diff options
author | Chris Engel <cjengel@us.ibm.com> | 2015-08-25 09:37:28 -0500 |
---|---|---|
committer | Daniel M. Crowell <dcrowell@us.ibm.com> | 2016-03-15 16:46:13 -0400 |
commit | e09fae967685172091f4b90657dacd4a0c5a1e5c (patch) | |
tree | f7bfaded7697b23093300d9aa6ccdada85c6ac8b /src/usr | |
parent | f52d668fcefa6e35650aa8eab78b5405b0612992 (diff) | |
download | blackbird-hostboot-e09fae967685172091f4b90657dacd4a0c5a1e5c.tar.gz blackbird-hostboot-e09fae967685172091f4b90657dacd4a0c5a1e5c.zip |
Trustedboot TPM Event log manager
Change-Id: I4a8c2010421a63e44112666bdd424e2e5d010e7f
RTC: 125289
ForwardPort: yes
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/960
Tested-by: Jenkins Server
Tested-by: Jenkins OP Build CI
Tested-by: Jenkins OP HW
Tested-by: FSP CI Jenkins
Reviewed-by: Timothy R. Block <block@us.ibm.com>
Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/22009
Diffstat (limited to 'src/usr')
-rw-r--r-- | src/usr/secureboot/base/makefile | 4 | ||||
-rw-r--r-- | src/usr/secureboot/trusted/base/tpmLogMgr.C | 254 | ||||
-rw-r--r-- | src/usr/secureboot/trusted/base/tpmLogMgr.H | 130 | ||||
-rw-r--r-- | src/usr/secureboot/trusted/base/trustedTypes_base.C | 261 | ||||
-rw-r--r-- | src/usr/secureboot/trusted/base/trustedboot_base.C | 208 | ||||
-rw-r--r-- | src/usr/secureboot/trusted/base/trustedboot_base.H | 67 | ||||
-rw-r--r-- | src/usr/secureboot/trusted/makefile | 1 | ||||
-rw-r--r-- | src/usr/secureboot/trusted/test/makefile | 5 | ||||
-rwxr-xr-x | src/usr/secureboot/trusted/test/tpmLogMgrTest.H | 200 | ||||
-rw-r--r-- | src/usr/secureboot/trusted/trustedTypes.C | 30 | ||||
-rw-r--r-- | src/usr/secureboot/trusted/trustedTypes.H | 46 | ||||
-rw-r--r-- | src/usr/secureboot/trusted/trustedboot.C | 43 | ||||
-rw-r--r-- | src/usr/secureboot/trusted/trustedboot.H | 5 | ||||
-rw-r--r-- | src/usr/secureboot/trusted/trustedbootCmds.C | 15 | ||||
-rw-r--r-- | src/usr/secureboot/trusted/trustedbootUtils.H | 6 |
15 files changed, 1192 insertions, 83 deletions
diff --git a/src/usr/secureboot/base/makefile b/src/usr/secureboot/base/makefile index 9dd92e7b1..f33416568 100644 --- a/src/usr/secureboot/base/makefile +++ b/src/usr/secureboot/base/makefile @@ -5,7 +5,7 @@ # # OpenPOWER HostBoot Project # -# Contributors Listed Below - COPYRIGHT 2013,2015 +# Contributors Listed Below - COPYRIGHT 2013,2016 # [+] International Business Machines Corp. # # @@ -33,6 +33,8 @@ OBJS += purge.o OBJS += securerom.o OBJS += rom_entry.o OBJS += trustedboot_base.o +OBJS += $(if $(CONFIG_TPMDD),tpmLogMgr.o,) +OBJS += $(if $(CONFIG_TPMDD),trustedTypes_base.o,) EXTRAINCDIR += ${ROOTPATH}/src/usr/secureboot/trusted/base VPATH += ${ROOTPATH}/src/usr/secureboot/trusted/base diff --git a/src/usr/secureboot/trusted/base/tpmLogMgr.C b/src/usr/secureboot/trusted/base/tpmLogMgr.C new file mode 100644 index 000000000..400ecfe17 --- /dev/null +++ b/src/usr/secureboot/trusted/base/tpmLogMgr.C @@ -0,0 +1,254 @@ +/* IBM_PROLOG_BEGIN_TAG */ +/* This is an automatically generated prolog. */ +/* */ +/* $Source: src/usr/secureboot/trusted/base/tpmLogMgr.C $ */ +/* */ +/* OpenPOWER HostBoot Project */ +/* */ +/* Contributors Listed Below - COPYRIGHT 2015,2016 */ +/* [+] International Business Machines Corp. */ +/* */ +/* */ +/* Licensed under the Apache License, Version 2.0 (the "License"); */ +/* you may not use this file except in compliance with the License. */ +/* You may obtain a copy of the License at */ +/* */ +/* http://www.apache.org/licenses/LICENSE-2.0 */ +/* */ +/* Unless required by applicable law or agreed to in writing, software */ +/* distributed under the License is distributed on an "AS IS" BASIS, */ +/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or */ +/* implied. See the License for the specific language governing */ +/* permissions and limitations under the License. */ +/* */ +/* IBM_PROLOG_END_TAG */ +/** + * @file TpmLogMgr.C + * + * @brief TPM Event log manager + */ + +///////////////////////////////////////////////////////////////// +// NOTE: This file is exportable as TSS-Lite for skiboot/PHYP // +///////////////////////////////////////////////////////////////// + +// ---------------------------------------------- +// Includes +// ---------------------------------------------- +#include <string.h> +#include "tpmLogMgr.H" +#ifdef __HOSTBOOT_MODULE +#include <secureboot/trustedboot_reasoncodes.H> +#include "../trustedbootUtils.H" +#include "../trustedboot.H" +#else +#include "trustedboot_reasoncodes.H" +#include "trustedbootUtils.H" +#include "trustedboot.H" +#include "trustedTypes.H" +#endif + +#ifdef __cplusplus +namespace TRUSTEDBOOT +{ +#endif + + uint32_t TCG_EfiSpecIdEventStruct_size(TCG_EfiSpecIdEventStruct* val) + { + return (sizeof(TCG_EfiSpecIdEventStruct) + val->vendorInfoSize); + } + + errlHndl_t TpmLogMgr_initialize(TpmLogMgr* val) + { + errlHndl_t err = TB_SUCCESS; + const char vendorInfo[] = "IBM"; + const char eventSignature[] = "Spec ID Event03"; + TCG_EfiSpecIdEventStruct* eventData = NULL; + + TCG_PCR_EVENT eventLogEntry; + + TRACUCOMP( g_trac_trustedboot, ">>initialize()"); + + if (NULL == val) + { + TRACFCOMP( g_trac_trustedboot, + "TPM LOG INIT FAIL"); + + /*@ + * @errortype + * @reasoncode RC_TPMLOGMGR_INIT_FAIL + * @severity ERRL_SEV_UNRECOVERABLE + * @moduleid MOD_TPMLOGMGR_INITIALIZE + * @userdata1 0 + * @userdata2 0 + * @devdesc TPM log buffer init failure. + */ + err = tpmCreateErrorLog( MOD_TPMLOGMGR_INITIALIZE, + RC_TPMLOGMGR_INIT_FAIL, 0, 0); + + } + else + { + + val->logSize = 0; + mutex_init( &val->logMutex ); + mutex_lock( &val->logMutex ); + + + // Assign our new event pointer to the start + val->newEventPtr = val->eventLog; + memset(val->eventLog, 0, TPMLOG_BUFFER_SIZE); + + eventData = (TCG_EfiSpecIdEventStruct*) eventLogEntry.event; + + // Add the header event log + // Values here come from the PC ClientSpecificPlatformProfile spec + eventLogEntry.eventType = EV_NO_ACTION; + eventLogEntry.pcrIndex = 0; + eventLogEntry.eventSize = sizeof(TCG_EfiSpecIdEventStruct) + + sizeof(vendorInfo); + + memcpy(eventData->signature, eventSignature, + sizeof(eventSignature)); + eventData->platformClass = htole32(TPM_PLATFORM_SERVER); + eventData->specVersionMinor = TPM_SPEC_MINOR; + eventData->specVersionMajor = TPM_SPEC_MAJOR; + eventData->specErrata = TPM_SPEC_ERRATA; + eventData->uintnSize = 1; + eventData->numberOfAlgorithms = htole32(HASH_COUNT); + eventData->digestSizes[0].algorithmId = htole16(TPM_ALG_SHA256); + eventData->digestSizes[0].digestSize = htole16(TPM_ALG_SHA256_SIZE); + eventData->vendorInfoSize = sizeof(vendorInfo); + memcpy(eventData->vendorInfo, vendorInfo, sizeof(vendorInfo)); + + val->newEventPtr = TCG_PCR_EVENT_logMarshal(&eventLogEntry, + val->newEventPtr); + + // Done, move our pointers + val->logSize += TCG_PCR_EVENT_marshalSize(&eventLogEntry); + + + mutex_unlock( &val->logMutex ); + + // Debug display of raw data + TRACUBIN(g_trac_trustedboot, "tpmInitialize: Header Entry", + val->eventLog, val->logSize); + + TRACUCOMP( g_trac_trustedboot, + "<<initialize() LS:%d - %s", + val->logSize, + ((TB_SUCCESS == err) ? "No Error" : "With Error") ); + } + + return err; + } + + errlHndl_t TpmLogMgr_addEvent(TpmLogMgr* val, + TCG_PCR_EVENT2* logEvent) + { + errlHndl_t err = TB_SUCCESS; + size_t newLogSize = TCG_PCR_EVENT2_marshalSize(logEvent); + uint8_t* startPtr = val->newEventPtr; + + TRACUCOMP( g_trac_trustedboot, + ">>tpmAddEvent() PCR:%d Type:%d Size:%d", + logEvent->pcrIndex, logEvent->eventType, (int)newLogSize); + + mutex_lock( &val->logMutex ); + + do + { + + // Need to ensure we have room for the new event + // We have to leave room for the log full event as well + if (NULL == val->newEventPtr || + val->logSize + newLogSize > TPMLOG_BUFFER_SIZE) + { + TRACFCOMP( g_trac_trustedboot, + "TPM LOG ADD FAIL PNULL(%d) LS(%d) New LS(%d)", + (NULL == val->newEventPtr ? 0 : 1), + (int)val->logSize, (int)newLogSize); + + /*@ + * @errortype + * @reasoncode RC_TPMLOGMGR_ADDEVENT_FAIL + * @severity ERRL_SEV_UNRECOVERABLE + * @moduleid MOD_TPMLOGMGR_ADDEVENT + * @userdata1 Log buffer NULL + * @userdata2[0:31] Current Log Size + * @userdata2[32:63] New entry size + * @devdesc TPM log buffer add failure. + */ + err = tpmCreateErrorLog( MOD_TPMLOGMGR_ADDEVENT, + RC_TPMLOGMGR_ADDEVENT_FAIL, + (NULL == val->newEventPtr ? 0 : 1), + (uint64_t)val->logSize << 32 | + newLogSize); + + break; + } + + + val->newEventPtr = TCG_PCR_EVENT2_logMarshal(logEvent, + val->newEventPtr); + + if (NULL == val->newEventPtr) + { + TRACFCOMP( g_trac_trustedboot, + "TPM LOG MARSHAL Fail"); + + /*@ + * @errortype + * @reasoncode RC_TPMLOGMGR_ADDEVENTMARSH_FAIL + * @severity ERRL_SEV_UNRECOVERABLE + * @moduleid MOD_TPMLOGMGR_ADDEVENT + * @userdata1 0 + * @userdata2 0 + * @devdesc log buffer malloc failure. + */ + err = tpmCreateErrorLog( MOD_TPMLOGMGR_ADDEVENT, + RC_TPMLOGMGR_ADDEVENTMARSH_FAIL, + 0, + 0); + break; + } + + // Debug display of raw data + TRACUCOMP(g_trac_trustedboot, "tpmAddEvent: Start %p", + startPtr); + TRACUBIN(g_trac_trustedboot, "tpmAddEvent", + startPtr, newLogSize); + + + val->logSize += newLogSize; + + + } while ( 0 ); + + TRACUCOMP( g_trac_trustedboot, + "<<tpmAddEvent() LS:%d - %s", + (int)val->logSize, + ((TB_SUCCESS == err) ? "No Error" : "With Error") ); + + mutex_unlock( &val->logMutex ); + return err; + } + + uint32_t TpmLogMgr_getLogSize(TpmLogMgr* val) + { + return val->logSize; + } + + void TpmLogMgr_dumpLog(TpmLogMgr* val) + { + + // Debug display of raw data + TRACUCOMP(g_trac_trustedboot, "tpmDumpLog Size : %d\n", + (int)val->logSize); + TRACUBIN(g_trac_trustedboot, "tpmDumpLog", + val->eventLog, val->logSize); + } + +#ifdef __cplusplus +} // end TRUSTEDBOOT +#endif diff --git a/src/usr/secureboot/trusted/base/tpmLogMgr.H b/src/usr/secureboot/trusted/base/tpmLogMgr.H new file mode 100644 index 000000000..f56e27d7b --- /dev/null +++ b/src/usr/secureboot/trusted/base/tpmLogMgr.H @@ -0,0 +1,130 @@ +/* IBM_PROLOG_BEGIN_TAG */ +/* This is an automatically generated prolog. */ +/* */ +/* $Source: src/usr/secureboot/trusted/base/tpmLogMgr.H $ */ +/* */ +/* OpenPOWER HostBoot Project */ +/* */ +/* Contributors Listed Below - COPYRIGHT 2015,2016 */ +/* [+] International Business Machines Corp. */ +/* */ +/* */ +/* Licensed under the Apache License, Version 2.0 (the "License"); */ +/* you may not use this file except in compliance with the License. */ +/* You may obtain a copy of the License at */ +/* */ +/* http://www.apache.org/licenses/LICENSE-2.0 */ +/* */ +/* Unless required by applicable law or agreed to in writing, software */ +/* distributed under the License is distributed on an "AS IS" BASIS, */ +/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or */ +/* implied. See the License for the specific language governing */ +/* permissions and limitations under the License. */ +/* */ +/* IBM_PROLOG_END_TAG */ +/** + * @file tpmLogMgr.H + * + * @brief Trustedboot TPM Event Log Manager + * + */ + +///////////////////////////////////////////////////////////////// +// NOTE: This file is exportable as TSS-Lite for skiboot/PHYP // +///////////////////////////////////////////////////////////////// + +#ifndef __TPMLOGMGR_H +#define __TPMLOGMGR_H +// ----------------------------------------------- +// Includes +// ----------------------------------------------- + +#ifdef __HOSTBOOT_MODULE +#include <sys/sync.h> +#include "../trustedboot.H" +#include "../trustedTypes.H" +#else +#include "trustedboot.H" +#include "trustedTypes.H" +#endif + +#ifdef __cplusplus +namespace TRUSTEDBOOT +{ +#endif + + /// Event log header algorithms + struct _TCG_EfiSpecIdEventAlgorithmSize + { + uint16_t algorithmId; + uint16_t digestSize; + } PACKED; + typedef struct _TCG_EfiSpecIdEventAlgorithmSize + TCG_EfiSpecIdEventAlgorithmSize; + + /// Event log header event data + struct _TCG_EfiSpecIdEventStruct + { + char signature[16]; + uint32_t platformClass; + uint8_t specVersionMinor; + uint8_t specVersionMajor; + uint8_t specErrata; + uint8_t uintnSize; + uint32_t numberOfAlgorithms; + TCG_EfiSpecIdEventAlgorithmSize digestSizes[HASH_COUNT]; + uint8_t vendorInfoSize; + char vendorInfo[0]; + } PACKED; + typedef struct _TCG_EfiSpecIdEventStruct TCG_EfiSpecIdEventStruct; + uint32_t TCG_EfiSpecIdEventStruct_size(TCG_EfiSpecIdEventStruct* val); + + enum { + TPMLOG_BUFFER_SIZE = 1024, ///< Size of event log buffer in bytes + }; + + struct _TpmLogMgr + { + uint32_t logSize; ///< Current byte size of log + uint8_t eventLog[TPMLOG_BUFFER_SIZE]; ///< EventLog Buffer + uint8_t* newEventPtr; ///< Pointer to location to add new event + mutex_t logMutex; ///< Log mutex + }; + typedef struct _TpmLogMgr TpmLogMgr; + + /** + * @brief Initialize the log manager + * @param[in/out] io_logMgr Return a pointer to the log manager + * @return errlHndl_t NULL if successful, otherwise a pointer to the + * error log. + */ + errlHndl_t TpmLogMgr_initialize(TpmLogMgr * io_logMgr); + + /** + * @brief Add a new event to the log + * @param[in] val TpmLogMgr structure + * @param[in] logEvent Event log entry to add + * @return errlHndl_t NULL if successful, otherwise a pointer to the + * error log. + */ + errlHndl_t TpmLogMgr_addEvent(TpmLogMgr* val, TCG_PCR_EVENT2* logEvent); + + /** + * @brief Get current log size in bytes + * @param[in] val TpmLogMgr structure + * @return uint32_t Byte size of log + */ + uint32_t TpmLogMgr_getLogSize(TpmLogMgr* val); + + /** + * @brief Dump contents of log to a trace + * @param[in] val TpmLogMgr structure + */ + void TpmLogMgr_dumpLog(TpmLogMgr* val); + + +#ifdef __cplusplus +} // end TRUSTEDBOOT namespace +#endif + +#endif diff --git a/src/usr/secureboot/trusted/base/trustedTypes_base.C b/src/usr/secureboot/trusted/base/trustedTypes_base.C new file mode 100644 index 000000000..3c3d8d737 --- /dev/null +++ b/src/usr/secureboot/trusted/base/trustedTypes_base.C @@ -0,0 +1,261 @@ +/* IBM_PROLOG_BEGIN_TAG */ +/* This is an automatically generated prolog. */ +/* */ +/* $Source: src/usr/secureboot/trusted/base/trustedTypes_base.C $ */ +/* */ +/* OpenPOWER HostBoot Project */ +/* */ +/* Contributors Listed Below - COPYRIGHT 2015,2016 */ +/* [+] International Business Machines Corp. */ +/* */ +/* */ +/* Licensed under the Apache License, Version 2.0 (the "License"); */ +/* you may not use this file except in compliance with the License. */ +/* You may obtain a copy of the License at */ +/* */ +/* http://www.apache.org/licenses/LICENSE-2.0 */ +/* */ +/* Unless required by applicable law or agreed to in writing, software */ +/* distributed under the License is distributed on an "AS IS" BASIS, */ +/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or */ +/* implied. See the License for the specific language governing */ +/* permissions and limitations under the License. */ +/* */ +/* IBM_PROLOG_END_TAG */ +/** + * @file trustedTypes_base.C + * + * @brief Trusted boot type inline functions for hostboot base + */ + +///////////////////////////////////////////////////////////////// +// NOTE: This file is exportable as TSS-Lite for skiboot/PHYP // +///////////////////////////////////////////////////////////////// + +// ---------------------------------------------- +// Includes +// ---------------------------------------------- +#include <string.h> +#ifdef __HOSTBOOT_MODULE +#include "../trustedTypes.H" +#include "../trustedboot.H" +#else +#include "trustedTypes.H" +#include "trustedboot.H" +#endif + + +#ifdef __cplusplus +namespace TRUSTEDBOOT +{ +#endif + + uint32_t getDigestSize(TPM_Alg_Id i_algId) + { + uint32_t ret = 0; + switch (i_algId) + { + case TPM_ALG_SHA256: + ret = TPM_ALG_SHA256_SIZE; + break; + default: + ret = 0; + break; + }; + return ret; + } + + uint8_t* TPMT_HA_logMarshal(TPMT_HA* val, uint8_t* i_logBuf) + { + uint16_t* field16 = (uint16_t*)i_logBuf; + *field16 = htole16(val->algorithmId); + i_logBuf += sizeof(uint16_t); + memcpy(i_logBuf, val->digest.bytes, + getDigestSize((TPM_Alg_Id)val->algorithmId)); + i_logBuf += getDigestSize((TPM_Alg_Id)val->algorithmId); + return i_logBuf; + } + + size_t TPML_DIGEST_VALUES_marshalSize(TPML_DIGEST_VALUES* val) + { + size_t ret = sizeof(val->count); + for (size_t idx = 0; (idx < val->count && idx < HASH_COUNT); idx++) + { + ret += TPMT_HA_marshalSize(&(val->digests[idx])); + } + return ret; + } + + uint8_t* TPML_DIGEST_VALUES_logMarshal(TPML_DIGEST_VALUES* val, + uint8_t* i_logBuf) + { + uint32_t* field32 = (uint32_t*)i_logBuf; + if (HASH_COUNT < val->count) + { + i_logBuf = NULL; + } + else + { + *field32 = htole32(val->count); + i_logBuf += sizeof(uint32_t); + for (size_t idx = 0; idx < val->count; idx++) + { + i_logBuf = TPMT_HA_logMarshal(&(val->digests[idx]), i_logBuf); + if (NULL == i_logBuf) break; + } + } + return i_logBuf; + } + + uint8_t* TCG_PCR_EVENT_logUnmarshal(TCG_PCR_EVENT* val, + uint8_t* i_tpmBuf, + size_t i_bufSize, + bool* o_err) + { + size_t size = 0; + uint32_t* field32; + + *o_err = false; + do { + // Ensure enough space for unmarshalled data + if (sizeof(TCG_PCR_EVENT) > i_bufSize) + { + *o_err = true; + i_tpmBuf = NULL; + break; + } + + // pcrIndex + size = sizeof(val->pcrIndex); + field32 = (uint32_t*)(i_tpmBuf); + val->pcrIndex = le32toh(*field32); + // Ensure a valid pcr index + if (val->pcrIndex >= PCR_MAX) + { + *o_err = true; + i_tpmBuf = NULL; + TRACFCOMP(g_trac_trustedboot, + "ERROR> TCG_PCR_EVENT:logUnmarshal() invalid pcrIndex %d", + val->pcrIndex); + break; + } + i_tpmBuf += size; + + // eventType + size = sizeof(val->eventType); + field32 = (uint32_t*)(i_tpmBuf); + val->eventType = le32toh(*field32); + // Ensure a valid event type + if (val->eventType == 0 || val->eventType >= EV_INVALID) + { + *o_err = true; + i_tpmBuf = NULL; + TRACFCOMP(g_trac_trustedboot, + "ERROR> TCG_PCR_EVENT:logUnmarshal() invalid eventType %d", + val->eventType); + break; + } + i_tpmBuf += size; + + // digest + size = sizeof(val->digest); + memcpy(val->digest, i_tpmBuf, size); + i_tpmBuf += size; + + // eventSize + size = sizeof(val->eventSize); + field32 = (uint32_t*)(i_tpmBuf); + val->eventSize = le32toh(*field32); + // Ensure a valid eventSize + if (val->eventSize >= MAX_TPM_LOG_MSG) + { + *o_err = true; + i_tpmBuf = NULL; + TRACFCOMP(g_trac_trustedboot, + "ERROR> TCG_PCR_EVENT:logUnmarshal() invalid eventSize %d", + val->eventSize); + break; + } + i_tpmBuf += size; + + memcpy(val->event, i_tpmBuf, val->eventSize); + i_tpmBuf += val->eventSize; + + } while(0); + + return i_tpmBuf; + } + + uint8_t* TCG_PCR_EVENT_logMarshal(TCG_PCR_EVENT* val, uint8_t* i_logBuf) + { + uint32_t* field32 = (uint32_t*)(i_logBuf); + *field32 = htole32(val->pcrIndex); + i_logBuf += sizeof(uint32_t); + + field32 = (uint32_t*)(i_logBuf); + *field32 = htole32(val->eventType); + i_logBuf += sizeof(uint32_t); + + memcpy(i_logBuf, val->digest, sizeof(val->digest)); + i_logBuf += sizeof(val->digest); + + field32 = (uint32_t*)(i_logBuf); + *field32 = htole32(val->eventSize); + i_logBuf += sizeof(uint32_t); + + if (val->eventSize > 0) + { + memcpy(i_logBuf, val->event, val->eventSize); + i_logBuf += val->eventSize; + } + return i_logBuf; + } + + + uint8_t* TPM_EVENT_FIELD_logMarshal(TPM_EVENT_FIELD* val, + uint8_t* i_logBuf) + { + uint32_t* field32 = (uint32_t*)i_logBuf; + if (MAX_TPM_LOG_MSG < val->eventSize) + { + i_logBuf = NULL; + } + else + { + *field32 = htole32(val->eventSize); + i_logBuf += sizeof(uint32_t); + + memcpy(i_logBuf, val->event, val->eventSize); + i_logBuf += val->eventSize; + } + return i_logBuf; + } + + size_t TCG_PCR_EVENT2_marshalSize(TCG_PCR_EVENT2* val) + { + return (sizeof(val->pcrIndex) + sizeof(val->eventType) + + TPML_DIGEST_VALUES_marshalSize(&(val->digests)) + + TPM_EVENT_FIELD_marshalSize(&(val->event))); + } + + uint8_t* TCG_PCR_EVENT2_logMarshal(TCG_PCR_EVENT2* val, + uint8_t* i_logBuf) + { + uint32_t* field32 = (uint32_t*)i_logBuf; + *field32 = htole32(val->pcrIndex); + i_logBuf += sizeof(uint32_t); + field32 = (uint32_t*)i_logBuf; + *field32 = htole32(val->eventType); + i_logBuf += sizeof(uint32_t); + + i_logBuf = TPML_DIGEST_VALUES_logMarshal(&(val->digests),i_logBuf); + if (NULL != i_logBuf) + { + i_logBuf = TPM_EVENT_FIELD_logMarshal(&(val->event),i_logBuf); + } + return i_logBuf; + } + +#ifdef __cplusplus +} // end TRUSTEDBOOT +#endif diff --git a/src/usr/secureboot/trusted/base/trustedboot_base.C b/src/usr/secureboot/trusted/base/trustedboot_base.C index 31522ef7f..e9f20db59 100644 --- a/src/usr/secureboot/trusted/base/trustedboot_base.C +++ b/src/usr/secureboot/trusted/base/trustedboot_base.C @@ -26,6 +26,7 @@ * @file trustedboot_base.C * * @brief Trusted boot base interfaces + * This file is compiled in regardless of CONFIG_TPMDD */ // ---------------------------------------------- @@ -39,8 +40,11 @@ #include <errl/errludtarget.H> #include <errl/errludstring.H> #include <secureboot/trustedbootif.H> -#include "../trustedboot.H" #include <secureboot/trustedboot_reasoncodes.H> +#include "trustedboot_base.H" +#include "../trustedboot.H" +#include "../trustedbootUtils.H" +#include "tpmLogMgr.H" // ---------------------------------------------- // Trace definitions @@ -53,6 +57,7 @@ TRAC_INIT( & g_trac_trustedboot, "TRBOOT", KILOBYTE ); namespace TRUSTEDBOOT { +#ifdef CONFIG_TPMDD /// Global object to store TPM status SystemTpms systemTpms; @@ -65,7 +70,10 @@ TpmTarget::TpmTarget() memset(this, 0, sizeof(TpmTarget)); available = true; // Default to available until we know better mutex_init(&tpmMutex); + } +#endif + errlHndl_t pcrExtend(TPM_Pcr i_pcr, uint8_t* i_digest, @@ -74,10 +82,206 @@ errlHndl_t pcrExtend(TPM_Pcr i_pcr, { errlHndl_t err = NULL; #ifdef CONFIG_TPMDD - /// @todo RTC:125288 Add call to extend the PCR + TPM_Alg_Id algId = TPM_ALG_SHA256; + + size_t fullDigestSize = getDigestSize(algId); + char logMsg[MAX_TPM_LOG_MSG]; + + TRACDCOMP( g_trac_trustedboot, + ENTER_MRK"pcrExtend()" ); + TRACUCOMP( g_trac_trustedboot, + ENTER_MRK"pcrExtend() pcr=%d msg='%s' digest=%016llX", + i_pcr, + i_logMsg, + *(reinterpret_cast<uint64_t*>(i_digest))); + + // Ensure proper digest size + uint8_t digestData[fullDigestSize]; + memset(digestData, 0, sizeof(digestData)); + + // copy over the incoming digest to append or truncate to what we need + memcpy(digestData, i_digest, + (i_digestSize < fullDigestSize ? i_digestSize : fullDigestSize)); + + // Truncate logMsg if required + memset(logMsg, 0, sizeof(logMsg)); + memcpy(logMsg, i_logMsg, + (strlen(i_logMsg) < MAX_TPM_LOG_MSG ? strlen(i_logMsg) : + MAX_TPM_LOG_MSG)); + + for (size_t idx = 0; idx < MAX_SYSTEM_TPMS; idx++) + { + // Add the event to this TPM, if an error occurs the TPM will + // be marked as failed and the error log committed + pcrExtendSingleTpm(systemTpms.tpm[idx], + i_pcr, + algId, + digestData, + fullDigestSize, + logMsg); + } + + + // Lastly make sure we are in a state where we have a functional TPM + err = tpmVerifyFunctionalTpmExists(); + + + TRACUCOMP( g_trac_trustedboot, + EXIT_MRK"pcrExtend() - %s", + ((NULL == err) ? "No Error" : "With Error") ); #endif return err; } +#ifdef CONFIG_TPMDD +void pcrExtendSingleTpm(TpmTarget & io_target, + TPM_Pcr i_pcr, + TPM_Alg_Id i_algId, + uint8_t* i_digest, + size_t i_digestSize, + const char* i_logMsg) +{ + errlHndl_t err = NULL; + TCG_PCR_EVENT2 eventLog; + bool unlock = false; + + do + { + + mutex_lock( &io_target.tpmMutex ); + unlock = true; + + // Allocate the TPM log if it hasn't been already + if (!io_target.failed && + io_target.available && + NULL == io_target.logMgr) + { + io_target.logMgr = new TpmLogMgr; + err = TpmLogMgr_initialize(io_target.logMgr); + if (NULL != err) + { + break; + } + } + + + + // If the TPM init has occurred and it is currently + // functional we will do our extension + if (io_target.available && + io_target.initAttempted && + !io_target.failed) + { + + /// @todo RTC:125288 Add call to extend the PCR + } + + // Now we log the event, we will do this in two scenarios + // - !initAttempted - prior to IPL of the TPM we log for replay + // - initAttempted && !failed - TPM is functional so we log + if ((io_target.available && + !io_target.initAttempted) || + (io_target.available && + io_target.initAttempted && + !io_target.failed)) + { + memset(&eventLog, 0, sizeof(eventLog)); + eventLog.pcrIndex = i_pcr; + eventLog.eventType = EV_ACTION; + + // Update digest information, we only use 1 entry + eventLog.digests.count = 1; + eventLog.digests.digests[0].algorithmId = i_algId; + memcpy(eventLog.digests.digests[0].digest.bytes, + i_digest, i_digestSize); + + // Event field data + eventLog.event.eventSize = strlen(i_logMsg); + assert(eventLog.event.eventSize <= MAX_TPM_LOG_MSG, + "TPM Log message too long"); + memcpy(eventLog.event.event, i_logMsg, strlen(i_logMsg)); + + err = TpmLogMgr_addEvent(io_target.logMgr,&eventLog); + if (NULL != err) + { + break; + } + } + + } while ( 0 ); + + if (NULL != err) + { + // We failed to extend to this TPM we can no longer use it + tpmMarkFailed(&io_target); + + // Log this failure + errlCommit(err, SECURE_COMP_ID); + err = NULL; + } + + if (unlock) + { + mutex_unlock(&io_target.tpmMutex); + } + return; +} + +void tpmMarkFailed(TpmTarget * io_target) +{ + + TRACFCOMP( g_trac_trustedboot, + ENTER_MRK"tpmMarkFailed() Marking TPM as failed : " + "tgt=0x%X chip=%d", + TARGETING::get_huid(io_target->nodeTarget), + io_target->chip); + + io_target->failed = true; + /// @todo RTC:125287 Add fail marker to TPM log and disable TPM access + +} + +errlHndl_t tpmVerifyFunctionalTpmExists() +{ + errlHndl_t err = NULL; + bool foundFunctional = false; + + for (size_t idx = 0; idx < MAX_SYSTEM_TPMS; idx ++) + { + if (!systemTpms.tpm[idx].failed || + !systemTpms.tpm[idx].initAttempted) + { + foundFunctional = true; + break; + } + } + + if (!foundFunctional) + { + TRACFCOMP( g_trac_trustedboot, + "NO FUNCTIONAL TPM FOUND"); + + /*@ + * @errortype + * @reasoncode RC_TPM_NOFUNCTIONALTPM_FAIL + * @severity ERRL_SEV_UNRECOVERABLE + * @moduleid MOD_TPM_VERIFYFUNCTIONAL + * @userdata1 0 + * @userdata2 0 + * @devdesc No functional TPMs exist in the system + */ + err = new ERRORLOG::ErrlEntry( ERRORLOG::ERRL_SEV_UNRECOVERABLE, + MOD_TPM_VERIFYFUNCTIONAL, + RC_TPM_NOFUNCTIONALTPM_FAIL, + 0, 0, + true /*Add HB SW Callout*/ ); + + err->collectTrace( SECURE_COMP_NAME ); + } + + return err; +} +#endif + } // end TRUSTEDBOOT diff --git a/src/usr/secureboot/trusted/base/trustedboot_base.H b/src/usr/secureboot/trusted/base/trustedboot_base.H new file mode 100644 index 000000000..70d160b02 --- /dev/null +++ b/src/usr/secureboot/trusted/base/trustedboot_base.H @@ -0,0 +1,67 @@ +/* IBM_PROLOG_BEGIN_TAG */ +/* This is an automatically generated prolog. */ +/* */ +/* $Source: src/usr/secureboot/trusted/base/trustedboot_base.H $ */ +/* */ +/* OpenPOWER HostBoot Project */ +/* */ +/* Contributors Listed Below - COPYRIGHT 2015,2016 */ +/* [+] International Business Machines Corp. */ +/* */ +/* */ +/* Licensed under the Apache License, Version 2.0 (the "License"); */ +/* you may not use this file except in compliance with the License. */ +/* You may obtain a copy of the License at */ +/* */ +/* http://www.apache.org/licenses/LICENSE-2.0 */ +/* */ +/* Unless required by applicable law or agreed to in writing, software */ +/* distributed under the License is distributed on an "AS IS" BASIS, */ +/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or */ +/* implied. See the License for the specific language governing */ +/* permissions and limitations under the License. */ +/* */ +/* IBM_PROLOG_END_TAG */ +/** + * @file trustedboot_base.H + * + * @brief Trustedboot TPM interfaces in HB base + * + */ +#ifndef __TRUSTEDBOOT_BASE_H +#define __TRUSTEDBOOT_BASE_H +// ----------------------------------------------- +// Includes +// ----------------------------------------------- +#include <secureboot/trustedbootif.H> +#include "../trustedTypes.H" + +namespace TRUSTEDBOOT +{ + + +/** + * @brief Verify a functional TPM still exists in the system + * @return errlHndl_t NULL if TPM available, otherwise a pointer to the + * error log. +*/ +errlHndl_t tpmVerifyFunctionalTpmExists(); + +/** + * @brief Extend a measurement into a TPM and log + * @param[in/out] io_target Current TPM target structure + * @param[in] i_pcr PCR to write to + * @param[in] i_digest Digest value to write to PCR + * @param[in] i_digestSize Byte size of i_digest data + * @param[in] i_logMsg Null terminated log message + */ +void pcrExtendSingleTpm(TpmTarget & io_target, + TPM_Pcr i_pcr, + TPM_Alg_Id i_algId, + uint8_t* i_digest, + size_t i_digestSize, + const char* i_logMsg); + + +} // end TRUSTEDBOOT namespace +#endif diff --git a/src/usr/secureboot/trusted/makefile b/src/usr/secureboot/trusted/makefile index 3cc0ef5e0..6fd41f709 100644 --- a/src/usr/secureboot/trusted/makefile +++ b/src/usr/secureboot/trusted/makefile @@ -33,4 +33,5 @@ OBJS += $(if $(CONFIG_TPMDD),trustedbootUtils.o,) SUBDIRS += $(if $(CONFIG_TPMDD),test.d,) CFLAGS += -iquote ../ + include ${ROOTPATH}/config.mk diff --git a/src/usr/secureboot/trusted/test/makefile b/src/usr/secureboot/trusted/test/makefile index 3345252a6..25a8c1508 100644 --- a/src/usr/secureboot/trusted/test/makefile +++ b/src/usr/secureboot/trusted/test/makefile @@ -5,7 +5,7 @@ # # OpenPOWER HostBoot Project # -# Contributors Listed Below - COPYRIGHT 2015 +# Contributors Listed Below - COPYRIGHT 2015,2016 # [+] International Business Machines Corp. # # @@ -26,5 +26,6 @@ ROOTPATH = ../../../../.. MODULE = testtrusted TESTS += $(if $(CONFIG_TPMDD),trustedbootTest.H,) +TESTS += $(if $(CONFIG_TPMDD),tpmLogMgrTest.H,) -include ${ROOTPATH}/config.mk
\ No newline at end of file +include ${ROOTPATH}/config.mk diff --git a/src/usr/secureboot/trusted/test/tpmLogMgrTest.H b/src/usr/secureboot/trusted/test/tpmLogMgrTest.H new file mode 100755 index 000000000..dd30cf682 --- /dev/null +++ b/src/usr/secureboot/trusted/test/tpmLogMgrTest.H @@ -0,0 +1,200 @@ +/* IBM_PROLOG_BEGIN_TAG */ +/* This is an automatically generated prolog. */ +/* */ +/* $Source: src/usr/secureboot/trusted/test/tpmLogMgrTest.H $ */ +/* */ +/* OpenPOWER HostBoot Project */ +/* */ +/* Contributors Listed Below - COPYRIGHT 2015,2016 */ +/* [+] International Business Machines Corp. */ +/* */ +/* */ +/* Licensed under the Apache License, Version 2.0 (the "License"); */ +/* you may not use this file except in compliance with the License. */ +/* You may obtain a copy of the License at */ +/* */ +/* http://www.apache.org/licenses/LICENSE-2.0 */ +/* */ +/* Unless required by applicable law or agreed to in writing, software */ +/* distributed under the License is distributed on an "AS IS" BASIS, */ +/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or */ +/* implied. See the License for the specific language governing */ +/* permissions and limitations under the License. */ +/* */ +/* IBM_PROLOG_END_TAG */ +#ifndef __TPMLOGMGRTEST_H +#define __TPMLOGMGRTEST_H + +/** + * @file tpmLogMgrTest.H + * + * @brief Test cases for the tpm log manager + */ + +#include <sys/time.h> +#include <cxxtest/TestSuite.H> +#include <errl/errlmanager.H> +#include <errl/errlentry.H> +#include "../trustedTypes.H" +#include "../base/tpmLogMgr.H" + + +using namespace TRUSTEDBOOT; + + +class TPMLogMgrTest: public CxxTest::TestSuite +{ + public: + + /** + * @brief TPM Log Allocate Test + */ + void testTPMLogMgrAllocate ( void ) + { + errlHndl_t err = NULL; + int64_t fails = 0, num_ops = 0; + TCG_PCR_EVENT2 log; + uint32_t totalLogSize = 0; + + TRACFCOMP( g_trac_trustedboot, + "testTPMLogMgrAllocate - Start" ); + + do + { + + TpmLogMgr logMgr; + + num_ops++; + err = TpmLogMgr_initialize(&logMgr); + + if( NULL != err ) + { + fails++; + TS_FAIL( "testTPMLogMgrAllocate - Error detected" ); + errlCommit( err, + SECURE_COMP_ID ); + delete err; + err = NULL; + break; + } + else if (TpmLogMgr_getLogSize(&logMgr) != 69) + // 69 is size of header entry + { + fails++; + TS_FAIL( "testTPMLogMgrAllocate - Failed to find " + "proper header log Len=%d", + TpmLogMgr_getLogSize(&logMgr)); + break; + + } + else + { + TRACUCOMP(g_trac_trustedboot, "testTPMLogMgrAllocate - " + "Allocate returned as expected. Len=%d", + TpmLogMgr_getLogSize(&logMgr)); + } + // Bump full size by the header + totalLogSize = TpmLogMgr_getLogSize(&logMgr); + + for (size_t idx = 0; idx < 10; idx ++) + { + + // Build up and add an event to the log + memset(&log, 0, sizeof(log)); + log.pcrIndex = 0xF1F2F300 + idx; + log.eventType = 0xE1E2E3E4; + + log.digests.count=1; + + uint32_t digestSize = TPM_ALG_SHA256_SIZE; + log.digests.digests[0].algorithmId = TPM_ALG_SHA256; + + num_ops++; + if (TPMT_HA_marshalSize(&(log.digests.digests[0])) != + (digestSize + sizeof(uint16_t))) + { + fails++; + TS_FAIL( "testTPMLogMgrAllocate(%d) - Invalid digest " + "size Act=%d Exp=%d", + TPMT_HA_marshalSize(&(log.digests.digests[0])), + idx, + (digestSize + sizeof(uint16_t))); + break; + } + + memset(log.digests.digests[0].digest.bytes, + 0x51+idx, digestSize); + + log.event.eventSize = 21+idx; + memset(log.event.event, 0x31+idx, log.event.eventSize); + + // Full log size dependent on algorithm used + uint32_t logSize = (sizeof(uint32_t) * 2) + + sizeof(uint32_t) + + sizeof(uint16_t) + TPM_ALG_SHA256_SIZE + + sizeof(uint32_t) + 21 + idx; + totalLogSize += logSize; + + num_ops++; + if (TCG_PCR_EVENT2_marshalSize(&log) != logSize) + { + fails++; + TS_FAIL( "testTPMLogMgrAllocate(%d) - " + "Invalid