New rollback_index API.

firmware/lib/rollback_index.c

 /* Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  *
  * Functions for querying, manipulating and locking rollback indices
  * stored in the TPM NVRAM.
  */
 
 #include "rollback_index.h"
 
 #include "tlcl.h"
 #include "tss_constants.h"
 #include "utility.h"
 
-uint16_t g_firmware_key_version = 0;
-uint16_t g_firmware_version = 0;
-uint16_t g_kernel_key_version = 0;
-uint16_t g_kernel_version = 0;
+static int g_rollback_recovery_mode = 0;
 
 /* disable MSVC warning on const logical expression (as in } while(0);) */
 __pragma(warning (disable: 4127))
 
 #define RETURN_ON_FAILURE(tpm_command) do {             \
     uint32_t result;                                    \
     if ((result = (tpm_command)) != TPM_SUCCESS) {      \
       return result;                                    \
     }                                                   \
   } while (0)
@@ skipping 97 matching lines @@
   uint32_t must_use_backup;
   RETURN_ON_FAILURE(TlclRead(KERNEL_MUST_USE_BACKUP_NV_INDEX,
                              (uint8_t*) &must_use_backup, sizeof(uint32_t)));
   if (must_use_backup != distrust) {
      RETURN_ON_FAILURE(SafeWrite(KERNEL_MUST_USE_BACKUP_NV_INDEX,
                                  (uint8_t*) &distrust, sizeof(uint32_t)));
   }
   return TPM_SUCCESS;
 }
 
-static uint32_t GetTPMRollbackIndices(int type) {
-  uint32_t firmware_versions;
-  uint32_t kernel_versions;
-
-  /* We perform the reads, making sure they succeed. A failure means that the
-   * rollback index locations are missing or somehow messed up.  We let the
-   * caller deal with that.
-   */
-  switch (type) {
-  case FIRMWARE_VERSIONS:
-    RETURN_ON_FAILURE(TlclRead(FIRMWARE_VERSIONS_NV_INDEX,
-                               (uint8_t*) &firmware_versions,
-                               sizeof(firmware_versions)));
-    g_firmware_key_version = (uint16_t) (firmware_versions >> 16);
-    g_firmware_version = (uint16_t) (firmware_versions & 0xffff);
-    break;
-  case KERNEL_VERSIONS:
-    RETURN_ON_FAILURE(TlclRead(KERNEL_VERSIONS_NV_INDEX,
-                               (uint8_t*) &kernel_versions,
-                               sizeof(kernel_versions)));
-    g_kernel_key_version = (uint16_t) (kernel_versions >> 16);
-    g_kernel_version = (uint16_t) (kernel_versions & 0xffff);
-    break;
-  }
-
-  return TPM_SUCCESS;
-}
-
 /* Checks if the kernel version space has been mucked with.  If it has,
  * reconstructs it using the backup value.
  */
 uint32_t RecoverKernelSpace(void) {
   uint32_t perms = 0;
   uint8_t buffer[KERNEL_SPACE_SIZE];
   int read_OK = 0;
   int perms_OK = 0;
   uint32_t backup_combined_versions;
   uint32_t must_use_backup;
@@ skipping 63 matching lines @@
                              sizeof(past_developer)));
   if (past_developer != current_developer) {
     RETURN_ON_FAILURE(TPMClearAndReenable());
     RETURN_ON_FAILURE(SafeWrite(DEVELOPER_MODE_NV_INDEX,
                                 (uint8_t*) &current_developer,
                                 sizeof(current_developer)));
   }
   return TPM_SUCCESS;
 }
 
