diff options
Diffstat (limited to 'src/security/tpm/tspi')
| -rw-r--r-- | src/security/tpm/tspi/crtm.c | 47 | ||||
| -rw-r--r-- | src/security/tpm/tspi/crtm.h | 5 | ||||
| -rw-r--r-- | src/security/tpm/tspi/tspi.c | 54 |
3 files changed, 55 insertions, 51 deletions
diff --git a/src/security/tpm/tspi/crtm.c b/src/security/tpm/tspi/crtm.c index 4f29ad134b..4a89d7f262 100644 --- a/src/security/tpm/tspi/crtm.c +++ b/src/security/tpm/tspi/crtm.c @@ -31,25 +31,27 @@ static inline int tpm_log_available(void) * stage. * * Takes the current vboot context as parameter for s3 checks. - * returns on success VB2_SUCCESS, else a vboot error. + * returns on success TPM_SUCCESS, else a TPM error. */ -static uint32_t tspi_init_crtm(void) +static tpm_result_t tspi_init_crtm(void) { + tpm_result_t rc = TPM_SUCCESS; /* Initialize TPM PRERAM log. */ if (!tpm_log_available()) { tpm_preram_log_clear(); tpm_log_initialized = 1; } else { printk(BIOS_WARNING, "TSPI: CRTM already initialized!\n"); - return VB2_SUCCESS; + return TPM_SUCCESS; } struct region_device fmap; if (fmap_locate_area_as_rdev("FMAP", &fmap) == 0) { - if (tpm_measure_region(&fmap, CONFIG_PCR_SRTM, "FMAP: FMAP")) { + rc = tpm_measure_region(&fmap, CONFIG_PCR_SRTM, "FMAP: FMAP"); + if (rc) { printk(BIOS_ERR, - "TSPI: Couldn't measure FMAP into CRTM!\n"); - return VB2_ERROR_UNKNOWN; + "TSPI: Couldn't measure FMAP into CRTM! rc %#x\n", rc); + return rc; } } else { printk(BIOS_ERR, "TSPI: Could not find FMAP!\n"); @@ -59,10 +61,11 @@ static uint32_t tspi_init_crtm(void) if (!CONFIG(ARCH_X86)) { struct region_device bootblock_fmap; if (fmap_locate_area_as_rdev("BOOTBLOCK", &bootblock_fmap) == 0) { - if (tpm_measure_region(&bootblock_fmap, + rc = tpm_measure_region(&bootblock_fmap, CONFIG_PCR_SRTM, - "FMAP: BOOTBLOCK")) - return VB2_ERROR_UNKNOWN; + "FMAP: BOOTBLOCK"); + if (rc) + return rc; } } else if (CONFIG(BOOTBLOCK_IN_CBFS)){ /* Mapping measures the file. We know we can safely map here because @@ -72,7 +75,7 @@ static uint32_t tspi_init_crtm(void) if (!mapping) { printk(BIOS_INFO, "TSPI: Couldn't measure bootblock into CRTM!\n"); - return VB2_ERROR_UNKNOWN; + return TPM_CB_FAIL; } cbfs_unmap(mapping); } else { @@ -82,11 +85,11 @@ static uint32_t tspi_init_crtm(void) if (tspi_soc_measure_bootblock(CONFIG_PCR_SRTM)) { printk(BIOS_INFO, "TSPI: Couldn't measure bootblock into CRTM on SoC level!\n"); - return VB2_ERROR_UNKNOWN; + return TPM_CB_FAIL; } } - return VB2_SUCCESS; + return TPM_SUCCESS; } static bool is_runtime_data(const char *name) @@ -108,16 +111,18 @@ static bool is_runtime_data(const char *name) return !strcmp(allowlist, name); } -uint32_t tspi_cbfs_measurement(const char *name, uint32_t type, const struct vb2_hash *hash) +tpm_result_t tspi_cbfs_measurement(const char *name, uint32_t type, const struct vb2_hash *hash) { uint32_t pcr_index; + tpm_result_t rc = TPM_SUCCESS; char tpm_log_metadata[TPM_CB_LOG_PCR_HASH_NAME]; if (!tpm_log_available()) { - if (tspi_init_crtm() != VB2_SUCCESS) { + rc = tspi_init_crtm(); + if (rc) { printk(BIOS_WARNING, "Initializing CRTM failed!\n"); - return 0; + return rc; } printk(BIOS_DEBUG, "CRTM initialized.\n"); } @@ -171,7 +176,7 @@ void *tpm_log_init(void) return tclt; } -int tspi_measure_cache_to_pcr(void) +tpm_result_t tspi_measure_cache_to_pcr(void) { int i; int pcr; @@ -181,27 +186,27 @@ int tspi_measure_cache_to_pcr(void) /* This means the table is empty. */ if (!tpm_log_available()) - return VB2_SUCCESS; + return TPM_SUCCESS; if (tpm_log_init() == NULL) { printk(BIOS_WARNING, "TPM LOG: log non-existent!