[coreboot-gerrit] Change in coreboot[master]: security/vboot: Enable TCPA log extension

Philipp Deppenwiese (Code Review) gerrit at coreboot.org
Mon Jul 30 17:46:34 CEST 2018 

Philipp Deppenwiese has submitted this change and it was merged. ( https://review.coreboot.org/27727 )

Change subject: security/vboot: Enable TCPA log extension
......................................................................

security/vboot: Enable TCPA log extension

* Implement TCPA log for tspi extend function.
* Hook tcpa_log_init into vboot tpm_setup function.
* Add TCPA log output for vboot GBB flags and HWID

Change-Id: I22b1aa8da1a95380c39715727615ce5ce4c9443f
Signed-off-by: Philipp Deppenwiese <zaolin at das-labor.org>
Reviewed-on: https://review.coreboot.org/27727
Tested-by: build bot (Jenkins) <no-reply at coreboot.org>
Reviewed-by: Patrick Rudolph <siro at das-labor.org>
---
M src/security/tpm/tspi.h
M src/security/tpm/tspi/tspi.c
M src/security/vboot/secdata_tpm.c
3 files changed, 31 insertions(+), 8 deletions(-)

Approvals:
  build bot (Jenkins): Verified
  Patrick Rudolph: Looks good to me, approved



diff --git a/src/security/tpm/tspi.h b/src/security/tpm/tspi.h
index 01b2984..43254c1 100644
--- a/src/security/tpm/tspi.h
+++ b/src/security/tpm/tspi.h
@@ -35,10 +35,12 @@
  * Ask vboot for a digest and extend a TPM PCR with it.
  * @param pcr sets the pcr index
  * @param digest sets the hash to extend into the tpm
- * @param out_digest get extended hash
+ * @param digest_len the length of the digest
+ * @param name sets additional info where the digest comes from
  * @return TPM_SUCCESS on success. If not a tpm error is returned
  */
-uint32_t tpm_extend_pcr(int pcr, uint8_t *digest, uint8_t *out_digest);
+uint32_t tpm_extend_pcr(int pcr, uint8_t *digest, size_t digest_len,
+			const char *name);
 
 /**
  * Issue a TPM_Clear and reenable/reactivate the TPM.
diff --git a/src/security/tpm/tspi/tspi.c b/src/security/tpm/tspi/tspi.c
index 407e1fa..48b6219 100644
--- a/src/security/tpm/tspi/tspi.c
+++ b/src/security/tpm/tspi/tspi.c
@@ -178,13 +178,21 @@
 	return TPM_SUCCESS;
 }
 
-uint32_t tpm_extend_pcr(int pcr, uint8_t *digest, uint8_t *out_digest)
+uint32_t tpm_extend_pcr(int pcr, uint8_t *digest,
+			size_t digest_len, const char *name)
 {
+	uint32_t result;
+
 	if (!digest)
 		return TPM_E_IOERROR;
 
-	if (out_digest)
-		return tlcl_extend(pcr, digest, out_digest);
+	result = tlcl_extend(pcr, digest, NULL);
+	if (result != TPM_SUCCESS)
+		return result;
 
-	return tlcl_extend(pcr, digest, NULL);
+	result = tcpa_log_add_table_entry(name, pcr, digest, digest_len);
+	if (result != 0)
+		printk(BIOS_ERR, "ERROR: Couldn't create TCPA log entry\n");
+
+	return 0;
 }
diff --git a/src/security/vboot/secdata_tpm.c b/src/security/vboot/secdata_tpm.c
index 57c107b..d3f4a11 100644
--- a/src/security/vboot/secdata_tpm.c
+++ b/src/security/vboot/secdata_tpm.c
@@ -61,11 +61,13 @@
 		}							\
 	} while (0)
 
+#define TPM_PCR_GBB_FLAGS_NAME "GBB flags"
+#define TPM_PCR_GBB_HWID_NAME "GBB HWID"
 
 static uint32_t safe_write(uint32_t index, const void *data, uint32_t length);
 
 uint32_t vboot_extend_pcr(struct vb2_context *ctx, int pcr,
-			enum vb2_pcr_digest which_digest)
+			  enum vb2_pcr_digest which_digest)
 {
 	uint8_t buffer[VB2_PCR_DIGEST_RECOMMENDED_SIZE];
 	uint32_t size = sizeof(buffer);
@@ -77,7 +79,15 @@
 	if (size < TPM_PCR_MINIMUM_DIGEST_SIZE)
 		return VB2_ERROR_UNKNOWN;
 
-	return tpm_extend_pcr(pcr, buffer, NULL);
+	switch (which_digest) {
+	case BOOT_MODE_PCR:
+		return tpm_extend_pcr(pcr, buffer, size,
+				      TPM_PCR_GBB_FLAGS_NAME);
+	case HWID_DIGEST_PCR:
+		return tpm_extend_pcr(pcr, buffer, size, TPM_PCR_GBB_HWID_NAME);
+	default:
+		return VB2_ERROR_UNKNOWN;
+	}
 }
 
 static uint32_t read_space_firmware(struct vb2_context *ctx)
@@ -441,6 +451,9 @@
 	if (result == TPM_E_MUST_REBOOT)
 		ctx->flags |= VB2_CONTEXT_SECDATA_WANTS_REBOOT;
 
+	// TCPA cbmem log
+	tcpa_log_init();
+
 	return result;
 }
 

-- 
To view, visit https://review.coreboot.org/27727
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I22b1aa8da1a95380c39715727615ce5ce4c9443f
Gerrit-Change-Number: 27727
Gerrit-PatchSet: 10
Gerrit-Owner: Philipp Deppenwiese <zaolin.daisuki at gmail.com>
Gerrit-Reviewer: Patrick Rudolph <siro at das-labor.org>
Gerrit-Reviewer: Paul Menzel <paulepanter at users.sourceforge.net>
Gerrit-Reviewer: Philipp Deppenwiese <zaolin.daisuki at gmail.com>
Gerrit-Reviewer: build bot (Jenkins) <no-reply at coreboot.org>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.coreboot.org/pipermail/coreboot-gerrit/attachments/20180730/abac1998/attachment.html>

More information about the coreboot-gerrit mailing list