security/tpm: add TPM log format as per 1.2 spec

Used by default for all boards with TPM1 which don't specify log format
explicitly.

Ticket: https://ticket.coreboot.org/issues/423
Change-Id: I89720615a75573d44dd0a39ad3d7faa78f125843
Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com>
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/68747
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>

src/commonlib/bsd/include/commonlib/bsd/cbmem_id.h

@@ -60,10 +60,10 @@
 #define CBMEM_ID_STAGEx_CACHE	0x57a9e100
 #define CBMEM_ID_STAGEx_RAW	0x57a9e200
 #define CBMEM_ID_STORAGE_DATA	0x53746f72
-#define CBMEM_ID_TPM_CB_LOG	0x54435041
+#define CBMEM_ID_TPM_CB_LOG	0x54435041 /* TPM log in coreboot-specific format */
-#define CBMEM_ID_TCPA_TCG_LOG	0x54445041
+#define CBMEM_ID_TCPA_TCG_LOG	0x54445041 /* TPM log per TPM 1.2 specification */
 #define CBMEM_ID_TIMESTAMP	0x54494d45
-#define CBMEM_ID_TPM2_TCG_LOG	0x54504d32
+#define CBMEM_ID_TPM2_TCG_LOG	0x54504d32 /* TPM log per TPM 2.0 specification */
 #define CBMEM_ID_TPM_PPI	0x54505049
 #define CBMEM_ID_VBOOT_HANDOFF	0x780074f0  /* deprecated */
 #define CBMEM_ID_VBOOT_SEL_REG	0x780074f1  /* deprecated */

src/commonlib/bsd/include/commonlib/bsd/tpm_log_defs.h

@@ -0,0 +1,42 @@
+/* SPDX-License-Identifier: BSD-3-Clause */
+
+#ifndef COMMONLIB_BSD_TPM_LOG_DEFS_H
+#define COMMONLIB_BSD_TPM_LOG_DEFS_H
+
+#include <commonlib/helpers.h>
+#include <stdint.h>
+
+#define TCPA_SPEC_ID_EVENT_SIGNATURE    "Spec ID Event00"
+#define TCG_EFI_SPEC_ID_EVENT_SIGNATURE "Spec ID Event03"
+
+#define EV_PREBOOT_CERT			0x00000000
+#define EV_POST_CODE			0x00000001
+#define EV_UNUSED			0x00000002
+#define EV_NO_ACTION			0x00000003
+#define EV_SEPARATOR			0x00000004
+#define EV_ACTION			0x00000005
+#define EV_EVENT_TAG			0x00000006
+#define EV_S_CRTM_CONTENTS		0x00000007
+#define EV_S_CRTM_VERSION		0x00000008
+#define EV_CPU_MICROCODE		0x00000009
+#define EV_PLATFORM_CONFIG_FLAGS	0x0000000A
+#define EV_TABLE_OF_DEVICES		0x0000000B
+#define EV_COMPACT_HASH			0x0000000C
+#define EV_IPL				0x0000000D
+#define EV_IPL_PARTITION_DATA		0x0000000E
+#define EV_NONHOST_CODE			0x0000000F
+#define EV_NONHOST_CONFIG		0x00000010
+#define EV_NONHOST_INFO			0x00000011
+#define EV_OMIT_BOOT_DEVICE_EVENTS	0x00000012
+
+struct spec_id_event_data {
+	char signature[16];
+	uint32_t platform_class;
+	uint8_t spec_version_minor;
+	uint8_t spec_version_major;
+	uint8_t spec_errata;
+	uint8_t reserved;
+	uint8_t vendor_info_size;
+} __packed;
+
+#endif

src/security/tpm/Kconfig

@@ -97,12 +97,19 @@ config TPM_MEASURED_BOOT
 choice
 	prompt "TPM event log format"
 	depends on TPM_MEASURED_BOOT
+	default TPM_LOG_TPM1 if TPM1
 	default TPM_LOG_CB
 
 config TPM_LOG_CB
 	bool "coreboot's custom format"
 	help
 	  Custom coreboot-specific format of the log derived from TPM1 log format.
+config TPM_LOG_TPM1
+	bool "TPM 1.2 format"
+	depends on TPM1
+	help
+	  Log per TPM 1.2 specification.
+	  See "TCG PC Client Specific Implementation Specification for Conventional BIOS".
 
