[coreboot-gerrit] Change in coreboot[master]: security/vboot: Enable TCPA log extension
Philipp Deppenwiese (Code Review)
gerrit at coreboot.org
Mon Jul 30 01:28:50 CEST 2018
Philipp Deppenwiese has uploaded this change for review. ( https://review.coreboot.org/27727 )
Change subject: security/vboot: Enable TCPA log extension
......................................................................
security/vboot: Enable TCPA log extension
* Implement TCPA log for tspi extend function.
* Hook tcpa_log_init into vboot tpm_setup function.
Change-Id: I22b1aa8da1a95380c39715727615ce5ce4c9443f
Signed-off-by: Philipp Deppenwiese <zaolin at das-labor.org>
---
M src/security/tpm/tspi.h
M src/security/tpm/tspi/tspi.c
M src/security/vboot/secdata_tpm.c
3 files changed, 29 insertions(+), 8 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/27/27727/1
diff --git a/src/security/tpm/tspi.h b/src/security/tpm/tspi.h
index 01b2984..2660750 100644
--- a/src/security/tpm/tspi.h
+++ b/src/security/tpm/tspi.h
@@ -33,12 +33,14 @@
/**
* Ask vboot for a digest and extend a TPM PCR with it.
+ * @param name sets additional info where the digest comes from
* @param pcr sets the pcr index
* @param digest sets the hash to extend into the tpm
- * @param out_digest get extended hash
+ * @param digest_len the length of the digest
* @return TPM_SUCCESS on success. If not a tpm error is returned
*/
-uint32_t tpm_extend_pcr(int pcr, uint8_t *digest, uint8_t *out_digest);
+uint32_t tpm_extend_pcr(const char *name, int pcr, uint8_t *digest,
+ size_t digest_len);
/**
* Issue a TPM_Clear and reenable/reactivate the TPM.
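Review bot: The doc comment for `tpm_extend_pcr` does not say what `digest_len` governs. In the tspi.c part of this change the length is handed only to `tcpa_log_add_table_entry`, while `tlcl_extend` is called without it, so the number of bytes extended into the PCR is not controlled by this parameter. I would state that in the header, e.g. `@param digest_len length of the digest recorded in the TCPA log; the extend itself takes no length`, and say whether `name` may be NULL. The opening line "Ask vboot for a digest" also no longer fits, since the caller now supplies the digest.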
diff --git a/src/security/tpm/tspi/tspi.c b/src/security/tpm/tspi/tspi.c
index 407e1fa..862a286 100644
--- a/src/security/tpm/tspi/tspi.c
+++ b/src/security/tpm/tspi/tspi.c
@@ -178,13 +178,21 @@
return TPM_SUCCESS;
}
-uint32_t tpm_extend_pcr(int pcr, uint8_t *digest, uint8_t *out_digest)
+uint32_t tpm_extend_pcr(const char *name, int pcr, uint8_t *digest,
+ size_t digest_len)
{
+ uint32_t result;
+
if (!digest)
return TPM_E_IOERROR;
- if (out_digest)
- return tlcl_extend(pcr, digest, out_digest);
+ result = tlcl_extend(pcr, digest, NULL);
+ if (result != TPM_SUCCESS)
+ return result;
- return tlcl_extend(pcr, digest, NULL);
+ result = tcpa_log_add_table_entry(name, pcr, digest, digest_len);
+ if (result != 0)
+ printk(BIOS_ERR, "ERROR: Couldn't creat TCPA log entry\n");
+
+ return 0;
}
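Review bot: A failed `tcpa_log_add_table_entry` is only printed and the function still reports success, so a PCR can end up extended with no matching log entry. Anyone replaying the event log against the PCR values would then see a mismatch that the return value never signalled. If continuing the boot is deliberate, record that above the printk, e.g. `/* Not fatal: the PCR is already extended, but the TCPA log is now incomplete */`. The final `return 0;` should be `return TPM_SUCCESS;` to match the context line at the top of the hunk, and the message should read `Couldn't create TCPA log entry`.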
diff --git a/src/security/vboot/secdata_tpm.c b/src/security/vboot/secdata_tpm.c
index 57c107b..b443200 100644
--- a/src/security/vboot/secdata_tpm.c
+++ b/src/security/vboot/secdata_tpm.c
@@ -65,7 +65,7 @@
static uint32_t safe_write(uint32_t index, const void *data, uint32_t length);
uint32_t vboot_extend_pcr(struct vb2_context *ctx, int pcr,
- enum vb2_pcr_digest which_digest)
+ enum vb2_pcr_digest which_digest)
{
uint8_t buffer[VB2_PCR_DIGEST_RECOMMENDED_SIZE];
uint32_t size = sizeof(buffer);
@@ -77,7 +77,15 @@
if (size < TPM_PCR_MINIMUM_DIGEST_SIZE)
return VB2_ERROR_UNKNOWN;
- return tpm_extend_pcr(pcr, buffer, NULL);
+
+ switch (which_digest) {
+ case BOOT_MODE_PCR:
+ return tpm_extend_pcr("GBB flags", pcr, buffer, size);
+ case HWID_DIGEST_PCR:
+ return tpm_extend_pcr("GBB HWID", pcr, buffer, size);
+ default:
+ return VB2_ERROR_UNKNOWN;
+ }
}
static uint32_t read_space_firmware(struct vb2_context *ctx)
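Review bot: `size` is forwarded as `digest_len` after being checked only against a lower bound (`size < TPM_PCR_MINIMUM_DIGEST_SIZE`), and `tpm_extend_pcr` gives that length to the log but not to `tlcl_extend`. If vboot returns a digest longer than the TPM consumes, the logged digest would differ from the value actually extended, which would break log replay during attestation; this is worth confirming for both `BOOT_MODE_PCR` and `HWID_DIGEST_PCR`. Either pass the length that is really extended or document the difference at the call, e.g. `/* log records the full vboot digest; the TPM may extend fewer bytes */`. The body of `vboot_extend_pcr` between its declarations and the size check is outside this hunk.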
@@ -441,6 +449,9 @@
if (result == TPM_E_MUST_REBOOT)
ctx->flags |= VB2_CONTEXT_SECDATA_WANTS_REBOOT;
+ // TCPA cbmem log
+ tcpa_log_init();
+
return result;
}
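Review bot: `tcpa_log_init()` is called on every path, including when `result` already holds an error or `TPM_E_MUST_REBOOT`, and nothing here shows whether the log was actually set up. If initialisation can fail, every later `tcpa_log_add_table_entry` would presumably fail as well and the only trace would be the printk in `tpm_extend_pcr`. The ordering requirement should be spelled out in place of the `// TCPA cbmem log` comment, e.g. `/* Set up the TCPA log in cbmem before the first tpm_extend_pcr() call */`, using the block-comment style of the surrounding code. The enclosing function starts outside the hunk, so whether any extend can run before this point cannot be checked from here.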
--
To view, visit https://review.coreboot.org/27727
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings
Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I22b1aa8da1a95380c39715727615ce5ce4c9443f
Gerrit-Change-Number: 27727
Gerrit-PatchSet: 1
Gerrit-Owner: Philipp Deppenwiese <zaolin.daisuki at gmail.com>