File eventlog-support-sha1.patch of Package tpm2.0-tools.24995
From a258812a47c377ee5b3db6ed0d506d7727668b94 Mon Sep 17 00:00:00 2001 From: Trammell Hudson <hudson@trmm.net> Date: Tue, 9 Jun 2020 10:51:37 +0200 Subject: [PATCH 1/6] tpm2_eventlog: move PCR tracking out of yaml code and into eventlog parser Signed-off-by: Trammell Hudson <hudson@trmm.net> --- lib/tpm2_eventlog.c | 71 +++++++++++++++++++++++++--------------- lib/tpm2_eventlog.h | 24 +++++++------- lib/tpm2_eventlog_yaml.c | 42 ++++++++++++++++++++---- 3 files changed, 93 insertions(+), 44 deletions(-) diff --git a/lib/tpm2_eventlog.c b/lib/tpm2_eventlog.c index b44ae10a..f2c9eb33 100644 --- a/lib/tpm2_eventlog.c +++ b/lib/tpm2_eventlog.c @@ -2,6 +2,10 @@ #include <stdlib.h> #include <tss2/tss2_tpm2_types.h> +#include <openssl/buffer.h> +#include <openssl/evp.h> +#include <openssl/sha.h> + #include "log.h" #include "efi_event.h" #include "tpm2_alg_util.h" @@ -27,8 +31,7 @@ bool digest2_accumulator_callback(TCG_DIGEST2 const *digest, size_t size, * hold the digest. The size of the digest is passed to the callback in the * 'size' parameter. */ -bool foreach_digest2(TCG_DIGEST2 const *digest, size_t count, size_t size, - DIGEST2_CALLBACK callback, void *data) { +bool foreach_digest2(tpm2_eventlog_ctx_t * ctx, int pcrId, TCG_DIGEST2 const *digest, size_t count, size_t size) { if (digest == NULL) { LOG_ERR("digest cannot be NULL"); 
@@ -48,8 +51,26 @@ bool foreach_digest2(TCG_DIGEST2 const *digest, size_t count, size_t size, LOG_ERR("insufficient size for digest buffer"); return false; } - if (callback != NULL) { - ret = callback(digest, alg_size, data); + + if (digest->AlgorithmId == TPM2_ALG_SHA1) { + uint8_t * const pcr = ctx->sha1_pcrs[pcrId]; + SHA_CTX sha1; + SHA1_Init(&sha1); + SHA1_Update(&sha1, pcr, alg_size); + SHA1_Update(&sha1, digest->Digest, alg_size); + SHA1_Final(pcr, &sha1); + } else + if (digest->AlgorithmId == TPM2_ALG_SHA256) { + uint8_t * const pcr = ctx->sha256_pcrs[pcrId]; + SHA256_CTX sha256; + SHA256_Init(&sha256); + SHA256_Update(&sha256, pcr, alg_size); + SHA256_Update(&sha256, digest->Digest, alg_size); + SHA256_Final(pcr, &sha256); + } + + if (ctx->digest2_cb != NULL) { + ret = ctx->digest2_cb(digest, alg_size, ctx->data); if (!ret) { LOG_ERR("callback failed for digest at %p with size %zu", digest, alg_size); break; @@ -134,9 +155,13 @@ bool parse_event2(TCG_EVENT_HEADER2 const *eventhdr, size_t buf_size, } *event_size = sizeof(*eventhdr); - ret = foreach_digest2(eventhdr->Digests, eventhdr->DigestCount, - buf_size - sizeof(*eventhdr), - digest2_accumulator_callback, digests_size); + tpm2_eventlog_ctx_t ctx = { + .data = digests_size, + .digest2_cb = digest2_accumulator_callback, + }; + ret = foreach_digest2(&ctx, eventhdr->PCRIndex, + eventhdr->Digests, eventhdr->DigestCount, + buf_size - sizeof(*eventhdr)); if (ret != true) { return false; } @@ -158,10 +183,7 @@ bool parse_event2(TCG_EVENT_HEADER2 const *eventhdr, size_t buf_size, return true; } -bool foreach_event2(TCG_EVENT_HEADER2 const *eventhdr_start, size_t size, - EVENT2_CALLBACK event2hdr_cb, - DIGEST2_CALLBACK digest2_cb, - EVENT2DATA_CALLBACK event2_cb, void *data) { +bool foreach_event2(tpm2_eventlog_ctx_t * ctx, TCG_EVENT_HEADER2 const *eventhdr_start, size_t size) { if (eventhdr_start == NULL) { LOG_ERR("invalid parameter"); 
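Review bot: `ctx->sha1_pcrs[pcrId]` and `ctx->sha256_pcrs[pcrId]` in the `@@ -48,8 +51,26 @@` hunk index with a value taken straight from `eventhdr->PCRIndex` in the log, and nothing bounds it against `TPM2_MAX_PCRS` (as an `int` it can also be negative), so a malformed log writes outside the pcrs arrays — and, through the `@@ -134,9 +155,13 @@` hunk, into a ctx that lives on parse_event2's stack. A guard at the top of the function, `if (pcrId < 0 || pcrId >= TPM2_MAX_PCRS) { LOG_ERR("PCR%d out of range", pcrId); return false; }`, closes this; PATCH 3 later adds a check but compares with `>` rather than `>=`. Separately, parse_event2 now builds a throwaway ctx and runs the extend into it, so every digest is hashed twice per event, once here and once from foreach_event2; letting the size-only pass skip the extend (for example when `ctx->data`-driven tracking is not wanted, or via a NULL pcr path) would avoid that. foreach_digest2's body continues outside the hunk.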
@@ -188,18 +210,18 @@ bool foreach_event2(TCG_EVENT_HEADER2 const *eventhdr_start, size_t size, } TCG_EVENT2 *event = (TCG_EVENT2*)((uintptr_t)eventhdr->Digests + digests_size); + /* event header callback */ - if (event2hdr_cb != NULL) { - ret = event2hdr_cb(eventhdr, event_size, data); + if (ctx->event2hdr_cb != NULL) { + ret = ctx->event2hdr_cb(eventhdr, event_size, ctx->data); if (ret != true) { return false; } } /* digest callback foreach digest */ - if (digest2_cb != NULL) { - ret = foreach_digest2(eventhdr->Digests, eventhdr->DigestCount, - digests_size, digest2_cb, data); + if (ctx->digest2_cb != NULL) { + ret = foreach_digest2(ctx, eventhdr->PCRIndex, eventhdr->Digests, eventhdr->DigestCount, digests_size); if (ret != true) { return false; } @@ -211,8 +233,8 @@ bool foreach_event2(TCG_EVENT_HEADER2 const *eventhdr_start, size_t size, } /* event data callback */ - if (event2_cb != NULL) { - ret = event2_cb(event, eventhdr->EventType, data); + if (ctx->event2_cb != NULL) { + ret = ctx->event2_cb(event, eventhdr->EventType, ctx->data); if (ret != true) { return false; } @@ -301,12 +323,7 @@ bool specid_event(TCG_EVENT const *event, size_t size, return true; } -bool parse_eventlog(BYTE const *eventlog, size_t size, - SPECID_CALLBACK specid_cb, - EVENT2_CALLBACK event2hdr_cb, - DIGEST2_CALLBACK digest2_cb, - EVENT2DATA_CALLBACK event2_cb, void *data) -{ +bool parse_eventlog(tpm2_eventlog_ctx_t *ctx, BYTE const *eventlog, size_t size) { TCG_EVENT_HEADER2 *next; TCG_EVENT *event = (TCG_EVENT*)eventlog; @@ -319,12 +336,12 @@ bool parse_eventlog(BYTE const *eventlog, size_t size, size -= (uintptr_t)next - (uintptr_t)eventlog; - if (specid_cb) { - ret = specid_cb(event, data); + if (ctx->specid_cb) { + ret = ctx->specid_cb(event, ctx->data); if (!ret) { return false; } } - return foreach_event2(next, size, event2hdr_cb, digest2_cb, event2_cb, data); + return foreach_event2(ctx, next, size); } 
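Review bot: In the `@@ -188,18 +210,18 @@` hunk PCR extension now happens inside foreach_digest2, but the call is still guarded by `if (ctx->digest2_cb != NULL)`, so a caller that sets no per-digest callback gets no PCR tracking at all even though it passed a ctx with pcrs arrays. Either drop the guard — foreach_digest2 already tests `ctx->digest2_cb` itself in the `@@ -48,8 +51,26 @@` hunk — or document on the ctx type that `sha1_pcrs`/`sha256_pcrs` are only populated when `digest2_cb` is set. foreach_event2's loop begins and ends outside the hunk.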
diff --git a/lib/tpm2_eventlog.h b/lib/tpm2_eventlog.h index 3d8fce72..857d3f2b 100644 --- a/lib/tpm2_eventlog.h +++ b/lib/tpm2_eventlog.h @@ -17,23 +17,25 @@ typedef bool (*EVENT2DATA_CALLBACK)(TCG_EVENT2 const *event, UINT32 type, void *data); typedef bool (*SPECID_CALLBACK)(TCG_EVENT const *event, void *data); +typedef struct { + void * data; + SPECID_CALLBACK specid_cb; + EVENT2_CALLBACK event2hdr_cb; + DIGEST2_CALLBACK digest2_cb; + EVENT2DATA_CALLBACK event2_cb; + uint8_t sha1_pcrs[TPM2_MAX_PCRS][TPM2_SHA1_DIGEST_SIZE]; + uint8_t sha256_pcrs[TPM2_MAX_PCRS][TPM2_SHA256_DIGEST_SIZE]; +} tpm2_eventlog_ctx_t; + bool digest2_accumulator_callback(TCG_DIGEST2 const *digest, size_t size, void *data); bool parse_event2body(TCG_EVENT2 const *event, UINT32 type); -bool foreach_digest2(TCG_DIGEST2 const *event_hdr, size_t count, size_t size, - DIGEST2_CALLBACK callback, void *data); +bool foreach_digest2(tpm2_eventlog_ctx_t *ctx, int pcrId, TCG_DIGEST2 const *event_hdr, size_t count, size_t size); bool parse_event2(TCG_EVENT_HEADER2 const *eventhdr, size_t buf_size, size_t *event_size, size_t *digests_size); -bool foreach_event2(TCG_EVENT_HEADER2 const *eventhdr_start, size_t size, - EVENT2_CALLBACK event2hdr_cb, - DIGEST2_CALLBACK digest2_cb, - EVENT2DATA_CALLBACK event2_cb, void *data); +bool foreach_event2(tpm2_eventlog_ctx_t *ctx, TCG_EVENT_HEADER2 const *eventhdr_start, size_t size); bool specid_event(TCG_EVENT const *event, size_t size, TCG_EVENT_HEADER2 **next); -bool parse_eventlog(BYTE const *eventlog, size_t size, - SPECID_CALLBACK specid_cb, - EVENT2_CALLBACK event2hdr_cb, - DIGEST2_CALLBACK digest2_cb, - EVENT2DATA_CALLBACK event2_cb, void *data); +bool parse_eventlog(tpm2_eventlog_ctx_t *ctx, BYTE const *eventlog, size_t size); #endif diff --git a/lib/tpm2_eventlog_yaml.c b/lib/tpm2_eventlog_yaml.c index 31447daa..c81eb764 100644 --- a/lib/tpm2_eventlog_yaml.c +++ b/lib/tpm2_eventlog_yaml.c 
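Review bot: The new `tpm2_eventlog_ctx_t` in the `@@ -17,23 +17,25 @@` hunk has no documentation, and its contract is not obvious: the `sha1_pcrs`/`sha256_pcrs` rows must start at zero for the extend chain to be meaningful (the callers in this series rely on designated initializers zeroing them), and after parse_eventlog returns they hold the running extend values. A header comment of the form `/* Parser state. Callbacks may be NULL; *_pcrs must be zero-initialized by the caller and hold the replayed PCR values after parsing. */` above the typedef would carry that. It would also help to say that `data` is passed through to every callback unchanged.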
@@ -285,7 +285,7 @@ bool yaml_event2hdr_callback(TCG_EVENT_HEADER2 const *eventhdr, size_t size, return false; } - tpm2_tool_output("- Event[%zu]:\n", *count++); + tpm2_tool_output("- Event[%zu]:\n", (*count)++); yaml_event2hdr(eventhdr, size); @@ -379,14 +379,44 @@ bool yaml_specid_callback(TCG_EVENT const *event, void *data) { return yaml_specid_event(event, count); } +static void yaml_eventlog_pcrs(tpm2_eventlog_ctx_t *ctx) { + + char hexstr[DIGEST_HEX_STRING_MAX] = { 0, }; + + tpm2_tool_output("pcrs:\n"); + + tpm2_tool_output(" sha1:\n"); + for(unsigned i = 0 ; i < TPM2_MAX_PCRS ; i++) { + bytes_to_str(ctx->sha1_pcrs[i], sizeof(ctx->sha1_pcrs[i]), + hexstr, sizeof(hexstr)); + tpm2_tool_output(" %2d : 0x%s\n", i, hexstr); + } + + tpm2_tool_output(" sha256:\n"); + for(unsigned i = 0 ; i < TPM2_MAX_PCRS ; i++) { + bytes_to_str(ctx->sha256_pcrs[i], sizeof(ctx->sha256_pcrs[i]), + hexstr, sizeof(hexstr)); + tpm2_tool_output(" %2d : 0x%s\n", i, hexstr); + } +} + bool yaml_eventlog(UINT8 const *eventlog, size_t size) { size_t count = 0; + tpm2_eventlog_ctx_t ctx = { + .data = &count, + .specid_cb = yaml_specid_callback, + .event2hdr_cb = yaml_event2hdr_callback, + .digest2_cb = yaml_digest2_callback, + .event2_cb = yaml_event2data_callback, + }; tpm2_tool_output("---\n"); - return parse_eventlog(eventlog, size, - yaml_specid_callback, - yaml_event2hdr_callback, - yaml_digest2_callback, - yaml_event2data_callback, &count); + bool rc = parse_eventlog(&ctx, eventlog, size); + if (!rc) { + return rc; + } + + yaml_eventlog_pcrs(&ctx); + return true; } -- 2.35.1 From f3aed309a92e94b6d661aa39db585edb526f621a Mon Sep 17 00:00:00 2001 From: Trammell hudson <hudson@trmm.net> Date: Wed, 10 Jun 2020 12:09:03 +0200 Subject: [PATCH 2/6] tpm2_eventlog: use tpm2_openssl_pcr_extend() to perform PCR hashing Signed-off-by: Trammell hudson <hudson@trmm.net> --- lib/tpm2_eventlog.c | 36 +++++++++++++++++------------------- 1 file changed, 17 insertions(+), 19 deletions(-) 
diff --git a/lib/tpm2_eventlog.c b/lib/tpm2_eventlog.c index f2c9eb33..e26b7d14 100644 --- a/lib/tpm2_eventlog.c +++ b/lib/tpm2_eventlog.c @@ -2,14 +2,11 @@ #include <stdlib.h> #include <tss2/tss2_tpm2_types.h> -#include <openssl/buffer.h> -#include <openssl/evp.h> -#include <openssl/sha.h> - #include "log.h" #include "efi_event.h" #include "tpm2_alg_util.h" #include "tpm2_eventlog.h" +#include "tpm2_openssl.h" bool digest2_accumulator_callback(TCG_DIGEST2 const *digest, size_t size, void *data){ @@ -46,27 +43,27 @@ bool foreach_digest2(tpm2_eventlog_ctx_t * ctx, int pcrId, TCG_DIGEST2 const *di LOG_ERR("insufficient size for digest header"); return false; } - size_t alg_size = tpm2_alg_util_get_hash_size(digest->AlgorithmId); + + const TPMI_ALG_HASH alg = digest->AlgorithmId; + const size_t alg_size = tpm2_alg_util_get_hash_size(alg); if (size < sizeof(*digest) + alg_size) { LOG_ERR("insufficient size for digest buffer"); return false; } - if (digest->AlgorithmId == TPM2_ALG_SHA1) { - uint8_t * const pcr = ctx->sha1_pcrs[pcrId]; - SHA_CTX sha1; - SHA1_Init(&sha1); - SHA1_Update(&sha1, pcr, alg_size); - SHA1_Update(&sha1, digest->Digest, alg_size); - SHA1_Final(pcr, &sha1); + uint8_t * pcr = NULL; + if (alg == TPM2_ALG_SHA1) { + pcr = ctx->sha1_pcrs[pcrId]; } else - if (digest->AlgorithmId == TPM2_ALG_SHA256) { - uint8_t * const pcr = ctx->sha256_pcrs[pcrId]; - SHA256_CTX sha256; - SHA256_Init(&sha256); - SHA256_Update(&sha256, pcr, alg_size); - SHA256_Update(&sha256, digest->Digest, alg_size); - SHA256_Final(pcr, &sha256); + if (alg == TPM2_ALG_SHA256) { + pcr = ctx->sha256_pcrs[pcrId]; + } else { + LOG_WARN("PCR%d algorithm %d unsupported", pcrId, alg); + } + + if (pcr && !tpm2_openssl_pcr_extend(alg, pcr, digest->Digest, alg_size)) { + LOG_ERR("PCR%d extend failed", pcrId); + return false; } if (ctx->digest2_cb != NULL) { 
@@ -76,6 +73,7 @@ bool foreach_digest2(tpm2_eventlog_ctx_t * ctx, int pcrId, TCG_DIGEST2 const *di break; } } + size -= sizeof(*digest) + alg_size; digest = (TCG_DIGEST2*)((uintptr_t)digest->Digest + alg_size); } -- 2.35.1 From 9adfb9ec3e8f7395621665ffd60f8a76f7341190 Mon Sep 17 00:00:00 2001 From: Trammell hudson <hudson@trmm.net> Date: Wed, 10 Jun 2020 12:35:57 +0200 Subject: [PATCH 3/6] tpm2_eventlog: support all current PCR hash algorithms Signed-off-by: Trammell hudson <hudson@trmm.net> --- lib/tpm2_eventlog.c | 17 +++++++++++ lib/tpm2_eventlog.h | 8 ++++++ lib/tpm2_eventlog_yaml.c | 61 +++++++++++++++++++++++++++++++++------- 3 files changed, 76 insertions(+), 10 deletions(-) diff --git a/lib/tpm2_eventlog.c b/lib/tpm2_eventlog.c index e26b7d14..cda9aeb5 100644 --- a/lib/tpm2_eventlog.c +++ b/lib/tpm2_eventlog.c @@ -52,11 +52,28 @@ bool foreach_digest2(tpm2_eventlog_ctx_t * ctx, int pcrId, TCG_DIGEST2 const *di } uint8_t * pcr = NULL; + if (pcrId > TPM2_MAX_PCRS) { + LOG_ERR("PCR%d > max %d", pcrId, TPM2_MAX_PCRS); + } else if (alg == TPM2_ALG_SHA1) { pcr = ctx->sha1_pcrs[pcrId]; + ctx->sha1_used |= (1 << pcrId); } else if (alg == TPM2_ALG_SHA256) { pcr = ctx->sha256_pcrs[pcrId]; + ctx->sha256_used |= (1 << pcrId); + } else + if (alg == TPM2_ALG_SHA384) { + pcr = ctx->sha384_pcrs[pcrId]; + ctx->sha384_used |= (1 << pcrId); + } else + if (alg == TPM2_ALG_SHA512) { + pcr = ctx->sha512_pcrs[pcrId]; + ctx->sha512_used |= (1 << pcrId); + } else + if (alg == TPM2_ALG_SM3_256) { + pcr = ctx->sm3_256_pcrs[pcrId]; + ctx->sm3_256_used |= (1 << pcrId); } else { LOG_WARN("PCR%d algorithm %d unsupported", pcrId, alg); } diff --git a/lib/tpm2_eventlog.h b/lib/tpm2_eventlog.h index 857d3f2b..52222bf6 100644 --- a/lib/tpm2_eventlog.h +++ b/lib/tpm2_eventlog.h 
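Review bot: The new guard `if (pcrId > TPM2_MAX_PCRS)` in the `@@ -52,11 +52,28 @@` hunk is off by one: `pcrId == TPM2_MAX_PCRS` passes, indexes one row past the selected bank (for `sm3_256_pcrs` that is beyond the end of the struct) and then shifts by the full width of `uint32_t`; `pcrId` is still an `int`, so negative values pass too. It should read `if (pcrId < 0 || pcrId >= TPM2_MAX_PCRS)` and, since tracking cannot continue, `return false` rather than falling through with `pcr == NULL`. The `_used` masks are built with `(1 << pcrId)`, where `1` is a signed int, so the shift for PCR 31 is undefined behaviour; `(1u << pcrId)` is the safe form, and the same applies to the `(1 << i)` tests in this patch's yaml hunk and to PATCH 4's renamed `pcr_index` version, which keeps the `>` comparison. foreach_digest2's body continues outside the hunk.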
@@ -23,8 +23,16 @@ typedef struct { EVENT2_CALLBACK event2hdr_cb; DIGEST2_CALLBACK digest2_cb; EVENT2DATA_CALLBACK event2_cb; + uint32_t sha1_used; + uint32_t sha256_used; + uint32_t sha384_used; + uint32_t sha512_used; + uint32_t sm3_256_used; uint8_t sha1_pcrs[TPM2_MAX_PCRS][TPM2_SHA1_DIGEST_SIZE]; uint8_t sha256_pcrs[TPM2_MAX_PCRS][TPM2_SHA256_DIGEST_SIZE]; + uint8_t sha384_pcrs[TPM2_MAX_PCRS][TPM2_SHA384_DIGEST_SIZE]; + uint8_t sha512_pcrs[TPM2_MAX_PCRS][TPM2_SHA512_DIGEST_SIZE]; + uint8_t sm3_256_pcrs[TPM2_MAX_PCRS][TPM2_SM3_256_DIGEST_SIZE]; } tpm2_eventlog_ctx_t; bool digest2_accumulator_callback(TCG_DIGEST2 const *digest, size_t size, diff --git a/lib/tpm2_eventlog_yaml.c b/lib/tpm2_eventlog_yaml.c index c81eb764..257184e5 100644 --- a/lib/tpm2_eventlog_yaml.c +++ b/lib/tpm2_eventlog_yaml.c 
@@ -385,18 +385,59 @@ static void yaml_eventlog_pcrs(tpm2_eventlog_ctx_t *ctx) { tpm2_tool_output("pcrs:\n"); - tpm2_tool_output(" sha1:\n"); - for(unsigned i = 0 ; i < TPM2_MAX_PCRS ; i++) { - bytes_to_str(ctx->sha1_pcrs[i], sizeof(ctx->sha1_pcrs[i]), - hexstr, sizeof(hexstr)); - tpm2_tool_output(" %2d : 0x%s\n", i, hexstr); + if (ctx->sha1_used != 0) { + tpm2_tool_output(" sha1:\n"); + for(unsigned i = 0 ; i < TPM2_MAX_PCRS ; i++) { + if ((ctx->sha1_used & (1 << i)) == 0) + continue; + bytes_to_str(ctx->sha1_pcrs[i], sizeof(ctx->sha1_pcrs[i]), + hexstr, sizeof(hexstr)); + tpm2_tool_output(" %2d : 0x%s\n", i, hexstr); + } + } + + if (ctx->sha256_used != 0) { + tpm2_tool_output(" sha256:\n"); + for(unsigned i = 0 ; i < TPM2_MAX_PCRS ; i++) { + if ((ctx->sha256_used & (1 << i)) == 0) + continue; + bytes_to_str(ctx->sha256_pcrs[i], sizeof(ctx->sha256_pcrs[i]), + hexstr, sizeof(hexstr)); + tpm2_tool_output(" %2d : 0x%s\n", i, hexstr); + } } - tpm2_tool_output(" sha256:\n"); - for(unsigned i = 0 ; i < TPM2_MAX_PCRS ; i++) { - bytes_to_str(ctx->sha256_pcrs[i], sizeof(ctx->sha256_pcrs[i]), - hexstr, sizeof(hexstr)); - tpm2_tool_output(" %2d : 0x%s\n", i, hexstr); + if (ctx->sha384_used != 0) { + tpm2_tool_output(" sha384:\n"); + for(unsigned i = 0 ; i < TPM2_MAX_PCRS ; i++) { + if ((ctx->sha384_used & (1 << i)) == 0) + continue; + bytes_to_str(ctx->sha384_pcrs[i], sizeof(ctx->sha384_pcrs[i]), + hexstr, sizeof(hexstr)); + tpm2_tool_output(" %2d : 0x%s\n", i, hexstr); + } + } + + if (ctx->sha512_used != 0) { + tpm2_tool_output(" sha512:\n"); + for(unsigned i = 0 ; i < TPM2_MAX_PCRS ; i++) { + if ((ctx->sha512_used & (1 << i)) == 0) + continue; + bytes_to_str(ctx->sha512_pcrs[i], sizeof(ctx->sha512_pcrs[i]), + hexstr, sizeof(hexstr)); + tpm2_tool_output(" %2d : 0x%s\n", i, hexstr); + } + } + + if (ctx->sm3_256_used != 0) { + tpm2_tool_output(" sm3_256:\n"); + for(unsigned i = 0 ; i < TPM2_MAX_PCRS ; i++) { + if ((ctx->sm3_256_used & (1 << i)) == 0) + continue; + 
bytes_to_str(ctx->sm3_256_pcrs[i], sizeof(ctx->sm3_256_pcrs[i]), + hexstr, sizeof(hexstr)); + tpm2_tool_output(" %2d : 0x%s\n", i, hexstr); + } } } -- 2.35.1 From 4d31239dd7a92ec2b3fc835e1f0b7d4e3058734f Mon Sep 17 00:00:00 2001 From: Trammell hudson <hudson@trmm.net> Date: Fri, 12 Jun 2020 15:26:22 +0200 Subject: [PATCH 4/6] tpm2_eventlog: style guide fixes Signed-off-by: Trammell hudson <hudson@trmm.net> --- lib/tpm2_eventlog.c | 49 ++++++++++++++++++++------------------------- lib/tpm2_eventlog.h | 5 +++-- 2 files changed, 25 insertions(+), 29 deletions(-) diff --git a/lib/tpm2_eventlog.c b/lib/tpm2_eventlog.c index cda9aeb5..8e7d18e8 100644 --- a/lib/tpm2_eventlog.c +++ b/lib/tpm2_eventlog.c @@ -28,7 +28,7 @@ bool digest2_accumulator_callback(TCG_DIGEST2 const *digest, size_t size, * hold the digest. The size of the digest is passed to the callback in the * 'size' parameter. */ -bool foreach_digest2(tpm2_eventlog_ctx_t * ctx, int pcrId, TCG_DIGEST2 const *digest, size_t count, size_t size) { +bool foreach_digest2(tpm2_eventlog_ctx_t *ctx, unsigned pcr_index, TCG_DIGEST2 const *digest, size_t count, size_t size) { if (digest == NULL) { LOG_ERR("digest cannot be NULL"); 
@@ -51,35 +51,30 @@ bool foreach_digest2(tpm2_eventlog_ctx_t * ctx, int pcrId, TCG_DIGEST2 const *di return false; } - uint8_t * pcr = NULL; - if (pcrId > TPM2_MAX_PCRS) { - LOG_ERR("PCR%d > max %d", pcrId, TPM2_MAX_PCRS); - } else - if (alg == TPM2_ALG_SHA1) { - pcr = ctx->sha1_pcrs[pcrId]; - ctx->sha1_used |= (1 << pcrId); - } else - if (alg == TPM2_ALG_SHA256) { - pcr = ctx->sha256_pcrs[pcrId]; - ctx->sha256_used |= (1 << pcrId); - } else - if (alg == TPM2_ALG_SHA384) { - pcr = ctx->sha384_pcrs[pcrId]; - ctx->sha384_used |= (1 << pcrId); - } else - if (alg == TPM2_ALG_SHA512) { - pcr = ctx->sha512_pcrs[pcrId]; - ctx->sha512_used |= (1 << pcrId); - } else - if (alg == TPM2_ALG_SM3_256) { - pcr = ctx->sm3_256_pcrs[pcrId]; - ctx->sm3_256_used |= (1 << pcrId); + uint8_t *pcr = NULL; + if (pcr_index > TPM2_MAX_PCRS) { + LOG_ERR("PCR%d > max %d", pcr_index, TPM2_MAX_PCRS); + } else if (alg == TPM2_ALG_SHA1) { + pcr = ctx->sha1_pcrs[pcr_index]; + ctx->sha1_used |= (1 << pcr_index); + } else if (alg == TPM2_ALG_SHA256) { + pcr = ctx->sha256_pcrs[pcr_index]; + ctx->sha256_used |= (1 << pcr_index); + } else if (alg == TPM2_ALG_SHA384) { + pcr = ctx->sha384_pcrs[pcr_index]; + ctx->sha384_used |= (1 << pcr_index); + } else if (alg == TPM2_ALG_SHA512) { + pcr = ctx->sha512_pcrs[pcr_index]; + ctx->sha512_used |= (1 << pcr_index); + } else if (alg == TPM2_ALG_SM3_256) { + pcr = ctx->sm3_256_pcrs[pcr_index]; + ctx->sm3_256_used |= (1 << pcr_index); } else { - LOG_WARN("PCR%d algorithm %d unsupported", pcrId, alg); + LOG_WARN("PCR%d algorithm %d unsupported", pcr_index, alg); } if (pcr && !tpm2_openssl_pcr_extend(alg, pcr, digest->Digest, alg_size)) { - LOG_ERR("PCR%d extend failed", pcrId); + LOG_ERR("PCR%d extend failed", pcr_index); return false; } 
@@ -198,7 +193,7 @@ bool parse_event2(TCG_EVENT_HEADER2 const *eventhdr, size_t buf_size, return true; } -bool foreach_event2(tpm2_eventlog_ctx_t * ctx, TCG_EVENT_HEADER2 const *eventhdr_start, size_t size) { +bool foreach_event2(tpm2_eventlog_ctx_t *ctx, TCG_EVENT_HEADER2 const *eventhdr_start, size_t size) { if (eventhdr_start == NULL) { LOG_ERR("invalid parameter"); diff --git a/lib/tpm2_eventlog.h b/lib/tpm2_eventlog.h index 52222bf6..875302b5 100644 --- a/lib/tpm2_eventlog.h +++ b/lib/tpm2_eventlog.h @@ -18,7 +18,7 @@ typedef bool (*EVENT2DATA_CALLBACK)(TCG_EVENT2 const *event, UINT32 type, typedef bool (*SPECID_CALLBACK)(TCG_EVENT const *event, void *data); typedef struct { - void * data; + void *data; SPECID_CALLBACK specid_cb; EVENT2_CALLBACK event2hdr_cb; DIGEST2_CALLBACK digest2_cb; @@ -39,7 +39,8 @@ bool digest2_accumulator_callback(TCG_DIGEST2 const *digest, size_t size, void *data); bool parse_event2body(TCG_EVENT2 const *event, UINT32 type); -bool foreach_digest2(tpm2_eventlog_ctx_t *ctx, int pcrId, TCG_DIGEST2 const *event_hdr, size_t count, size_t size); +bool foreach_digest2(tpm2_eventlog_ctx_t *ctx, unsigned pcr_index, + TCG_DIGEST2 const *event_hdr, size_t count, size_t size); bool parse_event2(TCG_EVENT_HEADER2 const *eventhdr, size_t buf_size, size_t *event_size, size_t *digests_size); bool foreach_event2(tpm2_eventlog_ctx_t *ctx, TCG_EVENT_HEADER2 const *eventhdr_start, size_t size); -- 2.35.1 From 255a3f4a2f696b909d8dc157efe2aff0d5cf05c9 Mon Sep 17 00:00:00 2001 From: Trammell hudson <hudson@trmm.net> Date: Fri, 12 Jun 2020 15:28:46 +0200 Subject: [PATCH 5/6] tpm2_eventlog: rename tpm2_eventlog_ctx_t to tpm2_eventlog_context Signed-off-by: Trammell hudson <hudson@trmm.net> --- lib/tpm2_eventlog.c | 8 ++++---- lib/tpm2_eventlog.h | 8 ++++---- lib/tpm2_eventlog_yaml.c | 4 ++-- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/lib/tpm2_eventlog.c b/lib/tpm2_eventlog.c index 8e7d18e8..f3042394 100644 --- a/lib/tpm2_eventlog.c 
+++ b/lib/tpm2_eventlog.c @@ -28,7 +28,7 @@ bool digest2_accumulator_callback(TCG_DIGEST2 const *digest, size_t size, * hold the digest. The size of the digest is passed to the callback in the * 'size' parameter. */ -bool foreach_digest2(tpm2_eventlog_ctx_t *ctx, unsigned pcr_index, TCG_DIGEST2 const *digest, size_t count, size_t size) { +bool foreach_digest2(tpm2_eventlog_context *ctx, unsigned pcr_index, TCG_DIGEST2 const *digest, size_t count, size_t size) { if (digest == NULL) { LOG_ERR("digest cannot be NULL"); @@ -165,7 +165,7 @@ bool parse_event2(TCG_EVENT_HEADER2 const *eventhdr, size_t buf_size, } *event_size = sizeof(*eventhdr); - tpm2_eventlog_ctx_t ctx = { + tpm2_eventlog_context ctx = { .data = digests_size, .digest2_cb = digest2_accumulator_callback, }; @@ -193,7 +193,7 @@ bool parse_event2(TCG_EVENT_HEADER2 const *eventhdr, size_t buf_size, return true; } -bool foreach_event2(tpm2_eventlog_ctx_t *ctx, TCG_EVENT_HEADER2 const *eventhdr_start, size_t size) { +bool foreach_event2(tpm2_eventlog_context *ctx, TCG_EVENT_HEADER2 const *eventhdr_start, size_t size) { if (eventhdr_start == NULL) { LOG_ERR("invalid parameter"); @@ -333,7 +333,7 @@ bool specid_event(TCG_EVENT const *event, size_t size, return true; } -bool parse_eventlog(tpm2_eventlog_ctx_t *ctx, BYTE const *eventlog, size_t size) { +bool parse_eventlog(tpm2_eventlog_context *ctx, BYTE const *eventlog, size_t size) { TCG_EVENT_HEADER2 *next; TCG_EVENT *event = (TCG_EVENT*)eventlog; diff --git a/lib/tpm2_eventlog.h b/lib/tpm2_eventlog.h index 875302b5..a425f926 100644 --- a/lib/tpm2_eventlog.h +++ b/lib/tpm2_eventlog.h 
@@ -33,18 +33,18 @@ typedef struct { uint8_t sha384_pcrs[TPM2_MAX_PCRS][TPM2_SHA384_DIGEST_SIZE]; uint8_t sha512_pcrs[TPM2_MAX_PCRS][TPM2_SHA512_DIGEST_SIZE]; uint8_t sm3_256_pcrs[TPM2_MAX_PCRS][TPM2_SM3_256_DIGEST_SIZE]; -} tpm2_eventlog_ctx_t; +} tpm2_eventlog_context; bool digest2_accumulator_callback(TCG_DIGEST2 const *digest, size_t size, void *data); bool parse_event2body(TCG_EVENT2 const *event, UINT32 type); -bool foreach_digest2(tpm2_eventlog_ctx_t *ctx, unsigned pcr_index, +bool foreach_digest2(tpm2_eventlog_context *ctx, unsigned pcr_index, TCG_DIGEST2 const *event_hdr, size_t count, size_t size); bool parse_event2(TCG_EVENT_HEADER2 const *eventhdr, size_t buf_size, size_t *event_size, size_t *digests_size); -bool foreach_event2(tpm2_eventlog_ctx_t *ctx, TCG_EVENT_HEADER2 const *eventhdr_start, size_t size); +bool foreach_event2(tpm2_eventlog_context *ctx, TCG_EVENT_HEADER2 const *eventhdr_start, size_t size); bool specid_event(TCG_EVENT const *event, size_t size, TCG_EVENT_HEADER2 **next); -bool parse_eventlog(tpm2_eventlog_ctx_t *ctx, BYTE const *eventlog, size_t size); +bool parse_eventlog(tpm2_eventlog_context *ctx, BYTE const *eventlog, size_t size); #endif diff --git a/lib/tpm2_eventlog_yaml.c b/lib/tpm2_eventlog_yaml.c index 257184e5..4e6b8cff 100644 --- a/lib/tpm2_eventlog_yaml.c +++ b/lib/tpm2_eventlog_yaml.c @@ -379,7 +379,7 @@ bool yaml_specid_callback(TCG_EVENT const *event, void *data) { return yaml_specid_event(event, count); } -static void yaml_eventlog_pcrs(tpm2_eventlog_ctx_t *ctx) { +static void yaml_eventlog_pcrs(tpm2_eventlog_context *ctx) { char hexstr[DIGEST_HEX_STRING_MAX] = { 0, }; @@ -444,7 +444,7 @@ static void yaml_eventlog_pcrs(tpm2_eventlog_ctx_t *ctx) { bool yaml_eventlog(UINT8 const *eventlog, size_t size) { size_t count = 0; - tpm2_eventlog_ctx_t ctx = { + tpm2_eventlog_context ctx = { .data = &count, .specid_cb = yaml_specid_callback, .event2hdr_cb = yaml_event2hdr_callback, -- 2.35.1 
From 5f3eb09146df96cbcb99ea8eaead725b0a1e715f Mon Sep 17 00:00:00 2001 From: Juergen Repp <juergen.repp@sit.fraunhofer.de> Date: Wed, 19 Aug 2020 10:23:32 +0200 Subject: [PATCH 6/6] eventlog: Add handling of sha1 log format (Fixes #2179). If no specid event is part of the event list no description of the crytpo agile event format is available. In this case it will be assumed that the sha1 log format is used. A function for parsing the sha1 log event header and yaml callbacks for this format were added. A fixture with a binary sha1 event log was added to the integration tests. Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de> --- lib/tpm2_eventlog.c | 104 ++++++++++++++++++++++++++++++++++++--- lib/tpm2_eventlog.h | 4 ++ lib/tpm2_eventlog_yaml.c | 30 +++++++++++ 3 files changed, 130 insertions(+), 8 deletions(-) diff --git a/lib/tpm2_eventlog.c b/lib/tpm2_eventlog.c index f3042394..5e6a4c34 100644 --- a/lib/tpm2_eventlog.c +++ b/lib/tpm2_eventlog.c 
@@ -193,6 +193,86 @@ bool parse_event2(TCG_EVENT_HEADER2 const *eventhdr, size_t buf_size, return true; } +bool parse_sha1_log_event(tpm2_eventlog_context *ctx, TCG_EVENT const *event, size_t size, + size_t *event_size) { + + uint8_t *pcr = NULL; + + /* enough size for the 1.2 event structure */ + if (size < sizeof(*event)) { + LOG_ERR("insufficient size for SpecID event header"); + return false; + } + *event_size = sizeof(*event); + + pcr = ctx->sha1_pcrs[ event->pcrIndex]; + if (pcr) { + tpm2_openssl_pcr_extend(TPM2_ALG_SHA1, pcr, &event->digest[0], 20); + ctx->sha1_used |= (1 << event->pcrIndex); + } + + /* buffer size must be sufficient to hold event and event data */ + if (size < sizeof(*event) + (sizeof(event->event[0]) * + event->eventDataSize)) { + LOG_ERR("insufficient size for SpecID event data"); + return false; + } + *event_size += event->eventDataSize; + return true; +} + +bool foreach_sha1_log_event(tpm2_eventlog_context *ctx, TCG_EVENT const *eventhdr_start, size_t size) { + + if (eventhdr_start == NULL) { + LOG_ERR("invalid parameter"); + return false; + } + + if (size == 0) { + return true; + } + + TCG_EVENT const *eventhdr; + size_t event_size; + bool ret; + + for (eventhdr = eventhdr_start, event_size = 0; + size > 0; + eventhdr = (TCG_EVENT*)((uintptr_t)eventhdr + event_size), + size -= event_size) { + + ret = parse_sha1_log_event(ctx, eventhdr, size, &event_size); + if (!ret) { + return ret; + } + + TCG_EVENT2 *event = (TCG_EVENT2*)((uintptr_t)&eventhdr->eventDataSize); + + /* event header callback */ + if (ctx->log_eventhdr_cb != NULL) { + ret = ctx->log_eventhdr_cb(eventhdr, event_size, ctx->data); + if (ret != true) { + return false; + } + } + + ret = parse_event2body(event, eventhdr->eventType); + if (ret != true) { + return ret; + } + + /* event data callback */ + if (ctx->event2_cb != NULL) { + ret = ctx->event2_cb(event, eventhdr->eventType, ctx->data); + if (ret != true) { + return false; + } + } + } + + return true; +} + bool 
foreach_event2(tpm2_eventlog_context *ctx, TCG_EVENT_HEADER2 const *eventhdr_start, size_t size) { if (eventhdr_start == NULL) { @@ -339,19 +419,27 @@ bool parse_eventlog(tpm2_eventlog_context *ctx, BYTE const *eventlog, size_t siz TCG_EVENT *event = (TCG_EVENT*)eventlog; bool ret; - ret = specid_event(event, size, &next); - if (!ret) { + if (!event) { return false; } - size -= (uintptr_t)next - (uintptr_t)eventlog; - - if (ctx->specid_cb) { - ret = ctx->specid_cb(event, ctx->data); + if (event->eventType == EV_NO_ACTION) { + ret = specid_event(event, size, &next); if (!ret) { return false; } - } - return foreach_event2(ctx, next, size); + size -= (uintptr_t)next - (uintptr_t)eventlog; + + if (ctx->specid_cb) { + ret = ctx->specid_cb(event, ctx->data); + if (!ret) { + return false; + } + } + return foreach_event2(ctx, next, size); + } else { + /* No specid event found. sha1 log format will be parsed. */ + return foreach_sha1_log_event(ctx, event, size); + } } diff --git a/lib/tpm2_eventlog.h b/lib/tpm2_eventlog.h index a425f926..8e801e05 100644 --- a/lib/tpm2_eventlog.h +++ b/lib/tpm2_eventlog.h @@ -16,10 +16,14 @@ typedef bool (*EVENT2_CALLBACK)(TCG_EVENT_HEADER2 const *event_hdr, size_t size, typedef bool (*EVENT2DATA_CALLBACK)(TCG_EVENT2 const *event, UINT32 type, void *data); typedef bool (*SPECID_CALLBACK)(TCG_EVENT const *event, void *data); +typedef bool (*LOG_EVENT_CALLBACK)(TCG_EVENT const *event_hdr, size_t size, + void *data); + typedef struct { void *data; SPECID_CALLBACK specid_cb; + LOG_EVENT_CALLBACK log_eventhdr_cb; EVENT2_CALLBACK event2hdr_cb; DIGEST2_CALLBACK digest2_cb; EVENT2DATA_CALLBACK event2_cb; diff --git a/lib/tpm2_eventlog_yaml.c b/lib/tpm2_eventlog_yaml.c index 4e6b8cff..9f706486 100644 --- a/lib/tpm2_eventlog_yaml.c +++ b/lib/tpm2_eventlog_yaml.c 
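Review bot: parse_sha1_log_event in the `@@ -193,6 +193,86 @@` hunk indexes `ctx->sha1_pcrs[ event->pcrIndex]` with the log's own pcrIndex and no bound against `TPM2_MAX_PCRS`, and the `if (pcr)` that follows is always true because it tests the address of an array row, not a value; the return of `tpm2_openssl_pcr_extend` is dropped, and `(1 << event->pcrIndex)` is a signed shift that is undefined for PCR 31. The two error messages say "SpecID event" although this path handles the SHA1 log event. The rewrite below bounds the index, checks the extend result and uses `TPM2_SHA1_DIGEST_SIZE` in place of the bare `20`. In foreach_sha1_log_event the cast `(TCG_EVENT2*)((uintptr_t)&eventhdr->eventDataSize)` relies on TCG_EVENT2's EventSize/Event layout matching the tail of TCG_EVENT and discards `const` — presumably intended, but a one-line comment stating that layout assumption would help the next reader.
```c
bool parse_sha1_log_event(tpm2_eventlog_context *ctx, TCG_EVENT const *event, size_t size,
                          size_t *event_size) {

    /* enough size for the 1.2 event structure */
    if (size < sizeof(*event)) {
        LOG_ERR("insufficient size for SHA1 log event header");
        return false;
    }
    *event_size = sizeof(*event);

    /* pcrIndex comes from the log; bound it before it indexes ctx->sha1_pcrs */
    if (event->pcrIndex >= TPM2_MAX_PCRS) {
        LOG_ERR("PCR%u > max %d", event->pcrIndex, TPM2_MAX_PCRS);
        return false;
    }
    uint8_t *pcr = ctx->sha1_pcrs[event->pcrIndex];
    if (!tpm2_openssl_pcr_extend(TPM2_ALG_SHA1, pcr, &event->digest[0],
                                 TPM2_SHA1_DIGEST_SIZE)) {
        LOG_ERR("PCR%u extend failed", event->pcrIndex);
        return false;
    }
    ctx->sha1_used |= (1u << event->pcrIndex);

    /* … unchanged: event data size check and *event_size update … */
```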
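Review bot: In the `@@ -339,19 +419,27 @@` hunk `event->eventType` is read before anything has verified that `size` covers a TCG_EVENT header; previously specid_event performed that check before any field was touched, so the new dispatch can read past the end of a short buffer. Add `if (size < sizeof(*event)) { LOG_ERR("insufficient size for event header"); return false; }` ahead of the `EV_NO_ACTION` test. The `if (!event)` check only catches a NULL `eventlog`, since `event` is a cast of it. Note also that any log whose first event is not EV_NO_ACTION is now treated as SHA1 format, so a crypto-agile log with a damaged first event is replayed as SHA1 rather than rejected; a comment on that design choice next to `/* No specid event found. sha1 log format will be parsed. */` would help. parse_eventlog's declaration line is outside the hunk.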
@@ -100,6 +100,17 @@ void yaml_event2hdr(TCG_EVENT_HEADER2 const *eventhdr, size_t size) { return; } +void yaml_sha1_log_eventhdr(TCG_EVENT const *eventhdr, size_t size) { + + (void)size; + + tpm2_tool_output(" PCRIndex: %d\n" + " EventType: %s\n", + eventhdr->pcrIndex, + eventtype_to_string(eventhdr->eventType)); + + return; +} /* converting byte buffer to hex string requires 2x, plus 1 for '\0' */ #define BYTES_TO_HEX_STRING_SIZE(byte_count) (byte_count * 2 + 1) #define DIGEST_HEX_STRING_MAX BYTES_TO_HEX_STRING_SIZE(TPM2_MAX_DIGEST_BUFFER) @@ -293,6 +304,24 @@ bool yaml_event2hdr_callback(TCG_EVENT_HEADER2 const *eventhdr, size_t size, return true; } +bool yaml_sha1_log_eventhdr_callback(TCG_EVENT const *eventhdr, size_t size, + void *data_in) { + + (void)data_in; + + yaml_sha1_log_eventhdr(eventhdr, size); + + char hexstr[20 * 2] = { 0, }; + bytes_to_str(eventhdr->digest, 20, hexstr, sizeof(hexstr)); + + tpm2_tool_output(" DigestCount: 1\n" + " Digests:\n" + " - AlgorithmId: %s\n" + " Digest: %s\n", + tpm2_alg_util_algtostr(TPM2_ALG_SHA1, tpm2_alg_util_flags_hash), + hexstr); + return true; +} void yaml_eventhdr(TCG_EVENT const *event, size_t *count) { /* digest is 20 bytes, 2 chars / byte and null terminator for string*/ @@ -448,6 +477,7 @@ bool yaml_eventlog(UINT8 const *eventlog, size_t size) { .data = &count, .specid_cb = yaml_specid_callback, .event2hdr_cb = yaml_event2hdr_callback, + .log_eventhdr_cb = yaml_sha1_log_eventhdr_callback, .digest2_cb = yaml_digest2_callback, .event2_cb = yaml_event2data_callback, }; -- 2.35.1
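Review bot: In yaml_sha1_log_eventhdr_callback (the `@@ -293,6 +304,24 @@` hunk) `char hexstr[20 * 2]` has no room for the terminating NUL: the file's own `BYTES_TO_HEX_STRING_SIZE` macro, visible in the preceding hunk, and the comment in yaml_eventhdr both size a hex string as `byte_count * 2 + 1`. Depending on how bytes_to_str treats the trailing byte it either drops the last hex pair or writes past the array. Use `char hexstr[BYTES_TO_HEX_STRING_SIZE(TPM2_SHA1_DIGEST_SIZE)] = { 0, };` and `bytes_to_str(eventhdr->digest, TPM2_SHA1_DIGEST_SIZE, hexstr, sizeof(hexstr));` so the buffer and the length come from one constant.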