From patchwork Wed Dec 11 20:26:56 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1207894 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47Y7mR4Fpqz9sR8 for ; Thu, 12 Dec 2019 07:28:23 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47Y7mR2gSKzDqc9 for ; Thu, 12 Dec 2019 07:28:23 +1100 (AEDT) X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.158.5; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47Y7ll2fDyzDqPN for ; Thu, 12 Dec 2019 07:27:43 +1100 (AEDT) Received: from pps.filterd (m0098413.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xBBKGf9w041117; Wed, 11 Dec 2019 15:27:41 -0500 Received: from ppma05wdc.us.ibm.com (1b.90.2fa9.ip4.static.sl-reverse.com [169.47.144.27]) by mx0b-001b2d01.pphosted.com with ESMTP id 2wsqc2pd1m-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 15:27:41 -0500 Received: from pps.filterd (ppma05wdc.us.ibm.com [127.0.0.1]) by ppma05wdc.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id xBBKJrls031541; Wed, 11 Dec 2019 20:27:39 GMT Received: from b01cxnp23033.gho.pok.ibm.com (b01cxnp23033.gho.pok.ibm.com [9.57.198.28]) by ppma05wdc.us.ibm.com with ESMTP id 2wtdq7b85b-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 20:27:39 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp23033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xBBKRdft38273310 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Dec 2019 20:27:39 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 45A2DB2067; Wed, 11 Dec 2019 20:27:39 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 252E0B2065; Wed, 11 Dec 2019 20:27:39 +0000 (GMT) Received: from newfield.pok.ibm.com (unknown [9.47.158.66]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 11 Dec 2019 20:27:39 +0000 (GMT) From: Stefan Berger To: slof@lists.ozlabs.org Date: Wed, 11 Dec 2019 15:26:56 -0500 Message-Id: <20191211202728.127996-2-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> References: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-11_06:2019-12-11, 2019-12-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 bulkscore=0 adultscore=0 malwarescore=0 suspectscore=0 clxscore=1015 mlxscore=0 phishscore=0 priorityscore=1501 mlxlogscore=999 spamscore=0 lowpriorityscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912110168 Subject: [SLOF] [PATCH v4 01/33] tpm: Add a TPM driver implementation X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kevin@koconnor.net MIME-Version: 1.0 Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" This patch adds a TPM driver for the CRQ interface as used by the QEMU PAPR implementation. Also add a Readme that explains the benefits and installation procedure for the vTPM. Signed-off-by: Stefan Berger --- include/helpers.h | 1 + lib/libtpm/Makefile | 50 ++++ lib/libtpm/Readme | 95 ++++++++ lib/libtpm/tpm_drivers.c | 478 +++++++++++++++++++++++++++++++++++++++ lib/libtpm/tpm_drivers.h | 81 +++++++ slof/helpers.c | 6 + 6 files changed, 711 insertions(+) create mode 100644 lib/libtpm/Makefile create mode 100644 lib/libtpm/Readme create mode 100644 lib/libtpm/tpm_drivers.c create mode 100644 lib/libtpm/tpm_drivers.h diff --git a/include/helpers.h b/include/helpers.h index 5834bce..aaef977 100644 --- a/include/helpers.h +++ b/include/helpers.h @@ -42,6 +42,7 @@ extern void SLOF_encode_bootp_response(void *addr, size_t size); extern void SLOF_encode_dhcp_response(void *addr, size_t size); extern int SLOF_get_property(const char *node, const char *propname, char **addr, int *len); +extern unsigned long SLOF_get_vtpm_unit(void); #define offset_of(type, member) ((long) &((type *)0)->member) #define container_of(ptr, type, member) ({ \ diff --git a/lib/libtpm/Makefile b/lib/libtpm/Makefile new file mode 100644 index 0000000..ff19e1c --- /dev/null +++ b/lib/libtpm/Makefile @@ -0,0 +1,50 @@ +# ***************************************************************************** +# * Copyright (c) 2015 IBM Corporation +# * All rights reserved. +# * This program and the accompanying materials +# * are made available under the terms of the BSD License +# * which accompanies this distribution, and is available at +# * http://www.opensource.org/licenses/bsd-license.php +# * +# * Contributors: +# * IBM Corporation - initial implementation +# ****************************************************************************/ + +TOPCMNDIR ?= ../.. + +CPPFLAGS = -I../libc/include $(CPUARCHDEF) -I$(INCLBRDDIR) \ + -I$(INCLCMNDIR) -I$(INCLCMNDIR)/$(CPUARCH) -I$(SLOFCMNDIR) +CPPFLAGS += -I../libhvcall + +LDFLAGS = -nostdlib + +TARGET = ../libtpm.a + + +all: $(TARGET) + +SRCS = tpm_drivers.c + +OBJS = $(SRCS:%.c=%.o) + +$(TARGET): $(OBJS) + $(AR) -rc $@ $(OBJS) + $(RANLIB) $@ + +clean: + $(RM) $(TARGET) $(OBJS) + +distclean: clean + $(RM) Makefile.dep + + +# Rules for creating the dependency file: +depend: + $(RM) Makefile.dep + $(MAKE) Makefile.dep + +Makefile.dep: Makefile + $(CC) -M $(CPPFLAGS) $(CFLAGS) $(SRCS) $(SRCSS) > Makefile.dep + +# Include dependency file if available: +-include Makefile.dep diff --git a/lib/libtpm/Readme b/lib/libtpm/Readme new file mode 100644 index 0000000..c59de10 --- /dev/null +++ b/lib/libtpm/Readme @@ -0,0 +1,95 @@ +This directory hosts (v)TPM related code. + +Background: +----------- + +A TPM is a crypto chip that is found in many systems. Besides it offering +a secure key store, among other functionality, it is also used to implement +'trusted boot'. This is realized by code in the firmware measuring parts of the +firmware's code and data as well as system data, such as the boot block, and +logging these measurements and storing (extending) them in the TPM's platform +configuration register (PCR). + +The benefits of having a TPM (or vTPM) in a system are: + +- enablement of trusted boot; this allow us to eventually extend the chain of + trust from the hypervisor to the guests +- enablement of attestation so that one can verify what software is running on + a machine (OpenPTS, OpenAttestation) +- provides TPM functionality to VMs, which includes a standardized mechanism + to store keys and other blobs (Linux trusted keys, GNU TLS's TPM extensions) + + +QEMU/KVM + SLOF support: +------------------------ + +To enable a vTPM with QEMU, the following steps need to be followed + +- build a recent version of libtpms + + #> git clone https://github.com/stefanberger/libtpms + #> cd libtpms + #> ./autogen.sh --prefix=/usr --with-tpm2 --with-openssl + + The following step may require to install dependencies + + #> make + #> make check + #> make install + +- build swtpm + + #> git clone https://github.com/stefanberger/swtpm + #> cd swtpm + #> ./autogen.sh --prefix=/usr --with-openssl + + The following step may require to install dependencies + + #> ./configure --prefix=/usr --with-openssl + #> make + #> make check + #> make install + +- build QEMU with vTPM support: + + #> git clone https://github.com/stefanberger/qemu-tpm + #> cd qemu-tpm + + The PPC64 patches are currently in the tpm-next+spapr.v3 branch + #> git checkout origin/tpm-next+spapr.v3 -b tpm-next+spapr.v3 + + The following step may require to install dependencies + + #> ./configure --prefix=/usr --enable-kvm --target-list="ppc64-softmmu" + #> make + #> make install + +To start a QEMU VM with an attached vTPM (swtpm), run the following commands +as 'root'. The following will setup the vTPM so that its state will be stored +in /tmp/mytpm1. A unique directory for each VM instance with attached vTPM +should be provided. Whenever QEMU is started, the swtpm has to be started +before it. The './boot_rom.bin' represents SLOF with vTPM extensions built-in. + + #> mkdir -p /tmp/mytpm1 + #> swtpm socket --tpmstate dir=/tmp \ + --ctrl type=unixio,path=/tmp/mytpm1/ctrl.sock + + In another terminal: + + #> qemu-system-ppc64 \ + -enable-kvm \ + -boot menu=on \ + --chardev socket,id=chrtpm,path=/tmp/mytpm1/ctrl.sock \ + -tpmdev emulator,id=tpm0,chardev=chrtpm \ + -device tpm-spapr,tpmdev=tpm0 \ + -vnc 0.0.0.0:2 \ + [...] + + Add hard disk and other parameters as needed. + +Notes: + - The Linux kernel in the VM must have the tpm_ibmvtpm module available + or built-in. + + - 'swtpm_ioctl --unix /tmp/ctrl.sock -s' can be used to gracefully shut + down the vTPM. diff --git a/lib/libtpm/tpm_drivers.c b/lib/libtpm/tpm_drivers.c new file mode 100644 index 0000000..19e988d --- /dev/null +++ b/lib/libtpm/tpm_drivers.c @@ -0,0 +1,478 @@ +/***************************************************************************** + * Copyright (c) 2015 IBM Corporation + * All rights reserved. + * This program and the accompanying materials + * are made available under the terms of the BSD License + * which accompanies this distribution, and is available at + * http://www.opensource.org/licenses/bsd-license.php + * + * Contributors: + * IBM Corporation - initial implementation + *****************************************************************************/ + +#include +#include +#include + +#include "string.h" +#include "helpers.h" +#include "byteorder.h" +#include "tpm_drivers.h" +#include "libhvcall.h" +#include "paflof.h" + +#undef PAPR_VTPM_DEBUG +//#define PAPR_VTPM_DEBUG +#ifdef PAPR_VTPM_DEBUG +#define dprintf(_x ...) do { printf("VTPM CRQ: " _x); } while(0) +#else +#define dprintf(_x ...) +#endif + +#define MIN(a, b) ((a) > (b) ? (b) : (a)) + +/* layout of the command request queue for vTPM */ +struct crq { + uint8_t valid; + uint8_t msg; + uint16_t len; + uint32_t data; + uint64_t reserved; +} __attribute__((packed)); + +#define PAPR_VTPM_INIT_CRQ_COMMAND 0xC0 +#define PAPR_VTPM_VALID_COMMAND 0x80 +#define PAPR_VTPM_MSG_RESULT 0x80 + +/* crq.msg request types when crq.valid = PAPR_VTPM_INIT_CRQ_COMMAND */ +#define PAPR_VTPM_INIT_CRQ_RESULT 0x1 + +/* crq.msg request types when crq.valid = PAPR_VTPM_VALID_COMMAND */ +#define PAPR_VTPM_GET_VERSION 0x1 +#define PAPR_VTPM_TPM_COMMAND 0x2 +#define PAPR_VTPM_GET_RTCE_BUFFER_SIZE 0x3 + +static const uint32_t tpm_default_durations[TPM_NUM_DURATIONS] = { + TPM_DEFAULT_DURATION_SHORT, + TPM_DEFAULT_DURATION_MEDIUM, + TPM_DEFAULT_DURATION_LONG, +}; + +#define QUEUE_SIZE 4096 + +/* state of the PAPR CRQ VTPM driver */ +static struct spapr_vtpm_driver_state { + /* whether it driver been initialized */ + bool initialized; + + /* durations of short, medium, & long commands */ + uint32_t durations[TPM_NUM_DURATIONS]; + + /* unit number */ + unsigned long unit; + + /* CRQ queue address and size */ + unsigned char *qaddr; + unsigned long qsize; + + /* current q_entry */ + unsigned int curr_q_entry; + + /* current response CRQ */ + struct crq *response; + + /* power firmware defined state and error code */ + vtpm_drv_state driver_state; + vtpm_drv_error driver_error; + + /* size of buffer supported by hypervisor */ + unsigned int buffer_size; + + /* buffer for commands and responses */ + char *buffer; + + /* version of the TPM we talk to -- from CRQ message */ + uint32_t tpm_version; +} spapr_vtpm = { + .qsize = QUEUE_SIZE, + .driver_state = VTPM_DRV_STATE_INVALID, + .driver_error = VTPM_DRV_ERROR_NO_FAILURE, +}; + +static void vtpm_drv_state_set(vtpm_drv_state s, vtpm_drv_error e) +{ + spapr_vtpm.driver_state = s; + spapr_vtpm.driver_error = e; +} + +static vtpm_drv_state vtpm_drv_state_get(void) +{ + return spapr_vtpm.driver_state; +} + +static vtpm_drv_error vtpm_drv_error_get(void) +{ + return spapr_vtpm.driver_error; +} + +void spapr_vtpm_set_durations(const uint32_t durations[TPM_NUM_DURATIONS]) +{ + memcpy(spapr_vtpm.durations, durations, + TPM_NUM_DURATIONS * sizeof(durations[0])); +} + +static struct crq* get_crq(void *qaddr, unsigned long q_entry) +{ + return &((struct crq *)qaddr)[q_entry]; +} + +/* + * Get the crq where the response will be found. This + * function will clear the CRQ's valid field and advance + * the entry counter to the next entry. + */ +static struct crq *get_response_crq(void) +{ + struct crq *crq; + + dprintf("curr_q_entry = %d\n", spapr_vtpm.curr_q_entry); + + crq = get_crq(spapr_vtpm.qaddr, spapr_vtpm.curr_q_entry); + memset(crq, 0, sizeof(*crq)); + + spapr_vtpm.curr_q_entry += 1; + if (spapr_vtpm.curr_q_entry == (spapr_vtpm.qsize / sizeof(struct crq))) + spapr_vtpm.curr_q_entry = 0; + + return crq; +} + +/* + * Send a message via CRQ and wait for the response + */ +static bool spapr_send_crq_and_wait(unsigned long unit, + struct crq *crq, + struct crq **response, + unsigned timeout, + vtpm_drv_state state1, + vtpm_drv_state state2) +{ + long rc; + unsigned i; + + *response = get_response_crq(); + + vtpm_drv_state_set(state1, VTPM_DRV_ERROR_NO_FAILURE); + + rc = hv_send_crq(unit, (uint64_t *)crq); + if (rc != H_SUCCESS) { + vtpm_drv_state_set(VTPM_DRV_STATE_WAIT_INIT, + VTPM_DRV_ERROR_TPM_CRQ_ERROR); + return false; + } + + vtpm_drv_state_set(state2, VTPM_DRV_ERROR_NO_FAILURE); + + for (i = 0; i < timeout; i += 1000) { + if (((*response)->valid & PAPR_VTPM_MSG_RESULT)) + return true; + SLOF_usleep(1000); + } + + vtpm_drv_state_set(VTPM_DRV_STATE_FAILURE, + VTPM_DRV_ERROR_WAIT_TIMEOUT); + + dprintf("Received no response from CRQ\n"); + return false; +} + +/* + * Get parameters from the CRQ + */ +static bool spapr_vtpm_get_params(void) +{ + struct crq crq, *response; + static bool completed = false; /* only once */ + + if (completed) + return true; + + /* get the TPM version */ + crq.valid = PAPR_VTPM_VALID_COMMAND; + crq.msg = PAPR_VTPM_GET_VERSION; + + if (!spapr_send_crq_and_wait(spapr_vtpm.unit, &crq, &response, 10, + VTPM_DRV_STATE_SEND_GET_VERSION, + VTPM_DRV_STATE_WAIT_VERSION)) { + printf("%s: Failure getting TPM version from CRQ\n", __func__); + return false; + } + + vtpm_drv_state_set(VTPM_DRV_STATE_CHECK_VERSION, + VTPM_DRV_ERROR_NO_FAILURE); + + spapr_vtpm.tpm_version = be32_to_cpu(response->data); + dprintf("TPM backend version: %d\n", spapr_vtpm.tpm_version); + + /* get the TPM's buffer size */ + crq.valid = PAPR_VTPM_VALID_COMMAND; + crq.msg = PAPR_VTPM_GET_RTCE_BUFFER_SIZE; + + if (!spapr_send_crq_and_wait(spapr_vtpm.unit, &crq, &response, 10, + VTPM_DRV_STATE_SEND_BUFSIZE_REQ, + VTPM_DRV_STATE_WAIT_BUFSIZE)) { + printf("%s: Failure getting RTCE buffer size from CRQ\n", + __func__); + return false; + } + + vtpm_drv_state_set(VTPM_DRV_STATE_ALLOC_RTCE_BUF, + VTPM_DRV_ERROR_NO_FAILURE); + + dprintf("RTCE buffer size: %u\n", be16_to_cpu(response->len)); + spapr_vtpm.buffer_size = be16_to_cpu(response->len); + if (spapr_vtpm.buffer_size < 1024) { + printf("%s: RTCE buffer size of %u bytes is too small. " + "Minimum is 1024 bytes.\n", __func__, + spapr_vtpm.buffer_size); + vtpm_drv_state_set(VTPM_DRV_STATE_FAILURE, + VTPM_DRV_ERROR_BAD_RTCE_SIZE); + return false; + } + spapr_vtpm.buffer = SLOF_alloc_mem(spapr_vtpm.buffer_size); + if (!spapr_vtpm.buffer) { + printf("%s: Could not allocate buffer of size %u.\n", + __func__, spapr_vtpm.buffer_size); + vtpm_drv_state_set(VTPM_DRV_STATE_FAILURE, + VTPM_DRV_ERROR_BAD_RTCE_SIZE); + return false; + } + + completed = true; + + return true; +} + +static bool spapr_vtpm_activate(void) +{ + long rc; + struct crq crq, *response; + + if (vtpm_drv_error_get() != VTPM_DRV_ERROR_NO_FAILURE) { + printf("%s: CRQ: In failure mode\n", __func__); + return false; + } + + vtpm_drv_state_set(VTPM_DRV_STATE_REG_CRQ, + VTPM_DRV_ERROR_NO_FAILURE); + + rc = hv_reg_crq(spapr_vtpm.unit, (unsigned long)spapr_vtpm.qaddr, + spapr_vtpm.qsize); + if (rc != H_SUCCESS) { + vtpm_drv_state_set(VTPM_DRV_STATE_WAIT_INIT, + VTPM_DRV_ERROR_UNEXPECTED_REG_ERROR); + printf("%s: CRQ registration failed\n", __func__); + return false; + } + + /* we always start with curr_q_entry 0 */ + spapr_vtpm.curr_q_entry = 0; + + if (!spapr_vtpm.initialized) { + + crq.valid = PAPR_VTPM_INIT_CRQ_COMMAND; + crq.msg = PAPR_VTPM_INIT_CRQ_RESULT; + + if (!spapr_send_crq_and_wait(spapr_vtpm.unit, + &crq, + &response, + 10, + VTPM_DRV_STATE_SEND_INIT, + VTPM_DRV_STATE_WAIT_INIT_COMP)) { + printf("%s: Initializing CRQ failed\n", __func__); + goto err_exit; + } + dprintf("Successfully initialized CRQ\n"); + + spapr_vtpm.initialized = true; + } + + if (spapr_vtpm_get_params()) + return true; + +err_exit: + hv_free_crq(spapr_vtpm.unit); + spapr_vtpm.unit = 0; + + return false; +} + +static bool spapr_vtpm_init(void) +{ + spapr_vtpm_set_durations(tpm_default_durations); + + return true; +} + +void spapr_vtpm_finalize(void) +{ + if (spapr_vtpm.unit) + hv_free_crq(spapr_vtpm.unit); +} + +/* + * Check whether we have a CRQ underneath us; if we do, the CRQ will + * be left open. + */ +static bool spapr_vtpm_probe(void) +{ + spapr_vtpm_init(); + + if (!spapr_vtpm.qaddr) { + spapr_vtpm.qaddr = SLOF_alloc_mem(spapr_vtpm.qsize); + if (!spapr_vtpm.qaddr) { + printf("%s: Unable to allocate memory\n", __func__); + return false; + } + memset(spapr_vtpm.qaddr, 0, spapr_vtpm.qsize); + + dprintf("getting FORTH vtpm-unit\n"); + spapr_vtpm.unit = SLOF_get_vtpm_unit(); + if (!spapr_vtpm.unit) { + printf("%s: Could not get valid vtpm-unit\n", __func__); + return false; + } + } + + dprintf("vtpm_unit = %lx, buffer = %p\n", + spapr_vtpm.unit, spapr_vtpm.qaddr); + + if (!spapr_vtpm_activate()) + return false; + + return true; +} + +static bool spapr_vtpm_senddata(const uint8_t *const data, uint32_t len) +{ + struct crq crq; + long rc; + + if (vtpm_drv_error_get() != VTPM_DRV_ERROR_NO_FAILURE) { + printf("%s: VTPM CRQ: In failure mode\n", __func__); + return false; + } + + if (len > spapr_vtpm.buffer_size) { + printf("%s: VTPM CRQ: Send buffer too large: %u > %u\n", + __func__, len, spapr_vtpm.buffer_size); + return false; + } + + spapr_vtpm.response = get_response_crq(); + spapr_vtpm.response->data = (uint64_t)spapr_vtpm.buffer; + /* response CRQ has been set and valid field cleared */ + + crq.valid = PAPR_VTPM_VALID_COMMAND; + crq.msg = PAPR_VTPM_TPM_COMMAND; + crq.len = cpu_to_be16(len); + crq.data = (uint64_t)spapr_vtpm.buffer; + memcpy(spapr_vtpm.buffer, data, MIN(len, spapr_vtpm.buffer_size)); + + vtpm_drv_state_set(VTPM_DRV_STATE_SEND_TPM_CMD, + VTPM_DRV_ERROR_NO_FAILURE); + + rc = hv_send_crq(spapr_vtpm.unit, (uint64_t *)&crq); + + if (rc == H_SUCCESS) { + vtpm_drv_state_set(VTPM_DRV_STATE_WAIT_TPM_RSP, + VTPM_DRV_ERROR_NO_FAILURE); + } else { + vtpm_drv_state_set(VTPM_DRV_STATE_WAIT_INIT, + VTPM_DRV_ERROR_UNEXPECTED_SEND_ERROR); + } + + return (rc == H_SUCCESS); +} + +static bool spapr_vtpm_waitresponseready(enum tpm_duration_type to_t) +{ + uint32_t timeout = spapr_vtpm.durations[to_t]; + int i; + + if (vtpm_drv_error_get() != VTPM_DRV_ERROR_NO_FAILURE) { + printf("%s: VTPM CRQ: In failure mode\n", __func__); + return false; + } + + /* response CRQ has been set */ + + for (i = 0; i < timeout; i += 1000) { + if (spapr_vtpm.response->valid & PAPR_VTPM_MSG_RESULT) { + /* TPM responded: move to Send tpm-cmd state */ + vtpm_drv_state_set(VTPM_DRV_STATE_SEND_TPM_CMD, + VTPM_DRV_ERROR_NO_FAILURE); + dprintf("Received response to TPM command\n"); + return true; + } + SLOF_usleep(1000); + } + + vtpm_drv_state_set(VTPM_DRV_STATE_FAILURE, + VTPM_DRV_ERROR_WAIT_TIMEOUT); + + dprintf("Received NO response to TPM command"); + + return false; +} + +static bool spapr_vtpm_readresponse(uint8_t *buffer, uint32_t *len) +{ + uint32_t length; + + if (vtpm_drv_error_get() != VTPM_DRV_ERROR_NO_FAILURE) { + printf("%s: VTPM CRQ: In failure mode\n", __func__); + return false; + } + + /* response CRQ has been set */ + length = MIN(*len, be32_to_cpu(spapr_vtpm.response->len)); + + memcpy(buffer, (void *)(uint64_t)spapr_vtpm.response->data, length); + + dprintf("Length of copied response: %d\n", length); + + spapr_vtpm.response = NULL; + *len = length; + + return true; +} + +uint32_t spapr_vtpm_get_buffersize(void) +{ + return spapr_vtpm.buffer_size; +} + +vtpm_drv_state spapr_vtpm_get_state(void) +{ + return vtpm_drv_state_get(); +} + +vtpm_drv_error spapr_vtpm_get_error(void) +{ + return vtpm_drv_error_get(); +} + +/**** higher layer interface ****/ + +bool spapr_is_vtpm_present(void) +{ + bool rc = false; + + if (spapr_vtpm_probe()) { + spapr_vtpm_init(); + rc = true; + } + + return rc; +} diff --git a/lib/libtpm/tpm_drivers.h b/lib/libtpm/tpm_drivers.h new file mode 100644 index 0000000..5d19514 --- /dev/null +++ b/lib/libtpm/tpm_drivers.h @@ -0,0 +1,81 @@ +/***************************************************************************** + * Copyright (c) 2015 IBM Corporation + * All rights reserved. + * This program and the accompanying materials + * are made available under the terms of the BSD License + * which accompanies this distribution, and is available at + * http://www.opensource.org/licenses/bsd-license.php + * + * Contributors: + * IBM Corporation - initial implementation + *****************************************************************************/ + +#ifndef TPM_DRIVERS_H +#define TPM_DRIVERS_H + +#include +#include +#include + +enum tpm_duration_type { + TPM_DURATION_TYPE_SHORT = 0, + TPM_DURATION_TYPE_MEDIUM, + TPM_DURATION_TYPE_LONG, +}; + +#define TPM_NUM_DURATIONS 3 + +/* durations in microseconds per TPM spec. */ +#define TPM_DEFAULT_DURATION_SHORT 2000000 /* us */ +#define TPM_DEFAULT_DURATION_MEDIUM 20000000 /* us */ +#define TPM_DEFAULT_DURATION_LONG 60000000 /* us */ + +/* firmware driver states */ +typedef enum { + VTPM_DRV_STATE_INVALID = 0, + VTPM_DRV_STATE_INIT_CALLED = 1, + VTPM_DRV_STATE_REG_CRQ = 2, + VTPM_DRV_STATE_WAIT_INIT = 3, + VTPM_DRV_STATE_SEND_INIT = 4, + VTPM_DRV_STATE_FAILURE = 5, + VTPM_DRV_STATE_WAIT_INIT_COMP = 6, + VTPM_DRV_STATE_SEND_INIT_COMP = 7, + VTPM_DRV_STATE_SEND_GET_VERSION = 8, + VTPM_DRV_STATE_WAIT_VERSION = 9, + VTPM_DRV_STATE_CHECK_VERSION = 10, + VTPM_DRV_STATE_SEND_BUFSIZE_REQ = 11, + VTPM_DRV_STATE_WAIT_BUFSIZE = 12, + VTPM_DRV_STATE_ALLOC_RTCE_BUF = 13, + VTPM_DRV_STATE_SEND_TPM_CMD = 14, + VTPM_DRV_STATE_WAIT_TPM_RSP = 15, +} vtpm_drv_state; + +/* firmware driver errors */ +typedef enum { + VTPM_DRV_ERROR_NO_FAILURE = -1, + VTPM_DRV_ERROR_NOT_FOUND_TIMEOUT = 0, + VTPM_DRV_ERROR_UNEXPECTED_REG_ERROR = 1, + VTPM_DRV_ERROR_PARTNER_FAILED = 2, + VTPM_DRV_ERROR_UNEXPECTED_TSP_ERROR = 3, + VTPM_DRV_ERROR_TPM_PROTOCOL_ERROR = 4, + VTPM_DRV_ERROR_WAIT_TIMEOUT = 5, + VTPM_DRV_ERROR_UNEXPECTED_SEND_ERROR = 6, + VTPM_DRV_ERROR_CRQ_OPEN_FAIL = 7, + VTPM_DRV_ERROR_BAD_STATE = 8, + VTPM_DRV_ERROR_TPM_FAIL = 9, + VTPM_DRV_ERROR_TPM_CRQ_ERROR = 10, + VTPM_DRV_ERROR_BAD_VERSION = 11, + VTPM_DRV_ERROR_BAD_RTCE_SIZE = 12, + VTPM_DRV_ERROR_SML_FAILURE = 13, + VTPM_DRV_ERROR_SML_HANDED_OVER = 14, +} vtpm_drv_error; + +/* exported functions */ +bool spapr_is_vtpm_present(void); +void spapr_vtpm_finalize(void); +void spapr_vtpm_set_durations(const uint32_t durations[TPM_NUM_DURATIONS]); +uint32_t spapr_vtpm_get_buffersize(void); +vtpm_drv_state spapr_vtpm_get_state(void); +vtpm_drv_error spapr_vtpm_get_error(void); + +#endif /* TPM_DRIVERS_H */ diff --git a/slof/helpers.c b/slof/helpers.c index dfb0c13..a287c6b 100644 --- a/slof/helpers.c +++ b/slof/helpers.c @@ -224,3 +224,9 @@ int SLOF_get_property(const char *node, const char *propname, *addr = (char *)forth_pop(); return 0; } + +unsigned long SLOF_get_vtpm_unit(void) +{ + forth_eval("vtpm-unit"); + return forth_pop(); +} From patchwork Wed Dec 11 20:26:57 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1207895 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47Y7mZ21cqz9sR7 for ; Thu, 12 Dec 2019 07:28:30 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47Y7mZ0fN7zDqhn for ; Thu, 12 Dec 2019 07:28:30 +1100 (AEDT) X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47Y7ll37wDzDqQY for ; Thu, 12 Dec 2019 07:27:44 +1100 (AEDT) Received: from pps.filterd (m0098396.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xBBKGgML020465; Wed, 11 Dec 2019 15:27:41 -0500 Received: from ppma03wdc.us.ibm.com (ba.79.3fa9.ip4.static.sl-reverse.com [169.63.121.186]) by mx0a-001b2d01.pphosted.com with ESMTP id 2wtfbxur3m-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 15:27:41 -0500 Received: from pps.filterd (ppma03wdc.us.ibm.com [127.0.0.1]) by ppma03wdc.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id xBBKIKdL016878; Wed, 11 Dec 2019 20:27:39 GMT Received: from b01cxnp23033.gho.pok.ibm.com (b01cxnp23033.gho.pok.ibm.com [9.57.198.28]) by ppma03wdc.us.ibm.com with ESMTP id 2wr3q6r3x1-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 20:27:39 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp23033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xBBKRdUB45220186 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Dec 2019 20:27:39 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 6AC25B205F; Wed, 11 Dec 2019 20:27:39 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 49CE3B206A; Wed, 11 Dec 2019 20:27:39 +0000 (GMT) Received: from newfield.pok.ibm.com (unknown [9.47.158.66]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 11 Dec 2019 20:27:39 +0000 (GMT) From: Stefan Berger To: slof@lists.ozlabs.org Date: Wed, 11 Dec 2019 15:26:57 -0500 Message-Id: <20191211202728.127996-3-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> References: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-11_06:2019-12-11, 2019-12-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=15 spamscore=0 mlxlogscore=999 malwarescore=0 phishscore=0 priorityscore=1501 bulkscore=0 adultscore=0 mlxscore=0 lowpriorityscore=0 clxscore=1015 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912110168 Subject: [SLOF] [PATCH v4 02/33] tpm: Add TPM initialization support X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kevin@koconnor.net MIME-Version: 1.0 Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" This patch implements the main part of the firmware extensions. It provides the following functionality: - initialization of the TPM by sending a sequence of commands to it - proper setup of the TPM before the firmware hands over control to the bootloader Structures that are needed in subsequent patches are also included in the private header file tcgbios_int.h at this point. Signed-off-by: Stefan Berger --- board-qemu/Makefile | 2 +- board-qemu/slof/Makefile | 13 +- board-qemu/slof/tree.fs | 3 + board-qemu/slof/vio-vtpm-cdriver.fs | 72 ++++++++ board-qemu/slof/vtpm-sml.fs | 62 +++++++ lib/Makefile | 2 +- lib/libtpm/Makefile | 2 +- lib/libtpm/tcgbios.c | 271 ++++++++++++++++++++++++++++ lib/libtpm/tcgbios.h | 22 +++ lib/libtpm/tcgbios_int.h | 153 ++++++++++++++++ lib/libtpm/tpm.code | 46 +++++ lib/libtpm/tpm.in | 18 ++ lib/libtpm/tpm_drivers.c | 13 ++ lib/libtpm/tpm_drivers.h | 5 + slof/fs/start-up.fs | 7 + 15 files changed, 685 insertions(+), 6 deletions(-) create mode 100644 board-qemu/slof/vio-vtpm-cdriver.fs create mode 100644 board-qemu/slof/vtpm-sml.fs create mode 100644 lib/libtpm/tcgbios.c create mode 100644 lib/libtpm/tcgbios.h create mode 100644 lib/libtpm/tcgbios_int.h create mode 100644 lib/libtpm/tpm.code create mode 100644 lib/libtpm/tpm.in diff --git a/board-qemu/Makefile b/board-qemu/Makefile index 61a1367..f419202 100644 --- a/board-qemu/Makefile +++ b/board-qemu/Makefile @@ -15,7 +15,7 @@ BOARD_TARGETS = tools_build romfs_build stage1 subdirs SUBDIRS = slof COMMON_LIBS = libc libbootmsg libbases libnvram libelf libhvcall libvirtio \ - libusb libveth libe1k libnet libbootmenu + libusb libveth libe1k libnet libbootmenu libtpm all: $(BOARD_TARGETS) $(MAKE) boot_rom.bin diff --git a/board-qemu/slof/Makefile b/board-qemu/slof/Makefile index d7ed2d7..a8cff6d 100644 --- a/board-qemu/slof/Makefile +++ b/board-qemu/slof/Makefile @@ -22,7 +22,8 @@ CPPFLAGS = -I$(LIBCMNDIR)/libbootmsg -I$(LIBCMNDIR)/libhvcall \ -I$(LIBCMNDIR)/libvirtio -I$(LIBCMNDIR)/libnvram \ -I$(LIBCMNDIR)/libusb -I$(LIBCMNDIR)/libveth \ -I$(LIBCMNDIR)/libe1k -I$(LIBCMNDIR)/libnet \ - -I$(LIBCMNDIR)/libbootmenu + -I$(LIBCMNDIR)/libbootmenu -I$(LIBCMNDIR)/libtpm + SLOF_LIBS = \ $(LIBCMNDIR)/libbootmsg.a \ $(LIBCMNDIR)/libelf.a \ @@ -33,7 +34,9 @@ SLOF_LIBS = \ $(LIBCMNDIR)/libveth.a \ $(LIBCMNDIR)/libe1k.a \ $(LIBCMNDIR)/libnet.a \ - $(LIBCMNDIR)/libbootmenu.a + $(LIBCMNDIR)/libbootmenu.a \ + $(LIBCMNDIR)/libtpm.a + BOARD_SLOF_IN = \ $(LIBCMNDIR)/libhvcall/hvcall.in \ $(LIBCMNDIR)/libvirtio/virtio.in \ @@ -45,7 +48,9 @@ BOARD_SLOF_IN = \ $(LIBCMNDIR)/libveth/veth.in \ $(LIBCMNDIR)/libe1k/e1k.in \ $(LIBCMNDIR)/libnet/libnet.in \ - $(LIBCMNDIR)/libbootmenu/bootmenu.in + $(LIBCMNDIR)/libbootmenu/bootmenu.in \ + $(LIBCMNDIR)/libtpm/tpm.in + BOARD_SLOF_CODE = $(BOARD_SLOF_IN:%.in=%.code) include $(SLOFCMNDIR)/Makefile.inc @@ -83,6 +88,7 @@ VIO_FFS_FILES = \ $(SLOFBRDDIR)/pci-device_1af4_1050.fs \ $(SLOFBRDDIR)/vio-hvterm.fs \ $(SLOFBRDDIR)/vio-vscsi.fs \ + $(SLOFBRDDIR)/vio-vtpm-cdriver.fs \ $(SLOFBRDDIR)/vio-veth.fs \ $(SLOFBRDDIR)/rtas-nvram.fs \ $(SLOFBRDDIR)/virtio-net.fs \ @@ -114,6 +120,7 @@ OF_FFS_FILES = \ $(SLOFBRDDIR)/default-font.bin \ $(SLOFBRDDIR)/pci-phb.fs \ $(SLOFBRDDIR)/rtas.fs \ + $(SLOFBRDDIR)/vtpm-sml.fs \ $(SLOFBRDDIR)/pci-device_1234_1111.fs \ $(SLOFBRDDIR)/pci-device_1013_00b8.fs \ $(SLOFBRDDIR)/pci-device_8086_100e.fs \ diff --git a/board-qemu/slof/tree.fs b/board-qemu/slof/tree.fs index d95fde3..39dc6f6 100644 --- a/board-qemu/slof/tree.fs +++ b/board-qemu/slof/tree.fs @@ -87,6 +87,9 @@ include fbuffer.fs 2dup " qemu,spapr-nvram" strequal IF " rtas-nvram.fs" included THEN + 2dup " IBM,vtpm" strequal IF + " vio-vtpm-cdriver.fs" included + THEN 2drop THEN peer diff --git a/board-qemu/slof/vio-vtpm-cdriver.fs b/board-qemu/slof/vio-vtpm-cdriver.fs new file mode 100644 index 0000000..f873456 --- /dev/null +++ b/board-qemu/slof/vio-vtpm-cdriver.fs @@ -0,0 +1,72 @@ +\ ***************************************************************************** +\ * Copyright (c) 2015 IBM Corporation +\ * All rights reserved. +\ * This program and the accompanying materials +\ * are made available under the terms of the BSD License +\ * which accompanies this distribution, and is available at +\ * http://www.opensource.org/licenses/bsd-license.php +\ * +\ * Contributors: +\ * IBM Corporation - initial implementation +\ ****************************************************************************/ + +." Populating " pwd + +false VALUE vtpm-debug? +0 VALUE vtpm-unit + +: setup-alias + " ibm,vtpm" find-alias 0= IF + " ibm,vtpm" get-node node>path set-alias + ELSE + drop + THEN +; + +: vtpm-cleanup ( ) + vtpm-debug? IF ." VTPM: Disabling RTAS bypass" cr THEN + tpm-finalize + vtpm-unit 0 rtas-set-tce-bypass +; + +: vtpm-init ( -- true | false ) + 0 0 get-node open-node ?dup 0= IF EXIT THEN + my-self >r + dup to my-self + + vtpm-debug? IF ." VTPM: Initializing for c-driver" cr THEN + + my-unit to vtpm-unit + + \ Enable TCE bypass special qemu feature + vtpm-unit 1 rtas-set-tce-bypass + + \ Have TCE bypass cleaned up + ['] vtpm-cleanup add-quiesce-xt + + tpm-start dup 0= IF + vtpm-debug? IF ." VTPM: Success from tpm-start" cr THEN + drop + setup-alias + ELSE + ." VTPM: Error code from tpm-start: " . cr + THEN + + close-node + r> to my-self +; + +: open ( ) + vtpm-debug? IF ." VTPM: vTPM open()" cr THEN + true +; + +: close ( ) + vtpm-debug? IF ." VTPM: vTPM close()" cr THEN +; + +\ setup alias and the RTAS bypass +vtpm-init + +\ setup the log +include vtpm-sml.fs diff --git a/board-qemu/slof/vtpm-sml.fs b/board-qemu/slof/vtpm-sml.fs new file mode 100644 index 0000000..7cd3729 --- /dev/null +++ b/board-qemu/slof/vtpm-sml.fs @@ -0,0 +1,62 @@ +\ ***************************************************************************** +\ * Copyright (c) 2015 IBM Corporation +\ * All rights reserved. +\ * This program and the accompanying materials +\ * are made available under the terms of the BSD License +\ * which accompanies this distribution, and is available at +\ * http://www.opensource.org/licenses/bsd-license.php +\ * +\ * Contributors: +\ * IBM Corporation - initial implementation +\ ****************************************************************************/ + +\ KVM/qemu TPM Stored Measurement Log (SML) entries in /ibm,vtpm + +" /" find-device + +new-device + +false VALUE vtpm-debug? +0 VALUE log-base +40000 CONSTANT LOG-SIZE \ 256k per VTPM FW spec. + +LOG-SIZE BUFFER: log-base + +\ create /ibm,vtpm +s" ibm,vtpm" 2dup device-name device-type + +: sml-get-allocated-size ( -- buffer-size) + vtpm-debug? IF + ." Call to sml-get-allocated-size; size = 0x" LOG-SIZE . cr + THEN + LOG-SIZE +; + +: sml-handover ( dest size -- ) + vtpm-debug? IF + 2dup + ." Call to sml-handover; size = 0x" . ." dest = " . cr + THEN + log-base ( dest size src ) + -rot ( src dest size ) + move +; + +\ +\ internal API calls +\ + +: unassert-physical-presence ( -- ) + tpm-unassert-physical-presence ( errcode ) + dup 0<> IF + ." VTPM: Error code from tpm-unassert-physical-presence: " . cr + ELSE + drop + THEN +; + +: open true ; +: close ; + +finish-device +device-end diff --git a/lib/Makefile b/lib/Makefile index 1e8bb62..7369894 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -11,7 +11,7 @@ # ****************************************************************************/ SUBDIRS = libc libipmi libbootmsg libbases libnvram libelf libhvcall libvirtio \ - libusb libveth libe1k libbcm libnet libbootmenu + libusb libveth libe1k libbcm libnet libbootmenu libtpm all: subdirs diff --git a/lib/libtpm/Makefile b/lib/libtpm/Makefile index ff19e1c..012fe37 100644 --- a/lib/libtpm/Makefile +++ b/lib/libtpm/Makefile @@ -23,7 +23,7 @@ TARGET = ../libtpm.a all: $(TARGET) -SRCS = tpm_drivers.c +SRCS = tpm_drivers.c tcgbios.c OBJS = $(SRCS:%.c=%.o) diff --git a/lib/libtpm/tcgbios.c b/lib/libtpm/tcgbios.c new file mode 100644 index 0000000..5b12461 --- /dev/null +++ b/lib/libtpm/tcgbios.c @@ -0,0 +1,271 @@ + +/***************************************************************************** + * Copyright (c) 2015 IBM Corporation + * All rights reserved. + * This program and the accompanying materials + * are made available under the terms of the BSD License + * which accompanies this distribution, and is available at + * http://www.opensource.org/licenses/bsd-license.php + * + * Contributors: + * IBM Corporation - initial implementation + *****************************************************************************/ + +/* + * Implementation of the TPM BIOS extension according to the specification + * described in the IBM VTPM Firmware document and the TCG Specification + * that can be found here under the following link: + * http://www.trustedcomputinggroup.org/resources/pc_client_work_group_specific_implementation_specification_for_conventional_bios + */ + +#include "types.h" +#include "byteorder.h" +#include "tpm_drivers.h" +#include "string.h" +#include "tcgbios.h" +#include "tcgbios_int.h" +#include "stdio.h" + +#undef TCGBIOS_DEBUG +//#define TCGBIOS_DEBUG +#ifdef TCGBIOS_DEBUG +#define dprintf(_x ...) do { printf("TCGBIOS: " _x); } while(0) +#else +#define dprintf(_x ...) +#endif + +struct tpm_state { + unsigned tpm_probed:1; + unsigned tpm_found:1; + unsigned tpm_working:1; + unsigned has_physical_presence:1; +}; + +static struct tpm_state tpm_state; + +/******************************************************** + Extensions for TCG-enabled BIOS + *******************************************************/ + +static void probe_tpm(void) +{ + tpm_state.tpm_probed = true; + tpm_state.tpm_found = spapr_is_vtpm_present(); + tpm_state.tpm_working = tpm_state.tpm_found; +} + +/**************************************************************** + * TPM hardware command wrappers + ****************************************************************/ + +/* Helper function for sending TPM commands that take a single + * optional parameter (0, 1, or 2 bytes) and have no special response. + */ +static int +tpm_simple_cmd(uint8_t locty, uint32_t ordinal, int param_size, uint16_t param, + enum tpm_duration_type to_t) +{ + struct { + struct tpm_req_header trqh; + uint16_t param; + } __attribute__((packed)) req = { + .trqh.totlen = cpu_to_be32(sizeof(req.trqh) + param_size), + .trqh.tag = cpu_to_be16(TPM_TAG_RQU_CMD), + .trqh.ordinal = cpu_to_be32(ordinal), + }; + uint8_t obuffer[64]; + struct tpm_rsp_header *trsh = (void *)obuffer; + uint32_t obuffer_len = sizeof(obuffer); + int ret; + + switch (param_size) { + case 2: + req.param = cpu_to_be16(param); + break; + case 1: + *(uint8_t *)&req.param = param; + break; + } + + memset(obuffer, 0, sizeof(obuffer)); + ret = tpmhw_transmit(locty, &req.trqh, obuffer, &obuffer_len, to_t); + ret = ret ? -1 : be32_to_cpu(trsh->errcode); + dprintf("Return from tpm_simple_cmd(%x, %x) = %x\n", + ordinal, param, ret); + + return ret; +} + +static int tpm12_get_capability(uint32_t cap, uint32_t subcap, + struct tpm_rsp_header *rsp, uint32_t rsize) +{ + struct tpm_req_getcap trgc = { + .hdr.tag = cpu_to_be16(TPM_TAG_RQU_CMD), + .hdr.totlen = cpu_to_be32(sizeof(trgc)), + .hdr.ordinal = cpu_to_be32(TPM_ORD_GET_CAPABILITY), + .capArea = cpu_to_be32(cap), + .subCapSize = cpu_to_be32(sizeof(trgc.subCap)), + .subCap = cpu_to_be32(subcap) + }; + uint32_t resp_size = rsize; + int ret = tpmhw_transmit(0, &trgc.hdr, rsp, &resp_size, + TPM_DURATION_TYPE_SHORT); + ret = (ret || resp_size != rsize) ? -1 : be32_to_cpu(rsp->errcode); + dprintf("TCGBIOS: Return code from TPM_GetCapability(%d, %d) = %x\n", + cap, subcap, ret); + return ret; +} + +static int tpm12_read_permanent_flags(char *buf, size_t buf_len) +{ + struct tpm_rsp_getcap_perm_flags pf; + int ret; + + memset(buf, 0, buf_len); + ret = tpm12_get_capability(TPM_CAP_FLAG, TPM_CAP_FLAG_PERMANENT, + &pf.hdr, sizeof(pf)); + if (ret) + return -1; + + memcpy(buf, &pf.perm_flags, buf_len); + + return 0; +} + +static int tpm12_determine_timeouts(void) +{ + struct tpm_rsp_getcap_durations durations; + int i; + int ret = tpm12_get_capability(TPM_CAP_PROPERTY, TPM_CAP_PROP_DURATION, + &durations.hdr, sizeof(durations)); + + if (ret) + return ret; + + for (i = 0; i < TPM_NUM_DURATIONS; i++) + durations.durations[i] = be32_to_cpu(durations.durations[i]); + + dprintf("durations: %u %u %u\n", + durations.durations[0], + durations.durations[1], + durations.durations[2]); + + spapr_vtpm_set_durations(durations.durations); + + return 0; +} + +/**************************************************************** + * Setup and Measurements + ****************************************************************/ + +static bool tpm_is_working(void) +{ + if (!tpm_state.tpm_probed) + probe_tpm(); + + return tpm_state.tpm_working; +} + +static void tpm_set_failure(void) +{ + /* we will try to deactivate the TPM now - ignoring all errors */ + tpm_simple_cmd(0, TPM_ORD_SET_TEMP_DEACTIVATED, + 0, 0, TPM_DURATION_TYPE_SHORT); + + tpm_state.tpm_working = false; +} + +static int tpm12_assert_physical_presence(void) +{ + struct tpm_permanent_flags pf; + int ret = tpm_simple_cmd(0, TPM_ORD_PHYSICAL_PRESENCE, + 2, TPM_PP_PRESENT, TPM_DURATION_TYPE_SHORT); + if (!ret) + return 0; + + ret = tpm12_read_permanent_flags((char *)&pf, sizeof(pf)); + if (ret) + return -1; + + /* check if hardware physical presence is supported */ + if (pf.flags[PERM_FLAG_IDX_PHYSICAL_PRESENCE_HW_ENABLE]) { + /* HW. phys. presence may not be asserted ... */ + return 0; + } + + if (!pf.flags[PERM_FLAG_IDX_PHYSICAL_PRESENCE_LIFETIME_LOCK] + && !pf.flags[PERM_FLAG_IDX_PHYSICAL_PRESENCE_CMD_ENABLE]) { + tpm_simple_cmd(0, TPM_ORD_PHYSICAL_PRESENCE, + 2, TPM_PP_CMD_ENABLE, TPM_DURATION_TYPE_SHORT); + return tpm_simple_cmd(0, TPM_ORD_PHYSICAL_PRESENCE, + 2, TPM_PP_PRESENT, + TPM_DURATION_TYPE_SHORT); + } + return -1; +} + +static int tpm12_startup(void) +{ + dprintf("Starting with TPM_Startup(ST_CLEAR)\n"); + int ret = tpm_simple_cmd(0, TPM_ORD_STARTUP, + 2, TPM_ST_CLEAR, TPM_DURATION_TYPE_SHORT); + if (ret) + goto err_exit; + + /* asssertion of physical presence is only possible after startup */ + ret = tpm12_assert_physical_presence(); + if (!ret) + tpm_state.has_physical_presence = true; + + ret = tpm12_determine_timeouts(); + if (ret) + goto err_exit; + + ret = tpm_simple_cmd(0, TPM_ORD_SELF_TEST_FULL, + 0, 0, TPM_DURATION_TYPE_LONG); + if (ret) + goto err_exit; + + return 0; + +err_exit: + dprintf("TPM malfunctioning (line %d).\n", __LINE__); + + tpm_set_failure(); + return -1; +} + +uint32_t tpm_start(void) +{ + tpm_state.has_physical_presence = false; + + probe_tpm(); + + if (!tpm_is_working()) { + dprintf("%s: Machine does not have a working TPM\n", + __func__); + return TCGBIOS_FATAL_COM_ERROR; + } + + return tpm12_startup(); +} + +void tpm_finalize(void) +{ + spapr_vtpm_finalize(); +} + +/* + * Give up physical presence; this function has to be called before + * the firmware transitions to the boot loader. + */ +uint32_t tpm_unassert_physical_presence(void) +{ + if (tpm_state.has_physical_presence) + tpm_simple_cmd(0, TPM_ORD_PHYSICAL_PRESENCE, + 2, TPM_PP_NOT_PRESENT_LOCK, + TPM_DURATION_TYPE_SHORT); + + return 0; +} diff --git a/lib/libtpm/tcgbios.h b/lib/libtpm/tcgbios.h new file mode 100644 index 0000000..5b5e481 --- /dev/null +++ b/lib/libtpm/tcgbios.h @@ -0,0 +1,22 @@ +/***************************************************************************** + * Copyright (c) 2015 IBM Corporation + * All rights reserved. + * This program and the accompanying materials + * are made available under the terms of the BSD License + * which accompanies this distribution, and is available at + * http://www.opensource.org/licenses/bsd-license.php + * + * Contributors: + * IBM Corporation - initial implementation + *****************************************************************************/ + +#ifndef TCGBIOS_H +#define TCGBIOS_H + +#include + +uint32_t tpm_start(void); +void tpm_finalize(void); +uint32_t tpm_unassert_physical_presence(void); + +#endif /* TCGBIOS_H */ diff --git a/lib/libtpm/tcgbios_int.h b/lib/libtpm/tcgbios_int.h new file mode 100644 index 0000000..11f91a7 --- /dev/null +++ b/lib/libtpm/tcgbios_int.h @@ -0,0 +1,153 @@ +/***************************************************************************** + * Copyright (c) 2015 IBM Corporation + * All rights reserved. + * This program and the accompanying materials + * are made available under the terms of the BSD License + * which accompanies this distribution, and is available at + * http://www.opensource.org/licenses/bsd-license.php + * + * Contributors: + * IBM Corporation - initial implementation + *****************************************************************************/ + +#ifndef TCGBIOS_INT_H +#define TCGBIOS_INT_H + +#include + +#include "tpm_drivers.h" + +/* internal error codes */ +#define TCGBIOS_OK 0x0 +#define TCGBIOS_LOGOVERFLOW 0x1 +#define TCGBIOS_GENERAL_ERROR 0x2 +#define TCGBIOS_FIRMWARE_ERROR 0x3 +#define TCGBIOS_FATAL_COM_ERROR 0x4 +#define TCGBIOS_INVALID_INPUT_PARA 0x5 +#define TCGBIOS_COMMAND_ERROR 0x6 +#define TCGBIOS_INTERFACE_SHUTDOWN 0x7 + +#define TPM_ORD_SELF_TEST_FULL 0x00000050 +#define TPM_ORD_FORCE_CLEAR 0x0000005d +#define TPM_ORD_GET_CAPABILITY 0x00000065 +#define TPM_ORD_PHYSICAL_ENABLE 0x0000006f +#define TPM_ORD_PHYSICAL_DISABLE 0x00000070 +#define TPM_ORD_SET_OWNER_INSTALL 0x00000071 +#define TPM_ORD_PHYSICAL_SET_DEACTIVATED 0x00000072 +#define TPM_ORD_SET_TEMP_DEACTIVATED 0x00000073 +#define TPM_ORD_STARTUP 0x00000099 +#define TPM_ORD_PHYSICAL_PRESENCE 0x4000000a +#define TPM_ORD_EXTEND 0x00000014 + +#define TPM_ST_CLEAR 0x1 +#define TPM_ST_STATE 0x2 +#define TPM_ST_DEACTIVATED 0x3 + +#define TPM_PP_CMD_ENABLE 0x0020 +#define TPM_PP_PRESENT 0x0008 +#define TPM_PP_NOT_PRESENT_LOCK 0x0014 + +#define TPM_TAG_RQU_CMD 0x00c1 + +/* TPM command error codes */ +#define TPM_INVALID_POSTINIT 0x26 + +/* event types */ +#define EV_POST_CODE 1 +#define EV_SEPARATOR 4 +#define EV_ACTION 5 +#define EV_EVENT_TAG 6 +#define EV_IPL 13 +#define EV_IPL_PARTITION_DATA 14 + +#define SHA1_BUFSIZE 20 + +/* Input and Output blocks for the TCG BIOS commands */ + +/* PCClient_PCREventStruct -- format of log entries; compatible with x86 */ +struct pcpes { + uint32_t pcrindex; + uint32_t eventtype; + uint8_t digest[SHA1_BUFSIZE]; + uint32_t eventdatasize; + uint32_t event; +} __attribute__((packed)); + +struct tpm_req_header { + uint16_t tag; + uint32_t totlen; + uint32_t ordinal; +} __attribute__((packed)); + +#define TPM_REQ_HEADER_SIZE (sizeof(struct tpm_req_header)) + +struct tpm_rsp_header { + uint16_t tag; + uint32_t totlen; + uint32_t errcode; +} __attribute__((packed)); + +#define TPM_RSP_HEADER_SIZE (sizeof(struct tpm_rsp_header)) + +struct tpm_req_extend { + struct tpm_req_header hdr; + uint32_t pcrindex; + uint8_t digest[SHA1_BUFSIZE]; +} __attribute__((packed)); + +struct tpm_rsp_extend { + struct tpm_rsp_header hdr; + uint8_t digest[SHA1_BUFSIZE]; +} __attribute__((packed)); + +struct tpm_req_getcap { + struct tpm_req_header hdr; + uint32_t capArea; + uint32_t subCapSize; + uint32_t subCap; +} __attribute__((packed)); + +#define TPM_CAP_FLAG 0x04 +#define TPM_CAP_PROPERTY 0x05 +#define TPM_CAP_FLAG_PERMANENT 0x108 +#define TPM_CAP_PROP_DURATION 0x120 + +struct tpm_req_getcap_perm_flags { + struct tpm_req_header hdr; + uint32_t cap_area; + uint32_t sub_cap_zize; + uint32_t sub_cap; +} __attribute__((packed)); + +struct tpm_permanent_flags { + uint16_t tag; + uint8_t flags[20]; +} __attribute__((packed)); + +#define PERM_FLAG_IDX_DISABLE 0 +#define PERM_FLAG_IDX_OWNERSHIP 1 +#define PERM_FLAG_IDX_DEACTIVATED 2 +#define PERM_FLAG_IDX_DISABLEOWNERCLEAR 4 +#define PERM_FLAG_IDX_PHYSICAL_PRESENCE_LIFETIME_LOCK 6 +#define PERM_FLAG_IDX_PHYSICAL_PRESENCE_HW_ENABLE 7 +#define PERM_FLAG_IDX_PHYSICAL_PRESENCE_CMD_ENABLE 8 + +struct tpm_rsp_getcap_perm_flags { + struct tpm_rsp_header hdr; + uint32_t size; + struct tpm_permanent_flags perm_flags; +} __attribute__((packed)); + +struct tpm_rsp_getcap_ownerauth { + struct tpm_rsp_header hdr; + uint32_t size; + uint8_t flag; +} __attribute__((packed)); + +struct tpm_rsp_getcap_durations { + struct tpm_rsp_header hdr; + uint32_t size; + uint32_t durations[TPM_NUM_DURATIONS]; +} __attribute__((packed)); + +#endif /* TCGBIOS_INT_H */ diff --git a/lib/libtpm/tpm.code b/lib/libtpm/tpm.code new file mode 100644 index 0000000..08f52e9 --- /dev/null +++ b/lib/libtpm/tpm.code @@ -0,0 +1,46 @@ +/****************************************************************************** + * Copyright (c) 2015 IBM Corporation + * All rights reserved. + * This program and the accompanying materials + * are made available under the terms of the BSD License + * which accompanies this distribution, and is available at + * http://www.opensource.org/licenses/bsd-license.php + * + * Contributors: + * IBM Corporation - initial implementation + *****************************************************************************/ +/* + * libtpm bindings for SLOF - implementation + */ + +#include + + +/************************************************/ +/* Startup TPM code */ +/* SLOF: tpm-start ( -- errcode ) */ +/* LIBTPM: tpm_start(void) */ +/************************************************/ +PRIM(tpm_X2d_start) + PUSH; + TOS.n = tpm_start(); +MIRP + +/************************************************/ +/* Shutdown TPM layer before OS takes over */ +/* SLOF: tpm-finalize ( -- ) */ +/* LIBTPM: tpm_finalize(void) */ +/************************************************/ +PRIM(tpm_X2d_finalize) + tpm_finalize(); +MIRP + +/***************************************************************/ +/* Prepare TPM state for bootloader */ +/* SLOF: tpm-unassert-physical-presence ( -- errcode ) */ +/* LIBTPM: tpm_unassert_physical-presence(void) */ +/***************************************************************/ +PRIM(tpm_X2d_unassert_X2d_physical_X2d_presence) + PUSH; + TOS.n = tpm_unassert_physical_presence(); +MIRP diff --git a/lib/libtpm/tpm.in b/lib/libtpm/tpm.in new file mode 100644 index 0000000..e212483 --- /dev/null +++ b/lib/libtpm/tpm.in @@ -0,0 +1,18 @@ +/****************************************************************************** + * Copyright (c) 2015 IBM Corporation + * All rights reserved. + * This program and the accompanying materials + * are made available under the terms of the BSD License + * which accompanies this distribution, and is available at + * http://www.opensource.org/licenses/bsd-license.php + * + * Contributors: + * IBM Corporation - initial implementation + *****************************************************************************/ +/* + * libtpm bindings for SLOF - definitions + */ + +cod(tpm-start) +cod(tpm-finalize) +cod(tpm-unassert-physical-presence) diff --git a/lib/libtpm/tpm_drivers.c b/lib/libtpm/tpm_drivers.c index 19e988d..7b1c9c8 100644 --- a/lib/libtpm/tpm_drivers.c +++ b/lib/libtpm/tpm_drivers.c @@ -20,6 +20,7 @@ #include "tpm_drivers.h" #include "libhvcall.h" #include "paflof.h" +#include "tcgbios_int.h" #undef PAPR_VTPM_DEBUG //#define PAPR_VTPM_DEBUG @@ -476,3 +477,15 @@ bool spapr_is_vtpm_present(void) return rc; } + +int tpmhw_transmit(uint8_t locty, struct tpm_req_header *req, + void *respbuffer, uint32_t *respbufferlen, + enum tpm_duration_type to_t) +{ + if (!spapr_vtpm_senddata((uint8_t *)req, be32_to_cpu(req->totlen)) || + !spapr_vtpm_waitresponseready(to_t) || + !spapr_vtpm_readresponse(respbuffer, respbufferlen) || + *respbufferlen < sizeof(struct tpm_rsp_header)) + return -1; + return 0; +} diff --git a/lib/libtpm/tpm_drivers.h b/lib/libtpm/tpm_drivers.h index 5d19514..ab2e152 100644 --- a/lib/libtpm/tpm_drivers.h +++ b/lib/libtpm/tpm_drivers.h @@ -78,4 +78,9 @@ uint32_t spapr_vtpm_get_buffersize(void); vtpm_drv_state spapr_vtpm_get_state(void); vtpm_drv_error spapr_vtpm_get_error(void); +struct tpm_req_header; +int tpmhw_transmit(uint8_t locty, struct tpm_req_header *req, + void *respbuffer, uint32_t *respbufferlen, + enum tpm_duration_type to_t); + #endif /* TPM_DRIVERS_H */ diff --git a/slof/fs/start-up.fs b/slof/fs/start-up.fs index 7020f5c..0715357 100644 --- a/slof/fs/start-up.fs +++ b/slof/fs/start-up.fs @@ -56,6 +56,13 @@ ; : (boot?) ( -- ) + \ last step before we boot we give up physical presence on the TPM + s" /ibm,vtpm" find-node dup IF + s" unassert-physical-presence" rot $call-static + ELSE + drop + THEN + of-prompt? not auto-boot? and IF (boot) THEN From patchwork Wed Dec 11 20:26:58 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1207898 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47Y7mv5wzgz9sR8 for ; Thu, 12 Dec 2019 07:28:47 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47Y7mv27QVzDqjh for ; Thu, 12 Dec 2019 07:28:47 +1100 (AEDT) X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47Y7ll4pwYzDqJ2 for ; Thu, 12 Dec 2019 07:27:44 +1100 (AEDT) Received: from pps.filterd (m0098410.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xBBKGfTJ105797; Wed, 11 Dec 2019 15:27:41 -0500 Received: from ppma02dal.us.ibm.com (a.bd.3ea9.ip4.static.sl-reverse.com [169.62.189.10]) by mx0a-001b2d01.pphosted.com with ESMTP id 2wsrdqkp01-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 15:27:41 -0500 Received: from pps.filterd (ppma02dal.us.ibm.com [127.0.0.1]) by ppma02dal.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id xBBKLNbe020702; Wed, 11 Dec 2019 20:27:40 GMT Received: from b01cxnp23033.gho.pok.ibm.com (b01cxnp23033.gho.pok.ibm.com [9.57.198.28]) by ppma02dal.us.ibm.com with ESMTP id 2wr3q723tn-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 20:27:40 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp23033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xBBKRdqe38273314 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Dec 2019 20:27:39 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 793AAB2065; Wed, 11 Dec 2019 20:27:39 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 6BDBFB2064; Wed, 11 Dec 2019 20:27:39 +0000 (GMT) Received: from newfield.pok.ibm.com (unknown [9.47.158.66]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 11 Dec 2019 20:27:39 +0000 (GMT) From: Stefan Berger To: slof@lists.ozlabs.org Date: Wed, 11 Dec 2019 15:26:58 -0500 Message-Id: <20191211202728.127996-4-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> References: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-11_06:2019-12-11, 2019-12-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 phishscore=0 impostorscore=0 mlxlogscore=999 priorityscore=1501 adultscore=0 bulkscore=0 mlxscore=0 malwarescore=0 suspectscore=1 lowpriorityscore=0 clxscore=1015 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912110168 Subject: [SLOF] [PATCH v4 03/33] tpm: Add sha1 implementation X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kevin@koconnor.net MIME-Version: 1.0 Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" The following patch adds a SHA1 implementation based on the algorithm description in NIST FIPS PUB 180-4. Signed-off-by: Stefan Berger --- lib/libtpm/Makefile | 2 +- lib/libtpm/sha1.c | 197 ++++++++++++++++++++++++++++++++++++++++++++ lib/libtpm/sha1.h | 20 +++++ 3 files changed, 218 insertions(+), 1 deletion(-) create mode 100644 lib/libtpm/sha1.c create mode 100644 lib/libtpm/sha1.h diff --git a/lib/libtpm/Makefile b/lib/libtpm/Makefile index 012fe37..1a67859 100644 --- a/lib/libtpm/Makefile +++ b/lib/libtpm/Makefile @@ -23,7 +23,7 @@ TARGET = ../libtpm.a all: $(TARGET) -SRCS = tpm_drivers.c tcgbios.c +SRCS = tpm_drivers.c tcgbios.c sha1.c OBJS = $(SRCS:%.c=%.o) diff --git a/lib/libtpm/sha1.c b/lib/libtpm/sha1.c new file mode 100644 index 0000000..2454b8f --- /dev/null +++ b/lib/libtpm/sha1.c @@ -0,0 +1,197 @@ +/***************************************************************************** + * Copyright (c) 2015 IBM Corporation + * All rights reserved. + * This program and the accompanying materials + * are made available under the terms of the BSD License + * which accompanies this distribution, and is available at + * http://www.opensource.org/licenses/bsd-license.php + * + * Contributors: + * IBM Corporation - initial implementation + *****************************************************************************/ + +/* + * See: NIST standard for SHA-1 in FIPS PUB 180-4 + */ + +#include "byteorder.h" +#include "sha1.h" +#include "string.h" + +typedef struct _sha1_ctx { + uint32_t h[5]; +} sha1_ctx; + +static uint32_t rol(uint32_t data, uint8_t n) +{ + if (!n) + return data; + return (data << n) | (data >> (32 - n)); +} + +static void sha1_block(uint32_t *w, sha1_ctx *ctx) +{ + uint32_t i; + uint32_t a,b,c,d,e,f; + uint32_t tmp; + uint32_t idx; + + /* + * FIPS 180-4 4.2.1: SHA1 Constants + */ + static const uint32_t sha_ko[4] = { + 0x5a827999, 0x6ed9eba1, 0x8f1bbcdc, 0xca62c1d6 + }; + + /* + * FIPS 180-4 6.1.2: step 1 + * + * 0 <= i <= 15: + * W(t) = M(t) + * 16 <= i <= 79: + * W(t) = ROTL(W(t-3) XOR W(t-8) XOR W(t-14) XOR W(t-16), 1) + */ + + /* w(0)..(w15) already in big endian format */ + + for (i = 16; i <= 79; i++) { + tmp = w[i-3] ^ w[i-8] ^ w[i-14] ^ w[i-16]; + w[i] = rol(tmp, 1); + } + + /* + * step 2: a = H0, b = H1, c = H2, d = H3, e = H4. + */ + a = ctx->h[0]; + b = ctx->h[1]; + c = ctx->h[2]; + d = ctx->h[3]; + e = ctx->h[4]; + + /* + * step 3: For i = 0 to 79: + * T = ROTL(a, 5) + f(i; b,c,d) + e + W(t) + K(t); + */ + for (i = 0; i <= 79; i++) { + /* + * FIPS 180-4: 4.1.1 : definition of f(i; b,c,d) + */ + if (i <= 19) { + /* + * 0 <= i <= 19: + * f(i; b,c,d) = (b AND c) OR ((NOT b) AND d) + */ + f = (b & c) | ((b ^ 0xffffffff) & d); + idx = 0; + } else if (i <= 39) { + /* + * 20 <= i <= 39: + * f(i; b,c,d) = b XOR c XOR d + */ + f = b ^ c ^ d; + idx = 1; + } else if (i <= 59) { + /* + * 40 <= i <= 59: + * f(i; b,c,d) = (b AND c) OR (b AND d) OR (c AND d) + */ + f = (b & c) | (b & d) | (c & d); + idx = 2; + } else { + /* + * 60 <= i <= 79: + * f(i; b,c,d) = b XOR c XOR d + */ + f = b ^ c ^ d; + idx = 3; + } + + /* + * step 3: + * t = ROTL(a, 5) + f(t;b,c,d) + e + K(t) + W(t); + * e = d; d = c; c = ROTL(b, 30); b = a; a = t; + */ + tmp = rol(a, 5) + + f + + e + + sha_ko[idx] + + w[i]; + e = d; + d = c; + c = rol(b, 30); + b = a; + a = tmp; + } + + /* + * step 4: + * H0 = a + H0, H1 = b + H1, H2 = c + H2, H3 = d + H3, H4 = e + H4 + */ + ctx->h[0] += a; + ctx->h[1] += b; + ctx->h[2] += c; + ctx->h[3] += d; + ctx->h[4] += e; +} + +static void sha1_do(sha1_ctx *ctx, const uint8_t*data32, uint32_t length) +{ + uint32_t offset; + uint16_t num; + uint32_t bits = 0; + uint32_t w[80]; + uint64_t tmp; + + /* treat data in 64-byte chunks */ + for (offset = 0; length - offset >= 64; offset += 64) { + memcpy(w, data32 + offset, 64); + sha1_block((uint32_t *)w, ctx); + bits += (64 * 8); + } + + /* last block with less than 64 bytes */ + num = length - offset; + bits += (num << 3); + + memcpy(w, data32 + offset, num); + /* + * FIPS 180-4 5.1: Padding the Message + */ + ((uint8_t *)w)[num] = 0x80; + if (64 - (num + 1) > 0) + memset( &((uint8_t *)w)[num + 1], 0, 64 - (num + 1)); + + if (num >= 56) { + /* cannot append number of bits here */ + sha1_block((uint32_t *)w, ctx); + memset(w, 0, 60); + } + + /* write number of bits to end of block */ + tmp = bits; + memcpy(&w[14], &tmp, 8); + + sha1_block(w, ctx); +} + +uint32_t sha1(const uint8_t *data, uint32_t length, uint8_t *hash) +{ + sha1_ctx ctx = { + .h = { + /* + * FIPS 180-4: 6.1.1 + * -> 5.3.1: initial hash value + */ + 0x67452301, + 0xefcdab89, + 0x98badcfe, + 0x10325476, + 0xc3d2e1f0, + } + }; + + sha1_do(&ctx, data, length); + memcpy(hash, &ctx.h[0], 20); + + return 0; +} diff --git a/lib/libtpm/sha1.h b/lib/libtpm/sha1.h new file mode 100644 index 0000000..7fa3e03 --- /dev/null +++ b/lib/libtpm/sha1.h @@ -0,0 +1,20 @@ +/***************************************************************************** + * Copyright (c) 2015 IBM Corporation + * All rights reserved. + * This program and the accompanying materials + * are made available under the terms of the BSD License + * which accompanies this distribution, and is available at + * http://www.opensource.org/licenses/bsd-license.php + * + * Contributors: + * IBM Corporation - initial implementation + *****************************************************************************/ + +#ifndef __SHA1_H +#define __SHA1_H + +#include "types.h" + +uint32_t sha1(const uint8_t *data, uint32_t length, uint8_t *hash); + +#endif /* __SHA1_H */ From patchwork Wed Dec 11 20:26:59 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1207897 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47Y7mn3ZBgz9sR7 for ; Thu, 12 Dec 2019 07:28:41 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47Y7mn2BzYzDqgd for ; Thu, 12 Dec 2019 07:28:41 +1100 (AEDT) X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.158.5; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47Y7ll2Cy0zDqLs for ; Thu, 12 Dec 2019 07:27:43 +1100 (AEDT) Received: from pps.filterd (m0098416.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xBBKGfIe131174; Wed, 11 Dec 2019 15:27:41 -0500 Received: from ppma04dal.us.ibm.com (7a.29.35a9.ip4.static.sl-reverse.com [169.53.41.122]) by mx0b-001b2d01.pphosted.com with ESMTP id 2wtbt2hyem-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 15:27:41 -0500 Received: from pps.filterd (ppma04dal.us.ibm.com [127.0.0.1]) by ppma04dal.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id xBBKIIk7026632; Wed, 11 Dec 2019 20:27:40 GMT Received: from b01cxnp23033.gho.pok.ibm.com (b01cxnp23033.gho.pok.ibm.com [9.57.198.28]) by ppma04dal.us.ibm.com with ESMTP id 2wr3q723hg-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 20:27:40 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp23033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xBBKRdJV38273316 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Dec 2019 20:27:39 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 86F43B2067; Wed, 11 Dec 2019 20:27:39 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 7A873B2066; Wed, 11 Dec 2019 20:27:39 +0000 (GMT) Received: from newfield.pok.ibm.com (unknown [9.47.158.66]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 11 Dec 2019 20:27:39 +0000 (GMT) From: Stefan Berger To: slof@lists.ozlabs.org Date: Wed, 11 Dec 2019 15:26:59 -0500 Message-Id: <20191211202728.127996-5-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> References: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-11_06:2019-12-11, 2019-12-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 spamscore=0 suspectscore=15 phishscore=0 malwarescore=0 bulkscore=0 mlxlogscore=999 impostorscore=0 clxscore=1015 adultscore=0 priorityscore=1501 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912110168 Subject: [SLOF] [PATCH v4 04/33] tpm: Add initial support for logging X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kevin@koconnor.net MIME-Version: 1.0 Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" This patch adds initial support for the logging that will be done following measurements done by further code added to SLOF. Signed-off-by: Stefan Berger Reviewed-by: Nikunj A Dadhania --- board-qemu/slof/vtpm-sml.fs | 3 +++ lib/libtpm/tcgbios.c | 18 ++++++++++++++++++ lib/libtpm/tcgbios.h | 1 + lib/libtpm/tpm.code | 11 +++++++++++ lib/libtpm/tpm.in | 1 + 5 files changed, 34 insertions(+) diff --git a/board-qemu/slof/vtpm-sml.fs b/board-qemu/slof/vtpm-sml.fs index 7cd3729..51c3db5 100644 --- a/board-qemu/slof/vtpm-sml.fs +++ b/board-qemu/slof/vtpm-sml.fs @@ -25,6 +25,9 @@ LOG-SIZE BUFFER: log-base \ create /ibm,vtpm s" ibm,vtpm" 2dup device-name device-type +\ convey logbase and size to the C driver +log-base LOG-SIZE tpm-set-log-parameters + : sml-get-allocated-size ( -- buffer-size) vtpm-debug? IF ." Call to sml-get-allocated-size; size = 0x" LOG-SIZE . cr diff --git a/lib/libtpm/tcgbios.c b/lib/libtpm/tcgbios.c index 5b12461..31d3eb0 100644 --- a/lib/libtpm/tcgbios.c +++ b/lib/libtpm/tcgbios.c @@ -39,6 +39,12 @@ struct tpm_state { unsigned tpm_found:1; unsigned tpm_working:1; unsigned has_physical_presence:1; + + /* base address of the log area */ + uint8_t *log_base; + + /* size of the logging area */ + uint32_t log_area_size; }; static struct tpm_state tpm_state; @@ -269,3 +275,15 @@ uint32_t tpm_unassert_physical_presence(void) return 0; } + +/**************************************************************** + * Forth interface + ****************************************************************/ + +void tpm_set_log_parameters(void *addr, unsigned int size) +{ + dprintf("Log is at 0x%llx; size is %u bytes\n", + (uint64_t)addr, size); + tpm_state.log_base = addr; + tpm_state.log_area_size = size; +} diff --git a/lib/libtpm/tcgbios.h b/lib/libtpm/tcgbios.h index 5b5e481..7f7691a 100644 --- a/lib/libtpm/tcgbios.h +++ b/lib/libtpm/tcgbios.h @@ -18,5 +18,6 @@ uint32_t tpm_start(void); void tpm_finalize(void); uint32_t tpm_unassert_physical_presence(void); +void tpm_set_log_parameters(void *address, unsigned int size); #endif /* TCGBIOS_H */ diff --git a/lib/libtpm/tpm.code b/lib/libtpm/tpm.code index 08f52e9..2f3e198 100644 --- a/lib/libtpm/tpm.code +++ b/lib/libtpm/tpm.code @@ -44,3 +44,14 @@ PRIM(tpm_X2d_unassert_X2d_physical_X2d_presence) PUSH; TOS.n = tpm_unassert_physical_presence(); MIRP + +/*************************************************************/ +/* Convey log address and size */ +/* SLOF: tpm-set-log-parameters ( addr size -- ) */ +/* LIBTPM: tpm_set_log_parameters(void *addr, uint64_t size) */ +/*************************************************************/ +PRIM(tpm_X2d_set_X2d_log_X2d_parameters) + int size = TOS.u; POP; + void *addr = TOS.a; POP; + tpm_set_log_parameters(addr, size); +MIRP diff --git a/lib/libtpm/tpm.in b/lib/libtpm/tpm.in index e212483..c6ad91c 100644 --- a/lib/libtpm/tpm.in +++ b/lib/libtpm/tpm.in @@ -16,3 +16,4 @@ cod(tpm-start) cod(tpm-finalize) cod(tpm-unassert-physical-presence) +cod(tpm-set-log-parameters) From patchwork Wed Dec 11 20:27:00 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1207899 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47Y7n246Qxz9sR7 for ; Thu, 12 Dec 2019 07:28:54 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47Y7n23CQszDqjx for ; Thu, 12 Dec 2019 07:28:54 +1100 (AEDT) X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47Y7ll4lfPzDqHJ for ; Thu, 12 Dec 2019 07:27:44 +1100 (AEDT) Received: from pps.filterd (m0187473.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xBBKGYrO133902; Wed, 11 Dec 2019 15:27:41 -0500 Received: from ppma04wdc.us.ibm.com (1a.90.2fa9.ip4.static.sl-reverse.com [169.47.144.26]) by mx0a-001b2d01.pphosted.com with ESMTP id 2wr8m09rky-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 15:27:41 -0500 Received: from pps.filterd (ppma04wdc.us.ibm.com [127.0.0.1]) by ppma04wdc.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id xBBKFuQi031402; Wed, 11 Dec 2019 20:27:40 GMT Received: from b01cxnp23033.gho.pok.ibm.com (b01cxnp23033.gho.pok.ibm.com [9.57.198.28]) by ppma04wdc.us.ibm.com with ESMTP id 2wr3q6r4kv-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 20:27:40 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp23033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xBBKRdkV38273318 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Dec 2019 20:27:39 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id AA08CB2064; Wed, 11 Dec 2019 20:27:39 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 923B7B205F; Wed, 11 Dec 2019 20:27:39 +0000 (GMT) Received: from newfield.pok.ibm.com (unknown [9.47.158.66]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 11 Dec 2019 20:27:39 +0000 (GMT) From: Stefan Berger To: slof@lists.ozlabs.org Date: Wed, 11 Dec 2019 15:27:00 -0500 Message-Id: <20191211202728.127996-6-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> References: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-11_06:2019-12-11, 2019-12-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxscore=0 mlxlogscore=999 lowpriorityscore=0 priorityscore=1501 impostorscore=0 malwarescore=0 phishscore=0 bulkscore=0 clxscore=1015 adultscore=0 spamscore=0 suspectscore=15 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912110168 Subject: [SLOF] [PATCH v4 05/33] tpm: Extend firmware API X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kevin@koconnor.net MIME-Version: 1.0 Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" Extend the internal API of the TPM firmware support with additional functions for hashing data, extending the TPM's platform configuration registers with a hash, and appending to the log that is recording what was hashed. Add the TPM firmware API calls hash-all, log-event, and hash-log-extend-event. These firmware calls are implemented in /vdevice/vtpm and /ibm,vtpm but the former merely forwards the calls to the latter. The implementation follows the Virtual TPM firmware documentation. These particular 3 API calls enable trusted grub extensions. Signed-off-by: Stefan Berger --- board-qemu/slof/vio-vtpm-cdriver.fs | 42 ++++++++ board-qemu/slof/vtpm-sml.fs | 32 +++++++ lib/libtpm/tcgbios.c | 143 ++++++++++++++++++++++++++++ lib/libtpm/tcgbios.h | 6 ++ lib/libtpm/tcgbios_int.h | 1 + lib/libtpm/tpm.code | 32 +++++++ lib/libtpm/tpm.in | 3 + 7 files changed, 259 insertions(+) diff --git a/board-qemu/slof/vio-vtpm-cdriver.fs b/board-qemu/slof/vio-vtpm-cdriver.fs index f873456..53aad4d 100644 --- a/board-qemu/slof/vio-vtpm-cdriver.fs +++ b/board-qemu/slof/vio-vtpm-cdriver.fs @@ -14,6 +14,7 @@ false VALUE vtpm-debug? 