
[PATCH 07/14] stubdom/vtpm: Add locality-5 PCRs
This defines new PCRs (24-31) that are restricted to locality 5, which
can be used by an agent outside a domain to record information about its
measurements and activity. These PCRs cannot be initialized from the
hardware TPM (since most hardware TPMs do not define PCR 24+).

This definition may need to be changed in the future, as the TCG's VTPM
working group is working to define the meaning of PCRs above 23 on a
vTPM; the existing PC-client specification allows these PCRs to be
implementation-defined.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
---
stubdom/Makefile | 1 +
stubdom/vtpm-locality5-pcrs.patch | 33 +++++++++++++++++++++++++++++++++
stubdom/vtpm/README | 15 ++++++++++++++-
stubdom/vtpm/vtpm.c | 8 ++++----
stubdom/vtpm/vtpm_pcrs.h | 6 +++---
5 files changed, 55 insertions(+), 8 deletions(-)
create mode 100644 stubdom/vtpm-locality5-pcrs.patch

diff --git a/stubdom/Makefile b/stubdom/Makefile
index 95e10f3..a657fd2 100644
--- a/stubdom/Makefile
+++ b/stubdom/Makefile
@@ -209,6 +209,7 @@ tpm_emulator-$(XEN_TARGET_ARCH): tpm_emulator-$(TPMEMU_VERSION).tar.gz
patch -d $@ -p1 < tpmemu-$(TPMEMU_VERSION).patch;
patch -d $@ -p1 < vtpm-bufsize.patch
patch -d $@ -p1 < vtpm-locality.patch
+ patch -d $@ -p1 < vtpm-locality5-pcrs.patch
mkdir $@/build
cd $@/build; $(CMAKE) .. -DCMAKE_C_COMPILER=${CC} -DCMAKE_C_FLAGS="-std=c99 -DTPM_NO_EXTERN $(TARGET_CPPFLAGS) $(TARGET_CFLAGS) -Wno-declaration-after-statement"
touch $@
diff --git a/stubdom/vtpm-locality5-pcrs.patch b/stubdom/vtpm-locality5-pcrs.patch
new file mode 100644
index 0000000..f697035
--- /dev/null
+++ b/stubdom/vtpm-locality5-pcrs.patch
@@ -0,0 +1,33 @@
+diff --git a/tpm/tpm_data.c b/tpm/tpm_data.c
+index 50c9697..d8cac09 100644
+--- a/tpm/tpm_data.c
++++ b/tpm/tpm_data.c
+@@ -151,9 +151,12 @@ void tpm_init_data(void)
+ init_pcr_attr(22, TRUE, 0x04, 0x04);
+ init_pcr_attr(23, TRUE, 0x1f, 0x1f);
+ }
+- for (i = 24; i < TPM_NUM_PCR; i++) {
+- init_pcr_attr(i, TRUE, 0x00, 0x00);
+- }
++ for (i = 24; i < 28 && i < TPM_NUM_PCR; i++)
++ init_pcr_attr(i, FALSE, 0x00, 0x20);
++ for (i = 28; i < 32 && i < TPM_NUM_PCR; i++)
++ init_pcr_attr(i, TRUE, 0x20, 0x20);
++ for (i = 32; i < TPM_NUM_PCR; i++)
++ init_pcr_attr(i, FALSE, 0x00, 0xC0);
+ if (tpmConf & TPM_CONF_GENERATE_EK) {
+ /* generate a new endorsement key */
+ tpm_rsa_generate_key(&tpmData.permanent.data.endorsementKey, 2048);
+diff --git a/tpm/tpm_structures.h b/tpm/tpm_structures.h
+index f746c05..08cef1e 100644
+--- a/tpm/tpm_structures.h
++++ b/tpm/tpm_structures.h
+@@ -676,7 +676,7 @@ typedef struct tdTPM_CMK_MA_APPROVAL {
+ /*
+ * Number of PCRs of the TPM (must be a multiple of eight)
+ */
+-#define TPM_NUM_PCR 24
++#define TPM_NUM_PCR 32
+
+ /*
+ * TPM_PCR_SELECTION ([TPM_Part2], Section 8.1)
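Review bot: The three `init_pcr_attr` loops added to tpm_init_data carry no comment explaining their attribute values, and the third loop (`i = 32` onward, extend mask 0xC0) is unreachable while TPM_NUM_PCR is 32 and encodes localities that neither the commit message nor the README mention. The arguments appear to be the reset flag followed by the reset and extend locality bitmasks, so 0x20 would be locality 5 as the description says; a comment such as `/* PCRs 24-27: not resettable, extendable only from locality 5; PCRs 28-31: resettable and extendable from locality 5 only */` would make the 24-27 vs 28-31 split visible, since the commit message presents 24-31 as one uniform group. Either document the intent of the `i >= 32` loop (0xC0 would be localities 6 and 7) or drop it until TPM_NUM_PCR grows. The loop being replaced used braces; the new single-statement loops omit them, departing from the surrounding style in tpm_init_data.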
diff --git a/stubdom/vtpm/README b/stubdom/vtpm/README
index 11bdacb..b0bd8f9 100644
--- a/stubdom/vtpm/README
+++ b/stubdom/vtpm/README
@@ -1,7 +1,7 @@
Copyright (c) 2010-2012 United States Government, as represented by
the Secretary of Defense. All rights reserved.
November 12 2012
-Authors: Matthew Fioravante (JHUAPL),
+Authors: Matthew Fioravante (JHUAPL), Daniel De Graaf (NSA)

This document describes the operation and command line interface
of vtpm-stubdom. See docs/misc/vtpm.txt for details on the
@@ -68,6 +68,19 @@ hwinitpcr=<PCRSPEC>: Initialize the virtual Platform Configuration Registers
will copy pcrs 5, 12, 13, 14, 15, and 16.

------------------------------
+VIRTUAL-TPM SPECIFIC FEATURES
+------------------------------
+
+The virtual TPM emulator provides some extensions to the TPM specification that
+are useful in a virtualized environment. The featues added to the emulator are:
+
+ * Support for specifying localities beyond the standard 0-4
+ * Extended PCRs 24-31 that can only be extended by locality 5
+
+Locality 5 is intended for use by a measurement agent running outside the
+primary domain using the VM.
+
+------------------------------
REFERENCES
------------------------------

diff --git a/stubdom/vtpm/vtpm.c b/stubdom/vtpm/vtpm.c
index eb7912f..aaf1a24 100644
--- a/stubdom/vtpm/vtpm.c
+++ b/stubdom/vtpm/vtpm.c
@@ -253,18 +253,18 @@ int parse_cmd_line(int argc, char** argv)
opt_args.hwinitpcrs = VTPM_PCRNONE;
} else if(sscanf(pch, "%u", &v1) == 1) {
//Set one
- if(v1 >= TPM_NUM_PCR) {
+ if(v1 >= VTPM_NUMPCRS) {
error("hwinitpcr error: Invalid PCR index %u", v1);
return -1;
}
opt_args.hwinitpcrs |= (1 << v1);
} else if(sscanf(pch, "%u-%u", &v1, &v2) == 2) {
//Set range
- if(v1 >= TPM_NUM_PCR) {
+ if(v1 >= VTPM_NUMPCRS) {
error("hwinitpcr error: Invalid PCR index %u", v1);
return -1;
}
- if(v2 >= TPM_NUM_PCR) {
+ if(v2 >= VTPM_NUMPCRS) {
error("hwinitpcr error: Invalid PCR index %u", v1);
return -1;
}
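Review bot: The range check at the `v2 >= VTPM_NUMPCRS` line reports the wrong index: the error() call beneath it prints v1 although v2 is the value that failed, so a user who writes `0-40` is told PCR 0 is invalid. The check is rewritten by this commit, so correcting the message alongside it is cheap: `error("hwinitpcr error: Invalid PCR index %u", v2);`. Bounding hardware initialization at VTPM_NUMPCRS (24) rather than TPM_NUM_PCR is consistent with the commit message's statement that PCRs 24-31 cannot be initialized from the hardware TPM, but nothing in the code says why the two constants differ; a one-line comment above the first changed check, `/* only PCRs 0-23 can be seeded from the hardware TPM; 24+ are vTPM-only */`, would record that. parse_cmd_line begins and ends outside this hunk.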
@@ -312,7 +312,7 @@ int parse_cmd_line(int argc, char** argv)

pcrstr[0] = '\0';
info("The following PCRs will be initialized with values from the hardware TPM:");
- for(unsigned int i = 0; i < TPM_NUM_PCR; ++i) {
+ for(unsigned int i = 0; i < VTPM_NUMPCRS; ++i) {
if(opt_args.hwinitpcrs & (1 << i)) {
ptr += sprintf(ptr, "%u, ", i);
}
diff --git a/stubdom/vtpm/vtpm_pcrs.h b/stubdom/vtpm/vtpm_pcrs.h
index 11835f9..bd9068c 100644
--- a/stubdom/vtpm/vtpm_pcrs.h
+++ b/stubdom/vtpm/vtpm_pcrs.h
@@ -40,11 +40,11 @@
#define VTPM_PCR22 1 << 22
#define VTPM_PCR23 1 << 23

-#define VTPM_PCRALL (1 << TPM_NUM_PCR) - 1
-#define VTPM_PCRNONE 0
-
#define VTPM_NUMPCRS 24

+#define VTPM_PCRALL (1 << VTPM_NUMPCRS) - 1
+#define VTPM_PCRNONE 0
+
struct tpmfront_dev;

TPM_RESULT vtpm_initialize_hw_pcrs(struct tpmfront_dev* tpmfront_dev, unsigned long pcrs);
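Review bot: The rewritten `VTPM_PCRALL` definition still lacks outer parentheses, so its expansion `(1 << VTPM_NUMPCRS) - 1` changes meaning under a higher-precedence neighbour: `~VTPM_PCRALL` becomes `~(1 << 24) - 1` rather than the complement of the mask. Since the macro is being moved and retyped anyway, define it as `#define VTPM_PCRALL ((1 << VTPM_NUMPCRS) - 1)`. The neighbouring `VTPM_PCRnn` macros have the same unparenthesised shape but are only context in this hunk.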
--
1.7.11.7

