxt);
+
+	free(buffer);
+
+	// Print it
+	printf("\nconst uint8_t tpmnv_%s_name[] = {", name);
+	for (i = 0; i < sizeof(output); i++) {
+		if (!(i % 13))
+			printf("\n\t");
+		printf("0x%02x, ", output[i] & 0xff);
+	}
+	printf("\n};\n");
+
+	return 0;
+}
+
+
+int main()
+{
+	printf("// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later\n");
+	printf("/* Copyright " COPYRIGHT_YEAR " IBM Corp. */\n");
+
+	printf("#ifndef _SECBOOT_TPM_PUBLIC_NAME_H_\n");
+	printf("#define _SECBOOT_TPM_PUBLIC_NAME_H_\n");
+
+	calc_hash(&vars, "vars");
+	calc_hash(&control, "control");
+
+	printf("\n");
+	printf("#endif\n");
+
+	return 0;
+}
+
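Review bot: calc_hash leaks `buffer` and the sha256 context on every early-return path after the `zalloc` (the three `if (ret) return ret;` lines), never checks `zalloc` for NULL, and discards the return of `mbedtls_sha256_finish_ret`; main then ignores calc_hash's result, so a marshal or hash failure still emits a complete-looking header whose `tpmnv_*_name` bytes are wrong — and that header is what the firmware will later compare a live ReadPublic name against. Restructure the function with a single cleanup path and make main fail loudly: `if (calc_hash(&vars, "vars") || calc_hash(&control, "control")) return 1;`. The `*((uint16_t *) output) = htons(...)` store also writes through an incompatible pointer into a `char` array with no alignment guarantee; a `memcpy` of a `uint16_t` temporary is the portable form. Declaring `output` as `unsigned char` matches the mbedtls output parameter type and removes the `& 0xff` in the print loop.
```c
int calc_hash(TPMS_NV_PUBLIC *public, char *name)
{
	uint16_t written = 0;
	uint32_t size = 4096;
	unsigned char *buffer = zalloc(size);
	unsigned char *buffer_tmp = buffer;
	unsigned char output[34];
	mbedtls_sha256_context cxt;
	uint16_t alg = htons(public->nameAlg);
	int ret;

	if (!buffer)
		return -1;

	// Output hash includes the hash algorithm in the first two bytes
	memcpy(output, &alg, sizeof(alg));

	// Serialize the NV Public struct
	ret = TSS_TPMS_NV_PUBLIC_Marshalu(public, &written, &buffer_tmp, &size);
	if (ret)
		goto out_free;

	// Hash it
	mbedtls_sha256_init(&cxt);
	ret = mbedtls_sha256_starts_ret(&cxt, 0);
	if (ret)
		goto out_sha;
	ret = mbedtls_sha256_update_ret(&cxt, buffer, written);
	if (ret)
		goto out_sha;
	ret = mbedtls_sha256_finish_ret(&cxt, output + 2);
out_sha:
	mbedtls_sha256_free(&cxt);
out_free:
	free(buffer);
	if (ret)
		return ret;

	// … unchanged: print loop …
	return 0;
}
```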