Changeset 91005 in vbox for trunk/src/VBox

Timestamp:

Aug 30, 2021 4:32:25 PM (3 years ago)

Author:

vboxsync

Message:

Security: The underlying driver specifies the input buffer size of the TPM for the device emulation to use and not the other way around, bugref:10075

Location:

trunk/src/VBox/Devices/Security

Files:

• DevTpm.cpp (modified) (10 diffs)
• DrvTpmEmu.cpp (modified) (9 diffs)
• DrvTpmHost.cpp (modified) (7 diffs)

trunk/src/VBox/Devices/Security/DevTpm.cpp

@@ -48 +48 @@
 /** Default revision ID. */
 #define TPM_RID_DEFAULT                                 0x01
+/** Maximum size of the data buffer in bytes. */
+#define TPM_DATA_BUFFER_SIZE_MAX                        3968
 
 /** The TPM MMIO base default as defined in chapter 5.2. */
@@ -418 +420 @@
 /** Locality data buffer. */
 #define TPM_CRB_LOCALITY_REG_DATA_BUFFER                     0x80
-/** Size of the data buffer. */
-#define TPM_CRB_LOCALITY_REG_DATA_BUFFER_SIZE                3968
 /** @} */
 
@@ -507 +507 @@
     TPMVERSION                      enmTpmVers;
 
+    /** Size of the command/response buffer. */
+    uint32_t                        cbCmdResp;
     /** Offset into the Command/Response buffer. */
     uint32_t                        offCmdResp;
     /** Command/Response buffer. */
-    uint8_t                         abCmdResp[TPM_CRB_LOCALITY_REG_DATA_BUFFER_SIZE];
+    uint8_t                         abCmdResp[TPM_DATA_BUFFER_SIZE_MAX];
 } DEVTPM;
 /** Pointer to the shared TPM device state. */
@@ -683 +685 @@
         && pThis->enmState == DEVTPMSTATE_CMD_COMPLETION)
     {
-        if (pThis->offCmdResp <= sizeof(pThis->abCmdResp) - cb)
+        if (pThis->offCmdResp <= pThis->cbCmdResp - cb)
         {
             memcpy(pu64, &pThis->abCmdResp[pThis->offCmdResp], cb);
@@ -810 +812 @@
     {
         pThis->enmState = DEVTPMSTATE_CMD_RECEPTION;
-        if (pThis->offCmdResp <= sizeof(pThis->abCmdResp) - cb)
+        if (pThis->offCmdResp <=  pThis->cbCmdResp - cb)
         {
             memcpy(&pThis->abCmdResp[pThis->offCmdResp], &u64, cb);
@@ -935 +937 @@
     /* Special path for the data buffer. */
     if (   uReg >= TPM_CRB_LOCALITY_REG_DATA_BUFFER
-        && uReg < TPM_CRB_LOCALITY_REG_DATA_BUFFER + TPM_CRB_LOCALITY_REG_DATA_BUFFER_SIZE
+        && uReg < TPM_CRB_LOCALITY_REG_DATA_BUFFER + pThis->cbCmdResp
         && bLoc == pThis->bLoc
         && pThis->enmState == DEVTPMSTATE_CMD_COMPLETION)
@@ -1026 +1028 @@
         case TPM_CRB_LOCALITY_REG_CTRL_CMD_SZ:
         case TPM_CRB_LOCALITY_REG_CTRL_RSP_SZ:
-            u64 = TPM_CRB_LOCALITY_REG_DATA_BUFFER_SIZE;
+            u64 = pThis->cbCmdResp;
             break;
         case TPM_CRB_LOCALITY_REG_CTRL_RSP_ADDR:
@@ -1064 +1066 @@
     /* Special path for the data buffer. */
     if (   uReg >= TPM_CRB_LOCALITY_REG_DATA_BUFFER
-        && uReg < TPM_CRB_LOCALITY_REG_DATA_BUFFER + TPM_CRB_LOCALITY_REG_DATA_BUFFER_SIZE
+        && uReg < TPM_CRB_LOCALITY_REG_DATA_BUFFER + pThis->cbCmdResp
         && bLoc == pThis->bLoc
         && (   pThis->enmState == DEVTPMSTATE_READY
@@ -1510 +1512 @@
         AssertLogRelMsgReturn(pThisCC->pDrvTpm, ("TPM#%d: Driver is missing the TPM interface.\n", iInstance), VERR_PDM_MISSING_INTERFACE);
 
