| Message ID | 20220813195639.1824765-2-sjg@chromium.org |
|---|---|
| State | Superseded |
| Headers | show |
| Series | tpm: Various minor fixes and enhancements | expand |
On 8/13/22 21:56, Simon Glass wrote: > This feature is used for measured boot, so we can add a log entry to the > TCPA with some information about where the digest comes from. It is not > currently supported in the TPM drivers, but add it to the API so that > code which expects it can signal its request. > > Signed-off-by: Simon Glass <sjg@chromium.org> > --- > > Changes in v2: > - Drop limits on the TPM hash size > - Update commit message > > cmd/tpm-v1.c | 3 ++- > cmd/tpm_test.c | 5 +++-- > include/tpm_api.h | 8 +++++--- > lib/tpm-v2.c | 2 ++ > lib/tpm_api.c | 10 ++++++---- > 5 files changed, 18 insertions(+), 10 deletions(-) > > diff --git a/cmd/tpm-v1.c b/cmd/tpm-v1.c > index bf238a9f2e3..0869b707757 100644 > --- a/cmd/tpm-v1.c > +++ b/cmd/tpm-v1.c > @@ -131,7 +131,8 @@ static int do_tpm_extend(struct cmd_tbl *cmdtp, int flag, int argc, > return CMD_RET_FAILURE; > } > > - rc = tpm_pcr_extend(dev, index, in_digest, out_digest); > + rc = tpm_pcr_extend(dev, index, in_digest, sizeof(in_digest), > + out_digest, "test"); The value "test" seems inadequate in this context. Should this be a command line argument? Or how about "cmd". > if (!rc) { > puts("PCR value after execution of the command:\n"); > print_byte_string(out_digest, sizeof(out_digest)); > diff --git a/cmd/tpm_test.c b/cmd/tpm_test.c > index a3ccb12f53a..b35eae81dc3 100644 > --- a/cmd/tpm_test.c > +++ b/cmd/tpm_test.c > @@ -91,7 +91,8 @@ static int test_early_extend(struct udevice *dev) > tpm_init(dev); > TPM_CHECK(tpm_startup(dev, TPM_ST_CLEAR)); > TPM_CHECK(tpm_continue_self_test(dev)); > - TPM_CHECK(tpm_pcr_extend(dev, 1, value_in, value_out)); > + TPM_CHECK(tpm_pcr_extend(dev, 1, value_in, sizeof(value_in), value_out, > + "test")); Here the string "test" is adequate. > printf("done\n"); > return 0; > } > @@ -438,7 +439,7 @@ static int test_timing(struct udevice *dev) > 100); > TTPM_CHECK(tpm_nv_read_value(dev, INDEX0, (uint8_t *)&x, sizeof(x)), > 100); > - TTPM_CHECK(tpm_pcr_extend(dev, 0, in, out), 200); > + TTPM_CHECK(tpm_pcr_extend(dev, 0, in, sizeof(in), out, "test"), 200); > TTPM_CHECK(tpm_set_global_lock(dev), 50); > TTPM_CHECK(tpm_tsc_physical_presence(dev, PHYS_PRESENCE), 100); > printf("done\n"); > diff --git a/include/tpm_api.h b/include/tpm_api.h > index 11aa14eb793..3c8e48bc255 100644 > --- a/include/tpm_api.h > +++ b/include/tpm_api.h > @@ -81,14 +81,16 @@ u32 tpm_nv_write_value(struct udevice *dev, u32 index, const void *data, > * > * @param dev TPM device > * @param index index of the PCR > - * @param in_digest 160-bit value representing the event to be > + * @param in_digest 160/256-bit value representing the event to be > * recorded > - * @param out_digest 160-bit PCR value after execution of the > + * @param size size of digest in bytes > + * @param out_digest 160/256-bit PCR value after execution of the > * command > + * @param name additional info about where the digest comes from This does not indicate the usage and if the argument will be stored on the TPM. I would prefer: "digest source used for log output" Best regards Heinrich > * Return: return code of the operation > */ > u32 tpm_pcr_extend(struct udevice *dev, u32 index, const void *in_digest, > - void *out_digest); > + uint size, void *out_digest, const char *name); > > /** > * Issue a TPM_PCRRead command. > diff --git a/lib/tpm-v2.c b/lib/tpm-v2.c > index 1bf627853af..6058f2e1e4f 100644 > --- a/lib/tpm-v2.c > +++ b/lib/tpm-v2.c > @@ -157,6 +157,8 @@ u32 tpm2_pcr_extend(struct udevice *dev, u32 index, u32 algorithm, > }; > int ret; > > + if (!digest) > + return -EINVAL; > /* > * Fill the command structure starting from the first buffer: > * - the digest > diff --git a/lib/tpm_api.c b/lib/tpm_api.c > index 032f383ca04..aa4a9fd406c 100644 > --- a/lib/tpm_api.c > +++ b/lib/tpm_api.c > @@ -140,15 +140,17 @@ u32 tpm_write_lock(struct udevice *dev, u32 index) > } > > u32 tpm_pcr_extend(struct udevice *dev, u32 index, const void *in_digest, > - void *out_digest) > + uint size, void *out_digest, const char *name) > { > - if (tpm_is_v1(dev)) > + if (tpm_is_v1(dev)) { > return tpm1_extend(dev, index, in_digest, out_digest); > - else if (tpm_is_v2(dev)) > + } else if (tpm_is_v2(dev)) { > return tpm2_pcr_extend(dev, index, TPM2_ALG_SHA256, in_digest, > TPM2_DIGEST_LEN); > - else > + /* @name is ignored as we do not support measured boot */ > + } else { > return -ENOSYS; > + } > } > > u32 tpm_pcr_read(struct udevice *dev, u32 index, void *data, size_t count)
