From patchwork Sat Oct 26 09:45:44 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Richter X-Patchwork-Id: 1184597 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 470bjv2WY8z9s7T for ; Sat, 26 Oct 2019 20:47:15 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from bilbo.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 470bjv1DYRzDqlm for ; Sat, 26 Oct 2019 20:47:15 +1100 (AEDT) X-Original-To: skiboot@lists.ozlabs.org Delivered-To: skiboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=linux.ibm.com (client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com; envelope-from=erichte@linux.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 470bhm2ctQzDqlZ for ; Sat, 26 Oct 2019 20:46:16 +1100 (AEDT) Received: from pps.filterd (m0098399.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x9Q9bKZF049538 for ; Sat, 26 Oct 2019 05:46:13 -0400 Received: from e06smtp02.uk.ibm.com (e06smtp02.uk.ibm.com [195.75.94.98]) by mx0a-001b2d01.pphosted.com with ESMTP id 2vvja0a477-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Sat, 26 Oct 2019 05:46:12 -0400 Received: from localhost by e06smtp02.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Sat, 26 Oct 2019 10:46:10 +0100 Received: from b06avi18626390.portsmouth.uk.ibm.com (9.149.26.192) by e06smtp02.uk.ibm.com (192.168.101.132) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Sat, 26 Oct 2019 10:46:08 +0100 Received: from d06av22.portsmouth.uk.ibm.com (d06av22.portsmouth.uk.ibm.com [9.149.105.58]) by b06avi18626390.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x9Q9jXR635586552 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Sat, 26 Oct 2019 09:45:33 GMT Received: from d06av22.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 79A854C04A; Sat, 26 Oct 2019 09:46:06 +0000 (GMT) Received: from d06av22.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id C41334C058; Sat, 26 Oct 2019 09:46:05 +0000 (GMT) Received: from ceres.ibmuc.com (unknown [9.80.231.2]) by d06av22.portsmouth.uk.ibm.com (Postfix) with ESMTP; Sat, 26 Oct 2019 09:46:05 +0000 (GMT) From: Eric Richter To: skiboot@lists.ozlabs.org Date: Sat, 26 Oct 2019 04:45:44 -0500 X-Mailer: git-send-email 2.21.0 In-Reply-To: <20191026094553.26635-1-erichte@linux.ibm.com> References: <20191026094553.26635-1-erichte@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 x-cbid: 19102609-0008-0000-0000-00000327CA04 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19102609-0009-0000-0000-00004A47036D Message-Id: <20191026094553.26635-3-erichte@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-10-26_02:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1908290000 definitions=main-1910260100 Subject: [Skiboot] [PATCH v4 02/11] secvar_tpmnv: add high-level tpm nv index abstraction for secvar X-BeenThere: skiboot@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Mailing list for skiboot development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: nayna@linux.ibm.com Errors-To: skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Skiboot" Multiple components, like the storage driver or backend driver, need to store information in the one reserved TPM NV index. This abstraction provides a method for components to share the index space without stomping on each other's data, and without them needing to understand anything about the other. This is probably an overengineered solution to the problem, but the intent is to keep the drivers as isolated from one another as possible. Signed-off-by: Eric Richter --- libstb/secvar/Makefile.inc | 2 +- libstb/secvar/secvar_tpmnv.c | 167 +++++++++++++++++++++++++++++++++++ libstb/secvar/secvar_tpmnv.h | 11 +++ 3 files changed, 179 insertions(+), 1 deletion(-) create mode 100644 libstb/secvar/secvar_tpmnv.c create mode 100644 libstb/secvar/secvar_tpmnv.h diff --git a/libstb/secvar/Makefile.inc b/libstb/secvar/Makefile.inc index e1e6e5c7..e36186b5 100644 --- a/libstb/secvar/Makefile.inc +++ b/libstb/secvar/Makefile.inc @@ -7,7 +7,7 @@ SUBDIRS += $(SECVAR_DIR) include $(SECVAR_DIR)/storage/Makefile.inc include $(SECVAR_DIR)/backend/Makefile.inc -SECVAR_SRCS = secvar_main.c secvar_util.c secvar_devtree.c +SECVAR_SRCS = secvar_main.c secvar_util.c secvar_devtree.c secvar_tpmnv.c SECVAR_OBJS = $(SECVAR_SRCS:%.c=%.o) SECVAR = $(SECVAR_DIR)/built-in.a diff --git a/libstb/secvar/secvar_tpmnv.c b/libstb/secvar/secvar_tpmnv.c new file mode 100644 index 00000000..2da8a92b --- /dev/null +++ b/libstb/secvar/secvar_tpmnv.c @@ -0,0 +1,167 @@ +#include +#include +#include "secvar_tpmnv.h" +//#include + +#define TPM_SECVAR_NV_INDEX 0x01c10191 + +struct tpm_nv_id { + uint32_t id; + uint32_t size; + char data[0]; +}; + +struct tpm_nv { + uint32_t magic_num; + uint32_t version; + struct tpm_nv_id vars[0]; +}; + +int tpm_ready = 0; +struct tpm_nv *tpm_image; +size_t tpm_nv_size = 0; + +// Here just for size purposes, delete when using TSS +#define SECBOOT_VARIABLE_BANK_SIZE 32000 +#define SECBOOT_UPDATE_BANK_SIZE 32000 +#define SECBOOT_VARIABLE_BANK_NUM 2 +#ifndef _secboot_header_ // stupid fix for the test, delete with the rest +struct secboot_header { + uint32_t magic_number; + uint8_t version; + uint8_t reserved[3]; // Fix alignment +} __packed; +struct secboot { + struct secboot_header header; + char bank[SECBOOT_VARIABLE_BANK_NUM][SECBOOT_VARIABLE_BANK_SIZE]; + char update[SECBOOT_UPDATE_BANK_SIZE]; +} __packed; +#endif + + +static int secvar_tpmnv_init(void) +{ + if (tpm_ready) + return 0; + + // Check if defined, if so, load + // and set tpm_nv_size + // TSS_NV_Define_Space + // TSS_NV_Read + + tpm_nv_size = 1024; + + tpm_image = zalloc(tpm_nv_size); + if (!tpm_image) + return -1; + + // TEMP use pnor space for now, stored after the secboot sections + if (platform.secboot_read(tpm_image, sizeof(struct secboot), tpm_nv_size)) + return -1; + + tpm_ready = 1; + + return 0; +} + + +static struct tpm_nv_id *find_tpmnv_id(uint32_t id) +{ + struct tpm_nv_id *cur; + + for (cur = tpm_image->vars; + (char *) cur < ((char *) tpm_image) + tpm_nv_size; + cur += sizeof(struct tpm_nv_id) + cur->size) { + if (cur->id == 0) + return NULL; + if (cur->id == id) + return cur; + } + + return NULL; +} + + +// "Allocate" space within the secvar tpm +int secvar_tpmnv_alloc(uint32_t id, int32_t size) +{ + struct tpm_nv_id *cur; + + if (!tpm_ready && secvar_tpmnv_init()) + return -1; + + for (cur = tpm_image->vars; + (char *) cur < ((char *) tpm_image) + tpm_nv_size; + cur += sizeof(struct tpm_nv_id) + cur->size) { + if (cur->id == 0) + goto allocate; + if (cur->id == id) + return 0; // Already allocated + } + +allocate: + // Special case: size of -1 gives remaining space + if (size == -1) { + cur->id = id; + cur->size = tpm_nv_size - (cur - tpm_image->vars); + } + + if ((((char *) cur) + size) - (char *) tpm_image > tpm_nv_size) + return -2; + + cur->id = id; + cur->size = size; + + return 0; +} + + +int secvar_tpmnv_read(uint32_t id, void *buf, size_t size, size_t off) +{ + struct tpm_nv_id *var; + + if (!tpm_ready && secvar_tpmnv_init()) + return -1; + + var = find_tpmnv_id(id); + if (!var) + return -1; + + size = MIN(size, var->size); + memcpy(buf + off, var->data, size); + + return 0; +} + + +int secvar_tpmnv_write(uint32_t id, void *buf, size_t size, size_t off) +{ + struct tpm_nv_id *var; + + if (!tpm_ready && secvar_tpmnv_init()) + return -1; + + var = find_tpmnv_id(id); + if (!var) + return -1; + + size = MIN(size, var->size); + memcpy(var->data, buf + off, size); + // TSS_NV_Write(TPM_SECVAR_NV_INDEX, var->data, size + sizeof(struct tpm_nv_id), tpm_image - var) + + platform.secboot_write(sizeof(struct secboot), tpm_image, tpm_nv_size); + return 0; +} + +uint32_t secvar_tpmnv_size(uint32_t id) +{ + struct tpm_nv_id *var; + + if (!tpm_ready && secvar_tpmnv_init()) + return -1; + + var = find_tpmnv_id(id); + if (!var) + return 0; + return var->size; +} diff --git a/libstb/secvar/secvar_tpmnv.h b/libstb/secvar/secvar_tpmnv.h new file mode 100644 index 00000000..3b4a620e --- /dev/null +++ b/libstb/secvar/secvar_tpmnv.h @@ -0,0 +1,11 @@ +#ifndef _SECVAR_TPMNV_H_ +#define _SECVAR_TPMNV_H_ +#include + +int secvar_tpmnv_alloc(uint32_t id, int32_t size); +int secvar_tpmnv_read(uint32_t id, void *buf, size_t size, size_t off); +int secvar_tpmnv_write(uint32_t id, void *buf, size_t size, size_t off); +uint32_t secvar_tpmnv_size(uint32_t id); + +#endif +