final log size " + "Act=%d Exp=%d", + idx, TCG_PCR_EVENT2_marshalSize(&log), + logSize); + break; + } + + // Ok, finally add this to the TPM log + err = TpmLogMgr_addEvent(&logMgr,&log); + num_ops ++; + if( NULL != err ) + { + fails++; + TS_FAIL( "testTPMLogMgrAllocate(%d) - " + "Error detected adding event", idx); + errlCommit( err, + SECURE_COMP_ID ); + delete err; + err = NULL; + break; + } + else if (TpmLogMgr_getLogSize(&logMgr) != totalLogSize) + { + fails++; + TS_FAIL( "testTPMLogMgrAllocate(%d) - Failed to find " + "log ActLen=%d ExpLen=%d", + idx, + TpmLogMgr_getLogSize(&logMgr), + totalLogSize); + break; + + } + else + { + TRACUCOMP(g_trac_trustedboot, + "testTPMLogMgrAllocate(%d) " + "- Addevent returned as expected. " + "Len=%d", + idx, + TpmLogMgr_getLogSize(&logMgr)); + } + + } // End for + + + // Lastly dump the log to a trace so we can review it + TpmLogMgr_dumpLog(&logMgr); + + } while( 0 ); + TRACFCOMP( g_trac_trustedboot, + "testTPMLogMgrAllocate - End: %d/%d fails", + fails, num_ops ); + } + + +}; + +#endif diff --git a/src/usr/secureboot/trusted/trustedTypes.C b/src/usr/secureboot/trusted/trustedTypes.C index 4467b4c54..f9ae71165 100644 --- a/src/usr/secureboot/trusted/trustedTypes.C +++ b/src/usr/secureboot/trusted/trustedTypes.C @@ -55,24 +55,6 @@ namespace TRUSTEDBOOT void* i_chunkPtr, size_t i_chunkSize); - uint32_t getDigestSize(TPM_Alg_Id i_algId) - { - uint32_t ret = 0; - switch (i_algId) - { - case TPM_ALG_SHA1: - ret = TPM_ALG_SHA1_SIZE; - break; - case TPM_ALG_SHA256: - ret = TPM_ALG_SHA256_SIZE; - break; - default: - ret = 0; - break; - }; - return ret; - } - uint8_t* unmarshalChunk(uint8_t* i_tpmBuf, size_t * io_tpmBufSize, void* o_chunkPtr, @@ -161,20 +143,10 @@ namespace TRUSTEDBOOT size_t TPMT_HA_marshalSize(TPMT_HA* val) { - return (sizeof(TPMT_HA) - sizeof(TPMU_HA) + + return (sizeof(val->algorithmId) + getDigestSize((TPM_Alg_Id)(val->algorithmId))); } - size_t TPML_DIGEST_VALUES_marshalSize(TPML_DIGEST_VALUES* val) - { - size_t ret = sizeof(val->count); - for (size_t idx = 0; (idx < val->count && idx < HASH_COUNT); idx++) - { - ret += TPMT_HA_marshalSize(&(val->digests[idx])); - } - return ret; - } - size_t TPM_EVENT_FIELD_marshalSize(TPM_EVENT_FIELD* val) { return (sizeof(val->eventSize) + val->eventSize); diff --git a/src/usr/secureboot/trusted/trustedTypes.H b/src/usr/secureboot/trusted/trustedTypes.H index b2e8abcd9..f6348f6bb 100644 --- a/src/usr/secureboot/trusted/trustedTypes.H +++ b/src/usr/secureboot/trusted/trustedTypes.H @@ -40,10 +40,10 @@ // ----------------------------------------------- #include <stdint.h> #ifdef __HOSTBOOT_MODULE -#include <secureboot/trustedbootif.H> +#include <builtins.h> #else -#define PACKED __attribute__((__packed__)) #include "trustedboot.H" +#define PACKED __attribute__((__packed__)) #endif #ifdef __cplusplus @@ -55,10 +55,19 @@ namespace TRUSTEDBOOT /// TPM Algorithm defines typedef enum { - TPM_ALG_SHA1 = 0x0004, - TPM_ALG_SHA256 = 0x000B, + TPM_ALG_SHA1 = 0x0004, ///< SHA1 Id + TPM_ALG_SHA256 = 0x000B, ///< SHA256 Id + TPM_ALG_INVALID_ID ///< Used for error checking } TPM_Alg_Id; + typedef enum + { + TPM_ALG_NUM_SUPPORTED = 1, ///< Number of algorithms supported + TPM_ALG_SHA1_SIZE = 20, ///< SHA1 digest byte size + TPM_ALG_SHA256_SIZE = 32, ///< SHA256 digest byte size + TPM_ALG_INVALID_SIZE ///< Used for error checking + } TPM_Alg_Sizes; + /// Common static values enum { @@ -68,15 +77,16 @@ namespace TRUSTEDBOOT MAX_TPM_LOG_MSG = 128, ///< Maximum log message size HASH_COUNT = 1, ///< Maximum # of digests - TPM_ALG_SHA1_SIZE = 20, ///< SHA1 digest byte size - TPM_ALG_SHA256_SIZE = 32, ///< SHA256 digest byte size - - // Event types - EV_NO_ACTION = 0x3, ///< Event field contains info - EV_ACTION = 0x5, ///< Must extend a PCR - }; + typedef enum + { + EV_NO_ACTION = 0x3, ///< Event field contains info + EV_SEPARATOR = 0x4, ///< Used to indicate an error + EV_ACTION = 0x5, ///< Must extend a PCR + EV_INVALID ///< Used for error checking + } EventTypes; + /** * @brief Get the digest size of the selected hash algorithm * @param[in] i_algId Algorith ID to query @@ -176,10 +186,14 @@ namespace TRUSTEDBOOT } PACKED; typedef struct _TCG_PCR_EVENT TCG_PCR_EVENT; size_t TCG_PCR_EVENT_marshalSize(TCG_PCR_EVENT* val); + uint8_t* TCG_PCR_EVENT_logUnmarshal(TCG_PCR_EVENT* val, uint8_t* i_tpmBuf, + size_t i_bufSize, bool* o_err); + uint8_t* TCG_PCR_EVENT_logMarshal(TCG_PCR_EVENT* val, uint8_t* i_logBuf); /// Digest union union _TPMU_HA { + uint8_t bytes[0]; uint8_t sha1[TPM_ALG_SHA1_SIZE]; uint8_t sha256[TPM_ALG_SHA256_SIZE]; } PACKED; @@ -193,6 +207,8 @@ namespace TRUSTEDBOOT } PACKED; typedef struct _TPMT_HA TPMT_HA; size_t TPMT_HA_marshalSize(TPMT_HA* val); + uint8_t* TPMT_HA_logMarshal(TPMT_HA* val, uint8_t* i_logBuf); + /// Crypto agile digests list struct _TPML_DIGEST_VALUES @@ -202,6 +218,8 @@ namespace TRUSTEDBOOT } PACKED; typedef struct _TPML_DIGEST_VALUES TPML_DIGEST_VALUES; size_t TPML_DIGEST_VALUES_marshalSize(TPML_DIGEST_VALUES* val); + uint8_t* TPML_DIGEST_VALUES_logMarshal(TPML_DIGEST_VALUES* val, + uint8_t* i_logBuf); /// Event field structure struct _TPM_EVENT_FIELD @@ -211,6 +229,8 @@ namespace TRUSTEDBOOT } PACKED; typedef struct _TPM_EVENT_FIELD TPM_EVENT_FIELD; size_t TPM_EVENT_FIELD_marshalSize(TPM_EVENT_FIELD* val); + uint8_t* TPM_EVENT_FIELD_logMarshal(TPM_EVENT_FIELD* val, + uint8_t* i_logBuf); /// Crypto agile log entry format struct _TCG_PCR_EVENT2 @@ -219,9 +239,11 @@ namespace TRUSTEDBOOT uint32_t