From 016ef077a2e81fab14cbcd5ba6fae10a6681688b Mon Sep 17 00:00:00 2001 From: jetwhiz Date: Mon, 1 Oct 2018 17:55:13 -0400 Subject: [PATCH 2/6] tpm2_pcrreset new tools New tool to allow resetting PCR registers, backport from 0ef0f31775 Signed-off-by: jetwhiz --- Makefile.am | 3 + man/tpm2_pcrreset.1.md | 58 ++++++++++++++ test/system/test_tpm2_pcrreset.sh | 59 ++++++++++++++ tools/tpm2_pcrreset.c | 129 ++++++++++++++++++++++++++++++ 4 files changed, 249 insertions(+) create mode 100644 man/tpm2_pcrreset.1.md create mode 100755 test/system/test_tpm2_pcrreset.sh create mode 100644 tools/tpm2_pcrreset.c diff --git a/Makefile.am b/Makefile.am index 3856bcb400c..ffe22f383e3 100644 --- a/Makefile.am +++ b/Makefile.am @@ -87,6 +87,7 @@ bin_PROGRAMS = \ tools/tpm2_pcrevent \ tools/tpm2_pcrextend \ tools/tpm2_pcrlist \ + tools/tpm2_pcrreset \ tools/tpm2_quote \ tools/tpm2_rc_decode \ tools/tpm2_readpublic \ @@ -179,6 +180,7 @@ tools_tpm2_unseal_SOURCES = tools/tpm2_unseal.c $(TOOL_SRC) tools_tpm2_dictionarylockout_SOURCES = tools/tpm2_dictionarylockout.c $(TOOL_SRC) tools_tpm2_createpolicy_SOURCES = tools/tpm2_createpolicy.c $(TOOL_SRC) tools_tpm2_pcrextend_SOURCES = tools/tpm2_pcrextend.c $(TOOL_SRC) +tools_tpm2_pcrreset_SOURCES = tools/tpm2_pcrreset.c $(TOOL_SRC) tools_tpm2_pcrevent_SOURCES = tools/tpm2_pcrevent.c $(TOOL_SRC) tools_tpm2_rc_decode_SOURCES = tools/tpm2_rc_decode.c $(TOOL_SRC) @@ -279,6 +281,7 @@ if HAVE_MAN_PAGES man/man1/tpm2_pcrevent.1 \ man/man1/tpm2_pcrextend.1 \ man/man1/tpm2_pcrlist.1 \ + man/man1/tpm2_pcrreset.1 \ man/man1/tpm2_quote.1 \ man/man1/tpm2_rc_decode.1 \ man/man1/tpm2_readpublic.1 \ diff --git a/man/tpm2_pcrreset.1.md b/man/tpm2_pcrreset.1.md new file mode 100644 index 00000000000..d5637137796 --- /dev/null +++ b/man/tpm2_pcrreset.1.md @@ -0,0 +1,58 @@ +% tpm2_pcrreset(1) tpm2-tools | General Commands Manual +% +% JANUARY 2019 + +# NAME + +**tpm2_pcrreset**(1) - Reset one or more PCR banks + +# SYNOPSIS + +**tpm2_pcrreset** [*OPTIONS*] _PCR\_INDEX_ ... + +# DESCRIPTION + +**tpm2_pcrreset**(1) - Reset PCR value in all banks for specified index. +More than one PCR index can be specified. + +The reset value is manufacturer-dependent and is either sequence of 00 or FF +on the length of the hash algorithm for each supported bank + +_PCR\_INDEX_ is a space separated list of PCR indexes to be reset when issuing +the command. + +# OPTIONS + +This tool accepts no tool specific options. + +[common options](common/options.md) + +[common tcti options](common/tcti.md) + +# EXAMPLES + +## Reset a single PCR +``` +tpm2_pcrreset 23 +``` + +## Reset multiple PCRs +``` +tpm2_pcrreset 16 23 +``` + +# NOTES + +On operating system's locality (generally locality 0), only PCR 23 can be reset. +PCR-16 can also be reset on this locality, depending on TPM manufacturers +which could define this PCR as resettable. + +PCR 0 to 15 are not resettable (being part of SRTM). PCR 16 to 22 are mostly +reserved for DRTM or dedicated to specific localities and might not +be resettable depending on current TPM locality. + +# RETURNS + +0 on success or 1 on failure. + +[footer](common/footer.md) diff --git a/test/system/test_tpm2_pcrreset.sh b/test/system/test_tpm2_pcrreset.sh new file mode 100755 index 00000000000..962de780ab4 --- /dev/null +++ b/test/system/test_tpm2_pcrreset.sh @@ -0,0 +1,59 @@ +#!/bin/bash +#;**********************************************************************; +# +# Copyright (c) 2019, Sebastien LE STUM +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# 1. Redistributions of source code must retain the above copyright notice, +# this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# 3. Neither the name of Intel Corporation nor the names of its contributors +# may be used to endorse or promote products derived from this software without +# specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE +# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF +# THE POSSIBILITY OF SUCH