integ/security/tboot/centos/patches/1000-tboot-for-tis.patch
Martin, Chen d983580f90 rebase tboot patch to CentOS 7.6 version
Test:
Install bootimage.iso on bare metal, enable
Intel TXT setting in BIOS. During installation
make the following selection

"Standard Controller" or "All-in-One Controller" ->
"Graphical console" -> "EXTENDED Security Profile" ->
"Trusted Boot Profile"

After system bootup, check tboot with such command
"sudo txt-stat"

Depends-On: https://review.openstack.org/627745

Story: 2004522
Task: 28436

Change-Id: I7599f1648acfa71757cd5dfdb54f00c9499c8d61
Signed-off-by: Martin, Chen <haochuan.z.chen@intel.com>
2019-01-17 01:25:09 +08:00


From c2edea1ff347242a70075808652fa1ad4c86037a Mon Sep 17 00:00:00 2001
From: Bin Qian <bin.qian@windriver.com>
Date: Mon, 27 Nov 2017 08:35:11 -0500
Subject: [PATCH 1/1] WRS: Patch1: 9000-tboot-for-tis.patch
---
tboot/20_linux_tboot | 21 ++++++++++++---------
tboot/20_linux_xen_tboot | 2 +-
tboot/common/policy.c | 16 +++++++++++-----
tboot/common/tpm_20.c | 7 ++++---
4 files changed, 28 insertions(+), 18 deletions(-)
diff --git a/tboot/20_linux_tboot b/tboot/20_linux_tboot
index 816d50a..eed512d 100644
--- a/tboot/20_linux_tboot
+++ b/tboot/20_linux_tboot
@@ -22,6 +22,13 @@ exec_prefix=${prefix}
bindir=${exec_prefix}/bin
libdir=${exec_prefix}/lib
sysconfdir=/etc
+
+
+tboot=`cat /proc/cmdline | xargs -n1 | grep '^tboot=true$'` || true
+if [ -z "$tboot" ]; then
+ exit 0
+fi
+
if test -e /usr/share/grub/grub-mkconfig_lib; then
. /usr/share/grub/grub-mkconfig_lib
elif test -e ${libdir}/grub/grub-mkconfig_lib; then
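Review bot: The new early exit keys tboot menu generation on the currently running kernel's command line rather than on any GRUB configuration, so a grub2-mkconfig run from a kernel that was booted without `tboot=true` (a rescue or non-tboot entry) silently regenerates a grub.cfg with no tboot entries at all, which is a fail-open for a trusted-boot profile. Separately, `xargs -n1` applies its own quote and backslash processing to /proc/cmdline, so an unbalanced quote in an unrelated parameter makes xargs fail and the script exit 0 with no entries. A plainer, quoting-safe test is `tr ' ' '\n' </proc/cmdline | grep -qx 'tboot=true' || exit 0`, preceded by a comment such as `# Only emit tboot entries when the running system was itself booted with tboot=true (presumably set by the installer) -- regenerating from a non-tboot boot drops them`. If the intent is a persistent profile, a variable in /etc/default/grub would be a more robust gate than the live cmdline.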
@@ -40,7 +47,7 @@ fi
[ -z "${GRUB_CMDLINE_LINUX_TBOOT}" ] && unset GRUB_CMDLINE_LINUX_TBOOT
[ -z "${GRUB_TBOOT_POLICY_DATA}" ] && unset GRUB_TBOOT_POLICY_DATA
# Command line for tboot itself
-: ${GRUB_CMDLINE_TBOOT='logging=serial,memory,vga'}
+: ${GRUB_CMDLINE_TBOOT='logging=serial,memory,vga extpol=sha256'}
# Linux kernel parameters to append for tboot
: ${GRUB_CMDLINE_LINUX_TBOOT='intel_iommu=on'}
# Base name of LCP policy data file for list policy
@@ -69,10 +76,8 @@ export TEXTDOMAINDIR=${prefix}/share/locale
CLASS="--class gnu-linux --class gnu --class os --class tboot"
-if [ "x${GRUB_DISTRIBUTOR}" = "x" ] ; then
- OS=GNU/Linux
-else
- OS="${GRUB_DISTRIBUTOR} GNU/Linux"
+OS="CentOS GNU/Linux"
+if [ -n "${GRUB_DISTRIBUTOR}" ] ; then
CLASS="--class $(echo ${GRUB_DISTRIBUTOR} | tr '[A-Z]' '[a-z]' | cut -d' ' -f1) ${CLASS}"
fi
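Review bot: `OS="CentOS GNU/Linux"` hardcodes the distributor in the entry title while the very next line still derives CLASS from GRUB_DISTRIBUTOR, so a non-empty GRUB_DISTRIBUTOR that is not "CentOS" yields a title and a class that disagree. If the goal is just a sane default when GRUB_DISTRIBUTOR is unset, `OS="${GRUB_DISTRIBUTOR:-CentOS} GNU/Linux"` keeps both in step and preserves the original behaviour for the set case.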
@@ -109,9 +114,9 @@ linux_entry ()
iommu_args="$7"
if ${recovery} ; then
- title="$(gettext_quoted "%s, with tboot %s and Linux %s (recovery mode)")"
+ title="$(gettext_quoted "%s, w/ tboot %s & Linux %s (recovery mode)")"
else
- title="$(gettext_quoted "%s, with tboot %s and Linux %s")"
+ title="$(gettext_quoted "%s, w/ tboot %s & Linux %s")"
fi
if [ -d /sys/firmware/efi ] ; then
@@ -202,7 +207,6 @@ while [ "x${tboot_list}" != "x" ] && [ "x$linux_list" != "x" ] ; do
rel_tboot_dirname=`make_system_path_relative_to_its_root $tboot_dirname`
# tboot_version=`echo $tboot_basename | sed -e "s,.gz$,,g;s,^tboot-,,g"`
tboot_version="1.9.6"
- echo "submenu \"tboot ${tboot_version}\" {"
while [ "x$list" != "x" ] ; do
linux=`version_find_latest $list`
echo "Found linux image: $linux" >&2
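Review bot: `tboot_version="1.9.6"` pins the version as a literal while the line that used to derive it from the file name is left commented out above it, so a tboot package update will leave the menu title (and anything else built from tboot_version outside this hunk) reporting a stale version with nothing flagging it. Either delete the dead sed line and add a comment stating why the version is pinned (`# tboot version is fixed by the packaged tboot binary; keep in sync with the tboot RPM`), or derive it from the installed package at generation time. The enclosing while loop starts and ends outside this hunk.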
@@ -243,6 +247,5 @@ while [ "x${tboot_list}" != "x" ] && [ "x$linux_list" != "x" ] ; do
list=`echo $list | tr ' ' '\n' | grep -vx $linux | tr '\n' ' '`
done
- echo "}"
tboot_list=`echo $tboot_list | tr ' ' '\n' | grep -vx $current_tboot | tr '\n' ' '`
done
diff --git a/tboot/20_linux_xen_tboot b/tboot/20_linux_xen_tboot
index a113a3c..b1e4b09 100644
--- a/tboot/20_linux_xen_tboot
+++ b/tboot/20_linux_xen_tboot
@@ -41,7 +41,7 @@ fi
[ -z "${GRUB_CMDLINE_LINUX_XEN_TBOOT}" ] && unset GRUB_CMDLINE_LINUX_XEN_TBOOT
[ -z "${GRUB_TBOOT_POLICY_DATA}" ] && unset GRUB_TBOOT_POLICY_DATA
# Command line for tboot itself
-: ${GRUB_CMDLINE_TBOOT='logging=serial,memory,vga'}
+: ${GRUB_CMDLINE_TBOOT='logging=serial,memory,vga extpol=sha256'}
# Xen parameters to append for tboot
: ${GRUB_CMDLINE_XEN_TBOOT=''}
# Linux kernel parameters to append for tboot + Xen
diff --git a/tboot/common/policy.c b/tboot/common/policy.c
index 9678b7c..5a16d81 100644
--- a/tboot/common/policy.c
+++ b/tboot/common/policy.c
@@ -353,6 +353,7 @@ tb_error_t set_policy(void)
* type is LCP_POLTYPE_LIST (since we could have been give a policy data
* file even though the policy was not a LIST */
printk(TBOOT_INFO"reading Launch Control Policy from TPM NV...\n");
+
if ( read_policy_from_tpm(tpm->lcp_own_index,
_policy_index_buf, &policy_index_size) ) {
printk(TBOOT_DETA"\t:%lu bytes read\n", policy_index_size);
@@ -412,6 +413,7 @@ bool hash_policy(tb_hash_t *hash, uint16_t hash_alg)
/* generate hash by hashing cmdline and module image */
static bool hash_module(hash_list_t *hl,
+ u16 cur_alg,
const char* cmdline, void *base,
size_t size)
{
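Review bot: hash_module gains a `cur_alg` parameter but its header comment is not updated to say what the caller is expected to pass, and the name suggests the TPM's current algorithm even though the call site in this patch passes the policy entry's `hash_alg`. Extend the comment to `/* generate hash by hashing cmdline and module image with cur_alg, the TPM_ALG_* id of the policy entry being verified (not necessarily tpm->cur_alg) */`. The body of hash_module continues outside this hunk.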
@@ -423,6 +425,7 @@ static bool hash_module(hash_list_t *hl,
return false;
}
+ printk(TBOOT_INFO"Using hash algorithm %d\n", cur_alg);
/* final hash is SHA-1( SHA-1(cmdline) | SHA-1(image) ) */
/* where cmdline is first stripped of leading spaces, file name, then */
/* any spaces until the next non-space char */
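Review bot: The comment immediately below the new printk still states `/* final hash is SHA-1( SHA-1(cmdline) | SHA-1(image) ) */`, which is now wrong whenever `cur_alg` is anything other than SHA-1 (the commit's own defaults switch to `extpol=sha256`). Change it to `/* final hash is H( H(cmdline) | H(image) ) where H is cur_alg */`. The printk itself is fine since a u16 promotes to int for `%d`, though logging the numeric TPM_ALG id at TBOOT_INFO on every module is noisy; TBOOT_DETA would match the surrounding detail lines.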
@@ -437,16 +440,17 @@ static bool hash_module(hash_list_t *hl,
switch (tpm->extpol) {
case TB_EXTPOL_FIXED:
hl->count = 1;
- hl->entries[0].alg = tpm->cur_alg;
+ // hl->entries[0].alg = tpm->cur_alg;
+ hl->entries[0].alg = cur_alg;
if ( !hash_buffer((const unsigned char *)cmdline, strlen(cmdline),
- &hl->entries[0].hash, tpm->cur_alg) )
+ &hl->entries[0].hash, cur_alg) )
return false;
/* hash image and extend into cmdline hash */
tb_hash_t img_hash;
- if ( !hash_buffer(base, size, &img_hash, tpm->cur_alg) )
+ if ( !hash_buffer(base, size, &img_hash, cur_alg) )
return false;
- if ( !extend_hash(&hl->entries[0].hash, &img_hash, tpm->cur_alg) )
+ if ( !extend_hash(&hl->entries[0].hash, &img_hash, cur_alg) )
return false;
break;
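Review bot: With this change the TB_EXTPOL_FIXED branch hashes the module with the algorithm the policy entry requests instead of the TPM extend policy's algorithm, so a policy entry carrying SHA-1 hashes is verified with SHA-1 even on a launch configured with extpol=sha256; if downgrading the verification digest below the extend policy is not intended, reject `cur_alg` values weaker than `tpm->cur_alg` before hashing, e.g. `if ( cur_alg != tpm->cur_alg ) { printk(TBOOT_ERR"policy hash alg %d differs from extend policy alg %d\n", cur_alg, tpm->cur_alg); return false; }` or at least log the divergence. The other cases of this switch lie outside the hunk, so whether they still use tpm->cur_alg cannot be confirmed from here; a one-line comment at the FIXED case explaining why it alone takes the policy's algorithm would help the next reader. The commented-out `// hl->entries[0].alg = tpm->cur_alg;` should be deleted rather than left beside its replacement.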
@@ -643,7 +647,7 @@ static tb_error_t verify_module(module_t *module, tb_policy_entry_t *pol_entry,
}
hash_list_t hl;
- if ( !hash_module(&hl, cmdline, base, size) ) {
+ if ( !hash_module(&hl, hash_alg, cmdline, base, size) ) {
printk(TBOOT_ERR"\t hash cannot be generated.\n");
return TB_ERR_MODULE_VERIFICATION_FAILED;
}
@@ -667,6 +671,8 @@ static tb_error_t verify_module(module_t *module, tb_policy_entry_t *pol_entry,
if ( pol_entry != NULL &&
!is_hash_in_policy_entry(pol_entry, &hl.entries[0].hash, hash_alg) ) {
printk(TBOOT_ERR"\t verification failed\n");
+ print_hash(&hl.entries[0].hash, hash_alg);
+ print_hash(&pol_entry->hashes[0], hash_alg);
return TB_ERR_MODULE_VERIFICATION_FAILED;
}
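Review bot: The added `print_hash(&pol_entry->hashes[0], hash_alg);` dereferences the first policy hash unconditionally, whereas the failing check just above is `is_hash_in_policy_entry`, which presumably iterates over however many hashes the entry holds; if an entry can legitimately carry zero hashes (the struct is not visible here) this reads past the entry, and when it carries several the diagnostic shows only one candidate. Guard it with the entry's hash count, e.g. `if ( pol_entry->num_hashes > 0 ) print_hash(&pol_entry->hashes[0], hash_alg);` (field name to be confirmed against tb_policy_entry_t), and label the two lines so the log is readable: `printk(TBOOT_ERR"\t computed:\n");` before the first and `printk(TBOOT_ERR"\t expected:\n");` before the second.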
diff --git a/tboot/common/tpm_20.c b/tboot/common/tpm_20.c
index b9b67c9..b7c5d62 100644
--- a/tboot/common/tpm_20.c
+++ b/tboot/common/tpm_20.c
@@ -2096,7 +2096,7 @@ static bool tpm20_nv_read(struct tpm_if *ti, uint32_t locality,
ret = _tpm20_nv_read(locality, &read_in, &read_out);
if ( ret != TPM_RC_SUCCESS ) {
- printk(TBOOT_WARN"TPM: read NV index %08x from offset %08x, return value = %08X\n",
+ printk(TBOOT_WARN"TPM 2.0: read NV index %08x from offset %08x, return value = %08X\n",
index, offset, ret);
ti->error = ret;
return false;
@@ -2504,8 +2504,9 @@ static bool tpm20_init(struct tpm_if *ti)
get_tboot_extpol();
if (info_list->capabilities.tpm_nv_index_set == 0){
/* init NV index */
- ti->tb_policy_index = 0x1200001;
- ti->lcp_own_index = 0x1400001;
+ ti->tb_policy_index = 0x1800001;
+ // ti->lcp_own_index = 0x1400001;
+ ti->lcp_own_index = 0x1c10131;
ti->tb_err_index = 0x1200002;
ti->sgx_svn_index = 0x01800004;
}
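Review bot: The new NV index values `0x1800001` and `0x1c10131` are bare magic numbers whose provenance is not stated, and they are only used on the fallback path where `tpm_nv_index_set == 0`, so a mismatch with whatever indices the provisioning tooling actually defines would surface only as a failed read_policy_from_tpm much later. Give them named constants with a comment recording which specification or provisioning script assigned them, e.g. `#define TB_POLICY_INDEX_DEFAULT 0x01800001 /* see tboot NV provisioning for this build */`, and note why `tb_err_index` stays at `0x1200002` while `tb_policy_index` moved out of that range, or move it too if the old range is no longer used. The commented-out `// ti->lcp_own_index = 0x1400001;` should be removed; git history already records the previous value.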
--
2.7.4