Patch 1 fixes the return of a missing digest in the HashLogExtendEvent command.
Beyond thad that, the patches extend the handling of physical presence to HW physical presence and rework the showing of the TPM menu to depend on whether SW physical presence could be asserted or HW physical presence has been found to be enabled.
Regards, Stefan
Stefan Berger (6): Copy digest into HashLogExentEvent response Move assert_physical_presence and dependencies Add support for harware physical presence Rework the assertion of physical presence Remove usage of PP_CMD_ENABLE from all but one place Do not set TPM in failure mode if menu command fails
src/boot.c | 2 +- src/std/tcg.h | 1 + src/tcgbios.c | 227 ++++++++++++++++++++++++---------------------------------- src/tcgbios.h | 1 + 4 files changed, 98 insertions(+), 133 deletions(-)
From: Stefan Berger stefanb@linux.vnet.ibm.com
Copy the digest into the response of a HashLogExtendEvent API call.
Signed-off-by: Stefan Berger stefanb@linux.vnet.ibm.com --- src/tcgbios.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/src/tcgbios.c b/src/tcgbios.c index 046b3ce..965874c 100644 --- a/src/tcgbios.c +++ b/src/tcgbios.c @@ -656,6 +656,7 @@ hash_log_extend_event_int(const struct hleei_short *hleei_s, hleeo->opblength = sizeof(struct hleeo); hleeo->reserved = 0; hleeo->eventnumber = hleo.eventnumber; + memcpy(hleeo->digest, pcpes->digest, sizeof(hleeo->digest));
err_exit: if (rc != 0) {
From: Stefan Berger stefanb@linux.vnet.ibm.com
Move assert_physical_presence and dependencies in front of tpm_startup so that the next patches can assert physical presence after TPM_ORD_Startup ran.
Signed-off-by: Stefan Berger stefanb@linux.vnet.ibm.com --- src/tcgbios.c | 146 +++++++++++++++++++++++++++++----------------------------- 1 file changed, 73 insertions(+), 73 deletions(-)
diff --git a/src/tcgbios.c b/src/tcgbios.c index 965874c..51b3e78 100644 --- a/src/tcgbios.c +++ b/src/tcgbios.c @@ -410,6 +410,79 @@ tpm_smbios_measure(void) (u8 *)&pcctes, sizeof(pcctes)); }
+static u32 +read_stclear_flags(char *buf, int buf_len) +{ + memset(buf, 0, buf_len); + + struct tpm_res_getcap_stclear_flags stcf; + int ret = tpm_get_capability(TPM_CAP_FLAG, TPM_CAP_FLAG_VOLATILE + , &stcf.hdr, sizeof(stcf)); + if (ret) { + dprintf(DEBUG_tcg, "Error reading STClear flags: 0x%08x\n", ret); + return -1; + } + + memcpy(buf, &stcf.stclear_flags, buf_len); + + return 0; +} + +static int +read_permanent_flags(char *buf, int buf_len) +{ + memset(buf, 0, buf_len); + + struct tpm_res_getcap_perm_flags pf; + int ret = tpm_get_capability(TPM_CAP_FLAG, TPM_CAP_FLAG_PERMANENT + , &pf.hdr, sizeof(pf)); + if (ret) + return -1; + + memcpy(buf, &pf.perm_flags, buf_len); + + return 0; +} + +static u32 +assert_physical_presence(int verbose) +{ + struct tpm_stclear_flags stcf; + int ret = read_stclear_flags((char *)&stcf, sizeof(stcf)); + if (ret) + return -1; + + if (stcf.flags[STCLEAR_FLAG_IDX_PHYSICAL_PRESENCE]) + /* physical presence already asserted */ + return 0; + + ret = tpm_send_check_cmd(0, TPM_ORD_PhysicalPresence, + PhysicalPresence_CMD_ENABLE, + sizeof(PhysicalPresence_CMD_ENABLE), + TPM_DURATION_TYPE_SHORT); + if (ret) { + if (verbose) + printf("Error: Could not enable physical presence.