<p>Philipp Deppenwiese has uploaded this change for <strong>review</strong>.</p><p><a href="https://review.coreboot.org/27727">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">security/vboot: Enable TCPA log extension<br><br>* Implement TCPA log for tspi extend function.<br>* Hook tcpa_log_init into vboot tpm_setup function.<br><br>Change-Id: I22b1aa8da1a95380c39715727615ce5ce4c9443f<br>Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org><br>---<br>M src/security/tpm/tspi.h<br>M src/security/tpm/tspi/tspi.c<br>M src/security/vboot/secdata_tpm.c<br>3 files changed, 29 insertions(+), 8 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://review.coreboot.org:29418/coreboot refs/changes/27/27727/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/security/tpm/tspi.h b/src/security/tpm/tspi.h</span><br><span>index 01b2984..2660750 100644</span><br><span>--- a/src/security/tpm/tspi.h</span><br><span>+++ b/src/security/tpm/tspi.h</span><br><span>@@ -33,12 +33,14 @@</span><br><span> </span><br><span> /**</span><br><span>  * Ask vboot for a digest and extend a TPM PCR with it.</span><br><span style="color: hsl(120, 100%, 40%);">+ * @param name sets additional info where the digest comes from</span><br><span>  * @param pcr sets the pcr index</span><br><span>  * @param digest sets the hash to extend into the tpm</span><br><span style="color: hsl(0, 100%, 40%);">- * @param out_digest get extended hash</span><br><span style="color: hsl(120, 100%, 40%);">+ * @param digest_len the length of the digest</span><br><span>  * @return TPM_SUCCESS on success. If not a tpm error is returned</span><br><span>  */</span><br><span style="color: hsl(0, 100%, 40%);">-uint32_t tpm_extend_pcr(int pcr, uint8_t *digest, uint8_t *out_digest);</span><br><span style="color: hsl(120, 100%, 40%);">+uint32_t tpm_extend_pcr(const char *name, int pcr, uint8_t *digest,</span><br><span style="color: hsl(120, 100%, 40%);">+                  size_t digest_len);</span><br><span> </span><br><span> /**</span><br><span>  * Issue a TPM_Clear and reenable/reactivate the TPM.</span><br><span>diff --git a/src/security/tpm/tspi/tspi.c b/src/security/tpm/tspi/tspi.c</span><br><span>index 407e1fa..862a286 100644</span><br><span>--- a/src/security/tpm/tspi/tspi.c</span><br><span>+++ b/src/security/tpm/tspi/tspi.c</span><br><span>@@ -178,13 +178,21 @@</span><br><span>         return TPM_SUCCESS;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-uint32_t tpm_extend_pcr(int pcr, uint8_t *digest, uint8_t *out_digest)</span><br><span style="color: hsl(120, 100%, 40%);">+uint32_t tpm_extend_pcr(const char *name, int pcr, uint8_t *digest,</span><br><span style="color: hsl(120, 100%, 40%);">+                       size_t digest_len)</span><br><span> {</span><br><span style="color: hsl(120, 100%, 40%);">+       uint32_t result;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span>   if (!digest)</span><br><span>                 return TPM_E_IOERROR;</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-       if (out_digest)</span><br><span style="color: hsl(0, 100%, 40%);">-         return tlcl_extend(pcr, digest, out_digest);</span><br><span style="color: hsl(120, 100%, 40%);">+  result = tlcl_extend(pcr, digest, NULL);</span><br><span style="color: hsl(120, 100%, 40%);">+      if (result != TPM_SUCCESS)</span><br><span style="color: hsl(120, 100%, 40%);">+            return result;</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-      return tlcl_extend(pcr, digest, NULL);</span><br><span style="color: hsl(120, 100%, 40%);">+        result = tcpa_log_add_table_entry(name, pcr, digest, digest_len);</span><br><span style="color: hsl(120, 100%, 40%);">+     if (result != 0)</span><br><span style="color: hsl(120, 100%, 40%);">+              printk(BIOS_ERR, "ERROR: Couldn't creat TCPA log entry\n");</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+   return 0;</span><br><span> }</span><br><span>diff --git a/src/security/vboot/secdata_tpm.c b/src/security/vboot/secdata_tpm.c</span><br><span>index 57c107b..b443200 100644</span><br><span>--- a/src/security/vboot/secdata_tpm.c</span><br><span>+++ b/src/security/vboot/secdata_tpm.c</span><br><span>@@ -65,7 +65,7 @@</span><br><span> static uint32_t safe_write(uint32_t index, const void *data, uint32_t length);</span><br><span> </span><br><span> uint32_t vboot_extend_pcr(struct vb2_context *ctx, int pcr,</span><br><span style="color: hsl(0, 100%, 40%);">-                    enum vb2_pcr_digest which_digest)</span><br><span style="color: hsl(120, 100%, 40%);">+                       enum vb2_pcr_digest which_digest)</span><br><span> {</span><br><span>     uint8_t buffer[VB2_PCR_DIGEST_RECOMMENDED_SIZE];</span><br><span>     uint32_t size = sizeof(buffer);</span><br><span>@@ -77,7 +77,15 @@</span><br><span>         if (size < TPM_PCR_MINIMUM_DIGEST_SIZE)</span><br><span>           return VB2_ERROR_UNKNOWN;</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-   return tpm_extend_pcr(pcr, buffer, NULL);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+   switch (which_digest) {</span><br><span style="color: hsl(120, 100%, 40%);">+       case BOOT_MODE_PCR:</span><br><span style="color: hsl(120, 100%, 40%);">+           return tpm_extend_pcr("GBB flags", pcr, buffer, size);</span><br><span style="color: hsl(120, 100%, 40%);">+      case HWID_DIGEST_PCR:</span><br><span style="color: hsl(120, 100%, 40%);">+         return tpm_extend_pcr("GBB HWID", pcr, buffer, size);</span><br><span style="color: hsl(120, 100%, 40%);">+       default:</span><br><span style="color: hsl(120, 100%, 40%);">+              return VB2_ERROR_UNKNOWN;</span><br><span style="color: hsl(120, 100%, 40%);">+     }</span><br><span> }</span><br><span> </span><br><span> static uint32_t read_space_firmware(struct vb2_context *ctx)</span><br><span>@@ -441,6 +449,9 @@</span><br><span>     if (result == TPM_E_MUST_REBOOT)</span><br><span>             ctx->flags |= VB2_CONTEXT_SECDATA_WANTS_REBOOT;</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+        // TCPA cbmem log</span><br><span style="color: hsl(120, 100%, 40%);">+     tcpa_log_init();</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span>   return result;</span><br><span> }</span><br><span> </span><br><span></span><br></pre><p>To view, visit <a href="https://review.coreboot.org/27727">change 27727</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://review.coreboot.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://review.coreboot.org/27727"/><meta itemprop="name" content="View Change"/></div></div>

<div style="display:none"> Gerrit-Project: coreboot </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>
<div style="display:none"> Gerrit-Change-Id: I22b1aa8da1a95380c39715727615ce5ce4c9443f </div>
<div style="display:none"> Gerrit-Change-Number: 27727 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Philipp Deppenwiese <zaolin.daisuki@gmail.com> </div>