0 VALUE vtpm-unit +0 VALUE vtpm-ihandle : setup-alias " ibm,vtpm" find-alias 0= IF @@ -56,6 +57,47 @@ false VALUE vtpm-debug? r> to my-self ; +\ forward a call to /ibm,vtpm, which implements the function with the +\ given name +: vtpm-call-forward ( arg ... arg name namelen -- ret ... ret failure? ) + \ assign /ibm,vtpm node to vtpm-ihandle, if not assigned + vtpm-ihandle 0= IF + s" /ibm,vtpm" open-dev to vtpm-ihandle + THEN + + vtpm-ihandle 0<> IF + vtpm-ihandle ( arg ... arg name namelen ihandle ) + $call-method ( ret ... ret ) + false ( ret ... ret false ) + ELSE + true ( true ) + THEN +; + +\ firmware API call +: hash-all ( data-ptr data-len hash-ptr -- ) + " hash-all" vtpm-call-forward IF + \ vtpm-call-forward failed; clean up stack + 3drop + THEN +; + +\ firmware API call +: log-event ( event-ptr -- success? ) + " log-event" vtpm-call-forward IF + drop + false + THEN +; + +\ firmware API call +: hash-log-extend-event ( event-ptr -- rc ) + " hash-log-extend-event" vtpm-call-forward IF + drop + 9 \ TPM_FAIL + THEN +; + : open ( ) vtpm-debug? IF ." VTPM: vTPM open()" cr THEN true diff --git a/board-qemu/slof/vtpm-sml.fs b/board-qemu/slof/vtpm-sml.fs index 51c3db5..aa75f46 100644 --- a/board-qemu/slof/vtpm-sml.fs +++ b/board-qemu/slof/vtpm-sml.fs @@ -45,6 +45,38 @@ log-base LOG-SIZE tpm-set-log-parameters move ; +: hash-all ( data-ptr data-len hash-ptr -- ) + vtpm-debug? IF + ." Call to hash-all" cr + THEN + tpm-hash-all ( errcode ) + dup 0<> IF + ." VTPM: Error code from tpm-hash-all: " . cr + ELSE + drop + THEN +; + +: log-event ( event-ptr -- success? ) + vtpm-debug? IF + ." Call to log-event" cr + THEN + tpm-log-event ( success? ) + dup 0= IF + ." VTPM: Returned bool from tpm-log-event: " dup . cr + THEN +; + +: hash-log-extend-event ( event-ptr -- rc ) + vtpm-debug? IF + ." Call to hash-log-extend-event" cr + THEN + tpm-hash-log-extend-event ( rc ) + dup 0<> IF + ." VTPM: Error code from tpm-hash-log-extend-event: " dup . cr + THEN +; + \ \ internal API calls \ diff --git a/lib/libtpm/tcgbios.c b/lib/libtpm/tcgbios.c index 31d3eb0..4a340d9 100644 --- a/lib/libtpm/tcgbios.c +++ b/lib/libtpm/tcgbios.c @@ -18,6 +18,8 @@ * http://www.trustedcomputinggroup.org/resources/pc_client_work_group_specific_implementation_specification_for_conventional_bios */ +#include + #include "types.h" #include "byteorder.h" #include "tpm_drivers.h" @@ -25,6 +27,8 @@ #include "tcgbios.h" #include "tcgbios_int.h" #include "stdio.h" +#include "sha1.h" +#include "helpers.h" #undef TCGBIOS_DEBUG //#define TCGBIOS_DEBUG @@ -45,6 +49,9 @@ struct tpm_state { /* size of the logging area */ uint32_t log_area_size; + + /* where to write the next log entry to */ + uint8_t *log_area_next_entry; }; static struct tpm_state tpm_state; @@ -161,6 +168,38 @@ static int tpm12_determine_timeouts(void) return 0; } +/* + * Extend a PCR of the TPM with the given hash + * + * @hash: sha1 hash (20 bytes) to extend PCR with + * @pcrindex: the PCR to extend [ 0..23 ] + */ +static int tpm_extend(uint8_t *hash, uint32_t pcrindex) +{ + struct tpm_req_extend tre = { + .hdr.tag = cpu_to_be16(TPM_TAG_RQU_CMD), + .hdr.totlen = cpu_to_be32(sizeof(tre)), + .hdr.ordinal = cpu_to_be32(TPM_ORD_EXTEND), + .pcrindex = cpu_to_be32(pcrindex), + }; + struct tpm_rsp_extend rsp; + uint32_t resp_length = sizeof(rsp); + int ret; + + memcpy(tre.digest, hash, sizeof(tre.digest)); + + ret = tpmhw_transmit(0, &tre.hdr, &rsp, &resp_length, + TPM_DURATION_TYPE_SHORT); + + if (ret || resp_length != sizeof(rsp) || rsp.hdr.errcode) { + dprintf("TPM_Extend response has unexpected size: %u\n", + resp_length); + return -1; + } + + return 0; +} + /**************************************************************** * Setup and Measurements ****************************************************************/ @@ -182,6 +221,58 @@ static void tpm_set_failure(void) tpm_state.tpm_working = false; } +/* + * Extend the OFDT log with the given entry by copying the + * entry data into the log. + * + * @pcpes: Pointer to the structure to be copied into the log + * @event: The event to be appended to 'pcpes' + * @event_length: The length of the event + * + * Returns 0 on success, an error code otherwise. + */ +static uint32_t tpm_log_event_long(struct pcpes *pcpes, + const void *event, uint32_t event_length) +{ + uint32_t size; + + dprintf("log base address = %p, next entry = %p\n", + tpm_state.log_base, tpm_state.log_area_next_entry); + + if (tpm_state.log_area_next_entry == NULL) + return TCGBIOS_LOGOVERFLOW; + + size = offset_of(struct pcpes, event) + event_length; + + if ((tpm_state.log_area_next_entry + size - tpm_state.log_base) > + tpm_state.log_area_size) { + dprintf("LOG OVERFLOW: size = %d\n", size); + return TCGBIOS_LOGOVERFLOW; + } + + pcpes->eventdatasize = event_length; + + memcpy(tpm_state.log_area_next_entry, pcpes, + offset_of(struct pcpes, event)); + memcpy(tpm_state.log_area_next_entry + offset_of(struct pcpes, event), + event, event_length); + + tpm_state.log_area_next_entry += size; + + return 0; +} + +bool tpm_log_event(struct pcpes *pcpes) +{ + const char *event = NULL; + uint32_t event_length = pcpes->eventdatasize; + + if (event_length) + event = (void *)pcpes + offset_of(struct pcpes, event); + + return (tpm_log_event_long(pcpes, event, event_length) == 0); +} + static int tpm12_assert_physical_presence(void) { struct tpm_permanent_flags pf; @@ -285,5 +376,57 @@ void tpm_set_log_parameters(void *addr, unsigned int size) dprintf("Log is at 0x%llx; size is %u bytes\n", (uint64_t)addr, size); tpm_state.log_base = addr; + tpm_state.log_area_next_entry = addr; tpm_state.log_area_size = size; } + +/* + * tpm_hash_all: Function for interfacing with the firmware API + */ +uint32_t tpm_hash_all(const void *data, uint32_t datalen, void *hashptr) +{ + return sha1(data, datalen, hashptr); +} + +static uint32_t hash_log_extend(struct pcpes *pcpes, + const void *hashdata, + uint32_t hashdata_length, + const char *event, uint32_t event_length, + bool extend) +{ + int ret; + + if (pcpes->pcrindex >= 24) + return TCGBIOS_INVALID_INPUT_PARA; + if (hashdata) + tpm_hash_all(hashdata, hashdata_length, pcpes->digest); + + if (extend) { + ret = tpm_extend(pcpes->digest, pcpes->pcrindex); + if (ret) + return TCGBIOS_COMMAND_ERROR; + } + ret = tpm_log_event_long(pcpes, event, event_length); + if (ret) + return TCGBIOS_LOGOVERFLOW; + return 0; +} + +/* + * tpm_hash_log_extend_event: Function for interfacing with the firmware API + */ +uint32_t tpm_hash_log_extend_event(struct pcpes *pcpes) +{ + const char *event = NULL; + uint32_t event_length = pcpes->eventdatasize; + + if (!tpm_is_working()) + return TCGBIOS_GENERAL_ERROR; + + if (event_length) + event = (void *)pcpes + offset_of(struct pcpes, event); + + return hash_log_extend(pcpes, + &pcpes->event, pcpes->eventdatasize, + event, event_length, true); +} diff --git a/lib/libtpm/tcgbios.h b/lib/libtpm/tcgbios.h index 7f7691a..c54eb91 100644 --- a/lib/libtpm/tcgbios.h +++ b/lib/libtpm/tcgbios.h @@ -14,10 +14,16 @@ #define TCGBIOS_H #include +#include + +struct pcpes; uint32_t tpm_start(void); void tpm_finalize(void); uint32_t tpm_unassert_physical_presence(void); void tpm_set_log_parameters(void *address, unsigned int size); +uint32_t tpm_hash_log_extend_event(struct pcpes *pcpes); +bool tpm_log_event(struct pcpes *pcpes); +uint32_t tpm_hash_all(const void *data, uint32_t datalen, void *hashptr); #endif /* TCGBIOS_H */ diff --git a/lib/libtpm/tcgbios_int.h b/lib/libtpm/tcgbios_int.h index 11f91a7..b3ab0ad 100644 --- a/lib/libtpm/tcgbios_int.h +++ b/lib/libtpm/tcgbios_int.h @@ -48,6 +48,7 @@ #define TPM_PP_NOT_PRESENT_LOCK 0x0014 #define TPM_TAG_RQU_CMD 0x00c1 +#define TPM_TAG_RSP_CMD 0x00c4 /* TPM command error codes */ #define TPM_INVALID_POSTINIT 0x26 diff --git a/lib/libtpm/tpm.code b/lib/libtpm/tpm.code index 2f3e198..80a50f8 100644 --- a/lib/libtpm/tpm.code +++ b/lib/libtpm/tpm.code @@ -55,3 +55,35 @@ PRIM(tpm_X2d_set_X2d_log_X2d_parameters) void *addr = TOS.a; POP; tpm_set_log_parameters(addr, size); MIRP + +/**************************************************/ +/* Firmware API */ +/* SLOF: tpm-log-event ( eventptr -- success? ) */ +/* LIBTPM: success = tpm-log-event */ +/**************************************************/ +PRIM(tpm_X2d_log_X2d_event) + void *eventptr = TOS.a; + TOS.n = tpm_log_event(eventptr); +MIRP + +/********************************************************/ +/* Firmware API */ +/* SLOF: tpm-hash-log-extend-event ( eventptr -- rc ) */ +/* LIBTPM: errcode = tpm-hash-log-extend-event */ +/********************************************************/ +PRIM(tpm_X2d_hash_X2d_log_X2d_extend_X2d_event) + void *eventptr = TOS.a; + TOS.n = tpm_hash_log_extend_event(eventptr); +MIRP + +/*****************************************************************/ +/* Firmware API */ +/* SLOF: tpm-hash-all ( data-ptr data-len hash-ptr -- errcode) */ +/* LIBTPM: errcode = tpm-hash-all */ +/*****************************************************************/ +PRIM(tpm_X2d_hash_X2d_all) + void *hashptr = TOS.a; POP; + int datalen = TOS.n; POP; + void *dataptr = TOS.a; + TOS.n = tpm_hash_all(dataptr, datalen, hashptr); +MIRP diff --git a/lib/libtpm/tpm.in b/lib/libtpm/tpm.in index c6ad91c..0086f33 100644 --- a/lib/libtpm/tpm.in +++ b/lib/libtpm/tpm.in @@ -17,3 +17,6 @@ cod(tpm-start) cod(tpm-finalize) cod(tpm-unassert-physical-presence) cod(tpm-set-log-parameters) +cod(tpm-log-event) +cod(tpm-hash-log-extend-event) +cod(tpm-hash-all) From patchwork Wed Dec 11 20:27:01 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1207903 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47Y7nd6YV8z9sR8 for ; Thu, 12 Dec 2019 07:29:25 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47Y7nd4qTHzDqnw for ; Thu, 12 Dec 2019 07:29:25 +1100 (AEDT) X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.158.5; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47Y7ll6lDgzDqYh for ; Thu, 12 Dec 2019 07:27:44 +1100 (AEDT) Received: from pps.filterd (m0098414.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xBBKGgtk028872; Wed, 11 Dec 2019 15:27:41 -0500 Received: from ppma01dal.us.ibm.com (83.d6.3fa9.ip4.static.sl-reverse.com [169.63.214.131]) by mx0b-001b2d01.pphosted.com with ESMTP id 2wu4t6d3s7-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 15:27:41 -0500 Received: from pps.filterd (ppma01dal.us.ibm.com [127.0.0.1]) by ppma01dal.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id xBBKKVcI027519; Wed, 11 Dec 2019 20:27:40 GMT Received: from b01cxnp23033.gho.pok.ibm.com (b01cxnp23033.gho.pok.ibm.com [9.57.198.28]) by ppma01dal.us.ibm.com with ESMTP id 2wr3q7a2t1-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 20:27:40 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp23033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xBBKRdnW14418406 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Dec 2019 20:27:39 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id C16CEB205F; Wed, 11 Dec 2019 20:27:39 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id AB495B2065; Wed, 11 Dec 2019 20:27:39 +0000 (GMT) Received: from newfield.pok.ibm.com (unknown [9.47.158.66]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 11 Dec 2019 20:27:39 +0000 (GMT) From: Stefan Berger To: slof@lists.ozlabs.org Date: Wed, 11 Dec 2019 15:27:01 -0500 Message-Id: <20191211202728.127996-7-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> References: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-11_06:2019-12-11, 2019-12-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 bulkscore=0 impostorscore=0 spamscore=0 clxscore=1015 suspectscore=15 mlxscore=0 mlxlogscore=999 malwarescore=0 adultscore=0 phishscore=0 priorityscore=1501 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912110168 Subject: [SLOF] [PATCH v4 06/33] tpm: Return value of actual log in sml-get-handover-size X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kevin@koconnor.net MIME-Version: 1.0 Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" With the functions for calculating the actual size of the log in place, use them to determine the exact size of the log that the firmware API call sml-get-handover-size now returns. Signed-off-by: Stefan Berger --- board-qemu/slof/vtpm-sml.fs | 7 +++++++ lib/libtpm/tcgbios.c | 9 +++++++++ lib/libtpm/tcgbios.h | 1 + lib/libtpm/tpm.code | 10 ++++++++++ lib/libtpm/tpm.in | 1 + 5 files changed, 28 insertions(+) diff --git a/board-qemu/slof/vtpm-sml.fs b/board-qemu/slof/vtpm-sml.fs index aa75f46..557aa62 100644 --- a/board-qemu/slof/vtpm-sml.fs +++ b/board-qemu/slof/vtpm-sml.fs @@ -35,6 +35,13 @@ log-base LOG-SIZE tpm-set-log-parameters LOG-SIZE ; +: sml-get-handover-size ( -- size ) + tpm-get-logsize + vtpm-debug? IF + ." Call to sml-get-handover-size; size = 0x" dup . cr + THEN +; + : sml-handover ( dest size -- ) vtpm-debug? IF 2dup diff --git a/lib/libtpm/tcgbios.c b/lib/libtpm/tcgbios.c index 4a340d9..d655ae1 100644 --- a/lib/libtpm/tcgbios.c +++ b/lib/libtpm/tcgbios.c @@ -380,6 +380,15 @@ void tpm_set_log_parameters(void *addr, unsigned int size) tpm_state.log_area_size = size; } +uint32_t tpm_get_logsize(void) +{ + uint32_t logsize = tpm_state.log_area_next_entry - tpm_state.log_base; + + dprintf("log size: %u\n", logsize); + + return logsize; +} + /* * tpm_hash_all: Function for interfacing with the firmware API */ diff --git a/lib/libtpm/tcgbios.h b/lib/libtpm/tcgbios.h index c54eb91..592ae6d 100644 --- a/lib/libtpm/tcgbios.h +++ b/lib/libtpm/tcgbios.h @@ -22,6 +22,7 @@ uint32_t tpm_start(void); void tpm_finalize(void); uint32_t tpm_unassert_physical_presence(void); void tpm_set_log_parameters(void *address, unsigned int size); +uint32_t tpm_get_logsize(void); uint32_t tpm_hash_log_extend_event(struct pcpes *pcpes); bool tpm_log_event(struct pcpes *pcpes); uint32_t tpm_hash_all(const void *data, uint32_t datalen, void *hashptr); diff --git a/lib/libtpm/tpm.code b/lib/libtpm/tpm.code index 80a50f8..eed9fbf 100644 --- a/lib/libtpm/tpm.code +++ b/lib/libtpm/tpm.code @@ -87,3 +87,13 @@ PRIM(tpm_X2d_hash_X2d_all) void *dataptr = TOS.a; TOS.n = tpm_hash_all(dataptr, datalen, hashptr); MIRP + +/************************************************/ +/* Get the size of the log */ +/* SLOF: tpm-get-logsize ( -- size ) */ +/* LIBTPM: logsize = tpm_get_logsize(void) */ +/************************************************/ +PRIM(tpm_X2d_get_X2d_logsize) + PUSH; + TOS.n = tpm_get_logsize(); +MIRP diff --git a/lib/libtpm/tpm.in b/lib/libtpm/tpm.in index 0086f33..1e8ffc1 100644 --- a/lib/libtpm/tpm.in +++ b/lib/libtpm/tpm.in @@ -17,6 +17,7 @@ cod(tpm-start) cod(tpm-finalize) cod(tpm-unassert-physical-presence) cod(tpm-set-log-parameters) +cod(tpm-get-logsize) cod(tpm-log-event) cod(tpm-hash-log-extend-event) cod(tpm-hash-all) From patchwork Wed Dec 11 20:27:02 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1207896 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47Y7mh0NYyz9sRH for ; Thu, 12 Dec 2019 07:28:36 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47Y7mg6KVNzDqhs for ; Thu, 12 Dec 2019 07:28:35 +1100 (AEDT) X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47Y7ll3FfXzDqQl for ; Thu, 12 Dec 2019 07:27:44 +1100 (AEDT) Received: from pps.filterd (m0098410.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xBBKGhGp105917; Wed, 11 Dec 2019 15:27:41 -0500 Received: from ppma03dal.us.ibm.com (b.bd.3ea9.ip4.static.sl-reverse.com [169.62.189.11]) by mx0a-001b2d01.pphosted.com with ESMTP id 2wsrdqkp0b-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 15:27:41 -0500 Received: from pps.filterd (ppma03dal.us.ibm.com [127.0.0.1]) by ppma03dal.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id xBBKJLRd024373; Wed, 11 Dec 2019 20:27:40 GMT Received: from b01cxnp23033.gho.pok.ibm.com (b01cxnp23033.gho.pok.ibm.com [9.57.198.28]) by ppma03dal.us.ibm.com with ESMTP id 2wr3q7t23s-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 20:27:40 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp23033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xBBKRddC49873308 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Dec 2019 20:27:40 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id C78DEB206C; Wed, 11 Dec 2019 20:27:39 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id C336FB206B; Wed, 11 Dec 2019 20:27:39 +0000 (GMT) Received: from newfield.pok.ibm.com (unknown [9.47.158.66]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 11 Dec 2019 20:27:39 +0000 (GMT) From: Stefan Berger To: slof@lists.ozlabs.org Date: Wed, 11 Dec 2019 15:27:02 -0500 Message-Id: <20191211202728.127996-8-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> References: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-11_06:2019-12-11, 2019-12-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 phishscore=0 impostorscore=0 mlxlogscore=999 priorityscore=1501 adultscore=0 bulkscore=0 mlxscore=0 malwarescore=0 suspectscore=1 lowpriorityscore=0 clxscore=1015 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912110168 Subject: [SLOF] [PATCH v4 07/33] tpm: Add sml related nodes to vdevice/vtpm node X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kevin@koconnor.net MIME-Version: 1.0 Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" Add stored measurement log (sml) related firmware API calls to the vdevice/vtpm node and forward calls to them to the ibm,vtpm node. Once this patch is applied the Linux TPM's securityfs file /sys/kernel/security/tpm0/ascii_bios_measurements shows the list of measurements, which is still empty at this point. Signed-off-by: Stefan Berger Reviewed-by: Thomas Huth --- board-qemu/slof/vio-vtpm-cdriver.fs | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/board-qemu/slof/vio-vtpm-cdriver.fs b/board-qemu/slof/vio-vtpm-cdriver.fs index 53aad4d..04b8ea5 100644 --- a/board-qemu/slof/vio-vtpm-cdriver.fs +++ b/board-qemu/slof/vio-vtpm-cdriver.fs @@ -74,6 +74,30 @@ false VALUE vtpm-debug? THEN ; +\ firmware API call +: sml-get-allocated-size ( -- buffer-size) + " sml-get-allocated-size" vtpm-call-forward IF + \ vtpm-call-forward failed + 0 + THEN +; + +\ firmware API call +: sml-get-handover-size ( -- size) + " sml-get-handover-size" vtpm-call-forward IF + \ vtpm-call-forward failed + 0 + THEN +; + +\ firmware API call +: sml-handover ( dest size -- ) + " sml-handover" vtpm-call-forward IF + \ vtpm-call-forward failed; clean up stack + 2drop + THEN +; + \ firmware API call : hash-all ( data-ptr data-len hash-ptr -- ) " hash-all" vtpm-call-forward IF From patchwork Wed Dec 11 20:27:03 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1207890 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47Y7m31sfHz9sR8 for ; Thu, 12 Dec 2019 07:28:03 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47Y7m307fzzDqQl for ; Thu, 12 Dec 2019 07:28:03 +1100 (AEDT) X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.158.5; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47Y7lk6ybJzDqKJ for ; Thu, 12 Dec 2019 07:27:43 +1100 (AEDT) Received: from pps.filterd (m0098421.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xBBKGhGS004778; Wed, 11 Dec 2019 15:27:41 -0500 Received: from ppma03wdc.us.ibm.com (ba.79.3fa9.ip4.static.sl-reverse.com [169.63.121.186]) by mx0a-001b2d01.pphosted.com with ESMTP id 2wtdp4tuee-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 15:27:40 -0500 Received: from pps.filterd (ppma03wdc.us.ibm.com [127.0.0.1]) by ppma03wdc.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id xBBKNQbO021863; Wed, 11 Dec 2019 20:27:40 GMT Received: from b01cxnp22033.gho.pok.ibm.com (b01cxnp22033.gho.pok.ibm.com [9.57.198.23]) by ppma03wdc.us.ibm.com with ESMTP id 2wr3q6r3x2-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 20:27:40 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xBBKRebH51053020 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Dec 2019 20:27:40 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id EC825B2065; Wed, 11 Dec 2019 20:27:39 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id D455DB2064; Wed, 11 Dec 2019 20:27:39 +0000 (GMT) Received: from newfield.pok.ibm.com (unknown [9.47.158.66]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 11 Dec 2019 20:27:39 +0000 (GMT) From: Stefan Berger To: slof@lists.ozlabs.org Date: Wed, 11 Dec 2019 15:27:03 -0500 Message-Id: <20191211202728.127996-9-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> References: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-11_06:2019-12-11, 2019-12-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxlogscore=999 clxscore=1015 lowpriorityscore=0 malwarescore=0 spamscore=0 suspectscore=15 priorityscore=1501 mlxscore=0 phishscore=0 impostorscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912110168 Subject: [SLOF] [PATCH v4 08/33] tpm: Implement measurements of the master boot record X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kevin@koconnor.net MIME-Version: 1.0 Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" This patch adds support for measuring the boot block of the MBR and logging the measurement. It also puts an 'event' separator into the log that can then be seen in Linux's /sys/kernel/security/tpm0/ascii_bios_measurements. More low-level C functions are added for measuring and logging of disk related data, along with their FORTH-level counterparts. Logging follows the specifications found on the following page: http://www.trustedcomputinggroup.org/resources/pc_client_work_group_specific_implementation_specification_for_conventional_bios Signed-off-by: Stefan Berger --- board-qemu/slof/vtpm-sml.fs | 23 +++++++ lib/libtpm/tcgbios.c | 107 +++++++++++++++++++++++++++++++++ lib/libtpm/tcgbios.h | 6 ++ lib/libtpm/tpm.code | 23 +++++++ lib/libtpm/tpm.in | 2 + slof/fs/packages/disk-label.fs | 10 ++- 6 files changed, 170 insertions(+), 1 deletion(-) diff --git a/board-qemu/slof/vtpm-sml.fs b/board-qemu/slof/vtpm-sml.fs index 557aa62..b4a0fc1 100644 --- a/board-qemu/slof/vtpm-sml.fs +++ b/board-qemu/slof/vtpm-sml.fs @@ -88,6 +88,29 @@ log-base LOG-SIZE tpm-set-log-parameters \ internal API calls \ +: separator-event ( start-pcr end-pcr -- ) + tpm-add-event-separators ( errcode ) + dup 0<> IF + ." VTPM: Error code from tpm-add-event-separators: " . cr + ELSE + drop + THEN +; + +80 CONSTANT BCV_DEVICE_HDD + +: measure-hdd-mbr ( addr -- ) + 4 5 separator-event + 200 BCV_DEVICE_HDD ( addr length bootdrv ) + -rot ( bootdrv addr length ) + tpm-measure-bcv-mbr ( errcode ) + dup 0<> IF + ." VTPM: Error code from tpm-measure-hdd: " . cr + ELSE + drop + THEN +; + : unassert-physical-presence ( -- ) tpm-unassert-physical-presence ( errcode ) dup 0<> IF diff --git a/lib/libtpm/tcgbios.c b/lib/libtpm/tcgbios.c index d655ae1..401bb1c 100644 --- a/lib/libtpm/tcgbios.c +++ b/lib/libtpm/tcgbios.c @@ -421,6 +421,35 @@ static uint32_t hash_log_extend(struct pcpes *pcpes, return 0; } +/* + * Add a measurement to the log; + * + * Input parameters: + * @pcrindex : PCR to extend + * @event_type : type of event + * @info : pointer to info (i.e., string) to be added to the log as-is + * @info_length: length of the info + * @hashdata : pointer to data to be hashed + * @hashdata_length: length of the data + * + */ +static uint32_t tpm_add_measurement_to_log(uint32_t pcrindex, + uint32_t eventtype, + const char *info, + uint32_t infolen, + const uint8_t *hashdata, + uint32_t hashdatalen) +{ + struct pcpes pcpes; + + pcpes.pcrindex = pcrindex; + pcpes.eventtype = eventtype; + memset(&pcpes.digest, 0, sizeof(pcpes.digest)); + + return hash_log_extend(&pcpes, hashdata, hashdatalen, + info, infolen, true); +} + /* * tpm_hash_log_extend_event: Function for interfacing with the firmware API */ @@ -439,3 +468,81 @@ uint32_t tpm_hash_log_extend_event(struct pcpes *pcpes) &pcpes->event, pcpes->eventdatasize, event, event_length, true); } + +/* + * Add an EV_ACTION measurement to the list of measurements + */ +static uint32_t tpm_add_action(uint32_t pcrIndex, const char *string) +{ + uint32_t len = strlen(string); + + return tpm_add_measurement_to_log(pcrIndex, EV_ACTION, + string, len, (uint8_t *)string, len); +} + +/* + * Add event separators for a range of PCRs + */ +uint32_t tpm_add_event_separators(uint32_t start_pcr, uint32_t end_pcr) +{ + static const uint8_t evt_separator[] = {0xff,0xff,0xff,0xff}; + uint32_t rc = 0; + uint32_t pcrIndex; + + if (!tpm_is_working()) + return TCGBIOS_GENERAL_ERROR; + + if (start_pcr >= 24 || start_pcr > end_pcr) + return TCGBIOS_INVALID_INPUT_PARA; + + /* event separators need to be extended and logged for PCRs 0-7 */ + for (pcrIndex = start_pcr; pcrIndex <= end_pcr; pcrIndex++) { + rc = tpm_add_measurement_to_log(pcrIndex, EV_SEPARATOR, + NULL, 0, + evt_separator, + sizeof(evt_separator)); + if (rc) + break; + } + + return rc; +} + +uint32_t tpm_measure_bcv_mbr(uint32_t bootdrv, const uint8_t *addr, + uint32_t length) +{ + uint32_t rc; + const char *string; + + if (!tpm_is_working()) + return TCGBIOS_GENERAL_ERROR; + + if (length < 0x200) + return TCGBIOS_INVALID_INPUT_PARA; + + string = "Booting BCV device 00h (Floppy)"; + if (bootdrv == BCV_DEVICE_HDD) + string = "Booting BCV device 80h (HDD)"; + + rc = tpm_add_action(4, string); + if (rc) + return rc; + + /* + * equivalent to: dd if=/dev/hda ibs=1 count=440 | sha1sum + */ + string = "MBR"; + rc = tpm_add_measurement_to_log(4, EV_IPL, + string, strlen(string), + addr, 0x1b8); + if (rc) + return rc; + + /* + * equivalent to: dd if=/dev/hda ibs=1 count=72 skip=440 | sha1sum + */ + string = "MBR PARTITION TABLE"; + return tpm_add_measurement_to_log(5, EV_IPL_PARTITION_DATA, + string, strlen(string), + addr + 0x1b8, 0x48); +} diff --git a/lib/libtpm/tcgbios.h b/lib/libtpm/tcgbios.h index 592ae6d..3ccfca5 100644 --- a/lib/libtpm/tcgbios.h +++ b/lib/libtpm/tcgbios.h @@ -16,6 +16,9 @@ #include #include +#define BCV_DEVICE_FLOPPY 0x0 +#define BCV_DEVICE_HDD 0x80 + struct pcpes; uint32_t tpm_start(void); @@ -26,5 +29,8 @@ uint32_t tpm_get_logsize(void); uint32_t tpm_hash_log_extend_event(struct pcpes *pcpes); bool tpm_log_event(struct pcpes *pcpes); uint32_t tpm_hash_all(const void *data, uint32_t datalen, void *hashptr); +uint32_t tpm_measure_bcv_mbr(uint32_t bootdrv, const uint8_t *addr, + uint32_t length); +uint32_t tpm_add_event_separators(uint32_t start_pcr, uint32_t end_pcr); #endif /* TCGBIOS_H */ diff --git a/lib/libtpm/tpm.code b/lib/libtpm/tpm.code index eed9fbf..d4a1a72 100644 --- a/lib/libtpm/tpm.code +++ b/lib/libtpm/tpm.code @@ -97,3 +97,26 @@ PRIM(tpm_X2d_get_X2d_logsize) PUSH; TOS.n = tpm_get_logsize(); MIRP + +/**********************************************************************/ +/* Measure and log event separators */ +/* SLOF: tpm-add-event-separators ( start-pcr end-pcr -- errcode) */ +/* LIBTPM: errcode = tpm_add_event_separators(start_pcr, end_pcr) */ +/**********************************************************************/ +PRIM(tpm_X2d_add_X2d_event_X2d_separators) + int end_pcr = TOS.u; POP; + int start_pcr = TOS.u; + TOS.n = tpm_add_event_separators(start_pcr, end_pcr); +MIRP + +/*************************************************************************/ +/* Measure and log boot connect vector (bcv) device's master boot record */ +/* SLOF: tpm-measure-bcv-mbr ( bootdrv addr length -- errcode ) */ +/* LIBTPM: errcode = tpm_measure_bcv_mbr(bbotdrv, addr, length) */ +/*************************************************************************/ +PRIM(tpm_X2d_measure_X2d_bcv_X2d_mbr) + int length = TOS.u; POP; + void *addr = TOS.a; POP; + int bootdrv = TOS.u; + TOS.n = tpm_measure_bcv_mbr(bootdrv, addr, length); +MIRP diff --git a/lib/libtpm/tpm.in b/lib/libtpm/tpm.in index 1e8ffc1..2d3d75e 100644 --- a/lib/libtpm/tpm.in +++ b/lib/libtpm/tpm.in @@ -21,3 +21,5 @@ cod(tpm-get-logsize) cod(tpm-log-event) cod(tpm-hash-log-extend-event) cod(tpm-hash-all) +cod(tpm-add-event-separators) +cod(tpm-measure-bcv-mbr) diff --git a/slof/fs/packages/disk-label.fs b/slof/fs/packages/disk-label.fs index 8859fb0..b130743 100644 --- a/slof/fs/packages/disk-label.fs +++ b/slof/fs/packages/disk-label.fs @@ -550,7 +550,15 @@ B9E5 CONSTANT GPT-BASIC-DATA-PARTITION-2 \ load from a bootable partition : load-from-boot-partition ( addr -- size ) debug-disk-label? IF ." Trying DOS boot " .s cr THEN - dup load-from-dos-boot-partition ?dup 0 <> IF nip EXIT THEN + dup load-from-dos-boot-partition ?dup 0 <> IF + nip + block s" /ibm,vtpm" find-node dup IF + s" measure-hdd-mbr" rot $call-static + ELSE + 2drop + THEN + EXIT + THEN debug-disk-label? IF ." Trying CHRP boot " .s cr THEN 1 disk-chrp-boot ! From patchwork Wed Dec 11 20:27:04 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1207911 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47Y7pS4vrdz9sR8 for ; Thu, 12 Dec 2019 07:30:08 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47Y7pS3c68zDqsM for ; Thu, 12 Dec 2019 07:30:08 +1100 (AEDT) X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47Y7ll6Y8NzDqWh for ; Thu, 12 Dec 2019 07:27:44 +1100 (AEDT) Received: from pps.filterd (m0187473.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xBBKGXX0133896; Wed, 11 Dec 2019 15:27:42 -0500 Received: from ppma01dal.us.ibm.com (83.d6.3fa9.ip4.static.sl-reverse.com [169.63.214.131]) by mx0a-001b2d01.pphosted.com with ESMTP id 2wr8m09rma-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 15:27:41 -0500 Received: from pps.filterd (ppma01dal.us.ibm.com [127.0.0.1]) by ppma01dal.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id xBBKQ0XD000622; Wed, 11 Dec 2019 20:27:40 GMT Received: from b01cxnp22033.gho.pok.ibm.com (b01cxnp22033.gho.pok.ibm.com [9.57.198.23]) by ppma01dal.us.ibm.com with ESMTP id 2wr3q7a2t3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 20:27:40 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xBBKReMv51053022 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Dec 2019 20:27:40 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 11F54B2064; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id EDF78B2066; Wed, 11 Dec 2019 20:27:39 +0000 (GMT) Received: from newfield.pok.ibm.com (unknown [9.47.158.66]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 11 Dec 2019 20:27:39 +0000 (GMT) From: Stefan Berger To: slof@lists.ozlabs.org Date: Wed, 11 Dec 2019 15:27:04 -0500 Message-Id: <20191211202728.127996-10-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> References: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-11_06:2019-12-11, 2019-12-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxscore=0 mlxlogscore=999 lowpriorityscore=0 priorityscore=1501 impostorscore=0 malwarescore=0 phishscore=0 bulkscore=0 clxscore=1015 adultscore=0 spamscore=0 suspectscore=15 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912110168 Subject: [SLOF] [PATCH v4 09/33] tpm: Add support for controlling the states of the TPM X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kevin@koconnor.net MIME-Version: 1.0 Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" This patch adds support for controlling the various states of the TPM, such as enabling and disabling the TPM, deactivating and activating it, and clearing ownership. The TPM menu implementation will call these functions by calling tpm_process_opcode with an opcode indicating as to how the state of the TPM is to be changed. Signed-off-by: Stefan Berger --- lib/libtpm/tcgbios.c | 203 +++++++++++++++++++++++++++++++++++++++ lib/libtpm/tcgbios.h | 1 + lib/libtpm/tcgbios_int.h | 35 +++++++ lib/libtpm/tpm.code | 12 +++ lib/libtpm/tpm.in | 1 + 5 files changed, 252 insertions(+) diff --git a/lib/libtpm/tcgbios.c b/lib/libtpm/tcgbios.c index 401bb1c..8bd684c 100644 --- a/lib/libtpm/tcgbios.c +++ b/lib/libtpm/tcgbios.c @@ -56,6 +56,8 @@ struct tpm_state { static struct tpm_state tpm_state; +typedef uint8_t tpm_ppi_op; + /******************************************************** Extensions for TCG-enabled BIOS *******************************************************/ @@ -546,3 +548,204 @@ uint32_t tpm_measure_bcv_mbr(uint32_t bootdrv, const uint8_t *addr, string, strlen(string), addr + 0x1b8, 0x48); } + +/**************************************************************** + * TPM Configuration Menu + ****************************************************************/ + +static int tpm12_read_has_owner(bool *has_owner) +{ + struct tpm_rsp_getcap_ownerauth oauth; + int ret = tpm12_get_capability(TPM_CAP_PROPERTY, TPM_CAP_PROP_OWNER, + &oauth.hdr, sizeof(oauth)); + if (ret) + return -1; + + *has_owner = oauth.flag; + + return 0; +} + +static int tpm12_enable_tpm(bool enable, bool verbose) +{ + struct tpm_permanent_flags pf; + int ret = tpm12_read_permanent_flags((char *)&pf, sizeof(pf)); + if (ret) + return -1; + + if (pf.flags[PERM_FLAG_IDX_DISABLE] && !enable) + return 0; + + ret = tpm_simple_cmd(0, enable ? TPM_ORD_PHYSICAL_ENABLE + : TPM_ORD_PHYSICAL_DISABLE, + 0, 0, TPM_DURATION_TYPE_SHORT); + if (ret) { + if (enable) { + dprintf("TCGBIOS: Enabling the TPM failed.