Dasharo · krystian-hebel · Jun 17, 2022 · Jun 9, 2022 · Jun 15, 2022 · Jun 9, 2022
diff --git a/src/commonlib/include/commonlib/cbmem_id.h b/src/commonlib/include/commonlib/cbmem_id.h
@@ -56,6 +56,7 @@
 #define CBMEM_ID_STAGEx_RAW 0x57a9e200
 #define CBMEM_ID_STORAGE_DATA 0x53746f72
 #define CBMEM_ID_TCPA_LOG 0x54435041
+#define CBMEM_ID_TCPA_SPEC_LOG 0x54534C47
 #define CBMEM_ID_TCPA_TCG_LOG 0x54445041
 #define CBMEM_ID_TIMESTAMP 0x54494d45
 #define CBMEM_ID_TPM2_TCG_LOG 0x54504d32
@@ -125,6 +126,7 @@
  { CBMEM_ID_SMM_SAVE_SPACE, "SMM BACKUP " }, \
  { CBMEM_ID_STORAGE_DATA, "SD/MMC/eMMC" }, \
  { CBMEM_ID_TCPA_LOG, "TCPA LOG " }, \
+ { CBMEM_ID_TCPA_SPEC_LOG, "TCPASPECLOG" }, \
  { CBMEM_ID_TCPA_TCG_LOG, "TCPA TCGLOG" }, \
  { CBMEM_ID_TIMESTAMP, "TIME STAMP " }, \
  { CBMEM_ID_TPM2_TCG_LOG, "TPM2 TCGLOG" }, \

diff --git a/src/commonlib/include/commonlib/coreboot_tables.h b/src/commonlib/include/commonlib/coreboot_tables.h
@@ -83,6 +83,7 @@ enum {
  LB_TAG_SMMSTOREV2 = 0x0039,
  LB_TAG_TPM_PPI_HANDOFF = 0x003a,
  LB_TAG_BOARD_CONFIG = 0x0040,
+ LB_TAG_TCPA_SPEC_LOG = 0x00c7,
  /* The following options are CMOS-related */
  LB_TAG_CMOS_OPTION_TABLE = 0x00c8,
  LB_TAG_OPTION = 0x00c9,

