Re: [PATCH v18 15/25] tss2: Add TPM2 Software Stack (TSS2) support

2024-08-26 Thread Gary Lin via Grub-devel 
On Thu, Aug 22, 2024 at 04:30:46PM +0200, Daniel Kiper wrote:
> On Fri, Jun 28, 2024 at 04:18:58PM +0800, Gary Lin via Grub-devel wrote:
> > A Trusted Platform Module (TPM) Software Stack (TSS) provides logic to
> > compose and submit TPM commands and parse reponses.
> >
> > A limited number of TPM commands may be accessed via the EFI TCG2
> > protocol. This protocol exposes functionality that is primarily geared
> > toward TPM usage within the context of Secure Boot. For all other TPM
> > commands, however, such as sealing and unsealing, this protocol does not
> > provide any help, with the exception of passthrough command submission.
> >
> > The SubmitCommand method allows a caller to send raw commands to the
> > system's TPM and to receive the corresponding response. These
> > command/response pairs are formatted using the TPM wire protocol. To
> > construct commands in this way, and to parse the TPM's response, it is
> > necessary to, first, possess knowledge of the various TPM structures, and,
> > second, of the TPM wire protocol itself.
> >
> > As such, this patch includes implementations of various TPM2_* functions
> > (inventoried below), and logic to write and read command and response
> > buffers, respectively, using the TPM wire protocol.
> >
> > Functions: TPM2_Create, TPM2_CreatePrimary, TPM2_EvictControl,
> > TPM2_FlushContext, TPM2_Load, TPM2_PCR_Read, TPM2_PolicyGetDigest,
> > TPM2_PolicyPCR, TPM2_ReadPublic, TPM2_StartAuthSession, TPM2_Unseal,
> > TPM2_LoadExternal, TPM2_Hash, TPM2_VerifySignature,
> > TPM2_PolicyAuthorize, TPM2_TestParms
> >
> > Cc: Stefan Berger 
> > Signed-off-by: Hernan Gatta 
> > Signed-off-by: Gary Lin 
> > ---
> >  grub-core/Makefile.core.def   |   11 +
> >  grub-core/lib/efi/tcg2.c  |  144 +
> >  grub-core/lib/tss2/tcg2.h |   35 ++
> >  grub-core/lib/tss2/tpm2_cmd.c | 1054 +
> >  grub-core/lib/tss2/tpm2_cmd.h |  157 +
> >  grub-core/lib/tss2/tss2.c |   21 +
> >  6 files changed, 1422 insertions(+)
> >  create mode 100644 grub-core/lib/efi/tcg2.c
> >  create mode 100644 grub-core/lib/tss2/tcg2.h
> >  create mode 100644 grub-core/lib/tss2/tpm2_cmd.c
> >  create mode 100644 grub-core/lib/tss2/tpm2_cmd.h
> >  create mode 100644 grub-core/lib/tss2/tss2.c
> >
> > diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
> > index 5ba9c8548..b1865d3e1 100644
> > --- a/grub-core/Makefile.core.def
> > +++ b/grub-core/Makefile.core.def
> > @@ -2567,6 +2567,17 @@ module = {
> >enable = efi;
> >  };
> >
> > +module = {
> > +  name = tss2;
> > +  common = lib/tss2/buffer.c;
> > +  common = lib/tss2/tss2_mu.c;
> > +  common = lib/tss2/tpm2_cmd.c;
> > +  common = lib/tss2/tss2.c;
> > +  efi = lib/efi/tcg2.c;
> > +  enable = efi;
> > +  cppflags = '-I$(srcdir)/lib/tss2';
> > +};
> > +
> >  module = {
> >name = tr;
> >common = commands/tr.c;
> > diff --git a/grub-core/lib/efi/tcg2.c b/grub-core/lib/efi/tcg2.c
> > new file mode 100644
> > index 0..b15546f62
> > --- /dev/null
> > +++ b/grub-core/lib/efi/tcg2.c
> > @@ -0,0 +1,144 @@
> > +/*
> > + *  GRUB  --  GRand Unified Bootloader
> > + *  Copyright (C) 2024 Free Software Foundation, Inc.
> > + *  Copyright (C) 2022 Microsoft Corporation
> 
> Wrong order... I will not comment these mistakes any longer but all of
> them have to fixed.
> 
Sorry for that. The order issues are fixed in my WIP branch.

