From 094a051732341d20e82c349ea10f85faea6e58d1 Mon Sep 17 00:00:00 2001 From: Sergii Dmytruk Date: Mon, 31 Oct 2022 18:41:52 +0200 Subject: security/tpm: resolve conflicts in TSS implementations No functional changes. Refactor code such that there won't be any compiler or linker errors if TSS 1.2 and TSS 2.0 were both compiled in. One might want to support both TPM families for example if TPM is pluggable, while currently one has to reflash firmware along with switching TPM device. Change-Id: Ia0ea5a917c46ada9fc3274f17240e12bca98db6a Ticket: https://ticket.coreboot.org/issues/433 Signed-off-by: Sergii Dmytruk Reviewed-on: https://review.coreboot.org/c/coreboot/+/69160 Tested-by: build bot (Jenkins) Reviewed-by: Julius Werner --- src/security/tpm/tss/tcg-2.0/tss.c | 120 +++++++++++--------------- src/security/tpm/tss/tcg-2.0/tss_marshaling.c | 10 +-- 2 files changed, 54 insertions(+), 76 deletions(-) (limited to 'src/security/tpm/tss/tcg-2.0') diff --git a/src/security/tpm/tss/tcg-2.0/tss.c b/src/security/tpm/tss/tcg-2.0/tss.c index 27390a78ab..282845e44c 100644 --- a/src/security/tpm/tss/tcg-2.0/tss.c +++ b/src/security/tpm/tss/tcg-2.0/tss.c @@ -16,9 +16,7 @@ * TPM2 specification. */ -static tis_sendrecv_fn tis_sendrecv; - -void *tpm_process_command(TPM_CC command, void *command_body) +void *tlcl2_process_command(TPM_CC command, void *command_body) { struct obuf ob; struct ibuf ib; @@ -28,7 +26,7 @@ void *tpm_process_command(TPM_CC command, void *command_body) /* Command/response buffer. */ static uint8_t cr_buffer[TPM_BUFFER_SIZE]; - if (tis_sendrecv == NULL) { + if (tlcl_tis_sendrecv == NULL) { printk(BIOS_ERR, "Attempted use of uninitialized TSS 2.0 stack\n"); return NULL; } @@ -43,7 +41,7 @@ void *tpm_process_command(TPM_CC command, void *command_body) sendb = obuf_contents(&ob, &out_size); in_size = sizeof(cr_buffer); - if (tis_sendrecv(sendb, out_size, cr_buffer, &in_size)) { + if (tlcl_tis_sendrecv(sendb, out_size, cr_buffer, &in_size)) { printk(BIOS_ERR, "tpm transaction failed\n"); return NULL; } @@ -53,13 +51,13 @@ void *tpm_process_command(TPM_CC command, void *command_body) return tpm_unmarshal_response(command, &ib); } -static tpm_result_t tlcl_send_startup(TPM_SU type) +static tpm_result_t tlcl2_send_startup(TPM_SU type) { struct tpm2_startup startup; struct tpm2_response *response; startup.startup_type = type; - response = tpm_process_command(TPM2_Startup, &startup); + response = tlcl2_process_command(TPM2_Startup, &startup); /* IO error, tpm2_response pointer is empty. */ if (!response) { @@ -82,18 +80,18 @@ static tpm_result_t tlcl_send_startup(TPM_SU type) return TPM_IOERROR; } -tpm_result_t tlcl_resume(void) +tpm_result_t tlcl2_resume(void) { - return tlcl_send_startup(TPM_SU_STATE); + return tlcl2_send_startup(TPM_SU_STATE); } -static tpm_result_t tlcl_send_shutdown(TPM_SU type) +static tpm_result_t tlcl2_send_shutdown(TPM_SU type) { struct tpm2_shutdown shutdown; struct tpm2_response *response; shutdown.shutdown_type = type; - response = tpm_process_command(TPM2_Shutdown, &shutdown); + response = tlcl2_process_command(TPM2_Shutdown, &shutdown); /* IO error, tpm2_response pointer is empty. */ if (!response) { @@ -111,12 +109,12 @@ static tpm_result_t tlcl_send_shutdown(TPM_SU type) return TPM_IOERROR; } -tpm_result_t tlcl_save_state(void) +tpm_result_t