eventType; ///< Type of event TPML_DIGEST_VALUES digests; ///< List of digests extended to PCRIndex TPM_EVENT_FIELD event; ///< Event information - } PACKED; typedef struct _TCG_PCR_EVENT2 TCG_PCR_EVENT2; + uint8_t* TCG_PCR_EVENT2_logMarshal(TCG_PCR_EVENT2* val, + uint8_t* i_logBuf); + size_t TCG_PCR_EVENT2_marshalSize(TCG_PCR_EVENT2* val); struct _TPM2_BaseIn { diff --git a/src/usr/secureboot/trusted/trustedboot.C b/src/usr/secureboot/trusted/trustedboot.C index ac2882174..ad596648c 100644 --- a/src/usr/secureboot/trusted/trustedboot.C +++ b/src/usr/secureboot/trusted/trustedboot.C @@ -44,15 +44,9 @@ #include "trustedboot.H" #include "trustedTypes.H" #include "trustedbootCmds.H" - -// ---------------------------------------------- -// Trace definitions -// ---------------------------------------------- -extern trace_desc_t* g_trac_trustedboot; - -// Easy macro replace for unit testing -//#define TRACUCOMP(args...) TRACFCOMP(args) -#define TRACUCOMP(args...) +#include "trustedbootUtils.H" +#include "base/tpmLogMgr.H" +#include "base/trustedboot_base.H" namespace TRUSTEDBOOT { @@ -104,6 +98,20 @@ void* host_update_master_tpm( void *io_pArgs ) systemTpms.tpm[TPM_MASTER_INDEX].available = false; } + // Allocate the TPM log if it hasn't been already + if (!systemTpms.tpm[TPM_MASTER_INDEX].failed && + systemTpms.tpm[TPM_MASTER_INDEX].available && + NULL == systemTpms.tpm[TPM_MASTER_INDEX].logMgr) + { + systemTpms.tpm[TPM_MASTER_INDEX].logMgr = new TpmLogMgr; + err = TpmLogMgr_initialize( + systemTpms.tpm[TPM_MASTER_INDEX].logMgr); + if (NULL != err) + { + break; + } + } + if (systemTpms.tpm[TPM_MASTER_INDEX].failed || !systemTpms.tpm[TPM_MASTER_INDEX].available) { @@ -207,14 +215,13 @@ void tpmInitialize(TRUSTEDBOOT::TpmTarget & io_target, } - } while ( 0 ); // If the TPM failed we will mark it not functional if (NULL != err) { - tpmMarkFailed(io_target); + tpmMarkFailed(&io_target); // Log this failure errlCommit(err, SECURE_COMP_ID); } @@ -224,19 +231,5 @@ void tpmInitialize(TRUSTEDBOOT::TpmTarget & io_target, } -void tpmMarkFailed(TRUSTEDBOOT::TpmTarget & io_target) -{ - - TRACFCOMP( g_trac_trustedboot, - ENTER_MRK"tpmMarkFailed() Marking TPM as failed : " - "tgt=0x%X chip=%d", - TARGETING::get_huid(io_target.nodeTarget), - io_target.chip); - - io_target.failed = true; - /// @todo RTC:125287 Add fail marker to TPM log and disable TPM access - -} - } // end TRUSTEDBOOT diff --git a/src/usr/secureboot/trusted/trustedboot.H b/src/usr/secureboot/trusted/trustedboot.H index 1549f7810..eaf950759 100644 --- a/src/usr/secureboot/trusted/trustedboot.H +++ b/src/usr/secureboot/trusted/trustedboot.H @@ -74,11 +74,6 @@ void tpmInitialize(TRUSTEDBOOT::TpmTarget & io_target, TARGETING::Target* i_nodeTarget, TPMDD::tpm_chip_types_t i_chip); -/** - * @brief Mark the TPM as non-functional and take required steps - * @param[in/out] io_target Current TPM target structure - */ -void tpmMarkFailed(TRUSTEDBOOT::TpmTarget & io_target); } // end TRUSTEDBOOT namespace #endif diff --git a/src/usr/secureboot/trusted/trustedbootCmds.C b/src/usr/secureboot/trusted/trustedbootCmds.C index ded224b5f..aa5d713fa 100644 --- a/src/usr/secureboot/trusted/trustedbootCmds.C +++ b/src/usr/secureboot/trusted/trustedbootCmds.C @@ -65,7 +65,7 @@ errlHndl_t tpmTransmitCommand(TpmTarget * io_target, TRACUCOMP( g_trac_trustedboot, ">>TPM TRANSMIT CMD START : BufLen %d : %016llx", - i_bufsize, + (int)i_bufsize, *((uint64_t*)io_buffer) ); do @@ -132,7 +132,7 @@ errlHndl_t tpmMarshalCommandData(TPM2_BaseIn* i_cmd, TRACUCOMP( g_trac_trustedboot, "TPM MARSHAL START : BufLen %d : %016llx", - i_bufsize, + (int)i_bufsize, *((uint64_t*)i_cmd) ); // Start with the command header @@ -232,7 +232,8 @@ errlHndl_t tpmMarshalCommandData(TPM2_BaseIn* i_cmd, o_outbuf, *o_cmdSize); TRACUCOMP( g_trac_trustedboot, - "TPM MARSHAL END : CmdSize: %d : %016llx ", *o_cmdSize, + "TPM MARSHAL END : CmdSize: %d : %016llx ", + (int)(*o_cmdSize), *((uint64_t*)o_outbuf) ); TRACDCOMP( g_trac_trustedboot, @@ -258,7 +259,7 @@ errlHndl_t tpmUnmarshalResponseData(uint32_t i_commandCode, TRACUCOMP( g_trac_trustedboot, "TPM UNMARSHAL START : RespBufLen %d : OutBufLen %d", - i_respBufSize, i_outBufSize); + (int)i_respBufSize, (int)i_outBufSize); TRACUBIN(g_trac_trustedboot,"Unmarshal In", i_respBuf, i_respBufSize); @@ -473,7 +474,7 @@ errlHndl_t tpmCmdGetCapFwVersion(TpmTarget* io_target) TRACFCOMP( g_trac_trustedboot, "TPM GETCAP OP Fail %X Size(%d) ", resp->base.responseCode, - dataSize); + (int)dataSize); /*@ * @errortype @@ -555,7 +556,7 @@ errlHndl_t tpmCmdGetCapFwVersion(TpmTarget* io_target) if (TB_SUCCESS != err) { TRACFCOMP( g_trac_trustedboot, - "TPM GETCAP2 Transmit Fail %X"); + "TPM GETCAP2 Transmit Fail"); break; } @@ -566,7 +567,7 @@ errlHndl_t tpmCmdGetCapFwVersion(TpmTarget* io_target) TRACFCOMP( g_trac_trustedboot, "TPM GETCAP2 OP Fail %X Size(%d) ", resp->base.responseCode, - dataSize); + (int)dataSize); /*@ * @errortype diff --git a/src/usr/secureboot/trusted/trustedbootUtils.H b/src/usr/secureboot/trusted/trustedbootUtils.H index dd5b564e5..73bc38743 100644 --- a/src/usr/secureboot/trusted/trustedbootUtils.H +++ b/src/usr/secureboot/trusted/trustedbootUtils.H @@ -72,6 +72,12 @@ errlHndl_t tpmCreateErrorLog(const uint8_t i_modId, const uint64_t i_user1, const uint64_t i_user2); +/** + * @brief Mark the TPM as non-functional and take required steps + * @param[in/out] io_target Current TPM target structure + */ +void tpmMarkFailed(TpmTarget * io_target); + #ifdef __cplusplus } // end TRUSTEDBOOT namespace #endif |