nalika / rpms / grub2

Forked from rpms/grub2 2 years ago
Clone

Blame SOURCES/0501-ibmvtpm-Add-support-for-trusted-boot-using-a-vTPM-2..patch

b9d01e
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
b9d01e
From: Stefan Berger <stefanb@linux.ibm.com>
b9d01e
Date: Sun, 15 Mar 2020 12:37:10 -0400
b9d01e
Subject: [PATCH] ibmvtpm: Add support for trusted boot using a vTPM 2.0
b9d01e
b9d01e
Add support for trusted boot using a vTPM 2.0 on the IBM IEEE1275
b9d01e
PowerPC platform. With this patch grub now measures text and binary data
b9d01e
into the TPM's PCRs 8 and 9 in the same way as the x86_64 platform
b9d01e
does.
b9d01e
b9d01e
This patch requires Daniel Axtens's patches for claiming more memory.
b9d01e
b9d01e
For vTPM support to work on PowerVM, system driver levels 1010.30
b9d01e
or 1020.00 are required.
b9d01e
b9d01e
Note: Previous versions of firmware levels with the 2hash-ext-log
b9d01e
API call have a bug that, once this API call is invoked, has the
b9d01e
effect of disabling the vTPM driver under Linux causing an error
b9d01e
message to be displayed in the Linux kernel log. Those users will
b9d01e
have to update their machines to the firmware levels mentioned
b9d01e
above.
b9d01e
b9d01e
Cc: Eric Snowberg <eric.snowberg@oracle.com>
b9d01e
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
b9d01e
---
b9d01e
 grub-core/Makefile.core.def           |   7 ++
b9d01e
 grub-core/commands/ieee1275/ibmvtpm.c | 152 ++++++++++++++++++++++++++++++++++
b9d01e
 include/grub/ieee1275/ieee1275.h      |   3 +
b9d01e
 3 files changed, 162 insertions(+)
b9d01e
 create mode 100644 grub-core/commands/ieee1275/ibmvtpm.c
b9d01e
b9d01e
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
b9d01e
index ef06f8c95a..b11f74e6b2 100644
b9d01e
--- a/grub-core/Makefile.core.def
b9d01e
+++ b/grub-core/Makefile.core.def
b9d01e
@@ -1104,6 +1104,13 @@ module = {
b9d01e
   enable = powerpc_ieee1275;
b9d01e
 };
b9d01e
 
