Hi Lukasz,
I am trying to add PCONF element type support to lcptools-v2. It can work with
tpm2-tools to generate a PCONF element using the following commands:

sudo tpm2_pcrlist -L sha256:0,1,2,3,4,5,6,7 --tcti=device | awk 'NR!=1 {print $3}' | sed 's/0x//g' | sed -E 's/(.{2})/\1\ /g' > pcr
lcp2_crtpolelt --create --type pconf --alg sha256 --pcr_hash sha256 --pcr 0,1,2,3,4,5,6,7 --ctrl 0x00 --out pconf.elt pcr
Regards,
Dirk
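Added worked example (editor's addition, not part of Dirk's message and not code from the tboot tree): a stand-alone Python script that does independently what the pipeline plus lcp2_crtpolelt above rely on. It parses the one-PCR-per-line, space-separated hex file the awk/sed pipeline writes, validates the --pcr list strictly, and computes the composite digest the way the patch's create() does (selected PCR values concatenated in ascending PCR order, hashed with the element algorithm), so the digest printed by the tool's --show output can be cross-checked. The serialised element body mirrors the patch's layout (host-order LCP fields, big-endian TPM fields) and is an assumption about that layout, not taken from the LCP specification; the PCR values are constructed sample data, not PCRs from any real machine; TPM_ALG_ID values are the TCG-registered ones.

```python
"""Cross-check the inputs of a PCONF element built from a tpm2_pcrlist dump.
Added example; it is not tboot or lcptools-v2 code."""
import hashlib
import struct

# TCG-registered TPM_ALG_ID values for the hash algorithms the tools accept.
TPM_ALG_ID = {"sha1": 0x0004, "sha256": 0x000B, "sha384": 0x000C, "sha512": 0x000D}
HASH_SIZE = {"sha1": 20, "sha256": 32, "sha384": 48, "sha512": 64}

# Constructed sample standing in for the 'pcr' file written by the pipeline:
# eight fake SHA-256 values, one per line, as space-separated byte pairs with
# the trailing space that sed leaves (not real PCR values).
SAMPLE_PCR_FILE = "".join(
    " ".join("%02x" % ((17 * i + j) & 0xFF) for j in range(32)) + " \n"
    for i in range(8)
)


def parse_pcr_list(spec):
    """Turn '0,1,2,3' into the 8-bit selection mask for PCRs 0-7.
    Each field must be exactly one digit 0-7; an empty field, '8' or a
    stray separator is an error rather than silently becoming PCR 0."""
    mask = 0
    for field in spec.split(","):
        if len(field) != 1 or field not in "01234567":
            raise ValueError("bad PCR index %r in %r" % (field, spec))
        mask |= 1 << int(field)
    return mask


def parse_pcr_file(text, pcr_alg):
    """Read one PCR value per non-empty line; each must decode to exactly
    the digest size of the PCR bank named by --pcr_hash."""
    want = HASH_SIZE[pcr_alg]
    values = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        raw = bytes.fromhex(line)  # fromhex skips the separating spaces
        if len(raw) != want:
            raise ValueError("line %d: %d bytes, expected %d for %s"
                             % (lineno, len(raw), want, pcr_alg))
        values.append(raw)
    return values


def composite_digest(values, mask, alg):
    """Hash the concatenation of the selected PCR values with the element
    algorithm (--alg). The file must hold exactly one value per selected
    PCR, in ascending PCR order, or the digest can never match a quote."""
    selected = bin(mask).count("1")
    if len(values) != selected:
        raise ValueError("%d PCR values for %d selected PCRs" % (len(values), selected))
    h = hashlib.new(alg)
    for v in values:
        h.update(v)
    return h.digest()


def pconf_element_data(values, mask, pcr_alg, alg):
    """Serialise the element body as the patch lays it out (assumed layout):
    host-order hash_alg and num_pcr_infos, then one quote-info record in TPM
    big-endian order: count=1, a PCR selection (bank alg, sizeofSelect=3,
    three select bytes) and a TPM2B digest. The selection names the PCR
    bank (--pcr_hash), not the element hash (--alg)."""
    digest = composite_digest(values, mask, alg)
    selection = struct.pack(">HB", TPM_ALG_ID[pcr_alg], 3) + bytes([mask, 0, 0])
    quote_info = (struct.pack(">I", 1) + selection
                  + struct.pack(">H", len(digest)) + digest)
    return struct.pack("<HH", TPM_ALG_ID[alg], 1) + quote_info


if __name__ == "__main__":
    sel = parse_pcr_list("0,1,2,3,4,5,6,7")
    pcrs = parse_pcr_file(SAMPLE_PCR_FILE, "sha256")
    print("selection 0x%02x composite %s" % (sel, composite_digest(pcrs, sel, "sha256").hex()))
    print("element data: %s" % pconf_element_data(pcrs, sel, "sha256", "sha256").hex())
```

To check a real element, replace SAMPLE_PCR_FILE with the contents of the pcr file and compare the printed composite with the digest lcp2_crtpolelt shows for the element; a mismatch in the selection byte or the bank algorithm shows up in the serialised data before the element ever reaches a platform.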
Hawrylko, Lukasz <[email protected]> wrote on Mon, Jun 3, 2019 at 5:23 PM:
> Hi Dirk
>
> I don't know if there is any official, publicly accessible tool for dumping
> PCRs. However, the structure of the file required by lcp-gen2 is quite simple;
> it is described in util.py at line 355.
>
> Thanks,
> Lukasz
>
> -----Original Message-----
> From: Dirk <[email protected]>
> To: [email protected]
> *Subject*: Re: [tboot-devel] Create LCP_PCONF_ELEMENT with TPM 2.0
> *Date*: Tue, 28 May 2019 17:11:13 +0800
>
> Hi Lukasz,
>
> Thanks for the reply. I tried to run the lcp-gen2 tool and found that I can't
> create a valid PCR dump file. The UserGuide.txt of lcp-gen2 mentions that the
> PCR dump file can be created by PCRDump2, but I can't find that tool. Do you
> have any suggestion which tool I can use to dump the PCR file?
>
> Regards,
> Dirk
>
> Hawrylko, Lukasz <[email protected]> wrote on Mon, May 27, 2019 at 2:24 PM:
>
> Hi Dirk
>
> LCP for TPM 2.0 is supported by the lcp-gen2 tool. This tool allows adding a
> PCONF element.
>
> Thanks,
> Lukasz
>
> -----Original Message-----
> From: Dirk <[email protected]>
> To: [email protected]
> Subject: [tboot-devel] Create LCP_PCONF_ELEMENT with TPM 2.0
> Date: Fri, 24 May 2019 10:13:27 +0800
>
> Hi,
>
> I am using tboot 1.9.9 and there seems to be no way to create an
> LCP_PCONF_ELEMENT with TPM 2.0. The tool lcp2_crtpolelt only supports mle,
> custom, sbios and stm. Is there any way to create a pconf element?
>
> Regards,
> Dirk
>
> _______________________________________________
> tboot-devel mailing list
> [email protected]
>
> https://lists.sourceforge.net/lists/listinfo/tboot-devel
>
>
> ---------------------------------------------------------------------
>
> Intel Technology Poland sp. z o.o. | ul. Słowackiego 173 | 80-298
> Gdańsk | District Court Gdańsk Północ | VII Commercial Division
> of the National Court Register - KRS 101882 | NIP
> 957-07-52-316 | Share capital 200,000 PLN.
>
> This e-mail and any attachments may contain confidential material for the
> sole use of the intended recipient(s). If you are not the intended
> recipient, please contact the sender and delete all copies; any review or
> distribution by others is strictly prohibited.
>
diff -r ca935709d8a6 include/lcp3.h
--- a/include/lcp3.h Thu May 09 13:09:01 2019 +0200
+++ b/include/lcp3.h Tue Jun 04 10:12:12 2019 +0800
@@ -212,7 +212,7 @@
typedef struct __packed {
uint16_t hash_alg;
uint16_t num_pcr_infos;
- tpms_quote_info_t prc_infos[];
+ tpms_quote_info_t pcr_infos[];
} lcp_pconf_element_t2;
#define LCP_POLELT_TYPE_SBIOS2 0x12
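Review bot: renaming the prc_infos member of lcp_pconf_element_t2 to pcr_infos changes a shared header, so every existing reference to prc_infos in the tree has to be updated in the same patch; no such update is shown, so either there are no other users (worth stating in the patch description) or the build breaks for them. Splitting the typo fix into its own commit, or at least naming it in the description, would make the rename easy to verify.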
diff -r ca935709d8a6 lcptools-v2/Makefile
--- a/lcptools-v2/Makefile Thu May 09 13:09:01 2019 +0200
+++ b/lcptools-v2/Makefile Tue Jun 04 10:12:12 2019 +0800
@@ -62,7 +62,7 @@
# LCP v2
-POLELT_PLUGINS := mle_elt.o custom_elt.o sbios_elt.o stm_elt.o
+POLELT_PLUGINS := pconf_elt.o mle_elt.o custom_elt.o sbios_elt.o stm_elt.o
LCP2_LIB := liblcp.a
diff -r ca935709d8a6 lcptools-v2/pconf_elt.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lcptools-v2/pconf_elt.c Tue Jun 04 10:12:12 2019 +0800
@@ -0,0 +1,253 @@
+/*
+ * pconf_elt.c: PCONF policy element (LCP_PCONF_ELEMENT) plugin
+ *
+ * Copyright (c) 2014, Intel Corporation
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ * * Neither the name of the Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <stdbool.h>
+#include <string.h>
+#include <arpa/inet.h>
+#define _GNU_SOURCE
+#include <getopt.h>
+#include <safe_lib.h>
+#include "openssl/sha.h"
+#define PRINT printf
+#include "../include/config.h"
+#include "../include/hash.h"
+#include "../include/uuid.h"
+#include "../include/lcp3.h"
+#include "polelt_plugin.h"
+#include "lcputils.h"
+
+#define MAX_HASHES 32
+
+static uint8_t pcr_selected;
+static unsigned int nr_hashes;
+static tb_hash_t hashes[MAX_HASHES];
+static char pcr_alg_name[32] = "sha1";
+static uint16_t pcr_alg_type = TPM_ALG_SHA1;
+static char alg_name[32] = "sha1";
+static uint16_t alg_type = TPM_ALG_SHA1;
+
+static bool parse_pconf_line(const char *line)
+{
+ if ( nr_hashes == MAX_HASHES )
+ return false;
+
+ return parse_line_hashes(line, &hashes[nr_hashes++], pcr_alg_type);
+}
+
+static void process_sha(uint16_t alg_type, void *data, int data_size, void *outputBuffer)
+{
+ SHA_CTX sha1;
+ SHA256_CTX sha256;
+ SHA512_CTX sha512;
+
+ switch(alg_type) {
+ case TPM_ALG_SHA1:
+ SHA1_Init(&sha1);
+ SHA1_Update(&sha1, data, data_size);
+ SHA1_Final(outputBuffer, &sha1);
+ break;
+ case TPM_ALG_SHA256:
+ SHA256_Init(&sha256);
+ SHA256_Update(&sha256, data, data_size);
+ SHA256_Final(outputBuffer, &sha256);
+ break;
+ case TPM_ALG_SHA384:
+ SHA384_Init(&sha512);
+ SHA384_Update(&sha512, data, data_size);
+ SHA384_Final(outputBuffer, &sha512);
+ break;
+ case TPM_ALG_SHA512:
+ SHA512_Init(&sha512);
+ SHA512_Update(&sha512, data, data_size);
+ SHA512_Final(outputBuffer, &sha512);
+ break;
+ default:
+ LOG("alg_type %d not supported\n",alg_type);
+ break;
+ }
+}
+
+static bool parse_pcr_string(const char *str)
+{
+ const char *strCurrent = str;
+ char *ptr;
+ uint8_t pcr;
+
+ do {
+ pcr = (uint8_t)strtoul(strCurrent, &ptr, 0);
+ if (pcr > 7)
+ return false;
+ pcr_selected |= 1<<pcr;
+
+ if (*ptr != '\0') {
+ strCurrent = ++ptr;
+ }
+ else
+ break;
+ } while (strCurrent);
+
+ printf("pcr_selected = 0x%x\n", pcr_selected);
+
+ return true;
+}
+
+static bool cmdline_handler(int c, const char *opt)
+{
+ if (c == 'p') {
+ return parse_pcr_string(opt);
+ }
+ else if (c == 'h') {
+ strlcpy(pcr_alg_name, opt,sizeof(pcr_alg_name));
+ pcr_alg_type = str_to_hash_alg(pcr_alg_name);
+ LOG("cmdline opt: pcr alg: %s\n",pcr_alg_name);
+ if (pcr_alg_type != TPM_ALG_SHA1 && pcr_alg_type != TPM_ALG_SHA256)
+ return false;
+ return true;
+ }
+ else if (c == 'a') {
+ strlcpy(alg_name, opt,sizeof(alg_name));
+ alg_type = str_to_hash_alg(alg_name);
+ LOG("cmdline opt: hash alg: %s\n",alg_name);
+ return true;
+ }
+ else if ( c != 0 ) {
+ ERROR("Error: unknown option for PCONF type\n");
+ return false;
+ }
+
+ /* MLE hash files */
+ LOG("cmdline opt: pconf hash file: %s\n", opt);
+ if ( !parse_file(opt, parse_pconf_line) )
+ return false;
+
+ return true;
+}
+
+static lcp_policy_element_t *create(void)
+{
+ LOG("[create]\n");
+ size_t data_size = sizeof(lcp_pconf_element_t2) +
+ sizeof(tpms_quote_info_t) + 3 + get_hash_size(alg_type);
+ lcp_policy_element_t *elt = malloc(sizeof(*elt) + data_size);
+ if ( elt == NULL ) {
+ ERROR("Error: failed to allocate element\n");
+ return NULL;
+ }
+
+ memset_s(elt, sizeof(*elt) + data_size, 0);
+ elt->size = sizeof(*elt) + data_size;
+ lcp_pconf_element_t2 *pconf = (lcp_pconf_element_t2 *)&elt->data;
+ tpms_quote_info_t *pcr_infos = (tpms_quote_info_t *)&pconf->pcr_infos;
+ tpml_pcr_selection_t *pcr_select_l = (tpml_pcr_selection_t *)&pcr_infos->pcr_selection;
+ tpms_pcr_selection_t *pcr_select_s = (tpms_pcr_selection_t *)&pcr_select_l->pcr_selections;
+ uint8_t *pcr_select = (uint8_t *)&pcr_select_s->pcr_select;
+ tpm2b_digest_t *pcr_digest = (tpm2b_digest_t *)(pcr_select + 3);
+
+ pconf->hash_alg = alg_type;
+ pconf->num_pcr_infos = 1;
+ pcr_select_l->count = htonl(1);
+ pcr_select_s->hash_alg = htons(alg_type);
+ pcr_select_s->size_of_select = 3;
+ pcr_select[0] = pcr_selected;
+ pcr_digest->size = htons(get_hash_size(alg_type));
+
+ lcp_hash_t2 *hash = (lcp_hash_t2 *)&pcr_digest->buffer;
+ uint8_t *pcr_concatenate = malloc(nr_hashes * get_hash_size(pcr_alg_type));
+ for ( unsigned int i = 0; i < nr_hashes; i++ )
+ memcpy(pcr_concatenate + i * get_hash_size(pcr_alg_type), &hashes[i], get_hash_size(pcr_alg_type));
+ process_sha(alg_type, pcr_concatenate, nr_hashes * get_hash_size(pcr_alg_type), hash);
+ free(pcr_concatenate);
+ LOG("create pconf element succeed!\n");
+ return elt;
+}
+
+static void display(const char *prefix, const lcp_policy_element_t *elt)
+{
+ lcp_pconf_element_t2 *pconf = (lcp_pconf_element_t2 *)elt->data;
+ tpms_quote_info_t *pcr_infos = (tpms_quote_info_t *)&pconf->pcr_infos;
+ tpml_pcr_selection_t *pcr_select_l = (tpml_pcr_selection_t *)&pcr_infos->pcr_selection;
+ tpms_pcr_selection_t *pcr_select_s = (tpms_pcr_selection_t *)&pcr_select_l->pcr_selections;
+ uint8_t *pcr_select = (uint8_t *)&pcr_select_s->pcr_select;
+ tpm2b_digest_t *pcr_digest = (tpm2b_digest_t *)(pcr_select + 3);
+
+ DISPLAY("%s hash_alg: %s\n", prefix, hash_alg_to_str(pconf->hash_alg));
+ DISPLAY("%s PCR quote: ", prefix);
+ for ( unsigned int i = 0; i < 8; i++ )
+ if ( pcr_select[0] & (1<<i)) DISPLAY("%d ", i);
+ DISPLAY("\n");
+
+ uint8_t *hash = (uint8_t *)pcr_digest->buffer;
+ unsigned int hash_size = get_hash_size(pconf->hash_alg);
+ DISPLAY("hashes: ");
+ print_hex("", hash, hash_size);
+}
+
+
+static struct option opts[] = {
+ {"alg", required_argument, NULL, 'a'},
+ {"pcr_hash", required_argument, NULL, 'h'},
+ {"pcr", required_argument, NULL, 'p'},
+ {0, 0, 0, 0}
+};
+
+static polelt_plugin_t plugin = {
+ "pconf",
+ opts,
+ " pconf\n"
+ " [--alg <sha1|sha256|sha384|sha512>] hash alg of element\n"
+ " [--pcr_hash <sha1|sha256>] hash alg of input pcr\n"
+ " [--pcr <0|1|2|3|4|5|6|7>] pcrs quoted\n"
+ " <HASH FILE> file containing pcr hash(es)\n",
+ LCP_POLELT_TYPE_PCONF2,
+ &cmdline_handler,
+ &create,
+ &display
+};
+
+REG_POLELT_PLUGIN(&plugin)
+
+
+/*
+ * Local variables:
+ * mode: C
+ * c-set-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
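Review bot: in create(), pcr_select_s->hash_alg is set from alg_type (the element hash chosen by --alg) rather than pcr_alg_type (the PCR bank the values were read from, chosen by --pcr_hash), so an element built with --alg sha256 --pcr_hash sha1 would name the SHA-256 bank while its digest was computed over SHA-1 PCR values; the test command in the mail uses sha256 for both and so cannot catch it. Use htons(pcr_alg_type) there. Further checks missing in create(): nr_hashes is never compared with the number of bits set in pcr_selected, so a hash file with too few or too many lines still produces an element whose composite digest cannot match any quote of the selected PCRs; the malloc() for pcr_concatenate is unchecked, and nr_hashes == 0 (no hash file given) silently yields the digest of zero bytes; and when --alg names an algorithm process_sha() does not handle, it only logs and leaves the digest zeroed while create() still prints "create pconf element succeed!", so validate alg_type in cmdline_handler() the way pcr_alg_type is validated for 'h', or make create() return NULL. display() reads pcr_select and pcr_digest out of elt->data without first checking that elt->size covers sizeof(lcp_pconf_element_t2) + sizeof(tpms_quote_info_t) + 3 + the digest size, so a truncated element read from disk becomes an out-of-bounds read; check the size before dereferencing, and pass prefix to the "hashes:" line as the other DISPLAY calls do. In parse_pcr_string(), strtoul() on an empty or non-numeric field returns 0 with ptr unchanged and the loop still sets bit 0 (for example "1,,2" or "1,2," quietly adds PCR 0), and any character, not only ',', acts as a separator; reject a field that consumes no characters and only advance past ','. Minor: the #define _GNU_SOURCE sits after the system #include lines and so has no effect on them; the "/* MLE hash files */" comment is left over from mle_elt.c; the new file carries a 2014 copyright year; and the printf() in parse_pcr_string() should be LOG() like the rest of the plugin's diagnostics.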