[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH 07/13] stubdom/vtpm: Add locality-5 PCRs



This defines new PCRs (24-31) that are restricted to locality 5, which
can be used by an agent outside a domain to record information about its
measurements and activity. These PCRs cannot be initialized from the
hardware TPM (since most hardware TPMs do not define PCR 24+).

This definition may need to be changed in the future, as the TCG's VTPM
working group is working to define the meaning of PCRs above 23 on a
vTPM; the existing PC-client specification allows these PCRs to be
implementation-defined.

Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
---
 stubdom/Makefile                  |  1 +
 stubdom/vtpm-locality5-pcrs.patch | 33 +++++++++++++++++++++++++++++++++
 stubdom/vtpm/README               | 15 ++++++++++++++-
 stubdom/vtpm/vtpm.c               |  8 ++++----
 stubdom/vtpm/vtpm_pcrs.h          |  6 +++---
 5 files changed, 55 insertions(+), 8 deletions(-)
 create mode 100644 stubdom/vtpm-locality5-pcrs.patch

diff --git a/stubdom/Makefile b/stubdom/Makefile
index 4b4f74e..2d47b7c 100644
--- a/stubdom/Makefile
+++ b/stubdom/Makefile
@@ -210,6 +210,7 @@ tpm_emulator-$(XEN_TARGET_ARCH): 
tpm_emulator-$(TPMEMU_VERSION).tar.gz
        patch -d $@ -p1 < tpmemu-$(TPMEMU_VERSION).patch;
        patch -d $@ -p1 < vtpm-bufsize.patch
        patch -d $@ -p1 < vtpm-locality.patch
+       patch -d $@ -p1 < vtpm-locality5-pcrs.patch
        mkdir $@/build
        cd $@/build; CC=${CC} $(CMAKE) .. -DCMAKE_C_FLAGS:STRING="-std=c99 
-DTPM_NO_EXTERN $(TARGET_CPPFLAGS) $(TARGET_CFLAGS) 
-Wno-declaration-after-statement"
        touch $@
diff --git a/stubdom/vtpm-locality5-pcrs.patch 
b/stubdom/vtpm-locality5-pcrs.patch
new file mode 100644
index 0000000..f697035
--- /dev/null
+++ b/stubdom/vtpm-locality5-pcrs.patch
@@ -0,0 +1,33 @@
+diff --git a/tpm/tpm_data.c b/tpm/tpm_data.c
+index 50c9697..d8cac09 100644
+--- a/tpm/tpm_data.c
++++ b/tpm/tpm_data.c
+@@ -151,9 +151,12 @@ void tpm_init_data(void)
+     init_pcr_attr(22, TRUE, 0x04, 0x04);
+     init_pcr_attr(23, TRUE, 0x1f, 0x1f);
+   }
+-  for (i = 24; i < TPM_NUM_PCR; i++) {
+-    init_pcr_attr(i, TRUE, 0x00, 0x00);
+-  }
++  for (i = 24; i < 28 && i < TPM_NUM_PCR; i++)
++    init_pcr_attr(i, FALSE, 0x00, 0x20);
++  for (i = 28; i < 32 && i < TPM_NUM_PCR; i++)
++    init_pcr_attr(i, TRUE, 0x20, 0x20);
++  for (i = 32; i < TPM_NUM_PCR; i++)
++    init_pcr_attr(i, FALSE, 0x00, 0xC0);
+   if (tpmConf & TPM_CONF_GENERATE_EK) {
+     /* generate a new endorsement key */
+     tpm_rsa_generate_key(&tpmData.permanent.data.endorsementKey, 2048);
+diff --git a/tpm/tpm_structures.h b/tpm/tpm_structures.h
+index f746c05..08cef1e 100644
+--- a/tpm/tpm_structures.h
++++ b/tpm/tpm_structures.h
+@@ -676,7 +676,7 @@ typedef struct tdTPM_CMK_MA_APPROVAL {
+ /*
+  * Number of PCRs of the TPM (must be a multiple of eight)
+  */
+-#define TPM_NUM_PCR 24
++#define TPM_NUM_PCR 32
+ 
+ /*
+  * TPM_PCR_SELECTION ([TPM_Part2], Section 8.1)
diff --git a/stubdom/vtpm/README b/stubdom/vtpm/README
index 11bdacb..b0bd8f9 100644
--- a/stubdom/vtpm/README
+++ b/stubdom/vtpm/README
@@ -1,7 +1,7 @@
 Copyright (c) 2010-2012 United States Government, as represented by
 the Secretary of Defense.  All rights reserved.
 November 12 2012
-Authors: Matthew Fioravante (JHUAPL),
+Authors: Matthew Fioravante (JHUAPL), Daniel De Graaf (NSA)
 