+        pThis->fLocChangeSup = pThisCC->pDrvTpm->pfnGetLocalityMax(pThisCC->pDrvTpm) > 0;
+        pThis->cbCmdResp     = RT_MIN(pThisCC->pDrvTpm->pfnGetBufferSize(pThisCC->pDrvTpm), TPM_DATA_BUFFER_SIZE_MAX);
+
         /* Startup the TPM here instead of in the power on callback as we can convey errors here to the upper layer. */
-        rc = pThisCC->pDrvTpm->pfnStartup(pThisCC->pDrvTpm, sizeof(pThis->abCmdResp));
+        rc = pThisCC->pDrvTpm->pfnStartup(pThisCC->pDrvTpm);
         if (RT_FAILURE(rc))
             return PDMDEV_SET_ERROR(pDevIns, rc, N_("Failed to startup the TPM"));
@@ -1518 +1523 @@
         if (pThis->enmTpmVers == TPMVERSION_UNKNOWN)
             return PDMDEV_SET_ERROR(pDevIns, VERR_NOT_SUPPORTED, N_("The emulated TPM version is not supported"));
-
-        pThis->fLocChangeSup = pThisCC->pDrvTpm->pfnGetLocalityMax(pThisCC->pDrvTpm) > 0;
     }
     else if (rc == VERR_PDM_NO_ATTACHED_DRIVER)

trunk/src/VBox/Devices/Security/DrvTpmEmu.cpp

@@ -235 +235 @@
 {
     /** The locality resetting trying to reset the established bit. */
-    uint8_t                    bLoc;
+    uint8_t                     bLoc;
 } SWTPMCMDRSTEST;
 /** Pointer to a response data struct for SWTPMCMD_GET_TPMESTABLISHED. */
@@ -241 +241 @@
 /** Pointer to a const response data struct for SWTPMCMD_GET_TPMESTABLISHED. */
 typedef const SWTPMCMDRSTEST *PCSWTPMCMDRSTEST;
+
+
+/**
+ * Additional command data for SWTPMCMD_SET_BUFFERSIZE.
+ */
+typedef struct SWTPMCMDSETBUFSZ
+{
+    /** The buffer size to set, 0 to query for the currently used buffer size. */
+    uint32_t                    cbBuffer;
+} SWTPMCMDSETBUFSZ;
+/** Pointer to a command data struct for SWTPMCMD_SET_BUFFERSIZE. */
+typedef SWTPMCMDSETBUFSZ *PSWTPMCMDSETBUFSZ;
+/** Pointer to a const command data struct for SWTPMCMD_SET_BUFFERSIZE. */
+typedef const SWTPMCMDSETBUFSZ *PCSWTPMCMDSETBUFSZ;
+
+
+/**
+ * Response data for a SWTPMCMD_SET_BUFFERSIZE command.
+ */
+typedef struct SWTPMRESPSETBUFSZ
+{
+    /** Buffer size in use. */
+    uint32_t                    cbBuffer;
+    /** Minimum supported buffer size. */
+    uint32_t                    cbBufferMin;
+    /** Maximum supported buffer size. */
+    uint32_t                    cbBufferMax;
+} SWTPMRESPSETBUFSZ;
+/** Pointer to a response data struct for SWTPMCMD_SET_BUFFERSIZE. */
+typedef SWTPMRESPSETBUFSZ *PSWTPMRESPSETBUFSZ;
+/** Pointer to a const response data struct for SWTPMCMD_SET_BUFFERSIZE. */
+typedef const SWTPMRESPSETBUFSZ *PCSWTPMRESPSETBUFSZ;
 
