Skip to content

Commit b8af022

Browse files
cjengelwghoffa
cjengel
authored and
wghoffa
committed
SecureBoot: Update sha1 bank of PCRs along with sha256
Change-Id: I526809abe8fa8d00929f79a4c3e1dcaf7386873a RTC: 154324 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/27032 Reviewed-by: Timothy R. Block <block@us.ibm.com> Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com> Reviewed-by: William G. Hoffa <wghoffa@us.ibm.com>
1 parent c4574da commit b8af022

File tree

9 files changed

+182
-61
lines changed

9 files changed

+182
-61
lines changed

src/usr/secureboot/trusted/test/tpmLogMgrTest.H

Lines changed: 6 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -60,8 +60,8 @@ class TPMLogMgrTest: public CxxTest::TestSuite
6060
delete err;
6161
err = NULL;
6262
}
63-
else if (TpmLogMgr_getLogSize(logMgr) != 69)
64-
// 69 is size of header entry
63+
else if (TpmLogMgr_getLogSize(logMgr) != 73)
64+
// 73 is size of header entry
6565
{
6666
TS_FAIL( "getTestLogMgr - Failed to find "
6767
"proper header log Len=%d",
@@ -123,7 +123,7 @@ class TPMLogMgrTest: public CxxTest::TestSuite
123123
break;
124124
}
125125

126-
memset(log.digests.digests[0].digest.bytes,
126+
memset(&(log.digests.digests[0].digest),
127127
0x51+idx, digestSize);
128128

129129
log.event.eventSize = 21+idx;
@@ -213,7 +213,9 @@ class TPMLogMgrTest: public CxxTest::TestSuite
213213
// Get a TCG_PCR_EVENT2
214214
TCG_PCR_EVENT2 eventLog = TpmLogMgr_genLogEventPcrExtend(
215215
pcr, algId,
216-
digest, digestSize, i_logMsg);
216+
digest, digestSize,
217+
TPM_ALG_SHA1, digest,
218+
digestSize, i_logMsg);
217219

218220
// Add event to log
219221
errlHndl_t err = TpmLogMgr_addEvent(&i_logMgr, &eventLog);

src/usr/secureboot/trusted/test/trustedbootTest.H

Lines changed: 22 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -448,7 +448,26 @@ class TrustedBootTest: public CxxTest::TestSuite
448448
fails,
449449
sizeof(TPM2_ExtendIn) +
450450
sizeof(TPMS_AUTH_COMMAND) +
451-
4); //auth size field
451+
sizeof(uint32_t) - //auth size field
452+
sizeof(TPMT_HA)); // less second digest
453+
454+
cmdPtr->digests.count = 2;
455+
cmdPtr->digests.digests[1].algorithmId = TPM_ALG_SHA1;
456+
457+
// Test with two hashes
458+
runTpmMarshalTest(baseCmd,
459+
dataBufOut,
460+
sizeof(dataBufOut),
461+
cmdSize,
462+
"ExtendIn",
463+
num_ops,
464+
fails,
465+
sizeof(TPM2_ExtendIn) +
466+
sizeof(TPMS_AUTH_COMMAND) +
467+
sizeof(uint32_t) - //auth size field
468+
(TPM_ALG_SHA256_SIZE - TPM_ALG_SHA1_SIZE)
469+
); // less sha1 digest size
470+
452471

453472
// Invalid number of digests
454473
memset(dataBufIn, 0, sizeof(dataBufIn));
@@ -488,7 +507,8 @@ class TrustedBootTest: public CxxTest::TestSuite
488507
"PcrReadIn",
489508
num_ops,
490509
fails,
491-
sizeof(TPM2_PcrReadIn));
510+
sizeof(TPM2_PcrReadIn) -
511+
sizeof(TPMS_PCR_SELECTION)); // less unused
492512