 This document describes the operation and command line interface
 of vtpm-stubdom. See docs/misc/vtpm.txt for details on the
@@ -68,6 +68,19 @@ hwinitpcr=<PCRSPEC>: Initialize the virtual Platform 
Configuration Registers
        will copy pcrs 5, 12, 13, 14, 15, and 16.
 
 ------------------------------
+VIRTUAL-TPM SPECIFIC FEATURES
+------------------------------
+
+The virtual TPM emulator provides some extensions to the TPM specification that
+are useful in a virtualized environment. The featues added to the emulator are:
+
+ * Support for specifying localities beyond the standard 0-4
+ * Extended PCRs 24-31 that can only be extended by locality 5
+
+Locality 5 is intended for use by a measurement agent running outside the
+primary domain using the VM.
+
+------------------------------
 REFERENCES
 ------------------------------
 
diff --git a/stubdom/vtpm/vtpm.c b/stubdom/vtpm/vtpm.c
index eb7912f..aaf1a24 100644
--- a/stubdom/vtpm/vtpm.c
+++ b/stubdom/vtpm/vtpm.c
@@ -253,18 +253,18 @@ int parse_cmd_line(int argc, char** argv)
                opt_args.hwinitpcrs = VTPM_PCRNONE;
             } else if(sscanf(pch, "%u", &v1) == 1) {
                //Set one
-               if(v1 >= TPM_NUM_PCR) {
+               if(v1 >= VTPM_NUMPCRS) {
                   error("hwinitpcr error: Invalid PCR index %u", v1);
                   return -1;
                }
                opt_args.hwinitpcrs |= (1 << v1);
             } else if(sscanf(pch, "%u-%u", &v1, &v2) == 2) {
                //Set range
-               if(v1 >= TPM_NUM_PCR) {
+               if(v1 >= VTPM_NUMPCRS) {
                   error("hwinitpcr error: Invalid PCR index %u", v1);
                   return -1;
                }
-               if(v2 >= TPM_NUM_PCR) {
+               if(v2 >= VTPM_NUMPCRS) {
                   error("hwinitpcr error: Invalid PCR index %u", v1);
                   return -1;
                }
@@ -312,7 +312,7 @@ int parse_cmd_line(int argc, char** argv)
 
       pcrstr[0] = '\0';
       info("The following PCRs will be initialized with values from the 
hardware TPM:");
-      for(unsigned int i = 0; i < TPM_NUM_PCR; ++i) {
+      for(unsigned int i = 0; i < VTPM_NUMPCRS; ++i) {
          if(opt_args.hwinitpcrs & (1 << i)) {
             ptr += sprintf(ptr, "%u, ", i);
          }
diff --git a/stubdom/vtpm/vtpm_pcrs.h b/stubdom/vtpm/vtpm_pcrs.h
index 11835f9..bd9068c 100644
--- a/stubdom/vtpm/vtpm_pcrs.h
+++ b/stubdom/vtpm/vtpm_pcrs.h
@@ -40,11 +40,11 @@
 #define VTPM_PCR22 1 << 22
 #define VTPM_PCR23 1 << 23
 
-#define VTPM_PCRALL (1 << TPM_NUM_PCR) - 1
-#define VTPM_PCRNONE 0
-
 #define VTPM_NUMPCRS 24
 
+#define VTPM_PCRALL (1 << VTPM_NUMPCRS) - 1
+#define VTPM_PCRNONE 0
+
 struct tpmfront_dev;
 
 TPM_RESULT vtpm_initialize_hw_pcrs(struct tpmfront_dev* tpmfront_dev, unsigned 
long pcrs);
-- 
1.8.1


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.