<p>Werner Zeh has uploaded this change for <strong>review</strong>.</p><p><a href="https://review.coreboot.org/29234">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">security/tpm: Add function to measure a region device<br><br>Add a new function which can hash a given region device and extend a PCR<br>in the TPM with the result. The needed SHA algorithms are included from<br>3rdparty/vboot and thus not duplicated in the coreboot tree.<br><br>Change-Id: I126cc3500fd039d63743db78002a04d201ab18aa<br>Signed-off-by: Werner Zeh <werner.zeh@siemens.com><br>---<br>M src/security/tpm/Makefile.inc<br>M src/security/tpm/tspi.h<br>M src/security/tpm/tspi/tspi.c<br>M src/security/tpm/tss_errors.h<br>4 files changed, 92 insertions(+), 0 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://review.coreboot.org:29418/coreboot refs/changes/34/29234/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/security/tpm/Makefile.inc b/src/security/tpm/Makefile.inc</span><br><span>index 34ead8f..9473083 100644</span><br><span>--- a/src/security/tpm/Makefile.inc</span><br><span>+++ b/src/security/tpm/Makefile.inc</span><br><span>@@ -43,3 +43,26 @@</span><br><span> postcar-$(CONFIG_VBOOT) += tspi/tspi.c tspi/log.c</span><br><span> </span><br><span> endif # CONFIG_TPM2</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+## Hashing functions form VBOOT are common to all TPM versions</span><br><span style="color: hsl(120, 100%, 40%);">+CFLAGS_common += -I3rdparty/vboot/firmware/2lib/include</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+verstage-y += ../../../3rdparty/vboot/firmware/2lib/2sha1.c</span><br><span style="color: hsl(120, 100%, 40%);">+verstage-y += ../../../3rdparty/vboot/firmware/2lib/2sha256.c</span><br><span style="color: hsl(120, 100%, 40%);">+verstage-y += ../../../3rdparty/vboot/firmware/2lib/2sha512.c</span><br><span style="color: hsl(120, 100%, 40%);">+verstage-y += ../../../3rdparty/vboot/firmware/2lib/2sha_utility.c</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+postcar-y += ../../../3rdparty/vboot/firmware/2lib/2sha1.c</span><br><span style="color: hsl(120, 100%, 40%);">+postcar-y += ../../../3rdparty/vboot/firmware/2lib/2sha256.c</span><br><span style="color: hsl(120, 100%, 40%);">+postcar-y += ../../../3rdparty/vboot/firmware/2lib/2sha512.c</span><br><span style="color: hsl(120, 100%, 40%);">+postcar-y += ../../../3rdparty/vboot/firmware/2lib/2sha_utility.c</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+romstage-y += ../../../3rdparty/vboot/firmware/2lib/2sha1.c</span><br><span style="color: hsl(120, 100%, 40%);">+romstage-y += ../../../3rdparty/vboot/firmware/2lib/2sha256.c</span><br><span style="color: hsl(120, 100%, 40%);">+romstage-y += ../../../3rdparty/vboot/firmware/2lib/2sha512.c</span><br><span style="color: hsl(120, 100%, 40%);">+romstage-y += ../../../3rdparty/vboot/firmware/2lib/2sha_utility.c</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ramstage-y += ../../../3rdparty/vboot/firmware/2lib/2sha1.c</span><br><span style="color: hsl(120, 100%, 40%);">+ramstage-y += ../../../3rdparty/vboot/firmware/2lib/2sha256.c</span><br><span style="color: hsl(120, 100%, 40%);">+ramstage-y += ../../../3rdparty/vboot/firmware/2lib/2sha512.c</span><br><span style="color: hsl(120, 100%, 40%);">+ramstage-y += ../../../3rdparty/vboot/firmware/2lib/2sha_utility.c</span><br><span>diff --git a/src/security/tpm/tspi.h b/src/security/tpm/tspi.h</span><br><span>index e4ddefc..a1fd1a8 100644</span><br><span>--- a/src/security/tpm/tspi.h</span><br><span>+++ b/src/security/tpm/tspi.h</span><br><span>@@ -3,6 +3,7 @@</span><br><span> *</span><br><span> * Copyright (c) 2013 The Chromium OS Authors. All rights reserved.</span><br><span> * Copyright 2018 Facebook Inc.</span><br><span style="color: hsl(120, 100%, 40%);">+ * Copyright 2018 Siemens AG</span><br><span> *</span><br><span> * This program is free software; you can redistribute it and/or modify</span><br><span> * it under the terms of the GNU General Public License as published by</span><br><span>@@ -19,6 +20,9 @@</span><br><span> </span><br><span> #include <security/tpm/tss.h></span><br><span> #include <commonlib/tcpa_log_serialized.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <commonlib/region.h></span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_PCR_MAX_LEN 64</span><br><span> </span><br><span> /**</span><br><span> * Add table entry for cbmem TCPA log.</span><br><span>@@ -51,4 +55,14 @@</span><br><span> */</span><br><span> uint32_t tpm_setup(int s3flag);</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+/**</span><br><span style="color: hsl(120, 100%, 40%);">+ * Measure a given region device and extend given PCR with the result.</span><br><span style="color: hsl(120, 100%, 40%);">+ * @param *rdev Pointer to the region device to measure</span><br><span style="color: hsl(120, 100%, 40%);">+ * @param pcr Index of the PCR which will be extended by this measure</span><br><span style="color: hsl(120, 100%, 40%);">+ * @param *rname Name of the region that is measured</span><br><span style="color: hsl(120, 100%, 40%);">+ * @return TPM error code in case of error otherwise TPM_SUCCESS</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+uint32_t tpm_measure_region(const struct region_device *rdev, uint8_t pcr,</span><br><span style="color: hsl(120, 100%, 40%);">+ const char *rname);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> #endif /* TSPI_H_ */</span><br><span>diff --git a/src/security/tpm/tspi/tspi.c b/src/security/tpm/tspi/tspi.c</span><br><span>index c1779e6..fbe138f 100644</span><br><span>--- a/src/security/tpm/tspi/tspi.c</span><br><span>+++ b/src/security/tpm/tspi/tspi.c</span><br><span>@@ -3,6 +3,7 @@</span><br><span> *</span><br><span> * Copyright (c) 2013 The Chromium OS Authors. All rights reserved.