On Sat, 22 Jun 2024 at 19:34, Heinrich Schuchardt xypron.glpk@gmx.de wrote:
On 22.06.24 16:35, Ilias Apalodimas wrote:
Simon reports that after enabling all algorithms on the TPM some boards fail since they don't have enough storage to accommodate the ~5KB growth.
The choice of hash algorithms are determined by the platform and the TPM configuration. Failing to cap a PCR in a bank which the platform left active is a security vulnerability. It might allow unsealing of secrets if an attacker can replay a good set of measurements into an unused bank.
If MEASURED_BOOT or EFI_TCG2_PROTOCOL is enabled our Kconfig will enable all supported hashing algorithms. We still want to allow users to add a TPM and not enable measured boot via EFI or bootm though and at the same time, control the compiled algorithms for size reasons.
So let's add a function tpm2_allow_extend() which checks the TPM active PCRs banks against the one U-Boot was compiled with. If all the active PCRs banks are not enabled refuse to extend a PCR but otherwise leave the TPM functional.
The paragraph above is bit hard to read. I guess you mean:
We only allow extending PCRs using one of the algorithms selected in the configuration.
Yes
It's worth noting that this is only added on TPM2.0, since TPM1.2 is lacking a lot of code at the moment to read the available PCRs. We unconditionally enable SHA1 when a TPM is selected, which is the only hashing algorithm v1.2 supports.
Why do we need SHA1 if we cannot access PCRs on a TPM1.2?
You can. On TPM1.2 we don't have the functions to check for the active PCR banks. So I am unconditionally enabling SHA1, which is the only hashing algo TPM1.2 supports.
Thanks /Ilias
Best regards
Heinrich
Signed-off-by: Ilias Apalodimas ilias.apalodimas@linaro.org
boot/Kconfig | 4 ++++ include/tpm-v2.h | 59 +++++++++++++++++++++++++++++++++++------------- lib/Kconfig | 6 ++--- lib/tpm-v2.c | 40 +++++++++++++++++++++++++++++--- 4 files changed, 87 insertions(+), 22 deletions(-)
diff --git a/boot/Kconfig b/boot/Kconfig index 6f3096c15a6f..b061891e109c 100644 --- a/boot/Kconfig +++ b/boot/Kconfig @@ -734,6 +734,10 @@ config LEGACY_IMAGE_FORMAT config MEASURED_BOOT bool "Measure boot images and configuration when booting without EFI" depends on HASH && TPM_V2
select SHA1select SHA256select SHA384select SHA512 help This option enables measurement of the boot process when booting without UEFI . Measurement involves creating cryptographic hashesdiff --git a/include/tpm-v2.h b/include/tpm-v2.h index eac04d1c6831..fccb07fa4695 100644 --- a/include/tpm-v2.h +++ b/include/tpm-v2.h @@ -277,48 +277,40 @@ struct digest_info { #define TCG2_BOOT_HASH_ALG_SM3_256 0x00000010
static const struct digest_info hash_algo_list[] = { +#if IS_ENABLED(CONFIG_SHA1) { "sha1", TPM2_ALG_SHA1, TCG2_BOOT_HASH_ALG_SHA1, TPM2_SHA1_DIGEST_SIZE, }, +#endif +#if IS_ENABLED(CONFIG_SHA256) { "sha256", TPM2_ALG_SHA256, TCG2_BOOT_HASH_ALG_SHA256, TPM2_SHA256_DIGEST_SIZE, }, +#endif +#if IS_ENABLED(CONFIG_SHA384) { "sha384", TPM2_ALG_SHA384, TCG2_BOOT_HASH_ALG_SHA384, TPM2_SHA384_DIGEST_SIZE, }, +#endif +#if IS_ENABLED(CONFIG_SHA512) { "sha512", TPM2_ALG_SHA512, TCG2_BOOT_HASH_ALG_SHA512, TPM2_SHA512_DIGEST_SIZE, }, +#endif };
-static inline u16 tpm2_algorithm_to_len(enum tpm2_algorithms a) -{
switch (a) {case TPM2_ALG_SHA1:return TPM2_SHA1_DIGEST_SIZE;case TPM2_ALG_SHA256:return TPM2_SHA256_DIGEST_SIZE;case TPM2_ALG_SHA384:return TPM2_SHA384_DIGEST_SIZE;case TPM2_ALG_SHA512:return TPM2_SHA512_DIGEST_SIZE;default:return 0;}-}
- /* NV index attributes */ enum tpm_index_attrs { TPMA_NV_PPWRITE = 1UL << 0,
@@ -711,6 +703,41 @@ enum tpm2_algorithms tpm2_name_to_algorithm(const char *name); */ const char *tpm2_algorithm_name(enum tpm2_algorithms);
+/**
- tpm2_algorithm_to_len() - Return an algorithm length for supported algorithm id
- @algorithm_id: algorithm defined in enum tpm2_algorithms
- Return: len or 0 if not supported
- */
+u16 tpm2_algorithm_to_len(enum tpm2_algorithms algo);
+/*
- When measured boot is enabled via EFI or bootX commands all the algorithms
- above are selected by our Kconfigs. Due to U-Boots nature of being small there
- are cases where we need some functionality from the TPM -- e.g storage or RNG
- but we don't want to support measurements.