> > + *  GRUB is free software: you can redistribute it and/or modify
> > + *  it under the terms of the GNU General Public License as published by
> > + *  the Free Software Foundation, either version 3 of the License, or
> > + *  (at your option) any later version.
> > + *
> > + *  GRUB is distributed in the hope that it will be useful,
> > + *  but WITHOUT ANY WARRANTY; without even the implied warranty of
> > + *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> > + *  GNU General Public License for more details.
> > + *
> > + *  You should have received a copy of the GNU General Public License
> > + *  along with GRUB.  If not, see .
> > + */
> > +
> > +#include 
> > +#include 
> > +#include 
> > +#include 
> > +
> > +#include 
> > +
> > +static grub_err_t
> > +grub_tcg2_get_caps (grub_efi_tpm2_protocol_t *protocol, int *tpm2,
> > +   grub_size_t *max_output_size)
> > +{
> > +  grub_efi_status_t status;
> > +  static int has_caps = 0;
> 
> Please use bool instead.
> 
Sure.

> > +  static EFI_TCG2_BOOT_SERVICE_CAPABILITY caps =
> > +  {
> > +.Size = (grub_uint8_t) sizeof (caps)
> > +  };
> > +
> > +  if (has_caps)
> > +goto exit;
> > +
> > +  status = protocol->get_capability (protocol, &caps);
> > +  if (status != GRUB_EFI_SUCCESS || !caps.TPMPresentFlag)
> > +return GRUB_ERR_FILE_NOT_FOUND;
> > +
> > +  has_caps = 1;
> > +
> > + exit:
> > +  if (tpm2 != NULL)
> > +*tpm2 = caps.TPMPresentFlag;
> > +  if (max_output_size != NULL)
> > +*max_output_size = caps.MaxResponseSize;

Re: [PATCH v18 15/25] tss2: Add TPM2 Software Stack (TSS2) support

2024-08-22 Thread Daniel Kiper 
On Fri, Jun 28, 2024 at 04:18:58PM +0800, Gary Lin via Grub-devel wrote:
> A Trusted Platform Module (TPM) Software Stack (TSS) provides logic to
> compose and submit TPM commands and parse reponses.
>
> A limited number of TPM commands may be accessed via the EFI TCG2
> protocol. This protocol exposes functionality that is primarily geared
> toward TPM usage within the context of Secure Boot. For all other TPM
> commands, however, such as sealing and unsealing, this protocol does not
> provide any help, with the exception of passthrough command submission.
>
> The SubmitCommand method allows a caller to send raw commands to the
> system's TPM and to receive the corresponding response. These
> command/response pairs are formatted using the TPM wire protocol. To
> construct commands in this way, and to parse the TPM's response, it is
> necessary to, first, possess knowledge of the various TPM structures, and,
> second, of the TPM wire protocol itself.
>
> As such, this patch includes implementations of various TPM2_* functions
> (inventoried below), and logic to write and read command and response
> buffers, respectively, using the TPM wire protocol.
>
> Functions: TPM2_Create, TPM2_CreatePrimary, TPM2_EvictControl,
> TPM2_FlushContext, TPM2_Load, TPM2_PCR_Read, TPM2_PolicyGetDigest,
> TPM2_PolicyPCR, TPM2_ReadPublic, TPM2_StartAuthSession, TPM2_Unseal,
> TPM2_LoadExternal, TPM2_Hash, TPM2_VerifySignature,
> TPM2_PolicyAuthorize, TPM2_TestParms
>
> Cc: Stefan Berger 
> Signed-off-by: Hernan Gatta 
> Signed-off-by: Gary Lin 
> ---
>  grub-core/Makefile.core.def   |   11 +
>  grub-core/lib/efi/tcg2.c  |  144 +
>  grub-core/lib/tss2/tcg2.h |   35 ++
>  grub-core/lib/tss2/tpm2_cmd.c | 1054 +
>  grub-core/lib/tss2/tpm2_cmd.h |  157 +
>  grub-core/lib/tss2/tss2.c |   21 +
>  6 files changed, 1422 insertions(+)
>  create mode 100644 grub-core/lib/efi/tcg2.c
>  create mode 100644 grub-core/lib/tss2/tcg2.h
>  create mode 100644 grub-core/lib/tss2/tpm2_cmd.c
>  create mode 100644 grub-core/lib/tss2/tpm2_cmd.h
>  create mode 100644 grub-core/lib/tss2/tss2.c
>
> diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
> index 5ba9c8548..b1865d3e1 100644
> --- a/grub-core/Makefile.core.def
> +++ b/grub-core/Makefile.core.def
> @@ -2567,6 +2567,17 @@ module = {
>enable = efi;
>  };
>
> +module = {
> +  name = tss2;
> +  common = lib/tss2/buffer.c;
> +  common = lib/tss2/tss2_mu.c;
> +  common = lib/tss2/tpm2_cmd.c;
> +  common = lib/tss2/tss2.c;
> +  efi = lib/efi/tcg2.c;
> +  enable = efi;
> +  cppflags = '-I$(srcdir)/lib/tss2';
> +};
> +
>  module = {
>name = tr;
>common = commands/tr.c;
> diff --git a/grub-core/lib/efi/tcg2.c b/grub-core/lib/efi/tcg2.c
> new file mode 100644
> index 0..b15546f62
> --- /dev/null
> +++ b/grub-core/lib/efi/tcg2.c
> @@ -0,0 +1,144 @@
> +/*
> + *  GRUB  --  GRand Unified Bootloader
> + *  Copyright (C) 2024 Free Software Foundation, Inc.
> + *  Copyright (C) 2022 Microsoft Corporation

