tpm2: implement and use pcr_extend command

TPM PCRs are used in Chrome OS for two purposes: to communicate crucial information from RO firmware and to protect FW and kernel rollback counters from being deleted. As implemented in a TPM1 compatible way, the PCR extension command requires a prebuilt digest to calculate a new PCR value. TPM2 specification introduces a PCR_Event command, where the TPM itself calculates the digest of an arbitrary length string, and then uses the calculated digest for PCR extension. PCR_Event could be a better option for Chrome OS, this needs to be investigated separately. BRANCH=none BUG=chrome-os-partner:50645 TEST=verified that the two PCRs are successfully extended before the RW firmware is called. Change-Id: I38fc88172de8ec8bef56fec026f83058480c8010 Signed-off-by: Martin Roth <martinroth@chromium.org> Original-Commit-Id: 73388139db3ffaf61a3d9027522c5ebecb3ad051 Original-Change-Id: I1a9bab7396fdb652e2e3bc8529b828ea3423d851 Original-Signed-off-by: Vadim Bendebury <vbendeb@chromium.org> Original-Reviewed-on: https://chromium-review.googlesource.com/358098 Original-Reviewed-by: Aaron Durbin <adurbin@chromium.org> Original-Reviewed-by: Darren Krahn <dkrahn@chromium.org> Reviewed-on: https://review.coreboot.org/15639 Tested-by: build bot (Jenkins) Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@googlemail.com>
2016-07-03 22:20:17 -07:00
parent 4c0851cc37
commit f5ef699f40
3 changed files with 86 additions and 2 deletions
--- a/src/lib/tpm2_marshaling.c
+++ b/src/lib/tpm2_marshaling.c
@@ -201,6 +201,27 @@ static void marshal_TPMS_NV_PUBLIC(void **buffer,
 	marshal_u16(buffer, nvpub->dataSize, buffer_space);
 }

+static void marshal_TPMT_HA(void **buffer,
+			    TPMT_HA *tpmtha,
+			    size_t *buffer_space)
+{
+	marshal_TPMI_ALG_HASH(buffer, tpmtha->hashAlg, buffer_space);
+	marshal_blob(buffer, tpmtha->digest.sha256,
+		     sizeof(tpmtha->digest.sha256),
+		     buffer_space);
+}
+
+static void marshal_TPML_DIGEST_VALUES(void **buffer,
+				       TPML_DIGEST_VALUES *dvalues,
+				       size_t *buffer_space)
+{
+	int i;
+
+	marshal_u32(buffer, dvalues->count, buffer_space);
+	for (i = 0; i < dvalues->count; i++)
+		marshal_TPMT_HA(buffer, &dvalues->digests[i], buffer_space);
+}
+
 static void marshal_session_header(void **buffer,
 				   struct tpm2_session_header *session_header,
 				   size_t *buffer_space)
@@ -312,6 +333,17 @@ static void marshal_nv_write_lock(void **buffer,
 				      ARRAY_SIZE(handles), buffer_space);
 }

+static void marshal_pcr_extend(void **buffer,
+			       struct tpm2_pcr_extend_cmd *command_body,
+			       size_t *buffer_space)
+{
+	uint32_t handle = command_body->pcrHandle;
+
+	marshal_common_session_header(buffer, &handle, 1, buffer_space);
+	marshal_TPML_DIGEST_VALUES(buffer,
+				   &command_body->digests, buffer_space);
+}
+
 static void marshal_nv_read(void **buffer,
 			    struct tpm2_nv_read_cmd *command_body,
 			    size_t *buffer_space)
@@ -385,6 +417,10 @@ int tpm_marshal_command(TPM_CC command, void *tpm_command_body,
 		marshal_clear(&cmd_body, &body_size);
 		break;

+	case TPM2_PCR_Extend:
+		marshal_pcr_extend(&cmd_body, tpm_command_body, &body_size);
+		break;
+
 	default:
 		body_size = 0;
 		printk(BIOS_INFO, "%s:%d:Request to marshal unsupported command %#x\n",
@@ -547,6 +583,7 @@ struct tpm2_response *tpm_unmarshal_response(TPM_CC command,
 	case TPM2_NV_DefineSpace:
 	case TPM2_NV_Write:
 	case TPM2_NV_WriteLock:
+	case TPM2_PCR_Extend:
 		/* Session data included in response can be safely ignored. */
 		cr_size = 0;
 		break;