From: Tushar Sugandhi <tusharsu@linux.microsoft.com>
To: zohar@linux.ibm.com, noodles@fb.com, bauermann@kolabnow.com,
ebiederm@xmission.com, bhe@redhat.com, vgoyal@redhat.com,
dyoung@redhat.com, peterhuewe@gmx.de, jarkko@kernel.org,
jgg@ziepe.ca, kexec@lists.infradead.org,
linux-integrity@vger.kernel.org
Cc: code@tyhicks.com, nramas@linux.microsoft.com, paul@paul-moore.com
Subject: [PATCH 1/6] tpm: implement TPM2 function to get update counter
Date: Tue, 1 Aug 2023 11:19:12 -0700
Message-ID: <20230801181917.8535-2-tusharsu@linux.microsoft.com>
In-Reply-To: <20230801181917.8535-1-tusharsu@linux.microsoft.com>
The TPM2_PCR_Read command returns TPM2_PCR_Read Response struct[1]. It
contains pcrUpdateCounter member which contains the current value of TPM
PCR update counter. The update counter provides the number of times the
PCRs are updated, which is essential for tracking changes and verifying
system integrity. Thus, subsystems (like IMA) should measure
pcrUpdateCounter value. Although the tpm2_pcr_read_out struct is returned
by tpm2_pcr_read(), it is not used by its caller function tpm_pcr_read().
Further, the TPM2_PCR_Read Response struct and pcrUpdateCounter are not
available in tpm1_pcr_read().
PcrUpdateCounter is only needed in a specific case (IMA for measurements).
Changing tpm_pcr_read() and tpm2_pcr_read() function signature to return
tpm2_pcr_read_out struct would be a more disruptive change, since these
functions are used elsewhere too. Creating separate functions to get
pcrUpdateCounter when needed would be a cleaner approach.
Add a function, 'tpm2_pcr_get_update_counter()' to retrieve
the update counter for a given PCR index and algorithm ID on a TPM2 chip.
This function complements existing TPM functionalities such as reading
and extending PCRs, and enhances the ability to monitor PCR status
in the Linux Kernel.
[1] https://trustedcomputinggroup.org/wp-content/uploads/TCG_TPM2_r1p59_Part3_Commands_pub.pdf
Section 22.4.2, Page 206.
Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
---
drivers/char/tpm/tpm.h | 3 +++
drivers/char/tpm/tpm2-cmd.c | 48 +++++++++++++++++++++++++++++++++++++
2 files changed, 51 insertions(+)
diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h
index 830014a26609..60489f21d3bd 100644
--- a/drivers/char/tpm/tpm.h
+++ b/drivers/char/tpm/tpm.h
@@ -288,6 +288,9 @@ static inline void tpm_add_ppi(struct tpm_chip *chip)
int tpm2_get_timeouts(struct tpm_chip *chip);
int tpm2_pcr_read(struct tpm_chip *chip, u32 pcr_idx,
struct tpm_digest *digest, u16 *digest_size_ptr);
+int tpm2_pcr_get_update_counter(struct tpm_chip *chip,
+ u32 pcr_idx, u16 alg_id,
+ u32 *update_counter);
int tpm2_pcr_extend(struct tpm_chip *chip, u32 pcr_idx,
struct tpm_digest *digests);
int tpm2_get_random(struct tpm_chip *chip, u8 *dest, size_t max);
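Review bot: the new prototype lands in the driver-private drivers/char/tpm/tpm.h, so the IMA caller that the commit message motivates cannot reach tpm2_pcr_get_update_counter() from security/integrity; the commit message should say that an exported wrapper declared in include/linux/tpm.h follows in a later patch, otherwise this hunk reads as adding a function with no reachable user.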
diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
index 93545be190a5..55f4e102289a 100644
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -216,6 +216,54 @@ int tpm2_pcr_read(struct tpm_chip *chip, u32 pcr_idx,
return rc;
}
+/**
+ * tpm2_pcr_get_update_counter() - gets an update counter value for a PCR bank
+ * @chip: TPM chip to use
+ * @pcr_idx: PCR index used to retrieve the update counter
+ * @alg_id: alg id used to retrieve the update counter
+ * @update_counter: output update counter value
+ *
+ * Return: Same as with tpm_transmit_cmd.
+ */
+int tpm2_pcr_get_update_counter(struct tpm_chip *chip,
+ u32 pcr_idx, u16 alg_id, u32 *update_counter)
+{
+ int rc;
+ struct tpm_buf buf;
+ struct tpm2_pcr_read_out *read_out;
+ u8 pcr_select[TPM2_PCR_SELECT_MIN] = {0};
+
+ if (pcr_idx >= TPM2_PLATFORM_PCR)
+ return -EINVAL;
+
+ if (!update_counter)
+ return -EINVAL;
+
+ rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_PCR_READ);
+ if (rc)
+ return rc;
+
+ pcr_select[pcr_idx >> 3] = 1 << (pcr_idx & 0x7);
+
+ tpm_buf_append_u32(&buf, 1);
+ tpm_buf_append_u16(&buf, alg_id);
+ tpm_buf_append_u8(&buf, TPM2_PCR_SELECT_MIN);
+ tpm_buf_append(&buf, (const unsigned char *)pcr_select,
+ sizeof(pcr_select));
+
+ rc = tpm_transmit_cmd(chip, &buf, 0, "attempting to read a pcr value");
+ if (rc)
+ goto out;
+
+ read_out = (struct tpm2_pcr_read_out *)&buf.data[TPM_HEADER_SIZE];
+
+ *update_counter = be32_to_cpu(read_out->update_cnt);
+
+out:
+ tpm_buf_destroy(&buf);
+ return rc;
+}
+
struct tpm2_null_auth_area {
__be32 handle;
__be16 nonce_size;
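Review bot: tpm_transmit_cmd() is called with min_rsp_body_length 0, so nothing guarantees the response body actually carries the 4-byte pcrUpdateCounter before `read_out->update_cnt` is read through the cast at `&buf.data[TPM_HEADER_SIZE]`; passing `sizeof(read_out->update_cnt)` (or the size of the fixed part of struct tpm2_pcr_read_out) as the third argument gets the length check for free. The function also builds and sends a complete TPM2_CC_PCR_READ command only to discard the digest, which duplicates the PCR-selection encoding (`pcr_select[pcr_idx >> 3] = 1 << (pcr_idx & 0x7)`) that the commit message says tpm2_pcr_read() already performs; a shared helper, or an optional `u32 *update_counter` out-parameter on tpm2_pcr_read(), would keep a single copy of that encoding. Minor: `alg_id` is not checked against the chip's active banks, so a caller naming an unsupported bank gets whatever the TPM returns instead of -EINVAL, and the transmit description string "attempting to read a pcr value" describes a digest read rather than the counter fetch.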
--
2.25.1
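As an added worked example, not code from this patch or from the kernel, the following user-space C parses a TPM2_PCR_Read response the way the hunk's `read_out` cast implies (pcrUpdateCounter is the first field after the 10-byte header, followed by pcrSelectionOut and pcrValues), but with the length checks a consumer needs before trusting the counter. The sample response bytes, the `pcr_read_rsp` struct, and the helper names are constructed for this example; the layout follows TCG TPM 2.0 Part 3, section 22.4.

```c
/* Constructed example: parse a TPM2_PCR_Read response and extract
 * pcrUpdateCounter with bounds checks. Not the kernel's implementation. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TPM_HEADER_SIZE     10      /* tag(2) + responseSize(4) + responseCode(4) */
#define TPM2_ST_NO_SESSIONS 0x8001
#define TPM2_ALG_SHA256     0x000B
#define PCR_SELECT_MAX      8       /* largest pcrSelect bitmap we accept */
#define DIGEST_MAX          64      /* SHA-512 is the largest bank digest */

struct pcr_read_rsp {
    uint32_t update_counter;              /* pcrUpdateCounter */
    uint16_t alg_id;                      /* hash alg of first pcrSelectionOut entry */
    uint8_t  select_len;                  /* sizeofSelect of that entry */
    uint8_t  pcr_select[PCR_SELECT_MAX];  /* PCR bitmap, same encoding as the patch */
    uint32_t digest_count;                /* pcrValues.count (0 if nothing matched) */
    uint16_t digest_size;                 /* size of first digest, 0 if none */
    uint8_t  digest[DIGEST_MAX];
};

static uint16_t get_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Returns 0 on success, -1 for a malformed or truncated buffer, or the
 * TPM responseCode (positive) when the command itself failed. */
int parse_pcr_read(const uint8_t *buf, size_t len, struct pcr_read_rsp *out)
{
    if (len < TPM_HEADER_SIZE)
        return -1;
    uint16_t tag  = get_be16(buf);
    uint32_t size = get_be32(buf + 2);
    uint32_t rc   = get_be32(buf + 6);
    if (tag != TPM2_ST_NO_SESSIONS || size < TPM_HEADER_SIZE || size > len)
        return -1;            /* header lies about its length: do not parse */
    if (rc != 0)
        return (int)rc;       /* TPM response codes fit comfortably in an int */
    len = size;               /* only trust bytes the header accounts for */
    size_t off = TPM_HEADER_SIZE;

    /* pcrUpdateCounter: this is the check the patch's version lacks */
    if (len - off < 4)
        return -1;
    out->update_counter = get_be32(buf + off);
    off += 4;

    /* pcrSelectionOut: TPML_PCR_SELECTION { count, TPMS_PCR_SELECTION[] } */
    if (len - off < 4)
        return -1;
    uint32_t sel_count = get_be32(buf + off);
    off += 4;
    if (sel_count < 1 || len - off < 3)
        return -1;
    out->alg_id     = get_be16(buf + off);
    out->select_len = buf[off + 2];
    off += 3;
    if (out->select_len > PCR_SELECT_MAX || len - off < out->select_len)
        return -1;
    memcpy(out->pcr_select, buf + off, out->select_len);
    off += out->select_len;
    for (uint32_t i = 1; i < sel_count; i++) {   /* skip any further selections */
        if (len - off < 3)
            return -1;
        uint8_t n = buf[off + 2];
        off += 3;
        if (len - off < n)
            return -1;
        off += n;
    }

    /* pcrValues: TPML_DIGEST { count, TPM2B_DIGEST[] } */
    if (len - off < 4)
        return -1;
    out->digest_count = get_be32(buf + off);
    off += 4;
    out->digest_size = 0;
    if (out->digest_count == 0)
        return 0;             /* selection matched nothing: counter is still valid */
    if (len - off < 2)
        return -1;
    out->digest_size = get_be16(buf + off);
    off += 2;
    if (out->digest_size > DIGEST_MAX || len - off < out->digest_size)
        return -1;
    memcpy(out->digest, buf + off, out->digest_size);
    return 0;
}

/* Decode the bitmap using the same pcr_idx >> 3 / pcr_idx & 7 split as the patch. */
int pcr_selected(const struct pcr_read_rsp *r, unsigned int pcr_idx)
{
    if ((pcr_idx >> 3) >= r->select_len)
        return 0;
    return (r->pcr_select[pcr_idx >> 3] >> (pcr_idx & 7)) & 1;
}

/* Constructed 62-byte response: counter 42, SHA-256 bank, PCR 10 selected. */
static const uint8_t sample_rsp[] = {
    0x80, 0x01,              /* tag: TPM_ST_NO_SESSIONS */
    0x00, 0x00, 0x00, 0x3E,  /* responseSize = 62 */
    0x00, 0x00, 0x00, 0x00,  /* responseCode = TPM_RC_SUCCESS */
    0x00, 0x00, 0x00, 0x2A,  /* pcrUpdateCounter = 42 */
    0x00, 0x00, 0x00, 0x01,  /* pcrSelectionOut.count = 1 */
    0x00, 0x0B,              /*   hash = TPM_ALG_SHA256 */
    0x03,                    /*   sizeofSelect = 3 */
    0x00, 0x04, 0x00,        /*   pcrSelect: byte 1 bit 2 -> PCR 10 */
    0x00, 0x00, 0x00, 0x01,  /* pcrValues.count = 1 */
    0x00, 0x20,              /*   digest size = 32 */
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
};

int main(void)
{
    struct pcr_read_rsp r;
    int rc = parse_pcr_read(sample_rsp, sizeof(sample_rsp), &r);
    printf("rc=%d update_counter=%u alg=0x%04x pcr10=%d digest_size=%u\n",
           rc, r.update_counter, r.alg_id, pcr_selected(&r, 10), r.digest_size);
    return rc;
}
```

The first `len - off < 4` check is the one that matters for the counter: a response whose body is shorter than four bytes (or whose header claims more bytes than were received) is rejected instead of being read past its end, which is what passing a non-zero minimum response length to the kernel's transmit path achieves.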