Miriam Polzer has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/59097 )
Change subject: security/vboot: Add NVRAM counter for TPM 2.0 ......................................................................
security/vboot: Add NVRAM counter for TPM 2.0
Create an NVRAM counter in TPM 2.0 that survives owner clear and can be read and written without authorization. This counter allows to seal data with the TPM that can only be unsealed before the counter was incremented. It will be used during Chrome OS rollback to securely carry data across a TPM clear.
Signed-off-by: Miriam Polzer mpolzer@google.com Change-Id: I511dba3b3461713ce20fb2bda9fced0fee6517e1 --- M src/security/vboot/antirollback.h M src/security/vboot/secdata_tpm.c M src/security/vboot/vboot_logic.c 3 files changed, 43 insertions(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/97/59097/1
diff --git a/src/security/vboot/antirollback.h b/src/security/vboot/antirollback.h index a208c04..483efd9 100644 --- a/src/security/vboot/antirollback.h +++ b/src/security/vboot/antirollback.h @@ -28,6 +28,7 @@ /* 0x100d: Hash of MRC_CACHE training data for non-recovery boot */ #define MRC_RW_HASH_NV_INDEX 0x100d #define HASH_NV_SIZE VB2_SHA256_DIGEST_SIZE +#define ENT_ROLLBACK_NV_INDEX 0x100e /* Zero-Touch Enrollment related spaces */ #define ZTE_BOARD_ID_NV_INDEX 0x3fff00 #define ZTE_RMA_SN_BITS_INDEX 0x3fff01 @@ -93,4 +94,9 @@ */ uint32_t antirollback_lock_space_mrc_hash(uint32_t index);
+/* + * Create a new tpm counter that is used for enterprise rollback. + */ +uint32_t enterprise_rollback_create_counter(void); + #endif /* ANTIROLLBACK_H_ */ diff --git a/src/security/vboot/secdata_tpm.c b/src/security/vboot/secdata_tpm.c index a95e7d1..bc9c216 100644 --- a/src/security/vboot/secdata_tpm.c +++ b/src/security/vboot/secdata_tpm.c @@ -110,6 +110,13 @@ .TPMA_NV_WRITE_STCLEAR = 1, };
+const static TPMA_NV rw_counter_attributes = { + .TPMA_NV_AUTHWRITE = 1, + .TPMA_NV_AUTHREAD = 1, + .TPMA_NV_PLATFORMCREATE = 1, + .TPMA_NV_COUNTER = 1, +}; + static const TPMA_NV fwmp_attr = { .TPMA_NV_PLATFORMCREATE = 1, .TPMA_NV_OWNERWRITE = 1, @@ -178,6 +185,14 @@ 0x50, 0xEF, 0x96, 0x98, 0x0A, 0x2B, 0x96, 0x6E, 0xA9, 0x09, 0x04, 0x4A, 0x01, 0xB8, 0x5F, 0xA5, 0x4A, 0x96, 0xFC, 0x59, 0x84};
+/** + * Empty policy digest. + */ +const static uint8_t empty_policy[] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; + static const uint8_t unsatisfiable_policy[VB2_SHA256_DIGEST_SIZE] = "hmwhat if RBR beat merc in 2021";
@@ -411,6 +426,16 @@ return tlcl_lock_nv_write(index); }
+uint32_t enterprise_rollback_create_counter(void) +{ + /* + * No need to increment the counter to initialize, this can be done later. + */ + return tlcl_define_space(ENT_ROLLBACK_NV_INDEX, /*size=*/8, + rw_counter_attributes, + empty_policy, sizeof(empty_policy)); +} + #else
/** @@ -510,6 +535,14 @@ return tlcl_set_global_lock(); }
+uint32_t enterprise_rollback_create_counter(void) +{ + /* + * Do nothing, NVRAM counters don't exist under TPM 1.2. + */ + return TPM_SUCCESS; +} + #endif
/** diff --git a/src/security/vboot/vboot_logic.c b/src/security/vboot/vboot_logic.c index 2973934..f439de8 100644 --- a/src/security/vboot/vboot_logic.c +++ b/src/security/vboot/vboot_logic.c @@ -275,6 +275,10 @@ if (vboot_setup_tpm(ctx) == TPM_SUCCESS) { antirollback_read_space_firmware(ctx); antirollback_read_space_kernel(ctx); + /* On TPM 2.0, create a counter that survives TPM clear. This allows to + * securely lock data during enterprise rollback by binding to this + * counter's value. */ + enterprise_rollback_create_counter(); } timestamp_add_now(TS_END_TPMINIT);
-
Miriam Polzer (Code Review)