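/*
 *  VAS_EBOOT  --  GRand Unified Bootloader
 *  Copyright (C) 2018  Free Software Foundation, Inc.
 *
 *  VAS_EBOOT is free software: you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation, either version 3 of the License, or
 *  (at your option) any later version.
 *
 *  VAS_EBOOT is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with VAS_EBOOT.  If not, see <http://www.gnu.org/licenses/>.
 *
 *  Core TPM support code.
 */

/*
 * NOTE(review): the header names of the eight #include directives below
 * were lost when this listing was extracted.  Restore them from the
 * project tree; they are deliberately not guessed here.
 */
#include
#include
#include
#include
#include
#include
#include
#include

VAS_EBOOT_MOD_LICENSE ("GPLv3+");

/*
 * Verifier "init" hook: called with the file that is about to be read.
 *
 * Stores the file name in *CONTEXT so that VasEBoot_tpm_verify_write() can
 * hand it to VasEBoot_tpm_measure() as the description of the measurement,
 * and requests that the whole file be delivered in a single chunk.
 *
 * *CONTEXT aliases IO->name rather than copying it.
 * NOTE(review): this presumably relies on IO outliving the write hook;
 * confirm against the verifier framework.
 *
 * Always returns VAS_EBOOT_ERR_NONE.
 */
static VasEBoot_err_t
VasEBoot_tpm_verify_init (VasEBoot_file_t io,
			  enum VasEBoot_file_type type __attribute__ ((unused)),
			  void **context, enum VasEBoot_verify_flags *flags)
{
  *context = io->name;
  *flags |= VAS_EBOOT_VERIFY_FLAGS_SINGLE_CHUNK;

  /*
   * The loopback image is mapped as a disk allowing it to function like
   * a block device. However, we measure files read from the block device
   * not the device itself. For example, we don't measure block devices like
   * hd0 disk directly. This process is crucial to prevent out-of-memory
   * errors as loopback images are inherently large.
   *
   * Note that this is a plain assignment, not an OR: every flag set so far
   * (including SINGLE_CHUNK above) is replaced, and the loopback image
   * itself is never extended into a PCR by this verifier.
   */
  if ((type & VAS_EBOOT_FILE_TYPE_MASK) == VAS_EBOOT_FILE_TYPE_LOOPBACK)
    *flags = VAS_EBOOT_VERIFY_FLAGS_SKIP_VERIFICATION;

  return VAS_EBOOT_ERR_NONE;
}

/*
 * Verifier "write" hook: measures SIZE bytes at BUF into
 * VAS_EBOOT_BINARY_PCR, using CONTEXT (the file name stored by the init
 * hook) as the description.
 *
 * Returns VAS_EBOOT_ERR_NONE on success.  On failure the error is logged
 * under the "tpm" debug condition and is propagated only when
 * VasEBoot_is_tpm_fail_fatal() says so; otherwise the failure is swallowed
 * and the caller proceeds with a file that was NOT measured.  Deployments
 * that depend on measured boot or remote attestation should make sure the
 * fail-fatal policy is enabled, since the non-fatal path fails open.
 */
static VasEBoot_err_t
VasEBoot_tpm_verify_write (void *context, void *buf, VasEBoot_size_t size)
{
  VasEBoot_err_t status = VasEBoot_tpm_measure (buf, size,
						VAS_EBOOT_BINARY_PCR, context);

  if (status == VAS_EBOOT_ERR_NONE)
    return VAS_EBOOT_ERR_NONE;

  VasEBoot_dprintf ("tpm", "Measuring buffer failed: %d\n", status);
  return VasEBoot_is_tpm_fail_fatal () ? status : VAS_EBOOT_ERR_NONE;
}

/*
 * Verifier "verify_string" hook: measures the string STR (a kernel command
 * line, module command line or command, according to TYPE) into
 * VAS_EBOOT_STRING_PCR.
 *
 * Only the bytes of STR (without its terminating NUL) are passed as the
 * data to measure; the type prefix is part of the description only.
 *
 * Returns VasEBoot_errno if the description buffer cannot be allocated.
 * A measurement failure follows the same policy as
 * VasEBoot_tpm_verify_write(): it is returned only when
 * VasEBoot_is_tpm_fail_fatal() is true, otherwise it is logged and ignored,
 * leaving the string unmeasured.
 */
static VasEBoot_err_t
VasEBoot_tpm_verify_string (char *str, enum VasEBoot_verify_string_type type)
{
  /*
   * Start from an empty prefix instead of NULL: if TYPE ever carries a
   * value that the switch below does not handle, the string is still
   * measured (with an unprefixed description) rather than passing NULL to
   * VasEBoot_strlen()/VasEBoot_memcpy().  The switch intentionally has no
   * default label so the compiler can still warn about unhandled
   * enumerators.
   */
  const char *prefix = "";
  char *description;
  VasEBoot_size_t prefix_len;
  VasEBoot_size_t str_len;
  VasEBoot_err_t status;

  switch (type)
    {
    case VAS_EBOOT_VERIFY_KERNEL_CMDLINE:
      prefix = "kernel_cmdline: ";
      break;
    case VAS_EBOOT_VERIFY_MODULE_CMDLINE:
      prefix = "module_cmdline: ";
      break;
    case VAS_EBOOT_VERIFY_COMMAND:
      prefix = "VasEBoot_cmd: ";
      break;
    }

  prefix_len = VasEBoot_strlen (prefix);
  str_len = VasEBoot_strlen (str);

  /* Description is "<prefix><str>" plus the terminating NUL. */
  description = VasEBoot_malloc (str_len + prefix_len + 1);
  if (!description)
    return VasEBoot_errno;

  VasEBoot_memcpy (description, prefix, prefix_len);
  /* The "+ 1" copies STR's terminating NUL as well. */
  VasEBoot_memcpy (description + prefix_len, str, str_len + 1);

  status = VasEBoot_tpm_measure ((unsigned char *) str, str_len,
				 VAS_EBOOT_STRING_PCR, description);
  VasEBoot_free (description);

  if (status == VAS_EBOOT_ERR_NONE)
    return VAS_EBOOT_ERR_NONE;

  VasEBoot_dprintf ("tpm", "Measuring string %s failed: %d\n", str, status);
  return VasEBoot_is_tpm_fail_fatal () ? status : VAS_EBOOT_ERR_NONE;
}

/* Hooks that plug TPM measurement into the file verifier framework. */
struct VasEBoot_file_verifier VasEBoot_tpm_verifier = {
  .name = "tpm",
  .init = VasEBoot_tpm_verify_init,
  .write = VasEBoot_tpm_verify_write,
  .verify_string = VasEBoot_tpm_verify_string,
};

VAS_EBOOT_MOD_INIT (tpm)
{
  /*
   * Even though this now calls ibmvtpm's VasEBoot_tpm_present() from
   * VAS_EBOOT_MOD_INIT(), it does seem to call it late enough in the
   * initialization sequence so that whatever discovered "device nodes"
   * before this VAS_EBOOT_MOD_INIT() is called, enables the ibmvtpm driver
   * to see the device nodes.
   *
   * When no TPM is reported the verifier is simply not registered, so
   * nothing is measured and no error is raised.
   */
  if (!VasEBoot_tpm_present ())
    return;

  VasEBoot_verifier_register (&VasEBoot_tpm_verifier);
}

VAS_EBOOT_MOD_FINI (tpm)
{
  /*
   * NOTE(review): presence is queried again here instead of remembering
   * whether MOD_INIT registered the verifier.  If the two answers could
   * ever differ, the verifier might stay registered after unload or be
   * unregistered without having been registered -- confirm that
   * VasEBoot_tpm_present() is stable over the module's lifetime.
   */
  if (!VasEBoot_tpm_present ())
    return;

  VasEBoot_verifier_unregister (&VasEBoot_tpm_verifier);
}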