\n\n"); + goto err_exit; + } + + ret = tpm_send_check_cmd(0, TPM_ORD_PhysicalPresence, + PhysicalPresence_PRESENT, + sizeof(PhysicalPresence_PRESENT), + TPM_DURATION_TYPE_SHORT); + if (ret) { + if (verbose) + printf("Error: Could not set presence flag.\n\n"); + goto err_exit; + } + + return 0; + +err_exit: + dprintf(DEBUG_tcg, "TCGBIOS: Asserting physical presence failed: %x\n", ret); + return -1; +} + static int tpm_startup(void) { @@ -876,79 +949,6 @@ tpm_interrupt_handler32(struct bregs *regs) * TPM Configuration Menu ****************************************************************/
-static u32 -read_stclear_flags(char *buf, int buf_len) -{ - memset(buf, 0, buf_len); - - struct tpm_res_getcap_stclear_flags stcf; - int ret = tpm_get_capability(TPM_CAP_FLAG, TPM_CAP_FLAG_VOLATILE - , &stcf.hdr, sizeof(stcf)); - if (ret) { - dprintf(DEBUG_tcg, "Error reading STClear flags: 0x%08x\n", ret); - return -1; - } - - memcpy(buf, &stcf.stclear_flags, buf_len); - - return 0; -} - -static u32 -assert_physical_presence(int verbose) -{ - struct tpm_stclear_flags stcf; - int ret = read_stclear_flags((char *)&stcf, sizeof(stcf)); - if (ret) - return -1; - - if (stcf.flags[STCLEAR_FLAG_IDX_PHYSICAL_PRESENCE]) - /* physical presence already asserted */ - return 0; - - ret = tpm_send_check_cmd(0, TPM_ORD_PhysicalPresence, - PhysicalPresence_CMD_ENABLE, - sizeof(PhysicalPresence_CMD_ENABLE), - TPM_DURATION_TYPE_SHORT); - if (ret) { - if (verbose) - printf("Error: Could not enable physical presence.\n\n"); - goto err_exit; - } - - ret = tpm_send_check_cmd(0, TPM_ORD_PhysicalPresence, - PhysicalPresence_PRESENT, - sizeof(PhysicalPresence_PRESENT), - TPM_DURATION_TYPE_SHORT); - if (ret) { - if (verbose) - printf("Error: Could not set presence flag.\n\n"); - goto err_exit; - } - - return 0; - -err_exit: - dprintf(DEBUG_tcg, "TCGBIOS: Asserting physical presence failed: %x\n", ret); - return -1; -} - -static int -read_permanent_flags(char *buf, int buf_len) -{ - memset(buf, 0, buf_len); - - struct tpm_res_getcap_perm_flags pf; - int ret = tpm_get_capability(TPM_CAP_FLAG, TPM_CAP_FLAG_PERMANENT - , &pf.hdr, sizeof(pf)); - if (ret) - return -1; - - memcpy(buf, &pf.perm_flags, buf_len); - - return 0; -} - static int read_has_owner(int *has_owner) {
From: Stefan Berger stefanb@linux.vnet.ibm.com
Extend assert_physical_presence with checks for hardware physical presence support. If hardware physical presence is enabled, we return 0.
Signed-off-by: Stefan Berger stefanb@linux.vnet.ibm.com --- src/std/tcg.h | 1 + src/tcgbios.c | 79 ++++++++++++++++++++++------------------------------------- 2 files changed, 30 insertions(+), 50 deletions(-)
diff --git a/src/std/tcg.h b/src/std/tcg.h index 9f7f021..91692e9 100644 --- a/src/std/tcg.h +++ b/src/std/tcg.h @@ -285,6 +285,7 @@ enum permFlagsIndex { PERM_FLAG_IDX_ALLOW_MAINTENANCE, PERM_FLAG_IDX_PHYSICAL_PRESENCE_LIFETIME_LOCK, PERM_FLAG_IDX_PHYSICAL_PRESENCE_HW_ENABLE, + PERM_FLAG_IDX_PHYSICAL_PRESENCE_CMD_ENABLE, };
diff --git a/src/tcgbios.c b/src/tcgbios.c index 51b3e78..7a81d00 100644 --- a/src/tcgbios.c +++ b/src/tcgbios.c @@ -410,24 +410,6 @@ tpm_smbios_measure(void) (u8 *)&pcctes, sizeof(pcctes)); }
