Blame - src/security/vboot/tpm_common.c - coreboot

blob: dedf8dfebcc3fb7eb8069b755a97a3daad666161 [file] [log] [blame]

Angel Pons	986d50e	2020-04-02 23:48:53 +0200	[diff] [blame]	1	/* SPDX-License-Identifier: GPL-2.0-only */
Christian Walter	0bd84ed	2019-07-23 10:26:30 +0200	[diff] [blame]	2
Christian Walter	0bd84ed	2019-07-23 10:26:30 +0200	[diff] [blame]	3	#include <security/tpm/tspi.h>
Sergii Dmytruk	47e9e8c	2022-11-02 00:50:03 +0200	[diff] [blame^]	4	#include <security/tpm/tss.h>
Christian Walter	0bd84ed	2019-07-23 10:26:30 +0200	[diff] [blame]	5	#include <security/vboot/tpm_common.h>
Jon Murphy	d7b8dc9	2023-09-05 11:36:43 -0600	[diff] [blame]	6	#include <security/tpm/tss_errors.h>
Julius Werner	d96ca24	2022-08-08 18:08:35 -0700	[diff] [blame]	7	#include <vb2_api.h>
				8	#include <vb2_sha.h>
Christian Walter	0bd84ed	2019-07-23 10:26:30 +0200	[diff] [blame]	9
				10	#define TPM_PCR_BOOT_MODE "VBOOT: boot mode"
				11	#define TPM_PCR_GBB_HWID_NAME "VBOOT: GBB HWID"
Yi Chou	0f910e7	2023-08-11 14:40:37 +0800	[diff] [blame]	12	#define TPM_PCR_FIRMWARE_VERSION "VBOOT: firmware ver"
Christian Walter	0bd84ed	2019-07-23 10:26:30 +0200	[diff] [blame]	13
Jon Murphy	d7b8dc9	2023-09-05 11:36:43 -0600	[diff] [blame]	14	tpm_result_t vboot_setup_tpm(struct vb2_context *ctx)
Christian Walter	0bd84ed	2019-07-23 10:26:30 +0200	[diff] [blame]	15	{
Jon Murphy	d7b8dc9	2023-09-05 11:36:43 -0600	[diff] [blame]	16	tpm_result_t rc;
Christian Walter	0bd84ed	2019-07-23 10:26:30 +0200	[diff] [blame]	17
Jon Murphy	2460481	2023-09-05 10:37:05 -0600	[diff] [blame]	18	rc = tpm_setup(ctx->flags & VB2_CONTEXT_S3_RESUME);
Jon Murphy	056952e	2023-09-05 10:44:09 -0600	[diff] [blame]	19	if (rc == TPM_CB_MUST_REBOOT)
Christian Walter	0bd84ed	2019-07-23 10:26:30 +0200	[diff] [blame]	20	ctx->flags \|= VB2_CONTEXT_SECDATA_WANTS_REBOOT;
				21
Jon Murphy	2460481	2023-09-05 10:37:05 -0600	[diff] [blame]	22	return rc;
Christian Walter	0bd84ed	2019-07-23 10:26:30 +0200	[diff] [blame]	23	}
				24
Jon Murphy	d7b8dc9	2023-09-05 11:36:43 -0600	[diff] [blame]	25	tpm_result_t vboot_extend_pcr(struct vb2_context *ctx, int pcr,
Joel Kitching	220ac04	2019-07-31 14:19:00 +0800	[diff] [blame]	26	enum vb2_pcr_digest which_digest)
Christian Walter	0bd84ed	2019-07-23 10:26:30 +0200	[diff] [blame]	27	{
				28	uint8_t buffer[VB2_PCR_DIGEST_RECOMMENDED_SIZE];
				29	uint32_t size = sizeof(buffer);
Christian Walter	0bd84ed	2019-07-23 10:26:30 +0200	[diff] [blame]	30
Jon Murphy	d7b8dc9	2023-09-05 11:36:43 -0600	[diff] [blame]	31	if (vb2api_get_pcr_digest(ctx, which_digest, buffer, &size) != VB2_SUCCESS)
				32	return TPM_CB_FAIL;
Christian Walter	0bd84ed	2019-07-23 10:26:30 +0200	[diff] [blame]	33
Julius Werner	74a0fad	2021-03-22 17:25:20 -0700	[diff] [blame]	34	/*
				35	* On TPM 1.2, all PCRs are intended for use with SHA1. We truncate our
				36	* SHA256 HWID hash to 20 bytes to make it fit. On TPM 2.0, we always
				37	* want to use the SHA256 banks, even for the boot mode which is
				38	* technically a SHA1 value for historical reasons. vboot has already
				39	* zero-extended the buffer to 32 bytes for us, so we just take it like
				40	* that and pretend it's a SHA256. In practice, this means we never care
				41	* about the (*size) value returned from vboot (which indicates how many
				42	* significant bytes vboot wrote, although it always extends zeroes up
				43	* to the end of the buffer), we always use a hardcoded size instead.
				44	*/
				45	_Static_assert(sizeof(buffer) >= VB2_SHA256_DIGEST_SIZE,
				46	"Buffer needs to be able to fit at least a SHA256");
Sergii Dmytruk	47e9e8c	2022-11-02 00:50:03 +0200	[diff] [blame^]	47	enum vb2_hash_algorithm algo = tlcl_get_family() == TPM_1 ?
				48	VB2_HASH_SHA1 : VB2_HASH_SHA256;
Julius Werner	74a0fad	2021-03-22 17:25:20 -0700	[diff] [blame]	49
Christian Walter	0bd84ed	2019-07-23 10:26:30 +0200	[diff] [blame]	50	switch (which_digest) {
				51	/* SHA1 of (devmode\|recmode\|keyblock) bits */
				52	case BOOT_MODE_PCR:
Julius Werner	74a0fad	2021-03-22 17:25:20 -0700	[diff] [blame]	53	return tpm_extend_pcr(pcr, algo, buffer, vb2_digest_size(algo),
Christian Walter	0bd84ed	2019-07-23 10:26:30 +0200	[diff] [blame]	54	TPM_PCR_BOOT_MODE);
				55	/* SHA256 of HWID */
				56	case HWID_DIGEST_PCR:
Julius Werner	74a0fad	2021-03-22 17:25:20 -0700	[diff] [blame]	57	return tpm_extend_pcr(pcr, algo, buffer, vb2_digest_size(algo),
				58	TPM_PCR_GBB_HWID_NAME);
Yi Chou	0f910e7	2023-08-11 14:40:37 +0800	[diff] [blame]	59	/* firmware version */
				60	case FIRMWARE_VERSION_PCR:
				61	return tpm_extend_pcr(pcr, algo, buffer, vb2_digest_size(algo),
				62	TPM_PCR_FIRMWARE_VERSION);
Christian Walter	0bd84ed	2019-07-23 10:26:30 +0200	[diff] [blame]	63	default:
Jon Murphy	d7b8dc9	2023-09-05 11:36:43 -0600	[diff] [blame]	64	return TPM_CB_FAIL;
Christian Walter	0bd84ed	2019-07-23 10:26:30 +0200	[diff] [blame]	65	}
				66	}