From patchwork Fri Jul 9 02:53:11 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 1502830 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ozlabs.org (client-ip=2404:9400:2:0:216:3eff:fee1:b9f1; helo=lists.ozlabs.org; envelope-from=slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org; receiver=) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=ibm.com header.i=@ibm.com header.a=rsa-sha256 header.s=pp1 header.b=FfSMi4EL; dkim-atps=neutral Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2404:9400:2:0:216:3eff:fee1:b9f1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4GLd5R3V3sz9sXV for ; Fri, 9 Jul 2021 12:53:31 +1000 (AEST) Received: from boromir.ozlabs.org (localhost [IPv6:::1]) by lists.ozlabs.org (Postfix) with ESMTP id 4GLd5R2GTQz3bZv for ; Fri, 9 Jul 2021 12:53:31 +1000 (AEST) Authentication-Results: lists.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=ibm.com header.i=@ibm.com header.a=rsa-sha256 header.s=pp1 header.b=FfSMi4EL; dkim-atps=neutral X-Original-To: slof@lists.ozlabs.org Delivered-To: slof@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.158.5; helo=mx0a-001b2d01.pphosted.com; envelope-from=stefanb@linux.vnet.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=ibm.com header.i=@ibm.com header.a=rsa-sha256 header.s=pp1 header.b=FfSMi4EL; dkim-atps=neutral Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 4GLd5H04Fhz3bTh for ; Fri, 9 Jul 2021 12:53:22 +1000 (AEST) Received: from pps.filterd (m0098416.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 1692Xnfx068373; Thu, 8 Jul 2021 22:53:20 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding; s=pp1; bh=RnG8t0qs3lg6mpF6GfatvpQNVQWC4P6/v33km/CDzV0=; b=FfSMi4ELf6dPJBEjjYrsjVAFuTeejEWER89VDqtMmd5roZJA8mUFVvFlFf5is0mpmjRl 9x8YqJuKEZltMecrOZrg6tGlfz5RwgmIpvk3D/AH46rBjv6mmthw8hq0l/P/dPAXBjGJ pR2ykE9E852TYFdbcwKhhU6djnQF1OgHcJnA87BonGF4JXx2qyJ7Cl+NAiQ5ghqNQHb7 Gh8oKn8oKjAuXCvqrkkY5ScrolTtuX3PzEciDdNQIiaSe1LI1m5GSyPfzgSmx6d0zFd3 GK4dlmNo4dlDR/CAv6YaYoCl+LU8ksFLZpboSa0vZUZ2HYUjR/M1oCE0nuklAE7qVbuX 4w== Received: from ppma02wdc.us.ibm.com (aa.5b.37a9.ip4.static.sl-reverse.com [169.55.91.170]) by mx0b-001b2d01.pphosted.com with ESMTP id 39nwn0wfcx-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 08 Jul 2021 22:53:20 -0400 Received: from pps.filterd (ppma02wdc.us.ibm.com [127.0.0.1]) by ppma02wdc.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 1692qAZr021592; Fri, 9 Jul 2021 02:53:19 GMT Received: from b03cxnp08027.gho.boulder.ibm.com (b03cxnp08027.gho.boulder.ibm.com [9.17.130.19]) by ppma02wdc.us.ibm.com with ESMTP id 39jfhdbwm9-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 09 Jul 2021 02:53:19 +0000 Received: from b03ledav006.gho.boulder.ibm.com (b03ledav006.gho.boulder.ibm.com [9.17.130.237]) by b03cxnp08027.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 1692rI6a9306610 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 9 Jul 2021 02:53:18 GMT Received: from b03ledav006.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id EA968C605B; Fri, 9 Jul 2021 02:53:17 +0000 (GMT) Received: from b03ledav006.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id B3D09C6055; Fri, 9 Jul 2021 02:53:17 +0000 (GMT) Received: from localhost.localdomain (unknown [9.47.158.152]) by b03ledav006.gho.boulder.ibm.com (Postfix) with ESMTP; Fri, 9 Jul 2021 02:53:17 +0000 (GMT) From: Stefan Berger To: slof@lists.ozlabs.org Date: Thu, 8 Jul 2021 22:53:11 -0400 Message-Id: <20210709025313.674287-6-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210709025313.674287-1-stefanb@linux.vnet.ibm.com> References: <20210709025313.674287-1-stefanb@linux.vnet.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-GUID: HLPa_Rs-4_MlXwxNnofSwkT_kwKI_48t X-Proofpoint-ORIG-GUID: HLPa_Rs-4_MlXwxNnofSwkT_kwKI_48t X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.790 definitions=2021-07-09_01:2021-07-09, 2021-07-08 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 bulkscore=0 spamscore=0 clxscore=1015 impostorscore=0 lowpriorityscore=0 adultscore=0 malwarescore=0 suspectscore=0 priorityscore=1501 mlxlogscore=948 mlxscore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2104190000 definitions=main-2107090010 Subject: [SLOF] [PATCH v3 5/7] tcgbios: Use The proper sha function for each PCR bank X-BeenThere: