security/intel/cbnt/measurement.c: support MTL and newer

SergiiDmytruk · SergiiDmytruk · commit b577aaac2174 · 2025-08-20T16:33:39.000+03:00
Differences from the previous way of measurements:
 - must log CRTM version to PCR-0
 - must log IBB hash (as is, provided in BPM)to PCR-0
 - need to extend PCR-0 with POLICY_DATA which is a subset of PCR0_DATA
   from the original ("conventional") way

Half of the changes is just moving things into if-statement.

Upstream-Status: Pending
Change-Id: Icc101aa03db99a741c3b7142aa00d42ec6569ae9
Signed-off-by: Sergii Dmytruk &lt;sergii.dmytruk@3mdeb.com&gt;
diff --git a/src/security/intel/cbnt/measurement.c b/src/security/intel/cbnt/measurement.c
@@ -38,6 +38,12 @@
 #define KM_HASH_USAGE_SDEV      (1 << 3)
 #define KM_HASH_USAGE_PFR_CPLD  (1 << 4)
 
+/*
+ * SRTM version is an upper-case hex dump of ACM's "Date" (offset 20) and "TXT SVN" (offset 28)
+ * fields as a NUL-terminated UTF16 string.
+ */
+#define SCRTM_VERSION_LENGTH  13
+
 /*
  * Definitions of the structures come from Intel document #575623 CBnT BWG v1.2.5 ("Intel
  * Converged Boot Guard and Intel Trusted Execution Technology (Intel TXT) BIOS Specification").
@@ -179,7 +185,8 @@ static const void *find_in_fit(uint8_t type, size_t *size)
 	return addr;
 }
 
-static enum cb_err get_ibbs_flags(bool *auth_measure, uint64_t *biosacm_sts_mask)
+static enum cb_err get_flags(bool *conventional_measurements, bool *auth_measure,
+			     uint64_t *biosacm_sts_mask)
 {
 	size_t bpm_len;
 	const struct bpm_header *bpm = find_in_fit(FIT_ENTRY_TYPE_BPM, &bpm_len);
@@ -188,6 +195,11 @@ static enum cb_err get_ibbs_flags(bool *auth_measure, uint64_t *biosacm_sts_mask
 		return CB_ERR;
 	}
 
+	/* Meteor Lake seems to be the first generation with new (more TCG-like) style of
+	   measurements. */
+	*conventional_measurements = !CONFIG(SOC_INTEL_METEORLAKE)
+				  && !CONFIG(SOC_INTEL_PANTHERLAKE_BASE);
+
 	const struct bpm_ibbs *ibbs = (const void *)bpm->se_element;
 	*auth_measure = (ibbs->flags & BPM_IBBS_FLAG_AUTH_MEASURE) != 0;
 	*biosacm_sts_mask =
@@ -613,6 +625,13 @@ static enum cb_err cap_pcrs(union cbnt_biosacm_policy biosacm_sts)
 	return CB_SUCCESS;
 }
 
+static char hex_digit(int nibble)
+{
+	if (nibble < 10)
+		return '0' + nibble;
+	return 'A' + nibble - 10;
+}
+
 void intel_cbnt_inject_ibg_measurements(void)
 {
 	const union cbnt_biosacm_policy biosacm_sts = {
@@ -639,25 +658,11 @@ void intel_cbnt_inject_ibg_measurements(void)
 		return;
 	}
 
-	/*
-	 * Making and hashing PCR-0 data.
-	 *
-	 * Pseudo-code of the data to be measured into PCR-0 for TigerLake and newer (older
-	 * hardware isn't supported yet):
-	 *
-	 *     struct {
-	 *          uint64_t ACM_POLICY_STATUS;
-	 *          uint16_t ACM.Header.SVN;
-	 *          uint8_t  ACM.Signature[ACM signature size];
-	 *          uint8_t  KM.Signature[KM signature size];
-	 *          uint8_t  BPM.Signature[BPM signature size];
-	 *          uint8_t  IBB.Digest[IBB digest size];
-	 *     } PCR0_DATA;
-	 */
-
+	bool conventional_measurements;
 	bool auth_measure;
 	uint64_t biosacm_sts_mask;
-	if (get_ibbs_flags(&auth_measure, &biosacm_sts_mask) != CB_SUCCESS) {
+	if (get_flags(&conventional_measurements, &auth_measure, &biosacm_sts_mask) !=
+	    CB_SUCCESS) {
 		printk(BIOS_ERR, "CBnT: failed to obtain IBBS flags from BPM\n");
 		return;
 	}
@@ -671,52 +676,151 @@ void intel_cbnt_inject_ibg_measurements(void)
 	struct obuf data_ob;
 	obuf_init(&data_ob, data, sizeof(data));
 
