author | Vadim Bendebury <vbendeb@chromium.org> | 2016-07-03 22:20:17 -0700 |
---|---|---|
committer | Martin Roth <martinroth@google.com> | 2016-07-14 00:00:30 +0200 |
commit | f5ef699f40ca36815069e9c1df72af6385e600f0 (patch) | |
tree | 7cbc40acafedef812c0d04d611ccaeb625fc454c /src/lib/tpm2_tlcl_structures.h | |
parent | 4c0851cc37f42ed88d62b876357b71cfdaac480f (diff) | |
download | coreboot-f5ef699f40ca36815069e9c1df72af6385e600f0.tar.xz |
tpm2: implement and use pcr_extend command
TPM PCRs are used in Chrome OS for two purposes: to communicate
crucial information from RO firmware and to protect FW and kernel
rollback counters from being deleted.
As implemented in a TPM1 compatible way, the PCR extension command
requires a prebuilt digest to calculate a new PCR value.
TPM2 specification introduces a PCR_Event command, where the TPM
itself calculates the digest of an arbitrary length string, and then
uses the calculated digest for PCR extension. PCR_Event could be a
better option for Chrome OS; this needs to be investigated separately.
BRANCH=none
BUG=chrome-os-partner:50645
TEST=verified that the two PCRs are successfully extended before the
RW firmware is called.
Change-Id: I38fc88172de8ec8bef56fec026f83058480c8010
Signed-off-by: Martin Roth <martinroth@chromium.org>
Original-Commit-Id: 73388139db3ffaf61a3d9027522c5ebecb3ad051
Original-Change-Id: I1a9bab7396fdb652e2e3bc8529b828ea3423d851
Original-Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Original-Reviewed-on: https://chromium-review.googlesource.com/358098
Original-Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Original-Reviewed-by: Darren Krahn <dkrahn@chromium.org>
Reviewed-on: https://review.coreboot.org/15639
Tested-by: build bot (Jenkins)
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@googlemail.com>
Diffstat (limited to 'src/lib/tpm2_tlcl_structures.h')
-rw-r--r-- | src/lib/tpm2_tlcl_structures.h | 30 |
1 files changed, 29 insertions, 1 deletions
diff --git a/src/lib/tpm2_tlcl_structures.h b/src/lib/tpm2_tlcl_structures.h
index 1e7fcf05fa..36a3e8b253 100644
--- a/src/lib/tpm2_tlcl_structures.h
+++ b/src/lib/tpm2_tlcl_structures.h
@@ -25,11 +25,12 @@ typedef uint32_t TPM_CC;
 typedef uint32_t TPM_HANDLE;
 typedef uint32_t TPM_RC;
 typedef uint8_t TPMI_YES_NO;
+typedef TPM_ALG_ID TPMI_ALG_HASH;
+typedef TPM_HANDLE TPMI_DH_PCR;
 typedef TPM_HANDLE TPMI_RH_NV_INDEX;
 typedef TPM_HANDLE TPMI_RH_PROVISION;
 typedef TPM_HANDLE TPMI_SH_AUTH_SESSION;
 typedef TPM_HANDLE TPM_RH;
-typedef TPM_ALG_ID TPMI_ALG_HASH;
 /* Some hardcoded algorithm values. */
 #define TPM_ALG_HMAC ((TPM_ALG_ID)0x0005)
@@ -37,6 +38,8 @@ typedef TPM_ALG_ID TPMI_ALG_HASH;
 #define TPM_ALG_SHA1 ((TPM_ALG_ID)0x0004)
 #define TPM_ALG_SHA256 ((TPM_ALG_ID)0x000b)
+#define SHA256_DIGEST_SIZE 32
+
 /* Some hardcoded hierarchies. */
 #define TPM_RH_NULL 0x40000007
 #define TPM_RS_PW 0x40000009
@@ -64,11 +67,13 @@ struct tpm_header {
 #define TPM2_Startup ((TPM_CC)0x00000144)
 #define TPM2_NV_Read ((TPM_CC)0x0000014E)
 #define TPM2_GetCapability ((TPM_CC)0x0000017A)
+#define TPM2_PCR_Extend ((TPM_CC)0x00000182)
 /* Startup values. */
 #define TPM_SU_CLEAR 0
 #define TPM_SU_STATE 1
+#define TPM_HT_PCR 0x00
 #define TPM_HT_NV_INDEX 0x01
 #define TPM_HT_HMAC_SESSION 0x02
 #define TPM_HT_POLICY_SESSION 0x03
@@ -241,6 +246,24 @@ typedef union {
 TPM2B b;
 } TPM2B_MAX_NV_BUFFER;
+/*
+ * This is a union, but as of now we support just one digest - sha256, so
+ * there is just one element.
+ */
+typedef union {
+ uint8_t sha256[SHA256_DIGEST_SIZE];
+} TPMU_HA;
+
+typedef struct {
+ TPMI_ALG_HASH hashAlg;
+ TPMU_HA digest;
+} TPMT_HA;
+
+typedef struct {
+ uint32_t count;
+ TPMT_HA digests[1]; /* Limit max number of hashes to 1. */
+} TPML_DIGEST_VALUES;
+
 struct nv_read_response {
 uint32_t params_size;
 TPM2B_MAX_NV_BUFFER buffer;
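Review bot: `SHA256_DIGEST_SIZE`, added in the second hunk, is an unprefixed macro name in a header, so it can collide with a hash or verified-boot header that defines the same name in the same translation unit. I cannot see this file's includes or its users from the hunk, so whether a clash exists today is unverified. A TPM-scoped name would avoid the question, for example `#define TPM2_SHA256_DIGEST_SIZE 32` with `uint8_t sha256[TPM2_SHA256_DIGEST_SIZE];` in `TPMU_HA`.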
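Review bot: In the fourth hunk, `TPML_DIGEST_VALUES.count` is a full `uint32_t` while `digests` holds exactly one element, and nothing in the header ties the two together. A marshaling loop driven by `count` would read past the array if a caller ever set it above 1. The marshaling code is outside this file's diff; it should refuse `count != 1` and any `hashAlg` other than `TPM_ALG_SHA256`, since `TPMU_HA` has only the `sha256` member. Naming the bound makes that check possible without a magic number, e.g. `#define TPML_DIGEST_VALUES_MAX 1` and `TPMT_HA digests[TPML_DIGEST_VALUES_MAX];`.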
@@ -306,4 +329,9 @@ struct tpm2_nv_write_lock_cmd {
 TPMI_RH_NV_INDEX nvIndex;
 };
+struct tpm2_pcr_extend_cmd {
+ TPMI_DH_PCR pcrHandle;
+ TPML_DIGEST_VALUES digests;
+};
+
 #endif // __SRC_LIB_TPM2_TLCL_STRUCTURES_H |
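Review bot: `struct tpm2_pcr_extend_cmd` has no comment on how it relates to the bytes sent to the TPM, and it should say that it is an in-memory description to be marshaled field by field. `digests` embeds a fixed 32-byte union and host-endian integers, so copying the struct straight into the command buffer would be wrong. A comment such as `/* In-memory form of the TPM2_PCR_Extend parameters; marshal field by field, never copy to the wire. */` would do. Separately, `TPML_DIGEST_VALUES` can carry only one SHA-256 digest, so any other PCR bank the TPM has allocated would presumably stay at its reset value after this command. If that can happen on supported hardware, it is worth noting here so that verifiers rely on the SHA-256 bank only.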