[Xen-devel] [PATCH 07/14] stubdom/vtpm: Add locality-5 PCRs
This defines new PCRs (24-31) that are restricted to locality 5, which can be used by an agent outside a domain to record information about its measurements and activity. These PCRs cannot be initialized from the hardware TPM (since most hardware TPMs do not define PCR 24+). This definition may need to be changed in the future, as the TCG's VTPM working group is working to define the meaning of PCRs above 23 on a vTPM; the existing PC-client specification allows these PCRs to be implementation-defined.
Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
---
 stubdom/Makefile | 1 +
 stubdom/vtpm-locality5-pcrs.patch | 33 +++++++++++++++++++++++++++++++++
 stubdom/vtpm/README | 15 ++++++++++++++-
 stubdom/vtpm/vtpm.c | 8 ++++----
 stubdom/vtpm/vtpm_pcrs.h | 6 +++---
 5 files changed, 55 insertions(+), 8 deletions(-)
 create mode 100644 stubdom/vtpm-locality5-pcrs.patch
diff --git a/stubdom/Makefile b/stubdom/Makefile
index 95e10f3..a657fd2 100644
--- a/stubdom/Makefile
+++ b/stubdom/Makefile
@@ -209,6 +209,7 @@ tpm_emulator-$(XEN_TARGET_ARCH): tpm_emulator-$(TPMEMU_VERSION).tar.gz
 patch -d $@ -p1 < tpmemu-$(TPMEMU_VERSION).patch;
 patch -d $@ -p1 < vtpm-bufsize.patch
 patch -d $@ -p1 < vtpm-locality.patch
+ patch -d $@ -p1 < vtpm-locality5-pcrs.patch
 mkdir $@/build
 cd $@/build; $(CMAKE) .. -DCMAKE_C_COMPILER=${CC} -DCMAKE_C_FLAGS="-std=c99 -DTPM_NO_EXTERN $(TARGET_CPPFLAGS) $(TARGET_CFLAGS) -Wno-declaration-after-statement"
 touch $@
diff --git a/stubdom/vtpm-locality5-pcrs.patch b/stubdom/vtpm-locality5-pcrs.patch
new file mode 100644
index 0000000..f697035
--- /dev/null
+++ b/stubdom/vtpm-locality5-pcrs.patch
@@ -0,0 +1,33 @@
+diff --git a/tpm/tpm_data.c b/tpm/tpm_data.c
+index 50c9697..d8cac09 100644
+--- a/tpm/tpm_data.c
++++ b/tpm/tpm_data.c
+@@ -151,9 +151,12 @@ void tpm_init_data(void)
+ init_pcr_attr(22, TRUE, 0x04, 0x04);
+ init_pcr_attr(23, TRUE, 0x1f, 0x1f);
+ }
+- for (i = 24; i < TPM_NUM_PCR; i++) {
+- init_pcr_attr(i, TRUE, 0x00, 0x00);
+- }
++ for (i = 24; i < 28 && i < TPM_NUM_PCR; i++)
++ init_pcr_attr(i, FALSE, 0x00, 0x20);
++ for (i = 28; i < 32 && i < TPM_NUM_PCR; i++)
++ init_pcr_attr(i, TRUE, 0x20, 0x20);
++ for (i = 32; i < TPM_NUM_PCR; i++)
++ init_pcr_attr(i, FALSE, 0x00, 0xC0);
+ if (tpmConf & TPM_CONF_GENERATE_EK) {
+ /* generate a new endorsement key */
+ tpm_rsa_generate_key(&tpmData.permanent.data.endorsementKey, 2048);
+diff --git a/tpm/tpm_structures.h b/tpm/tpm_structures.h
+index f746c05..08cef1e 100644
+--- a/tpm/tpm_structures.h
++++ b/tpm/tpm_structures.h
+@@ -676,7 +676,7 @@ typedef struct tdTPM_CMK_MA_APPROVAL {
+ /*
+ * Number of PCRs of the TPM (must be a multiple of eight)
+ */
+-#define TPM_NUM_PCR 24
++#define TPM_NUM_PCR 32
+
+ /*
+ * TPM_PCR_SELECTION ([TPM_Part2], Section 8.1)
diff --git a/stubdom/vtpm/README b/stubdom/vtpm/README
index 11bdacb..b0bd8f9 100644
--- a/stubdom/vtpm/README
+++ b/stubdom/vtpm/README
@@ -1,7 +1,7 @@
 Copyright (c) 2010-2012 United States Government, as represented by the Secretary of Defense. All rights reserved. November 12 2012
-Authors: Matthew Fioravante (JHUAPL),
+Authors: Matthew Fioravante (JHUAPL), Daniel De Graaf (NSA)
 This document describes the operation and command line interface of vtpm-stubdom. See docs/misc/vtpm.txt for details on the
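Review bot: The three loops added to tpm_init_data() in the embedded tpm_data.c patch encode the access policy for PCRs 24 and up as bare masks (`0x20`, `0xC0`) with no comment, and the policy is not uniform. PCRs 24-27 are set up with `FALSE, 0x00, 0x20` and 28-31 with `TRUE, 0x20, 0x20`; if the arguments are reset flag, reset-locality mask and extend-locality mask (the callee is not shown), only 28-31 can be reset from locality 5, which neither the commit message nor the README states. Anyone relying on these registers for attestation needs that distinction, so a comment above the loops such as `/* 24-27: extend by locality 5, never reset; 28-31: extend and reset by locality 5 */` would help. The `i = 32` loop cannot execute while `TPM_NUM_PCR` is 32, and its `0xC0` mask is not explained anywhere in the change; document the intent or leave it out. The function body continues outside the hunk.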
@@ -68,6 +68,19 @@ hwinitpcr=<PCRSPEC>: Initialize the virtual Platform Configuration Registers will copy pcrs 5, 12, 13, 14, 15, and 16.
 ------------------------------
+VIRTUAL-TPM SPECIFIC FEATURES
+------------------------------
+
+The virtual TPM emulator provides some extensions to the TPM specification that
+are useful in a virtualized environment. The featues added to the emulator are:
+
+ * Support for specifying localities beyond the standard 0-4
+ * Extended PCRs 24-31 that can only be extended by locality 5
+
+Locality 5 is intended for use by a measurement agent running outside the
+primary domain using the VM.
+
+------------------------------
 REFERENCES
 ------------------------------
diff --git a/stubdom/vtpm/vtpm.c b/stubdom/vtpm/vtpm.c
index eb7912f..aaf1a24 100644
--- a/stubdom/vtpm/vtpm.c
+++ b/stubdom/vtpm/vtpm.c
@@ -253,18 +253,18 @@ int parse_cmd_line(int argc, char** argv)
 opt_args.hwinitpcrs = VTPM_PCRNONE;
 } else if(sscanf(pch, "%u", &v1) == 1) {
 //Set one
- if(v1 >= TPM_NUM_PCR) {
+ if(v1 >= VTPM_NUMPCRS) {
 error("hwinitpcr error: Invalid PCR index %u", v1);
 return -1;
 }
 opt_args.hwinitpcrs |= (1 << v1);
 } else if(sscanf(pch, "%u-%u", &v1, &v2) == 2) {
 //Set range
- if(v1 >= TPM_NUM_PCR) {
+ if(v1 >= VTPM_NUMPCRS) {
 error("hwinitpcr error: Invalid PCR index %u", v1);
 return -1;
 }
- if(v2 >= TPM_NUM_PCR) {
+ if(v2 >= VTPM_NUMPCRS) {
 error("hwinitpcr error: Invalid PCR index %u", v1);
 return -1;
 }
@@ -312,7 +312,7 @@ int parse_cmd_line(int argc, char** argv)
 pcrstr[0] = '\0';
 info("The following PCRs will be initialized with values from the hardware TPM:");
- for(unsigned int i = 0; i < TPM_NUM_PCR; ++i) {
+ for(unsigned int i = 0; i < VTPM_NUMPCRS; ++i) {
 if(opt_args.hwinitpcrs & (1 << i)) {
 ptr += sprintf(ptr, "%u, ", i);
 }
diff --git a/stubdom/vtpm/vtpm_pcrs.h b/stubdom/vtpm/vtpm_pcrs.h
index 11835f9..bd9068c 100644
--- a/stubdom/vtpm/vtpm_pcrs.h
+++ b/stubdom/vtpm/vtpm_pcrs.h
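Review bot: In the range branch of parse_cmd_line() (first vtpm.c hunk), the bounds check on `v2` still passes `v1` to the error message, so a rejected upper bound is logged with the wrong index; the line should read `error("hwinitpcr error: Invalid PCR index %u", v2);`. The visible lines also show no check that `v1 <= v2`; if none exists outside the hunk, a reversed range should be rejected explicitly. Because `TPM_NUM_PCR` becomes 32 in this series while only PCRs 0-23 can be seeded from hardware, the switch to `VTPM_NUMPCRS` deserves a short comment at the first check, for example `/* only PCRs 0-23 can be initialized from the hardware TPM */`. The function starts and ends outside both hunks.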
@@ -40,11 +40,11 @@
 #define VTPM_PCR22 1 << 22
 #define VTPM_PCR23 1 << 23
-#define VTPM_PCRALL (1 << TPM_NUM_PCR) - 1
-#define VTPM_PCRNONE 0
-
 #define VTPM_NUMPCRS 24
+#define VTPM_PCRALL (1 << VTPM_NUMPCRS) - 1
+#define VTPM_PCRNONE 0
+
 struct tpmfront_dev;
 TPM_RESULT vtpm_initialize_hw_pcrs(struct tpmfront_dev* tpmfront_dev, unsigned long pcrs);
--
1.7.11.7
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
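Review bot: The relocated `VTPM_PCRALL` still expands to `(1 << VTPM_NUMPCRS) - 1` with no outer parentheses, so a use such as `~VTPM_PCRALL` or `VTPM_PCRALL * n` groups differently from what the name suggests. Since this mask decides which PCRs are copied from the hardware TPM, it is worth defining it as `#define VTPM_PCRALL ((1u << VTPM_NUMPCRS) - 1)`. The `VTPM_PCR22` and `VTPM_PCR23` context lines have the same unparenthesized form. A one-line comment on `VTPM_NUMPCRS` saying that it counts the hardware-initializable PCRs and is deliberately smaller than the emulator's `TPM_NUM_PCR` would stop the two constants from being merged again later.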