tpm2: implement and use pcr_extend command
TPM PCRs are used in Chrome OS for two purposes: to communicate
crucial information from RO firmware and to protect FW and kernel
rollback counters from being deleted.
As implemented in a TPM1 compatible way, the PCR extension command
requires a prebuilt digest to calculate a new PCR value.
TPM2 specification introduces a PCR_Event command, where the TPM
itself calculates the digest of an arbitrary length string, and then
uses the calculated digest for PCR extension. PCR_Event could be a
better option for Chrome OS, this needs to be investigated separately.
BRANCH=none
BUG=chrome-os-partner:50645
TEST=verified that the two PCRs are successfully extended before the
RW firmware is called.
Change-Id: I38fc88172de8ec8bef56fec026f83058480c8010
Signed-off-by: Martin Roth <martinroth@chromium.org>
Original-Commit-Id: 73388139db3ffaf61a3d9027522c5ebecb3ad051
Original-Change-Id: I1a9bab7396fdb652e2e3bc8529b828ea3423d851
Original-Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Original-Reviewed-on: https://chromium-review.googlesource.com/358098
Original-Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Original-Reviewed-by: Darren Krahn <dkrahn@chromium.org>
Reviewed-on: https://review.coreboot.org/15639
Tested-by: build bot (Jenkins)
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@googlemail.com>
This commit is contained in:
Vadim Bendebury
committed by
Martin Roth
Martin Roth
parent
4c0851cc37
commit
f5ef699f40
@ -201,6 +201,27 @@ static void marshal_TPMS_NV_PUBLIC(void **buffer,
|
||||
marshal_u16(buffer, nvpub->dataSize, buffer_space);
|
||||
}
|
||||
|
||||
static void marshal_TPMT_HA(void **buffer,
|
||||
TPMT_HA *tpmtha,
|
||||
size_t *buffer_space)
|
||||
{
|
||||
marshal_TPMI_ALG_HASH(buffer, tpmtha->hashAlg, buffer_space);
|
||||
marshal_blob(buffer, tpmtha->digest.sha256,
|
||||
sizeof(tpmtha->digest.sha256),
|
||||
buffer_space);
|
||||
}
|
||||
|
||||
static void marshal_TPML_DIGEST_VALUES(void **buffer,
|
||||
TPML_DIGEST_VALUES *dvalues,
|
||||
size_t *buffer_space)
|
||||
{
|
||||
int i;
|
||||
|
||||
marshal_u32(buffer, dvalues->count, buffer_space);
|
||||
for (i = 0; i < dvalues->count; i++)
|
||||
marshal_TPMT_HA(buffer, &dvalues->digests[i], buffer_space);
|
||||
}
|
||||
|
||||
static void marshal_session_header(void **buffer,
|
||||
struct tpm2_session_header *session_header,
|
||||
size_t *buffer_space)
|
||||
@ -312,6 +333,17 @@ static void marshal_nv_write_lock(void **buffer,
|
||||
ARRAY_SIZE(handles), buffer_space);
|
||||
}
|
||||
|
||||
static void marshal_pcr_extend(void **buffer,
|
||||
struct tpm2_pcr_extend_cmd *command_body,
|
||||
size_t *buffer_space)
|
||||
{
|
||||
uint32_t handle = command_body->pcrHandle;
|
||||
|
||||
marshal_common_session_header(buffer, &handle, 1, buffer_space);
|
||||
marshal_TPML_DIGEST_VALUES(buffer,
|
||||
&command_body->digests, buffer_space);
|
||||
}
|
||||
|
||||
static void marshal_nv_read(void **buffer,
|
||||
struct tpm2_nv_read_cmd *command_body,
|
||||
size_t *buffer_space)
|
||||
@ -385,6 +417,10 @@ int tpm_marshal_command(TPM_CC command, void *tpm_command_body,
|
||||
marshal_clear(&cmd_body, &body_size);
|
||||
break;
|
||||
|
||||
case TPM2_PCR_Extend:
|
||||
marshal_pcr_extend(&cmd_body, tpm_command_body, &body_size);
|
||||
break;
|
||||
|
||||
default:
|
||||
body_size = 0;
|
||||
printk(BIOS_INFO, "%s:%d:Request to marshal unsupported command %#x\n",
|
||||
@ -547,6 +583,7 @@ struct tpm2_response *tpm_unmarshal_response(TPM_CC command,
|
||||
case TPM2_NV_DefineSpace:
|
||||
case TPM2_NV_Write:
|
||||
case TPM2_NV_WriteLock:
|
||||
case TPM2_PCR_Extend:
|
||||
/* Session data included in response can be safely ignored. */
|
||||
cr_size = 0;
|
||||
break;
|
||||
|
||||
Reference in New Issue
Block a user