493513
// Invalid number of algorithms
494514
memset(dataBufIn, 0, sizeof(dataBufIn));

src/usr/secureboot/trusted/tpmLogMgr.C

Lines changed: 32 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -120,6 +120,8 @@ namespace TRUSTEDBOOT
120120
eventData->numberOfAlgorithms = htole32(HASH_COUNT);
121121
eventData->digestSizes[0].algorithmId = htole16(TPM_ALG_SHA256);
122122
eventData->digestSizes[0].digestSize = htole16(TPM_ALG_SHA256_SIZE);
123+
eventData->digestSizes[1].algorithmId = htole16(TPM_ALG_SHA1);
124+
eventData->digestSizes[1].digestSize = htole16(TPM_ALG_SHA1_SIZE);
123125
eventData->vendorInfoSize = sizeof(vendorInfo);
124126
memcpy(eventData->vendorInfo, vendorInfo, sizeof(vendorInfo));
125127
val->newEventPtr = TCG_PCR_EVENT_logMarshal(&eventLogEntry,
@@ -156,16 +158,12 @@ namespace TRUSTEDBOOT
156158

157159
mutex_init( &val->logMutex );
158160
mutex_lock( &val->logMutex );
159-
TRACUCOMP( g_trac_trustedboot,
160-
">>initializeUsingExistingLog() 1");
161161

162162
val->logMaxSize = eventLogSize;
163163
val->eventLogInMem = eventLogPtr;
164164

165165
// Ok, walk the log to figure out how big this is
166166
val->logSize = TpmLogMgr_calcLogSize(val);
167-
TRACUCOMP( g_trac_trustedboot,
168-
">>initializeUsingExistingLog() 2");
169167

170168
if (0 == val->logSize)
171169
{
@@ -298,7 +296,7 @@ namespace TRUSTEDBOOT
298296
{
299297

300298
// Debug display of raw data
301-
TRACUCOMP(g_trac_trustedboot, "tpmDumpLog Size : %d\n",
299+
TRACUCOMP(g_trac_trustedboot, "tpmDumpLog Size : %d",
302300
(int)val->logSize);
303301

304302
#ifdef __HOSTBOOT_MODULE
@@ -450,25 +448,45 @@ namespace TRUSTEDBOOT
450448
}
451449

452450
TCG_PCR_EVENT2 TpmLogMgr_genLogEventPcrExtend(TPM_Pcr i_pcr,
453-
TPM_Alg_Id i_algId,
454-
const uint8_t* i_digest,
455-
size_t i_digestSize,
451+
TPM_Alg_Id i_algId_1,
452+
const uint8_t* i_digest_1,
453+
size_t i_digestSize_1,
454+
TPM_Alg_Id i_algId_2,
455+
const uint8_t* i_digest_2,
456+
size_t i_digestSize_2,
456457
const char* i_logMsg)
457458
{
458459
TCG_PCR_EVENT2 eventLog;
460+
size_t fullDigestSize_1 = 0;
461+
size_t fullDigestSize_2 = 0;
462+
463+
fullDigestSize_1 = getDigestSize(i_algId_1);
464+
if (NULL != i_digest_2)
465+
{
466+
fullDigestSize_2 = getDigestSize(i_algId_2);
467+
}
459468

460469
memset(&eventLog, 0, sizeof(eventLog));
461470
eventLog.pcrIndex = i_pcr;
462471
eventLog.eventType = EV_ACTION;
463472

464-
// Update digest information, we only use 1 entry
473+
// Update digest information
465474
eventLog.digests.count = 1;
466-
eventLog.digests.digests[0].algorithmId = i_algId;
467-
memcpy(eventLog.digests.digests[0].digest.bytes,
468-
i_digest,
469-
(i_digestSize > sizeof(TPMU_HA) ?
470-
sizeof(TPMU_HA) : i_digestSize));
475+
eventLog.digests.digests[0].algorithmId = i_algId_1;
476+
memcpy(&(eventLog.digests.digests[0].digest),
477+
i_digest_1,
478+
(i_digestSize_1 < fullDigestSize_1 ?
479+
i_digestSize_1 : fullDigestSize_1));
471480

