diff options
author | Bill Richardson <wfrichar@chromium.org> | 2014-10-22 17:42:20 -0700 |
---|---|---|
committer | chrome-internal-fetch <chrome-internal-fetch@google.com> | 2014-10-31 20:55:28 +0000 |
commit | f4f395e1ca724ef8795cfe86a9edbf15f14eacd1 (patch) | |
tree | f76bbb265c340603f18fa74e1b4e3934006a94e1 /firmware/linktest/main.c | |
parent | e1486c3234b7dc6fc5b58681b271a65a09141e20 (diff) | |
download | vboot-f4f395e1ca724ef8795cfe86a9edbf15f14eacd1.tar.gz |
Extend HWID digest into PCR1 (GBB v1.2 only)
GBB header v1.2 adds a digest of the HWID string to the blob (and
maintains it when updated with the current futility/gbb_utility).
This CL causes VbSelectFirmware() to extend PCR1 with that HWID
digest (only for GBB header v1.2 and later, of course).
Tests are updated.
This also adds a "pcr" command to futility to help determine that
the change is working on the hardware (adds 4K bytes or fewer to
the size of the executable).
BUG=chromium:415714
BRANCH=ToT (and maybe others?)
TEST=make runtests, manual install on HW
To test on hardware, build and update a system with this change
(both the disk image and the RO firmware).
NOTE: The BIOS image must be built in a chroot that is using the
current version of futility. You may need to update your chroot
if your BIOS image still produces v1.1 GBB headers. Check with:
futility show <firmware_image.bin> | grep -B1 'digest:'
Boot the new system with a new test image, then follow these steps:
Read the BIOS:
# flashrom -r /tmp/bios.bin
Make sure the GBB has a valid digest for the HWID.
# futility show /tmp/bios.bin | grep -B1 'digest:'
HWID: SAMUS TEST 8028
digest: 4172d24f40bf72cc0ab8... <valid>
#
Extract only the sha1sum-sized part of the HWID digest:
# futility show /tmp/bios.bin | awk '/digest:/ {print $2}' | colrm 41
4172d24f40bf72cc0ab878b4c589b8fe9cf4405e
#
Simulate extending that value in a PCR using the futility "pcr"
command:
# futility pcr 4172d24f40bf72cc0ab878b4c589b8fe9cf4405e
PCR: 0000000000000000000000000000000000000000
+ 4172d24f40bf72cc0ab878b4c589b8fe9cf4405e
PCR: b6e5ffd2d898a7b15236ad22ca25f53ac1f40776
#
Finally, look at the value of PCR1. It should match the last line
of the futility pcr output:
# head /sys/class/misc/tpm0/device/pcrs | grep PCR-01
PCR-01: B6 E5 FF D2 D8 98 A7 B1 52 36 AD 22 CA 25 F5 3A C1 F4 07 76
#
Change-Id: I09cf855f1a24616cc1a9ddb676670edbc76827d2
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/226408
Reviewed-by: Darren Krahn <dkrahn@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Diffstat (limited to 'firmware/linktest/main.c')
-rw-r--r-- | firmware/linktest/main.c | 140 |
1 files changed, 70 insertions, 70 deletions
diff --git a/firmware/linktest/main.c b/firmware/linktest/main.c index 2ff8e9d7..b4ef4e5c 100644 --- a/firmware/linktest/main.c +++ b/firmware/linktest/main.c @@ -18,83 +18,83 @@ int main(void) { - /* cgptlib.h */ - GptInit(0); - GptNextKernelEntry(0, 0, 0); - GptUpdateKernelEntry(0, 0); + /* cgptlib.h */ + GptInit(0); + GptNextKernelEntry(0, 0, 0); + GptUpdateKernelEntry(0, 0); - /* load_firmware_fw.h */ - LoadFirmware(0, 0, 0); + /* load_firmware_fw.h */ + LoadFirmware(0, 0, 0); - /* load_kernel_fw.h */ - LoadKernel(0, 