-static u32 -read_stclear_flags(char *buf, int buf_len) -{ - memset(buf, 0, buf_len); - - struct tpm_res_getcap_stclear_flags stcf; - int ret = tpm_get_capability(TPM_CAP_FLAG, TPM_CAP_FLAG_VOLATILE - , &stcf.hdr, sizeof(stcf)); - if (ret) { - dprintf(DEBUG_tcg, "Error reading STClear flags: 0x%08x\n", ret); - return -1; - } - - memcpy(buf, &stcf.stclear_flags, buf_len); - - return 0; -} - static int read_permanent_flags(char *buf, int buf_len) { @@ -444,42 +426,39 @@ read_permanent_flags(char *buf, int buf_len) return 0; }
-static u32 -assert_physical_presence(int verbose) +static int +assert_physical_presence(void) { - struct tpm_stclear_flags stcf; - int ret = read_stclear_flags((char *)&stcf, sizeof(stcf)); + int ret = tpm_send_cmd(0, TPM_ORD_PhysicalPresence, + PhysicalPresence_PRESENT, + sizeof(PhysicalPresence_PRESENT), + TPM_DURATION_TYPE_SHORT); + if (!ret) + return 0; + + struct tpm_permanent_flags pf; + ret = read_permanent_flags((char *)&pf, sizeof(pf)); if (ret) return -1;
- if (stcf.flags[STCLEAR_FLAG_IDX_PHYSICAL_PRESENCE]) - /* physical presence already asserted */ + /* check if hardware physical presence is supported */ + if (pf.flags[PERM_FLAG_IDX_PHYSICAL_PRESENCE_HW_ENABLE]) { + /* HW phys. presence may not be asserted... */ return 0; - - ret = tpm_send_check_cmd(0, TPM_ORD_PhysicalPresence, - PhysicalPresence_CMD_ENABLE, - sizeof(PhysicalPresence_CMD_ENABLE), - TPM_DURATION_TYPE_SHORT); - if (ret) { - if (verbose) - printf("Error: Could not enable physical presence.\n\n"); - goto err_exit; - } - - ret = tpm_send_check_cmd(0, TPM_ORD_PhysicalPresence, - PhysicalPresence_PRESENT, - sizeof(PhysicalPresence_PRESENT), - TPM_DURATION_TYPE_SHORT); - if (ret) { - if (verbose) - printf("Error: Could not set presence flag.\n\n"); - goto err_exit; }
- return 0; + if (!pf.flags[PERM_FLAG_IDX_PHYSICAL_PRESENCE_LIFETIME_LOCK] + && !pf.flags[PERM_FLAG_IDX_PHYSICAL_PRESENCE_CMD_ENABLE]) { + tpm_send_cmd(0, TPM_ORD_PhysicalPresence, + PhysicalPresence_CMD_ENABLE, + sizeof(PhysicalPresence_CMD_ENABLE), + TPM_DURATION_TYPE_SHORT);
-err_exit: - dprintf(DEBUG_tcg, "TCGBIOS: Asserting physical presence failed: %x\n", ret); + return tpm_send_cmd(0, TPM_ORD_PhysicalPresence, + PhysicalPresence_PRESENT, + sizeof(PhysicalPresence_PRESENT), + TPM_DURATION_TYPE_SHORT); + } return -1; }
@@ -974,7 +953,7 @@ enable_tpm(int enable, int verbose) if (pf.flags[PERM_FLAG_IDX_DISABLE] && !enable) return 0;
- ret = assert_physical_presence(verbose); + ret = assert_physical_presence(); if (ret) return -1;
@@ -1004,7 +983,7 @@ activate_tpm(int activate, int allow_reset, int verbose) if (pf.flags[PERM_FLAG_IDX_DISABLE]) return 0;
- ret = assert_physical_presence(verbose); + ret = assert_physical_presence(); if (ret) return -1;
@@ -1061,7 +1040,7 @@ force_clear(int enable_activate_before, int enable_activate_after, int verbose) } }
- ret = assert_physical_presence(verbose); + ret = assert_physical_presence(); if (ret) return -1;
@@ -1104,7 +1083,7 @@ set_owner_install(int allow, int verbose) return 0; }
- ret = assert_physical_presence(verbose); + ret = assert_physical_presence(); if (ret) return -1;
From: Stefan Berger stefanb@linux.vnet.ibm.com
Rework the assertion of physical presence by calling assert_physical_presence in tpm_setup. This call will assert physical presence if SW assertion is possible or by checking whether HW physical presence is enabled. The TPM menu will only be shown if physical presence is asserted or HW physical presence is enabled after this call.
