security/tpm: add CONFIG_TPM_LOG_TCG

This event log format option automatically selects TCG log format depending on which TPM is present. Change-Id: I1997396f24ff6362fe64ac56f8e61efcf2ffb0f7 Signed-off-by: Sergii Dmytruk <[email protected]>
Dasharo · Aug 8, 2024 · 70a0c6a · 70a0c6a
1 parent c4a1abe
commit 70a0c6a
Show file tree

Hide file tree

Showing 4 changed files with 68 additions and 29 deletions.
diff --git a/src/security/tpm/Kconfig b/src/security/tpm/Kconfig
@@ -90,13 +90,18 @@ config TPM_MEASURED_BOOT
 choice
 	prompt "TPM event log format"
 	depends on TPM_MEASURED_BOOT
+	default TPM_LOG_TCG if TPM1 && TPM2
 	default TPM_LOG_TPM1 if TPM1
 	default TPM_LOG_TPM2 if TPM2
 
 config TPM_LOG_CB
 	bool "coreboot's custom format"
 	help
 	  Custom coreboot-specific format of the log derived from TPM1 log format.
+config TPM_LOG_TCG
+	bool "TPM 1.2 or TPM 2.0 format (matches detected TPM)"
+	help
+	  Automatically select TCG log format depending on which TPM is present.
 config TPM_LOG_TPM1
 	bool "TPM 1.2 format"
 	depends on TPM1 && !TPM2
@@ -114,7 +119,7 @@ endchoice
 
 choice
 	prompt "TPM2 hashing algorithm"
-	depends on TPM_MEASURED_BOOT && TPM_LOG_TPM2
+	depends on TPM_MEASURED_BOOT && (TPM_LOG_TCG || TPM_LOG_TPM2)
 	default TPM_HASH_SHA1 if TPM1
 	default TPM_HASH_SHA256 if TPM2
 

diff --git a/src/security/tpm/Makefile.mk b/src/security/tpm/Makefile.mk
@@ -70,16 +70,24 @@ verstage-$(CONFIG_TPM_LOG_CB) += tspi/log.c
 postcar-$(CONFIG_TPM_LOG_CB) += tspi/log.c
 bootblock-$(CONFIG_TPM_LOG_CB) += tspi/log.c
 
-ramstage-$(CONFIG_TPM_LOG_TPM1) += tspi/log-tpm1.c
-romstage-$(CONFIG_TPM_LOG_TPM1) += tspi/log-tpm1.c
-verstage-$(CONFIG_TPM_LOG_TPM1) += tspi/log-tpm1.c
-postcar-$(CONFIG_TPM_LOG_TPM1) += tspi/log-tpm1.c
-bootblock-$(CONFIG_TPM_LOG_TPM1) += tspi/log-tpm1.c
-
-ramstage-$(CONFIG_TPM_LOG_TPM2) += tspi/log-tpm2.c
-romstage-$(CONFIG_TPM_LOG_TPM2) += tspi/log-tpm2.c
-verstage-$(CONFIG_TPM_LOG_TPM2) += tspi/log-tpm2.c
-postcar-$(CONFIG_TPM_LOG_TPM2) += tspi/log-tpm2.c
-bootblock-$(CONFIG_TPM_LOG_TPM2) += tspi/log-tpm2.c
+ifeq ($(CONFIG_TPM_LOG_TCG)$(CONFIG_TPM_LOG_TPM1),y)
+
+ramstage-y += tspi/log-tpm1.c
+romstage-y += tspi/log-tpm1.c
+verstage-y += tspi/log-tpm1.c
+postcar-y += tspi/log-tpm1.c
+bootblock-y += tspi/log-tpm1.c
+
+endif # CONFIG_TPM_LOG_TCG or CONFIG_TPM_LOG_TPM1
+
+ifeq ($(CONFIG_TPM_LOG_TCG)$(CONFIG_TPM_LOG_TPM2),y)
+
+ramstage-y += tspi/log-tpm2.c
+romstage-y += tspi/log-tpm2.c
+verstage-y += tspi/log-tpm2.c
+postcar-y += tspi/log-tpm2.c
+bootblock-y += tspi/log-tpm2.c
+
+endif # CONFIG_TPM_LOG_TCG or CONFIG_TPM_LOG_TPM2
 
 endif # CONFIG_TPM_MEASURED_BOOT
diff --git a/src/security/tpm/tpm2_log_serialized.h b/src/security/tpm/tpm2_log_serialized.h
@@ -17,7 +17,7 @@
  * varying number of digests and their sizes. However, it works as long as
  * we're only using single kind of digests.
  */
-#if CONFIG(TPM_LOG_TPM2)
+#if CONFIG(TPM_LOG_TCG) || CONFIG(TPM_LOG_TPM2)
 #  if CONFIG(TPM_HASH_SHA1)
 #    define TPM_20_LOG_DIGEST_MAX_LENGTH SHA1_DIGEST_SIZE
 #  endif

diff --git a/src/security/tpm/tspi.h b/src/security/tpm/tspi.h
@@ -17,6 +17,32 @@
 /* Assumption of 2K TCPA log size reserved for CAR/SRAM */
 #define MAX_PRERAM_TPM_LOG_ENTRIES 15
 