-	/* ACM_POLICY_STATUS (won't run out of space on this one) */
-	(void)obuf_write_le64(&data_ob, biosacm_sts.raw & biosacm_sts_mask);
+	if (conventional_measurements) {
+		/*
+		 * Making and hashing PCR-0 data.
+		 *
+		 * Pseudo-code of the data to be measured into PCR-0 for TigerLake and newer
+		 * (older hardware isn't supported yet):
+		 *
+		 *     struct {
+		 *          uint64_t ACM_POLICY_STATUS;
+		 *          uint16_t ACM.Header.SVN;
+		 *          uint8_t  ACM.Signature[ACM signature size];
+		 *          uint8_t  KM.Signature[KM signature size];
+		 *          uint8_t  BPM.Signature[BPM signature size];
+		 *          uint8_t  IBB.Digest[IBB digest size];
+		 *     } PCR0_DATA;
+		 */
+
+		/* ACM_POLICY_STATUS (won't run out of space on this one) */
+		(void)obuf_write_le64(&data_ob, biosacm_sts.raw & biosacm_sts_mask);
+
+		if (fill_pcr0_acm_fields(&data_ob) != CB_SUCCESS) {
+			printk(BIOS_ERR,
+			       "CBnT: failed to fill ACM fields of PCR-0 measurement data\n");
+			return;
+		}
 
-	if (fill_pcr0_acm_fields(&data_ob) != CB_SUCCESS) {
-		printk(BIOS_ERR, "CBnT: failed to fill ACM fields of PCR-0 measurement data\n");
-		return;
-	}
+		if (copy_km_signature(&data_ob) != CB_SUCCESS) {
+			printk(BIOS_ERR,
+			       "CBnT: failed to copy KM signature for PCR-0 measurement\n");
+			return;
+		}
 
-	if (copy_km_signature(&data_ob) != CB_SUCCESS) {
-		printk(BIOS_ERR, "CBnT: failed to copy KM signature for PCR-0 measurement\n");
-		return;
-	}
+		if (copy_bpm_signature(&data_ob) != CB_SUCCESS) {
+			printk(BIOS_ERR,
+			       "CBnT: failed to copy BPM signature for PCR-0 measurement\n");
+			return;
+		}
 
-	if (copy_bpm_signature(&data_ob) != CB_SUCCESS) {
-		printk(BIOS_ERR, "CBnT: failed to copy BPM signature for PCR-0 measurement\n");
-		return;
-	}
+		struct vb2_hash hash;
+		if (vb2_hash_calculate(vboot_hwcrypto_allowed(), data,
+				       obuf_nr_written(&data_ob), tpm_log_alg(), &hash)) {
+			printk(BIOS_ERR, "CBnT: failed to hash PCR-0 measurement data\n");
+			return;
+		}
 
-	struct vb2_hash hash;
-	if (vb2_hash_calculate(vboot_hwcrypto_allowed(), data, obuf_nr_written(&data_ob),
-			       tpm_log_alg(), &hash)) {
-		printk(BIOS_ERR, "CBnT: failed to hash PCR-0 measurement data\n");
-		return;
-	}
+		/* Per BWG this should be logged with EV_S_CRTM_CONTENTS type. */
+		tpm_log_add_table_entry(CBNT_EVENT_LOG_MESSAGE, 0, hash.algo, hash.raw,
+					vb2_digest_size(hash.algo));
 
-	/* Per BWG this should be logged with EV_S_CRTM_CONTENTS type. */
-	tpm_log_add_table_entry(CBNT_EVENT_LOG_MESSAGE, 0, hash.algo, hash.raw,
-				vb2_digest_size(hash.algo));
+		/* Optionally making and hashing PCR-7 data (not supported since MTL). */
+		if (auth_measure) {
+			/* Reuse the first 2 fields of PCR-0 data which are identical in both
+			   cases. */
+			obuf_init(&data_ob, data, sizeof(data));
+			(void)obuf_oob_fill(&data_ob, sizeof(uint64_t) + sizeof(uint16_t));
+
+			if (!make_pcr7_hash(&data_ob, &hash)) {
+				printk(BIOS_ERR,
+				       "CBnT: failed to build and hash PCR-7 measurement data\n");
+				return;
+			}
+
+			/* Per BWG this should be logged with EV_EFI_VARIABLE_DRIVER_CONFIG type
+			   and event name should be a Unicode string. */
+			tpm_log_add_table_entry(CBNT_EVENT_LOG_MESSAGE, 7, hash.algo, hash.raw,
+						vb2_digest_size(hash.algo));
+			printk(BIOS_INFO, "CBnT: reconstructed PCR-7 measurement\n");
+		}
 
