subject:"\[tpmdd\-devel\] \[PATCH v6 2\/2\] tpm\: enhance TPM 2.0 PCR extend to, support multiple banks"

Re: [tpmdd-devel] [PATCH v6 2/2] tpm: enhance TPM 2.0 PCR extend to, support multiple banks

2017-01-30 Thread Nayna



On 01/26/2017 03:41 AM, Ken Goldman wrote:
>> The current TPM 2.0 device driver extends only the SHA1 PCR bank
>> but the TCG Specification[1] recommends extending all active PCR
>> banks, to prevent malicious users from setting unused PCR banks with
>> fake measurements and quoting them.
>>
>> The existing in-kernel interface(tpm_pcr_extend()) expects only a
>> SHA1 digest.  To extend all active PCR banks with differing
>> digest sizes, the SHA1 digest is padded with trailing 0's as needed.
>>
>> This patch reuses the defined digest sizes from the crypto subsystem,
>> adding a dependency on CRYPTO_HASH_INFO module.
>>
>> [1] TPM 2.0 Specification referred here is "TCG PC Client Specific
>> Platform Firmware Profile for TPM 2.0"
>
> Tested-by: Kenneth Goldman 
>
> I obtained an IMA event log from a Power platform, along with the PCR 10
> value from both the SHA-1 and SHA-256 banks of its Nuvoton TPM 2.0.  I
> independently validated that the event log matches the TPM PCR values.

Thank You Ken !!

Thanks & Regards,
- Nayna

>
>
> --
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> ___
> tpmdd-devel mailing list
> tpmdd-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/tpmdd-devel
>


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
tpmdd-devel mailing list
tpmdd-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tpmdd-devel

[tpmdd-devel] [PATCH v6 2/2] tpm: enhance TPM 2.0 PCR extend to, support multiple banks

2017-01-25 Thread Ken Goldman

> The current TPM 2.0 device driver extends only the SHA1 PCR bank
> but the TCG Specification[1] recommends extending all active PCR
> banks, to prevent malicious users from setting unused PCR banks with
> fake measurements and quoting them.
>
> The existing in-kernel interface(tpm_pcr_extend()) expects only a
> SHA1 digest.  To extend all active PCR banks with differing
> digest sizes, the SHA1 digest is padded with trailing 0's as needed.
>
> This patch reuses the defined digest sizes from the crypto subsystem,
> adding a dependency on CRYPTO_HASH_INFO module.
>
> [1] TPM 2.0 Specification referred here is "TCG PC Client Specific
> Platform Firmware Profile for TPM 2.0"

Tested-by: Kenneth Goldman 

I obtained an IMA event log from a Power platform, along with the PCR 10 
value from both the SHA-1 and SHA-256 banks of its Nuvoton TPM 2.0.  I 
independently validated that the event log matches the TPM PCR values.


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
tpmdd-devel mailing list
tpmdd-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tpmdd-devel

Re: [tpmdd-devel] [PATCH v6 2/2] tpm: enhance TPM 2.0 PCR extend to support multiple banks

