d983580f90
Test: Install bootimage.iso on bare mental, enable Intel TXT setting in BIOS. During installation make with such selection "Standard Controller" or "All-in-One Controller" -> "Graphical console" -> "EXTENDED Security Profile" -> "Trusted Boot Profile" After system bootup, check tboot with such command "sudo txt-stat" Depends-On: https://review.openstack.org/627745 Story: 2004522 Task: 28436 Change-Id: I7599f1648acfa71757cd5dfdb54f00c9499c8d61 Signed-off-by: Martin, Chen <haochuan.z.chen@intel.com>
189 lines
7.4 KiB
Diff
189 lines
7.4 KiB
Diff
From c2edea1ff347242a70075808652fa1ad4c86037a Mon Sep 17 00:00:00 2001
|
|
From: Bin Qian <bin.qian@windriver.com>
|
|
Date: Mon, 27 Nov 2017 08:35:11 -0500
|
|
Subject: [PATCH 1/1] WRS: Patch1: 9000-tboot-for-tis.patch
|
|
|
|
---
|
|
tboot/20_linux_tboot | 21 ++++++++++++---------
|
|
tboot/20_linux_xen_tboot | 2 +-
|
|
tboot/common/policy.c | 16 +++++++++++-----
|
|
tboot/common/tpm_20.c | 7 ++++---
|
|
4 files changed, 28 insertions(+), 18 deletions(-)
|
|
|
|
diff --git a/tboot/20_linux_tboot b/tboot/20_linux_tboot
|
|
index 816d50a..eed512d 100644
|
|
--- a/tboot/20_linux_tboot
|
|
+++ b/tboot/20_linux_tboot
|
|
@@ -22,6 +22,13 @@ exec_prefix=${prefix}
|
|
bindir=${exec_prefix}/bin
|
|
libdir=${exec_prefix}/lib
|
|
sysconfdir=/etc
|
|
+
|
|
+
|
|
+tboot=`cat /proc/cmdline | xargs -n1 | grep '^tboot=true$'` || true
|
|
+if [ -z "$tboot" ]; then
|
|
+ exit 0
|
|
+fi
|
|
+
|
|
if test -e /usr/share/grub/grub-mkconfig_lib; then
|
|
. /usr/share/grub/grub-mkconfig_lib
|
|
elif test -e ${libdir}/grub/grub-mkconfig_lib; then
|
|
@@ -40,7 +47,7 @@ fi
|
|
[ -z "${GRUB_CMDLINE_LINUX_TBOOT}" ] && unset GRUB_CMDLINE_LINUX_TBOOT
|
|
[ -z "${GRUB_TBOOT_POLICY_DATA}" ] && unset GRUB_TBOOT_POLICY_DATA
|
|
# Command line for tboot itself
|
|
-: ${GRUB_CMDLINE_TBOOT='logging=serial,memory,vga'}
|
|
+: ${GRUB_CMDLINE_TBOOT='logging=serial,memory,vga extpol=sha256'}
|
|
# Linux kernel parameters to append for tboot
|
|
: ${GRUB_CMDLINE_LINUX_TBOOT='intel_iommu=on'}
|
|
# Base name of LCP policy data file for list policy
|
|
@@ -69,10 +76,8 @@ export TEXTDOMAINDIR=${prefix}/share/locale
|
|
|
|
CLASS="--class gnu-linux --class gnu --class os --class tboot"
|
|
|
|
-if [ "x${GRUB_DISTRIBUTOR}" = "x" ] ; then
|
|
- OS=GNU/Linux
|
|
-else
|
|
- OS="${GRUB_DISTRIBUTOR} GNU/Linux"
|
|
+OS="CentOS GNU/Linux"
|
|
+if [ -n "${GRUB_DISTRIBUTOR}" ] ; then
|
|
CLASS="--class $(echo ${GRUB_DISTRIBUTOR} | tr '[A-Z]' '[a-z]' | cut -d' ' -f1) ${CLASS}"
|
|
fi
|
|
|
|
@@ -109,9 +114,9 @@ linux_entry ()
|
|
iommu_args="$7"
|
|
|
|
if ${recovery} ; then
|
|
- title="$(gettext_quoted "%s, with tboot %s and Linux %s (recovery mode)")"
|
|
