From 6701b862aa96775609a7d42662ae4a98e43071bb Mon Sep 17 00:00:00 2001
From: kavsrf
Date: Sun, 4 Dec 2016 13:46:48 +0300
Subject: TPM12 support
---
 DcsCfg/DcsCfg.h | 13 ++++++
 DcsCfg/DcsCfg.inf | 2 +
 DcsCfg/DcsCfg.man | 19 +++++++-
 DcsCfg/DcsCfgMain.c | 128 +++++++++++++++++++++++++++++++++-------------------
 DcsCfg/DcsCfgTpm.c | 88 ++++++++++++++++++++++++++++++++++++
 5 files changed, 201 insertions(+), 49 deletions(-)
 create mode 100644 DcsCfg/DcsCfgTpm.c
(limited to 'DcsCfg')
diff --git a/DcsCfg/DcsCfg.h b/DcsCfg/DcsCfg.h
index 2ffd50d..8a9a15a 100644
--- a/DcsCfg/DcsCfg.h
+++ b/DcsCfg/DcsCfg.h
@@ -161,6 +161,19 @@ TestTouch();
 EFI_STATUS
 DcsInteractiveSetup();
+//////////////////////////////////////////////////////////////////////////
+// TPM
+//////////////////////////////////////////////////////////////////////////
+EFI_STATUS
+Tpm12ListPcrs(
+ UINT32 sPcr,
+ UINT32 ePcr
+ );
+EFI_STATUS
+Tpm12NvList();
+
+EFI_STATUS
+Tpm12DcsConfigure();
 #endif // DcsCfg_h__
diff --git a/DcsCfg/DcsCfg.inf b/DcsCfg/DcsCfg.inf
index c7218aa..c057b96 100644
--- a/DcsCfg/DcsCfg.inf
+++ b/DcsCfg/DcsCfg.inf
@@ -34,6 +34,7 @@
 DcsCfgGraphics.c
 DcsCfgBlockio.c
 DcsCfgTouch.c
+ DcsCfgTpm.c
 DcsCfgSetup.c
 [Packages]
@@ -51,6 +52,7 @@
 GraphLib
 PasswordLib
 DcsCfgLib
+ DcsTpmLib
 VeraCryptLib
 ShellLib
diff --git a/DcsCfg/DcsCfg.man b/DcsCfg/DcsCfg.man
index bb6fda4..72575dc 100644
--- a/DcsCfg/DcsCfg.man
+++ b/DcsCfg/DcsCfg.man
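Review bot: `Tpm12NvList();` and `Tpm12DcsConfigure();` in DcsCfg.h are declared with empty parentheses, which in C leaves the parameter list unspecified rather than declaring a function that takes no arguments, so the compiler cannot check calls against them; write them as `EFI_STATUS Tpm12NvList(VOID);` and `EFI_STATUS Tpm12DcsConfigure(VOID);`, and use the same form for the definitions in DcsCfgTpm.c. The pre-existing `DcsInteractiveSetup();` in this header has the same shape, so this is a point of style the new code inherits rather than a new defect.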
@@ -35,16 +35,20 @@ DcsCfg -ds -wipe
 .SH OPTIONS
+ -dc - check devices (try to authorize)
 -dl - block device list (order numbers are used in -db and -se)
 -ds – select device
 -de – end device to check (starts from select)
- -dc check devices (try to authorize)
 -db - boot partition selection
 -aa - ask authorization parameters
 -ach - create header on block device
 -vec - block device encrypt
 -vdc - block device decrypt
 -vcp - block device change password
+ -rnd - select rnadom type (0 - none, 1 - file, 2- rdrand, 3 HMAC, 4 OPENSSL 5 TPM)
+ -rndgen - generate random file
+ -rndload - load rnd generator state from file
+ -rndsave - save rnd generator state to file
 -ul - USB device list
 -tl - touch device
 -tt - Test touch device
@@ -55,18 +59,29 @@ DcsCfg -ds -wipe
 -bt - Beep device test
 -setup - interactive setup
 -pl - GPT list
- -pf - file with GPT
+ -pf - file with GPT and params
 -ps - save GPT to file
+ -pz - delete info from GPT to file
 -pa - applay GPT from file to disk
 -pe - encrypt GPT
 -pd - decrypt GPT
 -pnt - partition number as template (from -pl)
 -phide - hide partions from to ; - start sector of hidden partition, - end sector of hidden partition
+ -pedt - partition number to edit(from -pl)
+ -pexec - edit executable parameter
+ -prndsave - save random state to params
+ -prndload - load random state from params
+ -pwdcache - edit password cache in params
 -kp - keys file of platform to save
 -srm - mark disk as security regions container(write CRC of platform to 61 sector); - number of possible security regions
 -srw - wipe security regions data with random data (write random data [62, 62 + 256 * SRT]) it has to be free! check first partition start sector!
 -sra - add to security region
 -wipe - write random data to sectors range [SS,SE]
+ -osdecrypt - decrypt OS (rescue)
+ -osrestorekey - restore key (rescue)
+ -tpmpcrs - print PCRs
+ -tpmnvlist - List NV regions in TPM
+ -tpmcfg - Configure TPM
 .SH DESCRIPTION
diff --git a/DcsCfg/DcsCfgMain.c b/DcsCfg/DcsCfgMain.c
index 59ff730..6e4c863 100644
--- a/DcsCfg/DcsCfgMain.c
+++ b/DcsCfg/DcsCfgMain.c
@@ -34,51 +34,53 @@ https://opensource.org/licenses/LGPL-3.0
 //////////////////////////////////////////////////////////////////////////
 // Main
 //////////////////////////////////////////////////////////////////////////
-#define OPT_DISK_CHECK L"-dc"
-#define OPT_DISK_LIST L"-dl"
-#define OPT_DISK_START L"-ds"
-#define OPT_DISK_END L"-de"
-#define OPT_DISK_BOOT L"-db"
-#define OPT_AUTH_ASK L"-aa"
-#define OPT_AUTH_CREATE_HEADER L"-ach"
-#define OPT_RND L"-rnd"
-#define OPT_RND_GEN L"-rndgen"
-#define OPT_RND_LOAD L"-rndload"
-#define OPT_RND_SAVE L"-rndsave"
-#define OPT_VOLUME_ENCRYPT L"-vec"
-#define OPT_VOLUME_DECRYPT L"-vdc"
-#define OPT_VOLUME_CHANGEPWD L"-vcp"
-#define OPT_USB_LIST L"-ul"
-#define OPT_TOUCH_LIST L"-tl"
-#define OPT_TOUCH_TEST L"-tt"
-#define OPT_GRAPH_LIST L"-gl"
-#define OPT_GRAPH_DEVICE L"-gd"
-#define OPT_GRAPH_MODE L"-gm"
-#define OPT_BEEP_LIST L"-bl"
-#define OPT_BEEP_TEST L"-bt"
-#define OPT_SETUP L"-setup"
-#define OPT_PARTITION_LIST L"-pl"
-#define OPT_PARTITION_FILE L"-pf"
-#define OPT_PARTITION_SAVE L"-ps"
-#define OPT_PARTITION_ZERO L"-pz"
-#define OPT_PARTITION_APPLY L"-pa"
-#define OPT_PARTITION_ENCRYPT L"-pe"
-#define OPT_PARTITION_DECRYPT L"-pd"
-#define OPT_PARTITION_IDX_TEMPLATE L"-pnt"
-#define OPT_PARTITION_HIDE L"-phide"
-#define OPT_PARTITION_EDIT L"-pedt"
-#define OPT_PARTITION_EDIT_EXEC L"-pexec"
-#define OPT_PARTITION_RND_LOAD L"-prndload"
-#define OPT_PARTITION_RND_SAVE L"-prndsave"
+#define OPT_DISK_CHECK L"-dc"
+#define OPT_DISK_LIST L"-dl"
+#define OPT_DISK_START L"-ds"
+#define OPT_DISK_END L"-de"
+#define OPT_DISK_BOOT L"-db"
+#define OPT_AUTH_ASK L"-aa"
+#define OPT_AUTH_CREATE_HEADER L"-ach"
+#define OPT_RND L"-rnd"
+#define OPT_RND_GEN L"-rndgen"
+#define OPT_RND_LOAD L"-rndload"
+#define OPT_RND_SAVE L"-rndsave"
+#define OPT_VOLUME_ENCRYPT L"-vec"
+#define OPT_VOLUME_DECRYPT L"-vdc"
+#define OPT_VOLUME_CHANGEPWD L"-vcp"
+#define OPT_USB_LIST L"-ul"
+#define OPT_TOUCH_LIST L"-tl"
+#define OPT_TOUCH_TEST L"-tt"
+#define OPT_GRAPH_LIST L"-gl"
+#define OPT_GRAPH_DEVICE L"-gd"
+#define OPT_GRAPH_MODE L"-gm"
+#define OPT_BEEP_LIST L"-bl"
+#define OPT_BEEP_TEST L"-bt"
+#define OPT_SETUP L"-setup"
+#define OPT_PARTITION_LIST L"-pl"
+#define OPT_PARTITION_FILE L"-pf"
+#define OPT_PARTITION_SAVE L"-ps"
+#define OPT_PARTITION_ZERO L"-pz"
+#define OPT_PARTITION_APPLY L"-pa"
+#define OPT_PARTITION_ENCRYPT L"-pe"
+#define OPT_PARTITION_DECRYPT L"-pd"
+#define OPT_PARTITION_IDX_TEMPLATE L"-pnt"
+#define OPT_PARTITION_HIDE L"-phide"
+#define OPT_PARTITION_EDIT L"-pedt"
+#define OPT_PARTITION_EDIT_EXEC L"-pexec"
+#define OPT_PARTITION_RND_LOAD L"-prndload"
+#define OPT_PARTITION_RND_SAVE L"-prndsave"
 #define OPT_PARTITION_EDIT_PWD_CACHE L"-pwdcache"
-#define OPT_KEYFILE_PLATFORM L"-kp"
-#define OPT_SECREGION_MARK L"-srm"
-#define OPT_SECREGION_WIPE L"-srw"
-#define OPT_SECREGION_ADD L"-sra"
-#define OPT_WIPE L"-wipe"
-#define OPT_OS_DECRYPT L"-osdecrypt"
-#define OPT_OS_RESTORE_KEY L"-osrestorekey"
-
+#define OPT_KEYFILE_PLATFORM L"-kp"
+#define OPT_SECREGION_MARK L"-srm"
+#define OPT_SECREGION_WIPE L"-srw"
+#define OPT_SECREGION_ADD L"-sra"
+#define OPT_WIPE L"-wipe"
+#define OPT_OS_DECRYPT L"-osdecrypt"
+#define OPT_OS_RESTORE_KEY L"-osrestorekey"
+#define OPT_TPM_PCRS L"-tpmpcrs"
+#define OPT_TPM_NVLIST L"-tpmnvlist"
+#define OPT_TPM_CFG L"-tpmcfg"
 STATIC CONST SHELL_PARAM_ITEM ParamList[] = {
 { OPT_DISK_LIST, TypeValue },
 { OPT_DISK_CHECK, TypeFlag },
@@ -124,6 +126,9 @@ STATIC CONST SHELL_PARAM_ITEM ParamList[] = {
 { OPT_WIPE, TypeDoubleValue },
 { OPT_OS_DECRYPT, TypeFlag },
 { OPT_OS_RESTORE_KEY, TypeFlag },
+ { OPT_TPM_PCRS, TypeDoubleValue },
+ { OPT_TPM_NVLIST, TypeFlag },
+ { OPT_TPM_CFG, TypeFlag },
 { NULL, TypeMax }
 };
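Review bot: `{ OPT_TPM_PCRS, TypeDoubleValue }` makes -tpmpcrs take two values, which the handler in DcsCfgMain.c splits at a space into a start and an end PCR index (sPcr/ePcr), but neither this table nor the new DcsCfg.man line (`-tpmpcrs - print PCRs`) says so, whereas the neighbouring -wipe entry does document its `[SS,SE]` pair. A comment on the entry, `{ OPT_TPM_PCRS, TypeDoubleValue }, // start and end PCR index`, and the same wording in the man page would let the option be used without reading the code. The remaining lines of this hunk are a whitespace re-alignment of the option defines plus the three new OPT_TPM_* names, which look consistent with the table and the man page.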
@@ -257,6 +262,30 @@ DcsCfgMain(
 TestTouch();
 }
+ // TPM
+ if (ShellCommandLineGetFlag(Package, OPT_TPM_PCRS)) {
+ CONST CHAR16* opt1 = NULL;
+ CONST CHAR16* opt2 = NULL;
+ UINT32 sPcr;
+ UINT32 ePcr;
+ opt1 = ShellCommandLineGetValue(Package, OPT_TPM_PCRS);
+ sPcr = (UINT32)StrDecimalToUintn(opt1);
+ opt2 = StrStr(opt1, L" ");
+ if (opt2 != NULL) {
+ opt2++;
+ }
+ ePcr = (UINT32)StrDecimalToUintn(opt2);
+ Tpm12ListPcrs(sPcr, ePcr);
+ }
+
+ if (ShellCommandLineGetFlag(Package, OPT_TPM_NVLIST)) {
+ Tpm12NvList();
+ }
+
+ if (ShellCommandLineGetFlag(Package, OPT_TPM_CFG)) {
+ Tpm12DcsConfigure();
+ }
+
 // Graph
 if (ShellCommandLineGetFlag(Package, OPT_GRAPH_DEVICE)) {
 CONST CHAR16* opt = NULL;
@@ -294,15 +323,20 @@ DcsCfgMain(
 // Create random
 if (ShellCommandLineGetFlag(Package, OPT_RND)) {
 CONST CHAR16* opt = NULL;
- CONST CHAR16* context = NULL;
+ CHAR16* context = NULL;
 UINTN rndType;
+ UINTN contextSize = 0;
 opt = ShellCommandLineGetValue(Package, OPT_RND);
 rndType = StrDecimalToUintn(opt);
- context = StrStr(opt, L" ");
+ context = (CHAR16*)StrStr(opt, L" ");
 if (context != NULL) {
 context++;
+ contextSize = StrLen(context) * 2;
+ if (!EFI_ERROR(FileExist(NULL, context))) {
+ FileLoad(NULL, context, &context, &contextSize);
+ }
 }
- res = RndInit(rndType, (CHAR16*)context, &gRnd);
+ res = RndInit(rndType, context, contextSize, &gRnd);
 if (EFI_ERROR(res)) {
 ERR_PRINT(L"Random: %r\n", res);
 }
diff --git a/DcsCfg/DcsCfgTpm.c b/DcsCfg/DcsCfgTpm.c
new file mode 100644
index 0000000..5003132
--- /dev/null
+++ b/DcsCfg/DcsCfgTpm.c
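Review bot: `ePcr = (UINT32)StrDecimalToUintn(opt2);` is reached with `opt2 == NULL` whenever the -tpmpcrs value holds no second number (StrStr finds no space), so a NULL string is handed to StrDecimalToUintn, which BaseLib does not accept; `opt1` can likewise be NULL if ShellCommandLineGetValue returns no value, and `StrStr(opt1, L" ")` would then fail the same way. Guard both before parsing — `if (opt1 != NULL)` around the block, and `ePcr = (opt2 != NULL) ? (UINT32)StrDecimalToUintn(opt2) : sPcr;` so a single value lists just that PCR (or report a usage error instead, if a range is mandatory). The -rnd handler further down already checks `context != NULL` before using it, so this is the pattern the file expects. DcsCfgMain begins and ends outside this hunk.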
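Review bot: The status of `FileLoad(NULL, context, &context, &contextSize);` is discarded, and because `&context` is also its output buffer a failed load can leave `context` and `contextSize` in whatever state FileLoad left them before they are passed to RndInit as the seed context; keep the status, `res = FileLoad(NULL, context, &context, &contextSize);`, report it with the existing `ERR_PRINT(L"Random: %r\n", res);` form and skip RndInit when it fails. `StrLen(context) * 2` hard-codes the CHAR16 width — `StrLen(context) * sizeof(CHAR16)` says what is meant. The `(CHAR16*)` cast drops const on the shell's argument buffer only so the same variable can receive FileLoad's buffer; a separate `CHAR16 *loaded = NULL` output pointer would keep `context` const and give something to free after RndInit if FileLoad allocates (nothing here frees a loaded buffer — verify against FileLoad/RndInit ownership). DcsCfgMain begins and ends outside this hunk.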
@@ -0,0 +1,88 @@
+/** @file
+This is DCS configuration, TPM
+
+Copyright (c) 2016. Disk Cryptography Services for EFI (DCS), Alex Kolotnikov
+Copyright (c) 2016. VeraCrypt, Mounir IDRASSI
+
+This program and the accompanying materials
+are licensed and made available under the terms and conditions
+of the GNU Lesser General Public License, version 3.0 (LGPL-3.0).
+
+The full text of the license may be found at
+https://opensource.org/licenses/LGPL-3.0
+**/
+
+#include
+#include
+#include
+#include
+#include "DcsVeraCrypt.h"
+
+EFI_STATUS
+Tpm12ListPcrs(
+ UINT32 sPcr,
+ UINT32 ePcr
+ ) {
+ EFI_STATUS res;
+ res = InitTpm12();
+ if (EFI_ERROR(res)) {
+ ERR_PRINT(L"%r\n", res);
+ return res;
+ }
+ return Tpm12DumpPcrs(sPcr, ePcr);
+}
+
+EFI_STATUS
+Tpm12NvList(
+ ) {
+ EFI_STATUS res;
+ UINT32 count;
+ UINT32 i;
+ UINT32 nv[256];
+ res = InitTpm12();
+ if (EFI_ERROR(res)) {
+ ERR_PRINT(L"%r\n", res);
+ return res;
+ }
+ count = sizeof(nv);
+ res = Tpm12GetNvList(&count, nv);
+ if (EFI_ERROR(res)) {
+ ERR_PRINT(L"%r\n", res);
+ return res;
+ }
+ count = count >> 2;
+ for (i = 0; i < count; ++i) {
+ UINT32 index = SwapBytes32(nv[i]);
+ UINT32 attr = 0;
+ UINT32 dataSz = 0;
+ UINT32 pcrR = 0;
+ UINT32 pcrW = 0;
+ OUT_PRINT(L"%H%08x%N ", index);
+ res = Tpm12NvDetails(index, &attr, &dataSz, &pcrR, &pcrW);
+ if (EFI_ERROR(res)) {
+ ERR_PRINT(L"%r\n", res);
+ continue;
+ }
+
+ OUT_PRINT(L"Attr[%08x] PcrR[%08x] PcrW[%08x] [%d] ", attr, pcrR, pcrW, dataSz);
+ OUT_PRINT(L"\n");
+ }
+ return res;
+}
+
+EFI_STATUS
+Tpm12DcsConfigure(
+ ) {
+ EFI_STATUS res;
+ Password pwd;
+ ZeroMem(&pwd, sizeof(pwd));
+ CE(GetTpm());
+ CE(RndInit(RndTypeTpm, NULL, 0, &gRnd));
+ CE(gTpm->Configure(gTpm));
+ CE(gTpm->Apply(gTpm, &pwd));
+ return res;
+
+err:
+ ERR_PRINT(L"%r, line %d", res, gCELine);
+ return res;
+}
--
cgit v1.2.3
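Review bot: In Tpm12NvList the loop bound `count >> 2` is whatever Tpm12GetNvList wrote back into `count`, with no check that it still fits `nv` (256 UINT32s, 1024 bytes); if that call can report the size the TPM wanted rather than the bytes it copied, the loop reads past the array, so clamp it with `if (count > sizeof(nv)) { count = sizeof(nv); }` before the shift, or confirm Tpm12GetNvList never returns a larger value. The function also returns the status of the last Tpm12NvDetails call, so a failure on the final index reports an error after the whole list was printed. In Tpm12DcsConfigure `pwd` is zeroed before `gTpm->Apply(gTpm, &pwd)` but not afterwards; if Apply stores the password or derived key material in it, `ZeroMem(&pwd, sizeof(pwd));` belongs on both the normal return and the `err:` path. The `err:` message `ERR_PRINT(L"%r, line %d", res, gCELine);` lacks the trailing `\n` that the other two functions print, and the four angle-bracket `#include` lines appear empty in this rendering, so the headers cannot be checked from here.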