481+
if (NULL != i_digest_2)
482+
{
483+
eventLog.digests.count = 2;
484+
eventLog.digests.digests[1].algorithmId = i_algId_2;
485+
memcpy(&(eventLog.digests.digests[1].digest),
486+
i_digest_2,
487+
(i_digestSize_2 < fullDigestSize_2 ?
488+
i_digestSize_2 : fullDigestSize_2));
489+
}
472490
// Event field data
473491
eventLog.event.eventSize = strlen(i_logMsg);
474492
memset(eventLog.event.event, 0, sizeof(eventLog.event.event));

src/usr/secureboot/trusted/tpmLogMgr.H

Lines changed: 13 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -77,7 +77,7 @@ namespace TRUSTEDBOOT
7777
uint32_t TCG_EfiSpecIdEventStruct_size(TCG_EfiSpecIdEventStruct* val);
7878

7979
enum {
80-
TPMLOG_BUFFER_SIZE = 1024, ///< Size of event log buffer in bytes
80+
TPMLOG_BUFFER_SIZE = 2048, ///< Size of event log buffer in bytes
8181
TPMLOG_DEVTREE_SIZE = 64*1024, ///< Size to allocate for OPAL
8282
};
8383

@@ -204,17 +204,23 @@ namespace TRUSTEDBOOT
204204
* @brief Get a TCG_PCR_EVENT2 populated with required data
205205
*
206206
* @param[in] i_pcr PCR to write to
207-
* @param[in] i_algId Algorithm to use
208-
* @param[in] i_digest Digest value to write to PCR
209-
* @param[in] i_digestSize Byte size of i_digest array
207+
* @param[in] i_algId_1 Algorithm to use
208+
* @param[in] i_digest_1 Digest value to write to PCR
209+
* @param[in] i_digestSize_1 Byte size of i_digest array
210+
* @param[in] i_algId_2 Algorithm to use
211+
* @param[in] i_digest_2 Digest value to write to PCR, NULL if not used
212+
* @param[in] i_digestSize_2 Byte size of i_digest array
210213
* @param[in] i_logMsg Null terminated Log message
211214
*
212215
* @return TCG_PCR_EVENT2 PCR event log
213216
*/
214217
TCG_PCR_EVENT2 TpmLogMgr_genLogEventPcrExtend(TPM_Pcr i_pcr,
215-
TPM_Alg_Id i_algId,
216-
const uint8_t* i_digest,
217-
size_t i_digestSize,
218+
TPM_Alg_Id i_algId_1,
219+
const uint8_t* i_digest_1,
220+
size_t i_digestSize_1,
221+
TPM_Alg_Id i_algId_2,
222+
const uint8_t* i_digest_2,
223+
size_t i_digestSize_2,
218224
const char* i_logMsg);
219225

220226
/**

src/usr/secureboot/trusted/trustedTypes.C

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -167,7 +167,7 @@ namespace TRUSTEDBOOT
167167
return NULL;
168168
}
169169
o_tpmBuf = marshalChunk(o_tpmBuf, i_tpmBufSize, io_cmdSize,
170-
&(val->digest.bytes),
170+
&(val->digest),
171171
getDigestSize((TPM_Alg_Id)val->algorithmId));
172172
return o_tpmBuf;
173173
}
@@ -493,7 +493,7 @@ namespace TRUSTEDBOOT
493493
uint16_t* field16 = (uint16_t*)i_logBuf;
494494
*field16 = htole16(val->algorithmId);
495495
i_logBuf += sizeof(uint16_t);
496-
memcpy(i_logBuf, val->digest.bytes,
496+
memcpy(i_logBuf, &(val->digest),
497497
getDigestSize((TPM_Alg_Id)val->algorithmId));
498498
i_logBuf += getDigestSize((TPM_Alg_Id)val->algorithmId);
499499
return i_logBuf;
@@ -537,7 +537,7 @@ namespace TRUSTEDBOOT
537537
break;
538538
}
539539

540-
memcpy(&(val->digest.bytes), i_tpmBuf, size);
540+
memcpy(&(val->digest), i_tpmBuf, size);
541541
i_tpmBuf += size;
542542
} while(0);
543543

@@ -555,7 +555,7 @@ namespace TRUSTEDBOOT
555555
{
556556
size_t digestSize = getDigestSize((TPM_Alg_Id)algorithmId);
557557
return (algorithmId == i_rhs.algorithmId) &&
558-
(memcmp(digest.bytes, i_rhs.digest.bytes, digestSize) == 0);
558+
(memcmp(&(digest), &(i_rhs.digest), digestSize) == 0);
559559
}
560560
#endif
561561

