[U-Boot] [PATCH v2 08/19] tpm: handle different buffer sizes
Miquel Raynal
miquel.raynal at bootlin.com
Thu Mar 29 07:43:50 UTC 2018
Usual buffer sizes for TPMv1 and TPMv2 are different. Change TPMv1
buffer size definition for that and declare another size for TPMv2
buffers.
Signed-off-by: Miquel Raynal <miquel.raynal at bootlin.com>
---
cmd/tpm.c | 5 +++--
include/tpm.h | 2 ++
lib/tpm.c | 60 +++++++++++++++++++++++++++++------------------------------
3 files changed, 34 insertions(+), 33 deletions(-)
diff --git a/cmd/tpm.c b/cmd/tpm.c
index 1d32028b64..3e2bb3b118 100644
--- a/cmd/tpm.c
+++ b/cmd/tpm.c
@@ -323,8 +323,9 @@ static int do_tpm_nv_write_value(cmd_tbl_t *cmdtp, int flag,
static int do_tpm_extend(cmd_tbl_t *cmdtp, int flag,
int argc, char * const argv[])
{
+ uint8_t in_digest[TPM1_DIGEST_LENGTH];
+ uint8_t out_digest[TPM1_DIGEST_LENGTH];
uint32_t index, rc;
- uint8_t in_digest[20], out_digest[20];
if (argc != 3)
return CMD_RET_USAGE;
@@ -337,7 +338,7 @@ static int do_tpm_extend(cmd_tbl_t *cmdtp, int flag,
rc = tpm_extend(index, in_digest, out_digest);
if (!rc) {
puts("PCR value after execution of the command:\n");
- print_byte_string(out_digest, sizeof(out_digest));
+ print_byte_string(out_digest, TPM1_DIGEST_LENGTH);
}
return report_return_code(rc);
diff --git a/include/tpm.h b/include/tpm.h
index 0ec3428ea4..1a60ef5b36 100644
--- a/include/tpm.h
+++ b/include/tpm.h
@@ -14,6 +14,8 @@
*/
#define TPM_HEADER_SIZE 10
+#define TPM1_DIGEST_LENGTH 20
+#define TPM2_DIGEST_LENGTH 32
enum tpm_duration {
TPM_SHORT = 0,
diff --git a/lib/tpm.c b/lib/tpm.c
index aa46ec1693..c0fbba86ff 100644
--- a/lib/tpm.c
+++ b/lib/tpm.c
@@ -29,8 +29,6 @@ enum {
COMMAND_BUFFER_SIZE = 256,
TPM_REQUEST_HEADER_LENGTH = 10,
TPM_RESPONSE_HEADER_LENGTH = 10,
- PCR_DIGEST_LENGTH = 20,
- DIGEST_LENGTH = 20,
TPM_REQUEST_AUTH_LENGTH = 45,
TPM_RESPONSE_AUTH_LENGTH = 41,
/* some max lengths, valid for RSA keys <= 2048 bits */
@@ -47,8 +45,8 @@ enum {
struct session_data {
int valid;
uint32_t handle;
- uint8_t nonce_even[DIGEST_LENGTH];
- uint8_t nonce_odd[DIGEST_LENGTH];
+ uint8_t nonce_even[TPM1_DIGEST_LENGTH];
+ uint8_t nonce_odd[TPM1_DIGEST_LENGTH];
};
static struct session_data oiap_session = {0, };
@@ -469,7 +467,7 @@ uint32_t tpm_extend(uint32_t index, const void *in_digest, void *out_digest)
const size_t in_digest_offset = 14;
const size_t out_digest_offset = 10;
uint8_t buf[COMMAND_BUFFER_SIZE];
- uint8_t response[TPM_RESPONSE_HEADER_LENGTH + PCR_DIGEST_LENGTH];
+ uint8_t response[TPM_RESPONSE_HEADER_LENGTH + TPM1_DIGEST_LENGTH];
size_t response_length = sizeof(response);
uint32_t err;
@@ -477,18 +475,18 @@ uint32_t tpm_extend(uint32_t index, const void *in_digest, void *out_digest)
return -EOPNOTSUPP;
if (pack_byte_string(buf, sizeof(buf), "sds",
- 0, command, sizeof(command),
- index_offset, index,
- in_digest_offset, in_digest,
- PCR_DIGEST_LENGTH))
+ 0, command, sizeof(command),
+ index_offset, index,
+ in_digest_offset, in_digest,
+ TPM1_DIGEST_LENGTH))
return TPM_LIB_ERROR;
err = tpm_sendrecv_command(buf, response, &response_length);
if (err)
return err;
if (unpack_byte_string(response, response_length, "s",
- out_digest_offset, out_digest,
- PCR_DIGEST_LENGTH))
+ out_digest_offset, out_digest,
+ TPM1_DIGEST_LENGTH))
return TPM_LIB_ERROR;
return 0;
@@ -516,7 +514,7 @@ uint32_t tpm_pcr_read(uint32_t index, void *data, size_t count)
if (err)
return err;
if (unpack_byte_string(response, response_length, "s",
