[Skiboot] [PATCH 23/40] libstb/tpm_chip: add tpm_extendl()

Stewart Smith stewart at linux.vnet.ibm.com
Mon Oct 10 19:44:04 AEDT 2016


From: Claudio Carvalho <cclaudio at linux.vnet.ibm.com>

This adds the tpm_extendl() function to tpm_chip interface

For each TPM device, tpm_extendl() extends the sha1 and sha256 digests
provided to the indicated PCR and also records an event for the same PCR
in the event log.

Signed-off-by: Claudio Carvalho <cclaudio at linux.vnet.ibm.com>
[stewart at linux.vnet.ibm.com: remove special char, align comments to 80 cols]
Signed-off-by: Stewart Smith <stewart at linux.vnet.ibm.com>
---
 libstb/status_codes.h |   4 ++
 libstb/tpm_chip.c     | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++
 libstb/tpm_chip.h     |  26 +++++++++++
 3 files changed, 146 insertions(+)

diff --git a/libstb/status_codes.h b/libstb/status_codes.h
index 1637e9f..5fd9757 100644
--- a/libstb/status_codes.h
+++ b/libstb/status_codes.h
@@ -25,6 +25,10 @@
 /* secure boot */
 #define STB_VERIFY_FAILED  		-100
 
+/* trusted boot */
+#define STB_EVENTLOG_FAILED	-200
+#define STB_PCR_EXTEND_FAILED	-201
+
 /* TPM */
 #define STB_TPM_OVERFLOW	-300
 #define STB_TPM_TIMEOUT	-301
diff --git a/libstb/tpm_chip.c b/libstb/tpm_chip.c
index 91efa3a..1bfeb9a 100644
--- a/libstb/tpm_chip.c
+++ b/libstb/tpm_chip.c
@@ -22,9 +22,48 @@
 #include "container.h"
 #include "tpm_chip.h"
 #include "drivers/tpm_i2c_nuvoton.h"
+#include "tss/trustedbootCmds.H"
+
+/* For debugging only */
+//#define STB_DEBUG
 
 static struct list_head tpm_list = LIST_HEAD_INIT(tpm_list);
 
+#ifdef STB_DEBUG
+static void tpm_print_pcr(struct tpm_chip *tpm, TPM_Pcr pcr, TPM_Alg_Id alg,
+			  size_t size)
+{
+	int rc;
+	uint8_t digest[TPM_ALG_SHA256_SIZE];
+
+	memset(digest, 0, size);
+
+	rc = tpmCmdPcrRead(tpm, pcr, alg, digest, size);
+	if (rc) {
+		/**
+		 * @fwts-label STBPCRReadFailed
+		 * @fwts-advice STB_DEBUG should not be enabled
+		 * in production. PCR read operation failed.
+		 * This TSS implementation is part of hostboot,
+		 * but the source code is shared with skiboot.
+		 * 1) The hostboot TSS may have been updated.
+		 * 2) This may be caused by the short I2C
+		 * timeout and can be fixed by increasing the
+		 * timeout. Otherwise this indicates a bug in
+		 * the TSS or the TPM device driver. Each one
+		 * has local debug macros that can help.
+		 */
+		prlog(PR_ERR, "STB: tpmCmdPcrRead() failed: "
+		      "tpm%d, alg=%x, pcr%d, rc=%d\n",
+		      tpm->id, alg, pcr, rc);
+	} else {
+		prlog(PR_NOTICE,"STB: print pcr-read: tpm%d alg=%x pcr%d\n",
+		      tpm->id, alg, pcr);
+		stb_print_data(digest, size);
+	}
+}
+#endif
+
 int tpm_register_chip(struct dt_node *node, struct tpm_dev *dev,
 		       struct tpm_driver *driver)
 {
@@ -175,6 +214,83 @@ void tpm_cleanup(void)
 	list_head_init(&tpm_list);
 }
 