@@ -871,7 +871,7 @@ namespace TRUSTEDBOOT
871871
{
872872
*o_err = true;
873873
i_tpmBuf = NULL;
874-
TRACFCOMP(g_trac_trustedboot,"ERROR> TCG_PCR_EVENT2:"
874+
TRACUCOMP(g_trac_trustedboot,"ERROR> TCG_PCR_EVENT2:"
875875
"logUnmarshal() invalid pcrIndex %d",
876876
val->pcrIndex);
877877
break;
@@ -888,7 +888,7 @@ namespace TRUSTEDBOOT
888888
{
889889
*o_err = true;
890890
i_tpmBuf = NULL;
891-
TRACFCOMP(g_trac_trustedboot,"ERROR> TCG_PCR_EVENT2:"
891+
TRACUCOMP(g_trac_trustedboot,"ERROR> TCG_PCR_EVENT2:"
892892
"logUnmarshal() invalid eventType %d",
893893
val->eventType);
894894
break;

src/usr/secureboot/trusted/trustedTypes.H

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -76,7 +76,7 @@ namespace TRUSTEDBOOT
7676
TPM_BACKUP_INDEX = 1, ///< Index for backup TPM
7777
MAX_TPM_LOG_MSG = 128, ///< Maximum log message size
7878

79-
HASH_COUNT = 1, ///< Maximum # of digests
79+
HASH_COUNT = 2, ///< Maximum # of digests
8080

8181
PCR_SELECT_MAX = (IMPLEMENTATION_PCR+7)/8, ///< PCR selection octet max
8282
};
@@ -203,7 +203,6 @@ namespace TRUSTEDBOOT
203203
/// Digest union
204204
union _TPMU_HA
205205
{
206-
uint8_t bytes[0];
207206
uint8_t sha1[TPM_ALG_SHA1_SIZE];
208207
uint8_t sha256[TPM_ALG_SHA256_SIZE];
209208
} PACKED;

src/usr/secureboot/trusted/trustedboot.C

Lines changed: 18 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -411,7 +411,8 @@ void tpmReplayLog(TRUSTEDBOOT::TpmTarget & io_target)
411411
err = tpmCmdPcrExtend(&io_target,
412412
(TPM_Pcr)l_eventLog.pcrIndex,
413413
l_algId,
414-
l_eventLog.digests.digests[i].digest.bytes,
414+
reinterpret_cast<uint8_t*>
415+
(&(l_eventLog.digests.digests[i].digest)),
415416
getDigestSize(l_algId));
416417
if (err)
417418
{
@@ -571,8 +572,12 @@ void pcrExtendSingleTpm(TpmTarget & io_target,
571572
!io_target.failed))
572573
{
573574
// Fill in TCG_PCR_EVENT2 and add to log
574-
eventLog = TpmLogMgr_genLogEventPcrExtend(i_pcr, i_algId, i_digest,
575-
i_digestSize, i_logMsg);
575+
eventLog = TpmLogMgr_genLogEventPcrExtend(i_pcr,
576+
i_algId, i_digest,
577+
i_digestSize,
578+
TPM_ALG_SHA1, i_digest,
579+
i_digestSize,
580+
i_logMsg);
576581
err = TpmLogMgr_addEvent(io_target.logMgr,&eventLog);
577582
if (NULL != err)
578583
{
@@ -587,11 +592,16 @@ void pcrExtendSingleTpm(TpmTarget & io_target,
587592
!io_target.failed)
588593
{
589594

590-
err = tpmCmdPcrExtend(&io_target,
591-
i_pcr,
592-
i_algId,
593-
i_digest,
594-
i_digestSize);
595+
// Perform the requested extension and also force into the
596+
// SHA1 bank
597+
err = tpmCmdPcrExtend2Hash(&io_target,
598+
i_pcr,
599+
i_algId,
600+
i_digest,
601+
i_digestSize,
602+
TPM_ALG_SHA1,
603+
i_digest,
604+
i_digestSize);
595605
}
596606
} while ( 0 );
597607

0 commit comments

Comments
 (0)