slof@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Patches for https://github.com/aik/SLOF" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Stefan Berger Errors-To: slof-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "SLOF" From: Stefan Berger Instead of just using sha256 for all PCR banks (and truncating the value or zero-padding it) use the proper hash function for each one of the banks. For unimplemented hashes, fill the buffer with 0xff. Signed-off-by: Stefan Berger --- lib/libtpm/tcgbios.c | 42 ++++++++++++++++++++++++++++++++---------- 1 file changed, 32 insertions(+), 10 deletions(-) diff --git a/lib/libtpm/tcgbios.c b/lib/libtpm/tcgbios.c index 8a0f6cc..8af6289 100644 --- a/lib/libtpm/tcgbios.c +++ b/lib/libtpm/tcgbios.c @@ -127,28 +127,32 @@ static const struct hash_parameters { uint8_t hashalg_flag; uint8_t hash_buffersize; const char *name; + void (*hashfunc)(const uint8_t *data, uint32_t length, uint8_t *hash); } hash_parameters[] = { { .hashalg = TPM2_ALG_SHA1, .hashalg_flag = TPM2_ALG_SHA1_FLAG, .hash_buffersize = SHA1_BUFSIZE, .name = "SHA1", + .hashfunc = sha1, }, { .hashalg = TPM2_ALG_SHA256, .hashalg_flag = TPM2_ALG_SHA256_FLAG, .hash_buffersize = SHA256_BUFSIZE, .name = "SHA256", + .hashfunc = sha256, }, { .hashalg = TPM2_ALG_SHA384, .hashalg_flag = TPM2_ALG_SHA384_FLAG, .hash_buffersize = SHA384_BUFSIZE, .name = "SHA384", - + .hashfunc = sha384, }, { .hashalg = TPM2_ALG_SHA512, .hashalg_flag = TPM2_ALG_SHA512_FLAG, .hash_buffersize = SHA512_BUFSIZE, .name = "SHA512", + .hashfunc = sha512, }, { .hashalg = TPM2_ALG_SM3_256, .hashalg_flag = TPM2_ALG_SM3_256_FLAG, @@ -233,6 +237,25 @@ static const char * tpm20_hashalg_flag_to_name(uint8_t hashalg_flag) return NULL; } +static void tpm2_hash_data(uint16_t hashAlg, + const uint8_t *data, uint32_t data_len, + uint8_t *hash) +{ + unsigned i; + + for (i = 0; i < ARRAY_SIZE(hash_parameters); i++) { + if (hash_parameters[i].hashalg == hashAlg) { + if (hash_parameters[i].hashfunc) { + hash_parameters[i].hashfunc(data, data_len, + hash); + } else { + memset(hash, 0xff, + hash_parameters[i].hash_buffersize); + } + } + } +} + /* * Build the TPM2 TPML_DIGEST_VALUES data structure from the given hash. * Follow the PCR bank configuration of the TPM and write the same hash @@ -242,13 +265,15 @@ static const char * tpm20_hashalg_flag_to_name(uint8_t hashalg_flag) * hash when writing it in the area of the sha1 hash. * * le: the log entry to build the digest in - * sha1: the sha1 hash value to use + * hashdata: the data to hash + * hashdata_len: the length of the hashdata * bigEndian: whether to build in big endian format for the TPM or log * little endian for the log (TPM 2.0) * * Returns the digest size; -1 on fatal error */ -static int tpm20_build_digest(struct tpm_log_entry *le, const uint8_t *sha256, +static int tpm20_build_digest(struct tpm_log_entry *le, + const uint8_t *hashdata, uint32_t hashdata_len, bool bigEndian) { struct tpms_pcr_selection *sel; @@ -297,9 +322,8 @@ static int tpm20_build_digest(struct tpm_log_entry *le, const uint8_t *sha256, else v->hashAlg = cpu_to_le16(be16_to_cpu(sel->hashAlg)); - memset(v->hash, 0, hsize); - memcpy(v->hash, sha256, - hsize < SHA256_BUFSIZE ? hsize : SHA256_BUFSIZE); + tpm2_hash_data(be16_to_cpu(sel->hashAlg), hashdata, hashdata_len, + v->hash); dest += sizeof(*v) + hsize; sel = nsel; @@ -865,7 +889,6 @@ static uint32_t tpm_add_measurement_to_log(uint32_t pcrindex, const uint8_t *hashdata, uint32_t hashdatalen) { - uint8_t hash[SHA256_BUFSIZE]; struct tpm_log_entry le = { .hdr.pcrindex = cpu_to_log32(pcrindex), .hdr.eventtype = cpu_to_log32(eventtype), @@ -873,8 +896,7 @@ static uint32_t tpm_add_measurement_to_log(uint32_t pcrindex, int digest_len; int ret; - sha256(hashdata, hashdatalen, hash); - digest_len = tpm20_build_digest(&le, hash, true); + digest_len = tpm20_build_digest(&le, hashdata, hashdatalen, true); if (digest_len < 0) return TCGBIOS_GENERAL_ERROR; ret = tpm20_extend(&le, digest_len); @@ -882,7 +904,7 @@ static uint32_t tpm_add_measurement_to_log(uint32_t pcrindex, tpm_set_failure(); return TCGBIOS_COMMAND_ERROR; } - tpm20_build_digest(&le, hash, false); + tpm20_build_digest(&le, hashdata, hashdatalen, false); return tpm_log_event_long(&le.hdr, digest_len, info, infolen); }