DAMAGE. +#;**********************************************************************; + +source test_helpers.sh + +# Reset a resettable PCR +tpm2_pcrreset 23 + +# Reset more than one resettable PCR +tpm2_pcrreset 16 23 + +# Get PCR_Reset out of bound index error +tpm2_pcrreset 999 2>&1 1>/dev/null | grep -q "out of bound PCR" + +# Get PCR_Reset wrong index error +tpm2_pcrreset toto 2>&1 1>/dev/null | grep -q "invalid PCR" + +# Get PCR_Reset index out of range error +if tpm2_pcrreset 29 2>&1 1>/dev/null ; then + echo "tpm2_pcrreset on out of range PCR index didn't fail" + exit 1 +else + true +fi + +# Get PCR_Reset bad locality error +tpm2_pcrreset 0 2>&1 1>/dev/null | grep -q "0x907" + +exit 0 diff --git a/tools/tpm2_pcrreset.c b/tools/tpm2_pcrreset.c new file mode 100644 index 00000000000..5fa1de121e7 --- /dev/null +++ b/tools/tpm2_pcrreset.c @@ -0,0 +1,129 @@ +//**********************************************************************; +// Copyright (c) 2017, Intel Corporation +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are met: +// +// 1. Redistributions of source code must retain the above copyright notice, +// this list of conditions and the following disclaimer. +// +// 2. Redistributions in binary form must reproduce the above copyright notice, +// this list of conditions and the following disclaimer in the documentation +// and/or other materials provided with the distribution. +// +// 3. Neither the name of Intel Corporation nor the names of its contributors +// may be used to endorse or promote products derived from this software without +// specific prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +// ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE +// LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +// SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +// CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF +// THE POSSIBILITY OF SUCH DAMAGE. +//**********************************************************************; + +#include +#include +#include +#include +#include + +#include + +#include "log.h" +#include "pcr.h" +#include "tpm2_options.h" +#include "tpm2_tool.h" +#include "tpm2_util.h" + +typedef struct tpm_pcr_reset_ctx tpm_pcr_reset_ctx; +struct tpm_pcr_reset_ctx { + bool pcr_list[TPM2_MAX_PCRS]; +}; + +static tpm_pcr_reset_ctx ctx; + +static bool pcr_reset_one(TSS2_SYS_CONTEXT *sapi_context, TPMI_DH_PCR pcr_index) { + TSS2L_SYS_AUTH_RESPONSE sessions_data_out; + TSS2L_SYS_AUTH_COMMAND sessions_data = { 1, {{ .sessionHandle=TPM2_RS_PW }}}; + + TSS2_RC rval = TSS2_RETRY_EXP(Tss2_Sys_PCR_Reset(sapi_context, pcr_index, &sessions_data, + &sessions_data_out)); + if (rval != TSS2_RC_SUCCESS) { + LOG_ERR("Could not reset PCR index: %d", pcr_index); + return false; + } + + return true; +} + +static bool pcr_reset(TSS2_SYS_CONTEXT *sapi_context) { + size_t i; + + for (i = 0; i < TPM2_MAX_PCRS; i++) { + if(!ctx.pcr_list[i]) + continue; + + bool result = pcr_reset_one(sapi_context, i); + if (!result) { + return false; + } + } + + return true; +} + +static bool on_arg(int argc, char** argv){ + int i; + uint32_t pcr; + + memset(ctx.pcr_list, 0, TPM2_MAX_PCRS); + + if (argc < 1) { + LOG_ERR("Expected at least one PCR index" + "ie: , got: 0"); + return false; + } + + for(i = 0; i < argc; i++){ + if(!tpm2_util_string_to_uint32(argv[i], &pcr)){ + LOG_ERR("Got invalid PCR Index: \"%s\"", argv[i]); + return false; + } + + /* + * If any specified PCR index is greater than the last valid + * index supported in the spec, throw an error + */ + if(pcr > TPM2_MAX_PCRS - 1){ + LOG_ERR("Got out of bound PCR Index: \"%s\"", argv[i]); + return false; + } + + ctx.pcr_list[pcr] = 1; + } + + return true; +} + +bool tpm2_tool_onstart(tpm2_options **opts) { + + *opts = tpm2_options_new(NULL, 0, NULL, NULL, on_arg, 0); + + return *opts != NULL; +} + +int tpm2_tool_onrun(TSS2_SYS_CONTEXT *sapi_context, tpm2_option_flags flags) { + + UNUSED(flags); + + return pcr_reset(sapi_context) != true; +} + -- 2.21.0