integ/security/tboot/centos/patches/1000-tboot-for-tis.patch
Scott Little bab9bb6b69 Internal restructuring of stx-integ
Create new directories:
   ceph
   config
   config-files
   filesystem
   kernel
   kernel/kernel-modules
   ldap
   logging
   strorage-drivers
   tools
   utilities
   virt

Retire directories:
   connectivity
   core
   devtools
   support
   extended

Delete two packages:
   tgt
   irqbalance

Relocated packages:
   base/
      dhcp
      initscripts
      libevent
      lighttpd
      linuxptp
      memcached
      net-snmp
      novnc
      ntp
      openssh
      pam
      procps
      sanlock
      shadow
      sudo
      systemd
      util-linux
      vim
      watchdog

   ceph/
      python-cephclient

   config/
      facter
      puppet-4.8.2
      puppet-modules

   filesystem/
      e2fsprogs
      nfs-utils
      nfscheck

   kernel/
      kernel-std
      kernel-rt

   kernel/kernel-modules/
      mlnx-ofa_kernel

   ldap/
      nss-pam-ldapd
      openldap

   logging/
      syslog-ng
      logrotate

   networking/
      lldpd
      iproute
      mellanox
      python-ryu
      mlx4-config

   python/
      python-2.7.5
      python-django
      python-gunicorn
      python-setuptools
      python-smartpm
      python-voluptuous

   security/
      shim-signed
      shim-unsigned
      tboot

   strorage-drivers/
      python-3parclient
      python-lefthandclient

   virt/
      cloud-init
      libvirt
      libvirt-python
      qemu

   tools/
      storage-topology
      vm-topology

   utilities/
      tis-extensions
      namespace-utils
      nova-utils
      update-motd

Change-Id: I37ade764d873c701b35eac5881eb40412ba64a86
Story: 2002801
Task: 22687
Signed-off-by: Scott Little <scott.little@windriver.com>
2018-08-01 10:06:31 -04:00

