/* SPDX-License-Identifier: GPL-2.0-only */

#include <security/tpm/tspi.h>
#include <security/tpm/tss.h>
#include <security/vboot/tpm_common.h>
#include <security/tpm/tss_errors.h>
#include <vb2_api.h>
#include <vb2_sha.h>

/*
 * Human-readable descriptions passed as the last argument of
 * tpm_extend_pcr() for each vboot digest extended below.
 */
#define TPM_PCR_BOOT_MODE "VBOOT: boot mode"
#define TPM_PCR_GBB_HWID_NAME "VBOOT: GBB HWID"
#define TPM_PCR_FIRMWARE_VERSION "VBOOT: firmware ver"

/*
 * Bring up the TPM for this boot and mirror a TPM reboot demand into the
 * vboot context.
 *
 * @param ctx  vboot context. VB2_CONTEXT_S3_RESUME in ctx->flags selects
 *             the resume path of tpm_setup(); VB2_CONTEXT_SECDATA_WANTS_REBOOT
 *             is set when tpm_setup() answers TPM_CB_MUST_REBOOT.
 * @return the tpm_setup() result, passed through unchanged so the caller
 *         also sees TPM_CB_MUST_REBOOT or any other failure.
 */
tpm_result_t vboot_setup_tpm(struct vb2_context *ctx)
{
	const tpm_result_t setup_rc = tpm_setup(ctx->flags & VB2_CONTEXT_S3_RESUME);

	/* The TPM layer cannot reboot by itself; vboot acts on this flag. */
	if (setup_rc == TPM_CB_MUST_REBOOT)
		ctx->flags |= VB2_CONTEXT_SECDATA_WANTS_REBOOT;

	return setup_rc;
}
| 24 | |
/*
 * Extend one of vboot's digests into a TPM PCR.
 *
 * @param ctx           vboot context the digest is read from
 * @param pcr           PCR index to extend
 * @param which_digest  which vboot digest to extend; only BOOT_MODE_PCR,
 *                      HWID_DIGEST_PCR and FIRMWARE_VERSION_PCR are known
 * @return TPM_CB_FAIL if vboot cannot produce the digest or which_digest
 *         is unknown, otherwise the tpm_extend_pcr() result.
 *
 * The digest length handed to the TPM is fixed by the hash algorithm chosen
 * here, never by the length vboot reports back: on TPM 1.2 every PCR is
 * SHA1-sized, so the SHA256 HWID hash is truncated to 20 bytes; on TPM 2.0
 * the SHA256 bank is always used, including for the boot-mode value that is
 * historically a SHA1 and has been zero-extended to 32 bytes by vboot.
 */
tpm_result_t vboot_extend_pcr(struct vb2_context *ctx, int pcr,
			      enum vb2_pcr_digest which_digest)
{
	uint8_t digest_buf[VB2_PCR_DIGEST_RECOMMENDED_SIZE];
	uint32_t digest_len = sizeof(digest_buf);
	enum vb2_hash_algorithm algo;
	const char *event_name;

	/* digest_len is updated by vboot but intentionally not used below. */
	if (vb2api_get_pcr_digest(ctx, which_digest, digest_buf, &digest_len)
	    != VB2_SUCCESS)
		return TPM_CB_FAIL;

	/* Guarantees the SHA256 path never reads past the buffer. */
	_Static_assert(sizeof(digest_buf) >= VB2_SHA256_DIGEST_SIZE,
		       "Buffer needs to be able to fit at least a SHA256");

	if (tlcl_get_family() == TPM_1)
		algo = VB2_HASH_SHA1;
	else
		algo = VB2_HASH_SHA256;

	switch (which_digest) {
	case BOOT_MODE_PCR:
		/* SHA1 of (devmode|recmode|keyblock) bits */
		event_name = TPM_PCR_BOOT_MODE;
		break;
	case HWID_DIGEST_PCR:
		/* SHA256 of HWID */
		event_name = TPM_PCR_GBB_HWID_NAME;
		break;
	case FIRMWARE_VERSION_PCR:
		/* firmware version */
		event_name = TPM_PCR_FIRMWARE_VERSION;
		break;
	default:
		return TPM_CB_FAIL;
	}

	return tpm_extend_pcr(pcr, algo, digest_buf, vb2_digest_size(algo),
			      event_name);
}