/*
 * VAS_EBOOT -- GRand Unified Bootloader
 * Copyright (C) 2018 Free Software Foundation, Inc.
 *
 * VAS_EBOOT is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * VAS_EBOOT is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with VAS_EBOOT. If not, see <http://www.gnu.org/licenses/>.
 *
 * Core TPM support code: a file verifier that measures every file the
 * loader opens into VAS_EBOOT_BINARY_PCR and every command line / command
 * string into VAS_EBOOT_STRING_PCR.
 */
#include <VasEBoot/err.h>
#include <VasEBoot/i18n.h>
#include <VasEBoot/misc.h>
#include <VasEBoot/mm.h>
#include <VasEBoot/tpm.h>
#include <VasEBoot/term.h>
#include <VasEBoot/verify.h>
#include <VasEBoot/dl.h>
/* License tag embedded in the module so the loader can refuse/flag
   modules whose license string does not match its policy.  */
VAS_EBOOT_MOD_LICENSE ("GPLv3+");
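/*
 * Verifier "init" hook, called once per file opened through the verifier
 * framework.  Decides how (or whether) the tpm verifier gets to see the
 * file's data.
 *
 * io:      the file being opened.  Its name is stored as the per-file
 *          context so the write hook can use it as the event-log
 *          description for the measurement.
 * type:    the file's VasEBoot_file_type.  Only the loopback check below
 *          reads it (the original marked this parameter unused, which was
 *          stale: it is read, so the attribute has been dropped).
 * context: out-parameter; receives io->name.
 * flags:   in/out verify flags for this verifier on this file.
 *
 * Returns VAS_EBOOT_ERR_NONE unconditionally.
 */
static VasEBoot_err_t
VasEBoot_tpm_verify_init (VasEBoot_file_t io, enum VasEBoot_file_type type,
			  void **context, enum VasEBoot_verify_flags *flags)
{
  *context = io->name;

  /* Ask for the whole file in a single write() call so one measurement
     covers the entire contents rather than a sequence of partial reads.  */
  *flags |= VAS_EBOOT_VERIFY_FLAGS_SINGLE_CHUNK;

  /*
   * A loopback image is mapped as a disk so it can act like a block device.
   * Files read *from* that device are measured individually; the device
   * itself is not, just as a physical disk such as hd0 is not measured as a
   * whole.  Measuring the image would also require reading it in one chunk,
   * which is an easy way to run out of memory since loopback images are
   * typically large.
   *
   * NOTE(security): this means the loopback container never contributes to
   * a PCR on its own; only the files subsequently opened out of it do.  The
   * assignment (not |=) deliberately replaces SINGLE_CHUNK above, since the
   * verifier is skipped entirely for this file.
   */
  if ((type & VAS_EBOOT_FILE_TYPE_MASK) == VAS_EBOOT_FILE_TYPE_LOOPBACK)
    *flags = VAS_EBOOT_VERIFY_FLAGS_SKIP_VERIFICATION;

  return VAS_EBOOT_ERR_NONE;
}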
|
|
|
|
/*
 * Verifier "write" hook: extends VAS_EBOOT_BINARY_PCR with the file data.
 *
 * context: the file name recorded by VasEBoot_tpm_verify_init; passed on
 *          as the event-log description of the measurement.
 * buf:     data to measure.
 * size:    number of bytes in buf.
 *
 * Returns VAS_EBOOT_ERR_NONE when the measurement succeeds.  On failure the
 * error is logged to the "tpm" debug channel; it is propagated (which makes
 * the framework reject the file) only when VasEBoot_is_tpm_fail_fatal()
 * says so.  Otherwise the failure is deliberately swallowed and the file is
 * used unmeasured -- best-effort by design, so a broken or absent TPM does
 * not prevent booting unless the operator opted into fail-fatal behaviour.
 */
static VasEBoot_err_t
VasEBoot_tpm_verify_write (void *context, void *buf, VasEBoot_size_t size)
{
  VasEBoot_err_t err;

  err = VasEBoot_tpm_measure (buf, size, VAS_EBOOT_BINARY_PCR, context);
  if (err != VAS_EBOOT_ERR_NONE)
    {
      VasEBoot_dprintf ("tpm", "Measuring buffer failed: %d\n", err);
      if (VasEBoot_is_tpm_fail_fatal ())
	return err;
    }

  return VAS_EBOOT_ERR_NONE;
}
|
|
|
|
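/*
 * Verifier "verify_string" hook: extends VAS_EBOOT_STRING_PCR with a kernel
 * command line, module command line or interpreter command, and labels the
 * event-log entry with a prefix saying which of those it was.
 *
 * str:  NUL-terminated string to measure.
 * type: which kind of string this is; selects the event-log prefix.
 *
 * Only the raw string is measured.  The prefix goes into the event-log
 * description only, so the resulting PCR value does not depend on it.
 *
 * Returns VAS_EBOOT_ERR_NONE on success.  If the description buffer cannot
 * be allocated, VasEBoot_errno is returned.  A measurement failure is
 * logged and propagated only when VasEBoot_is_tpm_fail_fatal() is set;
 * otherwise it is swallowed and the boot continues.
 */
static VasEBoot_err_t
VasEBoot_tpm_verify_string (char *str, enum VasEBoot_verify_string_type type)
{
  const char *prefix;
  VasEBoot_size_t prefix_len, str_len;
  char *description;
  VasEBoot_err_t status;

  switch (type)
    {
    case VAS_EBOOT_VERIFY_KERNEL_CMDLINE:
      prefix = "kernel_cmdline: ";
      break;
    case VAS_EBOOT_VERIFY_MODULE_CMDLINE:
      prefix = "module_cmdline: ";
      break;
    case VAS_EBOOT_VERIFY_COMMAND:
      prefix = "VasEBoot_cmd: ";
      break;
    default:
      /* Unrecognised string type.  Previously prefix stayed NULL here and
	 the strlen() below dereferenced it.  Still measure the string (never
	 skip a measurement silently) but label it so the event log shows
	 the type was unknown.  */
      prefix = "unknown: ";
      break;
    }

  /* Lengths are needed several times; compute them once.  */
  prefix_len = VasEBoot_strlen (prefix);
  str_len = VasEBoot_strlen (str);

  description = VasEBoot_malloc (prefix_len + str_len + 1);
  if (description == NULL)
    return VasEBoot_errno;

  VasEBoot_memcpy (description, prefix, prefix_len);
  /* +1 copies the terminating NUL as well.  */
  VasEBoot_memcpy (description + prefix_len, str, str_len + 1);

  status = VasEBoot_tpm_measure ((unsigned char *) str, str_len,
				 VAS_EBOOT_STRING_PCR, description);
  VasEBoot_free (description);

  if (status == VAS_EBOOT_ERR_NONE)
    return VAS_EBOOT_ERR_NONE;

  VasEBoot_dprintf ("tpm", "Measuring string %s failed: %d\n", str, status);
  /* Same best-effort policy as the write hook: only fatal on opt-in.  */
  return VasEBoot_is_tpm_fail_fatal () ? status : VAS_EBOOT_ERR_NONE;
}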
|
|
|
|
/*
 * Hook table registered with the verifier framework when a TPM is present.
 * Only init, write and verify_string are provided; any other members of
 * struct VasEBoot_file_verifier are left zero-initialised and are
 * presumably treated as "not implemented" by the framework -- confirm
 * against the verifier core if adding hooks.
 */
struct VasEBoot_file_verifier VasEBoot_tpm_verifier =
  {
    .init = VasEBoot_tpm_verify_init,
    .write = VasEBoot_tpm_verify_write,
    .verify_string = VasEBoot_tpm_verify_string,
    .name = "tpm",
  };
|
|
|
|
/*
 * Module entry point: register the tpm verifier, but only when a TPM
 * device is actually reachable.  Without this guard every file open would
 * hit the measurement path (and, with fail-fatal enabled, fail) on
 * machines that have no TPM at all.
 *
 * Per the original note, VasEBoot_tpm_present() comes from the ibmvtpm
 * driver; calling it from MOD_INIT is late enough in the initialisation
 * sequence that device nodes discovered before this point are already
 * visible to that driver.
 */
VAS_EBOOT_MOD_INIT (tpm)
{
  if (VasEBoot_tpm_present ())
    VasEBoot_verifier_register (&VasEBoot_tpm_verifier);
}
|
|
|
|
/*
 * Module teardown: drop the verifier registration made by MOD_INIT.
 *
 * The presence check mirrors the one in MOD_INIT so that we never try to
 * unregister something that was never registered.  NOTE(review): this
 * assumes VasEBoot_tpm_present() gives the same answer at unload time as it
 * did at load time; if it can change in between, the registration would be
 * left dangling -- confirm against the driver.
 */
VAS_EBOOT_MOD_FINI (tpm)
{
  if (VasEBoot_tpm_present ())
    VasEBoot_verifier_unregister (&VasEBoot_tpm_verifier);
}
|