From nobody Sat Apr 20 08:32:18 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of seabios.org designates 78.46.105.101 as permitted sender) client-ip=78.46.105.101; envelope-from=seabios-bounces@seabios.org; helo=coreboot.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of seabios.org designates 78.46.105.101 as permitted sender) smtp.mailfrom=seabios-bounces@seabios.org; dmarc=fail(p=none dis=none) header.from=linux.ibm.com Return-Path: Received: from coreboot.org (coreboot.org [78.46.105.101]) by mx.zohomail.com with SMTPS id 1623692829252477.34534443691064; Mon, 14 Jun 2021 10:47:09 -0700 (PDT) Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP]) by coreboot.org (Postfix) with ESMTPA id 517821061DAC; Mon, 14 Jun 2021 17:47:03 +0000 (UTC) Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP]) by coreboot.org (Postfix) with ESMTP id 672A81061A36 for ; Mon, 14 Jun 2021 17:46:40 +0000 (UTC) Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP]) by mx0a-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 15EHXdVV188441; Mon, 14 Jun 2021 13:36:00 -0400 Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP]) by mx0a-001b2d01.pphosted.com with ESMTP id 396axssaw8-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 14 Jun 2021 13:36:00 -0400 Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP]) by ppma04dal.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 15EHW6Nd028863; Mon, 14 Jun 2021 17:35:59 GMT Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP]) by ppma04dal.us.ibm.com with ESMTP id 3965ytb405-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 14 Jun 2021 17:35:59 +0000 Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP]) by b03cxnp08025.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 15EHZvP727722216 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 14 Jun 2021 17:35:57 GMT Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP]) by IMSVA (Postfix) with ESMTP id 8A57B6A054; Mon, 14 Jun 2021 17:35:57 +0000 (GMT) Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP]) by IMSVA (Postfix) with ESMTP id 49C0A6A04D; Mon, 14 Jun 2021 17:35:57 +0000 (GMT) Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP]) by b03ledav003.gho.boulder.ibm.com (Postfix) with ESMTP; Mon, 14 Jun 2021 17:35:57 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding; s=pp1; bh=KmtenQjbO0UncIOIyNosQ4sLamlLeWQh7Y1AO+QQl/M=; b=mKMUzbNN3/VAXqmbtivWU3y7bHoJiGl68IsNKud+LUjDRLjJ7sFjHwHciHfVHKgkIb/G 4Ml7/rq0Xxvzu/lJBiDKCMwU7NE1MCwiMkVnvOfmjd2+d37vmQRJltfLMmdyoFn8Rf+x NWwvjOs9e1g02nJPM/bTkjQ4gEqfDhGa+z13I1vad9DET7pX1D+cRV5vxuaXF6eD1+XX WvsNcSmdTfV21BZI/7inNO3lrKM8WD7mSLsVgptTyWvNg4G03yVIQ06dm0riTJTSed62 qY/CCyzNUxu1dLA4Ks4+kCkm9NgurYvRdoiAgeVwko/clOS/XcsdELYJh23CG+uR0seU nA== From: Stefan Berger To: seabios@seabios.org Date: Mon, 14 Jun 2021 13:35:49 -0400 Message-Id: <20210614173549.1920855-3-stefanb@linux.ibm.com> In-Reply-To: <20210614173549.1920855-1-stefanb@linux.ibm.com> References: <20210614173549.1920855-1-stefanb@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: 7sVU-PKwVUbu-wE5XgnV8FQz6XVG-kzZ X-Proofpoint-GUID: 7sVU-PKwVUbu-wE5XgnV8FQz6XVG-kzZ X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391,18.0.761 definitions=2021-06-14_10:2021-06-14,2021-06-14 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1015 adultscore=0 spamscore=0 phishscore=0 lowpriorityscore=0 mlxlogscore=833 suspectscore=0 impostorscore=0 priorityscore=1501 mlxscore=0 malwarescore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2104190000 definitions=main-2106140110 X-Spam-Level: *** Message-ID-Hash: C5V5ALL56SSBQIWZ3XZ7HOXD372AIHYR X-Message-ID-Hash: C5V5ALL56SSBQIWZ3XZ7HOXD372AIHYR X-MailFrom: stefanb@linux.ibm.