2017-01-25 Thread Jarkko Sakkinen

On Tue, Jan 24, 2017 at 06:34:54PM +0530, Nayna wrote:
> 
> 
> On 01/24/2017 05:29 PM, Jarkko Sakkinen wrote:
> > On Mon, Jan 23, 2017 at 10:11:48PM +0530, Nayna wrote:
> > > 
> > > 
> > > On 01/23/2017 08:49 PM, Jarkko Sakkinen wrote:
> > > > On Fri, Jan 20, 2017 at 12:05:13PM -0500, Nayna Jain wrote:
> > > > > The current TPM 2.0 device driver extends only the SHA1 PCR bank
> > > > > but the TCG Specification[1] recommends extending all active PCR
> > > > > banks, to prevent malicious users from setting unused PCR banks with
> > > > > fake measurements and quoting them.
> > > > > 
> > > > > The existing in-kernel interface(tpm_pcr_extend()) expects only a
> > > > > SHA1 digest.  To extend all active PCR banks with differing
> > > > > digest sizes, the SHA1 digest is padded with trailing 0's as needed.
> > > > > 
> > > > > This patch reuses the defined digest sizes from the crypto subsystem,
> > > > > adding a dependency on CRYPTO_HASH_INFO module.
> > > > > 
> > > > > [1] TPM 2.0 Specification referred here is "TCG PC Client Specific
> > > > > Platform Firmware Profile for TPM 2.0"
> > > > > 
> > > > > Signed-off-by: Nayna Jain 
> > > > > Reviewed-by: Jarkko Sakkinen 
> > > > > ---
> > > > >drivers/char/tpm/Kconfig |  1 +
> > > > >drivers/char/tpm/tpm-interface.c | 15 ++-
> > > > >drivers/char/tpm/tpm.h   |  3 +-
> > > > >drivers/char/tpm/tpm2-cmd.c  | 91 
> > > > > +---
> > > > >drivers/char/tpm/tpm_eventlog.h  |  7 
> > > > >5 files changed, 73 insertions(+), 44 deletions(-)
> > > > > 
> > > > > diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig
> > > > > index 277186d..af985cc 100644
> > > > > --- a/drivers/char/tpm/Kconfig
> > > > > +++ b/drivers/char/tpm/Kconfig
> > > > > @@ -6,6 +6,7 @@ menuconfig TCG_TPM
> > > > >   tristate "TPM Hardware Support"
> > > > >   depends on HAS_IOMEM
> > > > >   select SECURITYFS
> > > > > + select CRYPTO_HASH_INFO
> > > > >   ---help---
> > > > > If you have a TPM security chip in your system, which
> > > > > implements the Trusted Computing Group's specification,
> > > > > diff --git a/drivers/char/tpm/tpm-interface.c 
> > > > > b/drivers/char/tpm/tpm-interface.c
> > > > > index a3461cb..cf959c3 100644
> > > > > --- a/drivers/char/tpm/tpm-interface.c
> > > > > +++ b/drivers/char/tpm/tpm-interface.c
> > > > > @@ -772,13 +772,26 @@ int tpm_pcr_extend(u32 chip_num, int pcr_idx, 
> > > > > const u8 *hash)
> > > > >   struct tpm_cmd_t cmd;
> > > > >   int rc;
> > > > >   struct tpm_chip *chip;
> > > > > + int max_active_banks = ARRAY_SIZE(chip->active_banks);
> > > > > + struct tpm2_digest digest_list[max_active_banks];
> > > > > + u32 count = 0;
> > > > > + int i;
> > > > > 
> > > > >   chip = tpm_chip_find_get(chip_num);
> > > > >   if (chip == NULL)
> > > > >   return -ENODEV;
> > > > > 
> > > > >   if (chip->flags & TPM_CHIP_FLAG_TPM2) {
> > > > > - rc = tpm2_pcr_extend(chip, pcr_idx, hash);
> > > > > + memset(digest_list, 0, sizeof(digest_list));
> > > > > +
> > > > > + for (i = 0; (chip->active_banks[i] != TPM2_ALG_ERROR) &&
> > > > > +  (i < max_active_banks); i++) {
> > > > > + digest_list[i].alg_id = chip->active_banks[i];
> > > > > + memcpy(digest_list[i].digest, hash, 
> > > > > TPM_DIGEST_SIZE);
> > > > > + count++;
> > > > > + }
> > > > > +
> > > > > + rc = tpm2_pcr_extend(chip, pcr_idx, count, digest_list);
> > > > >   tpm_put_ops(chip);
> > > > >   return rc;
> > > > >   }
> > > > > diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h
> > > > > index c291f19..07a0677 100644
> > > > > --- a/drivers/char/tpm/tpm.h
> > > > > +++ b/drivers/char/tpm/tpm.h
> > > > > @@ -534,7 +534,8 @@ static inline void tpm_add_ppi(struct tpm_chip 
> > > > > *chip)
> > > > >#endif
> > > > > 
> > > > >int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf);
> > > > > -int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, const u8 
> > > > > *hash);
> > > > > +int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, u32 count,
> > > > > + struct tpm2_digest *digests);
> > > > >int tpm2_get_random(struct tpm_chip *chip, u8 *out, size_t max);
> > > > >int tpm2_seal_trusted(struct tpm_chip *chip,
> > > > > struct trusted_key_payload *payload,
> > > > > diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
> > > > > index 0e000a3..d78adb8 100644
> > > > > --- a/drivers/char/tpm/tpm2-cmd.c
> > > > > +++ b/drivers/char/tpm/tpm2-cmd.c
> > > > > @@ -53,22 +53,6 @@ struct tpm2_pcr_read_out {
> > > > >   u8  digest[TPM_DIGEST_SIZE];
> > > > >} __packed;
> > > > > 
> > > > > -struct

Re: [tpmdd-devel] [PATCH v6 2/2] tpm: enhance TPM 2.0 PCR extend to support multiple banks

2017-01-24 Thread Nayna



On 01/24/2017 05:29 PM, Jarkko Sakkinen wrote:
> On Mon, Jan 23, 2017 at 10:11:48PM +0530, Nayna wrote:
>>
>>
>> On 01/23/2017 08:49 PM, Jarkko Sakkinen wrote:
>>> On Fri, Jan 20, 2017 at 12:05:13PM -0500, Nayna Jain wrote:
 The current TPM 2.0 device driver extends only the SHA1 PCR bank
 but the TCG Specification[1] recommends extending all active PCR
 banks, to prevent malicious users from setting unused PCR banks with
 fake measurements and quoting them.

