<p>Philipp Deppenwiese has uploaded this change for <strong>review</strong>.</p><p><a href="https://review.coreboot.org/24904">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">security/vboot: Interface FSP 2.0 mrc caching<br><br>Change-Id: I41a458186c7981adaf3fea8974adec2ca8668f14<br>Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org><br>---<br>A src/drivers/intel/fsp2_0/include/fsp/memory_init.h<br>M src/drivers/intel/fsp2_0/memory_init.c<br>A src/security/vboot/mrc_cache_hash_tpm.c<br>3 files changed, 148 insertions(+), 95 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://review.coreboot.org:29418/coreboot refs/changes/04/24904/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/drivers/intel/fsp2_0/include/fsp/memory_init.h b/src/drivers/intel/fsp2_0/include/fsp/memory_init.h</span><br><span>new file mode 100644</span><br><span>index 0000000..2f21019</span><br><span>--- /dev/null</span><br><span>+++ b/src/drivers/intel/fsp2_0/include/fsp/memory_init.h</span><br><span>@@ -0,0 +1,30 @@</span><br><span style="color: hsl(120, 100%, 40%);">+/*</span><br><span style="color: hsl(120, 100%, 40%);">+ * This file is part of the coreboot project.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * Copyright (C) 2018 Facebook Inc</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * This program is free software; you can redistribute it and/or modify</span><br><span style="color: hsl(120, 100%, 40%);">+ * it under the terms of the GNU General Public License as published by</span><br><span style="color: hsl(120, 100%, 40%);">+ * the Free Software Foundation; version 2 of the License.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * This program is distributed in the hope that it will be useful,</span><br><span style="color: hsl(120, 100%, 40%);">+ * but WITHOUT ANY WARRANTY; without even the implied warranty of</span><br><span style="color: hsl(120, 100%, 40%);">+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the</span><br><span style="color: hsl(120, 100%, 40%);">+ * GNU General Public License for more details.</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#ifndef _FSP2_0_MEMORY_INIT_H_</span><br><span style="color: hsl(120, 100%, 40%);">+#define _FSP2_0_MEMORY_INIT_H_</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+/*</span><br><span style="color: hsl(120, 100%, 40%);">+ * Updates mrc cache hash if it differs.</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+void mrc_cache_update_hash(const uint8_t *data, size_t size);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+/*</span><br><span style="color: hsl(120, 100%, 40%);">+ * Verifies mrc cache hash which is stored somewhere.</span><br><span style="color: hsl(120, 100%, 40%);">+ * return 1 verification was successful and 0 for error.</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+int mrc_cache_verify_hash(const uint8_t *data, size_t size);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#endif /* _FSP2_0_MEMORY_INIT_H_ */</span><br><span>diff --git a/src/drivers/intel/fsp2_0/memory_init.c b/src/drivers/intel/fsp2_0/memory_init.c</span><br><span>index aa5909f..3dafa00 100644</span><br><span>--- a/src/drivers/intel/fsp2_0/memory_init.c</span><br><span>+++ b/src/drivers/intel/fsp2_0/memory_init.c</span><br><span>@@ -31,62 +31,19 @@</span><br><span> #include <string.h></span><br><span> #include <symbols.h></span><br><span> #include <timestamp.h></span><br><span style="color: hsl(0, 100%, 40%);">-#include <security/tpm/tspi.h></span><br><span> #include <security/vboot/vboot_common.h></span><br><span> #include <vb2_api.