[coreboot-gerrit] Change in coreboot[master]: security/vboot: Enable TCPA log extension

Mon Jul 30 01:28:50 CEST 2018

Philipp Deppenwiese has uploaded this change for review. ( https://review.coreboot.org/27727


Change subject: security/vboot: Enable TCPA log extension
......................................................................

security/vboot: Enable TCPA log extension

* Implement TCPA log for tspi extend function.
* Hook tcpa_log_init into vboot tpm_setup function.

Change-Id: I22b1aa8da1a95380c39715727615ce5ce4c9443f
Signed-off-by: Philipp Deppenwiese <zaolin at das-labor.org>
---
M src/security/tpm/tspi.h
M src/security/tpm/tspi/tspi.c
M src/security/vboot/secdata_tpm.c
3 files changed, 29 insertions(+), 8 deletions(-)



  git pull ssh://review.coreboot.org:29418/coreboot refs/changes/27/27727/1

diff --git a/src/security/tpm/tspi.h b/src/security/tpm/tspi.h
index 01b2984..2660750 100644
--- a/src/security/tpm/tspi.h
+++ b/src/security/tpm/tspi.h
@@ -33,12 +33,14 @@
 
 /**
  * Ask vboot for a digest and extend a TPM PCR with it.
+ * @param name sets additional info where the digest comes from
  * @param pcr sets the pcr index
  * @param digest sets the hash to extend into the tpm
- * @param out_digest get extended hash
+ * @param digest_len the length of the digest
  * @return TPM_SUCCESS on success. If not a tpm error is returned
  */
-uint32_t tpm_extend_pcr(int pcr, uint8_t *digest, uint8_t *out_digest);
+uint32_t tpm_extend_pcr(const char *name, int pcr, uint8_t *digest,
+			size_t digest_len);
 
 /**
  * Issue a TPM_Clear and reenable/reactivate the TPM.
diff --git a/src/security/tpm/tspi/tspi.c b/src/security/tpm/tspi/tspi.c
index 407e1fa..862a286 100644
--- a/src/security/tpm/tspi/tspi.c
+++ b/src/security/tpm/tspi/tspi.c
@@ -178,13 +178,21 @@
 	return TPM_SUCCESS;
 }
 
-uint32_t tpm_extend_pcr(int pcr, uint8_t *digest, uint8_t *out_digest)
+uint32_t tpm_extend_pcr(const char *name, int pcr, uint8_t *digest,
+			size_t digest_len)
 {
+	uint32_t result;
+
 	if (!digest)
 		return TPM_E_IOERROR;
 
-	if (out_digest)
-		return tlcl_extend(pcr, digest, out_digest);
+	result = tlcl_extend(pcr, digest, NULL);
+	if (result != TPM_SUCCESS)
+		return result;
 
-	return tlcl_extend(pcr, digest, NULL);
+	result = tcpa_log_add_table_entry(name, pcr, digest, digest_len);
+	if (result != 0)
+		printk(BIOS_ERR, "ERROR: Couldn't creat TCPA log entry\n");
+
+	return 0;
 }
diff --git a/src/security/vboot/secdata_tpm.c b/src/security/vboot/secdata_tpm.c
index 57c107b..b443200 100644
--- a/src/security/vboot/secdata_tpm.c
+++ b/src/security/vboot/secdata_tpm.c
@@ -65,7 +65,7 @@
 static uint32_t safe_write(uint32_t index, const void *data, uint32_t length);
 
 uint32_t vboot_extend_pcr(struct vb2_context *ctx, int pcr,
-			enum vb2_pcr_digest which_digest)
+			  enum vb2_pcr_digest which_digest)
 {
 	uint8_t buffer[VB2_PCR_DIGEST_RECOMMENDED_SIZE];
 	uint32_t size = sizeof(buffer);
@@ -77,7 +77,15 @@
 	if (size < TPM_PCR_MINIMUM_DIGEST_SIZE)
 		return VB2_ERROR_UNKNOWN;
 
-	return tpm_extend_pcr(pcr, buffer, NULL);
+
+	switch (which_digest) {
+	case BOOT_MODE_PCR:
+		return tpm_extend_pcr("GBB flags", pcr, buffer, size);
+	case HWID_DIGEST_PCR:
+		return tpm_extend_pcr("GBB HWID", pcr, buffer, size);
+	default:
+		return VB2_ERROR_UNKNOWN;
+	}
 }
 
 static uint32_t read_space_firmware(struct vb2_context *ctx)
@@ -441,6 +449,9 @@
 	if (result == TPM_E_MUST_REBOOT)
 		ctx->flags |= VB2_CONTEXT_SECDATA_WANTS_REBOOT;
 
+	// TCPA cbmem log
+	tcpa_log_init();
+
 	return result;
 }
 

-- 
To view, visit https://review.coreboot.org/27727
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I22b1aa8da1a95380c39715727615ce5ce4c9443f
Gerrit-Change-Number: 27727
Gerrit-PatchSet: 1
Gerrit-Owner: Philipp Deppenwiese <zaolin.daisuki at gmail.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.coreboot.org/pipermail/coreboot-gerrit/attachments/20180729/ab8e461f/attachment-0001.html>
