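/*
 * Send one TPM_Extend of sha1(data[0..len)) into PCR @pcr over @tpm.
 *
 * The result of the extend is checked rather than dropped on the floor: a
 * transport error (non-zero return from tpmfront_cmd) or a TPM-level error
 * (non-zero status in the response) would otherwise leave the PCR without
 * the measurement while the boot carries on as if it had been recorded,
 * which is exactly the "TPM that has not been sent any measurements" case
 * the caller's comment warns about.  Failure is therefore fatal.
 *
 * NOTE(review): this relies on ASSERT() being active in this build; if the
 * build can compile ASSERT out, replace it with an explicit abort.
 */
static void tpm_extend_pcr(struct tpmfront_dev *tpm, uint32_t pcr,
			   void *data, size_t len)
{
	struct pcr_extend_cmd cmd;
	struct pcr_extend_rsp *resp = NULL;	/* NULL so a failed call is detectable */
	size_t resplen = 0;
	int rv;

	/* TPM 1.2 request header; every multi-byte field is big-endian. */
	cmd.tag = bswap_16(TPM_TAG_RQU_COMMAND);
	cmd.size = bswap_32(sizeof(cmd));
	cmd.ord = bswap_32(TPM_ORD_Extend);
	cmd.pcr = bswap_32(pcr);
	sha1(data, len, cmd.hash);

	rv = tpmfront_cmd(tpm, (void*)&cmd, sizeof(cmd), (void*)&resp, &resplen);
	/* Transport success alone is not enough; the TPM's own return code must be 0. */
	ASSERT(rv == 0 && resp != NULL && resp->status == 0);
}

/*
 * Measure the guest's boot inputs into the vTPM before handing over to the
 * kernel: the kernel image goes into PCR 4, the command line and then the
 * initrd both go into PCR 5 (two extends of the same PCR, so its final
 * value depends on both, in that order).
 *
 * dom     - loaded domain image; kernel_blob/kernel_size and
 *           ramdisk_blob/ramdisk_size are read.
 * cmdline - NUL-terminated kernel command line.  strlen() is applied to it
 *           unconditionally, so it must not be NULL (callers are assumed to
 *           guarantee this -- TODO confirm).
 *
 * vTPM presence is best-effort: without a vTPM frontend nothing is measured
 * and the boot proceeds.  If all guests have access to a vTPM, it may be
 * useful to replace that early return with ASSERT(tpm) to prevent
 * configuration errors from allowing a guest to boot without a TPM (or with
 * a TPM that has not been sent any measurements, which could allow forging
 * the measurements).  Once a vTPM is present, however, every extend is
 * mandatory and a failed one aborts (see tpm_extend_pcr).
 */
static void tpm_hash2pcr(struct xc_dom_image *dom, char *cmdline)
{
	struct tpmfront_dev *tpm = init_tpmfront(NULL);

	if (!tpm)
		return;

	tpm_extend_pcr(tpm, 4, dom->kernel_blob, dom->kernel_size);	/* PCR #4: kernel */
	tpm_extend_pcr(tpm, 5, cmdline, strlen(cmdline));		/* PCR #5: cmdline */
	tpm_extend_pcr(tpm, 5, dom->ramdisk_blob, dom->ramdisk_size);	/* PCR #5: initrd */

	shutdown_tpmfront(tpm);
}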
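/*
 * Verify that the domain at the far end of the vTPM's event channel carries
 * the security label the boot was configured to require (vtpm_label), and
 * abort the boot if it does not.
 *
 * Matching rules: vtpm_label is compared with the peer context exactly; if
 * vtpm_label starts with '*' the remainder is instead matched as a suffix of
 * the peer context (so "*vtpm_t:s0" accepts any context ending in that
 * string, and a lone "*" accepts any context).  A context that is exactly
 * equal to the suffix also matches; the earlier `offset > 0` test rejected
 * that case, which contradicted the suffix semantics.
 *
 * Every failure path (no frontend, context unavailable, mismatch) ends in
 * do_exit(): when a label is required, there is no safe fallback.
 */
static void vtpm_check_peer_label(struct tpmfront_dev *tpm)
{
	char ctx[128] = {0};	/* zeroed: a short reply must not leave unread garbage behind the label */
	const char *pattern = vtpm_label;
	int rv;

	if (!tpm) {
		printf("No TPM found and vtpm_label specified, aborting!\n");
		do_exit();
	}

	/* Leave one byte for our own terminator regardless of what the callee writes. */
	rv = evtchn_get_peercontext(tpm->evtchn, ctx, sizeof(ctx) - 1);
	if (rv < 0) {
		printf("Could not verify vtpm_label: %d\n", rv);
		do_exit();
	}
	ctx[sizeof(ctx) - 1] = 0;

	rv = strcmp(ctx, pattern);
	if (rv && pattern[0] == '*') {
		size_t suffix_len = strlen(pattern) - 1;	/* '*' itself is not part of the suffix */
		size_t ctx_len = strlen(ctx);

		/* Computed in size_t so a context shorter than the suffix cannot wrap
		 * through an int the way the old strlen()-minus-int offset could. */
		if (ctx_len >= suffix_len)
			rv = strcmp(ctx + (ctx_len - suffix_len), pattern + 1);
	}

	if (rv) {
		printf("Mismatched vtpm_label: '%s' != '%s'\n", ctx, vtpm_label);
		do_exit();
	}
}

/*
 * Send one TPM_Extend of sha1(data[0..len)) into PCR @pcr over @tpm and
 * abort the boot if it did not take.
 *
 * Both the transport result (return value of tpmfront_cmd) and the TPM's
 * own return code (resp->status) are checked: an extend that fails silently
 * would leave the PCR without the measurement while the boot continued as
 * if it had been recorded.  An explicit printf+do_exit is used instead of
 * ASSERT so the check cannot disappear in a build that compiles ASSERT out
 * (whether this build can is not visible here).
 */
static void vtpm_extend_or_die(struct tpmfront_dev *tpm, uint32_t pcr,
			       void *data, size_t len)
{
	struct pcr_extend_cmd cmd;
	struct pcr_extend_rsp *resp = NULL;	/* NULL so a failed call is detectable */
	size_t resplen = 0;
	int rv;

	/* TPM 1.2 request header; every multi-byte field is big-endian. */
	cmd.tag = bswap_16(TPM_TAG_RQU_COMMAND);
	cmd.size = bswap_32(sizeof(cmd));
	cmd.ord = bswap_32(TPM_ORD_Extend);
	cmd.pcr = bswap_32(pcr);
	sha1(data, len, cmd.hash);

	rv = tpmfront_cmd(tpm, (void*)&cmd, sizeof(cmd), (void*)&resp, &resplen);
	if (rv != 0 || resp == NULL || resp->status != 0) {
		/* status is printed as received (byte order not normalised). */
		printf("TPM_Extend of PCR %u failed (rv=%d, status=0x%x), aborting!\n",
		       (unsigned)pcr, rv, resp ? (unsigned)resp->status : 0u);
		do_exit();
	}
}

/*
 * Measure the guest's boot inputs into the vTPM before handing over to the
 * kernel: the kernel image goes into PCR 4, the command line and then the
 * first module (initrd) both go into PCR 5 (two extends of the same PCR, so
 * its final value depends on both, in that order).
 *
 * dom     - loaded domain image; kernel_blob/kernel_size and
 *           modules[0].blob/modules[0].size are read.
 * cmdline - NUL-terminated kernel command line.  strlen() is applied to it
 *           unconditionally, so it must not be NULL (callers are assumed to
 *           guarantee this -- TODO confirm).
 *
 * Policy: if vtpm_label was specified on the command line, a vTPM must be
 * attached and the domain providing it must carry that label, otherwise the
 * boot is aborted.  Without vtpm_label, a missing vTPM is tolerated and the
 * guest boots unmeasured.  Once a vTPM is in use, every extend is mandatory
 * and a failed one aborts (see vtpm_extend_or_die).
 */
static void tpm_hash2pcr(struct xc_dom_image *dom, char *cmdline)
{
	struct tpmfront_dev *tpm = init_tpmfront(NULL);

	if (vtpm_label)
		vtpm_check_peer_label(tpm);	/* does not return on failure */
	else if (!tpm)
		return;				/* no vTPM configured: boot unmeasured */

	vtpm_extend_or_die(tpm, 4, dom->kernel_blob, dom->kernel_size);		/* PCR #4: kernel */
	vtpm_extend_or_die(tpm, 5, cmdline, strlen(cmdline));			/* PCR #5: cmdline */
	vtpm_extend_or_die(tpm, 5, dom->modules[0].blob, dom->modules[0].size);	/* PCR #5: initrd */

	shutdown_tpmfront(tpm);
}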