+ title="$(gettext_quoted "%s, w/ tboot %s & Linux %s (recovery mode)")"
|
|
else
|
|
- title="$(gettext_quoted "%s, with tboot %s and Linux %s")"
|
|
+ title="$(gettext_quoted "%s, w/ tboot %s & Linux %s")"
|
|
fi
|
|
|
|
if [ -d /sys/firmware/efi ] ; then
|
|
@@ -202,7 +207,6 @@ while [ "x${tboot_list}" != "x" ] && [ "x$linux_list" != "x" ] ; do
|
|
rel_tboot_dirname=`make_system_path_relative_to_its_root $tboot_dirname`
|
|
# tboot_version=`echo $tboot_basename | sed -e "s,.gz$,,g;s,^tboot-,,g"`
|
|
tboot_version="1.9.6"
|
|
- echo "submenu \"tboot ${tboot_version}\" {"
|
|
while [ "x$list" != "x" ] ; do
|
|
linux=`version_find_latest $list`
|
|
echo "Found linux image: $linux" >&2
|
|
@@ -243,6 +247,5 @@ while [ "x${tboot_list}" != "x" ] && [ "x$linux_list" != "x" ] ; do
|
|
|
|
list=`echo $list | tr ' ' '\n' | grep -vx $linux | tr '\n' ' '`
|
|
done
|
|
- echo "}"
|
|
tboot_list=`echo $tboot_list | tr ' ' '\n' | grep -vx $current_tboot | tr '\n' ' '`
|
|
done
|
|
diff --git a/tboot/20_linux_xen_tboot b/tboot/20_linux_xen_tboot
|
|
index a113a3c..b1e4b09 100644
|
|
--- a/tboot/20_linux_xen_tboot
|
|
+++ b/tboot/20_linux_xen_tboot
|
|
@@ -41,7 +41,7 @@ fi
|
|
[ -z "${GRUB_CMDLINE_LINUX_XEN_TBOOT}" ] && unset GRUB_CMDLINE_LINUX_XEN_TBOOT
|
|
[ -z "${GRUB_TBOOT_POLICY_DATA}" ] && unset GRUB_TBOOT_POLICY_DATA
|
|
# Command line for tboot itself
|
|
-: ${GRUB_CMDLINE_TBOOT='logging=serial,memory,vga'}
|
|
+: ${GRUB_CMDLINE_TBOOT='logging=serial,memory,vga extpol=sha256'}
|
|
# Xen parameters to append for tboot
|
|
: ${GRUB_CMDLINE_XEN_TBOOT=''}
|
|
# Linux kernel parameters to append for tboot + Xen
|
|
diff --git a/tboot/common/policy.c b/tboot/common/policy.c
|
|
index 9678b7c..5a16d81 100644
|
|
--- a/tboot/common/policy.c
|
|
+++ b/tboot/common/policy.c
|
|
@@ -353,6 +353,7 @@ tb_error_t set_policy(void)
|
|
* type is LCP_POLTYPE_LIST (since we could have been give a policy data
|
|
* file even though the policy was not a LIST */
|
|
printk(TBOOT_INFO"reading Launch Control Policy from TPM NV...\n");
|
|
+
|
|
if ( read_policy_from_tpm(tpm->lcp_own_index,
|
|
_policy_index_buf, &policy_index_size) ) {
|
|
printk(TBOOT_DETA"\t:%lu bytes read\n", policy_index_size);
|
|
@@ -412,6 +413,7 @@ bool hash_policy(tb_hash_t *hash, uint16_t hash_alg)
|
|
|
|
/* generate hash by hashing cmdline and module image */
|
|
static bool hash_module(hash_list_t *hl,
|
|
+ u16 cur_alg,
|
|
const char* cmdline, void *base,
|
|
size_t size)
|
|
{
|
|
@@ -423,6 +425,7 @@ static bool hash_module(hash_list_t *hl,
|
|
return false;
|
|
}
|
|
|
|
+ printk(TBOOT_INFO"Using hash algorithm %d\n", cur_alg);
|
|
/* final hash is SHA-1( SHA-1(cmdline) | SHA-1(image) ) */
|
|
/* where cmdline is first stripped of leading spaces, file name, then */