Signed-off-by: Stefan Berger stefanb@linux.vnet.ibm.com --- src/boot.c | 2 +- src/tcgbios.c | 33 +++++++++++++++++---------------- src/tcgbios.h | 1 + 3 files changed, 19 insertions(+), 17 deletions(-)
diff --git a/src/boot.c b/src/boot.c index a251eb4..27b85d5 100644 --- a/src/boot.c +++ b/src/boot.c @@ -499,7 +499,7 @@ interactive_bootmenu(void) scan_code = get_keystroke(1000); if (scan_code == 1 && !irqtimer_check(esc_accepted_time)) continue; - if (tpm_is_working() && scan_code == 20 /* t */) { + if (tpm_can_show_menu() && scan_code == 20 /* t */) { printf("\n"); tpm_menu(); } diff --git a/src/tcgbios.c b/src/tcgbios.c index 7a81d00..d14468e 100644 --- a/src/tcgbios.c +++ b/src/tcgbios.c @@ -60,6 +60,8 @@ struct { u8 * log_area_last_entry; } tpm_state VARLOW;
+static int TPM_has_physical_presence; + static struct tcpa_descriptor_rev2 * find_tcpa_by_rsdp(struct rsdp_descriptor *rsdp) { @@ -164,6 +166,12 @@ tpm_is_working(void) return CONFIG_TCGBIOS && TPM_working; }
+int +tpm_can_show_menu(void) +{ + return tpm_is_working() && TPM_has_physical_presence; +} + /* * Send a TPM command with the given ordinal. Append the given buffer * containing all data in network byte order to the command (this is @@ -477,6 +485,11 @@ tpm_startup(void) if (ret) goto err_exit;
+ /* assertion of physical presence is only possible after startup */ + ret = assert_physical_presence(); + if (!ret) + TPM_has_physical_presence = 1; + ret = determine_timeouts(); if (ret) return -1; @@ -521,6 +534,10 @@ tpm_setup(void) if (ret) return;
+ ret = assert_physical_presence(); + if (!ret) + TPM_has_physical_presence = 1; + tpm_smbios_measure(); tpm_add_action(2, "Start Option ROM Scan"); } @@ -953,10 +970,6 @@ enable_tpm(int enable, int verbose) if (pf.flags[PERM_FLAG_IDX_DISABLE] && !enable) return 0;
- ret = assert_physical_presence(); - if (ret) - return -1; - ret = tpm_send_check_cmd(0, enable ? TPM_ORD_PhysicalEnable : TPM_ORD_PhysicalDisable, NULL, 0, TPM_DURATION_TYPE_SHORT); @@ -983,10 +996,6 @@ activate_tpm(int activate, int allow_reset, int verbose) if (pf.flags[PERM_FLAG_IDX_DISABLE]) return 0;
- ret = assert_physical_presence(); - if (ret) - return -1; - ret = tpm_send_check_cmd(0, TPM_ORD_PhysicalSetDeactivated, activate ? CommandFlag_FALSE : CommandFlag_TRUE, @@ -1040,10 +1049,6 @@ force_clear(int enable_activate_before, int enable_activate_after, int verbose) } }
- ret = assert_physical_presence(); - if (ret) - return -1; - ret = tpm_send_check_cmd(0, TPM_ORD_ForceClear, NULL, 0, TPM_DURATION_TYPE_SHORT); if (ret) @@ -1083,10 +1088,6 @@ set_owner_install(int allow, int verbose) return 0; }
- ret = assert_physical_presence(); - if (ret) - return -1; - ret = tpm_send_check_cmd(0, TPM_ORD_SetOwnerInstall, (allow) ? CommandFlag_TRUE : CommandFlag_FALSE, diff --git a/src/tcgbios.h b/src/tcgbios.h index 6040b0c..28763e7 100644 --- a/src/tcgbios.h +++ b/src/tcgbios.h @@ -14,6 +14,7 @@ void tpm_add_cdrom(u32 bootdrv, const u8 *addr, u32 length); void tpm_add_cdrom_catalog(const u8 *addr, u32 length); void tpm_option_rom(const void *addr, u32 len); int tpm_is_working(void); +int tpm_can_show_menu(void); void tpm_menu(void);
#endif /* TCGBIOS_H */
On Thu, Jan 07, 2016 at 07:55:39AM -0500, Stefan Berger wrote:
From: Stefan Berger stefanb@linux.vnet.ibm.com
Rework the assertion of physical presence by calling assert_physical_presence in tpm_setup. This call will assert physical presence if SW assertion is possible or by checking whether HW physical presence is enabled. The TPM menu will only be shown if physical presence is asserted or HW physical presence is enabled after this call.