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-seabios.seabios.org-0; header-match-seabios.seabios.org-1; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Stefan Berger X-Mailman-Version: 3.3.4 Precedence: list Subject: [SeaBIOS] [PATCH 2/2] tcgbios: Use The proper sha function for each PCR bank List-Id: SeaBIOS mailing list Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Content-Transfer-Encoding: quoted-printable Authentication-Results: coreboot.org; auth=pass smtp.auth=mailman@coreboot.org smtp.mailfrom=seabios-bounces@seabios.org X-Spamd-Bar: --- X-ZohoMail-DKIM: fail (Header signature does not verify) Content-Type: text/plain; charset="utf-8" Instead of just using sha1 for all PCR banks (and truncating the value or zero-padding it) use the proper hash function for each one of the banks. For unimplemented hashes, fill the buffer with 0xff. Signed-off-by: Stefan Berger --- src/tcgbios.c | 58 ++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 43 insertions(+), 15 deletions(-) diff --git a/src/tcgbios.c b/src/tcgbios.c index a9d62c8..02921d8 100644 --- a/src/tcgbios.c +++ b/src/tcgbios.c @@ -167,27 +167,32 @@ static const struct hash_parameters { u8 hashalg_flag; u8 hash_buffersize; const char *name; + void (*hashfunc)(const u8 *data, u32 length, u8 *hash); } hash_parameters[] =3D { { .hashalg =3D TPM2_ALG_SHA1, .hashalg_flag =3D TPM2_ALG_SHA1_FLAG, .hash_buffersize =3D SHA1_BUFSIZE, .name =3D "SHA1", + .hashfunc =3D sha1, }, { .hashalg =3D TPM2_ALG_SHA256, .hashalg_flag =3D TPM2_ALG_SHA256_FLAG, .hash_buffersize =3D SHA256_BUFSIZE, .name =3D "SHA256", + .hashfunc =3D sha256, }, { .hashalg =3D TPM2_ALG_SHA384, .hashalg_flag =3D TPM2_ALG_SHA384_FLAG, .hash_buffersize =3D SHA384_BUFSIZE, .name =3D "SHA384", + .hashfunc =3D sha384, }, { .hashalg =3D TPM2_ALG_SHA512, .hashalg_flag =3D TPM2_ALG_SHA512_FLAG, .hash_buffersize =3D SHA512_BUFSIZE, .name =3D "SHA512", + .hashfunc =3D sha512, }, { .hashalg =3D TPM2_ALG_SM3_256, .hashalg_flag =3D TPM2_ALG_SM3_256_FLAG, @@ -259,6 +264,21 @@ tpm20_hashalg_flag_to_name(u8 hashalg_flag) return NULL; } =20 +static void tpm2_hash_data(u16 hashAlg, const u8 *data, u32 data_len, u8 *= hash) +{ + unsigned i; + + for (i =3D 0; i < ARRAY_SIZE(hash_parameters); i++) { + if (hash_parameters[i].hashalg =3D=3D hashAlg) { + if (hash_parameters[i].hashfunc) { + hash_parameters[i].hashfunc(data, data_len, hash); + } else { + memset(hash, 0xff, hash_parameters[i].hash_buffersize); + } + } + } +} + // Add an entry at the start of the log describing digest formats static int tpm20_write_EfiSpecIdEventStruct(void) @@ -342,14 +362,16 @@ tpm20_write_EfiSpecIdEventStruct(void) * hash when writing it in the area of the sha1 hash. * * le: the log entry to build the digest in - * sha1: the sha1 hash value to use + * hashdata: the data to hash + * hashdata_len: the length of the hashdata * bigEndian: whether to build in big endian format for the TPM or * little endian for the log * * Returns