[PATCH v2 10/10] sandbox: tpm: Support extending a PCR multiple times
Simon Glass
sjg at chromium.org
Sun Jul 18 22:18:06 CEST 2021
It is fairly easy to handle this case and it makes the emulator more
useful, since PCRs are commonly extended several times.
Add support for this, using U-Boot's sha256 support.
For now sandbox only supports a single PCR, but that is enough for the
tests that currently exist.
Signed-off-by: Simon Glass <sjg at chromium.org>
---
Changes in v2:
- Drop the constant sandbox_extended_once_pcr since we can calculate it
- Update the commit message to explain that there is only one PCR
drivers/tpm/tpm2_tis_sandbox.c | 24 ++++++++++--------------
test/py/tests/test_tpm2.py | 18 +++++++++++++++++-
2 files changed, 27 insertions(+), 15 deletions(-)
diff --git a/drivers/tpm/tpm2_tis_sandbox.c b/drivers/tpm/tpm2_tis_sandbox.c
index 3c4bbcdf2ee..ac6eb143539 100644
--- a/drivers/tpm/tpm2_tis_sandbox.c
+++ b/drivers/tpm/tpm2_tis_sandbox.c
@@ -11,6 +11,7 @@
#include <asm/unaligned.h>
#include <linux/bitops.h>
#include <u-boot/crc.h>
+#include <u-boot/sha256.h>
#include "sandbox_common.h"
/* Hierarchies */
@@ -39,13 +40,6 @@ enum tpm2_cap_tpm_property {
#define SANDBOX_TPM_PCR_NB 1
-static const u8 sandbox_extended_once_pcr[] = {
- 0xf5, 0xa5, 0xfd, 0x42, 0xd1, 0x6a, 0x20, 0x30,
- 0x27, 0x98, 0xef, 0x6e, 0xd3, 0x09, 0x97, 0x9b,
- 0x43, 0x00, 0x3d, 0x23, 0x20, 0xd9, 0xf0, 0xe8,
- 0xea, 0x98, 0x31, 0xa9, 0x27, 0x59, 0xfb, 0x4b,
-};
-
/*
* Information about our TPM emulation. This is preserved in the sandbox
* state file if enabled.
@@ -407,15 +401,17 @@ static int sandbox_tpm2_extend(struct udevice *dev, int pcr_index,
const u8 *extension)
{
struct sandbox_tpm2 *tpm = dev_get_priv(dev);
- int i;
+ sha256_context ctx;
+
+ /* Zero the PCR if this is the first use */
+ if (!tpm->pcr_extensions[pcr_index])
+ memset(tpm->pcr[pcr_index], '\0', TPM2_DIGEST_LEN);
- /* Only simulate the first extensions from all '0' with only '0' */
- for (i = 0; i < TPM2_DIGEST_LEN; i++)
- if (tpm->pcr[pcr_index][i] || extension[i])
- return TPM2_RC_FAILURE;
+ sha256_starts(&ctx);
+ sha256_update(&ctx, tpm->pcr[pcr_index], TPM2_DIGEST_LEN);
+ sha256_update(&ctx, extension, TPM2_DIGEST_LEN);
+ sha256_finish(&ctx, tpm->pcr[pcr_index]);
- memcpy(tpm->pcr[pcr_index], sandbox_extended_once_pcr,
- TPM2_DIGEST_LEN);
tpm->pcr_extensions[pcr_index]++;
return 0;
diff --git a/test/py/tests/test_tpm2.py b/test/py/tests/test_tpm2.py
index 70f906da511..ac04f7191ec 100644
--- a/test/py/tests/test_tpm2.py
+++ b/test/py/tests/test_tpm2.py
@@ -216,7 +216,9 @@ def test_tpm2_pcr_extend(u_boot_console):
output = u_boot_console.run_command('echo $?')
assert output.endswith('0')
- read_pcr = u_boot_console.run_command('tpm2 pcr_read 0 0x%x' % ram)
+ # Read the value back into a different place so we can still use 'ram' as
+ # our zero bytes
+ read_pcr = u_boot_console.run_command('tpm2 pcr_read 0 0x%x' % (ram + 0x20))
output = u_boot_console.run_command('echo $?')
assert output.endswith('0')
assert 'f5 a5 fd 42 d1 6a 20 30 27 98 ef 6e d3 09 97 9b' in read_pcr
@@ -226,6 +228,20 @@ def test_tpm2_pcr_extend(u_boot_console):
new_updates = int(re.findall(r'\d+', str)[0])
assert (updates + 1) == new_updates
+ u_boot_console.run_command('tpm2 pcr_extend 0 0x%x' % ram)
+ output = u_boot_console.run_command('echo $?')
+ assert output.endswith('0')
+
+ read_pcr = u_boot_console.run_command('tpm2 pcr_read 0 0x%x' % (ram + 0x20))
+ output = u_boot_console.run_command('echo $?')
+ assert output.endswith('0')
+ assert '7a 05 01 f5 95 7b df 9c b3 a8 ff 49 66 f0 22 65' in read_pcr
+ assert 'f9 68 65 8b 7a 9c 62 64 2c ba 11 65 e8 66 42 f5' in read_pcr
+
+ str = re.findall(r'\d+ known updates', read_pcr)[0]
+ new_updates = int(re.findall(r'\d+', str)[0])
+ assert (updates + 2) == new_updates
+
@pytest.mark.buildconfigspec('cmd_tpm_v2')
def test_tpm2_cleanup(u_boot_console):
"""Ensure the TPM is cleared from password or test related configuration."""
--
2.32.0.402.g57bb445576-goog
More information about the U-Boot
mailing list