-static uint32_t SetupTPM_(int mode, int developer_flag) {
+/* SetupTPM starts the TPM and establishes the root of trust for the
+ * anti-rollback mechanism.  SetupTPM can fail for three reasons.  1 A bug. 2 a
+ * TPM hardware failure. 3 An unexpected TPM state due to some attack.  In
+ * general we cannot easily distinguish the kind of failure, so our strategy is
+ * to reboot in recovery mode in all cases.  The recovery mode calls SetupTPM
+ * again, which executes (almost) the same sequence of operations.  There is a
+ * good chance that, if recovery mode was entered because of a TPM failure, the
+ * failure will repeat itself.  (In general this is impossible to guarantee
+ * because we have no way of creating the exact TPM initial state at the
+ * previous boot.)  In recovery mode, we ignore the failure and continue, thus
+ * giving the recovery kernel a chance to fix things (that's why we don't set
+ * bGlobalLock).  The choice is between a knowingly insecure device and a
+ * bricked device.
+ *
+ * As a side note, observe that we go through considerable hoops to avoid using
+ * the STCLEAR permissions for the index spaces.  We do this to avoid writing
+ * to the TPM flashram at every reboot or wake-up, because of concerns about
+ * the durability of the NVRAM.
+ */
+static uint32_t SetupTPM(int recovery_mode,
+                         int developer_mode) {
   uint8_t disable;
   uint8_t deactivated;
+
   TlclLibInit();
   RETURN_ON_FAILURE(TlclStartup());
   RETURN_ON_FAILURE(TlclContinueSelfTest());
   RETURN_ON_FAILURE(TlclAssertPhysicalPresence());
   /* Checks that the TPM is enabled and activated. */
   RETURN_ON_FAILURE(TlclGetFlags(&disable, &deactivated));
   if (disable || deactivated) {
     RETURN_ON_FAILURE(TlclSetEnable());
     RETURN_ON_FAILURE(TlclSetDeactivated(0));
     return TPM_E_MUST_REBOOT;
   }
   /* We expect this to fail the first time we run on a device, because the TPM
    * has not been initialized yet.
    */
   if (RecoverKernelSpace() != TPM_SUCCESS) {
     int initialized = 0;
     RETURN_ON_FAILURE(GetSpacesInitialized(&initialized));
     if (initialized) {
       return TPM_E_ALREADY_INITIALIZED;
     } else {
       RETURN_ON_FAILURE(InitializeSpaces());
       RETURN_ON_FAILURE(RecoverKernelSpace());
     }
   }
   RETURN_ON_FAILURE(BackupKernelSpace());
-  RETURN_ON_FAILURE(SetDistrustKernelSpaceAtNextBoot(mode == RO_RECOVERY_MODE));
-  RETURN_ON_FAILURE(GetTPMRollbackIndices(FIRMWARE_VERSIONS));
-  RETURN_ON_FAILURE(GetTPMRollbackIndices(KERNEL_VERSIONS));
+  RETURN_ON_FAILURE(SetDistrustKernelSpaceAtNextBoot(recovery_mode));
+  RETURN_ON_FAILURE(CheckDeveloperModeTransition(developer_mode));
 
-  RETURN_ON_FAILURE(CheckDeveloperModeTransition(developer_flag));
-
-  /* As a courtesy (I hope) to the caller, lock the firmware versions if we are
-   * in recovery mode.  The normal mode may need to update the firmware
-   * versions, so they cannot be locked here.
-   */
-  if (mode == RO_RECOVERY_MODE) {
-    RETURN_ON_FAILURE(LockFirmwareVersions());
+  if (recovery_mode) {
+    /* In recovery mode global variables are usable. */
+    g_rollback_recovery_mode = 1;
   }
   return TPM_SUCCESS;
 }
 
-/* SetupTPM starts the TPM and establishes the root of trust for the
- * anti-rollback mechanism.  SetupTPM can fail for three reasons.  1 A bug. 2 a
- * TPM hardware failure. 3 An unexpected TPM state due to some attack.  In
- * general we cannot easily distinguish the kind of failure, so our strategy is
- * to reboot in recovery mode in all cases.  The recovery mode calls SetupTPM
- * again, which executes (almost) the same sequence of operations.  There is a
- * good chance that, if recovery mode was entered because of a TPM failure, the
- * failure will repeat itself.  (In general this is impossible to guarantee
- * because we have no way of creating the exact TPM initial state at the
- * previous boot.)  In recovery mode, we ignore the failure and continue, thus
- * giving the recovery kernel a chance to fix things (that's why we don't set
- * bGlobalLock).  The choice is between a knowingly insecure device and a
- * bricked device.
- *
- * As a side note, observe that we go through considerable hoops to avoid using
- * the STCLEAR permissions for the index spaces.  We do this to avoid writing
- * to the TPM flashram at every reboot or wake-up, because of concerns about
- * the durability of the NVRAM.
- */
-uint32_t SetupTPM(int mode, int developer_flag) {
-  switch (mode) {
-  case RO_RECOVERY_MODE:
-  case RO_NORMAL_MODE: {
-    uint32_t result = SetupTPM_(mode, developer_flag);
-    if (mode == RO_NORMAL_MODE) {
-      return result;
-    } else {
-      /* In recovery mode we want to keep going even if there are errors. */
-      return TPM_SUCCESS;
-    }
-  }
-  case RW_NORMAL_MODE:
-    RETURN_ON_FAILURE(GetTPMRollbackIndices(KERNEL_VERSIONS));
-  default:
-    return TPM_E_INTERNAL_INCONSISTENCY;
-  }
-}
-
-uint32_t GetStoredVersions(int type, uint16_t* key_version, uint16_t* version) {
-  /* TODO: should verify that SetupTPM() has been called.
-   *
-   * Note that SetupTPM() does hardware setup AND sets global variables.  When
-   * we get down into kernel verification, the hardware setup persists, but we
-   * lose the global variables.
-   */
-  switch (type) {
-    case FIRMWARE_VERSIONS:
-      *key_version = g_firmware_key_version;
-      *version = g_firmware_version;
-      break;
-    case KERNEL_VERSIONS:
-      *key_version = g_kernel_key_version;
-      *version = g_kernel_version;
-      break;
-  }
-
-  return TPM_SUCCESS;
-}
-
-uint32_t WriteStoredVersions(int type, uint16_t key_version, uint16_t version) {
-  uint32_t combined_version = (key_version << 16) & version;
-  switch (type) {
-    case FIRMWARE_VERSIONS:
-      RETURN_ON_FAILURE(SafeWrite(FIRMWARE_VERSIONS_NV_INDEX,
-                                  (uint8_t*) &combined_version,
-                                  sizeof(uint32_t)));
-      break;
-
-    case KERNEL_VERSIONS:
-      RETURN_ON_FAILURE(SafeWrite(KERNEL_VERSIONS_NV_INDEX,
-                                  (uint8_t*) &combined_version,
-                                  sizeof(uint32_t)));
-  }
-  return TPM_SUCCESS;
-}
-
-uint32_t LockFirmwareVersions() {
-  return TlclSetGlobalLock();
-}
-
-uint32_t LockKernelVersionsByLockingPP() {
-  return TlclLockPhysicalPresence();
-}
-
 /* disable MSVC warnings on unused arguments */
 __pragma(warning (disable: 4100))
 