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <fsp/memory_init.h></span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-static void mrc_cache_update_tpm_hash(const uint8_t *data, size_t size)</span><br><span style="color: hsl(120, 100%, 40%);">+__attribute__((weak)) void mrc_cache_update_hash(const uint8_t *data,</span><br><span style="color: hsl(120, 100%, 40%);">+ size_t size)</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">- uint8_t data_hash[VB2_SHA256_DIGEST_SIZE];</span><br><span style="color: hsl(0, 100%, 40%);">- static const uint8_t dead_hash[VB2_SHA256_DIGEST_SIZE] = {</span><br><span style="color: hsl(0, 100%, 40%);">- 0xba, 0xad, 0xda, 0x1a, /* BAADDA1A */</span><br><span style="color: hsl(0, 100%, 40%);">- 0xde, 0xad, 0xde, 0xad, /* DEADDEAD */</span><br><span style="color: hsl(0, 100%, 40%);">- 0xde, 0xad, 0xda, 0x1a, /* DEADDA1A */</span><br><span style="color: hsl(0, 100%, 40%);">- 0xba, 0xad, 0xba, 0xad, /* BAADBAAD */</span><br><span style="color: hsl(0, 100%, 40%);">- 0xba, 0xad, 0xda, 0x1a, /* BAADDA1A */</span><br><span style="color: hsl(0, 100%, 40%);">- 0xde, 0xad, 0xde, 0xad, /* DEADDEAD */</span><br><span style="color: hsl(0, 100%, 40%);">- 0xde, 0xad, 0xda, 0x1a, /* DEADDA1A */</span><br><span style="color: hsl(0, 100%, 40%);">- 0xba, 0xad, 0xba, 0xad, /* BAADBAAD */</span><br><span style="color: hsl(0, 100%, 40%);">- };</span><br><span style="color: hsl(0, 100%, 40%);">- const uint8_t *hash_ptr = data_hash;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- /* We do not store normal mode data hash in TPM. */</span><br><span style="color: hsl(0, 100%, 40%);">- if (!vboot_recovery_mode_enabled())</span><br><span style="color: hsl(0, 100%, 40%);">- return;</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span style="color: hsl(0, 100%, 40%);">- /* Bail out early if no mrc hash space is supported in TPM. */</span><br><span style="color: hsl(0, 100%, 40%);">- if (!IS_ENABLED(CONFIG_FSP2_0_USES_TPM_MRC_HASH))</span><br><span style="color: hsl(0, 100%, 40%);">- return;</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span style="color: hsl(0, 100%, 40%);">- /* Initialize TPM driver. */</span><br><span style="color: hsl(0, 100%, 40%);">- if (tlcl_lib_init() != VB2_SUCCESS) {</span><br><span style="color: hsl(0, 100%, 40%);">- printk(BIOS_ERR, "MRC: TPM driver initialization failed.\n");</span><br><span style="color: hsl(0, 100%, 40%);">- return;</span><br><span style="color: hsl(0, 100%, 40%);">- }</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span style="color: hsl(0, 100%, 40%);">- /* Calculate hash of data generated by MRC. */</span><br><span style="color: hsl(0, 100%, 40%);">- if (vb2_digest_buffer(data, size, VB2_HASH_SHA256, data_hash,</span><br><span style="color: hsl(0, 100%, 40%);">- sizeof(data_hash))) {</span><br><span style="color: hsl(0, 100%, 40%);">- printk(BIOS_ERR, "MRC: SHA-256 calculation failed for data. "</span><br><span style="color: hsl(0, 100%, 40%);">- "Not updating TPM hash space.\n");</span><br><span style="color: hsl(0, 100%, 40%);">- /*</span><br><span style="color: hsl(0, 100%, 40%);">- * Since data is being updated in recovery cache, the hash</span><br><span style="color: hsl(0, 100%, 40%);">- * currently stored in TPM recovery hash space is no longer</span><br><span style="color: hsl(0, 100%, 40%);">- * valid. If we are not able to calculate hash of the data being</span><br><span style="color: hsl(0, 100%, 40%);">- * updated, reset all the bits in TPM recovery hash space to</span><br><span style="color: hsl(0, 100%, 40%);">- * pre-defined hash pattern.</span><br><span style="color: hsl(0, 100%, 40%);">- */</span><br><span style="color: hsl(0, 100%, 40%);">- hash_ptr = dead_hash;</span><br><span style="color: hsl(0, 100%, 40%);">- }</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span style="color: hsl(0, 100%, 40%);">- /* Write hash of data to TPM space. */</span><br><span style="color: hsl(0, 100%, 40%);">- if (antirollback_write_space_rec_hash(hash_ptr, VB2_SHA256_DIGEST_SIZE)</span><br><span style="color: hsl(0, 100%, 40%);">- != TPM_SUCCESS) {</span><br><span style="color: hsl(0, 100%, 40%);">- printk(BIOS_ERR, "MRC: Could not save hash to TPM.\n");</span><br><span style="color: hsl(0, 100%, 40%);">- return;</span><br><span style="color: hsl(0, 100%, 40%);">- }</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span style="color: hsl(0, 100%, 40%);">- printk(BIOS_INFO, "MRC: TPM MRC hash updated successfully.