 The existing in-kernel interface(tpm_pcr_extend()) expects only a
 SHA1 digest.  To extend all active PCR banks with differing
 digest sizes, the SHA1 digest is padded with trailing 0's as needed.

 This patch reuses the defined digest sizes from the crypto subsystem,
 adding a dependency on CRYPTO_HASH_INFO module.

 [1] TPM 2.0 Specification referred here is "TCG PC Client Specific
 Platform Firmware Profile for TPM 2.0"

 Signed-off-by: Nayna Jain 
 Reviewed-by: Jarkko Sakkinen 
 ---
drivers/char/tpm/Kconfig |  1 +
drivers/char/tpm/tpm-interface.c | 15 ++-
drivers/char/tpm/tpm.h   |  3 +-
drivers/char/tpm/tpm2-cmd.c  | 91 
 +---
drivers/char/tpm/tpm_eventlog.h  |  7 
5 files changed, 73 insertions(+), 44 deletions(-)

 diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig
 index 277186d..af985cc 100644
 --- a/drivers/char/tpm/Kconfig
 +++ b/drivers/char/tpm/Kconfig
 @@ -6,6 +6,7 @@ menuconfig TCG_TPM
tristate "TPM Hardware Support"
depends on HAS_IOMEM
select SECURITYFS
 +  select CRYPTO_HASH_INFO
---help---
  If you have a TPM security chip in your system, which
  implements the Trusted Computing Group's specification,
 diff --git a/drivers/char/tpm/tpm-interface.c 
 b/drivers/char/tpm/tpm-interface.c
 index a3461cb..cf959c3 100644
 --- a/drivers/char/tpm/tpm-interface.c
 +++ b/drivers/char/tpm/tpm-interface.c
 @@ -772,13 +772,26 @@ int tpm_pcr_extend(u32 chip_num, int pcr_idx, const 
 u8 *hash)
struct tpm_cmd_t cmd;
int rc;
struct tpm_chip *chip;
 +  int max_active_banks = ARRAY_SIZE(chip->active_banks);
 +  struct tpm2_digest digest_list[max_active_banks];
 +  u32 count = 0;
 +  int i;

chip = tpm_chip_find_get(chip_num);
if (chip == NULL)
return -ENODEV;

if (chip->flags & TPM_CHIP_FLAG_TPM2) {
 -  rc = tpm2_pcr_extend(chip, pcr_idx, hash);
 +  memset(digest_list, 0, sizeof(digest_list));
 +
 +  for (i = 0; (chip->active_banks[i] != TPM2_ALG_ERROR) &&
 +   (i < max_active_banks); i++) {
 +  digest_list[i].alg_id = chip->active_banks[i];
 +  memcpy(digest_list[i].digest, hash, TPM_DIGEST_SIZE);
 +  count++;
 +  }
 +
 +  rc = tpm2_pcr_extend(chip, pcr_idx, count, digest_list);
tpm_put_ops(chip);
return rc;
}
 diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h
 index c291f19..07a0677 100644
 --- a/drivers/char/tpm/tpm.h
 +++ b/drivers/char/tpm/tpm.h
 @@ -534,7 +534,8 @@ static inline void tpm_add_ppi(struct tpm_chip *chip)
#endif

int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf);
 -int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, const u8 *hash);
 +int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, u32 count,
 +  struct tpm2_digest *digests);
int tpm2_get_random(struct tpm_chip *chip, u8 *out, size_t max);
int tpm2_seal_trusted(struct tpm_chip *chip,
  struct trusted_key_payload *payload,
 diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
 index 0e000a3..d78adb8 100644
 --- a/drivers/char/tpm/tpm2-cmd.c
 +++ b/drivers/char/tpm/tpm2-cmd.c
 @@ -53,22 +53,6 @@ struct tpm2_pcr_read_out {
u8  digest[TPM_DIGEST_SIZE];
} __packed;

 -struct tpm2_null_auth_area {
 -  __be32  handle;
 -  __be16  nonce_size;
 -  u8  attributes;
 -  __be16  auth_size;
 -} __packed;
 -
 -struct tpm2_pcr_extend_in {
 -  __be32  pcr_idx;
 -  __be32  auth_area_size;
 -  struct tpm2_null_auth_area  auth_area;
 -  __be32  digest_cnt;
 -  __be16  hash_alg;
 -  u8