tlcl2_save_state(void) { - return tlcl_send_shutdown(TPM_SU_STATE); + return tlcl2_send_shutdown(TPM_SU_STATE); } -tpm_result_t tlcl_assert_physical_presence(void) +tpm_result_t tlcl2_assert_physical_presence(void) { /* * Nothing to do on TPM2 for this, use platform hierarchy availability @@ -142,8 +140,12 @@ static TPM_ALG_ID tpmalg_from_vb2_hash(enum vb2_hash_algorithm hash_type) } } -tpm_result_t tlcl_extend(int pcr_num, const uint8_t *digest_data, - enum vb2_hash_algorithm digest_type) +/* + * The caller will provide the digest in a 32 byte buffer, let's consider it a + * sha256 digest. + */ +tpm_result_t tlcl2_extend(int pcr_num, const uint8_t *digest_data, + enum vb2_hash_algorithm digest_type) { struct tpm2_pcr_extend_cmd pcr_ext_cmd; struct tpm2_response *response; @@ -160,7 +162,7 @@ tpm_result_t tlcl_extend(int pcr_num, const uint8_t *digest_data, memcpy(pcr_ext_cmd.digests.digests[0].digest.sha512, digest_data, vb2_digest_size(digest_type)); - response = tpm_process_command(TPM2_PCR_Extend, &pcr_ext_cmd); + response = tlcl2_process_command(TPM2_PCR_Extend, &pcr_ext_cmd); printk(BIOS_INFO, "%s: response is %#x\n", __func__, response ? response->hdr.tpm_code : -1); @@ -170,18 +172,18 @@ tpm_result_t tlcl_extend(int pcr_num, const uint8_t *digest_data, return TPM_SUCCESS; } -tpm_result_t tlcl_finalize_physical_presence(void) +tpm_result_t tlcl2_finalize_physical_presence(void) { /* Nothing needs to be done with tpm2. */ printk(BIOS_INFO, "%s:%s:%d\n", __FILE__, __func__, __LINE__); return TPM_SUCCESS; } -tpm_result_t tlcl_force_clear(void) +tpm_result_t tlcl2_force_clear(void) { struct tpm2_response *response; - response = tpm_process_command(TPM2_Clear, NULL); + response = tlcl2_process_command(TPM2_Clear, NULL); printk(BIOS_INFO, "%s: response is %#x\n", __func__, response ? response->hdr.tpm_code : -1); @@ -191,16 +193,16 @@ tpm_result_t tlcl_force_clear(void) return TPM_SUCCESS; } -tpm_result_t tlcl_clear_control(bool disable) +tpm_result_t tlcl2_clear_control(bool disable) { struct tpm2_response *response; struct tpm2_clear_control_cmd cc = { .disable = 0, }; - response = tpm_process_command(TPM2_ClearControl, &cc); + response = tlcl2_process_command(TPM2_ClearControl, &cc); printk(BIOS_INFO, "%s: response is %#x\n", - __func__, response ? response->hdr.tpm_code : -1); + __func__, response ? response->hdr.tpm_code : -1); if (!response || response->hdr.tpm_code) return TPM_IOERROR; @@ -208,37 +210,13 @@ tpm_result_t tlcl_clear_control(bool disable) return TPM_SUCCESS; } -/* This function is called directly by vboot, uses vboot return types. */ -tpm_result_t tlcl_lib_init(void) -{ - enum tpm_family family; - - if (tis_sendrecv != NULL) - return TPM_SUCCESS; - - tis_sendrecv = tis_probe(&family); - if (tis_sendrecv == NULL) { - printk(BIOS_ERR, "%s: tis_probe returned error\n", __func__); - return TPM_CB_NO_DEVICE; - } - - if (family != TPM_2) { - tis_sendrecv = NULL; - printk(BIOS_ERR, "%s: tis_probe returned unsupported TPM family: %d\n", - __func__, family); - return TPM_CB_INTERNAL_INCONSISTENCY; - } - - return TPM_SUCCESS; -} - -tpm_result_t tlcl_physical_presence_cmd_enable(void) +tpm_result_t tlcl2_physical_presence_cmd_enable(void) { printk(BIOS_INFO, "%s:%s:%d\n", __FILE__, __func__, __LINE__); return TPM_SUCCESS; } -tpm_result_t tlcl_read(uint32_t index, void *data, uint32_t