diff --git a/src/commonlib/include/commonlib/tpm_log_serialized.h b/src/commonlib/include/commonlib/tpm_log_serialized.h
@@ -0,0 +1,151 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+
+#ifndef __TPM_LOG_SERIALIZED_H__
+#define __TPM_LOG_SERIALIZED_H__
+
+#include <stdint.h>
+#include <commonlib/helpers.h>
+
+#define TCPA_SPEC_ID_EVENT_SIGNATURE "Spec ID Event00"
+
+struct tcpa_log_entry {
+ uint32_t pcr;
+ uint32_t event_type;
+ uint8_t digest[20];
+ uint32_t event_data_size;
+ uint8_t event[0];
+} __packed;
+
+struct tcpa_spec_entry {
+ struct tcpa_log_entry entry;
+ uint8_t signature[16];
+ uint32_t platform_class;
+ uint8_t spec_version_minor;
+ uint8_t spec_version_major;
+ uint8_t spec_errata;
+ uint8_t reserved;
+ uint8_t vendor_info_size;
+ uint8_t vendor_info[0];
+} __packed;
+
+/* Some hardcoded algorithm values. */
+/* Table 7 - TPM_ALG_ID Constants */
+#define TPM2_ALG_ERROR 0x0000
+#define TPM2_ALG_HMAC 0x0005
+#define TPM2_ALG_NULL 0x0010
+#define TPM2_ALG_SHA1 0x0004
+#define TPM2_ALG_SHA256 0x000b
+#define TPM2_ALG_SHA384 0x000c
+#define TPM2_ALG_SHA512 0x000d
+#define TPM2_ALG_SM3_256 0x0012
+
+/* Annex A Algorithm Constants */
+
+/* Table 205 - Defines for SHA1 Hash Values */
+#define SHA1_DIGEST_SIZE 20
+/* Table 206 - Defines for SHA256 Hash Values */
+#define SHA256_DIGEST_SIZE 32
+/* Table 207 - Defines for SHA384 Hash Values */
+#define SHA384_DIGEST_SIZE 48
+/* Table 208 - Defines for SHA512 Hash Values */
+#define SHA512_DIGEST_SIZE 64
+/* Table 209 - Defines for SM3_256 Hash Values */
+#define SM3_256_DIGEST_SIZE 32
+
+#define HASH_COUNT 2
+
+/* Table 66 - TPMU_HA Union */
+typedef union {
+ uint8_t sha1[SHA1_DIGEST_SIZE];
+ uint8_t sha256[SHA256_DIGEST_SIZE];
+ uint8_t sm3_256[SM3_256_DIGEST_SIZE];
+ uint8_t sha384[SHA384_DIGEST_SIZE];
+ uint8_t sha512[SHA512_DIGEST_SIZE];
+} tpm_hash_digest;
+
+typedef struct {
+ uint16_t hashAlg;
+ tpm_hash_digest digest;
+} tpm_hash_algorithm;
+
+/* Table 96 -- TPML_DIGEST_VALUES Structure <I/O> */
+typedef struct {
+ uint32_t count;
+ tpm_hash_algorithm digests[HASH_COUNT];
+} tpm_digest_values;
+
+typedef struct {
+ uint16_t alg_id;
+ uint16_t digest_size;
+} __packed tpm_digest_sizes;
+
+typedef struct {
+ uint32_t pcr_index;
+ uint32_t event_type;
+ tpm_digest_values digest;
+ uint32_t event_size;
+ uint8_t event[0];
+} __packed tcg_pcr_event2_header;
+
+typedef struct {
+ uint32_t pcr_index;
+ uint32_t event_type;
+ uint8_t digest[20];
+ uint32_t event_size;
+ uint8_t signature[16];
+ uint32_t platform_class;
+ uint8_t spec_version_minor;
+ uint8_t spec_version_major;
+ uint8_t spec_errata;
+ uint8_t uintn_size;
+ uint32_t num_of_algorithms;
+ tpm_digest_sizes digest_sizes[HASH_COUNT];
+ uint8_t vendor_info_size;
+ uint8_t vendor_info[0];
+} __packed tcg_efi_spec_id_event;
+
+#define TCG_EFI_SPEC_ID_EVENT_SIGNATURE "Spec ID Event03"
+
+#define EV_PREBOOT_CERT 0x00000000
+#define EV_POST_CODE 0x00000001
+#define EV_UNUSED 0x00000002
+#define EV_NO_ACTION 0x00000003
+#define EV_SEPARATOR 0x00000004
+#define EV_ACTION 0x00000005
+#define EV_EVENT_TAG 0x00000006
+#define EV_S_CRTM_CONTENTS 0x00000007
+#define EV_S_CRTM_VERSION 0x00000008
+#define EV_CPU_MICROCODE 0x00000009
+#define EV_PLATFORM_CONFIG_FLAGS 0x0000000A
+#define EV_TABLE_OF_DEVICES 0x0000000B
+#define EV_COMPACT_HASH 0x0000000C
+#define EV_IPL 0x0000000D
+#define EV_IPL_PARTITION_DATA 0x0000000E
+#define EV_NONHOST_CODE 0x0000000F
+#define EV_NONHOST_CONFIG 0x00000010
+#define EV_NONHOST_INFO 0x00000011
+#define EV_OMIT_BOOT_DEVICE_EVENTS 0x00000012
+
+static const char *tpm_event_types[] __unused = {
+ [EV_PREBOOT_CERT] = "Reserved",
+ [EV_POST_CODE] = "POST code",
+ [EV_UNUSED] = "Unused",
+ [EV_NO_ACTION] = "No action",
+ [EV_SEPARATOR] = "Separator",
+ [EV_ACTION] = "Action",
+ [EV_EVENT_TAG] = "Event tag",
+ [EV_S_CRTM_CONTENTS] = "S-CRTM contents",
+ [EV_S_CRTM_VERSION] = "S-CRTM version",
+ [EV_CPU_MICROCODE] = "CPU microcode",
+ [EV_PLATFORM_CONFIG_FLAGS] = "Platform configuration flags",
+ [EV_TABLE_OF_DEVICES] = "Table of devices",
+ [EV_COMPACT_HASH] = "Compact hash",
+ [EV_IPL] = "IPL",
+ [EV_IPL_PARTITION_DATA] = "IPL partition data",
+ [EV_NONHOST_CODE] = "Non-host code",
+ [EV_NONHOST_CONFIG] = "Non-host configuration",
+ [EV_NONHOST_INFO] = "Non-host information",
+ [EV_OMIT_BOOT_DEVICE_EVENTS] = "Omit boot device events",
+};
+
+#endif
diff --git a/src/lib/coreboot_table.c b/src/lib/coreboot_table.c
@@ -249,6 +249,7 @@ static void add_cbmem_pointers(struct lb_header *header)
  {CBMEM_ID_VPD, LB_TAG_VPD},
  {CBMEM_ID_WIFI_CALIBRATION, LB_TAG_WIFI_CALIBRATION},
  {CBMEM_ID_TCPA_LOG, LB_TAG_TCPA_LOG},
+ {CBMEM_ID_TCPA_SPEC_LOG, LB_TAG_TCPA_SPEC_LOG},
  {CBMEM_ID_FMAP, LB_TAG_FMAP},
  {CBMEM_ID_VBOOT_WORKBUF, LB_TAG_VBOOT_WORKBUF},
  };

diff --git a/src/mainboard/raptor-cs/talos-2/Kconfig b/src/mainboard/raptor-cs/talos-2/Kconfig
@@ -33,6 +33,7 @@ config TALOS_2_INFINEON_TPM_1
  bool "I2C TPM1 chip compatible with SLB9635TT"
  default n
  select TPM_MEASURED_BOOT # needed for TCPA log
+ select TPM_MEASURED_BOOT_SPEC_LOG # don't use coreboot's log format
 
 config DRIVER_TPM_I2C_BUS
  hex

diff --git a/src/security/tpm/Kconfig b/src/security/tpm/Kconfig
@@ -106,6 +106,14 @@ config TPM_MEASURED_BOOT
  help
  Enables measured boot (experimental)
 
