From: Mario Limonciello
Date: Sat, 17 Dec 2022 13:48:32 +0000 (-0600)
Subject: tpm: Add support for sha384
X-Git-Url: https://git.proxmox.com/?a=commitdiff_plain;h=99f36cb494db5ba978a0dcb0b226afabb41d7ff1;p=fwupd.git
tpm: Add support for sha384
---
diff --git a/plugins/tpm/fu-tpm-eventlog-common.c b/plugins/tpm/fu-tpm-eventlog-common.c
index 606774801..cc66ed690 100644
--- a/plugins/tpm/fu-tpm-eventlog-common.c
+++ b/plugins/tpm/fu-tpm-eventlog-common.c
@@ -159,10 +159,13 @@ fu_tpm_eventlog_calc_checksums(GPtrArray *items, guint8 pcr, GError **error)
 {
 guint cnt_sha1 = 0;
 guint cnt_sha256 = 0;
+ guint cnt_sha384 = 0;
 guint8 digest_sha1[TPM2_SHA1_DIGEST_SIZE] = {0x0};
 guint8 digest_sha256[TPM2_SHA256_DIGEST_SIZE] = {0x0};
+ guint8 digest_sha384[TPM2_SHA384_DIGEST_SIZE] = {0x0};
 gsize digest_sha1_len = sizeof(digest_sha1);
 gsize digest_sha256_len = sizeof(digest_sha256);
+ gsize digest_sha384_len = sizeof(digest_sha384);
 g_autoptr(GPtrArray) csums = g_ptr_array_new_with_free_func(g_free);
 /* sanity check */
@@ -189,6 +192,7 @@ fu_tpm_eventlog_calc_checksums(GPtrArray *items, guint8 pcr, GError **error)
 /* the final byte indicates the locality from which TPM2_Startup()
 * was issued -- which is the initial value of PCR0 */
 if (strncmp((const char *)buf, "StartupLocality", bufsz - 2) == 0) {
+ digest_sha384[TPM2_SHA384_DIGEST_SIZE - 1] = buf[bufsz - 1];
 digest_sha256[TPM2_SHA256_DIGEST_SIZE - 1] = buf[bufsz - 1];
 digest_sha1[TPM2_SHA1_DIGEST_SIZE - 1] = buf[bufsz - 1];
 continue;
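Review bot: In the `@@ -189,6 +192,7 @@` hunk the added `digest_sha384[TPM2_SHA384_DIGEST_SIZE - 1] = buf[bufsz - 1];` is a third read of `buf[bufsz - 1]` whose only visible guard is `strncmp(..., bufsz - 2)`, and nothing in the hunk bounds `bufsz`. Because the compare length is `bufsz - 2`, a 2-byte blob compares zero characters and is accepted as a match, and a shorter blob makes the subtraction (and, for an empty blob, the index) go out of range if `bufsz` is unsigned, which its declaration above the hunk would confirm. The loop body starts above the hunk, so a size check may already exist there; if it does not, the condition should require the full event length before comparing, for example `if (bufsz > strlen("StartupLocality") + 1 && strncmp((const char *)buf, "StartupLocality", bufsz - 2) == 0) {`.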
@@ -218,12 +222,24 @@ fu_tpm_eventlog_calc_checksums(GPtrArray *items, guint8 pcr, GError **error)
 g_checksum_get_digest(csum_sha256, digest_sha256, &digest_sha256_len);
 cnt_sha256++;
 }
+ if (item->checksum_sha384 != NULL) {
+ g_autoptr(GChecksum) csum_sha384 = g_checksum_new(G_CHECKSUM_SHA384);
+ g_checksum_update(csum_sha384,
+ (const guchar *)digest_sha384,
+ digest_sha384_len);
+ g_checksum_update(
+ csum_sha384,
+ (const guchar *)g_bytes_get_data(item->checksum_sha384, NULL),
+ g_bytes_get_size(item->checksum_sha384));
+ g_checksum_get_digest(csum_sha384, digest_sha384, &digest_sha384_len);
+ cnt_sha384++;
+ }
 }
- if (cnt_sha1 == 0 && cnt_sha256 == 0) {
+ if (cnt_sha1 == 0 && cnt_sha256 == 0 && cnt_sha384 == 0) {
 g_set_error_literal(error,
 G_IO_ERROR,
 G_IO_ERROR_INVALID_DATA,
- "no SHA1 or SHA256 data");
+ "no SHA1, SHA256, or SHA384 data");
 return NULL;
 }
 if (cnt_sha1 > 0) {
@@ -236,5 +252,10 @@ fu_tpm_eventlog_calc_checksums(GPtrArray *items, guint8 pcr, GError **error)
 blob_sha256 = g_bytes_new_static(digest_sha256, sizeof(digest_sha256));
 g_ptr_array_add(csums, fu_tpm_eventlog_strhex(blob_sha256));
 }
+ if (cnt_sha384 > 0) {
+ g_autoptr(GBytes) blob_sha384 = NULL;
+ blob_sha384 = g_bytes_new_static(digest_sha384, sizeof(digest_sha384));
+ g_ptr_array_add(csums, fu_tpm_eventlog_strhex(blob_sha384));
+ }
 return g_steal_pointer(&csums);
 }
diff --git a/plugins/tpm/fu-tpm-eventlog-common.h b/plugins/tpm/fu-tpm-eventlog-common.h
index 217221ece..3fdece953 100644
--- a/plugins/tpm/fu-tpm-eventlog-common.h
+++ b/plugins/tpm/fu-tpm-eventlog-common.h
@@ -46,6 +46,7 @@ typedef struct {
 FuTpmEventlogItemKind kind;
 GBytes *checksum_sha1;
 GBytes *checksum_sha256;
+ GBytes *checksum_sha384;
 GBytes *blob;
 } FuTpmEventlogItem;
diff --git a/plugins/tpm/fu-tpm-eventlog-parser.c b/plugins/tpm/fu-tpm-eventlog-parser.c
index d57aece97..f56ea5c8f 100644
--- a/plugins/tpm/fu-tpm-eventlog-parser.c
+++ b/plugins/tpm/fu-tpm-eventlog-parser.c
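Review bot: The SHA-384 block added in the `@@ -218,12 +222,24 @@` hunk of fu-tpm-eventlog-common.c is a third copy of the same step (hash the running digest, then the event digest, write the result back over the running digest), differing only in algorithm and buffer, and nothing in the hunk says that this replays the PCR extend operation. Folding the copies into one static helper keeps the algorithms from drifting apart when another is added and gives a single place to document the step. The helper name below is only a suggestion, and the loop and function body start above the hunk.

```c
/* replay one PCR extend: digest = H(digest || event_digest), written back in place */
static void
fu_tpm_eventlog_extend(GChecksumType kind, guint8 *digest, gsize digestsz, GBytes *event_digest)
{
	gsize digest_len = digestsz;
	g_autoptr(GChecksum) csum = g_checksum_new(kind);
	g_checksum_update(csum, (const guchar *)digest, digestsz);
	g_checksum_update(csum,
			  (const guchar *)g_bytes_get_data(event_digest, NULL),
			  g_bytes_get_size(event_digest));
	g_checksum_get_digest(csum, digest, &digest_len);
}

/* … unchanged: SHA-1 and SHA-256 handling in the loop … */
		if (item->checksum_sha384 != NULL) {
			fu_tpm_eventlog_extend(G_CHECKSUM_SHA384,
					       digest_sha384,
					       sizeof(digest_sha384),
					       item->checksum_sha384);
			cnt_sha384++;
		}
```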
@@ -42,6 +42,8 @@ fu_tpm_eventlog_parser_item_free(FuTpmEventlogItem *item)
 g_bytes_unref(item->checksum_sha1);
 if (item->checksum_sha256 != NULL)
 g_bytes_unref(item->checksum_sha256);
+ if (item->checksum_sha384 != NULL)
+ g_bytes_unref(item->checksum_sha384);
 g_free(item);
 }
@@ -66,6 +68,10 @@ fu_tpm_eventlog_item_to_string(FuTpmEventlogItem *item, guint idt, GString *str)
 g_autofree gchar *csum = fu_tpm_eventlog_strhex(item->checksum_sha256);
 fu_string_append(str, idt, "ChecksumSha256", csum);
 }
+ if (item->checksum_sha384 != NULL) {
+ g_autofree gchar *csum = fu_tpm_eventlog_strhex(item->checksum_sha384);
+ fu_string_append(str, idt, "ChecksumSha384", csum);
+ }
 if (item->blob != NULL) {
 g_autofree gchar *blobstr = fu_tpm_eventlog_blobstr(item->blob);
 if (blobstr != NULL)
@@ -98,6 +104,7 @@ fu_tpm_eventlog_parser_parse_blob_v2(const guint8 *buf,
 guint32 datasz = 0;
 g_autoptr(GBytes) checksum_sha1 = NULL;
 g_autoptr(GBytes) checksum_sha256 = NULL;
+ g_autoptr(GBytes) checksum_sha384 = NULL;
 /* read entry */
 if (!fu_memread_uint32_safe(buf,
@@ -169,6 +176,9 @@ fu_tpm_eventlog_parser_parse_blob_v2(const guint8 *buf,
 else if (alg_type == TPM2_ALG_SHA256)
 checksum_sha256 =
 g_bytes_new_take(g_steal_pointer(&digest), alg_size);
+ else if (alg_type == TPM2_ALG_SHA384)
+ checksum_sha384 =
+ g_bytes_new_take(g_steal_pointer(&digest), alg_size);
 /* next block */
 idx += alg_size;
diff --git a/plugins/tpm/fu-tpm-plugin.c b/plugins/tpm/fu-tpm-plugin.c
index c0be3bc2c..5eacaaf2f 100644
--- a/plugins/tpm/fu-tpm-plugin.c
+++ b/plugins/tpm/fu-tpm-plugin.c
@@ -90,6 +90,10 @@ fu_tpm_plugin_device_added(FuPlugin *plugin, FuDevice *dev)
 fu_plugin_add_report_metadata(plugin, "Pcr0_SHA256", csum);
 continue;
 }
+ if (csum_type == G_CHECKSUM_SHA384) {
+ fu_plugin_add_report_metadata(plugin, "Pcr0_SHA384", csum);
+ continue;
+ }
 }
 }
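Review bot: In fu-tpm-eventlog-parser.c the `@@ -169,6 +176,9 @@` hunk stores the parsed digest in the local `checksum_sha384`, but no hunk on this page moves it into the new `item->checksum_sha384` field. The local is declared `g_autoptr(GBytes)`, so without that hand-off it is released when the scope ends and the field presumably stays NULL. That would make every `item->checksum_sha384 != NULL` branch added by this change dead code, including the PCR0 reconstruction and the `Pcr0_SHA384` report entry. The item is built outside the visible hunks, so this is inferred from what the diff shows; if SHA-1 and SHA-256 are handed over there with `g_steal_pointer()`, the matching line `item->checksum_sha384 = g_steal_pointer(&checksum_sha384);` belongs next to them.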
@@ -256,6 +260,8 @@ fu_tpm_plugin_eventlog_report_metadata(FuPlugin *plugin)
 checksum = fu_tpm_eventlog_strhex(item->checksum_sha1);
 else if (item->checksum_sha256 != NULL)
 checksum = fu_tpm_eventlog_strhex(item->checksum_sha256);
+ else if (item->checksum_sha384 != NULL)
+ checksum = fu_tpm_eventlog_strhex(item->checksum_sha384);
 else
 continue;
 g_string_append_printf(str, "0x%08x %s", item->kind, checksum);
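Review bot: The new `else if (item->checksum_sha384 != NULL)` branch is appended after the SHA-1 and SHA-256 branches, so the SHA-384 digest reaches the report only for items that carry neither of the other two. An item that has all three is still reported by its SHA-1 value. If the report is meant to identify each event by the strongest digest available, the chain should test `checksum_sha384` first, then `checksum_sha256`, then `checksum_sha1`. If SHA-1 is kept first so that new reports stay comparable with existing ones, a short comment above the chain should say so. The `if` that opens the chain is above the hunk.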