-rw-r--r-- | src/include/usr/secureboot/trustedbootif.H | 39 | ||||
-rwxr-xr-x | src/usr/i2c/tpmdd.C | 11 | ||||
-rw-r--r-- | src/usr/secureboot/base/makefile | 8 | ||||
-rw-r--r-- | src/usr/secureboot/trusted/base/trustedboot_base.C | 84 | ||||
-rw-r--r-- | src/usr/secureboot/trusted/trustedboot.C | 48 | ||||
-rw-r--r-- | src/usr/secureboot/trusted/trustedboot.H | 26 |
6 files changed, 176 insertions, 40 deletions
diff --git a/src/include/usr/secureboot/trustedbootif.H b/src/include/usr/secureboot/trustedbootif.H index d73220f7f..d59cd1e14 100644 --- a/src/include/usr/secureboot/trustedbootif.H +++ b/src/include/usr/secureboot/trustedbootif.H @@ -33,10 +33,34 @@ // ----------------------------------------------- // Includes // ----------------------------------------------- +#include <i2c/tpmddif.H> +#include <errl/errlentry.H> namespace TRUSTEDBOOT { + /// Track system TPM status + struct TpmTarget + { + TARGETING::Target* nodeTarget; ///< Node target ptr + TPMDD::tpm_chip_types_t chip; ///< Chip Pri vs Backup + uint8_t initAttempted:1;///< Has TPM init been run + uint8_t failed:1; ///< Is TPM currently failed + mutex_t tpmMutex; ///< TPM Mutex + + TpmTarget(); + }; + + /// TPM PCR designations + enum TPM_Pcr + { + PCR_0 = 0, + PCR_1 = 1, + PCR_4 = 4, + PCR_DEBUG = 16, + PCR_MAX = 16, + }; + /** * @brief Initialize trusted boot/TPM components for the master TPM @@ -48,6 +72,21 @@ namespace TRUSTEDBOOT */ void* host_update_master_tpm( void *io_pArgs ); + /** + * @brief Extend a measurement into the TPMs and log + * @param[in] i_pcr PCR to write to + * @param[in] i_digest Digest value to write to PCR + * @param[in] i_digestSize Byte size of i_digest data + * @param[in] i_logMsg Null terminated log message, truncated at 128 chars + * @return errlHndl_t NULL if successful, otherwise a pointer to the + * error log. + * Digest will be right padded with zeros or truncated to match TPM digest + * size being used + */ + errlHndl_t pcrExtend(TPM_Pcr i_pcr, + uint8_t* i_digest, + size_t i_digestSize, + const char* i_logMsg); } // end TRUSTEDBOOT namespace diff --git a/src/usr/i2c/tpmdd.C b/src/usr/i2c/tpmdd.C index ec25c511c..baf1c956f 100755 --- a/src/usr/i2c/tpmdd.C +++ b/src/usr/i2c/tpmdd.C 
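Review bot: In the `TPM_Pcr` enum added to trustedbootif.H, `PCR_MAX` and `PCR_DEBUG` are both 16, and nothing says whether `PCR_MAX` is the highest valid index or a one-past-the-end bound. A later range check written as `i_pcr < PCR_MAX` would reject the debug PCR, while `i_pcr <= PCR_MAX` would accept it. A comment on the enumerator would settle this, for example `PCR_MAX = 16, ///< Highest PCR index accepted (inclusive)`. Separately, `TpmTarget` now sits in a public header with `mutex_t` and `TARGETING::Target*` members; whether `<i2c/tpmddif.H>` and `<errl/errlentry.H>` declare both is not visible here, so the header may rely on include order.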
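Review bot: The `pcrExtend` declaration takes the measurement as `uint8_t* i_digest` although the doc comment marks it `@param[in]`. `const uint8_t* i_digest` would accept read-only hash buffers and show that the callee never alters the measurement. The comment also says a digest of the wrong length is silently zero-padded or truncated. In a measured-boot interface a mismatch between `i_digestSize` and the TPM digest size is more likely a caller bug, so consider documenting it as an error return, or at least a trace, rather than extending a value that differs from what the caller hashed. The 128-character limit on `i_logMsg` exists only in prose; a named constant would keep the header and the eventual implementation in agreement.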
@@ -275,17 +275,6 @@ errlHndl_t tpmPerformOp( DeviceFW::OperationType i_opType, } while( 0 ); -#if 0 - // If there is an error, add parameter info to log - if ( err != NULL ) - { - TPMDD::UdEepromParms( i_opType, - i_target, - io_buflen, - tpmInfo ) - .addToLog(err); - } -#endif if( unlock ) { mutex_unlock( & g_tpmMutex ); diff --git a/src/usr/secureboot/base/makefile b/src/usr/secureboot/base/makefile index dc8382520..9dd92e7b1 100644 --- a/src/usr/secureboot/base/makefile +++ b/src/usr/secureboot/base/makefile @@ -5,7 +5,9 @@ # # OpenPOWER HostBoot Project # -# COPYRIGHT International Business Machines Corp. 2013,2014 +# Contributors Listed Below - COPYRIGHT 2013,2015 +# [+] International Business Machines Corp. +# # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -30,6 +32,10 @@ OBJS += header.o OBJS += purge.o OBJS += securerom.o OBJS += rom_entry.o +OBJS += trustedboot_base.o + +EXTRAINCDIR += ${ROOTPATH}/src/usr/secureboot/trusted/base +VPATH += ${ROOTPATH}/src/usr/secureboot/trusted/base CFLAGS += -iquote ../ include ${ROOTPATH}/config.mk diff --git a/src/usr/secureboot/trusted/base/trustedboot_base.C b/src/usr/secureboot/trusted/base/trustedboot_base.C new file mode 100644 index 000000000..95a55fdc2 --- /dev/null +++ b/src/usr/secureboot/trusted/base/trustedboot_base.C 
@@ -0,0 +1,84 @@
+/* IBM_PROLOG_BEGIN_TAG */
+/* This is an automatically generated prolog. */
+/* */
+/* $Source: src/usr/secureboot/trusted/base/trustedboot_base.C $ */
+/* */
+/* OpenPOWER HostBoot Project */
+/* */
+/* Contributors Listed Below - COPYRIGHT 2015 */
+/* [+] International Business Machines Corp. */
+/* */
+/* */
+/* Licensed under the Apache License, Version 2.0 (the "License"); */
+/* you may not use this file except in compliance with the License. */
+/* You may obtain a copy of the License at */
+/* */
+/* http://www.apache.org/licenses/LICENSE-2.0 */
+/* */
+/* Unless required by applicable law or agreed to in writing, software */
+/* distributed under the License is distributed on an "AS IS" BASIS, */
+/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or */
+/* implied. See the License for the specific language governing */
+/* permissions and limitations under the License. */
+/* */
+/* IBM_PROLOG_END_TAG */
+/**
+ * @file trustedboot_base.C
+ *
+ * @brief Trusted boot base interfaces
+ */
+
+// ----------------------------------------------
+// Includes
+// ----------------------------------------------
+#include <string.h>
+#include <sys/time.h>
+#include <trace/interface.H>
+#include <errl/errlentry.H>
+#include <errl/errlmanager.H>
+#include <errl/errludtarget.H>
+#include <errl/errludstring.H>
+#include <secureboot/trustedbootif.H>
+#include "../trustedboot.H"
+#include <secureboot/trustedboot_reasoncodes.H>
+
+// ----------------------------------------------
+// Trace definitions
+// ----------------------------------------------
+trace_desc_t* g_trac_trustedboot = NULL;
+TRAC_INIT( & g_trac_trustedboot, "TRBOOT", KILOBYTE );
+
+// Easy macro replace for unit testing
+//#define TRACUCOMP(args...) TRACFCOMP(args)
+#define TRACUCOMP(args...)
+ +namespace TRUSTEDBOOT +{ + +/// Global object to store TPM status +SystemTpms systemTpms; + +SystemTpms::SystemTpms() +{ +} + +TpmTarget::TpmTarget() +{ + memset(this, 0, sizeof(TpmTarget)); + mutex_init(&tpmMutex); +} + +errlHndl_t pcrExtend(TPM_Pcr i_pcr, + uint8_t* i_digest, + size_t i_digestSize, + const char* i_logMsg) +{ + errlHndl_t err = NULL; +#ifdef CONFIG_TPMDD + /// @todo RTC:125288 Add call to extend the PCR + +#endif + return err; +} + +} // end TRUSTEDBOOT diff --git a/src/usr/secureboot/trusted/trustedboot.C b/src/usr/secureboot/trusted/trustedboot.C index ed8ce7ac6..a80272be3 100644 --- a/src/usr/secureboot/trusted/trustedboot.C +++ b/src/usr/secureboot/trusted/trustedboot.C @@ -49,8 +49,7 @@ // ---------------------------------------------- // Trace definitions // ---------------------------------------------- -trace_desc_t* g_trac_trustedboot = NULL; -TRAC_INIT( & g_trac_trustedboot, "TRBOOT", KILOBYTE ); +extern trace_desc_t* g_trac_trustedboot; // Easy macro replace for unit testing //#define TRACUCOMP(args...) TRACFCOMP(args) @@ -59,9 +58,13 @@ TRAC_INIT( & g_trac_trustedboot, "TRBOOT", KILOBYTE ); namespace TRUSTEDBOOT { +extern SystemTpms systemTpms; + void* host_update_master_tpm( void *io_pArgs ) { errlHndl_t err = NULL; + bool unlock = false; + TRACDCOMP( g_trac_trustedboot, ENTER_MRK"host_update_master_tpm()" ); TRACUCOMP( g_trac_trustedboot, @@ -70,11 +73,6 @@ void* host_update_master_tpm( void *io_pArgs ) do { - // First time here so we need to clean out our data structure - memset(&tpmTargets, 0, - sizeof(TpmTarget) * TRUSTEDBOOT::MAX_SYSTEM_TPMS); - - // Get a node Target TARGETING::TargetService& tS = TARGETING::targetService(); TARGETING::Target* nodeTarget = NULL; 
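Review bot: In the new file trustedboot_base.C, `pcrExtend` ignores all four arguments and returns NULL, which the header documents as success, so a caller cannot tell that nothing was extended or logged. Until the RTC:125288 work lands, the stub should say so at the point of use, for example with the comment `// Stub: no PCR is extended yet; NULL does not mean the measurement was recorded` and a trace such as `TRACFCOMP( g_trac_trustedboot, "pcrExtend() stub: PCR %d not extended", i_pcr );`. The same applies when `CONFIG_TPMDD` is not defined, where the function also reports success. In the same file, `TpmTarget::TpmTarget()` zeroes the object with `memset(this, 0, sizeof(TpmTarget))`. That is fine for the current members, but it would silently corrupt any member with its own constructor added later, so assigning the fields explicitly is the safer form.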
@@ -90,21 +88,23 @@ void* host_update_master_tpm( void *io_pArgs ) continue; } - if (TPMDD::tpmPresence(nodeTarget, TPMDD::TPM_PRIMARY)) - { - tpmTargets[TPM_MASTER_INDEX].nodeTarget = nodeTarget; - tpmTargets[TPM_MASTER_INDEX].chip = TPMDD::TPM_PRIMARY; - tpmTargets[TPM_MASTER_INDEX].functional = true; + mutex_lock( &(systemTpms.tpm[TPM_MASTER_INDEX].tpmMutex) ); + unlock = true; + if (!systemTpms.tpm[TPM_MASTER_INDEX].failed && + TPMDD::tpmPresence(nodeTarget, TPMDD::TPM_PRIMARY)) + { // Initialize the TPM, this will mark it as non-functional on fail - tpmInitialize(tpmTargets[TPM_MASTER_INDEX]); + tpmInitialize(systemTpms.tpm[TPM_MASTER_INDEX], + nodeTarget, + TPMDD::TPM_PRIMARY); } - if (!tpmTargets[TPM_MASTER_INDEX].functional) + if (systemTpms.tpm[TPM_MASTER_INDEX].failed) { - /// @todo RTC:134913 Switch to redundant chip if redundant TPM avail + /// @todo RTC:134913 Switch to backup chip if backup TPM avail // Master TPM not available TRACFCOMP( g_trac_trustedboot, @@ -133,6 +133,12 @@ void* host_update_master_tpm( void *io_pArgs ) } while ( 0 ); + if( unlock ) + { + mutex_unlock(&(systemTpms.tpm[TPM_MASTER_INDEX].tpmMutex)); + } + + TRACDCOMP( g_trac_trustedboot, EXIT_MRK"host_update_master_tpm() - %s", ((NULL == err) ? "No Error" : "With Error") ); @@ -140,7 +146,9 @@ void* host_update_master_tpm( void *io_pArgs ) } -void tpmInitialize(TRUSTEDBOOT::TpmTarget & io_target) +void tpmInitialize(TRUSTEDBOOT::TpmTarget & io_target, + TARGETING::Target* i_nodeTarget, + TPMDD::tpm_chip_types_t i_chip) { errlHndl_t err = NULL; uint8_t dataBuf[BUFSIZE]; @@ -158,6 +166,11 @@ void tpmInitialize(TRUSTEDBOOT::TpmTarget & io_target) { // TPM Initialization sequence + io_target.nodeTarget = i_nodeTarget; + io_target.chip = i_chip; + io_target.initAttempted = true; + io_target.failed = false; + // Send the TPM startup command // Build our command block for a startup memset(dataBuf, 0, sizeof(dataBuf)); 
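Review bot: In the `@@ -90,21 +88,23 @@` hunk of `host_update_master_tpm`, an absent TPM no longer reaches the "Master TPM not available" branch. `TpmTarget()` zeroes `failed`, and `failed` is only written inside `tpmInitialize`, which is skipped when `TPMDD::tpmPresence` returns false. So `if (systemTpms.tpm[TPM_MASTER_INDEX].failed)` is false for a missing chip, where the old `!functional` test was true. Testing `initAttempted` as well would restore the previous behaviour, e.g. `if (systemTpms.tpm[TPM_MASTER_INDEX].failed || !systemTpms.tpm[TPM_MASTER_INDEX].initAttempted)`. The rest of that branch lies outside the hunk, so its effect on the boot flow should be confirmed there.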
@@ -233,12 +246,11 @@ void tpmInitialize(TRUSTEDBOOT::TpmTarget & io_target) // If the TPM failed we will mark it not functional if (NULL != err) { - io_target.functional = false; + io_target.failed = true; // Log this failure errlCommit(err, SECURE_COMP_ID); } - TRACDCOMP( g_trac_trustedboot, EXIT_MRK"tpmInitialize() - %s", ((NULL == err) ? "No Error" : "With Error") ); diff --git a/src/usr/secureboot/trusted/trustedboot.H b/src/usr/secureboot/trusted/trustedboot.H index 5c1c87e15..fa5e085fe 100644 --- a/src/usr/secureboot/trusted/trustedboot.H +++ b/src/usr/secureboot/trusted/trustedboot.H @@ -33,6 +33,7 @@ // ----------------------------------------------- // Includes // ----------------------------------------------- +#include <secureboot/trustedbootif.H> namespace TRUSTEDBOOT { @@ -42,23 +43,28 @@ enum MAX_SYSTEM_TPMS = 2, BUFSIZE = 256, TPM_MASTER_INDEX = 0, ///< Index into tpmTargets array for master chip - TPM_REDUNDANT_INDEX = 1, ///< Index for redundant chip TPM + TPM_BACKUP_INDEX = 1, ///< Index for backup chip TPM }; -/// Track system TPM status -struct TpmTarget -{ - TARGETING::Target* nodeTarget; - TPMDD::tpm_chip_types_t chip; ///< Chip Pri vs Backup - uint8_t functional:1; ///< Is TPM currently functional -} tpmTargets[MAX_SYSTEM_TPMS]; /** * @brief Initialize the targetted TPM - * @param[in/out] target Current TPM target structure + * @param[in/out] io_target Current TPM target structure + * @param[in] i_nodeTarget Node Target + * @param[in] i_chip Chip to initialize */ -void tpmInitialize(TRUSTEDBOOT::TpmTarget & io_target); + void tpmInitialize(TRUSTEDBOOT::TpmTarget & io_target, + TARGETING::Target* i_nodeTarget, + TPMDD::tpm_chip_types_t i_chip); + +/// Class object to store system TPM information +class SystemTpms +{ +public: + SystemTpms(); + TpmTarget tpm[MAX_SYSTEM_TPMS]; +}; // Command structures taken from TPM Main - Part3 commands v 1.2 rev116 |
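Review bot: The updated doc comment for `tpmInitialize` in trustedboot.H does not state the locking contract. The function now writes `nodeTarget`, `chip`, `initAttempted` and `failed` on `io_target`, and the only caller shown, `host_update_master_tpm`, takes `tpmMutex` before calling it. Adding `@note Caller must hold io_target.tpmMutex` would make that a documented precondition for future callers such as the backup-TPM path. The context comment on `TPM_MASTER_INDEX` still reads "Index into tpmTargets array", but this commit replaces `tpmTargets` with `SystemTpms::tpm`, so that comment should be updated as well.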