[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH 1/2] vtpm: deep quote flags



Currently, the flags are not interpreted by vTPM. They are just
packed and sent to vtpmmgr. The new implementation is backward
compatible, if it receives a request without flags, it continues
the request to vtpmmgr with extraInfoFlags=0.

Signed-off-by: Emil Condrea <emilcondrea@xxxxxxxxx>
---
 stubdom/Makefile                    |   1 +
 stubdom/vtpm-deepquote-anyloc.patch | 127 ++++++++++++++++++++++++++++++++++++
 stubdom/vtpm/vtpm_cmd.c             |  13 ++--
 3 files changed, 135 insertions(+), 6 deletions(-)
 create mode 100644 stubdom/vtpm-deepquote-anyloc.patch

diff --git a/stubdom/Makefile b/stubdom/Makefile
index 8fb885a..c135334 100644
--- a/stubdom/Makefile
+++ b/stubdom/Makefile
@@ -211,6 +211,7 @@ tpm_emulator-$(XEN_TARGET_ARCH): 
tpm_emulator-$(TPMEMU_VERSION).tar.gz
        patch -d $@ -p1 < vtpm-locality.patch
        patch -d $@ -p1 < vtpm-parent-sign-ek.patch
        patch -d $@ -p1 < vtpm-deepquote.patch
+       patch -d $@ -p1 < vtpm-deepquote-anyloc.patch
        patch -d $@ -p1 < vtpm-cmake-Wextra.patch
        mkdir $@/build
        cd $@/build; CC=${CC} $(CMAKE) .. -DCMAKE_C_FLAGS:STRING="-std=c99 
-DTPM_NO_EXTERN $(TARGET_CPPFLAGS) $(TARGET_CFLAGS) 
-Wno-declaration-after-statement"
diff --git a/stubdom/vtpm-deepquote-anyloc.patch 
b/stubdom/vtpm-deepquote-anyloc.patch
new file mode 100644
index 0000000..ae7df9c
--- /dev/null
+++ b/stubdom/vtpm-deepquote-anyloc.patch
@@ -0,0 +1,127 @@
+diff --git a/tpm/tpm_cmd_handler.c b/tpm/tpm_cmd_handler.c
+index 69511d1..cf441bb 100644
+--- a/tpm/tpm_cmd_handler.c
++++ b/tpm/tpm_cmd_handler.c
+@@ -3347,12 +3347,13 @@ static TPM_RESULT execute_TPM_DeepQuote(TPM_REQUEST 
*req, TPM_RESPONSE *rsp)
+ {
+       TPM_NONCE nonce;
+       TPM_RESULT res;
+-      UINT32 sigSize;
+-      BYTE *sig;
++      UINT32 quote_blob_size;
++      BYTE *quote_blob;
+       BYTE *ptr;
+       UINT32 len;
+       TPM_PCR_SELECTION myPCR;
+       TPM_PCR_SELECTION ptPCR;
++      UINT32 extraInfoFlags = 0;
+ 
+       tpm_compute_in_param_digest(req);
+ 
+@@ -3361,17 +3362,19 @@ static TPM_RESULT execute_TPM_DeepQuote(TPM_REQUEST 
*req, TPM_RESPONSE *rsp)
+       if (tpm_unmarshal_TPM_NONCE(&ptr, &len, &nonce)
+               || tpm_unmarshal_TPM_PCR_SELECTION(&ptr, &len, &myPCR)
+               || tpm_unmarshal_TPM_PCR_SELECTION(&ptr, &len, &ptPCR)
++              || (len>0 && tpm_unmarshal_TPM_DEEP_QUOTE_INFO(&ptr, &len, 
&extraInfoFlags)!=0)
+               || len != 0) return TPM_BAD_PARAMETER;
+ 
+-      res = TPM_DeepQuote(&nonce, &myPCR, &ptPCR, &req->auth1, &sigSize, 
&sig);
++      res = TPM_DeepQuote(&nonce, &myPCR, &ptPCR, &req->auth1, extraInfoFlags,
++              &quote_blob_size, &quote_blob);
+       if (res != TPM_SUCCESS) return res;
+-      rsp->paramSize = len = sigSize;
++              rsp->paramSize = len = quote_blob_size;
+       rsp->param = ptr = tpm_malloc(len);
+-      if (ptr == NULL || tpm_marshal_BLOB(&ptr, &len, sig, sigSize)) {
++      if (ptr == NULL || tpm_marshal_BLOB(&ptr, &len, quote_blob, 
quote_blob_size)) {
+               tpm_free(rsp->param);
+               res = TPM_FAIL;
+       }
+-      tpm_free(sig);
++      tpm_free(quote_blob);
+ 
+       return res;
+ }
+diff --git a/tpm/tpm_commands.h b/tpm/tpm_commands.h
+index 328d1be..a56dd5f 100644
+--- a/tpm/tpm_commands.h
++++ b/tpm/tpm_commands.h
+@@ -3077,6 +3077,7 @@ TPM_RESULT TPM_ParentSignEK(
+  * @myPCR: [in] PCR selection for the virtual TPM
+  * @ptPCR: [in] PCR selection for the hardware TPM
