# HG changeset patch
# User Seunghun Han <kkama...@gmail.com>
# Date 1520967280 -32400
#      Wed Mar 14 03:54:40 2018 +0900
# Node ID 7479fd963976b796ca486b0a9690aa70917f67a5
# Parent  59086d17f60d5649906a7eb8ed939cefb60f9dee
[tboot-devel]Fix unseal failure when the system wakes up after sleep mode.

I'm a senior security researcher at National Security Research Institute of
South Korea.

The current implementation of tboot does not select the correct locality for
TPM 1.2; as a result, unseal fails and the PCRs are not restored when the
system wakes up from sleep mode.

The txt-stat messages are as follows.
>TBOOT: PCRs before unseal:
>TBOOT:   PCR 17: b5 e8 37 3e 1c 21 88 25 70 4e cf fd 29 ce 4f 5e 55 ce a0 22
>TBOOT:   PCR 18: 1b 49 9b e1 38 2f a2 d3 9d ba 14 d8 32 aa 8f 4a 20 b6 a2 be
>TBOOT: verifying pre_k_s3_state
>TBOOT: TPM: unseal data, return value = 0000003D
>TBOOT: failed to unseal blob
>TBOOT: TPM: Pcr 18 extend, return value = 0000003D
>TBOOT: creation or verification of S3 measurements failed.

To fix this bug, I added locality selection code to tpm12_init() function in
tpm_12.c file.
The tpm20_init() function in tpm_20.c file already has locality selection code,
therefore I just added it to tpm12_init() function.

diff -r 59086d17f60d -r 7479fd963976 tboot/common/tpm_12.c
--- a/tboot/common/tpm_12.c     Sun Feb 18 08:08:30 2018 -0800
+++ b/tboot/common/tpm_12.c     Wed Mar 14 03:54:40 2018 +0900
@@ -1671,6 +1671,12 @@
     if ( ti == NULL )
         return false;
 
+    if (!txt_is_launched())
+        ti->cur_loc = 0;
+    else
+        ti->cur_loc = 2;
+ 
+
     locality = ti->cur_loc;
     if ( !tpm_validate_locality(locality) ) {
         printk(TBOOT_WARN"TPM is not available.\n");
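Review bot: The locality set by the added `if (!txt_is_launched())` block is a bare `0`/`2` with no explanation, and the same four lines now sit in both tpm12_init() and tpm20_init(), where they can drift apart. I would put a comment above it, for example `/* TXT launched: use locality 2 so PCR 17/18 and the sealed S3 blob are reachable; otherwise locality 0 */`, with the wording checked against the seal path, which this hunk does not show. The 0x3D returned by unseal and by the PCR 18 extend in the log is presumably TPM_BAD_LOCALITY, and naming it in the comment would tie the fix to the symptom. A small shared helper for the selection would keep the TPM 1.2 and 2.0 paths in step. The added lines also use `if (...)` where the surrounding code writes `if ( ... )`, and they leave a whitespace-only line and an extra blank line before `locality = ti->cur_loc;`; the function itself starts and ends outside the hunk.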
diff -r 59086d17f60d -r 7479fd963976 tboot/common/tpm_20.c
--- a/tboot/common/tpm_20.c     Sun Feb 18 08:08:30 2018 -0800
+++ b/tboot/common/tpm_20.c     Wed Mar 14 03:54:40 2018 +0900
@@ -2482,13 +2482,13 @@
     unsigned int i;
     tpm_info_list_t *info_list = get_tpm_info_list(g_sinit);
  
-   if ( ti == NULL )
+    if ( ti == NULL )
         return false;
    
-   if (!txt_is_launched())
-                ti->cur_loc = 0;
-     else
-                ti->cur_loc = 2;
+    if (!txt_is_launched())
+        ti->cur_loc = 0;
+    else
+        ti->cur_loc = 2;
    
 
     /* init version */