diff --git a/cmd/tpm-v1.c b/cmd/tpm-v1.c index bf238a9f2e3..0869b707757 100644 --- a/cmd/tpm-v1.c +++ b/cmd/tpm-v1.c @@ -131,7 +131,8 @@ static int do_tpm_extend(struct cmd_tbl *cmdtp, int flag, int argc, return CMD_RET_FAILURE; } - rc = tpm_pcr_extend(dev, index, in_digest, out_digest); + rc = tpm_pcr_extend(dev, index, in_digest, sizeof(in_digest), + out_digest, "test"); if (!rc) { puts("PCR value after execution of the command:\n"); print_byte_string(out_digest, sizeof(out_digest)); diff --git a/cmd/tpm_test.c b/cmd/tpm_test.c index a3ccb12f53a..b35eae81dc3 100644 --- a/cmd/tpm_test.c +++ b/cmd/tpm_test.c @@ -91,7 +91,8 @@ static int test_early_extend(struct udevice *dev) tpm_init(dev); TPM_CHECK(tpm_startup(dev, TPM_ST_CLEAR)); TPM_CHECK(tpm_continue_self_test(dev)); - TPM_CHECK(tpm_pcr_extend(dev, 1, value_in, value_out)); + TPM_CHECK(tpm_pcr_extend(dev, 1, value_in, sizeof(value_in), value_out, + "test")); printf("done\n"); return 0; } @@ -438,7 +439,7 @@ static int test_timing(struct udevice *dev) 100); TTPM_CHECK(tpm_nv_read_value(dev, INDEX0, (uint8_t *)&x, sizeof(x)), 100); - TTPM_CHECK(tpm_pcr_extend(dev, 0, in, out), 200); + TTPM_CHECK(tpm_pcr_extend(dev, 0, in, sizeof(in), out, "test"), 200); TTPM_CHECK(tpm_set_global_lock(dev), 50); TTPM_CHECK(tpm_tsc_physical_presence(dev, PHYS_PRESENCE), 100); printf("done\n"); diff --git a/include/tpm_api.h b/include/tpm_api.h index 11aa14eb793..3c8e48bc255 100644 --- a/include/tpm_api.h +++ b/include/tpm_api.h @@ -81,14 +81,16 @@ u32 tpm_nv_write_value(struct udevice *dev, u32 index, const void *data, * * @param dev TPM device * @param index index of the PCR - * @param in_digest 160-bit value representing the event to be + * @param in_digest 160/256-bit value representing the event to be * recorded - * @param out_digest 160-bit PCR value after execution of the + * @param size size of digest in bytes + * @param out_digest 160/256-bit PCR value after execution of the * command + * @param name additional info about where the digest comes from * Return: return code of the operation */ u32 tpm_pcr_extend(struct udevice *dev, u32 index, const void *in_digest, - void *out_digest); + uint size, void *out_digest, const char *name); /** * Issue a TPM_PCRRead command. diff --git a/lib/tpm-v2.c b/lib/tpm-v2.c index 1bf627853af..6058f2e1e4f 100644 --- a/lib/tpm-v2.c +++ b/lib/tpm-v2.c @@ -157,6 +157,8 @@ u32 tpm2_pcr_extend(struct udevice *dev, u32 index, u32 algorithm, }; int ret; + if (!digest) + return -EINVAL; /* * Fill the command structure starting from the first buffer: * - the digest diff --git a/lib/tpm_api.c b/lib/tpm_api.c index 032f383ca04..aa4a9fd406c 100644 --- a/lib/tpm_api.c +++ b/lib/tpm_api.c @@ -140,15 +140,17 @@ u32 tpm_write_lock(struct udevice *dev, u32 index) } u32 tpm_pcr_extend(struct udevice *dev, u32 index, const void *in_digest, - void *out_digest) + uint size, void *out_digest, const char *name) { - if (tpm_is_v1(dev)) + if (tpm_is_v1(dev)) { return tpm1_extend(dev, index, in_digest, out_digest); - else if (tpm_is_v2(dev)) + } else if (tpm_is_v2(dev)) { return tpm2_pcr_extend(dev, index, TPM2_ALG_SHA256, in_digest, TPM2_DIGEST_LEN); - else + /* @name is ignored as we do not support measured boot */ + } else { return -ENOSYS; + } } u32 tpm_pcr_read(struct udevice *dev, u32 index, void *data, size_t count)
This feature is used for measured boot, so we can add a log entry to the TCPA with some information about where the digest comes from. It is not currently supported in the TPM drivers, but add it to the API so that code which expects it can signal its request. Signed-off-by: Simon Glass <sjg@chromium.org> --- Changes in v2: - Drop limits on the TPM hash size - Update commit message cmd/tpm-v1.c | 3 ++- cmd/tpm_test.c | 5 +++-- include/tpm_api.h | 8 +++++--- lib/tpm-v2.c | 2 ++ lib/tpm_api.c | 10 ++++++---- 5 files changed, 18 insertions(+), 10 deletions(-)