* [PATCH v2 0/2] vtpm deep quote in locality 0
@ 2015-04-14  9:08 Emil Condrea
  2015-04-14  9:08 ` [PATCH v2 1/2] vtpm: deep quote flags Emil Condrea
  2015-04-14  9:08 ` [PATCH v2 2/2] vtpmmgr: execute deep quote in locality 0 Emil Condrea
  0 siblings, 2 replies; 9+ messages in thread
From: Emil Condrea @ 2015-04-14  9:08 UTC (permalink / raw)
  To: xen-devel; +Cc: dgdegra, emilcondrea

Changes from v1, suggested by Daniel:
 - flags parameter is now mandatory
 - updated documentation about externData calculation
 - constant size for externData structure, perform SHA1 on empty string
if requested parameter is NULL
 - return error if invalid bit is set in flags
 - added VTPM_QUOTE_FLAGS_GROUP_PUBKEY flag

Right now, deep quote functionality is enabled just when vtpm manager
is started with locality=2. This requirement is enforced by the current
implementation which uses PCRs that can be reset in locality 2: 20,21,22,23.

Since some TPM chips do not enable access to other locality than 0 this patch
enables the deep quote functionality for vtpm manager started with locality=0.

The patches are based on a suggestion given by Daniel De Graaf in another
thread on the list:
 - Add a field to the request - extraInfoFlags
 - Compute externData = SHA1 (
       extraInfoFlags
       requestData
       [SHA1 (
          [SHA1 (UUIDs if requested)]
          [SHA1 (vTPM measurements if requested)]
          [SHA1 (vTPM group update policy if requested)]
          [SHA1 (vTPM group public key if requested)]
       ) if flags !=0 ]
   )
 - Perform deep quotes using the above externData value instead of the value
provided by the vTPM.

Embedding additional data in externData is equivalently secure as extending
it into PCRs.

This change also has the benefit of increasing the flexibility of the request.
It is simple to define additional flags and add data to the hash if needed.

Emil Condrea (2):
  vtpm: deep quote flags
  vtpmmgr: execute deep quote in locality 0

 stubdom/Makefile                    |   1 +
 stubdom/vtpm-deepquote-anyloc.patch | 127 ++++++++++++++++++++++++++++++++++++
 stubdom/vtpm/vtpm_cmd.c             |  13 ++--
 stubdom/vtpmmgr/marshal.h           |   1 +
 stubdom/vtpmmgr/mgmt_authority.c    |  91 +++++++++++++++++++++++---
 stubdom/vtpmmgr/mgmt_authority.h    |   2 +-
 stubdom/vtpmmgr/vtpm_cmd_handler.c  |   7 +-
 stubdom/vtpmmgr/vtpm_manager.h      |  27 +++++++-
 8 files changed, 250 insertions(+), 19 deletions(-)
 create mode 100644 stubdom/vtpm-deepquote-anyloc.patch

-- 
2.1.0
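
The externData layout from the cover letter, seen from the verifier's side, as an added example that is not part of the posted patches. The function names are hypothetical, the flags are assumed to enter the hash as 4 little-endian bytes (x86 host order), and checking the TPM_Quote signature itself is out of scope; `wrap_inner=True` follows the formula above, while `wrap_inner=False` models feeding the concatenated hashes straight into the outer SHA1, as vtpm_do_quote() in patch 2/2 does.

```python
import hashlib
import struct

# Flag values as defined for vtpm_manager.h in patch 2/2 of this thread.
VTPM_QUOTE_FLAGS_HASH_UUID = 0x00000001
VTPM_QUOTE_FLAGS_VTPM_MEASUREMENTS = 0x00000002
VTPM_QUOTE_FLAGS_GROUP_INFO = 0x00000004
VTPM_QUOTE_FLAGS_GROUP_PUBKEY = 0x00000008

# Order in which the per-flag hashes are emitted (lowest bit first).
FLAG_ORDER = (
    VTPM_QUOTE_FLAGS_HASH_UUID,
    VTPM_QUOTE_FLAGS_VTPM_MEASUREMENTS,
    VTPM_QUOTE_FLAGS_GROUP_INFO,
    VTPM_QUOTE_FLAGS_GROUP_PUBKEY,
)
KNOWN_FLAGS = 0x0000000F
SHA1_LEN = 20


def sha1(data):
    return hashlib.sha1(data).digest()


def check_flags(flags):
    """Reject any bit outside the four defined flags, as the manager does."""
    if flags < 0 or flags & ~KNOWN_FLAGS:
        raise ValueError("invalid bit set in flags: 0x%x" % flags)


def split_pcr_values(flags, pcr_values):
    """Split the response's pcrValues into {flag: hash} and the PCR values."""
    check_flags(flags)
    hashes, offset = {}, 0
    for flag in FLAG_ORDER:
        if flags & flag:
            chunk = pcr_values[offset:offset + SHA1_LEN]
            if len(chunk) != SHA1_LEN:
                raise ValueError("response too short for requested hashes")
            hashes[flag] = chunk
            offset += SHA1_LEN
    return hashes, pcr_values[offset:]


def extern_data(flags, request_data, hashes, wrap_inner=True, flags_fmt="<I"):
    """Recompute externData from the flags, the nonce and the per-flag hashes.

    flags_fmt is an assumption about how the 4 flag bytes are serialised.
    """
    check_flags(flags)
    if len(request_data) != SHA1_LEN:
        raise ValueError("requestData must be a 20-byte nonce")
    outer = hashlib.sha1()
    outer.update(struct.pack(flags_fmt, flags))
    outer.update(request_data)
    if flags:
        inner = b"".join(hashes[f] for f in FLAG_ORDER if flags & f)
        outer.update(sha1(inner) if wrap_inner else inner)
    return outer.digest()


def check_quote_inputs(flags, request_data, pcr_values, expected,
                       quoted_extern_data, **layout):
    """Check the returned hashes against expected preimages and externData.

    expected maps a flag to the bytes the verifier believes were hashed
    (for example the 16-byte UUID). Returns the trailing PCR values.
    """
    hashes, pcrs = split_pcr_values(flags, pcr_values)
    for flag, value in expected.items():
        if hashes.get(flag) != sha1(value):
            raise ValueError("hash for flag 0x%x does not match" % flag)
    if extern_data(flags, request_data, hashes, **layout) != quoted_extern_data:
        raise ValueError("externData in the quote does not match")
    return pcrs
```

A verifier would take `quoted_extern_data` from the signed quote structure after validating the signature, then call `check_quote_inputs` with the nonce it sent.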


* [PATCH v2 1/2] vtpm: deep quote flags
  2015-04-14  9:08 [PATCH v2 0/2] vtpm deep quote in locality 0 Emil Condrea
@ 2015-04-14  9:08 ` Emil Condrea
  2015-04-15 15:07   ` Daniel De Graaf
  2015-04-14  9:08 ` [PATCH v2 2/2] vtpmmgr: execute deep quote in locality 0 Emil Condrea
  1 sibling, 1 reply; 9+ messages in thread
From: Emil Condrea @ 2015-04-14  9:08 UTC (permalink / raw)
  To: xen-devel; +Cc: dgdegra, emilcondrea

Currently, the flags are not interpreted by vTPM. They are just
packed and sent to vtpmmgr.

Signed-off-by: Emil Condrea <emilcondrea@gmail.com>
---
 stubdom/Makefile                    |   1 +
 stubdom/vtpm-deepquote-anyloc.patch | 127 ++++++++++++++++++++++++++++++++++++
 stubdom/vtpm/vtpm_cmd.c             |  13 ++--
 3 files changed, 135 insertions(+), 6 deletions(-)
 create mode 100644 stubdom/vtpm-deepquote-anyloc.patch

diff --git a/stubdom/Makefile b/stubdom/Makefile
index 8fb885a..c135334 100644
--- a/stubdom/Makefile
+++ b/stubdom/Makefile
@@ -211,6 +211,7 @@ tpm_emulator-$(XEN_TARGET_ARCH): tpm_emulator-$(TPMEMU_VERSION).tar.gz
 	patch -d $@ -p1 < vtpm-locality.patch
 	patch -d $@ -p1 < vtpm-parent-sign-ek.patch
 	patch -d $@ -p1 < vtpm-deepquote.patch
+	patch -d $@ -p1 < vtpm-deepquote-anyloc.patch
 	patch -d $@ -p1 < vtpm-cmake-Wextra.patch
 	mkdir $@/build
 	cd $@/build; CC=${CC} $(CMAKE) .. -DCMAKE_C_FLAGS:STRING="-std=c99 -DTPM_NO_EXTERN $(TARGET_CPPFLAGS) $(TARGET_CFLAGS) -Wno-declaration-after-statement"
diff --git a/stubdom/vtpm-deepquote-anyloc.patch b/stubdom/vtpm-deepquote-anyloc.patch
new file mode 100644
index 0000000..13b00d8
--- /dev/null
+++ b/stubdom/vtpm-deepquote-anyloc.patch
@@ -0,0 +1,127 @@
+diff --git a/tpm/tpm_cmd_handler.c b/tpm/tpm_cmd_handler.c
+index 69511d1..7545d51 100644
+--- a/tpm/tpm_cmd_handler.c
++++ b/tpm/tpm_cmd_handler.c
+@@ -3347,12 +3347,13 @@ static TPM_RESULT execute_TPM_DeepQuote(TPM_REQUEST *req, TPM_RESPONSE *rsp)
+ {
+ 	TPM_NONCE nonce;
+ 	TPM_RESULT res;
+-	UINT32 sigSize;
+-	BYTE *sig;
++	UINT32 quote_blob_size;
++	BYTE *quote_blob;
+ 	BYTE *ptr;
+ 	UINT32 len;
+ 	TPM_PCR_SELECTION myPCR;
+ 	TPM_PCR_SELECTION ptPCR;
++	UINT32 extraInfoFlags = 0;
+ 
+ 	tpm_compute_in_param_digest(req);
+ 
+@@ -3361,17 +3362,19 @@ static TPM_RESULT execute_TPM_DeepQuote(TPM_REQUEST *req, TPM_RESPONSE *rsp)
+ 	if (tpm_unmarshal_TPM_NONCE(&ptr, &len, &nonce)
+ 		|| tpm_unmarshal_TPM_PCR_SELECTION(&ptr, &len, &myPCR)
+ 		|| tpm_unmarshal_TPM_PCR_SELECTION(&ptr, &len, &ptPCR)
++		|| tpm_unmarshal_TPM_DEEP_QUOTE_INFO(&ptr, &len, &extraInfoFlags))
+ 		|| len != 0) return TPM_BAD_PARAMETER;
+ 
+-	res = TPM_DeepQuote(&nonce, &myPCR, &ptPCR, &req->auth1, &sigSize, &sig);
++	res = TPM_DeepQuote(&nonce, &myPCR, &ptPCR, &req->auth1, extraInfoFlags,
++		&quote_blob_size, &quote_blob);
+ 	if (res != TPM_SUCCESS) return res;
+-	rsp->paramSize = len = sigSize;
++		rsp->paramSize = len = quote_blob_size;
+ 	rsp->param = ptr = tpm_malloc(len);
+-	if (ptr == NULL || tpm_marshal_BLOB(&ptr, &len, sig, sigSize)) {
++	if (ptr == NULL || tpm_marshal_BLOB(&ptr, &len, quote_blob, quote_blob_size)) {
+ 		tpm_free(rsp->param);
+ 		res = TPM_FAIL;
+ 	}
+-	tpm_free(sig);
++	tpm_free(quote_blob);
+ 
+ 	return res;
+ }
+diff --git a/tpm/tpm_commands.h b/tpm/tpm_commands.h
+index 328d1be..a56dd5f 100644
+--- a/tpm/tpm_commands.h
++++ b/tpm/tpm_commands.h
+@@ -3077,6 +3077,7 @@ TPM_RESULT TPM_ParentSignEK(
+  * @myPCR: [in] PCR selection for the virtual TPM
+  * @ptPCR: [in] PCR selection for the hardware TPM
+  * @auth1: [in, out] Authorization protocol parameters
++ * @extraInfoFlags [in] Flags for including, kernel hash, group info, etc
+  * @sigSize: [out] The length of the returned digital signature
+  * @sig: [out] The resulting digital signature and PCR values
+  * Returns: TPM_SUCCESS on success, a TPM error code otherwise.
+@@ -3086,6 +3087,7 @@ TPM_RESULT TPM_DeepQuote(
+   TPM_PCR_SELECTION *myPCR,
+   TPM_PCR_SELECTION *ptPCR,
+   TPM_AUTH *auth1,
++  UINT32 extraInfoFlags,
+   UINT32 *sigSize,
+   BYTE **sig
+ );
+diff --git a/tpm/tpm_credentials.c b/tpm/tpm_credentials.c
+index c0d62e7..6586c22 100644
+--- a/tpm/tpm_credentials.c
++++ b/tpm/tpm_credentials.c
+@@ -183,7 +183,8 @@ TPM_RESULT TPM_OwnerReadInternalPub(TPM_KEY_HANDLE keyHandle, TPM_AUTH *auth1,
+ 
+ int endorsementKeyFresh = 0;
+ 
+-TPM_RESULT VTPM_GetParentQuote(TPM_DIGEST* data, TPM_PCR_SELECTION *sel, UINT32 *sigSize, BYTE **sig);
++TPM_RESULT VTPM_GetParentQuote(TPM_NONCE *data, TPM_PCR_SELECTION *sel,
++                               UINT32 extraInfoFlags, UINT32 *sigSize, BYTE **sig);
+ 
+ TPM_RESULT TPM_ParentSignEK(TPM_NONCE *externalData, TPM_PCR_SELECTION *sel,
+                             TPM_AUTH *auth1, UINT32 *sigSize, BYTE **sig)
+@@ -191,7 +192,7 @@ TPM_RESULT TPM_ParentSignEK(TPM_NONCE *externalData, TPM_PCR_SELECTION *sel,
+ 	TPM_PUBKEY pubKey;
+ 	TPM_RESULT res;
+ 	TPM_DIGEST hres;
+-
++	UINT32 extraInfoFlags = 0;
+ 	info("TPM_ParentSignEK()");
+ 
+ 	res = tpm_verify_auth(auth1, tpmData.permanent.data.ownerAuth, TPM_KH_OWNER);
+@@ -206,7 +207,7 @@ TPM_RESULT TPM_ParentSignEK(TPM_NONCE *externalData, TPM_PCR_SELECTION *sel,
+ 		res = TPM_FAIL;
+ 
+ 	if (res == TPM_SUCCESS)
+-		res = VTPM_GetParentQuote(&hres, sel, sigSize, sig);
++		res = VTPM_GetParentQuote((TPM_NONCE*)&hres, sel, extraInfoFlags, sigSize, sig);
+ 
+ 	free_TPM_PUBKEY(pubKey);
+ 	return res;
+@@ -218,7 +219,7 @@ static const BYTE dquot_hdr[] = {
+ 
+ TPM_RESULT TPM_DeepQuote(TPM_NONCE *externalData, TPM_PCR_SELECTION *myPCR,
+                          TPM_PCR_SELECTION *ptPCR, TPM_AUTH *auth1,
+-                         UINT32 *sigSize, BYTE **sig)
++                         UINT32 extraInfoFlags, UINT32 *quote_blob_size, BYTE **quote_blob)
+ {
+   TPM_RESULT res;
+   TPM_DIGEST hres;
+@@ -253,7 +254,7 @@ TPM_RESULT TPM_DeepQuote(TPM_NONCE *externalData, TPM_PCR_SELECTION *myPCR,
+ 
+   tpm_free(buf);
+ 
+-	res = VTPM_GetParentQuote(&hres, ptPCR, sigSize, sig);
++  res = VTPM_GetParentQuote((TPM_NONCE*)&hres, ptPCR, extraInfoFlags, quote_blob_size, quote_blob);
+ 
+   return res;
+ }
+diff --git a/tpm/tpm_marshalling.h b/tpm/tpm_marshalling.h
+index d510ebe..2e0c008 100644
+--- a/tpm/tpm_marshalling.h
++++ b/tpm/tpm_marshalling.h
+@@ -268,6 +268,8 @@ static inline int tpm_unmarshal_BOOL(BYTE **ptr, UINT32 *length, BOOL *v)
+ #define tpm_unmarshal_TPM_REDIR_COMMAND        tpm_unmarshal_UINT32
+ #define tpm_marshal_DAAHANDLE                  tpm_marshal_UINT32
+ #define tpm_unmarshal_DAAHANDLE                tpm_unmarshal_UINT32
++#define tpm_marshal_TPM_DEEP_QUOTE_INFO        tpm_marshal_UINT32
++#define tpm_unmarshal_TPM_DEEP_QUOTE_INFO      tpm_unmarshal_UINT32
+ 
+ int tpm_marshal_UINT32_ARRAY(BYTE **ptr, UINT32 *length, UINT32 *v, UINT32 n);
+ int tpm_unmarshal_UINT32_ARRAY(BYTE **ptr, UINT32 *length, UINT32 *v, UINT32 n);
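Review bot: In the execute_TPM_DeepQuote hunk of the embedded tpm_cmd_handler.c patch, the added line `|| tpm_unmarshal_TPM_DEEP_QUOTE_INFO(&ptr, &len, &extraInfoFlags))` ends with two closing parentheses, which closes the `if (` early and leaves the following `|| len != 0)` outside the condition, so the file cannot compile; drop one parenthesis so the length check stays inside the `if`. In the same function `rsp->paramSize = len = quote_blob_size;` gained a tab and now reads as if it were guarded by the `if` above it. The tpm_commands.h prototype and its doc comment still say `sigSize`/`sig` while the definition is renamed to `quote_blob_size`/`quote_blob`, and the new `@extraInfoFlags` doc line lacks the colon the other entries carry.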
diff --git a/stubdom/vtpm/vtpm_cmd.c b/stubdom/vtpm/vtpm_cmd.c
index 6fda456..eec37df 100644
--- a/stubdom/vtpm/vtpm_cmd.c
+++ b/stubdom/vtpm/vtpm_cmd.c
@@ -218,7 +218,8 @@ egress:
 }
 
 extern struct tpmfront_dev* tpmfront_dev;
-TPM_RESULT VTPM_GetParentQuote(TPM_NONCE *data, TPM_PCR_SELECTION *sel, UINT32 *sigSize, BYTE **sig)
+TPM_RESULT VTPM_GetParentQuote(TPM_NONCE *data, TPM_PCR_SELECTION *sel,
+                               UINT32 extraInfoFlags, UINT32 *quote_blob_size, BYTE **quote_blob)
 {
    TPM_RESULT status = TPM_SUCCESS;
    uint8_t* bptr, *resp;
@@ -231,11 +232,12 @@ TPM_RESULT VTPM_GetParentQuote(TPM_NONCE *data, TPM_PCR_SELECTION *sel, UINT32 *
    TPM_COMMAND_CODE ord = VTPM_ORD_GET_QUOTE;
 
    /*Create the command*/
-   len = size = VTPM_COMMAND_HEADER_SIZE + 25;
+   len = size = VTPM_COMMAND_HEADER_SIZE + 20 + sizeof_TPM_PCR_SELECTION((*sel)) + 4;
    bptr = cmdbuf = malloc(size);
    TRYFAILGOTO(pack_header(&bptr, &len, tag, size, ord));
    TRYFAILGOTO(tpm_marshal_TPM_NONCE(&bptr, &len, data));
    TRYFAILGOTO(tpm_marshal_TPM_PCR_SELECTION(&bptr, &len, sel));
+   TRYFAILGOTO(tpm_marshal_TPM_DEEP_QUOTE_INFO(&bptr, &len, extraInfoFlags));
 
    /* Send the command to vtpm_manager */
    info("Requesting Quote from backend");
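Review bot: `bptr = cmdbuf = malloc(size);` is still handed to pack_header() on the next line without a NULL check, and the length above it is now built from the bare constants 20 and 4; check the allocation before marshalling, and give the nonce and flags sizes names (or derive them from the types) so the buffer size cannot drift from the three marshal calls that fill it.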
@@ -248,11 +250,10 @@ TPM_RESULT VTPM_GetParentQuote(TPM_NONCE *data, TPM_PCR_SELECTION *sel, UINT32 *
 
    /* Check return code */
    CHECKSTATUSGOTO(ord, "VTPM_GetParentQuote()");
-
    /* Copy out the value */
-   *sigSize = len;
-   *sig = tpm_malloc(*sigSize);
-   TRYFAILGOTOMSG(tpm_unmarshal_BYTE_ARRAY(&bptr, &len, *sig, *sigSize), ERR_MALFORMED);
+   *quote_blob_size = len;
+   *quote_blob = tpm_malloc(*quote_blob_size);
+   TRYFAILGOTOMSG(tpm_unmarshal_BYTE_ARRAY(&bptr, &len, *quote_blob, *quote_blob_size), ERR_MALFORMED);
 
    goto egress;
 abort_egress:
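Review bot: `*quote_blob = tpm_malloc(*quote_blob_size);` is passed straight to tpm_unmarshal_BYTE_ARRAY() without a NULL check, and the size is whatever length remains in the manager's response; check the allocation and fail through the abort path before copying. The blank line removed after CHECKSTATUSGOTO looks unintentional.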
-- 
2.1.0


* [PATCH v2 2/2] vtpmmgr: execute deep quote in locality 0
  2015-04-14  9:08 [PATCH v2 0/2] vtpm deep quote in locality 0 Emil Condrea
  2015-04-14  9:08 ` [PATCH v2 1/2] vtpm: deep quote flags Emil Condrea
@ 2015-04-14  9:08 ` Emil Condrea
  2015-04-15 15:07   ` Daniel De Graaf
  1 sibling, 1 reply; 9+ messages in thread
From: Emil Condrea @ 2015-04-14  9:08 UTC (permalink / raw)
  To: xen-devel; +Cc: dgdegra, emilcondrea

Enables deep quote execution for vtpmmgr which can not be started
using locality 2. Flags are used to request additional data to be
present when executing quote. They are interpreted as a bitmask of:
 * VTPM_QUOTE_FLAGS_HASH_UUID
 * VTPM_QUOTE_FLAGS_VTPM_MEASUREMENTS
 * VTPM_QUOTE_FLAGS_GROUP_INFO
 * VTPM_QUOTE_FLAGS_GROUP_PUBKEY

The externData param for TPM_Quote is calculated as:
externData = SHA1 (
       extraInfoFlags
       requestData
       [SHA1 (
          [SHA1 (UUIDs if requested)]
          [SHA1 (vTPM measurements if requested)]
          [SHA1 (vTPM group update policy if requested)]
          [SHA1 (vTPM group public key if requested)]
       ) if flags !=0 ]
)

The response param pcrValues is an array containing requested hashes used
for externData calculation : UUIDs, vTPM measurements, vTPM group update
policy, group public key. At the end of these hashes the PCR values are
appended.

Signed-off-by: Emil Condrea <emilcondrea@gmail.com>
---
 stubdom/vtpmmgr/marshal.h          |  1 +
 stubdom/vtpmmgr/mgmt_authority.c   | 91 ++++++++++++++++++++++++++++++++++----
 stubdom/vtpmmgr/mgmt_authority.h   |  2 +-
 stubdom/vtpmmgr/vtpm_cmd_handler.c |  7 ++-
 stubdom/vtpmmgr/vtpm_manager.h     | 27 ++++++++++-
 5 files changed, 115 insertions(+), 13 deletions(-)

diff --git a/stubdom/vtpmmgr/marshal.h b/stubdom/vtpmmgr/marshal.h
index bcc7c46..d826f19 100644
--- a/stubdom/vtpmmgr/marshal.h
+++ b/stubdom/vtpmmgr/marshal.h
@@ -195,6 +195,7 @@ inline int unpack3_UINT32(BYTE* ptr, UINT32* pos, UINT32 max, UINT32 *t)
 #define unpack3_TPM_PHYSICAL_PRESENCE(p, l, m, t) unpack3_UINT16(p, l, m, t)
 #define unpack3_TPM_KEY_FLAGS(p, l, m, t) unpack3_UINT32(p, l, m, t)
 #define unpack3_TPM_LOCALITY_SELECTION(p, l, m, t) unpack3_BYTE(p, l, m, t)
+#define unpack3_TPM_DEEP_QUOTE_INFO(p, l, m, t) unpack3_UINT32(p, l, m, t)
 
 #define sizeof_TPM_RESULT(t) sizeof_UINT32(t)
 #define sizeof_TPM_PCRINDEX(t) sizeof_UINT32(t)
diff --git a/stubdom/vtpmmgr/mgmt_authority.c b/stubdom/vtpmmgr/mgmt_authority.c
index 0526a12..b839a20 100644
--- a/stubdom/vtpmmgr/mgmt_authority.c
+++ b/stubdom/vtpmmgr/mgmt_authority.c
@@ -128,6 +128,55 @@ static int do_load_aik(struct mem_group *group, TPM_HANDLE *handle)
 	return TPM_LoadKey(TPM_SRK_KEYHANDLE, &key, handle, (void*)&vtpm_globals.srk_auth, &vtpm_globals.oiap);
 }
 
+static void do_vtpminfo_hash(uint32_t extra_info_flags,struct mem_group *group,
+	const void* uuid, const uint8_t* kern_hash,unsigned char** calc_hashes)
+{
+	int i;
+	sha1_context ctx;
+	if(extra_info_flags & VTPM_QUOTE_FLAGS_HASH_UUID){
+		printk("hashing for FLAGS_HASH_UUID: ");
+		sha1_starts(&ctx);
+		if(uuid){
+			printk("true");
+			sha1_update(&ctx, (void*)uuid, 16);
+		}
+		sha1_finish(&ctx, *calc_hashes);
+		*calc_hashes = *calc_hashes + 20;
+		printk("\n");
+	}
+	if(extra_info_flags & VTPM_QUOTE_FLAGS_VTPM_MEASUREMENTS){
+		printk("hashing for VTPM_QUOTE_FLAGS_VTPM_MEASUREMENTS: ");
+		sha1_starts(&ctx);
+		if(kern_hash){
+			printk("true");
+			sha1_update(&ctx, (void*)kern_hash, 20);
+		}
+		sha1_finish(&ctx, *calc_hashes);
+		*calc_hashes = *calc_hashes + 20;
+		printk("\n");
+	}
+	if(extra_info_flags & VTPM_QUOTE_FLAGS_GROUP_INFO){
+		printk("hashing for VTPM_QUOTE_FLAGS_GROUP_INFO: true\n");
+		sha1_starts(&ctx);
+		sha1_update(&ctx, (void*)&group->id_data.saa_pubkey, sizeof(group->id_data.saa_pubkey));
+		sha1_update(&ctx, (void*)&group->details.cfg_seq, 8);
+		sha1_update(&ctx, (void*)&group->seal_bits.nr_cfgs, 4);
+		for(i=0; i < group->nr_seals; i++)
+			sha1_update(&ctx, (void*)&group->seals[i].digest_release, 20);
+		sha1_update(&ctx, (void*)&group->seal_bits.nr_kerns, 4);
+		sha1_update(&ctx, (void*)&group->seal_bits.kernels, 20 * be32_native(group->seal_bits.nr_kerns));
+		sha1_finish(&ctx, *calc_hashes);
+		*calc_hashes = *calc_hashes + 20;
+	}
+	if(extra_info_flags & VTPM_QUOTE_FLAGS_GROUP_PUBKEY){
+		printk("hashing for VTPM_QUOTE_FLAGS_GROUP_PUBKEY: true\n");
+		sha1_starts(&ctx);
+		sha1_update(&ctx, (void*)&group->id_data.saa_pubkey, sizeof(group->id_data.saa_pubkey));
+		sha1_finish(&ctx, *calc_hashes);
+		*calc_hashes = *calc_hashes + 20;
+	}
+}
+
 /* 
  * Sets up resettable PCRs for a vTPM deep quote request
  */
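Review bot: do_vtpminfo_hash() advances *calc_hashes by 20 bytes for every set flag (up to 80 bytes) without being told how large the caller's buffer is; pass the remaining capacity in and return an error when it would be exceeded. In the VTPM_QUOTE_FLAGS_GROUP_INFO branch the length `20 * be32_native(group->seal_bits.nr_kerns)` comes from group data and should be bounded by the size of the kernels array before it is hashed, and the digest loop runs to group->nr_seals while the count that was hashed is seal_bits.nr_cfgs, so the two need to be guaranteed equal or the same field used for both. The printk calls issued on every quote are debug output and should be removed.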
@@ -273,18 +322,40 @@ int group_do_activate(struct mem_group *group, void* blob, int blobSize,
 
 int vtpm_do_quote(struct mem_group *group, const uuid_t uuid,
 	const uint8_t* kern_hash, const struct tpm_authdata *data, TPM_PCR_SELECTION *sel,
-	void* pcr_out, uint32_t *pcr_size, void* sig_out)
+	uint32_t extra_info_flags, void* pcr_out, uint32_t *pcr_size, void* sig_out)
 {
 	TPM_HANDLE handle;
 	TPM_AUTH_SESSION oiap = TPM_AUTH_SESSION_INIT;
 	TPM_PCR_COMPOSITE pcrs;
 	BYTE* sig;
 	UINT32 size;
+	sha1_context ctx;
+	TPM_DIGEST externData;
+	const void* data_to_quote = data;
+	unsigned char* ppcr_out = (unsigned char*)pcr_out;
+	unsigned char** pcr_outv = (unsigned char**)&ppcr_out;
+
 	int rc;
+	printk("Extra Info Flags =0x%x\n",extra_info_flags);
+	if((extra_info_flags & ~VTPM_QUOTE_FLAGS_HASH_UUID
+		& ~VTPM_QUOTE_FLAGS_VTPM_MEASUREMENTS
+		& ~VTPM_QUOTE_FLAGS_GROUP_INFO
+		& ~VTPM_QUOTE_FLAGS_GROUP_PUBKEY) != 0)
+		return VTPM_INVALID_REQUEST;
 
-	rc = do_pcr_setup(group, uuid, kern_hash);
-	if (rc)
-		return rc;
+	sha1_starts(&ctx);
+	sha1_update(&ctx, (void*)&extra_info_flags, 4);
+	sha1_update(&ctx, (void*)data, 20);
+	if(pcr_out!=NULL && extra_info_flags!=0)
+	{
+		/*creates hashes and sets them to pcr_out*/
+		do_vtpminfo_hash(extra_info_flags,group, uuid, kern_hash, pcr_outv);
+		*pcr_size = *pcr_outv - (unsigned char*)pcr_out;
+		if(*pcr_size > 0)
+			sha1_update(&ctx, pcr_out, *pcr_size);
+	}
+	sha1_finish(&ctx, externData.digest);
+	data_to_quote = (void*)externData.digest;
 
 	rc = do_load_aik(group, &handle);
 	if (rc)
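Review bot: The hashing added to vtpm_do_quote() does not match the externData formula given in the commit message and in vtpm_manager.h: `sha1_update(&ctx, pcr_out, *pcr_size);` feeds the concatenated per-flag hashes straight into the outer SHA1, with no intermediate SHA1 over them; either add the inner hash or correct the documentation, since a verifier has to reproduce this byte for byte. `sha1_update(&ctx, (void*)&extra_info_flags, 4);` also hashes the flags in host byte order, which should be converted to a fixed order and documented. When pcr_out is NULL and flags are non-zero the requested hashes are silently left out while the flags are still hashed; returning VTPM_INVALID_REQUEST for that combination would make the result unambiguous.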
@@ -296,8 +367,7 @@ int vtpm_do_quote(struct mem_group *group, const uuid_t uuid,
 		return rc;
 	}
 
-	rc = TPM_Quote(handle, (void*)data, sel, (void*)&group->aik_authdata, &oiap, &pcrs, &sig, &size);
-	printk("TPM_Quote: %d\n", rc);
+	rc = TPM_Quote(handle, data_to_quote, sel, (void*)&group->aik_authdata, &oiap, &pcrs, &sig, &size);
 
 	TPM_TerminateHandle(oiap.AuthHandle);
 	TPM_FlushSpecific(handle, TPM_RT_KEY);
@@ -306,16 +376,19 @@ int vtpm_do_quote(struct mem_group *group, const uuid_t uuid,
 		return rc;
 	if (size != 256) {
 		printk("Bad size\n");
-		return TPM_FAIL;
+		rc = TPM_FAIL;
+		goto end;
 	}
 
 	if (pcr_out) {
-		*pcr_size = pcrs.valueSize;
-		memcpy(pcr_out, pcrs.pcrValue, *pcr_size);
+		/*append TPM_PCRVALUEs after externData hashes*/
+		memcpy(pcr_out+*pcr_size, pcrs.pcrValue, pcrs.valueSize);
+		*pcr_size = *pcr_size + pcrs.valueSize;
 	}
 
 	memcpy(sig_out, sig, size);
 
+end:
 	free_TPM_PCR_COMPOSITE(&pcrs);
 	free(sig);
 
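Review bot: `memcpy(pcr_out+*pcr_size, pcrs.pcrValue, pcrs.valueSize);` reads *pcr_size, which the previous hunk assigns only when extra_info_flags is non-zero; with flags == 0 the offset is whatever the caller left in that variable, and vtpmmgr_GetQuote declares `uint32_t pcr_size;` without an initialiser. Set *pcr_size = 0 before the flags check whenever pcr_out is non-NULL. The addition on the void* pcr_out also relies on a GNU extension; cast to unsigned char* as the declarations at the top of the function already do.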
diff --git a/stubdom/vtpmmgr/mgmt_authority.h b/stubdom/vtpmmgr/mgmt_authority.h
index 1e96c8a..cdd06aa 100644
--- a/stubdom/vtpmmgr/mgmt_authority.h
+++ b/stubdom/vtpmmgr/mgmt_authority.h
@@ -5,7 +5,7 @@ struct mem_group *vtpm_new_group(const struct tpm_authdata *privCADigest);
 int group_do_activate(struct mem_group *group, void* blob, int blobSize,
 	void* resp, unsigned int *rlen);
 int vtpm_do_quote(struct mem_group *group, const uuid_t uuid,
-	const uint8_t* kern_hash, const struct tpm_authdata *data, TPM_PCR_SELECTION *sel,
+	const uint8_t* kern_hash, const struct tpm_authdata *data, TPM_PCR_SELECTION *sel, uint32_t extraInfoFlags,
 	void* pcr_out, uint32_t *pcr_size, void* sig_out);
 
 #endif
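Review bot: The prototype names the new parameter extraInfoFlags while the definition in mgmt_authority.c calls it extra_info_flags, and appending it to the existing line makes that line overly long; use the same name in both places and put the parameter on its own line, as the definition does.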
diff --git a/stubdom/vtpmmgr/vtpm_cmd_handler.c b/stubdom/vtpmmgr/vtpm_cmd_handler.c
index 13ead93..2ac14fa 100644
--- a/stubdom/vtpmmgr/vtpm_cmd_handler.c
+++ b/stubdom/vtpmmgr/vtpm_cmd_handler.c
@@ -282,9 +282,11 @@ static TPM_RESULT vtpmmgr_GetQuote(struct tpm_opaque *opq, tpmcmd_t* tpmcmd)
 	void *ibuf;
 	uint32_t pcr_size;
 	TPM_PCR_SELECTION sel;
+	uint32_t extra_info_flags;
 
 	UNPACK_IN(VPTR, &ibuf, 20, UNPACK_ALIAS);
 	UNPACK_IN(TPM_PCR_SELECTION, &sel, UNPACK_ALIAS);
+	UNPACK_IN(TPM_DEEP_QUOTE_INFO, &extra_info_flags);
 	UNPACK_DONE();
 
 	if (!opq->vtpm) {
@@ -297,7 +299,7 @@ static TPM_RESULT vtpmmgr_GetQuote(struct tpm_opaque *opq, tpmcmd_t* tpmcmd)
 		printk("%02x", ((uint8_t*)ibuf)[i]);
 	printk("\n");
 
-	status = vtpm_do_quote(opq->group, *opq->uuid, opq->kern_hash, ibuf, &sel, PACK_BUF + 256, &pcr_size, PACK_BUF);
+	status = vtpm_do_quote(opq->group, *opq->uuid, opq->kern_hash, ibuf, &sel, extra_info_flags, PACK_BUF + 256, &pcr_size, PACK_BUF);
 	if (status)
 		goto abort_egress;
 	tpmcmd->resp_len += 256 + pcr_size;
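Review bot: `tpmcmd->resp_len += 256 + pcr_size;` now covers up to four 20-byte hashes in addition to the PCR values written at PACK_BUF + 256, and nothing in this hunk checks that total against the space left in the response buffer; pass the remaining capacity to vtpm_do_quote() or check it before the call. pcr_size should also be initialised to 0 at its declaration, because vtpm_do_quote() adds to it rather than assigning it when flags is 0.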
@@ -529,6 +531,7 @@ static TPM_RESULT vtpmmgr_GroupRegister(tpmcmd_t* tpmcmd)
 	sha1_context ctx;
 	TPM_PCR_SELECTION sel;
 	void *dhkx1, *dhkx2, *gk, *sig;
+	uint32_t extra_info_flags = 0;
 
 	UNPACK_GROUP(group);
 	UNPACK_IN(VPTR, &dhkx1, 256, UNPACK_ALIAS);
@@ -567,7 +570,7 @@ static TPM_RESULT vtpmmgr_GroupRegister(tpmcmd_t* tpmcmd)
 	sha1_update(&ctx, dhkx2, 256 + 32);
 	sha1_finish(&ctx, digest.bits);
 
-	status = vtpm_do_quote(group, NULL, NULL, &digest, &sel, NULL, NULL, PACK_BUF);
+	status = vtpm_do_quote(group, NULL, NULL, &digest, &sel, extra_info_flags,NULL, NULL, PACK_BUF);
 	tpmcmd->resp_len += 256;
 
 	CMD_END;
diff --git a/stubdom/vtpmmgr/vtpm_manager.h b/stubdom/vtpmmgr/vtpm_manager.h
index 156c2ce..2d2109d 100644
--- a/stubdom/vtpmmgr/vtpm_manager.h
+++ b/stubdom/vtpmmgr/vtpm_manager.h
@@ -46,6 +46,12 @@
 // Header size
 #define VTPM_COMMAND_HEADER_SIZE ( 2 + 4 + 4)
 
+//************************ Command Params ***************************
+#define VTPM_QUOTE_FLAGS_HASH_UUID                  0x00000001
+#define VTPM_QUOTE_FLAGS_VTPM_MEASUREMENTS          0x00000002
+#define VTPM_QUOTE_FLAGS_GROUP_INFO                 0x00000004
+#define VTPM_QUOTE_FLAGS_GROUP_PUBKEY               0x00000008
+
 //************************ Command Codes ****************************
 #define VTPM_ORD_BASE       0x0000
 #define TPM_VENDOR_COMMAND  0x02000000 // TPM Main, part 2, section 17.
@@ -110,6 +116,23 @@
  * Get a hardware TPM quote for this vTPM.  The quote will use the AIK
  * associated with the group this vTPM was created in. Values specific to the
  * vTPM will be extended to certain resettable PCRs.
+ * Additional info can be included when creating the signature by using
+ * quoteSelect as PCR selection and by setting flags param. The externData
+ * param for TPM_Quote is calculated as:
+ * externData = SHA1 (
+ *       extraInfoFlags
+ *       requestData
+ *       [SHA1 (
+ *          [SHA1 (UUIDs if requested)]
+ *          [SHA1 (vTPM measurements if requested)]
+ *          [SHA1 (vTPM group update policy if requested)]
+ *          [SHA1 (vTPM group public key if requested)]
+ *       ) if flags !=0 ]
+ * )
+ * The response param pcrValues is an array containing requested hashes used
+ * for externData calculation : UUIDs, vTPM measurements, vTPM group update
+ * policy, group public key. At the end of these hashes the PCR values are
+ * appended.
  *
  * Input:
  *  TPM_TAG         tag          VTPM_TAG_REQ
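Review bot: The unchanged sentence just above the added text, "Values specific to the vTPM will be extended to certain resettable PCRs", no longer describes this command once vtpm_do_quote() stops calling do_pcr_setup(); update or remove it. The added description should also state the byte order in which extraInfoFlags enters the hash and say explicitly that the per-flag hashes appear in pcrValues in flag-bit order, because a verifier needs both to recompute externData.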
@@ -117,12 +140,14 @@
  *  UINT32          ordinal      VTPM_ORD_GET_QUOTE
  *  TPM_NONCE       externData   Data to be quoted
  *  PCR_SELECTION   quoteSelect  PCR selection for quote.
+ *  UINT32          flags        Bit mask of VTPM_QUOTE_FLAGS_*
  * Output:
  *  TPM_TAG         tag          VTPM_TAG_RSP
  *  UINT32          paramSize    total size
  *  UINT32          status       return code
  *  BYTE[]          signature    256 bytes of signature data
- *  TPM_PCRVALUE[]  pcrValues    Values of PCRs selected by the request
+ *  TPM_PCRVALUE[]  pcrValues    Values of additional SHA1 hashes requested,
+ *                               concatenated with PCRs selected by the request
  */
 #define VTPM_ORD_GET_QUOTE        (VTPM_ORD_BASE + 4)
 
-- 
2.1.0


* Re: [PATCH v2 1/2] vtpm: deep quote flags
  2015-04-14  9:08 ` [PATCH v2 1/2] vtpm: deep quote flags Emil Condrea
@ 2015-04-15 15:07   ` Daniel De Graaf
  2015-04-15 15:09     ` Emil Condrea
  0 siblings, 1 reply; 9+ messages in thread
From: Daniel De Graaf @ 2015-04-15 15:07 UTC (permalink / raw)
  To: Emil Condrea, xen-devel

On 04/14/2015 05:08 AM, Emil Condrea wrote:
> Currently, the flags are not interpreted by vTPM. They are just
> packed and sent to vtpmmgr.
>
> Signed-off-by: Emil Condrea <emilcondrea@gmail.com>

Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>

[...]
> +-	res = TPM_DeepQuote(&nonce, &myPCR, &ptPCR, &req->auth1, &sigSize, &sig);
> ++	res = TPM_DeepQuote(&nonce, &myPCR, &ptPCR, &req->auth1, extraInfoFlags,
> ++		&quote_blob_size, &quote_blob);
> + 	if (res != TPM_SUCCESS) return res;
> +-	rsp->paramSize = len = sigSize;
> ++		rsp->paramSize = len = quote_blob_size;

There's an extra tab at the start of this line.

-- 
Daniel De Graaf
National Security Agency


* Re: [PATCH v2 2/2] vtpmmgr: execute deep quote in locality 0
  2015-04-14  9:08 ` [PATCH v2 2/2] vtpmmgr: execute deep quote in locality 0 Emil Condrea
@ 2015-04-15 15:07   ` Daniel De Graaf
  0 siblings, 0 replies; 9+ messages in thread
From: Daniel De Graaf @ 2015-04-15 15:07 UTC (permalink / raw)
  To: Emil Condrea, xen-devel

On 04/14/2015 05:08 AM, Emil Condrea wrote:
> Enables deep quote execution for vtpmmgr which can not be started
> using locality 2. Flags are used to request additional data to be
> present when executing quote. They are interpreted as a bitmask of:
>   * VTPM_QUOTE_FLAGS_HASH_UUID
>   * VTPM_QUOTE_FLAGS_VTPM_MEASUREMENTS
>   * VTPM_QUOTE_FLAGS_GROUP_INFO
>   * VTPM_QUOTE_FLAGS_GROUP_PUBKEY
>
> The externData param for TPM_Quote is calculated as:
> externData = SHA1 (
>         extraInfoFlags
>         requestData
>         [SHA1 (
>            [SHA1 (UUIDs if requested)]
>            [SHA1 (vTPM measurements if requested)]
>            [SHA1 (vTPM group update policy if requested)]
>            [SHA1 (vTPM group public key if requested)]
>         ) if flags !=0 ]
> )
>
> The response param pcrValues is an array containing requested hashes used
> for externData calculation : UUIDs, vTPM measurements, vTPM group update
> policy, group public key. At the end of these hashes the PCR values are
> appended.
>
> Signed-off-by: Emil Condrea <emilcondrea@gmail.com>

Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>


* Re: [PATCH v2 1/2] vtpm: deep quote flags
  2015-04-15 15:07   ` Daniel De Graaf
@ 2015-04-15 15:09     ` Emil Condrea
  2015-04-15 15:34       ` Ian Campbell
  0 siblings, 1 reply; 9+ messages in thread
From: Emil Condrea @ 2015-04-15 15:09 UTC (permalink / raw)
  To: Daniel De Graaf; +Cc: xen-devel


Thanks! Should I remove it and resend the patches?

On Wed, Apr 15, 2015 at 6:07 PM, Daniel De Graaf <dgdegra@tycho.nsa.gov>
wrote:

> On 04/14/2015 05:08 AM, Emil Condrea wrote:
>
>> Currently, the flags are not interpreted by vTPM. They are just
>> packed and sent to vtpmmgr.
>>
>> Signed-off-by: Emil Condrea <emilcondrea@gmail.com>
>>
>
> Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
>
> [...]
>
>> +-      res = TPM_DeepQuote(&nonce, &myPCR, &ptPCR, &req->auth1,
>> &sigSize, &sig);
>> ++      res = TPM_DeepQuote(&nonce, &myPCR, &ptPCR, &req->auth1,
>> extraInfoFlags,
>> ++              &quote_blob_size, &quote_blob);
>> +       if (res != TPM_SUCCESS) return res;
>> +-      rsp->paramSize = len = sigSize;
>> ++              rsp->paramSize = len = quote_blob_size;
>>
>
> There's an extra tab at the start of this line.
>
> --
> Daniel De Graaf
> National Security Agency
>

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel


* Re: [PATCH v2 1/2] vtpm: deep quote flags
  2015-04-15 15:09     ` Emil Condrea
@ 2015-04-15 15:34       ` Ian Campbell
  2015-04-15 15:50         ` Ian Campbell
  0 siblings, 1 reply; 9+ messages in thread
From: Ian Campbell @ 2015-04-15 15:34 UTC (permalink / raw)
  To: Emil Condrea; +Cc: Daniel De Graaf, xen-devel

On Wed, 2015-04-15 at 18:09 +0300, Emil Condrea wrote:
> Thanks! Should it remove it and resend the patches ?

I'll do it on commit (which I'm about to do).

> 
> On Wed, Apr 15, 2015 at 6:07 PM, Daniel De Graaf
> <dgdegra@tycho.nsa.gov> wrote:
>         On 04/14/2015 05:08 AM, Emil Condrea wrote:
>                 Currently, the flags are not interpreted by vTPM. They
>                 are just
>                 packed and sent to vtpmmgr.
>                 
>                 Signed-off-by: Emil Condrea <emilcondrea@gmail.com>
>         
>         Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
>         
>         [...]
>                 +-      res = TPM_DeepQuote(&nonce, &myPCR, &ptPCR,
>                 &req->auth1, &sigSize, &sig);
>                 ++      res = TPM_DeepQuote(&nonce, &myPCR, &ptPCR,
>                 &req->auth1, extraInfoFlags,
>                 ++              &quote_blob_size, &quote_blob);
>                 +       if (res != TPM_SUCCESS) return res;
>                 +-      rsp->paramSize = len = sigSize;
>                 ++              rsp->paramSize = len =
>                 quote_blob_size;
>         
>         There's an extra tab at the start of this line.
>         
>         _______________________________________________
>         Xen-devel mailing list
>         Xen-devel@lists.xen.org
>         http://lists.xen.org/xen-devel
> 
> 


* Re: [PATCH v2 1/2] vtpm: deep quote flags
  2015-04-15 15:34       ` Ian Campbell
@ 2015-04-15 15:50         ` Ian Campbell
  2015-04-15 17:33           ` Emil Condrea
  0 siblings, 1 reply; 9+ messages in thread
From: Ian Campbell @ 2015-04-15 15:50 UTC (permalink / raw)
  To: Emil Condrea; +Cc: Daniel De Graaf, xen-devel

On Wed, 2015-04-15 at 16:34 +0100, Ian Campbell wrote:
> On Wed, 2015-04-15 at 18:09 +0300, Emil Condrea wrote:
> > Thanks! Should it remove it and resend the patches ?
> 
> I'll do it on commit (which I'm about to do).

Except:
stubdom/tpm_emulator-x86_64/tpm/tpm_cmd_handler.c: In function ‘execute_TPM_DeepQuote’:
stubdom/tpm_emulator-x86_64/tpm/tpm_cmd_handler.c:3366:3: error: expected expression before ‘||’ token
stubdom/tpm_emulator-x86_64/tpm/tpm_cmd_handler.c:3366:14: error: expected statement before ‘)’ token

Same on i386. I think there is an extra ) on the previous line. Did you
compile test this?

In any case I will now await v3.

Ian.



* Re: [PATCH v2 1/2] vtpm: deep quote flags
  2015-04-15 15:50         ` Ian Campbell
@ 2015-04-15 17:33           ` Emil Condrea
  0 siblings, 0 replies; 9+ messages in thread
From: Emil Condrea @ 2015-04-15 17:33 UTC (permalink / raw)
  To: Ian Campbell; +Cc: Daniel De Graaf, xen-devel


Strange! Of course I compiled it, but it seems that a rebuild
was needed in order to reapply the patch for the tpm emulator.
I will do both changes. After rebuilding vtpmmgr and vtpm I will
resend the patches.


On Wed, Apr 15, 2015 at 6:50 PM, Ian Campbell <ian.campbell@citrix.com>
wrote:

> On Wed, 2015-04-15 at 16:34 +0100, Ian Campbell wrote:
> > On Wed, 2015-04-15 at 18:09 +0300, Emil Condrea wrote:
> > > Thanks! Should it remove it and resend the patches ?
> >
> > I'll do it on commit (which I'm about to do).
>
> Except:
> stubdom/tpm_emulator-x86_64/tpm/tpm_cmd_handler.c: In function
> ‘execute_TPM_DeepQuote’:
> stubdom/tpm_emulator-x86_64/tpm/tpm_cmd_handler.c:3366:3: error: expected
> expression before ‘||’ token
> stubdom/tpm_emulator-x86_64/tpm/tpm_cmd_handler.c:3366:14: error: expected
> statement before ‘)’ token
>
> Same on i386. I think there is an extra ) On the previous line. Did you
> compile test this?
>
> In any case I will now await v3.
>
> Ian.
>
>