Wrong order... I will not comment these mistakes any longer but all of
them have to fixed.

> + *  GRUB is free software: you can redistribute it and/or modify
> + *  it under the terms of the GNU General Public License as published by
> + *  the Free Software Foundation, either version 3 of the License, or
> + *  (at your option) any later version.
> + *
> + *  GRUB is distributed in the hope that it will be useful,
> + *  but WITHOUT ANY WARRANTY; without even the implied warranty of
> + *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> + *  GNU General Public License for more details.
> + *
> + *  You should have received a copy of the GNU General Public License
> + *  along with GRUB.  If not, see .
> + */
> +
> +#include 
> +#include 
> +#include 
> +#include 
> +
> +#include 
> +
> +static grub_err_t
> +grub_tcg2_get_caps (grub_efi_tpm2_protocol_t *protocol, int *tpm2,
> + grub_size_t *max_output_size)
> +{
> +  grub_efi_status_t status;
> +  static int has_caps = 0;

Please use bool instead.

> +  static EFI_TCG2_BOOT_SERVICE_CAPABILITY caps =
> +  {
> +.Size = (grub_uint8_t) sizeof (caps)
> +  };
> +
> +  if (has_caps)
> +goto exit;
> +
> +  status = protocol->get_capability (protocol, &caps);
> +  if (status != GRUB_EFI_SUCCESS || !caps.TPMPresentFlag)
> +return GRUB_ERR_FILE_NOT_FOUND;
> +
> +  has_caps = 1;
> +
> + exit:
> +  if (tpm2 != NULL)
> +*tpm2 = caps.TPMPresentFlag;
> +  if (max_output_size != NULL)
> +*max_output_size = caps.MaxResponseSize;
> +
> +  return GRUB_ERR_NONE;
> +}

[...]

> diff --git a/grub-core/lib/tss2/tpm2_cmd.c b/grub-core/lib/tss2/tpm2_cmd.c
> new file mode 100644
> index 0..5de886655
> --- /dev/null
> +++ b/grub-core/lib/tss2/tpm2_cmd.c
> @@ -0,0 +1,1054 @@
> +/*
> + *  GRUB  --  GRand Unified Bootloader
> + *  Copyright (C) 2024 Free Software Foundation, Inc.
> + *  Copyright (C) 2022 Microsof

[PATCH v18 15/25] tss2: Add TPM2 Software Stack (TSS2) support

2024-06-28 Thread Gary Lin via Grub-devel 
A Trusted Platform Module (TPM) Software Stack (TSS) provides logic to
compose and submit TPM commands and parse reponses.

A limited number of TPM commands may be accessed via the EFI TCG2
protocol. This protocol exposes functionality that is primarily geared
toward TPM usage within the context of Secure Boot. For all other TPM
commands, however, such as sealing and unsealing, this protocol does not
provide any help, with the exception of passthrough command submission.

The SubmitCommand method allows a caller to send raw commands to the
system's TPM and to receive the corresponding response. These
command/response pairs are formatted using the TPM wire protocol. To
construct commands in this way, and to parse the TPM's response, it is
necessary to, first, possess knowledge of the various TPM structures, and,
second, of the TPM wire protocol itself.

As such, this patch includes implementations of various TPM2_* functions
(inventoried below), and logic to write and read command and response
buffers, respectively, using the TPM wire protocol.

