@@ -52,7 +52,9 @@ discover_pb_discover_SOURCES = \
discover/user-event.h \
discover/kboot-parser.c \
discover/yaboot-parser.c \
- discover/pxe-parser.c
+ discover/pxe-parser.c \
+ discover/pb-secure.c \
+ discover/pb-secure.h
discover_pb_discover_LDADD = \
discover/grub2/grub2-parser.ro \
@@ -19,6 +19,7 @@
#include "device-handler.h"
#include "sysinfo.h"
#include "platform.h"
+#include "pb-secure.h"
static void print_version(void)
{
@@ -127,6 +128,7 @@ int main(int argc, char *argv[])
struct procset *procset;
struct opts opts;
FILE *log;
+ int rc = 0;
setlocale(LC_ALL, "");
bindtextdomain(PACKAGE, LOCALEDIR);
@@ -188,6 +190,13 @@ int main(int argc, char *argv[])
if (config_get()->debug)
pb_log_set_debug(true);
+ rc = secure_and_trusted_init();
+ if (rc == -1)
+ {
+ pb_log("Failed to initialize trust\n");
+ //Yet to finalize for action on failure of initializing trust\n");
+ }
+
system_info_init(server);
handler = device_handler_init(server, waitset, opts.dry_run == opt_yes);
new file mode 100644
@@ -0,0 +1,69 @@
+#include <string.h>
+
+#include <log/log.h>
+#include <util/util.h>
+#include <types/types.h>
+#include <security/crypto.h>
+#include <security/tpmOperations.h>
+
+#include "platform.h"
+#include "pb-secure.h"
+
+int secure_and_trusted_init()
+{
+ int rc = 0;
+ rc = measure_boot_policy();
+ return rc;
+}
+
+int measure_boot_policy()
+{
+ const struct config* config;
+ unsigned char* config_str = 0;
+
+ uint8_t digest[SHA256_DIGEST_SIZE];
+ int rc = 0;
+ unsigned int i = 0;
+
+ config = config_get();
+
+ //Record ipmi boot params
+ config_str = get_ipmi_boot_policy_as_string(config);
+
+ memset(digest, 0, SHA256_DIGEST_SIZE);
+ rc = calc_digest("sha256", config_str, digest);
+ if (rc == -1)
+ return rc;
+
+ for (i=0; i < sizeof(digest); i++)
+ {
+ pb_log("%02x ", digest[i]);
+ }
+
+ pb_log("\n");
+ rc = tpm_extend(5, "sha256", digest, SHA256_DIGEST_SIZE);
+ if (rc == -1)
+ return rc;
+
+
+ //Record nvram boot params
+ config_str = get_nvram_boot_policy_as_string(config);
+
+ memset(digest, 0, SHA256_DIGEST_SIZE);
+ rc = calc_digest("sha256", config_str, digest);
+ if (rc == -1)
+ return rc;
+
+ for (i=0; i < sizeof(digest); i++)
+ {
+ pb_log("%02x ", digest[i]);
+ }
+
+ pb_log("\n");
+ rc = tpm_extend(5, "sha256", digest, SHA256_DIGEST_SIZE);
+
+ if (rc == -1)
+ return rc;
+ return 0;
+
+}
new file mode 100644
@@ -0,0 +1,17 @@
+#ifndef _PB_SECURE_H
+#define _PB_SECURE_H
+
+/**
+ * Setups and performs any security related operations or calls.
+ * Currently it just calls measure_boot_policy.
+ */
+int secure_and_trusted_init(void);
+
+/**
+ * Reads the boot policy, calculates the digest and extends to
+ * TPM to measure and record boot policy config values.
+ * It extends ipmi and nvram boot policy separately.
+ */
+int measure_boot_policy(void);
+
+#endif /* _PB_SECURE_H */
Modifies discover/pb-discover.c to initialize trusted boot. Add discover/pb-secure.c to keep security initialization separate from other functionality. Signed-off-by: Nayna Jain <nayna@linux.vnet.ibm.com> --- discover/Makefile.am | 4 ++- discover/pb-discover.c | 9 +++++++ discover/pb-secure.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++ discover/pb-secure.h | 17 +++++++++++++ 4 files changed, 98 insertions(+), 1 deletion(-) create mode 100644 discover/pb-secure.c create mode 100644 discover/pb-secure.h