swtpm: Add support for setting the locality on the TPM

Implement the CMD_SET_LOCALITY command.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

diff --git a/src/swtpm/ctrlchannel.c b/src/swtpm/ctrlchannel.c
index 2b01617dc2a498b828e68bda6b46591cf8592a2c..5709951646466eea15f204fdff1c28587f9fedbb 100644 (file)
--- a/src/swtpm/ctrlchannel.c
+++ b/src/swtpm/ctrlchannel.c
@@ -229,6 +229,7 @@ int ctrlchannel_process_fd(int fd,
     ptm_hdata *data;
     ptm_getstate *pgs;
     ptm_setstate *pss;
+    ptm_loc *pl;
 
     size_t out_len = 0;
     TPM_RESULT res;
@@ -258,6 +259,7 @@ int ctrlchannel_process_fd(int fd,
             PTM_CAP_SHUTDOWN |
             PTM_CAP_STOP |
             PTM_CAP_GET_TPMESTABLISHED |
+            PTM_CAP_SET_LOCALITY |
             PTM_CAP_RESET_TPMESTABLISHED |
             PTM_CAP_HASHING |
             PTM_CAP_GET_STATEBLOB |
@@ -348,6 +350,22 @@ int ctrlchannel_process_fd(int fd,
         out_len = sizeof(re->u.resp);
         break;
 
+    case CMD_SET_LOCALITY:
+        if (n < (ssize_t)sizeof(pl->u.req.loc)) /* rw */
+            goto err_bad_input;
+
+        pl = (ptm_loc *)input.body;
+        if (pl->u.req.loc > 4) {
+            res = TPM_BAD_LOCALITY;
+        } else {
+            res = TPM_SUCCESS;
+            *locality = pl->u.req.loc;
+        }
+
+        *res_p = htobe32(res);
+        out_len = sizeof(re->u.resp);
+        break;
+
     case CMD_HASH_START:
         if (!*tpm_running)
             goto err_not_running;

diff --git a/tests/test_ctrlchannel b/tests/test_ctrlchannel
index 0909106b42cf244ad4aa56a9f7ace22de9e1db52..1ed25e48099f5af5e3e27f9680c48a20066a15b4 100755 (executable)
--- a/tests/test_ctrlchannel
+++ b/tests/test_ctrlchannel
@@ -43,7 +43,7 @@ socat -x -t10 FILE:$CMD_PATH,rdonly UNIX-CLIENT:$SOCK_PATH 2>&1 | \
        sed -n '/^ /p' | \
        tail -n1 > $RESP_PATH
 res="$(cat $RESP_PATH)"
-exp=" 00 00 00 00 00 00 07 f7"
+exp=" 00 00 00 00 00 00 07 ff"
 if [ "$res" != "$exp" ]; then
        echo "Error: Unexpected response from CMD_GET_CAPABILITY:"
        echo "       actual  : $res"
@@ -180,7 +180,7 @@ socat -x -t10 FILE:$CMD_PATH,rdonly UNIX-CLIENT:$SOCK_PATH 2>&1 | \
        sed -n '/^ /p' | \
        tail -n1 > $RESP_PATH
 res="$(cat $RESP_PATH)"
-exp=" 00 00 00 00 00 00 07 f7"
+exp=" 00 00 00 00 00 00 07 ff"
 if [ "$res" != "$exp" ]; then
        echo "Error: Socket TPM: Unexpected response from CMD_GET_CAPABILITY:"
        echo "       actual  : $res"
@@ -625,6 +625,46 @@ if [ "$RES" != "$exp" ]; then
 fi
 
 
+# Reset PCR 20 while in locality 0 -- should not work
+exec 100<>/dev/tcp/localhost/65530
+echo -en '\x00\xC1\x00\x00\x00\x0F\x00\x00\x00\xC8\x00\x03\x00\x00\x10' >&100
+RES=$(cat <&100 | od -t x1 -A n)
+exp=' 00 c4 00 00 00 0a 00 00 00 33'
+if [ "$RES" != "$exp" ]; then
+       echo "Error: Trying to reset PCR 20 in locality 0 returned unexpected result"
+       echo "expected: $exp"
+       echo "received: $RES"
+       exit 1
+fi
+
+# In locality 2 we can reset PCR 20
+# Set the localoty on the TPM: CMD_SET_LOCALITY = 00 00 00 05 <locality>
+echo -en '\x00\x00\x00\x05\x02' > $CMD_PATH
+socat -x -t10 FILE:$CMD_PATH,rdonly UNIX-CONNECT:$SOCK_PATH 2>&1 | \
+       sed -n '/^ /p' | \
+       tail -n1 > $RESP_PATH
+res="$(cat $RESP_PATH)"
+exp=" 00 00 00 00"
+if [ "$res" != "$exp" ]; then
+       echo "Error: Socket TPM: Unexpected response from CMD_SET_LOCALITY:"
+       echo "       actual  : $res"
+       echo "       expected: $exp"
+       exit 1
+fi
+
+# Reset PCR 20 while in locality 2 -- has to work
+exec 100<>/dev/tcp/localhost/65530
+echo -en '\x00\xC1\x00\x00\x00\x0F\x00\x00\x00\xC8\x00\x03\x00\x00\x10' >&100
+RES=$(cat <&100 | od -t x1 -A n)
+exp=' 00 c4 00 00 00 0a 00 00 00 00'
+if [ "$RES" != "$exp" ]; then
+       echo "Error: Could not reset PCR 20 in locality 2"
+       echo "expected: $exp"
+       echo "received: $RES"
+       exit 1
+fi
+
+
 # Send shutdown command to the TPM: CMD_SHUTDOWN = 00 00 00 03
 echo -en '\x00\x00\x00\x03' > $CMD_PATH
 socat -x -t10 FILE:$CMD_PATH,rdonly UNIX-CONNECT:$SOCK_PATH 2>&1 | \