- out_digest_offset, data, PCR_DIGEST_LENGTH))
+ out_digest_offset, data, TPM1_DIGEST_LENGTH))
return TPM_LIB_ERROR;
return 0;
@@ -784,7 +782,7 @@ static uint32_t create_request_auth(const void *request, size_t request_len0,
struct session_data *auth_session,
void *request_auth, const void *auth)
{
- uint8_t hmac_data[DIGEST_LENGTH * 3 + 1];
+ uint8_t hmac_data[TPM1_DIGEST_LENGTH * 3 + 1];
sha1_context hash_ctx;
const size_t command_code_offset = 6;
const size_t auth_nonce_odd_offset = 4;
@@ -804,25 +802,25 @@ static uint32_t create_request_auth(const void *request, size_t request_len0,
sha1_finish(&hash_ctx, hmac_data);
sha1_starts(&hash_ctx);
- sha1_update(&hash_ctx, auth_session->nonce_odd, DIGEST_LENGTH);
+ sha1_update(&hash_ctx, auth_session->nonce_odd, TPM1_DIGEST_LENGTH);
sha1_update(&hash_ctx, hmac_data, sizeof(hmac_data));
sha1_finish(&hash_ctx, auth_session->nonce_odd);
if (pack_byte_string(request_auth, TPM_REQUEST_AUTH_LENGTH, "dsb",
0, auth_session->handle,
auth_nonce_odd_offset, auth_session->nonce_odd,
- DIGEST_LENGTH,
+ TPM1_DIGEST_LENGTH,
auth_continue_offset, 1))
return TPM_LIB_ERROR;
if (pack_byte_string(hmac_data, sizeof(hmac_data), "ss",
- DIGEST_LENGTH,
+ TPM1_DIGEST_LENGTH,
auth_session->nonce_even,
- DIGEST_LENGTH,
- 2 * DIGEST_LENGTH,
+ TPM1_DIGEST_LENGTH,
+ 2 * TPM1_DIGEST_LENGTH,
request_auth + auth_nonce_odd_offset,
- DIGEST_LENGTH + 1))
+ TPM1_DIGEST_LENGTH + 1))
return TPM_LIB_ERROR;
- sha1_hmac(auth, DIGEST_LENGTH, hmac_data, sizeof(hmac_data),
+ sha1_hmac(auth, TPM1_DIGEST_LENGTH, hmac_data, sizeof(hmac_data),
request_auth + auth_auth_offset);
return TPM_SUCCESS;
@@ -848,8 +846,8 @@ static uint32_t verify_response_auth(uint32_t command_code,
struct session_data *auth_session,
const void *response_auth, const void *auth)
{
- uint8_t hmac_data[DIGEST_LENGTH * 3 + 1];
- uint8_t computed_auth[DIGEST_LENGTH];
+ uint8_t hmac_data[TPM1_DIGEST_LENGTH * 3 + 1];
+ uint8_t computed_auth[TPM1_DIGEST_LENGTH];
sha1_context hash_ctx;
const size_t return_code_offset = 6;
const size_t auth_continue_offset = 20;
@@ -874,24 +872,24 @@ static uint32_t verify_response_auth(uint32_t command_code,
- handles_len);
sha1_finish(&hash_ctx, hmac_data);
- memcpy(auth_session->nonce_even, response_auth, DIGEST_LENGTH);
+ memcpy(auth_session->nonce_even, response_auth, TPM1_DIGEST_LENGTH);
auth_continue = ((uint8_t *)response_auth)[auth_continue_offset];
if (pack_byte_string(hmac_data, sizeof(hmac_data), "ssb",
- DIGEST_LENGTH,
+ TPM1_DIGEST_LENGTH,
response_auth,
- DIGEST_LENGTH,
- 2 * DIGEST_LENGTH,
+ TPM1_DIGEST_LENGTH,
+ 2 * TPM1_DIGEST_LENGTH,
auth_session->nonce_odd,
- DIGEST_LENGTH,
- 3 * DIGEST_LENGTH,
+ TPM1_DIGEST_LENGTH,
+ 3 * TPM1_DIGEST_LENGTH,
auth_continue))
return TPM_LIB_ERROR;
- sha1_hmac(auth, DIGEST_LENGTH, hmac_data, sizeof(hmac_data),
+ sha1_hmac(auth, TPM1_DIGEST_LENGTH, hmac_data, sizeof(hmac_data),
computed_auth);
if (memcmp(computed_auth, response_auth + auth_auth_offset,
- DIGEST_LENGTH))
+ TPM1_DIGEST_LENGTH))
return TPM_AUTHFAIL;
return TPM_SUCCESS;
@@ -961,7 +959,7 @@ uint32_t tpm_oiap(uint32_t *auth_handle)
if (unpack_byte_string(response, response_length, "ds",
res_auth_handle_offset, &oiap_session.handle,
res_nonce_even_offset, &oiap_session.nonce_even,
- (uint32_t)DIGEST_LENGTH))
+ (uint32_t)TPM1_DIGEST_LENGTH))
return TPM_LIB_ERROR;
oiap_session.valid = 1;
if (auth_handle)
--
2.14.1
More information about the U-Boot
mailing list