+/**
+ * Checks whether TCG TPM1.2 log format should be used.
+ * When required, initializes TPM if it wasn't yet initialized.
+ */
+static inline bool tpm_log_use_tpm1_format(void)
+{
+	if (CONFIG(TPM_LOG_TPM1))
+		return true;
+	if (CONFIG(TPM_LOG_TCG))
+		return tlcl_lib_init() == TPM_SUCCESS && tlcl_get_family() == TPM_1;
+	return false;
+}
+
+/**
+ * Checks whether TCG TPM2.0 log format should be used.
+ * When required, initializes TPM if it wasn't yet initialized.
+ */
+static inline bool tpm_log_use_tpm2_format(void)
+{
+	if (CONFIG(TPM_LOG_TPM2))
+		return true;
+	if (CONFIG(TPM_LOG_TCG))
+		return tlcl_lib_init() == TPM_SUCCESS && tlcl_get_family() == TPM_2;
+	return false;
+}
+
 /**
  * Retrieves hash algorithm used by TPM event log or VB2_HASH_INVALID.
  */
@@ -25,10 +51,10 @@ static inline enum vb2_hash_algorithm tpm_log_alg(void)
 	if (CONFIG(TPM_LOG_CB))
 		return (tlcl_get_family() == TPM_1 ? VB2_HASH_SHA1 : VB2_HASH_SHA256);
 
-	if (CONFIG(TPM_LOG_TPM1))
+	if (tpm_log_use_tpm1_format())
 		return VB2_HASH_SHA1;
 
-	if (CONFIG(TPM_LOG_TPM2)) {
+	if (tpm_log_use_tpm2_format()) {
 		if (CONFIG(TPM_HASH_SHA1))
 			return VB2_HASH_SHA1;
 		if (CONFIG(TPM_HASH_SHA256))
@@ -56,9 +82,9 @@ static inline void *tpm_log_cbmem_init(void)
 {
 	if (CONFIG(TPM_LOG_CB))
 		return tpm_cb_log_cbmem_init();
-	if (CONFIG(TPM_LOG_TPM1))
+	if (tpm_log_use_tpm1_format())
 		return tpm1_log_cbmem_init();
-	if (CONFIG(TPM_LOG_TPM2))
+	if (tpm_log_use_tpm2_format())
 		return tpm2_log_cbmem_init();
 	return NULL;
 }
@@ -71,9 +97,9 @@ static inline void tpm_preram_log_clear(void)
 {
 	if (CONFIG(TPM_LOG_CB))
 		tpm_cb_preram_log_clear();
-	else if (CONFIG(TPM_LOG_TPM1))
+	else if (tpm_log_use_tpm1_format())
 		tpm1_preram_log_clear();
-	else if (CONFIG(TPM_LOG_TPM2))
+	else if (tpm_log_use_tpm2_format())
 		tpm2_preram_log_clear();
 }
 
@@ -84,9 +110,9 @@ static inline uint16_t tpm_log_get_size(const void *log_table)
 {
 	if (CONFIG(TPM_LOG_CB))
 		return tpm_cb_log_get_size(log_table);
-	if (CONFIG(TPM_LOG_TPM1))
+	if (tpm_log_use_tpm1_format())
 		return tpm1_log_get_size(log_table);
-	if (CONFIG(TPM_LOG_TPM2))
+	if (tpm_log_use_tpm2_format())
 		return tpm2_log_get_size(log_table);
 	return 0;
 }
@@ -98,9 +124,9 @@ static inline void tpm_log_copy_entries(const void *from, void *to)
 {
 	if (CONFIG(TPM_LOG_CB))
 		tpm_cb_log_copy_entries(from, to);
-	else if (CONFIG(TPM_LOG_TPM1))
+	else if (tpm_log_use_tpm1_format())
 		tpm1_log_copy_entries(from, to);
-	else if (CONFIG(TPM_LOG_TPM2))
+	else if (tpm_log_use_tpm2_format())
 		tpm2_log_copy_entries(from, to);
 }
 
@@ -112,9 +138,9 @@ static inline int tpm_log_get(int entry_idx, int *pcr, const uint8_t **digest_da
 {
 	if (CONFIG(TPM_LOG_CB))
 		return tpm_cb_log_get(entry_idx, pcr, digest_data, digest_algo, event_name);
-	if (CONFIG(TPM_LOG_TPM1))
+	if (tpm_log_use_tpm1_format())
 		return tpm1_log_get(entry_idx, pcr, digest_data, digest_algo, event_name);
-	if (CONFIG(TPM_LOG_TPM2))
+	if (tpm_log_use_tpm2_format())
 		return tpm2_log_get(entry_idx, pcr, digest_data, digest_algo, event_name);
 	return 1;
 }
@@ -134,9 +160,9 @@ static inline void tpm_log_add_table_entry(const char *name, const uint32_t pcr,
 {
 	if (CONFIG(TPM_LOG_CB))
 		tpm_cb_log_add_table_entry(name, pcr, digest_algo, digest, digest_len);
-	else if (CONFIG(TPM_LOG_TPM1))
+	else if (tpm_log_use_tpm1_format())
 		tpm1_log_add_table_entry(name, pcr, digest_algo, digest, digest_len);
-	else if (CONFIG(TPM_LOG_TPM2))
+	else if (tpm_log_use_tpm2_format())
 		tpm2_log_add_table_entry(name, pcr, digest_algo, digest, digest_len);
 }
 
@@ -147,9 +173,9 @@ static inline void tpm_log_dump(void *unused)
 {
 	if (CONFIG(TPM_LOG_CB))
 		tpm_cb_log_dump();
-	else if (CONFIG(TPM_LOG_TPM1))
+	else if (tpm_log_use_tpm1_format())
 		tpm1_log_dump();
-	else if (CONFIG(TPM_LOG_TPM2))
+	else if (tpm_log_use_tpm2_format())
 		tpm2_log_dump();
 }