Signed-off-by: Stefan Berger stefanb@linux.vnet.ibm.com
src/boot.c | 2 +- src/tcgbios.c | 33 +++++++++++++++++---------------- src/tcgbios.h | 1 + 3 files changed, 19 insertions(+), 17 deletions(-)
diff --git a/src/boot.c b/src/boot.c index a251eb4..27b85d5 100644 --- a/src/boot.c +++ b/src/boot.c @@ -499,7 +499,7 @@ interactive_bootmenu(void) scan_code = get_keystroke(1000); if (scan_code == 1 && !irqtimer_check(esc_accepted_time)) continue;
if (tpm_is_working() && scan_code == 20 /* t */) {
if (tpm_can_show_menu() && scan_code == 20 /* t */) { printf("\n"); tpm_menu(); }diff --git a/src/tcgbios.c b/src/tcgbios.c index 7a81d00..d14468e 100644 --- a/src/tcgbios.c +++ b/src/tcgbios.c @@ -60,6 +60,8 @@ struct { u8 * log_area_last_entry; } tpm_state VARLOW;
+static int TPM_has_physical_presence;
static struct tcpa_descriptor_rev2 * find_tcpa_by_rsdp(struct rsdp_descriptor *rsdp) { @@ -164,6 +166,12 @@ tpm_is_working(void) return CONFIG_TCGBIOS && TPM_working; }
+int +tpm_can_show_menu(void) +{
- return tpm_is_working() && TPM_has_physical_presence;
+}
/*
- Send a TPM command with the given ordinal. Append the given buffer
- containing all data in network byte order to the command (this is
@@ -477,6 +485,11 @@ tpm_startup(void) if (ret) goto err_exit;
- /* assertion of physical presence is only possible after startup */
- ret = assert_physical_presence();
- if (!ret)
TPM_has_physical_presence = 1;- ret = determine_timeouts(); if (ret) return -1;
@@ -521,6 +534,10 @@ tpm_setup(void) if (ret) return;
- ret = assert_physical_presence();
- if (!ret)
TPM_has_physical_presence = 1;- tpm_smbios_measure(); tpm_add_action(2, "Start Option ROM Scan");
}
This calls assert_physical_presence() twice during setup. I'm guessing the first was a copy-and-paste error and only the one in tpm_setup() is desired?
[...]
--- a/src/tcgbios.h +++ b/src/tcgbios.h @@ -14,6 +14,7 @@ void tpm_add_cdrom(u32 bootdrv, const u8 *addr, u32 length); void tpm_add_cdrom_catalog(const u8 *addr, u32 length); void tpm_option_rom(const void *addr, u32 len); int tpm_is_working(void); +int tpm_can_show_menu(void);
Now that tpm_is_working() is no longer used, it should be marked as static and not exported.
-Kevin
"Kevin O'Connor" kevin@koconnor.net wrote on 01/07/2016 11:21:02 AM:
On Thu, Jan 07, 2016 at 07:55:39AM -0500, Stefan Berger wrote:
From: Stefan Berger stefanb@linux.vnet.ibm.com
Rework the assertion of physical presence by calling
assert_physical_presence
in tpm_setup. This call will assert physical presence if SW assertion
is
possible or by checking whether HW physical presence is enabled. The TPM menu will only be shown if physical presence is asserted or HW physical presence is enabled after this call.
