From patchwork Mon Sep 28 22:06:07 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Richter X-Patchwork-Id: 1372910 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4C0c814lTJz9s1t for ; Tue, 29 Sep 2020 08:07:29 +1000 (AEST) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=linux.ibm.com Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=ibm.com header.i=@ibm.com header.a=rsa-sha256 header.s=pp1 header.b=mh3BXzjf; dkim-atps=neutral Received: from bilbo.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 4C0c812BqrzDqQk for ; Tue, 29 Sep 2020 08:07:29 +1000 (AEST) X-Original-To: skiboot@lists.ozlabs.org Delivered-To: skiboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=linux.ibm.com (client-ip=148.163.158.5; helo=mx0b-001b2d01.pphosted.com; envelope-from=erichte@linux.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=pass (p=none dis=none) header.from=linux.ibm.com Authentication-Results: lists.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=ibm.com header.i=@ibm.com header.a=rsa-sha256 header.s=pp1 header.b=mh3BXzjf; dkim-atps=neutral Received: from mx0b-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 4C0c6k3KK5zDqLC for ; Tue, 29 Sep 2020 08:06:21 +1000 (AEST) Received: from pps.filterd (m0098417.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 08SM3QMN139754 for ; Mon, 28 Sep 2020 18:06:19 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding; s=pp1; bh=XA6dHPIYd0pxx9CEqUOhaS0QPinbQwts08c1MbhyrK4=; b=mh3BXzjfiBw8p4DOJShuXyl0gIb4VxRei5MyB/+UXg0K7E6PWwH9NQhoDuWYCUtXCyR/ OdKneRwGYy0BaWFiWijcPq6clQSG1japQO6Qc2SW9DdomFxnBs5Md++XuA0bmfNjlEJ1 PidjVIR2Sk4t4AdVOZXDiQrVKdFJOA13OIk6PT9fECm93DIVcZ8g217nrsEAAuOmAtMB 9Lb0zu3pjKUjEs5cOS82rlRMZqhUmYGpcU4dTffO0qaYVZJW/yCEqKn7d4csu4YjONkE SU0QnpUEfWCc86u5kH78KM5KdAa28mpnovnlCPT1As6ow1t1VCFNd6URyapltCYZIjCh Lw== Received: from ppma04ams.nl.ibm.com (63.31.33a9.ip4.static.sl-reverse.com [169.51.49.99]) by mx0a-001b2d01.pphosted.com with ESMTP id 33upamu8bu-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 28 Sep 2020 18:06:19 -0400 Received: from pps.filterd (ppma04ams.nl.ibm.com [127.0.0.1]) by ppma04ams.nl.ibm.com (8.16.0.42/8.16.0.42) with SMTP id 08SM2ofD031536 for ; Mon, 28 Sep 2020 22:06:18 GMT Received: from b06cxnps4076.portsmouth.uk.ibm.com (d06relay13.portsmouth.uk.ibm.com [9.149.109.198]) by ppma04ams.nl.ibm.com with ESMTP id 33sw97tk8b-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 28 Sep 2020 22:06:17 +0000 Received: from d06av26.portsmouth.uk.ibm.com (d06av26.portsmouth.uk.ibm.com [9.149.105.62]) by b06cxnps4076.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 08SM6EAg24379792 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 28 Sep 2020 22:06:15 GMT Received: from d06av26.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id C3091AE053; Mon, 28 Sep 2020 22:06:14 +0000 (GMT) Received: from d06av26.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id D2AD6AE04D; Mon, 28 Sep 2020 22:06:13 +0000 (GMT) Received: from ceres.ibmuc.com (unknown [9.211.92.104]) by d06av26.portsmouth.uk.ibm.com (Postfix) with ESMTP; Mon, 28 Sep 2020 22:06:13 +0000 (GMT) From: Eric Richter To: skiboot@lists.ozlabs.org Date: Mon, 28 Sep 2020 17:06:07 -0500 Message-Id: <20200928220609.10479-3-erichte@linux.ibm.com> X-Mailer: git-send-email 2.21.1 In-Reply-To: <20200928220609.10479-1-erichte@linux.ibm.com> References: <20200928220609.10479-1-erichte@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235, 18.0.687 definitions=2020-09-28_25:2020-09-28, 