\n"); + } else { + dprintf("TCGBIOS: Disabling the TPM failed.\n"); + } + } + return ret; +} + +static int tpm12_activate_tpm(bool activate, bool allow_reset, bool verbose) +{ + struct tpm_permanent_flags pf; + int ret = tpm12_read_permanent_flags((char *)&pf, sizeof(pf)); + if (ret) + return -1; + + if (pf.flags[PERM_FLAG_IDX_DEACTIVATED] && !activate) + return 0; + + if (pf.flags[PERM_FLAG_IDX_DISABLE]) + return 0; + + ret = tpm_simple_cmd(0, TPM_ORD_PHYSICAL_SET_DEACTIVATED, + 1, activate ? 0 : 1, + TPM_DURATION_TYPE_SHORT); + if (ret) + return ret; + + if (activate && allow_reset) { + if (verbose) + printf("Requiring a reboot to activate the TPM.\n"); + } + + return 0; +} + +static int tpm12_enable_activate(int allow_reset, bool verbose) +{ + int ret = tpm12_enable_tpm(true, verbose); + if (ret) + return ret; + + return tpm12_activate_tpm(true, allow_reset, verbose); +} + +static int tpm12_force_clear(bool enable_activate_before, + bool enable_activate_after, + bool verbose) +{ + bool has_owner; + int ret = tpm12_read_has_owner(&has_owner); + if (ret) + return -1; + if (!has_owner) { + if (verbose) + printf("TPM does not have an owner.\n"); + return 0; + } + + if (enable_activate_before) { + ret = tpm12_enable_activate(false, verbose); + if (ret) { + dprintf("TCGBIOS: Enabling/activating the TPM failed.\n"); + return ret; + } + } + + ret = tpm_simple_cmd(0, TPM_ORD_FORCE_CLEAR, + 0, 0, TPM_DURATION_TYPE_SHORT); + if (ret) + return ret; + + if (!enable_activate_after) { + if (verbose) + printf("Owner successfully cleared.\n" + "You will need to enable/activate the TPM again.\n\n"); + return 0; + } + + return tpm12_enable_activate(true, verbose); +} + +static int tpm12_set_owner_install(bool allow, bool verbose) +{ + bool has_owner; + struct tpm_permanent_flags pf; + int ret = tpm12_read_has_owner(&has_owner); + if (ret) + return -1; + + if (has_owner) { + if (verbose) + printf("Must first remove owner.\n"); + return 0; + } + + ret = tpm12_read_permanent_flags((char *)&pf, sizeof(pf)); + if (ret) + return -1; + + if (pf.flags[PERM_FLAG_IDX_DISABLE]) { + if (verbose) + printf("TPM must first be enable.\n"); + return 0; + } + + ret = tpm_simple_cmd(0, TPM_ORD_SET_OWNER_INSTALL, + 1, allow ? 1 : 0, TPM_DURATION_TYPE_SHORT); + if (ret) + return ret; + + if (verbose) + printf("Installation of owner %s.\n", + allow ? "enabled" : "disabled"); + + return 0; +} + +static int tpm12_process_cfg(tpm_ppi_op ppi_op, bool verbose) +{ + int ret = 0; + + switch (ppi_op) { + case TPM_PPI_OP_NOOP: /* no-op */ + break; + + case TPM_PPI_OP_ENABLE: + ret = tpm12_enable_tpm(true, verbose); + break; + + case TPM_PPI_OP_DISABLE: + ret = tpm12_enable_tpm(false, verbose); + break; + + case TPM_PPI_OP_ACTIVATE: + ret = tpm12_activate_tpm(true, true, verbose); + break; + + case TPM_PPI_OP_DEACTIVATE: + ret = tpm12_activate_tpm(false, true, verbose); + break; + + case TPM_PPI_OP_CLEAR: + ret = tpm12_force_clear(true, false, verbose); + break; + + case TPM_PPI_OP_SET_OWNERINSTALL_TRUE: + ret = tpm12_set_owner_install(true, verbose); + break; + + case TPM_PPI_OP_SET_OWNERINSTALL_FALSE: + ret = tpm12_set_owner_install(false, verbose); + break; + + default: + break; + } + + if (ret) + printf("Op %d: An error occurred: 0x%x TPM\n", + ppi_op, ret); + + return ret; +} + +uint32_t tpm_process_opcode(uint8_t op, bool verbose) +{ + return tpm12_process_cfg(op, verbose); +} diff --git a/lib/libtpm/tcgbios.h b/lib/libtpm/tcgbios.h index 3ccfca5..b288778 100644 --- a/lib/libtpm/tcgbios.h +++ b/lib/libtpm/tcgbios.h @@ -32,5 +32,6 @@ uint32_t tpm_hash_all(const void *data, uint32_t datalen, void *hashptr); uint32_t tpm_measure_bcv_mbr(uint32_t bootdrv, const uint8_t *addr, uint32_t length); uint32_t tpm_add_event_separators(uint32_t start_pcr, uint32_t end_pcr); +uint32_t tpm_process_opcode(uint8_t op, bool verbose); #endif /* TCGBIOS_H */ diff --git a/lib/libtpm/tcgbios_int.h b/lib/libtpm/tcgbios_int.h index b3ab0ad..1893ab2 100644 --- a/lib/libtpm/tcgbios_int.h +++ b/lib/libtpm/tcgbios_int.h @@ -14,6 +14,7 @@ #define TCGBIOS_INT_H #include +#include #include "tpm_drivers.h" @@ -111,6 +112,7 @@ struct tpm_req_getcap { #define TPM_CAP_FLAG 0x04 #define TPM_CAP_PROPERTY 0x05 #define TPM_CAP_FLAG_PERMANENT 0x108 +#define TPM_CAP_PROP_OWNER 0x111 #define TPM_CAP_PROP_DURATION 0x120 struct tpm_req_getcap_perm_flags { @@ -139,6 +141,30 @@ struct tpm_rsp_getcap_perm_flags { struct tpm_permanent_flags perm_flags; } __attribute__((packed)); +struct tpm_req_getcap_stclear_flags { + struct tpm_req_header hdr; + uint32_t cap_area; + uint32_t sub_cap_size; + uint32_t sub_cap; +} __attribute__((packed)); + +struct tpm_stclear_flags { + uint16_t tag; + uint8_t flags[5]; +} __attribute__((packed)); + +#define STCLEAR_FLAG_IDX_DEACTIVATED 0 +#define STCLEAR_FLAG_IDX_DISABLE_FORCE_CLEAR 1 +#define STCLEAR_FLAG_IDX_PHYSICAL_PRESENCE 2 +#define STCLEAR_FLAG_IDX_PHYSICAL_PRESENCE_LOCK 3 +#define STCLEAR_FLAG_IDX_GLOBAL_LOCK 4 + +struct tpm_rsp_getcap_stclear_flags { + struct tpm_rsp_header hdr; + uint32_t size; + struct tpm_stclear_flags stclear_flags; +} __attribute__((packed)); + struct tpm_rsp_getcap_ownerauth { struct tpm_rsp_header hdr; uint32_t size; @@ -151,4 +177,13 @@ struct tpm_rsp_getcap_durations { uint32_t durations[TPM_NUM_DURATIONS]; } __attribute__((packed)); +#define TPM_PPI_OP_NOOP 0 +#define TPM_PPI_OP_ENABLE 1 +#define TPM_PPI_OP_DISABLE 2 +#define TPM_PPI_OP_ACTIVATE 3 +#define TPM_PPI_OP_DEACTIVATE 4 +#define TPM_PPI_OP_CLEAR 5 +#define TPM_PPI_OP_SET_OWNERINSTALL_TRUE 8 +#define TPM_PPI_OP_SET_OWNERINSTALL_FALSE 9 + #endif /* TCGBIOS_INT_H */ diff --git a/lib/libtpm/tpm.code b/lib/libtpm/tpm.code index d4a1a72..1a5273f 100644 --- a/lib/libtpm/tpm.code +++ b/lib/libtpm/tpm.code @@ -14,6 +14,7 @@ */ #include +#include /************************************************/ @@ -120,3 +121,14 @@ PRIM(tpm_X2d_measure_X2d_bcv_X2d_mbr) int bootdrv = TOS.u; TOS.n = tpm_measure_bcv_mbr(bootdrv, addr, length); MIRP + +/*************************************************************/ +/* Process an opcode to change state of the TPM */ +/* SLOF: tpm-process-opcode ( opcode verbose -- errcode) */ +/* LIBTPM: tpm_process_opcode(opcode, verbose) */ +/*************************************************************/ +PRIM(tpm_X2d_process_X2d_opcode) + int opcode = TOS.u; POP; + bool verbose = TOS.u; + TOS.n = tpm_process_opcode(opcode, verbose); +MIRP diff --git a/lib/libtpm/tpm.in b/lib/libtpm/tpm.in index 2d3d75e..9fb30bb 100644 --- a/lib/libtpm/tpm.in +++ b/lib/libtpm/tpm.in @@ -23,3 +23,4 @@ cod(tpm-hash-log-extend-event) cod(tpm-hash-all) cod(tpm-add-event-separators) cod(tpm-measure-bcv-mbr) +cod(tpm-process-opcode) From patchwork Wed Dec 11 20:27:05 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1207904 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47Y7nk6Q6Zz9sR7 for ; Thu, 12 Dec 2019 07:29:30 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47Y7nk599MzDqv1 for ; Thu, 12 Dec 2019 07:29:30 +1100 (AEDT) X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47Y7ll6WMGzDqTh for ; Thu, 12 Dec 2019 07:27:44 +1100 (AEDT) Received: from pps.filterd (m0098409.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xBBKGgaK006159; Wed, 11 Dec 2019 15:27:42 -0500 Received: from ppma05wdc.us.ibm.com (1b.90.2fa9.ip4.static.sl-reverse.com [169.47.144.27]) by mx0a-001b2d01.pphosted.com with ESMTP id 2wthkj76q7-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 15:27:41 -0500 Received: from pps.filterd (ppma05wdc.us.ibm.com [127.0.0.1]) by ppma05wdc.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id xBBKEtEd026499; Wed, 11 Dec 2019 20:27:40 GMT Received: from b01cxnp22033.gho.pok.ibm.com (b01cxnp22033.gho.pok.ibm.com [9.57.198.23]) by ppma05wdc.us.ibm.com with ESMTP id 2wtdq7b85j-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 20:27:40 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xBBKReL751053024 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Dec 2019 20:27:40 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 2209CB2065; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 13728B2067; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) Received: from newfield.pok.ibm.com (unknown [9.47.158.66]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) From: Stefan Berger To: slof@lists.ozlabs.org Date: Wed, 11 Dec 2019 15:27:05 -0500 Message-Id: <20191211202728.127996-11-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> References: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-11_06:2019-12-11, 2019-12-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 malwarescore=0 clxscore=1015 priorityscore=1501 mlxscore=0 suspectscore=15 spamscore=0 mlxlogscore=999 bulkscore=0 phishscore=0 adultscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912110168 Subject: [SLOF] [PATCH v4 10/33] tpm: Add support for a TPM menu to control the state of the TPM X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kevin@koconnor.net MIME-Version: 1.0 Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" This patch provides an addtional menu that enables the user to control certain aspects of the TPM's state. If a working TPM has been detected, the menu will look like this: The TPM is enabled, active, does not have an owner but one can be installed. To configure the TPM, choose one of the following actions: d. Disable the TPM v. Deactivate the TPM p. Prevent installation of an owner Note: To fully use the TPM it must be enabled and activated. Press escape to continue boot. This menu can be access by pressing the 't' key during boot. The menu will not be shown if no TPM is available. Signed-off-by: Stefan Berger --- board-qemu/slof/OF.fs | 3 + board-qemu/slof/vtpm-sml.fs | 189 ++++++++++++++++++++++++++++++++++++ lib/libtpm/tcgbios.c | 30 +++++- lib/libtpm/tcgbios.h | 9 ++ lib/libtpm/tpm.code | 20 ++++ lib/libtpm/tpm.in | 2 + slof/fs/start-up.fs | 9 ++ 7 files changed, 261 insertions(+), 1 deletion(-) diff --git a/board-qemu/slof/OF.fs b/board-qemu/slof/OF.fs index 3e117ad..7bdd6ea 100644 --- a/board-qemu/slof/OF.fs +++ b/board-qemu/slof/OF.fs @@ -175,6 +175,9 @@ CREATE version-str 10 ALLOT version-str 8 + @ \ end over - dump-display-write " Press 's' to enter Open Firmware." dump-display-write + s" /ibm,vtpm" find-node IF + " Press 't' to enter TPM menu." terminal-write drop + THEN cr cr temp-ptr disp-size > IF temp-ptr disp-size MOD diff --git a/board-qemu/slof/vtpm-sml.fs b/board-qemu/slof/vtpm-sml.fs index b4a0fc1..60bd03c 100644 --- a/board-qemu/slof/vtpm-sml.fs +++ b/board-qemu/slof/vtpm-sml.fs @@ -120,6 +120,195 @@ log-base LOG-SIZE tpm-set-log-parameters THEN ; +\ +\ TPM menu +\ + +1 CONSTANT TPM_ST_ENABLED +2 CONSTANT TPM_ST_ACTIVE +4 CONSTANT TPM_ST_OWNED +8 CONSTANT TPM_ST_OWNERINSTALL + +\ helper to test whether the TPM is enabled and active +: is-enabled-active? ( state -- ok? ) + TPM_ST_ENABLED TPM_ST_ACTIVE OR dup rot AND = +; + +\ display the menu for manipulating TPM state; we get +\ the state of the TPM in form of flags from the C-driver +\ +\ Some info about the TPM's states: +\ - enabling/disabling can be done at any time +\ - activating/deactivating the TPM requires an enabled TPM +\ - clearing ownership can be done even if the TPM is deactivated and disabled +\ - allowing/preventing owner installation requires an enabled and active TPM +\ +: tpm12-menu-show ( -- ) + tpm-is-working IF + ." The TPM is " + + tpm-get-state ( flags ) + + dup TPM_ST_ENABLED AND TPM_ST_ENABLED <> IF + ." disabled" + ELSE + ." enabled" + THEN + + dup TPM_ST_ACTIVE AND TPM_ST_ACTIVE <> IF + ." , deactivated" + ELSE + ." , active" + THEN + + dup TPM_ST_OWNED AND TPM_ST_OWNED <> IF + ." , does not have an owner " + dup TPM_ST_OWNERINSTALL AND TPM_ST_OWNERINSTALL <> IF + ." and an owner cannot be installed." + ELSE + ." but one can be installed." + THEN + ELSE + ." , and has an owner." + THEN + + cr cr + ." To configure the TPM, choose one of the following actions:" + cr cr + + dup TPM_ST_ENABLED AND TPM_ST_ENABLED <> IF + ." e. Enable the TPM" cr + ELSE + ." d. Disable the TPM" cr + + dup TPM_ST_ACTIVE AND TPM_ST_ACTIVE <> IF + ." a. Activate the TPM" cr + ELSE + ." v. Deactivate the TPM" cr + + dup TPM_ST_OWNERINSTALL AND TPM_ST_OWNERINSTALL <> IF + ." s. Allow installation of an owner" cr + ELSE + ." p. Prevent installation of an owner" cr + THEN + THEN + + THEN + + dup TPM_ST_OWNED AND TPM_ST_OWNED = IF + ." c. Clear ownership" cr + THEN + + cr + \ If the TPM is either disabled or deactivated, show message + is-enabled-active? 0= IF + ." Note: To be able to use all features of the TPM, it must be enabled and active." + cr cr + THEN + + ELSE + ." The TPM is not working correctly." cr + THEN + + ." Press escape to continue boot." cr cr +; + +\ Send a code to the C-driver to change the state of the vTPM +: process-opcode ( verbose? opcode -- ) + tpm-process-opcode + dup 0<> IF + ." VTPM: Error code from tpm-process-opcode: " . cr + ELSE + drop + THEN +; + +1 CONSTANT PPI_OP_ENABLE +2 CONSTANT PPI_OP_DISABLE +3 CONSTANT PPI_OP_ACTIVATE +4 CONSTANT PPI_OP_DEACTIVATE +5 CONSTANT PPI_OP_CLEAR +8 CONSTANT PPI_OP_SETOWNERINSTALL_TRUE +9 CONSTANT PPI_OP_SETOWNERINSTALL_FALSE + +\ if there's a vtpm available, display the menu +\ wait for keyboard input and have the C-driver +\ process opcodes we derive from the chosen menu +\ item +: vtpm12-menu + tpm-is-working IF + \ vtpm-empty-keybuffer + tpm12-menu-show + BEGIN + 0 \ loop end-flag ( 0 ) + key CASE + [char] e OF tpm-get-state ( 0 flags ) + TPM_ST_ENABLED AND TPM_ST_ENABLED <> IF + 0 PPI_OP_ENABLE process-opcode + tpm12-menu-show + THEN + ENDOF + [char] d OF tpm-get-state ( 0 flags ) + TPM_ST_ENABLED AND TPM_ST_ENABLED = IF + 0 PPI_OP_DISABLE process-opcode + tpm12-menu-show + THEN + ENDOF + [char] a OF tpm-get-state ( 0 flags ) + TPM_ST_ACTIVE AND TPM_ST_ACTIVE <> IF + 0 PPI_OP_ACTIVATE process-opcode + tpm-get-state + TPM_ST_ACTIVE AND TPM_ST_ACTIVE = IF + ." The system needs to reboot to activate the TPM." + 100 MS \ so the message shows + reset-all + THEN + THEN + ENDOF + [char] v OF tpm-get-state ( 0 flags ) + TPM_ST_ACTIVE AND TPM_ST_ACTIVE = IF + 0 PPI_OP_DEACTIVATE process-opcode + tpm12-menu-show + THEN + ENDOF + [char] c OF tpm-get-state ( 0 flags ) + TPM_ST_OWNED AND TPM_ST_OWNED = IF + 0 PPI_OP_CLEAR process-opcode + tpm12-menu-show + THEN + ENDOF + [char] s OF tpm-get-state ( 0 flags ) + \ The TPM must be enabled and active to allow + \ owner installation mods + dup is-enabled-active? IF + TPM_ST_OWNERINSTALL AND TPM_ST_OWNERINSTALL <> IF + 0 PPI_OP_SETOWNERINSTALL_TRUE process-opcode + tpm12-menu-show + THEN + THEN + ENDOF + [char] p OF tpm-get-state ( 0 flags ) + \ The TPM must be enabled and active to allow + \ owner installation mods + dup is-enabled-active? IF + TPM_ST_OWNERINSTALL AND TPM_ST_OWNERINSTALL = IF + 0 PPI_OP_SETOWNERINSTALL_FALSE process-opcode + tpm12-menu-show + THEN + THEN + ENDOF + 1b OF ( 0 ) + drop 1 ( 1 ) + ENDOF + ENDCASE + UNTIL + THEN +; + +: vtpm-menu + vtpm12-menu +; + : open true ; : close ; diff --git a/lib/libtpm/tcgbios.c b/lib/libtpm/tcgbios.c index 8bd684c..3c9d2d7 100644 --- a/lib/libtpm/tcgbios.c +++ b/lib/libtpm/tcgbios.c @@ -206,7 +206,7 @@ static int tpm_extend(uint8_t *hash, uint32_t pcrindex) * Setup and Measurements ****************************************************************/ -static bool tpm_is_working(void) +bool tpm_is_working(void) { if (!tpm_state.tpm_probed) probe_tpm(); @@ -749,3 +749,31 @@ uint32_t tpm_process_opcode(uint8_t op, bool verbose) { return tpm12_process_cfg(op, verbose); } + +int tpm_get_state(void) +{ + int state = 0; + struct tpm_permanent_flags pf; + bool has_owner; + + if (tpm12_read_permanent_flags((char *)&pf, sizeof(pf)) || + tpm12_read_has_owner(&has_owner)) + return ~0; + + if (!pf.flags[PERM_FLAG_IDX_DISABLE]) + state |= TPM_STATE_ENABLED; /* enabled */ + + if (!pf.flags[PERM_FLAG_IDX_DEACTIVATED]) + state |= TPM_STATE_ACTIVE; /* active */ + + if (has_owner) { + state |= TPM_STATE_OWNED; /* has owner */ + } else { + if (pf.flags[PERM_FLAG_IDX_OWNERSHIP]) + state |= TPM_STATE_OWNERINSTALL; /* owner can be installed */ + } + + dprintf("TPM state flags = 0x%x\n", state); + + return state; +} diff --git a/lib/libtpm/tcgbios.h b/lib/libtpm/tcgbios.h index b288778..956df43 100644 --- a/lib/libtpm/tcgbios.h +++ b/lib/libtpm/tcgbios.h @@ -34,4 +34,13 @@ uint32_t tpm_measure_bcv_mbr(uint32_t bootdrv, const uint8_t *addr, uint32_t tpm_add_event_separators(uint32_t start_pcr, uint32_t end_pcr); uint32_t tpm_process_opcode(uint8_t op, bool verbose); +/* flags returned by tpm_get_state */ +#define TPM_STATE_ENABLED 1 +#define TPM_STATE_ACTIVE 2 +#define TPM_STATE_OWNED 4 +#define TPM_STATE_OWNERINSTALL 8 + +int tpm_get_state(void); +bool tpm_is_working(void); + #endif /* TCGBIOS_H */ diff --git a/lib/libtpm/tpm.code b/lib/libtpm/tpm.code index 1a5273f..3957028 100644 --- a/lib/libtpm/tpm.code +++ b/lib/libtpm/tpm.code @@ -132,3 +132,23 @@ PRIM(tpm_X2d_process_X2d_opcode) bool verbose = TOS.u; TOS.n = tpm_process_opcode(opcode, verbose); MIRP + +/************************************************/ +/* Get state of the TPM in form of flags */ +/* SLOF: tpm-get-state ( -- flags ) */ +/* LIBTPM: state = tpm_get_state() */ +/************************************************/ +PRIM(tpm_X2d_get_X2d_state) + PUSH; + TOS.n = tpm_get_state(); +MIRP + +/************************************************/ +/* Check whether the TPM is working */ +/* SLOF: tpm-is-working ( -- true | false ) */ +/* LIBTPM: bool = tpm_is_working() */ +/************************************************/ +PRIM(tpm_X2d_is_X2d_working) + PUSH; + TOS.n = tpm_is_working(); +MIRP diff --git a/lib/libtpm/tpm.in b/lib/libtpm/tpm.in index 9fb30bb..0e942bc 100644 --- a/lib/libtpm/tpm.in +++ b/lib/libtpm/tpm.in @@ -24,3 +24,5 @@ cod(tpm-hash-all) cod(tpm-add-event-separators) cod(tpm-measure-bcv-mbr) cod(tpm-process-opcode) +cod(tpm-get-state) +cod(tpm-is-working) diff --git a/slof/fs/start-up.fs b/slof/fs/start-up.fs index 0715357..d72579b 100644 --- a/slof/fs/start-up.fs +++ b/slof/fs/start-up.fs @@ -55,6 +55,14 @@ nvramlog-write-string-cr ; +: (t-pressed) ( -- ) + s" /ibm,vtpm" find-node dup IF + s" vtpm-menu" rot $call-static + ELSE + drop + THEN +; + : (boot?) ( -- ) \ last step before we boot we give up physical presence on the TPM s" /ibm,vtpm" find-node dup IF @@ -107,6 +115,7 @@ TRUE VALUE use-load-watchdog? key? IF key CASE [char] s OF (s-pressed) ENDOF + [char] t OF (t-pressed) (boot?) ENDOF 1b OF (esc-sequence) CASE 1 OF From patchwork Wed Dec 11 20:27:06 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1207912 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47Y7pZ60gCz9sR7 for ; Thu, 12 Dec 2019 07:30:14 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47Y7pZ4tlrzDqwL for ; Thu, 12 Dec 2019 07:30:14 +1100 (AEDT) X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47Y7lm0Mt3zDqKP for ; Thu, 12 Dec 2019 07:27:44 +1100 (AEDT) Received: from pps.filterd (m0098396.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xBBKGg3D020494; Wed, 11 Dec 2019 15:27:42 -0500 Received: from ppma02dal.us.ibm.com (a.bd.3ea9.ip4.static.sl-reverse.com [169.62.189.10]) by mx0a-001b2d01.pphosted.com with ESMTP id 2wtfbxur41-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 15:27:41 -0500 Received: from pps.filterd (ppma02dal.us.ibm.com [127.0.0.1]) by ppma02dal.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id xBBKPUQm024782; Wed, 11 Dec 2019 20:27:41 GMT Received: from b01cxnp22033.gho.pok.ibm.com (b01cxnp22033.gho.pok.ibm.com [9.57.198.23]) by ppma02dal.us.ibm.com with ESMTP id 2wr3q723tu-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 20:27:41 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xBBKReo153215496 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Dec 2019 20:27:40 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 44AF3B205F; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 2D499B2068; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) Received: from newfield.pok.ibm.com (unknown [9.47.158.66]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) From: Stefan Berger To: slof@lists.ozlabs.org Date: Wed, 11 Dec 2019 15:27:06 -0500 Message-Id: <20191211202728.127996-12-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> References: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-11_06:2019-12-11, 2019-12-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=15 spamscore=0 mlxlogscore=999 malwarescore=0 phishscore=0 priorityscore=1501 bulkscore=0 adultscore=0 mlxscore=0 lowpriorityscore=0 clxscore=1015 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912110168 Subject: [SLOF] [PATCH v4 11/33] tpm: Measure the static core root of trust for measurements X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kevin@koconnor.net MIME-Version: 1.0 Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" This patch adds support for measuring the static core root of trust (S-CRTM) and logging the measurements. Signed-off-by: Stefan Berger --- board-qemu/slof/vio-vtpm-cdriver.fs | 6 +++++ board-qemu/slof/vtpm-sml.fs | 9 ++++++++ lib/libtpm/tcgbios.c | 36 +++++++++++++++++++++++++++++ lib/libtpm/tcgbios.h | 1 + lib/libtpm/tcgbios_int.h | 2 ++ lib/libtpm/tpm.code | 10 ++++++++ lib/libtpm/tpm.in | 1 + 7 files changed, 65 insertions(+) diff --git a/board-qemu/slof/vio-vtpm-cdriver.fs b/board-qemu/slof/vio-vtpm-cdriver.fs index 04b8ea5..d4d0690 100644 --- a/board-qemu/slof/vio-vtpm-cdriver.fs +++ b/board-qemu/slof/vio-vtpm-cdriver.fs @@ -136,3 +136,9 @@ vtpm-init \ setup the log include vtpm-sml.fs + +s" /ibm,vtpm" find-node dup IF + s" measure-scrtm" rot $call-static +ELSE + drop +THEN diff --git a/board-qemu/slof/vtpm-sml.fs b/board-qemu/slof/vtpm-sml.fs index 60bd03c..b7ecb4a 100644 --- a/board-qemu/slof/vtpm-sml.fs +++ b/board-qemu/slof/vtpm-sml.fs @@ -120,6 +120,15 @@ log-base LOG-SIZE tpm-set-log-parameters THEN ; +: measure-scrtm ( -- ) + tpm-measure-scrtm ( errcode ) + dup 0<> IF + ." VTPM: Error code from tpm-measure-scrtm: " . cr + ELSE + drop + THEN +; + \ \ TPM menu \ diff --git a/lib/libtpm/tcgbios.c b/lib/libtpm/tcgbios.c index 3c9d2d7..e42b7e2 100644 --- a/lib/libtpm/tcgbios.c +++ b/lib/libtpm/tcgbios.c @@ -777,3 +777,39 @@ int tpm_get_state(void) return state; } + +uint32_t tpm_measure_scrtm(void) +{ + uint32_t rc; + + extern long print_version, print_version_end; + extern long _slof_data, _slof_data_end; + + char *version_start = (char *)&print_version; + uint32_t version_length = (long)&print_version_end - (long)&print_version; + + char *slof_start = (char *)&_slof_data; + uint32_t slof_length = (long)&_slof_data_end - (long)&_slof_data; + + const char *scrtm = "S-CRTM Contents"; + + dprintf("Measure S-CRTM Version: addr = %p, length = %d\n", + version_start, version_length); + + rc = tpm_add_measurement_to_log(0, EV_S_CRTM_VERSION, + version_start, version_length, + (uint8_t *)version_start, + version_length); + + if (rc) + return rc; + + dprintf("Measure S-CRTM Content: start = %p, length = %d\n", + &slof_start, slof_length); + + rc = tpm_add_measurement_to_log(0, EV_S_CRTM_CONTENTS, + scrtm, strlen(scrtm), + (uint8_t *)slof_start, slof_length); + + return rc; +} diff --git a/lib/libtpm/tcgbios.h b/lib/libtpm/tcgbios.h index 956df43..b08e12f 100644 --- a/lib/libtpm/tcgbios.h +++ b/lib/libtpm/tcgbios.h @@ -24,6 +24,7 @@ struct pcpes; uint32_t tpm_start(void); void tpm_finalize(void); uint32_t tpm_unassert_physical_presence(void); +uint32_t tpm_measure_scrtm(void); void tpm_set_log_parameters(void *address, unsigned int size); uint32_t tpm_get_logsize(void); uint32_t tpm_hash_log_extend_event(struct pcpes *pcpes); diff --git a/lib/libtpm/tcgbios_int.h b/lib/libtpm/tcgbios_int.h index 1893ab2..77ed815 100644 --- a/lib/libtpm/tcgbios_int.h +++ b/lib/libtpm/tcgbios_int.h @@ -59,6 +59,8 @@ #define EV_SEPARATOR 4 #define EV_ACTION 5 #define EV_EVENT_TAG 6 +#define EV_S_CRTM_CONTENTS 7 +#define EV_S_CRTM_VERSION 8 #define EV_IPL 13 #define EV_IPL_PARTITION_DATA 14 diff --git a/lib/libtpm/tpm.code b/lib/libtpm/tpm.code index 3957028..67877c0 100644 --- a/lib/libtpm/tpm.code +++ b/lib/libtpm/tpm.code @@ -152,3 +152,13 @@ PRIM(tpm_X2d_is_X2d_working) PUSH; TOS.n = tpm_is_working(); MIRP + +/************************************************/ +/* Have the S-CRTM measured */ +/* SLOF: tpm-measure-scrtm ( -- errcode ) */ +/* LIBTPM: errcode = tpm_measure_scrtm */ +/************************************************/ +PRIM(tpm_X2d_measure_X2d_scrtm) + PUSH; + TOS.n = tpm_measure_scrtm(); +MIRP diff --git a/lib/libtpm/tpm.in b/lib/libtpm/tpm.in index 0e942bc..59a4ba6 100644 --- a/lib/libtpm/tpm.in +++ b/lib/libtpm/tpm.in @@ -26,3 +26,4 @@ cod(tpm-measure-bcv-mbr) cod(tpm-process-opcode) cod(tpm-get-state) cod(tpm-is-working) +cod(tpm-measure-scrtm) From patchwork Wed Dec 11 20:27:07 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1207906 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47Y7ny4nmGz9sR7 for ; Thu, 12 Dec 2019 07:29:42 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47Y7ny1fQyzDqPN for ; Thu, 12 Dec 2019 07:29:42 +1100 (AEDT) X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47Y7ll6JzszDqKJ for ; Thu, 12 Dec 2019 07:27:44 +1100 (AEDT) Received: from pps.filterd (m0098393.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xBBKGfWT068511; Wed, 11 Dec 2019 15:27:42 -0500 Received: from ppma02wdc.us.ibm.com (aa.5b.37a9.ip4.static.sl-reverse.com [169.55.91.170]) by mx0a-001b2d01.pphosted.com with ESMTP id 2wtf8jd2gs-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 15:27:41 -0500 Received: from pps.filterd (ppma02wdc.us.ibm.com [127.0.0.1]) by ppma02wdc.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id xBBKF9ZM030496; Wed, 11 Dec 2019 20:27:40 GMT Received: from b01cxnp22033.gho.pok.ibm.com (b01cxnp22033.gho.pok.ibm.com [9.57.198.23]) by ppma02wdc.us.ibm.com with ESMTP id 2wr3q6r2ra-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 20:27:40 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xBBKReoA51053030 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Dec 2019 20:27:40 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 53173B2067; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 461ECB2064; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) Received: from newfield.pok.ibm.com (unknown [9.47.158.66]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) From: Stefan Berger To: slof@lists.ozlabs.org Date: Wed, 11 Dec 2019 15:27:07 -0500 Message-Id: <20191211202728.127996-13-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> References: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-11_06:2019-12-11, 2019-12-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=15 bulkscore=0 clxscore=1015 priorityscore=1501 malwarescore=0 phishscore=0 mlxlogscore=999 impostorscore=0 mlxscore=0 spamscore=0 lowpriorityscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912110168 Subject: [SLOF] [PATCH v4 12/33] tpm: Add TPM firmware API call get-maximum-cmd-size X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kevin@koconnor.net MIME-Version: 1.0 Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" This patch adds support for the firmware API call get-maximum-cmd-size. Signed-off-by: Stefan Berger --- board-qemu/slof/vio-vtpm-cdriver.fs | 7 +++++++ board-qemu/slof/vtpm-sml.fs | 10 ++++++++++ lib/libtpm/tcgbios.c | 24 ++++++++++++++++++++++++ lib/libtpm/tcgbios.h | 1 + lib/libtpm/tcgbios_int.h | 7 +++++++ lib/libtpm/tpm.code | 10 ++++++++++ lib/libtpm/tpm.in | 1 + 7 files changed, 60 insertions(+) diff --git a/board-qemu/slof/vio-vtpm-cdriver.fs b/board-qemu/slof/vio-vtpm-cdriver.fs index d4d0690..de69e2d 100644 --- a/board-qemu/slof/vio-vtpm-cdriver.fs +++ b/board-qemu/slof/vio-vtpm-cdriver.fs @@ -122,6 +122,13 @@ false VALUE vtpm-debug? THEN ; +\ firmware API call +: get-maximum-cmd-size ( -- maximum-size ) + " get-maximum-cmd-size" vtpm-call-forward IF + 0 + THEN +; + : open ( ) vtpm-debug? IF ." VTPM: vTPM open()" cr THEN true diff --git a/board-qemu/slof/vtpm-sml.fs b/board-qemu/slof/vtpm-sml.fs index b7ecb4a..bf0d55e 100644 --- a/board-qemu/slof/vtpm-sml.fs +++ b/board-qemu/slof/vtpm-sml.fs @@ -84,6 +84,16 @@ log-base LOG-SIZE tpm-set-log-parameters THEN ; +: get-maximum-cmd-size ( -- max-size ) + vtpm-debug? IF + ." Call to get-maximum-cmd-size" cr + THEN + tpm-get-maximum-cmd-size ( max-size ) + dup 0= IF \ Display if return value is 0 + ." VTPM: Return value from tpm-get-maximum-cmd-size: " dup . cr + THEN +; + \ \ internal API calls \ diff --git a/lib/libtpm/tcgbios.c b/lib/libtpm/tcgbios.c index e42b7e2..9114d64 100644 --- a/lib/libtpm/tcgbios.c +++ b/lib/libtpm/tcgbios.c @@ -38,6 +38,8 @@ #define dprintf(_x ...) #endif +#define MIN(a, b) ((a) < (b) ? (a) : (b)) + struct tpm_state { unsigned tpm_probed:1; unsigned tpm_found:1; @@ -813,3 +815,25 @@ uint32_t tpm_measure_scrtm(void) return rc; } + +/* + * tpm_get_maximum_cmd_size: Function for interfacing with the firmware API + * + * This function returns the maximum size a TPM command (or response) may have. + */ +uint32_t tpm_get_maximum_cmd_size(void) +{ + struct tpm_rsp_getcap_buffersize trgb; + int ret; + + if (!tpm_is_working()) + return 0; + + ret = tpm12_get_capability(TPM_CAP_PROPERTY, TPM_CAP_PROP_INPUT_BUFFER, + &trgb.hdr, sizeof(trgb)); + if (ret) + return 0; + + return MIN(cpu_to_be32(trgb.buffersize), + spapr_vtpm_get_buffersize()); +} diff --git a/lib/libtpm/tcgbios.h b/lib/libtpm/tcgbios.h index b08e12f..6eb6751 100644 --- a/lib/libtpm/tcgbios.h +++ b/lib/libtpm/tcgbios.h @@ -34,6 +34,7 @@ uint32_t tpm_measure_bcv_mbr(uint32_t bootdrv, const uint8_t *addr, uint32_t length); uint32_t tpm_add_event_separators(uint32_t start_pcr, uint32_t end_pcr); uint32_t tpm_process_opcode(uint8_t op, bool verbose); +uint32_t tpm_get_maximum_cmd_size(void); /* flags returned by tpm_get_state */ #define TPM_STATE_ENABLED 1 diff --git a/lib/libtpm/tcgbios_int.h b/lib/libtpm/tcgbios_int.h index 77ed815..39e1ea4 100644 --- a/lib/libtpm/tcgbios_int.h +++ b/lib/libtpm/tcgbios_int.h @@ -116,6 +116,7 @@ struct tpm_req_getcap { #define TPM_CAP_FLAG_PERMANENT 0x108 #define TPM_CAP_PROP_OWNER 0x111 #define TPM_CAP_PROP_DURATION 0x120 +#define TPM_CAP_PROP_INPUT_BUFFER 0x124 struct tpm_req_getcap_perm_flags { struct tpm_req_header hdr; @@ -179,6 +180,12 @@ struct tpm_rsp_getcap_durations { uint32_t durations[TPM_NUM_DURATIONS]; } __attribute__((packed)); +struct tpm_rsp_getcap_buffersize { + struct tpm_rsp_header hdr; + uint32_t size; + uint32_t buffersize; +} __attribute__((packed)); + #define TPM_PPI_OP_NOOP 0 #define TPM_PPI_OP_ENABLE 1 #define TPM_PPI_OP_DISABLE 2 diff --git a/lib/libtpm/tpm.code b/lib/libtpm/tpm.code index 67877c0..ecfba8c 100644 --- a/lib/libtpm/tpm.code +++ b/lib/libtpm/tpm.code @@ -162,3 +162,13 @@ PRIM(tpm_X2d_measure_X2d_scrtm) PUSH; TOS.n = tpm_measure_scrtm(); MIRP + +/****************************************************/ +/* Firmware API */ +/* SLOF: tpm-get-maximum-cmd-size ( -- max-size) */ +/* LIBTPM: maxsize = tpm_get_maximum_cmd_size() */ +/****************************************************/ +PRIM(tpm_X2d_get_X2d_maximum_X2d_cmd_X2d_size) + PUSH; + TOS.n = tpm_get_maximum_cmd_size(); +MIRP diff --git a/lib/libtpm/tpm.in b/lib/libtpm/tpm.in index 59a4ba6..1bd393e 100644 --- a/lib/libtpm/tpm.in +++ b/lib/libtpm/tpm.in @@ -27,3 +27,4 @@ cod(tpm-process-opcode) cod(tpm-get-state) cod(tpm-is-working) cod(tpm-measure-scrtm) +cod(tpm-get-maximum-cmd-size) From patchwork Wed Dec 11 20:27:08 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1207905 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47Y7ns173kz9sRH for ; Thu, 12 Dec 2019 07:29:37 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47Y7nr61bnzDqYh for ; Thu, 12 Dec 2019 07:29:36 +1100 (AEDT) X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.158.5; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47Y7ll5Y56zDqJc for ; Thu, 12 Dec 2019 07:27:44 +1100 (AEDT) Received: from pps.filterd (m0098414.