 endchoice
 

src/security/tpm/Makefile.inc

@@ -61,4 +61,10 @@ verstage-$(CONFIG_TPM_LOG_CB) += tspi/log.c
 postcar-$(CONFIG_TPM_LOG_CB) += tspi/log.c
 bootblock-$(CONFIG_TPM_LOG_CB) += tspi/log.c
 
+ramstage-$(CONFIG_TPM_LOG_TPM1) += tspi/log-tpm1.c
+romstage-$(CONFIG_TPM_LOG_TPM1) += tspi/log-tpm1.c
+verstage-$(CONFIG_TPM_LOG_TPM1) += tspi/log-tpm1.c
+postcar-$(CONFIG_TPM_LOG_TPM1) += tspi/log-tpm1.c
+bootblock-$(CONFIG_TPM_LOG_TPM1) += tspi/log-tpm1.c
+
 endif # CONFIG_TPM_MEASURED_BOOT

src/security/tpm/tpm1_log_serialized.h

@@ -0,0 +1,47 @@
+/* SPDX-License-Identifier: BSD-3-Clause */
+
+#ifndef __TPM1_LOG_SERIALIZED_H__
+#define __TPM1_LOG_SERIALIZED_H__
+
+#include <commonlib/bsd/helpers.h>
+#include <commonlib/bsd/tpm_log_defs.h>
+#include <stdint.h>
+
+#define TPM_1_LOG_DIGEST_MAX_LENGTH 20
+#define TPM_1_LOG_DATA_MAX_LENGTH 50
+
+#define TPM_1_LOG_VI_MAGIC 0x31544243 /* "CBT1" in LE */
+#define TPM_1_LOG_VI_MAJOR 1
+#define TPM_1_LOG_VI_MINOR 0
+
+struct tpm_1_log_entry {
+	uint32_t pcr;
+	uint32_t event_type;
+	uint8_t digest[TPM_1_LOG_DIGEST_MAX_LENGTH];
+	uint32_t data_length;
+	uint8_t data[TPM_1_LOG_DATA_MAX_LENGTH];
+} __packed;
+
+struct tpm_1_vendor {
+	uint8_t reserved;
+	uint8_t version_major;
+	uint8_t version_minor;
+	uint32_t magic;
+	uint16_t max_entries;
+	uint16_t num_entries;
+	uint32_t entry_size;
+} __packed;
+
+struct tpm_1_log_table {
+	/* The first entry of the log is inlined and describes the log itself */
+	uint32_t pcr;
+	uint32_t event_type;
+	uint8_t digest[TPM_1_LOG_DIGEST_MAX_LENGTH];
+	uint32_t spec_id_size;
+	struct spec_id_event_data spec_id;
+	struct tpm_1_vendor vendor;
+
+	struct tpm_1_log_entry entries[0]; /* Variable number of entries */
+} __packed;
+
+#endif

src/security/tpm/tspi.h

@@ -3,6 +3,8 @@
 #ifndef TSPI_H_
 #define TSPI_H_
 
+#include <security/tpm/tpm1_log_serialized.h>
+#include <security/tpm/tspi/logs.h>
 #include <security/tpm/tss.h>
 #include <commonlib/tpm_log_serialized.h>
 #include <commonlib/region.h>
@@ -24,29 +26,62 @@ void *tpm_log_init(void);
  * Get the pointer to the single CBMEM instance of global
  * TPM log data, and initialize it when necessary
  */
-void *tpm_log_cbmem_init(void);
+static inline void *tpm_log_cbmem_init(void)
+{
+	if (CONFIG(TPM_LOG_CB))
+		return tpm_cb_log_cbmem_init();
+	if (CONFIG(TPM_LOG_TPM1))
+		return tpm1_log_cbmem_init();
+	return NULL;
+}
 
