Philipp Deppenwiese has submitted this change and it was merged. ( https://review.coreboot.org/27727 )
Change subject: security/vboot: Enable TCPA log extension ......................................................................
security/vboot: Enable TCPA log extension
* Implement TCPA log for tspi extend function. * Hook tcpa_log_init into vboot tpm_setup function. * Add TCPA log output for vboot GBB flags and HWID
Change-Id: I22b1aa8da1a95380c39715727615ce5ce4c9443f Signed-off-by: Philipp Deppenwiese zaolin@das-labor.org Reviewed-on: https://review.coreboot.org/27727 Tested-by: build bot (Jenkins) no-reply@coreboot.org Reviewed-by: Patrick Rudolph siro@das-labor.org --- M src/security/tpm/tspi.h M src/security/tpm/tspi/tspi.c M src/security/vboot/secdata_tpm.c 3 files changed, 31 insertions(+), 8 deletions(-)
Approvals: build bot (Jenkins): Verified Patrick Rudolph: Looks good to me, approved
diff --git a/src/security/tpm/tspi.h b/src/security/tpm/tspi.h
index 01b2984..43254c1 100644
--- a/src/security/tpm/tspi.h
+++ b/src/security/tpm/tspi.h
@@ -35,10 +35,12 @@
  * Ask vboot for a digest and extend a TPM PCR with it.
  * @param pcr sets the pcr index
  * @param digest sets the hash to extend into the tpm
- * @param out_digest get extended hash
+ * @param digest_len the length of the digest
+ * @param name sets additional info where the digest comes from
  * @return TPM_SUCCESS on success. If not a tpm error is returned
  */
-uint32_t tpm_extend_pcr(int pcr, uint8_t *digest, uint8_t *out_digest);
+uint32_t tpm_extend_pcr(int pcr, uint8_t *digest, size_t digest_len,
+			const char *name);
 /**
  * Issue a TPM_Clear and reenable/reactivate the TPM.
diff --git a/src/security/tpm/tspi/tspi.c b/src/security/tpm/tspi/tspi.c
index 407e1fa..48b6219 100644
--- a/src/security/tpm/tspi/tspi.c
+++ b/src/security/tpm/tspi/tspi.c
@@ -178,13 +178,21 @@
 	return TPM_SUCCESS;
 }
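Review bot: The header comment does not document the new side effect that the digest is also recorded in the TCPA event log, which is what the added `digest_len` and `name` parameters exist for, so a caller reading only tspi.h cannot tell that `name` labels a log entry. A line such as ` * The digest is also appended to the TCPA log under @p name; a failed log write is reported via printk only and does not change the return value.` would state the contract, the second half matching what the tspi.c hunk of this change does. `digest` is only read on the new side and could be `const uint8_t *digest`. `size_t` in the prototype needs `<stddef.h>` or `<stdint.h>` in scope, and the include list, like the `/**` opening of this comment block, is outside the hunk.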
-uint32_t tpm_extend_pcr(int pcr, uint8_t *digest, uint8_t *out_digest)
+uint32_t tpm_extend_pcr(int pcr, uint8_t *digest,
+			size_t digest_len, const char *name)
 {
+	uint32_t result;
+
 	if (!digest)
 		return TPM_E_IOERROR;
-	if (out_digest)
-		return tlcl_extend(pcr, digest, out_digest);
+	result = tlcl_extend(pcr, digest, NULL);
+	if (result != TPM_SUCCESS)
+		return result;
-	return tlcl_extend(pcr, digest, NULL);
+	result = tcpa_log_add_table_entry(name, pcr, digest, digest_len);
+	if (result != 0)
+		printk(BIOS_ERR, "ERROR: Couldn't create TCPA log entry\n");
+
+	return 0;
 }
diff --git a/src/security/vboot/secdata_tpm.c b/src/security/vboot/secdata_tpm.c
index 57c107b..d3f4a11 100644
--- a/src/security/vboot/secdata_tpm.c
+++ b/src/security/vboot/secdata_tpm.c
@@ -61,11 +61,13 @@
 	}				\
 } while (0)
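Review bot: A failed `tcpa_log_add_table_entry()` is only printed and the function still returns success, so a PCR can hold a measurement that the event log does not record; a verifier replaying the log against the PCR values would then see a mismatch with no indication from firmware of why. If the log is meant to be authoritative for the measured boot, consider propagating a distinct error, or at least document the best-effort nature in tspi.h. The final `return 0;` should be `return TPM_SUCCESS;` for consistency with the surrounding code and the documented return contract. `digest_len` is handed to the log without being checked against the digest size `tlcl_extend()` actually consumes, and `name` is not NULL-checked; whether the log helper tolerates either is not visible here.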
+#define TPM_PCR_GBB_FLAGS_NAME "GBB flags"
+#define TPM_PCR_GBB_HWID_NAME "GBB HWID"
static uint32_t safe_write(uint32_t index, const void *data, uint32_t length);
 uint32_t vboot_extend_pcr(struct vb2_context *ctx, int pcr,
-			enum vb2_pcr_digest which_digest)
+			  enum vb2_pcr_digest which_digest)
 {
 	uint8_t buffer[VB2_PCR_DIGEST_RECOMMENDED_SIZE];
 	uint32_t size = sizeof(buffer);
@@ -77,7 +79,15 @@
 	if (size < TPM_PCR_MINIMUM_DIGEST_SIZE)
 		return VB2_ERROR_UNKNOWN;
-	return tpm_extend_pcr(pcr, buffer, NULL);
+	switch (which_digest) {
+	case BOOT_MODE_PCR:
+		return tpm_extend_pcr(pcr, buffer, size,
+				      TPM_PCR_GBB_FLAGS_NAME);
+	case HWID_DIGEST_PCR:
+		return tpm_extend_pcr(pcr, buffer, size, TPM_PCR_GBB_HWID_NAME);
+	default:
+		return VB2_ERROR_UNKNOWN;
+	}
 }
 static uint32_t read_space_firmware(struct vb2_context *ctx)
@@ -441,6 +451,9 @@
 	if (result == TPM_E_MUST_REBOOT)
 		ctx->flags |= VB2_CONTEXT_SECDATA_WANTS_REBOOT;
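Review bot: `BOOT_MODE_PCR` is logged under `TPM_PCR_GBB_FLAGS_NAME` ("GBB flags"); if the boot-mode digest vboot returns for that selector is not derived from the GBB flags, the event-log label misdescribes what was measured for anyone parsing the log, so confirm the pairing or give that entry a boot-mode label. The `default` branch returns `VB2_ERROR_UNKNOWN` while the other branches return TPM status codes from `tpm_extend_pcr()`, mixing two error namespaces in one `uint32_t`; the mixture predates this change (see the `return VB2_ERROR_UNKNOWN;` context above) but the new switch widens it. The first `case` wraps its return over two lines while the second does not; formatting both the same way would read better. The function begins above the hunk.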
+	// TCPA cbmem log
+	tcpa_log_init();
+
 	return result;
 }
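Review bot: `tcpa_log_init()` is called only at this single exit of the enclosing function, which begins outside the hunk; if that function returns early on any TPM-setup failure path above this point, the log stays uninitialised and later `tpm_extend_pcr()` calls can only emit the error message from the tspi.c hunk. The init also runs regardless of what `result` reports, and its return value, if it has one, is discarded. The comment could state the purpose rather than the location: `/* Initialize the TCPA event log in cbmem so later tpm_extend_pcr() calls can record entries */`.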