+  * @auth1: [in, out] Authorization protocol parameters
++ * @extraInfoFlags [in] Flags for including, kernel hash, group info, etc
+  * @sigSize: [out] The length of the returned digital signature
+  * @sig: [out] The resulting digital signature and PCR values
+  * Returns: TPM_SUCCESS on success, a TPM error code otherwise.
+@@ -3086,6 +3087,7 @@ TPM_RESULT TPM_DeepQuote(
+   TPM_PCR_SELECTION *myPCR,
+   TPM_PCR_SELECTION *ptPCR,
+   TPM_AUTH *auth1,
++  UINT32 extraInfoFlags,
+   UINT32 *sigSize,
+   BYTE **sig
+ );
+diff --git a/tpm/tpm_credentials.c b/tpm/tpm_credentials.c
+index c0d62e7..6586c22 100644
+--- a/tpm/tpm_credentials.c
++++ b/tpm/tpm_credentials.c
+@@ -183,7 +183,8 @@ TPM_RESULT TPM_OwnerReadInternalPub(TPM_KEY_HANDLE 
keyHandle, TPM_AUTH *auth1,
+ 
+ int endorsementKeyFresh = 0;
+ 
+-TPM_RESULT VTPM_GetParentQuote(TPM_DIGEST* data, TPM_PCR_SELECTION *sel, 
UINT32 *sigSize, BYTE **sig);
++TPM_RESULT VTPM_GetParentQuote(TPM_NONCE *data, TPM_PCR_SELECTION *sel,
++                               UINT32 extraInfoFlags, UINT32 *sigSize, BYTE 
**sig);
+ 
+ TPM_RESULT TPM_ParentSignEK(TPM_NONCE *externalData, TPM_PCR_SELECTION *sel,
+                             TPM_AUTH *auth1, UINT32 *sigSize, BYTE **sig)
+@@ -191,7 +192,7 @@ TPM_RESULT TPM_ParentSignEK(TPM_NONCE *externalData, 
TPM_PCR_SELECTION *sel,
+       TPM_PUBKEY pubKey;
+       TPM_RESULT res;
+       TPM_DIGEST hres;
+-
++      UINT32 extraInfoFlags = 0;
+       info("TPM_ParentSignEK()");
+ 
+       res = tpm_verify_auth(auth1, tpmData.permanent.data.ownerAuth, 
TPM_KH_OWNER);
+@@ -206,7 +207,7 @@ TPM_RESULT TPM_ParentSignEK(TPM_NONCE *externalData, 
TPM_PCR_SELECTION *sel,
+               res = TPM_FAIL;
+ 
+       if (res == TPM_SUCCESS)
+-              res = VTPM_GetParentQuote(&hres, sel, sigSize, sig);
++              res = VTPM_GetParentQuote((TPM_NONCE*)&hres, sel, 
extraInfoFlags, sigSize, sig);
+ 
+       free_TPM_PUBKEY(pubKey);
+       return res;
+@@ -218,7 +219,7 @@ static const BYTE dquot_hdr[] = {
+ 
+ TPM_RESULT TPM_DeepQuote(TPM_NONCE *externalData, TPM_PCR_SELECTION *myPCR,
+                          TPM_PCR_SELECTION *ptPCR, TPM_AUTH *auth1,
+-                         UINT32 *sigSize, BYTE **sig)
++                         UINT32 extraInfoFlags, UINT32 *quote_blob_size, BYTE 
**quote_blob)
+ {
+   TPM_RESULT res;
+   TPM_DIGEST hres;
+@@ -253,7 +254,7 @@ TPM_RESULT TPM_DeepQuote(TPM_NONCE *externalData, 
TPM_PCR_SELECTION *myPCR,
+ 
+   tpm_free(buf);
+ 
+-      res = VTPM_GetParentQuote(&hres, ptPCR, sigSize, sig);
++  res = VTPM_GetParentQuote((TPM_NONCE*)&hres, ptPCR, extraInfoFlags, 
quote_blob_size, quote_blob);
+ 
+   return res;
+ }
+diff --git a/tpm/tpm_marshalling.h b/tpm/tpm_marshalling.h
+index d510ebe..2e0c008 100644
+--- a/tpm/tpm_marshalling.h
++++ b/tpm/tpm_marshalling.h
+@@ -268,6 +268,8 @@ static inline int tpm_unmarshal_BOOL(BYTE **ptr, UINT32 
*length, BOOL *v)
+ #define tpm_unmarshal_TPM_REDIR_COMMAND        tpm_unmarshal_UINT32
+ #define tpm_marshal_DAAHANDLE                  tpm_marshal_UINT32
+ #define tpm_unmarshal_DAAHANDLE                tpm_unmarshal_UINT32
++#define tpm_marshal_TPM_DEEP_QUOTE_INFO        tpm_marshal_UINT32
++#define tpm_unmarshal_TPM_DEEP_QUOTE_INFO      tpm_unmarshal_UINT32
+ 
+ int tpm_marshal_UINT32_ARRAY(BYTE **ptr, UINT32 *length, UINT32 *v, UINT32 n);
+ int tpm_unmarshal_UINT32_ARRAY(BYTE **ptr, UINT32 *length, UINT32 *v, UINT32 
n);
diff --git a/stubdom/vtpm/vtpm_cmd.c b/stubdom/vtpm/vtpm_cmd.c
index 6fda456..eec37df 100644
--- a/stubdom/vtpm/vtpm_cmd.c
+++ b/stubdom/vtpm/vtpm_cmd.c
@@ -218,7 +218,8 @@ egress:
 }
 