- The choice of hash algorithms are determined by the platform and the TPM
- configuration. Failing to cap a PCR in a bank which the platform left
- active is a security vulnerability. It permits the unsealing of secrets
- if an attacker can replay a good set of measurements into an unused bank.
- On top of that a previous stage bootloader (e.g TF-A), migh pass an eventlog
- since it doesn't have a TPM driver, which U-Boot needs to replace. The algorit h
- choice is a compile time option in that case and we need to make sure we conform.
- Add a variable here that sums the supported algorithms U-Boot was compiled
- with so we can refuse to do measurements if we don't support all of them
- */
+/**
- tpm2_allow_extend() - Check if extending PCRs is allowed and safe
- @dev: TPM device
- Return: true if allowed
- */
+bool tpm2_allow_extend(struct udevice *dev);
- /**
- tpm2_is_active_pcr() - check the pcr_select. If at least one of the PCRs
supports the algorithm add it on the active onesdiff --git a/lib/Kconfig b/lib/Kconfig index 189e6eb31aa1..b3baa4b85b07 100644 --- a/lib/Kconfig +++ b/lib/Kconfig @@ -439,9 +439,6 @@ config TPM depends on DM imply DM_RNG select SHA1
select SHA256select SHA384select SHA512 help This enables support for TPMs which can be used to provide security features for your board. The TPM can be connected via LPC or I2C@@ -449,6 +446,9 @@ config TPM command to interactive the TPM. Driver model support is provided for the low-level TPM interface, but only one TPM is supported at a time by the TPM library.
For size reasons only SHA1 is selected which is supported on TPM1.2.If you want a fully functional TPM enable all hashing algorithms.If you enabled measured boot all hashing algorithms are selected.config SPL_TPM bool "Trusted Platform Module (TPM) Support in SPL"
diff --git a/lib/tpm-v2.c b/lib/tpm-v2.c index 36aace03cf4e..59e6cbafafaa 100644 --- a/lib/tpm-v2.c +++ b/lib/tpm-v2.c @@ -196,6 +196,11 @@ u32 tpm2_pcr_extend(struct udevice *dev, u32 index, u32 algorithm,
if (!digest) return -EINVAL;
if (!tpm2_allow_extend(dev)) {log_err("Cannot extend PCRs if all the TPM enabled algorithms are not supported\n");return -EINVAL;} /* * Fill the command structure starting from the first buffer: * - the digest@@ -409,11 +414,10 @@ int tpm2_get_pcr_info(struct udevice *dev, struct tpml_pcr_selection *pcrs)
pcrs->count = get_unaligned_be32(response); /*
* We only support 5 algorithms for now so check against that
* We only support 4 algorithms for now so check against that * instead of TPM2_NUM_PCR_BANKS */
if (pcrs->count > ARRAY_SIZE(hash_algo_list) ||pcrs->count < 1) {
if (pcrs->count > 4 || pcrs->count < 1) { printf("%s: too many pcrs: %u\n", __func__, pcrs->count); return -EMSGSIZE; }@@ -880,3 +884,33 @@ const char *tpm2_algorithm_name(enum tpm2_algorithms algo) return ""; }
+u16 tpm2_algorithm_to_len(enum tpm2_algorithms algo) +{
size_t i;for (i = 0; i < ARRAY_SIZE(hash_algo_list); ++i) {if (hash_algo_list[i].hash_alg == algo)return hash_algo_list[i].hash_len;}return 0;+}
+bool tpm2_allow_extend(struct udevice *dev) +{
struct tpml_pcr_selection pcrs;size_t i;int rc;rc = tpm2_get_pcr_info(dev, &pcrs);if (rc)return false;for (i = 0; i < pcrs.count; i++) {if (tpm2_is_active_pcr(&pcrs.selection[i]) &&!tpm2_algorithm_to_len(pcrs.selection[i].hash))return false;}return true;+}