Philipp Deppenwiese has submitted this change and it was merged. ( https://review.coreboot.org/22867 )
Change subject: security/tpm: Add TCPA logging functionality ......................................................................
security/tpm: Add TCPA logging functionality
* TCG spec only applies to BIOS or UEFI. * Therefore implement coreboot TCPA compliant log in CBMEM. * Write CBMEM log into the coreboot table for CBMEM tool access
Change-Id: I0a52494f647d21e2587231af26ed13d62b3a72f5 Signed-off-by: Philipp Deppenwiese zaolin@das-labor.org Reviewed-on: https://review.coreboot.org/22867 Tested-by: build bot (Jenkins) no-reply@coreboot.org Reviewed-by: Patrick Rudolph siro@das-labor.org --- M src/commonlib/include/commonlib/cbmem_id.h A src/commonlib/include/commonlib/tcpa_log_serialized.h M src/drivers/tpm/tpm.c M src/security/tpm/Makefile.inc M src/security/tpm/tspi.h A src/security/tpm/tspi/log.c 6 files changed, 141 insertions(+), 8 deletions(-)
Approvals: build bot (Jenkins): Verified Patrick Rudolph: Looks good to me, approved
diff --git a/src/commonlib/include/commonlib/cbmem_id.h b/src/commonlib/include/commonlib/cbmem_id.h index 3529fef..cc2fed1 100644 --- a/src/commonlib/include/commonlib/cbmem_id.h +++ b/src/commonlib/include/commonlib/cbmem_id.h @@ -64,6 +64,7 @@ #define CBMEM_ID_STAGEx_RAW 0x57a9e200 #define CBMEM_ID_STORAGE_DATA 0x53746f72 #define CBMEM_ID_TCPA_LOG 0x54435041 +#define CBMEM_ID_TCPA_COMPLIANT_LOG 0x54445041 #define CBMEM_ID_TIMESTAMP 0x54494d45 #define CBMEM_ID_VBOOT_HANDOFF 0x780074f0 #define CBMEM_ID_VBOOT_SEL_REG 0x780074f1 @@ -120,6 +121,7 @@ { CBMEM_ID_SMM_SAVE_SPACE, "SMM BACKUP " }, \ { CBMEM_ID_STORAGE_DATA, "SD/MMC/eMMC" }, \ { CBMEM_ID_TCPA_LOG, "TCPA LOG " }, \ + { CBMEM_ID_TCPA_COMPLIANT_LOG, "TCPA COMPLIANT LOG " }, \ { CBMEM_ID_TIMESTAMP, "TIME STAMP " }, \ { CBMEM_ID_VBOOT_HANDOFF, "VBOOT " }, \ { CBMEM_ID_VBOOT_SEL_REG, "VBOOT SEL " }, \ diff --git a/src/commonlib/include/commonlib/tcpa_log_serialized.h b/src/commonlib/include/commonlib/tcpa_log_serialized.h new file mode 100644 index 0000000..cd6fbec --- /dev/null +++ b/src/commonlib/include/commonlib/tcpa_log_serialized.h @@ -0,0 +1,41 @@ +/* + * This file is part of the coreboot project. + * + * Copyright (C) 2018 Facebook Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 2 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + */ + +#ifndef __TCPA_LOG_SERIALIZED_H__ +#define __TCPA_LOG_SERIALIZED_H__ + +#include <compiler.h> +#include <stdint.h> + +#define MAX_TCPA_LOG_ENTRIES 50 +#define TCPA_LOG_STRING_LENGTH 512 +#define TCPA_FORMAT_HASH_LENGTH 128 +#define TCPA_DIGEST_MAX_LENGTH 64 +#define TCPA_PCR_HASH_NAME 256 + +struct tcpa_entry { + uint32_t pcr; + uint8_t digest[TCPA_DIGEST_MAX_LENGTH]; + uint32_t digest_length; + uint8_t name[TCPA_PCR_HASH_NAME]; +} __packed; + +struct tcpa_table { + uint16_t max_entries; + uint16_t num_entries; + struct tcpa_entry entries[0]; /* Variable number of entries */ +} __packed; + +#endif diff --git a/src/drivers/tpm/tpm.c b/src/drivers/tpm/tpm.c index e4a81c3..8c68159 100644 --- a/src/drivers/tpm/tpm.c +++ b/src/drivers/tpm/tpm.c @@ -30,6 +30,9 @@ #else tpm_setup(false); #endif + + // TCPA cbmem log + tcpa_log_init(); }