length) +tpm_result_t tlcl2_read(uint32_t index, void *data, uint32_t length) { struct tpm2_nv_read_cmd nv_readc; struct tpm2_response *response; @@ -248,7 +226,7 @@ tpm_result_t tlcl_read(uint32_t index, void *data, uint32_t length) nv_readc.nvIndex = HR_NV_INDEX + index; nv_readc.size = length; - response = tpm_process_command(TPM2_NV_Read, &nv_readc); + response = tlcl2_process_command(TPM2_NV_Read, &nv_readc); /* Need to map tpm error codes into internal values. */ if (!response) @@ -287,20 +265,20 @@ tpm_result_t tlcl_read(uint32_t index, void *data, uint32_t length) return TPM_SUCCESS; } -tpm_result_t tlcl_self_test_full(void) +tpm_result_t tlcl2_self_test_full(void) { struct tpm2_self_test st; struct tpm2_response *response; st.yes_no = 1; - response = tpm_process_command(TPM2_SelfTest, &st); + response = tlcl2_process_command(TPM2_SelfTest, &st); printk(BIOS_INFO, "%s: response is %#x\n", __func__, response ? response->hdr.tpm_code : -1); return TPM_SUCCESS; } -tpm_result_t tlcl_lock_nv_write(uint32_t index) +tpm_result_t tlcl2_lock_nv_write(uint32_t index) { struct tpm2_response *response; /* TPM Will reject attempts to write at non-defined index. */ @@ -308,7 +286,7 @@ tpm_result_t tlcl_lock_nv_write(uint32_t index) .nvIndex = HR_NV_INDEX + index, }; - response = tpm_process_command(TPM2_NV_WriteLock, &nv_wl); + response = tlcl2_process_command(TPM2_NV_WriteLock, &nv_wl); printk(BIOS_INFO, "%s: response is %#x\n", __func__, response ? response->hdr.tpm_code : -1); @@ -319,12 +297,12 @@ tpm_result_t tlcl_lock_nv_write(uint32_t index) return TPM_SUCCESS; } -tpm_result_t tlcl_startup(void) +tpm_result_t tlcl2_startup(void) { - return tlcl_send_startup(TPM_SU_CLEAR); + return tlcl2_send_startup(TPM_SU_CLEAR); } -tpm_result_t tlcl_write(uint32_t index, const void *data, uint32_t length) +tpm_result_t tlcl2_write(uint32_t index, const void *data, uint32_t length) { struct tpm2_nv_write_cmd nv_writec; struct tpm2_response *response; @@ -335,7 +313,7 @@ tpm_result_t tlcl_write(uint32_t index, const void *data, uint32_t length) nv_writec.data.t.size = length; nv_writec.data.t.buffer = data; - response = tpm_process_command(TPM2_NV_Write, &nv_writec); + response = tlcl2_process_command(TPM2_NV_Write, &nv_writec); printk(BIOS_INFO, "%s: response is %#x\n", __func__, response ? response->hdr.tpm_code : -1); @@ -347,7 +325,7 @@ tpm_result_t tlcl_write(uint32_t index, const void *data, uint32_t length) return TPM_SUCCESS; } -tpm_result_t tlcl_set_bits(uint32_t index, uint64_t bits) +tpm_result_t tlcl2_set_bits(uint32_t index, uint64_t bits) { struct tpm2_nv_setbits_cmd nvsb_cmd; struct tpm2_response *response; @@ -358,7 +336,7 @@ tpm_result_t tlcl_set_bits(uint32_t index, uint64_t bits) nvsb_cmd.nvIndex = HR_NV_INDEX + index; nvsb_cmd.bits = bits; - response = tpm_process_command(TPM2_NV_SetBits, &nvsb_cmd); + response = tlcl2_process_command(TPM2_NV_SetBits, &nvsb_cmd); printk(BIOS_INFO, "%s: response is %#x\n", __func__, response ? response->hdr.tpm_code : -1); @@ -370,9 +348,9 @@ tpm_result_t tlcl_set_bits(uint32_t index, uint64_t bits) return TPM_SUCCESS; } -tpm_result_t tlcl_define_space(uint32_t space_index, size_t space_size, - const TPMA_NV nv_attributes, - const uint8_t *nv_policy, size_t nv_policy_size) +tpm_result_t tlcl2_define_space(uint32_t space_index, size_t space_size, + const