189 lines
7.4 KiB
Diff

From c2edea1ff347242a70075808652fa1ad4c86037a Mon Sep 17 00:00:00 2001
From: Bin Qian <bin.qian@windriver.com>
Date: Mon, 27 Nov 2017 08:35:11 -0500
Subject: [PATCH 1/1] WRS: Patch1: 9000-tboot-for-tis.patch
---
tboot/20_linux_tboot | 21 ++++++++++++---------
tboot/20_linux_xen_tboot | 2 +-
tboot/common/policy.c | 16 +++++++++++-----
tboot/common/tpm_20.c | 7 ++++---
4 files changed, 28 insertions(+), 18 deletions(-)
diff --git a/tboot/20_linux_tboot b/tboot/20_linux_tboot
index 7c25181..e4fd557 100644
--- a/tboot/20_linux_tboot
+++ b/tboot/20_linux_tboot
@@ -22,6 +22,13 @@ exec_prefix=${prefix}
bindir=${exec_prefix}/bin
libdir=${exec_prefix}/lib
sysconfdir=/etc
+
+
+tboot=`cat /proc/cmdline | xargs -n1 | grep '^tboot=true$'` || true
+if [ -z "$tboot" ]; then
+ exit 0
+fi
+
if test -e /usr/share/grub/grub-mkconfig_lib; then
. /usr/share/grub/grub-mkconfig_lib
elif test -e ${libdir}/grub/grub-mkconfig_lib; then
@@ -38,7 +45,7 @@ fi
[ -z "${GRUB_CMDLINE_LINUX_TBOOT}" ] && unset GRUB_CMDLINE_LINUX_TBOOT
[ -z "${GRUB_TBOOT_POLICY_DATA}" ] && unset GRUB_TBOOT_POLICY_DATA
# Command line for tboot itself
-: ${GRUB_CMDLINE_TBOOT='logging=serial,memory,vga'}
+: ${GRUB_CMDLINE_TBOOT='logging=serial,memory,vga extpol=sha256'}
# Linux kernel parameters to append for tboot
: ${GRUB_CMDLINE_LINUX_TBOOT='intel_iommu=on'}
# Base name of LCP policy data file for list policy
@@ -67,10 +74,8 @@ export TEXTDOMAINDIR=${prefix}/share/locale
CLASS="--class gnu-linux --class gnu --class os --class tboot"
-if [ "x${GRUB_DISTRIBUTOR}" = "x" ] ; then
- OS=GNU/Linux
-else
- OS="${GRUB_DISTRIBUTOR} GNU/Linux"
+OS="CentOS GNU/Linux"
+if [ -n "${GRUB_DISTRIBUTOR}" ] ; then
CLASS="--class $(echo ${GRUB_DISTRIBUTOR} | tr '[A-Z]' '[a-z]' | cut -d' ' -f1) ${CLASS}"
fi
@@ -107,9 +112,9 @@ linux_entry ()
iommu_args="$7"
if ${recovery} ; then
- title="$(gettext_quoted "%s, with tboot %s and Linux %s (recovery mode)")"
+ title="$(gettext_quoted "%s, w/ tboot %s & Linux %s (recovery mode)")"
else
- title="$(gettext_quoted "%s, with tboot %s and Linux %s")"
+ title="$(gettext_quoted "%s, w/ tboot %s & Linux %s")"
fi
if [ -d /sys/firmware/efi ] ; then
@@ -200,7 +205,6 @@ while [ "x${tboot_list}" != "x" ] && [ "x$linux_list" != "x" ] ; do
rel_tboot_dirname=`make_system_path_relative_to_its_root $tboot_dirname`
# tboot_version=`echo $tboot_basename | sed -e "s,.gz$,,g;s,^tboot-,,g"`
tboot_version="1.9.5"
- echo "submenu \"tboot ${tboot_version}\" {"
while [ "x$list" != "x" ] ; do
linux=`version_find_latest $list`
echo "Found linux image: $linux" >&2
@@ -241,6 +245,5 @@ while [ "x${tboot_list}" != "x" ] && [ "x$linux_list" != "x" ] ; do
list=`echo $list | tr ' ' '\n' | grep -vx $linux | tr '\n' ' '`
done
- echo "}"
tboot_list=`echo $tboot_list | tr ' ' '\n' | grep -vx $current_tboot | tr '\n' ' '`
done
diff --git a/tboot/20_linux_xen_tboot b/tboot/20_linux_xen_tboot
index b674834..4dc8d68 100644
--- a/tboot/20_linux_xen_tboot
+++ b/tboot/20_linux_xen_tboot
@@ -39,7 +39,7 @@ fi
[ -z "${GRUB_CMDLINE_LINUX_XEN_TBOOT}" ] && unset GRUB_CMDLINE_LINUX_XEN_TBOOT
[ -z "${GRUB_TBOOT_POLICY_DATA}" ] && unset GRUB_TBOOT_POLICY_DATA
# Command line for tboot itself
-: ${GRUB_CMDLINE_TBOOT='logging=serial,memory,vga'}
+: ${GRUB_CMDLINE_TBOOT='logging=serial,memory,vga extpol=sha256'}
# Xen parameters to append for tboot
: ${GRUB_CMDLINE_XEN_TBOOT=''}
# Linux kernel parameters to append for tboot + Xen
diff --git a/tboot/common/policy.c b/tboot/common/policy.c