BOOT_STATE_INIT_ENTRY(BS_DEV_INIT, BS_ON_ENTRY, init_tpm_dev, NULL); diff --git a/src/security/tpm/Makefile.inc b/src/security/tpm/Makefile.inc index 9157fec..34ead8f 100644 --- a/src/security/tpm/Makefile.inc +++ b/src/security/tpm/Makefile.inc @@ -12,11 +12,11 @@
## TSPI
-ramstage-y += tspi/tspi.c -romstage-y += tspi/tspi.c +ramstage-y += tspi/tspi.c tspi/log.c +romstage-y += tspi/tspi.c tspi/log.c
-verstage-$(CONFIG_VBOOT) += tspi/tspi.c -postcar-$(CONFIG_VBOOT) += tspi/tspi.c +verstage-$(CONFIG_VBOOT) += tspi/tspi.c tspi/log.c +postcar-$(CONFIG_VBOOT) += tspi/tspi.c tspi/log.c
endif # CONFIG_TPM1
@@ -36,10 +36,10 @@
## TSPI
-ramstage-y += tspi/tspi.c -romstage-y += tspi/tspi.c +ramstage-y += tspi/tspi.c tspi/log.c +romstage-y += tspi/tspi.c tspi/log.c
-verstage-$(CONFIG_VBOOT) += tspi/tspi.c -postcar-$(CONFIG_VBOOT) += tspi/tspi.c +verstage-$(CONFIG_VBOOT) += tspi/tspi.c tspi/log.c +postcar-$(CONFIG_VBOOT) += tspi/tspi.c tspi/log.c
endif # CONFIG_TPM2 diff --git a/src/security/tpm/tspi.h b/src/security/tpm/tspi.h index fdc9e1c..01b2984 100644 --- a/src/security/tpm/tspi.h +++ b/src/security/tpm/tspi.h @@ -18,6 +18,18 @@ #define TSPI_H_
#include <security/tpm/tss.h> +#include <commonlib/tcpa_log_serialized.h> + +/** + * Setup TCPA cbmem log. + */ +void tcpa_log_init(void); + +/** + * Add table entry for cbmem TCPA log. + */ +int tcpa_log_add_table_entry(const char *name, const uint32_t pcr, + const uint8_t *digest, const size_t digest_length);
/** * Ask vboot for a digest and extend a TPM PCR with it. diff --git a/src/security/tpm/tspi/log.c b/src/security/tpm/tspi/log.c new file mode 100644 index 0000000..6091dfe --- /dev/null +++ b/src/security/tpm/tspi/log.c @@ -0,0 +1,75 @@ +/* + * This file is part of the coreboot project. + * + * Copyright 2018 Facebook Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 2 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + */ + +#include <string.h> +#include <cbmem.h> +#include <console/console.h> +#include <security/tpm/tspi.h> + +void tcpa_log_init(void) +{ + const struct cbmem_entry *ce; + struct tcpa_table *tclt; + + if (!cbmem_possibly_online()) + return; + + ce = cbmem_entry_find(CBMEM_ID_TCPA_LOG); + if (ce) + return; + + tclt = cbmem_add(CBMEM_ID_TCPA_LOG, + sizeof(struct tcpa_table) + + MAX_TCPA_LOG_ENTRIES * + sizeof(struct tcpa_entry)); + + if (!tclt) + return; + + tclt->max_entries = MAX_TCPA_LOG_ENTRIES; + tclt->num_entries = 0; + + printk(BIOS_DEBUG, "TCPA log created at %p\n", tclt); +} + +int tcpa_log_add_table_entry(const char *name, const uint32_t pcr, + const uint8_t *digest, const size_t digest_length) +{ + MAYBE_STATIC struct tcpa_table *tclt = NULL; + struct tcpa_entry *tce; + + if (!cbmem_possibly_online()) + return -1; + + tclt = cbmem_find(CBMEM_ID_TCPA_LOG); + if (!tclt) { + printk(BIOS_ERR, "ERROR: No TCPA log table found\n"); + return -1; + } + + if (tclt->num_entries == tclt->max_entries) { + printk(BIOS_WARNING, "ERROR: TCPA log table is full\n"); + return -1; + } + + tce = &tclt->entries[tclt->num_entries++]; + + memcpy(tce->name, name, TCPA_PCR_HASH_NAME); + tce->pcr = pcr; + memcpy(tce->digest, digest, digest_length); + tce->digest_length = digest_length; + + return 0; +}