Google Git
Sign in
chromium / chromiumos / third_party / trousers / refs/heads/stabilize-6480.B^! / .
commit2bb0f13ac760eab16e4e524f7083ce03dbf01d35[log] [tgz]
authorDarren Krahn <dkrahn@chromium.org>Wed Jun 18 20:29:44 2014
committerchrome-internal-fetch <chrome-internal-fetch@google.com>Fri Jul 18 04:43:50 2014
treefe7385d685cc734b663eaf895fd226e6fa0fd126
parenta1ad36cd5f73f9358c99b1e9da8f79aedae10ff0 [diff]
Add support for querying TPM DAD counter on more systems.

Previously only Infineon TPMs were queried.

BUG=none
TEST=Manually checked histograms on the following platforms:
- parrot->nuvoton tpm
- stout->stmicro tpm

Change-Id: I641571f9d63e94f44a402053ef3ff976ef580edb
Reviewed-on: https://chromium-review.googlesource.com/204486
Reviewed-by: Luigi Semenzato <semenzato@chromium.org>
Commit-Queue: Darren Krahn <dkrahn@chromium.org>
Tested-by: Darren Krahn <dkrahn@chromium.org>

diff --git a/init/tcsd.conf b/init/tcsd.conf
index 30c2704..6a76576 100644
--- a/init/tcsd.conf
+++ b/init/tcsd.conf

@@ -50,18 +50,33 @@
     fi
   fi
 
-  # On some TPMs we can check the dictionary-attack counter.
+  # Check the dictionary-attack counter.
   if grep -q "Manufacturer: 0x49465800" /sys/class/misc/tpm0/device/caps; then
+    # Infineon has a vendor-specific capability for this. The following command
+    # queries the TPM_CAP_MFR capability area.
     tpm_command="00 c1 00 00 00 16 00 00 00 65 00 00 00 10 00 00 00 04 00 00 \
                  08 02"
-    count=$(($(tpmc raw $tpm_command | awk 'NR == 3 { print $8; }' || echo 0)))
-    metrics_client -b -e Platform.TPM.DictionaryAttackCounter $count 30 ||
-        logger -t "$UPSTART_JOB" "metrics_client -e: status $?"
-    if [ $count -ne 0 ]; then
-      logger -t "$UPSTART_JOB" "WARNING: Non-zero dictionary attack counter found: $count"
-      metrics_client -b -v TPM.NonZeroDictionaryAttackCounter ||
-          logger -t "$UPSTART_JOB" "metrics_client -v: status $?"
-    fi
+    # The output is vendor-specific; we're interested in the 24th byte. The
+    # output is printed in rows of 8 bytes so we want row 3, field 8.
+    count=$(($(tpmc raw $tpm_command | awk 'NR == 3 { print $8; }')))
+  elif [ -e /sys/class/misc/tpm0/device/caps ]; then
+    # If not Infineon, try to query the TPM_CAP_DA_LOGIC capability area with a
+    # TPM_ET_SRK entity type.
+    tpm_command="00 c1 00 00 00 14 00 00 00 65 00 00 00 19 00 00 00 02 00 04"
+    # The output is a TPM_DA_INFO structure; we're interested in the least
+    # significant byte of the currentCount field (row 3, field 3).
+    count=$(($(tpmc raw $tpm_command | awk 'NR == 3 { print $3; }')))
+  fi
+  if [ "$count" == "" ]; then
+    # Report 100 when we don't know the counter value.
+    count=100
+  fi
+  metrics_client -b -e Platform.TPM.DictionaryAttackCounter $count 100 ||
+      logger -t "$UPSTART_JOB" "metrics_client -e: status $?"
+  if [ $count -ne 0 ]; then
+    logger -t "$UPSTART_JOB" "WARNING: Non-zero dictionary attack counter found: $count"
+    metrics_client -b -v TPM.NonZeroDictionaryAttackCounter ||
+        logger -t "$UPSTART_JOB" "metrics_client -v: status $?"
   fi
 end script