index b30d299..9ec02be 100644
--- a/tboot/common/policy.c
+++ b/tboot/common/policy.c
@@ -347,6 +347,7 @@ tb_error_t set_policy(void)
* type is LCP_POLTYPE_LIST (since we could have been give a policy data
* file even though the policy was not a LIST */
printk(TBOOT_INFO"reading Launch Control Policy from TPM NV...\n");
+
if ( read_policy_from_tpm(g_tpm->lcp_own_index,
_policy_index_buf, &policy_index_size) ) {
printk(TBOOT_DETA"\t:%lu bytes read\n", policy_index_size);
@@ -406,6 +407,7 @@ bool hash_policy(tb_hash_t *hash, uint16_t hash_alg)
/* generate hash by hashing cmdline and module image */
static bool hash_module(hash_list_t *hl,
+ u16 cur_alg,
const char* cmdline, void *base,
size_t size)
{
@@ -414,6 +416,7 @@ static bool hash_module(hash_list_t *hl,
return false;
}
+ printk(TBOOT_INFO"Using hash algorithm %d\n", cur_alg);
/* final hash is SHA-1( SHA-1(cmdline) | SHA-1(image) ) */
/* where cmdline is first stripped of leading spaces, file name, then */
/* any spaces until the next non-space char */
@@ -428,16 +431,17 @@ static bool hash_module(hash_list_t *hl,
switch (g_tpm->extpol) {
case TB_EXTPOL_FIXED:
hl->count = 1;
- hl->entries[0].alg = g_tpm->cur_alg;
+ // hl->entries[0].alg = g_tpm->cur_alg;
+ hl->entries[0].alg = cur_alg;
if ( !hash_buffer((const unsigned char *)cmdline, strlen(cmdline),
- &hl->entries[0].hash, g_tpm->cur_alg) )
+ &hl->entries[0].hash, cur_alg) )
return false;
/* hash image and extend into cmdline hash */
tb_hash_t img_hash;
- if ( !hash_buffer(base, size, &img_hash, g_tpm->cur_alg) )
+ if ( !hash_buffer(base, size, &img_hash, cur_alg) )
return false;
- if ( !extend_hash(&hl->entries[0].hash, &img_hash, g_tpm->cur_alg) )
+ if ( !extend_hash(&hl->entries[0].hash, &img_hash, cur_alg) )
return false;
break;
@@ -633,7 +637,7 @@ static tb_error_t verify_module(module_t *module, tb_policy_entry_t *pol_entry,
}
hash_list_t hl;
- if ( !hash_module(&hl, cmdline, base, size) ) {
+ if ( !hash_module(&hl, hash_alg, cmdline, base, size) ) {
printk(TBOOT_ERR"\t hash cannot be generated.\n");
return TB_ERR_MODULE_VERIFICATION_FAILED;
}
@@ -657,6 +661,8 @@ static tb_error_t verify_module(module_t *module, tb_policy_entry_t *pol_entry,
if ( pol_entry != NULL &&
!is_hash_in_policy_entry(pol_entry, &hl.entries[0].hash, hash_alg) ) {
printk(TBOOT_ERR"\t verification failed\n");
+ print_hash(&hl.entries[0].hash, hash_alg);
+ print_hash(&pol_entry->hashes[0], hash_alg);
return TB_ERR_MODULE_VERIFICATION_FAILED;
}
diff --git a/tboot/common/tpm_20.c b/tboot/common/tpm_20.c
index 678a3d2..63ca9dd 100644
--- a/tboot/common/tpm_20.c
+++ b/tboot/common/tpm_20.c
@@ -1933,7 +1933,7 @@ static bool tpm20_nv_read(struct tpm_if *ti, uint32_t locality,
ret = _tpm20_nv_read(locality, &read_in, &read_out);
if ( ret != TPM_RC_SUCCESS ) {
- printk(TBOOT_WARN"TPM: read NV index %08x from offset %08x, return value = %08X\n",
+ printk(TBOOT_WARN"TPM 2.0: read NV index %08x from offset %08x, return value = %08X\n",
index, offset, ret);
ti->error = ret;
return false;
@@ -2273,8 +2273,9 @@ static bool tpm20_init(struct tpm_if *ti)
get_tboot_extpol();
if (info_list->capabilities.tpm_nv_index_set == 0){
/* init NV index */
- ti->tb_policy_index = 0x1200001;
- ti->lcp_own_index = 0x1400001;
+ ti->tb_policy_index = 0x1800001;
+ // ti->lcp_own_index = 0x1400001;
+ ti->lcp_own_index = 0x1c10131;
ti->tb_err_index = 0x1200002;
ti->sgx_svn_index = 0x01800004;
}
--
1.8.3.1