From 6b33572158ef9c1226eb90afe9d309128c220c50 Mon Sep 17 00:00:00 2001
From: Sergii Dmytruk
Date: Fri, 5 Jul 2024 00:53:46 +0300
Subject: [PATCH] security/tpm: add CONFIG_TPM_LOG_TCG

This event log format option automatically selects TCG log format depending on which TPM is present.

Change-Id: I1997396f24ff6362fe64ac56f8e61efcf2ffb0f7
Signed-off-by: Sergii Dmytruk
---
 src/security/tpm/Kconfig | 7 +++-
 src/security/tpm/Makefile.mk | 30 ++++++++-----
 src/security/tpm/tpm2_log_serialized.h | 2 +-
 src/security/tpm/tspi.h | 58 +++++++++++++++++++-------
 4 files changed, 68 insertions(+), 29 deletions(-)

diff --git a/src/security/tpm/Kconfig b/src/security/tpm/Kconfig
index 22e37ffd0fe..bcc8aad6273 100644
--- a/src/security/tpm/Kconfig
+++ b/src/security/tpm/Kconfig
@@ -90,6 +90,7 @@ config TPM_MEASURED_BOOT
 choice
 	prompt "TPM event log format"
 	depends on TPM_MEASURED_BOOT
+	default TPM_LOG_TCG if TPM1 && TPM2
 	default TPM_LOG_TPM1 if TPM1
 	default TPM_LOG_TPM2 if TPM2
 
@@ -97,6 +98,10 @@ config TPM_LOG_CB
 	bool "coreboot's custom format"
 	help
 	  Custom coreboot-specific format of the log derived from TPM1 log format.
+config TPM_LOG_TCG
+	bool "TPM 1.2 or TPM 2.0 format (matches detected TPM)"
+	help
+	  Automatically select TCG log format depending on which TPM is present.
 config TPM_LOG_TPM1
 	bool "TPM 1.2 format"
 	depends on TPM1 && !TPM2
@@ -114,7 +119,7 @@ endchoice
 
 choice
 	prompt "TPM2 hashing algorithm"
-	depends on TPM_MEASURED_BOOT && TPM_LOG_TPM2
+	depends on TPM_MEASURED_BOOT && (TPM_LOG_TCG || TPM_LOG_TPM2)
 	default TPM_HASH_SHA1 if TPM1
 	default TPM_HASH_SHA256 if TPM2
 
diff --git a/src/security/tpm/Makefile.mk b/src/security/tpm/Makefile.mk
index fe16192ff67..ebecb32974a 100644
--- a/src/security/tpm/Makefile.mk
+++ b/src/security/tpm/Makefile.mk
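Review bot: In the "TPM2 hashing algorithm" hunk the choice becomes reachable on a build that enables both TPM1 and TPM2 (the very case the first hunk makes TPM_LOG_TCG the default for), and because `default TPM_HASH_SHA1 if TPM1` is listed before the SHA256 line, such a build defaults to SHA-1 even when a TPM 2.0 is detected at run time. The TPM 1.2 log path never consults this choice anyway, since `tpm_log_alg()` in tspi.h returns `VB2_HASH_SHA1` unconditionally for it, so the option only ever affects the TPM 2.0 log. Consider adding `default TPM_HASH_SHA256 if TPM_LOG_TCG` ahead of the TPM1 default, or at least stating the SHA-1 default in the TPM_LOG_TCG help text; I cannot see whether TPM_HASH_SHA256 itself carries a `depends on TPM2`, so confirm the default stays selectable.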
@@ -70,16 +70,24 @@ verstage-$(CONFIG_TPM_LOG_CB) += tspi/log.c
 postcar-$(CONFIG_TPM_LOG_CB) += tspi/log.c
 bootblock-$(CONFIG_TPM_LOG_CB) += tspi/log.c
 
-ramstage-$(CONFIG_TPM_LOG_TPM1) += tspi/log-tpm1.c
-romstage-$(CONFIG_TPM_LOG_TPM1) += tspi/log-tpm1.c
-verstage-$(CONFIG_TPM_LOG_TPM1) += tspi/log-tpm1.c
-postcar-$(CONFIG_TPM_LOG_TPM1) += tspi/log-tpm1.c
-bootblock-$(CONFIG_TPM_LOG_TPM1) += tspi/log-tpm1.c
-
-ramstage-$(CONFIG_TPM_LOG_TPM2) += tspi/log-tpm2.c
-romstage-$(CONFIG_TPM_LOG_TPM2) += tspi/log-tpm2.c
-verstage-$(CONFIG_TPM_LOG_TPM2) += tspi/log-tpm2.c
-postcar-$(CONFIG_TPM_LOG_TPM2) += tspi/log-tpm2.c
-bootblock-$(CONFIG_TPM_LOG_TPM2) += tspi/log-tpm2.c
+ifeq ($(CONFIG_TPM_LOG_TCG)$(CONFIG_TPM_LOG_TPM1),y)
+
+ramstage-y += tspi/log-tpm1.c
+romstage-y += tspi/log-tpm1.c
+verstage-y += tspi/log-tpm1.c
+postcar-y += tspi/log-tpm1.c
+bootblock-y += tspi/log-tpm1.c
+
+endif # CONFIG_TPM_LOG_TCG or CONFIG_TPM_LOG_TPM1
+
+ifeq ($(CONFIG_TPM_LOG_TCG)$(CONFIG_TPM_LOG_TPM2),y)
+
+ramstage-y += tspi/log-tpm2.c
+romstage-y += tspi/log-tpm2.c
+verstage-y += tspi/log-tpm2.c
+postcar-y += tspi/log-tpm2.c
+bootblock-y += tspi/log-tpm2.c
+
+endif # CONFIG_TPM_LOG_TCG or CONFIG_TPM_LOG_TPM2
 
 endif # CONFIG_TPM_MEASURED_BOOT
diff --git a/src/security/tpm/tpm2_log_serialized.h b/src/security/tpm/tpm2_log_serialized.h
index a11a2f6a7e5..aaaf576eca3 100644
--- a/src/security/tpm/tpm2_log_serialized.h
+++ b/src/security/tpm/tpm2_log_serialized.h
@@ -17,7 +17,7 @@
  * varying number of digests and their sizes. However, it works as long as
  * we're only using single kind of digests.
  */
-#if CONFIG(TPM_LOG_TPM2)
+#if CONFIG(TPM_LOG_TCG) || CONFIG(TPM_LOG_TPM2)
 # if CONFIG(TPM_HASH_SHA1)
 # define TPM_20_LOG_DIGEST_MAX_LENGTH SHA1_DIGEST_SIZE
 # endif
diff --git a/src/security/tpm/tspi.h b/src/security/tpm/tspi.h
index 80cafd5e090..ec805942f6e 100644
--- a/src/security/tpm/tspi.h
+++ b/src/security/tpm/tspi.h
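Review bot: The `ifeq ($(CONFIG_TPM_LOG_TCG)$(CONFIG_TPM_LOG_TPM1),y)` test only works because the two symbols are members of one Kconfig choice, so their concatenation is exactly `y` when either is set; that invariant is not visible from the Makefile and deserves a comment above each block, e.g. `# Both symbols belong to the same Kconfig choice, so the concatenation is "y" iff exactly one is set`. Note also that with CONFIG_TPM_LOG_TCG both log-tpm1.c and log-tpm2.c are compiled into every stage regardless of CONFIG_TPM1/CONFIG_TPM2, since TPM_LOG_TCG carries no `depends on` in the Kconfig hunk; if either backend needs its family's headers or symbols to build, the condition should include that family symbol as well.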
@@ -17,6 +17,32 @@
 /* Assumption of 2K TCPA log size reserved for CAR/SRAM */
 #define MAX_PRERAM_TPM_LOG_ENTRIES 15
 
+/**
+ * Checks whether TCG TPM1.2 log format should be used.
+ * When required, initializes TPM if it wasn't yet initialized.
+ */
+static inline bool tpm_log_use_tpm1_format(void)
+{
+	if (CONFIG(TPM_LOG_TPM1))
+		return true;
+	if (CONFIG(TPM_LOG_TCG))
+		return tlcl_lib_init() == TPM_SUCCESS && tlcl_get_family() == TPM_1;
+	return false;
+}
+
+/**
+ * Checks whether TCG TPM2.0 log format should be used.
+ * When required, initializes TPM if it wasn't yet initialized.
+ */
+static inline bool tpm_log_use_tpm2_format(void)
+{
+	if (CONFIG(TPM_LOG_TPM2))
+		return true;
+	if (CONFIG(TPM_LOG_TCG))
+		return tlcl_lib_init() == TPM_SUCCESS && tlcl_get_family() == TPM_2;
+	return false;
+}
+
 /**
  * Retrieves hash algorithm used by TPM event log or VB2_HASH_INVALID.
  */
@@ -25,10 +51,10 @@ static inline enum vb2_hash_algorithm tpm_log_alg(void)
 	if (CONFIG(TPM_LOG_CB))
 		return (tlcl_get_family() == TPM_1 ? VB2_HASH_SHA1 : VB2_HASH_SHA256);
 
-	if (CONFIG(TPM_LOG_TPM1))
+	if (tpm_log_use_tpm1_format())
 		return VB2_HASH_SHA1;
 
-	if (CONFIG(TPM_LOG_TPM2)) {
+	if (tpm_log_use_tpm2_format()) {
 		if (CONFIG(TPM_HASH_SHA1))
 			return VB2_HASH_SHA1;
 		if (CONFIG(TPM_HASH_SHA256))
@@ -56,9 +82,9 @@ static inline void *tpm_log_cbmem_init(void)
 {
 	if (CONFIG(TPM_LOG_CB))
 		return tpm_cb_log_cbmem_init();
-	if (CONFIG(TPM_LOG_TPM1))
+	if (tpm_log_use_tpm1_format())
 		return tpm1_log_cbmem_init();
-	if (CONFIG(TPM_LOG_TPM2))
+	if (tpm_log_use_tpm2_format())
 		return tpm2_log_cbmem_init();
 	return NULL;
 }
@@ -71,9 +97,9 @@ static inline void tpm_preram_log_clear(void)
 {
 	if (CONFIG(TPM_LOG_CB))
 		tpm_cb_preram_log_clear();
-	else if (CONFIG(TPM_LOG_TPM1))
+	else if (tpm_log_use_tpm1_format())
 		tpm1_preram_log_clear();
-	else if (CONFIG(TPM_LOG_TPM2))
+	else if (tpm_log_use_tpm2_format())
 		tpm2_preram_log_clear();
 }
 
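Review bot: On the CONFIG_TPM_LOG_TCG path a failed `tlcl_lib_init()` makes both `tpm_log_use_tpm1_format()` and `tpm_log_use_tpm2_format()` return false, so every dispatcher changed in the later hunks silently falls through to its no-backend result (`tpm_log_cbmem_init()` returns NULL, `tpm_log_add_table_entry()` drops the entry, `tpm_log_alg()` reaches its VB2_HASH_INVALID return) and the measured-boot log ends up incomplete with no trace of why. The failure should be reported at least once, e.g. a `printk(BIOS_ERR, ...)` in the helper when init fails, and the doc comment should say so: `* Returns false (disabling TCG-format logging) if TPM initialization fails.` The dispatchers also probe twice per call on a TPM 2.0 system, because the tpm1 check runs `tlcl_lib_init()` and `tlcl_get_family()` before the tpm2 check repeats them; a single helper returning the detected family would halve that and make the no-TPM outcome an explicit case. The existing CONFIG_TPM_LOG_CB branch of `tpm_log_alg()` calls `tlcl_get_family()` without `tlcl_lib_init()`, so the two paths now have different init expectations, which is worth a comment either way.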
@@ -84,9 +110,9 @@ static inline uint16_t tpm_log_get_size(const void *log_table)
 {
 	if (CONFIG(TPM_LOG_CB))
 		return tpm_cb_log_get_size(log_table);
-	if (CONFIG(TPM_LOG_TPM1))
+	if (tpm_log_use_tpm1_format())
 		return tpm1_log_get_size(log_table);
-	if (CONFIG(TPM_LOG_TPM2))
+	if (tpm_log_use_tpm2_format())
 		return tpm2_log_get_size(log_table);
 	return 0;
 }
@@ -98,9 +124,9 @@ static inline void tpm_log_copy_entries(const void *from, void *to)
 {
 	if (CONFIG(TPM_LOG_CB))
 		tpm_cb_log_copy_entries(from, to);
-	else if (CONFIG(TPM_LOG_TPM1))
+	else if (tpm_log_use_tpm1_format())
 		tpm1_log_copy_entries(from, to);
-	else if (CONFIG(TPM_LOG_TPM2))
+	else if (tpm_log_use_tpm2_format())
 		tpm2_log_copy_entries(from, to);
 }
 
@@ -112,9 +138,9 @@ static inline int tpm_log_get(int entry_idx, int *pcr, const uint8_t **digest_da
 {
 	if (CONFIG(TPM_LOG_CB))
 		return tpm_cb_log_get(entry_idx, pcr, digest_data, digest_algo, event_name);
-	if (CONFIG(TPM_LOG_TPM1))
+	if (tpm_log_use_tpm1_format())
 		return tpm1_log_get(entry_idx, pcr, digest_data, digest_algo, event_name);
-	if (CONFIG(TPM_LOG_TPM2))
+	if (tpm_log_use_tpm2_format())
 		return tpm2_log_get(entry_idx, pcr, digest_data, digest_algo, event_name);
 	return 1;
 }
@@ -134,9 +160,9 @@ static inline void tpm_log_add_table_entry(const char *name, const uint32_t pcr,
 {
 	if (CONFIG(TPM_LOG_CB))
 		tpm_cb_log_add_table_entry(name, pcr, digest_algo, digest, digest_len);
-	else if (CONFIG(TPM_LOG_TPM1))
+	else if (tpm_log_use_tpm1_format())
 		tpm1_log_add_table_entry(name, pcr, digest_algo, digest, digest_len);
-	else if (CONFIG(TPM_LOG_TPM2))
+	else if (tpm_log_use_tpm2_format())
 		tpm2_log_add_table_entry(name, pcr, digest_algo, digest, digest_len);
 }
 
@@ -147,9 +173,9 @@ static inline void tpm_log_dump(void *unused)
 {
 	if (CONFIG(TPM_LOG_CB))
 		tpm_cb_log_dump();
-	else if (CONFIG(TPM_LOG_TPM1))
+	else if (tpm_log_use_tpm1_format())
 		tpm1_log_dump();
-	else if (CONFIG(TPM_LOG_TPM2))
+	else if (tpm_log_use_tpm2_format())
 		tpm2_log_dump();
 }