Signed-off-by: Stefan Berger stefanb@linux.vnet.ibm.com
src/boot.c | 2 +- src/tcgbios.c | 33 +++++++++++++++++---------------- src/tcgbios.h | 1 + 3 files changed, 19 insertions(+), 17 deletions(-)
diff --git a/src/boot.c b/src/boot.c index a251eb4..27b85d5 100644 --- a/src/boot.c +++ b/src/boot.c @@ -499,7 +499,7 @@ interactive_bootmenu(void) scan_code = get_keystroke(1000); if (scan_code == 1 && !irqtimer_check(esc_accepted_time)) continue;
if (tpm_is_working() && scan_code == 20 /* t */) {
if (tpm_can_show_menu() && scan_code == 20 /* t */) { printf("\n"); tpm_menu(); }diff --git a/src/tcgbios.c b/src/tcgbios.c index 7a81d00..d14468e 100644 --- a/src/tcgbios.c +++ b/src/tcgbios.c @@ -60,6 +60,8 @@ struct { u8 * log_area_last_entry; } tpm_state VARLOW;
+static int TPM_has_physical_presence;
static struct tcpa_descriptor_rev2 * find_tcpa_by_rsdp(struct rsdp_descriptor *rsdp) { @@ -164,6 +166,12 @@ tpm_is_working(void) return CONFIG_TCGBIOS && TPM_working; }
+int +tpm_can_show_menu(void) +{
- return tpm_is_working() && TPM_has_physical_presence;
+}
/*
- Send a TPM command with the given ordinal. Append the given buffer
- containing all data in network byte order to the command (this is
@@ -477,6 +485,11 @@ tpm_startup(void) if (ret) goto err_exit;
- /* assertion of physical presence is only possible after startup
*/
- ret = assert_physical_presence();
- if (!ret)
TPM_has_physical_presence = 1;- ret = determine_timeouts(); if (ret) return -1;
@@ -521,6 +534,10 @@ tpm_setup(void) if (ret) return;
- ret = assert_physical_presence();
- if (!ret)
TPM_has_physical_presence = 1;- tpm_smbios_measure(); tpm_add_action(2, "Start Option ROM Scan");
}
This calls assert_physical_presence() twice during setup. I'm guessing the first was a copy-and-paste error and only the one in tpm_setup() is desired?
Right, copy-paste error. Only the first is necessary.
[...]
--- a/src/tcgbios.h +++ b/src/tcgbios.h @@ -14,6 +14,7 @@ void tpm_add_cdrom(u32 bootdrv, const u8 *addr,
u32 length);
void tpm_add_cdrom_catalog(const u8 *addr, u32 length); void tpm_option_rom(const void *addr, u32 len); int tpm_is_working(void); +int tpm_can_show_menu(void);
Now that tpm_is_working() is no longer used, it should be marked as static and not exported.
Good catch.
Stefan
-Kevin
From: Stefan Berger stefanb@linux.vnet.ibm.com
Remove the usage of PhysicalPresence_CMD_ENABLE from all but the assert_physical_presence function.
Signed-off-by: Stefan Berger stefanb@linux.vnet.ibm.com --- src/tcgbios.c | 36 +++++++++--------------------------- 1 file changed, 9 insertions(+), 27 deletions(-)
diff --git a/src/tcgbios.c b/src/tcgbios.c index d14468e..ccf5486 100644 --- a/src/tcgbios.c +++ b/src/tcgbios.c @@ -38,7 +38,6 @@ static const u8 CommandFlag_TRUE[1] = { 0x01 };
typedef u8 tpm_ppi_code;
- /**************************************************************** * ACPI TCPA table interface ****************************************************************/ @@ -213,16 +212,10 @@ tpm_set_failure(void) { dprintf(DEBUG_tcg, "TCGBIOS: TPM malfunctioning.\n");
- /* we will try to deactivate the TPM now - ignoring all errors */ - tpm_send_cmd(0, TPM_ORD_PhysicalPresence, - PhysicalPresence_CMD_ENABLE, - sizeof(PhysicalPresence_CMD_ENABLE), - TPM_DURATION_TYPE_SHORT); - - tpm_send_cmd(0, TPM_ORD_PhysicalPresence, - PhysicalPresence_PRESENT, - sizeof(PhysicalPresence_PRESENT), - TPM_DURATION_TYPE_SHORT); + /* + * We will try to deactivate the TPM now - ignoring all errors + * Physical presence is asserted. + */
tpm_send_cmd(0, TPM_ORD_SetTempDeactivated, NULL, 0, TPM_DURATION_TYPE_SHORT); @@ -545,22 +538,11 @@ tpm_setup(void) void tpm_prepboot(void) { - if (!tpm_is_working()) - return; - - int ret = tpm_send_check_cmd(0, TPM_ORD_PhysicalPresence, - PhysicalPresence_CMD_ENABLE, - sizeof(PhysicalPresence_CMD_ENABLE), - TPM_DURATION_TYPE_SHORT); - if (ret) - return; - - ret = tpm_send_check_cmd(0, TPM_ORD_PhysicalPresence, - PhysicalPresence_NOT_PRESENT_LOCK, - sizeof(PhysicalPresence_NOT_PRESENT_LOCK), - TPM_DURATION_TYPE_SHORT); - if (ret) - return; + if (TPM_has_physical_presence) + tpm_send_cmd(0, TPM_ORD_PhysicalPresence, + PhysicalPresence_NOT_PRESENT_LOCK, + sizeof(PhysicalPresence_NOT_PRESENT_LOCK), + TPM_DURATION_TYPE_SHORT);
tpm_add_action(4, "Calling INT 19h"); tpm_add_event_separators();
On Thu, Jan 07, 2016 at 07:55:40AM -0500, Stefan Berger wrote:
From: Stefan Berger stefanb@linux.vnet.ibm.com
Remove the usage of PhysicalPresence_CMD_ENABLE from all but the assert_physical_presence function.
