diff options
| author | Philipp Deppenwiese <zaolin@das-labor.org> | 2020-12-18 19:40:55 +0100 |
|---|---|---|
| committer | Patrick Georgi <pgeorgi@google.com> | 2021-02-07 21:52:43 +0000 |
| commit | 1474ddb722d131d1534c958dbb7136e73a34268f (patch) | |
| tree | d5432182b3e2cb9fcbe9989afbffa69d2702e8fb | |
| parent | 1c7b526de11924b36bf86f305f419830349774b9 (diff) | |
| download | coreboot-1474ddb722d131d1534c958dbb7136e73a34268f.tar.gz coreboot-1474ddb722d131d1534c958dbb7136e73a34268f.tar.bz2 coreboot-1474ddb722d131d1534c958dbb7136e73a34268f.zip | |
security/tpm: Add crypto agility support
* Added tlcl_extend size checks
* Added TPM2 tlcl_extend crypto agility
TESTED=On Facebook Watson_V2 mainboard, the TCPA log now shows correct hash content and algorithm:
PCR-0 62571891215b4efc1ceab744ce59dd0b66ea6f73 SHA1 [VBOOT: boot mode]
instead of:
PCR-0 62571891215b4efc1ceab744ce59dd0b66ea6f73 SHA256 [VBOOT: boot mode]
Change-Id: I9cc8d994081896e8c0d511c31e9741297227afef
Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/48742
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
| -rw-r--r-- | src/security/tpm/tspi/tspi.c | 19 | ||||
| -rw-r--r-- | src/security/tpm/tss.h | 3 | ||||
| -rw-r--r-- | src/security/tpm/tss/tcg-1.2/tss.c | 8 | ||||
| -rw-r--r-- | src/security/tpm/tss/tcg-2.0/tss.c | 38 | ||||
| -rw-r--r-- | src/security/vboot/tpm_common.c | 2 | ||||
| -rw-r--r-- | src/vendorcode/eltan/security/mboot/mboot.c | 3 |
6 files changed, 61 insertions, 12 deletions
diff --git a/src/security/tpm/tspi/tspi.c b/src/security/tpm/tspi/tspi.c index 966b8b7c77ce..795016e725a6 100644 --- a/src/security/tpm/tspi/tspi.c +++ b/src/security/tpm/tspi/tspi.c @@ -210,11 +210,28 @@ uint32_t tpm_extend_pcr(int pcr, enum vb2_hash_algorithm digest_algo, uint8_t *digest, size_t digest_len, const char *name) { uint32_t result; + uint16_t algorithm = 0; if (!digest) return TPM_E_IOERROR; - result = tlcl_extend(pcr, digest, NULL); +#if CONFIG(TPM2) + switch (digest_algo) { + case VB2_HASH_SHA1: + algorithm = TPM_ALG_SHA1; + break; + case VB2_HASH_SHA256: + algorithm = TPM_ALG_SHA256; + break; + case VB2_HASH_SHA512: + algorithm = TPM_ALG_SHA512; + break; + default: + return TPM_E_HASH_ERROR; + } +#endif + + result = tlcl_extend(pcr, algorithm, digest, digest_len, NULL); if (result != TPM_SUCCESS) return result; diff --git a/src/security/tpm/tss.h b/src/security/tpm/tss.h index 336935d91198..c1ba234c2cad 100644 --- a/src/security/tpm/tss.h +++ b/src/security/tpm/tss.h @@ -184,7 +184,8 @@ uint32_t tlcl_lock_nv_write(uint32_t index); /** * Perform a TPM_Extend. */ -uint32_t tlcl_extend(int pcr_num, const uint8_t *in_digest, +uint32_t tlcl_extend(int pcr_num, uint16_t algorithm, + const uint8_t *in_digest, size_t in_digest_len, uint8_t *out_digest); /** diff --git a/src/security/tpm/tss/tcg-1.2/tss.c b/src/security/tpm/tss/tcg-1.2/tss.c index b11d6a3d1636..4c980d0d7920 100644 --- a/src/security/tpm/tss/tcg-1.2/tss.c +++ b/src/security/tpm/tss/tcg-1.2/tss.c @@ -341,7 +341,8 @@ uint32_t tlcl_set_global_lock(void) return tlcl_write(TPM_NV_INDEX0, (uint8_t *) &x, 0); } -uint32_t tlcl_extend(int pcr_num, const uint8_t *in_digest, +uint32_t tlcl_extend(int pcr_num, uint16_t algorithm, + const uint8_t *in_digest, size_t in_digest_len, uint8_t *out_digest) { struct s_tpm_extend_cmd cmd; @@ -350,8 +351,11 @@ uint32_t tlcl_extend(int pcr_num, const uint8_t *in_digest, memcpy(&cmd, &tpm_extend_cmd, sizeof(cmd)); to_tpm_uint32(cmd.buffer + tpm_extend_cmd.pcrNum, pcr_num); - memcpy(cmd.buffer + cmd.inDigest, in_digest, kPcrDigestLength); + if (in_digest_len != kPcrDigestLength) + return TPM_E_HASH_ERROR; + + memcpy(cmd.buffer + cmd.inDigest, in_digest, kPcrDigestLength); result = tlcl_send_receive(cmd.buffer, response, sizeof(response)); if (result != TPM_SUCCESS) return result; diff --git a/src/security/tpm/tss/tcg-2.0/tss.c b/src/security/tpm/tss/tcg-2.0/tss.c index 16e40fe56974..ac43549d8481 100644 --- a/src/security/tpm/tss/tcg-2.0/tss.c +++ b/src/security/tpm/tss/tcg-2.0/tss.c @@ -127,21 +127,47 @@ uint32_t tlcl_assert_physical_presence(void) } /* - * The caller will provide the digest in a 32 byte buffer, let's consider it a - * sha256 digest. + * The caller will provide the pcr index, digest algorithm and + * a byte buffer to extend into the TPM. */ -uint32_t tlcl_extend(int pcr_num, const uint8_t *in_digest, +uint32_t tlcl_extend(int pcr_num, uint16_t algorithm, + const uint8_t *in_digest, size_t in_digest_len, uint8_t *out_digest) { struct tpm2_pcr_extend_cmd pcr_ext_cmd; struct tpm2_response *response; + uint16_t algorithm_size; pcr_ext_cmd.pcrHandle = HR_PCR + pcr_num; pcr_ext_cmd.digests.count = 1; - pcr_ext_cmd.digests.digests[0].hashAlg = TPM_ALG_SHA256; - memcpy(pcr_ext_cmd.digests.digests[0].digest.sha256, in_digest, - sizeof(pcr_ext_cmd.digests.digests[0].digest.sha256)); + pcr_ext_cmd.digests.digests[0].hashAlg = algorithm; + algorithm_size = tlcl_get_hash_size_from_algo(algorithm); + if (algorithm_size == 0) + return TPM_E_HASH_ERROR; + + if (in_digest_len != algorithm_size) + return TPM_E_HASH_ERROR; + + switch (algorithm) { + case TPM_ALG_SHA1: + memcpy(pcr_ext_cmd.digests.digests[0].digest.sha1, in_digest, in_digest_len); + break; + case TPM_ALG_SHA256: + memcpy(pcr_ext_cmd.digests.digests[0].digest.sha256, in_digest, in_digest_len); + break; + case TPM_ALG_SHA384: + memcpy(pcr_ext_cmd.digests.digests[0].digest.sha384, in_digest, in_digest_len); + break; + case TPM_ALG_SHA512: + memcpy(pcr_ext_cmd.digests.digests[0].digest.sha512, in_digest, in_digest_len); + break; + case TPM_ALG_SM3_256: + memcpy(pcr_ext_cmd.digests.digests[0].digest.sm3_256, in_digest, in_digest_len); + break; + default: + return TPM_E_HASH_ERROR; + } response = tpm_process_command(TPM2_PCR_Extend, &pcr_ext_cmd); printk(BIOS_INFO, "%s: response is %x\n", diff --git a/src/security/vboot/tpm_common.c b/src/security/vboot/tpm_common.c index 0a211c57d4c8..1db7189d7a8a 100644 --- a/src/security/vboot/tpm_common.c +++ b/src/security/vboot/tpm_common.c @@ -46,7 +46,7 @@ vb2_error_t vboot_extend_pcr(struct vb2_context *ctx, int pcr, switch (which_digest) { /* SHA1 of (devmode|recmode|keyblock) bits */ case BOOT_MODE_PCR: - return tpm_extend_pcr(pcr, VB2_HASH_SHA256, buffer, size, + return tpm_extend_pcr(pcr, VB2_HASH_SHA1, buffer, size, TPM_PCR_BOOT_MODE); /* SHA256 of HWID */ case HWID_DIGEST_PCR: diff --git a/src/vendorcode/eltan/security/mboot/mboot.c b/src/vendorcode/eltan/security/mboot/mboot.c index c5523a5fd82f..499d35299c27 100644 --- a/src/vendorcode/eltan/security/mboot/mboot.c +++ b/src/vendorcode/eltan/security/mboot/mboot.c @@ -150,7 +150,8 @@ int mboot_hash_extend_log(uint64_t flags, uint8_t *hashData, uint32_t hashDataLe printk(BIOS_DEBUG, "%s: SHA256 Hash Digest:\n", __func__); mboot_print_buffer(digest->digest.sha256, VB2_SHA256_DIGEST_SIZE); - return (tlcl_extend(newEventHdr->pcrIndex, (uint8_t *)&(newEventHdr->digest), NULL)); + return (tlcl_extend(newEventHdr->pcrIndex, newEventHdr->digest.digests[0].hashAlg, + (uint8_t *)&(newEventHdr->digest), hashDataLen, NULL)); } /* |