 /**
  * Clears the pre-RAM TPM log data and initializes
  * any content with default values
  */
-void tpm_preram_log_clear(void);
+static inline void tpm_preram_log_clear(void)
+{
+	if (CONFIG(TPM_LOG_CB))
+		tpm_cb_preram_log_clear();
+	else if (CONFIG(TPM_LOG_TPM1))
+		tpm1_preram_log_clear();
+}
 
 /**
  * Retrieves number of entries currently stored in the log.
  */
-uint16_t tpm_log_get_size(const void *log_table);
+static inline uint16_t tpm_log_get_size(const void *log_table)
+{
+	if (CONFIG(TPM_LOG_CB))
+		return tpm_cb_log_get_size(log_table);
+	if (CONFIG(TPM_LOG_TPM1))
+		return tpm1_log_get_size(log_table);
+	return 0;
+}
 
 /**
  * Copies data from pre-RAM TPM log to CBMEM (RAM) log
  */
-void tpm_log_copy_entries(const void *from, void *to);
+static inline void tpm_log_copy_entries(const void *from, void *to)
+{
+	if (CONFIG(TPM_LOG_CB))
+		tpm_cb_log_copy_entries(from, to);
+	else if (CONFIG(TPM_LOG_TPM1))
+		tpm1_log_copy_entries(from, to);
+}
 
 /**
  * Retrieves an entry from a log. Returns non-zero on invalid index or error.
  */
-int tpm_log_get(int entry_idx, int *pcr, const uint8_t **digest_data,
+static inline int tpm_log_get(int entry_idx, int *pcr, const uint8_t **digest_data,
-		enum vb2_hash_algorithm *digest_algo, const char **event_name);
+			      enum vb2_hash_algorithm *digest_algo, const char **event_name)
+{
+	if (CONFIG(TPM_LOG_CB))
+		return tpm_cb_log_get(entry_idx, pcr, digest_data, digest_algo, event_name);
+	if (CONFIG(TPM_LOG_TPM1))
+		return tpm1_log_get(entry_idx, pcr, digest_data, digest_algo, event_name);
+	return 1;
+}
 
 /**
  * Add table entry for cbmem TPM log.
@@ -56,15 +91,27 @@ int tpm_log_get(int entry_idx, int *pcr, const uint8_t **digest_data,
  * @param digest sets the hash extended into the tpm
  * @param digest_len the length of the digest
  */
-void tpm_log_add_table_entry(const char *name, const uint32_t pcr,
+static inline void tpm_log_add_table_entry(const char *name, const uint32_t pcr,
-			     enum vb2_hash_algorithm digest_algo,
+					   enum vb2_hash_algorithm digest_algo,
-			     const uint8_t *digest,
+					   const uint8_t *digest,
-			     const size_t digest_len);
+					   const size_t digest_len)
+{
+	if (CONFIG(TPM_LOG_CB))
+		tpm_cb_log_add_table_entry(name, pcr, digest_algo, digest, digest_len);
+	else if (CONFIG(TPM_LOG_TPM1))
+		tpm1_log_add_table_entry(name, pcr, digest_algo, digest, digest_len);
+}
 
 /**
  * Dump TPM log entries on console
  */
-void tpm_log_dump(void *unused);
+static inline void tpm_log_dump(void *unused)
+{
+	if (CONFIG(TPM_LOG_CB))
+		tpm_cb_log_dump();
+	else if (CONFIG(TPM_LOG_TPM1))
+		tpm1_log_dump();
+}
 
 /**
  * Ask vboot for a digest and extend a TPM PCR with it.

src/security/tpm/tspi/crtm.h

@@ -20,6 +20,8 @@
 #  define TPM_MEASURE_ALGO VB2_HASH_SHA1
 #elif CONFIG(TPM_LOG_CB) && CONFIG(TPM2)
 #  define TPM_MEASURE_ALGO VB2_HASH_SHA256
+#elif CONFIG(TPM_LOG_TPM1)
+#  define TPM_MEASURE_ALGO VB2_HASH_SHA1
 #endif
 