the digest size; -1 on fatal error */ static int -tpm20_build_digest(struct tpm_log_entry *le, const u8 *sha1, int bigEndian) +tpm20_build_digest(struct tpm_log_entry *le, + const u8 *hashdata, u32 hashdata_len, int bigEndian) { if (!tpm20_pcr_selection) return -1; @@ -391,8 +413,8 @@ tpm20_build_digest(struct tpm_log_entry *le, const u8 *= sha1, int bigEndian) else v->hashAlg =3D be16_to_cpu(sel->hashAlg); =20 - memset(v->hash, 0, hsize); - memcpy(v->hash, sha1, hsize > SHA1_BUFSIZE ? SHA1_BUFSIZE : hsize); + tpm2_hash_data(be16_to_cpu(sel->hashAlg), hashdata, hashdata_len, + v->hash); =20 dest +=3D sizeof(*v) + hsize; sel =3D nsel; @@ -415,7 +437,15 @@ tpm20_build_digest(struct tpm_log_entry *le, const u8 = *sha1, int bigEndian) } =20 static int -tpm12_build_digest(struct tpm_log_entry *le, const u8 *sha1) +tpm12_build_digest(struct tpm_log_entry *le, + const u8 *hashdata, u32 hashdata_len) +{ + sha1(hashdata, hashdata_len, le->hdr.digest); + return SHA1_BUFSIZE; +} + +static int +tpm12_build_digest_direct(struct tpm_log_entry *le, const u8 *sha1) { // On TPM 1.2 the digest contains just the SHA1 hash memcpy(le->hdr.digest, sha1, SHA1_BUFSIZE); @@ -423,13 +453,14 @@ tpm12_build_digest(struct tpm_log_entry *le, const u8= *sha1) } =20 static int -tpm_build_digest(struct tpm_log_entry *le, const u8 *sha1, int bigEndian) +tpm_build_digest(struct tpm_log_entry *le, const u8 *hashdata, u32 hashdat= a_len + , int bigEndian) { switch (TPM_version) { case TPM_VERSION_1_2: - return tpm12_build_digest(le, sha1); + return tpm12_build_digest(le, hashdata, hashdata_len); case TPM_VERSION_2: - return tpm20_build_digest(le, sha1, bigEndian); + return tpm20_build_digest(le, hashdata, hashdata_len, bigEndian); } return -1; } @@ -978,14 +1009,11 @@ tpm_add_measurement_to_log(u32 pcrindex, u32 event_t= ype, if (!tpm_is_working()) return; =20 - u8 hash[SHA1_BUFSIZE]; - sha1(hashdata, hashdata_length, hash); - struct tpm_log_entry le =3D { .hdr.pcrindex =3D pcrindex, .hdr.eventtype =3D event_type, }; - int digest_len =3D tpm_build_digest(&le, hash, 1); + int digest_len =3D tpm_build_digest(&le, hashdata, hashdata_length, 1); if (digest_len < 0) return; int ret =3D tpm_extend(&le, digest_len); @@ -993,7 +1021,7 @@ tpm_add_measurement_to_log(u32 pcrindex, u32 event_typ= e, tpm_set_failure(); return; } - tpm_build_digest(&le, hash, 0); + tpm_build_digest(&le, hashdata, hashdata_length, 0); tpm_log_event(&le.hdr, digest_len, event, event_length); } =20 @@ -1407,7 +1435,7 @@ hash_log_extend(struct pcpes *pcpes, const void *hash= data, u32 hashdata_length .hdr.pcrindex =3D pcpes->pcrindex, .hdr.eventtype =3D pcpes->eventtype, }; - int digest_len =3D tpm_build_digest(&le, pcpes->digest, 1); + int digest_len =3D tpm12_build_digest_direct(&le, pcpes->digest); if (digest_len < 0) return TCG_GENERAL_ERROR; if (extend) { @@ -1415,7 +1443,7 @@ hash_log_extend(struct pcpes *pcpes, const void *hash= data, u32 hashdata_length if (ret) return TCG_TCG_COMMAND_ERROR; } - tpm_build_digest(&le, pcpes->digest, 0); + tpm12_build_digest_direct(&le, pcpes->digest); int ret =3D tpm_log_event(&le.hdr, digest_len , pcpes->event, pcpes->eventdatasize); if (ret) --=20 2.31.1 _______________________________________________ SeaBIOS mailing list -- seabios@seabios.org To unsubscribe send an email to seabios-leave@seabios.org