From nobody Sat May 10 07:24:25 2025 Delivered-To: importer@patchew.org Received-SPF: none (zoho.com: 80.81.252.135 is neither permitted nor denied by domain of seabios.org) client-ip=80.81.252.135; envelope-from=seabios-bounces@seabios.org; helo=mail.coreboot.org; Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 80.81.252.135 is neither permitted nor denied by domain of seabios.org) smtp.mailfrom=seabios-bounces@seabios.org Return-Path: Received: from mail.coreboot.org (mail.coreboot.org [80.81.252.135]) by mx.zohomail.com with SMTPS id 1513188094209640.6703605811931; Wed, 13 Dec 2017 10:01:34 -0800 (PST) Received: from [127.0.0.1] (helo=ra.coreboot.org) by mail.coreboot.org with esmtp (Exim 4.86_2) (envelope-from ) id 1ePBLG-0001AY-Ji; Wed, 13 Dec 2017 19:01:14 +0100 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5] helo=mx0a-001b2d01.pphosted.com) by mail.coreboot.org with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.86_2) (envelope-from ) id 1ePBKm-0005IJ-UB for seabios@seabios.org; Wed, 13 Dec 2017 19:01:12 +0100 Received: from pps.filterd (m0098416.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.21/8.16.0.21) with SMTP id vBDHxUXn060510 for ; Wed, 13 Dec 2017 13:00:45 -0500 Received: from e12.ny.us.ibm.com (e12.ny.us.ibm.com [129.33.205.202]) by mx0b-001b2d01.pphosted.com with ESMTP id 2eu7kymrb4-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Wed, 13 Dec 2017 13:00:44 -0500 Received: from localhost by e12.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Wed, 13 Dec 2017 13:00:44 -0500 Received: from b01cxnp22034.gho.pok.ibm.com (9.57.198.24) by e12.ny.us.ibm.com (146.89.104.199) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Wed, 13 Dec 2017 13:00:42 -0500 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22034.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id vBDI0dQG47382598; Wed, 13 Dec 2017 18:00:41 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id B20CFB2046; Wed, 13 Dec 2017 12:57:47 -0500 (EST) Received: from sbct-3.watson.ibm.com (unknown [9.47.158.153]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP id 9B299B2050; Wed, 13 Dec 2017 12:57:47 -0500 (EST) From: Stefan Berger To: seabios@seabios.org Date: Wed, 13 Dec 2017 13:00:32 -0500 X-Mailer: git-send-email 2.5.5 In-Reply-To: <1513188032-1373-1-git-send-email-stefanb@linux.vnet.ibm.com> References: <1513188032-1373-1-git-send-email-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17121318-0048-0000-0000-00000213C581 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00008200; HX=3.00000241; KW=3.00000007; PH=3.00000004; SC=3.00000244; SDB=6.00959712; UDB=6.00485388; IPR=6.00739734; BA=6.00005740; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00018523; XFM=3.00000015; UTC=2017-12-13 18:00:43 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17121318-0049-0000-0000-000043728574 Message-Id: <1513188032-1373-3-git-send-email-stefanb@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-12-13_09:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000 definitions=main-1712130253 X-Spam-Score: -2.5 (--) Subject: [SeaBIOS] [PATCH 2/2] tcbios: Add menu item to create a primary storage key for TPM 2 X-BeenThere: seabios@seabios.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: SeaBIOS mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: seabios-bounces@seabios.org Sender: "SeaBIOS" X-Duff: Orig. Duff, Duff Lite, Duff Dry, Duff Dark, Raspberry Duff, Lady Duff, Red Duff, Tartar Control Duff X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Add a menu item to create an SRK with the handle 0x81000001 per the Infrastructure Work Group specification TCG TPM v2.0 Provisioning Guidance; Version 1.0, Rev 1.0, March 15, 2017 https://trustedcomputinggroup.org/tcg-tpm-v2-0-provisioning-guidance/ For the creation flags to set on the EK we follow the above spec Section 7.5.1 "Storage Primary Key (SRK) Templates" and the following spec TCG EK Credential Profile For TPM Family 2.0; Level 0; Rev 