<p>Philipp Deppenwiese has uploaded this change for <strong>review</strong>.</p><p><a href="https://review.coreboot.org/23756">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">security/vboot: Add boot mode selection<br><br>* Add Measured Boot mode.<br><br>Change-Id: I43d233d5a8766af2dd7f07cc0b64293a80d5d7d2<br>Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org><br>---<br>M src/arch/x86/postcar_loader.c<br>M src/include/program_loading.h<br>M src/lib/prog_ops.c<br>M src/mainboard/google/poppy/Kconfig<br>M src/mainboard/google/rotor/Kconfig<br>M src/mainboard/intel/cannonlake_rvp/Kconfig<br>M src/mainboard/intel/kblrvp/Kconfig<br>M src/security/tpm/tspi.h<br>M src/security/vboot/Kconfig<br>M src/security/vboot/antirollback.h<br>M src/security/vboot/secdata_mock.c<br>M src/security/vboot/secdata_tpm.c<br>M src/security/vboot/vboot_common.c<br>M src/security/vboot/vboot_logic.c<br>14 files changed, 180 insertions(+), 34 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://review.coreboot.org:29418/coreboot refs/changes/56/23756/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/arch/x86/postcar_loader.c b/src/arch/x86/postcar_loader.c</span><br><span>index 5523238..a1c2fc7 100644</span><br><span>--- a/src/arch/x86/postcar_loader.c</span><br><span>+++ b/src/arch/x86/postcar_loader.c</span><br><span>@@ -160,7 +160,7 @@</span><br><span> void run_postcar_phase(struct postcar_frame *pcf)</span><br><span> {</span><br><span>        struct prog prog =</span><br><span style="color: hsl(0, 100%, 40%);">-              PROG_INIT(PROG_UNKNOWN, CONFIG_CBFS_PREFIX "/postcar");</span><br><span style="color: hsl(120, 100%, 40%);">+             PROG_INIT(PROG_POSTCAR, CONFIG_CBFS_PREFIX "/postcar");</span><br><span> </span><br><span>        postcar_commit_mtrrs(pcf);</span><br><span> </span><br><span>diff --git 
a/src/include/program_loading.h b/src/include/program_loading.h</span><br><span>index 416e2e9..428427b 100644</span><br><span>--- a/src/include/program_loading.h</span><br><span>+++ b/src/include/program_loading.h</span><br><span>@@ -35,6 +35,7 @@</span><br><span>  PROG_PAYLOAD,</span><br><span>        PROG_BL31,</span><br><span>   PROG_BL32,</span><br><span style="color: hsl(120, 100%, 40%);">+    PROG_POSTCAR,</span><br><span> };</span><br><span> </span><br><span> /*</span><br><span>@@ -141,6 +142,10 @@</span><br><span>  * special that needs to be done by the platform similar to the architecture</span><br><span>  * code it needs to that as well. */</span><br><span> void platform_prog_run(struct prog *prog);</span><br><span style="color: hsl(120, 100%, 40%);">+/*</span><br><span style="color: hsl(120, 100%, 40%);">+ * Measured Boot specific</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+void measured_prog_run(struct prog *prog);</span><br><span> </span><br><span> struct prog_loader_ops {</span><br><span>   const char *name;</span><br><span>diff --git a/src/lib/prog_ops.c b/src/lib/prog_ops.c</span><br><span>index 44a32d1..a0f2a54 100644</span><br><span>--- a/src/lib/prog_ops.c</span><br><span>+++ b/src/lib/prog_ops.c</span><br><span>@@ -37,6 +37,7 @@</span><br><span> </span><br><span> void prog_run(struct prog *prog)</span><br><span> {</span><br><span style="color: hsl(120, 100%, 40%);">+       measured_prog_run(prog);</span><br><span>     platform_prog_run(prog);</span><br><span>     arch_prog_run(prog);</span><br><span> }</span><br><span>@@ -45,3 +46,8 @@</span><br><span> {</span><br><span>   /* do nothing */</span><br><span> }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+void __attribute__((weak)) measured_prog_run(struct prog *prog)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 
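Review bot: `measured_prog_run()` is declared with only "Measured Boot specific" above it, so a reader of `prog_run()` cannot tell when it fires, what it measures, or what the weak default does; I would replace that comment with `/* Measured-boot hook: called by prog_run() before platform_prog_run() and arch_prog_run() so the program is measured before it executes. The weak default in prog_ops.c is a no-op; the vboot implementation extends the PCR chosen for prog->type. */`. Because the hook returns void, a failed measurement cannot stop the launch — either state that measurement is best-effort in the comment or change the hook to return a status that `prog_run()` honours.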
40%);">+   /* do nothing */</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span>diff --git a/src/mainboard/google/poppy/Kconfig b/src/mainboard/google/poppy/Kconfig</span><br><span>index 9315d96..ee0b25d 100644</span><br><span>--- a/src/mainboard/google/poppy/Kconfig</span><br><span>+++ b/src/mainboard/google/poppy/Kconfig</span><br><span>@@ -120,7 +120,7 @@</span><br><span>       select DRIVERS_I2C_MAX98927</span><br><span>  select NO_FADT_8042</span><br><span>  select VARIANT_HAS_CAMERA_ACPI</span><br><span style="color: hsl(0, 100%, 40%);">-  select VARIANT_HAS_I2C_TPM if !VBOOT_MOCK_SECDATA</span><br><span style="color: hsl(120, 100%, 40%);">+     select VARIANT_HAS_I2C_TPM</span><br><span> </span><br><span> config VARIANT_SPECIFIC_OPTIONS_NAMI</span><br><span>       def_bool n</span><br><span>@@ -129,21 +129,21 @@</span><br><span>   select DRIVERS_PS2_KEYBOARD</span><br><span>  select DRIVERS_SPI_ACPI</span><br><span>      select EXCLUDE_NATIVE_SD_INTERFACE</span><br><span style="color: hsl(0, 100%, 40%);">-      select VARIANT_HAS_SPI_TPM if !VBOOT_MOCK_SECDATA</span><br><span style="color: hsl(120, 100%, 40%);">+     select VARIANT_HAS_SPI_TPM</span><br><span> </span><br><span> config VARIANT_SPECIFIC_OPTIONS_NAUTILUS</span><br><span>   def_bool n</span><br><span>   select DRIVERS_GENERIC_MAX98357A</span><br><span>     select DRIVERS_I2C_DA7219</span><br><span>    select DRIVERS_PS2_KEYBOARD</span><br><span style="color: hsl(0, 100%, 40%);">-     select VARIANT_HAS_I2C_TPM if !VBOOT_MOCK_SECDATA</span><br><span style="color: hsl(120, 100%, 40%);">+     select VARIANT_HAS_I2C_TPM</span><br><span> </span><br><span> config VARIANT_SPECIFIC_OPTIONS_SORAKA</span><br><span>     def_bool n</span><br><span>   select DRIVERS_I2C_MAX98927</span><br><span>  select NO_FADT_8042</span><br><span>  select VARIANT_HAS_CAMERA_ACPI</span><br><span style="color: hsl(0, 100%, 40%);">-  select VARIANT_HAS_I2C_TPM if !VBOOT_MOCK_SECDATA</span><br><span 
style="color: hsl(120, 100%, 40%);">+     select VARIANT_HAS_I2C_TPM</span><br><span> </span><br><span> config VBOOT</span><br><span>       select EC_GOOGLE_CHROMEEC_SWITCHES</span><br><span>diff --git a/src/mainboard/google/rotor/Kconfig b/src/mainboard/google/rotor/Kconfig</span><br><span>index 437fa02..6b5319e 100644</span><br><span>--- a/src/mainboard/google/rotor/Kconfig</span><br><span>+++ b/src/mainboard/google/rotor/Kconfig</span><br><span>@@ -21,9 +21,6 @@</span><br><span>  select MAINBOARD_HAS_CHROMEOS</span><br><span>        select BOARD_ROMSIZE_KB_4096</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-config VBOOT</span><br><span style="color: hsl(0, 100%, 40%);">-    select VBOOT_MOCK_SECDATA</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span> config MAINBOARD_DIR</span><br><span>    string</span><br><span>       default google/rotor</span><br><span>diff --git a/src/mainboard/intel/cannonlake_rvp/Kconfig b/src/mainboard/intel/cannonlake_rvp/Kconfig</span><br><span>index b69a5e9..511603b 100644</span><br><span>--- a/src/mainboard/intel/cannonlake_rvp/Kconfig</span><br><span>+++ b/src/mainboard/intel/cannonlake_rvp/Kconfig</span><br><span>@@ -61,5 +61,4 @@</span><br><span> </span><br><span> config VBOOT</span><br><span>    select VBOOT_LID_SWITCH</span><br><span style="color: hsl(0, 100%, 40%);">- select VBOOT_MOCK_SECDATA</span><br><span> endif</span><br><span>diff --git a/src/mainboard/intel/kblrvp/Kconfig b/src/mainboard/intel/kblrvp/Kconfig</span><br><span>index f483063..e5d4fec 100644</span><br><span>--- a/src/mainboard/intel/kblrvp/Kconfig</span><br><span>+++ b/src/mainboard/intel/kblrvp/Kconfig</span><br><span>@@ -26,7 +26,6 @@</span><br><span> </span><br><span> config KBLRVP_NO_TPM</span><br><span>      bool "No TPM"</span><br><span style="color: hsl(0, 100%, 40%);">- select VBOOT_MOCK_SECDATA if VBOOT</span><br><span> </span><br><span> config KBLRVP_TPM1_2</span><br><span>       bool "TPM 
1.1"</span><br><span>diff --git a/src/security/tpm/tspi.h b/src/security/tpm/tspi.h</span><br><span>index bf2b7ae..775311e 100644</span><br><span>--- a/src/security/tpm/tspi.h</span><br><span>+++ b/src/security/tpm/tspi.h</span><br><span>@@ -21,6 +21,34 @@</span><br><span> </span><br><span> #define TPM_PCR_MAX_LENGTH 64</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+// PCR Registers used by coreboot</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_BOOTBLOCK_PCR 0</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_STAGE_VERSTAGE_PCR 0</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_STAGE_ROMSTAGE_PCR 1</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_STAGE_POSTCAR_PCR 2</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_STAGE_RAMSTAGE_PCR 2</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_PAYLOAD_PCR 3</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_FW_MAIN 1</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+// Vendor / Platform specific</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_INTEL_FSP_PCR 1</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_INTEL_FSPM_PCR 1</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_INTEL_FSPS_PCR 1</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_INTEL_NHLT_PCR 1</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_ARM_BL31_PCR 2</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_ARM_BL32_PCR 2</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_VGA_OPTION_ROM_PCR 2</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_SPD_DATA_PCR 1</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_AMD_PSP_PCR 1</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_AMD_AGESA_PCR 1</span><br><span style="color: hsl(120, 100%, 
40%);">+#define TPM_NVIDIA_MTC_PCR 1</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_VBT_PCR 2</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_MICROCODE_PCR 1</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+// special</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_UNKNOWN_PCR 4</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> /**</span><br><span>  * TPM measurement with acpi log functionality based on binary data.</span><br><span>  */</span><br><span>diff --git a/src/security/vboot/Kconfig b/src/security/vboot/Kconfig</span><br><span>index ed613b6..6901ab8 100644</span><br><span>--- a/src/security/vboot/Kconfig</span><br><span>+++ b/src/security/vboot/Kconfig</span><br><span>@@ -26,6 +26,31 @@</span><br><span> </span><br><span> if VBOOT</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+choice</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+prompt "Boot mode"</span><br><span style="color: hsl(120, 100%, 40%);">+     default VBOOT_MODE_VERIFIED_BOOT</span><br><span style="color: hsl(120, 100%, 40%);">+      help</span><br><span style="color: hsl(120, 100%, 40%);">+    Select the boot mode in which VBOOT should run.</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VBOOT_MODE_VERIFIED_BOOT</span><br><span style="color: hsl(120, 100%, 40%);">+  bool "Verified Boot"</span><br><span style="color: hsl(120, 100%, 40%);">+        depends on TPM1 || TPM2</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VBOOT_MODE_VERIFIED_BOOT_NO_ROLLBACK_PROTECTION</span><br><span style="color: hsl(120, 100%, 40%);">+     bool "Verified Boot (no TPM)"</span><br><span style="color: hsl(120, 100%, 
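Review bot: The PCR assignments are introduced without any comment on the layout, yet attestation policies and anything sealed to PCR values depend on them being stable and documented — as added, romstage, FSP, SPD data, microcode and AGESA all land in PCR 1 and postcar, ramstage, option ROMs, VBT and BL31/BL32 in PCR 2, so a verifier cannot distinguish a changed VBT from a changed ramstage. As far as I recall the TCG PC Client firmware profile uses PCR 0 for firmware code, 1 for configuration, 2/3 for option ROM code/config and 4 for boot-manager code, so this layout deviates (payload in 3, microcode and FSP in 1); that is permissible but should be stated, e.g. `/* coreboot PCR layout: 0 bootblock/verstage, 1 early firmware and config blobs, 2 late stages/option ROMs, 3 payload, 4 unclassified programs. Deviates from the TCG PC Client PFP; renumbering breaks existing sealing policies. */`. `TPM_FW_MAIN` lacks the `_PCR` suffix every other macro carries, and the `//` comments do not match the `/* */` style used elsewhere in this header.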
40%);">+       select VBOOT_MOCK_SECDATA</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VBOOT_MODE_MEASURED_BOOT</span><br><span style="color: hsl(120, 100%, 40%);">+  bool "Measured Boot"</span><br><span style="color: hsl(120, 100%, 40%);">+        depends on TPM1 || TPM2</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VBOOT_MODE_VERIFIED_AND_MEASURED_BOOT</span><br><span style="color: hsl(120, 100%, 40%);">+       bool "Verified & Measured Boot"</span><br><span style="color: hsl(120, 100%, 40%);">+ depends on TPM1 || TPM2</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+endchoice</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> config VBOOT_VBNV_CMOS</span><br><span>     bool</span><br><span>         default n</span><br><span>@@ -80,7 +105,7 @@</span><br><span>         allocated in CBMEM.</span><br><span> </span><br><span> config VBOOT_MOCK_SECDATA</span><br><span style="color: hsl(0, 100%, 40%);">-  bool "Mock secdata for firmware verification"</span><br><span style="color: hsl(120, 100%, 40%);">+       bool "Disable antirollback protection"</span><br><span>     default n</span><br><span>    help</span><br><span>           Enabling VBOOT_MOCK_SECDATA will mock secdata for the firmware</span><br><span>diff --git a/src/security/vboot/antirollback.h b/src/security/vboot/antirollback.h</span><br><span>index ae2d665..a784026 100644</span><br><span>--- a/src/security/vboot/antirollback.h</span><br><span>+++ b/src/security/vboot/antirollback.h</span><br><span>@@ -66,4 +66,7 @@</span><br><span> uint32_t vboot_extend_pcr(struct vb2_context *ctx, int pcr,</span><br><span>                         enum vb2_pcr_digest which_digest);</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+/* Measure boot mode requiredment. 
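Review bot: `VBOOT_MOCK_SECDATA` keeps a user prompt (now "Disable antirollback protection") while the new choice also `select`s it, so a user can switch it on together with "Verified Boot" or "Measured Boot" and ship a TPM build whose rollback counters are mocked — the mode name then promises protection the build does not have. Since the choice is now the one place that decides this, I would drop the prompt (`config VBOOT_MOCK_SECDATA` followed by a bare `bool`) and rewrite its help, which still speaks of mocking secdata "for the firmware". The default `VBOOT_MODE_VERIFIED_BOOT` depends on `TPM1 || TPM2`, so on a board with neither (rotor, cannonlake_rvp and kblrvp's "No TPM" lose their explicit `select VBOOT_MOCK_SECDATA` in this change) the default is not visible and, if I remember Kconfig correctly, the first visible entry is taken silently — say it explicitly with `default VBOOT_MODE_VERIFIED_BOOT_NO_ROLLBACK_PROTECTION if !(TPM1 || TPM2)`. None of the four entries has help text; in particular nothing in this diff shows "Measured Boot" skipping signature verification, so the help should state whether signatures are still checked in that mode.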
Measures bootblock and verstage */</span><br><span style="color: hsl(120, 100%, 40%);">+uint32_t vboot_measure_self(void);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> #endif  /* ANTIROLLBACK_H_ */</span><br><span>diff --git a/src/security/vboot/secdata_mock.c b/src/security/vboot/secdata_mock.c</span><br><span>index 3075d33..184c4ae 100644</span><br><span>--- a/src/security/vboot/secdata_mock.c</span><br><span>+++ b/src/security/vboot/secdata_mock.c</span><br><span>@@ -79,3 +79,8 @@</span><br><span> {</span><br><span>       return VB2_SUCCESS;</span><br><span> }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+uint32_t vboot_measure_self(void)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+      return VB2_SUCCESS;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span>diff --git a/src/security/vboot/secdata_tpm.c b/src/security/vboot/secdata_tpm.c</span><br><span>index 9dff2ff..3d3d590 100644</span><br><span>--- a/src/security/vboot/secdata_tpm.c</span><br><span>+++ b/src/security/vboot/secdata_tpm.c</span><br><span>@@ -37,6 +37,8 @@</span><br><span> #include <security/tpm/tspi.h></span><br><span> #include <vb2_api.h></span><br><span> #include <console/console.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <security/tpm/tspi.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <cbfs.h></span><br><span> </span><br><span> #include "antirollback.h"</span><br><span> </span><br><span>@@ -445,10 +447,6 @@</span><br><span> {</span><br><span>        uint32_t rv;</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-        rv = vboot_setup_tpm(ctx);</span><br><span style="color: hsl(0, 100%, 40%);">-      if (rv)</span><br><span style="color: hsl(0, 100%, 40%);">-         return rv;</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span>   /* Read the 
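Review bot: The comment on `vboot_measure_self()` has a typo ("requiredment") and says less than a caller needs; I would write `/* Measured boot mode requirement: extends the bootblock and verstage images into their PCRs. Returns VB2_SUCCESS, or VB2_ERROR_UNKNOWN if either stage cannot be located in CBFS. */`. Which PCRs are used and whether a failed extend is reported should be stated here once the implementation decides it, since this header is what other stages read.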
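Review bot: The mock `vboot_measure_self()` returns `VB2_SUCCESS` without extending anything, so a build that ends up with both `VBOOT_MOCK_SECDATA` (still user-selectable in this change) and a measured mode boots with untouched PCRs while verstage believes measured boot was initialised. If measured boot cannot work without the real secdata backend, make that visible — `printk(BIOS_WARNING, "Measured boot unavailable with mock secdata\n");` at least, or return an error so the caller's `die()` fires — or exclude the combination in Kconfig; I cannot see from here which file the build picks for which option.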
firmware space. */</span><br><span>       rv = read_space_firmware(ctx);</span><br><span>       if (rv == TPM_E_BADINDEX) {</span><br><span>@@ -521,3 +519,30 @@</span><br><span>           return VB2_ERROR_EX_TPM_CLEAR_OWNER;</span><br><span>         return VB2_SUCCESS;</span><br><span> }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+uint32_t vboot_measure_self(void)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+      struct cbfsf file1, file2;</span><br><span style="color: hsl(120, 100%, 40%);">+    struct prog bootblock = PROG_INIT(PROG_UNKNOWN, "bootblock");</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+     struct prog verstage =</span><br><span style="color: hsl(120, 100%, 40%);">+            PROG_INIT(PROG_VERSTAGE, CONFIG_CBFS_PREFIX "/verstage");</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+     /* load verstage from RO */</span><br><span style="color: hsl(120, 100%, 40%);">+   if (cbfs_boot_locate(&file1, prog_name(&bootblock), NULL))</span><br><span style="color: hsl(120, 100%, 40%);">+            return VB2_ERROR_UNKNOWN;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+   cbfs_file_data(prog_rdev(&bootblock), &file1);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+      if (cbfs_boot_locate(&file2, prog_name(&verstage), NULL))</span><br><span style="color: hsl(120, 100%, 40%);">+             return VB2_ERROR_UNKNOWN;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+   cbfs_file_data(prog_rdev(&verstage), &file2);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+       
tpm_measure_region(TPM_BOOTBLOCK_PCR, prog_rdev(&bootblock),</span><br><span style="color: hsl(120, 100%, 40%);">+                         "bootblock");</span><br><span style="color: hsl(120, 100%, 40%);">+    tpm_measure_region(TPM_STAGE_VERSTAGE_PCR, prog_rdev(&verstage),</span><br><span style="color: hsl(120, 100%, 40%);">+                     CONFIG_CBFS_PREFIX "/verstage");</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+       return VB2_SUCCESS;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span>diff --git a/src/security/vboot/vboot_common.c b/src/security/vboot/vboot_common.c</span><br><span>index 3ef9070..5dbf77e 100644</span><br><span>--- a/src/security/vboot/vboot_common.c</span><br><span>+++ b/src/security/vboot/vboot_common.c</span><br><span>@@ -18,12 +18,14 @@</span><br><span> #include <cbmem.h></span><br><span> #include <console/cbmem_console.h></span><br><span> #include <console/console.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <program_loading.h></span><br><span> #include <fmap.h></span><br><span> #include <reset.h></span><br><span> #include <rules.h></span><br><span> #include <stddef.h></span><br><span> #include <string.h></span><br><span> #include <security/vboot/vboot_common.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <security/tpm/tspi.h></span><br><span> </span><br><span> int vboot_named_region_device(const char *name, struct region_device *rdev)</span><br><span> {</span><br><span>@@ -100,6 +102,55 @@</span><br><span>  return sd->recovery_reason;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+#if !ENV_BOOTBLOCK</span><br><span style="color: hsl(120, 100%, 40%);">+void measured_prog_run(struct prog *prog)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+     switch (prog->type) {</span><br><span style="color: hsl(120, 100%, 
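Review bot: `vboot_measure_self()` returns `VB2_SUCCESS` regardless of what `tpm_measure_region()` and `cbfs_file_data()` return, so a failed PCR extend — for instance a TPM that never came up, which the now-unchecked `vboot_setup_tpm()` in verstage can leave behind — is reported as a successfully initialised measured boot and the caller's `die()` never fires; only the two CBFS lookups are checked. Propagate both results as below (their exact return types are not visible here, so I test them as non-zero-on-failure like the existing `cbfs_boot_locate()` checks). The comment `/* load verstage from RO */` sits above the bootblock lookup, and `#include <security/tpm/tspi.h>` is added two lines below an identical include. A comment on the function should also say that verstage measuring the bootblock that already ran is a self-measurement rather than a root of trust — a modified bootblock controls what is hashed here, so the chain is only as strong as whatever protects the bootblock on a given board. The `@@ -445` hunk removes the `vboot_setup_tpm()` call from a function whose start lies outside the hunk.
```c
uint32_t vboot_measure_self(void)
{
	/* … unchanged: cbfsf and PROG_INIT declarations … */

	/* Both stages are looked up in CBFS; fail if either is missing. */
	if (cbfs_boot_locate(&file1, prog_name(&bootblock), NULL) ||
	    cbfs_file_data(prog_rdev(&bootblock), &file1))
		return VB2_ERROR_UNKNOWN;

	if (cbfs_boot_locate(&file2, prog_name(&verstage), NULL) ||
	    cbfs_file_data(prog_rdev(&verstage), &file2))
		return VB2_ERROR_UNKNOWN;

	/* A failed extend must not be reported as a measured boot. */
	if (tpm_measure_region(TPM_BOOTBLOCK_PCR, prog_rdev(&bootblock),
			       "bootblock"))
		return VB2_ERROR_UNKNOWN;

	if (tpm_measure_region(TPM_STAGE_VERSTAGE_PCR, prog_rdev(&verstage),
			       CONFIG_CBFS_PREFIX "/verstage"))
		return VB2_ERROR_UNKNOWN;

	return VB2_SUCCESS;
}
```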
40%);">+      case PROG_VERSTAGE:</span><br><span style="color: hsl(120, 100%, 40%);">+           tpm_measure_region(TPM_STAGE_VERSTAGE_PCR, prog_rdev(prog),</span><br><span style="color: hsl(120, 100%, 40%);">+                              prog->name);</span><br><span style="color: hsl(120, 100%, 40%);">+            break;</span><br><span style="color: hsl(120, 100%, 40%);">+        case PROG_ROMSTAGE:</span><br><span style="color: hsl(120, 100%, 40%);">+           tpm_measure_region(TPM_STAGE_ROMSTAGE_PCR, prog_rdev(prog),</span><br><span style="color: hsl(120, 100%, 40%);">+                              prog->name);</span><br><span style="color: hsl(120, 100%, 40%);">+            break;</span><br><span style="color: hsl(120, 100%, 40%);">+        case PROG_RAMSTAGE:</span><br><span style="color: hsl(120, 100%, 40%);">+           tpm_measure_region(TPM_STAGE_RAMSTAGE_PCR, prog_rdev(prog),</span><br><span style="color: hsl(120, 100%, 40%);">+                              prog->name);</span><br><span style="color: hsl(120, 100%, 40%);">+            break;</span><br><span style="color: hsl(120, 100%, 40%);">+        case PROG_BL32:</span><br><span style="color: hsl(120, 100%, 40%);">+               tpm_measure_region(TPM_ARM_BL32_PCR, prog_rdev(prog),</span><br><span style="color: hsl(120, 100%, 40%);">+                            prog->name);</span><br><span style="color: hsl(120, 100%, 40%);">+            break;</span><br><span style="color: hsl(120, 100%, 40%);">+        case PROG_BL31:</span><br><span style="color: hsl(120, 100%, 40%);">+               tpm_measure_region(TPM_ARM_BL31_PCR, prog_rdev(prog),</span><br><span style="color: hsl(120, 100%, 40%);">+                            prog->name);</span><br><span style="color: hsl(120, 100%, 40%);">+            break;</span><br><span style="color: hsl(120, 100%, 40%);">+        case PROG_PAYLOAD:</span><br><span style="color: hsl(120, 100%, 40%);">+            tpm_measure_region(TPM_PAYLOAD_PCR, 
prog_rdev(prog),</span><br><span style="color: hsl(120, 100%, 40%);">+                             prog->name);</span><br><span style="color: hsl(120, 100%, 40%);">+            break;</span><br><span style="color: hsl(120, 100%, 40%);">+        case PROG_REFCODE:</span><br><span style="color: hsl(120, 100%, 40%);">+            tpm_measure_region(TPM_INTEL_FSP_PCR, prog_rdev(prog),</span><br><span style="color: hsl(120, 100%, 40%);">+                                   prog->name);</span><br><span style="color: hsl(120, 100%, 40%);">+            break;</span><br><span style="color: hsl(120, 100%, 40%);">+        case PROG_POSTCAR:</span><br><span style="color: hsl(120, 100%, 40%);">+            tpm_measure_region(TPM_STAGE_POSTCAR_PCR, prog_rdev(prog),</span><br><span style="color: hsl(120, 100%, 40%);">+                               prog->name);</span><br><span style="color: hsl(120, 100%, 40%);">+            break;</span><br><span style="color: hsl(120, 100%, 40%);">+        case PROG_UNKNOWN:</span><br><span style="color: hsl(120, 100%, 40%);">+            if (prog->name) {</span><br><span style="color: hsl(120, 100%, 40%);">+                  tpm_measure_region(TPM_UNKNOWN_PCR, prog_rdev(prog),</span><br><span style="color: hsl(120, 100%, 40%);">+                                     prog->name);</span><br><span style="color: hsl(120, 100%, 40%);">+            } else {</span><br><span style="color: hsl(120, 100%, 40%);">+                      die("Can't execute program if measured boot is active "</span><br><span style="color: hsl(120, 100%, 40%);">+                     "and no program name given.");</span><br><span style="color: hsl(120, 100%, 40%);">+          }</span><br><span style="color: hsl(120, 100%, 40%);">+             break;</span><br><span style="color: hsl(120, 100%, 40%);">+        }</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span style="color: hsl(120, 100%, 
40%);">+</span><br><span> /* ============================ VBOOT REBOOT ============================== */</span><br><span> void __attribute__((weak)) vboot_platform_prepare_reboot(void)</span><br><span> {</span><br><span>diff --git a/src/security/vboot/vboot_logic.c b/src/security/vboot/vboot_logic.c</span><br><span>index 3651a27..6067f6c 100644</span><br><span>--- a/src/security/vboot/vboot_logic.c</span><br><span>+++ b/src/security/vboot/vboot_logic.c</span><br><span>@@ -9,7 +9,7 @@</span><br><span>  *</span><br><span>  * This program is distributed in the hope that it will be useful,</span><br><span>  * but WITHOUT ANY WARRANTY; without even the implied warranty of</span><br><span style="color: hsl(0, 100%, 40%);">- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the</span><br><span style="color: hsl(120, 100%, 40%);">+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See themeasure_self</span><br><span>  * GNU General Public License for more details.</span><br><span>  */</span><br><span> </span><br><span>@@ -19,11 +19,11 @@</span><br><span> #include <console/console.h></span><br><span> #include <console/vtxprintf.h></span><br><span> #include <delay.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <security/vboot/misc.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <security/vboot/vbnv.h></span><br><span> #include <string.h></span><br><span> #include <timestamp.h></span><br><span> #include <vb2_api.h></span><br><span style="color: hsl(0, 100%, 40%);">-#include <security/vboot/misc.h></span><br><span style="color: hsl(0, 100%, 40%);">-#include <security/vboot/vbnv.h></span><br><span> </span><br><span> #include "antirollback.h"</span><br><span> </span><br><span>@@ -53,11 +53,8 @@</span><br><span>       return;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-int vb2ex_read_resource(struct vb2_context *ctx,</span><br><span style="color: hsl(0, 100%, 40%);">-                    
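Review bot: `measured_prog_run()` is compiled into every non-bootblock stage regardless of the selected boot mode — the only guard is `#if !ENV_BOOTBLOCK` and nothing in the hunk references `CONFIG_VBOOT_MODE_*` — so a plain "Verified Boot" or "Verified Boot (no TPM)" build also extends PCRs on every `prog_run()` and `die()`s on an unnamed `PROG_UNKNOWN` program; the guard should be `#if !ENV_BOOTBLOCK && (IS_ENABLED(CONFIG_VBOOT_MODE_MEASURED_BOOT) || IS_ENABLED(CONFIG_VBOOT_MODE_VERIFIED_AND_MEASURED_BOOT))` so the weak no-op in prog_ops.c applies otherwise. Every `tpm_measure_region()` result is discarded, so a failed extend leaves the PCR untouched while the stage still runs; at minimum `printk(BIOS_ERR, "Failed to measure %s\n", prog->name);` so the gap shows up in the log. The `switch` has no `default:`, so any `prog_type` value not listed goes unmeasured without notice — `default:` measuring into `TPM_UNKNOWN_PCR` or dying would be safer. One caveat worth a comment: if `prog_rdev(prog)` still refers to the CBFS region in flash rather than the loaded copy (not visible here), the hash re-reads flash after the stage has been loaded, and an attacker on the SPI bus can present different bytes to the measurement than to execution; hashing the loaded image closes that window.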
    enum vb2_resource_index index,</span><br><span style="color: hsl(0, 100%, 40%);">-                  uint32_t offset,</span><br><span style="color: hsl(0, 100%, 40%);">-                        void *buf,</span><br><span style="color: hsl(0, 100%, 40%);">-                      uint32_t size)</span><br><span style="color: hsl(120, 100%, 40%);">+int vb2ex_read_resource(struct vb2_context *ctx, enum vb2_resource_index index,</span><br><span style="color: hsl(120, 100%, 40%);">+                       uint32_t offset, void *buf, uint32_t size)</span><br><span> {</span><br><span>      struct region_device rdev;</span><br><span>   const char *name;</span><br><span>@@ -86,24 +83,21 @@</span><br><span> }</span><br><span> </span><br><span> /* No-op stubs that can be overridden by SoCs with hardware crypto support. */</span><br><span style="color: hsl(0, 100%, 40%);">-__attribute__((weak))</span><br><span style="color: hsl(0, 100%, 40%);">-int vb2ex_hwcrypto_digest_init(enum vb2_hash_algorithm hash_alg,</span><br><span style="color: hsl(0, 100%, 40%);">-                        uint32_t data_size)</span><br><span style="color: hsl(120, 100%, 40%);">+__attribute__((weak)) int</span><br><span style="color: hsl(120, 100%, 40%);">+vb2ex_hwcrypto_digest_init(enum vb2_hash_algorithm hash_alg, uint32_t data_size)</span><br><span> {</span><br><span>         return VB2_ERROR_EX_HWCRYPTO_UNSUPPORTED;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-__attribute__((weak))</span><br><span style="color: hsl(0, 100%, 40%);">-int vb2ex_hwcrypto_digest_extend(const uint8_t *buf, uint32_t size)</span><br><span style="color: hsl(120, 100%, 40%);">+__attribute__((weak)) int vb2ex_hwcrypto_digest_extend(const uint8_t *buf,</span><br><span style="color: hsl(120, 100%, 40%);">+                                                       uint32_t size)</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">-      BUG();  /* Should never get called if 
init() returned an error. */</span><br><span>   return VB2_ERROR_UNKNOWN;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-__attribute__((weak))</span><br><span style="color: hsl(0, 100%, 40%);">-int vb2ex_hwcrypto_digest_finalize(uint8_t *digest, uint32_t digest_size)</span><br><span style="color: hsl(120, 100%, 40%);">+__attribute__((weak)) int vb2ex_hwcrypto_digest_finalize(uint8_t *digest,</span><br><span style="color: hsl(120, 100%, 40%);">+                                                    uint32_t digest_size)</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">-     BUG();  /* Should never get called if init() returned an error. */</span><br><span>   return VB2_ERROR_UNKNOWN;</span><br><span> }</span><br><span> </span><br><span>@@ -249,7 +243,7 @@</span><br><span> }</span><br><span> </span><br><span> static int locate_firmware(struct vb2_context *ctx,</span><br><span style="color: hsl(0, 100%, 40%);">-                                struct region_device *fw_main)</span><br><span style="color: hsl(120, 100%, 40%);">+                           struct region_device *fw_main)</span><br><span> {</span><br><span>       const char *name;</span><br><span> </span><br><span>@@ -313,6 +307,15 @@</span><br><span>             vboot_platform_is_resuming())</span><br><span>            ctx.flags |= VB2_CONTEXT_S3_RESUME;</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+       /* setup tpm */</span><br><span style="color: hsl(120, 100%, 40%);">+       vboot_setup_tpm(&ctx);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+  /* Enable measured boot mode */</span><br><span style="color: hsl(120, 100%, 40%);">+#if IS_ENABLED(CONFIG_VBOOT_MODE_MEASURED_BOOT)</span><br><span style="color: hsl(120, 100%, 40%);">+      if (vboot_measure_self() != VB2_SUCCESS)</span><br><span style="color: hsl(120, 100%, 40%);">+              die("Initializing 
measured boot mode failed!");</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span>  /* Read secdata from TPM. Initialize TPM if secdata not found. We don't</span><br><span>   * check the return value here because vb2api_fw_phase1 will catch</span><br><span>    * invalid secdata and tell us what to do (=reboot). */</span><br><span>@@ -351,7 +354,7 @@</span><br><span>                if (rv == VB2_ERROR_API_PHASE1_RECOVERY) {</span><br><span>                   printk(BIOS_INFO, "Recovery requested (%x)\n", rv);</span><br><span>                        save_if_needed(&ctx);</span><br><span style="color: hsl(0, 100%, 40%);">-                       extend_pcrs(&ctx);  /* ignore failures */</span><br><span style="color: hsl(120, 100%, 40%);">+                 extend_pcrs(&ctx); /* ignore failures */</span><br><span>                         timestamp_add_now(TS_END_VBOOT);</span><br><span>                     return;</span><br><span>              }</span><br><span></span><br></pre><p>To view, visit <a href="https://review.coreboot.org/23756">change 23756</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://review.coreboot.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://review.coreboot.org/23756"/><meta itemprop="name" content="View Change"/></div></div>
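Review bot: `vboot_setup_tpm(&ctx);` in verstage_main now drops its status — before this change the same call was checked (`rv = vboot_setup_tpm(ctx); if (rv) return rv;` in secdata_tpm.c) so a failed TPM init skipped the secdata read, and with measured boot the unchecked call lets `vboot_measure_self()` extend into a TPM that never came up. Keep the result, e.g. `if (vboot_setup_tpm(&ctx)) printk(BIOS_ERR, "TPM setup failed\n");`, and in a measured mode treat it as fatal. The self-measurement guard covers only `CONFIG_VBOOT_MODE_MEASURED_BOOT`, so the `VBOOT_MODE_VERIFIED_AND_MEASURED_BOOT` mode added in the same change never measures bootblock and verstage; it should read `#if IS_ENABLED(CONFIG_VBOOT_MODE_MEASURED_BOOT) || IS_ENABLED(CONFIG_VBOOT_MODE_VERIFIED_AND_MEASURED_BOOT)`. The first hunk pastes `measure_self` into the GPL notice (`See themeasure_self`) and must be restored to `See the`, and dropping `BUG()` from the hwcrypto `extend`/`finalize` stubs plus the signature reflows are unrelated to this change and remove a should-never-happen check. verstage_main starts and ends outside the hunk.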