 #if !defined(TPM_MEASURE_ALGO)

src/security/tpm/tspi/log-tpm1.c

@@ -0,0 +1,179 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+
+/*
+ * Unlike log.c this implements TPM log according to TPM1.2 specification
+ * rather than using coreboot-specific log format.
+ */
+
+#include <endian.h>
+#include <console/console.h>
+#include <security/tpm/tspi/logs.h>
+#include <security/tpm/tspi.h>
+#include <string.h>
+#include <symbols.h>
+#include <cbmem.h>
+#include <vb2_sha.h>
+
+void *tpm1_log_cbmem_init(void)
+{
+	static struct tpm_1_log_table *tclt;
+	if (tclt)
+		return tclt;
+
+	if (cbmem_possibly_online()) {
+		size_t tpm_log_len;
+		struct spec_id_event_data *hdr;
+
+		tclt = cbmem_find(CBMEM_ID_TCPA_TCG_LOG);
+		if (tclt)
+			return tclt;
+
+		tpm_log_len = sizeof(*tclt) + MAX_TPM_LOG_ENTRIES * sizeof(tclt->entries[0]);
+		tclt = cbmem_add(CBMEM_ID_TCPA_TCG_LOG, tpm_log_len);
+		if (!tclt)
+			return NULL;
+
+		memset(tclt, 0, sizeof(*tclt));
+		hdr = &tclt->spec_id;
+
+		/* Fill in first "header" entry. */
+		tclt->event_type = htole32(EV_NO_ACTION);
+		tclt->spec_id_size = htole32(sizeof(tclt->spec_id) + sizeof(tclt->vendor));
+		strcpy(hdr->signature, TCPA_SPEC_ID_EVENT_SIGNATURE);
+		hdr->platform_class = htole32(0x00); // client platform
+		hdr->spec_version_minor = 0x02;
+		hdr->spec_version_major = 0x01;
+		hdr->spec_errata = 0x01;
+		hdr->vendor_info_size = sizeof(tclt->vendor);
+
+		tclt->vendor.reserved = 0;
+		tclt->vendor.version_major = TPM_1_LOG_VI_MAJOR;
+		tclt->vendor.version_minor = TPM_1_LOG_VI_MINOR;
+		tclt->vendor.magic = htole32(TPM_1_LOG_VI_MAGIC);
+		tclt->vendor.max_entries = htole16(MAX_TPM_LOG_ENTRIES);
+		tclt->vendor.num_entries = htole16(0);
+		tclt->vendor.entry_size = htole32(sizeof(tclt->entries[0]));
+	}
+
+	return tclt;
+}
+
+void tpm1_log_dump(void)
+{
+	int i, j;
+	struct tpm_1_log_table *tclt;
+
+	tclt = tpm_log_init();
+	if (!tclt)
+		return;
+
+	printk(BIOS_INFO, "coreboot TPM 1.2 measurements:\n\n");
+	for (i = 0; i < le16toh(tclt->vendor.num_entries); i++) {
+		struct tpm_1_log_entry *tce = &tclt->entries[i];
+
+		printk(BIOS_INFO, " PCR-%u ", le32toh(tce->pcr));
+
+		for (j = 0; j < TPM_1_LOG_DIGEST_MAX_LENGTH; j++)
+			printk(BIOS_INFO, "%02x", tce->digest[j]);
+
+		printk(BIOS_INFO, " %s [%s]\n", "SHA1", (char *)tce->data);
+	}
+	printk(BIOS_INFO, "\n");
+}
+
+void tpm1_log_add_table_entry(const char *name, const uint32_t pcr,
+			      enum vb2_hash_algorithm digest_algo,
+			      const uint8_t *digest,