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xBBKGgtj028872; Wed, 11 Dec 2019 15:27:41 -0500 Received: from ppma05wdc.us.ibm.com (1b.90.2fa9.ip4.static.sl-reverse.com [169.47.144.27]) by mx0b-001b2d01.pphosted.com with ESMTP id 2wu4t6d3s8-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 15:27:41 -0500 Received: from pps.filterd (ppma05wdc.us.ibm.com [127.0.0.1]) by ppma05wdc.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id xBBKEuaP026508; Wed, 11 Dec 2019 20:27:40 GMT Received: from b01cxnp22033.gho.pok.ibm.com (b01cxnp22033.gho.pok.ibm.com [9.57.198.23]) by ppma05wdc.us.ibm.com with ESMTP id 2wtdq7b85k-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 20:27:40 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xBBKReMx45416840 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Dec 2019 20:27:40 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 6BB65B205F; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 5E60AB206B; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) Received: from newfield.pok.ibm.com (unknown [9.47.158.66]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) From: Stefan Berger To: slof@lists.ozlabs.org Date: Wed, 11 Dec 2019 15:27:08 -0500 Message-Id: <20191211202728.127996-14-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> References: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-11_06:2019-12-11, 2019-12-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 bulkscore=0 impostorscore=0 spamscore=0 clxscore=1015 suspectscore=15 mlxscore=0 mlxlogscore=999 malwarescore=0 adultscore=0 phishscore=0 priorityscore=1501 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912110168 Subject: [SLOF] [PATCH v4 13/33] tpm: Add TPM firmware API call pass-through-to-tpm X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kevin@koconnor.net MIME-Version: 1.0 Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" This patch adds support for the firmware API call pass-through-to-tpm. Signed-off-by: Stefan Berger Reviewed-by: Nikunj A Dadhania --- board-qemu/slof/vio-vtpm-cdriver.fs | 8 +++++ board-qemu/slof/vtpm-sml.fs | 10 ++++++ lib/libtpm/tcgbios.c | 52 +++++++++++++++++++++++++++++ lib/libtpm/tcgbios.h | 1 + lib/libtpm/tpm.code | 11 ++++++ lib/libtpm/tpm.in | 1 + lib/libtpm/tpm_drivers.h | 3 ++ 7 files changed, 86 insertions(+) diff --git a/board-qemu/slof/vio-vtpm-cdriver.fs b/board-qemu/slof/vio-vtpm-cdriver.fs index de69e2d..0699c4d 100644 --- a/board-qemu/slof/vio-vtpm-cdriver.fs +++ b/board-qemu/slof/vio-vtpm-cdriver.fs @@ -122,6 +122,14 @@ false VALUE vtpm-debug? THEN ; +\ firmware API call +: pass-through-to-tpm ( buf-addr buf-size -- response-size ) + " pass-through-to-tpm" vtpm-call-forward IF + 2drop + 0 + THEN +; + \ firmware API call : get-maximum-cmd-size ( -- maximum-size ) " get-maximum-cmd-size" vtpm-call-forward IF diff --git a/board-qemu/slof/vtpm-sml.fs b/board-qemu/slof/vtpm-sml.fs index bf0d55e..c51765b 100644 --- a/board-qemu/slof/vtpm-sml.fs +++ b/board-qemu/slof/vtpm-sml.fs @@ -94,6 +94,16 @@ log-base LOG-SIZE tpm-set-log-parameters THEN ; +: pass-through-to-tpm ( buf-addr cmd-size -- rsp-size ) + vtpm-debug? IF + ." Call to pass-through-to-tpm" cr + THEN + tpm-pass-through-to-tpm ( rsp-size ) + vtpm-debug? IF + ." VTPM: Return value from tpm-pass-through-to-tpm: " dup . cr + THEN +; + \ \ internal API calls \ diff --git a/lib/libtpm/tcgbios.c b/lib/libtpm/tcgbios.c index 9114d64..38fa545 100644 --- a/lib/libtpm/tcgbios.c +++ b/lib/libtpm/tcgbios.c @@ -837,3 +837,55 @@ uint32_t tpm_get_maximum_cmd_size(void) return MIN(cpu_to_be32(trgb.buffersize), spapr_vtpm_get_buffersize()); } + +static bool pass_through_to_tpm(unsigned char *req, + uint32_t reqlen, + enum tpm_duration_type to_t, + unsigned char *rsp, + uint32_t *rsplen) +{ + struct tpm_req_header *trqh; + int ret; + + if (!tpm_is_working()) + return TCGBIOS_FATAL_COM_ERROR; + + trqh = (struct tpm_req_header *)req; + if (reqlen < sizeof(*trqh)) + return TCGBIOS_INVALID_INPUT_PARA; + + ret = tpmhw_transmit(0, trqh, rsp, rsplen, to_t); + if (ret) + return TCGBIOS_FATAL_COM_ERROR; + + return 0; +} + +/* + * tpm_pass_through_to_tpm: Function for interfacing with the firmware API + * + * buf: buffer holding the command; also used for holding the entire response + * cmdlen: length of the command in the buffer + * + * Returns 0 in case of failure, the size of the response otherwise. + */ +uint32_t tpm_pass_through_to_tpm(unsigned char *buf, uint32_t cmdlen) +{ + uint32_t resplen = PAPR_VTPM_MAX_BUFFER_SIZE; + + /* + * API spec: caller must ensure that the buffer is large + * enough to receive the full response into + * the same buffer where the command is in. + * We anticipate the largest possible buffer + * the driver supports in 'resplen'. + * For duration we use the worst-case timeout 'LONG' + * so that any command can be sent and will not time out. + */ + if (pass_through_to_tpm(buf, cmdlen, + TPM_DURATION_TYPE_LONG, + buf, &resplen)) + return 0; + + return resplen; +} diff --git a/lib/libtpm/tcgbios.h b/lib/libtpm/tcgbios.h index 6eb6751..5beaa53 100644 --- a/lib/libtpm/tcgbios.h +++ b/lib/libtpm/tcgbios.h @@ -35,6 +35,7 @@ uint32_t tpm_measure_bcv_mbr(uint32_t bootdrv, const uint8_t *addr, uint32_t tpm_add_event_separators(uint32_t start_pcr, uint32_t end_pcr); uint32_t tpm_process_opcode(uint8_t op, bool verbose); uint32_t tpm_get_maximum_cmd_size(void); +uint32_t tpm_pass_through_to_tpm(unsigned char *buf, uint32_t cmdlen); /* flags returned by tpm_get_state */ #define TPM_STATE_ENABLED 1 diff --git a/lib/libtpm/tpm.code b/lib/libtpm/tpm.code index ecfba8c..adf1f01 100644 --- a/lib/libtpm/tpm.code +++ b/lib/libtpm/tpm.code @@ -172,3 +172,14 @@ PRIM(tpm_X2d_get_X2d_maximum_X2d_cmd_X2d_size) PUSH; TOS.n = tpm_get_maximum_cmd_size(); MIRP + +/*******************************************************************/ +/* Firmware API */ +/* SLOF: tpm-pass-through-to-tpm (buf-addr cmd-size -- rsp-size) */ +/* LIBTPM: respsize = tpm_pass_through_to_tpm(buf, cmdsize) */ +/*******************************************************************/ +PRIM(tpm_X2d_pass_X2d_through_X2d_to_X2d_tpm) + int cmdsize = TOS.n; POP; + void *buf = TOS.a; + TOS.n = tpm_pass_through_to_tpm(buf, cmdsize); +MIRP diff --git a/lib/libtpm/tpm.in b/lib/libtpm/tpm.in index 1bd393e..f0c92e2 100644 --- a/lib/libtpm/tpm.in +++ b/lib/libtpm/tpm.in @@ -28,3 +28,4 @@ cod(tpm-get-state) cod(tpm-is-working) cod(tpm-measure-scrtm) cod(tpm-get-maximum-cmd-size) +cod(tpm-pass-through-to-tpm) diff --git a/lib/libtpm/tpm_drivers.h b/lib/libtpm/tpm_drivers.h index ab2e152..96bd32d 100644 --- a/lib/libtpm/tpm_drivers.h +++ b/lib/libtpm/tpm_drivers.h @@ -70,6 +70,9 @@ typedef enum { VTPM_DRV_ERROR_SML_HANDED_OVER = 14, } vtpm_drv_error; +/* the max. buffer size by the external TPM is 4k */ +#define PAPR_VTPM_MAX_BUFFER_SIZE 4096 + /* exported functions */ bool spapr_is_vtpm_present(void); void spapr_vtpm_finalize(void); From patchwork Wed Dec 11 20:27:09 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1207900 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47Y7n96pt3z9sRH for ; Thu, 12 Dec 2019 07:29:01 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47Y7n93ZZqzDqc9 for ; Thu, 12 Dec 2019 07:29:01 +1100 (AEDT) X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47Y7ll4w2bzDqSW for ; Thu, 12 Dec 2019 07:27:44 +1100 (AEDT) Received: from pps.filterd (m0187473.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xBBKGY7D133958; Wed, 11 Dec 2019 15:27:42 -0500 Received: from ppma02dal.us.ibm.com (a.bd.3ea9.ip4.static.sl-reverse.com [169.62.189.10]) by mx0a-001b2d01.pphosted.com with ESMTP id 2wr8m09rmf-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 15:27:42 -0500 Received: from pps.filterd (ppma02dal.us.ibm.com [127.0.0.1]) by ppma02dal.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id xBBKG74v014967; Wed, 11 Dec 2019 20:27:41 GMT Received: from b01cxnp22033.gho.pok.ibm.com (b01cxnp22033.gho.pok.ibm.com [9.57.198.23]) by ppma02dal.us.ibm.com with ESMTP id 2wr3q723tv-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 20:27:41 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xBBKRe3O45416842 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Dec 2019 20:27:40 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 79FC0B2065; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 76F4BB2064; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) Received: from newfield.pok.ibm.com (unknown [9.47.158.66]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) From: Stefan Berger To: slof@lists.ozlabs.org Date: Wed, 11 Dec 2019 15:27:09 -0500 Message-Id: <20191211202728.127996-15-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> References: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-11_06:2019-12-11, 2019-12-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxscore=0 mlxlogscore=999 lowpriorityscore=0 priorityscore=1501 impostorscore=0 malwarescore=0 phishscore=0 bulkscore=0 clxscore=1015 adultscore=0 spamscore=0 suspectscore=15 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912110168 Subject: [SLOF] [PATCH v4 14/33] tpm: Add TPM firmware API call get-state X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kevin@koconnor.net MIME-Version: 1.0 Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" This patch adds support for the TPM firmware API call get-state. Signed-off-by: Stefan Berger Reviewed-by: Nikunj A Dadhania --- board-qemu/slof/vio-vtpm-cdriver.fs | 8 ++++++++ board-qemu/slof/vtpm-sml.fs | 10 ++++++++++ lib/libtpm/tcgbios.c | 12 ++++++++++++ lib/libtpm/tcgbios.h | 1 + lib/libtpm/tpm.code | 10 ++++++++++ lib/libtpm/tpm.in | 1 + 6 files changed, 42 insertions(+) diff --git a/board-qemu/slof/vio-vtpm-cdriver.fs b/board-qemu/slof/vio-vtpm-cdriver.fs index 0699c4d..667f321 100644 --- a/board-qemu/slof/vio-vtpm-cdriver.fs +++ b/board-qemu/slof/vio-vtpm-cdriver.fs @@ -98,6 +98,14 @@ false VALUE vtpm-debug? THEN ; +\ firmware API call +: get-state ( -- state ) + " get-state" vtpm-call-forward IF + \ vtpm-call-forward failed; return a value + 0 \ invalid + THEN +; + \ firmware API call : hash-all ( data-ptr data-len hash-ptr -- ) " hash-all" vtpm-call-forward IF diff --git a/board-qemu/slof/vtpm-sml.fs b/board-qemu/slof/vtpm-sml.fs index c51765b..5349786 100644 --- a/board-qemu/slof/vtpm-sml.fs +++ b/board-qemu/slof/vtpm-sml.fs @@ -52,6 +52,16 @@ log-base LOG-SIZE tpm-set-log-parameters move ; +: get-state ( -- state ) + vtpm-debug? IF + ." Call to get-state" cr + THEN + tpm-driver-get-state ( state ) + vtpm-debug? IF + ." VTPM: Return value from tpm-driver-get-state: " dup . cr + THEN +; + : hash-all ( data-ptr data-len hash-ptr -- ) vtpm-debug? IF ." Call to hash-all" cr diff --git a/lib/libtpm/tcgbios.c b/lib/libtpm/tcgbios.c index 38fa545..05e5e18 100644 --- a/lib/libtpm/tcgbios.c +++ b/lib/libtpm/tcgbios.c @@ -889,3 +889,15 @@ uint32_t tpm_pass_through_to_tpm(unsigned char *buf, uint32_t cmdlen) return resplen; } + +/* + * tpm_driver_get_state: Function for interfacing with the firmware API + */ +uint32_t tpm_driver_get_state(void) +{ + /* do not check for a working TPM here */ + if (!tpm_state.tpm_found) + return VTPM_DRV_STATE_INVALID; + + return spapr_vtpm_get_state(); +} diff --git a/lib/libtpm/tcgbios.h b/lib/libtpm/tcgbios.h index 5beaa53..25c7518 100644 --- a/lib/libtpm/tcgbios.h +++ b/lib/libtpm/tcgbios.h @@ -36,6 +36,7 @@ uint32_t tpm_add_event_separators(uint32_t start_pcr, uint32_t end_pcr); uint32_t tpm_process_opcode(uint8_t op, bool verbose); uint32_t tpm_get_maximum_cmd_size(void); uint32_t tpm_pass_through_to_tpm(unsigned char *buf, uint32_t cmdlen); +uint32_t tpm_driver_get_state(void); /* flags returned by tpm_get_state */ #define TPM_STATE_ENABLED 1 diff --git a/lib/libtpm/tpm.code b/lib/libtpm/tpm.code index adf1f01..6f1a85c 100644 --- a/lib/libtpm/tpm.code +++ b/lib/libtpm/tpm.code @@ -77,6 +77,16 @@ PRIM(tpm_X2d_hash_X2d_log_X2d_extend_X2d_event) TOS.n = tpm_hash_log_extend_event(eventptr); MIRP +/****************************************************/ +/* Firmware API */ +/* SLOF: tpm-driver-get-state ( -- state) */ +/* LIBTPM: state = tpm_driver_get_state(void) */ +/****************************************************/ +PRIM(tpm_X2d_driver_X2d_get_X2d_state) + PUSH; + TOS.n = tpm_driver_get_state(); +MIRP + /*****************************************************************/ /* Firmware API */ /* SLOF: tpm-hash-all ( data-ptr data-len hash-ptr -- errcode) */ diff --git a/lib/libtpm/tpm.in b/lib/libtpm/tpm.in index f0c92e2..52b4b4f 100644 --- a/lib/libtpm/tpm.in +++ b/lib/libtpm/tpm.in @@ -29,3 +29,4 @@ cod(tpm-is-working) cod(tpm-measure-scrtm) cod(tpm-get-maximum-cmd-size) cod(tpm-pass-through-to-tpm) +cod(tpm-driver-get-state) From patchwork Wed Dec 11 20:27:10 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1207915 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47Y7pv0s3Gz9sR8 for ; Thu, 12 Dec 2019 07:30:31 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47Y7pt636PzDqwJ for ; Thu, 12 Dec 2019 07:30:30 +1100 (AEDT) X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47Y7lm4FDfzDqHJ for ; Thu, 12 Dec 2019 07:27:45 +1100 (AEDT) Received: from pps.filterd (m0187473.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xBBKGYSn133957; Wed, 11 Dec 2019 15:27:43 -0500 Received: from ppma04dal.us.ibm.com (7a.29.35a9.ip4.static.sl-reverse.com [169.53.41.122]) by mx0a-001b2d01.pphosted.com with ESMTP id 2wr8m09rmj-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 15:27:42 -0500 Received: from pps.filterd (ppma04dal.us.ibm.com [127.0.0.1]) by ppma04dal.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id xBBKLv0p030914; Wed, 11 Dec 2019 20:27:41 GMT Received: from b01cxnp22033.gho.pok.ibm.com (b01cxnp22033.gho.pok.ibm.com [9.57.198.23]) by ppma04dal.us.ibm.com with ESMTP id 2wr3q723hq-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 20:27:41 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xBBKRe8c45416844 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Dec 2019 20:27:40 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 8816FB2068; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 8540BB2067; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) Received: from newfield.pok.ibm.com (unknown [9.47.158.66]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) From: Stefan Berger To: slof@lists.ozlabs.org Date: Wed, 11 Dec 2019 15:27:10 -0500 Message-Id: <20191211202728.127996-16-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> References: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-11_06:2019-12-11, 2019-12-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxscore=0 mlxlogscore=999 lowpriorityscore=0 priorityscore=1501 impostorscore=0 malwarescore=0 phishscore=0 bulkscore=0 clxscore=1015 adultscore=0 spamscore=0 suspectscore=15 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912110168 Subject: [SLOF] [PATCH v4 15/33] tpm: Add TPM firmware API call get-failure-reason X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kevin@koconnor.net MIME-Version: 1.0 Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" This patch adds support for the TPM firmware API call get-failure-reason. Signed-off-by: Stefan Berger Reviewed-by: Nikunj A Dadhania --- board-qemu/slof/vio-vtpm-cdriver.fs | 8 ++++++++ board-qemu/slof/vtpm-sml.fs | 7 +++++++ lib/libtpm/tcgbios.c | 13 +++++++++++++ lib/libtpm/tcgbios.h | 1 + lib/libtpm/tpm.code | 10 ++++++++++ lib/libtpm/tpm.in | 1 + 6 files changed, 40 insertions(+) diff --git a/board-qemu/slof/vio-vtpm-cdriver.fs b/board-qemu/slof/vio-vtpm-cdriver.fs index 667f321..c13a063 100644 --- a/board-qemu/slof/vio-vtpm-cdriver.fs +++ b/board-qemu/slof/vio-vtpm-cdriver.fs @@ -106,6 +106,14 @@ false VALUE vtpm-debug? THEN ; +\ firmware API call +: get-failure-reason ( -- reason ) + " get-failure-reason" vtpm-call-forward IF + \ vtpm-call-forward failed; return a value + 0 \ invalid + THEN +; + \ firmware API call : hash-all ( data-ptr data-len hash-ptr -- ) " hash-all" vtpm-call-forward IF diff --git a/board-qemu/slof/vtpm-sml.fs b/board-qemu/slof/vtpm-sml.fs index 5349786..43e4f1e 100644 --- a/board-qemu/slof/vtpm-sml.fs +++ b/board-qemu/slof/vtpm-sml.fs @@ -62,6 +62,13 @@ log-base LOG-SIZE tpm-set-log-parameters THEN ; +: get-failure-reason ( -- reason ) + tpm-driver-get-failure-reason ( reason ) + vtpm-debug? IF + ." VTPM: Return value from tpm-driver-get-failure-reason: " dup . cr + THEN +; + : hash-all ( data-ptr data-len hash-ptr -- ) vtpm-debug? IF ." Call to hash-all" cr diff --git a/lib/libtpm/tcgbios.c b/lib/libtpm/tcgbios.c index 05e5e18..66b1cca 100644 --- a/lib/libtpm/tcgbios.c +++ b/lib/libtpm/tcgbios.c @@ -901,3 +901,16 @@ uint32_t tpm_driver_get_state(void) return spapr_vtpm_get_state(); } + +/* + * tpm_driver_get_failure_reason: Function for interfacing with the firmware + * API + */ +uint32_t tpm_driver_get_failure_reason(void) +{ + /* do not check for a working TPM here */ + if (!tpm_state.tpm_found) + return VTPM_DRV_STATE_INVALID; + + return spapr_vtpm_get_error(); +} diff --git a/lib/libtpm/tcgbios.h b/lib/libtpm/tcgbios.h index 25c7518..0ddd537 100644 --- a/lib/libtpm/tcgbios.h +++ b/lib/libtpm/tcgbios.h @@ -37,6 +37,7 @@ uint32_t tpm_process_opcode(uint8_t op, bool verbose); uint32_t tpm_get_maximum_cmd_size(void); uint32_t tpm_pass_through_to_tpm(unsigned char *buf, uint32_t cmdlen); uint32_t tpm_driver_get_state(void); +uint32_t tpm_driver_get_failure_reason(void); /* flags returned by tpm_get_state */ #define TPM_STATE_ENABLED 1 diff --git a/lib/libtpm/tpm.code b/lib/libtpm/tpm.code index 6f1a85c..3f2bd7f 100644 --- a/lib/libtpm/tpm.code +++ b/lib/libtpm/tpm.code @@ -87,6 +87,16 @@ PRIM(tpm_X2d_driver_X2d_get_X2d_state) TOS.n = tpm_driver_get_state(); MIRP +/*********************************************************/ +/* Firmware API */ +/* SLOF: tpm-driver-get_failure-reason ( -- errcode) */ +/* LIBTPM: errcode = tpm_driver_get_failure_reason(void) */ +/*********************************************************/ +PRIM(tpm_X2d_driver_X2d_get_X2d_failure_X2d_reason) + PUSH; + TOS.n = tpm_driver_get_failure_reason(); +MIRP + /*****************************************************************/ /* Firmware API */ /* SLOF: tpm-hash-all ( data-ptr data-len hash-ptr -- errcode) */ diff --git a/lib/libtpm/tpm.in b/lib/libtpm/tpm.in index 52b4b4f..88d8a14 100644 --- a/lib/libtpm/tpm.in +++ b/lib/libtpm/tpm.in @@ -30,3 +30,4 @@ cod(tpm-measure-scrtm) cod(tpm-get-maximum-cmd-size) cod(tpm-pass-through-to-tpm) cod(tpm-driver-get-state) +cod(tpm-driver-get-failure-reason) From patchwork Wed Dec 11 20:27:11 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1207910 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47Y7pL4jV0z9sR7 for ; Thu, 12 Dec 2019 07:30:02 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47Y7pL3FKWzDqtR for ; Thu, 12 Dec 2019 07:30:02 +1100 (AEDT) X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47Y7lm2rQvzDqQl for ; Thu, 12 Dec 2019 07:27:45 +1100 (AEDT) Received: from pps.filterd (m0098399.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xBBKGtnr132094; Wed, 11 Dec 2019 15:27:42 -0500 Received: from ppma01dal.us.ibm.com (83.d6.3fa9.ip4.static.sl-reverse.com [169.63.214.131]) by mx0a-001b2d01.pphosted.com with ESMTP id 2wsu3rb30h-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 15:27:42 -0500 Received: from pps.filterd (ppma01dal.us.ibm.com [127.0.0.1]) by ppma01dal.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id xBBKGM9Y023187; Wed, 11 Dec 2019 20:27:41 GMT Received: from b01cxnp22033.gho.pok.ibm.com (b01cxnp22033.gho.pok.ibm.com [9.57.198.23]) by ppma01dal.us.ibm.com with ESMTP id 2wr3q7a2t6-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 20:27:41 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xBBKReDQ32768424 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Dec 2019 20:27:40 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 9691EB206E; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 93D11B205F; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) Received: from newfield.pok.ibm.com (unknown [9.47.158.66]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) From: Stefan Berger To: slof@lists.ozlabs.org Date: Wed, 11 Dec 2019 15:27:11 -0500 Message-Id: <20191211202728.127996-17-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> References: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-11_06:2019-12-11, 2019-12-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 clxscore=1015 bulkscore=0 spamscore=0 lowpriorityscore=0 adultscore=0 impostorscore=0 mlxlogscore=999 mlxscore=0 suspectscore=1 malwarescore=0 priorityscore=1501 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912110168 Subject: [SLOF] [PATCH v4 16/33] tpm: Add TPM firmware API call reformat-sml-to-efi-alignment X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kevin@koconnor.net MIME-Version: 1.0 Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" This patch adds support for the TPM firmware API call reformat-sml-to-efi-alignment. It also adds the required entry 'ibm,sml-efi-reformat-supported' entry to the /vdevice/vtpm node. This entry indicates that the API call exists. Signed-off-by: Stefan Berger Reviewed-by: Thomas Huth --- board-qemu/slof/vio-vtpm-cdriver.fs | 9 +++++++++ board-qemu/slof/vtpm-sml.fs | 8 ++++++++ 2 files changed, 17 insertions(+) diff --git a/board-qemu/slof/vio-vtpm-cdriver.fs b/board-qemu/slof/vio-vtpm-cdriver.fs index c13a063..4392615 100644 --- a/board-qemu/slof/vio-vtpm-cdriver.fs +++ b/board-qemu/slof/vio-vtpm-cdriver.fs @@ -153,6 +153,15 @@ false VALUE vtpm-debug? THEN ; +0 0 s" ibm,sml-efi-reformat-supported" property + +\ firmware API call +: reformat-sml-to-efi-alignment ( -- success ) + " reformat-sml-to-efi-alignment" vtpm-call-forward IF + false + THEN +; + : open ( ) vtpm-debug? IF ." VTPM: vTPM open()" cr THEN true diff --git a/board-qemu/slof/vtpm-sml.fs b/board-qemu/slof/vtpm-sml.fs index 43e4f1e..8d57c22 100644 --- a/board-qemu/slof/vtpm-sml.fs +++ b/board-qemu/slof/vtpm-sml.fs @@ -121,6 +121,14 @@ log-base LOG-SIZE tpm-set-log-parameters THEN ; +: reformat-sml-to-efi-alignment ( -- success? ) + vtpm-debug? IF + ." Call to reformat-sml-to-efi-alignment" cr + THEN + \ a no-op since already byte aligned + true +; + \ \ internal API calls \ From patchwork Wed Dec 11 20:27:12 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1207909 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47Y7pD46YHz9sRH for ; Thu, 12 Dec 2019 07:29:56 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47Y7pC1wcwzDqnZ for ; Thu, 12 Dec 2019 07:29:55 +1100 (AEDT) X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.158.5; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47Y7lm0CBrzDqJ3 for ; Thu, 12 Dec 2019 07:27:44 +1100 (AEDT) Received: from pps.filterd (m0098420.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xBBKGgFH027867; Wed, 11 Dec 2019 15:27:41 -0500 Received: from ppma03wdc.us.ibm.com (ba.79.3fa9.ip4.static.sl-reverse.com [169.63.121.186]) by mx0b-001b2d01.pphosted.com with ESMTP id 2wu1fmpjnj-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 15:27:41 -0500 Received: from pps.filterd (ppma03wdc.us.ibm.com [127.0.0.1]) by ppma03wdc.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id xBBKIKdM016878; Wed, 11 Dec 2019 20:27:41 GMT Received: from b01cxnp22033.gho.pok.ibm.com (b01cxnp22033.gho.pok.ibm.com [9.57.198.23]) by ppma03wdc.us.ibm.com with ESMTP id 2wr3q6r3x8-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 20:27:41 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xBBKRe5H21234120 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Dec 2019 20:27:40 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id AF226B205F; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id A23A4B2065; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) Received: from newfield.pok.ibm.com (unknown [9.47.158.66]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) From: Stefan Berger To: slof@lists.ozlabs.org Date: Wed, 11 Dec 2019 15:27:12 -0500 Message-Id: <20191211202728.127996-18-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> References: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-11_06:2019-12-11, 2019-12-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1015 priorityscore=1501 bulkscore=0 spamscore=0 lowpriorityscore=0 malwarescore=0 mlxscore=0 mlxlogscore=999 impostorscore=0 phishscore=0 adultscore=0 suspectscore=15 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912110168 Subject: [SLOF] [PATCH v4 17/33] tpm: Set the driver in pseudo failure state after handover X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kevin@koconnor.net MIME-Version: 1.0 Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" Once sml-handover has been called, set the driver into pseudo failure state. Signed-off-by: Stefan Berger Reviewed-by: Thomas Huth --- board-qemu/slof/vtpm-sml.fs | 4 ++++ lib/libtpm/tcgbios.c | 12 ++++++++++++ lib/libtpm/tcgbios.h | 1 + lib/libtpm/tpm.code | 10 ++++++++++ lib/libtpm/tpm.in | 1 + lib/libtpm/tpm_drivers.c | 5 +++++ lib/libtpm/tpm_drivers.h | 1 + 7 files changed, 34 insertions(+) diff --git a/board-qemu/slof/vtpm-sml.fs b/board-qemu/slof/vtpm-sml.fs index 8d57c22..3752700 100644 --- a/board-qemu/slof/vtpm-sml.fs +++ b/board-qemu/slof/vtpm-sml.fs @@ -20,6 +20,8 @@ false VALUE vtpm-debug? 0 VALUE log-base 40000 CONSTANT LOG-SIZE \ 256k per VTPM FW spec. +e CONSTANT VTPM_DRV_ERROR_SML_HANDED_OVER + LOG-SIZE BUFFER: log-base \ create /ibm,vtpm @@ -50,6 +52,8 @@ log-base LOG-SIZE tpm-set-log-parameters log-base ( dest size src ) -rot ( src dest size ) move + + VTPM_DRV_ERROR_SML_HANDED_OVER tpm-driver-set-failure-reason ; : get-state ( -- state ) diff --git a/lib/libtpm/tcgbios.c b/lib/libtpm/tcgbios.c index 66b1cca..b7f86d4 100644 --- a/lib/libtpm/tcgbios.c +++ b/lib/libtpm/tcgbios.c @@ -914,3 +914,15 @@ uint32_t tpm_driver_get_failure_reason(void) return spapr_vtpm_get_error(); } + +/* + * tpm_driver_set_failure_reason: Function for interfacing with the firmware + * API + */ +void tpm_driver_set_failure_reason(uint32_t errcode) +{ + if (!tpm_state.tpm_found) + return; + + spapr_vtpm_set_error(errcode); +} diff --git a/lib/libtpm/tcgbios.h b/lib/libtpm/tcgbios.h index 0ddd537..e37d075 100644 --- a/lib/libtpm/tcgbios.h +++ b/lib/libtpm/tcgbios.h @@ -38,6 +38,7 @@ uint32_t tpm_get_maximum_cmd_size(void); uint32_t tpm_pass_through_to_tpm(unsigned char *buf, uint32_t cmdlen); uint32_t tpm_driver_get_state(void); uint32_t tpm_driver_get_failure_reason(void); +void tpm_driver_set_failure_reason(uint32_t errcode); /* flags returned by tpm_get_state */ #define TPM_STATE_ENABLED 1 diff --git a/lib/libtpm/tpm.code b/lib/libtpm/tpm.code index 3f2bd7f..235f368 100644 --- a/lib/libtpm/tpm.code +++ b/lib/libtpm/tpm.code @@ -97,6 +97,16 @@ PRIM(tpm_X2d_driver_X2d_get_X2d_failure_X2d_reason) TOS.n = tpm_driver_get_failure_reason(); MIRP +/********************************************************/ +/* Firmware API */ +/* SLOF: tpm-driver-set-failure_reason ( errcode -- ) */ +/* LIBTPM: tpm_driver_set_failure_reason(errcode) */ +/********************************************************/ +PRIM(tpm_X2d_driver_X2d_set_X2d_failure_X2d_reason) + int errcode = TOS.u; POP; + tpm_driver_set_failure_reason(errcode); +MIRP + /*****************************************************************/ /* Firmware API */ /* SLOF: tpm-hash-all ( data-ptr data-len hash-ptr -- errcode) */ diff --git a/lib/libtpm/tpm.in b/lib/libtpm/tpm.in index 88d8a14..3c3b745 100644 --- a/lib/libtpm/tpm.in +++ b/lib/libtpm/tpm.in @@ -31,3 +31,4 @@ cod(tpm-get-maximum-cmd-size) cod(tpm-pass-through-to-tpm) cod(tpm-driver-get-state) cod(tpm-driver-get-failure-reason) +cod(tpm-driver-set-failure-reason) diff --git a/lib/libtpm/tpm_drivers.c b/lib/libtpm/tpm_drivers.c index 7b1c9c8..4384f7f 100644 --- a/lib/libtpm/tpm_drivers.c +++ b/lib/libtpm/tpm_drivers.c @@ -464,6 +464,11 @@ vtpm_drv_error spapr_vtpm_get_error(void) return vtpm_drv_error_get(); } +void spapr_vtpm_set_error(vtpm_drv_error errcode) +{ + spapr_vtpm.driver_error = errcode; +} + /**** higher layer interface ****/ bool spapr_is_vtpm_present(void) diff --git a/lib/libtpm/tpm_drivers.h b/lib/libtpm/tpm_drivers.h index 96bd32d..38976d0 100644 --- a/lib/libtpm/tpm_drivers.h +++ b/lib/libtpm/tpm_drivers.h @@ -80,6 +80,7 @@ void spapr_vtpm_set_durations(const uint32_t durations[TPM_NUM_DURATIONS]); uint32_t spapr_vtpm_get_buffersize(void); vtpm_drv_state spapr_vtpm_get_state(void); vtpm_drv_error spapr_vtpm_get_error(void); +void spapr_vtpm_set_error(vtpm_drv_error errcode); struct tpm_req_header; int tpmhw_transmit(uint8_t locty, struct tpm_req_header *req, From patchwork Wed Dec 11 20:27:13 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1207908 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47Y7p73yzDz9sR8 for ; Thu, 12 Dec 2019 07:29:51 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47Y7p72wmnzDqpd for ; Thu, 12 Dec 2019 07:29:51 +1100 (AEDT) X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47Y7lm1VDwzDqPN for ; Thu, 12 Dec 2019 07:27:44 +1100 (AEDT) Received: from pps.filterd (m0098396.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xBBKGiu3020672; Wed, 11 Dec 2019 15:27:42 -0500 Received: from ppma02dal.us.ibm.com (a.bd.3ea9.ip4.static.sl-reverse.com [169.62.189.10]) by mx0a-001b2d01.pphosted.com with ESMTP id 2wtfbxur4d-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 15:27:42 -0500 Received: from pps.filterd (ppma02dal.us.ibm.com [127.0.0.1]) by ppma02dal.