author | kavsrf <kavsrf@gmail.com> | 2016-12-04 13:46:48 +0300 |
---|---|---|
committer | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2017-06-05 17:36:42 +0200 |
commit | 6701b862aa96775609a7d42662ae4a98e43071bb (patch) | |
tree | 3900fcd874625898d9ab921ec6f2e3f5f8ef4b97 /DcsCfg | |
parent | ebe8c240166ef25ed0ca8898f8bfd34b415a75d0 (diff) | |
download | VeraCrypt-DCS-6701b862aa96775609a7d42662ae4a98e43071bb.tar.gz VeraCrypt-DCS-6701b862aa96775609a7d42662ae4a98e43071bb.zip |
TPM12 support
Diffstat (limited to 'DcsCfg')
-rw-r--r-- | DcsCfg/DcsCfg.h | 13 | ||||
-rw-r--r-- | DcsCfg/DcsCfg.inf | 2 | ||||
-rw-r--r-- | DcsCfg/DcsCfg.man | 19 | ||||
-rw-r--r-- | DcsCfg/DcsCfgMain.c | 128 | ||||
-rw-r--r-- | DcsCfg/DcsCfgTpm.c | 88 |
5 files changed, 201 insertions, 49 deletions
diff --git a/DcsCfg/DcsCfg.h b/DcsCfg/DcsCfg.h
index 2ffd50d..8a9a15a 100644
--- a/DcsCfg/DcsCfg.h
+++ b/DcsCfg/DcsCfg.h
@@ -161,6 +161,19 @@ TestTouch();
EFI_STATUS
DcsInteractiveSetup();
+//////////////////////////////////////////////////////////////////////////
+// TPM
+//////////////////////////////////////////////////////////////////////////
+EFI_STATUS
+Tpm12ListPcrs(
+ UINT32 sPcr,
+ UINT32 ePcr
+ );
+EFI_STATUS
+Tpm12NvList();
+
+EFI_STATUS
+Tpm12DcsConfigure();
#endif // DcsCfg_h__
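Review bot: The three new TPM prototypes carry no documentation, and for `Tpm12ListPcrs` it is not stated whether `ePcr` is inclusive or exclusive, nor whether the range is validated — the one caller in DcsCfgMain.c passes user-typed values straight through. A one-line comment above each would settle it, e.g. `// Print TPM 1.2 PCR values for indices sPcr..ePcr (inclusive/exclusive: confirm against Tpm12DumpPcrs in DcsTpmLib)` and `// Configure the TPM for DCS and apply the configuration; needs a TPM 1.2 (see DcsCfgTpm.c)`. The empty parameter lists `()` follow this header's existing style (`TestTouch();`), so I would leave them, though `(VOID)` is the EDK2 convention for a true no-argument prototype.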
diff --git a/DcsCfg/DcsCfg.inf b/DcsCfg/DcsCfg.inf
index c7218aa..c057b96 100644
--- a/DcsCfg/DcsCfg.inf
+++ b/DcsCfg/DcsCfg.inf
@@ -34,6 +34,7 @@ DcsCfgGraphics.c
DcsCfgBlockio.c
DcsCfgTouch.c
+ DcsCfgTpm.c
DcsCfgSetup.c
[Packages]
@@ -51,6 +52,7 @@ GraphLib
PasswordLib
DcsCfgLib
+ DcsTpmLib
VeraCryptLib
ShellLib
diff --git a/DcsCfg/DcsCfg.man b/DcsCfg/DcsCfg.man
index bb6fda4..72575dc 100644
--- a/DcsCfg/DcsCfg.man
+++ b/DcsCfg/DcsCfg.man
@@ -35,16 +35,20 @@ DcsCfg -ds <BN> -wipe <start> <end>
.SH OPTIONS
+ -dc - check devices (try to authorize)
-dl - block device list (order numbers are used in -db and -se)
-ds <BN> – select device
-de <BN> – end device to check (starts from select)
- -dc check devices (try to authorize)
-db <BN> - boot partition selection
-aa - ask authorization parameters
-ach - create header on block device
-vec <BN> - block device encrypt
-vdc <BN> - block device decrypt
-vcp <BN> - block device change password
+ -rnd <type> <param>- select rnadom type (0 - none, 1 - file, 2- rdrand, 3 HMAC, 4 OPENSSL 5 TPM)
+ -rndgen <file> - generate random file
+ -rndload - load rnd generator state from file
+ -rndsave - save rnd generator state to file
-ul - USB device list
-tl - touch device
-tt <TN> - Test touch device
@@ -55,18 +59,29 @@ DcsCfg -ds <BN> -wipe <start> <end>
-bt - Beep device test
-setup - interactive setup
-pl - GPT list
- -pf <gpt_file_name> - file with GPT
+ -pf <gpt_file_name> - file with GPT and params
-ps - save GPT to file
+ -pz - delete info from GPT to file
-pa - applay GPT from file to disk
-pe - encrypt GPT
-pd - decrypt GPT
-pnt <PNT> - partition number as template (from -pl)
-phide <PHS> <PHE> - hide partions from <PHS> to <PHE>; <PHS> - start sector of hidden partition, <PHE> - end sector of hidden partition
+ -pedt <PN> - partition number to edit(from -pl)
+ -pexec - edit executable parameter
+ -prndsave - save random state to params
+ -prndload - load random state from params
+ -pwdcache - edit password cache in params
-kp <key_file_name> - keys file of platform to save
-srm <SRT> - mark disk as security regions container(write CRC of platform to 61 sector); <SRT> - number of possible security regions
-srw <SRT> - wipe security regions data with random data (write random data [62, 62 + 256 * SRT]) it has to be free! check first partition start sector!
-sra <SRN> - add <gpt_file_name> to security region <SRN>
-wipe <SS SE> - write random data to sectors range [SS,SE]
+ -osdecrypt - decrypt OS (rescue)
+ -osrestorekey - restore key (rescue)
+ -tpmpcrs <s> <e>- print PCRs
+ -tpmnvlist - List NV regions in TPM
+ -tpmcfg - Configure TPM
.SH DESCRIPTION
diff --git a/DcsCfg/DcsCfgMain.c b/DcsCfg/DcsCfgMain.c
index 59ff730..6e4c863 100644
--- a/DcsCfg/DcsCfgMain.c
+++ b/DcsCfg/DcsCfgMain.c
@@ -34,51 +34,53 @@ https://opensource.org/licenses/LGPL-3.0
//////////////////////////////////////////////////////////////////////////
// Main
//////////////////////////////////////////////////////////////////////////
-#define OPT_DISK_CHECK L"-dc"
-#define OPT_DISK_LIST L"-dl"
-#define OPT_DISK_START L"-ds"
-#define OPT_DISK_END L"-de"
-#define OPT_DISK_BOOT L"-db"
-#define OPT_AUTH_ASK L"-aa"
-#define OPT_AUTH_CREATE_HEADER L"-ach"
-#define OPT_RND L"-rnd"
-#define OPT_RND_GEN L"-rndgen"
-#define OPT_RND_LOAD L"-rndload"
-#define OPT_RND_SAVE L"-rndsave"
-#define OPT_VOLUME_ENCRYPT L"-vec"
-#define OPT_VOLUME_DECRYPT L"-vdc"
-#define OPT_VOLUME_CHANGEPWD L"-vcp"
-#define OPT_USB_LIST L"-ul"
-#define OPT_TOUCH_LIST L"-tl"
-#define OPT_TOUCH_TEST L"-tt"
-#define OPT_GRAPH_LIST L"-gl"
-#define OPT_GRAPH_DEVICE L"-gd"
-#define OPT_GRAPH_MODE L"-gm"
-#define OPT_BEEP_LIST L"-bl"
-#define OPT_BEEP_TEST L"-bt"
-#define OPT_SETUP L"-setup"
-#define OPT_PARTITION_LIST L"-pl"
-#define OPT_PARTITION_FILE L"-pf"
-#define OPT_PARTITION_SAVE L"-ps"
-#define OPT_PARTITION_ZERO L"-pz"
-#define OPT_PARTITION_APPLY L"-pa"
-#define OPT_PARTITION_ENCRYPT L"-pe"
-#define OPT_PARTITION_DECRYPT L"-pd"
-#define OPT_PARTITION_IDX_TEMPLATE L"-pnt"
-#define OPT_PARTITION_HIDE L"-phide"
-#define OPT_PARTITION_EDIT L"-pedt"
-#define OPT_PARTITION_EDIT_EXEC L"-pexec"
-#define OPT_PARTITION_RND_LOAD L"-prndload"
-#define OPT_PARTITION_RND_SAVE L"-prndsave"
+#define OPT_DISK_CHECK L"-dc"
+#define OPT_DISK_LIST L"-dl"
+#define OPT_DISK_START L"-ds"
+#define OPT_DISK_END L"-de"
+#define OPT_DISK_BOOT L"-db"
+#define OPT_AUTH_ASK L"-aa"
+#define OPT_AUTH_CREATE_HEADER L"-ach"
+#define OPT_RND L"-rnd"
+#define OPT_RND_GEN L"-rndgen"
+#define OPT_RND_LOAD L"-rndload"
+#define OPT_RND_SAVE L"-rndsave"
+#define OPT_VOLUME_ENCRYPT L"-vec"
+#define OPT_VOLUME_DECRYPT L"-vdc"
+#define OPT_VOLUME_CHANGEPWD L"-vcp"
+#define OPT_USB_LIST L"-ul"
+#define OPT_TOUCH_LIST L"-tl"
+#define OPT_TOUCH_TEST L"-tt"
+#define OPT_GRAPH_LIST L"-gl"
+#define OPT_GRAPH_DEVICE L"-gd"
+#define OPT_GRAPH_MODE L"-gm"
+#define OPT_BEEP_LIST L"-bl"
+#define OPT_BEEP_TEST L"-bt"
+#define OPT_SETUP L"-setup"
+#define OPT_PARTITION_LIST L"-pl"
+#define OPT_PARTITION_FILE L"-pf"
+#define OPT_PARTITION_SAVE L"-ps"
+#define OPT_PARTITION_ZERO L"-pz"
+#define OPT_PARTITION_APPLY L"-pa"
+#define OPT_PARTITION_ENCRYPT L"-pe"
+#define OPT_PARTITION_DECRYPT L"-pd"
+#define OPT_PARTITION_IDX_TEMPLATE L"-pnt"
+#define OPT_PARTITION_HIDE L"-phide"
+#define OPT_PARTITION_EDIT L"-pedt"
+#define OPT_PARTITION_EDIT_EXEC L"-pexec"
+#define OPT_PARTITION_RND_LOAD L"-prndload"
+#define OPT_PARTITION_RND_SAVE L"-prndsave"
#define OPT_PARTITION_EDIT_PWD_CACHE L"-pwdcache"
-#define OPT_KEYFILE_PLATFORM L"-kp"
-#define OPT_SECREGION_MARK L"-srm"
-#define OPT_SECREGION_WIPE L"-srw"
-#define OPT_SECREGION_ADD L"-sra"
-#define OPT_WIPE L"-wipe"
-#define OPT_OS_DECRYPT L"-osdecrypt"
-#define OPT_OS_RESTORE_KEY L"-osrestorekey"
-
+#define OPT_KEYFILE_PLATFORM L"-kp"
+#define OPT_SECREGION_MARK L"-srm"
+#define OPT_SECREGION_WIPE L"-srw"
+#define OPT_SECREGION_ADD L"-sra"
+#define OPT_WIPE L"-wipe"
+#define OPT_OS_DECRYPT L"-osdecrypt"
+#define OPT_OS_RESTORE_KEY L"-osrestorekey"
+#define OPT_TPM_PCRS L"-tpmpcrs"
+#define OPT_TPM_NVLIST L"-tpmnvlist"
+#define OPT_TPM_CFG L"-tpmcfg"
STATIC CONST SHELL_PARAM_ITEM ParamList[] = {
{ OPT_DISK_LIST, TypeValue },
{ OPT_DISK_CHECK, TypeFlag },
@@ -124,6 +126,9 @@ STATIC CONST SHELL_PARAM_ITEM ParamList[] = {
{ OPT_WIPE, TypeDoubleValue },
{ OPT_OS_DECRYPT, TypeFlag },
{ OPT_OS_RESTORE_KEY, TypeFlag },
+ { OPT_TPM_PCRS, TypeDoubleValue },
+ { OPT_TPM_NVLIST, TypeFlag },
+ { OPT_TPM_CFG, TypeFlag },
{ NULL, TypeMax }
};
@@ -257,6 +262,30 @@ DcsCfgMain(
TestTouch();
}
+ // TPM
+ if (ShellCommandLineGetFlag(Package, OPT_TPM_PCRS)) {
+ CONST CHAR16* opt1 = NULL;
+ CONST CHAR16* opt2 = NULL;
+ UINT32 sPcr;
+ UINT32 ePcr;
+ opt1 = ShellCommandLineGetValue(Package, OPT_TPM_PCRS);
+ sPcr = (UINT32)StrDecimalToUintn(opt1);
+ opt2 = StrStr(opt1, L" ");
+ if (opt2 != NULL) {
+ opt2++;
+ }
+ ePcr = (UINT32)StrDecimalToUintn(opt2);
+ Tpm12ListPcrs(sPcr, ePcr);
+ }
+
+ if (ShellCommandLineGetFlag(Package, OPT_TPM_NVLIST)) {
+ Tpm12NvList();
+ }
+
+ if (ShellCommandLineGetFlag(Package, OPT_TPM_CFG)) {
+ Tpm12DcsConfigure();
+ }
+
// Graph
if (ShellCommandLineGetFlag(Package, OPT_GRAPH_DEVICE)) {
CONST CHAR16* opt = NULL;
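Review bot: `ePcr = (UINT32)StrDecimalToUintn(opt2);` is executed even when `opt2` is NULL (no space in the value, i.e. the shell parser handed back a single number), and `StrDecimalToUintn` does not accept a NULL string, so the option asserts or dereferences NULL instead of reporting a usage error; `opt1` is likewise used unchecked although `ShellCommandLineGetValue` can return NULL. The `-rnd` handler further down guards `context` before using it; do the same here, e.g. `if (opt1 == NULL) { ERR_PRINT(L"-tpmpcrs needs <start> <end>\n"); } else { ... ePcr = (opt2 != NULL) ? (UINT32)StrDecimalToUintn(opt2) : sPcr; Tpm12ListPcrs(sPcr, ePcr); }`. Whether `Tpm12ListPcrs` bounds the indices to the PCRs a TPM 1.2 actually has is not visible here; if it does not, the range should be checked before the call. `DcsCfgMain` begins and ends outside this hunk.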
@@ -294,15 +323,20 @@ DcsCfgMain(
// Create random
if (ShellCommandLineGetFlag(Package, OPT_RND)) {
CONST CHAR16* opt = NULL;
- CONST CHAR16* context = NULL;
+ CHAR16* context = NULL;
UINTN rndType;
+ UINTN contextSize = 0;
opt = ShellCommandLineGetValue(Package, OPT_RND);
rndType = StrDecimalToUintn(opt);
- context = StrStr(opt, L" ");
+ context = (CHAR16*)StrStr(opt, L" ");
if (context != NULL) {
context++;
+ contextSize = StrLen(context) * 2;
+ if (!EFI_ERROR(FileExist(NULL, context))) {
+ FileLoad(NULL, context, &context, &contextSize);
+ }
}
- res = RndInit(rndType, (CHAR16*)context, &gRnd);
+ res = RndInit(rndType, context, contextSize, &gRnd);
if (EFI_ERROR(res)) {
ERR_PRINT(L"Random: %r\n", res);
}
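Review bot: The status of `FileLoad(NULL, context, &context, &contextSize)` is discarded, so when the file exists but cannot be read, `context` and `contextSize` are whatever `FileLoad` left behind and are still passed to `RndInit` as the generator seed. Capture and check it, `res = FileLoad(NULL, context, &context, &contextSize); if (EFI_ERROR(res)) { ERR_PRINT(L"Random context: %r\n", res); }`, and skip `RndInit` on error. Also note that the loaded buffer is never released after `RndInit`, that `StrLen(context) * 2` hard-codes the CHAR16 width where `StrLen(context) * sizeof(CHAR16)` says what is meant, and that a random-state file is trusted as generator input — whether `RndInit` validates it or only copies it is not visible here. `DcsCfgMain` begins and ends outside this hunk.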
diff --git a/DcsCfg/DcsCfgTpm.c b/DcsCfg/DcsCfgTpm.c
new file mode 100644
index 0000000..5003132
--- /dev/null
+++ b/DcsCfg/DcsCfgTpm.c
@@ -0,0 +1,88 @@
+/** @file
+This is DCS configuration, TPM
+
+Copyright (c) 2016. Disk Cryptography Services for EFI (DCS), Alex Kolotnikov
+Copyright (c) 2016. VeraCrypt, Mounir IDRASSI
+
+This program and the accompanying materials
+are licensed and made available under the terms and conditions
+of the GNU Lesser General Public License, version 3.0 (LGPL-3.0).
+
+The full text of the license may be found at
+https://opensource.org/licenses/LGPL-3.0
+**/
+
+#include <Library/CommonLib.h>
+#include <Library/DcsTpmLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+#include <Library/DcsCfgLib.h>
+#include "DcsVeraCrypt.h"
+
+EFI_STATUS
+Tpm12ListPcrs(
+ UINT32 sPcr,
+ UINT32 ePcr
+ ) {
+ EFI_STATUS res;
+ res = InitTpm12();
+ if (EFI_ERROR(res)) {
+ ERR_PRINT(L"%r\n", res);
+ return res;
+ }
+ return Tpm12DumpPcrs(sPcr, ePcr);
+}
+
+EFI_STATUS
+Tpm12NvList(
+ ) {
+ EFI_STATUS res;
+ UINT32 count;
+ UINT32 i;
+ UINT32 nv[256];
+ res = InitTpm12();
+ if (EFI_ERROR(res)) {
+ ERR_PRINT(L"%r\n", res);
+ return res;
+ }
+ count = sizeof(nv);
+ res = Tpm12GetNvList(&count, nv);
+ if (EFI_ERROR(res)) {
+ ERR_PRINT(L"%r\n", res);
+ return res;
+ }
+ count = count >> 2;
+ for (i = 0; i < count; ++i) {
+ UINT32 index = SwapBytes32(nv[i]);
+ UINT32 attr = 0;
+ UINT32 dataSz = 0;
+ UINT32 pcrR = 0;
+ UINT32 pcrW = 0;
+ OUT_PRINT(L"%H%08x%N ", index);
+ res = Tpm12NvDetails(index, &attr, &dataSz, &pcrR, &pcrW);
+ if (EFI_ERROR(res)) {
+ ERR_PRINT(L"%r\n", res);
+ continue;
+ }
+
+ OUT_PRINT(L"Attr[%08x] PcrR[%08x] PcrW[%08x] [%d] ", attr, pcrR, pcrW, dataSz);
+ OUT_PRINT(L"\n");
+ }
+ return res;
+}
+
+EFI_STATUS
+Tpm12DcsConfigure(
+ ) {
+ EFI_STATUS res;
+ Password pwd;
+ ZeroMem(&pwd, sizeof(pwd));
+ CE(GetTpm());
+ CE(RndInit(RndTypeTpm, NULL, 0, &gRnd));
+ CE(gTpm->Configure(gTpm));
+ CE(gTpm->Apply(gTpm, &pwd));
+ return res;
+
+err:
+ ERR_PRINT(L"%r, line %d", res, gCELine);
+ return res;
+}
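Review bot: In `Tpm12DcsConfigure` the zero-initialised `Password pwd` is handed to `gTpm->Apply(gTpm, &pwd)` and then left on the stack — neither the success path nor the `err:` path wipes it. What `Apply` does with the structure is not visible here: if it fills it in or derives key material from it, the value survives the return; if it only reads the all-zero struct, applying a TPM configuration under an empty password deserves a comment saying why that is intended. Wipe it on both paths by adding `ZeroMem(&pwd, sizeof(pwd));` before the success `return res;` and as the first statement under `err:`, and give the error message a trailing `\n`. Separately, `Tpm12NvList` returns only the status of the last `Tpm12NvDetails` call, so an earlier failing index is reported as success and a failing last index as overall failure although the listing completed; either track the first error or return `EFI_SUCCESS` after the loop.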