[U-Boot] [PATCH v2 08/19] tpm: handle different buffer sizes

Miquel Raynal miquel.raynal at bootlin.com
Thu Mar 29 07:43:50 UTC 2018


Usual buffer sizes for TPMv1 and TPMv2 are different. Change TPMv1
buffer size definition for that and declare another size for TPMv2
buffers.

Signed-off-by: Miquel Raynal <miquel.raynal at bootlin.com>
---
 cmd/tpm.c     |  5 +++--
 include/tpm.h |  2 ++
 lib/tpm.c     | 60 +++++++++++++++++++++++++++++------------------------------
 3 files changed, 34 insertions(+), 33 deletions(-)

diff --git a/cmd/tpm.c b/cmd/tpm.c
index 1d32028b64..3e2bb3b118 100644
--- a/cmd/tpm.c
+++ b/cmd/tpm.c
@@ -323,8 +323,9 @@ static int do_tpm_nv_write_value(cmd_tbl_t *cmdtp, int flag,
 static int do_tpm_extend(cmd_tbl_t *cmdtp, int flag,
 		int argc, char * const argv[])
 {
+	uint8_t in_digest[TPM1_DIGEST_LENGTH];
+	uint8_t out_digest[TPM1_DIGEST_LENGTH];
 	uint32_t index, rc;
-	uint8_t in_digest[20], out_digest[20];
 
 	if (argc != 3)
 		return CMD_RET_USAGE;
@@ -337,7 +338,7 @@ static int do_tpm_extend(cmd_tbl_t *cmdtp, int flag,
 	rc = tpm_extend(index, in_digest, out_digest);
 	if (!rc) {
 		puts("PCR value after execution of the command:\n");
-		print_byte_string(out_digest, sizeof(out_digest));
+		print_byte_string(out_digest, TPM1_DIGEST_LENGTH);
 	}
 
 	return report_return_code(rc);
diff --git a/include/tpm.h b/include/tpm.h
index 0ec3428ea4..1a60ef5b36 100644
--- a/include/tpm.h
+++ b/include/tpm.h
@@ -14,6 +14,8 @@
  */
 
 #define TPM_HEADER_SIZE		10
+#define TPM1_DIGEST_LENGTH	20
+#define TPM2_DIGEST_LENGTH	32
 
 enum tpm_duration {
 	TPM_SHORT = 0,
diff --git a/lib/tpm.c b/lib/tpm.c
index aa46ec1693..c0fbba86ff 100644
--- a/lib/tpm.c
+++ b/lib/tpm.c
@@ -29,8 +29,6 @@ enum {
 	COMMAND_BUFFER_SIZE		= 256,
 	TPM_REQUEST_HEADER_LENGTH	= 10,
 	TPM_RESPONSE_HEADER_LENGTH	= 10,
-	PCR_DIGEST_LENGTH		= 20,
-	DIGEST_LENGTH			= 20,
 	TPM_REQUEST_AUTH_LENGTH		= 45,
 	TPM_RESPONSE_AUTH_LENGTH	= 41,
 	/* some max lengths, valid for RSA keys <= 2048 bits */
@@ -47,8 +45,8 @@ enum {
 struct session_data {
 	int		valid;
 	uint32_t	handle;
-	uint8_t		nonce_even[DIGEST_LENGTH];
-	uint8_t		nonce_odd[DIGEST_LENGTH];
+	uint8_t		nonce_even[TPM1_DIGEST_LENGTH];
+	uint8_t		nonce_odd[TPM1_DIGEST_LENGTH];
 };
 
 static struct session_data oiap_session = {0, };
@@ -469,7 +467,7 @@ uint32_t tpm_extend(uint32_t index, const void *in_digest, void *out_digest)
 	const size_t in_digest_offset = 14;
 	const size_t out_digest_offset = 10;
 	uint8_t buf[COMMAND_BUFFER_SIZE];
-	uint8_t response[TPM_RESPONSE_HEADER_LENGTH + PCR_DIGEST_LENGTH];
+	uint8_t response[TPM_RESPONSE_HEADER_LENGTH + TPM1_DIGEST_LENGTH];
 	size_t response_length = sizeof(response);
 	uint32_t err;
 
@@ -477,18 +475,18 @@ uint32_t tpm_extend(uint32_t index, const void *in_digest, void *out_digest)
 		return -EOPNOTSUPP;
 
 	if (pack_byte_string(buf, sizeof(buf), "sds",
-				0, command, sizeof(command),
-				index_offset, index,
-				in_digest_offset, in_digest,
-				PCR_DIGEST_LENGTH))
+			     0, command, sizeof(command),
+			     index_offset, index,
+			     in_digest_offset, in_digest,
+			     TPM1_DIGEST_LENGTH))
 		return TPM_LIB_ERROR;
 	err = tpm_sendrecv_command(buf, response, &response_length);
 	if (err)
 		return err;
 
 	if (unpack_byte_string(response, response_length, "s",
-				out_digest_offset, out_digest,
-				PCR_DIGEST_LENGTH))
+			       out_digest_offset, out_digest,
+			       TPM1_DIGEST_LENGTH))
 		return TPM_LIB_ERROR;
 
 	return 0;
@@ -516,7 +514,7 @@ uint32_t tpm_pcr_read(uint32_t index, void *data, size_t count)
 	if (err)
 		return err;
 	if (unpack_byte_string(response, response_length, "s",
-				out_digest_offset, data, PCR_DIGEST_LENGTH))
+				out_digest_offset, data, TPM1_DIGEST_LENGTH))
 		return TPM_LIB_ERROR;
 