0); + /* load_kernel_fw.h */ + LoadKernel(0, 0); - /* rollback_index.h */ - RollbackS3Resume(); - RollbackFirmwareSetup(0, 0, 0, 0, 0); - RollbackFirmwareWrite(0); - RollbackFirmwareLock(); - RollbackKernelRead(0); - RollbackKernelWrite(0); - RollbackKernelLock(0); + /* rollback_index.h */ + RollbackS3Resume(); + RollbackFirmwareSetup(0, 0, 0, 0, 0); + RollbackFirmwareWrite(0); + RollbackFirmwareLock(); + RollbackKernelRead(0); + RollbackKernelWrite(0); + RollbackKernelLock(0); - /* tpm_bootmode.c */ - SetTPMBootModeState(0, 0, 0); + /* tpm_bootmode.c */ + SetTPMBootModeState(0, 0, 0, 0); - /* tlcl.h */ - TlclStartup(); - TlclResume(); - TlclSelfTestFull(); - TlclContinueSelfTest(); - TlclDefineSpace(0, 0, 0); - TlclWrite(0, 0, 0); - TlclRead(0, 0, 0); - TlclWriteLock(0); - TlclReadLock(0); - TlclAssertPhysicalPresence(); - TlclSetNvLocked(); - TlclIsOwned(); - TlclForceClear(); - TlclSetEnable(); - TlclClearEnable(); - TlclSetDeactivated(0); - TlclGetFlags(0, 0, 0); - TlclSetGlobalLock(); - TlclExtend(0, 0, 0); - TlclGetPermissions(0, 0); + /* tlcl.h */ + TlclStartup(); + TlclResume(); + TlclSelfTestFull(); + TlclContinueSelfTest(); + TlclDefineSpace(0, 0, 0); + TlclWrite(0, 0, 0); + TlclRead(0, 0, 0); + TlclWriteLock(0); + TlclReadLock(0); + TlclAssertPhysicalPresence(); + TlclSetNvLocked(); + TlclIsOwned(); + TlclForceClear(); + TlclSetEnable(); + TlclClearEnable(); + TlclSetDeactivated(0); + TlclGetFlags(0, 0, 0); + TlclSetGlobalLock(); + TlclExtend(0, 0, 0); + TlclGetPermissions(0, 0); - /* vboot_api.h - entry points INTO vboot_reference */ - VbInit(0, 0); - VbSelectFirmware(0, 0); - VbUpdateFirmwareBodyHash(0, 0, 0); - VbSelectAndLoadKernel(0, 0); + /* vboot_api.h - entry points INTO vboot_reference */ + VbInit(0, 0); + VbSelectFirmware(0, 0); + VbUpdateFirmwareBodyHash(0, 0, 0); + VbSelectAndLoadKernel(0, 0); - /* vboot_common.h */ - OffsetOf(0, 0); - GetPublicKeyData(0); - GetPublicKeyDataC(0); - GetSignatureData(0); - GetSignatureDataC(0); - VerifyMemberInside(0, 0, 0, 0, 0, 0); - VerifyPublicKeyInside(0, 0, 0); - VerifySignatureInside(0, 0, 0); - PublicKeyInit(0, 0, 0); - PublicKeyCopy(0, 0); - PublicKeyToRSA(0); - VerifyData(0, 0, 0, 0); - VerifyDigest(0, 0, 0); - KeyBlockVerify(0, 0, 0, 0); - VerifyFirmwarePreamble(0, 0, 0); - VbGetFirmwarePreambleFlags(0); - VerifyKernelPreamble(0, 0, 0); - VbSharedDataInit(0, 0); - VbSharedDataReserve(0, 0); - VbSharedDataSetKernelKey(0, 0); + /* vboot_common.h */ + OffsetOf(0, 0); + GetPublicKeyData(0); + GetPublicKeyDataC(0); + GetSignatureData(0); + GetSignatureDataC(0); + VerifyMemberInside(0, 0, 0, 0, 0, 0); + VerifyPublicKeyInside(0, 0, 0); + VerifySignatureInside(0, 0, 0); + PublicKeyInit(0, 0, 0); + PublicKeyCopy(0, 0); + PublicKeyToRSA(0); + VerifyData(0, 0, 0, 0); + VerifyDigest(0, 0, 0); + KeyBlockVerify(0, 0, 0, 0); + VerifyFirmwarePreamble(0, 0, 0); + VbGetFirmwarePreambleFlags(0); + VerifyKernelPreamble(0, 0, 0); + VbSharedDataInit(0, 0); + VbSharedDataReserve(0, 0); + VbSharedDataSetKernelKey(0, 0); - VbNvSetup(0); - VbNvGet(0, 0, 0); - VbNvSet(0, 0, 0); - VbNvTeardown(0); + VbNvSetup(0); + VbNvGet(0, 0, 0); + VbNvSet(0, 0, 0); + VbNvTeardown(0); - return 0; + return 0; } |