[coreboot-gerrit] Change in coreboot[master]: security/tpm: Improve TCPA log generation

Philipp Deppenwiese (Code Review) gerrit at coreboot.org
Sat Aug 4 01:46:25 CEST 2018


Philipp Deppenwiese has submitted this change and it was merged. ( https://review.coreboot.org/27769 )

Change subject: security/tpm: Improve TCPA log generation
......................................................................

security/tpm: Improve TCPA log generation

* Make tcpa_log_init static and move init code into
the tcpa_log_add_table_entry routine.
* Add more checks for log initialization.
* Fix minor issues

Change-Id: I215d79eed7ad17c6ab87f0c4b14a282e519ef07d
Signed-off-by: Philipp Deppenwiese <zaolin at das-labor.org>
Reviewed-on: https://review.coreboot.org/27769
Reviewed-by: Julius Werner <jwerner at chromium.org>
Tested-by: build bot (Jenkins) <no-reply at coreboot.org>
---
M src/commonlib/include/commonlib/tcpa_log_serialized.h
M src/drivers/tpm/tpm.c
M src/security/tpm/tspi.h
M src/security/tpm/tspi/log.c
M src/security/vboot/secdata_tpm.c
5 files changed, 26 insertions(+), 34 deletions(-)

Approvals:
  build bot (Jenkins): Verified
  Julius Werner: Looks good to me, approved



diff --git a/src/commonlib/include/commonlib/tcpa_log_serialized.h b/src/commonlib/include/commonlib/tcpa_log_serialized.h
index cd6fbec..6dfb566 100644
--- a/src/commonlib/include/commonlib/tcpa_log_serialized.h
+++ b/src/commonlib/include/commonlib/tcpa_log_serialized.h
@@ -29,7 +29,7 @@
 	uint32_t pcr;
 	uint8_t digest[TCPA_DIGEST_MAX_LENGTH];
 	uint32_t digest_length;
-	uint8_t name[TCPA_PCR_HASH_NAME];
+	char name[TCPA_PCR_HASH_NAME];
 } __packed;
 
 struct tcpa_table {
diff --git a/src/drivers/tpm/tpm.c b/src/drivers/tpm/tpm.c
index 8c68159..e4a81c3 100644
--- a/src/drivers/tpm/tpm.c
+++ b/src/drivers/tpm/tpm.c
@@ -30,9 +30,6 @@
 #else
 	tpm_setup(false);
 #endif
-
-	// TCPA cbmem log
-	tcpa_log_init();
 }
 
 BOOT_STATE_INIT_ENTRY(BS_DEV_INIT, BS_ON_ENTRY, init_tpm_dev, NULL);
diff --git a/src/security/tpm/tspi.h b/src/security/tpm/tspi.h
index 94b53b0..e4ddefc 100644
--- a/src/security/tpm/tspi.h
+++ b/src/security/tpm/tspi.h
@@ -21,11 +21,6 @@
 #include <commonlib/tcpa_log_serialized.h>
 
 /**
- * Setup TCPA cbmem log.
- */
-void tcpa_log_init(void);
-
-/**
  * Add table entry for cbmem TCPA log.
  */
 void tcpa_log_add_table_entry(const char *name, const uint32_t pcr,
diff --git a/src/security/tpm/tspi/log.c b/src/security/tpm/tspi/log.c
index 8ec4c6d..0a6655a 100644
--- a/src/security/tpm/tspi/log.c
+++ b/src/security/tpm/tspi/log.c
@@ -18,47 +18,45 @@
 #include <console/console.h>
 #include <security/tpm/tspi.h>
 
-void tcpa_log_init(void)
+static struct tcpa_table *tcpa_log_init(void)
 {
-	const struct cbmem_entry *ce;
-	struct tcpa_table *tclt;
+	MAYBE_STATIC struct tcpa_table *tclt = NULL;
 
 	if (!cbmem_possibly_online())
-		return;
+		return NULL;
 
-	ce = cbmem_entry_find(CBMEM_ID_TCPA_LOG);
-	if (ce)
-		return;
+	if (tclt != NULL)
+		return tclt;
+
+	tclt = (struct tcpa_table *) cbmem_entry_find(CBMEM_ID_TCPA_LOG);
+	if (tclt)
+		return tclt;
 
 	tclt = cbmem_add(CBMEM_ID_TCPA_LOG,
 			 sizeof(struct tcpa_table) +
-				 MAX_TCPA_LOG_ENTRIES *
-					 sizeof(struct tcpa_entry));
+			 MAX_TCPA_LOG_ENTRIES *
+			 sizeof(struct tcpa_entry));
 
-	if (!tclt)
-		return;
+	if (!tclt) {
+		printk(BIOS_ERR, "ERROR: Could not create TCPA log table\n");
+		return NULL;
+	}
 
 	tclt->max_entries = MAX_TCPA_LOG_ENTRIES;
 	tclt->num_entries = 0;
 
 	printk(BIOS_DEBUG, "TCPA log created at %p\n", tclt);
+
+	return tclt;
 }
 
 void tcpa_log_add_table_entry(const char *name, const uint32_t pcr,
 			      const uint8_t *digest, const size_t digest_length)
 {
-	MAYBE_STATIC struct tcpa_table *tclt = NULL;
+	struct tcpa_table *tclt;
 	struct tcpa_entry *tce;
 
-	if (!cbmem_possibly_online())
-		return;
-
-	tclt = cbmem_find(CBMEM_ID_TCPA_LOG);
-	if (!tclt) {
-		printk(BIOS_ERR, "ERROR: No TCPA log table found\n");
-		return;
-	}
-
+	tclt = tcpa_log_init();
 	if (tclt->num_entries == tclt->max_entries) {
 		printk(BIOS_WARNING, "ERROR: TCPA log table is full\n");
 		return;
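Review bot: `tcpa_log_add_table_entry` reads `tclt->num_entries` directly after `tclt = tcpa_log_init();`, but the new `tcpa_log_init` returns NULL both when `cbmem_possibly_online()` is false and when `cbmem_add` fails, so a measurement logged in either case dereferences NULL where the removed code returned early. Add `if (!tclt) return;` right after the call. Separately, `tclt = (struct tcpa_table *) cbmem_entry_find(CBMEM_ID_TCPA_LOG);` casts what the removed code held as a `const struct cbmem_entry *` to the table itself, while the removed lookup of the table used `cbmem_find`. If the entry descriptor and its payload are not the same address, log writes on the "already exists" path would land on cbmem bookkeeping instead of the log, so `tclt = cbmem_find(CBMEM_ID_TCPA_LOG);` looks like the intended call. The body of `tcpa_log_add_table_entry` continues past this hunk.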
@@ -66,8 +64,13 @@
 
 	tce = &tclt->entries[tclt->num_entries++];
 
-	memcpy(tce->name, name, TCPA_PCR_HASH_NAME);
+	strncpy(tce->name, name, TCPA_PCR_HASH_NAME - 1);
 	tce->pcr = pcr;
+
+	if (digest_length > TCPA_DIGEST_MAX_LENGTH) {
+		printk(BIOS_WARNING, "ERROR: PCR digest too long for TCPA log entry\n");
+		return;
+	}
 	memcpy(tce->digest, digest, digest_length);
 	tce->digest_length = digest_length;
 }
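Review bot: The new `digest_length > TCPA_DIGEST_MAX_LENGTH` check runs after `tclt->num_entries++` and after `name` and `pcr` are written, so a rejected digest still consumes a slot and leaves a counted entry whose `digest` and `digest_length` were never set. Moving the length check to the top of the function, before the slot is taken, keeps half-filled records out of a log that a verifier will later replay against the PCR values. Also, `strncpy(tce->name, name, TCPA_PCR_HASH_NAME - 1);` only produces a terminated string if the last byte is already zero, which nothing visible here guarantees; add `tce->name[TCPA_PCR_HASH_NAME - 1] = '\0';` after the copy. The function begins in the previous hunk.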
diff --git a/src/security/vboot/secdata_tpm.c b/src/security/vboot/secdata_tpm.c
index d3f4a11..c62f18b 100644
--- a/src/security/vboot/secdata_tpm.c
+++ b/src/security/vboot/secdata_tpm.c
@@ -451,9 +451,6 @@
 	if (result == TPM_E_MUST_REBOOT)
 		ctx->flags |= VB2_CONTEXT_SECDATA_WANTS_REBOOT;
 
-	// TCPA cbmem log
-	tcpa_log_init();
-
 	return result;
 }
 

-- 
To view, visit https://review.coreboot.org/27769
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I215d79eed7ad17c6ab87f0c4b14a282e519ef07d
Gerrit-Change-Number: 27769
Gerrit-PatchSet: 9
Gerrit-Owner: Philipp Deppenwiese <zaolin.daisuki at gmail.com>
Gerrit-Reviewer: Julius Werner <jwerner at chromium.org>
Gerrit-Reviewer: Patrick Rudolph <siro at das-labor.org>
Gerrit-Reviewer: Paul Menzel <paulepanter at users.sourceforge.net>
Gerrit-Reviewer: Philipp Deppenwiese <zaolin.daisuki at gmail.com>
Gerrit-Reviewer: build bot (Jenkins) <no-reply at coreboot.org>