From: Pawel R. <paw...@in...> - 2022-02-24 10:16:07
|
changeset 9089a75c3c63 in /hg/p/tboot/code details: http://hg.code.sf.net/p/tboot/code/code?cmd=changeset;node=9089a75c3c63 description: Fix composite hashing algorithm for PCONF element to match lcptools-1 lcptools-v2 implements the PCONF composite hashing algorithm described in Intel® Trusted Execution Technology (Intel® TXT): Software Development Guide (01/05/2021). The problem is it doesn't work. TXT aborts with an error "No match is forund for Element." or "PCR info integrity failure". lcptools (v1) did work, but hashed a different structure. Originally signed-off by: Christopher Byrne <sal...@gm...> diffstat: lcptools-v2/pconf_legacy.c | 35 ++++++++++++++++++++++++----------- 1 files changed, 24 insertions(+), 11 deletions(-) diffs (98 lines): diff -r 3a7123929876 -r 9089a75c3c63 lcptools-v2/pconf_legacy.c --- a/lcptools-v2/pconf_legacy.c Tue Feb 22 11:52:50 2022 +0100 +++ b/lcptools-v2/pconf_legacy.c Tue Feb 22 12:45:09 2022 +0100 @@ -67,6 +67,12 @@ uint8_t digest[SHA1_DIGEST_SIZE]; } pcr_data; +typedef struct __packed { + tpm_pcr_selection pcr_selection; + uint32_t size_of_pcrs; // big endian + unsigned char pcrs[][SHA1_DIGEST_SIZE]; +} pcr_composite_buffer; + //Global vars: char pcr_info_files[MAX_FILES][MAX_PATH]; uint8_t num_files = 0; @@ -207,7 +213,7 @@ } } -static bool generate_composite_hash(pcr_data *pcrs, tb_hash_t *dest, uint8_t no_of_pcrs) +static bool generate_composite_hash(tpm_pcr_selection *pcr_selection, pcr_data *pcrs, tb_hash_t *dest, uint8_t no_of_pcrs) { /* This function: concatenates pcr values to one blob and hashes it using sha1 @@ -218,8 +224,9 @@ */ int count = 0; bool result; - size_t buff_size; - unsigned char *buff; + pcr_composite_buffer *buff; + size_t buff_size = 0; + if (pcrs == NULL || dest == NULL) { ERROR("Error: pcrs or buffer for digest are not defined.\n"); return false; 
@@ -228,12 +235,18 @@ ERROR("Error: at least 1 and at most 8 pcrs must be selected.\n"); return false; } - buff_size = no_of_pcrs * SHA1_DIGEST_SIZE; + buff_size = no_of_pcrs * SHA1_DIGEST_SIZE + sizeof(buff) - sizeof(buff->pcrs[0][0]); buff = calloc(1, buff_size); if (buff == NULL) { ERROR("Error: failed to allocate buffer for composite digest.\n"); return false; } + memcpy_s( + &buff->pcr_selection, + sizeof buff->pcr_selection, + pcr_selection, + sizeof buff->pcr_selection + ); for (int i = 0; i < MAX_PCRS; i++) { if (pcrs[i].valid) { if (verbose) { @@ -241,8 +254,8 @@ print_hex("", (const void *) pcrs[i].digest, SHA1_DIGEST_SIZE); } memcpy_s( - buff + (count * SHA1_DIGEST_SIZE), //Dest - buff_size - (count * SHA1_DIGEST_SIZE), //Dest size + buff->pcrs[count], //Dest + SHA1_DIGEST_SIZE, //Dest size (const void *) pcrs[i].digest, //Src SHA1_DIGEST_SIZE //Src size ); @@ -251,7 +264,7 @@ if (count == no_of_pcrs) break; } - result = hash_buffer(buff, buff_size, dest, LCP_POLHALG_SHA1); + result = hash_buffer((unsigned char *)buff, buff_size, dest, LCP_POLHALG_SHA1); if (verbose) { DISPLAY("Composite hash value: "); print_hex("", (const void *) dest, SHA1_DIGEST_SIZE); 
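Review bot: `sizeof(buff)` in the new `buff_size` computation is the size of the pointer, not of `pcr_composite_buffer`, so the header allowance follows the build's pointer width rather than the packed struct layout. Because `pcrs` is a flexible array member, the intended expression is presumably `buff_size = sizeof(*buff) + (size_t)no_of_pcrs * SHA1_DIGEST_SIZE;`. This matters more now that the per-PCR `memcpy_s` in the next hunk passes a fixed `SHA1_DIGEST_SIZE` as the destination size instead of the bytes remaining in the allocation, so an under-sized buffer is no longer caught there. The new `pcr_selection` argument is also used without being added to the `pcrs == NULL || dest == NULL` guard, and no visible line fills `size_of_pcrs`, which stays zero from `calloc` unless it is set outside these hunks. The body of generate_composite_hash extends beyond the hunks shown.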
@@ -316,16 +329,16 @@ ERROR("Error: failed to allocate memory for digest buffer.\n"); return NULL; } - result = generate_composite_hash(pcrs, digest, no_of_pcrs); + pcr_info->locality_at_release = pcrs[0].locality; + pcr_info->pcr_selection.size_of_select = htons(1); + pcr_info->pcr_selection.pcr_select = pcr_select; + result = generate_composite_hash(&pcr_info->pcr_selection, pcrs, digest, no_of_pcrs); if (!result) { ERROR("Error: failed to generate composite hash.\n"); free(digest); free(elt); return false; } - pcr_info->locality_at_release = pcrs[0].locality; - pcr_info->pcr_selection.size_of_select = htons(1); - pcr_info->pcr_selection.pcr_select = pcr_select; memcpy_s((void *)&pcr_info->digest_at_release, SHA1_DIGEST_SIZE, (const void *)&digest->sha1, SHA1_DIGEST_SIZE); pcr_info++; //Move to next one |
From: Pawel R. <paw...@in...> - 2022-02-24 10:16:07
|
changeset 3a7123929876 in /hg/p/tboot/code details: http://hg.code.sf.net/p/tboot/code/code?cmd=changeset;node=3a7123929876 description: Don't ignore locality in PCR file The locality was always set to 0x1f no matter what was in the PCR file because the value read from the file was never written to the global variable, which seems to be mostly unused anyway. Originally signed-off by: Christopher Byrne <sal...@gm...> diffstat: lcptools-v2/pconf_legacy.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diffs (28 lines): diff -r 19597b4c9514 -r 3a7123929876 lcptools-v2/pconf_legacy.c --- a/lcptools-v2/pconf_legacy.c Tue Feb 22 11:43:59 2022 +0100 +++ b/lcptools-v2/pconf_legacy.c Tue Feb 22 11:52:50 2022 +0100 @@ -68,7 +68,6 @@ } pcr_data; //Global vars: -uint8_t locality = DEFAULT_LOCALITY_SELECT; char pcr_info_files[MAX_FILES][MAX_PATH]; uint8_t num_files = 0; int prevOpt = 'i'; @@ -169,6 +168,7 @@ if (this_pcr.locality != 0xFF && this_pcr.num != 0xFF) { this_pcr.valid = true; pcrs[this_pcr.num] = this_pcr; + pcrs[0].locality = locality; } else { ERROR("Error: failed to read PCR data. Check input file.\n"); @@ -323,7 +323,7 @@ free(elt); return false; } - pcr_info->locality_at_release = locality; + pcr_info->locality_at_release = pcrs[0].locality; pcr_info->pcr_selection.size_of_select = htons(1); pcr_info->pcr_selection.pcr_select = pcr_select; memcpy_s((void *)&pcr_info->digest_at_release, SHA1_DIGEST_SIZE, |
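Review bot: Storing the file's locality in `pcrs[0].locality` makes slot 0 carry element-wide state whether or not PCR 0 was selected, and nothing in the hunk documents that. At minimum add a comment at the assignment, e.g. `/* locality applies to the whole PCONF element; kept in slot 0 even when PCR 0 is not valid */`, and consider range-checking `locality` before it reaches `locality_at_release`. Separately, `pcrs[this_pcr.num] = this_pcr;` is guarded here only by `!= 0xFF`; if the parser outside this hunk does not already bound `num` by the array size, that check belongs next to this one. The enclosing functions start and end outside the hunks.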
From: Pawel R. <paw...@in...> - 2022-02-16 14:51:12
|
changeset df08b59ad9ed in /hg/p/tboot/code details: http://hg.code.sf.net/p/tboot/code/code?cmd=changeset;node=df08b59ad9ed description: Set GDT to map CS and DS to 4GB segments before jumping to Linux There was an issue that TBOOT can copy Linux kernel binary to address outside of memory mapped in GTD. If this happens, platform will reset when trying to jump to Linux. In original implementation this limit was set to 256MB. To prevent that situation, this commit sets GDT segments to cover whole memory below 4GB. Originally commited/signed-off by Lukasz Hawrylko <lu...@ha...> diffstat: tboot/common/linux.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diffs (14 lines): diff -r 8635a40eab19 -r df08b59ad9ed tboot/common/linux.c --- a/tboot/common/linux.c Mon Feb 14 15:10:25 2022 +0100 +++ b/tboot/common/linux.c Wed Feb 16 15:50:44 2022 +0100 @@ -471,8 +471,8 @@ static const uint64_t gdt_table[] __attribute__ ((aligned(16))) = { 0, 0, - 0x00c09b000000ffff, /* cs */ - 0x00c093000000ffff /* ds */ + 0x00cf9b000000ffff, /* cs */ + 0x00cf93000000ffff /* ds */ }; /* both 4G flat, CS: execute/read, DS: read/write */ |
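Review bot: The descriptors remain undocumented 64-bit literals, which is how a 256MB limit sat under a comment reading "both 4G flat" until this fix. A per-entry comment spelling out the fields would make the next review mechanical, for example `/* cs: base 0, limit 0xfffff, G=1 (4K units), D=1, execute/read */` and the equivalent for ds. Building the values from named shift/mask constants would be better still, if the file already has them.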
From: Pawel R. <paw...@in...> - 2022-02-14 14:10:43
|
changeset 8635a40eab19 in /hg/p/tboot/code details: http://hg.code.sf.net/p/tboot/code/code?cmd=changeset;node=8635a40eab19 description: Touch ups for GCC12 diffstat: lcptools-v2/mlehash.c | 15 ++++++++------- tboot/common/memlog.c | 8 +++++--- 2 files changed, 13 insertions(+), 10 deletions(-) diffs (73 lines): diff -r 212289468e2d -r 8635a40eab19 lcptools-v2/mlehash.c --- a/lcptools-v2/mlehash.c Thu Dec 16 12:26:24 2021 +0100 +++ b/lcptools-v2/mlehash.c Mon Feb 14 15:10:25 2022 +0100 @@ -269,7 +269,7 @@ * read file from disk, if compressed, uncompress it * */ -static bool read_mle_file(const char *filename, void **buffer, size_t *length) +static bool read_mle_file(const char *filename, void *buffer, size_t *length) { LOG("[read_mle_file]\n"); gzFile fcompressed = NULL; @@ -279,7 +279,7 @@ unsigned long i; *length = 0; - *buffer = NULL; + buffer = NULL; /* check the file exists or not */ LOG("checking whether the file exists or not ... "); @@ -326,11 +326,11 @@ /* read file into buffer */ LOG("reading the decompressed file ... "); - *buffer = malloc(*length); - if ( *buffer == NULL ) + buffer = malloc(*length); + if ( buffer == NULL ) goto error; - memset_s(*buffer, *length, 0); - if ( fread(*buffer, 1, *length, fdecompressed) != *length ) + memset_s(buffer, *length, 0); + if ( fread(buffer, 1, *length, fdecompressed) != *length ) goto error; fclose(fdecompressed); LOG(": succeeded!\n"); @@ -342,7 +342,8 @@ gzclose(fcompressed); if ( fdecompressed ) fclose(fdecompressed); - free(*buffer); + if ( buffer ) + free(buffer); return false; } diff -r 212289468e2d -r 8635a40eab19 tboot/common/memlog.c --- a/tboot/common/memlog.c Thu Dec 16 12:26:24 2021 +0100 +++ b/tboot/common/memlog.c Mon Feb 14 15:10:25 2022 +0100 
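Review bot: Changing `buffer` from `void **` to `void *` in read_mle_file means the caller can no longer receive the data: `buffer = NULL` and `buffer = malloc(*length)` only rebind the local parameter, so the file is read into memory the caller never sees and the allocation leaks on the success path. The caller, which is outside this diff, would then presumably hash something other than the MLE that was read, which for a tool whose output feeds a launch policy is a correctness problem rather than a warning clean-up. I would keep the out-parameter and, if the GCC 12 diagnostic concerned `free(*buffer)` on the error path, own the allocation in a local and publish it only on success, as sketched below. The added `if ( buffer )` before `free` is redundant either way. The function body extends beyond these hunks.

```c
static bool read_mle_file(const char *filename, void **buffer, size_t *length)
{
    void *buf = NULL;   /* owned locally until the read has succeeded */
    /* … unchanged: existence check, decompression, length computation … */
    *length = 0;
    *buffer = NULL;
    /* … unchanged … */
    buf = malloc(*length);
    if ( buf == NULL )
        goto error;
    memset_s(buf, *length, 0);
    if ( fread(buf, 1, *length, fdecompressed) != *length )
        goto error;
    fclose(fdecompressed);
    *buffer = buf;      /* hand ownership to the caller only on success */
    /* … unchanged: success log and return; error path closes the files … */
    free(buf);          /* error path: free(NULL) is a no-op */
```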
@@ -50,7 +50,8 @@ { if ( g_log == NULL ) { g_log = (tboot_log_t *)TBOOT_SERIAL_LOG_ADDR; - g_log->uuid = (uuid_t)TBOOT_LOG_UUID; + uuid_t uuid = (uuid_t)TBOOT_LOG_UUID; + tb_memcpy((void *) &g_log->uuid, (const void *) &uuid, sizeof(uuid_t)); g_log->curr_pos = 0; g_log->zip_count = 0; for ( uint8_t i = 0; i < ZIP_COUNT_MAX; i++ ) g_log->zip_pos[i] = 0; @@ -63,9 +64,10 @@ g_log->max_size = TBOOT_SERIAL_LOG_SIZE - sizeof(*g_log); /* if we're calling this post-launch, verify that curr_pos is valid */ - if ( g_log->zip_pos[g_log->zip_count] > g_log->max_size ){ + if ( g_log->zip_pos[g_log->zip_count] > g_log->max_size && g_log != NULL ){ g_log->curr_pos = 0; - g_log->zip_count = 0; + uint8_t zero = 0; + tb_memcpy((void *) &g_log->uuid, (const void *) &zero, sizeof(uint8_t)); for ( uint8_t i = 0; i < ZIP_COUNT_MAX; i++ ) g_log->zip_pos[i] = 0; for ( uint8_t i = 0; i < ZIP_COUNT_MAX; i++ ) g_log->zip_size[i] = 0; } |
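Review bot: In the post-launch validation hunk the reset of `g_log->zip_count` was replaced by `tb_memcpy((void *) &g_log->uuid, (const void *) &zero, sizeof(uint8_t));`, which clears the first byte of the UUID and leaves `zip_count` untouched. That corrupts the log's identifier and keeps a stale count next to the zeroed `zip_pos`/`zip_size` arrays; the line should stay `g_log->zip_count = 0;` (or copy into `&g_log->zip_count` if a memcpy is really required). The added `&& g_log != NULL` comes after `g_log` has already been dereferenced in the same condition and on the line above, so it protects nothing. `zip_count` is also used as an index into `zip_pos` with no visible bound, so a check such as `if ( g_log->zip_count >= ZIP_COUNT_MAX || g_log->zip_pos[g_log->zip_count] > g_log->max_size )` would validate it before use. The function starts and ends outside the hunks.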
From: Pawel R. <paw...@in...> - 2021-12-10 14:36:06
|
changeset 513125987ff7 in /hg/p/tboot/code details: http://hg.code.sf.net/p/tboot/code/code?cmd=changeset;node=513125987ff7 description: Version v1.10.3 diffstat: CHANGELOG | 7 +++++++ tboot/20_linux_tboot | 2 +- tboot/20_linux_xen_tboot | 2 +- tboot/Config.mk | 4 ++-- 4 files changed, 11 insertions(+), 4 deletions(-) diffs (52 lines): diff -r 6bba3c037fc0 -r 513125987ff7 CHANGELOG --- a/CHANGELOG Tue Dec 07 15:18:51 2021 +0100 +++ b/CHANGELOG Fri Dec 10 15:35:16 2021 +0100 @@ -1,3 +1,10 @@ +20211210: v1.10.3 + Add UNI-VGA license information + Remove poly1305 object files on clean + Support higher resolution monitors + Use SHA256 as default hashing algorithm in lcp2_mlehash and tb_polgen + Add OpenSSL 3.0.0 support in lcptools-v2 + Increase number of supported CPUs to 1024 to accomodate for larger units 20210614: v1.10.2 Fix ACM chipset/processor list validation Check for client/server match when selecting SINIT diff -r 6bba3c037fc0 -r 513125987ff7 tboot/20_linux_tboot --- a/tboot/20_linux_tboot Tue Dec 07 15:18:51 2021 +0100 +++ b/tboot/20_linux_tboot Fri Dec 10 15:35:16 2021 +0100 @@ -181,7 +181,7 @@ tboot_dirname=`dirname ${current_tboot}` rel_tboot_dirname=`make_system_path_relative_to_its_root $tboot_dirname` # tboot_version=`echo $tboot_basename | sed -e "s,.gz$,,g;s,^tboot-,,g"` - tboot_version="1.10.2" + tboot_version="1.10.3" echo "submenu \"tboot ${tboot_version}\" {" while [ "x$list" != "x" ] ; do linux=`version_find_latest $list` diff -r 6bba3c037fc0 -r 513125987ff7 tboot/20_linux_xen_tboot --- a/tboot/20_linux_xen_tboot Tue Dec 07 15:18:51 2021 +0100 +++ b/tboot/20_linux_xen_tboot Fri Dec 10 15:35:16 2021 +0100 
@@ -216,7 +216,7 @@ tboot_basename=`basename ${current_tboot}` tboot_dirname=`dirname ${current_tboot}` rel_tboot_dirname=`make_system_path_relative_to_its_root $tboot_dirname` - tboot_version="1.10.2" + tboot_version="1.10.3" list="${linux_list}" echo "submenu \"Xen ${xen_version}\" \"Tboot ${tboot_version}\"{" while [ "x$list" != "x" ] ; do diff -r 6bba3c037fc0 -r 513125987ff7 tboot/Config.mk --- a/tboot/Config.mk Tue Dec 07 15:18:51 2021 +0100 +++ b/tboot/Config.mk Fri Dec 10 15:35:16 2021 +0100 @@ -6,8 +6,8 @@ # # tboot-specific build settings # -RELEASEVER := "1.10.2" -RELEASETIME := "2021-06-14 14:00 +0100" +RELEASEVER := "1.10.3" +RELEASETIME := "2021-12-10 16:00 +0100" ROOTDIR ?= $(CURDIR)/.. # tboot needs too many customized compiler settings to use system CFLAGS, |
From: Pawel R. <paw...@in...> - 2021-12-10 14:36:06
|
changeset 5a30b6b09e77 in /hg/p/tboot/code details: http://hg.code.sf.net/p/tboot/code/code?cmd=changeset;node=5a30b6b09e77 description: Added tag v1.10.3 for changeset 513125987ff7 diffstat: .hgtags | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diffs (8 lines): diff -r 513125987ff7 -r 5a30b6b09e77 .hgtags --- a/.hgtags Fri Dec 10 15:35:16 2021 +0100 +++ b/.hgtags Fri Dec 10 15:35:42 2021 +0100 @@ -31,3 +31,4 @@ ffaf4680f4ba58a10ee8b1d77426921ae70c98ee v1.10.0 4cfc8a26e6373619296ec93d6a82c9cbdd164732 v1.10.1 4ae5658592ca01bb1a400a9edccbc73092b6c5f3 v1.10.2 +513125987ff7aab93451b87da3fd504eeb9cfd69 v1.10.3 |
From: Pawel R. <paw...@in...> - 2021-12-10 14:36:05
|
changeset 1d7d6d196bb1 in /hg/p/tboot/code details: http://hg.code.sf.net/p/tboot/code/code?cmd=changeset;node=1d7d6d196bb1 description: Add OpenSSL 3.0.0 support in lcptools-v2 diffstat: lcptools-v2/lcputils.c | 557 +++++++++++++++++++++++++++++++--------------- lcptools-v2/pollist2.c | 173 +++++++++---- lcptools-v2/pollist2_1.c | 162 +++++++++---- 3 files changed, 601 insertions(+), 291 deletions(-) diffs (truncated from 1308 to 300 lines): diff -r 5bf5c12411d3 -r 1d7d6d196bb1 lcptools-v2/lcputils.c --- a/lcptools-v2/lcputils.c Wed Sep 15 16:53:34 2021 +0200 +++ b/lcptools-v2/lcputils.c Fri Dec 10 15:27:43 2021 +0100 @@ -50,6 +50,12 @@ #include <openssl/ecdsa.h> #include <openssl/ec.h> #include <openssl/evp.h> +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + #include <openssl/core.h> + #include <openssl/decoder.h> + #include <openssl/crypto.h> + #include <openssl/param_build.h> +#endif #include <safe_lib.h> #include <snprintf_s.h> #define PRINT printf 
@@ -512,77 +518,164 @@ int status; EVP_PKEY_CTX *evp_context = NULL; EVP_PKEY *evp_key = NULL; - RSA *rsa_pubkey = NULL; BIGNUM *modulus = NULL; BIGNUM *exponent = NULL; tb_hash_t *digest = NULL; unsigned char exp_arr[] = {0x01, 0x00, 0x01}; + unsigned char *decrypted_sig = NULL; + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + size_t dcpt_sig_len; + #else + RSA *rsa_pubkey = NULL; + #endif LOG("[verify_rsa_signature]\n"); if (data == NULL || pubkey == NULL || signature == NULL) { ERROR("Error: list data, pubkey or signature buffer not defined.\n"); return false; } - uint8_t decrypted_sig[pubkey->size]; - - //1. Create public key - rsa_pubkey = RSA_new(); - if ( rsa_pubkey == NULL ) { - ERROR("Error: failed to allocate key\n"); - status = 0; - goto EXIT; - } - + modulus = BN_bin2bn(pubkey->data, pubkey->size, NULL); exponent = BN_bin2bn(exp_arr, 3, NULL); - if (modulus == NULL) { - goto OPENSSL_ERROR; - } - if (exponent == NULL) { + if ( modulus == NULL || exponent == NULL ) { + ERROR("Error: failed to convert modulus and/or exponent.\n"); goto OPENSSL_ERROR; } - #if OPENSSL_VERSION_NUMBER >= 0x10100000L - RSA_set0_key(rsa_pubkey, modulus, exponent, NULL); + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + evp_context = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL); + if ( evp_context == NULL) { + ERROR("Error: failed to initialize CTX from name.\n"); + goto OPENSSL_ERROR; + } + + OSSL_PARAM_BLD *params_build = OSSL_PARAM_BLD_new(); + if ( params_build == NULL ) { + ERROR("Error: failed to set up parameter builder.\n"); + goto OPENSSL_ERROR; + } + if ( !OSSL_PARAM_BLD_push_BN(params_build, "n", modulus) ) { + ERROR("Error: failed to push modulus into param build.\n"); + goto OPENSSL_ERROR; + } + if ( !OSSL_PARAM_BLD_push_BN(params_build, "e", exponent) ) { + ERROR("Error: failed to push exponent into param build.\n"); + goto OPENSSL_ERROR; + } + if ( !OSSL_PARAM_BLD_push_BN(params_build, "d", NULL) ) { + ERROR("Error: failed to push NULL into param build.\n"); + goto 
OPENSSL_ERROR; + } + + OSSL_PARAM *params = OSSL_PARAM_BLD_to_param(params_build); + if ( params == NULL ) { + ERROR("Error: failed to construct parameters from builder.\n"); + goto OPENSSL_ERROR; + } + + if ( EVP_PKEY_fromdata_init(evp_context) <= 0 ) { + ERROR("Error: failed to initialize key creation.\n"); + goto OPENSSL_ERROR; + } + + if ( EVP_PKEY_fromdata(evp_context, &evp_key, EVP_PKEY_PUBLIC_KEY, params) <= 0 ) { + ERROR("Error: failed to create key.\n"); + goto OPENSSL_ERROR; + } + OSSL_PARAM_free(params); + OSSL_PARAM_BLD_free(params_build); + EVP_PKEY_CTX_free(evp_context); + evp_context = NULL; #else - rsa_pubkey->n = modulus; - rsa_pubkey->e = exponent; - rsa_pubkey->d = rsa_pubkey->p = rsa_pubkey->q = NULL; + rsa_pubkey = RSA_new(); + if ( rsa_pubkey == NULL ) { + ERROR("Error: failed to allocate key\n"); + status = 0; + goto EXIT; + } + + #if OPENSSL_VERSION_NUMBER >= 0x10100000L + RSA_set0_key(rsa_pubkey, modulus, exponent, NULL); + #else + rsa_pubkey->n = modulus; + rsa_pubkey->e = exponent; + rsa_pubkey->d = rsa_pubkey->p = rsa_pubkey->q = NULL; + #endif #endif if (MAJOR_VER(list_ver) != MAJOR_VER(LCP_TPM20_POLICY_LIST2_1_VERSION_300)) { - //Decrypt signature - we will need to to find hashalg - status = RSA_public_decrypt(pubkey->size, signature->data, decrypted_sig, - rsa_pubkey, RSA_NO_PADDING); - if (status <= 0) { - ERROR("Error: failed to decrypt signature.\n"); + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + + evp_context = EVP_PKEY_CTX_new(evp_key, NULL); + if ( evp_context == NULL ) { + ERROR("Error: failed to instatiate CTX.\n"); + goto OPENSSL_ERROR; + } + if ( EVP_PKEY_encrypt_init(evp_context) <= 0 ) { + ERROR("Error: failed to initialize signature decryption.\n"); + goto OPENSSL_ERROR; + } + if ( EVP_PKEY_CTX_set_rsa_padding(evp_context, RSA_NO_PADDING) <= 0 ) { + ERROR("Error: failed to set RSA padding.\n"); + goto OPENSSL_ERROR; + } + if ( EVP_PKEY_encrypt(evp_context, NULL, &dcpt_sig_len, signature->data, pubkey->size) <= 0 ) { + 
ERROR("Error: failed to retrieve decrypted signature length.\n"); + goto OPENSSL_ERROR; + } + decrypted_sig = OPENSSL_malloc(dcpt_sig_len); + if ( decrypted_sig == NULL ) { + ERROR("Error: failed to allocate memory for decrypted signature.\n"); + status = 0; + goto EXIT; + } + if ( EVP_PKEY_encrypt(evp_context, decrypted_sig, &dcpt_sig_len, signature->data, pubkey->size) <= 0 ) { + ERROR("Error: failed to decrypt signature.\n"); + goto OPENSSL_ERROR; + } + if ( verbose ) { + LOG("Decrypted signature: \n"); + print_hex("", decrypted_sig, dcpt_sig_len); + } + EVP_PKEY_CTX_free(evp_context); + evp_context = NULL; + #else + decrypted_sig = OPENSSL_malloc(pubkey->size); + status = RSA_public_decrypt(pubkey->size, signature->data, decrypted_sig, rsa_pubkey, RSA_NO_PADDING); + if (status <= 0) { + ERROR("Error: failed to decrypt signature.\n"); + goto OPENSSL_ERROR; + } + if ( verbose ) { + LOG("Decrypted signature: \n"); + print_hex("", decrypted_sig, pubkey->size); + } + #endif + //In older lists we need to get hashAlg from signature data. + hashAlg = pkcs_get_hashalg((const unsigned char *) decrypted_sig); + OPENSSL_free((void *) decrypted_sig); + } + + #if OPENSSL_VERSION_NUMBER < 0x30000000L + evp_key = EVP_PKEY_new(); + if ( evp_key == NULL) { goto OPENSSL_ERROR; } - if (verbose) { - LOG("Decrypted signature: \n"); - print_hex("", decrypted_sig, pubkey->size); + + status = EVP_PKEY_set1_RSA(evp_key, rsa_pubkey); + if (status <= 0) { + goto OPENSSL_ERROR; } - //In older lists we need to get hashAlg from signature data. 
- hashAlg = pkcs_get_hashalg((const unsigned char *) decrypted_sig); - } + #endif - evp_key = EVP_PKEY_new(); - if ( evp_key == NULL) { + evp_context = EVP_PKEY_CTX_new(evp_key, NULL); + if ( evp_context == NULL ) { + ERROR("Error: failed to initialize CTX from pkey.\n"); goto OPENSSL_ERROR; } - status = EVP_PKEY_set1_RSA(evp_key, rsa_pubkey); - if (status <= 0) { - goto OPENSSL_ERROR; - } - - evp_context = EVP_PKEY_CTX_new(evp_key, NULL); - if ( evp_context == NULL) { - goto OPENSSL_ERROR; - } - - status = EVP_PKEY_verify_init(evp_context); - if ( status <= 0) { + if ( EVP_PKEY_verify_init(evp_context) <= 0) { + ERROR("Error: failed to initialize verification."); goto OPENSSL_ERROR; } 
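Review bot: The OpenSSL 3 key-construction branch jumps to `OPENSSL_ERROR` from several points after `OSSL_PARAM_BLD_new()` and `OSSL_PARAM_BLD_to_param()` have succeeded, but `params_build` and `params` are block-local and freed only on the success path, so every later failure leaks them. Declaring both at function scope initialised to NULL and releasing them with `OSSL_PARAM_free`/`OSSL_PARAM_BLD_free` in the common exit path would cover all branches. `decrypted_sig` has the same shape: it is freed only after `pkcs_get_hashalg`, not on the error jumps before it, and if the exit path (cut off on this page) frees it too, the pointer needs `decrypted_sig = NULL;` after the early free. In the pre-3.0 branch `decrypted_sig = OPENSSL_malloc(pubkey->size);` reaches `RSA_public_decrypt` unchecked; add `if ( decrypted_sig == NULL ) { status = 0; goto EXIT; }` as the 3.0 branch does. The function and its cleanup labels extend beyond this hunk.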
@@ -596,44 +689,38 @@ goto EXIT; } if ( status <= 0) { + ERROR("Error: failed to set rsa padding.\n"); goto OPENSSL_ERROR; } - switch ( hashAlg) { - case TPM_ALG_SHA1: - if ( EVP_PKEY_CTX_set_signature_md(evp_context, EVP_sha1()) <= 0 ) { - goto OPENSSL_ERROR; - } - break; - case TPM_ALG_SHA256: - if ( EVP_PKEY_CTX_set_signature_md(evp_context, EVP_sha256()) <= 0 ) { - goto OPENSSL_ERROR; - } - break; - case TPM_ALG_SHA384: - if ( EVP_PKEY_CTX_set_signature_md(evp_context, EVP_sha384()) <= 0 ) { - goto OPENSSL_ERROR; - } - break; - default: + if ( hashAlg == TPM_ALG_SHA1 ) { + status = EVP_PKEY_CTX_set_signature_md(evp_context, EVP_sha1()); + } else if ( hashAlg == TPM_ALG_SHA256 ) { + status = EVP_PKEY_CTX_set_signature_md(evp_context, EVP_sha256()); + } else if ( hashAlg == TPM_ALG_SHA384 ) { + status = EVP_PKEY_CTX_set_signature_md(evp_context, EVP_sha384()); + } else { ERROR("Error: Unknown hash alg.\n"); status = 0; goto EXIT; } + if ( status <= 0 ) { + ERROR("Error: failed to set signature message digest.\n"); + goto OPENSSL_ERROR; + } + digest = malloc(get_lcp_hash_size(hashAlg)); if (digest == NULL) { ERROR("Error: failed to allocate digest"); status = 0; goto EXIT; } - status = hash_buffer((const unsigned char *) data->data, data->size, digest, - hashAlg); - if (!status) { + if ( !hash_buffer((const unsigned char *) data->data, data->size, digest, hashAlg) ) { ERROR("Error: failed to hash list contents.\n"); + status = 0; goto EXIT; } - status = EVP_PKEY_verify(evp_context, signature->data, pubkey->size, - (const unsigned char *) digest, get_lcp_hash_size(hashAlg)); + status = EVP_PKEY_verify(evp_context, signature->data, pubkey->size, (const unsigned char *) digest, get_lcp_hash_size(hashAlg)); if (status < 0) { //Error occurred goto OPENSSL_ERROR; } 
@@ -646,12 +733,14 @@ ERR_free_strings(); status = 0; EXIT: + #if OPENSSL_VERSION_NUMBER < 0x30000000L + if (rsa_pubkey != NULL) + OPENSSL_free((void *) rsa_pubkey); + #endif if (evp_context != NULL) OPENSSL_free((void *) evp_context); if (evp_key != NULL) OPENSSL_free((void *) evp_key); - if (rsa_pubkey != NULL) |
From: Lukasz H. <luk...@in...> - 2021-09-15 14:53:56
|
changeset 5bf5c12411d3 in /hg/p/tboot/code details: http://hg.code.sf.net/p/tboot/code/code?cmd=changeset;node=5bf5c12411d3 description: Use sha256 as default hashing algorithm in lcp2_mlehash and tb_polgen Signed-off-by: Lukasz Hawrylko <luk...@in...> diffstat: docs/man/tb_polgen.8 | 3 +++ lcptools-v2/mlehash.c | 4 ++-- tb_polgen/param.c | 4 ++-- 3 files changed, 7 insertions(+), 4 deletions(-) diffs (48 lines): diff -r 4cdcf97e4723 -r 5bf5c12411d3 docs/man/tb_polgen.8 --- a/docs/man/tb_polgen.8 Thu Aug 26 14:12:44 2021 +0200 +++ b/docs/man/tb_polgen.8 Wed Sep 15 16:53:34 2021 +0200 @@ -21,6 +21,9 @@ \fR[\fB\-\-ctrl \fIpolicy-control-value\fR] The default value 1 is to extend policy into PCR 17. .TP +\fR[\fB\-\-alg \fIsha1 \fR|\fI sha256 \fR|\fI sha384 \fR|\fI sha512\fR] +Policy hashing algorithm. +.TP \fIpolicy-file\fR .RE .TP diff -r 4cdcf97e4723 -r 5bf5c12411d3 lcptools-v2/mlehash.c --- a/lcptools-v2/mlehash.c Thu Aug 26 14:12:44 2021 +0200 +++ b/lcptools-v2/mlehash.c Wed Sep 15 16:53:34 2021 +0200 @@ -70,8 +70,8 @@ bool verbose = false; -char alg_name[32] = "sha1"; -uint16_t alg_type = TPM_ALG_SHA1; +char alg_name[32] = "sha256"; +uint16_t alg_type = TPM_ALG_SHA256; static struct option long_opts[] = { diff -r 4cdcf97e4723 -r 5bf5c12411d3 tb_polgen/param.c --- a/tb_polgen/param.c Thu Aug 26 14:12:44 2021 +0200 +++ b/tb_polgen/param.c Wed Sep 15 16:53:34 2021 +0200 @@ -51,7 +51,7 @@ static const char *help[] = { "tb_polgen --create --type nonfatal|continue|halt\n", - " [--alg sha1 (default)|sha256|sha384|sha512]\n", + " [--alg sha1|sha256 (default)|sha384|sha512]\n", " [--ctrl <policy control value>]\n", " [--verbose]\n", " <policy file name>\n", @@ -330,7 +330,7 @@ params->cmd = POLGEN_CMD_NONE; params->mod_num = -1; params->pcr = -1; - params->hash_alg = TB_HALG_SHA1; + params->hash_alg = TB_HALG_SHA256; params->policy_type = -1; params->policy_control = TB_POLCTL_EXTEND_PCR17; params->hash_type = -1; |
From: Lukasz H. <luk...@in...> - 2021-07-06 14:13:02
|
changeset 9a9c09482e5c in /hg/p/tboot/code details: http://hg.code.sf.net/p/tboot/code/code?cmd=changeset;node=9a9c09482e5c description: Add UNI-VGA license information Signed-off-by: Lukasz Hawrylko <luk...@in...> diffstat: tboot/include/vga/LICENSE | 29 + tboot/include/vga/u_vga16.bdf | 66709 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 66738 insertions(+), 0 deletions(-) diffs (truncated from 66746 to 300 lines): diff -r 4276f8fed237 -r 9a9c09482e5c tboot/include/vga/LICENSE --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/tboot/include/vga/LICENSE Tue Jul 06 10:36:57 2021 +0200 
@@ -0,0 +1,29 @@ +font.h is generated from u_vga16.sfn that is a part of UNI-VGA project. +u_vga16.sfn is converted from u_vga16.bfd with sfnconv tool. + +UNI-VGA was created by Dmitry Bolkhovityanov and is distributed under +X license. + +Copyright (c) 2000 Dmitry Bolkhovityanov, bo...@in... + +Permission is hereby granted, free of charge, to any person obtaining a copy of +this software and associated documentation files (the "Software"), to deal in +the Software without restriction, including without limitation the rights to +use, copy, modify, merge, publish, distribute, and/or sell copies of the +Software, and to permit persons to whom the Software is furnished to do so, +provided that the above copyright notice(s) and this permission notice appear +in all copies of the Software and that both the above copyright notice(s) and +this permission notice appear in supporting documentation. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. +IN NO EVENT SHALL THE COPYRIGHT HOLDER OR HOLDERS INCLUDED IN THIS NOTICE BE +LIABLE FOR ANY CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY +DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN +CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +Except as contained in this notice, the name of a copyright holder shall not be +used in advertising or otherwise to promote the sale, use or other dealings in +this Software without prior written authorization of the copyright holder. diff -r 4276f8fed237 -r 9a9c09482e5c tboot/include/vga/u_vga16.bdf --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/tboot/include/vga/u_vga16.bdf Tue Jul 06 10:36:57 2021 +0200 
@@ -0,0 +1,66709 @@ +STARTFONT 2.1 +FONT -Bolkhov-VGA-Medium-R-Normal--16-160-75-75-C-80-iso10646-1 +SIZE 16 75 75 +FONTBOUNDINGBOX 8 16 0 -4 +STARTPROPERTIES 24 +FOUNDRY "Bolkhov" +FAMILY_NAME "VGA" +WEIGHT_NAME "Medium" +SLANT "R" +SETWIDTH_NAME "Normal" +ADD_STYLE_NAME "" +PIXEL_SIZE 16 +POINT_SIZE 160 +RESOLUTION_X 75 +RESOLUTION_Y 75 +SPACING "C" +AVERAGE_WIDTH 80 +CHARSET_REGISTRY "iso10646" +CHARSET_ENCODING "1" +CAP_HEIGHT 10 +X_HEIGHT 7 +FONT_ASCENT 12 +FONT_DESCENT 4 +FACE_NAME "Vga Unicode" +COPYRIGHT "Copyright (c) 2000 Dmitry Bolkhovityanov, bo...@in..." +HOMEPAGE "http://www.inp.nsk.su/~bolkhov/files/fonts/univga/" +NOTICE "VGA is a trademark of IBM Corporation." +DEFAULT_CHAR 0 +_XMBDFED_INFO "Edited with xmbdfed 4.4." +ENDPROPERTIES +CHARS 2899 +STARTCHAR char0 +ENCODING 0 +SWIDTH 480 0 +DWIDTH 8 0 +BBX 8 16 0 -4 +BITMAP +00 +00 +DA +02 +80 +82 +02 +80 +82 +02 +80 +B6 +00 +00 +00 +00 +ENDCHAR +STARTCHAR space +ENCODING 32 +SWIDTH 480 0 +DWIDTH 8 0 +BBX 8 16 0 -4 +BITMAP +00 +00 +00 +00 +00 +00 +00 +00 +00 +00 +00 +00 +00 +00 +00 +00 +ENDCHAR +STARTCHAR exclam +ENCODING 33 +SWIDTH 480 0 +DWIDTH 8 0 +BBX 8 16 0 -4 +BITMAP +00 +00 +18 +3C +3C +3C +18 +18 +18 +00 +18 +18 +00 +00 +00 +00 +ENDCHAR +STARTCHAR quotedbl +ENCODING 34 +SWIDTH 480 0 +DWIDTH 8 0 +BBX 8 16 0 -4 +BITMAP +00 +66 +66 +66 +24 +00 +00 +00 +00 +00 +00 +00 +00 +00 +00 +00 +ENDCHAR +STARTCHAR numbersign +ENCODING 35 +SWIDTH 480 0 +DWIDTH 8 0 +BBX 8 16 0 -4 +BITMAP +00 +00 +00 +6C +6C +FE +6C +6C +6C +FE +6C +6C +00 +00 +00 +00 +ENDCHAR +STARTCHAR dollar +ENCODING 36 +SWIDTH 480 0 +DWIDTH 8 0 +BBX 8 16 0 -4 +BITMAP +18 +18 +7C +C6 +C2 +C0 +7C +06 +06 +86 +C6 +7C +18 +18 +00 +00 +ENDCHAR +STARTCHAR percent +ENCODING 37 +SWIDTH 480 0 +DWIDTH 8 0 +BBX 8 16 0 -4 +BITMAP +00 +00 +00 +00 +C2 +C6 +0C +18 +30 +60 +C6 +86 +00 +00 +00 +00 +ENDCHAR +STARTCHAR ampersand +ENCODING 38 +SWIDTH 480 0 +DWIDTH 8 0 +BBX 8 16 0 -4 +BITMAP +00 +00 +38 +6C +6C +38 +76 +DC +CC +CC +CC +76 +00 +00 +00 +00 
+ENDCHAR +STARTCHAR quotesingle +ENCODING 39 +SWIDTH 480 0 +DWIDTH 8 0 +BBX 8 16 0 -4 +BITMAP +00 +30 +30 +30 +20 +00 +00 +00 +00 +00 +00 +00 +00 +00 +00 +00 +ENDCHAR +STARTCHAR parenleft +ENCODING 40 +SWIDTH 480 0 +DWIDTH 8 0 +BBX 8 16 0 -4 +BITMAP +00 +00 +0C +18 +30 +30 +30 +30 +30 +30 +18 +0C +00 +00 +00 +00 +ENDCHAR +STARTCHAR parenright +ENCODING 41 |
From: Lukasz H. <luk...@in...> - 2021-07-06 14:13:02
|
changeset 6736ab640540 in /hg/p/tboot/code details: http://hg.code.sf.net/p/tboot/code/code?cmd=changeset;node=6736ab640540 description: Remove plantuml binary from repository Signed-off-by: Lukasz Hawrylko <luk...@in...> diffstat: Doxyfile | 2 +- uml/plantuml.jar | Bin 2 files changed, 1 insertions(+), 1 deletions(-) diffs (14 lines): diff -r 9a9c09482e5c -r 6736ab640540 Doxyfile --- a/Doxyfile Tue Jul 06 10:36:57 2021 +0200 +++ b/Doxyfile Tue Jul 06 11:02:08 2021 +0200 @@ -2409,7 +2409,7 @@ # generate a warning when it encounters a \startuml command in this case and # will not generate output for the diagram. -PLANTUML_JAR_PATH = uml/plantuml.jar +PLANTUML_JAR_PATH = /opt/plantuml.jar # When using plantuml, the PLANTUML_CFG_FILE tag can be used to specify a # configuration file for plantuml. diff -r 9a9c09482e5c -r 6736ab640540 uml/plantuml.jar Binary file uml/plantuml.jar has changed |
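Review bot: `PLANTUML_JAR_PATH = /opt/plantuml.jar` replaces a repository-relative path with a host-specific absolute one, so the documentation build now runs whatever jar is present at that location on the build machine. A comment above the setting stating where the jar is expected to come from, and ideally the version or checksum the project builds with, would keep the build reproducible; no such note is visible in the hunk.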
From: Lukasz H. <luk...@in...> - 2021-06-14 13:24:32
|
changeset 4ae5658592ca in /hg/p/tboot/code details: http://hg.code.sf.net/p/tboot/code/code?cmd=changeset;node=4ae5658592ca description: Version v1.10.2 Signed-off-by: Lukasz Hawrylko <luk...@in...> diffstat: CHANGELOG | 5 +++++ tboot/20_linux_tboot | 2 +- tboot/20_linux_xen_tboot | 2 +- tboot/Config.mk | 4 ++-- 4 files changed, 9 insertions(+), 4 deletions(-) diffs (50 lines): diff -r f0648bb334e8 -r 4ae5658592ca CHANGELOG --- a/CHANGELOG Thu Jun 10 11:14:51 2021 +0200 +++ b/CHANGELOG Mon Jun 14 14:15:17 2021 +0200 @@ -1,3 +1,8 @@ +20210614: v1.10.2 + Fix ACM chipset/processor list validation + Check for client/server match when selecting SINIT + Fix issues when building with GCC11 + Default to D/A mapping when TPM1.2 and CBnT platform 20210330: v1.10.1 Indicate to SINIT that CBnT is supported by TBOOT lcptools: Fix issues from static code analysis diff -r f0648bb334e8 -r 4ae5658592ca tboot/20_linux_tboot --- a/tboot/20_linux_tboot Thu Jun 10 11:14:51 2021 +0200 +++ b/tboot/20_linux_tboot Mon Jun 14 14:15:17 2021 +0200 @@ -181,7 +181,7 @@ tboot_dirname=`dirname ${current_tboot}` rel_tboot_dirname=`make_system_path_relative_to_its_root $tboot_dirname` # tboot_version=`echo $tboot_basename | sed -e "s,.gz$,,g;s,^tboot-,,g"` - tboot_version="1.10.1" + tboot_version="1.10.2" echo "submenu \"tboot ${tboot_version}\" {" while [ "x$list" != "x" ] ; do linux=`version_find_latest $list` diff -r f0648bb334e8 -r 4ae5658592ca tboot/20_linux_xen_tboot --- a/tboot/20_linux_xen_tboot Thu Jun 10 11:14:51 2021 +0200 +++ b/tboot/20_linux_xen_tboot Mon Jun 14 14:15:17 2021 +0200 @@ -216,7 +216,7 @@ tboot_basename=`basename ${current_tboot}` tboot_dirname=`dirname ${current_tboot}` rel_tboot_dirname=`make_system_path_relative_to_its_root $tboot_dirname` - tboot_version="1.10.1" + tboot_version="1.10.2" list="${linux_list}" echo "submenu \"Xen ${xen_version}\" \"Tboot ${tboot_version}\"{" while [ "x$list" != "x" ] ; do diff -r f0648bb334e8 -r 4ae5658592ca tboot/Config.mk 
--- a/tboot/Config.mk Thu Jun 10 11:14:51 2021 +0200 +++ b/tboot/Config.mk Mon Jun 14 14:15:17 2021 +0200 @@ -6,8 +6,8 @@ # # tboot-specific build settings # -RELEASEVER := "1.10.1" -RELEASETIME := "2021-03-30 11:00 +0100" +RELEASEVER := "1.10.2" +RELEASETIME := "2021-06-14 14:00 +0100" ROOTDIR ?= $(CURDIR)/.. # tboot needs too many customized compiler settings to use system CFLAGS, |
From: Lukasz H. <luk...@in...> - 2021-06-14 13:24:30
|
changeset 4276f8fed237 in /hg/p/tboot/code details: http://hg.code.sf.net/p/tboot/code/code?cmd=changeset;node=4276f8fed237 description: Added tag v1.10.2 for changeset 4ae5658592ca diffstat: .hgtags | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diffs (8 lines): diff -r 4ae5658592ca -r 4276f8fed237 .hgtags --- a/.hgtags Mon Jun 14 14:15:17 2021 +0200 +++ b/.hgtags Mon Jun 14 14:15:24 2021 +0200 @@ -30,3 +30,4 @@ 931ccde2b4287cfc054e74c6d5ea2a94dcb4e5d8 v1.9.12 ffaf4680f4ba58a10ee8b1d77426921ae70c98ee v1.10.0 4cfc8a26e6373619296ec93d6a82c9cbdd164732 v1.10.1 +4ae5658592ca01bb1a400a9edccbc73092b6c5f3 v1.10.2 |
From: Lukasz H. <luk...@in...> - 2021-06-10 09:15:10
|
changeset f0648bb334e8 in /hg/p/tboot/code details: http://hg.code.sf.net/p/tboot/code/code?cmd=changeset;node=f0648bb334e8 description: Fix ACM chipset/processor list validation Signed-off-by: Lukasz Hawrylko <luk...@in...> diffstat: tboot/txt/acmod.c | 20 ++++++++++---------- 1 files changed, 10 insertions(+), 10 deletions(-) diffs (71 lines): diff -r d8a8e17f6d41 -r f0648bb334e8 tboot/txt/acmod.c --- a/tboot/txt/acmod.c Thu May 13 16:04:27 2021 +0200 +++ b/tboot/txt/acmod.c Thu Jun 10 11:14:51 2021 +0200 @@ -115,13 +115,13 @@ size = hdr->size * 4; /* overflow? */ - if ( plus_overflow_u32(id_list_off, sizeof(acm_chipset_id_t)) ) { - printk(TBOOT_ERR"id_list_off plus acm_chipset_id_t size overflows\n"); + if ( plus_overflow_u32(id_list_off, sizeof(acm_chipset_id_list_t)) ) { + printk(TBOOT_ERR"id_list_off plus acm_chipset_id_list_t size overflows\n"); return NULL; } /* check that chipset id table is w/in ACM */ - if ( id_list_off + sizeof(acm_chipset_id_t) > size ) { + if ( id_list_off + sizeof(acm_chipset_id_list_t) > size ) { printk(TBOOT_ERR"ACM chipset id list is too big: chipset_id_list=%x\n", id_list_off); return NULL; @@ -142,14 +142,14 @@ printk(TBOOT_ERR"size of acm_chipset_id_list overflows\n"); return NULL; } - if ( plus_overflow_u32(id_list_off + sizeof(acm_chipset_id_t), + if ( plus_overflow_u32(id_list_off + sizeof(acm_chipset_id_list_t), chipset_id_list->count * sizeof(acm_chipset_id_t)) ) { printk(TBOOT_ERR"size of all entries overflows\n"); return NULL; } /* check that all entries are w/in ACM */ - if ( id_list_off + sizeof(acm_chipset_id_t) + + if ( id_list_off + sizeof(acm_chipset_id_list_t) + chipset_id_list->count * sizeof(acm_chipset_id_t) > size ) { printk(TBOOT_ERR"ACM chipset id entries are too big:" " chipset_id_list->count=%x\n", chipset_id_list->count); 
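Review bot: The corrected header size `sizeof(acm_chipset_id_list_t)` is still spelled out separately in the overflow guard and in each bounds check of the chipset-list hunks, and the processor-list hunks that follow repeat the pattern with `acm_processor_id_list_t`, so the guard and the comparison can drift apart again. Because these offsets are read from the ACM image being validated, compute the start of the entries once, right after the first overflow check, `uint32_t entries_off = id_list_off + sizeof(acm_chipset_id_list_t);`, and use `entries_off` in both the `plus_overflow_u32()` call and the `> size` comparison. A one-line comment saying that the list header, not a single entry, precedes the entries would document why this type is the right one. Both functions begin and end outside the hunks shown.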
@@ -175,13 +175,13 @@ size = hdr->size * 4; /* overflow? */ - if ( plus_overflow_u32(id_list_off, sizeof(acm_processor_id_t)) ) { - printk(TBOOT_ERR"id_list_off plus acm_processor_id_t size overflows\n"); + if ( plus_overflow_u32(id_list_off, sizeof(acm_processor_id_list_t)) ) { + printk(TBOOT_ERR"id_list_off plus acm_processor_id_list_t size overflows\n"); return NULL; } /* check that processor id table is w/in ACM */ - if ( id_list_off + sizeof(acm_processor_id_t) > size ) { + if ( id_list_off + sizeof(acm_processor_id_list_t) > size ) { printk(TBOOT_ERR"ACM processor id list is too big: processor_id_list=%x\n", id_list_off); return NULL; @@ -202,14 +202,14 @@ printk(TBOOT_ERR"size of acm_processor_id_list overflows\n"); return NULL; } - if ( plus_overflow_u32(id_list_off + sizeof(acm_processor_id_t), + if ( plus_overflow_u32(id_list_off + sizeof(acm_processor_id_list_t), proc_id_list->count * sizeof(acm_processor_id_t)) ) { printk(TBOOT_ERR"size of all entries overflows\n"); return NULL; } /* check that all entries are w/in ACM */ - if ( id_list_off + sizeof(acm_processor_id_t) + + if ( id_list_off + sizeof(acm_processor_id_list_t) + proc_id_list->count * sizeof(acm_processor_id_t) > size ) { printk(TBOOT_ERR"ACM processor id entries are too big:" " proc_id_list->count=%x\n", proc_id_list->count); |
From: Lukasz H. <luk...@in...> - 2021-05-13 14:04:51
|
changeset d8a8e17f6d41 in /hg/p/tboot/code details: http://hg.code.sf.net/p/tboot/code/code?cmd=changeset;node=d8a8e17f6d41 description: Check for client/server match when selecting SINIT This patch adds another verification layer when TBOOT selects SINIT from modules included in multiboot. If both ACM Info Table and BIOS Data Table includes information about client/server platform type, these values will be compared to each other. ACM Info Table and BIOS Data Table structures in header files are updated to currently latest versions (7 and 6 respectively) as well. Signed-off-by: Lukasz Hawrylko <luk...@in...> diffstat: tboot/include/txt/acmod.h | 4 ++-- tboot/include/txt/heap.h | 22 ++++++++++++++++++++-- tboot/txt/acmod.c | 34 +++++++++++++++++++++++++++++----- tboot/txt/heap.c | 4 ++-- utils/txt-acminfo.c | 6 +++++- 5 files changed, 58 insertions(+), 12 deletions(-) diffs (184 lines): diff -r 9613571d0a09 -r d8a8e17f6d41 tboot/include/txt/acmod.h --- a/tboot/include/txt/acmod.h Tue May 11 15:20:24 2021 +0200 +++ b/tboot/include/txt/acmod.h Thu May 13 16:04:27 2021 +0200 @@ -124,14 +124,14 @@ typedef struct __packed { uuid_t uuid; uint8_t chipset_acm_type; - uint8_t version; /* currently 4 */ + uint8_t version; /* currently 7 */ uint16_t length; uint32_t chipset_id_list; uint32_t os_sinit_data_ver; uint32_t min_mle_hdr_ver; txt_caps_t capabilities; uint8_t acm_ver; - uint8_t reserved[3]; + uint8_t acm_revision[3]; /* versions >= 4 */ uint32_t processor_id_list; /* versions >= 5 */ diff -r 9613571d0a09 -r d8a8e17f6d41 tboot/include/txt/heap.h --- a/tboot/include/txt/heap.h Tue May 11 15:20:24 2021 +0200 +++ b/tboot/include/txt/heap.h Thu May 13 16:04:27 2021 +0200 
@@ -244,14 +244,32 @@ /* * BIOS structure */ + +#define PLATFORM_TYPE_CLIENT 0x01 +#define PLATFORM_TYPE_SERVER 0x02 + typedef struct __packed { - uint32_t version; /* currently 2-4 */ + uint32_t sinit; + struct { + /* versions >= 5 */ + uint32_t ppi_supported : 1; + /* versions >= 6 */ + uint32_t platform_type : 2; + uint32_t reserved : 29; + } mle; +} bios_data_flags_t; + +typedef struct __packed { + uint32_t version; /* currently 2-6 */ uint32_t bios_sinit_size; uint64_t lcp_pd_base; uint64_t lcp_pd_size; uint32_t num_logical_procs; /* versions >= 3 */ - uint64_t flags; /* For TPM2, it is divided into sinit_flag and mle_flag */ + union { + uint64_t raw; + bios_data_flags_t bits; /* For TPM2, it is divided into sinit_flag and mle_flag */ + } flags; /* versions >= 4 */ heap_ext_data_element_t ext_data_elts[]; } bios_data_t; diff -r 9613571d0a09 -r d8a8e17f6d41 tboot/txt/acmod.c --- a/tboot/txt/acmod.c Tue May 11 15:20:24 2021 +0200 +++ b/tboot/txt/acmod.c Thu May 13 16:04:27 2021 +0200 @@ -52,6 +52,7 @@ #include <txt/mtrrs.h> #include <txt/heap.h> #include <txt/smx.h> +#include <txt/heap.h> #include <tpm.h> #endif /* IS_INCLUDED */ @@ -359,6 +360,12 @@ printk(TBOOT_DETA"\t\t min_mle_hdr_ver: 0x%08x\n", info_table->min_mle_hdr_ver); print_txt_caps("\t\t ", info_table->capabilities); printk(TBOOT_DETA"\t\t acm_ver: %u\n", (uint32_t)info_table->acm_ver); + if (info_table->version > 6) { + printk(TBOOT_DETA"\t\t acm_revision: %x.%x.%x\n", + (uint32_t)info_table->acm_revision[0], + (uint32_t)info_table->acm_revision[1], + (uint32_t)info_table->acm_revision[2]); + } /* chipset list */ printk(TBOOT_DETA"\t chipset list:\n"); @@ -524,7 +531,7 @@ return false; } /* there is forward compatibility, so this is just a warning */ - else if ( info_table->version > 5 ) { + else if ( info_table->version > 7 ) { if ( !quiet ) printk(TBOOT_WARN"\t ACM info_table version mismatch (%u)\n", (uint32_t)info_table->version); 
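Review bot: `bios_data_flags_t` decodes firmware-written BIOS data through C bit-fields overlaid on `flags.raw`, and bit-field allocation order and padding are implementation-defined, so where `platform_type` lands depends on the compiler rather than on anything this header states. The new client/server check in acmod.c relies on that field, so pin the layout: add `_Static_assert(sizeof(bios_data_flags_t) == sizeof(uint64_t), "bios_data flags must be 64 bits");` next to the typedef if the build accepts C11, or read the field from `raw` with an explicit shift and mask. A comment giving the bit positions of `ppi_supported` and `platform_type` would make the mapping checkable against the specification.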
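Review bot: The added `#include <txt/heap.h>` in tboot/txt/acmod.c duplicates the include that already sits two lines above it in the same block (visible as context in the hunk), so it has no effect. Drop the added line; the existing include already brings in the heap.h declarations the new platform check uses.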
@@ -575,6 +582,27 @@ static bool printed_host_info; /* this fn assumes that the ACM has already passed the is_acmod() checks */ + acm_info_table_t *info_table = get_acmod_info_table(hdr); + if ( info_table == NULL ) + return false; + + /* verify client/server platform match */ + txt_heap_t *txt_heap = get_txt_heap(); + bios_data_t *bios_data = get_bios_data_start(txt_heap); + if (info_table->version >= 5 && bios_data->version >= 6) { + uint32_t bios_type = bios_data->flags.bits.mle.platform_type; + uint32_t sinit_type = info_table->capabilities.platform_type; + + if (bios_type == PLATFORM_TYPE_CLIENT && sinit_type != PLATFORM_TYPE_CLIENT) { + printk(TBOOT_ERR"Error: Non-client ACM on client platform\n"); + return false; + } + + if (bios_type == PLATFORM_TYPE_SERVER && sinit_type != PLATFORM_TYPE_SERVER) { + printk(TBOOT_ERR"Error: Non-server ACM on server platform\n"); + return false; + } + } /* get chipset fusing, device, and vendor id info */ txt_didvid_t didvid; @@ -641,10 +669,6 @@ /* * check if processor family/model/stepping and platform IDs match */ - acm_info_table_t *info_table = get_acmod_info_table(hdr); - if ( info_table == NULL ) - return false; - if ( info_table->version >= 4 ) { acm_processor_id_list_t *proc_id_list = get_acmod_processor_list(hdr); if ( proc_id_list == NULL ) diff -r 9613571d0a09 -r d8a8e17f6d41 tboot/txt/heap.c --- a/tboot/txt/heap.c Tue May 11 15:20:24 2021 +0200 +++ b/tboot/txt/heap.c Thu May 13 16:04:27 2021 +0200 @@ -418,7 +418,7 @@ bios_data->lcp_pd_size); printk(TBOOT_DETA"\t num_logical_procs: %u\n", bios_data->num_logical_procs); if ( bios_data->version >= 3 ) - printk(TBOOT_DETA"\t flags: 0x%08jx\n", bios_data->flags); + printk(TBOOT_DETA"\t flags: 0x%08jx\n", bios_data->flags.raw); if ( bios_data->version >= 4 && size > sizeof(*bios_data) + sizeof(size) ) print_ext_data_elts(bios_data->ext_data_elts); } 
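Review bot: In the added platform check, an ACM whose `capabilities.platform_type` is neither client nor server (0, for example) is rejected whenever the BIOS reports a client or server platform, while the commit description says the values are compared only when both tables carry the information. Failing closed is the safer outcome, but it should be a stated decision: either skip the comparison when `sinit_type` is not one of the two defined values, or add a comment such as `/* an ACM without a declared platform type is rejected on a typed platform */`. `bios_data` is also dereferenced directly after `get_bios_data_start(txt_heap)`; whether the TXT heap has been validated before this function runs is not visible here, so a check or a comment naming the caller that guarantees it would help. The function continues outside the hunk.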
@@ -617,7 +617,7 @@ return false; } /* we assume backwards compatibility but print a warning */ - if ( bios_data->version > 4 ) + if ( bios_data->version > 6 ) printk(TBOOT_WARN"unsupported BIOS data version (%u)\n", bios_data->version); /* all TXT-capable CPUs support at least 1 core */ diff -r 9613571d0a09 -r d8a8e17f6d41 utils/txt-acminfo.c --- a/utils/txt-acminfo.c Tue May 11 15:20:24 2021 +0200 +++ b/utils/txt-acminfo.c Thu May 13 16:04:27 2021 +0200 @@ -47,16 +47,21 @@ #include <sys/user.h> #include <fcntl.h> +typedef uint8_t mtrr_state_t; +typedef uint8_t multiboot_info_t; + #define printk printf #include "../include/config.h" #include "../include/uuid.h" #include "../include/mle.h" +#include "../include/hash.h" #include "../tboot/include/compiler.h" #include "../tboot/include/processor.h" #include "../tboot/include/misc.h" #include "../tboot/include/io.h" #include "../tboot/include/txt/acmod.h" #include "../tboot/include/txt/config_regs.h" +#include "../tboot/include/txt/heap.h" /* override of fn. that will be called by verify_acmod() */ typedef struct { @@ -101,7 +106,6 @@ #define read_pub_config_reg(reg) *(volatile uint64_t *)(pub_config_base + \ reg); #define MIN_OS_SINIT_DATA_VER 4 -#define MAX_OS_SINIT_DATA_VER 6 #define IS_INCLUDED /* prevent acmod.c #include */ #include "../tboot/txt/acmod.c" |
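Review bot: The stubs `typedef uint8_t mtrr_state_t;` and `typedef uint8_t multiboot_info_t;` in utils/txt-acminfo.c carry no comment, and because this utility compiles `../tboot/txt/acmod.c` directly, any code that used either type by value or through `sizeof` would build silently with the wrong size. Add a comment such as `/* placeholders so the tboot headers parse in user space; never sized or dereferenced here */`. If the included headers only use pointers to these types (their declarations are not visible in the hunk), incomplete types like `typedef struct mtrr_state mtrr_state_t;` would turn accidental by-value use into a compile error.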
From: Lukasz H. <luk...@in...> - 2021-05-11 13:20:53
|
changeset 9613571d0a09 in /hg/p/tboot/code details: http://hg.code.sf.net/p/tboot/code/code?cmd=changeset;node=9613571d0a09 description: Fix issues when building with GCC11 Signed-off-by: Lukasz Hawrylko <luk...@in...> diffstat: lcptools-v2/pollist2_1.c | 1 - tboot/common/loader.c | 2 +- tboot/common/tpm_12.c | 6 ++++++ 3 files changed, 7 insertions(+), 2 deletions(-) diffs (60 lines): diff -r 33e5ffc285b6 -r 9613571d0a09 lcptools-v2/pollist2_1.c --- a/lcptools-v2/pollist2_1.c Fri Apr 09 15:07:40 2021 +0200 +++ b/lcptools-v2/pollist2_1.c Tue May 11 15:20:24 2021 +0200 @@ -480,7 +480,6 @@ display_tpm20_signature_2_1(" ", sig, TPM_ALG_ECDSA); return; } - free(sig); return; } diff -r 33e5ffc285b6 -r 9613571d0a09 tboot/common/loader.c --- a/tboot/common/loader.c Fri Apr 09 15:07:40 2021 +0200 +++ b/tboot/common/loader.c Tue May 11 15:20:24 2021 +0200 @@ -60,7 +60,7 @@ #include <efi_memmap.h> /* copy of kernel/VMM command line so that can append 'tboot=0x1234' */ -static char *new_cmdline = (char *)TBOOT_KERNEL_CMDLINE_ADDR; +static char * volatile new_cmdline = (char *)TBOOT_KERNEL_CMDLINE_ADDR; /* MLE/kernel shared data page (in boot.S) */ extern tboot_shared_t _tboot_shared; diff -r 33e5ffc285b6 -r 9613571d0a09 tboot/common/tpm_12.c --- a/tboot/common/tpm_12.c Fri Apr 09 15:07:40 2021 +0200 +++ b/tboot/common/tpm_12.c Tue May 11 15:20:24 2021 +0200 @@ -1027,6 +1027,8 @@ static uint32_t _tpm12_wrap_unseal(uint32_t locality, const uint8_t *in_data, uint32_t *secret_size, uint8_t *secret) { +#pragma GCC diagnostic push +#pragma GCC diagnostic ignored "-Wmaybe-uninitialized" uint32_t ret; tpm_nonce_t odd_osap, even_osap; tpm_nonce_t nonce_even, nonce_odd, nonce_even_d, nonce_odd_d; @@ -1099,6 +1101,7 @@ /* skip check for res_auth */ return ret; +#pragma GCC diagnostic pop } static bool init_pcr_info(uint32_t locality, 
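Review bot: `new_cmdline` in tboot/common/loader.c becomes `char * volatile` with no explanation, and the qualifier has nothing to do with how the pointer is used; from the commit title it presumably exists only to stop GCC 11 from reasoning about the object behind the fixed address. Say so at the declaration, e.g. `/* volatile: keeps GCC 11 from assuming an object size at this fixed address */`, naming the actual diagnostic if it is known. Without the comment the qualifier is likely to be removed as a no-op or mistaken for a concurrency measure.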
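Review bot: The `#pragma GCC diagnostic ignored "-Wmaybe-uninitialized"` added at the top of `_tpm12_wrap_unseal` stays in force until the `pop` after `return ret;`, so the warning is silenced for the whole body, including the nonce and authorisation variables declared right below it; the later hunks apply the same pattern to `tpm12_cap_pcrs`. A genuine uninitialised read introduced later in either function would then go unreported. Prefer initialising the object GCC 11 flags (which one is not visible in the hunk), or at least add a comment naming it. In `tpm12_cap_pcrs` the context comment says `cap_val` deliberately uses stack contents; if a fixed cap value is acceptable, `tpm_pcr_value_t cap_val = {0};` removes both the indeterminate read and the need for the pragma.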
@@ -1933,6 +1936,8 @@ static bool tpm12_cap_pcrs(struct tpm_if *ti, u32 locality, int pcr) { +#pragma GCC diagnostic push +#pragma GCC diagnostic ignored "-Wmaybe-uninitialized" bool was_capped[TPM_NR_PCRS] = {false}; tpm_pcr_value_t cap_val; /* use whatever val is on stack */ @@ -1961,6 +1966,7 @@ printk(TBOOT_INFO"cap'ed dynamic PCRs\n"); return true; +#pragma GCC diagnostic pop } static bool tpm12_check(void) |
From: Lukasz H. <luk...@in...> - 2021-05-11 13:20:50
|
changeset 33e5ffc285b6 in /hg/p/tboot/code details: http://hg.code.sf.net/p/tboot/code/code?cmd=changeset;node=33e5ffc285b6 description: Default to D/A mapping when TPM1.2 and CBnT platform TBOOT checks capability bits in SINIT info table to make a decision what PCR mapping will be used. When both D/A and legacy are supported by SINIT and TPM1.2 is used, TBOOT chose legacy one. This patch modifies that behaviour for CBnT platforms, so when both mapping are supported, D/A is chosen. For non-CBnT system nothing is changed. Signed-off-by: Lukasz Hawrylko <luk...@in...> diffstat: tboot/txt/txt.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diffs (12 lines): diff -r eb6676a8f7fd -r 33e5ffc285b6 tboot/txt/txt.c --- a/tboot/txt/txt.c Tue Mar 30 10:59:34 2021 +0200 +++ b/tboot/txt/txt.c Fri Apr 09 15:07:40 2021 +0200 @@ -692,7 +692,7 @@ /* capabilities : choose DA/LG */ os_sinit_data->capabilities.pcr_map_no_legacy = 1; - if ( sinit_caps.pcr_map_da && get_tboot_prefer_da() ) + if ( sinit_caps.pcr_map_da && (get_tboot_prefer_da() || sinit_caps.cbnt_supported) ) os_sinit_data->capabilities.pcr_map_da = 1; else if ( !sinit_caps.pcr_map_no_legacy ) os_sinit_data->capabilities.pcr_map_no_legacy = 0; |
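Review bot: With the new condition a SINIT that reports `cbnt_supported` selects D/A mapping regardless of `get_tboot_prefer_da()`, and nothing in the hunk logs that choice or lets a user keep the legacy mapping. Measurements then land in a different PCR layout than before the upgrade, so data sealed to, or verifier policies written against, the legacy layout would presumably stop matching. Log the decision, e.g. `printk(TBOOT_INFO"CBnT SINIT: using D/A PCR mapping\n");`, and extend the `/* capabilities : choose DA/LG */` comment to state the CBnT rule. The enclosing function starts and ends outside the hunk.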
From: Lukasz H. <luk...@in...> - 2021-03-30 09:03:08
|
changeset 4cfc8a26e637 in /hg/p/tboot/code details: http://hg.code.sf.net/p/tboot/code/code?cmd=changeset;node=4cfc8a26e637 description: Version v1.10.1 Signed-off-by: Lukasz Hawrylko <luk...@in...> diffstat: CHANGELOG | 3 +++ tboot/20_linux_tboot | 2 +- tboot/20_linux_xen_tboot | 2 +- tboot/Config.mk | 4 ++-- 4 files changed, 7 insertions(+), 4 deletions(-) diffs (48 lines): diff -r 0ee90b496047 -r 4cfc8a26e637 CHANGELOG --- a/CHANGELOG Tue Mar 30 10:44:40 2021 +0200 +++ b/CHANGELOG Tue Mar 30 10:59:15 2021 +0200 @@ -1,3 +1,6 @@ +20210330: v1.10.1 + Indicate to SINIT that CBnT is supported by TBOOT + lcptools: Fix issues from static code analysis 20201113: v1.10.0 Rename TXT related tools to have 'txt-' prefix Clarify license issues diff -r 0ee90b496047 -r 4cfc8a26e637 tboot/20_linux_tboot --- a/tboot/20_linux_tboot Tue Mar 30 10:44:40 2021 +0200 +++ b/tboot/20_linux_tboot Tue Mar 30 10:59:15 2021 +0200 @@ -181,7 +181,7 @@ tboot_dirname=`dirname ${current_tboot}` rel_tboot_dirname=`make_system_path_relative_to_its_root $tboot_dirname` # tboot_version=`echo $tboot_basename | sed -e "s,.gz$,,g;s,^tboot-,,g"` - tboot_version="1.10.0" + tboot_version="1.10.1" echo "submenu \"tboot ${tboot_version}\" {" while [ "x$list" != "x" ] ; do linux=`version_find_latest $list` diff -r 0ee90b496047 -r 4cfc8a26e637 tboot/20_linux_xen_tboot --- a/tboot/20_linux_xen_tboot Tue Mar 30 10:44:40 2021 +0200 +++ b/tboot/20_linux_xen_tboot Tue Mar 30 10:59:15 2021 +0200 @@ -216,7 +216,7 @@ tboot_basename=`basename ${current_tboot}` tboot_dirname=`dirname ${current_tboot}` rel_tboot_dirname=`make_system_path_relative_to_its_root $tboot_dirname` - tboot_version="1.10.0" + tboot_version="1.10.1" list="${linux_list}" echo "submenu \"Xen ${xen_version}\" \"Tboot ${tboot_version}\"{" while [ "x$list" != "x" ] ; do diff -r 0ee90b496047 -r 4cfc8a26e637 tboot/Config.mk --- a/tboot/Config.mk Tue Mar 30 10:44:40 2021 +0200 +++ b/tboot/Config.mk Tue Mar 30 10:59:15 2021 +0200 
@@ -6,8 +6,8 @@ # # tboot-specific build settings # -RELEASEVER := "1.10.0" -RELEASETIME := "2020-11-13 16:00 +0100" +RELEASEVER := "1.10.1" +RELEASETIME := "2021-03-30 11:00 +0100" ROOTDIR ?= $(CURDIR)/.. # tboot needs too many customized compiler settings to use system CFLAGS, |
From: Lukasz H. <luk...@in...> - 2021-03-30 09:03:08
|
changeset eb6676a8f7fd in /hg/p/tboot/code details: http://hg.code.sf.net/p/tboot/code/code?cmd=changeset;node=eb6676a8f7fd description: Added tag v1.10.1 for changeset 4cfc8a26e637 diffstat: .hgtags | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diffs (8 lines): diff -r 4cfc8a26e637 -r eb6676a8f7fd .hgtags --- a/.hgtags Tue Mar 30 10:59:15 2021 +0200 +++ b/.hgtags Tue Mar 30 10:59:34 2021 +0200 @@ -29,3 +29,4 @@ 3eb9f4780f0a70460fd1a29c87f75d90c3c6b5b7 v1.9.11 931ccde2b4287cfc054e74c6d5ea2a94dcb4e5d8 v1.9.12 ffaf4680f4ba58a10ee8b1d77426921ae70c98ee v1.10.0 +4cfc8a26e6373619296ec93d6a82c9cbdd164732 v1.10.1 |
From: Lukasz H. <luk...@in...> - 2021-03-30 09:03:03
|
changeset 0ee90b496047 in /hg/p/tboot/code details: http://hg.code.sf.net/p/tboot/code/code?cmd=changeset;node=0ee90b496047 description: Fix README.md path in Makefile for 'make dist' Signed-off-by: Lukasz Hawrylko <luk...@in...> diffstat: Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diffs (12 lines): diff -r 35ecd2ba0e19 -r 0ee90b496047 Makefile --- a/Makefile Mon Mar 15 09:47:06 2021 +0100 +++ b/Makefile Tue Mar 30 10:44:40 2021 +0200 @@ -59,7 +59,7 @@ dist : $(patsubst %,dist-%,$(SUBDIRS)) [ -d $(DISTDIR) ] || $(INSTALL_DIR) $(DISTDIR) $(INSTALL_DATA) COPYING $(DISTDIR) - $(INSTALL_DATA) README $(DISTDIR) + $(INSTALL_DATA) README.md $(DISTDIR) dist-% : $(MAKE) -C $* dist |
From: Lukasz H. <luk...@in...> - 2021-03-23 10:07:48
|
changeset 35ecd2ba0e19 in /hg/p/tboot/code details: http://hg.code.sf.net/p/tboot/code/code?cmd=changeset;node=35ecd2ba0e19 description: Indicate to SINIT that CBnT is supported by TBOOT Signed-off-by: Lukasz Hawrylko <luk...@in...> diffstat: include/mle.h | 8 +++++--- tboot/txt/acmod.c | 1 + tboot/txt/txt.c | 2 +- 3 files changed, 7 insertions(+), 4 deletions(-) diffs (48 lines): diff -r 558617b09974 -r 35ecd2ba0e19 include/mle.h --- a/include/mle.h Wed Jan 13 14:53:03 2021 +0100 +++ b/include/mle.h Mon Mar 15 09:47:06 2021 +0100 @@ -51,7 +51,8 @@ uint32_t platform_type : 2; uint32_t max_phy_addr : 1; uint32_t tcg_event_log_format: 1; - uint32_t reserved1 : 22; + uint32_t cbnt_supported : 1; + uint32_t reserved1 : 21; }; } txt_caps_t; @@ -80,8 +81,9 @@ * values supported by current version of tboot */ #define MLE_HDR_VER 0x00020001 /* 2.1 */ -#define MLE_HDR_CAPS 0x000000227 /* rlp_wake_{getsec, monitor} = 1, - ecx_pgtbl = 1, nolg = 0, da = 1 tcg_event_log_format =1 */ +#define MLE_HDR_CAPS 0x000000627 /* rlp_wake_{getsec, monitor} = 1, + ecx_pgtbl = 1, nolg = 0, da = 1 + tcg_event_log_format = 1, cbnt_supported = 1 */ #endif /* __MLE_H__ */ diff -r 558617b09974 -r 35ecd2ba0e19 tboot/txt/acmod.c --- a/tboot/txt/acmod.c Wed Jan 13 14:53:03 2021 +0100 +++ b/tboot/txt/acmod.c Mon Mar 15 09:47:06 2021 +0100 @@ -290,6 +290,7 @@ printk(TBOOT_DETA"%s platform_type: %d\n", prefix, caps.platform_type); printk(TBOOT_DETA"%s max_phy_addr: %d\n", prefix, caps.max_phy_addr); printk(TBOOT_DETA"%s tcg_event_log_format: %d\n", prefix, caps.tcg_event_log_format); + printk(TBOOT_DETA"%s cbnt_supported: %d\n", prefix, caps.cbnt_supported); } static void print_acm_hdr(const acm_hdr_t *hdr, const char *mod_name) diff -r 558617b09974 -r 35ecd2ba0e19 tboot/txt/txt.c --- a/tboot/txt/txt.c Wed Jan 13 14:53:03 2021 +0100 +++ b/tboot/txt/txt.c Mon Mar 15 09:47:06 2021 +0100 
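Review bot: `MLE_HDR_CAPS` in include/mle.h is a hand-computed literal that has to stay in step with the `txt_caps_t` bit-field, and the new value `0x000000627` keeps the nine-digit form, which reads as wider than the 32-bit capabilities word. Write it as `0x00000627`, or build it from named bit positions so that adding a capability such as `cbnt_supported` does not mean recomputing the constant by hand. The updated comment listing the bits that are set is worth keeping either way.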
@@ -715,7 +715,7 @@ os_sinit_data->capabilities.pcr_map_no_legacy = 0; os_sinit_data->capabilities.pcr_map_da = 0; g_using_da = 1; - } + } /* Event log initialization */ if ( os_sinit_data->version >= 6 ) |
From: Lukasz H. <luk...@in...> - 2021-01-14 12:38:11
|
changeset 558617b09974 in /hg/p/tboot/code details: http://hg.code.sf.net/p/tboot/code/code?cmd=changeset;node=558617b09974 description: lcptools: Fix issues from static code analysis Signed-off-by: Lukasz Hawrylko <luk...@in...> diffstat: lcptools-v2/crtpol.c | 7 +------ lcptools-v2/crtpollist.c | 5 ++++- lcptools-v2/lcputils.c | 2 +- lcptools-v2/pconf_legacy.c | 3 +++ lcptools-v2/pollist1.c | 2 +- lcptools-v2/pollist2.c | 2 +- lcptools-v2/pollist2_1.c | 18 +++++++----------- 7 files changed, 18 insertions(+), 21 deletions(-) diffs (167 lines): diff -r c39bdb49adb5 -r 558617b09974 lcptools-v2/crtpol.c --- a/lcptools-v2/crtpol.c Mon Jan 11 13:23:52 2021 +0100 +++ b/lcptools-v2/crtpol.c Wed Jan 13 14:53:03 2021 +0100 @@ -288,10 +288,6 @@ pollist21 = NULL; } if ( poldata == NULL ) { - if (pollist != NULL) - free(pollist); - if (pollist21 != NULL) - free(pollist21); return NULL; } } @@ -366,6 +362,7 @@ if (i == 0) { use_only_version = version; //Read version of first list } + free(file_data); if ( use_only_version != version ) { //If version differs, that's error ERROR("ERROR: Mixing list versions is not supported.\n"); free(pol); @@ -425,8 +422,6 @@ } if ( poldata == NULL ) { free(pol); - if (pollist != NULL) - free(pollist); return 1; } } diff -r c39bdb49adb5 -r 558617b09974 lcptools-v2/crtpollist.c --- a/lcptools-v2/crtpollist.c Mon Jan 11 13:23:52 2021 +0100 +++ b/lcptools-v2/crtpollist.c Wed Jan 13 14:53:03 2021 +0100 @@ -193,8 +193,10 @@ return 1; } pollist = add_tpm20_policy_element_2_1(pollist, elt); - if ( pollist == NULL ) + if ( pollist == NULL ) { + free(elt); return 1; + } free(elt); elt = NULL; } @@ -444,6 +446,7 @@ uint16_t version; memcpy_s((void*)&version, sizeof(uint16_t), (const void *)pollist, sizeof(uint16_t)); + free(pollist); if (MAJOR_VER(version) == MAJOR_VER(LCP_TPM12_POLICY_LIST_VERSION) ) { pollist = read_policy_list_file(files[0], false, &no_sigblock_ok); if (pollist == NULL) { diff -r c39bdb49adb5 -r 558617b09974 lcptools-v2/lcputils.c 
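Review bot: After the `free(pollist);` added in the second crtpollist.c hunk the pointer keeps its old value, and only the branch shown reassigns it from `read_policy_list_file()`. If no version branch matches, or a later error path frees `pollist` again, that becomes a use-after-free or a double free; the rest of the function is outside the hunk, so this needs checking against the full body. Clear the pointer where it is released: `free(pollist); pollist = NULL;`. The return value of the `memcpy_s()` that fills `version` is also ignored in the context line just above.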
--- a/lcptools-v2/lcputils.c Mon Jan 11 13:23:52 2021 +0100 +++ b/lcptools-v2/lcputils.c Wed Jan 13 14:53:03 2021 +0100 @@ -845,7 +845,7 @@ OPENSSL_free((void *) ec_group); } if (der_encoded_sig != NULL) { - free((void *)der_encoded_sig); + OPENSSL_free((void *)der_encoded_sig); } if (mctx != NULL) { OPENSSL_free(mctx); diff -r c39bdb49adb5 -r 558617b09974 lcptools-v2/pconf_legacy.c --- a/lcptools-v2/pconf_legacy.c Mon Jan 11 13:23:52 2021 +0100 +++ b/lcptools-v2/pconf_legacy.c Wed Jan 13 14:53:03 2021 +0100 @@ -158,6 +158,9 @@ Getline also reads up to and including newline. We need to remove it else import_hash will fail. */ + if (ptr2token == NULL) { + goto ERROR; + } ptr2token[40] = '\0'; if (!import_hash(ptr2token, (tb_hash_t *) &this_pcr.digest, LCP_POLHALG_SHA1)) { ERROR("Error: failed to import hash. Check digest format.\n"); diff -r c39bdb49adb5 -r 558617b09974 lcptools-v2/pollist1.c --- a/lcptools-v2/pollist1.c Mon Jan 11 13:23:52 2021 +0100 +++ b/lcptools-v2/pollist1.c Wed Jan 13 14:53:03 2021 +0100 @@ -545,7 +545,7 @@ bool sign_lcp_policy_list_t(sign_user_input user_input) { - bool no_sigblock_ok; + bool no_sigblock_ok = false; bool result; lcp_policy_list_t *pollist = NULL; lcp_signature_t2 *sig = NULL; diff -r c39bdb49adb5 -r 558617b09974 lcptools-v2/pollist2.c --- a/lcptools-v2/pollist2.c Mon Jan 11 13:23:52 2021 +0100 +++ b/lcptools-v2/pollist2.c Wed Jan 13 14:53:03 2021 +0100 @@ -1350,7 +1350,7 @@ Out: true on success false on failure. */ - bool no_sigblock_ok; + bool no_sigblock_ok = false; bool write_ok; lcp_policy_list_t2 *pollist = NULL; diff -r c39bdb49adb5 -r 558617b09974 lcptools-v2/pollist2_1.c --- a/lcptools-v2/pollist2_1.c Mon Jan 11 13:23:52 2021 +0100 +++ b/lcptools-v2/pollist2_1.c Wed Jan 13 14:53:03 2021 +0100 @@ -118,8 +118,10 @@ status = memcpy_s(new_pollist, base_size, raw_data, base_size); if (status == EOK) return new_pollist; - else + else { + free(new_pollist); return NULL; + } } new_pollist = malloc(key_signature_offset); 
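Review bot: The cleanup block in lcputils.c still releases `ec_group` and `mctx` with `OPENSSL_free()` (context lines around the changed `der_encoded_sig` line), which is only correct for memory obtained from `OPENSSL_malloc()`. If these are an `EC_GROUP` and an `EVP_MD_CTX` (their declarations are outside the hunk), they need their own destructors, `EC_GROUP_free(ec_group);` and `EVP_MD_CTX_free(mctx);`, so that the library tears down the internal state instead of only freeing the outer struct. If `ec_group` is borrowed from a key object rather than owned, it should not be freed here at all; a comment stating the ownership would settle it.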
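Review bot: The NULL check added in pconf_legacy.c does not bound the write on the next line: `ptr2token[40] = '\0';` stores at a fixed offset, so a line whose digest token is shorter than 40 characters is written past the end of the token and possibly past the buffer `getline` returned. Check the length together with the pointer, `if (ptr2token == NULL || strlen(ptr2token) < 40) goto ERROR;`, before terminating the string. The 40 is presumably twice `SHA1_DIGEST_SIZE`; a named constant would make that explicit. The surrounding parsing loop is outside the hunk.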
@@ -226,7 +228,7 @@ } //List has signature and we want to sign it, disregard the signature it has //and return it without it. - else if ( (has_sig && sign_it) || !has_sig) { + else { //Pass 0 as last arg to get_data func, this way we don't get sig. new_pollist = get_policy_list_2_1_data((const void *) pollist, base_size+ elts_size, 0); @@ -238,11 +240,6 @@ free(pollist); return new_pollist; } - else { - //Error; - free(pollist); - return NULL; - } } lcp_signature_2_1 *create_empty_ecc_signature_2_1(void) @@ -448,9 +445,6 @@ return; } - if ( prefix == NULL ) { - prefix = ""; - } DISPLAY("LCP_POLICY_LIST_2_1 structure:\n"); DISPLAY("%s Version: 0x%x\n", prefix, pollist->Version); DISPLAY("%s KeySignatureOffset: 0x%x\n", prefix, pollist->KeySignatureOffset); @@ -653,7 +647,7 @@ bool result; sig_key_2_1_header *header; size_t base_size = offsetof(lcp_policy_list_t2_1, PolicyElements); - size_t elts_size = pollist->PolicyElementsSize; + size_t elts_size; lcp_signature_2_1 *sig; LOG("[verify_tpm20_pollist_2_1_sig]\n"); @@ -662,6 +656,8 @@ return false; } + elts_size = pollist->PolicyElementsSize; + sig = get_tpm20_signature_2_1(pollist); if (sig == NULL) { ERROR("Error: failed to get list signature.\n"); |
From: Lukasz H. <luk...@in...> - 2021-01-11 12:39:16
|
changeset c39bdb49adb5 in /hg/p/tboot/code details: http://hg.code.sf.net/p/tboot/code/code?cmd=changeset;node=c39bdb49adb5 description: Remove accidentally added binaries for deprecated tools Also update paths, so they can be built from new location. Signed-off-by: Lukasz Hawrylko <luk...@in...> diffstat: .hgignore | 20 +++++++------------- deprecated/lcptools/Makefile | 2 +- deprecated/lcptools/defindex.c | 4 ++-- deprecated/lcptools/getcap.c | 4 ++-- deprecated/lcptools/lcp_crtpconf | Bin deprecated/lcptools/lcp_crtpol | Bin deprecated/lcptools/lcp_mlehash | Bin deprecated/lcptools/lcp_readpol | Bin deprecated/lcptools/lcp_writepol | Bin deprecated/lcptools/lcptools.c | 4 ++-- deprecated/lcptools/lcputils.c | 4 ++-- deprecated/lcptools/lock.c | 4 ++-- deprecated/lcptools/readpol.c | 4 ++-- deprecated/lcptools/relindex.c | 4 ++-- deprecated/lcptools/tpmnv_defindex | Bin deprecated/lcptools/tpmnv_getcap | Bin deprecated/lcptools/tpmnv_lock | Bin deprecated/lcptools/tpmnv_relindex | Bin deprecated/lcptools/trousers_dep | Bin deprecated/lcptools/writepol.c | 4 ++-- 20 files changed, 24 insertions(+), 30 deletions(-) diffs (174 lines): diff -r cc489ff0c783 -r c39bdb49adb5 .hgignore --- a/.hgignore Mon Dec 14 16:44:12 2020 +0100 +++ b/.hgignore Mon Jan 11 13:23:52 2021 +0100 
@@ -32,19 +32,13 @@ ^tboot/tboot-syms$ ^tboot/tboot.gz$ ^tboot/tboot.strip$ -^lcptools/tpmnv_defindex$ -^lcptools/tpmnv_getcap$ -^lcptools/tpmnv_lock$ -^lcptools/tpmnv_relindex$ -^lcptools/lcp_crtpconf$ -^lcptools/lcp_crtpol$ -^lcptools/lcp_mlehash$ -^lcptools/lcp_readpol$ -^lcptools/lcp_writepol$ -^lcptools/lcp_crtpol2$ -^lcptools/lcp_crtpolelt$ -^lcptools/lcp_crtpollist$ -^lcptools/trousers_dep$ +^deprecated/lcptools/tpmnv_defindex$ +^deprecated/lcptools/tpmnv_getcap$ +^deprecated/lcptools/tpmnv_lock$ +^deprecated/lcptools/tpmnv_relindex$ +^deprecated/lcptools/lcp_readpol$ +^deprecated/lcptools/lcp_writepol$ +^deprecated/lcptools/trousers_dep$ ^lcptools-v2/lcp2_crtpol$ ^lcptools-v2/lcp2_crtpolelt$ ^lcptools-v2/lcp2_crtpollist$ diff -r cc489ff0c783 -r c39bdb49adb5 deprecated/lcptools/Makefile --- a/deprecated/lcptools/Makefile Mon Dec 14 16:44:12 2020 +0100 +++ b/deprecated/lcptools/Makefile Mon Jan 11 13:23:52 2021 +0100 @@ -7,7 +7,7 @@ # lcptools makefile # -ROOTDIR ?= $(CURDIR)/.. +ROOTDIR ?= $(CURDIR)/../.. include $(ROOTDIR)/Config.mk diff -r cc489ff0c783 -r c39bdb49adb5 deprecated/lcptools/defindex.c --- a/deprecated/lcptools/defindex.c Mon Dec 14 16:44:12 2020 +0100 +++ b/deprecated/lcptools/defindex.c Mon Jan 11 13:23:52 2021 +0100 @@ -45,8 +45,8 @@ #include <trousers/trousers.h> #include <safe_lib.h> #define PRINT printf -#include "../include/uuid.h" -#include "../include/lcp2.h" +#include "../../include/uuid.h" +#include "../../include/lcp2.h" #include "lcptools.h" #include "lcputils.h" diff -r cc489ff0c783 -r c39bdb49adb5 deprecated/lcptools/getcap.c --- a/deprecated/lcptools/getcap.c Mon Dec 14 16:44:12 2020 +0100 +++ b/deprecated/lcptools/getcap.c Mon Jan 11 13:23:52 2021 +0100 
@@ -47,8 +47,8 @@ #include <trousers/trousers.h> #include <safe_lib.h> #define PRINT printf -#include "../include/uuid.h" -#include "../include/lcp.h" +#include "../../include/uuid.h" +#include "../../include/lcp.h" #include "lcptools.h" #include "lcputils.h" diff -r cc489ff0c783 -r c39bdb49adb5 deprecated/lcptools/lcp_crtpconf Binary file deprecated/lcptools/lcp_crtpconf has changed diff -r cc489ff0c783 -r c39bdb49adb5 deprecated/lcptools/lcp_crtpol Binary file deprecated/lcptools/lcp_crtpol has changed diff -r cc489ff0c783 -r c39bdb49adb5 deprecated/lcptools/lcp_mlehash Binary file deprecated/lcptools/lcp_mlehash has changed diff -r cc489ff0c783 -r c39bdb49adb5 deprecated/lcptools/lcp_readpol Binary file deprecated/lcptools/lcp_readpol has changed diff -r cc489ff0c783 -r c39bdb49adb5 deprecated/lcptools/lcp_writepol Binary file deprecated/lcptools/lcp_writepol has changed diff -r cc489ff0c783 -r c39bdb49adb5 deprecated/lcptools/lcptools.c --- a/deprecated/lcptools/lcptools.c Mon Dec 14 16:44:12 2020 +0100 +++ b/deprecated/lcptools/lcptools.c Mon Jan 11 13:23:52 2021 +0100 @@ -42,8 +42,8 @@ #include <trousers/trousers.h> #include <safe_lib.h> #define PRINT printf -#include "../include/uuid.h" -#include "../include/lcp.h" +#include "../../include/uuid.h" +#include "../../include/lcp.h" #include "lcptools.h" #include "lcputils.h" diff -r cc489ff0c783 -r c39bdb49adb5 deprecated/lcptools/lcputils.c --- a/deprecated/lcptools/lcputils.c Mon Dec 14 16:44:12 2020 +0100 +++ b/deprecated/lcptools/lcputils.c Mon Jan 11 13:23:52 2021 +0100 @@ -46,8 +46,8 @@ #include <safe_lib.h> #include <snprintf_s.h> #define PRINT printf -#include "../include/uuid.h" -#include "../include/lcp.h" +#include "../../include/uuid.h" +#include "../../include/lcp.h" #include "lcptools.h" #include "lcputils.h" diff -r cc489ff0c783 -r c39bdb49adb5 deprecated/lcptools/lock.c --- a/deprecated/lcptools/lock.c Mon Dec 14 16:44:12 2020 +0100 +++ b/deprecated/lcptools/lock.c Mon Jan 11 13:23:52 2021 +0100 
@@ -45,8 +45,8 @@
 #include <trousers/trousers.h>
 #define PRINT printf
-#include "../include/uuid.h"
-#include "../include/lcp.h"
+#include "../../include/uuid.h"
+#include "../../include/lcp.h"
 #include "lcptools.h"
 #include "lcputils.h"
diff -r cc489ff0c783 -r c39bdb49adb5 deprecated/lcptools/readpol.c
--- a/deprecated/lcptools/readpol.c Mon Dec 14 16:44:12 2020 +0100
+++ b/deprecated/lcptools/readpol.c Mon Jan 11 13:23:52 2021 +0100
@@ -42,8 +42,8 @@
 #include <trousers/trousers.h>
 #include <safe_lib.h>
 #define PRINT printf
-#include "../include/uuid.h"
-#include "../include/lcp.h"
+#include "../../include/uuid.h"
+#include "../../include/lcp.h"
 #include "lcptools.h"
 #include "lcputils.h"
diff -r cc489ff0c783 -r c39bdb49adb5 deprecated/lcptools/relindex.c
--- a/deprecated/lcptools/relindex.c Mon Dec 14 16:44:12 2020 +0100
+++ b/deprecated/lcptools/relindex.c Mon Jan 11 13:23:52 2021 +0100
@@ -45,8 +45,8 @@
 #include <trousers/trousers.h>
 #include <safe_lib.h>
 #define PRINT printf
-#include "../include/uuid.h"
-#include "../include/lcp.h"
+#include "../../include/uuid.h"
+#include "../../include/lcp.h"
 #include "lcptools.h"
 #include "lcputils.h"
diff -r cc489ff0c783 -r c39bdb49adb5 deprecated/lcptools/tpmnv_defindex
Binary file deprecated/lcptools/tpmnv_defindex has changed
diff -r cc489ff0c783 -r c39bdb49adb5 deprecated/lcptools/tpmnv_getcap
Binary file deprecated/lcptools/tpmnv_getcap has changed
diff -r cc489ff0c783 -r c39bdb49adb5 deprecated/lcptools/tpmnv_lock
Binary file deprecated/lcptools/tpmnv_lock has changed
diff -r cc489ff0c783 -r c39bdb49adb5 deprecated/lcptools/tpmnv_relindex
Binary file deprecated/lcptools/tpmnv_relindex has changed
diff -r cc489ff0c783 -r c39bdb49adb5 deprecated/lcptools/trousers_dep
Binary file deprecated/lcptools/trousers_dep has changed
diff -r cc489ff0c783 -r c39bdb49adb5 deprecated/lcptools/writepol.c
--- a/deprecated/lcptools/writepol.c Mon Dec 14 16:44:12 2020 +0100
+++ b/deprecated/lcptools/writepol.c Mon Jan 11 13:23:52 2021 +0100
@@ -42,8 +42,8 @@
 #include <trousers/trousers.h>
 #include <safe_lib.h>
 #define PRINT printf
-#include "../include/uuid.h"
-#include "../include/lcp.h"
+#include "../../include/uuid.h"
+#include "../../include/lcp.h"
 #include "lcptools.h"
 #include "lcputils.h" |
From: Lukasz H. <luk...@in...> - 2020-12-14 15:45:36
|
changeset cc489ff0c783 in /hg/p/tboot/code details: http://hg.code.sf.net/p/tboot/code/code?cmd=changeset;node=cc489ff0c783 description: Do not install man pages for deprecated tools Signed-off-by: Lukasz Hawrylko <luk...@in...> diffstat: deprecated/man/lcp_crtpconf.8 | 30 ++++++++ deprecated/man/lcp_crtpol.8 | 86 ++++++++++++++++++++++++ deprecated/man/lcp_crtpol2.8 | 75 +++++++++++++++++++++ deprecated/man/lcp_crtpolelt.8 | 107 ++++++++++++++++++++++++++++++ deprecated/man/lcp_crtpollist.8 | 140 ++++++++++++++++++++++++++++++++++++++++ deprecated/man/lcp_mlehash.8 | 41 +++++++++++ deprecated/man/lcp_readpol.8 | 54 +++++++++++++++ deprecated/man/lcp_writepol.8 | 54 +++++++++++++++ deprecated/man/tpmnv_defindex.8 | 51 ++++++++++++++ deprecated/man/tpmnv_getcap.8 | 26 +++++++ deprecated/man/tpmnv_lock.8 | 20 +++++ deprecated/man/tpmnv_relindex.8 | 26 +++++++ docs/Makefile | 7 +- docs/man/lcp_crtpconf.8 | 30 -------- docs/man/lcp_crtpol.8 | 86 ------------------------ docs/man/lcp_crtpol2.8 | 75 --------------------- docs/man/lcp_crtpolelt.8 | 107 ------------------------------ docs/man/lcp_crtpollist.8 | 140 ---------------------------------------- docs/man/lcp_mlehash.8 | 41 ----------- docs/man/lcp_readpol.8 | 54 --------------- docs/man/lcp_writepol.8 | 54 --------------- docs/man/tpmnv_defindex.8 | 51 -------------- docs/man/tpmnv_getcap.8 | 26 ------- docs/man/tpmnv_lock.8 | 20 ----- docs/man/tpmnv_relindex.8 | 26 ------- 25 files changed, 713 insertions(+), 714 deletions(-) diffs (truncated from 1533 to 300 lines): diff -r a83778e2915a -r cc489ff0c783 deprecated/man/lcp_crtpconf.8 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/deprecated/man/lcp_crtpconf.8 Mon Dec 14 16:44:12 2020 +0100 
@@ -0,0 +1,30 @@
+.\"
+.TH LCP_CRTPCONF 8 "2011-12-31" "tboot" "User Manuals"
+.SH NAME
+lcp_crtpconf \- create a platform configuration measurement for v1 policies
+.SH SYNOPSIS
+.B lcp_crtpconf
+.B \-p
+.IR PCR-index1,PCR-index2,...,PCR-indexN
+.RB [\| \-f
+.IR file-name \|]
+.RB [\| \-h \|]
+.SH DESCRIPTION
+.B lcp_crtpconf
+is used to create a platform configuration measurement. The produced platform
+configuration measurement will be appended to the input file in binary mode.
+.SH OPTIONS
+.TP
+.BI \-p\ PCR-index1,PCR-index2,...,PCR-indexN
+Index values can be 0-23.
+.TP
+.BI \-f\ file-name
+File name to which the measurement is appended.
+.TP
+.B \-h
+Print out the help message
+.SH EXAMPLES
+\fBlcp_crtpconf \-p \fI0,1,2,3 \fB \-f \fIpconf-file
+.SH "SEE ALSO"
+.BR lcp_writepol (8),
+.BR lcp_crtpol (8).
diff -r a83778e2915a -r cc489ff0c783 deprecated/man/lcp_crtpol.8
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/deprecated/man/lcp_crtpol.8 Mon Dec 14 16:44:12 2020 +0100
@@ -0,0 +1,86 @@
+.\"
+.TH LCP_CRTPOL 8 "2011-12-31" "tboot" "User Manuals"
+.SH NAME
+lcp_crtpol \- create a TXT v1 Launch Control Policy
+.SH SYNOPSIS
+.B lcp_crtpol
+.B \-t
+.I policy-type
+.RB [\| \-a
+.IR hashalg \|]
+.RB [\| \-v
+.IR version \|]
+.RB [\| \-sr
+.IR SINIT-revocation-counter \|]
+.RB [\| \-s
+.IR srtm-file \|]
+.RB [\| \-m
+.IR mle-file \|]
+.RB [\| \-o
+.IR policy-file \|]
+.RB [\| \-b
+.IR policy-data-file \|]
+.RB [\| \-pcf
+.IR policy-control-field \|]
+.RB [\| \-h \|]
+.SH DESCRIPTION
+.B lcp_crtpol
+is used to create a TXT v1 LCP policy (and optionally policy data), which can later be written to the TPM. The policy created are for platforms produced before 2009 (Weybridge, Montevina, McCreary).
+.SH OPTIONS
+.TP
+.BI \-t\ policy-type
+Policy type can be UINT8 or string. 5 strings are supported for the reserved LCP
+policy types. Strings and default policy type values for each string are:
+.RS
+.TP
+0 or "hashonly"
+.TP
+1 or "unsigned"
+.TP
+2 or "signed"
+.TP
+3 or "any"
+.TP
+4 or "forceowner"
+.RE
+.TP
+.BI \-a\ hashalg
+Hash algorithm. Currently we only support SHA-1 algorithm: 0 OR 'sha1'.
+.TP
+.BI \-v\ version
+Version number. Currently it can be set to 0 or 1 if specified. The default value is 0.
+.TP
+.BI \-sr\ SINIT-revocation-counter
+The default sinit revocation counter is 0.
+.TP
+.BI \-s\ srtm-file
+File name of platform configuration data, as produced by
+.BR lcp_crtpconf.
+.TP
+.BI \-m\ mle-file
+File name of file containing the MLE hash values. This is a text file that contains one SHA-1 hash per line. The value of the hash must be hexadecimal values, specified either a single un-deliminated set or as space-delimited two-character (i.e. one byte) values. This can be produced by the
+.BR lcp_mlehash
+command.
+.TP
+.BI \-o\ policy-file
+File name to store the output policy.
+.TP
+.BI \-b\ policy-data-file
+File name to store the LCP Policy data.
+.TP
+.BI \-pcf\ policy-control-field
+The default policy control field value is 0.
+.TP
+.B \-h
+Print out the help message
+.SH EXAMPLES
+\fBlcp_crtpol \-t \fI0 \fB \-m \fImle-file \fB \-o \fIpolicy-hashonly-file
+.PP
+\fBlcp_crtpol \-t \fI1 \fB \-m \fImle-file \fB \-s \fIpconf-file \fB \-b \fI policy-data-file
+.PP
+\fBlcp_crtpol \-t \fIunsigned \fB \-a \fIsha1 \fB \-m \fImle-file \fB \-s \fIpconf-file \fB \-o \fIpolicy-unsigned-file \fB \-b \fIpolicy-data-file
+.SH "SEE ALSO"
+.BR lcp_readpol (8),
+.BR lcp_writepol (8),
+.BR lcp_mlehash (8),
+.BR lcp_crtpconf (8).
diff -r a83778e2915a -r cc489ff0c783 deprecated/man/lcp_crtpol2.8
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/deprecated/man/lcp_crtpol2.8 Mon Dec 14 16:44:12 2020 +0100
@@ -0,0 +1,75 @@
+.\"
+.TH LCP_CRTPOL2 8 "2011-12-31" "tboot" "User Manuals"
+.SH NAME
+lcp_crtpol2 \- create an Intel(R) TXT policy (and policy data file)
+.SH SYNOPSIS
+.B lcp_crtpol2
+.I COMMAND
+.RI [ OPTION ]
+.SH DESCRIPTION
+.B lcp_crtpol2
+is used to create an Intel(R) TXT policy (and policy data file) for platforms
+produced after 2008.
+.SH OPTIONS
+.TP
+.B \-\-create
+Create an TXT policy. The following options are available:
+.RS
+.TP \w'\fR[\fB\-\-rev\ \fIctr1\fR[,\fIctrN\fR]'u+1n
+\fB\-\-type\ \fIany\||\|list\fR
+type
+.TP
+\fB\-\-pol\ \fIfile\fR
+policy file
+.TP
+\fR[\fB\-\-ver\ \fIversion\fR]
+version
+.TP
+\fR[\fB\-\-minver\ \fIver\fR]
+SINITMinVersion
+.TP
+\fR[\fB\-\-rev\ \fIctr1\fR,\fIctrN\fR]
+revocation values (comma separated, no spaces)
+.TP
+\fR[\fB\-\-ctrl\ \fIpol-ctrl\fR]
+policy control
+.TP
+\fR[\fB\-\-data\ \fIfile\fR]
+policy data file
+.TP
+\fR[\fIfile\fR]...
+policy list files
+.RE
+.TP
+.B \-\-show
+Show the content of policy file or policy data file. Available options are:
+.RS
+.TP \w'\fR[\fB\-\-rev\ \fIctr1\fR[,\fIcrtN\fR]'u+1n
+\fR[\fB\-\-brief\fR]
+brief format output
+.TP
+\fR[\fIpolicy-file\fR]
+policy file
+.TP
+\fR[\fIpolicy-data-file\fR]
+policy data file
+.RE
+.TP
+.B \-\-help
+Print out the help message.
+.TP
+.B \-\-verbose
+Enable verbose output; can be specified with any command.
+.SH EXAMPLES
+Assuming a policy list file
+.I list-unsig.lst
+has been created by the command
+.B lcp_crtpolist(8).
+The following example will create a policy and policy data file.
+.PP
+\fBlcp_crtpol2\ \-\-create\ \-\-type \fIlist \fB\-\-pol \fIlist.pol \fB\-\-data \fIlist.data\ list-unsig.lst
+.SH "SEE ALSO"
+.BR lcp_crtpol (8),
+.BR lcp_mlehash (8),
+.BR lcp_crtpolelt (8),
+.BR lcp_crtpollist (8).
diff -r a83778e2915a -r cc489ff0c783 deprecated/man/lcp_crtpolelt.8
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/deprecated/man/lcp_crtpolelt.8 Mon Dec 14 16:44:12 2020 +0100
@@ -0,0 +1,107 @@
+.\"
+.TH LCP_CRTPOLELT 8 "2011-12-31" "tboot" "User Manuals"
+.SH NAME
+lcp_crtpolelt \- create an Intel(R) TXT policy element of specified type.
+.SH SYNOPSIS
+.B lcp_crtpolelt
+.I COMMAND
+.RI [ OPTION ]
+.SH DESCRIPTION
+.B lcp_crtpolelt
+is used to create an Intel(R) TXT policy element of specified type.
+.SH OPTIONS
+.TP
+\fB\-\-create
+create an policy element
+.RS
+.TP \w'\fR[\fB\-\-ctrl\ \fIpol-elt-ctr1\fR]'u+1n
+\fB\-\-type\ \fItype\fP
+type of element; must be first option; see below for type strings and their options
+.TP
+\fB\-\-out\ \fIfile\fP
+output file name
+.TP
+\fR[\fB\-\-ctrl\ \fIpol-elt-ctr1\fR]\fP
+PolEltControl field (hex or decimal)
+.RE
+.TP
+\fB\-\-show\ \fIfile\fP
+show policy element
+.TP
+\fB\-\-verbose\fP
+enable verbose output; can be specified with any command
+.TP
+\fB\-\-help\fP
+print out the help message
+.SS "Available type options:"
+.TP
+\fBmle\ \fR[\fB\-\-minver\ \fIver\fR]\fP
+minimum version of SINIT
+.TP
+\fBmle\ \fR[\fIfile1\fR][\fIfile2\fR]...\fP
+one or more files containing MLE hash(es); each file can contain multiple hashes
+.TP
+\fBpconf\ \fR[\fIfile1\fR][\fIfile2\fR]...\fP
+one or more files containing PCR numbers and the desired digest of each; each file will be a PCONF
+.TP
+\fBcustom\ \fR[\fB\-\-uuid\ \fIUUID\fR]\fP
+UUID in format: {0xaabbccdd, 0xeeff, 0xgghh, 0xiijj, {0xkk 0xll, 0xmm, 0xnn, 0xoo, 0xpp}} or "--uuid tboot" to use default
+.TP
+\fBcustom\ \fR[\fIfile\fR]\fP
+file containing element data
+.SH EXAMPLES
+.SS "Create an MLE element:
+.TS
+tab (@);
+l lx.
+1@T{
+\fBlcp_mlehash \-c \fI"logging=serial,vga,memory" /boot/tboot.gz \fR> \fImle-hash
+T}
+2@T{
+\fBlcp_crtpolelt \fB\-\-create \-\-type \fImle \fB\-\-ctrl \fI0x00 \fB\-\-minver \fI17 \fB\-\-out \fImle.elt mle-hash
+T}
+.TE
+.SS "Create a PCONF element:
+.TS
+tab (@);
+l lx.
+1@T{
+\fBcat \fI/sys/devices/platform/tpm_tis/pcrs \fR| \fBgrep \-e \fIPCR-00 \fB\-e \fIPCR-01 \fR> \fIpcrs
+T}
+2@T{
+\fBlcp_crtpolelt \-\-create \-\-type \fIpconf \fB\-\-out \fIpconf.elt pcrs
+T}
+.TE
+.SS "Create an SBIOS element:
+.TS
+tab (@);
+l lx.
+1@T{
+Create hash file containing BIOS hash(es), e.g. named \fIsbios-hash
+T}
+2@T{
+\fBlcp_crtpolelt \-\-create \-\-type \fIsbios \fB\-\-out \fIsbios.elt sbios-hash
+T}
+.TE
+.SS "Create a CUSTOM element:
+.TS
+tab (@);
+l lx.
+1@T{
+Create or determine the UUID that will identify this data format (e.g. using
+\fBuuidgen\fR(1)).
+T} |
From: Lukasz H. <luk...@in...> - 2020-12-07 13:56:04
|
changeset ffaf4680f4ba in /hg/p/tboot/code details: http://hg.code.sf.net/p/tboot/code/code?cmd=changeset;node=ffaf4680f4ba description: Update changelog, bump version to v1.10.0 Signed-off-by: Lukasz Hawrylko <luk...@in...> diffstat: CHANGELOG | 19 +++++++++++++++++++ tboot/20_linux_tboot | 2 +- tboot/20_linux_xen_tboot | 2 +- tboot/Config.mk | 4 ++-- 4 files changed, 23 insertions(+), 4 deletions(-) diffs (64 lines): diff -r 7871790bb56a -r ffaf4680f4ba CHANGELOG --- a/CHANGELOG Mon Nov 30 13:05:44 2020 -0800 +++ b/CHANGELOG Fri Nov 13 16:28:35 2020 +0100 @@ -1,3 +1,22 @@ +20201113: v1.10.0 + Rename TXT related tools to have 'txt-' prefix + Clarify license issues + Fix issues reported by Coverity Scan + Ensure txt-acminfo does not print false information if msr is not loaded + Fix issue with multiboot(1) booting - infinite loop during boot + Fix issue with TPM1.2 - invalid default policy + Unmask NMI# after returning from SINIT + Update GRUB scripts to use multiboot2 only + Enable VGA logging for EFI platforms + Add warning when using SHA1 as hashing algorithm + Add Doxygen documentation + Replace VMAC with Poly1305 + Validate TPM NV index attributes + Move old lcptool to deprecated folder and exclude from build + TrouSerS is not longer required to build + lcptools-v2: meet requirements from MLE DG rev16 + lcptools-v2: Implement SM2 signing and SM2 signature verification + lcptools-v2: Set aux_hash_alg_mask to 0 when policy version != 0x300 20200429: v1.9.12 Release localities in S3 flow for CRB interface Config.mk, safestringlib/makefile : allow tool overrides diff -r 7871790bb56a -r ffaf4680f4ba tboot/20_linux_tboot --- a/tboot/20_linux_tboot Mon Nov 30 13:05:44 2020 -0800 +++ b/tboot/20_linux_tboot Fri Nov 13 16:28:35 2020 +0100 
@@ -181,7 +181,7 @@ tboot_dirname=`dirname ${current_tboot}` rel_tboot_dirname=`make_system_path_relative_to_its_root $tboot_dirname` # tboot_version=`echo $tboot_basename | sed -e "s,.gz$,,g;s,^tboot-,,g"` - tboot_version="1.9.12" + tboot_version="1.10.0" echo "submenu \"tboot ${tboot_version}\" {" while [ "x$list" != "x" ] ; do linux=`version_find_latest $list` diff -r 7871790bb56a -r ffaf4680f4ba tboot/20_linux_xen_tboot --- a/tboot/20_linux_xen_tboot Mon Nov 30 13:05:44 2020 -0800 +++ b/tboot/20_linux_xen_tboot Fri Nov 13 16:28:35 2020 +0100 @@ -216,7 +216,7 @@ tboot_basename=`basename ${current_tboot}` tboot_dirname=`dirname ${current_tboot}` rel_tboot_dirname=`make_system_path_relative_to_its_root $tboot_dirname` - tboot_version="1.9.12" + tboot_version="1.10.0" list="${linux_list}" echo "submenu \"Xen ${xen_version}\" \"Tboot ${tboot_version}\"{" while [ "x$list" != "x" ] ; do diff -r 7871790bb56a -r ffaf4680f4ba tboot/Config.mk --- a/tboot/Config.mk Mon Nov 30 13:05:44 2020 -0800 +++ b/tboot/Config.mk Fri Nov 13 16:28:35 2020 +0100 @@ -6,8 +6,8 @@ # # tboot-specific build settings # -RELEASEVER := "1.9.12" -RELEASETIME := "2020-04-29 15:00 +0200" +RELEASEVER := "1.10.0" +RELEASETIME := "2020-11-13 16:00 +0100" ROOTDIR ?= $(CURDIR)/.. # tboot needs too many customized compiler settings to use system CFLAGS, |
From: Lukasz H. <luk...@in...> - 2020-12-07 13:56:04
|
changeset a83778e2915a in /hg/p/tboot/code details: http://hg.code.sf.net/p/tboot/code/code?cmd=changeset;node=a83778e2915a description: Added tag v1.10.0 for changeset ffaf4680f4ba diffstat: .hgtags | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diffs (8 lines):
diff -r ffaf4680f4ba -r a83778e2915a .hgtags
--- a/.hgtags Fri Nov 13 16:28:35 2020 +0100
+++ b/.hgtags Mon Dec 07 13:03:06 2020 +0100
@@ -28,3 +28,4 @@
 0000000000000000000000000000000000000000 v1.9.11
 3eb9f4780f0a70460fd1a29c87f75d90c3c6b5b7 v1.9.11
 931ccde2b4287cfc054e74c6d5ea2a94dcb4e5d8 v1.9.12
+ffaf4680f4ba58a10ee8b1d77426921ae70c98ee v1.10.0 |