14, Nov. 4 2014 https://trustedcomputinggroup.org/tcg-ek-credential-profile-tpm-family-2-0/ Signed-off-by: Stefan Berger --- src/std/tcg.h | 3 ++- src/tcgbios.c | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++++++= ++++ 2 files changed, 73 insertions(+), 1 deletion(-) diff --git a/src/std/tcg.h b/src/std/tcg.h index beecd1f..19dab64 100644 --- a/src/std/tcg.h +++ b/src/std/tcg.h @@ -599,7 +599,7 @@ struct pcctes_romex #define TPM_STATE_OWNERINSTALL 8 =20 #define TPM2_STATE_CREATE_EK 1 -#define TPM2_STATE_CREATE_PSK 2 +#define TPM2_STATE_CREATE_SPK 2 =20 #define TPM_PPI_OP_NOOP 0 #define TPM_PPI_OP_ENABLE 1 @@ -612,5 +612,6 @@ struct pcctes_romex =20 /* additional operations */ #define TPM_PPI_EXT_OP_CREATE_EK (0xe0 + 0) +#define TPM_PPI_EXT_OP_CREATE_SPK (0xe0 + 1) =20 #endif // tcg.h diff --git a/src/tcgbios.c b/src/tcgbios.c index e5b5678..9348a23 100644 --- a/src/tcgbios.c +++ b/src/tcgbios.c @@ -1866,6 +1866,50 @@ tpm20_create_ek(int verbose, u32 *keyhandle) } =20 static int +tpm20_create_spk(int verbose, u32 *keyhandle) +{ + struct tpm2_tpmt_public { + u16 publen; + u16 alg_key; + u16 alg_hash; + u32 keyflags; + u16 authpolicylen; + u8 authpolicy[0]; + struct symkeydata { + u16 algorithm; + u16 keyBits; + u16 mode; + } symkeydata; + u16 scheme; + u16 keyBits; + u32 exponent; + } PACKED ttp =3D { + .publen =3D cpu_to_be16(sizeof(ttp)), + .alg_key =3D cpu_to_be16(TPM2_ALG_RSA), + .alg_hash =3D cpu_to_be16(TPM2_ALG_SHA256), + .keyflags =3D cpu_to_be32(TPM2_OBJECT_FIXEDTPM | + TPM2_OBJECT_FIXEDPARENT | + TPM2_OBJECT_SENSITIVEDATAORIGIN | + TPM2_OBJECT_USERWITHAUTH | + TPM2_OBJECT_NODA | + TPM2_OBJECT_RESTRICTED | + TPM2_OBJECT_DECRYPT), + .authpolicylen =3D cpu_to_be16(sizeof(ttp.authpolicy)), + .symkeydata =3D { + .algorithm =3D cpu_to_be16(TPM2_ALG_AES), + .keyBits =3D cpu_to_be16(128), + .mode =3D cpu_to_be16(TPM2_ALG_CFB), + }, + .scheme =3D cpu_to_be16(TPM2_ALG_NULL), + .keyBits =3D cpu_to_be16(2048), + .exponent =3D cpu_to_be32(0), + }; + + return tpm20_createprimary(TPM2_RH_OWNER, &ttp, sizeof(ttp), + keyhandle); +} + +static int tpm20_evictcontrol(u32 authhandle, u32 keyhandle, u32 persistentHandle) { @@ -1922,6 +1966,15 @@ tpm20_process_cfg(tpm_ppi_code msgCode, int verbose) keyhandle, 0x81010001); break; + + case TPM_PPI_EXT_OP_CREATE_SPK: + ret =3D tpm20_create_spk(verbose, &keyhandle); + if (ret) + break; + ret =3D tpm20_evictcontrol(TPM2_RH_OWNER, + keyhandle, + 0x81000001); + break; } =20 if (ret) @@ -2121,6 +2174,7 @@ tpm20_get_tpm_state(void) =20 struct tpml_handle *handles =3D (struct tpml_handle *)&trg->data; int has_ek =3D 0; + int has_spk =3D 0; =20 num_handles =3D be32_to_cpu(handles->count); =20 @@ -2128,10 +2182,14 @@ tpm20_get_tpm_state(void) u32 h =3D be32_to_cpu(handles->handle[i]); if (h >=3D 0x81010000 && h <=3D 0x8101ffff) has_ek =3D 1; + if (h >=3D 0x81000000 && h <=3D 0x8100ffff) + has_spk =3D 1; } =20 if (!has_ek) state |=3D TPM2_STATE_CREATE_EK; + if (!has_spk) + state |=3D TPM2_STATE_CREATE_SPK; =20 return state; } @@ -2148,6 +2206,12 @@ tpm20_show_tpm_menu(int state, int next_scancodes[4]) printf(" - has"); printf(" a persistent endorsement key.\n"); =20 + if (state & TPM2_STATE_CREATE_SPK) + printf(" - does not have"); + else + printf(" - has"); + printf(" a persistent storage primary key.\n"); + printf("\n1. Clear TPM\n"); next_scancodes[i++] =3D 2; =20 @@ -2155,6 +2219,10 @@ tpm20_show_tpm_menu(int state, int next_scancodes[4]) printf("2. Create a persistent endorsement primary key\n"); next_scancodes[i++] =3D 3; } + if (state & TPM2_STATE_CREATE_SPK) { + printf("3. Create a primary storage key\n"); + next_scancodes[i++] =3D 4; + } next_scancodes[i++] =3D 0; } =20 @@ -2197,6 +2265,9 @@ tpm20_menu(void) case 3: msgCode =3D TPM_PPI_EXT_OP_CREATE_EK; break; + case 4: + msgCode =3D TPM_PPI_EXT_OP_CREATE_SPK; + break; default: continue; } --=20 2.5.5 _______________________________________________ SeaBIOS mailing list SeaBIOS@seabios.org https://mail.coreboot.org/mailman/listinfo/seabios