From: Tergel Myanganbayar <tergel@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: Tergel Myanganbayar <tergel@linux.ibm.com>,
	Mimi Zohar <zohar@linux.ibm.com>, Petr Vorel <pvorel@suse.cz>,
	Stefan Berger <stefanb@linux.ibm.com>,
	Tergel Myanganbayar <tergel@u.northwestern.edu>
Subject: [PATCH ima-evm-utils] add support for reading per bank TPM 2.0 PCRs via sysfs
Date: Fri,  2 Sep 2022 19:08:15 -0400	[thread overview]
Message-ID: <20220902230815.35448-1-tergel@linux.ibm.com> (raw)

Until Linux kernel version 5.11, a TSS was required to read TPM 2.0 PCR
values. Newer kernels expose the per-bank TPM 2.0 PCRs directly via
sysfs (/sys/class/tpm/tpm0/pcr-sha<N>/<index>).

Use this feature in ima-evm-utils to read the PCRs without a TSS where
the kernel provides those files, falling back to the existing TSS-based
path otherwise.

Signed-off-by: Tergel Myanganbayar <tergel@linux.ibm.com>
---
 src/evmctl.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)

diff --git a/src/evmctl.c b/src/evmctl.c
index 46a34cc..d5fe988 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1899,6 +1899,7 @@ static int read_one_bank(struct tpm_bank_info *tpm_bank, FILE *fp)
 
 static char *pcrs = "/sys/class/tpm/tpm0/device/pcrs";  /* Kernels >= 4.0 */
 static char *misc_pcrs = "/sys/class/misc/tpm0/device/pcrs";
+static char tpm2_pcr_path[28] = "/sys/class/tpm/tpm0/pcr-sha";
 
 /* Read one of the TPM 1.2 sysfs files if present */
 static int read_sysfs_pcrs(int num_banks, struct tpm_bank_info *tpm_banks)
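Review bot: The new `tpm2_pcr_path` array is sized by hand to 28, which is exactly strlen("/sys/class/tpm/tpm0/pcr-sha") + 1; if the literal is ever lengthened by one character the initializer still compiles in C but the array silently loses its NUL terminator, and the `%s` that formats it in read_tpm2_one_bank then runs off the end. The buffer is never written, so it need not be writable either. Let the compiler size it and make it const: `static const char tpm2_pcr_path[] = "/sys/class/tpm/tpm0/pcr-sha";  /* per-bank PCR files, kernels newer than 5.11 */`, which also matches the comment style on the `pcrs` line above it.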
@@ -1922,7 +1923,55 @@ static int read_sysfs_pcrs(int num_banks, struct tpm_bank_info *tpm_banks)
 	for (i = 1; i < num_banks; i++)
 		tpm_banks[i].supported = 0;
 	return 0;
+}
+
+static int read_tpm2_one_bank(struct tpm_bank_info *tpm_bank, int bank)
+{
+	FILE *fp;
+	char file_name[NAME_MAX];
+	char digest[MAX_DIGEST_SIZE + 1];
+	char *p;
+	int i;
+
+	for (i = 0; i < NUM_PCRS; i++) {
+		sprintf(file_name, "%s%d/%d", tpm2_pcr_path, bank, i);
+		fp = fopen(file_name, "r");
+		if (!fp)
+			return -1;
+
+		p = fgets(digest, (tpm_bank->digest_size * 2 + 1), fp);
+		if (!p)
+			return -1;
+
+		hex2bin(tpm_bank->pcr[i], digest, tpm_bank->digest_size);
+		fclose(fp);
+	}
+	return 0;
+}
+
+static int read_sysfs_tpm2_pcrs(int num_banks, struct tpm_bank_info *tpm_banks)
+{
+	int banks[2] = {1, 256};
+	int rt, j;
+	int tpm_enabled = 0;
 
+	if (imaevm_params.verbose > LOG_INFO)
+		log_info("Trying to read TPM 2.0 PCRs via sysfs.\n");
+
+	for (j = 0; j < num_banks; j++) {
+		rt = read_tpm2_one_bank(&tpm_banks[j], banks[j]);
+		tpm_banks[j].supported = 0;
+
+		if (rt < 0)
+			continue;
+
+		tpm_enabled = 1;
+		tpm_banks[j].supported = 1;
+	}
+
+	if (tpm_enabled == 0)
+		return -1;
+	return 0;
 }
 
 /* Read PCRs from per-bank file(s) specified via --pcrs */
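Review bot: In read_tpm2_one_bank the stream opened by fopen() is leaked on the fgets failure path — the `return -1` under `if (!p)` runs before fclose(), so every empty or unreadable pcr file leaks a FILE. The `digest` buffer is `MAX_DIGEST_SIZE + 1` bytes but receives a hex string of `digest_size * 2` characters, so the two limits only agree while `digest_size * 2 <= MAX_DIGEST_SIZE` (I cannot see MAX_DIGEST_SIZE's value from here); sizing it `MAX_DIGEST_SIZE * 2 + 1` and passing `sizeof(digest)` to fgets removes that coupling, and the unbounded `sprintf` into `file_name` should become an `snprintf` with a truncation check. In read_sysfs_tpm2_pcrs, `banks[2]` is indexed by `j < num_banks`, which reads past the array if a caller ever passes more than two banks — either bound the loop, `for (j = 0; j < num_banks && j < (int)(sizeof(banks) / sizeof(banks[0])); j++)`, or derive the sysfs directory from `tpm_banks[j].algo_name` so sha384/sha512 banks are not silently skipped (presumably algo_name matches the kernel's `pcr-<algo>` naming — verify before relying on it).
```c
static int read_tpm2_one_bank(struct tpm_bank_info *tpm_bank, int bank)
{
	FILE *fp;
	char file_name[NAME_MAX];
	char digest[MAX_DIGEST_SIZE * 2 + 1];	/* hex form: two chars per byte */
	int i, n;

	for (i = 0; i < NUM_PCRS; i++) {
		n = snprintf(file_name, sizeof(file_name), "%s%d/%d",
			     tpm2_pcr_path, bank, i);
		if (n < 0 || (size_t)n >= sizeof(file_name))
			return -1;

		fp = fopen(file_name, "r");
		if (!fp)
			return -1;

		if (!fgets(digest, sizeof(digest), fp)) {
			fclose(fp);	/* don't leak the stream on a short read */
			return -1;
		}
		fclose(fp);

		hex2bin(tpm_bank->pcr[i], digest, tpm_bank->digest_size);
	}
	return 0;
}
/* … unchanged: read_sysfs_tpm2_pcrs, apart from the bounded loop quoted above … */
```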
@@ -2008,6 +2057,9 @@ static int read_tpm_banks(int num_banks, struct tpm_bank_info *bank)
 	if (read_sysfs_pcrs(num_banks, bank) == 0)
 		return 0;
 
+	if (read_sysfs_tpm2_pcrs(num_banks, bank) == 0)
+		return 0;
+
 	/* Any userspace applications available for reading TPM 2.0 PCRs? */
 	if (!tpm2_pcr_supported()) {
 		log_debug("Failed to read TPM 2.0 PCRs\n");
@@ -2024,6 +2076,7 @@ static int read_tpm_banks(int num_banks, struct tpm_bank_info *bank)
 					    bank[i].pcr[pcr_handle],
 					    bank[i].digest_size,
 					    &errmsg);
+			bank[i].supported = 1;
 			if (err) {
 				log_debug("Failed to read %s PCRs: (%s)\n",
 					  bank[i].algo_name, errmsg);
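Review bot: The added `bank[i].supported = 1` sits inside the per-PCR loop and before the `if (err)` test, so it is re-executed for every PCR and is only correct if the error branch (whose remainder is outside the hunk) clears the flag again; setting it once before the PCR loop (the loop header is also outside the hunk) expresses the per-bank intent better. The assignment appears to be needed only because read_sysfs_tpm2_pcrs clears `supported` on every bank before it knows whether the sysfs files exist at all and then returns -1 with the flags already cleared; if that function left `supported` untouched until a bank had actually been read, this hunk would be unnecessary. Failing that, a comment here such as `/* re-assert: read_sysfs_tpm2_pcrs() cleared this when the sysfs path was unavailable */` would stop a later reader from removing the line.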
-- 
2.32.1 (Apple Git-133)


2022-09-02 23:08 Tergel Myanganbayar [this message]
2022-09-03  1:54 ` [PATCH ima-evm-utils] add support for reading per bank TPM 2.0 PCRs via sysfs Stefan Berger
2022-09-04 17:08   ` Mimi Zohar
