7023102 TCSD should store the TPM Event Log
authorWyllys Ingersoll <Wyllys.Ingersoll@Oracle.COM>
Tue, 13 Dec 2011 13:58:15 -0800
changeset 622 fd8f0e501744
parent 621 af87e89b2283
child 623 15f87c23a86e
7023102 TCSD should store the TPM Event Log
components/trousers/patches/svrside.c.patch
components/trousers/patches/tcsd.conf.in.patch
components/trousers/patches/tddl.c.patch
--- a/components/trousers/patches/svrside.c.patch	Tue Dec 13 13:42:07 2011 -0800
+++ b/components/trousers/patches/svrside.c.patch	Tue Dec 13 13:58:15 2011 -0800
@@ -1,11 +1,12 @@
---- src/tcsd/svrside.c.orig	Thu Jan 21 15:18:55 2010
-+++ src/tcsd/svrside.c	Thu Jan 28 17:37:07 2010
[email protected]@ -27,6 +27,13 @@
+--- src/tcsd/svrside.c	Wed Jun  9 13:19:00 2010
++++ src/tcsd/svrside.c.new	Thu Dec  8 12:58:00 2011
[email protected]@ -27,6 +27,14 @@
  #include <arpa/inet.h>
  #include <errno.h>
  #include <getopt.h>
 +#ifdef SOLARIS
 +#include <priv.h>
++#include <fcntl.h>
 +#endif
 +#ifndef HAVE_DAEMON
 +#include <fcntl.h>
@@ -14,12 +15,103 @@
  #include "trousers/tss.h"
  #include "trousers_types.h"
  #include "tcs_tsp.h"
[email protected]@ -207,6 +214,79 @@
[email protected]@ -44,6 +52,11 @@
+ static volatile int hup = 0, term = 0;
+ extern char *optarg;
+ 
++#ifdef SOLARIS
++static int
++get_event_log_from_kernel();
++#endif
++
+ static void
+ tcsd_shutdown(void)
+ {
[email protected]@ -170,6 +183,10 @@
+ 		(void)req_mgr_final();
+ 		return result;
+ 	}
++#ifdef SOLARIS
++	/* Not fatal if this fails */
++	(void) get_event_log_from_kernel();
++#endif
+ 
+ 	result = owner_evict_init();
+ 	if (result != TSS_SUCCESS) {
[email protected]@ -208,6 +225,147 @@
  }
  
  
 +#ifdef SOLARIS
 +
++extern int get_device_fd();
++
++#define TPM_IOCTL_GETEVTABLE    1
++struct tpm_evtable_ioblk {
++	uint32_t	buflen;
++	caddr_t		buf;
++};
++
++static int
++store_eventlog(char *filename, struct tpm_evtable_ioblk *evlog)
++{
++	int fd;
++	int bytes = 0;
++
++	fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT, 0600);
++	if (fd == -1) {
++		LogError("Error opening logfile %s: %s", filename,
++		    strerror(errno));
++		return (-1);
++	}
++	while (bytes < evlog->buflen) {
++		int n;
++		n = write(fd, evlog->buf, evlog->buflen - bytes);
++		if (n == -1 && errno != EAGAIN) {
++			LogError("Error writing logfile %s: %s",
++			    filename, strerror(errno));
++			close(fd);
++			return (-1);
++		}
++		if (n != -1)
++			bytes += n;
++	}
++	close(fd);
++
++	return (0);
++}
++
++static int
++get_event_log_from_kernel()
++{
++	int fd = get_device_fd();
++	struct tpm_evtable_ioblk ioblk;
++
++	if (fd == -1)
++		return (-1);
++
++	(void) memset(&ioblk, 0, sizeof (ioblk));
++	if (ioctl(fd, TPM_IOCTL_GETEVTABLE, &ioblk)) {
++		LogDebug("Cannot get event log from kernel: %s",
++		    strerror(errno));
++		return (-1);
++	}
++	if (ioblk.buflen == 0)
++		return (0);
++
++	ioblk.buf = calloc(1, ioblk.buflen);
++	if (ioblk.buf == NULL) {
++		return (-1);
++	}
++	if (ioctl(fd, TPM_IOCTL_GETEVTABLE, &ioblk)) {
++		free(ioblk.buf);
++		LogDebug("Cannot get event log from kernel: %s",
++		    strerror(errno));
++		return (-1);
++	}
++
++	return (store_eventlog(tcsd_options.firmware_log_file, &ioblk));
++}
 +/*
 + * For Solaris, make the tcsd privilege aware and drop
 + * risky privileges if they are not needed.
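Review bot: A short write in store_eventlog's loop restarts from the beginning of the buffer, because every iteration passes `evlog->buf` rather than `evlog->buf + bytes`, so a partially written file would hold a corrupted copy of the event log; `bytes` is also an `int` compared against the `uint32_t` `buflen`, and a `write()` interrupted by a signal (the `hup`/`term` flags above suggest handlers are installed, though they are not visible here) fails with EINTR and is treated as fatal instead of retried. The rewrite below advances the pointer, uses unsigned/`ssize_t` counters and retries on EINTR as well as EAGAIN. get_event_log_from_kernel additionally never frees the `calloc`'d `ioblk.buf` on the success path; `int rv = store_eventlog(tcsd_options.firmware_log_file, &ioblk); free(ioblk.buf); return (rv);` closes that leak. Both new functions and the forward declaration use an empty parameter list `()`; `(void)` gives them a real prototype.
```c
static int
store_eventlog(char *filename, struct tpm_evtable_ioblk *evlog)
{
	int fd;
	uint32_t bytes = 0;

	fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT, 0600);
	/* … unchanged: open() error handling … */
	while (bytes < evlog->buflen) {
		ssize_t n;
		/* advance past what was already written so a short write
		 * does not re-emit the start of the buffer */
		n = write(fd, evlog->buf + bytes, evlog->buflen - bytes);
		if (n == -1) {
			if (errno == EAGAIN || errno == EINTR)
				continue;
			LogError("Error writing logfile %s: %s",
			    filename, strerror(errno));
			close(fd);
			return (-1);
		}
		bytes += (uint32_t)n;
	}
	/* … unchanged: close and return … */
}
```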
@@ -94,7 +186,7 @@
  int
  main(int argc, char **argv)
  {
[email protected]@ -222,6 +302,9 @@
[email protected]@ -223,6 +381,9 @@
  		{"foreground", 0, NULL, 'f'},
  		{0, 0, 0, 0}
  	};
@@ -102,9 +194,9 @@
 +	int rv;
 +#endif
  
- 	while ((c = getopt_long(argc, argv, "fh", long_options, &option_index)) != -1) {
- 		switch (c) {
[email protected]@ -287,6 +372,11 @@
+ 	unsetenv("TCSD_USE_TCP_DEVICE");
+ 	while ((c = getopt_long(argc, argv, "fhe", long_options, &option_index)) != -1) {
[email protected]@ -294,6 +455,11 @@
  			return -1;
  		}
  	}
--- a/components/trousers/patches/tcsd.conf.in.patch	Tue Dec 13 13:42:07 2011 -0800
+++ b/components/trousers/patches/tcsd.conf.in.patch	Tue Dec 13 13:58:15 2011 -0800
@@ -1,11 +1,19 @@
---- dist/tcsd.conf.in.old	Thu Apr  7 07:53:52 2011
-+++ dist/tcsd.conf.in	Thu Apr  7 07:55:18 2011
[email protected]@ -54,7 +54,7 @@
+--- dist/tcsd.conf.in	Thu Jan 28 08:27:50 2010
++++ dist/tcsd.conf.in.new	Fri Nov 18 10:35:22 2011
[email protected]@ -37,6 +37,7 @@
+ #
+ # firmware_log_file = /sys/kernel/security/tpm0/binary_bios_measurements
+ #
++firmware_log_file=/var/tpm/system/pcrevent.log
+ 
+ # Option: kernel_log_file
+ # Values: Any absolute directory path
[email protected]@ -54,7 +55,7 @@
  # Description: A list of PCR indices that are manipulated only by the system
  #  firmware and therefore are not extended or logged by the TCSD.
  #
 -# firmware_pcrs =
-+firmware_pcrs =0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
++firmware_pcrs =0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,20,21
  #
  
  # Option: kernel_pcrs
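Review bot: The new default `firmware_log_file=/var/tpm/system/pcrevent.log` names a directory that nothing in this commit creates; the daemon side of this change opens the file with O_CREAT and mode 0600, so /var/tpm/system has to exist beforehand and should be writable only by the account tcsd runs as, which the packaging must guarantee unless it already does so elsewhere. A comment above the line, `# Directory must exist and be writable only by the tcsd user; the daemon creates the file with mode 0600.`, would record that requirement next to the setting. The uncommented line also drops the spaces around `=` used by the example directly above it; if the parser tolerates them, as the `firmware_pcrs =` line suggests, `firmware_log_file = /var/tpm/system/pcrevent.log` would match the documented form.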
--- a/components/trousers/patches/tddl.c.patch	Tue Dec 13 13:42:07 2011 -0800
+++ b/components/trousers/patches/tddl.c.patch	Tue Dec 13 13:58:15 2011 -0800
@@ -1,5 +1,5 @@
---- src/tddl/tddl.c.old	2010-04-12 22:24:21.000000000 -0700
-+++ src/tddl/tddl.c 2011-07-12 13:14:57.362305220 -0700
+--- src/tddl/tddl.c	Mon Apr 12 22:24:21 2010
++++ src/tddl/tddl.c.new	Thu Sep 22 12:28:25 2011
 @@ -18,13 +18,17 @@
  
  #include "trousers/tss.h"
@@ -18,7 +18,21 @@
  	{"/dev/tpm", TDDL_UNDEF, TDDL_UNDEF},
  	{NULL, 0, 0}
  };
[email protected]@ -63,7 +67,7 @@
[email protected]@ -42,6 +46,13 @@
+ #include <netdb.h>
+ #include <fcntl.h>
+ 
++#ifdef SOLARIS
++int
++get_device_fd()
++{
++	return (opened_device->fd);
++}
++#endif
+ 
+ int
+ open_device()
[email protected]@ -63,7 +74,7 @@
  	 
  		
  		fd = socket(AF_INET, SOCK_STREAM, 0);
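Review bot: get_device_fd dereferences `opened_device` unconditionally; its initial value is not visible here, but if it is still NULL before open_device() has succeeded the startup caller in svrside.c, which treats a failure as "not fatal", would crash instead of getting the -1 it checks for. `return (opened_device != NULL ? opened_device->fd : -1);` keeps the documented failure path. The definition also uses an empty parameter list and is matched only by a hand-written `extern int get_device_fd();` in svrside.c; declaring `int get_device_fd(void);` once in a shared header would keep the two in sync and give the compiler a real prototype.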
@@ -27,7 +41,7 @@
  			struct hostent *host = gethostbyname(tcp_device_hostname);
  			if (host != NULL) {   
  				struct sockaddr_in addr;
[email protected]@ -105,12 +109,16 @@
[email protected]@ -105,12 +116,16 @@
  		/* tpm_device_paths is filled out in tddl.h */
  		for (i = 0; tpm_device_nodes[i].path != NULL; i++) {
  			errno = 0;
@@ -47,7 +61,7 @@
  		opened_device = &(tpm_device_nodes[i]);
  		tpm_device_nodes[i].fd = fd;
  	}
[email protected]@ -181,11 +189,13 @@
[email protected]@ -181,11 +196,13 @@
  			/* fall through */
  		case TDDL_TRANSMIT_IOCTL:
  			errno = 0;
@@ -61,7 +75,7 @@
  			LogInfo("Falling back to Read/Write device support.");
  			/* fall through */
  		case TDDL_TRANSMIT_RW:
[email protected]@ -255,6 +265,7 @@
[email protected]@ -255,6 +272,7 @@
  
  TSS_RESULT Tddli_Cancel(void)
  {
@@ -69,7 +83,7 @@
  	int rc;
  
  	if (opened_device->transmit == TDDL_TRANSMIT_IOCTL) {
[email protected]@ -270,4 +281,7 @@
[email protected]@ -270,4 +288,7 @@
  	} else {
  		return TDDLERR(TSS_E_NOTIMPL);
  	}