 	return 0;
@@ -784,7 +782,7 @@ static uint32_t create_request_auth(const void *request, size_t request_len0,
 	struct session_data *auth_session,
 	void *request_auth, const void *auth)
 {
-	uint8_t hmac_data[DIGEST_LENGTH * 3 + 1];
+	uint8_t hmac_data[TPM1_DIGEST_LENGTH * 3 + 1];
 	sha1_context hash_ctx;
 	const size_t command_code_offset = 6;
 	const size_t auth_nonce_odd_offset = 4;
@@ -804,25 +802,25 @@ static uint32_t create_request_auth(const void *request, size_t request_len0,
 	sha1_finish(&hash_ctx, hmac_data);
 
 	sha1_starts(&hash_ctx);
-	sha1_update(&hash_ctx, auth_session->nonce_odd, DIGEST_LENGTH);
+	sha1_update(&hash_ctx, auth_session->nonce_odd, TPM1_DIGEST_LENGTH);
 	sha1_update(&hash_ctx, hmac_data, sizeof(hmac_data));
 	sha1_finish(&hash_ctx, auth_session->nonce_odd);
 
 	if (pack_byte_string(request_auth, TPM_REQUEST_AUTH_LENGTH, "dsb",
 			     0, auth_session->handle,
 			     auth_nonce_odd_offset, auth_session->nonce_odd,
-			     DIGEST_LENGTH,
+			     TPM1_DIGEST_LENGTH,
 			     auth_continue_offset, 1))
 		return TPM_LIB_ERROR;
 	if (pack_byte_string(hmac_data, sizeof(hmac_data), "ss",
-			     DIGEST_LENGTH,
+			     TPM1_DIGEST_LENGTH,
 			     auth_session->nonce_even,
-			     DIGEST_LENGTH,
-			     2 * DIGEST_LENGTH,
+			     TPM1_DIGEST_LENGTH,
+			     2 * TPM1_DIGEST_LENGTH,
 			     request_auth + auth_nonce_odd_offset,
-			     DIGEST_LENGTH + 1))
+			     TPM1_DIGEST_LENGTH + 1))
 		return TPM_LIB_ERROR;
-	sha1_hmac(auth, DIGEST_LENGTH, hmac_data, sizeof(hmac_data),
+	sha1_hmac(auth, TPM1_DIGEST_LENGTH, hmac_data, sizeof(hmac_data),
 		  request_auth + auth_auth_offset);
 
 	return TPM_SUCCESS;
@@ -848,8 +846,8 @@ static uint32_t verify_response_auth(uint32_t command_code,
 	struct session_data *auth_session,
 	const void *response_auth, const void *auth)
 {
-	uint8_t hmac_data[DIGEST_LENGTH * 3 + 1];
-	uint8_t computed_auth[DIGEST_LENGTH];
+	uint8_t hmac_data[TPM1_DIGEST_LENGTH * 3 + 1];
+	uint8_t computed_auth[TPM1_DIGEST_LENGTH];
 	sha1_context hash_ctx;
 	const size_t return_code_offset = 6;
 	const size_t auth_continue_offset = 20;
@@ -874,24 +872,24 @@ static uint32_t verify_response_auth(uint32_t command_code,
 			    - handles_len);
 	sha1_finish(&hash_ctx, hmac_data);
 
-	memcpy(auth_session->nonce_even, response_auth, DIGEST_LENGTH);
+	memcpy(auth_session->nonce_even, response_auth, TPM1_DIGEST_LENGTH);
 	auth_continue = ((uint8_t *)response_auth)[auth_continue_offset];
 	if (pack_byte_string(hmac_data, sizeof(hmac_data), "ssb",
-			     DIGEST_LENGTH,
+			     TPM1_DIGEST_LENGTH,
 			     response_auth,
-			     DIGEST_LENGTH,
-			     2 * DIGEST_LENGTH,
+			     TPM1_DIGEST_LENGTH,
+			     2 * TPM1_DIGEST_LENGTH,
 			     auth_session->nonce_odd,
-			     DIGEST_LENGTH,
-			     3 * DIGEST_LENGTH,
+			     TPM1_DIGEST_LENGTH,
+			     3 * TPM1_DIGEST_LENGTH,
 			     auth_continue))
 		return TPM_LIB_ERROR;
 
-	sha1_hmac(auth, DIGEST_LENGTH, hmac_data, sizeof(hmac_data),
+	sha1_hmac(auth, TPM1_DIGEST_LENGTH, hmac_data, sizeof(hmac_data),
 		  computed_auth);
 
 	if (memcmp(computed_auth, response_auth + auth_auth_offset,
-		   DIGEST_LENGTH))
+		   TPM1_DIGEST_LENGTH))
 		return TPM_AUTHFAIL;
 
 	return TPM_SUCCESS;
@@ -961,7 +959,7 @@ uint32_t tpm_oiap(uint32_t *auth_handle)
 	if (unpack_byte_string(response, response_length, "ds",
 			       res_auth_handle_offset, &oiap_session.handle,
 			       res_nonce_even_offset, &oiap_session.nonce_even,
-			       (uint32_t)DIGEST_LENGTH))
+			       (uint32_t)TPM1_DIGEST_LENGTH))
 		return TPM_LIB_ERROR;
 	oiap_session.valid = 1;
 	if (auth_handle)
-- 
2.14.1



More information about the U-Boot mailing list