 
@@ -281 +313 @@
     /** Capabilities offered by the TPM emulator. */
     uint32_t            fCaps;
+    /** Buffer size for the emulated TPM. */
+    uint32_t            cbBuffer;
 } DRVTPMEMU;
 /** Pointer to the TPM emulator instance data. */
@@ -537 +571 @@
 
 /**
+ * Queries the maximum supported buffer size by the emulation.
+ *
+ * @returns VBox status code.
+ * @param   pThis               Pointer to the TPM emulator driver instance data.
+ * @param   pcbBufferMax        Where to store the maximum supported buffer size on success.
+ */
+static int drvTpmEmuQueryBufferSzMax(PDRVTPMEMU pThis, uint32_t *pcbBufferMax)
+{
+    SWTPMCMDSETBUFSZ Cmd;
+    SWTPMRESPSETBUFSZ Resp;
+    uint32_t u32Resp = 0;
+
+    RT_ZERO(Cmd); RT_ZERO(Resp);
+    Cmd.cbBuffer = RT_H2BE_U32(0);
+    int rc = drvTpmEmuExecCtrlCmdEx(pThis, SWTPMCMD_SET_BUFFERSIZE, &Cmd, sizeof(Cmd), &u32Resp,
+                                    &Resp, sizeof(Resp), RT_MS_10SEC);
+    if (RT_SUCCESS(rc))
+    {
+        if (u32Resp == 0)
+            *pcbBufferMax = RT_BE2H_U32(Resp.cbBufferMax);
+        else
+            rc = VERR_NET_IO_ERROR;
+    }
+
+    return rc;
+}
+
+
+/**
+ * Queries the maximum supported buffer size by the emulation.
+ *
+ * @returns VBox status code.
+ * @param   pThis               Pointer to the TPM emulator driver instance data.
+ * @param   cbBuffer            The buffer size to set.
+ */
+static int drvTpmEmuSetBufferSz(PDRVTPMEMU pThis, uint32_t cbBuffer)
+{
+    SWTPMCMDSETBUFSZ Cmd;
+    SWTPMRESPSETBUFSZ Resp;
+    uint32_t u32Resp = 0;
+
+    RT_ZERO(Cmd); RT_ZERO(Resp);
+    Cmd.cbBuffer = RT_H2BE_U32(cbBuffer);
+    int rc = drvTpmEmuExecCtrlCmdEx(pThis, SWTPMCMD_SET_BUFFERSIZE, &Cmd, sizeof(Cmd), &u32Resp,
+                                    &Resp, sizeof(Resp), RT_MS_10SEC);
+    if (   RT_SUCCESS(rc)
+        && u32Resp != 0)
+        rc = VERR_NET_IO_ERROR;
+
+    return rc;
+}
+
+
+/**
  * Sets the given locality for the emulated TPM.
  *
@@ -562 +650 @@
 
 /** @interface_method_impl{PDMITPMCONNECTOR,pfnStartup} */
-static DECLCALLBACK(int) drvTpmEmuStartup(PPDMITPMCONNECTOR pInterface, size_t cbCmdResp)
-{
-    RT_NOREF(cbCmdResp);
+static DECLCALLBACK(int) drvTpmEmuStartup(PPDMITPMCONNECTOR pInterface)
+{
     PDRVTPMEMU pThis = RT_FROM_MEMBER(pInterface, DRVTPMEMU, ITpmConnector);
 
@@ -607 +694 @@
     RT_NOREF(pInterface);
     return 4;
+}
+
+
+/** @interface_method_impl{PDMITPMCONNECTOR,pfnGetBufferSize} */
+static DECLCALLBACK(uint32_t) drvTpmEmuGetBufferSize(PPDMITPMCONNECTOR pInterface)
+{
+    PDRVTPMEMU pThis = RT_FROM_MEMBER(pInterface, DRVTPMEMU, ITpmConnector);
+    return pThis->cbBuffer;
 }
 
