src/security/vboot/tpm_common.c

   1 /* SPDX-License-Identifier: GPL-2.0-only */
   2
   3 #include <security/tpm/tspi.h>
   4 #include <security/tpm/tss.h>
   5 #include <security/vboot/tpm_common.h>
   6 #include <security/tpm/tss_errors.h>
   7 #include <vb2_api.h>
   8 #include <vb2_sha.h>
   9
  10 #define TPM_PCR_BOOT_MODE "VBOOT: boot mode"
  11 #define TPM_PCR_GBB_HWID_NAME "VBOOT: GBB HWID"
  12 #define TPM_PCR_FIRMWARE_VERSION "VBOOT: firmware ver"
  13
  14 tpm_result_t vboot_setup_tpm(struct vb2_context *ctx)
  15 {
  16         tpm_result_t rc;
  17
  18         rc = tpm_setup(ctx->flags & VB2_CONTEXT_S3_RESUME);
  19         if (rc == TPM_CB_MUST_REBOOT)
  20                 ctx->flags |= VB2_CONTEXT_SECDATA_WANTS_REBOOT;
  21
  22         return rc;
  23 }
  24
  25 tpm_result_t vboot_extend_pcr(struct vb2_context *ctx, int pcr,
  26                              enum vb2_pcr_digest which_digest)
  27 {
  28         uint8_t buffer[VB2_PCR_DIGEST_RECOMMENDED_SIZE];
  29         uint32_t size = sizeof(buffer);
  30
  31         if (vb2api_get_pcr_digest(ctx, which_digest, buffer, &size) != VB2_SUCCESS)
  32                 return TPM_CB_FAIL;
  33
  34         /*
  35          * On TPM 1.2, all PCRs are intended for use with SHA1. We truncate our
  36          * SHA256 HWID hash to 20 bytes to make it fit. On TPM 2.0, we always
  37          * want to use the SHA256 banks, even for the boot mode which is
  38          * technically a SHA1 value for historical reasons. vboot has already
  39          * zero-extended the buffer to 32 bytes for us, so we just take it like
  40          * that and pretend it's a SHA256. In practice, this means we never care
  41          * about the (*size) value returned from vboot (which indicates how many
  42          * significant bytes vboot wrote, although it always extends zeroes up
  43          * to the end of the buffer), we always use a hardcoded size instead.
  44          */
  45         _Static_assert(sizeof(buffer) >= VB2_SHA256_DIGEST_SIZE,
  46                        "Buffer needs to be able to fit at least a SHA256");
  47         enum vb2_hash_algorithm algo = tlcl_get_family() == TPM_1 ?
  48                 VB2_HASH_SHA1 : VB2_HASH_SHA256;
  49
  50         switch (which_digest) {
  51         /* SHA1 of (devmode|recmode|keyblock) bits */
  52         case BOOT_MODE_PCR:
  53                 return tpm_extend_pcr(pcr, algo, buffer, vb2_digest_size(algo),
  54                                       TPM_PCR_BOOT_MODE);
  55          /* SHA256 of HWID */
  56         case HWID_DIGEST_PCR:
  57                 return tpm_extend_pcr(pcr, algo, buffer, vb2_digest_size(algo),
  58                                       TPM_PCR_GBB_HWID_NAME);
  59         /* firmware version */
  60         case FIRMWARE_VERSION_PCR:
  61                 return tpm_extend_pcr(pcr, algo, buffer, vb2_digest_size(algo),
  62                                       TPM_PCR_FIRMWARE_VERSION);
  63         default:
  64                 return TPM_CB_FAIL;
  65         }
  66 }