b9d01e
+module = {
b9d01e
+  name = tpm;
b9d01e
+  common = commands/tpm.c;
b9d01e
+  ieee1275 = commands/ieee1275/ibmvtpm.c;
b9d01e
+  enable = powerpc_ieee1275;
b9d01e
+};
b9d01e
+
b9d01e
 module = {
b9d01e
   name = terminal;
b9d01e
   common = commands/terminal.c;
b9d01e
diff --git a/grub-core/commands/ieee1275/ibmvtpm.c b/grub-core/commands/ieee1275/ibmvtpm.c
b9d01e
new file mode 100644
b9d01e
index 0000000000..e68b8448bc
b9d01e
--- /dev/null
b9d01e
+++ b/grub-core/commands/ieee1275/ibmvtpm.c
b9d01e
@@ -0,0 +1,152 @@
b9d01e
+/*
b9d01e
+ *  GRUB  --  GRand Unified Bootloader
b9d01e
+ *  Copyright (C) 2021  Free Software Foundation, Inc.
b9d01e
+ *  Copyright (C) 2021  IBM Corporation
b9d01e
+ *
b9d01e
+ *  GRUB is free software: you can redistribute it and/or modify
b9d01e
+ *  it under the terms of the GNU General Public License as published by
b9d01e
+ *  the Free Software Foundation, either version 3 of the License, or
b9d01e
+ *  (at your option) any later version.
b9d01e
+ *
b9d01e
+ *  GRUB is distributed in the hope that it will be useful,
b9d01e
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
b9d01e
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
b9d01e
+ *  GNU General Public License for more details.
b9d01e
+ *
b9d01e
+ *  You should have received a copy of the GNU General Public License
b9d01e
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
b9d01e
+ *
b9d01e
+ *  IBM vTPM support code.
b9d01e
+ */
b9d01e
+
b9d01e
+#include <grub/err.h>
b9d01e
+#include <grub/types.h>
b9d01e
+#include <grub/tpm.h>
b9d01e
+#include <grub/ieee1275/ieee1275.h>
b9d01e
+#include <grub/mm.h>
b9d01e
+#include <grub/misc.h>
b9d01e
+
b9d01e
+static grub_ieee1275_ihandle_t tpm_ihandle;
b9d01e
+static grub_uint8_t tpm_version;
b9d01e
+
b9d01e
+#define IEEE1275_IHANDLE_INVALID ((grub_ieee1275_ihandle_t)0)
b9d01e
+
b9d01e
+static void
b9d01e
+tpm_get_tpm_version (void)
b9d01e
+{
b9d01e
+  grub_ieee1275_phandle_t vtpm;
b9d01e
+  char buffer[20];
b9d01e
+
b9d01e
+  if (!grub_ieee1275_finddevice ("/vdevice/vtpm", &vtpm) &&
b9d01e
+      !grub_ieee1275_get_property (vtpm, "compatible", buffer,
b9d01e
+				   sizeof (buffer), NULL) &&
b9d01e
+      !grub_strcmp (buffer, "IBM,vtpm20"))
b9d01e
+    tpm_version = 2;
b9d01e
+}
b9d01e
+
b9d01e
+static grub_err_t
b9d01e
+tpm_init (void)
b9d01e
+{
b9d01e
+  static int init_success = 0;
b9d01e
+
b9d01e
+  if (!init_success)
b9d01e
+    {
b9d01e
+      if (grub_ieee1275_open ("/vdevice/vtpm", &tpm_ihandle) < 0) {
b9d01e
+        tpm_ihandle = IEEE1275_IHANDLE_INVALID;
b9d01e
+        return GRUB_ERR_UNKNOWN_DEVICE;
b9d01e
+      }
b9d01e
+
b9d01e
+      init_success = 1;
b9d01e
+
b9d01e
+      tpm_get_tpm_version ();
b9d01e
+    }
b9d01e
+
b9d01e
+  return GRUB_ERR_NONE;
b9d01e
+}
b9d01e
+
b9d01e
+static int
b9d01e
+ibmvtpm_2hash_ext_log (grub_uint8_t pcrindex,
b9d01e
+		       grub_uint32_t eventtype,
b9d01e
+		       const char *description,
b9d01e
+		       grub_size_t description_size,
b9d01e
+		       void *buf, grub_size_t size)
b9d01e
+{
b9d01e
+  struct tpm_2hash_ext_log
b9d01e
+  {
b9d01e
+    struct grub_ieee1275_common_hdr common;
b9d01e
