<p>Philipp Deppenwiese <strong>merged</strong> this change.</p><p><a href="https://review.coreboot.org/27727">View Change</a></p><div style="white-space:pre-wrap">Approvals:
build bot (Jenkins): Verified
Patrick Rudolph: Looks good to me, approved
</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">security/vboot: Enable TCPA log extension<br><br>* Implement TCPA log for tspi extend function.<br>* Hook tcpa_log_init into vboot tpm_setup function.<br>* Add TCPA log output for vboot GBB flags and HWID<br><br>Change-Id: I22b1aa8da1a95380c39715727615ce5ce4c9443f<br>Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org><br>Reviewed-on: https://review.coreboot.org/27727<br>Tested-by: build bot (Jenkins) <no-reply@coreboot.org><br>Reviewed-by: Patrick Rudolph <siro@das-labor.org><br>---<br>M src/security/tpm/tspi.h<br>M src/security/tpm/tspi/tspi.c<br>M src/security/vboot/secdata_tpm.c<br>3 files changed, 31 insertions(+), 8 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/security/tpm/tspi.h b/src/security/tpm/tspi.h</span><br><span>index 01b2984..43254c1 100644</span><br><span>--- a/src/security/tpm/tspi.h</span><br><span>+++ b/src/security/tpm/tspi.h</span><br><span>@@ -35,10 +35,12 @@</span><br><span> * Ask vboot for a digest and extend a TPM PCR with it.</span><br><span> * @param pcr sets the pcr index</span><br><span> * @param digest sets the hash to extend into the tpm</span><br><span style="color: hsl(0, 100%, 40%);">- * @param out_digest get extended hash</span><br><span style="color: hsl(120, 100%, 40%);">+ * @param digest_len the length of the digest</span><br><span style="color: hsl(120, 100%, 40%);">+ * @param name sets additional info where the digest comes from</span><br><span> * @return TPM_SUCCESS on success. If not a tpm error is returned</span><br><span> */</span><br><span style="color: hsl(0, 100%, 40%);">-uint32_t tpm_extend_pcr(int pcr, uint8_t *digest, uint8_t *out_digest);</span><br><span style="color: hsl(120, 100%, 40%);">+uint32_t tpm_extend_pcr(int pcr, uint8_t *digest, size_t digest_len,</span><br><span style="color: hsl(120, 100%, 40%);">+ const char *name);</span><br><span> </span><br><span> /**</span><br><span> * Issue a TPM_Clear and reenable/reactivate the TPM.</span><br><span>diff --git a/src/security/tpm/tspi/tspi.c b/src/security/tpm/tspi/tspi.c</span><br><span>index 407e1fa..48b6219 100644</span><br><span>--- a/src/security/tpm/tspi/tspi.c</span><br><span>+++ b/src/security/tpm/tspi/tspi.c</span><br><span>@@ -178,13 +178,21 @@</span><br><span> return TPM_SUCCESS;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-uint32_t tpm_extend_pcr(int pcr, uint8_t *digest, uint8_t *out_digest)</span><br><span style="color: hsl(120, 100%, 40%);">+uint32_t tpm_extend_pcr(int pcr, uint8_t *digest,</span><br><span style="color: hsl(120, 100%, 40%);">+ size_t digest_len, const char *name)</span><br><span> {</span><br><span style="color: hsl(120, 100%, 40%);">+ uint32_t result;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> if (!digest)</span><br><span> return TPM_E_IOERROR;</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- if (out_digest)</span><br><span style="color: hsl(0, 100%, 40%);">- return tlcl_extend(pcr, digest, out_digest);</span><br><span style="color: hsl(120, 100%, 40%);">+ result = tlcl_extend(pcr, digest, NULL);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (result != TPM_SUCCESS)</span><br><span style="color: hsl(120, 100%, 40%);">+ return result;</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- return tlcl_extend(pcr, digest, NULL);</span><br><span style="color: hsl(120, 100%, 40%);">+ result = tcpa_log_add_table_entry(name, pcr, digest, digest_len);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (result != 