Functions: TPM2_Create, TPM2_CreatePrimary, TPM2_EvictControl,
TPM2_FlushContext, TPM2_Load, TPM2_PCR_Read, TPM2_PolicyGetDigest,
TPM2_PolicyPCR, TPM2_ReadPublic, TPM2_StartAuthSession, TPM2_Unseal,
TPM2_LoadExternal, TPM2_Hash, TPM2_VerifySignature,
TPM2_PolicyAuthorize, TPM2_TestParms

Cc: Stefan Berger 
Signed-off-by: Hernan Gatta 
Signed-off-by: Gary Lin 
---
 grub-core/Makefile.core.def   |   11 +
 grub-core/lib/efi/tcg2.c  |  144 +
 grub-core/lib/tss2/tcg2.h |   35 ++
 grub-core/lib/tss2/tpm2_cmd.c | 1054 +
 grub-core/lib/tss2/tpm2_cmd.h |  157 +
 grub-core/lib/tss2/tss2.c |   21 +
 6 files changed, 1422 insertions(+)
 create mode 100644 grub-core/lib/efi/tcg2.c
 create mode 100644 grub-core/lib/tss2/tcg2.h
 create mode 100644 grub-core/lib/tss2/tpm2_cmd.c
 create mode 100644 grub-core/lib/tss2/tpm2_cmd.h
 create mode 100644 grub-core/lib/tss2/tss2.c

diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index 5ba9c8548..b1865d3e1 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -2567,6 +2567,17 @@ module = {
   enable = efi;
 };
 
+module = {
+  name = tss2;
+  common = lib/tss2/buffer.c;
+  common = lib/tss2/tss2_mu.c;
+  common = lib/tss2/tpm2_cmd.c;
+  common = lib/tss2/tss2.c;
+  efi = lib/efi/tcg2.c;
+  enable = efi;
+  cppflags = '-I$(srcdir)/lib/tss2';
+};
+
 module = {
   name = tr;
   common = commands/tr.c;
diff --git a/grub-core/lib/efi/tcg2.c b/grub-core/lib/efi/tcg2.c
new file mode 100644
index 0..b15546f62
--- /dev/null
+++ b/grub-core/lib/efi/tcg2.c
@@ -0,0 +1,144 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2024 Free Software Foundation, Inc.
+ *  Copyright (C) 2022 Microsoft Corporation
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see .
+ */
+
+#include 
+#include 
+#include 
+#include 
+
+#include 
+
+static grub_err_t
+grub_tcg2_get_caps (grub_efi_tpm2_protocol_t *protocol, int *tpm2,
+   grub_size_t *max_output_size)
+{
+  grub_efi_status_t status;
+  static int has_caps = 0;
+  static EFI_TCG2_BOOT_SERVICE_CAPABILITY caps =
+  {
+.Size = (grub_uint8_t) sizeof (caps)
+  };
+
+  if (has_caps)
+goto exit;
+
+  status = protocol->get_capability (protocol, &caps);
+  if (status != GRUB_EFI_SUCCESS || !caps.TPMPresentFlag)
+return GRUB_ERR_FILE_NOT_FOUND;
+
+  has_caps = 1;
+
+ exit:
+  if (tpm2 != NULL)
+*tpm2 = caps.TPMPresentFlag;
+  if (max_output_size != NULL)
+*max_output_size = caps.MaxResponseSize;
+
+  return GRUB_ERR_NONE;
+}
+
+static grub_err_t
+grub_tcg2_get_protocol (grub_efi_tpm2_protocol_t **protocol)
+{
+  static grub_guid_t tpm2_guid = EFI_TPM2_GUID;
+  static grub_efi_tpm2_protocol_t *tpm2_protocol = NULL;
+  int tpm2;
+  grub_efi_handle_t *handles;
+  grub_efi_uintn_t num_handles;
+  grub_efi_handle_t tpm2_handle;
+  grub_err_t err = GRUB_ERR_FILE_NOT_FOUND;
+
+  if (tpm2_protocol != NULL)
+{
+  *protocol = tpm2_protocol;
+  return GRUB_ERR_NONE;
+}
+
+  handles = grub_efi_locate_handle (GRUB_EFI_BY_PROTOCOL, &tpm2_guid, NULL,
+   &num_handles);
+  if (handles == NULL || num_handles == 0)
+return err;
+
+  tpm2_handle = handles[0];
+
+  tpm2_protocol = grub_efi_open_protocol (tpm2_handle, &tpm2_guid,
+