+    grub_ieee1275_cell_t method;
b9d01e
+    grub_ieee1275_cell_t ihandle;
b9d01e
+    grub_ieee1275_cell_t size;
b9d01e
+    grub_ieee1275_cell_t buf;
b9d01e
+    grub_ieee1275_cell_t description_size;
b9d01e
+    grub_ieee1275_cell_t description;
b9d01e
+    grub_ieee1275_cell_t eventtype;
b9d01e
+    grub_ieee1275_cell_t pcrindex;
b9d01e
+    grub_ieee1275_cell_t catch_result;
b9d01e
+    grub_ieee1275_cell_t rc;
b9d01e
+  }
b9d01e
+  args;
b9d01e
+
b9d01e
+  INIT_IEEE1275_COMMON (&args.common, "call-method", 8, 2);
b9d01e
+  args.method = (grub_ieee1275_cell_t) "2hash-ext-log";
b9d01e
+  args.ihandle = tpm_ihandle;
b9d01e
+  args.pcrindex = pcrindex;
b9d01e
+  args.eventtype = eventtype;
b9d01e
+  args.description = (grub_ieee1275_cell_t) description;
b9d01e
+  args.description_size = description_size;
b9d01e
+  args.buf = (grub_ieee1275_cell_t) buf;
b9d01e
+  args.size = (grub_ieee1275_cell_t) size;
b9d01e
+
b9d01e
+  if (IEEE1275_CALL_ENTRY_FN (&args) == -1)
b9d01e
+    return -1;
b9d01e
+
b9d01e
+  /*
b9d01e
+   * catch_result is set if firmware does not support 2hash-ext-log
b9d01e
+   * rc is GRUB_IEEE1275_CELL_FALSE (0) on failure
b9d01e
+   */
b9d01e
+  if ((args.catch_result) || args.rc == GRUB_IEEE1275_CELL_FALSE)
b9d01e
+    return -1;
b9d01e
+
b9d01e
+  return 0;
b9d01e
+}
b9d01e
+
b9d01e
+static grub_err_t
b9d01e
+tpm2_log_event (unsigned char *buf,
b9d01e
+		grub_size_t size, grub_uint8_t pcr,
b9d01e
+		const char *description)
b9d01e
+{
b9d01e
+  static int error_displayed = 0;
b9d01e
+  int err;
b9d01e
+
b9d01e
+  err = ibmvtpm_2hash_ext_log (pcr, EV_IPL,
b9d01e
+			       description,
b9d01e
+			       grub_strlen(description) + 1,
b9d01e
+			       buf, size);
b9d01e
+  if (err && !error_displayed)
b9d01e
+    {
b9d01e
+      error_displayed++;
b9d01e
+      return grub_error (GRUB_ERR_BAD_DEVICE,
b9d01e
+	      "2HASH-EXT-LOG failed: Firmware is likely too old.\n");
b9d01e
+    }
b9d01e
+
b9d01e
+  return GRUB_ERR_NONE;
b9d01e
+}
b9d01e
+
b9d01e
+grub_err_t
b9d01e
+grub_tpm_measure (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
b9d01e
+		  const char *description)
b9d01e
+{
b9d01e
+  grub_err_t err = tpm_init();
b9d01e
+
b9d01e
+  /* Absence of a TPM isn't a failure. */
b9d01e
+  if (err != GRUB_ERR_NONE)
b9d01e
+    return GRUB_ERR_NONE;
b9d01e
+
b9d01e
+  grub_dprintf ("tpm", "log_event, pcr = %d, size = 0x%" PRIxGRUB_SIZE ", %s\n",
b9d01e
+		pcr, size, description);
b9d01e
+
b9d01e
+  if (tpm_version == 2)
b9d01e
+    return tpm2_log_event (buf, size, pcr, description);
b9d01e
+
b9d01e
+  return GRUB_ERR_NONE;
b9d01e
+}
b9d01e
diff --git a/include/grub/ieee1275/ieee1275.h b/include/grub/ieee1275/ieee1275.h
b9d01e
index 131808d619..87b9f95d34 100644
b9d01e
--- a/include/grub/ieee1275/ieee1275.h
b9d01e
+++ b/include/grub/ieee1275/ieee1275.h
b9d01e
@@ -24,6 +24,9 @@
b9d01e
 #include <grub/types.h>
b9d01e
 #include <grub/machine/ieee1275.h>
b9d01e
 
b9d01e
+#define GRUB_IEEE1275_CELL_FALSE       ((grub_ieee1275_cell_t) 0)
b9d01e
+#define GRUB_IEEE1275_CELL_TRUE        ((grub_ieee1275_cell_t) -1)
b9d01e
+
b9d01e
 struct grub_ieee1275_mem_region
b9d01e
 {
b9d01e
   unsigned int start;