 extern struct tpmfront_dev* tpmfront_dev;
-TPM_RESULT VTPM_GetParentQuote(TPM_NONCE *data, TPM_PCR_SELECTION *sel, UINT32 
*sigSize, BYTE **sig)
+TPM_RESULT VTPM_GetParentQuote(TPM_NONCE *data, TPM_PCR_SELECTION *sel,
+                               UINT32 extraInfoFlags, UINT32 *quote_blob_size, 
BYTE **quote_blob)
 {
    TPM_RESULT status = TPM_SUCCESS;
    uint8_t* bptr, *resp;
@@ -231,11 +232,12 @@ TPM_RESULT VTPM_GetParentQuote(TPM_NONCE *data, 
TPM_PCR_SELECTION *sel, UINT32 *
    TPM_COMMAND_CODE ord = VTPM_ORD_GET_QUOTE;
 
    /*Create the command*/
-   len = size = VTPM_COMMAND_HEADER_SIZE + 25;
+   len = size = VTPM_COMMAND_HEADER_SIZE + 20 + 
sizeof_TPM_PCR_SELECTION((*sel)) + 4;
    bptr = cmdbuf = malloc(size);
    TRYFAILGOTO(pack_header(&bptr, &len, tag, size, ord));
    TRYFAILGOTO(tpm_marshal_TPM_NONCE(&bptr, &len, data));
    TRYFAILGOTO(tpm_marshal_TPM_PCR_SELECTION(&bptr, &len, sel));
+   TRYFAILGOTO(tpm_marshal_TPM_DEEP_QUOTE_INFO(&bptr, &len, extraInfoFlags));
 
    /* Send the command to vtpm_manager */
    info("Requesting Quote from backend");
@@ -248,11 +250,10 @@ TPM_RESULT VTPM_GetParentQuote(TPM_NONCE *data, 
TPM_PCR_SELECTION *sel, UINT32 *
 
    /* Check return code */
    CHECKSTATUSGOTO(ord, "VTPM_GetParentQuote()");
-
    /* Copy out the value */
-   *sigSize = len;
-   *sig = tpm_malloc(*sigSize);
-   TRYFAILGOTOMSG(tpm_unmarshal_BYTE_ARRAY(&bptr, &len, *sig, *sigSize), 
ERR_MALFORMED);
+   *quote_blob_size = len;
+   *quote_blob = tpm_malloc(*quote_blob_size);
+   TRYFAILGOTOMSG(tpm_unmarshal_BYTE_ARRAY(&bptr, &len, *quote_blob, 
*quote_blob_size), ERR_MALFORMED);
 
    goto egress;
 abort_egress:
-- 
2.1.0


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.