</span><br><span> * Copyright 2017 Facebook Inc.</span><br><span style="color: hsl(120, 100%, 40%);">+ * Copyright 2018 Siemens AG</span><br><span> *</span><br><span> * This program is free software; you can redistribute it and/or modify</span><br><span> * it under the terms of the GNU General Public License as published by</span><br><span>@@ -21,6 +22,7 @@</span><br><span> #include <security/tpm/tss.h></span><br><span> #include <stdlib.h></span><br><span> #include <string.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <2sha.h></span><br><span> </span><br><span> #if IS_ENABLED(CONFIG_TPM1)</span><br><span> static uint32_t tpm1_invoke_state_machine(void)</span><br><span>@@ -206,3 +208,54 @@</span><br><span> </span><br><span> return TPM_SUCCESS;</span><br><span> }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+uint32_t tpm_measure_region(const struct region_device *rdev, uint8_t pcr,</span><br><span style="color: hsl(120, 100%, 40%);">+ const char *rname)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ uint8_t digset[TPM_PCR_MAX_LEN], digset_len;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint32_t result;</span><br><span style="color: hsl(120, 100%, 40%);">+ void *buf;</span><br><span style="color: hsl(120, 100%, 40%);">+ struct vb2_digest_context ctx;</span><br><span style="color: hsl(120, 100%, 40%);">+ enum vb2_hash_algorithm hash_alg;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (!rdev || !rname)</span><br><span style="color: hsl(120, 100%, 40%);">+ return TPM_BAD_PARAMETER;</span><br><span style="color: hsl(120, 100%, 40%);">+ result = tlcl_lib_init();</span><br><span style="color: hsl(120, 100%, 40%);">+ if (result != TPM_SUCCESS) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_ERR, "TPM: Can't initialize library.\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ return result;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ buf = rdev_mmap_full(rdev);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (!buf) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_ERR, "TPM: Not able to map region device for %s\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ rname);</span><br><span style="color: hsl(120, 100%, 40%);">+ return TPM_E_IOERROR;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ if (IS_ENABLED(CONFIG_TPM1))</span><br><span style="color: hsl(120, 100%, 40%);">+ hash_alg = VB2_HASH_SHA1;</span><br><span style="color: hsl(120, 100%, 40%);">+ else if (IS_ENABLED(CONFIG_TPM2))</span><br><span style="color: hsl(120, 100%, 40%);">+ hash_alg = VB2_HASH_SHA256;</span><br><span style="color: hsl(120, 100%, 40%);">+ else</span><br><span style="color: hsl(120, 100%, 40%);">+ return TPM_BAD_PARAMETER;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ digset_len = vb2_digest_size(hash_alg);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (vb2_digest_init(&ctx, hash_alg)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_ERR, "TPM: Error initializing hash.\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ return TPM_E_SHA_ERROR;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ if (vb2_digest_extend(&ctx, buf, region_device_sz(rdev))) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_ERR, "TPM: Error extending hash.\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ return TPM_E_SHA_ERROR;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ if (vb2_digest_finalize(&ctx, digset, digset_len)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_ERR, "TPM: Error finalizing hash.\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ return TPM_E_SHA_ERROR;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ result = tpm_extend_pcr(pcr, digset, digset_len, rname);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (result != TPM_SUCCESS) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_ERR, "TPM: Extending hash into PCR failed.\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ return result;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "TPM: Measured %s into PCR %d\n", rname, pcr);</span><br><span style="color: hsl(120, 100%, 40%);">+ return TPM_SUCCESS;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span>diff --git a/src/security/tpm/tss_errors.h b/src/security/tpm/tss_errors.h</span><br><span>index e2f1486..7c5d465 100644</span><br><span>--- a/src/security/tpm/tss_errors.h</span><br><span>+++ b/src/security/tpm/tss_errors.h</span><br><span>@@ -17,6 +17,8 @@</span><br><span> </span><br><span> #define TPM_E_AREA_LOCKED ((uint32_t)0x0000003c)</span><br><span> #define TPM_E_BADINDEX ((uint32_t)0x00000002)</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_BAD_PARAMETER ((uint32_t)0x00000003)</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_E_SHA_ERROR ((uint32_t)0x0000001b)</span><br><span> #define TPM_E_BAD_PRESENCE ((uint32_t)0x0000002d)</span><br><span> #define TPM_E_IOERROR ((uint32_t)0x0000001f)</span><br><span> #define TPM_E_INVALID_POSTINIT ((uint32_t)0x00000026)</span><br><span></span><br></pre><p>To view, visit <a href="https://review.coreboot.org/29234">change 29234</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://review.coreboot.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://review.coreboot.org/29234"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: coreboot </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>
<div style="display:none"> Gerrit-Change-Id: I126cc3500fd039d63743db78002a04d201ab18aa </div>
<div style="display:none"> Gerrit-Change-Number: 29234 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Werner Zeh <werner.zeh@siemens.com> </div>