Re: [tpmdd-devel] [PATCH v6 2/2] tpm: enhance TPM 2.0 PCR extend to support multiple banks

2017-01-24 Thread Jarkko Sakkinen

On Mon, Jan 23, 2017 at 10:11:48PM +0530, Nayna wrote:
> 
> 
> On 01/23/2017 08:49 PM, Jarkko Sakkinen wrote:
> > On Fri, Jan 20, 2017 at 12:05:13PM -0500, Nayna Jain wrote:
> > > The current TPM 2.0 device driver extends only the SHA1 PCR bank
> > > but the TCG Specification[1] recommends extending all active PCR
> > > banks, to prevent malicious users from setting unused PCR banks with
> > > fake measurements and quoting them.
> > > 
> > > The existing in-kernel interface(tpm_pcr_extend()) expects only a
> > > SHA1 digest.  To extend all active PCR banks with differing
> > > digest sizes, the SHA1 digest is padded with trailing 0's as needed.
> > > 
> > > This patch reuses the defined digest sizes from the crypto subsystem,
> > > adding a dependency on CRYPTO_HASH_INFO module.
> > > 
> > > [1] TPM 2.0 Specification referred here is "TCG PC Client Specific
> > > Platform Firmware Profile for TPM 2.0"
> > > 
> > > Signed-off-by: Nayna Jain 
> > > Reviewed-by: Jarkko Sakkinen 
> > > ---
> > >   drivers/char/tpm/Kconfig |  1 +
> > >   drivers/char/tpm/tpm-interface.c | 15 ++-
> > >   drivers/char/tpm/tpm.h   |  3 +-
> > >   drivers/char/tpm/tpm2-cmd.c  | 91 
> > > +---
> > >   drivers/char/tpm/tpm_eventlog.h  |  7 
> > >   5 files changed, 73 insertions(+), 44 deletions(-)
> > > 
> > > diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig
> > > index 277186d..af985cc 100644
> > > --- a/drivers/char/tpm/Kconfig
> > > +++ b/drivers/char/tpm/Kconfig
> > > @@ -6,6 +6,7 @@ menuconfig TCG_TPM
> > >   tristate "TPM Hardware Support"
> > >   depends on HAS_IOMEM
> > >   select SECURITYFS
> > > + select CRYPTO_HASH_INFO
> > >   ---help---
> > > If you have a TPM security chip in your system, which
> > > implements the Trusted Computing Group's specification,
> > > diff --git a/drivers/char/tpm/tpm-interface.c 
> > > b/drivers/char/tpm/tpm-interface.c
> > > index a3461cb..cf959c3 100644
> > > --- a/drivers/char/tpm/tpm-interface.c
> > > +++ b/drivers/char/tpm/tpm-interface.c
> > > @@ -772,13 +772,26 @@ int tpm_pcr_extend(u32 chip_num, int pcr_idx, const 
> > > u8 *hash)
> > >   struct tpm_cmd_t cmd;
> > >   int rc;
> > >   struct tpm_chip *chip;
> > > + int max_active_banks = ARRAY_SIZE(chip->active_banks);
> > > + struct tpm2_digest digest_list[max_active_banks];
> > > + u32 count = 0;
> > > + int i;
> > > 
> > >   chip = tpm_chip_find_get(chip_num);
> > >   if (chip == NULL)
> > >   return -ENODEV;
> > > 
> > >   if (chip->flags & TPM_CHIP_FLAG_TPM2) {
> > > - rc = tpm2_pcr_extend(chip, pcr_idx, hash);
> > > + memset(digest_list, 0, sizeof(digest_list));
> > > +
> > > + for (i = 0; (chip->active_banks[i] != TPM2_ALG_ERROR) &&
> > > +  (i < max_active_banks); i++) {
> > > + digest_list[i].alg_id = chip->active_banks[i];
> > > + memcpy(digest_list[i].digest, hash, TPM_DIGEST_SIZE);
> > > + count++;
> > > + }
> > > +
> > > + rc = tpm2_pcr_extend(chip, pcr_idx, count, digest_list);
> > >   tpm_put_ops(chip);
> > >   return rc;
> > >   }
> > > diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h
> > > index c291f19..07a0677 100644
> > > --- a/drivers/char/tpm/tpm.h
> > > +++ b/drivers/char/tpm/tpm.h
> > > @@ -534,7 +534,8 @@ static inline void tpm_add_ppi(struct tpm_chip *chip)
> > >   #endif
> > > 
> > >   int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf);
> > > -int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, const u8 *hash);
> > > +int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, u32 count,
> > > + struct tpm2_digest *digests);
> > >   int tpm2_get_random(struct tpm_chip *chip, u8 *out, size_t max);
> > >   int tpm2_seal_trusted(struct tpm_chip *chip,
> > > struct trusted_key_payload *payload,
> > > diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
> > > index 0e000a3..d78adb8 100644
> > > --- a/drivers/char/tpm/tpm2-cmd.c
> > > +++ b/drivers/char/tpm/tpm2-cmd.c
> > > @@ -53,22 +53,6 @@ struct tpm2_pcr_read_out {
> > >   u8  digest[TPM_DIGEST_SIZE];
> > >   } __packed;
> > > 
> > > -struct tpm2_null_auth_area {
> > > - __be32  handle;
> > > - __be16  nonce_size;
> > > - u8  attributes;
> > > - __be16  auth_size;
> > > -} __packed;
> > > -
> > > -struct tpm2_pcr_extend_in {
> > > - __be32  pcr_idx;
> > > - __be32  auth_area_size;
> > > - struct tpm2_null_auth_area  auth_area;
> > > - __be32  digest_cnt;
> > > - __be16  hash_alg;
> > > - u8