+config TPM_MEASURED_BOOT_SPEC_LOG
+ bool "Use TCPA log per specification"
+ default n
+ depends on TPM_MEASURED_BOOT
+ help
+ Enables writing of TPM event log in format defined by TCPA
+ specification (TPM2).
+
 config TPM_MEASURED_BOOT_INIT_BOOTBLOCK
  bool
  depends on TPM_MEASURED_BOOT && !VBOOT

diff --git a/src/security/tpm/Makefile.inc b/src/security/tpm/Makefile.inc
@@ -55,10 +55,22 @@ romstage-y += tspi/crtm.c
 ramstage-y += tspi/crtm.c
 postcar-y += tspi/crtm.c
 
+ifeq ($(CONFIG_TPM_MEASURED_BOOT_SPEC_LOG),y)
+
+ramstage-y += tspi/log-tpm.c
+romstage-y += tspi/log-tpm.c
+verstage-y += tspi/log-tpm.c
+postcar-y += tspi/log-tpm.c
+bootblock-y += tspi/log-tpm.c
+
+else
+
 ramstage-y += tspi/log.c
 romstage-y += tspi/log.c
 verstage-y += tspi/log.c
 postcar-y += tspi/log.c
 bootblock-y += tspi/log.c
 
+endif # CONFIG_TPM_MEASURED_BOOT_SPEC_LOG
+
 endif # CONFIG_TPM_MEASURED_BOOT
diff --git a/src/security/tpm/tcpa_spec_log_serialized.h b/src/security/tpm/tcpa_spec_log_serialized.h
@@ -0,0 +1,40 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+
+#ifndef __TCPA_SPEC_LOG_SERIALIZED_H__
+#define __TCPA_SPEC_LOG_SERIALIZED_H__
+
+#include <commonlib/tpm_log_serialized.h>
+#include <stdint.h>
+
+#define MAX_TCPA_LOG_ENTRIES 50
+#define TCPA_PCR_HASH_NAME 50
+#define TCPA_PCR_HASH_LEN 10
+/* Assumption of 2K TCPA log size reserved for CAR/SRAM */
+#define MAX_PRERAM_TCPA_LOG_ENTRIES 15
+
+/*
+ * TPM2.0 log entries can't be generally represented as C structures due to
+ * varying number of digests and their sizes. However, it works as long as
+ * we're only using and supporting SHA1 digests.
+ */
+#define TCPA_DIGEST_MAX_LENGTH SHA1_DIGEST_SIZE
+
+/* TCG_PCR_EVENT2 */
+struct tcpa_entry {
+ uint32_t pcr;
+ uint32_t event_type;
+ uint32_t digest_count;
+ uint16_t digest_type;
+ uint8_t digest[TCPA_DIGEST_MAX_LENGTH];
+ uint32_t name_length;
+ char name[TCPA_PCR_HASH_NAME];
+} __packed;
+
+struct tcpa_table {
+ uint16_t max_entries;
+ uint16_t num_entries;
+ tcg_efi_spec_id_event header; /* TCG_PCR_EVENT actually */
+ struct tcpa_entry entries[0]; /* Variable number of entries */
+} __packed;
+
+#endif
diff --git a/src/security/tpm/tspi.h b/src/security/tpm/tspi.h
@@ -4,10 +4,15 @@
 #define TSPI_H_
 
 #include <security/tpm/tss.h>
-#include <commonlib/tcpa_log_serialized.h>
 #include <commonlib/region.h>
 #include <vb2_api.h>
 
+#if CONFIG(TPM_MEASURED_BOOT_SPEC_LOG)
+#include "tcpa_spec_log_serialized.h"
+#else
+#include <commonlib/tcpa_log_serialized.h>
+#endif
+
 #define TPM_PCR_MAX_LEN 64
 #define HASH_DATA_CHUNK_SIZE 1024
 

diff --git a/src/security/tpm/tspi/crtm.c b/src/security/tpm/tspi/crtm.c
@@ -178,8 +178,8 @@ int tspi_measure_cache_to_pcr(void)
  if (tce) {
  printk(BIOS_DEBUG, "TPM: Write digest for"
  " %s into PCR %d\n",
- tce->name, tce->pcr);
- int result = tlcl_extend(tce->pcr,
+ tce->name, le32toh(tce->pcr));
+ int result = tlcl_extend(le32toh(tce->pcr),
  tce->digest,
  NULL);
  if (result != TPM_SUCCESS) {