This series of patches modifies the logging of events so that only active PCR banks are logged. An active PCR bank is recognized by the pcrSelect[0] being != 0.
The vendorInfoSize was assumed to be u32 but it is u8.
Prepare the tcgbios for SHA3 hash algorithms that may be supported by TPM2s at some point in the future.
Stefan
v1->v2: - added missing check for !sizeOfSelect - added '+ sizeof(u8)' to pad to account for vendorInfoSize field - added Marc-Andre's R-b's
Stefan Berger (3): tcgbios: Only write logs for PCRs that are in active PCR banks tcgbios: Fix the vendorInfoSize to be of type u8 tcgbios: Add support for SHA3 type of algorithms
src/std/tcg.h | 9 +++++++++ src/tcgbios.c | 56 +++++++++++++++++++++++++++++++++++++++------------ 2 files changed, 52 insertions(+), 13 deletions(-)
Only write the logs for those PCRs that are in active PCR banks. A PCR bank is assumed to be active if any of the BIOS-relevant PCRs 0 - 7 is enabled, i.e. pcrSelect[0] != 0.
Signed-off-by: Stefan Berger stefanb@linux.ibm.com Reviewed-by: Marc-André Lureau marcandre.lureau@redhat.com --- src/tcgbios.c | 30 ++++++++++++++++++++++-------- 1 file changed, 22 insertions(+), 8 deletions(-)
diff --git a/src/tcgbios.c b/src/tcgbios.c
index 95c1e94..cc3a51f 100644
--- a/src/tcgbios.c
+++ b/src/tcgbios.c
@@ -265,7 +265,7 @@ tpm20_write_EfiSpecIdEventStruct(void)
 struct tpms_pcr_selection *sel = tpm20_pcr_selection->selections;
 void *nsel, *end = (void*)tpm20_pcr_selection + tpm20_pcr_selection_size;
- u32 count;
+ u32 count, numAlgs = 0;
 for (count = 0; count < be32_to_cpu(tpm20_pcr_selection->count); count++) {
 u8 sizeOfSelect = sel->sizeOfSelect;
@@ -273,6 +273,11 @@ tpm20_write_EfiSpecIdEventStruct(void)
 if (nsel > end)
 break;
+ if (!sizeOfSelect || sel->pcrSelect[0] == 0) {
+ sel = nsel;
+ continue;
+ }
+
 int hsize = tpm20_get_hash_buffersize(be16_to_cpu(sel->hashAlg));
 if (hsize < 0) {
 dprintf(DEBUG_tcg, "TPM is using an unsupported hash: %d\n",
@@ -287,8 +292,9 @@ tpm20_write_EfiSpecIdEventStruct(void)
 return -1;
 }
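Review bot: The bank filter `if (!sizeOfSelect || sel->pcrSelect[0] == 0)` is added here without a comment and is duplicated verbatim in tpm20_build_digest, where it carries `/* PCR 0-7 unused? -- skip */`. The algorithm list in the Spec ID event and the digests in every later log entry have to describe the same set of banks, otherwise a verifier that walks the log using numberOfAlgorithms will misread the entries, so the two tests must never drift apart. I would add the same comment here and move the test into one small static helper that both loops call. Both loop bodies continue outside the hunks shown.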
- event.hdr.digestSizes[count].algorithmId = be16_to_cpu(sel->hashAlg);
- event.hdr.digestSizes[count].digestSize = hsize;
+ event.hdr.digestSizes[numAlgs].algorithmId = be16_to_cpu(sel->hashAlg);
+ event.hdr.digestSizes[numAlgs].digestSize = hsize;
+ numAlgs++;
sel = nsel;
 }
@@ -298,9 +304,9 @@ tpm20_write_EfiSpecIdEventStruct(void)
 return -1;
 }
- event.hdr.numberOfAlgorithms = count;
+ event.hdr.numberOfAlgorithms = numAlgs;
 int event_size = offsetof(struct TCG_EfiSpecIdEventStruct
- , digestSizes[count]);
+ , digestSizes[numAlgs]);
 u32 *vendorInfoSize = (void*)&event + event_size;
 *vendorInfoSize = 0;
 event_size += sizeof(*vendorInfoSize);
@@ -336,7 +342,7 @@ tpm20_build_digest(struct tpm_log_entry *le, const u8 *sha1, int bigEndian)
 void *nsel, *end = (void*)tpm20_pcr_selection + tpm20_pcr_selection_size;
 void *dest = le->hdr.digest + sizeof(struct tpm2_digest_values);
- u32 count;
+ u32 count, numAlgs = 0;
 for (count = 0; count < be32_to_cpu(tpm20_pcr_selection->count); count++) {
 u8 sizeOfSelect = sel->sizeOfSelect;
@@ -344,6 +350,12 @@ tpm20_build_digest(struct tpm_log_entry *le, const u8 *sha1, int bigEndian)
 if (nsel > end)
 break;
+ /* PCR 0-7 unused? -- skip */
+ if (!sizeOfSelect || sel->pcrSelect[0] == 0) {
+ sel = nsel;
+ continue;
+ }
+
 int hsize = tpm20_get_hash_buffersize(be16_to_cpu(sel->hashAlg));
 if (hsize < 0) {
 dprintf(DEBUG_tcg, "TPM is using an unsupported hash: %d\n",
@@ -368,6 +380,8 @@ tpm20_build_digest(struct tpm_log_entry *le, const u8 *sha1, int bigEndian)
dest += sizeof(*v) + hsize;
 sel = nsel;
+
+ numAlgs++;
 }
if (sel != end) {
@@ -377,9 +391,9 @@ tpm20_build_digest(struct tpm_log_entry *le, const u8 *sha1, int bigEndian)
struct tpm2_digest_values *v = (void*)le->hdr.digest;
 if (bigEndian)
- v->count = cpu_to_be32(count);
+ v->count = cpu_to_be32(numAlgs);
 else
- v->count = count;
+ v->count = numAlgs;
return dest - (void*)le->hdr.digest;
 }
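Review bot: `numAlgs` can remain 0 when every bank is skipped, and the function then returns a digest area whose `v->count` is 0; the same applies to `numberOfAlgorithms` in tpm20_write_EfiSpecIdEventStruct. Whether the callers treat that as an error is not visible in these hunks, but a measurement recorded with no digest is a silent gap in the event log rather than a reported failure. Consider rejecting it after the loop, for example `if (!numAlgs) { dprintf(DEBUG_tcg, "No active PCR banks\n"); return -1; }`, assuming a negative return is what callers of this function already check for.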
The vendorInfoSize is a u8 rather than a u32.
Signed-off-by: Stefan Berger stefanb@linux.ibm.com Reviewed-by: Marc-André Lureau marcandre.lureau@redhat.com --- src/tcgbios.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/tcgbios.c b/src/tcgbios.c
index cc3a51f..6a3a613 100644
--- a/src/tcgbios.c
+++ b/src/tcgbios.c
@@ -287,7 +287,7 @@ tpm20_write_EfiSpecIdEventStruct(void)
int event_size = offsetof(struct TCG_EfiSpecIdEventStruct
 , digestSizes[count+1]);
- if (event_size > sizeof(event) - sizeof(u32)) {
+ if (event_size > sizeof(event) - sizeof(u8)) {
 dprintf(DEBUG_tcg, "EfiSpecIdEventStruct pad too small\n");
 return -1;
 }
@@ -307,7 +307,7 @@ tpm20_write_EfiSpecIdEventStruct(void)
 event.hdr.numberOfAlgorithms = numAlgs;
 int event_size = offsetof(struct TCG_EfiSpecIdEventStruct
 , digestSizes[numAlgs]);
- u32 *vendorInfoSize = (void*)&event + event_size;
+ u8 *vendorInfoSize = (void*)&event + event_size;
 *vendorInfoSize = 0;
 event_size += sizeof(*vendorInfoSize);
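Review bot: The capacity check in the first hunk still computes `offsetof(struct TCG_EfiSpecIdEventStruct, digestSizes[count+1])`, although since the previous patch entries are stored at index `numAlgs` and the final size is taken from `digestSizes[numAlgs]`. Because `numAlgs` never exceeds `count`, the check is conservative rather than unsafe, but it can reject a layout that would fit once inactive banks are skipped, and it no longer mirrors the write it guards. Using `digestSizes[numAlgs+1]` in that check keeps the bound tied to the index that is actually written.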
Add support for SHA3 type of algorithms that a TPM2 may support some time in the future.
Signed-off-by: Stefan Berger stefanb@linux.ibm.com Reviewed-by: Marc-André Lureau marcandre.lureau@redhat.com --- src/std/tcg.h | 9 +++++++++ src/tcgbios.c | 22 +++++++++++++++++++--- 2 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/src/std/tcg.h b/src/std/tcg.h
index 1c9eeb4..98cca49 100644
--- a/src/std/tcg.h
+++ b/src/std/tcg.h
@@ -8,6 +8,9 @@
 #define SHA384_BUFSIZE 48
 #define SHA512_BUFSIZE 64
 #define SM3_256_BUFSIZE 32
+#define SHA3_256_BUFSIZE 32
+#define SHA3_384_BUFSIZE 48
+#define SHA3_512_BUFSIZE 64
/****************************************************************
@@ -335,12 +338,18 @@ struct tpm_res_sha1complete {
 #define TPM2_ALG_SHA384 0x000c
 #define TPM2_ALG_SHA512 0x000d
 #define TPM2_ALG_SM3_256 0x0012
+#define TPM2_ALG_SHA3_256 0x0027
+#define TPM2_ALG_SHA3_384 0x0028
+#define TPM2_ALG_SHA3_512 0x0029
#define TPM2_ALG_SHA1_FLAG (1 << 0)
 #define TPM2_ALG_SHA256_FLAG (1 << 1)
 #define TPM2_ALG_SHA384_FLAG (1 << 2)
 #define TPM2_ALG_SHA512_FLAG (1 << 3)
 #define TPM2_ALG_SM3_256_FLAG (1 << 4)
+#define TPM2_ALG_SHA3_256_FLAG (1 << 5)
+#define TPM2_ALG_SHA3_384_FLAG (1 << 6)
+#define TPM2_ALG_SHA3_512_FLAG (1 << 7)
/* TPM 2 command tags */
 #define TPM2_ST_NO_SESSIONS 0x8001
diff --git a/src/tcgbios.c b/src/tcgbios.c
index 6a3a613..82894f5 100644
--- a/src/tcgbios.c
+++ b/src/tcgbios.c
@@ -156,9 +156,10 @@ static struct tpml_pcr_selection *tpm20_pcr_selection;
 struct tpm_log_entry {
 struct tpm_log_header hdr;
 u8 pad[sizeof(struct tpm2_digest_values)
- + 5 * sizeof(struct tpm2_digest_value)
+ + 8 * sizeof(struct tpm2_digest_value)
 + SHA1_BUFSIZE + SHA256_BUFSIZE + SHA384_BUFSIZE
- + SHA512_BUFSIZE + SM3_256_BUFSIZE];
+ + SHA512_BUFSIZE + SM3_256_BUFSIZE + SHA3_256_BUFSIZE
+ + SHA3_384_BUFSIZE + SHA3_512_BUFSIZE];
 } PACKED;
static const struct hash_parameters {
@@ -192,6 +193,21 @@ static const struct hash_parameters {
 .hashalg_flag = TPM2_ALG_SM3_256_FLAG,
 .hash_buffersize = SM3_256_BUFSIZE,
 .name = "SM3-256",
+ }, {
+ .hashalg = TPM2_ALG_SHA3_256,
+ .hashalg_flag = TPM2_ALG_SHA3_256_FLAG,
+ .hash_buffersize = SHA3_256_BUFSIZE,
+ .name = "SHA3-256",
+ }, {
+ .hashalg = TPM2_ALG_SHA3_384,
+ .hashalg_flag = TPM2_ALG_SHA3_384_FLAG,
+ .hash_buffersize = SHA3_384_BUFSIZE,
+ .name = "SHA3-384",
+ }, {
+ .hashalg = TPM2_ALG_SHA3_512,
+ .hashalg_flag = TPM2_ALG_SHA3_512_FLAG,
+ .hash_buffersize = SHA3_512_BUFSIZE,
+ .name = "SHA3-512",
 }
 };
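Review bot: The digest-value count in the `struct tpm_log_entry` pad is a bare `8` that has to equal the number of entries in `hash_parameters`, and the `*_BUFSIZE` terms have to name each of them, yet nothing enforces either. If a later algorithm is added to the table without touching this expression, tpm20_build_digest would be filling a buffer that is too small, and whether that is caught depends on a bounds check that is not part of these hunks. A compile-time check placed after the table would make the coupling explicit, e.g. `_Static_assert(sizeof(hash_parameters) / sizeof(hash_parameters[0]) == 8, "update struct tpm_log_entry pad");`.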
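Review bot: `TPM2_ALG_SHA3_512_FLAG` is `(1 << 7)`, which is the last usable bit if `hashalg_flag` is an 8-bit field; the field types of `struct hash_parameters` are outside this hunk, so that width is an assumption to confirm. If it is 8 bits wide, the next algorithm appended to this table would have its flag truncated to 0 without any diagnostic. A short comment above the flag definitions in tcg.h, such as `/* flags must fit the width of hash_parameters.hashalg_flag */`, would record the limit for whoever adds the next entry.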
@@ -252,7 +268,7 @@ tpm20_write_EfiSpecIdEventStruct(void)
struct {
 struct TCG_EfiSpecIdEventStruct hdr;
- u8 pad[256];
+ u8 pad[sizeof(struct tpm_log_entry) + sizeof(u8)];
 } event = {
 .hdr.signature = "Spec ID Event03",
 .hdr.platformClass = TPM_TCPA_ACPI_CLASS_CLIENT,
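Review bot: The new `u8 pad[sizeof(struct tpm_log_entry) + sizeof(u8)]` borrows the size of an unrelated structure, whereas what this buffer has to hold is one `digestSizes[]` element per supported algorithm plus the one-byte vendorInfoSize. It is large enough only while a `digestSizes` element is no bigger than a `struct tpm2_digest_value` plus its hash buffer, which appears to hold but is not stated anywhere. I would either size the pad from the `digestSizes` element type and the table length, or add a comment such as `/* room for one digestSizes[] entry per hash_parameters[] entry + vendorInfoSize */`. The initializer continues past the end of the hunk.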
On Mon, Mar 30, 2020 at 07:55:54AM -0400, Stefan Berger wrote:
This series of patches modifies the logging of events so that only active PCR banks are logged. An active PCR bank is recognized by the pcrSelect[0] being != 0.
The vendorInfoSize was assumed to be u32 but it is u8.
Prepare the tcgbios for SHA3 hash algorithms that may be support by TPM2's some time in the future.
Thanks. I committed this series.
-Kevin