+			      const size_t digest_len)
+{
+	struct tpm_1_log_table *tclt;
+	struct tpm_1_log_entry *tce;
+
+	tclt = tpm_log_init();
+	if (!tclt) {
+		printk(BIOS_WARNING, "TPM LOG: non-existent!\n");
+		return;
+	}
+
+	if (!name) {
+		printk(BIOS_WARNING, "TPM LOG: entry name not set\n");
+		return;
+	}
+
+	if (digest_algo != VB2_HASH_SHA1) {
+		printk(BIOS_WARNING, "TPM LOG: unsupported hash algorithm\n");
+		return;
+	}
+
+	if (le16toh(tclt->vendor.num_entries) >= le16toh(tclt->vendor.max_entries)) {
+		printk(BIOS_WARNING, "TPM LOG: log table is full\n");
+		return;
+	}
+
+	tce = &tclt->entries[le16toh(tclt->vendor.num_entries)];
+	tclt->vendor.num_entries = htole16(le16toh(tclt->vendor.num_entries) + 1);
+
+	tce->pcr = htole32(pcr);
+	tce->event_type = htole32(EV_ACTION);
+
+	memcpy(tce->digest, digest, digest_len);
+
+	tce->data_length = htole32(TPM_1_LOG_DATA_MAX_LENGTH);
+	strncpy((char *)tce->data, name, sizeof(tce->data) - 1);
+	tce->data[sizeof(tce->data) - 1] = '\0';
+}
+
+void tpm1_preram_log_clear(void)
+{
+	printk(BIOS_INFO, "TPM LOG: clearing the log\n");
+	/*
+	 * Pre-RAM log is only for internal use and isn't exported anywhere, hence it's header
+	 * is not initialized.
+	 */
+	struct tpm_1_log_table *tclt = (struct tpm_1_log_table *)_tpm_log;
+	tclt->vendor.max_entries = htole16(MAX_TPM_LOG_ENTRIES);
+	tclt->vendor.num_entries = htole16(0);
+}
+
+int tpm1_log_get(int entry_idx, int *pcr, const uint8_t **digest_data,
+		 enum vb2_hash_algorithm *digest_algo, const char **event_name)
+{
+	struct tpm_1_log_table *tclt;
+	struct tpm_1_log_entry *tce;
+
+	tclt = tpm_log_init();
+	if (!tclt)
+		return 1;
+
+	if (entry_idx < 0 || entry_idx >= le16toh(tclt->vendor.num_entries))
+		return 1;
+
+	tce = &tclt->entries[entry_idx];
+
+	*pcr = le32toh(tce->pcr);
+	*digest_data = tce->digest;
+	*digest_algo = VB2_HASH_SHA1;
+	*event_name = (char *)tce->data;
+	return 0;
+}
+
+uint16_t tpm1_log_get_size(const void *log_table)
+{
+	const struct tpm_1_log_table *tclt = log_table;
+	return le16toh(tclt->vendor.num_entries);
+}
+
+void tpm1_log_copy_entries(const void *from, void *to)
+{
+	const struct tpm_1_log_table *from_log = from;
+	struct tpm_1_log_table *to_log = to;
+	int i;
+
+	for (i = 0; i < le16toh(from_log->vendor.num_entries); i++) {
+		struct tpm_1_log_entry *tce =
+			&to_log->entries[le16toh(to_log->vendor.num_entries)];
+		memcpy(tce, &from_log->entries[i], sizeof(*tce));
+
+		to_log->vendor.num_entries = htole16(le16toh(to_log->vendor.num_entries) + 1);
+	}
+}

