[SLOF] [PATCH 3/4] tcgbios: Use The proper sha function for each PCR bank

Alexey Kardashevskiy aik at ozlabs.ru
Wed Jun 30 12:56:11 AEST 2021 


On 16/06/2021 00:41, Stefan Berger wrote:
> Instead of just using sha256 for all PCR banks (and truncating
> the value or zero-padding it) use the proper hash function for
> each one of the banks. For unimplemented hashes, fill the buffer
> with 0xff.

Was it a bug that sha256 was always used?


> 
> Signed-off-by: Stefan Berger <stefanb at linux.ibm.com>
> ---
>   lib/libtpm/tcgbios.c | 42 ++++++++++++++++++++++++++++++++----------
>   1 file changed, 32 insertions(+), 10 deletions(-)
> 
> diff --git a/lib/libtpm/tcgbios.c b/lib/libtpm/tcgbios.c
> index 91f2f46..af96c52 100644
> --- a/lib/libtpm/tcgbios.c
> +++ b/lib/libtpm/tcgbios.c
> @@ -127,28 +127,32 @@ static const struct hash_parameters {
>   	uint8_t  hashalg_flag;
>   	uint8_t  hash_buffersize;
>   	const char *name;
> +	void (*hashfunc)(const uint8_t *data, uint32_t length, uint8_t *hash);
>   } hash_parameters[] = {
>   	{
>   		.hashalg = TPM2_ALG_SHA1,
>   		.hashalg_flag = TPM2_ALG_SHA1_FLAG,
>   		.hash_buffersize = SHA1_BUFSIZE,
>   		.name = "SHA1",
> +		.hashfunc = sha1,
>   	}, {
>   		.hashalg = TPM2_ALG_SHA256,
>   		.hashalg_flag = TPM2_ALG_SHA256_FLAG,
>   		.hash_buffersize = SHA256_BUFSIZE,
>   		.name = "SHA256",
> +		.hashfunc = sha256,
>   	}, {
>   		.hashalg = TPM2_ALG_SHA384,
>   		.hashalg_flag = TPM2_ALG_SHA384_FLAG,
>   		.hash_buffersize = SHA384_BUFSIZE,
>   		.name = "SHA384",
> -
> +		.hashfunc = sha384,
>   	}, {
>   		.hashalg = TPM2_ALG_SHA512,
>   		.hashalg_flag = TPM2_ALG_SHA512_FLAG,
>   		.hash_buffersize = SHA512_BUFSIZE,
>   		.name = "SHA512",
> +		.hashfunc = sha512,
>   	}, {
>   		.hashalg = TPM2_ALG_SM3_256,
>   		.hashalg_flag = TPM2_ALG_SM3_256_FLAG,



Do not you want sha256/... for this and other guys after this one?



> @@ -233,6 +237,25 @@ static const char * tpm20_hashalg_flag_to_name(uint8_t hashalg_flag)
>   	return NULL;
>   }
>   
> +static void tpm2_hash_data(uint16_t hashAlg,
> +                           const uint8_t *data, uint32_t data_len,
> +                           uint8_t *hash)
> +{
> +	unsigned i;
> +
> +	for (i = 0; i < ARRAY_SIZE(hash_parameters); i++) {
> +		if (hash_parameters[i].hashalg == hashAlg) {
> +			if (hash_parameters[i].hashfunc) {
> +				hash_parameters[i].hashfunc(data, data_len,
> +							    hash);
> +			} else {
> +				memset(hash, 0xff,
> +				       hash_parameters[i].hash_buffersize);
> +			}
> +		}
> +	}
> +}
> +
>   /*
>    * Build the TPM2 TPML_DIGEST_VALUES data structure from the given hash.
>    * Follow the PCR bank configuration of the TPM and write the same hash
> @@ -242,13 +265,15 @@ static const char * tpm20_hashalg_flag_to_name(uint8_t hashalg_flag)
>    * hash when writing it in the area of the sha1 hash.
>    *
>    * le: the log entry to build the digest in
> - * sha1: the sha1 hash value to use
> + * hashdata: the data to hash
> + * hashdata_len: the length of the hashdata
>    * bigEndian: whether to build in big endian format for the TPM or log
>    *            little endian for the log (TPM 2.0)
>    *
>    * Returns the digest size; -1 on fatal error
>    */
> -static int tpm20_build_digest(struct tpm_log_entry *le, const uint8_t *sha256,
> +static int tpm20_build_digest(struct tpm_log_entry *le,
> +                              const uint8_t *hashdata, uint32_t hashdata_len,
>   			      bool bigEndian)
>   {
>   	struct tpms_pcr_selection *sel;
> @@ -297,9 +322,8 @@ static int tpm20_build_digest(struct tpm_log_entry *le, const uint8_t *sha256,
>   		else
>   			v->hashAlg = cpu_to_le16(be16_to_cpu(sel->hashAlg));
>   
> -		memset(v->hash, 0, hsize);
> -		memcpy(v->hash, sha256,
> -		       hsize < SHA256_BUFSIZE ? hsize : SHA256_BUFSIZE);
> +		tpm2_hash_data(be16_to_cpu(sel->hashAlg), hashdata, hashdata_len,
> +			       v->hash);
>   
>   		dest += sizeof(*v) + hsize;
>   		sel = nsel;
> @@ -865,7 +889,6 @@ static uint32_t tpm_add_measurement_to_log(uint32_t pcrindex,
>   					   const uint8_t *hashdata,
>   					   uint32_t hashdatalen)
>   {
> -	uint8_t hash[SHA256_BUFSIZE];
>   	struct tpm_log_entry le = {
>   		.hdr.pcrindex = cpu_to_log32(pcrindex),
>   		.hdr.eventtype = cpu_to_log32(eventtype),
> @@ -873,8 +896,7 @@ static uint32_t tpm_add_measurement_to_log(uint32_t pcrindex,
>   	int digest_len;
>   	int ret;
>   
> -	sha256(hashdata, hashdatalen, hash);
> -	digest_len = tpm20_build_digest(&le, hash, true);
> +	digest_len = tpm20_build_digest(&le, hashdata, hashdatalen, true);
>   	if (digest_len < 0)
>   		return TCGBIOS_GENERAL_ERROR;
>   	ret = tpm20_extend(&le, digest_len);
> @@ -882,7 +904,7 @@ static uint32_t tpm_add_measurement_to_log(uint32_t pcrindex,
>   		tpm_set_failure();
>   		return TCGBIOS_COMMAND_ERROR;
>   	}
> -	tpm20_build_digest(&le, hash, false);
> +	tpm20_build_digest(&le, hashdata, hashdatalen, false);
>   	return tpm_log_event_long(&le.hdr, digest_len, info, infolen);
>   }
>   
> 

-- 
Alexey

More information about the SLOF mailing list