\n"); - return VB2_ERROR_UNKNOWN; + return TPM_CB_FAIL; } printk(BIOS_DEBUG, "TPM: Write digests cached in TPM log to PCR\n"); i = 0; while (!tpm_log_get(i++, &pcr, &digest_data, &digest_algo, &event_name)) { printk(BIOS_DEBUG, "TPM: Write digest for %s into PCR %d\n", event_name, pcr); - int rc = tlcl_extend(pcr, digest_data, digest_algo); + tpm_result_t rc = tlcl_extend(pcr, digest_data, digest_algo); if (rc != TPM_SUCCESS) { printk(BIOS_ERR, "TPM: Writing digest of %s into PCR failed with error %d\n", event_name, rc); - return VB2_ERROR_UNKNOWN; + return rc; } } - return VB2_SUCCESS; + return TPM_SUCCESS; } #if !CONFIG(VBOOT_RETURN_FROM_VERSTAGE) diff --git a/src/security/tpm/tspi/crtm.h b/src/security/tpm/tspi/crtm.h index 2bc1d1fad9..6f5eb2e716 100644 --- a/src/security/tpm/tspi/crtm.h +++ b/src/security/tpm/tspi/crtm.h @@ -5,6 +5,7 @@ #include <program_loading.h> #include <security/tpm/tspi.h> +#include <security/tpm/tss_errors.h> #include <types.h> #include <vb2_sha.h> @@ -40,12 +41,12 @@ /** * Measure digests cached in TPM log entries into PCRs */ -int tspi_measure_cache_to_pcr(void); +tpm_result_t tspi_measure_cache_to_pcr(void); /** * Extend a measurement hash taken for a CBFS file into the appropriate PCR. */ -uint32_t tspi_cbfs_measurement(const char *name, uint32_t type, const struct vb2_hash *hash); +tpm_result_t tspi_cbfs_measurement(const char *name, uint32_t type, const struct vb2_hash *hash); /* * Provide a function on SoC level to measure the bootblock for cases where bootblock is diff --git a/src/security/tpm/tspi/tspi.c b/src/security/tpm/tspi/tspi.c index aee1cf4709..80f33d59c6 100644 --- a/src/security/tpm/tspi/tspi.c +++ b/src/security/tpm/tspi/tspi.c @@ -11,16 +11,16 @@ #include <vb2_sha.h> #if CONFIG(TPM1) -static uint32_t tpm1_invoke_state_machine(void) +static tpm_result_t tpm1_invoke_state_machine(void) { uint8_t disabled; uint8_t deactivated; - uint32_t rc = TPM_SUCCESS; + tpm_result_t rc = TPM_SUCCESS; /* Check that the TPM is enabled and activated. */ rc = tlcl_get_flags(&disabled, &deactivated, NULL); if (rc != TPM_SUCCESS) { - printk(BIOS_ERR, "TPM: Can't read capabilities.\n"); + printk(BIOS_ERR, "TPM Error (%#x): Can't read capabilities.\n", rc); return rc; } @@ -29,7 +29,7 @@ static uint32_t tpm1_invoke_state_machine(void) rc = tlcl_set_enable(); if (rc != TPM_SUCCESS) { - printk(BIOS_ERR, "TPM: Can't set enabled state.\n"); + printk(BIOS_ERR, "TPM Error (%#x): Can't set enabled state.\n", rc); return rc; } } @@ -40,7 +40,7 @@ static uint32_t tpm1_invoke_state_machine(void) rc = tlcl_set_deactivated(!deactivated); if (rc != TPM_SUCCESS) { printk(BIOS_ERR, - "TPM: Can't toggle deactivated state.\n"); + "TPM Error (%#x): Can't toggle deactivated state.\n", rc); return rc; } @@ -52,11 +52,9 @@ static uint32_t tpm1_invoke_state_machine(void) } #endif -static uint32_t tpm_setup_s3_helper(void) +static tpm_result_t tpm_setup_s3_helper(void) { - uint32_t rc; - - rc = tlcl_resume(); + tpm_result_t rc = tlcl_resume(); switch (rc) { case TPM_SUCCESS: break; @@ -78,7 +76,7 @@ static uint32_t tpm_setup_s3_helper(void) return rc; } -static uint32_t tpm_setup_epilogue(uint32_t rc) +static tpm_result_t tpm_setup_epilogue(tpm_result_t rc) { if (rc != TPM_SUCCESS) post_code(POSTCODE_TPM_FAILURE); @@ -133,13 +131,13 @@ static inline int tspi_tpm_is_setup(void) * to the TPM flashram at every reboot or wake-up, because of concerns about * the durability of the NVRAM. */ -uint32_t tpm_setup(int s3flag) +tpm_result_t tpm_setup(int s3flag) { - uint32_t rc; + tpm_result_t rc; rc = tlcl_lib_init(); if (rc != TPM_SUCCESS) { - printk(BIOS_ERR, "TPM: Can't initialize.