-/* NEW APIS!  HELP ME LUIGI, YOU'RE MY ONLY HOPE! */
+uint32_t RollbackFirmwareSetup(int developer_mode) {
+  return SetupTPM(0, developer_mode);
+}
 
-uint32_t RollbackFirmwareSetup(int developer_mode,
-                               uint16_t* key_version, uint16_t* version) {
+uint32_t RollbackFirmwareRead(uint16_t* key_version, uint16_t* version) {
+  uint32_t firmware_versions;
+  /* Gets firmware versions. */
+  RETURN_ON_FAILURE(TlclRead(FIRMWARE_VERSIONS_NV_INDEX,
+                             (uint8_t*) &firmware_versions,
+                             sizeof(firmware_versions)));
+  *key_version = (uint16_t) (firmware_versions >> 16);
+  *version = (uint16_t) (firmware_versions & 0xffff);
   return TPM_SUCCESS;
 }
 
 uint32_t RollbackFirmwareWrite(uint16_t key_version, uint16_t version) {
-  return TPM_SUCCESS;
+  uint32_t combined_version = (key_version << 16) & version;
+  return SafeWrite(FIRMWARE_VERSIONS_NV_INDEX,
+                   (uint8_t*) &combined_version,
+                   sizeof(uint32_t));
 }
 
 uint32_t RollbackFirmwareLock(void) {
-  return TPM_SUCCESS;
+  return TlclSetGlobalLock();
 }
 
 uint32_t RollbackKernelRecovery(int developer_mode) {
+  uint32_t result = SetupTPM(1, developer_mode);
+  if (result == TPM_SUCCESS) {
+    RETURN_ON_FAILURE(TlclSetGlobalLock());
+  }
   return TPM_SUCCESS;
 }
 
 uint32_t RollbackKernelRead(uint16_t* key_version, uint16_t* version) {
+  uint32_t kernel_versions;
+  if (g_rollback_recovery_mode) {
+    *key_version = 0;
+    *version = 0;
+  } else {
+    /* Reads kernel versions from TPM. */
+    RETURN_ON_FAILURE(TlclRead(KERNEL_VERSIONS_NV_INDEX,
+                               (uint8_t*) &kernel_versions,
+                               sizeof(kernel_versions)));
+    *key_version = (uint16_t) (kernel_versions >> 16);
+    *version = (uint16_t) (kernel_versions & 0xffff);
+  }
   return TPM_SUCCESS;
 }
 
 uint32_t RollbackKernelWrite(uint16_t key_version, uint16_t version) {
+  if (!g_rollback_recovery_mode) {
+    uint32_t combined_version = (key_version << 16) & version;
+    return SafeWrite(KERNEL_VERSIONS_NV_INDEX,
+                     (uint8_t*) &combined_version,
+                     sizeof(uint32_t));
+  }
   return TPM_SUCCESS;
 }
 
 uint32_t RollbackKernelLock(void) {
-  return TPM_SUCCESS;
+  if (!g_rollback_recovery_mode) {
+    return TlclLockPhysicalPresence();
+  } else {
+    return TPM_SUCCESS;
+  }
 }