\n");</span><br><span style="color: hsl(120, 100%, 40%);">+__attribute__((weak)) int mrc_cache_verify_hash(const uint8_t *data,</span><br><span style="color: hsl(120, 100%, 40%);">+ size_t size)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ return 1;</span><br><span> }</span><br><span> </span><br><span> static void save_memory_training_data(bool s3wake, uint32_t fsp_version)</span><br><span>@@ -113,7 +70,7 @@</span><br><span> mrc_data_size) < 0)</span><br><span> printk(BIOS_ERR, "Failed to stash MRC data\n");</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- mrc_cache_update_tpm_hash(mrc_data, mrc_data_size);</span><br><span style="color: hsl(120, 100%, 40%);">+ mrc_cache_update_hash(mrc_data, mrc_data_size);</span><br><span> }</span><br><span> </span><br><span> static void do_fsp_post_memory_init(bool s3wake, uint32_t fsp_version)</span><br><span>@@ -148,48 +105,6 @@</span><br><span> romstage_handoff_init(s3wake);</span><br><span> }</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-static int mrc_cache_verify_tpm_hash(const uint8_t *data, size_t size)</span><br><span style="color: hsl(0, 100%, 40%);">-{</span><br><span style="color: hsl(0, 100%, 40%);">- uint8_t data_hash[VB2_SHA256_DIGEST_SIZE];</span><br><span style="color: hsl(0, 100%, 40%);">- uint8_t tpm_hash[VB2_SHA256_DIGEST_SIZE];</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span style="color: hsl(0, 100%, 40%);">- /* We do not store normal mode data hash in TPM. */</span><br><span style="color: hsl(0, 100%, 40%);">- if (!vboot_recovery_mode_enabled())</span><br><span style="color: hsl(0, 100%, 40%);">- return 1;</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span style="color: hsl(0, 100%, 40%);">- if (!IS_ENABLED(CONFIG_FSP2_0_USES_TPM_MRC_HASH))</span><br><span style="color: hsl(0, 100%, 40%);">- return 1;</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span style="color: hsl(0, 100%, 40%);">- /* Calculate hash of data read from RECOVERY_MRC_CACHE. */</span><br><span style="color: hsl(0, 100%, 40%);">- if (vb2_digest_buffer(data, size, VB2_HASH_SHA256, data_hash,</span><br><span style="color: hsl(0, 100%, 40%);">- sizeof(data_hash))) {</span><br><span style="color: hsl(0, 100%, 40%);">- printk(BIOS_ERR, "MRC: SHA-256 calculation failed for data.\n");</span><br><span style="color: hsl(0, 100%, 40%);">- return 0;</span><br><span style="color: hsl(0, 100%, 40%);">- }</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span style="color: hsl(0, 100%, 40%);">- /* Initialize TPM driver. */</span><br><span style="color: hsl(0, 100%, 40%);">- if (tlcl_lib_init() != VB2_SUCCESS) {</span><br><span style="color: hsl(0, 100%, 40%);">- printk(BIOS_ERR, "MRC: TPM driver initialization failed.\n");</span><br><span style="color: hsl(0, 100%, 40%);">- return 0;</span><br><span style="color: hsl(0, 100%, 40%);">- }</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span style="color: hsl(0, 100%, 40%);">- /* Read hash of MRC data saved in TPM. */</span><br><span style="color: hsl(0, 100%, 40%);">- if (antirollback_read_space_rec_hash(tpm_hash, sizeof(tpm_hash))</span><br><span style="color: hsl(0, 100%, 40%);">- != TPM_SUCCESS) {</span><br><span style="color: hsl(0, 100%, 40%);">- printk(BIOS_ERR, "MRC: Could not read hash from TPM.\n");</span><br><span style="color: hsl(0, 100%, 40%);">- return 0;</span><br><span style="color: hsl(0, 100%, 40%);">- }</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span style="color: hsl(0, 100%, 40%);">- if (memcmp(tpm_hash, data_hash, sizeof(tpm_hash))) {</span><br><span style="color: hsl(0, 100%, 40%);">- printk(BIOS_ERR, "MRC: Hash comparison failed.\n");</span><br><span style="color: hsl(0, 100%, 40%);">- return 0;</span><br><span style="color: hsl(0, 100%, 40%);">- }</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span style="color: hsl(0, 100%, 40%);">- printk(BIOS_INFO, "MRC: Hash comparison successful. "</span><br><span style="color: hsl(0, 100%, 40%);">- "Using data from RECOVERY_MRC_CACHE\n");</span><br><span style="color: hsl(0, 100%, 40%);">- return 1;</span><br><span style="color: hsl(0, 100%, 40%);">-}</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span> static void fsp_fill_mrc_cache(FSPM_ARCH_UPD *arch_upd, uint32_t fsp_version)</span><br><span> {</span><br><span> struct region_device rdev;</span><br><span>@@ -222,7 +137,7 @@</span><br><span> if (data == NULL)</span><br><span> return;</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- if (!mrc_cache_verify_tpm_hash(data, region_device_sz(&rdev)))</span><br><span style="color: hsl(120, 100%, 40%);">+ if (!mrc_cache_verify_hash(data, region_device_sz(&rdev)))</span><br><span> return;</span><br><span> </span><br><span> /* MRC cache found */</span><br><span>diff --git a/src/security/vboot/mrc_cache_hash_tpm.c b/src/security/vboot/mrc_cache_hash_tpm.c</span><br><span>new file mode 100644</span><br><span>index 0000000..986aa63</span><br><span>--- /dev/null</span><br><span>+++ b/src/security/vboot/mrc_cache_hash_tpm.c</span><br><span>@@ -0,0 +1,108 @@</span><br><span style="color: hsl(120, 100%, 40%);">+/*</span><br><span style="color: hsl(120, 100%, 40%);">+ * This file is part of the coreboot project.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * Copyright (C) 2018 Facebook Inc</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * This program is free software; you can redistribute it and/or modify</span><br><span style="color: hsl(120, 100%, 40%);">+ * it under the terms of the GNU General Public License as published by</span><br><span style="color: hsl(120, 100%, 40%);">+ * the Free Software Foundation; either version 2 of the License, or</span><br><span style="color: hsl(120, 100%, 40%);">+ * (at your option) any later version.</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#include <security/vboot/antirollback.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <program_loading.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <security/vboot/vboot_common.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <vb2_api.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <security/tpm/tss.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <fsp/memory_init.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <console/console.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <string.h></span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+void mrc_cache_update_hash(const uint8_t *data, size_t size)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ uint8_t data_hash[VB2_SHA256_DIGEST_SIZE];</span><br><span style="color: hsl(120, 100%, 40%);">+ static const uint8_t dead_hash[VB2_SHA256_DIGEST_SIZE] = {</span><br><span style="color: hsl(120, 100%, 40%);">+ 0xba, 0xad, 0xda, 0x1a, /* BAADDA1A */</span><br><span style="color: hsl(120, 100%, 40%);">+ 0xde, 0xad, 0xde, 0xad, /* DEADDEAD */</span><br><span style="color: hsl(120, 100%, 40%);">+ 0xde, 0xad, 0xda, 0x1a, /* DEADDA1A */</span><br><span style="color: hsl(120, 100%, 40%);">+ 0xba, 0xad, 0xba, 0xad, /* BAADBAAD */</span><br><span style="color: hsl(120, 100%, 40%);">+ 0xba, 0xad, 0xda, 0x1a, /* BAADDA1A */</span><br><span style="color: hsl(120, 100%, 40%);">+ 0xde, 0xad, 0xde, 0xad, /* DEADDEAD */</span><br><span style="color: hsl(120, 100%, 40%);">+ 0xde, 0xad, 0xda, 0x1a, /* DEADDA1A */</span><br><span style="color: hsl(120, 100%, 40%);">+ 0xba, 0xad, 0xba, 0xad, /* BAADBAAD */</span><br><span style="color: hsl(120, 100%, 40%);">+ };</span><br><span style="color: hsl(120, 100%, 40%);">+ const uint8_t *hash_ptr = data_hash;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ /* We do not store normal mode data hash in TPM. */</span><br><span style="color: hsl(120, 100%, 40%);">+ if (!vboot_recovery_mode_enabled())</span><br><span style="color: hsl(120, 100%, 40%);">+ return;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Initialize TPM driver. */</span><br><span style="color: hsl(120, 100%, 40%);">+ if (tlcl_lib_init() != VB2_SUCCESS) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_ERR, "MRC: TPM driver initialization failed.\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ return;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Calculate hash of data generated by MRC. */</span><br><span style="color: hsl(120, 100%, 40%);">+ if (vb2_digest_buffer(data, size, VB2_HASH_SHA256, data_hash,</span><br><span style="color: hsl(120, 100%, 40%);">+ sizeof(data_hash))) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_ERR, "MRC: SHA-256 calculation failed for data. "</span><br><span style="color: hsl(120, 100%, 40%);">+ "Not updating TPM hash space.