From patchwork Tue May 12 15:44:50 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1288568 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 49M2Fh5jNtz9sSr for ; Wed, 13 May 2020 01:45:44 +1000 (AEST) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from bilbo.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 49M2Fh14lgzDqjb for ; Wed, 13 May 2020 01:45:44 +1000 (AEST) X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.158.5; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 49M2F11BSVzDqX7 for ; Wed, 13 May 2020 01:45:02 +1000 (AEST) Received: from pps.filterd (m0098420.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 04CFZJ1v006559; Tue, 12 May 2020 11:44:59 -0400 Received: from ppma02wdc.us.ibm.com (aa.5b.37a9.ip4.static.sl-reverse.com [169.55.91.170]) by mx0b-001b2d01.pphosted.com with ESMTP id 30yv20wmm8-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); 
Tue, 12 May 2020 11:44:59 -0400 Received: from pps.filterd (ppma02wdc.us.ibm.com [127.0.0.1]) by ppma02wdc.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id 04CFfpBH027368; Tue, 12 May 2020 15:44:59 GMT Received: from b03cxnp07028.gho.boulder.ibm.com (b03cxnp07028.gho.boulder.ibm.com [9.17.130.15]) by ppma02wdc.us.ibm.com with ESMTP id 30wm56jefm-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 12 May 2020 15:44:58 +0000 Received: from b03ledav006.gho.boulder.ibm.com (b03ledav006.gho.boulder.ibm.com [9.17.130.237]) by b03cxnp07028.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 04CFivXR52887934 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 12 May 2020 15:44:57 GMT Received: from b03ledav006.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 650A4C6059; Tue, 12 May 2020 15:44:57 +0000 (GMT) Received: from b03ledav006.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id F3D71C6055; Tue, 12 May 2020 15:44:56 +0000 (GMT) Received: from sbct-3.pok.ibm.com (unknown [9.47.158.153]) by b03ledav006.gho.boulder.ibm.com (Postfix) with ESMTP; Tue, 12 May 2020 15:44:56 +0000 (GMT) 
From: Stefan Berger To: aik@ozlabs.ru, slof@lists.ozlabs.org Date: Tue, 12 May 2020 11:44:50 -0400 Message-Id: <20200512154452.1702985-2-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200512154452.1702985-1-stefanb@linux.vnet.ibm.com> References: <20200512154452.1702985-1-stefanb@linux.vnet.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.216, 18.0.676 definitions=2020-05-12_04:2020-05-11, 2020-05-12 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 mlxscore=0 suspectscore=0 bulkscore=0 clxscore=1015 spamscore=0 phishscore=0 priorityscore=1501 mlxlogscore=999 adultscore=0 impostorscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2003020000 definitions=main-2005120115 Subject: [SLOF] [PATCH 1/3] elf: Implement elf_get_file_size to determine size of an ELF image X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Stefan Berger Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" From: Stefan Berger Implement elf_get_file_size to determine the size of an ELF image that has been loaded into a buffer much larger than the actual size of the original file. We determine the size by searching for the farthest offset declared by the ELF headers. Signed-off-by: Stefan Berger --- include/helpers.h | 2 ++ include/libelf.h | 14 ++++++++++ lib/libelf/elf.c | 26 +++++++++++++++++ lib/libelf/elf32.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++ lib/libelf/elf64.c | 57 ++++++++++++++++++++++++++++++++++++++ 5 files changed, 168 insertions(+) diff --git a/include/helpers.h b/include/helpers.h index 47b2674..112184f 100644 --- a/include/helpers.h +++ b/include/helpers.h 
@@ -51,5 +51,7 @@ extern unsigned long SLOF_get_vtpm_unit(void); const typeof(((type *)0)->member)* struct_ptr = (ptr); \ (type *)((char *)struct_ptr - offset_of(type, member)); }) #define ARRAY_SIZE(x) (sizeof(x) / sizeof(x[0])) +#define ROUNDUP(x,v) ((((x) + ((v) - 1)) / (v)) * (v)) +#define MAX(x,y) ((x) > (y) ? (x) : (y)) #endif diff --git a/include/libelf.h b/include/libelf.h index 5fbf279..48ff4d7 100644 --- a/include/libelf.h +++ b/include/libelf.h @@ -96,4 +96,18 @@ void elf_relocate64(void *file_addr, signed long offset); int elf_forth_claim(void *addr, long size); +long elf_get_file_size(const void *buffer, const long buffer_size); +long elf_get_file_size32(const void *buffer, const long buffer_size); +long elf_get_file_size64(const void *buffer, const long buffer_size); + +#ifdef __BIG_ENDIAN__ +#define elf64_to_cpu(x, ehdr) ((ehdr)->ei_data == ELFDATA2MSB ? (x) : bswap_64(x)) +#define elf32_to_cpu(x, ehdr) ((ehdr)->ei_data == ELFDATA2MSB ? (x) : bswap_32(x)) +#define elf16_to_cpu(x, ehdr) ((ehdr)->ei_data == ELFDATA2MSB ? (x) : bswap_16(x)) +#else +#define elf64_to_cpu(x, ehdr) ((ehdr)->ei_data == ELFDATA2LSB ? (x) : bswap_64(x)) +#define elf32_to_cpu(x, ehdr) ((ehdr)->ei_data == ELFDATA2LSB ? (x) : bswap_32(x)) +#define elf16_to_cpu(x, ehdr) ((ehdr)->ei_data == ELFDATA2LSB ? (x) : bswap_16(x)) +#endif + #endif /* __LIBELF_H */ diff --git a/lib/libelf/elf.c b/lib/libelf/elf.c index 5204bc3..d368454 100644 --- a/lib/libelf/elf.c +++ b/lib/libelf/elf.c 
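Review bot: the new elf64_to_cpu/elf32_to_cpu/elf16_to_cpu macros in libelf.h expand to bswap_64/bswap_32/bswap_16 and ELFDATA2MSB/ELFDATA2LSB, but the hunk adds no include to libelf.h for either; elf32.c and elf64.c each gain a new `#include` (its target is lost in this rendering) so they compile, while any other file that includes libelf.h and uses these macros will not. Either pull that include into libelf.h or keep the macros private to the two .c files. The MAX and ROUNDUP helpers in helpers.h evaluate their arguments more than once; the uses in this series are side-effect free, but a one-line comment on that in helpers.h would save the next caller.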
@@ -196,3 +196,29 @@ elf_get_base_addr(void *file_addr) return -1; } + +/** + * Get the file size of the ELF image that has been loaded into a + * buffer larger than the size of the file + * @return The size of the ELF image or < 0 for error + */ +long elf_get_file_size(const void *buffer, const long buffer_size) +{ + const struct ehdr *ehdr = (const struct ehdr *)buffer; + + if (buffer_size < sizeof(struct ehdr)) + return -1; + + /* check if it is an ELF image at all */ + if (cpu_to_be32(ehdr->ei_ident) != 0x7f454c46) + return -1; + + switch (ehdr->ei_class) { + case 1: + return elf_get_file_size32(buffer, buffer_size); + case 2: + return elf_get_file_size64(buffer, buffer_size); + } + + return -1; +} diff --git a/lib/libelf/elf32.c b/lib/libelf/elf32.c index fea5cf4..64ea386 100644 --- a/lib/libelf/elf32.c +++ b/lib/libelf/elf32.c @@ -17,6 +17,7 @@ #include #include #include +#include struct ehdr32 { uint32_t ei_ident; @@ -50,6 +51,18 @@ struct phdr32 { uint32_t p_align; }; +struct shdr32 { + uint32_t sh_name; + uint32_t sh_type; + uint32_t sh_flags; + uint32_t sh_addr; + uint32_t sh_offset; + uint32_t sh_size; + uint32_t sh_link; + uint32_t sh_info; + uint32_t sh_addralign; + uint32_t sh_entsize; +}; static struct phdr32* get_phdr32(void *file_addr) 
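Review bot: in elf_get_file_size, `if (buffer_size < sizeof(struct ehdr))` compares a signed `long` with a `size_t`, so a negative buffer_size (for example a read error propagated by the caller) converts to a large unsigned value and passes the check; reject `buffer_size < 0` first. The `case 1:`/`case 2:` class switch should use named constants in the same way the new endianness macros use ELFDATA2LSB/ELFDATA2MSB. The doc comment promises "< 0 for error", but the 32/64-bit callees can also return 0 (see the rounding of the initial -1 below), and the caller in patch 2 relies on `len > 0`; make the comment say that 0 is not a valid size, or have the callees never return it.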
@@ -191,3 +204,59 @@ elf_byteswap_header32(void *file_addr) phdr = (struct phdr32 *)(((uint8_t *)phdr) + ehdr->e_phentsize); } } + +/* + * Determine the size of an ELF image that has been loaded into + * a buffer larger than its size. We search all program headers + * and sections for the one that shows the farthest extent of the + * file. + * @return Return -1 on error, size of file otherwise. + */ +long elf_get_file_size32(const void *buffer, const long buffer_size) +{ + const struct ehdr32 *ehdr = (const struct ehdr32 *) buffer; + const uint8_t *buffer_end = buffer + buffer_size; + const struct phdr32 *phdr; + const struct shdr32 *shdr; + long elf_size = -1; + uint16_t entsize; + unsigned i; + + if (buffer_size < sizeof(struct ehdr) || + ehdr->e_ehsize != sizeof(struct ehdr32)) + return -1; + + phdr = buffer + elf32_to_cpu(ehdr->e_phoff, ehdr); + entsize = elf16_to_cpu(ehdr->e_phentsize, ehdr); + for (i = 0; i < elf16_to_cpu(ehdr->e_phnum, ehdr); i++) { + if (((uint8_t *)phdr) + entsize > buffer_end) + return -1; + + elf_size = MAX(elf32_to_cpu(phdr->p_offset, ehdr) + + elf32_to_cpu(phdr->p_filesz, ehdr), + elf_size); + + /* step to next header */ + phdr = (struct phdr32 *)(((uint8_t *)phdr) + entsize); + } + + shdr = buffer + elf32_to_cpu(ehdr->e_shoff, ehdr); + entsize = elf16_to_cpu(ehdr->e_shentsize, ehdr); + for (i = 0; i < elf16_to_cpu(ehdr->e_shnum, ehdr); i++) { + if (((uint8_t *)shdr) + entsize > buffer_end) + return -1; + + elf_size = MAX(elf32_to_cpu(shdr->sh_offset, ehdr) + + elf32_to_cpu(shdr->sh_size, ehdr), + elf_size); + + /* step to next header */ + shdr = (struct shdr32 *)(((uint8_t *)shdr) + entsize); + } + + elf_size = ROUNDUP(elf_size, 4); + if (elf_size > buffer_size) + return -1; + + return elf_size; +} diff --git a/lib/libelf/elf64.c b/lib/libelf/elf64.c index 775cdee..0f30267 100644 --- a/lib/libelf/elf64.c +++ b/lib/libelf/elf64.c @@ -20,6 +20,7 @@ #include #include #include +#include struct ehdr64 { 
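Review bot: the section loop in elf_get_file_size32 adds `sh_offset + sh_size` for every section, including SHT_NOBITS ones such as .bss, whose sh_size occupies no file bytes; for a normal image that pushes the result past the real file end (and can trip the final `elf_size > buffer_size` check, rejecting a valid image), so skip sections whose sh_type is SHT_NOBITS. The computed extent also omits what the ELF header itself declares: `e_phoff + e_phnum * e_phentsize`, `e_shoff + e_shnum * e_shentsize` (the section header table is normally the last thing in the file) and e_ehsize; include them in the MAX. The entry check `if (buffer_size < sizeof(struct ehdr) || ehdr->e_ehsize != sizeof(struct ehdr32))` tests against the short generic header, so e_phoff/e_shoff can be read past a buffer shorter than a 32-bit ELF header, and e_ehsize is the only field compared without elf16_to_cpu, so an image of the other byte order fails here although everything else is swapped. The per-entry bound `((uint8_t *)phdr) + entsize > buffer_end` only proves entsize bytes are in range while the code dereferences a full struct phdr32/shdr32; require `entsize >= sizeof(struct phdr32)` (and the shdr32 equivalent), and check p_offset/p_filesz and sh_offset/sh_size individually against buffer_size before summing, since the 32-bit additions can wrap. Finally, with e_phnum and e_shnum both 0, elf_size stays -1 and `ROUNDUP(-1, 4)` evaluates to 0, so the function returns 0 where the comment says -1.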
@@ -472,3 +473,59 @@ uint32_t elf_get_eflags_64(void *file_addr) return ehdr->e_flags; } + +/* + * Determine the size of an ELF image that has been loaded into + * a buffer larger than its size. We search all program headers + * and sections for the one that shows the farthest extent of the + * file. + * @return Return -1 on error, size of file otherwise. + */ +long elf_get_file_size64(const void *buffer, const long buffer_size) +{ + const struct ehdr64 *ehdr = (const struct ehdr64 *) buffer; + const uint8_t *buffer_end = buffer + buffer_size; + const struct phdr64 *phdr; + const struct shdr64 *shdr; + long elf_size = -1; + uint16_t entsize; + unsigned i; + + if (buffer_size < sizeof(struct ehdr) || + ehdr->e_ehsize != sizeof(struct ehdr64)) + return -1; + + phdr = buffer + elf64_to_cpu(ehdr->e_phoff, ehdr); + entsize = elf16_to_cpu(ehdr->e_phentsize, ehdr); + for (i = 0; i < elf16_to_cpu(ehdr->e_phnum, ehdr); i++) { + if (((uint8_t *)phdr) + entsize > buffer_end) + return -1; + + elf_size = MAX(elf64_to_cpu(phdr->p_offset, ehdr) + + elf64_to_cpu(phdr->p_filesz, ehdr), + elf_size); + + /* step to next header */ + phdr = (struct phdr64 *)(((uint8_t *)phdr) + entsize); + } + + shdr = buffer + elf64_to_cpu(ehdr->e_shoff, ehdr); + entsize = elf16_to_cpu(ehdr->e_shentsize, ehdr); + for (i = 0; i < elf16_to_cpu(ehdr->e_shnum, ehdr); i++) { + if (((uint8_t *)shdr) + entsize > buffer_end) + return -1; + + elf_size = MAX(elf64_to_cpu(shdr->sh_offset, ehdr) + + elf64_to_cpu(shdr->sh_size, ehdr), + elf_size); + + /* step to next header */ + shdr = (struct shdr64 *)(((uint8_t *)shdr) + entsize); + } + + elf_size = ROUNDUP(elf_size, 4); + if (elf_size > buffer_size) + return -1; + + return elf_size; +} From patchwork Tue May 12 15:44:51 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1288567 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: 
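Review bot: in elf_get_file_size64, `MAX(elf64_to_cpu(phdr->p_offset, ehdr) + elf64_to_cpu(phdr->p_filesz, ehdr), elf_size)` compares a uint64_t with the `long` elf_size that starts at -1; under the usual arithmetic conversions the -1 becomes the largest unsigned value, the `>` is never true, and elf_size stays -1 through both loops, so `ROUNDUP(elf_size, 4)` yields 0 and the function returns 0 for every 64-bit image, which tpm_hash_log_extend_event_buffer in patch 2 then logs as a bad ELF file. Accumulate in a uint64_t starting at 0, range-check against buffer_size, and only then convert to long. The points raised on elf_get_file_size32 (SHT_NOBITS sections, header tables left out of the extent, `sizeof(struct ehdr)` instead of `sizeof(struct ehdr64)`, unswapped e_ehsize, no lower bound on entsize, wrapping additions) apply to this copy unchanged; since the two bodies differ only in field widths, a shared implementation would keep the fixes in one place.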
From: Stefan Berger To: aik@ozlabs.ru, slof@lists.ozlabs.org Date: Tue, 12 May 2020 11:44:51 -0400 Message-Id: <20200512154452.1702985-3-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200512154452.1702985-1-stefanb@linux.vnet.ibm.com> References: <20200512154452.1702985-1-stefanb@linux.vnet.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.216, 18.0.676 definitions=2020-05-12_04:2020-05-11, 2020-05-12 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 priorityscore=1501 mlxscore=0 clxscore=1015 lowpriorityscore=0 spamscore=0 suspectscore=9 mlxlogscore=999 malwarescore=0 impostorscore=0 bulkscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2003020000 definitions=main-2005120117 Subject: [SLOF] [PATCH 2/3] tcgbios: Implement tpm_hash_log_extend_event_buffer X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Stefan Berger Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" From: Stefan Berger Implement tpm_hash_log_extend_event_buffer() that allows to measure the contents of a buffer into a given PCR and log it with the given event type and description. The caller may choose to have the size of an ELF image file detected so that only data from the ELF image are hashed rather than the much larger buffer. Besides using this function call now for measuring the bootloader read from a GPT partition, we also intend to use it for calls from the firmware API that allow us to measure and log data from a boot loader, such as grub. Grub will then invoke this function with a buffer whose size it knows and will not need the ELF file size detection. 
Signed-off-by: Stefan Berger --- lib/libtpm/tcgbios.c | 44 ++++++++++++++++++++++++++++++++++++++++++++ lib/libtpm/tcgbios.h | 5 +++++ lib/libtpm/tpm.code | 19 +++++++++++++++++++ lib/libtpm/tpm.in | 1 + 4 files changed, 69 insertions(+) diff --git a/lib/libtpm/tcgbios.c b/lib/libtpm/tcgbios.c index be6c3d1..e4d6a3f 100644 --- a/lib/libtpm/tcgbios.c +++ b/lib/libtpm/tcgbios.c @@ -33,6 +33,7 @@ #include "helpers.h" #include "version.h" #include "OF.h" +#include "libelf.h" #undef TCGBIOS_DEBUG //#define TCGBIOS_DEBUG 
@@ -852,6 +853,49 @@ static uint32_t tpm_add_measurement_to_log(uint32_t pcrindex, return tpm_log_event_long(&le.hdr, digest_len, info, infolen); } +/* + * Measure the contents of a buffer into the given PCR and log it with the + * given eventtype. If is_elf is true, try to determine the size of the + * ELF file in the buffer and use its size rather than the much larger data + * buffer it is held in. In case of failure to detect the ELF file size, + * log an error. + * + * Input parameters: + * @pcrindex : PCR to extend + * @eventtype : type of event + * @data: the buffer to measure + * @datalen: length of the buffer + * @desc: The description to log + * @desclen: The length of the description + * @is_elf: Whether data buffer holds an ELF file and we should determine + * the original file size. + * + * Returns 0 on success, an error code otherwise. + */ +uint32_t tpm_hash_log_extend_event_buffer(uint32_t pcrindex, uint32_t eventtype, + const void *data, uint64_t datalen, + const char *desc, uint32_t desclen, + bool is_elf) +{ + long len; + char buf[256]; + + if (is_elf) { + len = elf_get_file_size(data, datalen); + if (len > 0) { + datalen = len; + } else { + snprintf(buf, sizeof(buf), "BAD ELF FILE: %s", desc); + return tpm_add_measurement_to_log(pcrindex, eventtype, + buf, strlen(buf), + (uint8_t *)buf, strlen(buf)); + } + } + return tpm_add_measurement_to_log(pcrindex, eventtype, + desc, desclen, + data, datalen); +} + /* * Add an EV_ACTION measurement to the list of measurements */ diff --git a/lib/libtpm/tcgbios.h b/lib/libtpm/tcgbios.h index 8174d86..0e7fb8c 100644 --- a/lib/libtpm/tcgbios.h +++ b/lib/libtpm/tcgbios.h 
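Review bot: `snprintf(buf, sizeof(buf), "BAD ELF FILE: %s", desc)` treats desc as NUL-terminated, but the function takes a (desc, desclen) pair and its Forth binding in tpm.code hands it counted strings (patch 3 passes `s" BOOTLOADER"`, pointer and length, no terminator), so the format can read past the description; use `"BAD ELF FILE: %.*s"` with `(int)desclen`. The error path extends the PCR with the error string as both data and description, which is a reasonable way to leave a visible trace; state in the comment that this is deliberate so it is not "fixed" later. The `len > 0` test is what makes the 0 returned by the size detection behave as an error, so keep that condition if the libelf contract is tightened.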
@@ -32,5 +32,10 @@ void tpm20_menu(void); void tpm_gpt_set_lba1(const uint8_t *addr, uint32_t length); void tpm_gpt_add_entry(const uint8_t *addr, uint32_t length); uint32_t tpm_measure_gpt(void); +uint32_t tpm_hash_log_extend_event_buffer(uint32_t pcrindex, + uint32_t eventtype, + const void *data, uint64_t datalen, + const char *desc, uint32_t desclen, + bool is_elf); #endif /* TCGBIOS_H */ diff --git a/lib/libtpm/tpm.code b/lib/libtpm/tpm.code index 205c608..d67d2c3 100644 --- a/lib/libtpm/tpm.code +++ b/lib/libtpm/tpm.code @@ -169,3 +169,22 @@ PRIM(tpm_X2d_measure_X2d_gpt) PUSH; TOS.n = tpm_measure_gpt(); MIRP + +/***********************************************************************************************************/ +/* Firmware API */ +/* SLOF: tpm-hash-log-extend-event-buffer ( pcr evt data-ptr data-len desc-ptr desclen is_elf -- errcode ) */ +/* LIBTPM: errcode = tpm-hash-log-extend-event-buffer */ +/***********************************************************************************************************/ +PRIM(tpm_X2d_hash_X2d_log_X2d_extend_X2d_event_X2d_buffer) + uint32_t is_elf = TOS.u; POP; + uint32_t desclen = TOS.u; POP; + const char *desc = TOS.a; POP; + uint64_t datalen = TOS.u; POP; + const void *data = TOS.a; POP; + uint32_t eventtype = TOS.u; POP; + uint32_t pcrindex = TOS.u; + + TOS.n = tpm_hash_log_extend_event_buffer(pcrindex, eventtype, + data, datalen, + desc, desclen, is_elf); +MIRP diff --git a/lib/libtpm/tpm.in b/lib/libtpm/tpm.in index bdbc47d..fb54754 100644 --- a/lib/libtpm/tpm.in +++ b/lib/libtpm/tpm.in 
@@ -28,3 +28,4 @@ cod(tpm20-menu) cod(tpm-gpt-set-lba1) cod(tpm-gpt-add-entry) cod(tpm-measure-gpt) +cod(tpm-hash-log-extend-event-buffer) From patchwork Tue May 12 15:44:52 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1288566 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 49M2FC4ZGLz9sRY for ; Wed, 13 May 2020 01:45:19 +1000 (AEST) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from bilbo.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 49M2FB26lszDqZF for ; Wed, 13 May 2020 01:45:18 +1000 (AEST) X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.158.5; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.vnet.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 49M2Dz082DzDqX3 for ; Wed, 13 May 2020 01:45:03 +1000 (AEST) Received: from pps.filterd (m0098419.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 04CFVbbm004554; Tue, 12 May 2020 11:45:00 -0400 Received: from ppma03wdc.us.ibm.com 
From: Stefan Berger To: aik@ozlabs.ru, slof@lists.ozlabs.org Date: Tue, 12 May 2020 11:44:52 -0400 Message-Id: <20200512154452.1702985-4-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200512154452.1702985-1-stefanb@linux.vnet.ibm.com> References: <20200512154452.1702985-1-stefanb@linux.vnet.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.216, 18.0.676 definitions=2020-05-12_04:2020-05-11, 2020-05-12 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=0 bulkscore=0 malwarescore=0 clxscore=1015 priorityscore=1501 adultscore=0 impostorscore=0 phishscore=0 mlxlogscore=999 mlxscore=0 spamscore=0 lowpriorityscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2003020000 definitions=main-2005120115 Subject: [SLOF] [PATCH 3/3] tcgbios: Measure the bootloader file read from disk X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Stefan Berger Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" From: Stefan Berger Measure the bootloader file read from disk into PCR 4 and log it with the description 'BOOTLOADER' and the event type EV_COMPACT_HASH (code 0xc). Since the loaded file should be an ELF file, have its size determined and only the bytes from the ELF image measured rather than the whole buffer that it was read into and is much bigger (0x700000 bytes). Signed-off-by: Stefan Berger --- slof/fs/packages/disk-label.fs | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/slof/fs/packages/disk-label.fs b/slof/fs/packages/disk-label.fs index bb64022..661c6b0 100644 --- a/slof/fs/packages/disk-label.fs +++ b/slof/fs/packages/disk-label.fs 
@@ -452,6 +452,20 @@ CREATE GPT-LINUX-PARTITION 10 allot THEN ; +\ Measure the boot loader file into PCR 4 as event type EV_COMPACT_HASH (0xc) + +: measure-bootloader ( data-ptr data-len -- ) + s" /ibm,vtpm" find-node IF + 4 -rot ( 4 data-ptr data-len ) + c -rot ( 4 c data-ptr data-len ) + s" BOOTLOADER" ( 4 c data-ptr data-len desc-ptr desc-len ) + true tpm-hash-log-extend-event-buffer ( errcode ) + drop + ELSE + 2drop + THEN +; + : load-from-gpt-prep-partition ( addr -- size ) get-gpt-partition 0= IF false EXIT THEN block gpt>num-part-entry l@-le dup 0= IF false exit THEN @@ -465,7 +479,10 @@ CREATE GPT-LINUX-PARTITION 10 allot swap ( addr blocks first-lba ) block-size * to part-offset ( addr blocks ) 0 0 seek drop ( addr blocks ) - block-size * read ( size ) + over swap ( addr addr blocks) + block-size * read ( addr size ) + 2dup measure-bootloader ( addr size ) + nip ( size) UNLOOP EXIT THEN seek-pos gpt-part-size + to seek-pos
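Review bot: in measure-bootloader, `c -rot` only yields the event type 0xc if the interpreter's number base is hex when disk-label.fs is compiled; otherwise `c` is looked up as a word. Bind the code to a named constant next to the comment that documents it so the value does not depend on base. The errcode from tpm-hash-log-extend-event-buffer is dropped with `drop`; a failed measurement is exactly what an attestation verifier later needs to explain, so at least a debug message on a non-zero code would help.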
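Review bot: in the load-from-gpt-prep-partition hunk, `2dup measure-bootloader` runs on whatever `read` returned, including an error or short-read result, so measure-bootloader and through it elf_get_file_size receive a non-positive data-len; test that size is greater than 0 before measuring, and make measure-bootloader tolerate a zero length. Minor: the stack comment `( addr addr blocks)` lacks the space before `)` used in the neighbouring comments.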