@@ -804 +899 @@
     pThis->ITpmConnector.pfnGetVersion              = drvTpmEmuGetVersion;
     pThis->ITpmConnector.pfnGetLocalityMax          = drvTpmEmuGetLocalityMax;
+    pThis->ITpmConnector.pfnGetBufferSize           = drvTpmEmuGetBufferSize;
     pThis->ITpmConnector.pfnGetEstablishedFlag      = drvTpmEmuGetEstablishedFlag;
     pThis->ITpmConnector.pfnResetEstablishedFlag    = drvTpmEmuResetEstablishedFlag;
@@ -812 +908 @@
      * Validate and read the configuration.
      */
-    PDMDRV_VALIDATE_CONFIG_RETURN(pDrvIns, "Location", "");
+    PDMDRV_VALIDATE_CONFIG_RETURN(pDrvIns, "Location|BufferSize", "");
 
     char szLocation[_1K];
@@ -919 +1015 @@
                                    N_("DrvTpmEmu#%d Emulated TPM version of %s does not offer required set of capabilities (%#x requested vs. %#x offered)"),
                                    pDrvIns->iInstance, szLocation, fCapsReq, pThis->fCaps);
+
+    uint32_t cbBufferMax = 0;
+    rc = drvTpmEmuQueryBufferSzMax(pThis, &cbBufferMax);
+    if (RT_FAILURE(rc))
+        return PDMDrvHlpVMSetError(pDrvIns, rc, RT_SRC_POS,
+                                   N_("DrvTpmEmu#%d failed to query maximum buffer size from %s"),
+                                   pDrvIns->iInstance, szLocation);
+
+    /* Configure the buffer size. */
+    rc = CFGMR3QueryU32Def(pCfg, "BufferSize", &pThis->cbBuffer, cbBufferMax);
+    if (RT_FAILURE(rc))
+        return PDMDrvHlpVMSetError(pDrvIns, rc, RT_SRC_POS,
+                                   N_("Configuration error: querying \"BufferSize\" resulted in %Rrc"), rc);
+
+    /* Set the buffer size. */
+    rc = drvTpmEmuSetBufferSz(pThis, pThis->cbBuffer);
+    if (RT_FAILURE(rc))
+        return PDMDrvHlpVMSetError(pDrvIns, rc, RT_SRC_POS,
+                                   N_("DrvTpmEmu#%d failed to set buffer size to %u for %s"),
+                                   pDrvIns->iInstance, pThis->cbBuffer, szLocation);
 
     /* Connect the data channel now. */

trunk/src/VBox/Devices/Security/DrvTpmHost.cpp

@@ -45 +45 @@
 
 /**
+ * TPM 1.2 buffer size capability response.
+ */
+#pragma pack(1)
+typedef struct TPMRESPGETBUFSZ
+{
+    TPMRESPHDR                  Hdr;
+    uint32_t                    u32Length;
+    uint32_t                    cbBuf;
+} TPMRESPGETBUFSZ;
+#pragma pack()
+typedef TPMRESPGETBUFSZ *PTPMRESPGETBUFSZ;
+typedef const TPMRESPGETBUFSZ *PCTPMRESPGETBUFSZ;
+
+
+/**
+ * TPM 2.0 buffer size capability response.
+ */
+#pragma pack(1)
+typedef struct TPM2RESPGETBUFSZ
+{
+    TPMRESPHDR                  Hdr;
+    uint8_t                     fMore;
+    uint32_t                    u32Cap;
+    uint32_t                    u32Count;
+    uint32_t                    u32Prop;
+    uint32_t                    u32Value;
+} TPM2RESPGETBUFSZ;
+#pragma pack()
+typedef TPM2RESPGETBUFSZ *PTPM2RESPGETBUFSZ;
+typedef const TPM2RESPGETBUFSZ *PCTPM2RESPGETBUFSZ;
+
+
+/**
  * TPM Host driver instance data.
  *
@@ -58 +91 @@
     /** Handle to the host TPM. */
     RTTPM               hTpm;
-
+    /** Cached TPM version. */
+    TPMVERSION          enmTpmVersion;
+    /** Cached buffer size of the host TPM. */
+    uint32_t            cbBuffer;
 } DRVTPMHOST;
 /** Pointer to the TPM emulator instance data. */
@@ -68 +104 @@
 *********************************************************************************************************************************/
 
