From patchwork Mon May 11 21:31:48 2020
X-Patchwork-Submitter: Eric Richter
X-Patchwork-Id: 1288092
From: Eric Richter
To: skiboot@lists.ozlabs.org
Date: Mon, 11 May 2020 16:31:48 -0500
Message-Id: <20200511213152.24952-15-erichte@linux.ibm.com>
In-Reply-To: <20200511213152.24952-1-erichte@linux.ibm.com>
References: <20200511213152.24952-1-erichte@linux.ibm.com>
Subject: [Skiboot] [RFC PATCH v4 14/18] secvar/storage: add utility tool to generate NV public name hashes
List-Id: Mailing list for skiboot development
Cc: nayna@linux.ibm.com

This patch adds a small userspace utility to locally generate the expected hash returned by a TSS_NV_ReadPublic command for the NV indices as defined by the secboot_tpm storage driver. This removes the need for manually copying in the hash from the ReadPublic output if for some reason the set of attributes used when defining the NV indices changes in the future.

As this is an auxiliary tool, it is not built by default and must be manually built using `make gen_tpmnv_public_name`.

This patch has been marked as RFC as it is a draft implementation that I'm looking for feedback on whether it is worth keeping in-tree, and if so, what a more proper integration should look like.
Signed-off-by: Eric Richter --- libstb/secvar/storage/Makefile.inc | 3 + libstb/secvar/storage/gen_tpmnv_public_name.c | 107 ++++++++++++++++++ 2 files changed, 110 insertions(+) create mode 100644 libstb/secvar/storage/gen_tpmnv_public_name.c diff --git a/libstb/secvar/storage/Makefile.inc b/libstb/secvar/storage/Makefile.inc index 99f7b073..dc5353ff 100644 --- a/libstb/secvar/storage/Makefile.inc +++ b/libstb/secvar/storage/Makefile.inc @@ -14,3 +14,6 @@ SECVAR_STORAGE_OBJS = $(SECVAR_STORAGE_SRCS:%.c=%.o) SECVAR_STORAGE = $(SECVAR_STORAGE_DIR)/built-in.a $(SECVAR_STORAGE): $(SECVAR_STORAGE_OBJS:%=$(SECVAR_STORAGE_DIR)/%) + +gen_tpmnv_public_name: $@ + gcc -o $@ $(SECVAR_STORAGE_DIR)/$@.c -I $(SRC)/libstb/tss2/ibmtpm20tss/utils/ -lmbedcrypto diff --git a/libstb/secvar/storage/gen_tpmnv_public_name.c b/libstb/secvar/storage/gen_tpmnv_public_name.c new file mode 100644 index 00000000..bfeb9743 --- /dev/null +++ b/libstb/secvar/storage/gen_tpmnv_public_name.c 
@@ -0,0 +1,107 @@ +#include +#include +#include +#include +#include +#include +#include +#include + +#define TPM_TPM20 +#include "../../tss2/ibmtpm20tss/utils/tssmarshal.c" +#include "../../tss2/ibmtpm20tss/utils/Unmarshal.c" + +#define zalloc(a) calloc(1,a) +// Silence linking complaints +int verbose; + +#define COPYRIGHT_YEAR "2020" + + +TPMS_NV_PUBLIC vars = { + .nvIndex = 0x01c10190, + .nameAlg = TPM_ALG_SHA256, + .dataSize = 1024, + .attributes.val = TPMA_NVA_PPWRITE | + TPMA_NVA_ORDINARY | + TPMA_NVA_WRITE_STCLEAR | + TPMA_NVA_AUTHREAD | + TPMA_NVA_NO_DA | + TPMA_NVA_WRITTEN | + TPMA_NVA_PLATFORMCREATE, +}; + +TPMS_NV_PUBLIC control = { + .nvIndex = 0x01c10191, + .nameAlg = TPM_ALG_SHA256, + .dataSize = 73, + .attributes.val = TPMA_NVA_PPWRITE | + TPMA_NVA_ORDINARY | + TPMA_NVA_WRITE_STCLEAR | + TPMA_NVA_AUTHREAD | + TPMA_NVA_NO_DA | + TPMA_NVA_WRITTEN | + TPMA_NVA_PLATFORMCREATE, +}; + +int calc_hash(TPMS_NV_PUBLIC *public, char *name) +{ + uint16_t written = 0; + uint32_t size = 4096; + unsigned char *buffer = zalloc(size); + unsigned char *buffer_tmp = buffer; + char output[34]; + mbedtls_sha256_context cxt; + int ret = 0; + int i; + + // Output hash includes the hash algorithm in the first two bytes + *((uint16_t *) output) = htons(public->nameAlg); + + // Serialize the NV Public struct + ret = TSS_TPMS_NV_PUBLIC_Marshalu(public, &written, &buffer_tmp, &size); + if (ret) return ret; + + // Hash it + mbedtls_sha256_init(&cxt); + ret = mbedtls_sha256_starts_ret(&cxt, 0); + if (ret) return ret; + + ret = mbedtls_sha256_update_ret(&cxt, buffer, written); + if (ret) return ret; + + mbedtls_sha256_finish_ret(&cxt, output+2); + mbedtls_sha256_free(&cxt); + + free(buffer); + + // Print it + printf("\nconst uint8_t tpmnv_%s_name[] = {", name); + for (i = 0; i < sizeof(output); i++) { + if (!(i % 13)) + printf("\n\t"); + printf("0x%02x, ", output[i] & 0xff); + } + printf("\n};\n"); + + return 0; +} + + +int main() +{ + printf("// SPDX-License-Identifier: Apache-2.0 
OR GPL-2.0-or-later\n"); + printf("/* Copyright " COPYRIGHT_YEAR " IBM Corp. */\n"); + + printf("#ifndef _SECBOOT_TPM_PUBLIC_NAME_H_\n"); + printf("#define _SECBOOT_TPM_PUBLIC_NAME_H_\n"); + + calc_hash(&vars, "vars"); + calc_hash(&control, "control"); + + printf("\n"); + printf("#endif\n"); + + return 0; +} +
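Review bot: in the Makefile.inc hunk, the rule `gen_tpmnv_public_name: $@` has no effective prerequisite, because automatic variables such as `$@` are empty in a prerequisite list (they are only set inside the recipe unless `.SECONDEXPANSION` is used), so the tool is never rebuilt when its source changes and `make` cannot tell when it is out of date. Name the source explicitly, e.g. `gen_tpmnv_public_name: $(SECVAR_STORAGE_DIR)/gen_tpmnv_public_name.c`, and since this is a host-side tool in a cross-compiled tree, invoke it through the host compiler variable the build already uses rather than a bare `gcc`; a matching `clean` entry for the produced binary would also be worth adding.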
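Review bot: in the gen_tpmnv_public_name.c hunk, `main()` discards the return values of both `calc_hash()` calls, and `calc_hash()` itself does not check `mbedtls_sha256_finish_ret()`, so a failed marshal or hash still exits 0 and emits a header that silently lacks one of the `tpmnv_*_name` arrays; check each return and exit non-zero so a broken build is not mistaken for a valid set of expected names. The early `return ret` paths also leak `buffer`, and the `zalloc()` result is never checked. More fundamentally, the `nvIndex`, `dataSize` and `attributes.val` values are retyped here by hand instead of being shared with the secboot_tpm driver, which reintroduces exactly the drift this tool is meant to remove: if the driver's definition changes and this copy does not, the generated names will not match what ReadPublic reports. Pulling both from one common header would make the mismatch impossible. Minor: `output` is `char` while the mbedtls API writes `unsigned char`, and storing the algorithm id through `(uint16_t *) output` is a type pun; `memcpy` of the `htons()` value avoids both warnings.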