/* SPDX-License-Identifier: GPL-2.0-only */
#include <console/console.h>
#include <security/tpm/tspi/crtm.h>
#include <security/tpm/tspi.h>
#include <security/tpm/tss.h>
#include <assert.h>
#include <security/vboot/misc.h>
#include <vb2_api.h>
#include <vb2_sha.h>
#if CONFIG(TPM1)
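/*
 * Bring a TPM 1.2 device into the enabled/activated state the build expects.
 *
 * Reads the TPM flags, enables the TPM if it reports itself disabled, and
 * toggles the deactivated flag when it disagrees with CONFIG(TPM_DEACTIVATE).
 *
 * Returns TPM_SUCCESS when no toggle of the deactivated flag was needed,
 * TPM_E_MUST_REBOOT when the deactivated flag was toggled, or the error code
 * of the first tlcl_* command that failed.
 */
static uint32_t tpm1_invoke_state_machine(void)
{
	uint8_t disabled;
	uint8_t deactivated;
	uint32_t result;

	/* Check that the TPM is enabled and activated. */
	result = tlcl_get_flags(&disabled, &deactivated, NULL);
	if (result != TPM_SUCCESS) {
		printk(BIOS_ERR, "TPM: Can't read capabilities.\n");
		return result;
	}

	if (disabled) {
		printk(BIOS_INFO, "TPM: is disabled. Enabling...\n");
		result = tlcl_set_enable();
		if (result != TPM_SUCCESS) {
			printk(BIOS_ERR, "TPM: Can't set enabled state.\n");
			return result;
		}
	}

	/* Normalise the flag to 0/1 before comparing with the Kconfig boolean. */
	if (!!deactivated != CONFIG(TPM_DEACTIVATE)) {
		printk(BIOS_INFO,
		       "TPM: Unexpected TPM deactivated state. Toggling...\n");
		result = tlcl_set_deactivated(!deactivated);
		if (result != TPM_SUCCESS) {
			printk(BIOS_ERR,
			       "TPM: Can't toggle deactivated state.\n");
			return result;
		}
		/*
		 * The flag was toggled; report that a reboot is required. The
		 * local copy of `deactivated` is not read again, so it is not
		 * updated here.
		 */
		return TPM_E_MUST_REBOOT;
	}

	return result;
}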
#endif
/*
 * Resume the TPM on the S3 wake path.
 *
 * TPM_E_INVALID_POSTINIT from tlcl_resume() is downgraded to TPM_SUCCESS,
 * because it means the TPM kept power across S3 and is already initialized.
 * Every other failure is logged and returned to the caller unchanged.
 */
static uint32_t tpm_setup_s3_helper(void)
{
	uint32_t rc = tlcl_resume();

	if (rc == TPM_SUCCESS)
		return rc;

	if (rc == TPM_E_INVALID_POSTINIT) {
		/*
		 * We're on a platform where the TPM maintains power
		 * in S3, so it's already initialized.
		 */
		printk(BIOS_INFO, "TPM: Already initialized.\n");
		return TPM_SUCCESS;
	}

	printk(BIOS_ERR, "TPM: Resume failed (%#x).\n", rc);
	return rc;
}
/*
 * Common exit path of tpm_setup(): emit the failure post code or the success
 * log line, then hand the result back unchanged.
 */
static uint32_t tpm_setup_epilogue(uint32_t result)
{
	if (result == TPM_SUCCESS) {
		printk(BIOS_INFO, "TPM: setup succeeded\n");
		return result;
	}

	post_code(POST_TPM_FAILURE);
	return result;
}
/* Set to 1 by tpm_setup() once startup has completed; read by tspi_tpm_is_setup(). */
static int tpm_is_setup;
/*
 * Report whether PCR extends may be sent to the TPM in the current stage.
 *
 * vboot_logic_executed() only starts returning true at the end of verstage,
 * but the vboot logic itself already wants to extend PCRs before that. So in
 * the stage where verification actually runs, tpm_is_setup is consulted
 * instead. Every other stage answers from compile-time constants only, so
 * the whole function folds away there.
 */
static inline int tspi_tpm_is_setup(void)
{
	if (CONFIG(VBOOT))
		return verification_should_run() ? tpm_is_setup
						 : vboot_logic_executed();

	if (CONFIG(TPM_MEASURED_BOOT_INIT_BOOTBLOCK))
		return ENV_BOOTBLOCK ? tpm_is_setup : 1;

	return ENV_RAMSTAGE ? tpm_is_setup : 0;
}
/*
* tpm_setup starts the TPM and establishes the root of trust for the
* anti-rollback mechanism. tpm_setup can fail for three reasons: (1) a bug,
* (2) a TPM hardware failure, or (3) an unexpected TPM state due to some attack. In
* general we cannot easily distinguish the kind of failure, so our strategy is
* to reboot in recovery mode in all cases. The recovery mode calls tpm_setup
* again, which executes (almost) the same sequence of operations. There is a
* good chance that, if recovery mode was entered because of a TPM failure, the
* failure will repeat itself. (In general this is impossible to guarantee
* because we have no way of creating the exact TPM initial state at the
* previous boot.) In recovery mode, we ignore the failure and continue, thus
* giving the recovery kernel a chance to fix things (that's why we don't set
* bGlobalLock). The choice is between a knowingly insecure device and a
* bricked device.
*
* As a side note, observe that we go through considerable hoops to avoid using
* the STCLEAR permissions for the index spaces. We do this to avoid writing
* to the TPM flashram at every reboot or wake-up, because of concerns about
* the durability of the NVRAM.
*/
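uint32_t tpm_setup(int s3flag)
{
	uint32_t result;

	result = tlcl_lib_init();
	if (result != TPM_SUCCESS) {
		printk(BIOS_ERR, "TPM: Can't initialize.\n");
		return tpm_setup_epilogue(result);
	}

	/* Handle special init for S3 resume path */
	if (s3flag) {
		printk(BIOS_INFO, "TPM: Handle S3 resume.\n");
		return tpm_setup_epilogue(tpm_setup_s3_helper());
	}

	result = tlcl_startup();
	if (CONFIG(TPM_STARTUP_IGNORE_POSTINIT)
	    && result == TPM_E_INVALID_POSTINIT) {
		printk(BIOS_DEBUG, "TPM: ignoring invalid POSTINIT\n");
		result = TPM_SUCCESS;
	}
	if (result != TPM_SUCCESS) {
		printk(BIOS_ERR, "TPM: Can't run startup command.\n");
		return tpm_setup_epilogue(result);
	}

	result = tlcl_assert_physical_presence();
	if (result != TPM_SUCCESS) {
		/*
		 * It is possible that the TPM was delivered with the physical
		 * presence command disabled. This tries enabling it, then
		 * tries asserting PP again.
		 */
		result = tlcl_physical_presence_cmd_enable();
		if (result != TPM_SUCCESS) {
			printk(BIOS_ERR, "TPM: Can't enable physical presence command.\n");
			return tpm_setup_epilogue(result);
		}
		result = tlcl_assert_physical_presence();
		if (result != TPM_SUCCESS) {
			printk(BIOS_ERR, "TPM: Can't assert physical presence.\n");
			return tpm_setup_epilogue(result);
		}
	}

#if CONFIG(TPM1)
	/*
	 * Bail out on a failed or TPM_E_MUST_REBOOT state-machine result
	 * before the measured-boot step below, which would otherwise
	 * overwrite `result` and silently discard it.
	 */
	result = tpm1_invoke_state_machine();
	if (result != TPM_SUCCESS)
		return tpm_setup_epilogue(result);
#endif

	if (CONFIG(TPM_MEASURED_BOOT))
		result = tspi_measure_cache_to_pcr();

	/* Only mark the TPM usable once every startup step has been run. */
	tpm_is_setup = 1;
	return tpm_setup_epilogue(result);
}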
/*
 * Force-clear the TPM and, on TPM 1.2, explicitly set the enabled and
 * deactivated flags again afterwards.
 *
 * Returns TPM_SUCCESS, or the error code of the first tlcl_* command that
 * failed (logged at BIOS_ERR).
 */
uint32_t tpm_clear_and_reenable(void)
{
	printk(BIOS_INFO, "TPM: Clear and re-enable\n");

	uint32_t rc = tlcl_force_clear();
	if (rc != TPM_SUCCESS) {
		printk(BIOS_ERR, "TPM: Can't initiate a force clear.\n");
		return rc;
	}

#if CONFIG(TPM1)
	rc = tlcl_set_enable();
	if (rc != TPM_SUCCESS) {
		printk(BIOS_ERR, "TPM: Can't set enabled state.\n");
		return rc;
	}

	rc = tlcl_set_deactivated(0);
	if (rc != TPM_SUCCESS) {
		printk(BIOS_ERR, "TPM: Can't set deactivated state.\n");
		return rc;
	}
#endif

	return TPM_SUCCESS;
}
/*
 * Extend `digest` into `pcr` and, with measured boot enabled, record the
 * measurement in the event log.
 *
 * If the TPM is not yet usable in this stage (see tspi_tpm_is_setup()) the
 * extend is skipped and the digest is only logged; the caller receives
 * TPM_SUCCESS in both cases. A NULL digest yields TPM_E_IOERROR, and a
 * failing tlcl_lib_init()/tlcl_extend() returns that call's error code.
 */
uint32_t tpm_extend_pcr(int pcr, enum vb2_hash_algorithm digest_algo,
			const uint8_t *digest, size_t digest_len, const char *name)
{
	if (!digest)
		return TPM_E_IOERROR;

	const int tpm_ready = tspi_tpm_is_setup();

	if (tpm_ready) {
		uint32_t rc = tlcl_lib_init();
		if (rc != TPM_SUCCESS) {
			printk(BIOS_ERR, "TPM: Can't initialize library.\n");
			return rc;
		}

		printk(BIOS_DEBUG, "TPM: Extending digest for `%s` into PCR %d\n", name, pcr);
		rc = tlcl_extend(pcr, digest, digest_algo);
		if (rc != TPM_SUCCESS) {
			printk(BIOS_ERR, "TPM: Extending hash for `%s` into PCR %d failed.\n",
			       name, pcr);
			return rc;
		}
	}

	/* The log entry is written even when the extend itself was skipped. */
	if (CONFIG(TPM_MEASURED_BOOT))
		tpm_log_add_table_entry(name, pcr, digest_algo, digest, digest_len);

	printk(BIOS_DEBUG, "TPM: Digest of `%s` to PCR %d %s\n",
	       name, pcr, tpm_ready ? "measured" : "logged");
	return TPM_SUCCESS;
}
#if CONFIG(VBOOT_LIB)
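/*
 * Hash the whole of `rdev` with TPM_MEASURE_ALGO and extend the result into
 * `pcr`, logging it under `rname`.
 *
 * Returns TPM_E_INVALID_ARG for a NULL rdev or rname, TPM_E_HASH_ERROR when
 * the vb2 digest API fails, TPM_E_READ_FAILURE when the region cannot be
 * read, otherwise whatever tpm_extend_pcr() returns.
 */
uint32_t tpm_measure_region(const struct region_device *rdev, uint8_t pcr,
			    const char *rname)
{
	uint8_t digest[TPM_PCR_MAX_LEN];
	uint8_t buf[HASH_DATA_CHUNK_SIZE];
	struct vb2_digest_context ctx;

	if (!rdev || !rname)
		return TPM_E_INVALID_ARG;

	/*
	 * Use size_t for the walk so the offset type matches what
	 * region_device_sz() returns and rdev_readat() consumes.
	 */
	const size_t region_size = region_device_sz(rdev);
	const uint8_t digest_len = vb2_digest_size(TPM_MEASURE_ALGO);
	assert(digest_len <= sizeof(digest));

	if (vb2_digest_init(&ctx, vboot_hwcrypto_allowed(), TPM_MEASURE_ALGO,
			    region_size)) {
		printk(BIOS_ERR, "TPM: Error initializing hash.\n");
		return TPM_E_HASH_ERROR;
	}

	/*
	 * Though one can mmap the full needed region on x86 this is not the
	 * case for e.g. ARM. In order to make this code as universal as
	 * possible across different platforms read the data to hash in chunks.
	 */
	for (size_t offset = 0; offset < region_size; ) {
		const size_t len = MIN(sizeof(buf), region_size - offset);

		if (rdev_readat(rdev, buf, offset, len) < 0) {
			printk(BIOS_ERR, "TPM: Not able to read region %s.\n",
			       rname);
			return TPM_E_READ_FAILURE;
		}
		if (vb2_digest_extend(&ctx, buf, len)) {
			printk(BIOS_ERR, "TPM: Error extending hash.\n");
			return TPM_E_HASH_ERROR;
		}
		offset += len;
	}

	if (vb2_digest_finalize(&ctx, digest, digest_len)) {
		printk(BIOS_ERR, "TPM: Error finalizing hash.\n");
		return TPM_E_HASH_ERROR;
	}

	return tpm_extend_pcr(pcr, TPM_MEASURE_ALGO, digest, digest_len, rname);
}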
#endif /* VBOOT_LIB */