+/**
+ * Queries the buffer size of the host TPM.
+ *
+ * @returns VBox status code.
+ * @param   pThis               The host TPM driver instance data.
+ */
+static int drvTpmHostQueryBufferSize(PDRVTPMHOST pThis)
+{
+    uint8_t abResp[_1K];
+    int rc = VINF_SUCCESS;
+
+    switch (pThis->enmTpmVersion)
+    {
+        case TPMVERSION_1_2:
+        {
+            TPMREQGETCAPABILITY Req;
+
+            Req.Hdr.u16Tag     = RT_H2BE_U16(TPM_TAG_RQU_COMMAND);
+            Req.Hdr.cbReq      = RT_H2BE_U32(sizeof(Req));
+            Req.Hdr.u32Ordinal = RT_H2BE_U32(TPM_ORD_GETCAPABILITY);
+            Req.u32Cap         = RT_H2BE_U32(TPM_CAP_PROPERTY);
+            Req.u32Length      = RT_H2BE_U32(sizeof(uint32_t));
+            Req.u32SubCap      = RT_H2BE_U32(TPM_CAP_PROP_INPUT_BUFFER);
+            rc = RTTpmReqExec(pThis->hTpm, 0 /*bLoc*/, &Req, sizeof(Req), &abResp[0], sizeof(abResp), NULL /*pcbResp*/);
+            break;
+        }
+        case TPMVERSION_2_0:
+        {
+            TPM2REQGETCAPABILITY Req;
+
+            Req.Hdr.u16Tag     = RT_H2BE_U16(TPM2_ST_NO_SESSIONS);
+            Req.Hdr.cbReq      = RT_H2BE_U32(sizeof(Req));
+            Req.Hdr.u32Ordinal = RT_H2BE_U32(TPM2_CC_GET_CAPABILITY);
+            Req.u32Cap         = RT_H2BE_U32(TPM2_CAP_TPM_PROPERTIES);
+            Req.u32Property    = RT_H2BE_U32(TPM2_PT_INPUT_BUFFER);
+            Req.u32Count       = RT_H2BE_U32(1);
+            rc = RTTpmReqExec(pThis->hTpm, 0 /*bLoc*/, &Req, sizeof(Req), &abResp[0], sizeof(abResp), NULL /*pcbResp*/);
+            break;
+        }
+        default:
+            AssertFailed();
+    }
+
+    if (RT_SUCCESS(rc))
+    {
+        switch (pThis->enmTpmVersion)
+        {
+            case TPMVERSION_1_2:
+            {
+                PCTPMRESPGETBUFSZ pResp = (PCTPMRESPGETBUFSZ)&abResp[0];
+
+                if (   RTTpmRespGetSz(&pResp->Hdr) == sizeof(*pResp)
+                    && RT_BE2H_U32(pResp->u32Length) == sizeof(uint32_t))
+                    pThis->cbBuffer = RT_BE2H_U32(pResp->cbBuf);
+                else
+                    rc = VERR_INVALID_PARAMETER;
+                break;
+            }
+            case TPMVERSION_2_0:
+            {
+                PCTPM2RESPGETBUFSZ pResp = (PCTPM2RESPGETBUFSZ)&abResp[0];
+
+                if (   RTTpmRespGetSz(&pResp->Hdr) == sizeof(*pResp)
+                    && RT_BE2H_U32(pResp->u32Count) == 1)
+                    pThis->cbBuffer = RT_BE2H_U32(pResp->u32Value);
+                else
+                    rc = VERR_INVALID_PARAMETER;
+                break;
+            }
+            default:
+                AssertFailed();
+        }
+    }
+
+    return rc;
+}
+
+
 /** @interface_method_impl{PDMITPMCONNECTOR,pfnStartup} */
-static DECLCALLBACK(int) drvTpmHostStartup(PPDMITPMCONNECTOR pInterface, size_t cbCmdResp)
-{
-    RT_NOREF(pInterface, cbCmdResp);
+static DECLCALLBACK(int) drvTpmHostStartup(PPDMITPMCONNECTOR pInterface)
+{
+    RT_NOREF(pInterface);
     return VINF_SUCCESS;
 }
@@ -96 +210 @@
 {
     PDRVTPMHOST pThis = RT_FROM_MEMBER(pInterface, DRVTPMHOST, ITpmConnector);
-    RTTPMVERSION enmVersion = RTTpmGetVersion(pThis->hTpm);
-
-    switch (enmVersion)
-    {
-        case RTTPMVERSION_1_2:
-            return TPMVERSION_1_2;
-        case RTTPMVERSION_2_0:
-            return TPMVERSION_2_0;
-        case RTTPMVERSION_UNKNOWN:
-        default:
-            return TPMVERSION_UNKNOWN;
-    }
-
-    AssertFailed(); /* Shouldn't get here. */
-    return TPMVERSION_UNKNOWN;
+    return pThis->enmTpmVersion;
 }
 