\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ /*</span><br><span style="color: hsl(120, 100%, 40%);">+ * Since data is being updated in recovery cache, the hash</span><br><span style="color: hsl(120, 100%, 40%);">+ * currently stored in TPM recovery hash space is no longer</span><br><span style="color: hsl(120, 100%, 40%);">+ * valid. If we are not able to calculate hash of the data being</span><br><span style="color: hsl(120, 100%, 40%);">+ * updated, reset all the bits in TPM recovery hash space to</span><br><span style="color: hsl(120, 100%, 40%);">+ * pre-defined hash pattern.</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+ hash_ptr = dead_hash;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Write hash of data to TPM space. */</span><br><span style="color: hsl(120, 100%, 40%);">+ if (antirollback_write_space_rec_hash(hash_ptr, VB2_SHA256_DIGEST_SIZE)</span><br><span style="color: hsl(120, 100%, 40%);">+ != TPM_SUCCESS) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_ERR, "MRC: Could not save hash to TPM.\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ return;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_INFO, "MRC: TPM MRC hash updated successfully.\n");</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+int mrc_cache_verify_hash(const uint8_t *data, size_t size)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ uint8_t data_hash[VB2_SHA256_DIGEST_SIZE];</span><br><span style="color: hsl(120, 100%, 40%);">+ uint8_t tpm_hash[VB2_SHA256_DIGEST_SIZE];</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ /* We do not store normal mode data hash in TPM. */</span><br><span style="color: hsl(120, 100%, 40%);">+ if (!vboot_recovery_mode_enabled())</span><br><span style="color: hsl(120, 100%, 40%);">+ return 1;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Calculate hash of data read from RECOVERY_MRC_CACHE. */</span><br><span style="color: hsl(120, 100%, 40%);">+ if (vb2_digest_buffer(data, size, VB2_HASH_SHA256, data_hash,</span><br><span style="color: hsl(120, 100%, 40%);">+ sizeof(data_hash))) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_ERR, "MRC: SHA-256 calculation failed for data.\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ return 0;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Initialize TPM driver. */</span><br><span style="color: hsl(120, 100%, 40%);">+ if (tlcl_lib_init() != VB2_SUCCESS) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_ERR, "MRC: TPM driver initialization failed.\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ return 0;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Read hash of MRC data saved in TPM. */</span><br><span style="color: hsl(120, 100%, 40%);">+ if (antirollback_read_space_rec_hash(tpm_hash, sizeof(tpm_hash))</span><br><span style="color: hsl(120, 100%, 40%);">+ != TPM_SUCCESS) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_ERR, "MRC: Could not read hash from TPM.\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ return 0;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (memcmp(tpm_hash, data_hash, sizeof(tpm_hash))) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_ERR, "MRC: Hash comparison failed.\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ return 0;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_INFO, "MRC: Hash comparison successful. "</span><br><span style="color: hsl(120, 100%, 40%);">+ "Using data from RECOVERY_MRC_CACHE\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ return 1;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span></span><br></pre><p>To view, visit <a href="https://review.coreboot.org/24904">change 24904</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://review.coreboot.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://review.coreboot.org/24904"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: coreboot </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>
<div style="display:none"> Gerrit-Change-Id: I41a458186c7981adaf3fea8974adec2ca8668f14 </div>
<div style="display:none"> Gerrit-Change-Number: 24904 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Philipp Deppenwiese <zaolin.daisuki@gmail.com> </div>