Re: [tpmdd-devel] [PATCH v6 2/2] tpm: enhance TPM 2.0 PCR extend to support multiple banks

2017-01-23 Thread Nayna



On 01/23/2017 08:49 PM, Jarkko Sakkinen wrote:
> On Fri, Jan 20, 2017 at 12:05:13PM -0500, Nayna Jain wrote:
>> The current TPM 2.0 device driver extends only the SHA1 PCR bank
>> but the TCG Specification[1] recommends extending all active PCR
>> banks, to prevent malicious users from setting unused PCR banks with
>> fake measurements and quoting them.
>>
>> The existing in-kernel interface(tpm_pcr_extend()) expects only a
>> SHA1 digest.  To extend all active PCR banks with differing
>> digest sizes, the SHA1 digest is padded with trailing 0's as needed.
>>
>> This patch reuses the defined digest sizes from the crypto subsystem,
>> adding a dependency on CRYPTO_HASH_INFO module.
>>
>> [1] TPM 2.0 Specification referred here is "TCG PC Client Specific
>> Platform Firmware Profile for TPM 2.0"
>>
>> Signed-off-by: Nayna Jain 
>> Reviewed-by: Jarkko Sakkinen 
>> ---
>>   drivers/char/tpm/Kconfig |  1 +
>>   drivers/char/tpm/tpm-interface.c | 15 ++-
>>   drivers/char/tpm/tpm.h   |  3 +-
>>   drivers/char/tpm/tpm2-cmd.c  | 91 
>> +---
>>   drivers/char/tpm/tpm_eventlog.h  |  7 
>>   5 files changed, 73 insertions(+), 44 deletions(-)
>>
>> diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig
>> index 277186d..af985cc 100644
>> --- a/drivers/char/tpm/Kconfig
>> +++ b/drivers/char/tpm/Kconfig
>> @@ -6,6 +6,7 @@ menuconfig TCG_TPM
>>  tristate "TPM Hardware Support"
>>  depends on HAS_IOMEM
>>  select SECURITYFS
>> +select CRYPTO_HASH_INFO
>>  ---help---
>>If you have a TPM security chip in your system, which
>>implements the Trusted Computing Group's specification,
>> diff --git a/drivers/char/tpm/tpm-interface.c 
>> b/drivers/char/tpm/tpm-interface.c
>> index a3461cb..cf959c3 100644
>> --- a/drivers/char/tpm/tpm-interface.c
>> +++ b/drivers/char/tpm/tpm-interface.c
>> @@ -772,13 +772,26 @@ int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 
>> *hash)
>>  struct tpm_cmd_t cmd;
>>  int rc;
>>  struct tpm_chip *chip;
>> +int max_active_banks = ARRAY_SIZE(chip->active_banks);
>> +struct tpm2_digest digest_list[max_active_banks];
>> +u32 count = 0;
>> +int i;
>>
>>  chip = tpm_chip_find_get(chip_num);
>>  if (chip == NULL)
>>  return -ENODEV;
>>
>>  if (chip->flags & TPM_CHIP_FLAG_TPM2) {
>> -rc = tpm2_pcr_extend(chip, pcr_idx, hash);
>> +memset(digest_list, 0, sizeof(digest_list));
>> +
>> +for (i = 0; (chip->active_banks[i] != TPM2_ALG_ERROR) &&
>> + (i < max_active_banks); i++) {
>> +digest_list[i].alg_id = chip->active_banks[i];
>> +memcpy(digest_list[i].digest, hash, TPM_DIGEST_SIZE);
>> +count++;
>> +}
>> +
>> +rc = tpm2_pcr_extend(chip, pcr_idx, count, digest_list);
>>  tpm_put_ops(chip);
>>  return rc;
>>  }
>> diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h
>> index c291f19..07a0677 100644
>> --- a/drivers/char/tpm/tpm.h
>> +++ b/drivers/char/tpm/tpm.h
>> @@ -534,7 +534,8 @@ static inline void tpm_add_ppi(struct tpm_chip *chip)
>>   #endif
>>
>>   int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf);
>> -int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, const u8 *hash);
>> +int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, u32 count,
>> +struct tpm2_digest *digests);
>>   int tpm2_get_random(struct tpm_chip *chip, u8 *out, size_t max);
>>   int tpm2_seal_trusted(struct tpm_chip *chip,
>>struct trusted_key_payload *payload,
>> diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
>> index 0e000a3..d78adb8 100644
>> --- a/drivers/char/tpm/tpm2-cmd.c
>> +++ b/drivers/char/tpm/tpm2-cmd.c
>> @@ -53,22 +53,6 @@ struct tpm2_pcr_read_out {
>>  u8  digest[TPM_DIGEST_SIZE];
>>   } __packed;
>>
>> -struct tpm2_null_auth_area {
>> -__be32  handle;
>> -__be16  nonce_size;
>> -u8  attributes;
>> -__be16  auth_size;
>> -} __packed;
>> -
>> -struct tpm2_pcr_extend_in {
>> -__be32  pcr_idx;
>> -__be32  auth_area_size;
>> -struct tpm2_null_auth_area  auth_area;
>> -__be32  digest_cnt;
>> -__be16  hash_alg;
>> -u8  digest[TPM_DIGEST_SIZE];
>> -} __packed;
>> -
>>   struct tpm2_get_tpm_pt_in {
>>  __be32  cap_id;
>>  __be32  property_id;
>> @@ -97,7 +81,6 @@ union tpm2_cmd_params {
>>  struct  tpm2_self_test_in   selftest_in;
>>  struct  tpm2_pcr_read_inpcrread_in;
>>  struct  tpm2_pcr_read_out   pcrread_out;
>> -struct  tpm2_pcr_extend_in  pcrextend_in;
>>