Signed-off-by: Stefan Berger stefanb@linux.vnet.ibm.com
src/tcgbios.c | 36 +++++++++--------------------------- 1 file changed, 9 insertions(+), 27 deletions(-)
diff --git a/src/tcgbios.c b/src/tcgbios.c index d14468e..ccf5486 100644 --- a/src/tcgbios.c +++ b/src/tcgbios.c @@ -38,7 +38,6 @@ static const u8 CommandFlag_TRUE[1] = { 0x01 };
typedef u8 tpm_ppi_code;
/****************************************************************
- ACPI TCPA table interface
****************************************************************/ @@ -213,16 +212,10 @@ tpm_set_failure(void) { dprintf(DEBUG_tcg, "TCGBIOS: TPM malfunctioning.\n");
- /* we will try to deactivate the TPM now - ignoring all errors */
- tpm_send_cmd(0, TPM_ORD_PhysicalPresence,
PhysicalPresence_CMD_ENABLE,sizeof(PhysicalPresence_CMD_ENABLE),TPM_DURATION_TYPE_SHORT);- tpm_send_cmd(0, TPM_ORD_PhysicalPresence,
PhysicalPresence_PRESENT,sizeof(PhysicalPresence_PRESENT),TPM_DURATION_TYPE_SHORT);
/*
* We will try to deactivate the TPM now - ignoring all errors* Physical presence is asserted.*/tpm_send_cmd(0, TPM_ORD_SetTempDeactivated, NULL, 0, TPM_DURATION_TYPE_SHORT);
@@ -545,22 +538,11 @@ tpm_setup(void) void tpm_prepboot(void) {
- if (!tpm_is_working())
return;- int ret = tpm_send_check_cmd(0, TPM_ORD_PhysicalPresence,
PhysicalPresence_CMD_ENABLE,sizeof(PhysicalPresence_CMD_ENABLE),TPM_DURATION_TYPE_SHORT);- if (ret)
return;- ret = tpm_send_check_cmd(0, TPM_ORD_PhysicalPresence,
PhysicalPresence_NOT_PRESENT_LOCK,sizeof(PhysicalPresence_NOT_PRESENT_LOCK),TPM_DURATION_TYPE_SHORT);- if (ret)
return;
if (TPM_has_physical_presence)
tpm_send_cmd(0, TPM_ORD_PhysicalPresence,PhysicalPresence_NOT_PRESENT_LOCK,sizeof(PhysicalPresence_NOT_PRESENT_LOCK),TPM_DURATION_TYPE_SHORT);tpm_add_action(4, "Calling INT 19h"); tpm_add_event_separators();
If the call to tpm_is_working() is removed from tpm_prepboot(), then a check for CONFIG_TCGBIOS still needs to be present (or the build may not weed out the code on !CONFIG_TCGBIOS).
-Kevin
From: Stefan Berger stefanb@linux.vnet.ibm.com
Since we may detect that HW physical presence is enabled but we do not detect whether it is actually asserted, we may fail on the TPM menu commands that require the assertion of physical presence. We therefore cannot set the TPM into failure mode if we hit this case. Failure should never occur in these cases if SW physical presence has been asserted.
