1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
|
/* IBM_PROLOG_BEGIN_TAG */
/* This is an automatically generated prolog. */
/* */
/* $Source: src/usr/secureboot/trusted/trustedboot.H $ */
/* */
/* OpenPOWER HostBoot Project */
/* */
/* Contributors Listed Below - COPYRIGHT 2015,2017 */
/* [+] International Business Machines Corp. */
/* */
/* */
/* Licensed under the Apache License, Version 2.0 (the "License"); */
/* you may not use this file except in compliance with the License. */
/* You may obtain a copy of the License at */
/* */
/* http://www.apache.org/licenses/LICENSE-2.0 */
/* */
/* Unless required by applicable law or agreed to in writing, software */
/* distributed under the License is distributed on an "AS IS" BASIS, */
/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or */
/* implied. See the License for the specific language governing */
/* permissions and limitations under the License. */
/* */
/* IBM_PROLOG_END_TAG */
/**
* @file trustedboot.H
*
* @brief Trustedboot TPM interfaces
*
*/
#ifndef __TRUSTEDBOOT_H
#define __TRUSTEDBOOT_H
// -----------------------------------------------
// Includes
// -----------------------------------------------
#include <secureboot/trustedbootif.H>
#include <i2c/tpmddif.H>
#include <trace/interface.H>
#include <sys/msg.h>
#include "trustedTypes.H"
// ----------------------------------------------
// Trace definitions
// ----------------------------------------------
extern trace_desc_t* g_trac_trustedboot;
// Easy macro replace for unit testing
//#define TRACUCOMP(args...) TRACFCOMP(args)
#define TRACUCOMP(args...)
//#define TRACUBIN(args...) TRACFBIN(args)
#define TRACUBIN(args...)
#define TB_SUCCESS NULL
namespace TRUSTEDBOOT
{
const size_t DEFAULT_BIN_TRACE_SIZE = 128;
/// Common static values
enum TRUSTED_BOOT_LIMITS
{
MAX_TPMS_PER_NODE = 2,
};
/// Class object to store trusted boot system data
class SystemData
{
public:
SystemData():
msgQ(msg_q_create()),
failedTpmsPosted(false)
{ }
// NOTE: No destructor implemented to destroy msgQ as required for shutdown
msg_q_t msgQ; ///< TrustedBootRp message queue
bool failedTpmsPosted; ///< Have we already posted
};
/**
* @brief Initialize the targeted TPM
*
* @param[in] i_pTpm TPM targeting target handle indicating TPM to initialize.
* Function will assert if value is nullptr or is not of TPM type
*/
void tpmInitialize(TRUSTEDBOOT::TpmTarget* i_pTpm);
/**
* @brief Verify a functional TPM still exists in the system
*
* If no functional TPMs are found in the system :
* If the system is running in secure mode an error log will be committed
* and if the TPMRequired attribute is true a system shutdown will be
* initiated
*/
void tpmVerifyFunctionalTpmExists();
/**
* @brief Replay the entries that exist in the log into the TPM as needed
*
* @param[in] i_pTpm TPM targeting target handle indicating TPM to replay log.
* Function will assert if value is nullptr or is not of TPM type
*/
void tpmReplayLog(TRUSTEDBOOT::TpmTarget* i_pTpm);
/**
* @brief Send config entries to TPM
*
* @param[in] i_pTpm TPM targeting target handle indicating TPM to send config
* entries to. Function will assert if value is nullptr or is not of TPM
* type.
*
* @return errlHndl_t nullptr if successful, otherwise pointer to error log
*/
errlHndl_t tpmLogConfigEntries(TRUSTEDBOOT::TpmTarget* i_pTpm);
/**
* @brief Extend a measurement into a TPM and log
*
* @param[in] i_pTpm TPM targeting target handle referring to TPM to log a
* measurement to. Function will assert if value is nullptr or is not of
* TPM type.
* @param[in] i_pcr PCR to write to
* @param[in] i_algId Algorithm to extend
* @param[in] i_digest Digest value to write to PCR
* @param[in] i_digestSize Byte size of i_digest data
* @param[in] i_logMsg Null terminated log message
*/
void pcrExtendSingleTpm(TpmTarget* i_pTpm,
TPM_Pcr i_pcr,
const EventTypes i_eventType,
TPM_Alg_Id i_algId,
const uint8_t* i_digest,
size_t i_digestSize,
const char* i_logMsg);
/**
* @brief Extend a separator into a TPM and log
*
* @param[in] i_pTpm TPM targeting target handle referring to TPM to log a
* extend a separator to. Function will assert if value is nullptr or is
* not of TPM type.
*/
void pcrExtendSeparator(TpmTarget* i_pTpm);
/** Thread start routine for the TPM Daemon
* @param[in] void*, unused
*/
void* tpmDaemon(void* unused);
#ifdef CONFIG_DRTM
/**
* @brief Initiate a DRTM PCR reset on the given TPM
*
* @param[in] i_pTpm TPM targeting target handle referring to TPM to DRTM
* reset. Function will assert if value is nullptr or is
* not of TPM type.
*
* @return errlHndl_t nullptr if successful, otherwise a pointer to the
* error log.
*/
errlHndl_t tpmDrtmReset(TpmTarget* i_pTpm);
#endif
/**
* @brief Returns a pointer to the TPM's log manger
*
* @param[in] i_pTpm TPM targeting target handle. Function asserts if value is
* nullptr or does not refer to a TPM targeting target.
*
* @return _TpmLogMgr* Pointer to TPM's log manager, or nullptr if log manager
* is not configured.
*/
_TpmLogMgr* getTpmLogMgr(
const TpmTarget* i_pTpm);
/**
* @brief Sets a TPM's log manger
*
* @param[in] i_pTpm TPM targeting target handle. Function asserts if value is
* nullptr or does not refer to a TPM targeting target.
*
* @param[in] i_pTpmLogMg Pointer to TPM log manager, or nullptr to remove log
* manager.
*/
void setTpmLogMgr(
TpmTarget* i_pTpm,
const _TpmLogMgr* i_pTpmLogMgr);
/**
* @brief Returns TPM with matching role
*
* @param[in] i_tpmRole Role of the TPM to search for
*
* @param[out] o_pTpm TPM targeting target handle of the TPM with the matching
* role, or nullptr if none found
*/
void getTpmWithRoleOf(
TARGETING::TPM_ROLE i_tpmRole,
TARGETING::Target*& o_pTpm);
/**
* @brief Returns value of TPM Sensor if it is available
* All error handing is contained in the function and the output value
* is only valid if the function returns TRUE
*
* @param[out] o_isTpmRequired Value returned from TPM Required sensor:
* TRUE if TPM is required; FALSE if TPM is NOT required
* NOTE: this parameter is only valid if this function returns TRUE
*
* @return bool Returns TRUE if sensor was available and found without error;
* otherwise returns FALSE
*/
bool getTpmRequiredSensorValue(
bool& o_isTpmRequired);
} // end TRUSTEDBOOT namespace
#endif
|