@@ -119 +219 @@
     PDRVTPMHOST pThis = RT_FROM_MEMBER(pInterface, DRVTPMHOST, ITpmConnector);
     return RTTpmGetLocalityMax(pThis->hTpm);
+}
+
+
+/** @interface_method_impl{PDMITPMCONNECTOR,pfnGetBufferSize} */
+static DECLCALLBACK(uint32_t) drvTpmHostGetBufferSize(PPDMITPMCONNECTOR pInterface)
+{
+    PDRVTPMHOST pThis = RT_FROM_MEMBER(pInterface, DRVTPMHOST, ITpmConnector);
+    return pThis->cbBuffer;
 }
 
@@ -209 +317 @@
     pThis->ITpmConnector.pfnGetVersion              = drvTpmHostGetVersion;
     pThis->ITpmConnector.pfnGetLocalityMax          = drvTpmHostGetLocalityMax;
+    pThis->ITpmConnector.pfnGetBufferSize           = drvTpmHostGetBufferSize;
     pThis->ITpmConnector.pfnGetEstablishedFlag      = drvTpmHostGetEstablishedFlag;
     pThis->ITpmConnector.pfnResetEstablishedFlag    = drvTpmHostResetEstablishedFlag;
@@ -228 +337 @@
     if (RT_FAILURE(rc))
         return PDMDrvHlpVMSetError(pDrvIns, rc, RT_SRC_POS,
-                                   N_("DrvTpmHost%d: Opening TPM with id %u failed with %Rrc"), idTpm, rc);
+                                   N_("DrvTpmHost%d: Opening TPM with id %u failed with %Rrc"), pDrvIns->iInstance, idTpm, rc);
+
+    RTTPMVERSION enmVersion = RTTpmGetVersion(pThis->hTpm);
+
+    switch (enmVersion)
+    {
+        case RTTPMVERSION_1_2:
+            pThis->enmTpmVersion = TPMVERSION_1_2;
+            break;
+        case RTTPMVERSION_2_0:
+            pThis->enmTpmVersion = TPMVERSION_2_0;
+            break;
+        case RTTPMVERSION_UNKNOWN:
+        default:
+            return PDMDrvHlpVMSetError(pDrvIns, VERR_NOT_SUPPORTED, RT_SRC_POS,
+                                       N_("DrvTpmHost%d: TPM version %u of TPM id %u is not supported"),
+                                       pDrvIns->iInstance, enmVersion, idTpm);
+    }
+
+    rc = drvTpmHostQueryBufferSize(pThis);
+    if (RT_FAILURE(rc))
+        return PDMDrvHlpVMSetError(pDrvIns, rc, RT_SRC_POS,
+                                   N_("DrvTpmHost%d: Querying input buffer size of TPM with id %u failed with %Rrc"), idTpm, rc);
 
     LogRel(("DrvTpmHost#%d: Connected to TPM %u.\n", pDrvIns->iInstance, idTpm));