-	/* Making and hashing PCR-7 data. */
-	if (auth_measure) {
-		/* Reuse the first 2 fields of PCR-0 data which are identical in both cases. */
+	} else {
+		size_t acm_len;
+		const struct acm_header_v3 *acm = find_in_fit(FIT_ENTRY_TYPE_SACM, &acm_len);
+		if (acm == NULL) {
+			printk(BIOS_ERR, "CBnT: failed to find SACM\n");
+			return;
+		}
+
+		uint8_t crtm_version[6];
+		memcpy(&crtm_version[0], &acm->date, 4);
+		memcpy(&crtm_version[4], &acm->txt_svn, 2);
+
+		char crtm_version_str[SCRTM_VERSION_LENGTH] = {0};
+		uint16_t crtm_version_utf16[SCRTM_VERSION_LENGTH] = {0};
+		for (int i = 0; i < sizeof(crtm_version); ++i) {
+			crtm_version_str[i*2 + 0] = hex_digit(crtm_version[i] >> 4);
+			crtm_version_str[i*2 + 1] = hex_digit(crtm_version[i] & 0xf);
+
+			crtm_version_utf16[i*2 + 0] = crtm_version_str[i*2 + 0];
+			crtm_version_utf16[i*2 + 1] = crtm_version_str[i*2 + 1];
+		}
+
+		struct vb2_hash hash;
+		if (vb2_hash_calculate(vboot_hwcrypto_allowed(), crtm_version_utf16,
+				       sizeof(crtm_version_utf16), tpm_log_alg(), &hash)) {
+			printk(BIOS_ERR, "CBnT: failed to hash CRTM version\n");
+			return;
+		}
+		/* Per BWG this should be logged with EV_S_CRTM_VERSION type. */
+		tpm_log_add_table_entry(crtm_version_str, 0, hash.algo, hash.raw,
+					vb2_digest_size(hash.algo));
+
+		if (copy_ibb_hash(&data_ob, tpm2_alg_from_vb2_hash(tpm_log_alg())) !=
+		    CB_SUCCESS) {
+			printk(BIOS_ERR, "CBnT: failed to obtain IBB digest\n");
+			return;
+		}
+		/* Per BWG this should be logged with EV_POST_CODE type. */
+		tpm_log_add_table_entry("Boot Guard Measured IBB", 0, tpm_log_alg(), data,
+					obuf_nr_written(&data_ob));
+
+		/*
+		 * struct {
+		 *      uint64_t ACM_POLICY_STATUS;
+		 *      uint8_t  KM.Signature[KM signature size];
+		 *      uint8_t  BPM.Signature[BPM signature size];
+		 * } POLICY_DATA;
+		 */
 		obuf_init(&data_ob, data, sizeof(data));
-		(void)obuf_oob_fill(&data_ob, sizeof(uint64_t) + sizeof(uint16_t));
 
-		if (!make_pcr7_hash(&data_ob, &hash)) {
+		/* ACM_POLICY_STATUS (won't run out of space on this one) */
+		(void)obuf_write_le64(&data_ob, biosacm_sts.raw & biosacm_sts_mask);
+		if (copy_acm_signature(&data_ob) != CB_SUCCESS) {
+			printk(BIOS_ERR, "CBnT: failed to copy ACM signature\n");
+			return;
+		}
+		if (copy_km_signature(&data_ob) != CB_SUCCESS) {
+			printk(BIOS_ERR, "CBnT: failed to copy KM signature\n");
+			return;
+		}
+		if (copy_bpm_signature(&data_ob) != CB_SUCCESS) {
 			printk(BIOS_ERR,
-			       "CBnT: failed to build and hash PCR-7 measurement data\n");
+			       "CBnT: failed to copy BPM signature for PCR-0 measurement\n");
+			return;
+		}
+		if (vb2_hash_calculate(vboot_hwcrypto_allowed(), data,
+				       obuf_nr_written(&data_ob), tpm_log_alg(), &hash)) {
+			printk(BIOS_ERR, "CBnT: failed to hash POLICY_DATA\n");
+			return;
+		}
+		/* Per BWG this should be logged with EV_POST_CODE type. */
+		if (tpm_extend_pcr(0, hash.algo, hash.raw, vb2_digest_size(hash.algo),
+				   "BIOS Measured Boot Guard Policy") != TPM_SUCCESS) {
+			printk(BIOS_ERR, "CBnT: failed to extend POLICY_DATA\n");
 			return;
 		}
-
-		/* Per BWG this should be logged with EV_EFI_VARIABLE_DRIVER_CONFIG type and
-		   event name should be a Unicode string. */
-		tpm_log_add_table_entry(CBNT_EVENT_LOG_MESSAGE, 7, hash.algo, hash.raw,
-					vb2_digest_size(hash.algo));
-		printk(BIOS_INFO, "CBnT: reconstructed PCR-7 measurement\n");
 	}
 
 	/*
