Julius Werner has submitted this change. ( https://review.coreboot.org/c/coreboot/+/40579 )
Change subject: vboot: Add permission check for kernel space ......................................................................
vboot: Add permission check for kernel space
This patch restores the permission check for the kernel space which was dropped when read_space_kernel was moved from Depthcharge by CL:2155429.
BUG=chromium:1045217, chromium:1020578 BRANCH=none TEST=none
Signed-off-by: dnojiri dnojiri@chromium.org Change-Id: If6d487940f39865cadc0ca9d5de6e055ad3e017d Reviewed-on: https://review.coreboot.org/c/coreboot/+/40579 Reviewed-by: Julius Werner jwerner@chromium.org Tested-by: build bot (Jenkins) no-reply@coreboot.org --- M src/security/tpm/tss.h M src/security/tpm/tss/tcg-1.2/tss.c M src/security/vboot/secdata_tpm.c 3 files changed, 46 insertions(+), 0 deletions(-)
Approvals: build bot (Jenkins): Verified Julius Werner: Looks good to me, approved
diff --git a/src/security/tpm/tss.h b/src/security/tpm/tss.h index 5237387..57f3b24 100644 --- a/src/security/tpm/tss.h +++ b/src/security/tpm/tss.h @@ -197,4 +197,9 @@ */ uint32_t tlcl_disable_platform_hierarchy(void);
+/** + * Get the permission bits for the NVRAM space with |index|. + */ +uint32_t tlcl_get_permissions(uint32_t index, uint32_t *permissions); + #endif /* TSS_H_ */ diff --git a/src/security/tpm/tss/tcg-1.2/tss.c b/src/security/tpm/tss/tcg-1.2/tss.c index 9bc72d2..ea3f94d 100644 --- a/src/security/tpm/tss/tcg-1.2/tss.c +++ b/src/security/tpm/tss/tcg-1.2/tss.c @@ -359,3 +359,22 @@ kPcrDigestLength); return result; } + +uint32_t tlcl_get_permissions(uint32_t index, uint32_t *permissions) +{ + struct s_tpm_getpermissions_cmd cmd; + uint8_t response[TPM_LARGE_ENOUGH_COMMAND_SIZE]; + uint8_t *nvdata; + uint32_t result; + uint32_t size; + + memcpy(&cmd, &tpm_getpermissions_cmd, sizeof(cmd)); + to_tpm_uint32(cmd.buffer + tpm_getpermissions_cmd.index, index); + result = tlcl_send_receive(cmd.buffer, response, sizeof(response)); + if (result != TPM_SUCCESS) + return result; + + nvdata = response + kTpmResponseHeaderLength + sizeof(size); + from_tpm_uint32(nvdata + kNvDataPublicPermissionsOffset, permissions); + return result; +} diff --git a/src/security/vboot/secdata_tpm.c b/src/security/vboot/secdata_tpm.c index d666ae8..37665bc 100644 --- a/src/security/vboot/secdata_tpm.c +++ b/src/security/vboot/secdata_tpm.c @@ -36,6 +36,8 @@ #include <security/vboot/tpm_common.h> #include <string.h> #include <security/tpm/tspi.h> +#include <security/tpm/tss.h> +#include <security/tpm/tss/tcg-1.2/tss_structures.h> #include <vb2_api.h> #include <console/console.h>
@@ -68,6 +70,26 @@
uint32_t antirollback_read_space_kernel(struct vb2_context *ctx) { + if (!CONFIG(TPM2)) { + /* + * Before reading the kernel space, verify its permissions. If + * the kernel space has the wrong permission, we give up. This + * will need to be fixed by the recovery kernel. We will have + * to worry about this because at any time (even with PP turned + * off) the TPM owner can remove and redefine a PP-protected + * space (but not write to it). + */ + uint32_t perms; + + RETURN_ON_FAILURE(tlcl_get_permissions(KERNEL_NV_INDEX, + &perms)); + if (perms != TPM_NV_PER_PPWRITE) { + printk(BIOS_ERR, + "TPM: invalid secdata_kernel permissions\n"); + return TPM_E_CORRUPTED_STATE; + } + } + uint8_t size = VB2_SECDATA_KERNEL_MIN_SIZE;
RETURN_ON_FAILURE(tlcl_read(KERNEL_NV_INDEX, ctx->secdata_kernel,