Gitiles
Code Review Sign In
review.coreboot.org / coreboot / f5ef699f40ca36815069e9c1df72af6385e600f0^! / . / src / lib / tpm2_tlcl.c
commitf5ef699f40ca36815069e9c1df72af6385e600f0[log] [tgz]
authorVadim Bendebury <vbendeb@chromium.org>Sun Jul 03 22:20:17 2016 -0700
committerMartin Roth <martinroth@google.com>Thu Jul 14 00:00:30 2016 +0200
tree7cbc40acafedef812c0d04d611ccaeb625fc454c
parent4c0851cc37f42ed88d62b876357b71cfdaac480f [diff] [blame]
tpm2: implement and use pcr_extend command

TPM PCRs are used in Chrome OS for two purposes: to communicate
crucial information from RO firmware and to protect FW and kernel
rollback counters from being deleted.

As implemented in a TPM1 compatible way, the PCR extension command
requires a prebuilt digest to calculate a new PCR value.

TPM2 specification introduces a PCR_Event command, where the TPM
itself calculates the digest of an arbitrary length string, and then
uses the calculated digest for PCR extension. PCR_Event could be a
better option for Chrome OS, this needs to be investigated separately.

BRANCH=none
BUG=chrome-os-partner:50645
TEST=verified that the two PCRs are successfully extended before the
     RW firmware is called.

Change-Id: I38fc88172de8ec8bef56fec026f83058480c8010
Signed-off-by: Martin Roth <martinroth@chromium.org>
Original-Commit-Id: 73388139db3ffaf61a3d9027522c5ebecb3ad051
Original-Change-Id: I1a9bab7396fdb652e2e3bc8529b828ea3423d851
Original-Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Original-Reviewed-on: https://chromium-review.googlesource.com/358098
Original-Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Original-Reviewed-by: Darren Krahn <dkrahn@chromium.org>
Reviewed-on: https://review.coreboot.org/15639
Tested-by: build bot (Jenkins)
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@googlemail.com>

diff --git a/src/lib/tpm2_tlcl.c b/src/lib/tpm2_tlcl.c
index 3003400..d9f9d37 100644
--- a/src/lib/tpm2_tlcl.c
+++ b/src/lib/tpm2_tlcl.c

@@ -65,10 +65,29 @@
 	return TPM_SUCCESS;
 }
 
+/*
+ * The caller will provide the digest in a 32 byte buffer, let's consider it a
+ * sha256 digest.
+ */
 uint32_t tlcl_extend(int pcr_num, const uint8_t *in_digest,
 		     uint8_t *out_digest)
 {
-	printk(BIOS_INFO, "%s:%s:%d\n", __FILE__, __func__, __LINE__);
+	struct tpm2_pcr_extend_cmd pcr_ext_cmd;
+	struct tpm2_response *response;
+
+	pcr_ext_cmd.pcrHandle = HR_PCR + pcr_num;
+	pcr_ext_cmd.digests.count = 1;
+	pcr_ext_cmd.digests.digests[0].hashAlg = TPM_ALG_SHA256;
+	memcpy(pcr_ext_cmd.digests.digests[0].digest.sha256, in_digest,
+	       sizeof(pcr_ext_cmd.digests.digests[0].digest.sha256));
+
+	response = tpm_process_command(TPM2_PCR_Extend, &pcr_ext_cmd);
+
+	printk(BIOS_INFO, "%s: response is %x\n",
+	       __func__, response ? response->hdr.tpm_code : -1);
+	if (!response || response->hdr.tpm_code)
+		return TPM_E_IOERROR;
+
 	return TPM_SUCCESS;
 }