0)</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_ERR, "ERROR: Couldn't create TCPA log entry\n");</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ return 0;</span><br><span> }</span><br><span>diff --git a/src/security/vboot/secdata_tpm.c b/src/security/vboot/secdata_tpm.c</span><br><span>index 57c107b..d3f4a11 100644</span><br><span>--- a/src/security/vboot/secdata_tpm.c</span><br><span>+++ b/src/security/vboot/secdata_tpm.c</span><br><span>@@ -61,11 +61,13 @@</span><br><span> } \</span><br><span> } while (0)</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_PCR_GBB_FLAGS_NAME "GBB flags"</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_PCR_GBB_HWID_NAME "GBB HWID"</span><br><span> </span><br><span> static uint32_t safe_write(uint32_t index, const void *data, uint32_t length);</span><br><span> </span><br><span> uint32_t vboot_extend_pcr(struct vb2_context *ctx, int pcr,</span><br><span style="color: hsl(0, 100%, 40%);">- enum vb2_pcr_digest which_digest)</span><br><span style="color: hsl(120, 100%, 40%);">+ enum vb2_pcr_digest which_digest)</span><br><span> {</span><br><span> uint8_t buffer[VB2_PCR_DIGEST_RECOMMENDED_SIZE];</span><br><span> uint32_t size = sizeof(buffer);</span><br><span>@@ -77,7 +79,15 @@</span><br><span> if (size < TPM_PCR_MINIMUM_DIGEST_SIZE)</span><br><span> return VB2_ERROR_UNKNOWN;</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- return tpm_extend_pcr(pcr, buffer, NULL);</span><br><span style="color: hsl(120, 100%, 40%);">+ switch (which_digest) {</span><br><span style="color: hsl(120, 100%, 40%);">+ case BOOT_MODE_PCR:</span><br><span style="color: hsl(120, 100%, 40%);">+ return tpm_extend_pcr(pcr, buffer, size,</span><br><span style="color: hsl(120, 100%, 40%);">+ TPM_PCR_GBB_FLAGS_NAME);</span><br><span style="color: hsl(120, 100%, 40%);">+ case HWID_DIGEST_PCR:</span><br><span style="color: hsl(120, 100%, 40%);">+ return tpm_extend_pcr(pcr, buffer, size, TPM_PCR_GBB_HWID_NAME);</span><br><span style="color: hsl(120, 100%, 40%);">+ default:</span><br><span style="color: hsl(120, 100%, 40%);">+ return VB2_ERROR_UNKNOWN;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span> }</span><br><span> </span><br><span> static uint32_t read_space_firmware(struct vb2_context *ctx)</span><br><span>@@ -441,6 +451,9 @@</span><br><span> if (result == TPM_E_MUST_REBOOT)</span><br><span> ctx->flags |= VB2_CONTEXT_SECDATA_WANTS_REBOOT;</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+ // TCPA cbmem log</span><br><span style="color: hsl(120, 100%, 40%);">+ tcpa_log_init();</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> return result;</span><br><span> }</span><br><span> </span><br><span></span><br></pre><p>To view, visit <a href="https://review.coreboot.org/27727">change 27727</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://review.coreboot.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://review.coreboot.org/27727"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: coreboot </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-MessageType: merged </div>
<div style="display:none"> Gerrit-Change-Id: I22b1aa8da1a95380c39715727615ce5ce4c9443f </div>
<div style="display:none"> Gerrit-Change-Number: 27727 </div>
<div style="display:none"> Gerrit-PatchSet: 10 </div>
<div style="display:none"> Gerrit-Owner: Philipp Deppenwiese <zaolin.daisuki@gmail.com> </div>
<div style="display:none"> Gerrit-Reviewer: Patrick Rudolph <siro@das-labor.org> </div>
<div style="display:none"> Gerrit-Reviewer: Paul Menzel <paulepanter@users.sourceforge.net> </div>
<div style="display:none"> Gerrit-Reviewer: Philipp Deppenwiese <zaolin.daisuki@gmail.com> </div>
<div style="display:none"> Gerrit-Reviewer: build bot (Jenkins) <no-reply@coreboot.org> </div>