Signed-off-by: Stefan Berger stefanb@linux.vnet.ibm.com --- src/tcgbios.c | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/src/tcgbios.c b/src/tcgbios.c index ccf5486..dd391e9 100644 --- a/src/tcgbios.c +++ b/src/tcgbios.c @@ -952,9 +952,9 @@ enable_tpm(int enable, int verbose) if (pf.flags[PERM_FLAG_IDX_DISABLE] && !enable) return 0;
- ret = tpm_send_check_cmd(0, enable ? TPM_ORD_PhysicalEnable - : TPM_ORD_PhysicalDisable, - NULL, 0, TPM_DURATION_TYPE_SHORT); + ret = tpm_send_cmd(0, enable ? TPM_ORD_PhysicalEnable + : TPM_ORD_PhysicalDisable, + NULL, 0, TPM_DURATION_TYPE_SHORT); if (ret) { if (enable) dprintf(DEBUG_tcg, "TCGBIOS: Enabling the TPM failed.\n"); @@ -978,12 +978,12 @@ activate_tpm(int activate, int allow_reset, int verbose) if (pf.flags[PERM_FLAG_IDX_DISABLE]) return 0;
- ret = tpm_send_check_cmd(0, TPM_ORD_PhysicalSetDeactivated, - activate ? CommandFlag_FALSE - : CommandFlag_TRUE, - activate ? sizeof(CommandFlag_FALSE) - : sizeof(CommandFlag_TRUE), - TPM_DURATION_TYPE_SHORT); + ret = tpm_send_cmd(0, TPM_ORD_PhysicalSetDeactivated, + activate ? CommandFlag_FALSE + : CommandFlag_TRUE, + activate ? sizeof(CommandFlag_FALSE) + : sizeof(CommandFlag_TRUE), + TPM_DURATION_TYPE_SHORT); if (ret) return ret;
@@ -1031,8 +1031,8 @@ force_clear(int enable_activate_before, int enable_activate_after, int verbose) } }
- ret = tpm_send_check_cmd(0, TPM_ORD_ForceClear, - NULL, 0, TPM_DURATION_TYPE_SHORT); + ret = tpm_send_cmd(0, TPM_ORD_ForceClear, + NULL, 0, TPM_DURATION_TYPE_SHORT); if (ret) return ret;
@@ -1070,11 +1070,11 @@ set_owner_install(int allow, int verbose) return 0; }
- ret = tpm_send_check_cmd(0, TPM_ORD_SetOwnerInstall, - (allow) ? CommandFlag_TRUE - : CommandFlag_FALSE, - sizeof(CommandFlag_TRUE), - TPM_DURATION_TYPE_SHORT); + ret = tpm_send_cmd(0, TPM_ORD_SetOwnerInstall, + (allow) ? CommandFlag_TRUE + : CommandFlag_FALSE, + sizeof(CommandFlag_TRUE), + TPM_DURATION_TYPE_SHORT); if (ret) return ret;
On Thu, Jan 07, 2016 at 07:55:35AM -0500, Stefan Berger wrote:
Patch 1 fixes the return of a missing digest in the HashLogExtendEvent command.
Beyond thad that, the patches extend the handling of physical presence to HW physical presence and rework the showing of the TPM menu to depend on whether SW physical presence could be asserted or HW physical presence has been found to be enabled.
Thanks. In general it looks good to me. However, it looks like you applied your patches on top of my testing branch instead of on top of the master branch. My testing branch diverged from master (I didn't apply patch 8, and I fixed a couple of typos before committing to master).
I merged your patches into master and put them back to the (now updated) testing branch: https://github.com/KevinOConnor/seabios/tree/testing
Also, each patch in the series should have "tpm: " prefaced to the subject and I have three comments in patches 4 and 5. They are minor, so I can fix these on commit if you wish - let me know.
-Kevin
"Kevin O'Connor" kevin@koconnor.net wrote on 01/07/2016 11:19:30 AM:
On Thu, Jan 07, 2016 at 07:55:35AM -0500, Stefan Berger wrote:
Patch 1 fixes the return of a missing digest in the
HashLogExtendEvent command.
Beyond thad that, the patches extend the handling of physical presence
to HW
physical presence and rework the showing of the TPM menu to dependon
whether
SW physical presence could be asserted or HW physical presence hasbeen
found
to be enabled.
Thanks. In general it looks good to me. However, it looks like you applied your patches on top of my testing branch instead of on top of the master branch. My testing branch diverged from master (I didn't apply patch 8, and I fixed a couple of typos before committing to master).
I merged your patches into master and put them back to the (now updated) testing branch: https://github.com/KevinOConnor/seabios/tree/testing
Also, each patch in the series should have "tpm: " prefaced to the subject and I have three comments in patches 4 and 5. They are minor, so I can fix these on commit if you wish - let me know.
I can post a v3 based on the new ones in testing.
Stefan
-
Kevin O'Connor -
Stefan Berger