From f5ef699f40ca36815069e9c1df72af6385e600f0 Mon Sep 17 00:00:00 2001 From: Vadim Bendebury Date: Sun, 3 Jul 2016 22:20:17 -0700 Subject: tpm2: implement and use pcr_extend command TPM PCRs are used in Chrome OS for two purposes: to communicate crucial information from RO firmware and to protect FW and kernel rollback counters from being deleted. As implemented in a TPM1 compatible way, the PCR extension command requires a prebuilt digest to calculate a new PCR value. TPM2 specification introduces a PCR_Event command, where the TPM itself calculates the digest of an arbitrary length string, and then uses the calculated digest for PCR extension. PCR_Event could be a better option for Chrome OS, this needs to be investigated separately. BRANCH=none BUG=chrome-os-partner:50645 TEST=verified that the two PCRs are successfully extended before the RW firmware is called. Change-Id: I38fc88172de8ec8bef56fec026f83058480c8010 Signed-off-by: Martin Roth Original-Commit-Id: 73388139db3ffaf61a3d9027522c5ebecb3ad051 Original-Change-Id: I1a9bab7396fdb652e2e3bc8529b828ea3423d851 Original-Signed-off-by: Vadim Bendebury Original-Reviewed-on: https://chromium-review.googlesource.com/358098 Original-Reviewed-by: Aaron Durbin Original-Reviewed-by: Darren Krahn Reviewed-on: https://review.coreboot.org/15639 Tested-by: build bot (Jenkins) Reviewed-by: Philipp Deppenwiese --- src/lib/tpm2_tlcl_structures.h | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) (limited to 'src/lib/tpm2_tlcl_structures.h') diff --git a/src/lib/tpm2_tlcl_structures.h b/src/lib/tpm2_tlcl_structures.h index 1e7fcf05fa..36a3e8b253 100644 --- a/src/lib/tpm2_tlcl_structures.h +++ b/src/lib/tpm2_tlcl_structures.h @@ -25,11 +25,12 @@ typedef uint32_t TPM_CC; typedef uint32_t TPM_HANDLE; typedef uint32_t TPM_RC; typedef uint8_t TPMI_YES_NO; +typedef TPM_ALG_ID TPMI_ALG_HASH; +typedef TPM_HANDLE TPMI_DH_PCR; typedef TPM_HANDLE TPMI_RH_NV_INDEX; typedef TPM_HANDLE TPMI_RH_PROVISION; typedef TPM_HANDLE TPMI_SH_AUTH_SESSION; typedef TPM_HANDLE TPM_RH; -typedef TPM_ALG_ID TPMI_ALG_HASH; /* Some hardcoded algorithm values. */ #define TPM_ALG_HMAC ((TPM_ALG_ID)0x0005) @@ -37,6 +38,8 @@ typedef TPM_ALG_ID TPMI_ALG_HASH; #define TPM_ALG_SHA1 ((TPM_ALG_ID)0x0004) #define TPM_ALG_SHA256 ((TPM_ALG_ID)0x000b) +#define SHA256_DIGEST_SIZE 32 + /* Some hardcoded hierarchies. */ #define TPM_RH_NULL 0x40000007 #define TPM_RS_PW 0x40000009 @@ -64,11 +67,13 @@ struct tpm_header { #define TPM2_Startup ((TPM_CC)0x00000144) #define TPM2_NV_Read ((TPM_CC)0x0000014E) #define TPM2_GetCapability ((TPM_CC)0x0000017A) +#define TPM2_PCR_Extend ((TPM_CC)0x00000182) /* Startup values. */ #define TPM_SU_CLEAR 0 #define TPM_SU_STATE 1 +#define TPM_HT_PCR 0x00 #define TPM_HT_NV_INDEX 0x01 #define TPM_HT_HMAC_SESSION 0x02 #define TPM_HT_POLICY_SESSION 0x03 @@ -241,6 +246,24 @@ typedef union { TPM2B b; } TPM2B_MAX_NV_BUFFER; +/* + * This is a union, but as of now we support just one digest - sha256, so + * there is just one element. + */ +typedef union { + uint8_t sha256[SHA256_DIGEST_SIZE]; +} TPMU_HA; + +typedef struct { + TPMI_ALG_HASH hashAlg; + TPMU_HA digest; +} TPMT_HA; + +typedef struct { + uint32_t count; + TPMT_HA digests[1]; /* Limit max number of hashes to 1. */ +} TPML_DIGEST_VALUES; + struct nv_read_response { uint32_t params_size; TPM2B_MAX_NV_BUFFER buffer; @@ -306,4 +329,9 @@ struct tpm2_nv_write_lock_cmd { TPMI_RH_NV_INDEX nvIndex; }; +struct tpm2_pcr_extend_cmd { + TPMI_DH_PCR pcrHandle; + TPML_DIGEST_VALUES digests; +}; + #endif // __SRC_LIB_TPM2_TLCL_STRUCTURES_H -- cgit v1.2.3