|
|
/* any spaces until the next non-space char */
|
|
@@ -437,16 +440,17 @@ static bool hash_module(hash_list_t *hl,
|
|
switch (tpm->extpol) {
|
|
case TB_EXTPOL_FIXED:
|
|
hl->count = 1;
|
|
- hl->entries[0].alg = tpm->cur_alg;
|
|
+ // hl->entries[0].alg = tpm->cur_alg;
|
|
+ hl->entries[0].alg = cur_alg;
|
|
|
|
if ( !hash_buffer((const unsigned char *)cmdline, strlen(cmdline),
|
|
- &hl->entries[0].hash, tpm->cur_alg) )
|
|
+ &hl->entries[0].hash, cur_alg) )
|
|
return false;
|
|
/* hash image and extend into cmdline hash */
|
|
tb_hash_t img_hash;
|
|
- if ( !hash_buffer(base, size, &img_hash, tpm->cur_alg) )
|
|
+ if ( !hash_buffer(base, size, &img_hash, cur_alg) )
|
|
return false;
|
|
- if ( !extend_hash(&hl->entries[0].hash, &img_hash, tpm->cur_alg) )
|
|
+ if ( !extend_hash(&hl->entries[0].hash, &img_hash, cur_alg) )
|
|
return false;
|
|
|
|
break;
|
|
@@ -643,7 +647,7 @@ static tb_error_t verify_module(module_t *module, tb_policy_entry_t *pol_entry,
|
|
}
|
|
|
|
hash_list_t hl;
|
|
- if ( !hash_module(&hl, cmdline, base, size) ) {
|
|
+ if ( !hash_module(&hl, hash_alg, cmdline, base, size) ) {
|
|
printk(TBOOT_ERR"\t hash cannot be generated.\n");
|
|
return TB_ERR_MODULE_VERIFICATION_FAILED;
|
|
}
|
|
@@ -667,6 +671,8 @@ static tb_error_t verify_module(module_t *module, tb_policy_entry_t *pol_entry,
|
|
if ( pol_entry != NULL &&
|
|
!is_hash_in_policy_entry(pol_entry, &hl.entries[0].hash, hash_alg) ) {
|
|
printk(TBOOT_ERR"\t verification failed\n");
|
|
+ print_hash(&hl.entries[0].hash, hash_alg);
|
|
+ print_hash(&pol_entry->hashes[0], hash_alg);
|
|
return TB_ERR_MODULE_VERIFICATION_FAILED;
|
|
}
|
|
|
|
diff --git a/tboot/common/tpm_20.c b/tboot/common/tpm_20.c
|
|
index b9b67c9..b7c5d62 100644
|
|
--- a/tboot/common/tpm_20.c
|
|
+++ b/tboot/common/tpm_20.c
|
|
@@ -2096,7 +2096,7 @@ static bool tpm20_nv_read(struct tpm_if *ti, uint32_t locality,
|
|
|
|
ret = _tpm20_nv_read(locality, &read_in, &read_out);
|
|
if ( ret != TPM_RC_SUCCESS ) {
|
|
- printk(TBOOT_WARN"TPM: read NV index %08x from offset %08x, return value = %08X\n",
|
|
+ printk(TBOOT_WARN"TPM 2.0: read NV index %08x from offset %08x, return value = %08X\n",
|
|
index, offset, ret);
|
|
ti->error = ret;
|
|
return false;
|
|
@@ -2504,8 +2504,9 @@ static bool tpm20_init(struct tpm_if *ti)
|
|
get_tboot_extpol();
|
|
if (info_list->capabilities.tpm_nv_index_set == 0){
|
|
/* init NV index */
|
|
- ti->tb_policy_index = 0x1200001;
|
|
- ti->lcp_own_index = 0x1400001;
|
|
+ ti->tb_policy_index = 0x1800001;
|
|
+ // ti->lcp_own_index = 0x1400001;
|
|
+ ti->lcp_own_index = 0x1c10131;
|
|
ti->tb_err_index = 0x1200002;
|
|
ti->sgx_svn_index = 0x01800004;
|
|
}
|
|
--
|
|
2.7.4
|
|
|