blob: d54f8f46183868746b5dc9da3c97db15f1d7424c [file] [log] [blame]
Philipp Deppenwiese80961af2018-02-27 22:14:34 +01001/*
2 * This file is part of the coreboot project.
3 *
4 * Copyright (C) 2018 Facebook Inc
5 * Copyright (C) 2015-2016 Intel Corp.
6 * (Written by Andrey Petrov <andrey.petrov@intel.com> for Intel Corp.)
7 * (Written by Alexandru Gagniuc <alexandrux.gagniuc@intel.com> for Intel Corp.)
8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; version 2 of the License.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 */
18
19#include <security/vboot/antirollback.h>
20#include <program_loading.h>
21#include <security/vboot/vboot_common.h>
22#include <vb2_api.h>
23#include <security/tpm/tss.h>
24#include <fsp/memory_init.h>
25#include <console/console.h>
26#include <string.h>
27
28void mrc_cache_update_hash(const uint8_t *data, size_t size)
29{
30 uint8_t data_hash[VB2_SHA256_DIGEST_SIZE];
31 static const uint8_t dead_hash[VB2_SHA256_DIGEST_SIZE] = {
32 0xba, 0xad, 0xda, 0x1a, /* BAADDA1A */
33 0xde, 0xad, 0xde, 0xad, /* DEADDEAD */
34 0xde, 0xad, 0xda, 0x1a, /* DEADDA1A */
35 0xba, 0xad, 0xba, 0xad, /* BAADBAAD */
36 0xba, 0xad, 0xda, 0x1a, /* BAADDA1A */
37 0xde, 0xad, 0xde, 0xad, /* DEADDEAD */
38 0xde, 0xad, 0xda, 0x1a, /* DEADDA1A */
39 0xba, 0xad, 0xba, 0xad, /* BAADBAAD */
40 };
41 const uint8_t *hash_ptr = data_hash;
42
43 /* We do not store normal mode data hash in TPM. */
44 if (!vboot_recovery_mode_enabled())
45 return;
46
47 /* Initialize TPM driver. */
48 if (tlcl_lib_init() != VB2_SUCCESS) {
49 printk(BIOS_ERR, "MRC: TPM driver initialization failed.\n");
50 return;
51 }
52
53 /* Calculate hash of data generated by MRC. */
54 if (vb2_digest_buffer(data, size, VB2_HASH_SHA256, data_hash,
55 sizeof(data_hash))) {
56 printk(BIOS_ERR, "MRC: SHA-256 calculation failed for data. "
57 "Not updating TPM hash space.\n");
58 /*
59 * Since data is being updated in recovery cache, the hash
60 * currently stored in TPM recovery hash space is no longer
61 * valid. If we are not able to calculate hash of the data being
62 * updated, reset all the bits in TPM recovery hash space to
63 * pre-defined hash pattern.
64 */
65 hash_ptr = dead_hash;
66 }
67
68 /* Write hash of data to TPM space. */
69 if (antirollback_write_space_rec_hash(hash_ptr, VB2_SHA256_DIGEST_SIZE)
70 != TPM_SUCCESS) {
71 printk(BIOS_ERR, "MRC: Could not save hash to TPM.\n");
72 return;
73 }
74
75 printk(BIOS_INFO, "MRC: TPM MRC hash updated successfully.\n");
76}
77
78int mrc_cache_verify_hash(const uint8_t *data, size_t size)
79{
80 uint8_t data_hash[VB2_SHA256_DIGEST_SIZE];
81 uint8_t tpm_hash[VB2_SHA256_DIGEST_SIZE];
82
83 /* We do not store normal mode data hash in TPM. */
84 if (!vboot_recovery_mode_enabled())
85 return 1;
86
87 /* Calculate hash of data read from RECOVERY_MRC_CACHE. */
88 if (vb2_digest_buffer(data, size, VB2_HASH_SHA256, data_hash,
89 sizeof(data_hash))) {
90 printk(BIOS_ERR, "MRC: SHA-256 calculation failed for data.\n");
91 return 0;
92 }
93
94 /* Initialize TPM driver. */
95 if (tlcl_lib_init() != VB2_SUCCESS) {
96 printk(BIOS_ERR, "MRC: TPM driver initialization failed.\n");
97 return 0;
98 }
99
100 /* Read hash of MRC data saved in TPM. */
101 if (antirollback_read_space_rec_hash(tpm_hash, sizeof(tpm_hash))
102 != TPM_SUCCESS) {
103 printk(BIOS_ERR, "MRC: Could not read hash from TPM.\n");
104 return 0;
105 }
106
107 if (memcmp(tpm_hash, data_hash, sizeof(tpm_hash))) {
108 printk(BIOS_ERR, "MRC: Hash comparison failed.\n");
109 return 0;
110 }
111
112 printk(BIOS_INFO, "MRC: Hash comparison successful. "
113 "Using data from RECOVERY_MRC_CACHE\n");
114 return 1;
115}