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id xBBKLNbh020702; Wed, 11 Dec 2019 20:27:41 GMT Received: from b01cxnp22033.gho.pok.ibm.com (b01cxnp22033.gho.pok.ibm.com [9.57.198.23]) by ppma02dal.us.ibm.com with ESMTP id 2wr3q723tw-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 20:27:41 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xBBKReaO22216970 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Dec 2019 20:27:40 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id C82D4B2065; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id BAB44B2064; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) Received: from newfield.pok.ibm.com (unknown [9.47.158.66]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) From: Stefan Berger To: slof@lists.ozlabs.org Date: Wed, 11 Dec 2019 15:27:13 -0500 Message-Id: <20191211202728.127996-19-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> References: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-11_06:2019-12-11, 2019-12-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=15 spamscore=0 mlxlogscore=999 malwarescore=0 phishscore=0 priorityscore=1501 bulkscore=0 adultscore=0 mlxscore=0 lowpriorityscore=0 clxscore=1015 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912110168 Subject: [SLOF] [PATCH v4 18/33] tpm: Add function to for getting version of TPM X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kevin@koconnor.net MIME-Version: 1.0 Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" Signed-off-by: Stefan Berger --- board-qemu/slof/vtpm-sml.fs | 6 +++++- lib/libtpm/tcgbios.c | 7 +++++++ lib/libtpm/tcgbios.h | 1 + lib/libtpm/tpm.code | 10 ++++++++++ lib/libtpm/tpm.in | 1 + lib/libtpm/tpm_drivers.c | 5 +++++ lib/libtpm/tpm_drivers.h | 5 +++++ 7 files changed, 34 insertions(+), 1 deletion(-) diff --git a/board-qemu/slof/vtpm-sml.fs b/board-qemu/slof/vtpm-sml.fs index 3752700..25918b8 100644 --- a/board-qemu/slof/vtpm-sml.fs +++ b/board-qemu/slof/vtpm-sml.fs @@ -364,7 +364,11 @@ log-base LOG-SIZE tpm-set-log-parameters ; : vtpm-menu - vtpm12-menu + tpm-get-tpm-version CASE + 1 OF + vtpm12-menu + ENDOF + ENDCASE ; : open true ; diff --git a/lib/libtpm/tcgbios.c b/lib/libtpm/tcgbios.c index b7f86d4..7554bd3 100644 --- a/lib/libtpm/tcgbios.c +++ b/lib/libtpm/tcgbios.c @@ -60,6 +60,8 @@ static struct tpm_state tpm_state; typedef uint8_t tpm_ppi_op; +#define TPM_version spapr_get_tpm_version() + /******************************************************** Extensions for TCG-enabled BIOS *******************************************************/ @@ -926,3 +928,8 @@ void tpm_driver_set_failure_reason(uint32_t errcode) spapr_vtpm_set_error(errcode); } + +uint32_t tpm_get_tpm_version(void) +{ + return TPM_version; +} diff --git a/lib/libtpm/tcgbios.h b/lib/libtpm/tcgbios.h index e37d075..398834a 100644 --- a/lib/libtpm/tcgbios.h +++ b/lib/libtpm/tcgbios.h @@ -39,6 +39,7 @@ uint32_t tpm_pass_through_to_tpm(unsigned char *buf, uint32_t cmdlen); uint32_t tpm_driver_get_state(void); uint32_t tpm_driver_get_failure_reason(void); void tpm_driver_set_failure_reason(uint32_t errcode); +uint32_t tpm_get_tpm_version(void); /* flags returned by tpm_get_state */ #define TPM_STATE_ENABLED 1 diff --git a/lib/libtpm/tpm.code b/lib/libtpm/tpm.code index 235f368..c63b21c 100644 --- a/lib/libtpm/tpm.code +++ b/lib/libtpm/tpm.code @@ -213,3 +213,13 @@ PRIM(tpm_X2d_pass_X2d_through_X2d_to_X2d_tpm) void *buf = TOS.a; TOS.n = tpm_pass_through_to_tpm(buf, cmdsize); MIRP + +/*******************************************************************/ +/* Firmware API */ +/* SLOF: tpm-get-tpm-version ( -- tpm-version ) */ +/* LIBTPM: tpm_version = tpm_get_tpm_version() */ +/*******************************************************************/ +PRIM(tpm_X2d_get_X2d_tpm_X2d_version) + PUSH; + TOS.n = tpm_get_tpm_version(); +MIRP diff --git a/lib/libtpm/tpm.in b/lib/libtpm/tpm.in index 3c3b745..1261ac8 100644 --- a/lib/libtpm/tpm.in +++ b/lib/libtpm/tpm.in @@ -32,3 +32,4 @@ cod(tpm-pass-through-to-tpm) cod(tpm-driver-get-state) cod(tpm-driver-get-failure-reason) cod(tpm-driver-set-failure-reason) +cod(tpm-get-tpm-version) diff --git a/lib/libtpm/tpm_drivers.c b/lib/libtpm/tpm_drivers.c index 4384f7f..78d0adc 100644 --- a/lib/libtpm/tpm_drivers.c +++ b/lib/libtpm/tpm_drivers.c @@ -469,6 +469,11 @@ void spapr_vtpm_set_error(vtpm_drv_error errcode) spapr_vtpm.driver_error = errcode; } +uint32_t spapr_get_tpm_version(void) +{ + return spapr_vtpm.tpm_version; +} + /**** higher layer interface ****/ bool spapr_is_vtpm_present(void) diff --git a/lib/libtpm/tpm_drivers.h b/lib/libtpm/tpm_drivers.h index 38976d0..5b7f84d 100644 --- a/lib/libtpm/tpm_drivers.h +++ b/lib/libtpm/tpm_drivers.h @@ -73,6 +73,10 @@ typedef enum { /* the max. buffer size by the external TPM is 4k */ #define PAPR_VTPM_MAX_BUFFER_SIZE 4096 +/* TPM version */ +#define TPM_VERSION_1_2 1 +#define TPM_VERSION_2 2 + /* exported functions */ bool spapr_is_vtpm_present(void); void spapr_vtpm_finalize(void); @@ -81,6 +85,7 @@ uint32_t spapr_vtpm_get_buffersize(void); vtpm_drv_state spapr_vtpm_get_state(void); vtpm_drv_error spapr_vtpm_get_error(void); void spapr_vtpm_set_error(vtpm_drv_error errcode); +uint32_t spapr_get_tpm_version(void); struct tpm_req_header; int tpmhw_transmit(uint8_t locty, struct tpm_req_header *req, From patchwork Wed Dec 11 20:27:14 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1207913 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47Y7pg39fBz9sR8 for ; Thu, 12 Dec 2019 07:30:19 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47Y7pg27BnzDqwN for ; Thu, 12 Dec 2019 07:30:19 +1100 (AEDT) X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47Y7lm2zVszDqZq for ; Thu, 12 Dec 2019 07:27:45 +1100 (AEDT) Received: from pps.filterd (m0098394.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xBBKGjVg065888; Wed, 11 Dec 2019 15:27:42 -0500 Received: from ppma04dal.us.ibm.com (7a.29.35a9.ip4.static.sl-reverse.com [169.53.41.122]) by mx0a-001b2d01.pphosted.com with ESMTP id 2wsm2g0et8-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 15:27:42 -0500 Received: from pps.filterd (ppma04dal.us.ibm.com [127.0.0.1]) by ppma04dal.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id xBBKIIkA026632; Wed, 11 Dec 2019 20:27:41 GMT Received: from b01cxnp22033.gho.pok.ibm.com (b01cxnp22033.gho.pok.ibm.com [9.57.198.23]) by ppma04dal.us.ibm.com with ESMTP id 2wr3q723hs-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 20:27:41 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xBBKRent51577308 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Dec 2019 20:27:41 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id D6F2FB205F; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id D3942B2066; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) Received: from newfield.pok.ibm.com (unknown [9.47.158.66]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) From: Stefan Berger To: slof@lists.ozlabs.org Date: Wed, 11 Dec 2019 15:27:14 -0500 Message-Id: <20191211202728.127996-20-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> References: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-11_06:2019-12-11, 2019-12-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 mlxlogscore=999 clxscore=1015 bulkscore=0 mlxscore=0 impostorscore=0 adultscore=0 suspectscore=1 lowpriorityscore=0 priorityscore=1501 spamscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912110168 Subject: [SLOF] [PATCH v4 19/33] tpm: Implement log related 32 bit endian conversion functions X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kevin@koconnor.net MIME-Version: 1.0 Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" Implement log related endian conversion functions for 32 bit numbers. This is necessary since TPM 1.2 logs are written in big endian format and TPM 2.0 logs in little endia format. Use the conversion function when we read or write 32 bit numbers to/from the 'pcpes' structure. Signed-off-by Stefan Berger --- lib/libtpm/tcgbios.c | 48 ++++++++++++++++++++++++++++++++++++-------- 1 file changed, 40 insertions(+), 8 deletions(-) diff --git a/lib/libtpm/tcgbios.c b/lib/libtpm/tcgbios.c index 7554bd3..af29406 100644 --- a/lib/libtpm/tcgbios.c +++ b/lib/libtpm/tcgbios.c @@ -62,6 +62,37 @@ typedef uint8_t tpm_ppi_op; #define TPM_version spapr_get_tpm_version() +/* + * TPM 1.2 logs are written in big endian format and TPM 2 logs + * are written in little endian format. + */ +static inline uint32_t log32_to_cpu(uint32_t val) +{ + switch (TPM_version) { + case TPM_VERSION_1_2: + return be32_to_cpu(val); + case TPM_VERSION_2: + return le32_to_cpu(val); + } + return 0; +} + +static inline uint32_t cpu_to_log32(uint32_t val) +{ + switch (TPM_version) { + case TPM_VERSION_1_2: + return cpu_to_be32(val); + case TPM_VERSION_2: + return cpu_to_le32(val); + } + return 0; +} + +static inline bool tpm_log_is_be(void) +{ + return TPM_version == TPM_VERSION_1_2; +} + /******************************************************** Extensions for TCG-enabled BIOS *******************************************************/ @@ -256,7 +287,7 @@ static uint32_t tpm_log_event_long(struct pcpes *pcpes, return TCGBIOS_LOGOVERFLOW; } - pcpes->eventdatasize = event_length; + pcpes->eventdatasize = cpu_to_log32(event_length); memcpy(tpm_state.log_area_next_entry, pcpes, offset_of(struct pcpes, event)); @@ -271,7 +302,7 @@ static uint32_t tpm_log_event_long(struct pcpes *pcpes, bool tpm_log_event(struct pcpes *pcpes) { const char *event = NULL; - uint32_t event_length = pcpes->eventdatasize; + uint32_t event_length = log32_to_cpu(pcpes->eventdatasize); if (event_length) event = (void *)pcpes + offset_of(struct pcpes, event); @@ -411,13 +442,13 @@ static uint32_t hash_log_extend(struct pcpes *pcpes, { int ret; - if (pcpes->pcrindex >= 24) + if (log32_to_cpu(pcpes->pcrindex) >= 24) return TCGBIOS_INVALID_INPUT_PARA; if (hashdata) tpm_hash_all(hashdata, hashdata_length, pcpes->digest); if (extend) { - ret = tpm_extend(pcpes->digest, pcpes->pcrindex); + ret = tpm_extend(pcpes->digest, log32_to_cpu(pcpes->pcrindex)); if (ret) return TCGBIOS_COMMAND_ERROR; } @@ -448,8 +479,8 @@ static uint32_t tpm_add_measurement_to_log(uint32_t pcrindex, { struct pcpes pcpes; - pcpes.pcrindex = pcrindex; - pcpes.eventtype = eventtype; + pcpes.pcrindex = cpu_to_log32(pcrindex); + pcpes.eventtype = cpu_to_log32(eventtype); memset(&pcpes.digest, 0, sizeof(pcpes.digest)); return hash_log_extend(&pcpes, hashdata, hashdatalen, @@ -462,7 +493,7 @@ static uint32_t tpm_add_measurement_to_log(uint32_t pcrindex, uint32_t tpm_hash_log_extend_event(struct pcpes *pcpes) { const char *event = NULL; - uint32_t event_length = pcpes->eventdatasize; + uint32_t event_length = log32_to_cpu(pcpes->eventdatasize); if (!tpm_is_working()) return TCGBIOS_GENERAL_ERROR; @@ -471,7 +502,8 @@ uint32_t tpm_hash_log_extend_event(struct pcpes *pcpes) event = (void *)pcpes + offset_of(struct pcpes, event); return hash_log_extend(pcpes, - &pcpes->event, pcpes->eventdatasize, + &pcpes->event, + log32_to_cpu(pcpes->eventdatasize), event, event_length, true); } From patchwork Wed Dec 11 20:27:15 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1207918 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47Y7qF25Vmz9sR7 for ; Thu, 12 Dec 2019 07:30:49 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47Y7qF0nKHzDqwH for ; Thu, 12 Dec 2019 07:30:49 +1100 (AEDT) X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47Y7lm5t83zDqcF for ; Thu, 12 Dec 2019 07:27:45 +1100 (AEDT) Received: from pps.filterd (m0098409.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xBBKGgMO006136; Wed, 11 Dec 2019 15:27:43 -0500 Received: from ppma04dal.us.ibm.com (7a.29.35a9.ip4.static.sl-reverse.com [169.53.41.122]) by mx0a-001b2d01.pphosted.com with ESMTP id 2wthkj76rb-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 15:27:42 -0500 Received: from pps.filterd (ppma04dal.us.ibm.com [127.0.0.1]) by ppma04dal.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id xBBKJ4JF027385; Wed, 11 Dec 2019 20:27:41 GMT Received: from b01cxnp22034.gho.pok.ibm.com (b01cxnp22034.gho.pok.ibm.com [9.57.198.24]) by ppma04dal.us.ibm.com with ESMTP id 2wr3q723ht-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 20:27:41 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22034.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xBBKRfIw55378366 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Dec 2019 20:27:41 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id E5A9FB2067; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id E1F2CB2064; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) Received: from newfield.pok.ibm.com (unknown [9.47.158.66]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) From: Stefan Berger To: slof@lists.ozlabs.org Date: Wed, 11 Dec 2019 15:27:15 -0500 Message-Id: <20191211202728.127996-21-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> References: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-11_06:2019-12-11, 2019-12-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 malwarescore=0 clxscore=1015 priorityscore=1501 mlxscore=0 suspectscore=1 spamscore=0 mlxlogscore=870 bulkscore=0 phishscore=0 adultscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912110168 Subject: [SLOF] [PATCH v4 20/33] tpm2: prepare tpmhw_transmit for TPM2 commands X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kevin@koconnor.net MIME-Version: 1.0 Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" --- lib/libtpm/tcgbios.c | 10 +++++++++- lib/libtpm/tcgbios_int.h | 8 ++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/lib/libtpm/tcgbios.c b/lib/libtpm/tcgbios.c index af29406..6762bcc 100644 --- a/lib/libtpm/tcgbios.c +++ b/lib/libtpm/tcgbios.c @@ -120,7 +120,6 @@ tpm_simple_cmd(uint8_t locty, uint32_t ordinal, int param_size, uint16_t param, uint16_t param; } __attribute__((packed)) req = { .trqh.totlen = cpu_to_be32(sizeof(req.trqh) + param_size), - .trqh.tag = cpu_to_be16(TPM_TAG_RQU_CMD), .trqh.ordinal = cpu_to_be32(ordinal), }; uint8_t obuffer[64]; @@ -128,6 +127,15 @@ tpm_simple_cmd(uint8_t locty, uint32_t ordinal, int param_size, uint16_t param, uint32_t obuffer_len = sizeof(obuffer); int ret; + switch (TPM_version) { + case TPM_VERSION_1_2: + req.trqh.tag = cpu_to_be16(TPM_TAG_RQU_CMD); + break; + case TPM_VERSION_2: + req.trqh.tag = cpu_to_be16(TPM2_ST_NO_SESSIONS); + break; + } + switch (param_size) { case 2: req.param = cpu_to_be16(param); diff --git a/lib/libtpm/tcgbios_int.h b/lib/libtpm/tcgbios_int.h index 39e1ea4..473de3a 100644 --- a/lib/libtpm/tcgbios_int.h +++ b/lib/libtpm/tcgbios_int.h @@ -195,4 +195,12 @@ struct tpm_rsp_getcap_buffersize { #define TPM_PPI_OP_SET_OWNERINSTALL_TRUE 8 #define TPM_PPI_OP_SET_OWNERINSTALL_FALSE 9 +/**************************************************************** + * TPM v2.0 hardware commands + ****************************************************************/ + +/* TPM 2 command tags */ +#define TPM2_ST_NO_SESSIONS 0x8001 +#define TPM2_ST_SESSIONS 0x8002 + #endif /* TCGBIOS_INT_H */ From patchwork Wed Dec 11 20:27:16 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1207919 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47Y7qN1xsFz9sR8 for ; Thu, 12 Dec 2019 07:30:56 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47Y7qN07KRzDqwJ for ; Thu, 12 Dec 2019 07:30:56 +1100 (AEDT) X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47Y7lm5x3xzDqdP for ; Thu, 12 Dec 2019 07:27:45 +1100 (AEDT) Received: from pps.filterd (m0098399.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xBBKGvOI132245; Wed, 11 Dec 2019 15:27:42 -0500 Received: from ppma04wdc.us.ibm.com (1a.90.2fa9.ip4.static.sl-reverse.com [169.47.144.26]) by mx0a-001b2d01.pphosted.com with ESMTP id 2wsu3rb30c-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 15:27:42 -0500 Received: from pps.filterd (ppma04wdc.us.ibm.com [127.0.0.1]) by ppma04wdc.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id xBBKJMpO001794; Wed, 11 Dec 2019 20:27:41 GMT Received: from b01cxnp22034.gho.pok.ibm.com (b01cxnp22034.gho.pok.ibm.com [9.57.198.24]) by ppma04wdc.us.ibm.com with ESMTP id 2wr3q6r4m3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 20:27:41 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22034.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xBBKRfsD55378368 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Dec 2019 20:27:41 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 00484B2068; Wed, 11 Dec 2019 20:27:41 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id F11C2B2066; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) Received: from newfield.pok.ibm.com (unknown [9.47.158.66]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 11 Dec 2019 20:27:40 +0000 (GMT) From: Stefan Berger To: slof@lists.ozlabs.org Date: Wed, 11 Dec 2019 15:27:16 -0500 Message-Id: <20191211202728.127996-22-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> References: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-11_06:2019-12-11, 2019-12-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 clxscore=1015 bulkscore=0 spamscore=0 lowpriorityscore=0 adultscore=0 impostorscore=0 mlxlogscore=999 mlxscore=0 suspectscore=1 malwarescore=0 priorityscore=1501 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912110168 Subject: [SLOF] [PATCH v4 21/33] tpm2: support TPM2 in tpm_set_failure X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kevin@koconnor.net MIME-Version: 1.0 Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" Signed-off-by: Stefan Berger --- lib/libtpm/tcgbios.c | 45 +++++++++++++++++++++++++++++++++++++--- lib/libtpm/tcgbios_int.h | 27 ++++++++++++++++++++++++ 2 files changed, 69 insertions(+), 3 deletions(-) diff --git a/lib/libtpm/tcgbios.c b/lib/libtpm/tcgbios.c index 6762bcc..f41db64 100644 --- a/lib/libtpm/tcgbios.c +++ b/lib/libtpm/tcgbios.c @@ -245,6 +245,37 @@ static int tpm_extend(uint8_t *hash, uint32_t pcrindex) return 0; } +static int tpm20_hierarchycontrol(uint32_t hierarchy, uint8_t state) +{ + /* we will try to deactivate the TPM now - ignoring all errors */ + struct tpm2_req_hierarchycontrol trh = { + .hdr.tag = cpu_to_be16(TPM2_ST_SESSIONS), + .hdr.totlen = cpu_to_be32(sizeof(trh)), + .hdr.ordinal = cpu_to_be32(TPM2_CC_HierarchyControl), + .authhandle = cpu_to_be32(TPM2_RH_PLATFORM), + .authblocksize = cpu_to_be32(sizeof(trh.authblock)), + .authblock = { + .handle = cpu_to_be32(TPM2_RS_PW), + .noncesize = cpu_to_be16(0), + .contsession = TPM2_YES, + .pwdsize = cpu_to_be16(0), + }, + .enable = cpu_to_be32(hierarchy), + .state = state, + }; + struct tpm_rsp_header rsp; + uint32_t resp_length = sizeof(rsp); + int ret = tpmhw_transmit(0, &trh.hdr, &rsp, &resp_length, + TPM_DURATION_TYPE_MEDIUM); + if (ret || resp_length != sizeof(rsp) || rsp.errcode) + ret = -1; + + dprintf("TCGBIOS: Return value from sending TPM2_CC_HierarchyControl = 0x%08x\n", + ret); + + return ret; +} + /**************************************************************** * Setup and Measurements ****************************************************************/ @@ -259,9 +290,17 @@ bool tpm_is_working(void) static void tpm_set_failure(void) { - /* we will try to deactivate the TPM now - ignoring all errors */ - tpm_simple_cmd(0, TPM_ORD_SET_TEMP_DEACTIVATED, - 0, 0, TPM_DURATION_TYPE_SHORT); + switch (TPM_version) { + case TPM_VERSION_1_2: + /* we will try to deactivate the TPM now - ignoring all errors */ + tpm_simple_cmd(0, TPM_ORD_SET_TEMP_DEACTIVATED, + 0, 0, TPM_DURATION_TYPE_SHORT); + break; + case TPM_VERSION_2: + tpm20_hierarchycontrol(TPM2_RH_ENDORSEMENT, TPM2_NO); + tpm20_hierarchycontrol(TPM2_RH_OWNER, TPM2_NO); + break; + } tpm_state.tpm_working = false; } diff --git a/lib/libtpm/tcgbios_int.h b/lib/libtpm/tcgbios_int.h index 473de3a..7e9d0f2 100644 --- a/lib/libtpm/tcgbios_int.h +++ b/lib/libtpm/tcgbios_int.h @@ -199,8 +199,35 @@ struct tpm_rsp_getcap_buffersize { * TPM v2.0 hardware commands ****************************************************************/ +#define TPM2_NO 0 +#define TPM2_YES 1 + +#define TPM2_RH_OWNER 0x40000001 +#define TPM2_RS_PW 0x40000009 +#define TPM2_RH_ENDORSEMENT 0x4000000b +#define TPM2_RH_PLATFORM 0x4000000c + /* TPM 2 command tags */ #define TPM2_ST_NO_SESSIONS 0x8001 #define TPM2_ST_SESSIONS 0x8002 +/* TPM 2 commands */ +#define TPM2_CC_HierarchyControl 0x121 + +struct tpm2_authblock { + uint32_t handle; + uint16_t noncesize; /* always 0 */ + uint8_t contsession; /* always TPM2_YES */ + uint16_t pwdsize; /* always 0 */ +} __attribute__((packed)); + +struct tpm2_req_hierarchycontrol { + struct tpm_req_header hdr; + uint32_t authhandle; + uint32_t authblocksize; + struct tpm2_authblock authblock; + uint32_t enable; + uint8_t state; +} __attribute__((packed)); + #endif /* TCGBIOS_INT_H */ From patchwork Wed Dec 11 20:27:17 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1207907 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47Y7p30nFwz9sR8 for ; Thu, 12 Dec 2019 07:29:47 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47Y7p24xGkzDqw1 for ; Thu, 12 Dec 2019 07:29:46 +1100 (AEDT) X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47Y7lm1tTyzDqLs for ; Thu, 12 Dec 2019 07:27:44 +1100 (AEDT) Received: from pps.filterd (m0098409.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xBBKGfcJ006045; Wed, 11 Dec 2019 15:27:42 -0500 Received: from ppma02wdc.us.ibm.com (aa.5b.37a9.ip4.static.sl-reverse.com [169.55.91.170]) by mx0a-001b2d01.pphosted.com with ESMTP id 2wthkj76r5-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 15:27:42 -0500 Received: from pps.filterd (ppma02wdc.us.ibm.com [127.0.0.1]) by ppma02wdc.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id xBBKLt3B005161; Wed, 11 Dec 2019 20:27:41 GMT Received: from b01cxnp22034.gho.pok.ibm.com (b01cxnp22034.gho.pok.ibm.com [9.57.198.24]) by ppma02wdc.us.ibm.com with ESMTP id 2wr3q6r2rf-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 20:27:41 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22034.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xBBKRfZB55378370 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Dec 2019 20:27:41 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 0F0CCB2064; Wed, 11 Dec 2019 20:27:41 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 0BA47B205F; Wed, 11 Dec 2019 20:27:41 +0000 (GMT) Received: from newfield.pok.ibm.com (unknown [9.47.158.66]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 11 Dec 2019 20:27:41 +0000 (GMT) From: Stefan Berger To: slof@lists.ozlabs.org Date: Wed, 11 Dec 2019 15:27:17 -0500 Message-Id: <20191211202728.127996-23-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> References: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-11_06:2019-12-11, 2019-12-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 malwarescore=0 clxscore=1015 priorityscore=1501 mlxscore=0 suspectscore=1 spamscore=0 mlxlogscore=999 bulkscore=0 phishscore=0 adultscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912110168 Subject: [SLOF] [PATCH v4 22/33] tpm2: Implement tpm20_startup() X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kevin@koconnor.net MIME-Version: 1.0 Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" Rename the existing startup() function to tpm12_startup and also prefix all the function it calls with tpm12_. Then implement tpm20_startup(). Signed-off-by: Stefan Berger --- lib/libtpm/tcgbios.c | 56 +++++++++++++++++++++++++++++++++++++++- lib/libtpm/tcgbios_int.h | 5 ++++ lib/libtpm/tpm_drivers.h | 9 +++++++ 3 files changed, 69 insertions(+), 1 deletion(-) diff --git a/lib/libtpm/tcgbios.c b/lib/libtpm/tcgbios.c index f41db64..cd5e13c 100644 --- a/lib/libtpm/tcgbios.c +++ b/lib/libtpm/tcgbios.c @@ -213,6 +213,17 @@ static int tpm12_determine_timeouts(void) return 0; } +static void tpm20_set_timeouts(void) +{ + uint32_t durations[3] = { + TPM2_DEFAULT_DURATION_SHORT, + TPM2_DEFAULT_DURATION_MEDIUM, + TPM2_DEFAULT_DURATION_LONG, + }; + + spapr_vtpm_set_durations(durations); +} + /* * Extend a PCR of the TPM with the given hash * @@ -417,6 +428,49 @@ err_exit: return -1; } +static int tpm20_startup(void) +{ + int ret; + + tpm20_set_timeouts(); + + ret = tpm_simple_cmd(0, TPM2_CC_Startup, + 2, TPM2_SU_CLEAR, TPM_DURATION_TYPE_SHORT); + dprintf("TCGBIOS: Return value from sending TPM2_CC_Startup(SU_CLEAR) = 0x%08x\n", + ret); + + if (ret) + goto err_exit; + + ret = tpm_simple_cmd(0, TPM2_CC_SelfTest, + 1, TPM2_YES, TPM_DURATION_TYPE_LONG); + + dprintf("TCGBIOS: Return value from sending TPM2_CC_SELF_TEST = 0x%08x\n", + ret); + + if (ret) + goto err_exit; + + return 0; + +err_exit: + dprintf("TCGBIOS: TPM malfunctioning (line %d).\n", __LINE__); + + tpm_set_failure(); + return -1; +} + +static int tpm_startup(void) +{ + switch (TPM_version) { + case TPM_VERSION_1_2: + return tpm12_startup(); + case TPM_VERSION_2: + return tpm20_startup(); + } + return -1; +} + uint32_t tpm_start(void) { tpm_state.has_physical_presence = false; @@ -429,7 +483,7 @@ uint32_t tpm_start(void) return TCGBIOS_FATAL_COM_ERROR; } - return tpm12_startup(); + return tpm_startup(); } void tpm_finalize(void) diff --git a/lib/libtpm/tcgbios_int.h b/lib/libtpm/tcgbios_int.h index 7e9d0f2..aeba9d9 100644 --- a/lib/libtpm/tcgbios_int.h +++ b/lib/libtpm/tcgbios_int.h @@ -202,6 +202,9 @@ struct tpm_rsp_getcap_buffersize { #define TPM2_NO 0 #define TPM2_YES 1 +#define TPM2_SU_CLEAR 0x0000 +#define TPM2_SU_STATE 0x0001 + #define TPM2_RH_OWNER 0x40000001 #define TPM2_RS_PW 0x40000009 #define TPM2_RH_ENDORSEMENT 0x4000000b @@ -213,6 +216,8 @@ struct tpm_rsp_getcap_buffersize { /* TPM 2 commands */ #define TPM2_CC_HierarchyControl 0x121 +#define TPM2_CC_SelfTest 0x143 +#define TPM2_CC_Startup 0x144 struct tpm2_authblock { uint32_t handle; diff --git a/lib/libtpm/tpm_drivers.h b/lib/libtpm/tpm_drivers.h index 5b7f84d..cfb7b72 100644 --- a/lib/libtpm/tpm_drivers.h +++ b/lib/libtpm/tpm_drivers.h @@ -30,6 +30,15 @@ enum tpm_duration_type { #define TPM_DEFAULT_DURATION_MEDIUM 20000000 /* us */ #define TPM_DEFAULT_DURATION_LONG 60000000 /* us */ +/* + * TPM 2 command durations; we set them to the timeout values + * given in TPM Profile (PTP) Specification; exceeding those + * timeout values indicates a faulty TPM. + */ +#define TPM2_DEFAULT_DURATION_SHORT 750000 /* us */ +#define TPM2_DEFAULT_DURATION_MEDIUM 2000000 /* us */ +#define TPM2_DEFAULT_DURATION_LONG 2000000 /* us */ + /* firmware driver states */ typedef enum { VTPM_DRV_STATE_INVALID = 0, From patchwork Wed Dec 11 20:27:18 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1207902 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47Y7nQ4WV7z9sRf for ; Thu, 12 Dec 2019 07:29:14 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47Y7nP59TBzDqkL for ; Thu, 12 Dec 2019 07:29:13 +1100 (AEDT) X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47Y7lm2ZyvzDqQY for ; Thu, 12 Dec 2019 07:27:44 +1100 (AEDT) Received: from pps.filterd (m0098393.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xBBKGft1068529; Wed, 11 Dec 2019 15:27:42 -0500 Received: from ppma04dal.us.ibm.com (7a.29.35a9.ip4.static.sl-reverse.com [169.53.41.122]) by mx0a-001b2d01.pphosted.com with ESMTP id 2wtf8jd2hs-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 15:27:42 -0500 Received: from pps.filterd (ppma04dal.us.ibm.com [127.0.0.1]) by ppma04dal.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id xBBKIIkB026632; Wed, 11 Dec 2019 20:27:42 GMT Received: from b01cxnp22034.gho.pok.ibm.com (b01cxnp22034.gho.pok.ibm.com [9.57.198.24]) by ppma04dal.us.ibm.com with ESMTP id 2wr3q723hv-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 20:27:41 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22034.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xBBKRfJt55378372 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Dec 2019 20:27:41 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 27F3BB205F; Wed, 11 Dec 2019 20:27:41 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 1A6B2B2065; Wed, 11 Dec 2019 20:27:41 +0000 (GMT) Received: from newfield.pok.ibm.com (unknown [9.47.158.66]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 11 Dec 2019 20:27:41 +0000 (GMT) From: Stefan Berger To: slof@lists.ozlabs.org Date: Wed, 11 Dec 2019 15:27:18 -0500 Message-Id: <20191211202728.127996-24-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> References: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-11_06:2019-12-11, 2019-12-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=1 bulkscore=0 clxscore=1015 priorityscore=1501 malwarescore=0 phishscore=0 mlxlogscore=999 impostorscore=0 mlxscore=0 spamscore=0 lowpriorityscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912110168 Subject: [SLOF] [PATCH v4 23/33] tpm2: implement 2nd part of tpm20_start() X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kevin@koconnor.net MIME-Version: 1.0 Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" Signed-off-by: Stefan Berger --- lib/libtpm/tcgbios.c | 69 ++++++++++++++++++++++++++++++++++++++++ lib/libtpm/tcgbios_int.h | 31 ++++++++++++++++++ 2 files changed, 100 insertions(+) diff --git a/lib/libtpm/tcgbios.c b/lib/libtpm/tcgbios.c index cd5e13c..3f1dca8 100644 --- a/lib/libtpm/tcgbios.c +++ b/lib/libtpm/tcgbios.c @@ -104,6 +104,9 @@ static void probe_tpm(void) tpm_state.tpm_working = tpm_state.tpm_found; } +static uint32_t tpm20_pcr_selection_size; +static struct tpml_pcr_selection *tpm20_pcr_selection; + /**************************************************************** * TPM hardware command wrappers ****************************************************************/ @@ -154,6 +157,68 @@ tpm_simple_cmd(uint8_t locty, uint32_t ordinal, int param_size, uint16_t param, return ret; } +static int +tpm20_getcapability(uint32_t capability, uint32_t property, uint32_t count, + struct tpm_rsp_header *rsp, uint32_t rsize) +{ + struct tpm2_req_getcapability trg = { + .hdr.tag = cpu_to_be16(TPM2_ST_NO_SESSIONS), + .hdr.totlen = cpu_to_be32(sizeof(trg)), + .hdr.ordinal = cpu_to_be32(TPM2_CC_GetCapability), + .capability = cpu_to_be32(capability), + .property = cpu_to_be32(property), + .propertycount = cpu_to_be32(count), + }; + + uint32_t resp_size = rsize; + int ret = tpmhw_transmit(0, &trg.hdr, rsp, &resp_size, + TPM_DURATION_TYPE_SHORT); + ret = (ret || + rsize < be32_to_cpu(rsp->totlen)) ? -1 + : be32_to_cpu(rsp->errcode); + + dprintf("TCGBIOS: Return value from sending TPM2_CC_GetCapability = 0x%08x\n", + ret); + + return ret; +} + +static int +tpm20_get_pcrbanks(void) +{ + uint8_t buffer[128]; + uint32_t size; + struct tpm2_res_getcapability *trg = + (struct tpm2_res_getcapability *)&buffer; + + int ret = tpm20_getcapability(TPM2_CAP_PCRS, 0, 8, &trg->hdr, + sizeof(buffer)); + if (ret) + return ret; + + /* defend against (broken) TPM sending packets that are too short */ + uint32_t resplen = be32_to_cpu(trg->hdr.totlen); + if (resplen <= offset_of(struct tpm2_res_getcapability, data)) + return -1; + + size = resplen - offset_of(struct tpm2_res_getcapability, data); + /* we need a valid tpml_pcr_selection up to and including sizeOfSelect*/ + if (size < offset_of(struct tpml_pcr_selection, selections) + + offset_of(struct tpms_pcr_selection, pcrSelect)) + return -1; + + tpm20_pcr_selection = SLOF_alloc_mem(size); + if (tpm20_pcr_selection) { + memcpy(tpm20_pcr_selection, &trg->data, size); + tpm20_pcr_selection_size = size; + } else { + printf("TCGBIOS: Failed to allocated %u bytes.\n", size); + ret = -1; + } + + return ret; +} + static int tpm12_get_capability(uint32_t cap, uint32_t subcap, struct tpm_rsp_header *rsp, uint32_t rsize) { @@ -451,6 +516,10 @@ static int tpm20_startup(void) if (ret) goto err_exit; + ret = tpm20_get_pcrbanks(); + if (ret) + goto err_exit; + return 0; err_exit: diff --git a/lib/libtpm/tcgbios_int.h b/lib/libtpm/tcgbios_int.h index aeba9d9..581424f 100644 --- a/lib/libtpm/tcgbios_int.h +++ b/lib/libtpm/tcgbios_int.h @@ -218,6 +218,12 @@ struct tpm_rsp_getcap_buffersize { #define TPM2_CC_HierarchyControl 0x121 #define TPM2_CC_SelfTest 0x143 #define TPM2_CC_Startup 0x144 +#define TPM2_CC_GetCapability 0x17a + +/* TPM 2 Capabilities */ +#define TPM2_CAP_PCRS 0x00000005 + +/* TPM 2 data structures */ struct tpm2_authblock { uint32_t handle; @@ -235,4 +241,29 @@ struct tpm2_req_hierarchycontrol { uint8_t state; } __attribute__((packed)); +struct tpm2_req_getcapability { + struct tpm_req_header hdr; + uint32_t capability; + uint32_t property; + uint32_t propertycount; +} __attribute__((packed)); + +struct tpm2_res_getcapability { + struct tpm_rsp_header hdr; + uint8_t moreData; + uint32_t capability; + uint8_t data[0]; /* capability dependent data */ +} __attribute__((packed)); + +struct tpms_pcr_selection { + uint16_t hashAlg; + uint8_t sizeOfSelect; + uint8_t pcrSelect[0]; +} __attribute__((packed)); + +struct tpml_pcr_selection { + uint32_t count; + struct tpms_pcr_selection selections[0]; +} __attribute__((packed)); + #endif /* TCGBIOS_INT_H */ From patchwork Wed Dec 11 20:27:19 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1207917 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47Y7q81Dwfz9sR8 for ; Thu, 12 Dec 2019 07:30:44 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47Y7q75S7PzDqwY for ; Thu, 12 Dec 2019 07:30:43 +1100 (AEDT) X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47Y7lm62slzDqf0 for ; Thu, 12 Dec 2019 07:27:45 +1100 (AEDT) Received: from pps.filterd (m0098409.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xBBKGfJN006042; Wed, 11 Dec 2019 15:27:43 -0500 Received: from ppma04wdc.us.ibm.com (1a.90.2fa9.ip4.static.sl-reverse.com [169.47.144.26]) by mx0a-001b2d01.pphosted.com with ESMTP id 2wthkj76rn-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 15:27:42 -0500 Received: from pps.filterd (ppma04wdc.us.ibm.com [127.0.0.1]) by ppma04wdc.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id xBBKPTDb007965; Wed, 11 Dec 2019 20:27:41 GMT Received: from b01cxnp22034.gho.pok.ibm.com (b01cxnp22034.gho.pok.ibm.com [9.57.198.24]) by ppma04wdc.us.ibm.com with ESMTP id 2wr3q6r4m6-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 20:27:41 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22034.