src/security/tpm/tspi/log.c

@@ -1,6 +1,7 @@
 /* SPDX-License-Identifier: GPL-2.0-only */
 
 #include <console/console.h>
+#include <security/tpm/tspi/logs.h>
 #include <security/tpm/tspi.h>
 #include <region_file.h>
 #include <string.h>
@@ -8,7 +9,7 @@
 #include <cbmem.h>
 #include <vb2_sha.h>
 
-void *tpm_log_cbmem_init(void)
+void *tpm_cb_log_cbmem_init(void)
 {
 	static struct tpm_cb_log_table *tclt;
 	if (tclt)
@@ -29,7 +30,7 @@ void *tpm_log_cbmem_init(void)
 	return tclt;
 }
 
-void tpm_log_dump(void *unused)
+void tpm_cb_log_dump(void)
 {
 	int i, j;
 	struct tpm_cb_log_table *tclt;
@@ -54,10 +55,10 @@ void tpm_log_dump(void *unused)
 	printk(BIOS_INFO, "\n");
 }
 
-void tpm_log_add_table_entry(const char *name, const uint32_t pcr,
+void tpm_cb_log_add_table_entry(const char *name, const uint32_t pcr,
-			     enum vb2_hash_algorithm digest_algo,
+				enum vb2_hash_algorithm digest_algo,
-			     const uint8_t *digest,
+				const uint8_t *digest,
-			     const size_t digest_len)
+				const size_t digest_len)
 {
 	struct tpm_cb_log_table *tclt = tpm_log_init();
 	if (!tclt) {
@@ -93,7 +94,7 @@ void tpm_log_add_table_entry(const char *name, const uint32_t pcr,
 	memcpy(tce->digest, digest, tce->digest_length);
 }
 
-void tpm_preram_log_clear(void)
+void tpm_cb_preram_log_clear(void)
 {
 	printk(BIOS_INFO, "TPM LOG: clearing preram log\n");
 	struct tpm_cb_log_table *tclt = (struct tpm_cb_log_table *)_tpm_log;
@@ -101,8 +102,8 @@ void tpm_preram_log_clear(void)
 	tclt->num_entries = 0;
 }
 
-int tpm_log_get(int entry_idx, int *pcr, const uint8_t **digest_data,
+int tpm_cb_log_get(int entry_idx, int *pcr, const uint8_t **digest_data,
-		enum vb2_hash_algorithm *digest_algo, const char **event_name)
+		   enum vb2_hash_algorithm *digest_algo, const char **event_name)
 {
 	struct tpm_cb_log_table *tclt;
 	struct tpm_cb_log_entry *tce;
@@ -131,13 +132,13 @@ int tpm_log_get(int entry_idx, int *pcr, const uint8_t **digest_data,
 	return 0;
 }
 
-uint16_t tpm_log_get_size(const void *log_table)
+uint16_t tpm_cb_log_get_size(const void *log_table)
 {
 	const struct tpm_cb_log_table *tclt = log_table;
 	return tclt->num_entries;
 }
 
-void tpm_log_copy_entries(const void *from, void *to)
+void tpm_cb_log_copy_entries(const void *from, void *to)
 {
 	const struct tpm_cb_log_table *from_log = from;
 	struct tpm_cb_log_table *to_log = to;

src/security/tpm/tspi/logs.h

@@ -0,0 +1,39 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+
+#ifndef LOGS_H_
+#define LOGS_H_
+
+#include <stdint.h>
+#include <vb2_api.h>
+
+/* coreboot-specific TPM log format */
+
+void *tpm_cb_log_init(void);
+void *tpm_cb_log_cbmem_init(void);
+void tpm_cb_preram_log_clear(void);
+uint16_t tpm_cb_log_get_size(const void *log_table);
+void tpm_cb_log_copy_entries(const void *from, void *to);
+int tpm_cb_log_get(int entry_idx, int *pcr, const uint8_t **digest_data,
+		   enum vb2_hash_algorithm *digest_algo, const char **event_name);
+void tpm_cb_log_add_table_entry(const char *name, const uint32_t pcr,
+				enum vb2_hash_algorithm digest_algo,
+				const uint8_t *digest,
+				const size_t digest_len);
+void tpm_cb_log_dump(void);
+
+/* TPM 1.2 log format */
+
+void *tpm1_log_init(void);
+void *tpm1_log_cbmem_init(void);
+void tpm1_preram_log_clear(void);
+uint16_t tpm1_log_get_size(const void *log_table);
+void tpm1_log_copy_entries(const void *from, void *to);
+int tpm1_log_get(int entry_idx, int *pcr, const uint8_t **digest_data,
+		 enum vb2_hash_algorithm *digest_algo, const char **event_name);
+void tpm1_log_add_table_entry(const char *name, const uint32_t pcr,
+			      enum vb2_hash_algorithm digest_algo,
+			      const uint8_t *digest,
+			      const size_t digest_len);
+void tpm1_log_dump(void);
+
+#endif /* LOGS_H_ */

src/security/tpm/tspi/tspi.c

@@ -2,6 +2,7 @@
 
 #include <console/console.h>
 #include <security/tpm/tspi/crtm.h>
+#include <security/tpm/tspi/logs.h>
 #include <security/tpm/tspi.h>
 #include <security/tpm/tss.h>
 #include <assert.h>