+int tpm_extendl(TPM_Pcr pcr,
+		TPM_Alg_Id alg1, uint8_t* digest1, size_t size1,
+		TPM_Alg_Id alg2, uint8_t* digest2, size_t size2,
+		uint32_t event_type, const char* event_msg)
+{
+	int rc;
+	TCG_PCR_EVENT2 event;
+	struct tpm_chip *tpm = NULL;
+
+	rc = 0;
+
+	list_for_each(&tpm_list, tpm, link) {
+		if (!tpm->enabled)
+			continue;
+		event = TpmLogMgr_genLogEventPcrExtend(pcr, alg1, digest1, size1,
+						       alg2, digest2, size2,
+						       event_type, event_msg);
+		/* eventlog recording */
+		rc = TpmLogMgr_addEvent(&tpm->logmgr, &event);
+		if (rc) {
+			/**
+			 * @fwts-label STBAddEventFailed
+			 * @fwts-advice TpmLogMgr failed to add a new event
+			 * to the event log. TpmLogMgr is part of hostboot,
+			 * but the source code is shared with skiboot.
+			 * 1) The hostboot TpmLogMgr code may have
+			 * been updated.
+			 * 2) Check that max event log size was not reached
+			 * and log marshall executed with no error. Enabling the
+			 * trace routines in trustedbootUtils.H may help.
+			 */
+			prlog(PR_ERR, "TPM: %s -> elog%d FAILED: pcr%d et=%x rc=%d\n",
+			      event_msg, tpm->id, pcr, event_type, rc);
+			rc = STB_EVENTLOG_FAILED;
+			goto error;
+		}
+#ifdef STB_DEBUG
+		prlog(PR_NOTICE, "TPM: %s -> elog%d: pcr%d et=%x ls=%d\n",
+		      event_msg, tpm->id, pcr, event_type, tpm->logmgr.logSize);
+		tpm_print_pcr(tpm, pcr, alg1, size1);
+		tpm_print_pcr(tpm, pcr, alg2, size2);
+#endif
+		/* extend pcr of both sha1 and sha256 banks*/
+		rc = tpmCmdPcrExtend2Hash(tpm, pcr,
+					  alg1, digest1, size1,
+					  alg2, digest2, size2);
+		if (rc) {
+			/**
+			 * @fwts-label STBPCRExtendFailed
+			 * @fwts-advice PCR extend operation failed. This TSS
+			 * implementation is part of hostboot, but the source
+			 * code is shared with skiboot.
+			 * 1) The hostboot TSS may have been updated.
+			 * 2) This may be caused by the short I2C timeout and
+			 * can be fixed by increasing the timeout. Otherwise,
+			 * this indicates a bug in the TSS or the TPM
+			 * device driver. Each one has local debug macros that
+			 * can help.
+			 */
+			prlog(PR_ERR, "TPM: %s -> tpm%d FAILED: pcr%d rc=%d\n",
+			      event_msg, tpm->id, pcr, rc);
+			rc = STB_PCR_EXTEND_FAILED;
+			goto error;
+		}
+#ifdef STB_DEBUG
+		prlog(PR_NOTICE, "TPM: %s -> tpm%d: pcr%d\n", event_msg,
+		      tpm->id, pcr);
+		tpm_print_pcr(tpm, pcr, alg1, size1);
+		tpm_print_pcr(tpm, pcr, alg2, size2);
+#endif
+	}
+	return rc;
+error:
+	tpm->enabled = false;
+	return rc;
+}
+
 void tpm_add_status_property(void) {
 	struct tpm_chip *tpm;
 	list_for_each(&tpm_list, tpm, link) {
diff --git a/libstb/tpm_chip.h b/libstb/tpm_chip.h
index b8f536c..d7363e7 100644
--- a/libstb/tpm_chip.h
+++ b/libstb/tpm_chip.h
@@ -20,6 +20,7 @@
 #include <device.h>
 
 #include "tss/tpmLogMgr.H"
+#include "tss/trustedTypes.H"
 
 struct tpm_dev {
 
@@ -73,6 +74,31 @@ typedef struct tpm_chip TpmTarget;
 extern int tpm_register_chip(struct dt_node *node, struct tpm_dev *dev,
 			     struct tpm_driver *driver);
 
+/*
+ * tpm_extendl - For each TPM device, this extends the sha1 and sha 256 digests
+ * to the indicated PCR and also records an event for the same PCR
+ * in the event log
+ * This calls a TSS extend function that supports multibank. Both sha1 and
+ * sha256 digests are extended in a single operation sent to the TPM device.
+ *
+ * @pcr: PCR number to be extended and recorded in the event log. The same PCR
+ * number is extende for both sha1 and sha256 banks.
+ * @alg1: SHA algorithm of digest1. Either TPM_ALG_SHA1 or TPM_ALG_SHA256
+ * @digest1: digest1 buffer
+ * @size1: size of digest1. Either TPM_ALG_SHA1_SIZE or TPM_ALG_SHA256_SIZE
+ * @alg2: SHA algorithm of digest2. Either TPM_ALG_SHA1 or TPM_ALG_SHA256
+ * @digest2: digest2 buffer
+ * @size2: size of digest2. Either TPM_ALG_SHA1_SIZE or TPM_ALG_SHA256_SIZE
+ * @event_type: event type log. In skiboot, either EV_ACTION or EV_SEPARATOR.
+ * @event_msg: event log message that describes the event
+ *
+ * Returns O for success or a negative number if it fails.
+ */
+extern int tpm_extendl(TPM_Pcr pcr,
+		       TPM_Alg_Id alg1, uint8_t* digest1, size_t size1,
+		       TPM_Alg_Id alg2, uint8_t* digest2, size_t size2,
+		       uint32_t event_type, const char* event_msg);
+
 /* Add status property to the TPM devices */
 extern void tpm_add_status_property(void);
 
-- 
2.7.4



More information about the Skiboot mailing list