[Skiboot] [PATCH v2 1/6] secvar/secboot_tpm: correctly reset the control index on secboot format

Eric Richter erichte at linux.ibm.com
Wed Nov 3 01:54:04 AEDT 2021 

On 11/2/21 8:33 AM, Daniel Axtens wrote:
> Eric Richter <erichte at linux.ibm.com> writes:
> 
>> When the SECBOOT partition is formatted, the bank hash stored in the
>> control TPM NV index must be updated to match, or else we will immediately
>> fail to load the freshly formatted data at the .load_bank() step.
>>
>> However, while the secboot_format() function does calculate and update the
>> bank hash, it only writes the new hash for bank 0. It does not update the
>> value for bank 1, or set the current active bank. This works as expected if
>> the active bank bit happens to be set to 0. On the other hand, if the active
>> bit is set to 1, the freshly formatted bank 1 will be compared against the
>> unchanged bank hash in bank 1 at the load step, therefore causing an error.
>>
>> This patch fixes this issue by also setting the active bit to 0 to match
>> the freshly calculated hash.
>>
>> Signed-off-by: Eric Richter <erichte at linux.ibm.com>
>> Tested-by: Nick Child <nick.child at ibm.com>
>> ---
>>  libstb/secvar/storage/secboot_tpm.c | 11 +++++++----
>>  1 file changed, 7 insertions(+), 4 deletions(-)
>>
>> diff --git a/libstb/secvar/storage/secboot_tpm.c b/libstb/secvar/storage/secboot_tpm.c
>> index 129f674a..5907ff07 100644
>> --- a/libstb/secvar/storage/secboot_tpm.c
>> +++ b/libstb/secvar/storage/secboot_tpm.c
>> @@ -127,12 +127,15 @@ static int secboot_format(void)
>>  		prlog(PR_ERR, "Bank hash failed to calculate somehow\n");
>>  		return rc;
>>  	}
>> +	/* Clear bank_hash[1] anyway, to match state of PNOR */
>> +	memset(tpmnv_control_image->bank_hash[1], 0x00, sizeof(tpmnv_control_image->bank_hash[1]));
> 
> I am a bit confused by this line. The next thing you do is to set the
> active bit to 0, which I understand and which matches what the commit
> message says, but I don't understand why setting the bank hash of the
> first bank to 0 is the right thing to do. The sha256 of a run of zeros
> isn't going to be 0, so this is still - afaict - wrong, just differently
> wrong?
> 

It's not entirely needed, no. The hash won't match, but it will match 
the TPM NV state from the first boot, where both PNOR partitions are
empty, active_bit = 0, bank_hash[0] = sha256(empty), bank_hash[0] = 0

Only the bank specified by the active bit is verified, so the hash
of the other bank isn't read, and will be overwritten on the next
variable bank write.

>> +
>> +	tpmnv_control_image->active_bit = 0;
> 
> This bit I get.
> 
>>  
>>  	rc = tpmnv_ops.write(SECBOOT_TPMNV_CONTROL_INDEX,
>> -			     tpmnv_control_image->bank_hash[0],
>> -			     SHA256_DIGEST_SIZE,
>> -			     offsetof(struct tpmnv_control,
>> -			     bank_hash[0]));
>> +			     tpmnv_control_image,
>> +			     sizeof(struct tpmnv_control),
>> +			     0);
> 
> I understand that this writes out both bank hashes and the active
> bit. It'll also write out the header again but hard to see that being an
> issue. This looks good to me.
> 
> Kind regards,
> Daniel
>

More information about the Skiboot mailing list