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xBBKRfE955378374 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Dec 2019 20:27:41 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 5679BB205F; Wed, 11 Dec 2019 20:27:41 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 33403B2066; Wed, 11 Dec 2019 20:27:41 +0000 (GMT) Received: from newfield.pok.ibm.com (unknown [9.47.158.66]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 11 Dec 2019 20:27:41 +0000 (GMT) From: Stefan Berger To: slof@lists.ozlabs.org Date: Wed, 11 Dec 2019 15:27:19 -0500 Message-Id: <20191211202728.127996-25-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> References: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-11_06:2019-12-11, 2019-12-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 malwarescore=0 clxscore=1015 priorityscore=1501 mlxscore=0 suspectscore=1 spamscore=0 mlxlogscore=999 bulkscore=0 phishscore=0 adultscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912110168 Subject: [SLOF] [PATCH v4 24/33] tpm2: Rework the logging and implement tpm20_extend() X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kevin@koconnor.net MIME-Version: 1.0 Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" Signed-off-by: Stefan Berger --- lib/libtpm/tcgbios.c | 363 ++++++++++++++++++++++++++++++++++++--- lib/libtpm/tcgbios_int.h | 69 ++++++++ 2 files changed, 406 insertions(+), 26 deletions(-) diff --git a/lib/libtpm/tcgbios.c b/lib/libtpm/tcgbios.c index 3f1dca8..c8759cb 100644 --- a/lib/libtpm/tcgbios.c +++ b/lib/libtpm/tcgbios.c @@ -88,6 +88,17 @@ static inline uint32_t cpu_to_log32(uint32_t val) return 0; } +static inline uint16_t cpu_to_log16(uint16_t val) +{ + switch (TPM_version) { + case TPM_VERSION_1_2: + return cpu_to_be16(val); + case TPM_VERSION_2: + return cpu_to_le16(val); + } + return 0; +} + static inline bool tpm_log_is_be(void) { return TPM_version == TPM_VERSION_1_2; @@ -104,9 +115,144 @@ static void probe_tpm(void) tpm_state.tpm_working = tpm_state.tpm_found; } + +/**************************************************************** + * Digest formatting + ****************************************************************/ + static uint32_t tpm20_pcr_selection_size; static struct tpml_pcr_selection *tpm20_pcr_selection; +/* A 'struct tpm_log_entry' is a local data structure containing a + * 'tpm_log_header' followed by space for the maximum supported + * digest. (The digest is a sha1 hash on tpm1.2 or a series of + * tpm2_digest_value structs on tpm2.0) + */ +struct tpm_log_entry { + struct tpm_log_header hdr; + uint8_t pad[sizeof(struct tpm2_digest_values) + + 5 * sizeof(struct tpm2_digest_value) + + SHA1_BUFSIZE + SHA256_BUFSIZE + SHA384_BUFSIZE + + SHA512_BUFSIZE + SM3_256_BUFSIZE]; +} __attribute__((packed)); + +static int +tpm20_get_hash_buffersize(uint16_t hashAlg) +{ + switch (hashAlg) { + case TPM2_ALG_SHA1: + return SHA1_BUFSIZE; + case TPM2_ALG_SHA256: + return SHA256_BUFSIZE; + case TPM2_ALG_SHA384: + return SHA384_BUFSIZE; + case TPM2_ALG_SHA512: + return SHA512_BUFSIZE; + case TPM2_ALG_SM3_256: + return SM3_256_BUFSIZE; + default: + return -1; + } +} + +/* + * Build the TPM2 tpm2_digest_values data structure from the given hash. + * Follow the PCR bank configuration of the TPM and write the same hash + * in either truncated or zero-padded form in the areas of all the other + * hashes. For example, write the sha1 hash in the area of the sha256 + * hash and fill the remaining bytes with zeros. Or truncate the sha256 + * hash when writing it in the area of the sha1 hash. + * + * le: the log entry to build the digest in + * sha1: the sha1 hash value to use + * bigEndian: whether to build in big endian format for the TPM or log + * little endian for the log (TPM 2.0) + * + * Returns the digest size; -1 on fatal error + */ +static int tpm20_build_digest(struct tpm_log_entry *le, const uint8_t *sha1, + bool bigEndian) +{ + struct tpms_pcr_selection *sel; + void *nsel, *end; + void *dest = le->hdr.digest + sizeof(struct tpm2_digest_values); + uint32_t count; + struct tpm2_digest_value *v; + struct tpm2_digest_values *vs; + + if (!tpm20_pcr_selection) + return -1; + + sel = tpm20_pcr_selection->selections; + end = (void *)tpm20_pcr_selection + tpm20_pcr_selection_size; + + for (count = 0; count < be32_to_cpu(tpm20_pcr_selection->count); count++) { + int hsize; + uint8_t sizeOfSelect = sel->sizeOfSelect; + + nsel = (void*)sel + sizeof(*sel) + sizeOfSelect; + if (nsel > end) + break; + + hsize = tpm20_get_hash_buffersize(be16_to_cpu(sel->hashAlg)); + if (hsize < 0) { + dprintf("TPM is using an unsupported hash: %d\n", + be16_to_cpu(sel->hashAlg)); + return -1; + } + + /* buffer size sanity check before writing */ + v = dest; + if (dest + sizeof(*v) + hsize > (void*)le + sizeof(*le)) { + dprintf("tpm_log_entry is too small\n"); + return -1; + } + + if (bigEndian) + v->hashAlg = sel->hashAlg; + else + v->hashAlg = cpu_to_le16(be16_to_cpu(sel->hashAlg)); + + memset(v->hash, 0, hsize); + memcpy(v->hash, sha1, hsize > SHA1_BUFSIZE ? SHA1_BUFSIZE : hsize); + + dest += sizeof(*v) + hsize; + sel = nsel; + } + + if (sel != end) { + dprintf("Malformed pcr selection structure fron TPM\n"); + return -1; + } + + vs = (void*)le->hdr.digest; + if (bigEndian) + vs->count = cpu_to_be32(count); + else + vs->count = cpu_to_le32(count); + + return dest - (void*)le->hdr.digest; +} + +static int tpm12_build_digest(struct tpm_log_entry *le, const uint8_t *sha1) +{ + // On TPM 1.2 the digest contains just the SHA1 hash + memcpy(le->hdr.digest, sha1, SHA1_BUFSIZE); + return SHA1_BUFSIZE; +} + +static int +tpm_build_digest(struct tpm_log_entry *le, const uint8_t *sha1, bool bigEndian) +{ + switch (TPM_version) { + case TPM_VERSION_1_2: + return tpm12_build_digest(le, sha1); + case TPM_VERSION_2: + return tpm20_build_digest(le, sha1, bigEndian); + } + return -1; +} + /**************************************************************** * TPM hardware command wrappers ****************************************************************/ @@ -295,19 +441,19 @@ static void tpm20_set_timeouts(void) * @hash: sha1 hash (20 bytes) to extend PCR with * @pcrindex: the PCR to extend [ 0..23 ] */ -static int tpm_extend(uint8_t *hash, uint32_t pcrindex) +static int tpm12_extend(struct tpm_log_entry *le, int digest_len) { struct tpm_req_extend tre = { .hdr.tag = cpu_to_be16(TPM_TAG_RQU_CMD), .hdr.totlen = cpu_to_be32(sizeof(tre)), .hdr.ordinal = cpu_to_be32(TPM_ORD_EXTEND), - .pcrindex = cpu_to_be32(pcrindex), + .pcrindex = cpu_to_be32(log32_to_cpu(le->hdr.pcrindex)), }; struct tpm_rsp_extend rsp; uint32_t resp_length = sizeof(rsp); int ret; - memcpy(tre.digest, hash, sizeof(tre.digest)); + memcpy(tre.digest, le->hdr.digest, sizeof(tre.digest)); ret = tpmhw_transmit(0, &tre.hdr, &rsp, &resp_length, TPM_DURATION_TYPE_SHORT); @@ -321,6 +467,50 @@ static int tpm_extend(uint8_t *hash, uint32_t pcrindex) return 0; } +static int tpm20_extend(struct tpm_log_entry *le, int digest_len) +{ + struct tpm2_req_extend tmp_tre = { + .hdr.tag = cpu_to_be16(TPM2_ST_SESSIONS), + .hdr.totlen = cpu_to_be32(0), + .hdr.ordinal = cpu_to_be32(TPM2_CC_PCR_Extend), + .pcrindex = cpu_to_be32(log32_to_cpu(le->hdr.pcrindex)), + .authblocksize = cpu_to_be32(sizeof(tmp_tre.authblock)), + .authblock = { + .handle = cpu_to_be32(TPM2_RS_PW), + .noncesize = cpu_to_be16(0), + .contsession = TPM2_YES, + .pwdsize = cpu_to_be16(0), + }, + }; + uint8_t buffer[sizeof(tmp_tre) + sizeof(le->pad)]; + struct tpm2_req_extend *tre = (struct tpm2_req_extend *)buffer; + + memcpy(tre, &tmp_tre, sizeof(tmp_tre)); + memcpy(&tre->digest[0], le->hdr.digest, digest_len); + + tre->hdr.totlen = cpu_to_be32(sizeof(tmp_tre) + digest_len); + + struct tpm_rsp_header rsp; + uint32_t resp_length = sizeof(rsp); + int ret = tpmhw_transmit(0, &tre->hdr, &rsp, &resp_length, + TPM_DURATION_TYPE_SHORT); + if (ret || resp_length != sizeof(rsp) || rsp.errcode) + return -1; + + return 0; +} + +static int tpm_extend(struct tpm_log_entry *le, int digest_len) +{ + switch (TPM_version) { + case TPM_VERSION_1_2: + return tpm12_extend(le, digest_len); + case TPM_VERSION_2: + return tpm20_extend(le, digest_len); + } + return -1; +} + static int tpm20_hierarchycontrol(uint32_t hierarchy, uint8_t state) { /* we will try to deactivate the TPM now - ignoring all errors */ @@ -391,10 +581,12 @@ static void tpm_set_failure(void) * * Returns 0 on success, an error code otherwise. */ -static uint32_t tpm_log_event_long(struct pcpes *pcpes, +static uint32_t tpm_log_event_long(struct tpm_log_header *entry, + int digest_len, const void *event, uint32_t event_length) { - uint32_t size; + uint32_t size, logsize; + void *dest; dprintf("log base address = %p, next entry = %p\n", tpm_state.log_base, tpm_state.log_area_next_entry); @@ -402,20 +594,21 @@ static uint32_t tpm_log_event_long(struct pcpes *pcpes, if (tpm_state.log_area_next_entry == NULL) return TCGBIOS_LOGOVERFLOW; - size = offset_of(struct pcpes, event) + event_length; - - if ((tpm_state.log_area_next_entry + size - tpm_state.log_base) > - tpm_state.log_area_size) { - dprintf("LOG OVERFLOW: size = %d\n", size); + size = sizeof(*entry) + digest_len + + sizeof(struct tpm_log_trailer) + event_length; + logsize = (tpm_state.log_area_next_entry + size - + tpm_state.log_base); + if (logsize > tpm_state.log_area_size) { + dprintf("TCGBIOS: LOG OVERFLOW: size = %u\n", size); return TCGBIOS_LOGOVERFLOW; } - pcpes->eventdatasize = cpu_to_log32(event_length); - - memcpy(tpm_state.log_area_next_entry, pcpes, - offset_of(struct pcpes, event)); - memcpy(tpm_state.log_area_next_entry + offset_of(struct pcpes, event), - event, event_length); + dest = tpm_state.log_area_next_entry; + memcpy(dest, entry, sizeof(*entry) + digest_len); + struct tpm_log_trailer *t = dest + sizeof(*entry) + digest_len; + t->eventdatasize = cpu_to_log32(event_length); + if (event_length) + memcpy(t->event, event, event_length); tpm_state.log_area_next_entry += size; @@ -426,11 +619,97 @@ bool tpm_log_event(struct pcpes *pcpes) { const char *event = NULL; uint32_t event_length = log32_to_cpu(pcpes->eventdatasize); + struct tpm_log_entry le = { + .hdr.pcrindex = pcpes->pcrindex, + .hdr.eventtype = pcpes->eventtype, + }; + int digest_len, ret; if (event_length) event = (void *)pcpes + offset_of(struct pcpes, event); - return (tpm_log_event_long(pcpes, event, event_length) == 0); + digest_len = tpm_build_digest(&le, pcpes->digest, tpm_log_is_be()); + if (digest_len < 0) + return false; + + ret = tpm_log_event_long(&le.hdr, digest_len, event, event_length); + if (ret) + return false; + return true; +} + +/* Add an entry at the start of the log describing digest formats + */ +static int tpm20_write_EfiSpecIdEventStruct(void) +{ + if (!tpm20_pcr_selection) + return -1; + + struct { + struct TCG_EfiSpecIdEventStruct hdr; + uint32_t pad[256]; + } event = { + .hdr.signature = "Spec ID Event03", + .hdr.platformClass = TPM_TCPA_ACPI_CLASS_CLIENT, + .hdr.specVersionMinor = 0, + .hdr.specVersionMajor = 2, + .hdr.specErrata = 0, + .hdr.uintnSize = 2, + }; + + struct tpms_pcr_selection *sel = tpm20_pcr_selection->selections; + void *nsel, *end = (void*)tpm20_pcr_selection + tpm20_pcr_selection_size; + int event_size; + uint32_t *vendorInfoSize; + struct tpm_log_entry le = { + .hdr.eventtype = cpu_to_log32(EV_NO_ACTION), + }; + uint32_t count; + + for (count = 0; + count < be32_to_cpu(tpm20_pcr_selection->count); + count++) { + int hsize; + uint8_t sizeOfSelect = sel->sizeOfSelect; + + nsel = (void*)sel + sizeof(*sel) + sizeOfSelect; + if (nsel > end) + break; + + hsize = tpm20_get_hash_buffersize(be16_to_cpu(sel->hashAlg)); + if (hsize < 0) { + dprintf("TPM is using an unsupported hash: %d\n", + be16_to_cpu(sel->hashAlg)); + return -1; + } + + event_size = offset_of(struct TCG_EfiSpecIdEventStruct, + digestSizes[count+1]); + if (event_size > sizeof(event) - sizeof(uint32_t)) { + dprintf("EfiSpecIdEventStruct pad too small\n"); + return -1; + } + + event.hdr.digestSizes[count].algorithmId = + cpu_to_log16(be16_to_cpu(sel->hashAlg)); + event.hdr.digestSizes[count].digestSize = cpu_to_log16(hsize); + + sel = nsel; + } + + if (sel != end) { + dprintf("Malformed pcr selection structure fron TPM\n"); + return -1; + } + + event.hdr.numberOfAlgorithms = cpu_to_log32(count); + event_size = offset_of(struct TCG_EfiSpecIdEventStruct, + digestSizes[count]); + vendorInfoSize = (void*)&event + event_size; + *vendorInfoSize = 0; + event_size += sizeof(*vendorInfoSize); + + return tpm_log_event_long(&le.hdr, SHA1_BUFSIZE, &event, event_size); } static int tpm12_assert_physical_presence(void) @@ -520,6 +799,8 @@ static int tpm20_startup(void) if (ret) goto err_exit; + /* the log parameters will be passed from Forth layer */ + return 0; err_exit: @@ -580,11 +861,20 @@ uint32_t tpm_unassert_physical_presence(void) void tpm_set_log_parameters(void *addr, unsigned int size) { + int ret; + dprintf("Log is at 0x%llx; size is %u bytes\n", (uint64_t)addr, size); tpm_state.log_base = addr; tpm_state.log_area_next_entry = addr; tpm_state.log_area_size = size; + + switch (TPM_version) { + case TPM_VERSION_2: + ret = tpm20_write_EfiSpecIdEventStruct(); + if (ret) + tpm_set_failure(); + } } uint32_t tpm_get_logsize(void) @@ -611,18 +901,29 @@ static uint32_t hash_log_extend(struct pcpes *pcpes, bool extend) { int ret; + struct tpm_log_entry le; + int digest_len; if (log32_to_cpu(pcpes->pcrindex) >= 24) return TCGBIOS_INVALID_INPUT_PARA; if (hashdata) tpm_hash_all(hashdata, hashdata_length, pcpes->digest); + le = (struct tpm_log_entry) { + .hdr.pcrindex = pcpes->pcrindex, + .hdr.eventtype = pcpes->eventtype, + }; + digest_len = tpm_build_digest(&le, pcpes->digest, true); + if (digest_len < 0) + return TCGBIOS_GENERAL_ERROR; + if (extend) { - ret = tpm_extend(pcpes->digest, log32_to_cpu(pcpes->pcrindex)); + ret = tpm_extend(&le, digest_len); if (ret) return TCGBIOS_COMMAND_ERROR; } - ret = tpm_log_event_long(pcpes, event, event_length); + tpm_build_digest(&le, pcpes->digest, tpm_log_is_be()); + ret = tpm_log_event_long(&le.hdr, digest_len, event, event_length); if (ret) return TCGBIOS_LOGOVERFLOW; return 0; @@ -647,14 +948,24 @@ static uint32_t tpm_add_measurement_to_log(uint32_t pcrindex, const uint8_t *hashdata, uint32_t hashdatalen) { - struct pcpes pcpes; - - pcpes.pcrindex = cpu_to_log32(pcrindex); - pcpes.eventtype = cpu_to_log32(eventtype); - memset(&pcpes.digest, 0, sizeof(pcpes.digest)); + uint8_t hash[SHA1_BUFSIZE]; + struct tpm_log_entry le = { + .hdr.pcrindex = cpu_to_log32(pcrindex), + .hdr.eventtype = cpu_to_log32(eventtype), + }; + int digest_len; - return hash_log_extend(&pcpes, hashdata, hashdatalen, - info, infolen, true); + sha1(hashdata, hashdatalen, hash); + digest_len = tpm_build_digest(&le, hash, true); + if (digest_len < 0) + return TCGBIOS_GENERAL_ERROR; + int ret = tpm_extend(&le, digest_len); + if (ret) { + tpm_set_failure(); + return TCGBIOS_COMMAND_ERROR; + } + tpm_build_digest(&le, hash, tpm_log_is_be()); + return tpm_log_event_long(&le.hdr, digest_len, info, infolen); } /* diff --git a/lib/libtpm/tcgbios_int.h b/lib/libtpm/tcgbios_int.h index 581424f..3aab7ed 100644 --- a/lib/libtpm/tcgbios_int.h +++ b/lib/libtpm/tcgbios_int.h @@ -56,6 +56,7 @@ /* event types */ #define EV_POST_CODE 1 +#define EV_NO_ACTION 3 #define EV_SEPARATOR 4 #define EV_ACTION 5 #define EV_EVENT_TAG 6 @@ -65,6 +66,59 @@ #define EV_IPL_PARTITION_DATA 14 #define SHA1_BUFSIZE 20 +#define SHA256_BUFSIZE 32 +#define SHA384_BUFSIZE 48 +#define SHA512_BUFSIZE 64 +#define SM3_256_BUFSIZE 32 + +struct tpm2_digest_value { + uint16_t hashAlg; + uint8_t hash[0]; /* size depends on hashAlg */ +} __attribute__((packed)); + +struct tpm2_digest_values { + uint32_t count; + struct tpm2_digest_value digest[0]; +} __attribute__((packed)); + +/* Each entry in the TPM log contains: a tpm_log_header, a variable + * length digest, a tpm_log_trailer, and a variable length event. The + * 'digest' matches what is sent to the TPM hardware via the Extend + * command. On TPM1.2 the digest is a SHA1 hash; on TPM2.0 the digest + * contains a tpm2_digest_values struct followed by a variable number + * of tpm2_digest_value structs (as specified by the hardware via the + * TPM2_CAP_PCRS request). + */ +struct tpm_log_header { + uint32_t pcrindex; + uint32_t eventtype; + uint8_t digest[0]; +} __attribute__((packed)); + +struct tpm_log_trailer { + uint32_t eventdatasize; + uint8_t event[0]; +} __attribute__((packed)); + +struct TCG_EfiSpecIdEventStruct { + uint8_t signature[16]; + uint32_t platformClass; + uint8_t specVersionMinor; + uint8_t specVersionMajor; + uint8_t specErrata; + uint8_t uintnSize; + uint32_t numberOfAlgorithms; + struct TCG_EfiSpecIdEventAlgorithmSize { + uint16_t algorithmId; + uint16_t digestSize; + } digestSizes[0]; + /* + uint8_t vendorInfoSize; + uint8_t vendorInfo[0]; + */ +} __attribute__((packed)); + +#define TPM_TCPA_ACPI_CLASS_CLIENT 0 /* Input and Output blocks for the TCG BIOS commands */ @@ -210,6 +264,12 @@ struct tpm_rsp_getcap_buffersize { #define TPM2_RH_ENDORSEMENT 0x4000000b #define TPM2_RH_PLATFORM 0x4000000c +#define TPM2_ALG_SHA1 0x0004 +#define TPM2_ALG_SHA256 0x000b +#define TPM2_ALG_SHA384 0x000c +#define TPM2_ALG_SHA512 0x000d +#define TPM2_ALG_SM3_256 0x0012 + /* TPM 2 command tags */ #define TPM2_ST_NO_SESSIONS 0x8001 #define TPM2_ST_SESSIONS 0x8002 @@ -219,6 +279,7 @@ struct tpm_rsp_getcap_buffersize { #define TPM2_CC_SelfTest 0x143 #define TPM2_CC_Startup 0x144 #define TPM2_CC_GetCapability 0x17a +#define TPM2_CC_PCR_Extend 0x182 /* TPM 2 Capabilities */ #define TPM2_CAP_PCRS 0x00000005 @@ -232,6 +293,14 @@ struct tpm2_authblock { uint16_t pwdsize; /* always 0 */ } __attribute__((packed)); +struct tpm2_req_extend { + struct tpm_req_header hdr; + uint32_t pcrindex; + uint32_t authblocksize; + struct tpm2_authblock authblock; + uint8_t digest[0]; +} __attribute__((packed)); + struct tpm2_req_hierarchycontrol { struct tpm_req_header hdr; uint32_t authhandle; From patchwork Wed Dec 11 20:27:20 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1207914 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47Y7pn0RW8z9sR7 for ; Thu, 12 Dec 2019 07:30:25 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47Y7pm6990zDqwJ for ; Thu, 12 Dec 2019 07:30:24 +1100 (AEDT) X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47Y7lm4rBczDqc9 for ; Thu, 12 Dec 2019 07:27:45 +1100 (AEDT) Received: from pps.filterd (m0098393.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xBBKGgXl068624; Wed, 11 Dec 2019 15:27:43 -0500 Received: from ppma01dal.us.ibm.com (83.d6.3fa9.ip4.static.sl-reverse.com [169.63.214.131]) by mx0a-001b2d01.pphosted.com with ESMTP id 2wtf8jd2hw-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 15:27:43 -0500 Received: from pps.filterd (ppma01dal.us.ibm.com [127.0.0.1]) by ppma01dal.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id xBBKQBK9000713; Wed, 11 Dec 2019 20:27:42 GMT Received: from b01cxnp22034.gho.pok.ibm.com (b01cxnp22034.gho.pok.ibm.com [9.57.198.24]) by ppma01dal.us.ibm.com with ESMTP id 2wr3q7a2te-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 20:27:42 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22034.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xBBKRfEA50856384 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Dec 2019 20:27:41 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 6DA7AB206A; Wed, 11 Dec 2019 20:27:41 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 5699EB2065; Wed, 11 Dec 2019 20:27:41 +0000 (GMT) Received: from newfield.pok.ibm.com (unknown [9.47.158.66]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 11 Dec 2019 20:27:41 +0000 (GMT) From: Stefan Berger To: slof@lists.ozlabs.org Date: Wed, 11 Dec 2019 15:27:20 -0500 Message-Id: <20191211202728.127996-26-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> References: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-11_06:2019-12-11, 2019-12-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=1 bulkscore=0 clxscore=1015 priorityscore=1501 malwarescore=0 phishscore=0 mlxlogscore=843 impostorscore=0 mlxscore=0 spamscore=0 lowpriorityscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912110168 Subject: [SLOF] [PATCH v4 25/33] tpm2: refactor tpm_unassert_physical_presence for TPM2 X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kevin@koconnor.net MIME-Version: 1.0 Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" Signed-off-by: Stefan Berger --- lib/libtpm/tcgbios.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/lib/libtpm/tcgbios.c b/lib/libtpm/tcgbios.c index c8759cb..bc54c8d 100644 --- a/lib/libtpm/tcgbios.c +++ b/lib/libtpm/tcgbios.c @@ -847,10 +847,14 @@ void tpm_finalize(void) */ uint32_t tpm_unassert_physical_presence(void) { - if (tpm_state.has_physical_presence) - tpm_simple_cmd(0, TPM_ORD_PHYSICAL_PRESENCE, - 2, TPM_PP_NOT_PRESENT_LOCK, - TPM_DURATION_TYPE_SHORT); + switch (TPM_version) { + case TPM_VERSION_1_2: + if (tpm_state.has_physical_presence) + tpm_simple_cmd(0, TPM_ORD_PHYSICAL_PRESENCE, + 2, TPM_PP_NOT_PRESENT_LOCK, + TPM_DURATION_TYPE_SHORT); + break; + } return 0; } From patchwork Wed Dec 11 20:27:21 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1207916 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47Y7q126qWz9sR7 for ; Thu, 12 Dec 2019 07:30:37 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47Y7q10dwZzDqwY for ; Thu, 12 Dec 2019 07:30:37 +1100 (AEDT) X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.158.5; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47Y7lm4nXlzDqJ2 for ; Thu, 12 Dec 2019 07:27:45 +1100 (AEDT) Received: from pps.filterd (m0098413.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xBBKGf9o041125; Wed, 11 Dec 2019 15:27:43 -0500 Received: from ppma02dal.us.ibm.com (a.bd.3ea9.ip4.static.sl-reverse.com [169.62.189.10]) by mx0b-001b2d01.pphosted.com with ESMTP id 2wsqc2pd38-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 15:27:43 -0500 Received: from pps.filterd (ppma02dal.us.ibm.com [127.0.0.1]) by ppma02dal.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id xBBKLNbj020702; Wed, 11 Dec 2019 20:27:42 GMT Received: from b01cxnp22034.gho.pok.ibm.com (b01cxnp22034.gho.pok.ibm.com [9.57.198.24]) by ppma02dal.us.ibm.com with ESMTP id 2wr3q723u1-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 20:27:42 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22034.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xBBKRf8I54591994 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Dec 2019 20:27:41 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 7A02FB2064; Wed, 11 Dec 2019 20:27:41 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 6D7AFB2068; Wed, 11 Dec 2019 20:27:41 +0000 (GMT) Received: from newfield.pok.ibm.com (unknown [9.47.158.66]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 11 Dec 2019 20:27:41 +0000 (GMT) From: Stefan Berger To: slof@lists.ozlabs.org Date: Wed, 11 Dec 2019 15:27:21 -0500 Message-Id: <20191211202728.127996-27-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> References: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-11_06:2019-12-11, 2019-12-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 bulkscore=0 adultscore=0 malwarescore=0 suspectscore=1 clxscore=1015 mlxscore=0 phishscore=0 priorityscore=1501 mlxlogscore=999 spamscore=0 lowpriorityscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912110168 Subject: [SLOF] [PATCH v4 26/33] tpm2: Prefix functions with tpm12_ and adapt for TPM 2 case X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kevin@koconnor.net MIME-Version: 1.0 Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" Prefex remaining TPM 1.2 related function with tpm12_ and adapt some functions to handle the TPM 2 case in the switch statement. Signed-off-by: Stefan Berger --- lib/libtpm/tcgbios.c | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/lib/libtpm/tcgbios.c b/lib/libtpm/tcgbios.c index bc54c8d..02b5ba8 100644 --- a/lib/libtpm/tcgbios.c +++ b/lib/libtpm/tcgbios.c @@ -1268,10 +1268,16 @@ static int tpm12_process_cfg(tpm_ppi_op ppi_op, bool verbose) uint32_t tpm_process_opcode(uint8_t op, bool verbose) { - return tpm12_process_cfg(op, verbose); + switch (TPM_version) { + case TPM_VERSION_1_2: + return tpm12_process_cfg(op, verbose); + case TPM_VERSION_2: + break; + } + return TCGBIOS_GENERAL_ERROR; } -int tpm_get_state(void) +static int tpm12_get_state(void) { int state = 0; struct tpm_permanent_flags pf; @@ -1299,6 +1305,17 @@ int tpm_get_state(void) return state; } +int tpm_get_state(void) +{ + switch (TPM_version) { + case TPM_VERSION_1_2: + return tpm12_get_state(); + case TPM_VERSION_2: + break; + } + return ~0; +} + uint32_t tpm_measure_scrtm(void) { uint32_t rc; From patchwork Wed Dec 11 20:27:22 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1207921 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47Y7qb1Dvrz9sR8 for ; Thu, 12 Dec 2019 07:31:07 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47Y7qZ5GKDzDqwH for ; Thu, 12 Dec 2019 07:31:06 +1100 (AEDT) X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.158.5; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47Y7lm6tPqzDqf5 for ; Thu, 12 Dec 2019 07:27:45 +1100 (AEDT) Received: from pps.filterd (m0098416.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xBBKGgqO131261; Wed, 11 Dec 2019 15:27:43 -0500 Received: from ppma04dal.us.ibm.com (7a.29.35a9.ip4.static.sl-reverse.com [169.53.41.122]) by mx0b-001b2d01.pphosted.com with ESMTP id 2wtbt2hyfh-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 15:27:43 -0500 Received: from pps.filterd (ppma04dal.us.ibm.com [127.0.0.1]) by ppma04dal.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id xBBKJ4JG027385; Wed, 11 Dec 2019 20:27:42 GMT Received: from b01cxnp22034.gho.pok.ibm.com (b01cxnp22034.gho.pok.ibm.com [9.57.198.24]) by ppma04dal.us.ibm.com with ESMTP id 2wr3q723hx-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 20:27:42 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22034.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xBBKRfcG50856388 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Dec 2019 20:27:41 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 880A7B2066; Wed, 11 Dec 2019 20:27:41 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 84FDBB2065; Wed, 11 Dec 2019 20:27:41 +0000 (GMT) Received: from newfield.pok.ibm.com (unknown [9.47.158.66]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 11 Dec 2019 20:27:41 +0000 (GMT) From: Stefan Berger To: slof@lists.ozlabs.org Date: Wed, 11 Dec 2019 15:27:22 -0500 Message-Id: <20191211202728.127996-28-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> References: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-11_06:2019-12-11, 2019-12-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 spamscore=0 suspectscore=1 phishscore=0 malwarescore=0 bulkscore=0 mlxlogscore=999 impostorscore=0 clxscore=1015 adultscore=0 priorityscore=1501 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912110168 Subject: [SLOF] [PATCH v4 27/33] tpm2: Implement tpm20_process_cfg, tpm20_clear, and tpm20_clearcontrol X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kevin@koconnor.net MIME-Version: 1.0 Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" Signed-off-by: Stefan Berger --- lib/libtpm/tcgbios.c | 82 +++++++++++++++++++++++++++++++++++++++- lib/libtpm/tcgbios_int.h | 17 +++++++++ 2 files changed, 98 insertions(+), 1 deletion(-) diff --git a/lib/libtpm/tcgbios.c b/lib/libtpm/tcgbios.c index 02b5ba8..ea00c9f 100644 --- a/lib/libtpm/tcgbios.c +++ b/lib/libtpm/tcgbios.c @@ -1266,13 +1266,93 @@ static int tpm12_process_cfg(tpm_ppi_op ppi_op, bool verbose) return ret; } +static int +tpm20_clearcontrol(uint8_t disable, bool verbose) +{ + struct tpm2_req_clearcontrol trc = { + .hdr.tag = cpu_to_be16(TPM2_ST_SESSIONS), + .hdr.totlen = cpu_to_be32(sizeof(trc)), + .hdr.ordinal = cpu_to_be32(TPM2_CC_ClearControl), + .authhandle = cpu_to_be32(TPM2_RH_PLATFORM), + .authblocksize = cpu_to_be32(sizeof(trc.authblock)), + .authblock = { + .handle = cpu_to_be32(TPM2_RS_PW), + .noncesize = cpu_to_be16(0), + .contsession = TPM2_YES, + .pwdsize = cpu_to_be16(0), + }, + .disable = disable, + }; + struct tpm_rsp_header rsp; + uint32_t resp_length = sizeof(rsp); + int ret = tpmhw_transmit(0, &trc.hdr, &rsp, &resp_length, + TPM_DURATION_TYPE_SHORT); + if (ret || resp_length != sizeof(rsp) || rsp.errcode) + ret = -1; + + dprintf("TCGBIOS: Return value from sending TPM2_CC_ClearControl = 0x%08x\n", + ret); + + return ret; +} + +static int +tpm20_clear(void) +{ + struct tpm2_req_clear trq = { + .hdr.tag = cpu_to_be16(TPM2_ST_SESSIONS), + .hdr.totlen = cpu_to_be32(sizeof(trq)), + .hdr.ordinal = cpu_to_be32(TPM2_CC_Clear), + .authhandle = cpu_to_be32(TPM2_RH_PLATFORM), + .authblocksize = cpu_to_be32(sizeof(trq.authblock)), + .authblock = { + .handle = cpu_to_be32(TPM2_RS_PW), + .noncesize = cpu_to_be16(0), + .contsession = TPM2_YES, + .pwdsize = cpu_to_be16(0), + }, + }; + struct tpm_rsp_header rsp; + uint32_t resp_length = sizeof(rsp); + int ret = tpmhw_transmit(0, &trq.hdr, &rsp, &resp_length, + TPM_DURATION_TYPE_MEDIUM); + if (ret || resp_length != sizeof(rsp) || rsp.errcode) + ret = -1; + + dprintf("TCGBIOS: Return value from sending TPM2_CC_Clear = 0x%08x\n", + ret); + + return ret; +} + +static int tpm20_process_cfg(tpm_ppi_op msgCode, bool verbose) +{ + int ret = 0; + + switch (msgCode) { + case TPM_PPI_OP_NOOP: /* no-op */ + break; + + case TPM_PPI_OP_CLEAR: + ret = tpm20_clearcontrol(false, verbose); + if (!ret) + ret = tpm20_clear(); + break; + } + + if (ret) + dprintf("Op %d: An error occurred: 0x%x\n", msgCode, ret); + + return ret; +} + uint32_t tpm_process_opcode(uint8_t op, bool verbose) { switch (TPM_version) { case TPM_VERSION_1_2: return tpm12_process_cfg(op, verbose); case TPM_VERSION_2: - break; + return tpm20_process_cfg(op, verbose); } return TCGBIOS_GENERAL_ERROR; } diff --git a/lib/libtpm/tcgbios_int.h b/lib/libtpm/tcgbios_int.h index 3aab7ed..3dc7199 100644 --- a/lib/libtpm/tcgbios_int.h +++ b/lib/libtpm/tcgbios_int.h @@ -276,6 +276,8 @@ struct tpm_rsp_getcap_buffersize { /* TPM 2 commands */ #define TPM2_CC_HierarchyControl 0x121 +#define TPM2_CC_Clear 0x126 +#define TPM2_CC_ClearControl 0x127 #define TPM2_CC_SelfTest 0x143 #define TPM2_CC_Startup 0x144 #define TPM2_CC_GetCapability 0x17a @@ -301,6 +303,21 @@ struct tpm2_req_extend { uint8_t digest[0]; } __attribute__((packed)); +struct tpm2_req_clearcontrol { + struct tpm_req_header hdr; + uint32_t authhandle; + uint32_t authblocksize; + struct tpm2_authblock authblock; + uint8_t disable; +} __attribute__((packed)); + +struct tpm2_req_clear { + struct tpm_req_header hdr; + uint32_t authhandle; + uint32_t authblocksize; + struct tpm2_authblock authblock; +} __attribute__((packed)); + struct tpm2_req_hierarchycontrol { struct tpm_req_header hdr; uint32_t authhandle; From patchwork Wed Dec 11 20:27:23 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1207892 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47Y7mC2dhLz9sR8 for ; Thu, 12 Dec 2019 07:28:11 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47Y7mC1WqYzDqYh for ; Thu, 12 Dec 2019 07:28:11 +1100 (AEDT) X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.158.5; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47Y7lk3ZT8zDqJ3 for ; Thu, 12 Dec 2019 07:27:46 +1100 (AEDT) Received: from pps.filterd (m0098413.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xBBKGf5B041149; Wed, 11 Dec 2019 15:27:44 -0500 Received: from ppma02wdc.us.ibm.com (aa.5b.37a9.ip4.static.sl-reverse.com [169.55.91.170]) by mx0b-001b2d01.pphosted.com with ESMTP id 2wsqc2pd32-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 15:27:42 -0500 Received: from pps.filterd (ppma02wdc.us.ibm.com [127.0.0.1]) by ppma02wdc.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id xBBKF9ZO030496; Wed, 11 Dec 2019 20:27:42 GMT Received: from b01cxnp22034.gho.pok.ibm.com (b01cxnp22034.gho.pok.ibm.com [9.57.198.24]) by ppma02wdc.us.ibm.com with ESMTP id 2wr3q6r2rj-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 20:27:42 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22034.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xBBKRfHQ50856390 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Dec 2019 20:27:41 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 9FE3EB2068; Wed, 11 Dec 2019 20:27:41 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 935A2B2067; Wed, 11 Dec 2019 20:27:41 +0000 (GMT) Received: from newfield.pok.ibm.com (unknown [9.47.158.66]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 11 Dec 2019 20:27:41 +0000 (GMT) From: Stefan Berger To: slof@lists.ozlabs.org Date: Wed, 11 Dec 2019 15:27:23 -0500 Message-Id: <20191211202728.127996-29-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> References: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-11_06:2019-12-11, 2019-12-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 bulkscore=0 adultscore=0 malwarescore=0 suspectscore=13 clxscore=1015 mlxscore=0 phishscore=0 priorityscore=1501 mlxlogscore=968 spamscore=0 lowpriorityscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912110168 Subject: [SLOF] [PATCH v4 28/33] slof: Implement SLOF_get_keystroke X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Stefan Berger , kevin@koconnor.net MIME-Version: 1.0 Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" Signed-off-by: Stefan Berger --- include/helpers.h | 1 + slof/helpers.c | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/include/helpers.h b/include/helpers.h index aaef977..4353b3b 100644 --- a/include/helpers.h +++ b/include/helpers.h @@ -43,6 +43,7 @@ extern void SLOF_encode_dhcp_response(void *addr, size_t size); extern int SLOF_get_property(const char *node, const char *propname, char **addr, int *len); extern unsigned long SLOF_get_vtpm_unit(void); +extern int SLOF_get_keystroke(void); #define offset_of(type, member) ((long) &((type *)0)->member) #define container_of(ptr, type, member) ({ \ diff --git a/slof/helpers.c b/slof/helpers.c index a287c6b..a651c17 100644 --- a/slof/helpers.c +++ b/slof/helpers.c @@ -230,3 +230,9 @@ unsigned long SLOF_get_vtpm_unit(void) forth_eval("vtpm-unit"); return forth_pop(); } + +int SLOF_get_keystroke(void) +{ + forth_eval("key"); + return forth_pop(); +} From patchwork Wed Dec 11 20:27:24 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1207920 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47Y7qV2vHSz9sR7 for ; Thu, 12 Dec 2019 07:31:02 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47Y7qV1VR0zDqwV for ; Thu, 12 Dec 2019 07:31:02 +1100 (AEDT) X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47Y7lm6G3CzDqf3 for ; Thu, 12 Dec 2019 07:27:45 +1100 (AEDT) Received: from pps.filterd (m0098409.