2020-09-28 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxscore=0 lowpriorityscore=0 phishscore=0 impostorscore=0 suspectscore=1 priorityscore=1501 adultscore=0 spamscore=0 mlxlogscore=685 clxscore=1015 malwarescore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2006250000 definitions=main-2009280167 Subject: [Skiboot] [PATCH v6a 2/4] secboot_tpm.c: increase tpmnv vars index size X-BeenThere: skiboot@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Mailing list for skiboot development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: klaus@linux.ibm.com, nayna@linux.ibm.com Errors-To: skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Skiboot" The TPM NV index size for storing the PK was originally set to 1024, which was determined to be a "smallest maximum" size that we determined to be enough to store the PK. However with overhead, this only allowed for about ~912 bytes, which is far too small to store a certificate, as it only permits about ~10 characters in the x509 subject field. This patch increases the TPM NV Vars index to 2048 bytes, which is the largest size a single NV index can be on the Nuvoton npct650 chip. Signed-off-by: Eric Richter --- libstb/secvar/storage/fakenv_ops.c | 2 +- libstb/secvar/storage/gen_tpmnv_public_name.c | 2 +- libstb/secvar/storage/secboot_tpm.c | 8 ++++---- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/libstb/secvar/storage/fakenv_ops.c b/libstb/secvar/storage/fakenv_ops.c index 64d5d51e..77ae6c3e 100644 --- a/libstb/secvar/storage/fakenv_ops.c +++ b/libstb/secvar/storage/fakenv_ops.c @@ -9,7 +9,7 @@ static size_t fakenv_offset = sizeof(struct secboot); struct fake_tpmnv { struct { struct secboot_header header; - char vars[1024]; // Hardcode the size to 1024 for now + char vars[2048]; // Hardcode the size to 2048 for now } vars; struct tpmnv_control control; int defined[2]; diff --git a/libstb/secvar/storage/gen_tpmnv_public_name.c b/libstb/secvar/storage/gen_tpmnv_public_name.c index bfeb9743..7af51312 100644 --- a/libstb/secvar/storage/gen_tpmnv_public_name.c +++ b/libstb/secvar/storage/gen_tpmnv_public_name.c @@ -21,7 +21,7 @@ int verbose; TPMS_NV_PUBLIC vars = { .nvIndex = 0x01c10190, .nameAlg = TPM_ALG_SHA256, - .dataSize = 1024, + .dataSize = 2048, .attributes.val = TPMA_NVA_PPWRITE | TPMA_NVA_ORDINARY | TPMA_NVA_WRITE_STCLEAR | diff --git a/libstb/secvar/storage/secboot_tpm.c b/libstb/secvar/storage/secboot_tpm.c index b6a294b0..129f674a 100644 --- a/libstb/secvar/storage/secboot_tpm.c +++ b/libstb/secvar/storage/secboot_tpm.c @@ -22,7 +22,7 @@ struct secboot *secboot_image = NULL; struct tpmnv_vars *tpmnv_vars_image = NULL; struct tpmnv_control *tpmnv_control_image = NULL; -const size_t tpmnv_vars_size = 1024; +const size_t tpmnv_vars_size = 2048; /* Expected TPM NV index name field from NV_ReadPublic given our known * set of attributes (see tss_nv_define_space). @@ -33,9 +33,9 @@ const size_t tpmnv_vars_size = 1024; * which alters the hash slightly as it sets TPMA_NV_WRITELOCKED */ const uint8_t tpmnv_vars_name[] = { - 0x00, 0x0b, 0x94, 0x64, 0x36, 0x25, 0xfc, 0xc1, 0x1d, 0xc1, 0x0e, 0x28, 0xe7, - 0xac, 0xaf, 0xc6, 0x08, 0x8e, 0xda, 0x21, 0xd6, 0x43, 0xd2, 0x77, 0xe7, 0x2d, - 0x83, 0x39, 0x0f, 0xa6, 0xdf, 0xc0, 0x59, 0x37, + 0x00, 0x0b, 0x7a, 0xdb, 0x70, 0xdd, 0x27, 0x94, 0x93, 0x26, 0x11, 0xe2, 0x97, + 0x00, 0x77, 0x22, 0x4d, 0x5a, 0x74, 0xf8, 0x91, 0x6f, 0xbf, 0xf8, 0x51, 0x4a, + 0x67, 0x6f, 0xd9, 0xa8, 0xc3, 0xfc, 0x39, 0xed, }; const uint8_t tpmnv_control_name[] = {