sandbox: tpm: Support extending a PCR multiple times

It is fairly easy to handle this case and it makes the emulator more
useful, since PCRs are commonly extended several times.

Add support for this, using U-Boot's sha256 support.

For now sandbox only supports a single PCR, but that is enough for the
tests that currently exist.

Signed-off-by: Simon Glass <sjg@chromium.org>

diff --git a/drivers/tpm/tpm2_tis_sandbox.c b/drivers/tpm/tpm2_tis_sandbox.c
index 3c4bbcdf2eee151df875e0d0347cb11ea057914e..ac6eb143539d6cf972438911e411304d8dbf1b97 100644 (file)
--- a/drivers/tpm/tpm2_tis_sandbox.c
+++ b/drivers/tpm/tpm2_tis_sandbox.c
@@ -11,6 +11,7 @@
 #include <asm/unaligned.h>
 #include <linux/bitops.h>
 #include <u-boot/crc.h>
+#include <u-boot/sha256.h>
 #include "sandbox_common.h"
 
 /* Hierarchies */
@@ -39,13 +40,6 @@ enum tpm2_cap_tpm_property {
 
 #define SANDBOX_TPM_PCR_NB 1
 
-static const u8 sandbox_extended_once_pcr[] = {
-       0xf5, 0xa5, 0xfd, 0x42, 0xd1, 0x6a, 0x20, 0x30,
-       0x27, 0x98, 0xef, 0x6e, 0xd3, 0x09, 0x97, 0x9b,
-       0x43, 0x00, 0x3d, 0x23, 0x20, 0xd9, 0xf0, 0xe8,
-       0xea, 0x98, 0x31, 0xa9, 0x27, 0x59, 0xfb, 0x4b,
-};
-
 /*
  * Information about our TPM emulation. This is preserved in the sandbox
  * state file if enabled.
@@ -407,15 +401,17 @@ static int sandbox_tpm2_extend(struct udevice *dev, int pcr_index,
                               const u8 *extension)
 {
        struct sandbox_tpm2 *tpm = dev_get_priv(dev);
-       int i;
+       sha256_context ctx;
+
+       /* Zero the PCR if this is the first use */
+       if (!tpm->pcr_extensions[pcr_index])
+               memset(tpm->pcr[pcr_index], '\0', TPM2_DIGEST_LEN);
 
-       /* Only simulate the first extensions from all '0' with only '0' */
-       for (i = 0; i < TPM2_DIGEST_LEN; i++)
-               if (tpm->pcr[pcr_index][i] || extension[i])
-                       return TPM2_RC_FAILURE;
+       sha256_starts(&ctx);
+       sha256_update(&ctx, tpm->pcr[pcr_index], TPM2_DIGEST_LEN);
+       sha256_update(&ctx, extension, TPM2_DIGEST_LEN);
+       sha256_finish(&ctx, tpm->pcr[pcr_index]);
 
-       memcpy(tpm->pcr[pcr_index], sandbox_extended_once_pcr,
-              TPM2_DIGEST_LEN);
        tpm->pcr_extensions[pcr_index]++;
 
        return 0;

diff --git a/test/py/tests/test_tpm2.py b/test/py/tests/test_tpm2.py
index 70f906da511e3fd2c80dd87c1bdb3df252c25bca..ac04f7191ecadec623a9f7aebf15981db98d61e5 100644 (file)
--- a/test/py/tests/test_tpm2.py
+++ b/test/py/tests/test_tpm2.py
@@ -216,7 +216,9 @@ def test_tpm2_pcr_extend(u_boot_console):
     output = u_boot_console.run_command('echo $?')
     assert output.endswith('0')
 
-    read_pcr = u_boot_console.run_command('tpm2 pcr_read 0 0x%x' % ram)
+    # Read the value back into a different place so we can still use 'ram' as
+    # our zero bytes
+    read_pcr = u_boot_console.run_command('tpm2 pcr_read 0 0x%x' % (ram + 0x20))
     output = u_boot_console.run_command('echo $?')
     assert output.endswith('0')
     assert 'f5 a5 fd 42 d1 6a 20 30 27 98 ef 6e d3 09 97 9b' in read_pcr
@@ -226,6 +228,20 @@ def test_tpm2_pcr_extend(u_boot_console):
     new_updates = int(re.findall(r'\d+', str)[0])
     assert (updates + 1) == new_updates
 
+    u_boot_console.run_command('tpm2 pcr_extend 0 0x%x' % ram)
+    output = u_boot_console.run_command('echo $?')
+    assert output.endswith('0')
+
+    read_pcr = u_boot_console.run_command('tpm2 pcr_read 0 0x%x' % (ram + 0x20))
+    output = u_boot_console.run_command('echo $?')
+    assert output.endswith('0')
+    assert '7a 05 01 f5 95 7b df 9c b3 a8 ff 49 66 f0 22 65' in read_pcr
+    assert 'f9 68 65 8b 7a 9c 62 64 2c ba 11 65 e8 66 42 f5' in read_pcr
+
+    str = re.findall(r'\d+ known updates', read_pcr)[0]
+    new_updates = int(re.findall(r'\d+', str)[0])
+    assert (updates + 2) == new_updates
+
 @pytest.mark.buildconfigspec('cmd_tpm_v2')
 def test_tpm2_cleanup(u_boot_console):
     """Ensure the TPM is cleared from password or test related configuration."""