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xBBKGfEr006060; Wed, 11 Dec 2019 15:27:43 -0500 Received: from ppma04wdc.us.ibm.com (1a.90.2fa9.ip4.static.sl-reverse.com [169.47.144.26]) by mx0a-001b2d01.pphosted.com with ESMTP id 2wthkj76s2-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 15:27:43 -0500 Received: from pps.filterd (ppma04wdc.us.ibm.com [127.0.0.1]) by ppma04wdc.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id xBBKFuQm031402; Wed, 11 Dec 2019 20:27:42 GMT Received: from b01cxnp22034.gho.pok.ibm.com (b01cxnp22034.gho.pok.ibm.com [9.57.198.24]) by ppma04wdc.us.ibm.com with ESMTP id 2wr3q6r4m9-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 20:27:42 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22034.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xBBKRfjQ54591744 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Dec 2019 20:27:41 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id B76EFB2066; Wed, 11 Dec 2019 20:27:41 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id AB11AB2064; Wed, 11 Dec 2019 20:27:41 +0000 (GMT) Received: from newfield.pok.ibm.com (unknown [9.47.158.66]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 11 Dec 2019 20:27:41 +0000 (GMT) From: Stefan Berger To: slof@lists.ozlabs.org Date: Wed, 11 Dec 2019 15:27:24 -0500 Message-Id: <20191211202728.127996-30-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> References: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-11_06:2019-12-11, 2019-12-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 malwarescore=0 clxscore=1015 priorityscore=1501 mlxscore=0 suspectscore=15 spamscore=0 mlxlogscore=999 bulkscore=0 phishscore=0 adultscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912110168 Subject: [SLOF] [PATCH v4 29/33] tpm2: Implement TPM 2 menu with choice to clear the TPM 2 X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kevin@koconnor.net MIME-Version: 1.0 Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" Implement a TPM 2 menu with one item to be able to clear the TPM. Signed-off-by: Stefan Berger --- board-qemu/slof/vtpm-sml.fs | 9 +++++++++ lib/libtpm/tcgbios.c | 35 +++++++++++++++++++++++++++++++++++ lib/libtpm/tcgbios.h | 1 + lib/libtpm/tpm.code | 9 +++++++++ lib/libtpm/tpm.in | 1 + 5 files changed, 55 insertions(+) diff --git a/board-qemu/slof/vtpm-sml.fs b/board-qemu/slof/vtpm-sml.fs index 25918b8..1e0c41a 100644 --- a/board-qemu/slof/vtpm-sml.fs +++ b/board-qemu/slof/vtpm-sml.fs @@ -363,11 +363,20 @@ log-base LOG-SIZE tpm-set-log-parameters THEN ; +: vtpm20-menu + tpm-is-working IF + tpm20-menu + THEN +; + : vtpm-menu tpm-get-tpm-version CASE 1 OF vtpm12-menu ENDOF + 2 OF + vtpm20-menu + ENDOF ENDCASE ; diff --git a/lib/libtpm/tcgbios.c b/lib/libtpm/tcgbios.c index ea00c9f..c28385e 100644 --- a/lib/libtpm/tcgbios.c +++ b/lib/libtpm/tcgbios.c @@ -1547,3 +1547,38 @@ uint32_t tpm_get_tpm_version(void) { return TPM_version; } + +void tpm20_menu(void) +{ + int key_code; + int waitkey; + tpm_ppi_op msgCode; + + for (;;) { + printf("1. Clear TPM\n"); + + printf("\nIf not change is desired or if this menu was reached by " + "mistake, press ESC to\ncontinue the boot.\n"); + + msgCode = TPM_PPI_OP_NOOP; + + waitkey = 1; + + while (waitkey) { + key_code = SLOF_get_keystroke(); + switch (key_code) { + case 27: + // ESC + return; + case '1': + msgCode = TPM_PPI_OP_CLEAR; + break; + default: + continue; + } + + tpm20_process_cfg(msgCode, 0); + waitkey = 0; + } + } +} diff --git a/lib/libtpm/tcgbios.h b/lib/libtpm/tcgbios.h index 398834a..35631e0 100644 --- a/lib/libtpm/tcgbios.h +++ b/lib/libtpm/tcgbios.h @@ -40,6 +40,7 @@ uint32_t tpm_driver_get_state(void); uint32_t tpm_driver_get_failure_reason(void); void tpm_driver_set_failure_reason(uint32_t errcode); uint32_t tpm_get_tpm_version(void); +void tpm20_menu(void); /* flags returned by tpm_get_state */ #define TPM_STATE_ENABLED 1 diff --git a/lib/libtpm/tpm.code b/lib/libtpm/tpm.code index c63b21c..2e8edad 100644 --- a/lib/libtpm/tpm.code +++ b/lib/libtpm/tpm.code @@ -223,3 +223,12 @@ PRIM(tpm_X2d_get_X2d_tpm_X2d_version) PUSH; TOS.n = tpm_get_tpm_version(); MIRP + +/*******************************************************************/ +/* Firmware API */ +/* SLOF: tpm20-menu ( -- tpm-version ) */ +/* LIBTPM: tpm20_menu() */ +/*******************************************************************/ +PRIM(tpm20_X2d_menu) + tpm20_menu(); +MIRP diff --git a/lib/libtpm/tpm.in b/lib/libtpm/tpm.in index 1261ac8..cac261f 100644 --- a/lib/libtpm/tpm.in +++ b/lib/libtpm/tpm.in @@ -33,3 +33,4 @@ cod(tpm-driver-get-state) cod(tpm-driver-get-failure-reason) cod(tpm-driver-set-failure-reason) cod(tpm-get-tpm-version) +cod(tpm20-menu) From patchwork Wed Dec 11 20:27:25 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1207893 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47Y7mK1djtz9sR7 for ; Thu, 12 Dec 2019 07:28:17 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47Y7mJ4SrnzDqYh for ; Thu, 12 Dec 2019 07:28:16 +1100 (AEDT) X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.158.5; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47Y7ll01VYzDqKP for ; Thu, 12 Dec 2019 07:27:46 +1100 (AEDT) Received: from pps.filterd (m0098419.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xBBKGgmZ041261; Wed, 11 Dec 2019 15:27:44 -0500 Received: from ppma01dal.us.ibm.com (83.d6.3fa9.ip4.static.sl-reverse.com [169.63.214.131]) by mx0b-001b2d01.pphosted.com with ESMTP id 2wtcd27tev-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 15:27:43 -0500 Received: from pps.filterd (ppma01dal.us.ibm.com [127.0.0.1]) by ppma01dal.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id xBBKGM9c023187; Wed, 11 Dec 2019 20:27:43 GMT Received: from b01cxnp22034.gho.pok.ibm.com (b01cxnp22034.gho.pok.ibm.com [9.57.198.24]) by ppma01dal.us.ibm.com with ESMTP id 2wr3q7a2tk-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 20:27:43 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22034.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xBBKRfNO54460722 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Dec 2019 20:27:42 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id CFC36B2064; Wed, 11 Dec 2019 20:27:41 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id C2CC8B205F; Wed, 11 Dec 2019 20:27:41 +0000 (GMT) Received: from newfield.pok.ibm.com (unknown [9.47.158.66]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 11 Dec 2019 20:27:41 +0000 (GMT) From: Stefan Berger To: slof@lists.ozlabs.org Date: Wed, 11 Dec 2019 15:27:25 -0500 Message-Id: <20191211202728.127996-31-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> References: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-11_06:2019-12-11, 2019-12-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 spamscore=0 lowpriorityscore=0 bulkscore=0 mlxscore=0 impostorscore=0 malwarescore=0 mlxlogscore=999 adultscore=0 clxscore=1015 priorityscore=1501 suspectscore=1 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912110168 Subject: [SLOF] [PATCH v4 30/33] tpm2: implement tpm20_prepboot X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kevin@koconnor.net MIME-Version: 1.0 Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" Signed-off-by: Stefan Berger --- lib/libtpm/tcgbios.c | 108 +++++++++++++++++++++++++++++++++++++++ lib/libtpm/tcgbios_int.h | 32 ++++++++++++ 2 files changed, 140 insertions(+) diff --git a/lib/libtpm/tcgbios.c b/lib/libtpm/tcgbios.c index c28385e..db1e4f0 100644 --- a/lib/libtpm/tcgbios.c +++ b/lib/libtpm/tcgbios.c @@ -19,6 +19,7 @@ */ #include +#include #include "types.h" #include "byteorder.h" @@ -511,6 +512,88 @@ static int tpm_extend(struct tpm_log_entry *le, int digest_len) return -1; } +static int tpm20_stirrandom(void) +{ + struct tpm2_req_stirrandom stir = { + .hdr.tag = cpu_to_be16(TPM2_ST_NO_SESSIONS), + .hdr.totlen = cpu_to_be32(sizeof(stir)), + .hdr.ordinal = cpu_to_be32(TPM2_CC_StirRandom), + .size = cpu_to_be16(sizeof(stir.stir)), + .stir = rand(), + }; + struct tpm_rsp_header rsp; + uint32_t resp_length = sizeof(rsp); + int ret = tpmhw_transmit(0, &stir.hdr, &rsp, &resp_length, + TPM_DURATION_TYPE_SHORT); + if (ret || resp_length != sizeof(rsp) || rsp.errcode) + ret = -1; + + dprintf("TCGBIOS: Return value from sending TPM2_CC_StirRandom = 0x%08x\n", + ret); + + return ret; +} + +static int tpm20_getrandom(uint8_t *buf, uint16_t buf_len) +{ + struct tpm2_res_getrandom rsp; + struct tpm2_req_getrandom trgr = { + .hdr.tag = cpu_to_be16(TPM2_ST_NO_SESSIONS), + .hdr.totlen = cpu_to_be32(sizeof(trgr)), + .hdr.ordinal = cpu_to_be32(TPM2_CC_GetRandom), + .bytesRequested = cpu_to_be16(buf_len), + }; + uint32_t resp_length = sizeof(rsp); + + if (buf_len > sizeof(rsp.rnd.buffer)) + return -1; + + int ret = tpmhw_transmit(0, &trgr.hdr, &rsp, &resp_length, + TPM_DURATION_TYPE_MEDIUM); + if (ret || resp_length != sizeof(rsp) || rsp.hdr.errcode) + ret = -1; + else + memcpy(buf, rsp.rnd.buffer, buf_len); + + dprintf("TCGBIOS: Return value from sending TPM2_CC_GetRandom = 0x%08x\n", + ret); + + return ret; +} + +static int tpm20_hierarchychangeauth(uint8_t auth[20]) +{ + struct tpm2_req_hierarchychangeauth trhca = { + .hdr.tag = cpu_to_be16(TPM2_ST_SESSIONS), + .hdr.totlen = cpu_to_be32(sizeof(trhca)), + .hdr.ordinal = cpu_to_be32(TPM2_CC_HierarchyChangeAuth), + .authhandle = cpu_to_be32(TPM2_RH_PLATFORM), + .authblocksize = cpu_to_be32(sizeof(trhca.authblock)), + .authblock = { + .handle = cpu_to_be32(TPM2_RS_PW), + .noncesize = cpu_to_be16(0), + .contsession = TPM2_YES, + .pwdsize = cpu_to_be16(0), + }, + .newAuth = { + .size = cpu_to_be16(sizeof(trhca.newAuth.buffer)), + }, + }; + memcpy(trhca.newAuth.buffer, auth, sizeof(trhca.newAuth.buffer)); + + struct tpm_rsp_header rsp; + uint32_t resp_length = sizeof(rsp); + int ret = tpmhw_transmit(0, &trhca.hdr, &rsp, &resp_length, + TPM_DURATION_TYPE_MEDIUM); + if (ret || resp_length != sizeof(rsp) || rsp.errcode) + ret = -1; + + dprintf("TCGBIOS: Return value from sending TPM2_CC_HierarchyChangeAuth = 0x%08x\n", + ret); + + return ret; +} + static int tpm20_hierarchycontrol(uint32_t hierarchy, uint8_t state) { /* we will try to deactivate the TPM now - ignoring all errors */ @@ -841,6 +924,29 @@ void tpm_finalize(void) spapr_vtpm_finalize(); } +static void tpm20_prepboot(void) +{ + uint8_t auth[20]; + int ret = tpm20_stirrandom(); + if (ret) + goto err_exit; + + ret = tpm20_getrandom(&auth[0], sizeof(auth)); + if (ret) + goto err_exit; + + ret = tpm20_hierarchychangeauth(auth); + if (ret) + goto err_exit; + + return; + +err_exit: + dprintf("TCGBIOS: TPM malfunctioning (line %d).\n", __LINE__); + + tpm_set_failure(); +} + /* * Give up physical presence; this function has to be called before * the firmware transitions to the boot loader. @@ -854,6 +960,8 @@ uint32_t tpm_unassert_physical_presence(void) 2, TPM_PP_NOT_PRESENT_LOCK, TPM_DURATION_TYPE_SHORT); break; + case TPM_VERSION_2: + tpm20_prepboot(); } return 0; diff --git a/lib/libtpm/tcgbios_int.h b/lib/libtpm/tcgbios_int.h index 3dc7199..ce4d9c2 100644 --- a/lib/libtpm/tcgbios_int.h +++ b/lib/libtpm/tcgbios_int.h @@ -278,9 +278,12 @@ struct tpm_rsp_getcap_buffersize { #define TPM2_CC_HierarchyControl 0x121 #define TPM2_CC_Clear 0x126 #define TPM2_CC_ClearControl 0x127 +#define TPM2_CC_HierarchyChangeAuth 0x129 #define TPM2_CC_SelfTest 0x143 #define TPM2_CC_Startup 0x144 +#define TPM2_CC_StirRandom 0x146 #define TPM2_CC_GetCapability 0x17a +#define TPM2_CC_GetRandom 0x17b #define TPM2_CC_PCR_Extend 0x182 /* TPM 2 Capabilities */ @@ -288,6 +291,27 @@ struct tpm_rsp_getcap_buffersize { /* TPM 2 data structures */ +struct tpm2_req_stirrandom { + struct tpm_req_header hdr; + uint16_t size; + uint64_t stir; +} __attribute__((packed)); + +struct tpm2_req_getrandom { + struct tpm_req_header hdr; + uint16_t bytesRequested; +} __attribute__((packed)); + +struct tpm2b_20 { + uint16_t size; + uint8_t buffer[20]; +} __attribute__((packed)); + +struct tpm2_res_getrandom { + struct tpm_rsp_header hdr; + struct tpm2b_20 rnd; +} __attribute__((packed)); + struct tpm2_authblock { uint32_t handle; uint16_t noncesize; /* always 0 */ @@ -295,6 +319,14 @@ struct tpm2_authblock { uint16_t pwdsize; /* always 0 */ } __attribute__((packed)); +struct tpm2_req_hierarchychangeauth { + struct tpm_req_header hdr; + uint32_t authhandle; + uint32_t authblocksize; + struct tpm2_authblock authblock; + struct tpm2b_20 newAuth; +} __attribute__((packed)); + struct tpm2_req_extend { struct tpm_req_header hdr; uint32_t pcrindex; From patchwork Wed Dec 11 20:27:26 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1207889 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47Y7lx4tW9z9sR7 for ; Thu, 12 Dec 2019 07:27:57 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47Y7lx2gQkzDqJ2 for ; Thu, 12 Dec 2019 07:27:57 +1100 (AEDT) X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47Y7lk31z3zDqHJ for ; Thu, 12 Dec 2019 07:27:46 +1100 (AEDT) Received: from pps.filterd (m0098394.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xBBKGihU065762; Wed, 11 Dec 2019 15:27:43 -0500 Received: from ppma01wdc.us.ibm.com (fd.55.37a9.ip4.static.sl-reverse.com [169.55.85.253]) by mx0a-001b2d01.pphosted.com with ESMTP id 2wsm2g0eu0-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 15:27:43 -0500 Received: from pps.filterd (ppma01wdc.us.ibm.com [127.0.0.1]) by ppma01wdc.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id xBBKLSHp001572; Wed, 11 Dec 2019 20:27:47 GMT Received: from b01cxnp22035.gho.pok.ibm.com (b01cxnp22035.gho.pok.ibm.com [9.57.198.25]) by ppma01wdc.us.ibm.com with ESMTP id 2wr3q6r5rt-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 20:27:47 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22035.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xBBKRgVp35782970 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Dec 2019 20:27:42 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id DDFFDB206B; Wed, 11 Dec 2019 20:27:41 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id DAE90B2068; Wed, 11 Dec 2019 20:27:41 +0000 (GMT) Received: from newfield.pok.ibm.com (unknown [9.47.158.66]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 11 Dec 2019 20:27:41 +0000 (GMT) From: Stefan Berger To: slof@lists.ozlabs.org Date: Wed, 11 Dec 2019 15:27:26 -0500 Message-Id: <20191211202728.127996-32-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> References: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-11_06:2019-12-11, 2019-12-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 mlxlogscore=999 clxscore=1015 bulkscore=0 mlxscore=0 impostorscore=0 adultscore=0 suspectscore=1 lowpriorityscore=0 priorityscore=1501 spamscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912110168 Subject: [SLOF] [PATCH v4 31/33] tpm2: Use a table to convert the hash to the buffer size it needs. X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Stefan Berger , kevin@koconnor.net MIME-Version: 1.0 Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" Signed-off-by: Stefan Berger --- include/helpers.h | 1 + lib/libtpm/tcgbios.c | 41 ++++++++++++++++++++++++++++------------- 2 files changed, 29 insertions(+), 13 deletions(-) diff --git a/include/helpers.h b/include/helpers.h index 4353b3b..c6a2ccd 100644 --- a/include/helpers.h +++ b/include/helpers.h @@ -49,5 +49,6 @@ extern int SLOF_get_keystroke(void); #define container_of(ptr, type, member) ({ \ const typeof(((type *)0)->member)* struct_ptr = (ptr); \ (type *)((char *)struct_ptr - offset_of(type, member)); }) +#define ARRAY_SIZE(x) (sizeof(x) / sizeof(x[0])) #endif diff --git a/lib/libtpm/tcgbios.c b/lib/libtpm/tcgbios.c index db1e4f0..d0a4c9c 100644 --- a/lib/libtpm/tcgbios.c +++ b/lib/libtpm/tcgbios.c @@ -137,23 +137,38 @@ struct tpm_log_entry { + SHA512_BUFSIZE + SM3_256_BUFSIZE]; } __attribute__((packed)); +static const struct hash_parameters { + uint16_t hashalg; + uint8_t hash_buffersize; +} hash_parameters[] = { + { + .hashalg = TPM2_ALG_SHA1, + .hash_buffersize = SHA1_BUFSIZE, + }, { + .hashalg = TPM2_ALG_SHA256, + .hash_buffersize = SHA256_BUFSIZE, + }, { + .hashalg = TPM2_ALG_SHA384, + .hash_buffersize = SHA384_BUFSIZE, + }, { + .hashalg = TPM2_ALG_SHA512, + .hash_buffersize = SHA512_BUFSIZE, + }, { + .hashalg = TPM2_ALG_SM3_256, + .hash_buffersize = SM3_256_BUFSIZE, + } +}; + static int tpm20_get_hash_buffersize(uint16_t hashAlg) { - switch (hashAlg) { - case TPM2_ALG_SHA1: - return SHA1_BUFSIZE; - case TPM2_ALG_SHA256: - return SHA256_BUFSIZE; - case TPM2_ALG_SHA384: - return SHA384_BUFSIZE; - case TPM2_ALG_SHA512: - return SHA512_BUFSIZE; - case TPM2_ALG_SM3_256: - return SM3_256_BUFSIZE; - default: - return -1; + unsigned i; + + for (i = 0; i < ARRAY_SIZE(hash_parameters); i++) { + if (hash_parameters[i].hashalg == hashAlg) + return hash_parameters[i].hash_buffersize; } + return -1; } /* From patchwork Wed Dec 11 20:27:27 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1207888 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47Y7lr6LTyz9sR7 for ; Thu, 12 Dec 2019 07:27:52 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47Y7lr5Sq3zDqQY for ; Thu, 12 Dec 2019 07:27:52 +1100 (AEDT) X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47Y7lk2y23zDqJ2 for ; Thu, 12 Dec 2019 07:27:46 +1100 (AEDT) Received: from pps.filterd (m0098396.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xBBKGgxF020480; Wed, 11 Dec 2019 15:27:43 -0500 Received: from ppma04dal.us.ibm.com (7a.29.35a9.ip4.static.sl-reverse.com [169.53.41.122]) by mx0a-001b2d01.pphosted.com with ESMTP id 2wtfbxur5a-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 15:27:43 -0500 Received: from pps.filterd (ppma04dal.us.ibm.com [127.0.0.1]) by ppma04dal.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id xBBKI4qH026508; Wed, 11 Dec 2019 20:27:42 GMT Received: from b01cxnp22035.gho.pok.ibm.com (b01cxnp22035.gho.pok.ibm.com [9.57.198.25]) by ppma04dal.us.ibm.com with ESMTP id 2wr3q723j3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 20:27:42 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22035.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xBBKRgLM35782972 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Dec 2019 20:27:42 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 02AC4B205F; Wed, 11 Dec 2019 20:27:42 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id E943EB2066; Wed, 11 Dec 2019 20:27:41 +0000 (GMT) Received: from newfield.pok.ibm.com (unknown [9.47.158.66]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 11 Dec 2019 20:27:41 +0000 (GMT) From: Stefan Berger To: slof@lists.ozlabs.org Date: Wed, 11 Dec 2019 15:27:27 -0500 Message-Id: <20191211202728.127996-33-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> References: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-11_06:2019-12-11, 2019-12-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=1 spamscore=0 mlxlogscore=999 malwarescore=0 phishscore=0 priorityscore=1501 bulkscore=0 adultscore=0 mlxscore=0 lowpriorityscore=0 clxscore=1015 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912110168 Subject: [SLOF] [PATCH v4 32/33] tpm2: Implement TPM 2.0 menu item to activate and deactivte PCR banks X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Stefan Berger , kevin@koconnor.net MIME-Version: 1.0 Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" Implement a TPM 2.0 menu item that allows a user to toggle the activation of PCR banks of the TPM 2.0. After successful activation we shut down the TPM 2.0 and reset the machine. Background: A TPM 2.0 may have multiple PCR banks, such as for SHA1, SHA256, SHA384, SHA512, and SM3-256. One or multiple of those banks may be active (by factory for example) and modifying the set of active PCR banks is only possible while in the firmware since it requires platform authorization. Platform authorization is not possible for a user when in the OS since the firmware generates a random password for the platform authorization before booting the system and it throws that password away. Signed-off-by: Stefan Berger --- include/helpers.h | 1 + lib/libtpm/tcgbios.c | 225 +++++++++++++++++++++++++++++++++++++++ lib/libtpm/tcgbios_int.h | 17 +++ slof/helpers.c | 5 + 4 files changed, 248 insertions(+) diff --git a/include/helpers.h b/include/helpers.h index c6a2ccd..e4aa8fa 100644 --- a/include/helpers.h +++ b/include/helpers.h @@ -44,6 +44,7 @@ extern int SLOF_get_property(const char *node, const char *propname, char **addr, int *len); extern unsigned long SLOF_get_vtpm_unit(void); extern int SLOF_get_keystroke(void); +extern void SLOF_reset(void); #define offset_of(type, member) ((long) &((type *)0)->member) #define container_of(ptr, type, member) ({ \ diff --git a/lib/libtpm/tcgbios.c b/lib/libtpm/tcgbios.c index d0a4c9c..eef42ba 100644 --- a/lib/libtpm/tcgbios.c +++ b/lib/libtpm/tcgbios.c @@ -139,23 +139,36 @@ struct tpm_log_entry { static const struct hash_parameters { uint16_t hashalg; + uint8_t hashalg_flag; uint8_t hash_buffersize; + const char *name; } hash_parameters[] = { { .hashalg = TPM2_ALG_SHA1, + .hashalg_flag = TPM2_ALG_SHA1_FLAG, .hash_buffersize = SHA1_BUFSIZE, + .name = "SHA1", }, { .hashalg = TPM2_ALG_SHA256, + .hashalg_flag = TPM2_ALG_SHA256_FLAG, .hash_buffersize = SHA256_BUFSIZE, + .name = "SHA256", }, { .hashalg = TPM2_ALG_SHA384, + .hashalg_flag = TPM2_ALG_SHA384_FLAG, .hash_buffersize = SHA384_BUFSIZE, + .name = "SHA384", + }, { .hashalg = TPM2_ALG_SHA512, + .hashalg_flag = TPM2_ALG_SHA512_FLAG, .hash_buffersize = SHA512_BUFSIZE, + .name = "SHA512", }, { .hashalg = TPM2_ALG_SM3_256, + .hashalg_flag = TPM2_ALG_SM3_256_FLAG, .hash_buffersize = SM3_256_BUFSIZE, + .name = "SM3-256", } }; @@ -171,6 +184,42 @@ tpm20_get_hash_buffersize(uint16_t hashAlg) return -1; } +static uint8_t +tpm20_hashalg_to_flag(uint16_t hashAlg) +{ + unsigned i; + + for (i = 0; i < ARRAY_SIZE(hash_parameters); i++) { + if (hash_parameters[i].hashalg == hashAlg) + return hash_parameters[i].hashalg_flag; + } + return 0; +} + +static uint16_t +tpm20_hashalg_flag_to_hashalg(uint8_t hashalg_flag) +{ + unsigned i; + + for (i = 0; i < ARRAY_SIZE(hash_parameters); i++) { + if (hash_parameters[i].hashalg_flag == hashalg_flag) + return hash_parameters[i].hashalg; + } + return 0; +} + +static const char * +tpm20_hashalg_flag_to_name(uint8_t hashalg_flag) +{ + unsigned i; + + for (i = 0; i < ARRAY_SIZE(hash_parameters); i++) { + if (hash_parameters[i].hashalg_flag == hashalg_flag) + return hash_parameters[i].name; + } + return NULL; +} + /* * Build the TPM2 tpm2_digest_values data structure from the given hash. * Follow the PCR bank configuration of the TPM and write the same hash @@ -381,6 +430,116 @@ tpm20_get_pcrbanks(void) return ret; } +static int +tpm20_get_suppt_pcrbanks(uint8_t *suppt_pcrbanks, uint8_t *active_pcrbanks) +{ + *suppt_pcrbanks = 0; + *active_pcrbanks = 0; + + if (!tpm20_pcr_selection) + return -1; + + struct tpms_pcr_selection *sel = tpm20_pcr_selection->selections; + void *end = (void*)tpm20_pcr_selection + tpm20_pcr_selection_size; + + while (1) { + uint8_t sizeOfSelect = sel->sizeOfSelect; + void *nsel = (void*)sel + sizeof(*sel) + sizeOfSelect; + if (nsel > end) + return 0; + + uint16_t hashalg = be16_to_cpu(sel->hashAlg); + uint8_t hashalg_flag = tpm20_hashalg_to_flag(hashalg); + + *suppt_pcrbanks |= hashalg_flag; + + unsigned i; + for (i = 0; i < sizeOfSelect; i++) { + if (sel->pcrSelect[i]) { + *active_pcrbanks |= hashalg_flag; + break; + } + } + + sel = nsel; + } +} + +static int +tpm20_set_pcrbanks(uint32_t active_banks) +{ + struct tpm2_req_pcr_allocate trpa = { + .hdr.tag = cpu_to_be16(TPM2_ST_SESSIONS), + .hdr.ordinal = cpu_to_be32(TPM2_CC_PCR_Allocate), + .authhandle = cpu_to_be32(TPM2_RH_PLATFORM), + .authblocksize = cpu_to_be32(sizeof(trpa.authblock)), + .authblock = { + .handle = cpu_to_be32(TPM2_RS_PW), + .noncesize = cpu_to_be16(0), + .contsession = TPM2_YES, + .pwdsize = cpu_to_be16(0), + }, + }; + struct tpms_pcr_selection3 { + uint16_t hashAlg; + uint8_t sizeOfSelect; + uint8_t pcrSelect[3]; + } tps[ARRAY_SIZE(trpa.tpms_pcr_selections)]; + int i = 0; + uint8_t hashalg_flag = TPM2_ALG_SHA1_FLAG; + uint8_t dontcare, suppt_banks; + + tpm20_get_suppt_pcrbanks(&suppt_banks, &dontcare); + + while (hashalg_flag) { + if ((hashalg_flag & suppt_banks)) { + uint16_t hashalg = tpm20_hashalg_flag_to_hashalg(hashalg_flag); + + if (hashalg) { + uint8_t mask = 0; + + tps[i].hashAlg = cpu_to_be16(hashalg); + tps[i].sizeOfSelect = 3; + + if (active_banks & hashalg_flag) + mask = 0xff; + + tps[i].pcrSelect[0] = mask; + tps[i].pcrSelect[1] = mask; + tps[i].pcrSelect[2] = mask; + i++; + } + } + hashalg_flag <<= 1; + } + + trpa.count = cpu_to_be32(i); + memcpy(trpa.tpms_pcr_selections, tps, i * sizeof(tps[0])); + trpa.hdr.totlen = cpu_to_be32(offset_of(struct tpm2_req_pcr_allocate, + tpms_pcr_selections) + + i * sizeof(tps[0])); + + struct tpm_rsp_header rsp; + uint32_t resp_length = sizeof(rsp); + + int ret = tpmhw_transmit(0, &trpa.hdr, &rsp, &resp_length, + TPM_DURATION_TYPE_SHORT); + ret = ret ? -1 : be32_to_cpu(rsp.errcode); + + return ret; +} + +static int tpm20_activate_pcrbanks(uint32_t active_banks) +{ + int ret = tpm20_set_pcrbanks(active_banks); + if (!ret) + ret = tpm_simple_cmd(0, TPM2_CC_Shutdown, + 2, TPM2_SU_CLEAR, TPM_DURATION_TYPE_SHORT); + if (!ret) + SLOF_reset(); + return ret; +} + static int tpm12_get_capability(uint32_t cap, uint32_t subcap, struct tpm_rsp_header *rsp, uint32_t rsize) { @@ -1671,6 +1830,67 @@ uint32_t tpm_get_tpm_version(void) return TPM_version; } +static int tpm20_menu_change_active_pcrbanks(void) +{ + uint8_t active_banks, suppt_banks; + + tpm20_get_suppt_pcrbanks(&suppt_banks, &active_banks); + + uint8_t activate_banks = active_banks; + + while (1) { + uint8_t hashalg_flag = TPM2_ALG_SHA1_FLAG; + uint8_t i = 0; + + printf("\nToggle active PCR banks by pressing number key\n\n"); + + while (hashalg_flag) { + uint8_t flag = hashalg_flag & suppt_banks; + const char *hashname = tpm20_hashalg_flag_to_name(flag); + + i++; + if (hashname) { + printf(" %d: %s", i, hashname); + if (activate_banks & hashalg_flag) + printf(" (enabled)"); + printf("\n"); + } + + hashalg_flag <<= 1; + } + printf("\n" + "ESC: return to previous menu without changes\n"); + if (activate_banks) + printf("A : activate selection\n"); + + uint8_t flagnum; + int show = 0; + while (!show) { + int key_code = SLOF_get_keystroke(); + + switch (key_code) { + case ~0: + continue; + case 27: /* ESC */ + printf("\n"); + return -1; + case '1' ... '5': /* keys 1 .. 5 */ + flagnum = key_code - '0'; + if (flagnum > i) + continue; + if (suppt_banks & (1 << (flagnum - 1))) { + activate_banks ^= 1 << (flagnum - 1); + show = 1; + } + break; + case 'a': /* a */ + if (activate_banks) + tpm20_activate_pcrbanks(activate_banks); + } + } + } +} + void tpm20_menu(void) { int key_code; @@ -1679,6 +1899,7 @@ void tpm20_menu(void) for (;;) { printf("1. Clear TPM\n"); + printf("2. Change active PCR banks\n"); printf("\nIf not change is desired or if this menu was reached by " "mistake, press ESC to\ncontinue the boot.\n"); @@ -1696,6 +1917,10 @@ void tpm20_menu(void) case '1': msgCode = TPM_PPI_OP_CLEAR; break; + case '2': + tpm20_menu_change_active_pcrbanks(); + waitkey = 0; + continue; default: continue; } diff --git a/lib/libtpm/tcgbios_int.h b/lib/libtpm/tcgbios_int.h index ce4d9c2..67b0854 100644 --- a/lib/libtpm/tcgbios_int.h +++ b/lib/libtpm/tcgbios_int.h @@ -270,6 +270,12 @@ struct tpm_rsp_getcap_buffersize { #define TPM2_ALG_SHA512 0x000d #define TPM2_ALG_SM3_256 0x0012 +#define TPM2_ALG_SHA1_FLAG (1 << 0) +#define TPM2_ALG_SHA256_FLAG (1 << 1) +#define TPM2_ALG_SHA384_FLAG (1 << 2) +#define TPM2_ALG_SHA512_FLAG (1 << 3) +#define TPM2_ALG_SM3_256_FLAG (1 << 4) + /* TPM 2 command tags */ #define TPM2_ST_NO_SESSIONS 0x8001 #define TPM2_ST_SESSIONS 0x8002 @@ -279,8 +285,10 @@ struct tpm_rsp_getcap_buffersize { #define TPM2_CC_Clear 0x126 #define TPM2_CC_ClearControl 0x127 #define TPM2_CC_HierarchyChangeAuth 0x129 +#define TPM2_CC_PCR_Allocate 0x12b #define TPM2_CC_SelfTest 0x143 #define TPM2_CC_Startup 0x144 +#define TPM2_CC_Shutdown 0x145 #define TPM2_CC_StirRandom 0x146 #define TPM2_CC_GetCapability 0x17a #define TPM2_CC_GetRandom 0x17b @@ -373,6 +381,15 @@ struct tpm2_res_getcapability { uint8_t data[0]; /* capability dependent data */ } __attribute__((packed)); +struct tpm2_req_pcr_allocate { + struct tpm_req_header hdr; + uint32_t authhandle; + uint32_t authblocksize; + struct tpm2_authblock authblock; + uint32_t count; + uint8_t tpms_pcr_selections[4]; +} __attribute__((packed)); + struct tpms_pcr_selection { uint16_t hashAlg; uint8_t sizeOfSelect; diff --git a/slof/helpers.c b/slof/helpers.c index a651c17..354d690 100644 --- a/slof/helpers.c +++ b/slof/helpers.c @@ -236,3 +236,8 @@ int SLOF_get_keystroke(void) forth_eval("key"); return forth_pop(); } + +void SLOF_reset(void) +{ + forth_eval("reset-all"); +} From patchwork Wed Dec 11 20:27:28 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1207922 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47Y7qg2Q1Mz9sR7 for ; Thu, 12 Dec 2019 07:31:11 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47Y7qg1N8jzDqsQ for ; Thu, 12 Dec 2019 07:31:11 +1100 (AEDT) X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.158.5; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47Y7ln293fzDqQY for ; Thu, 12 Dec 2019 07:27:45 +1100 (AEDT) Received: from pps.filterd (m0098421.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xBBKGgef004601; Wed, 11 Dec 2019 15:27:43 -0500 Received: from ppma02dal.us.ibm.com (a.bd.3ea9.ip4.static.sl-reverse.com [169.62.189.10]) by mx0a-001b2d01.pphosted.com with ESMTP id 2wtdp4tug5-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 15:27:43 -0500 Received: from pps.filterd (ppma02dal.us.ibm.com [127.0.0.1]) by ppma02dal.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id xBBKIUQO017057; Wed, 11 Dec 2019 20:27:43 GMT Received: from b01cxnp22035.gho.pok.ibm.com (b01cxnp22035.gho.pok.ibm.com [9.57.198.25]) by ppma02dal.us.ibm.com with ESMTP id 2wr3q723u7-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Dec 2019 20:27:43 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22035.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id xBBKRgI935782974 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 11 Dec 2019 20:27:42 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 19C9DB2064; Wed, 11 Dec 2019 20:27:42 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 0D96DB2068; Wed, 11 Dec 2019 20:27:42 +0000 (GMT) Received: from newfield.pok.ibm.com (unknown [9.47.158.66]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 11 Dec 2019 20:27:42 +0000 (GMT) From: Stefan Berger To: slof@lists.ozlabs.org Date: Wed, 11 Dec 2019 15:27:28 -0500 Message-Id: <20191211202728.127996-34-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> References: <20191211202728.127996-1-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95, 18.0.572 definitions=2019-12-11_06:2019-12-11, 2019-12-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxlogscore=859 clxscore=1015 lowpriorityscore=0 malwarescore=0 spamscore=0 suspectscore=1 priorityscore=1501 mlxscore=0 phishscore=0 impostorscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912110168 Subject: [SLOF] [PATCH v4 33/33] tpm2: Include vio-vtpm-cdriver.fs if IBM, vtpm20 is specified X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kevin@koconnor.net MIME-Version: 1.0 Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" --- board-qemu/slof/tree.fs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/board-qemu/slof/tree.fs b/board-qemu/slof/tree.fs index 39dc6f6..4779c74 100644 --- a/board-qemu/slof/tree.fs +++ b/board-qemu/slof/tree.fs @@ -90,6 +90,9 @@ include fbuffer.fs 2dup " IBM,vtpm" strequal IF " vio-vtpm-cdriver.fs" included THEN + 2dup " IBM,vtpm20" strequal IF + " vio-vtpm-cdriver.fs" included + THEN 2drop THEN peer