\n"); + printk(BIOS_ERR, "TPM Error (%#x): Can't initialize.\n", rc); return tpm_setup_epilogue(rc); } @@ -152,11 +150,11 @@ uint32_t tpm_setup(int s3flag) rc = tlcl_startup(); if (CONFIG(TPM_STARTUP_IGNORE_POSTINIT) && rc == TPM_INVALID_POSTINIT) { - printk(BIOS_DEBUG, "TPM: ignoring invalid POSTINIT\n"); + printk(BIOS_DEBUG, "TPM Warn(%#x): ignoring invalid POSTINIT\n", rc); rc = TPM_SUCCESS; } if (rc != TPM_SUCCESS) { - printk(BIOS_ERR, "TPM: Can't run startup command.\n"); + printk(BIOS_ERR, "TPM Error (%#x): Can't run startup command.\n", rc); return tpm_setup_epilogue(rc); } @@ -169,13 +167,13 @@ uint32_t tpm_setup(int s3flag) */ rc = tlcl_physical_presence_cmd_enable(); if (rc != TPM_SUCCESS) { - printk(BIOS_ERR, "TPM: Can't enable physical presence command.\n"); + printk(BIOS_ERR, "TPM Error (%#x): Can't enable physical presence command.\n", rc); return tpm_setup_epilogue(rc); } rc = tlcl_assert_physical_presence(); if (rc != TPM_SUCCESS) { - printk(BIOS_ERR, "TPM: Can't assert physical presence.\n"); + printk(BIOS_ERR, "TPM Error (%#x): Can't assert physical presence.\n", rc); return tpm_setup_epilogue(rc); } } @@ -190,27 +188,27 @@ uint32_t tpm_setup(int s3flag) return tpm_setup_epilogue(rc); } -uint32_t tpm_clear_and_reenable(void) +tpm_result_t tpm_clear_and_reenable(void) { - uint32_t rc; + tpm_result_t rc; printk(BIOS_INFO, "TPM: Clear and re-enable\n"); rc = tlcl_force_clear(); if (rc != TPM_SUCCESS) { - printk(BIOS_ERR, "TPM: Can't initiate a force clear.\n"); + printk(BIOS_ERR, "TPM Error (%#x): Can't initiate a force clear.\n", rc); return rc; } #if CONFIG(TPM1) rc = tlcl_set_enable(); if (rc != TPM_SUCCESS) { - printk(BIOS_ERR, "TPM: Can't set enabled state.\n"); + printk(BIOS_ERR, "TPM Error (%#x): Can't set enabled state.\n", rc); return rc; } rc = tlcl_set_deactivated(0); if (rc != TPM_SUCCESS) { - printk(BIOS_ERR, "TPM: Can't set deactivated state.\n"); + printk(BIOS_ERR, "TPM Error (%#x): Can't set deactivated state.\n", rc); return rc; } #endif @@ -218,10 +216,10 @@ uint32_t tpm_clear_and_reenable(void) return TPM_SUCCESS; } -uint32_t tpm_extend_pcr(int pcr, enum vb2_hash_algorithm digest_algo, +tpm_result_t tpm_extend_pcr(int pcr, enum vb2_hash_algorithm digest_algo, const uint8_t *digest, size_t digest_len, const char *name) { - uint32_t rc; + tpm_result_t rc; if (!digest) return TPM_IOERROR; @@ -229,15 +227,15 @@ uint32_t tpm_extend_pcr(int pcr, enum vb2_hash_algorithm digest_algo, if (tspi_tpm_is_setup()) { rc = tlcl_lib_init(); if (rc != TPM_SUCCESS) { - printk(BIOS_ERR, "TPM: Can't initialize library.\n"); + printk(BIOS_ERR, "TPM Error (%#x): Can't initialize library.\n", rc); return rc; } printk(BIOS_DEBUG, "TPM: Extending digest for `%s` into PCR %d\n", name, pcr); rc = tlcl_extend(pcr, digest, digest_algo); if (rc != TPM_SUCCESS) { - printk(BIOS_ERR, "TPM: Extending hash for `%s` into PCR %d failed.\n", - name, pcr); + printk(BIOS_ERR, "TPM Error (%#x): Extending hash for `%s` into PCR %d failed.\n", + rc, name, pcr); return rc; } } @@ -252,7 +250,7 @@ uint32_t tpm_extend_pcr(int pcr, enum vb2_hash_algorithm digest_algo, } #if CONFIG(VBOOT_LIB) -uint32_t tpm_measure_region(const struct region_device *rdev, uint8_t pcr, +tpm_result_t tpm_measure_region(const struct region_device *rdev, uint8_t pcr, const char *rname) { uint8_t digest[TPM_PCR_MAX_LEN], digest_len; |