Re: [tpmdd-devel] [PATCH v6 2/2] tpm: enhance TPM 2.0 PCR extend to support multiple banks

2017-01-23 Thread Jarkko Sakkinen

On Fri, Jan 20, 2017 at 12:05:13PM -0500, Nayna Jain wrote:
> The current TPM 2.0 device driver extends only the SHA1 PCR bank
> but the TCG Specification[1] recommends extending all active PCR
> banks, to prevent malicious users from setting unused PCR banks with
> fake measurements and quoting them.
> 
> The existing in-kernel interface(tpm_pcr_extend()) expects only a
> SHA1 digest.  To extend all active PCR banks with differing
> digest sizes, the SHA1 digest is padded with trailing 0's as needed.
> 
> This patch reuses the defined digest sizes from the crypto subsystem,
> adding a dependency on CRYPTO_HASH_INFO module.
> 
> [1] TPM 2.0 Specification referred here is "TCG PC Client Specific
> Platform Firmware Profile for TPM 2.0"
> 
> Signed-off-by: Nayna Jain 
> Reviewed-by: Jarkko Sakkinen 
> ---
>  drivers/char/tpm/Kconfig |  1 +
>  drivers/char/tpm/tpm-interface.c | 15 ++-
>  drivers/char/tpm/tpm.h   |  3 +-
>  drivers/char/tpm/tpm2-cmd.c  | 91 
> +---
>  drivers/char/tpm/tpm_eventlog.h  |  7 
>  5 files changed, 73 insertions(+), 44 deletions(-)
> 
> diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig
> index 277186d..af985cc 100644
> --- a/drivers/char/tpm/Kconfig
> +++ b/drivers/char/tpm/Kconfig
> @@ -6,6 +6,7 @@ menuconfig TCG_TPM
>   tristate "TPM Hardware Support"
>   depends on HAS_IOMEM
>   select SECURITYFS
> + select CRYPTO_HASH_INFO
>   ---help---
> If you have a TPM security chip in your system, which
> implements the Trusted Computing Group's specification,
> diff --git a/drivers/char/tpm/tpm-interface.c 
> b/drivers/char/tpm/tpm-interface.c
> index a3461cb..cf959c3 100644
> --- a/drivers/char/tpm/tpm-interface.c
> +++ b/drivers/char/tpm/tpm-interface.c
> @@ -772,13 +772,26 @@ int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 
> *hash)
>   struct tpm_cmd_t cmd;
>   int rc;
>   struct tpm_chip *chip;
> + int max_active_banks = ARRAY_SIZE(chip->active_banks);
> + struct tpm2_digest digest_list[max_active_banks];
> + u32 count = 0;
> + int i;
>  
>   chip = tpm_chip_find_get(chip_num);
>   if (chip == NULL)
>   return -ENODEV;
>  
>   if (chip->flags & TPM_CHIP_FLAG_TPM2) {
> - rc = tpm2_pcr_extend(chip, pcr_idx, hash);
> + memset(digest_list, 0, sizeof(digest_list));
> +
> + for (i = 0; (chip->active_banks[i] != TPM2_ALG_ERROR) &&
> +  (i < max_active_banks); i++) {
> + digest_list[i].alg_id = chip->active_banks[i];
> + memcpy(digest_list[i].digest, hash, TPM_DIGEST_SIZE);
> + count++;
> + }
> +
> + rc = tpm2_pcr_extend(chip, pcr_idx, count, digest_list);
>   tpm_put_ops(chip);
>   return rc;
>   }
> diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h
> index c291f19..07a0677 100644
> --- a/drivers/char/tpm/tpm.h
> +++ b/drivers/char/tpm/tpm.h
> @@ -534,7 +534,8 @@ static inline void tpm_add_ppi(struct tpm_chip *chip)
>  #endif
>  
>  int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf);
> -int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, const u8 *hash);
> +int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, u32 count,
> + struct tpm2_digest *digests);
>  int tpm2_get_random(struct tpm_chip *chip, u8 *out, size_t max);
>  int tpm2_seal_trusted(struct tpm_chip *chip,
> struct trusted_key_payload *payload,
> diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
> index 0e000a3..d78adb8 100644
> --- a/drivers/char/tpm/tpm2-cmd.c
> +++ b/drivers/char/tpm/tpm2-cmd.c
> @@ -53,22 +53,6 @@ struct tpm2_pcr_read_out {
>   u8  digest[TPM_DIGEST_SIZE];
>  } __packed;
>  
> -struct tpm2_null_auth_area {
> - __be32  handle;
> - __be16  nonce_size;
> - u8  attributes;
> - __be16  auth_size;
> -} __packed;
> -
> -struct tpm2_pcr_extend_in {
> - __be32  pcr_idx;
> - __be32  auth_area_size;
> - struct tpm2_null_auth_area  auth_area;
> - __be32  digest_cnt;
> - __be16  hash_alg;
> - u8  digest[TPM_DIGEST_SIZE];
> -} __packed;
> -
>  struct tpm2_get_tpm_pt_in {
>   __be32  cap_id;
>   __be32  property_id;
> @@ -97,7 +81,6 @@ union tpm2_cmd_params {
>   struct  tpm2_self_test_in   selftest_in;
>   struct  tpm2_pcr_read_inpcrread_in;
>   struct  tpm2_pcr_read_out   pcrread_out;
> - struct  tpm2_pcr_extend_in  pcrextend_in;
>   struct  tpm2_get_tpm_pt_in  get_tpm_pt_in;
>   struct  tpm2_get_tpm_pt_out get_tpm_pt_out;
>   struct

[tpmdd-devel] [PATCH v6 2/2] tpm: enhance TPM 2.0 PCR extend to support multiple banks

2017-01-20 Thread Nayna Jain

The current TPM 2.0 device driver extends only the SHA1 PCR bank
but the TCG Specification[1] recommends extending all active PCR
banks, to prevent malicious users from setting unused PCR banks with
fake measurements and quoting them.

The existing in-kernel interface(tpm_pcr_extend()) expects only a
SHA1 digest.  To extend all active PCR banks with differing
digest sizes, the SHA1 digest is padded with trailing 0's as needed.

This patch reuses the defined digest sizes from the crypto subsystem,
adding a dependency on CRYPTO_HASH_INFO module.

[1] TPM 2.0 Specification referred here is "TCG PC Client Specific
Platform Firmware Profile for TPM 2.0"

Signed-off-by: Nayna Jain 
Reviewed-by: Jarkko Sakkinen 
---
 drivers/char/tpm/Kconfig |  1 +
 drivers/char/tpm/tpm-interface.c | 15 ++-
 drivers/char/tpm/tpm.h   |  3 +-
 drivers/char/tpm/tpm2-cmd.c  | 91 +---
 drivers/char/tpm/tpm_eventlog.h  |  7 
 5 files changed, 73 insertions(+), 44 deletions(-)

diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig
index 277186d..af985cc 100644
--- a/drivers/char/tpm/Kconfig
+++ b/drivers/char/tpm/Kconfig
@@ -6,6 +6,7 @@ menuconfig TCG_TPM
tristate "TPM Hardware Support"
depends on HAS_IOMEM
select SECURITYFS
+   select CRYPTO_HASH_INFO
---help---
  If you have a TPM security chip in your system, which
  implements the Trusted Computing Group's specification,
diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c
index a3461cb..cf959c3 100644
--- a/drivers/char/tpm/tpm-interface.c
+++ b/drivers/char/tpm/tpm-interface.c
@@ -772,13 +772,26 @@ int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 
*hash)
struct tpm_cmd_t cmd;
int rc;
struct tpm_chip *chip;
+   int max_active_banks = ARRAY_SIZE(chip->active_banks);
+   struct tpm2_digest digest_list[max_active_banks];
+   u32 count = 0;
+   int i;
 
chip = tpm_chip_find_get(chip_num);
if (chip == NULL)
return -ENODEV;
 
if (chip->flags & TPM_CHIP_FLAG_TPM2) {
-   rc = tpm2_pcr_extend(chip, pcr_idx, hash);
+   memset(digest_list, 0, sizeof(digest_list));
+
+   for (i = 0; (chip->active_banks[i] != TPM2_ALG_ERROR) &&
+(i < max_active_banks); i++) {
+   digest_list[i].alg_id = chip->active_banks[i];
+   memcpy(digest_list[i].digest, hash, TPM_DIGEST_SIZE);
+   count++;
+   }
+
+   rc = tpm2_pcr_extend(chip, pcr_idx, count, digest_list);
tpm_put_ops(chip);
return rc;
}
diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h
index c291f19..07a0677 100644
--- a/drivers/char/tpm/tpm.h
+++ b/drivers/char/tpm/tpm.h
@@ -534,7 +534,8 @@ static inline void tpm_add_ppi(struct tpm_chip *chip)
 #endif
 
 int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf);
-int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, const u8 *hash);
+int tpm2_pcr_extend(struct tpm_chip *chip, int pcr_idx, u32 count,
+   struct tpm2_digest *digests);
 int tpm2_get_random(struct tpm_chip *chip, u8 *out, size_t max);
 int tpm2_seal_trusted(struct tpm_chip *chip,
  struct trusted_key_payload *payload,
diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
index 0e000a3..d78adb8 100644
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -53,22 +53,6 @@ struct tpm2_pcr_read_out {
u8  digest[TPM_DIGEST_SIZE];
 } __packed;
 
-struct tpm2_null_auth_area {
-   __be32  handle;
-   __be16  nonce_size;
-   u8  attributes;
-   __be16  auth_size;
-} __packed;
-
-struct tpm2_pcr_extend_in {
-   __be32  pcr_idx;
-   __be32  auth_area_size;
-   struct tpm2_null_auth_area  auth_area;
-   __be32  digest_cnt;
-   __be16  hash_alg;
-   u8  digest[TPM_DIGEST_SIZE];
-} __packed;
-
 struct tpm2_get_tpm_pt_in {
__be32  cap_id;
__be32  property_id;
@@ -97,7 +81,6 @@ union tpm2_cmd_params {
struct  tpm2_self_test_in   selftest_in;
struct  tpm2_pcr_read_inpcrread_in;
struct  tpm2_pcr_read_out   pcrread_out;
-   struct  tpm2_pcr_extend_in  pcrextend_in;
struct  tpm2_get_tpm_pt_in  get_tpm_pt_in;
struct  tpm2_get_tpm_pt_out get_tpm_pt_out;
struct  tpm2_get_random_in  getrandom_in;
@@ -290,46 +273,68 @@ int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 
*res_buf)
return rc;
 }
 
-#define TPM2_GET_PCREXTEND_IN_SIZE \
-

Re: [tpmdd-devel] [PATCH v6 2/2] tpm: enhance TPM 2.0 PCR extend to, support multiple banks

[tpmdd-devel] [PATCH v6 2/2] tpm: enhance TPM 2.0 PCR extend to, support multiple banks

Re: [tpmdd-devel] [PATCH v6 2/2] tpm: enhance TPM 2.0 PCR extend to support multiple banks

Re: [tpmdd-devel] [PATCH v6 2/2] tpm: enhance TPM 2.0 PCR extend to support multiple banks

Re: [tpmdd-devel] [PATCH v6 2/2] tpm: enhance TPM 2.0 PCR extend to support multiple banks

Re: [tpmdd-devel] [PATCH v6 2/2] tpm: enhance TPM 2.0 PCR extend to support multiple banks

Re: [tpmdd-devel] [PATCH v6 2/2] tpm: enhance TPM 2.0 PCR extend to support multiple banks

[tpmdd-devel] [PATCH v6 2/2] tpm: enhance TPM 2.0 PCR extend to support multiple banks

8 matches

Site Navigation

Mail list logo

Footer information