TPMA_NV nv_attributes, + const uint8_t *nv_policy, size_t nv_policy_size) { struct tpm2_nv_define_space_cmd nvds_cmd; struct tpm2_response *response; @@ -395,7 +373,7 @@ tpm_result_t tlcl_define_space(uint32_t space_index, size_t space_size, nvds_cmd.publicInfo.authPolicy.t.size = nv_policy_size; } - response = tpm_process_command(TPM2_NV_DefineSpace, &nvds_cmd); + response = tlcl2_process_command(TPM2_NV_DefineSpace, &nvds_cmd); printk(BIOS_INFO, "%s: response is %#x\n", __func__, response ? response->hdr.tpm_code : -1); @@ -413,7 +391,7 @@ tpm_result_t tlcl_define_space(uint32_t space_index, size_t space_size, } } -uint16_t tlcl_get_hash_size_from_algo(TPMI_ALG_HASH hash_algo) +uint16_t tlcl2_get_hash_size_from_algo(TPMI_ALG_HASH hash_algo) { uint16_t value; @@ -445,7 +423,7 @@ uint16_t tlcl_get_hash_size_from_algo(TPMI_ALG_HASH hash_algo) return value; } -tpm_result_t tlcl_disable_platform_hierarchy(void) +tpm_result_t tlcl2_disable_platform_hierarchy(void) { struct tpm2_response *response; struct tpm2_hierarchy_control_cmd hc = { @@ -453,7 +431,7 @@ tpm_result_t tlcl_disable_platform_hierarchy(void) .state = 0, }; - response = tpm_process_command(TPM2_Hierarchy_Control, &hc); + response = tlcl2_process_command(TPM2_Hierarchy_Control, &hc); if (!response || response->hdr.tpm_code) return TPM_CB_INTERNAL_INCONSISTENCY; @@ -461,9 +439,9 @@ tpm_result_t tlcl_disable_platform_hierarchy(void) return TPM_SUCCESS; } -tpm_result_t tlcl_get_capability(TPM_CAP capability, uint32_t property, - uint32_t property_count, - TPMS_CAPABILITY_DATA *capability_data) +tpm_result_t tlcl2_get_capability(TPM_CAP capability, uint32_t property, + uint32_t property_count, + TPMS_CAPABILITY_DATA *capability_data) { struct tpm2_get_capability cmd; struct tpm2_response *response; @@ -478,7 +456,7 @@ tpm_result_t tlcl_get_capability(TPM_CAP capability, uint32_t property, return TPM_IOERROR; } - response = tpm_process_command(TPM2_GetCapability, &cmd); + response = tlcl2_process_command(TPM2_GetCapability, &cmd); if (!response) { printk(BIOS_ERR, "%s: Command Failed\n", __func__); diff --git a/src/security/tpm/tss/tcg-2.0/tss_marshaling.c b/src/security/tpm/tss/tcg-2.0/tss_marshaling.c index 5ade6395bb..3039a8b8ba 100644 --- a/src/security/tpm/tss/tcg-2.0/tss_marshaling.c +++ b/src/security/tpm/tss/tcg-2.0/tss_marshaling.c @@ -79,23 +79,23 @@ static int marshal_TPMT_HA(struct obuf *ob, const TPMT_HA *tpmtha) switch (tpmtha->hashAlg) { case TPM_ALG_SHA1: rc |= obuf_write(ob, tpmtha->digest.sha1, - tlcl_get_hash_size_from_algo(tpmtha->hashAlg)); + tlcl2_get_hash_size_from_algo(tpmtha->hashAlg)); break; case TPM_ALG_SHA256: rc |= obuf_write(ob, tpmtha->digest.sha256, - tlcl_get_hash_size_from_algo(tpmtha->hashAlg)); + tlcl2_get_hash_size_from_algo(tpmtha->hashAlg)); break; case TPM_ALG_SM3_256: rc |= obuf_write(ob, tpmtha->digest.sm3_256, - tlcl_get_hash_size_from_algo(tpmtha->hashAlg)); + tlcl2_get_hash_size_from_algo(tpmtha->hashAlg)); break; case TPM_ALG_SHA384: rc |= obuf_write(ob, tpmtha->digest.sha384, - tlcl_get_hash_size_from_algo(tpmtha->hashAlg)); + tlcl2_get_hash_size_from_algo(tpmtha->hashAlg)); break; case TPM_ALG_SHA512: rc |= obuf_write(ob, tpmtha->digest.sha512, - tlcl_get_hash_size_from_algo(tpmtha->hashAlg)); + tlcl2_get_hash_size_from_algo(tpmtha->hashAlg)); break; default: rc = -1; -- cgit v1.2.3