<p>Frans Hendriks has uploaded this change for <strong>review</strong>.</p><p><a href="https://review.coreboot.org/c/coreboot/+/30218">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">security{tpm,verified_boot,mboot}:Add measured and verified boot.<br><br>coreboot supports verified boot based on ChromeOS verified boot.<br>No verified boot support without dependency on ChromeOS is available.<br><br>Create measured boot (security/mboot) and verified_boot<br>(security/verified_boot) directories. These features use the security/lib<br>which is a 'wrapper' using only sha1, sha256 and sha512 of<br>3rdparty/vboot/firmware.<br><br>prog_locate_hook() is added and used to start verified boot.<br>At board level it can be specified which parts of SPI must be verified and/or<br>measured.<br><br>BUG=N/A<br>TEST=Created verified binary and verify logging on Portwell PQ-M107<br><br>Change-Id: Ic1d5a21d40b6a31886777e8e9fe7b28c860f1a80<br>Signed-off-by: Frans Hendriks <fhendriks@eltan.com><br>---<br>M src/device/pci_device.c<br>M src/include/program_loading.h<br>M src/lib/prog_loaders.c<br>M src/security/Kconfig<br>M src/security/Makefile.inc<br>A src/security/include/cb_sha1.h<br>A src/security/include/cb_sha256.h<br>A src/security/include/cb_sha512.h<br>A src/security/include/cryptolib.h<br>A src/security/lib/Makefile.inc<br>A src/security/lib/cb_sha1.c<br>A src/security/lib/cb_sha256.c<br>A src/security/lib/cb_sha512.c<br>A src/security/mboot/Kconfig<br>A src/security/mboot/Makefile.inc<br>A src/security/mboot/mboot.c<br>A src/security/mboot/mboot.h<br>M src/security/tpm/tss.h<br>M src/security/tpm/tss/tcg-2.0/tss.c<br>M src/security/tpm/tss/tcg-2.0/tss_marshaling.c<br>M src/security/tpm/tss/tcg-2.0/tss_structures.h<br>A src/security/verified_boot/Kconfig<br>A src/security/verified_boot/Makefile.inc<br>A src/security/verified_boot/vboot_check.c<br>A src/security/verified_boot/vboot_check.h<br>25 files changed, 2,109 insertions(+), 21 
deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://review.coreboot.org:29418/coreboot refs/changes/18/30218/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/device/pci_device.c b/src/device/pci_device.c</span><br><span>index e35c22c..3e6316a 100644</span><br><span>--- a/src/device/pci_device.c</span><br><span>+++ b/src/device/pci_device.c</span><br><span>@@ -16,6 +16,7 @@</span><br><span> * Copyright (C) 2005-2009 coresystems GmbH</span><br><span> * (Written by Stefan Reinauer <stepan@coresystems.de> for coresystems GmbH)</span><br><span> * Copyright (C) 2014 Sage Electronic Engineering, LLC.</span><br><span style="color: hsl(120, 100%, 40%);">+ * Copyright (C) 2018 Eltan B.V.</span><br><span> *</span><br><span> * This program is free software; you can redistribute it and/or modify</span><br><span> * it under the terms of the GNU General Public License as published by</span><br><span>@@ -802,6 +803,11 @@</span><br><span> if (!should_run_oprom(dev))</span><br><span> return;</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+#if IS_ENABLED(CONFIG_VERIFIED_BOOT)</span><br><span style="color: hsl(120, 100%, 40%);">+ if (!verified_boot_should_run_oprom(rom))</span><br><span style="color: hsl(120, 100%, 40%);">+ return;</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> run_bios(dev, (unsigned long)ram);</span><br><span> gfx_set_init_done(1);</span><br><span> printk(BIOS_DEBUG, "VGA Option ROM was run\n");</span><br><span>diff --git a/src/include/program_loading.h b/src/include/program_loading.h</span><br><span>index 468f0b3..a382daf 100644</span><br><span>--- a/src/include/program_loading.h</span><br><span>+++ b/src/include/program_loading.h</span><br><span>@@ -3,6 +3,7 @@</span><br><span> *</span><br><span> * Copyright 2015 Google Inc.</span><br><span> * 
Copyright (C) 2014 Imagination Technologies</span><br><span style="color: hsl(120, 100%, 40%);">+ * Copyright (C) 2018 Eltan B.V.</span><br><span> *</span><br><span> * This program is free software; you can redistribute it and/or modify</span><br><span> * it under the terms of the GNU General Public License as published by</span><br><span>@@ -136,6 +137,7 @@</span><br><span> </span><br><span> /* Locate the identified program to run. Return 0 on success. < 0 on error. */</span><br><span> int prog_locate(struct prog *prog);</span><br><span style="color: hsl(120, 100%, 40%);">+int prog_locate_hook(struct prog *prog);</span><br><span> </span><br><span> /* Run the program described by prog. */</span><br><span> void prog_run(struct prog *prog);</span><br><span>diff --git a/src/lib/prog_loaders.c b/src/lib/prog_loaders.c</span><br><span>index a9c9add..1d18b7a 100644</span><br><span>--- a/src/lib/prog_loaders.c</span><br><span>+++ b/src/lib/prog_loaders.c</span><br><span>@@ -2,6 +2,7 @@</span><br><span> * This file is part of the coreboot project.</span><br><span> *</span><br><span> * Copyright 2015 Google Inc.</span><br><span style="color: hsl(120, 100%, 40%);">+ * Copyright (C) 2018 Eltan B.V.</span><br><span> *</span><br><span> * This program is free software; you can redistribute it and/or modify</span><br><span> * it under the terms of the GNU General Public License as published by</span><br><span>@@ -39,6 +40,9 @@</span><br><span> {</span><br><span> struct cbfsf file;</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+ if (prog_locate_hook(prog))</span><br><span style="color: hsl(120, 100%, 40%);">+ return -1;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> cbfs_prepare_program_locate();</span><br><span> </span><br><span> if (cbfs_boot_locate(&file, prog_name(prog), NULL))</span><br><span>@@ -74,6 +78,7 @@</span><br><span> halt();</span><br><span> }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+int 
__weak prog_locate_hook(struct prog *prog) {return 0;}</span><br><span> void __weak stage_cache_add(int stage_id,</span><br><span> const struct prog *stage) {}</span><br><span> void __weak stage_cache_load_stage(int stage_id,</span><br><span>diff --git a/src/security/Kconfig b/src/security/Kconfig</span><br><span>index 6a334ac..24d5e34 100644</span><br><span>--- a/src/security/Kconfig</span><br><span>+++ b/src/security/Kconfig</span><br><span>@@ -1,6 +1,7 @@</span><br><span> ## This file is part of the coreboot project.</span><br><span> ##</span><br><span> ## Copyright (C) 2017 Facebook Inc.</span><br><span style="color: hsl(120, 100%, 40%);">+## Copyright (C) 2018 Eltan B.V.</span><br><span> ##</span><br><span> ## This program is free software; you can redistribute it and/or modify</span><br><span> ## it under the terms of the GNU General Public License as published by</span><br><span>@@ -12,5 +13,7 @@</span><br><span> ## GNU General Public License for more details.</span><br><span> ##</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-source "src/security/vboot/Kconfig"</span><br><span style="color: hsl(120, 100%, 40%);">+source "src/security/mboot/Kconfig"</span><br><span> source "src/security/tpm/Kconfig"</span><br><span style="color: hsl(120, 100%, 40%);">+source "src/security/vboot/Kconfig"</span><br><span style="color: hsl(120, 100%, 40%);">+source "src/security/verified_boot/Kconfig"</span><br><span>diff --git a/src/security/Makefile.inc b/src/security/Makefile.inc</span><br><span>index a940b82..d325265 100644</span><br><span>--- a/src/security/Makefile.inc</span><br><span>+++ b/src/security/Makefile.inc</span><br><span>@@ -1,2 +1,29 @@</span><br><span style="color: hsl(0, 100%, 40%);">-subdirs-y += vboot</span><br><span style="color: hsl(120, 100%, 40%);">+## This file is part of the coreboot project.</span><br><span style="color: hsl(120, 100%, 40%);">+##</span><br><span style="color: hsl(120, 100%, 40%);">+## Copyright (c) 2013 The 
Chromium OS Authors. All rights reserved.</span><br><span style="color: hsl(120, 100%, 40%);">+## Copyright (C) 2017 Facebook Inc.</span><br><span style="color: hsl(120, 100%, 40%);">+## Copyright (C) 2018 Eltan B.V.</span><br><span style="color: hsl(120, 100%, 40%);">+##</span><br><span style="color: hsl(120, 100%, 40%);">+## This program is free software; you can redistribute it and/or modify</span><br><span style="color: hsl(120, 100%, 40%);">+## it under the terms of the GNU General Public License as published by</span><br><span style="color: hsl(120, 100%, 40%);">+## the Free Software Foundation; version 2 of the License.</span><br><span style="color: hsl(120, 100%, 40%);">+##</span><br><span style="color: hsl(120, 100%, 40%);">+## This program is distributed in the hope that it will be useful,</span><br><span style="color: hsl(120, 100%, 40%);">+## but WITHOUT ANY WARRANTY; without even the implied warranty of</span><br><span style="color: hsl(120, 100%, 40%);">+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the</span><br><span style="color: hsl(120, 100%, 40%);">+## GNU General Public License for more details.</span><br><span style="color: hsl(120, 100%, 40%);">+##</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+subdirs-y += lib</span><br><span style="color: hsl(120, 100%, 40%);">+subdirs-$(CONFIG_MBOOT) += mboot</span><br><span> subdirs-y += tpm</span><br><span style="color: hsl(120, 100%, 40%);">+subdirs-y += vboot</span><br><span style="color: hsl(120, 100%, 40%);">+subdirs-$(CONFIG_VERIFIED_BOOT) += verified_boot</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ifeq ($(CONFIG_TPM2),y)</span><br><span style="color: hsl(120, 100%, 40%);">+CPPFLAGS_common += -I$(src)/security/include</span><br><span style="color: hsl(120, 100%, 40%);">+else</span><br><span style="color: hsl(120, 100%, 40%);">+ifeq ($(CONFIG_MBOOT),y)</span><br><span style="color: hsl(120, 100%, 40%);">+CPPFLAGS_common += -I$(src)/security/include</span><br><span style="color: hsl(120, 100%, 40%);">+endif</span><br><span style="color: hsl(120, 100%, 40%);">+endif</span><br><span>diff --git a/src/security/include/cb_sha1.h b/src/security/include/cb_sha1.h</span><br><span>new file mode 100644</span><br><span>index 0000000..3b72355</span><br><span>--- /dev/null</span><br><span>+++ b/src/security/include/cb_sha1.h</span><br><span>@@ -0,0 +1,21 @@</span><br><span style="color: hsl(120, 100%, 40%);">+/*</span><br><span style="color: hsl(120, 100%, 40%);">+ * This file is part of the coreboot project.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * Copyright (C) 2018. 
Eltan B.V.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * This program is free software; you can redistribute it and/or modify</span><br><span style="color: hsl(120, 100%, 40%);">+ * it under the terms of the GNU General Public License as published by</span><br><span style="color: hsl(120, 100%, 40%);">+ * the Free Software Foundation; version 2 of the License.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * This program is distributed in the hope that it will be useful,</span><br><span style="color: hsl(120, 100%, 40%);">+ * but WITHOUT ANY WARRANTY; without even the implied warranty of</span><br><span style="color: hsl(120, 100%, 40%);">+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the</span><br><span style="color: hsl(120, 100%, 40%);">+ * GNU General Public License for more details.</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#ifndef __SECURITY_SHA1_H__</span><br><span style="color: hsl(120, 100%, 40%);">+#define __SECURITY_SHA1_H__</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+uint8_t *cb_sha1(const uint8_t *data, uint64_t len, uint8_t *digest);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span>diff --git a/src/security/include/cb_sha256.h b/src/security/include/cb_sha256.h</span><br><span>new file mode 100644</span><br><span>index 0000000..89e98c7</span><br><span>--- /dev/null</span><br><span>+++ b/src/security/include/cb_sha256.h</span><br><span>@@ -0,0 +1,23 @@</span><br><span style="color: hsl(120, 100%, 40%);">+/*</span><br><span style="color: hsl(120, 100%, 40%);">+ * This file is part of the coreboot project.</span><br><span style="color: hsl(120, 100%, 
40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * Copyright (C) 2018. Eltan B.V.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * This program is free software; you can redistribute it and/or modify</span><br><span style="color: hsl(120, 100%, 40%);">+ * it under the terms of the GNU General Public License as published by</span><br><span style="color: hsl(120, 100%, 40%);">+ * the Free Software Foundation; version 2 of the License.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * This program is distributed in the hope that it will be useful,</span><br><span style="color: hsl(120, 100%, 40%);">+ * but WITHOUT ANY WARRANTY; without even the implied warranty of</span><br><span style="color: hsl(120, 100%, 40%);">+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the</span><br><span style="color: hsl(120, 100%, 40%);">+ * GNU General Public License for more details.</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#ifndef __SECURITY_SHA256_H__</span><br><span style="color: hsl(120, 100%, 40%);">+#define __SECURITY_SHA256_H__</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+uint8_t* cb_sha256(const uint8_t *data, uint64_t len, uint8_t *digest);</span><br><span style="color: hsl(120, 100%, 40%);">+uint8_t* cb_sha256_ex(const uint8_t *data, uint64_t len, uint8_t *digest,</span><br><span style="color: hsl(120, 100%, 40%);">+ bool endian);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span>diff --git a/src/security/include/cb_sha512.h b/src/security/include/cb_sha512.h</span><br><span>new file mode 100644</span><br><span>index 0000000..fa04f8a1</span><br><span>--- 
/dev/null</span><br><span>+++ b/src/security/include/cb_sha512.h</span><br><span>@@ -0,0 +1,23 @@</span><br><span style="color: hsl(120, 100%, 40%);">+/*</span><br><span style="color: hsl(120, 100%, 40%);">+ * This file is part of the coreboot project.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * Copyright (C) 2018. Eltan B.V.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * This program is free software; you can redistribute it and/or modify</span><br><span style="color: hsl(120, 100%, 40%);">+ * it under the terms of the GNU General Public License as published by</span><br><span style="color: hsl(120, 100%, 40%);">+ * the Free Software Foundation; version 2 of the License.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * This program is distributed in the hope that it will be useful,</span><br><span style="color: hsl(120, 100%, 40%);">+ * but WITHOUT ANY WARRANTY; without even the implied warranty of</span><br><span style="color: hsl(120, 100%, 40%);">+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the</span><br><span style="color: hsl(120, 100%, 40%);">+ * GNU General Public License for more details.</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#ifndef __SECURITY_SHA512_H__</span><br><span style="color: hsl(120, 100%, 40%);">+#define __SECURITY_SHA512_H__</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+uint8_t* cb_sha512(const uint8_t *data, uint64_t len, uint8_t *digest);</span><br><span style="color: hsl(120, 100%, 40%);">+uint8_t* cb_sha512_ex(const uint8_t *data, uint64_t len, uint8_t *digest,</span><br><span style="color: hsl(120, 100%, 40%);">+ bool endian);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span>diff --git a/src/security/include/cryptolib.h b/src/security/include/cryptolib.h</span><br><span>new file mode 100644</span><br><span>index 0000000..21eb188</span><br><span>--- /dev/null</span><br><span>+++ b/src/security/include/cryptolib.h</span><br><span>@@ -0,0 +1,29 @@</span><br><span style="color: hsl(120, 100%, 40%);">+/*</span><br><span style="color: hsl(120, 100%, 40%);">+ * This file is part of the coreboot project.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * Copyright (C) 2018. 
Eltan B.V.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * This program is free software; you can redistribute it and/or modify</span><br><span style="color: hsl(120, 100%, 40%);">+ * it under the terms of the GNU General Public License as published by</span><br><span style="color: hsl(120, 100%, 40%);">+ * the Free Software Foundation; version 2 of the License.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * This program is distributed in the hope that it will be useful,</span><br><span style="color: hsl(120, 100%, 40%);">+ * but WITHOUT ANY WARRANTY; without even the implied warranty of</span><br><span style="color: hsl(120, 100%, 40%);">+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the</span><br><span style="color: hsl(120, 100%, 40%);">+ * GNU General Public License for more details.</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#ifndef __SECURITY_CRYPTOLIB_H__</span><br><span style="color: hsl(120, 100%, 40%);">+#define __SECURITY_CRYPTOLIB_H__</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#define NEED_VB2_SHA_LIBRARY</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#include <2rsa.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <vb21_common.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <vb2_api.h></span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#include "cb_sha1.h"</span><br><span style="color: hsl(120, 100%, 40%);">+#include "cb_sha512.h"</span><br><span style="color: hsl(120, 100%, 40%);">+#include "cb_sha256.h"</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span 
style="color: hsl(120, 100%, 40%);">+#endif</span><br><span>diff --git a/src/security/lib/Makefile.inc b/src/security/lib/Makefile.inc</span><br><span>new file mode 100644</span><br><span>index 0000000..c6c0fc0</span><br><span>--- /dev/null</span><br><span>+++ b/src/security/lib/Makefile.inc</span><br><span>@@ -0,0 +1,53 @@</span><br><span style="color: hsl(120, 100%, 40%);">+#</span><br><span style="color: hsl(120, 100%, 40%);">+# This file is part of the coreboot project.</span><br><span style="color: hsl(120, 100%, 40%);">+#</span><br><span style="color: hsl(120, 100%, 40%);">+# Copyright (C) 2015 - 2016 Intel Corporation. All Rights Reserved.</span><br><span style="color: hsl(120, 100%, 40%);">+# Copyright (C) 2017 - 2018 Eltan B.V.</span><br><span style="color: hsl(120, 100%, 40%);">+#</span><br><span style="color: hsl(120, 100%, 40%);">+# This program is free software; you can redistribute it and/or modify</span><br><span style="color: hsl(120, 100%, 40%);">+# it under the terms of the GNU General Public License as published by</span><br><span style="color: hsl(120, 100%, 40%);">+# the Free Software Foundation; version 2 of the License.</span><br><span style="color: hsl(120, 100%, 40%);">+#</span><br><span style="color: hsl(120, 100%, 40%);">+# This program is distributed in the hope that it will be useful,</span><br><span style="color: hsl(120, 100%, 40%);">+# but WITHOUT ANY WARRANTY; without even the implied warranty of</span><br><span style="color: hsl(120, 100%, 40%);">+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the</span><br><span style="color: hsl(120, 100%, 40%);">+# GNU General Public License for more details.</span><br><span style="color: hsl(120, 100%, 40%);">+#</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+SECURITYLIB_INCLUDES = -I3rdparty/vboot/firmware/2lib/include -I3rdparty/vboot/firmware/lib21/include</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+CPPFLAGS_common+=$(SECURITYLIB_INCLUDES)</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ifeq ($(CONFIG_VERIFIED_BOOT),y)</span><br><span style="color: hsl(120, 100%, 40%);">+bootblock-$(CONFIG_C_ENVIRONMENT_BOOTBLOCK) += ../../../3rdparty/vboot/firmware/2lib/2common.c</span><br><span style="color: hsl(120, 100%, 40%);">+bootblock-$(CONFIG_C_ENVIRONMENT_BOOTBLOCK) += ../../../3rdparty/vboot/firmware/2lib/2rsa.c</span><br><span style="color: hsl(120, 100%, 40%);">+bootblock-$(CONFIG_C_ENVIRONMENT_BOOTBLOCK) += ../../../3rdparty/vboot/firmware/2lib/2sha_utility.c</span><br><span style="color: hsl(120, 100%, 40%);">+bootblock-$(CONFIG_C_ENVIRONMENT_BOOTBLOCK) += ../../../3rdparty/vboot/firmware/lib21/packed_key.c</span><br><span style="color: hsl(120, 100%, 40%);">+ifeq ($(CONFIG_VERIFIED_BOOT_USE_SHA512),y)</span><br><span style="color: hsl(120, 100%, 40%);">+bootblock-$(CONFIG_C_ENVIRONMENT_BOOTBLOCK) += cb_sha512.c</span><br><span style="color: hsl(120, 100%, 40%);">+bootblock-$(CONFIG_C_ENVIRONMENT_BOOTBLOCK) += ../../../3rdparty/vboot/firmware/2lib/2sha512.c</span><br><span style="color: hsl(120, 100%, 40%);">+else</span><br><span style="color: hsl(120, 100%, 40%);">+bootblock-$(CONFIG_C_ENVIRONMENT_BOOTBLOCK) += cb_sha256.c</span><br><span style="color: hsl(120, 100%, 40%);">+bootblock-$(CONFIG_C_ENVIRONMENT_BOOTBLOCK) += ../../../3rdparty/vboot/firmware/2lib/2sha256.c</span><br><span style="color: hsl(120, 100%, 
40%);">+endif</span><br><span style="color: hsl(120, 100%, 40%);">+endif</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ifeq ($(CONFIG_MBOOT),y)</span><br><span style="color: hsl(120, 100%, 40%);">+ramstage-y += ../../../3rdparty/vboot/firmware/2lib/2sha1.c</span><br><span style="color: hsl(120, 100%, 40%);">+ramstage-y += ../../../3rdparty/vboot/firmware/2lib/2sha512.c</span><br><span style="color: hsl(120, 100%, 40%);">+ramstage-y += ../../../3rdparty/vboot/firmware/2lib/2sha256.c</span><br><span style="color: hsl(120, 100%, 40%);">+ramstage-y += cb_sha1.c</span><br><span style="color: hsl(120, 100%, 40%);">+ramstage-y += cb_sha512.c</span><br><span style="color: hsl(120, 100%, 40%);">+ramstage-y += cb_sha256.c</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+romstage-y += ../../../3rdparty/vboot/firmware/2lib/2common.c</span><br><span style="color: hsl(120, 100%, 40%);">+romstage-y += ../../../3rdparty/vboot/firmware/2lib/2rsa.c</span><br><span style="color: hsl(120, 100%, 40%);">+romstage-y += ../../../3rdparty/vboot/firmware/2lib/2sha1.c</span><br><span style="color: hsl(120, 100%, 40%);">+romstage-y += ../../../3rdparty/vboot/firmware/2lib/2sha256.c</span><br><span style="color: hsl(120, 100%, 40%);">+romstage-y += ../../../3rdparty/vboot/firmware/2lib/2sha512.c</span><br><span style="color: hsl(120, 100%, 40%);">+romstage-y += ../../../3rdparty/vboot/firmware/2lib/2sha_utility.c</span><br><span style="color: hsl(120, 100%, 40%);">+romstage-y += ../../../3rdparty/vboot/firmware/lib21/packed_key.c</span><br><span style="color: hsl(120, 100%, 40%);">+romstage-y += cb_sha1.c</span><br><span style="color: hsl(120, 100%, 40%);">+romstage-y += cb_sha512.c</span><br><span style="color: hsl(120, 100%, 40%);">+romstage-y += cb_sha256.c</span><br><span style="color: hsl(120, 100%, 40%);">+endif</span><br><span>diff --git a/src/security/lib/cb_sha1.c 
b/src/security/lib/cb_sha1.c</span><br><span>new file mode 100644</span><br><span>index 0000000..cc9e176</span><br><span>--- /dev/null</span><br><span>+++ b/src/security/lib/cb_sha1.c</span><br><span>@@ -0,0 +1,27 @@</span><br><span style="color: hsl(120, 100%, 40%);">+/*</span><br><span style="color: hsl(120, 100%, 40%);">+ * This file is part of the coreboot project.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * Copyright (C) 2018 Eltan B.V.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * This program is free software; you can redistribute it and/or modify</span><br><span style="color: hsl(120, 100%, 40%);">+ * it under the terms of the GNU General Public License as published by</span><br><span style="color: hsl(120, 100%, 40%);">+ * the Free Software Foundation; version 2 of the License.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * This program is distributed in the hope that it will be useful,</span><br><span style="color: hsl(120, 100%, 40%);">+ * but WITHOUT ANY WARRANTY; without even the implied warranty of</span><br><span style="color: hsl(120, 100%, 40%);">+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the</span><br><span style="color: hsl(120, 100%, 40%);">+ * GNU General Public License for more details.</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#include <security/include/cryptolib.h></span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+uint8_t *cb_sha1(const uint8_t* data, uint64_t len, uint8_t* digest)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ struct vb2_sha1_context ctx;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ vb2_sha1_init(&ctx);</span><br><span style="color: hsl(120, 100%, 40%);">+ vb2_sha1_update(&ctx, data, len);</span><br><span style="color: hsl(120, 100%, 40%);">+ vb2_sha1_finalize(&ctx, digest);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ return digest;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span>diff --git a/src/security/lib/cb_sha256.c b/src/security/lib/cb_sha256.c</span><br><span>new file mode 100644</span><br><span>index 0000000..082947b</span><br><span>--- /dev/null</span><br><span>+++ b/src/security/lib/cb_sha256.c</span><br><span>@@ -0,0 +1,61 @@</span><br><span style="color: hsl(120, 100%, 40%);">+/*</span><br><span style="color: hsl(120, 100%, 40%);">+ * This file is part of the coreboot project.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * Copyright (C) 2018 Eltan B.V.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * This program is free software; you can redistribute it and/or modify</span><br><span style="color: hsl(120, 100%, 40%);">+ * it under the terms of the GNU General Public License as published 
by</span><br><span style="color: hsl(120, 100%, 40%);">+ * the Free Software Foundation; version 2 of the License.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * This program is distributed in the hope that it will be useful,</span><br><span style="color: hsl(120, 100%, 40%);">+ * but WITHOUT ANY WARRANTY; without even the implied warranty of</span><br><span style="color: hsl(120, 100%, 40%);">+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the</span><br><span style="color: hsl(120, 100%, 40%);">+ * GNU General Public License for more details.</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#include <security/include/cryptolib.h></span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+uint8_t* cb_sha256_ex(const uint8_t* data, uint64_t len, uint8_t* digest,</span><br><span style="color: hsl(120, 100%, 40%);">+ bool endian)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ int i;</span><br><span style="color: hsl(120, 100%, 40%);">+ const uint8_t* input_ptr;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint8_t result[VB2_SHA256_DIGEST_SIZE];</span><br><span style="color: hsl(120, 100%, 40%);">+ uint8_t *result_ptr;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint64_t remaining_len;</span><br><span style="color: hsl(120, 100%, 40%);">+ struct vb2_sha256_context ctx;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ vb2_sha256_init(&ctx);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ input_ptr = data;</span><br><span style="color: hsl(120, 100%, 40%);">+ remaining_len = len;</span><br><span style="color: hsl(120, 100%, 
40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Process data in at most UINT32_MAX byte chunks at a time. */</span><br><span style="color: hsl(120, 100%, 40%);">+ while (remaining_len) {</span><br><span style="color: hsl(120, 100%, 40%);">+ uint32_t block_size;</span><br><span style="color: hsl(120, 100%, 40%);">+ block_size = (uint32_t) ((remaining_len >= UINT32_MAX) ?</span><br><span style="color: hsl(120, 100%, 40%);">+ UINT32_MAX : remaining_len);</span><br><span style="color: hsl(120, 100%, 40%);">+ vb2_sha256_update(&ctx, input_ptr, block_size);</span><br><span style="color: hsl(120, 100%, 40%);">+ remaining_len -= block_size;</span><br><span style="color: hsl(120, 100%, 40%);">+ input_ptr += block_size;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ result_ptr = result;</span><br><span style="color: hsl(120, 100%, 40%);">+ vb2_sha256_finalize(&ctx, result_ptr);</span><br><span style="color: hsl(120, 100%, 40%);">+ for (i = 0; i < VB2_SHA256_DIGEST_SIZE; ++i) {</span><br><span style="color: hsl(120, 100%, 40%);">+ if (endian) {</span><br><span style="color: hsl(120, 100%, 40%);">+ /* use big endian here */</span><br><span style="color: hsl(120, 100%, 40%);">+ digest[i] = *result_ptr++;</span><br><span style="color: hsl(120, 100%, 40%);">+ } else {</span><br><span style="color: hsl(120, 100%, 40%);">+ /* use little endian here */</span><br><span style="color: hsl(120, 100%, 40%);">+ digest[VB2_SHA256_DIGEST_SIZE - i - 1] = *result_ptr++;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ return digest;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+uint8_t* cb_sha256(const uint8_t* data, uint64_t len, 
uint8_t* digest)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Returned the little endian SHA256 digest */</span><br><span style="color: hsl(120, 100%, 40%);">+ return cb_sha256_ex(data, len, digest, 0);</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span>diff --git a/src/security/lib/cb_sha512.c b/src/security/lib/cb_sha512.c</span><br><span>new file mode 100644</span><br><span>index 0000000..0d6e6eb</span><br><span>--- /dev/null</span><br><span>+++ b/src/security/lib/cb_sha512.c</span><br><span>@@ -0,0 +1,61 @@</span><br><span style="color: hsl(120, 100%, 40%);">+/*</span><br><span style="color: hsl(120, 100%, 40%);">+ * This file is part of the coreboot project.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * Copyright (C) 2018 Eltan B.V.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * This program is free software; you can redistribute it and/or modify</span><br><span style="color: hsl(120, 100%, 40%);">+ * it under the terms of the GNU General Public License as published by</span><br><span style="color: hsl(120, 100%, 40%);">+ * the Free Software Foundation; version 2 of the License.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * This program is distributed in the hope that it will be useful,</span><br><span style="color: hsl(120, 100%, 40%);">+ * but WITHOUT ANY WARRANTY; without even the implied warranty of</span><br><span style="color: hsl(120, 100%, 40%);">+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the</span><br><span style="color: hsl(120, 100%, 40%);">+ * GNU General Public License for more details.</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#include <security/include/cryptolib.h></span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+uint8_t* cb_sha512_ex(const uint8_t* data, uint64_t len, uint8_t* digest,</span><br><span style="color: hsl(120, 100%, 40%);">+ bool endian)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ int i;</span><br><span style="color: hsl(120, 100%, 40%);">+ const uint8_t* input_ptr;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint8_t result[VB2_SHA512_DIGEST_SIZE];</span><br><span style="color: hsl(120, 100%, 40%);">+ uint8_t *result_ptr;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint64_t remaining_len;</span><br><span style="color: hsl(120, 100%, 40%);">+ struct vb2_sha512_context ctx;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ vb2_sha512_init(&ctx);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ input_ptr = data;</span><br><span style="color: hsl(120, 100%, 40%);">+ remaining_len = len;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Process data in at most UINT32_MAX byte chunks at a time. 
*/</span><br><span style="color: hsl(120, 100%, 40%);">+ while (remaining_len) {</span><br><span style="color: hsl(120, 100%, 40%);">+ uint32_t block_size;</span><br><span style="color: hsl(120, 100%, 40%);">+ block_size = (uint32_t) ((remaining_len >= UINT32_MAX) ?</span><br><span style="color: hsl(120, 100%, 40%);">+ UINT32_MAX : remaining_len);</span><br><span style="color: hsl(120, 100%, 40%);">+ vb2_sha512_update(&ctx, input_ptr, block_size);</span><br><span style="color: hsl(120, 100%, 40%);">+ remaining_len -= block_size;</span><br><span style="color: hsl(120, 100%, 40%);">+ input_ptr += block_size;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ result_ptr = result;</span><br><span style="color: hsl(120, 100%, 40%);">+ vb2_sha512_finalize(&ctx, result_ptr);</span><br><span style="color: hsl(120, 100%, 40%);">+ for (i = 0; i < VB2_SHA512_DIGEST_SIZE; ++i) {</span><br><span style="color: hsl(120, 100%, 40%);">+ if (endian) {</span><br><span style="color: hsl(120, 100%, 40%);">+ /* use big endian here */</span><br><span style="color: hsl(120, 100%, 40%);">+ digest[i] = *result_ptr++;</span><br><span style="color: hsl(120, 100%, 40%);">+ } else {</span><br><span style="color: hsl(120, 100%, 40%);">+ /* use little endian here */</span><br><span style="color: hsl(120, 100%, 40%);">+ digest[VB2_SHA512_DIGEST_SIZE - i - 1] = *result_ptr++;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ return digest;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+uint8_t* cb_sha512(const uint8_t* data, uint64_t len, uint8_t* digest)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 
40%);">+ /* Returned the little endian SHA512 digest */</span><br><span style="color: hsl(120, 100%, 40%);">+ return cb_sha512_ex(data, len, digest, 0);</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span>diff --git a/src/security/mboot/Kconfig b/src/security/mboot/Kconfig</span><br><span>new file mode 100644</span><br><span>index 0000000..b262f6d</span><br><span>--- /dev/null</span><br><span>+++ b/src/security/mboot/Kconfig</span><br><span>@@ -0,0 +1,43 @@</span><br><span style="color: hsl(120, 100%, 40%);">+## This file is part of the coreboot project.</span><br><span style="color: hsl(120, 100%, 40%);">+##</span><br><span style="color: hsl(120, 100%, 40%);">+## Copyright (C) 2018 Eltan B.V.</span><br><span style="color: hsl(120, 100%, 40%);">+##</span><br><span style="color: hsl(120, 100%, 40%);">+## This program is free software; you can redistribute it and/or modify</span><br><span style="color: hsl(120, 100%, 40%);">+## it under the terms of the GNU General Public License as published by</span><br><span style="color: hsl(120, 100%, 40%);">+## the Free Software Foundation; version 2 of the License.</span><br><span style="color: hsl(120, 100%, 40%);">+##</span><br><span style="color: hsl(120, 100%, 40%);">+## This program is distributed in the hope that it will be useful,</span><br><span style="color: hsl(120, 100%, 40%);">+## but WITHOUT ANY WARRANTY; without even the implied warranty of</span><br><span style="color: hsl(120, 100%, 40%);">+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the</span><br><span style="color: hsl(120, 100%, 40%);">+## GNU General Public License for more details.</span><br><span style="color: hsl(120, 100%, 40%);">+##</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+menu "Measured Boot (mboot)"</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config MBOOT</span><br><span style="color: hsl(120, 100%, 40%);">+ bool "Measure firmware with mboot."</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+ help</span><br><span style="color: hsl(120, 100%, 40%);">+ Enabling MBOOT will use mboot to measure the components of the firmware</span><br><span style="color: hsl(120, 100%, 40%);">+ (stages, payload, etc).</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config CRTM_VERSION_STRING</span><br><span style="color: hsl(120, 100%, 40%);">+ string "default CRTM version"</span><br><span style="color: hsl(120, 100%, 40%);">+ default "default CRTM version"</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config MBOOT_UEFI_SUPPORT</span><br><span style="color: hsl(120, 100%, 40%);">+ bool "Enable mboot UEFI support"</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+ depends on MBOOT</span><br><span style="color: hsl(120, 100%, 40%);">+ help</span><br><span style="color: hsl(120, 100%, 40%);">+ Add some specific items for UEFI support (not implemented yet)</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config MBOOT_EVENTLOG</span><br><span style="color: hsl(120, 100%, 40%);">+ bool "Enable mboot eventlog"</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 
40%);">+ default y if MBOOT_UEFI_SUPPORT</span><br><span style="color: hsl(120, 100%, 40%);">+ depends on MBOOT</span><br><span style="color: hsl(120, 100%, 40%);">+ help</span><br><span style="color: hsl(120, 100%, 40%);">+ Not only extend the PCRS but also log the events (not implemented yet)</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+endmenu # Measured Boot (mboot)</span><br><span>diff --git a/src/security/mboot/Makefile.inc b/src/security/mboot/Makefile.inc</span><br><span>new file mode 100644</span><br><span>index 0000000..619b477</span><br><span>--- /dev/null</span><br><span>+++ b/src/security/mboot/Makefile.inc</span><br><span>@@ -0,0 +1,23 @@</span><br><span style="color: hsl(120, 100%, 40%);">+##</span><br><span style="color: hsl(120, 100%, 40%);">+## This file is part of the coreboot project.</span><br><span style="color: hsl(120, 100%, 40%);">+##</span><br><span style="color: hsl(120, 100%, 40%);">+## Copyright (C) 2018 Eltan B.V.</span><br><span style="color: hsl(120, 100%, 40%);">+##</span><br><span style="color: hsl(120, 100%, 40%);">+## This program is free software; you can redistribute it and/or modify</span><br><span style="color: hsl(120, 100%, 40%);">+## it under the terms of the GNU General Public License as published by</span><br><span style="color: hsl(120, 100%, 40%);">+## the Free Software Foundation; version 2 of the License.</span><br><span style="color: hsl(120, 100%, 40%);">+##</span><br><span style="color: hsl(120, 100%, 40%);">+## This program is distributed in the hope that it will be useful,</span><br><span style="color: hsl(120, 100%, 40%);">+## but WITHOUT ANY WARRANTY; without even the implied warranty of</span><br><span style="color: hsl(120, 100%, 40%);">+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the</span><br><span style="color: hsl(120, 100%, 40%);">+## GNU General Public License for more details.</span><br><span style="color: hsl(120, 100%, 40%);">+##</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ifeq ($(CONFIG_MBOOT),y)</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+CPPFLAGS_common += -I$(src)/security/mboot</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+romstage-y += mboot.c</span><br><span style="color: hsl(120, 100%, 40%);">+ramstage-y += mboot.c</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+endif # CONFIG_MBOOT</span><br><span>diff --git a/src/security/mboot/mboot.c b/src/security/mboot/mboot.c</span><br><span>new file mode 100644</span><br><span>index 0000000..6ed7999</span><br><span>--- /dev/null</span><br><span>+++ b/src/security/mboot/mboot.c</span><br><span>@@ -0,0 +1,591 @@</span><br><span style="color: hsl(120, 100%, 40%);">+/*</span><br><span style="color: hsl(120, 100%, 40%);">+ * This file is part of the coreboot project.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * Copyright (C) 2015 Intel Corporation</span><br><span style="color: hsl(120, 100%, 40%);">+ * Copyright (C) 2018 Eltan B.V.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * This program is free software; you can redistribute it and/or modify</span><br><span style="color: hsl(120, 100%, 40%);">+ * it under the terms of the GNU General Public License as published by</span><br><span style="color: hsl(120, 100%, 40%);">+ * the Free Software Foundation; version 2 of the License.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * This program is 
distributed in the hope that it will be useful,</span><br><span style="color: hsl(120, 100%, 40%);">+ * but WITHOUT ANY WARRANTY; without even the implied warranty of</span><br><span style="color: hsl(120, 100%, 40%);">+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the</span><br><span style="color: hsl(120, 100%, 40%);">+ * GNU General Public License for more details.</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#include <mboot.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <assert.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <build.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <vb2_api.h></span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+/*</span><br><span style="color: hsl(120, 100%, 40%);">+ * Get the list of currently active PCR banks in TPM.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * @retval A map of active PCR banks.</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+EFI_TCG2_EVENT_ALGORITHM_BITMAP tpm2_get_active_pcrs(void)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ int status;</span><br><span style="color: hsl(120, 100%, 40%);">+ TPML_PCR_SELECTION Pcrs;</span><br><span style="color: hsl(120, 100%, 40%);">+ EFI_TCG2_EVENT_ALGORITHM_BITMAP tpmHashAlgorithmBitmap = 0;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint32_t activePcrBanks = 0;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint32_t index;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ status = tpm2_get_capability_pcrs(&Pcrs);</span><br><span style="color: hsl(120, 100%, 40%);">+ if 
(status != TPM_SUCCESS) {</span><br><span style="color: hsl(120, 100%, 40%);">+ tpmHashAlgorithmBitmap = EFI_TCG2_BOOT_HASH_ALG_SHA1;</span><br><span style="color: hsl(120, 100%, 40%);">+ activePcrBanks = EFI_TCG2_BOOT_HASH_ALG_SHA1;</span><br><span style="color: hsl(120, 100%, 40%);">+ } else {</span><br><span style="color: hsl(120, 100%, 40%);">+ for (index = 0; index < Pcrs.count; index++) {</span><br><span style="color: hsl(120, 100%, 40%);">+ switch (Pcrs.pcrSelections[index].hash) {</span><br><span style="color: hsl(120, 100%, 40%);">+ case TPM_ALG_SHA1:</span><br><span style="color: hsl(120, 100%, 40%);">+ tpmHashAlgorithmBitmap |=</span><br><span style="color: hsl(120, 100%, 40%);">+ EFI_TCG2_BOOT_HASH_ALG_SHA1;</span><br><span style="color: hsl(120, 100%, 40%);">+ if (!is_zero_buffer(</span><br><span style="color: hsl(120, 100%, 40%);">+ Pcrs.pcrSelections[index].pcrSelect,</span><br><span style="color: hsl(120, 100%, 40%);">+ Pcrs.pcrSelections[index].sizeofSelect))</span><br><span style="color: hsl(120, 100%, 40%);">+ activePcrBanks |=</span><br><span style="color: hsl(120, 100%, 40%);">+ EFI_TCG2_BOOT_HASH_ALG_SHA1;</span><br><span style="color: hsl(120, 100%, 40%);">+ break;</span><br><span style="color: hsl(120, 100%, 40%);">+ case TPM_ALG_SHA256:</span><br><span style="color: hsl(120, 100%, 40%);">+ tpmHashAlgorithmBitmap |= EFI_TCG2_BOOT_HASH_ALG_SHA256;</span><br><span style="color: hsl(120, 100%, 40%);">+ if (!is_zero_buffer(</span><br><span style="color: hsl(120, 100%, 40%);">+ Pcrs.pcrSelections[index].pcrSelect,</span><br><span style="color: hsl(120, 100%, 40%);">+ Pcrs.pcrSelections[index].sizeofSelect))</span><br><span style="color: hsl(120, 100%, 40%);">+ activePcrBanks |=</span><br><span style="color: hsl(120, 100%, 40%);">+ EFI_TCG2_BOOT_HASH_ALG_SHA256;</span><br><span style="color: hsl(120, 100%, 40%);">+ break;</span><br><span style="color: hsl(120, 100%, 40%);">+ case TPM_ALG_SHA384:</span><br><span style="color: hsl(120, 100%, 
40%);">+ case TPM_ALG_SHA512:</span><br><span style="color: hsl(120, 100%, 40%);">+ case TPM_ALG_SM3_256:</span><br><span style="color: hsl(120, 100%, 40%);">+ default:</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "%s: unsupported algorithm "</span><br><span style="color: hsl(120, 100%, 40%);">+ "reported - 0x%x\n", __FUNCTION__,</span><br><span style="color: hsl(120, 100%, 40%);">+ Pcrs.pcrSelections[index].hash);</span><br><span style="color: hsl(120, 100%, 40%);">+ break;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "Tcg2 Capability values from TPM\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "tpmHashAlgorithmBitmap - 0x%08x\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ tpmHashAlgorithmBitmap);</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "activePcrBanks - 0x%08x\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ activePcrBanks);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ return activePcrBanks;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+/*</span><br><span style="color: hsl(120, 100%, 40%);">+ * tpm2_get_capability_pcrs</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * Return the TPM PCR information.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * This function parses the data got from tlcl_getcapability and returns the</span><br><span style="color: hsl(120, 100%, 40%);">+ * PcrSelection.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span 
style="color: hsl(120, 100%, 40%);">+ * @param[out] Pcrs The Pcr Selection</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * @retval TPM_SUCCESS Operation completed successfully.</span><br><span style="color: hsl(120, 100%, 40%);">+ * @retval TPM_E_IOERROR The command was unsuccessful.</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+int tpm2_get_capability_pcrs(TPML_PCR_SELECTION *Pcrs)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ TPMS_CAPABILITY_DATA TpmCap;</span><br><span style="color: hsl(120, 100%, 40%);">+ TPMI_YES_NO MoreData;</span><br><span style="color: hsl(120, 100%, 40%);">+ int status;</span><br><span style="color: hsl(120, 100%, 40%);">+ int index;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ status = tlcl_getcapability(TPM_CAP_PCRS, 0, 1, &MoreData, &TpmCap);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (status == TPM_SUCCESS) {</span><br><span style="color: hsl(120, 100%, 40%);">+ Pcrs->count = TpmCap.data.assignedPCR.count;</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "Pcrs->count = %d\n", Pcrs->count);</span><br><span style="color: hsl(120, 100%, 40%);">+ for (index = 0; index < Pcrs->count; index++) {</span><br><span style="color: hsl(120, 100%, 40%);">+ Pcrs->pcrSelections[index].hash =</span><br><span style="color: hsl(120, 100%, 40%);">+ swab16(TpmCap.data.assignedPCR.pcrSelections[index].hash);</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "Pcrs->pcrSelections[index].hash = 0x%x\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ Pcrs->pcrSelections[index].hash);</span><br><span style="color: hsl(120, 100%, 40%);">+ Pcrs->pcrSelections[index].sizeofSelect =</span><br><span style="color: hsl(120, 100%, 40%);">+ 
TpmCap.data.assignedPCR.pcrSelections[index].sizeofSelect;</span><br><span style="color: hsl(120, 100%, 40%);">+ memcpy(Pcrs->pcrSelections[index].pcrSelect,</span><br><span style="color: hsl(120, 100%, 40%);">+ TpmCap.data.assignedPCR.pcrSelections[index].pcrSelect,</span><br><span style="color: hsl(120, 100%, 40%);">+ Pcrs->pcrSelections[index].sizeofSelect);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ return status;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+/*</span><br><span style="color: hsl(120, 100%, 40%);">+ * mboot_hash_extend_log</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * Calculates the hash over the data and extends it in active PCR banks and</span><br><span style="color: hsl(120, 100%, 40%);">+ * then logs them in the event log.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * @param[in] activePcr bitmap of active PCR banks in TPM.</span><br><span style="color: hsl(120, 100%, 40%);">+ * @param[in] flags flags associated with hash data. 
Currently unused.</span><br><span style="color: hsl(120, 100%, 40%);">+ * @param[in] hashData data to be hashed.</span><br><span style="color: hsl(120, 100%, 40%);">+ * @param[in] hashDataLen length of the data to be hashed.</span><br><span style="color: hsl(120, 100%, 40%);">+ * @param[in] newEventHdr event header in TCG_PCR_EVENT2 format.</span><br><span style="color: hsl(120, 100%, 40%);">+ * @param[in] eventLog description of the event.</span><br><span style="color: hsl(120, 100%, 40%);">+ * @param[in] invalid invalidate the pcr</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * @retval TPM_SUCCESS Operation completed successfully.</span><br><span style="color: hsl(120, 100%, 40%);">+ * @retval TPM_E_IOERROR Unexpected device behavior.</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+int mboot_hash_extend_log(EFI_TCG2_EVENT_ALGORITHM_BITMAP activePcr,</span><br><span style="color: hsl(120, 100%, 40%);">+ uint64_t flags, uint8_t *hashData, uint32_t hashDataLen,</span><br><span style="color: hsl(120, 100%, 40%);">+ TCG_PCR_EVENT2_HDR *newEventHdr, uint8_t *eventLog, uint8_t invalid)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ int status;</span><br><span style="color: hsl(120, 100%, 40%);">+ TPMT_HA *digest = NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+ int digest_num = 0;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "%s: Hash Data Length: %zu bytes\n", __FUNCTION__,</span><br><span style="color: hsl(120, 100%, 40%);">+ (size_t)hashDataLen);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (invalid){</span><br><span style="color: hsl(120, 100%, 40%);">+ digest = &(newEventHdr->digest.digests[digest_num]);</span><br><span 
style="color: hsl(120, 100%, 40%);">+ digest->digest.invalidate_pcrs = 1;</span><br><span style="color: hsl(120, 100%, 40%);">+ digest->hashAlg = TPM_ALG_ERROR;</span><br><span style="color: hsl(120, 100%, 40%);">+ digest_num++;</span><br><span style="color: hsl(120, 100%, 40%);">+ } else {</span><br><span style="color: hsl(120, 100%, 40%);">+ /*</span><br><span style="color: hsl(120, 100%, 40%);">+ * Generate SHA1 hash if SHA1 PCR bank is active in TPM</span><br><span style="color: hsl(120, 100%, 40%);">+ * currently</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+ if (activePcr & EFI_TCG2_BOOT_HASH_ALG_SHA1) {</span><br><span style="color: hsl(120, 100%, 40%);">+ digest = &(newEventHdr->digest.digests[digest_num]);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (flags & MBOOT_HASH_PROVIDED) {</span><br><span style="color: hsl(120, 100%, 40%);">+ /* The hash is provided as data */</span><br><span style="color: hsl(120, 100%, 40%);">+ memcpy(digest->digest.sha1, (void *)hashData,</span><br><span style="color: hsl(120, 100%, 40%);">+ SHA1_DIGEST_SIZE);</span><br><span style="color: hsl(120, 100%, 40%);">+ } else {</span><br><span style="color: hsl(120, 100%, 40%);">+ cb_sha1((const uint8_t *)hashData, hashDataLen,</span><br><span style="color: hsl(120, 100%, 40%);">+ digest->digest.sha1);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ digest->hashAlg = TPM_ALG_SHA1;</span><br><span style="color: hsl(120, 100%, 40%);">+ digest_num++;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "%s: SHA1 Hash Digest:\n", __FUNCTION__);</span><br><span style="color: hsl(120, 100%, 40%);">+ mboot_print_buffer (digest->digest.sha1, SHA1_DIGEST_SIZE);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span 
style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ /*</span><br><span style="color: hsl(120, 100%, 40%);">+ * Generate SHA256 hash if SHA256 PCR bank is active in TPM</span><br><span style="color: hsl(120, 100%, 40%);">+ * currently</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+ if (activePcr & EFI_TCG2_BOOT_HASH_ALG_SHA256) {</span><br><span style="color: hsl(120, 100%, 40%);">+ digest = &(newEventHdr->digest.digests[digest_num]);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (flags & MBOOT_HASH_PROVIDED) {</span><br><span style="color: hsl(120, 100%, 40%);">+ /* The hash is provided as data */</span><br><span style="color: hsl(120, 100%, 40%);">+ memcpy(digest->digest.sha256,</span><br><span style="color: hsl(120, 100%, 40%);">+ (void *)hashData, hashDataLen);</span><br><span style="color: hsl(120, 100%, 40%);">+ } else {</span><br><span style="color: hsl(120, 100%, 40%);">+ cb_sha256(hashData, hashDataLen, digest->digest.sha256);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ digest->hashAlg = TPM_ALG_SHA256;</span><br><span style="color: hsl(120, 100%, 40%);">+ digest_num++;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "%s: SHA256 Hash Digest:\n", __FUNCTION__);</span><br><span style="color: hsl(120, 100%, 40%);">+ mboot_print_buffer(digest->digest.sha256, SHA256_DIGEST_SIZE);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ newEventHdr->digest.count = digest_num;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ status = tlcl_extend_ex(</span><br><span style="color: hsl(120, 
100%, 40%);">+ newEventHdr->pcrIndex,</span><br><span style="color: hsl(120, 100%, 40%);">+ &(newEventHdr->digest)</span><br><span style="color: hsl(120, 100%, 40%);">+ );</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#if IS_ENABLED(CONFIG_MBOOT_EVENTLOG)</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Perform the logging of the measurement */</span><br><span style="color: hsl(120, 100%, 40%);">+ if (status == TPM_SUCCESS) {</span><br><span style="color: hsl(120, 100%, 40%);">+ status = log_event_tcg_20_format(newEventHdr, eventLog);</span><br><span style="color: hsl(120, 100%, 40%);">+ /* If SHA1 PCR bank is active, log the event in TCG 1.2 format tool */</span><br><span style="color: hsl(120, 100%, 40%);">+ if (activePcr & EFI_TCG2_BOOT_HASH_ALG_SHA1)</span><br><span style="color: hsl(120, 100%, 40%);">+ status = log_event_tcg_12_format(newEventHdr, eventLog);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (status != TPM_SUCCESS)</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "%s: returned 0x%x\n", __FUNCTION__, status);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ return status;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+/*</span><br><span style="color: hsl(120, 100%, 40%);">+ * invalidate_pcrs</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * Invalidate PCRs 0-7 with extending 1 after tpm failure.</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+void invalidate_pcrs(void)</span><br><span 
style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ int status, pcr;</span><br><span style="color: hsl(120, 100%, 40%);">+ TCG_PCR_EVENT2_HDR tcgEventHdr;</span><br><span style="color: hsl(120, 100%, 40%);">+ EFI_TCG2_EVENT_ALGORITHM_BITMAP ActivePcrs;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint8_t invalidate;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ ActivePcrs = tpm2_get_active_pcrs();</span><br><span style="color: hsl(120, 100%, 40%);">+ invalidate = 1;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ for (pcr=0; pcr < 8; pcr++) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "%s: Invalidating PCR %d\n", __FUNCTION__, pcr);</span><br><span style="color: hsl(120, 100%, 40%);">+ memset(&tcgEventHdr, 0, sizeof(tcgEventHdr));</span><br><span style="color: hsl(120, 100%, 40%);">+ tcgEventHdr.pcrIndex = pcr;</span><br><span style="color: hsl(120, 100%, 40%);">+ tcgEventHdr.eventType = EV_NO_ACTION;</span><br><span style="color: hsl(120, 100%, 40%);">+ tcgEventHdr.eventSize = (uint32_t) sizeof(invalidate);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ status = mboot_hash_extend_log(ActivePcrs, 0,</span><br><span style="color: hsl(120, 100%, 40%);">+ (uint8_t *)&invalidate, tcgEventHdr.eventSize,</span><br><span style="color: hsl(120, 100%, 40%);">+ &tcgEventHdr, (uint8_t *)"Invalidate PCR", invalidate);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (status != TPM_SUCCESS)</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "%s: invalidating pcr %d returned"</span><br><span style="color: hsl(120, 100%, 40%);">+ " 0x%x\n", __FUNCTION__, pcr, status);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span 
style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+/*</span><br><span style="color: hsl(120, 100%, 40%);">+ * is_zero_buffer</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * Check if buffer is all zero.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * @param[in] buffer Buffer to be checked.</span><br><span style="color: hsl(120, 100%, 40%);">+ * @param[in] size Size of buffer to be checked.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * @retval TRUE buffer is all zero.</span><br><span style="color: hsl(120, 100%, 40%);">+ * @retval FALSE buffer is not all zero.</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+int is_zero_buffer(void *buffer, unsigned int size)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ uint8_t *ptr;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ ptr = buffer;</span><br><span style="color: hsl(120, 100%, 40%);">+ while (size--) {</span><br><span style="color: hsl(120, 100%, 40%);">+ if (*(ptr++) != 0)</span><br><span style="color: hsl(120, 100%, 40%);">+ return false;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ return true;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+/*</span><br><span style="color: hsl(120, 100%, 40%);">+ * Prints command or response buffer for debugging purposes.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * @param[in] 
Buffer Buffer to print.</span><br><span style="color: hsl(120, 100%, 40%);">+ * @param[in] BufferSize Buffer data length.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * @retval None</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+void mboot_print_buffer(uint8_t *buffer, uint32_t bufferSize)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ uint32_t index;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "Buffer Address: 0x%08x, Size: 0x%08x, Value:\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ (unsigned int)*buffer, bufferSize);</span><br><span style="color: hsl(120, 100%, 40%);">+ for (index = 0; index < bufferSize; index++) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "%02x ", *(buffer + index));</span><br><span style="color: hsl(120, 100%, 40%);">+ if ((index+1) % 16 == 0)</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "\n");</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+/*</span><br><span style="color: hsl(120, 100%, 40%);">+ * measures and logs the specified cbfs file.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * @param[in] activePcr bitmap of active PCR banks in TPM.</span><br><span style="color: hsl(120, 100%, 40%);">+ * @param[in] name name of the cbfs file to measure</span><br><span style="color: hsl(120, 100%, 40%);">+ * @param[in] type data type of the cbfs file.</span><br><span style="color: hsl(120, 100%, 40%);">+ 
* @param[in] pcr pcr to extend.</span><br><span style="color: hsl(120, 100%, 40%);">+ * @param[in] evenType tcg event type.</span><br><span style="color: hsl(120, 100%, 40%);">+ * @param[in] event_msg description of the event.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * @retval TPM_SUCCESS Operation completed successfully.</span><br><span style="color: hsl(120, 100%, 40%);">+ * @retval TPM_E_IOERROR Unexpected device behavior.</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+int mb_measure_log_worker(EFI_TCG2_EVENT_ALGORITHM_BITMAP activePcr,</span><br><span style="color: hsl(120, 100%, 40%);">+ const char *name, uint32_t type, uint32_t pcr,</span><br><span style="color: hsl(120, 100%, 40%);">+ TCG_EVENTTYPE eventType, const char *event_msg)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ int status;</span><br><span style="color: hsl(120, 100%, 40%);">+ TCG_PCR_EVENT2_HDR tcgEventHdr;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint8_t *base;</span><br><span style="color: hsl(120, 100%, 40%);">+ size_t size;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "%s: Measure %s\n", __FUNCTION__, name);</span><br><span style="color: hsl(120, 100%, 40%);">+ base = cbfs_boot_map_with_leak(name, type, &size);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (base == NULL) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "%s: CBFS locate fail: %s\n", __FUNCTION__,</span><br><span style="color: hsl(120, 100%, 40%);">+ name);</span><br><span style="color: hsl(120, 100%, 40%);">+ return VB2_ERROR_READ_FILE_OPEN;</span><br><span style="color: hsl(120, 100%, 40%);">+ } else {</span><br><span style="color: hsl(120, 100%, 
40%);">+ printk(BIOS_DEBUG, "%s: CBFS locate success: %s\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ __FUNCTION__, name);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ memset(&tcgEventHdr, 0, sizeof(tcgEventHdr));</span><br><span style="color: hsl(120, 100%, 40%);">+ tcgEventHdr.pcrIndex = pcr;</span><br><span style="color: hsl(120, 100%, 40%);">+ tcgEventHdr.eventType = eventType;</span><br><span style="color: hsl(120, 100%, 40%);">+ if (event_msg)</span><br><span style="color: hsl(120, 100%, 40%);">+ tcgEventHdr.eventSize = (uint32_t) strlen(event_msg);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ status = mboot_hash_extend_log(activePcr, 0, base, size, &tcgEventHdr,</span><br><span style="color: hsl(120, 100%, 40%);">+ (uint8_t *)event_msg, 0);</span><br><span style="color: hsl(120, 100%, 40%);">+ return status;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#ifdef __PRE_RAM__</span><br><span style="color: hsl(120, 100%, 40%);">+/*</span><br><span style="color: hsl(120, 100%, 40%);">+ * Called from early romstage</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ *mb_entry</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * initializes measured boot mechanism, initializes the</span><br><span style="color: hsl(120, 100%, 40%);">+ * tpm library and starts the tpm called by mb_measure</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * The function can be overridden at the mainboard level my simply creating a</span><br><span style="color: hsl(120, 100%, 40%);">+ * function with the same name there.</span><br><span style="color: hsl(120, 
100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * @param[in] wake_from_s3 1 if we are waking from S3, 0 standard boot</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * @retval TPM_SUCCESS Operation completed successfully.</span><br><span style="color: hsl(120, 100%, 40%);">+ * @retval TPM_E_IOERROR Unexpected device behavior.</span><br><span style="color: hsl(120, 100%, 40%);">+**/</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+int __attribute__((weak)) mb_entry(int wake_from_s3)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ int status;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Initialize TPM driver. */</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "%s: tlcl_lib_init\n", __FUNCTION__);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (tlcl_lib_init() != VB2_SUCCESS) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_ERR, "%s: TPM driver initialization failed.\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ __FUNCTION__);</span><br><span style="color: hsl(120, 100%, 40%);">+ return TPM_E_IOERROR;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (wake_from_s3) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "%s: tlcl_resume\n", __FUNCTION__);</span><br><span style="color: hsl(120, 100%, 40%);">+ status = tlcl_resume();</span><br><span style="color: hsl(120, 100%, 40%);">+ } else {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "%s: tlcl_startup\n", __FUNCTION__);</span><br><span style="color: hsl(120, 100%, 40%);">+ status = tlcl_startup();</span><br><span 
style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (status)</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_ERR, "%s: StartUp failed 0x%x!\n", __FUNCTION__,</span><br><span style="color: hsl(120, 100%, 40%);">+ status);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ return status;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+/*</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * mb_measure</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * initial call to the measured boot mechanism, initializes the</span><br><span style="color: hsl(120, 100%, 40%);">+ * tpm library, starts the tpm and performs the measurements defined by</span><br><span style="color: hsl(120, 100%, 40%);">+ * the coreboot platform.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * The pcrs will be invalidated if the measurement fails</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * The function can be overridden at the mainboard level my simply creating a</span><br><span style="color: hsl(120, 100%, 40%);">+ * function with the same name there.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * @param[in] wake_from_s3 1 if we are waking from S3, 0 standard boot</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * @retval TPM_SUCCESS Operation completed successfully.</span><br><span style="color: hsl(120, 100%, 40%);">+ * @retval TPM_E_IOERROR 
Unexpected device behavior.</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+int __attribute__((weak))mb_measure(int wake_from_s3)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ uint32_t status;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ status = mb_entry(wake_from_s3);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (status == TPM_SUCCESS) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "%s: StartUp, successful!\n", __FUNCTION__);</span><br><span style="color: hsl(120, 100%, 40%);">+ status = mb_measure_log_start();</span><br><span style="color: hsl(120, 100%, 40%);">+ if (status == TPM_SUCCESS) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "%s: Measuring, successful!\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ __FUNCTION__);</span><br><span style="color: hsl(120, 100%, 40%);">+ } else {</span><br><span style="color: hsl(120, 100%, 40%);">+ invalidate_pcrs();</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_ERR, "%s: Measuring returned 0x%x "</span><br><span style="color: hsl(120, 100%, 40%);">+ "unsuccessful! 
PCRs invalidated.\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ __FUNCTION__, status);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ } else {</span><br><span style="color: hsl(120, 100%, 40%);">+ invalidate_pcrs();</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_ERR, "%s: StartUp returned 0x%x, unsuccessful!"</span><br><span style="color: hsl(120, 100%, 40%);">+ "PCRs invalidated.\n", __FUNCTION__, status);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ return status;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+/*</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * mb_measure_log_start</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * performs the measurements defined by the the board routines.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * The logging is defined by the mb_log_list structure and mb_log_list_count.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * These items need to be defined in the mainboard part of the mboot</span><br><span style="color: hsl(120, 100%, 40%);">+ * implementation</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * The function can be overridden at the mainboard level my simply creating a</span><br><span style="color: hsl(120, 100%, 40%);">+ * function with the same name there.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * @param[in] none</span><br><span style="color: hsl(120, 100%, 40%);">+ 
*</span><br><span style="color: hsl(120, 100%, 40%);">+ * @retval TPM_SUCCESS Operation completed successfully.</span><br><span style="color: hsl(120, 100%, 40%);">+ * @retval TPM_E_IOERROR Unexpected device behavior.</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+int __attribute__((weak))mb_measure_log_start(void)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ int status;</span><br><span style="color: hsl(120, 100%, 40%);">+ EFI_TCG2_EVENT_ALGORITHM_BITMAP ActivePcrs;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint32_t i;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ ActivePcrs = tpm2_get_active_pcrs();</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (ActivePcrs == 0x0) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "%s: No Active PCR Bank in TPM.\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ __FUNCTION__);</span><br><span style="color: hsl(120, 100%, 40%);">+ return TPM_E_IOERROR;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#if IS_ENABLED(CONFIG_MBOOT_UEFI_SUPPORT)</span><br><span style="color: hsl(120, 100%, 40%);">+ status = log_efi_specid_event(ActivePcrs);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (status != TPM_SUCCESS) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "%s: Fail! Specification ID version event"</span><br><span style="color: hsl(120, 100%, 40%);">+ "can't be logged. 
ABORTING!!!\n", __FUNCTION__);</span><br><span style="color: hsl(120, 100%, 40%);">+ return status;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span style="color: hsl(120, 100%, 40%);">+ status = mb_crtm(ActivePcrs);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (status == TPM_SUCCESS) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "%s: Success! CRTM Version measured.\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ __FUNCTION__);</span><br><span style="color: hsl(120, 100%, 40%);">+ } else {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "%s: Fail! CRTM Version can't be measured."</span><br><span style="color: hsl(120, 100%, 40%);">+ " ABORTING!!!\n", __FUNCTION__);</span><br><span style="color: hsl(120, 100%, 40%);">+ return status;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Log the items defined by the mainboard */</span><br><span style="color: hsl(120, 100%, 40%);">+ for (i = 0; i < mb_log_list_count; i++) {</span><br><span style="color: hsl(120, 100%, 40%);">+ status = mb_measure_log_worker(</span><br><span style="color: hsl(120, 100%, 40%);">+ ActivePcrs, mb_log_list[i].cbfs_name,</span><br><span style="color: hsl(120, 100%, 40%);">+ mb_log_list[i].cbfs_type, mb_log_list[i].pcr,</span><br><span style="color: hsl(120, 100%, 40%);">+ mb_log_list[i].eventType,</span><br><span style="color: hsl(120, 100%, 40%);">+ mb_log_list[i].event_msg);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (status == TPM_SUCCESS)</span><br><span style="color: hsl(120, 100%, 40%);">+ {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "%s: Success! 
%s measured to pcr"</span><br><span style="color: hsl(120, 100%, 40%);">+ "%d.\n", __FUNCTION__, mb_log_list[i].cbfs_name,</span><br><span style="color: hsl(120, 100%, 40%);">+ mb_log_list[i].pcr);</span><br><span style="color: hsl(120, 100%, 40%);">+ } else {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "%s: Fail! %s can't be measured."</span><br><span style="color: hsl(120, 100%, 40%);">+ "ABORTING!!!\n", __FUNCTION__,</span><br><span style="color: hsl(120, 100%, 40%);">+ mb_log_list[i].cbfs_name);</span><br><span style="color: hsl(120, 100%, 40%);">+ return status;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ return status;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+static const uint8_t crtm_version[] = CONFIG_CRTM_VERSION_STRING \</span><br><span style="color: hsl(120, 100%, 40%);">+ COREBOOT_VERSION COREBOOT_EXTRA_VERSION " " COREBOOT_BUILD;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#if IS_ENABLED(CONFIG_MBOOT_EVENTLOG)</span><br><span style="color: hsl(120, 100%, 40%);">+static const uint8_t me_message[] = "HASH RETURNED BY ME";</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+/*</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * mb_crtm</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * measures the crtm version. 
this consists of a string than can be</span><br><span style="color: hsl(120, 100%, 40%);">+ * defined using make menuconfig and automatically generated version</span><br><span style="color: hsl(120, 100%, 40%);">+ * information.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * The function can be overridden at the mainboard level my simply creating a</span><br><span style="color: hsl(120, 100%, 40%);">+ * function with the same name there.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * @param[in] activePcr bitmap of the support</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * @retval TPM_SUCCESS Operation completed successfully.</span><br><span style="color: hsl(120, 100%, 40%);">+ * @retval TPM_E_IOERROR Unexpected device behavior.</span><br><span style="color: hsl(120, 100%, 40%);">+**/</span><br><span style="color: hsl(120, 100%, 40%);">+int __attribute__((weak))mb_crtm(EFI_TCG2_EVENT_ALGORITHM_BITMAP activePcr)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ int status;</span><br><span style="color: hsl(120, 100%, 40%);">+ TCG_PCR_EVENT2_HDR tcgEventHdr;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint8_t hash[SHA256_DIGEST_SIZE];</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Use FirmwareVersion string to represent CRTM version. 
*/</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "%s: Measure CRTM Version\n", __FUNCTION__);</span><br><span style="color: hsl(120, 100%, 40%);">+ memset(&tcgEventHdr, 0, sizeof(tcgEventHdr));</span><br><span style="color: hsl(120, 100%, 40%);">+ tcgEventHdr.pcrIndex = MBOOT_PCR_INDEX_0;</span><br><span style="color: hsl(120, 100%, 40%);">+ tcgEventHdr.eventType = EV_S_CRTM_VERSION;</span><br><span style="color: hsl(120, 100%, 40%);">+ tcgEventHdr.eventSize = sizeof(crtm_version);</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "%s: EventSize - %u\n", __FUNCTION__,</span><br><span style="color: hsl(120, 100%, 40%);">+ tcgEventHdr.eventSize);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ status = mboot_hash_extend_log(activePcr, 0, (uint8_t *)crtm_version,</span><br><span style="color: hsl(120, 100%, 40%);">+ tcgEventHdr.eventSize, &tcgEventHdr, (uint8_t *) crtm_version,</span><br><span style="color: hsl(120, 100%, 40%);">+ 0);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (status) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "Measure CRTM Version returned 0x%x\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ status);</span><br><span style="color: hsl(120, 100%, 40%);">+ goto mb_crtm_end;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ status = get_intel_me_hash(hash);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (status) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "get_intel_me_hash returned 0x%x\n", status);</span><br><span style="color: hsl(120, 100%, 40%);">+ status = TPM_E_IOERROR;</span><br><span style="color: hsl(120, 100%, 40%);">+ 
goto mb_crtm_end;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Add the me hash */</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "%s: Add the hash returned by the ME\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ __FUNCTION__);</span><br><span style="color: hsl(120, 100%, 40%);">+ memset(&tcgEventHdr, 0, sizeof(tcgEventHdr));</span><br><span style="color: hsl(120, 100%, 40%);">+ tcgEventHdr.pcrIndex = MBOOT_PCR_INDEX_0;</span><br><span style="color: hsl(120, 100%, 40%);">+ tcgEventHdr.eventType = EV_S_CRTM_CONTENTS;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#if IS_ENABLED(CONFIG_MBOOT_EVENTLOG)</span><br><span style="color: hsl(120, 100%, 40%);">+ tcgEventHdr.eventSize = sizeof(me_message);</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "%s: EventSize - %u\n", __FUNCTION__,</span><br><span style="color: hsl(120, 100%, 40%);">+ tcgEventHdr.eventSize);</span><br><span style="color: hsl(120, 100%, 40%);">+#else</span><br><span style="color: hsl(120, 100%, 40%);">+ tcgEventHdr.eventSize = 0;</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ status = mboot_hash_extend_log(activePcr, MBOOT_HASH_PROVIDED, hash,</span><br><span style="color: hsl(120, 100%, 40%);">+ sizeof(hash), &tcgEventHdr,</span><br><span style="color: hsl(120, 100%, 40%);">+#if IS_ENABLED(CONFIG_MBOOT_EVENTLOG)</span><br><span style="color: hsl(120, 100%, 40%);">+ (uint8_t *) me_message,</span><br><span style="color: hsl(120, 100%, 40%);">+#else</span><br><span style="color: hsl(120, 100%, 40%);">+ NULL,</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span style="color: hsl(120, 100%, 40%);">+ 0);</span><br><span 
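>Review bot: In src/security/mboot/mboot.c the failure path of mb_measure() can leave the PCRs untouched while claiming otherwise: invalidate_pcrs() returns void and only prints a BIOS_DEBUG line when mboot_hash_extend_log() fails, and mb_measure() calls it even when mb_entry() has just reported that TPM startup failed, then logs "PCRs invalidated" unconditionally. Suggest that invalidate_pcrs() return a status, that a failed invalidation be logged at BIOS_ERR, and that mb_measure() only report invalidation when it actually succeeded. In mboot_print_buffer() the "Buffer Address" printk passes (unsigned int)*buffer, which is the first byte of the buffer rather than its address; print the pointer itself. mb_measure_log_worker() and mb_entry() mix VB2_* codes (VB2_ERROR_READ_FILE_OPEN, VB2_SUCCESS) with the TPM_* values documented in their @retval lines, so pick one namespace. Several split printk strings lack a space at the join, for example "unsuccessful!" followed by "PCRs invalidated.\n" and "measured to pcr" followed by "%d.\n".</span><br><span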
style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (status)</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "Add ME hash returned 0x%x\n", status);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+mb_crtm_end:</span><br><span style="color: hsl(120, 100%, 40%);">+ if (status)</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "%s: returned 0x%x\n", __FUNCTION__, status);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ return status;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+#endif // __PRE_RAM__</span><br><span>diff --git a/src/security/mboot/mboot.h b/src/security/mboot/mboot.h</span><br><span>new file mode 100644</span><br><span>index 0000000..1449e4e</span><br><span>--- /dev/null</span><br><span>+++ b/src/security/mboot/mboot.h</span><br><span>@@ -0,0 +1,135 @@</span><br><span style="color: hsl(120, 100%, 40%);">+/*</span><br><span style="color: hsl(120, 100%, 40%);">+ * This file is part of the coreboot project.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * Copyright (C) 2015 Intel Corporation</span><br><span style="color: hsl(120, 100%, 40%);">+ * Copyright (C) 2018 Eltan B.V.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * This program is free software; you can redistribute it and/or modify</span><br><span style="color: hsl(120, 100%, 40%);">+ * it under the terms of the GNU General Public License as published by</span><br><span style="color: hsl(120, 100%, 40%);">+ * the Free Software Foundation; version 2 of the License.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * This program is distributed in 
the hope that it will be useful,</span><br><span style="color: hsl(120, 100%, 40%);">+ * but WITHOUT ANY WARRANTY; without even the implied warranty of</span><br><span style="color: hsl(120, 100%, 40%);">+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the</span><br><span style="color: hsl(120, 100%, 40%);">+ * GNU General Public License for more details.</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#ifndef MBOOT_H</span><br><span style="color: hsl(120, 100%, 40%);">+#define MBOOT_H</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#include <arch/io.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <arch/acpi.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <string.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <console/console.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <security/include/cryptolib.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <cbfs.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <lib.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <boot/coreboot_tables.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <security/tpm/tss/tcg-2.0/tss_structures.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <security/tpm/tss.h></span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+/* TPM2 interface */</span><br><span style="color: hsl(120, 100%, 40%);">+#define EFI_TPM2_ACPI_TABLE_START_METHOD_TIS 6</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_SHA1_160_HASH_LEN 0x14</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+/* Part 2, section 5.4: TPM_DIGEST */</span><br><span style="color: hsl(120, 100%, 
40%);">+typedef struct tdTPM_DIGEST{</span><br><span style="color: hsl(120, 100%, 40%);">+ int8_t digest[TPM_SHA1_160_HASH_LEN];</span><br><span style="color: hsl(120, 100%, 40%);">+} TPM_DIGEST;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+/* Index to a PCR register */</span><br><span style="color: hsl(120, 100%, 40%);">+typedef uint32_t TPM_PCRINDEX;</span><br><span style="color: hsl(120, 100%, 40%);">+typedef uint32_t TCG_EVENTTYPE;</span><br><span style="color: hsl(120, 100%, 40%);">+typedef TPM_PCRINDEX TCG_PCRINDEX;</span><br><span style="color: hsl(120, 100%, 40%);">+typedef TPM_DIGEST TCG_DIGEST;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+/* TCG_PCR_EVENT_HDR */</span><br><span style="color: hsl(120, 100%, 40%);">+typedef struct tdTCG_PCR_EVENT_HDR {</span><br><span style="color: hsl(120, 100%, 40%);">+ TCG_PCRINDEX pcrIndex;</span><br><span style="color: hsl(120, 100%, 40%);">+ TCG_EVENTTYPE eventType;</span><br><span style="color: hsl(120, 100%, 40%);">+ TCG_DIGEST digest;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint32_t eventSize;</span><br><span style="color: hsl(120, 100%, 40%);">+} __packed TCG_PCR_EVENT_HDR;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+/* TCG_PCR_EVENT2_HDR */</span><br><span style="color: hsl(120, 100%, 40%);">+typedef struct tdTCG_PCR_EVENT2_HDR {</span><br><span style="color: hsl(120, 100%, 40%);">+ TCG_PCRINDEX pcrIndex;</span><br><span style="color: hsl(120, 100%, 40%);">+ TCG_EVENTTYPE eventType;</span><br><span style="color: hsl(120, 100%, 40%);">+ TPML_DIGEST_VALUES digest;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint32_t eventSize;</span><br><span style="color: hsl(120, 100%, 40%);">+} __packed TCG_PCR_EVENT2_HDR;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 
40%);">+typedef uint32_t EFI_TCG2_EVENT_ALGORITHM_BITMAP;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#define EFI_TCG2_BOOT_HASH_ALG_SHA1 0x00000001</span><br><span style="color: hsl(120, 100%, 40%);">+#define EFI_TCG2_BOOT_HASH_ALG_SHA256 0x00000002</span><br><span style="color: hsl(120, 100%, 40%);">+#define EFI_TCG2_BOOT_HASH_ALG_SHA384 0x00000004</span><br><span style="color: hsl(120, 100%, 40%);">+#define EFI_TCG2_BOOT_HASH_ALG_SHA512 0x00000008</span><br><span style="color: hsl(120, 100%, 40%);">+#define EFI_TCG2_BOOT_HASH_ALG_SM3_256 0x00000010</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+/* Standard event types */</span><br><span style="color: hsl(120, 100%, 40%);">+#define EV_POST_CODE ((TCG_EVENTTYPE) 0x00000001)</span><br><span style="color: hsl(120, 100%, 40%);">+#define EV_NO_ACTION ((TCG_EVENTTYPE) 0x00000003)</span><br><span style="color: hsl(120, 100%, 40%);">+#define EV_SEPARATOR ((TCG_EVENTTYPE) 0x00000004)</span><br><span style="color: hsl(120, 100%, 40%);">+#define EV_S_CRTM_CONTENTS ((TCG_EVENTTYPE) 0x00000007)</span><br><span style="color: hsl(120, 100%, 40%);">+#define EV_S_CRTM_VERSION ((TCG_EVENTTYPE) 0x00000008)</span><br><span style="color: hsl(120, 100%, 40%);">+#define EV_CPU_MICROCODE ((TCG_EVENTTYPE) 0x00000009)</span><br><span style="color: hsl(120, 100%, 40%);">+#define EV_TABLE_OF_DEVICES ((TCG_EVENTTYPE) 0x0000000B)</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#define MBOOT_PCR_INDEX_0 0x0</span><br><span style="color: hsl(120, 100%, 40%);">+#define MBOOT_PCR_INDEX_1 0x1</span><br><span style="color: hsl(120, 100%, 40%);">+#define MBOOT_PCR_INDEX_2 0x2</span><br><span style="color: hsl(120, 100%, 40%);">+#define MBOOT_PCR_INDEX_3 0x3</span><br><span style="color: hsl(120, 100%, 40%);">+#define MBOOT_PCR_INDEX_4 0x4</span><br><span style="color: 
hsl(120, 100%, 40%);">+#define MBOOT_PCR_INDEX_5 0x5</span><br><span style="color: hsl(120, 100%, 40%);">+#define MBOOT_PCR_INDEX_6 0x6</span><br><span style="color: hsl(120, 100%, 40%);">+#define MBOOT_PCR_INDEX_7 0x7</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+/*</span><br><span style="color: hsl(120, 100%, 40%);">+ * used to indicate a hash is provide so there is no need to perform the</span><br><span style="color: hsl(120, 100%, 40%);">+ * measurement</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+#define MBOOT_HASH_PROVIDED (0x00000001)</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+int is_zero_buffer(void *, unsigned int);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+int mboot_hash_extend_log(EFI_TCG2_EVENT_ALGORITHM_BITMAP activePcr,</span><br><span style="color: hsl(120, 100%, 40%);">+ uint64_t flags, uint8_t *hashData, uint32_t hashDataLen,</span><br><span style="color: hsl(120, 100%, 40%);">+ TCG_PCR_EVENT2_HDR *newEventHdr, uint8_t *eventLog, uint8_t invalid);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+void mboot_print_buffer(uint8_t *buffer, uint32_t bufferSize);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+int mb_crtm(EFI_TCG2_EVENT_ALGORITHM_BITMAP activePcr);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+typedef struct {</span><br><span style="color: hsl(120, 100%, 40%);">+ const char *cbfs_name;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint32_t cbfs_type;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint32_t pcr;</span><br><span style="color: 
hsl(120, 100%, 40%);">+ TCG_EVENTTYPE eventType;</span><br><span style="color: hsl(120, 100%, 40%);">+ const char *event_msg;</span><br><span style="color: hsl(120, 100%, 40%);">+} mboot_measure_item_t;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+int mb_measure_log_worker(EFI_TCG2_EVENT_ALGORITHM_BITMAP activePcr,</span><br><span style="color: hsl(120, 100%, 40%);">+ const char *name, uint32_t type, uint32_t pcr,</span><br><span style="color: hsl(120, 100%, 40%);">+ TCG_EVENTTYPE eventType, const char *event_msg);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+int mb_measure_log_start(void);</span><br><span style="color: hsl(120, 100%, 40%);">+void invalidate_pcrs(void);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+EFI_TCG2_EVENT_ALGORITHM_BITMAP tpm2_get_active_pcrs(void);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+int tpm2_get_capability_pcrs(TPML_PCR_SELECTION *Pcrs);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+extern const mboot_measure_item_t mb_log_list[];</span><br><span style="color: hsl(120, 100%, 40%);">+extern const uint32_t mb_log_list_count;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+int mb_measure(int wake_from_s3);</span><br><span style="color: hsl(120, 100%, 40%);">+int mb_entry(int wake_from_s3);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+int log_event_tcg_20_format(TCG_PCR_EVENT2_HDR *, uint8_t *);</span><br><span style="color: hsl(120, 100%, 40%);">+int log_event_tcg_12_format(TCG_PCR_EVENT2_HDR *, uint8_t *);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 
40%);">+int get_intel_me_hash(uint8_t *hash);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#endif /* MBOOT_H */</span><br><span>diff --git a/src/security/tpm/tss.h b/src/security/tpm/tss.h</span><br><span>index c4f2608..79596e5 100644</span><br><span>--- a/src/security/tpm/tss.h</span><br><span>+++ b/src/security/tpm/tss.h</span><br><span>@@ -1,4 +1,5 @@</span><br><span> /* Copyright (c) 2013 The Chromium OS Authors. All rights reserved.</span><br><span style="color: hsl(120, 100%, 40%);">+ * Copyright (C) 2018 Eltan B.V.</span><br><span> * Use of this source code is governed by a BSD-style license that can be</span><br><span> * found in the LICENSE file.</span><br><span> */</span><br><span>@@ -121,6 +122,37 @@</span><br><span> */</span><br><span> uint32_t tlcl_continue_self_test(void);</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+#if IS_ENABLED(CONFIG_TPM2)</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+/**</span><br><span style="color: hsl(120, 100%, 40%);">+ * Issue tpm get capability command</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+uint32_t tlcl_getcapability(TPM_CAP Capability, uint32_t Property,</span><br><span style="color: hsl(120, 100%, 40%);">+ uint32_t PropertyCount, TPMI_YES_NO *MoreData,</span><br><span style="color: hsl(120, 100%, 40%);">+ TPMS_CAPABILITY_DATA *CapabilityData );</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+/**</span><br><span style="color: hsl(120, 100%, 40%);">+ * Issue more flexible process command</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+void *tpm_process_command_ex(TPM_CC command, void *command_body,</span><br><span style="color: hsl(120, 100%, 40%);">+ size_t command_size, size_t 
*response_size, bool marshal);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+/*</span><br><span style="color: hsl(120, 100%, 40%);">+ * tlcl_extend command that allows more digests to be passed in at the same</span><br><span style="color: hsl(120, 100%, 40%);">+ * time</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+uint32_t tlcl_extend_ex(int pcr_num, const TPML_DIGEST_VALUES *in_digests);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+/**</span><br><span style="color: hsl(120, 100%, 40%);">+ * Return size of digest.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * @param[in] HashAlgo Hash algorithm</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * @return size of digest</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+uint16_t tlcl_get_hash_size_from_algo(TPMI_ALG_HASH hashAlgo);</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> /**</span><br><span> * Write [length] bytes of [data] to space at [index]. The TPM error code is</span><br><span> * returned.</span><br><span>@@ -144,7 +176,7 @@</span><br><span> uint32_t tlcl_physical_presence_cmd_enable(void);</span><br><span> </span><br><span> /**</span><br><span style="color: hsl(0, 100%, 40%);">- * Finalize the physical presence settings: sofware PP is enabled, hardware PP</span><br><span style="color: hsl(120, 100%, 40%);">+ * Finalize the physical presence settings: software PP is enabled, hardware PP</span><br><span> * is disabled, and the lifetime lock is set. 
The TPM error code is returned.</span><br><span> */</span><br><span> uint32_t tlcl_finalize_physical_presence(void);</span><br><span>diff --git a/src/security/tpm/tss/tcg-2.0/tss.c b/src/security/tpm/tss/tcg-2.0/tss.c</span><br><span>index e579bff..21619ec 100644</span><br><span>--- a/src/security/tpm/tss/tcg-2.0/tss.c</span><br><span>+++ b/src/security/tpm/tss/tcg-2.0/tss.c</span><br><span>@@ -1,5 +1,6 @@</span><br><span> /*</span><br><span> * Copyright 2016 The Chromium OS Authors. All rights reserved.</span><br><span style="color: hsl(120, 100%, 40%);">+ * Copyright 2017-2018 Eltan B.V.</span><br><span> * Use of this source code is governed by a BSD-style license that can be</span><br><span> * found in the LICENSE file.</span><br><span> */</span><br><span>@@ -15,6 +16,12 @@</span><br><span> #include "tss_structures.h"</span><br><span> #include "tss_marshaling.h"</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+static INTERNAL_HASH_INFO mHashInfo[] = {</span><br><span style="color: hsl(120, 100%, 40%);">+ {TPM_ALG_ERROR, 1},</span><br><span style="color: hsl(120, 100%, 40%);">+ {TPM_ALG_SHA1, SHA1_DIGEST_SIZE},</span><br><span style="color: hsl(120, 100%, 40%);">+ {TPM_ALG_SHA256, SHA256_DIGEST_SIZE},</span><br><span style="color: hsl(120, 100%, 40%);">+};</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> /*</span><br><span> * This file provides interface between firmware and TPM2 device. 
The TPM1.2</span><br><span> * API was copied as is and relevant functions modified to comply with the</span><br><span>@@ -53,6 +60,49 @@</span><br><span> return tpm_unmarshal_response(command, &ib);</span><br><span> }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+void *tpm_process_command_ex(TPM_CC command, void *command_body,</span><br><span style="color: hsl(120, 100%, 40%);">+ size_t command_size, size_t *response_size, bool marshal)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ struct obuf ob;</span><br><span style="color: hsl(120, 100%, 40%);">+ struct ibuf ib;</span><br><span style="color: hsl(120, 100%, 40%);">+ size_t out_size;</span><br><span style="color: hsl(120, 100%, 40%);">+ size_t in_size;</span><br><span style="color: hsl(120, 100%, 40%);">+ const uint8_t *sendb;</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Command/response buffer. */</span><br><span style="color: hsl(120, 100%, 40%);">+ static uint8_t cr_buffer[TPM_BUFFER_SIZE] CAR_GLOBAL;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ uint8_t *cr_buffer_ptr = car_get_var_ptr(cr_buffer);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (marshal) {</span><br><span style="color: hsl(120, 100%, 40%);">+ obuf_init(&ob, cr_buffer_ptr, sizeof(cr_buffer));</span><br><span style="color: hsl(120, 100%, 40%);">+ if (tpm_marshal_command(command, command_body, &ob) < 0) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_ERR, "command %#x\n", command);</span><br><span style="color: hsl(120, 100%, 40%);">+ return NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ sendb = obuf_contents(&ob, &out_size);</span><br><span style="color: hsl(120, 100%, 40%);">+ } else {</span><br><span style="color: hsl(120, 100%, 
40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ sendb = command_body;</span><br><span style="color: hsl(120, 100%, 40%);">+ out_size = command_size;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ in_size = sizeof(cr_buffer);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (tis_sendrecv(sendb, out_size, cr_buffer_ptr, &in_size)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_ERR, "tpm transaction failed\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ return NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ ibuf_init(&ib, cr_buffer_ptr, in_size);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (response_size)</span><br><span style="color: hsl(120, 100%, 40%);">+ *response_size = in_size;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (marshal)</span><br><span style="color: hsl(120, 100%, 40%);">+ return tpm_unmarshal_response(command, &ib);</span><br><span style="color: hsl(120, 100%, 40%);">+ else</span><br><span style="color: hsl(120, 100%, 40%);">+ return cr_buffer_ptr;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> static uint32_t tlcl_send_startup(TPM_SU type)</span><br><span> {</span><br><span> struct tpm2_startup startup;</span><br><span>@@ -68,7 +118,7 @@</span><br><span> }</span><br><span> </span><br><span> printk(BIOS_INFO, "%s: Startup return code is %x\n",</span><br><span style="color: hsl(0, 100%, 40%);">- __func__, response->hdr.tpm_code);</span><br><span style="color: hsl(120, 100%, 40%);">+ __func__, response->hdr.tpm_code);</span><br><span> </span><br><span> 
switch (response->hdr.tpm_code) {</span><br><span> case TPM_RC_INITIALIZE:</span><br><span>@@ -130,7 +180,7 @@</span><br><span> * sha256 digest.</span><br><span> */</span><br><span> uint32_t tlcl_extend(int pcr_num, const uint8_t *in_digest,</span><br><span style="color: hsl(0, 100%, 40%);">- uint8_t *out_digest)</span><br><span style="color: hsl(120, 100%, 40%);">+ uint8_t *out_digest)</span><br><span> {</span><br><span> struct tpm2_pcr_extend_cmd pcr_ext_cmd;</span><br><span> struct tpm2_response *response;</span><br><span>@@ -139,11 +189,69 @@</span><br><span> pcr_ext_cmd.digests.count = 1;</span><br><span> pcr_ext_cmd.digests.digests[0].hashAlg = TPM_ALG_SHA256;</span><br><span> memcpy(pcr_ext_cmd.digests.digests[0].digest.sha256, in_digest,</span><br><span style="color: hsl(0, 100%, 40%);">- sizeof(pcr_ext_cmd.digests.digests[0].digest.sha256));</span><br><span style="color: hsl(120, 100%, 40%);">+ sizeof(TPMU_HA));</span><br><span> </span><br><span> response = tpm_process_command(TPM2_PCR_Extend, &pcr_ext_cmd);</span><br><span> </span><br><span> printk(BIOS_INFO, "%s: response is %x\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ __func__, response ? 
response->hdr.tpm_code : -1);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (!response || response->hdr.tpm_code)</span><br><span style="color: hsl(120, 100%, 40%);">+ return TPM_E_IOERROR;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ return TPM_SUCCESS;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+/*</span><br><span style="color: hsl(120, 100%, 40%);">+ * Handle multiple digests (SHA1 and SHA256 at the moment)</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+uint32_t tlcl_extend_ex(int pcr_num, const TPML_DIGEST_VALUES *in_digests)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ struct tpm2_pcr_extend_cmd pcr_ext_cmd;</span><br><span style="color: hsl(120, 100%, 40%);">+ struct tpm2_response *response;</span><br><span style="color: hsl(120, 100%, 40%);">+ int i;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ pcr_ext_cmd.pcrHandle = HR_PCR + pcr_num;</span><br><span style="color: hsl(120, 100%, 40%);">+ pcr_ext_cmd.digests.count = in_digests->count;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_SPEW, "%s: pcr = %d\n", __FUNCTION__, pcr_num );</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_SPEW, "%s: in_digests->count = %d\n", __FUNCTION__,</span><br><span style="color: hsl(120, 100%, 40%);">+ in_digests->count);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ for (i = 0; i < in_digests->count ; i++) {</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ pcr_ext_cmd.digests.digests[i].hashAlg 
=</span><br><span style="color: hsl(120, 100%, 40%);">+ in_digests->digests[i].hashAlg;</span><br><span style="color: hsl(120, 100%, 40%);">+ memcpy( (void *) pcr_ext_cmd.digests.digests[i].digest.sha256,</span><br><span style="color: hsl(120, 100%, 40%);">+ (void *) in_digests->digests[i].digest.sha256,</span><br><span style="color: hsl(120, 100%, 40%);">+ sizeof(TPMU_HA));</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ printk (BIOS_SPEW, "%s: in_digests[%d]->hash_alg = 0x%x\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ __FUNCTION__, i, in_digests->digests[i].hashAlg);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ response = tpm_process_command(TPM2_PCR_Extend, &pcr_ext_cmd);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ //</span><br><span style="color: hsl(120, 100%, 40%);">+ // Check if we are invalidating the pcrs, ignore the error if this is the case</span><br><span style="color: hsl(120, 100%, 40%);">+ //</span><br><span style="color: hsl(120, 100%, 40%);">+ if (in_digests->count == 1) {</span><br><span style="color: hsl(120, 100%, 40%);">+ if (in_digests->digests[0].hashAlg == TPM_ALG_ERROR) {</span><br><span style="color: hsl(120, 100%, 40%);">+ if (in_digests->digests[0].digest.invalidate_pcrs == 1) {</span><br><span style="color: hsl(120, 100%, 40%);">+ if (response) {</span><br><span style="color: hsl(120, 100%, 40%);">+ if ((response->hdr.tpm_code &</span><br><span style="color: hsl(120, 100%, 40%);">+ ~TPM_RC_N_MASK) == (TPM_RC_P |</span><br><span style="color: hsl(120, 100%, 40%);">+ TPM_RC_HASH)){</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_SPEW, "%s:"</span><br><span style="color: hsl(120, 100%, 40%);">+ " TPM_RC_HASH returned this is"</span><br><span style="color: hsl(120, 100%, 
40%);">+ " expected\n", __func__ );</span><br><span style="color: hsl(120, 100%, 40%);">+ return TPM_SUCCESS;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_INFO, "%s: response is 0x%x\n",</span><br><span> __func__, response ? response->hdr.tpm_code : -1);</span><br><span> if (!response || response->hdr.tpm_code)</span><br><span> return TPM_E_IOERROR;</span><br><span>@@ -178,13 +286,22 @@</span><br><span> uint32_t tlcl_lib_init(void)</span><br><span> {</span><br><span> uint8_t done = car_get_var(tlcl_init_done);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_SPEW, "%s: tlcl_init_done is %d\n", __FUNCTION__, done );</span><br><span> if (done)</span><br><span> return VB2_SUCCESS;</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- if (tis_init())</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_SPEW, "%s: calling tis_init\n", __FUNCTION__);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (tis_init()) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_ERR, "%s: tis_init returned error\n", __FUNCTION__);</span><br><span> return VB2_ERROR_UNKNOWN;</span><br><span style="color: hsl(0, 100%, 40%);">- if (tis_open())</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_SPEW, "%s: calling tis_open\n", __FUNCTION__);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (tis_open()) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_ERR, "%s: tis_open 
returned error\n", __FUNCTION__);</span><br><span> return VB2_ERROR_UNKNOWN;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span> </span><br><span> car_set_var(tlcl_init_done, 1);</span><br><span> </span><br><span>@@ -361,3 +478,61 @@</span><br><span> </span><br><span> return TPM_SUCCESS;</span><br><span> }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+/*</span><br><span style="color: hsl(120, 100%, 40%);">+ * Issue the tpm2 get capability command</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * Please note that the CapabilityData is not unmarshalled.</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+uint32_t tlcl_getcapability(TPM_CAP Capability, uint32_t Property,</span><br><span style="color: hsl(120, 100%, 40%);">+ uint32_t PropertyCount, TPMI_YES_NO *MoreData,</span><br><span style="color: hsl(120, 100%, 40%);">+ TPMS_CAPABILITY_DATA *CapabilityData)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ struct tpm2_get_capability cmd;</span><br><span style="color: hsl(120, 100%, 40%);">+ struct tpm2_response *response;</span><br><span style="color: hsl(120, 100%, 40%);">+ size_t response_size;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ cmd.capability = Capability;</span><br><span style="color: hsl(120, 100%, 40%);">+ cmd.property = Property;</span><br><span style="color: hsl(120, 100%, 40%);">+ cmd.propertyCount = PropertyCount;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (PropertyCount > 1) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_ERR, "%s: PropertyCount more than one not supported"</span><br><span style="color: hsl(120, 100%, 40%);">+ " yet\n", 
__func__ );</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ response = tpm_process_command_ex(TPM2_GetCapability, &cmd, 0, &response_size, 1);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (!response) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_ERR, "%s: Command Failed\n", __func__ );</span><br><span style="color: hsl(120, 100%, 40%);">+ return TPM_E_IOERROR;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (MoreData)</span><br><span style="color: hsl(120, 100%, 40%);">+ *MoreData = response->gc.more_data;</span><br><span style="color: hsl(120, 100%, 40%);">+ memcpy(CapabilityData, &response->gc.cd, response_size -</span><br><span style="color: hsl(120, 100%, 40%);">+ sizeof(TPMI_YES_NO) - sizeof(struct tpm_header));</span><br><span style="color: hsl(120, 100%, 40%);">+ return TPM_SUCCESS;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+/**</span><br><span style="color: hsl(120, 100%, 40%);">+ Return size of digest.</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ @param[in] HashAlgo Hash algorithm</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ @return size of digest</span><br><span style="color: hsl(120, 100%, 40%);">+**/</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+uint16_t tlcl_get_hash_size_from_algo(TPMI_ALG_HASH hashAlgo)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ uint16_t 
index;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ for (index = 0; index < sizeof(mHashInfo)/sizeof(mHashInfo[0]);</span><br><span style="color: hsl(120, 100%, 40%);">+ index++) {</span><br><span style="color: hsl(120, 100%, 40%);">+ if (mHashInfo[index].hashAlgo == hashAlgo)</span><br><span style="color: hsl(120, 100%, 40%);">+ return mHashInfo[index].hashSize;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_SPEW, "%s: unknown hash algorithm %d\n", __FUNCTION__,</span><br><span style="color: hsl(120, 100%, 40%);">+ hashAlgo );</span><br><span style="color: hsl(120, 100%, 40%);">+ return 0;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span>diff --git a/src/security/tpm/tss/tcg-2.0/tss_marshaling.c b/src/security/tpm/tss/tcg-2.0/tss_marshaling.c</span><br><span>index 49ac5e8..183b903 100644</span><br><span>--- a/src/security/tpm/tss/tcg-2.0/tss_marshaling.c</span><br><span>+++ b/src/security/tpm/tss/tcg-2.0/tss_marshaling.c</span><br><span>@@ -1,5 +1,6 @@</span><br><span> /*</span><br><span> * Copyright 2016 The Chromium OS Authors. All rights reserved.</span><br><span style="color: hsl(120, 100%, 40%);">+ * Copyright (C) 2018 Eltan B.V.</span><br><span> * Use of this source code is governed by a BSD-style license that can be</span><br><span> * found in the LICENSE file.</span><br><span> */</span><br><span>@@ -12,6 +13,7 @@</span><br><span> </span><br><span> #include "tss_marshaling.h"</span><br><span> #include <security/tpm/tss/vendor/cr50/cr50.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <security/tpm/tss.h></span><br><span> </span><br><span> static uint16_t tpm_tag CAR_GLOBAL; /* Depends on the command type. 
*/</span><br><span> </span><br><span>@@ -82,7 +84,7 @@</span><br><span> </span><br><span> rc |= marshal_TPMI_ALG_HASH(ob, tpmtha->hashAlg);</span><br><span> rc |= obuf_write(ob, tpmtha->digest.sha256,</span><br><span style="color: hsl(0, 100%, 40%);">- sizeof(tpmtha->digest.sha256));</span><br><span style="color: hsl(120, 100%, 40%);">+ tlcl_get_hash_size_from_algo(tpmtha->hashAlg));</span><br><span> </span><br><span> return rc;</span><br><span> }</span><br><span>@@ -398,6 +400,22 @@</span><br><span> rc |= ibuf_read_be32(ib, &pp->value);</span><br><span> }</span><br><span> break;</span><br><span style="color: hsl(120, 100%, 40%);">+ case TPM_CAP_PCRS:</span><br><span style="color: hsl(120, 100%, 40%);">+ if (ibuf_read_be32(ib, &gcr->cd.data.assignedPCR.count))</span><br><span style="color: hsl(120, 100%, 40%);">+ return -1;</span><br><span style="color: hsl(120, 100%, 40%);">+ if (gcr->cd.data.assignedPCR.count > ARRAY_SIZE</span><br><span style="color: hsl(120, 100%, 40%);">+ (gcr->cd.data.assignedPCR.pcrSelections)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_INFO, "%s:%s:%d - %d - too many properties\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ __FILE__, __func__, __LINE__,</span><br><span style="color: hsl(120, 100%, 40%);">+ gcr->cd.data.assignedPCR.count);</span><br><span style="color: hsl(120, 100%, 40%);">+ return -1;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ for (i = 0; i < gcr->cd.data.assignedPCR.count; i++) {</span><br><span style="color: hsl(120, 100%, 40%);">+ TPMS_PCR_SELECTION *pp =</span><br><span style="color: hsl(120, 100%, 40%);">+ gcr->cd.data.assignedPCR.pcrSelections + i;</span><br><span style="color: hsl(120, 100%, 40%);">+ rc |= ibuf_read(ib, pp, sizeof(TPMS_PCR_SELECTION));</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ break;</span><br><span> default:</span><br><span> 
printk(BIOS_ERR,</span><br><span> "%s:%d - unable to unmarshal capability response",</span><br><span>@@ -448,12 +466,12 @@</span><br><span> }</span><br><span> </span><br><span> /*</span><br><span style="color: hsl(0, 100%, 40%);">- * Let's ignore the authorisation section. It should be 5 bytes total,</span><br><span style="color: hsl(120, 100%, 40%);">+ * Let's ignore the authorization section. It should be 5 bytes total,</span><br><span> * just confirm that this is the case and report any discrepancy.</span><br><span> */</span><br><span> if (ibuf_remaining(ib) != 5)</span><br><span> printk(BIOS_ERR,</span><br><span style="color: hsl(0, 100%, 40%);">- "%s:%d - unexpected authorisation seciton size %zd\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ "%s:%d - unexpected authorization section size %zd\n",</span><br><span> __func__, __LINE__, ibuf_remaining(ib));</span><br><span> </span><br><span> ibuf_oob_drain(ib, ibuf_remaining(ib));</span><br><span>diff --git a/src/security/tpm/tss/tcg-2.0/tss_structures.h b/src/security/tpm/tss/tcg-2.0/tss_structures.h</span><br><span>index 2bac633..0f2787a 100644</span><br><span>--- a/src/security/tpm/tss/tcg-2.0/tss_structures.h</span><br><span>+++ b/src/security/tpm/tss/tcg-2.0/tss_structures.h</span><br><span>@@ -1,5 +1,6 @@</span><br><span> /*</span><br><span> * Copyright 2016 The Chromium OS Authors. 
All rights reserved.</span><br><span style="color: hsl(120, 100%, 40%);">+ * Copyright 2017-2018 Eltan B.V.</span><br><span> * Use of this source code is governed by a BSD-style license that can be</span><br><span> * found in the LICENSE file.</span><br><span> */</span><br><span>@@ -22,6 +23,12 @@</span><br><span> #define TPM2_RC_SUCCESS 0</span><br><span> #define TPM2_RC_NV_DEFINED 0x14c</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+//</span><br><span style="color: hsl(120, 100%, 40%);">+// We set this to two here as we only support SHA1 and SHA256 right now.</span><br><span style="color: hsl(120, 100%, 40%);">+// Should be updated when additional algorithms are supported</span><br><span style="color: hsl(120, 100%, 40%);">+//</span><br><span style="color: hsl(120, 100%, 40%);">+#define HASH_COUNT 2</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> /* Basic TPM2 types. */</span><br><span> typedef uint16_t TPM_SU;</span><br><span> typedef uint16_t TPM_ALG_ID;</span><br><span>@@ -36,12 +43,28 @@</span><br><span> typedef TPM_HANDLE TPM_RH;</span><br><span> </span><br><span> /* Some hardcoded algorithm values. 
*/</span><br><span style="color: hsl(0, 100%, 40%);">-#define TPM_ALG_HMAC ((TPM_ALG_ID)0x0005)</span><br><span style="color: hsl(0, 100%, 40%);">-#define TPM_ALG_NULL ((TPM_ALG_ID)0x0010)</span><br><span style="color: hsl(0, 100%, 40%);">-#define TPM_ALG_SHA1 ((TPM_ALG_ID)0x0004)</span><br><span style="color: hsl(0, 100%, 40%);">-#define TPM_ALG_SHA256 ((TPM_ALG_ID)0x000b)</span><br><span style="color: hsl(120, 100%, 40%);">+// Table 7 - TPM_ALG_ID Constants</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_ALG_ERROR ((TPM_ALG_ID)0x0000)</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_ALG_HMAC ((TPM_ALG_ID)0x0005)</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_ALG_NULL ((TPM_ALG_ID)0x0010)</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_ALG_SHA1 ((TPM_ALG_ID)0x0004)</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_ALG_SHA256 ((TPM_ALG_ID)0x000b)</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_ALG_SHA384 ((TPM_ALG_ID)0x000C)</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_ALG_SHA512 ((TPM_ALG_ID)0x000D)</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_ALG_SM3_256 ((TPM_ALG_ID)0x0012)</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+// Annex A Algorithm Constants</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+// Table 205 - Defines for SHA1 Hash Values</span><br><span style="color: hsl(120, 100%, 40%);">+#define SHA1_DIGEST_SIZE 20</span><br><span style="color: hsl(120, 100%, 40%);">+// Table 206 - Defines for SHA256 Hash Values</span><br><span> #define SHA256_DIGEST_SIZE 32</span><br><span style="color: hsl(120, 100%, 40%);">+// Table 207 - Defines for SHA384 Hash Values</span><br><span style="color: hsl(120, 100%, 40%);">+//#define SHA384_DIGEST_SIZE 48</span><br><span style="color: hsl(120, 100%, 40%);">+// Table 208 - Defines for SHA512 Hash 
Values</span><br><span style="color: hsl(120, 100%, 40%);">+#define SHA512_DIGEST_SIZE 64</span><br><span style="color: hsl(120, 100%, 40%);">+// Table 209 - Defines for SM3_256 Hash Values</span><br><span style="color: hsl(120, 100%, 40%);">+//#define SM3_256_DIGEST_SIZE 32</span><br><span> </span><br><span> /* Some hardcoded hierarchies. */</span><br><span> #define TPM_RH_NULL 0x40000007</span><br><span>@@ -79,6 +102,12 @@</span><br><span> space is defined by the lower 16 bits. */</span><br><span> #define TPM_CC_VENDOR_BIT_MASK 0x20000000</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+// Table 15 - TPM_RC Constants (Actions)</span><br><span style="color: hsl(120, 100%, 40%);">+#define RC_FMT1 (TPM_RC)(0x080)</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_RC_HASH (TPM_RC)(RC_FMT1 + 0x003)</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_RC_P (TPM_RC)(0x040)</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_RC_N_MASK (TPM_RC)(0xF00)</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> /* Startup values. */</span><br><span> #define TPM_SU_CLEAR 0</span><br><span> #define TPM_SU_STATE 1</span><br><span>@@ -144,7 +173,9 @@</span><br><span> };</span><br><span> </span><br><span> /* Various TPM capability types to use when querying the device. 
*/</span><br><span style="color: hsl(120, 100%, 40%);">+// Table 21 - TPM_CAP Constants</span><br><span> typedef uint32_t TPM_CAP;</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM_CAP_PCRS ((TPM_CAP)0x00000005)</span><br><span> #define TPM_CAP_TPM_PROPERTIES ((TPM_CAP)0x00000006)</span><br><span> </span><br><span> typedef TPM_HANDLE TPMI_RH_NV_AUTH;</span><br><span>@@ -224,16 +255,37 @@</span><br><span> sizeof(TPMI_YES_NO) - sizeof(TPM_CAP) - sizeof(uint32_t))</span><br><span> #define MAX_TPM_PROPERTIES (MAX_CAP_DATA/sizeof(TPMS_TAGGED_PROPERTY))</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+#define IMPLEMENTATION_PCR 24</span><br><span style="color: hsl(120, 100%, 40%);">+#define PLATFORM_PCR 24</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#define PCR_SELECT_MIN ((PLATFORM_PCR + 7) / 8)</span><br><span style="color: hsl(120, 100%, 40%);">+#define PCR_SELECT_MAX ((IMPLEMENTATION_PCR + 7) / 8)</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> /* Somewhat arbitrary, leave enough room for command wrappers. 
*/</span><br><span> #define MAX_NV_BUFFER_SIZE (TPM_BUFFER_SIZE - sizeof(struct tpm_header) - 50)</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+// Table 81 - TPMS_PCR_SELECTION Structure</span><br><span style="color: hsl(120, 100%, 40%);">+typedef struct {</span><br><span style="color: hsl(120, 100%, 40%);">+ TPMI_ALG_HASH hash;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint8_t sizeofSelect;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint8_t pcrSelect[PCR_SELECT_MAX];</span><br><span style="color: hsl(120, 100%, 40%);">+} __packed TPMS_PCR_SELECTION;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+// Table 98 - TPML_PCR_SELECTION Structure</span><br><span style="color: hsl(120, 100%, 40%);">+typedef struct {</span><br><span style="color: hsl(120, 100%, 40%);">+ uint32_t count;</span><br><span style="color: hsl(120, 100%, 40%);">+ TPMS_PCR_SELECTION pcrSelections[HASH_COUNT];</span><br><span style="color: hsl(120, 100%, 40%);">+} __packed TPML_PCR_SELECTION;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+// Table 100 - TPML_TAGGED_TPM_PROPERTY Structure</span><br><span> typedef struct {</span><br><span> uint32_t count;</span><br><span> TPMS_TAGGED_PROPERTY tpmProperty[MAX_TPM_PROPERTIES];</span><br><span> } TPML_TAGGED_TPM_PROPERTY;</span><br><span> </span><br><span> typedef union {</span><br><span style="color: hsl(0, 100%, 40%);">- TPML_TAGGED_TPM_PROPERTY tpmProperties;</span><br><span style="color: hsl(120, 100%, 40%);">+ TPML_TAGGED_TPM_PROPERTY tpmProperties;</span><br><span style="color: hsl(120, 100%, 40%);">+ TPML_PCR_SELECTION assignedPCR;</span><br><span> } TPMU_CAPABILITIES;</span><br><span> </span><br><span> typedef struct {</span><br><span>@@ -271,22 +323,30 @@</span><br><span> } TPM2B_MAX_NV_BUFFER;</span><br><span> </span><br><span> /*</span><br><span style="color: hsl(0, 100%, 40%);">- 
* This is a union, but as of now we support just one digest - sha256, so</span><br><span style="color: hsl(0, 100%, 40%);">- * there is just one element.</span><br><span style="color: hsl(120, 100%, 40%);">+ * This is a union, but as of now we support just sha1 and sha256</span><br><span> */</span><br><span style="color: hsl(120, 100%, 40%);">+// Table 66 - TPMU_HA Union</span><br><span> typedef union {</span><br><span style="color: hsl(0, 100%, 40%);">- uint8_t sha256[SHA256_DIGEST_SIZE];</span><br><span style="color: hsl(120, 100%, 40%);">+ uint8_t invalidate_pcrs;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint8_t sha1[SHA1_DIGEST_SIZE];</span><br><span style="color: hsl(120, 100%, 40%);">+ uint8_t sha256[SHA256_DIGEST_SIZE];</span><br><span> } TPMU_HA;</span><br><span> </span><br><span> typedef struct {</span><br><span style="color: hsl(120, 100%, 40%);">+ TPMI_ALG_HASH hashAlgo;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint16_t hashSize;</span><br><span style="color: hsl(120, 100%, 40%);">+} INTERNAL_HASH_INFO;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+typedef struct {</span><br><span> TPMI_ALG_HASH hashAlg;</span><br><span> TPMU_HA digest;</span><br><span> } TPMT_HA;</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+// Table 96 -- TPML_DIGEST_VALUES Structure <I/O></span><br><span> typedef struct {</span><br><span> uint32_t count;</span><br><span style="color: hsl(0, 100%, 40%);">- TPMT_HA digests[1]; /* Limit max number of hashes to 1. 
*/</span><br><span style="color: hsl(0, 100%, 40%);">-} TPML_DIGEST_VALUES;</span><br><span style="color: hsl(120, 100%, 40%);">+ TPMT_HA digests[HASH_COUNT];</span><br><span style="color: hsl(120, 100%, 40%);">+} __packed TPML_DIGEST_VALUES;</span><br><span> </span><br><span> struct nv_read_response {</span><br><span> uint32_t params_size;</span><br><span>diff --git a/src/security/verified_boot/Kconfig b/src/security/verified_boot/Kconfig</span><br><span>new file mode 100644</span><br><span>index 0000000..09a86a6</span><br><span>--- /dev/null</span><br><span>+++ b/src/security/verified_boot/Kconfig</span><br><span>@@ -0,0 +1,61 @@</span><br><span style="color: hsl(120, 100%, 40%);">+## This file is part of the coreboot project.</span><br><span style="color: hsl(120, 100%, 40%);">+##</span><br><span style="color: hsl(120, 100%, 40%);">+## Copyright (C) 2018 Eltan B.V.</span><br><span style="color: hsl(120, 100%, 40%);">+##</span><br><span style="color: hsl(120, 100%, 40%);">+## This program is free software; you can redistribute it and/or modify</span><br><span style="color: hsl(120, 100%, 40%);">+## it under the terms of the GNU General Public License as published by</span><br><span style="color: hsl(120, 100%, 40%);">+## the Free Software Foundation; version 2 of the License.</span><br><span style="color: hsl(120, 100%, 40%);">+##</span><br><span style="color: hsl(120, 100%, 40%);">+## This program is distributed in the hope that it will be useful,</span><br><span style="color: hsl(120, 100%, 40%);">+## but WITHOUT ANY WARRANTY; without even the implied warranty of</span><br><span style="color: hsl(120, 100%, 40%);">+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the</span><br><span style="color: hsl(120, 100%, 40%);">+## GNU General Public License for more details.</span><br><span style="color: hsl(120, 100%, 40%);">+##</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+menu "Verified Boot (verified_boot)"</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VERIFIED_BOOT</span><br><span style="color: hsl(120, 100%, 40%);">+ bool "Enable Verified Boot"</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VERIFIED_BOOT_SIGNED_MANIFEST</span><br><span style="color: hsl(120, 100%, 40%);">+ bool "Enable Signed Manifest"</span><br><span style="color: hsl(120, 100%, 40%);">+ depends on VERIFIED_BOOT</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VERIFIED_BOOT_USE_SHA512</span><br><span style="color: hsl(120, 100%, 40%);">+ bool "SHA512 hashes"</span><br><span style="color: hsl(120, 100%, 40%);">+ depends on VERIFIED_BOOT</span><br><span style="color: hsl(120, 100%, 40%);">+ default n</span><br><span style="color: hsl(120, 100%, 40%);">+ help</span><br><span style="color: hsl(120, 100%, 40%);">+ Use SHA512 for the vboot operations, this applies to the</span><br><span style="color: hsl(120, 100%, 40%);">+ digests in the manifest and the manifest digest.</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config OEM_MANIFEST_LOC</span><br><span style="color: hsl(120, 100%, 40%);">+ hex "Manifest Location"</span><br><span style="color: hsl(120, 100%, 40%);">+ default 0xFFFFF840</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config 
VERIFIED_BOOT_MANIFEST</span><br><span style="color: hsl(120, 100%, 40%);">+ string "Verified boot manifest file"</span><br><span style="color: hsl(120, 100%, 40%);">+ default "mainboard/vendor/board/manifest.h"</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config OEM_MANIFEST_ITEMS</span><br><span style="color: hsl(120, 100%, 40%);">+ int "Manifest Items"</span><br><span style="color: hsl(120, 100%, 40%);">+ default 10</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config OEM_MANIFEST_ITEM_SIZE</span><br><span style="color: hsl(120, 100%, 40%);">+ int</span><br><span style="color: hsl(120, 100%, 40%);">+ default 64 if VERIFIED_BOOT_USE_SHA512</span><br><span style="color: hsl(120, 100%, 40%);">+ default 32</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VERIFIED_BOOT_KEY_LOCATION</span><br><span style="color: hsl(120, 100%, 40%);">+ hex "Verified boot Key Location"</span><br><span style="color: hsl(120, 100%, 40%);">+ depends on VERIFIED_BOOT_SIGNED_MANIFEST</span><br><span style="color: hsl(120, 100%, 40%);">+ default 0xFFFFF500</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+config VERIFIED_BOOT_KEY_SIZE</span><br><span style="color: hsl(120, 100%, 40%);">+ int</span><br><span style="color: hsl(120, 100%, 40%);">+ default 554 if VERIFIED_BOOT_USE_SHA512</span><br><span style="color: hsl(120, 100%, 40%);">+ default 520</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+endmenu # Verified Boot (verified_boot)</span><br><span>diff --git a/src/security/verified_boot/Makefile.inc b/src/security/verified_boot/Makefile.inc</span><br><span>new file mode 100644</span><br><span>index 0000000..23044b4</span><br><span>--- /dev/null</span><br><span>+++ 
b/src/security/verified_boot/Makefile.inc</span><br><span>@@ -0,0 +1,47 @@</span><br><span style="color: hsl(120, 100%, 40%);">+##</span><br><span style="color: hsl(120, 100%, 40%);">+## This file is part of the coreboot project.</span><br><span style="color: hsl(120, 100%, 40%);">+##</span><br><span style="color: hsl(120, 100%, 40%);">+## Copyright (C) 2018 Eltan B.V.</span><br><span style="color: hsl(120, 100%, 40%);">+##</span><br><span style="color: hsl(120, 100%, 40%);">+## This program is free software; you can redistribute it and/or modify</span><br><span style="color: hsl(120, 100%, 40%);">+## it under the terms of the GNU General Public License as published by</span><br><span style="color: hsl(120, 100%, 40%);">+## the Free Software Foundation; version 2 of the License.</span><br><span style="color: hsl(120, 100%, 40%);">+##</span><br><span style="color: hsl(120, 100%, 40%);">+## This program is distributed in the hope that it will be useful,</span><br><span style="color: hsl(120, 100%, 40%);">+## but WITHOUT ANY WARRANTY; without even the implied warranty of</span><br><span style="color: hsl(120, 100%, 40%);">+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the</span><br><span style="color: hsl(120, 100%, 40%);">+## GNU General Public License for more details.</span><br><span style="color: hsl(120, 100%, 40%);">+##</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ifeq ($(CONFIG_VERIFIED_BOOT),y)</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+CPPFLAGS_common += -I$(src)/security/verified_boot</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+bootblock-$(CONFIG_C_ENVIRONMENT_BOOTBLOCK) += vboot_check.c</span><br><span style="color: hsl(120, 100%, 40%);">+romstage-y += vboot_check.c</span><br><span style="color: hsl(120, 100%, 40%);">+ramstage-y += vboot_check.c</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+cbfs-files-y += oemmanifest.bin</span><br><span style="color: hsl(120, 100%, 40%);">+oemmanifest.bin-file := $(obj)/oemmanifest.bin</span><br><span style="color: hsl(120, 100%, 40%);">+oemmanifest.bin-position := $(CONFIG_OEM_MANIFEST_LOC)</span><br><span style="color: hsl(120, 100%, 40%);">+oemmanifest.bin-type := 0x50</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+$(obj)/oemmanifest.bin:</span><br><span style="color: hsl(120, 100%, 40%);">+ifeq ($(CONFIG_VERIFIED_BOOT_SIGNED_MANIFEST),y)</span><br><span style="color: hsl(120, 100%, 40%);">+ dd if=/dev/zero of=$@ seek=8 bs=$(CONFIG_OEM_MANIFEST_ITEM_SIZE) count=$(CONFIG_OEM_MANIFEST_ITEMS)</span><br><span style="color: hsl(120, 100%, 40%);">+else # ($(CONFIG_VERIFIED_BOOT_SIGNED_MANIFEST),y)</span><br><span style="color: hsl(120, 100%, 40%);">+ dd if=/dev/zero of=$@ bs=$(CONFIG_OEM_MANIFEST_ITEM_SIZE) count=$(CONFIG_OEM_MANIFEST_ITEMS)</span><br><span style="color: hsl(120, 100%, 40%);">+endif # ($(CONFIG_VERIFIED_BOOT_SIGNED_MANIFEST),y)</span><br><span style="color: 
hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ifeq ($(CONFIG_VERIFIED_BOOT_SIGNED_MANIFEST),y)</span><br><span style="color: hsl(120, 100%, 40%);">+cbfs-files-y += vboot_public_key.bin</span><br><span style="color: hsl(120, 100%, 40%);">+vboot_public_key.bin-file := $(obj)/vboot_public_key.bin</span><br><span style="color: hsl(120, 100%, 40%);">+vboot_public_key.bin-position := $(CONFIG_VERIFIED_BOOT_KEY_LOCATION)</span><br><span style="color: hsl(120, 100%, 40%);">+vboot_public_key.bin-type := 0x50</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+$(obj)/vboot_public_key.bin:</span><br><span style="color: hsl(120, 100%, 40%);">+ dd if=/dev/zero of=$@ bs=$(CONFIG_VERIFIED_BOOT_KEY_SIZE) count=1</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+endif # ($(CONFIG_VERIFIED_BOOT_SIGNED_MANIFEST),y)</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+endif # CONFIG_VERIFIED_BOOT</span><br><span>diff --git a/src/security/verified_boot/vboot_check.c b/src/security/verified_boot/vboot_check.c</span><br><span>new file mode 100644</span><br><span>index 0000000..ab5f8d6</span><br><span>--- /dev/null</span><br><span>+++ b/src/security/verified_boot/vboot_check.c</span><br><span>@@ -0,0 +1,468 @@</span><br><span style="color: hsl(120, 100%, 40%);">+/*</span><br><span style="color: hsl(120, 100%, 40%);">+ * This file is part of the coreboot project.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * Copyright (C) 2016 Intel Corp.</span><br><span style="color: hsl(120, 100%, 40%);">+ * Copyright (C) 2017-2018 Eltan B.V.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * This program is free software; you can redistribute it and/or modify</span><br><span 
style="color: hsl(120, 100%, 40%);">+ * it under the terms of the GNU General Public License as published by</span><br><span style="color: hsl(120, 100%, 40%);">+ * the Free Software Foundation; version 2 of the License.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * This program is distributed in the hope that it will be useful,</span><br><span style="color: hsl(120, 100%, 40%);">+ * but WITHOUT ANY WARRANTY; without even the implied warranty of</span><br><span style="color: hsl(120, 100%, 40%);">+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the</span><br><span style="color: hsl(120, 100%, 40%);">+ * GNU General Public License for more details.</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+#include <vboot_check.h></span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#define RSA_PUBLICKEY_FILE_NAME "vboot_public_key.bin"</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#if IS_ENABLED(CONFIG_VERIFIED_BOOT_USE_SHA512)</span><br><span style="color: hsl(120, 100%, 40%);">+#define DIGEST_SIZE SHA512_DIGEST_SIZE</span><br><span style="color: hsl(120, 100%, 40%);">+#else</span><br><span style="color: hsl(120, 100%, 40%);">+#define DIGEST_SIZE SHA256_DIGEST_SIZE</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#if IS_ENABLED(CONFIG_VERIFIED_BOOT_SIGNED_MANIFEST)</span><br><span style="color: hsl(120, 100%, 40%);">+int verified_boot_check_manifest(void)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ struct vb2_public_key key;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint8_t digest[DIGEST_SIZE];</span><br><span style="color: hsl(120, 
100%, 40%);">+ size_t size = 0;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint8_t* signature = NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint8_t *buffer;</span><br><span style="color: hsl(120, 100%, 40%);">+ const struct vb2_workbuf wb;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ cbfs_boot_map_with_leak("oemmanifest.bin", CBFS_TYPE_RAW, &size);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (size != (CONFIG_OEM_MANIFEST_ITEMS * DIGEST_SIZE) + 256) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_ERR, "ERROR: Incorrect manifest size!\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ goto fail;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ buffer = cbfs_boot_map_with_leak(RSA_PUBLICKEY_FILE_NAME,</span><br><span style="color: hsl(120, 100%, 40%);">+ CBFS_TYPE_RAW, &size);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ size = DIGEST_SIZE;</span><br><span style="color: hsl(120, 100%, 40%);">+ if (!vb2_unpack_key_data(&key, buffer, size)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_ERR, "ERROR: Unable to create RSA Public Key !\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ return -1;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#if IS_ENABLED(CONFIG_VERIFIED_BOOT_USE_SHA512)</span><br><span style="color: hsl(120, 100%, 40%);">+ key.hash_alg = VB2_HASH_SHA512;</span><br><span style="color: hsl(120, 100%, 40%);">+#else</span><br><span style="color: hsl(120, 100%, 40%);">+ key.sig_alg = VB2_HASH_SHA256;</span><br><span style="color: hsl(120, 100%, 
40%);">+#endif</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ //</span><br><span style="color: hsl(120, 100%, 40%);">+ // Create a big endian digest</span><br><span style="color: hsl(120, 100%, 40%);">+ //</span><br><span style="color: hsl(120, 100%, 40%);">+#if IS_ENABLED(CONFIG_VERIFIED_BOOT_USE_SHA512)</span><br><span style="color: hsl(120, 100%, 40%);">+ cb_sha512_ex((const uint8_t*)CONFIG_OEM_MANIFEST_LOC,</span><br><span style="color: hsl(120, 100%, 40%);">+ CONFIG_OEM_MANIFEST_ITEMS * DIGEST_SIZE, digest, 1);</span><br><span style="color: hsl(120, 100%, 40%);">+#else</span><br><span style="color: hsl(120, 100%, 40%);">+ cb_sha256_ex((const uint8_t*)CONFIG_OEM_MANIFEST_LOC,</span><br><span style="color: hsl(120, 100%, 40%);">+ CONFIG_OEM_MANIFEST_ITEMS * DIGEST_SIZE, digest, 1);</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ signature = (uint8_t*)CONFIG_OEM_MANIFEST_LOC +</span><br><span style="color: hsl(120, 100%, 40%);">+ CONFIG_OEM_MANIFEST_ITEMS * DIGEST_SIZE;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ /* TODO * parameter 4 is vb2_workbuf workflow */</span><br><span style="color: hsl(120, 100%, 40%);">+ if (!vb2_rsa_verify_digest(&key, signature, digest, &wb)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_ERR, "ERROR: Signature verification failed for"</span><br><span style="color: hsl(120, 100%, 40%);">+ "hash table !!\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ goto fail;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "%s: Successfully verified hash_table signature.\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ 
__FUNCTION__);</span><br><span style="color: hsl(120, 100%, 40%);">+ return 0;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+fail:</span><br><span style="color: hsl(120, 100%, 40%);">+ die("HASH table verification failed!\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ return -1;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#if IS_ENABLED(CONFIG_MBOOT)</span><br><span style="color: hsl(120, 100%, 40%);">+#ifndef __BOOTBLOCK__</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+/*</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ * measure_item</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ * extends the defined pcr using the hash calculated by the verified boot</span><br><span style="color: hsl(120, 100%, 40%);">+ * routines.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * @param[in] pcr PCR to extend</span><br><span style="color: hsl(120, 100%, 40%);">+ * @param[in] *hashData Pointer to the hash data</span><br><span style="color: hsl(120, 100%, 40%);">+ * @param[in] hashDataLen Length of the hash data</span><br><span style="color: hsl(120, 100%, 40%);">+ * @param[in] *event_msg Message to log or display</span><br><span style="color: hsl(120, 100%, 40%);">+ * @param[in] eventType Event type to use when logging</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ * @retval TPM_SUCCESS Operation completed successfully.</span><br><span style="color: hsl(120, 100%, 40%);">+ * @retval TPM_E_IOERROR Unexpected device 
behavior.</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+static int measure_item(uint32_t pcr, uint8_t *hashData, uint32_t hashDataLen,</span><br><span style="color: hsl(120, 100%, 40%);">+ int8_t *event_msg, TCG_EVENTTYPE eventType)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ int status = TPM_SUCCESS;</span><br><span style="color: hsl(120, 100%, 40%);">+ EFI_TCG2_EVENT_ALGORITHM_BITMAP ActivePcrs;</span><br><span style="color: hsl(120, 100%, 40%);">+ TCG_PCR_EVENT2_HDR tcgEventHdr;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ ActivePcrs = tpm2_get_active_pcrs();</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ memset(&tcgEventHdr, 0, sizeof(tcgEventHdr));</span><br><span style="color: hsl(120, 100%, 40%);">+ tcgEventHdr.pcrIndex = pcr;</span><br><span style="color: hsl(120, 100%, 40%);">+ tcgEventHdr.eventType = eventType;</span><br><span style="color: hsl(120, 100%, 40%);">+ if (event_msg) {</span><br><span style="color: hsl(120, 100%, 40%);">+ status = mboot_hash_extend_log(ActivePcrs, MBOOT_HASH_PROVIDED,</span><br><span style="color: hsl(120, 100%, 40%);">+ hashData, hashDataLen, &tcgEventHdr,</span><br><span style="color: hsl(120, 100%, 40%);">+ (uint8_t*)event_msg, 0);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (status == TPM_SUCCESS) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "%s: Success! %s measured to pcr"</span><br><span style="color: hsl(120, 100%, 40%);">+ "%d.\n", __FUNCTION__, event_msg, pcr);</span><br><span style="color: hsl(120, 100%, 40%);">+ } else {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_DEBUG, "%s: Fail! %s can't be measured. 
"</span><br><span style="color: hsl(120, 100%, 40%);">+ "ABORTING!!!\n", __FUNCTION__, event_msg);</span><br><span style="color: hsl(120, 100%, 40%);">+ return status;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ return status;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span style="color: hsl(120, 100%, 40%);">+#endif //IS_ENABLED(CONFIG_MBOOT)</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+static void verified_boot_check_buffer(const char *name, void *start,</span><br><span style="color: hsl(120, 100%, 40%);">+ size_t size, uint32_t hash_index</span><br><span style="color: hsl(120, 100%, 40%);">+#ifndef __BOOTBLOCK__</span><br><span style="color: hsl(120, 100%, 40%);">+#if IS_ENABLED(CONFIG_MBOOT)</span><br><span style="color: hsl(120, 100%, 40%);">+ ,int32_t pcr</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span style="color: hsl(120, 100%, 40%);">+ )</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ uint8_t digest[DIGEST_SIZE];</span><br><span style="color: hsl(120, 100%, 40%);">+#ifndef __BOOTBLOCK__</span><br><span style="color: hsl(120, 100%, 40%);">+#if IS_ENABLED(CONFIG_MBOOT)</span><br><span style="color: hsl(120, 100%, 40%);">+ int status;</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_INFO, "%s: %s HASH verification buffer %p size %d\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ __FUNCTION__, name, start, (int) size);</span><br><span style="color: 
hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (start && size) {</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#if IS_ENABLED(CONFIG_VERIFIED_BOOT_USE_SHA512)</span><br><span style="color: hsl(120, 100%, 40%);">+ cb_sha512((const uint8_t*)start, size, digest);</span><br><span style="color: hsl(120, 100%, 40%);">+#else</span><br><span style="color: hsl(120, 100%, 40%);">+ cb_sha256((const uint8_t*)start, size, digest);</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (memcmp((void *)((uint8_t *)CONFIG_OEM_MANIFEST_LOC +</span><br><span style="color: hsl(120, 100%, 40%);">+ sizeof(digest) * hash_index), digest, sizeof(digest))) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_INFO, "%s: buffer hash\n", __FUNCTION__);</span><br><span style="color: hsl(120, 100%, 40%);">+ hexdump(digest, sizeof(digest));</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_INFO, "%s: manifest hash\n", __FUNCTION__);</span><br><span style="color: hsl(120, 100%, 40%);">+ hexdump((void *)((uint8_t *)CONFIG_OEM_MANIFEST_LOC +</span><br><span style="color: hsl(120, 100%, 40%);">+ sizeof(digest) * hash_index), sizeof(digest));</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_EMERG, "%s ", name);</span><br><span style="color: hsl(120, 100%, 40%);">+ die("HASH verification failed!\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ } else {</span><br><span style="color: hsl(120, 100%, 40%);">+#ifndef __BOOTBLOCK__</span><br><span style="color: hsl(120, 100%, 40%);">+#if IS_ENABLED(CONFIG_MBOOT)</span><br><span style="color: hsl(120, 100%, 40%);">+ if (pcr != -1) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_INFO, "%s: measuring %s\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ __FUNCTION__, 
name);</span><br><span style="color: hsl(120, 100%, 40%);">+ status = measure_item(pcr, digest,</span><br><span style="color: hsl(120, 100%, 40%);">+ sizeof(digest), (int8_t *)name,</span><br><span style="color: hsl(120, 100%, 40%);">+ 0);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_INFO, "%s HASH verification success\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ name);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ } else {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_EMERG, "Invalid buffer ");</span><br><span style="color: hsl(120, 100%, 40%);">+ die("HASH verification failed!\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+void verified_boot_check_cbfsfile(const char *name, uint32_t type,</span><br><span style="color: hsl(120, 100%, 40%);">+ uint32_t hash_index, void **buffer, uint32_t *filesize</span><br><span style="color: hsl(120, 100%, 40%);">+#ifndef __BOOTBLOCK__</span><br><span style="color: hsl(120, 100%, 40%);">+#if IS_ENABLED(CONFIG_MBOOT)</span><br><span style="color: hsl(120, 100%, 40%);">+ ,int32_t pcr</span><br><span style="color: hsl(120, 100%, 40%);">+#endif //IS_ENABLED(CONFIG_MBOOT)</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span style="color: hsl(120, 100%, 40%);">+ )</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ void *start;</span><br><span style="color: hsl(120, 100%, 40%);">+ size_t size;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 
40%);">+ start = cbfs_boot_map_with_leak(name, type & ~VERIFIED_BOOT_COPY_BLOCK,</span><br><span style="color: hsl(120, 100%, 40%);">+ &size);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (start && size) {</span><br><span style="color: hsl(120, 100%, 40%);">+ /*</span><br><span style="color: hsl(120, 100%, 40%);">+ * Speed up processing by copying the file content to memory</span><br><span style="color: hsl(120, 100%, 40%);">+ * first</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+#ifndef __PRE_RAM__</span><br><span style="color: hsl(120, 100%, 40%);">+ if ((type & VERIFIED_BOOT_COPY_BLOCK) && (buffer) && (*buffer)</span><br><span style="color: hsl(120, 100%, 40%);">+ && ((uint32_t) start ></span><br><span style="color: hsl(120, 100%, 40%);">+ (uint32_t)(~(CONFIG_CBFS_SIZE-1)))) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_INFO, "%s: move buffer to "</span><br><span style="color: hsl(120, 100%, 40%);">+ "memory\n", __FUNCTION__);</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Move the file to a memory bufferof which we know it</span><br><span style="color: hsl(120, 100%, 40%);">+ * doesn't harm</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+ memcpy(*buffer, start, size);</span><br><span style="color: hsl(120, 100%, 40%);">+ start = *buffer;</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_INFO, "%s: done\n", __FUNCTION__);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+#endif // __PRE_RAM__</span><br><span style="color: hsl(120, 100%, 40%);">+ verified_boot_check_buffer(name, start, size, hash_index</span><br><span style="color: hsl(120, 100%, 40%);">+#ifndef __BOOTBLOCK__</span><br><span style="color: hsl(120, 100%, 40%);">+#if IS_ENABLED(CONFIG_MBOOT)</span><br><span style="color: hsl(120, 100%, 40%);">+ 
,pcr</span><br><span style="color: hsl(120, 100%, 40%);">+#endif //IS_ENABLED(CONFIG_MBOOT)</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span style="color: hsl(120, 100%, 40%);">+ );</span><br><span style="color: hsl(120, 100%, 40%);">+ } else {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_EMERG, "CBFS Failed to get file content for %s\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ name);</span><br><span style="color: hsl(120, 100%, 40%);">+ die("HASH verification failed!\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ if (buffer)</span><br><span style="color: hsl(120, 100%, 40%);">+ *buffer = start;</span><br><span style="color: hsl(120, 100%, 40%);">+ if (filesize)</span><br><span style="color: hsl(120, 100%, 40%);">+ *filesize = size;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+void process_verify_list(const verify_item_t list[])</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ int i = 0;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ while (list[i].type != VERIFY_TERMINATOR) {</span><br><span style="color: hsl(120, 100%, 40%);">+ switch (list[i].type) {</span><br><span style="color: hsl(120, 100%, 40%);">+ case VERIFY_FILE:</span><br><span style="color: hsl(120, 100%, 40%);">+ verified_boot_check_cbfsfile(list[i].name,</span><br><span style="color: hsl(120, 100%, 40%);">+ list[i].data.file.cbfs_type,</span><br><span style="color: hsl(120, 100%, 40%);">+ list[i].hash_index, NULL, NULL</span><br><span style="color: hsl(120, 100%, 40%);">+#ifndef __BOOTBLOCK__</span><br><span style="color: hsl(120, 100%, 40%);">+#if IS_ENABLED(CONFIG_MBOOT)</span><br><span style="color: hsl(120, 100%, 40%);">+ 
,list[i].pcr</span><br><span style="color: hsl(120, 100%, 40%);">+#endif //IS_ENABLED(CONFIG_MBOOT)</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span style="color: hsl(120, 100%, 40%);">+ );</span><br><span style="color: hsl(120, 100%, 40%);">+ if (list[i].data.file.related_items) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_SPEW, "process related"</span><br><span style="color: hsl(120, 100%, 40%);">+ "items\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ process_verify_list((verify_item_t *)</span><br><span style="color: hsl(120, 100%, 40%);">+ list[i].data.file.related_items);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ break;</span><br><span style="color: hsl(120, 100%, 40%);">+ case VERIFY_BLOCK:</span><br><span style="color: hsl(120, 100%, 40%);">+ verified_boot_check_buffer(list[i].name,</span><br><span style="color: hsl(120, 100%, 40%);">+ (void *) list[i].data.block.start,</span><br><span style="color: hsl(120, 100%, 40%);">+ list[i].data.block.size,</span><br><span style="color: hsl(120, 100%, 40%);">+ list[i].hash_index</span><br><span style="color: hsl(120, 100%, 40%);">+#ifndef __BOOTBLOCK__</span><br><span style="color: hsl(120, 100%, 40%);">+#if IS_ENABLED(CONFIG_MBOOT)</span><br><span style="color: hsl(120, 100%, 40%);">+ ,list[i].pcr</span><br><span style="color: hsl(120, 100%, 40%);">+#endif //IS_ENABLED(CONFIG_MBOOT)</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span style="color: hsl(120, 100%, 40%);">+ );</span><br><span style="color: hsl(120, 100%, 40%);">+ break;</span><br><span style="color: hsl(120, 100%, 40%);">+ default:</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_EMERG, "INVALID TYPE IN VERIFY"</span><br><span style="color: hsl(120, 100%, 40%);">+ "LIST 0x%x\n", list[i].type);</span><br><span style="color: hsl(120, 100%, 40%);">+ die("HASH verification 
failed!\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ i++;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+#ifndef __BOOTBLOCK__</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+static void process_named_list(const verify_item_t list[], const char *name,</span><br><span style="color: hsl(120, 100%, 40%);">+ void **buffer, uint32_t *size)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ int i = 0;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ while (list[i].type != VERIFY_TERMINATOR) {</span><br><span style="color: hsl(120, 100%, 40%);">+ switch (list[i].type) {</span><br><span style="color: hsl(120, 100%, 40%);">+ case VERIFY_FILE:</span><br><span style="color: hsl(120, 100%, 40%);">+ if (!strcmp(name, list[i].name)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ if (list[i].data.file.related_items) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_SPEW, "process"</span><br><span style="color: hsl(120, 100%, 40%);">+ "related items\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ process_verify_list((verify_item_t *)list[i].data.file.related_items);</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_SPEW, "process related items done\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ verified_boot_check_cbfsfile(</span><br><span style="color: hsl(120, 100%, 40%);">+ list[i].name,</span><br><span style="color: hsl(120, 100%, 40%);">+ list[i].data.file.cbfs_type,</span><br><span style="color: hsl(120, 100%, 40%);">+ list[i].hash_index, buffer,</span><br><span style="color: hsl(120, 100%, 40%);">+ 
size</span><br><span style="color: hsl(120, 100%, 40%);">+#ifndef __BOOTBLOCK__</span><br><span style="color: hsl(120, 100%, 40%);">+#if IS_ENABLED(CONFIG_MBOOT)</span><br><span style="color: hsl(120, 100%, 40%);">+ ,list[i].pcr</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span style="color: hsl(120, 100%, 40%);">+ );</span><br><span style="color: hsl(120, 100%, 40%);">+ return;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ break;</span><br><span style="color: hsl(120, 100%, 40%);">+ default:</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_EMERG, "INVALID TYPE IN NAMED LIST"</span><br><span style="color: hsl(120, 100%, 40%);">+ "0x%x\n", list[i].type);</span><br><span style="color: hsl(120, 100%, 40%);">+ die("HASH verification failed!\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ i++;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_EMERG, "%s NOT IN LIST\n", name);</span><br><span style="color: hsl(120, 100%, 40%);">+ die("HASH verification failed!\n");</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#ifdef __BOOTBLOCK__</span><br><span style="color: hsl(120, 100%, 40%);">+/*</span><br><span style="color: hsl(120, 100%, 40%);">+ * BOOTBLOCK</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+extern verify_item_t bootblock_verify_list[];</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+void 
verified_boot_bootblock_check(void)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_SPEW, "%s: processing bootblock items\n", __FUNCTION__);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#if IS_ENABLED(CONFIG_VERIFIED_BOOT_SIGNED_MANIFEST)</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_SPEW, "%s: check the manifest\n", __FUNCTION__);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (verified_boot_check_manifest() != 0)</span><br><span style="color: hsl(120, 100%, 40%);">+ die("invalid manifest");</span><br><span style="color: hsl(120, 100%, 40%);">+#endif //IS_ENABLED(CONFIG_VERIFIED_BOOT_SIGNED_MANIFEST)</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_SPEW, "%s: process bootblock verify list\n", __FUNCTION__);</span><br><span style="color: hsl(120, 100%, 40%);">+ process_verify_list(bootblock_verify_list);</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#endif //__BOOTBLOCK__</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#ifdef __ROMSTAGE__</span><br><span style="color: hsl(120, 100%, 40%);">+/*</span><br><span style="color: hsl(120, 100%, 40%);">+ * ROMSTAGE</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+extern verify_item_t ramstage_verify_list[];</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+int prog_locate_hook(struct prog *prog)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ if (prog->type == PROG_RAMSTAGE) 
{</span><br><span style="color: hsl(120, 100%, 40%);">+ process_named_list(ramstage_verify_list, prog->name, NULL,</span><br><span style="color: hsl(120, 100%, 40%);">+ NULL);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ return 0;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+extern verify_item_t romstage_verify_list[];</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+void verified_boot_early_check(void)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_SPEW, "%s: processing early items\n", __FUNCTION__);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#if !IS_ENABLED(CONFIG_C_ENVIRONMENT_BOOTBLOCK)</span><br><span style="color: hsl(120, 100%, 40%);">+#if IS_ENABLED(CONFIG_VERIFIED_BOOT_SIGNED_MANIFEST)</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_SPEW, "%s: check the manifest\n", __FUNCTION__);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (verified_boot_check_manifest() != 0)</span><br><span style="color: hsl(120, 100%, 40%);">+ die("invalid manifest")</span><br><span style="color: hsl(120, 100%, 40%);">+#endif //IS_ENABLED(CONFIG_VERIFIED_BOOT_SIGNED_MANIFEST)</span><br><span style="color: hsl(120, 100%, 40%);">+#endif //!IS_ENABLED(CONFIG_C_ENVIRONMENT_BOOTBLOCK)</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_SPEW, "%s: process early verify list\n", __FUNCTION__);</span><br><span style="color: hsl(120, 100%, 40%);">+ process_verify_list(romstage_verify_list);</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+#endif //__ROMSTAGE__</span><br><span style="color: hsl(120, 100%, 
40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#ifdef __RAMSTAGE__</span><br><span style="color: hsl(120, 100%, 40%);">+/*</span><br><span style="color: hsl(120, 100%, 40%);">+ * RAM STAGE</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+static int process_oprom_list(const verify_item_t list[],</span><br><span style="color: hsl(120, 100%, 40%);">+ struct rom_header *rom_header)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ int i = 0;</span><br><span style="color: hsl(120, 100%, 40%);">+ struct pci_data *rom_data;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint32_t viddevid = 0;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (le32_to_cpu(rom_header->signature) != PCI_ROM_HDR) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_ERR, "Incorrect expansion ROM header "</span><br><span style="color: hsl(120, 100%, 40%);">+ "signature %04x DONT START\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ le32_to_cpu(rom_header->signature));</span><br><span style="color: hsl(120, 100%, 40%);">+ return 0;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ rom_data = (((void *)rom_header) + le32_to_cpu(rom_header->data));</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ viddevid |= (rom_data->vendor << 16);</span><br><span style="color: hsl(120, 100%, 40%);">+ viddevid |= rom_data->device;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ while (list[i].type != VERIFY_TERMINATOR) {</span><br><span style="color: hsl(120, 100%, 40%);">+ switch (list[i].type) 
{</span><br><span style="color: hsl(120, 100%, 40%);">+ case VERIFY_OPROM:</span><br><span style="color: hsl(120, 100%, 40%);">+ if (viddevid == list[i].data.oprom.viddev) {</span><br><span style="color: hsl(120, 100%, 40%);">+ verified_boot_check_buffer(list[i].name,</span><br><span style="color: hsl(120, 100%, 40%);">+ (void *) rom_header,</span><br><span style="color: hsl(120, 100%, 40%);">+ rom_header->size * 512,</span><br><span style="color: hsl(120, 100%, 40%);">+ list[i].hash_index</span><br><span style="color: hsl(120, 100%, 40%);">+#if IS_ENABLED(CONFIG_MBOOT)</span><br><span style="color: hsl(120, 100%, 40%);">+ ,list[i].pcr</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span style="color: hsl(120, 100%, 40%);">+ );</span><br><span style="color: hsl(120, 100%, 40%);">+ if (list[i].data.oprom.related_items) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_SPEW, "%s: process"</span><br><span style="color: hsl(120, 100%, 40%);">+ " related items\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ __FUNCTION__);</span><br><span style="color: hsl(120, 100%, 40%);">+ process_verify_list((verify_item_t *)list[i].data.oprom.related_items);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_SPEW, "%s: option rom can"</span><br><span style="color: hsl(120, 100%, 40%);">+ "be started\n", __FUNCTION__);</span><br><span style="color: hsl(120, 100%, 40%);">+ return 1;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ break;</span><br><span style="color: hsl(120, 100%, 40%);">+ default:</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_EMERG, "%s: INVALID TYPE IN OPTION"</span><br><span style="color: hsl(120, 100%, 40%);">+ " ROM LIST 0x%x\n", __FUNCTION__,</span><br><span style="color: hsl(120, 100%, 40%);">+ list[i].type);</span><br><span style="color: hsl(120, 100%, 
40%);">+ die("HASH verification failed!\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ i++;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_ERR, "%s: option rom not in list DONT START\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ __FUNCTION__);</span><br><span style="color: hsl(120, 100%, 40%);">+ return 0;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+extern verify_item_t payload_verify_list[];</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+int prog_locate_hook(struct prog *prog)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ if (prog->type == PROG_PAYLOAD) {</span><br><span style="color: hsl(120, 100%, 40%);">+ void *buffer = (void*) 0x01000000;</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_SPEW, "%s: requesting %s\n", __FUNCTION__, prog->name);</span><br><span style="color: hsl(120, 100%, 40%);">+ process_named_list(payload_verify_list, prog->name, &buffer, NULL);</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_SPEW, "%s: running allowed\n", __FUNCTION__);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ return 0;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+extern verify_item_t oprom_verify_list[];</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+int verified_boot_should_run_oprom(struct rom_header *rom_header)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 
100%, 40%);">+ return process_oprom_list(oprom_verify_list, rom_header);</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+#endif //__PRE_RAM__</span><br><span>diff --git a/src/security/verified_boot/vboot_check.h b/src/security/verified_boot/vboot_check.h</span><br><span>new file mode 100644</span><br><span>index 0000000..de5fd20</span><br><span>--- /dev/null</span><br><span>+++ b/src/security/verified_boot/vboot_check.h</span><br><span>@@ -0,0 +1,94 @@</span><br><span style="color: hsl(120, 100%, 40%);">+/*</span><br><span style="color: hsl(120, 100%, 40%);">+ * This file is part of the coreboot project.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * Copyright (C) 2016 Intel Corp.</span><br><span style="color: hsl(120, 100%, 40%);">+ * Copyright (C) 2017-2018 Eltan B.V.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * This program is free software; you can redistribute it and/or modify</span><br><span style="color: hsl(120, 100%, 40%);">+ * it under the terms of the GNU General Public License as published by</span><br><span style="color: hsl(120, 100%, 40%);">+ * the Free Software Foundation; version 2 of the License.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * This program is distributed in the hope that it will be useful,</span><br><span style="color: hsl(120, 100%, 40%);">+ * but WITHOUT ANY WARRANTY; without even the implied warranty of</span><br><span style="color: hsl(120, 100%, 40%);">+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the</span><br><span style="color: hsl(120, 100%, 40%);">+ * GNU General Public License for more details.</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#ifndef VBOOT_CHECK_H</span><br><span style="color: hsl(120, 100%, 40%);">+#define VBOOT_CHECK_H</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#include <cbfs.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <device/device.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <device/pci.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <lib.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include CONFIG_VERIFIED_BOOT_MANIFEST</span><br><span style="color: hsl(120, 100%, 40%);">+#include <console/console.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <security/include/cryptolib.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <string.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <program_loading.h></span><br><span style="color: hsl(120, 100%, 40%);">+#if IS_ENABLED(CONFIG_MBOOT)</span><br><span style="color: hsl(120, 100%, 40%);">+#include <mboot.h></span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#define VERIFIED_BOOT_COPY_BLOCK 0x80000000</span><br><span style="color: hsl(120, 100%, 40%);">+/* These method verifies the SHA256 hash over the 'named' CBFS component.</span><br><span style="color: hsl(120, 100%, 40%);">+ * 'type' denotes the type of CBFS component i.e. 
stage, payload or fsp.</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+#ifdef __BOOTBLOCK__</span><br><span style="color: hsl(120, 100%, 40%);">+void verified_boot_bootblock_check(void);</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span style="color: hsl(120, 100%, 40%);">+#ifdef __ROMSTAGE__</span><br><span style="color: hsl(120, 100%, 40%);">+void verified_boot_early_check(void);</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+int verified_boot_check_manifest(void);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#ifdef __BOOTBLOCK__</span><br><span style="color: hsl(120, 100%, 40%);">+void verified_boot_check_cbfsfile(const char *name, uint32_t type,</span><br><span style="color: hsl(120, 100%, 40%);">+ uint32_t hash_index, void **buffer, uint32_t *filesize);</span><br><span style="color: hsl(120, 100%, 40%);">+#else //__BOOTBLOCK__</span><br><span style="color: hsl(120, 100%, 40%);">+#if IS_ENABLED(CONFIG_MBOOT)</span><br><span style="color: hsl(120, 100%, 40%);">+void verified_boot_check_cbfsfile(const char *name, uint32_t type,</span><br><span style="color: hsl(120, 100%, 40%);">+ uint32_t hash_index, void **buffer, uint32_t *filesize, int32_t pcr);</span><br><span style="color: hsl(120, 100%, 40%);">+#else</span><br><span style="color: hsl(120, 100%, 40%);">+void verified_boot_check_cbfsfile(const char *name, uint32_t type,</span><br><span style="color: hsl(120, 100%, 40%);">+ uint32_t hash_index, void **buffer, uint32_t *filesize);</span><br><span style="color: hsl(120, 100%, 40%);">+#endif</span><br><span style="color: hsl(120, 100%, 40%);">+#endif //__BOOTBLOCK__</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span 
style="color: hsl(120, 100%, 40%);">+typedef enum {</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ VERIFY_TERMINATOR = 0,</span><br><span style="color: hsl(120, 100%, 40%);">+ VERIFY_FILE,</span><br><span style="color: hsl(120, 100%, 40%);">+ VERIFY_BLOCK,</span><br><span style="color: hsl(120, 100%, 40%);">+ VERIFY_OPROM</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+} verify_type;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+typedef struct {</span><br><span style="color: hsl(120, 100%, 40%);">+ verify_type type;</span><br><span style="color: hsl(120, 100%, 40%);">+ const char *name;</span><br><span style="color: hsl(120, 100%, 40%);">+ union {</span><br><span style="color: hsl(120, 100%, 40%);">+ struct {</span><br><span style="color: hsl(120, 100%, 40%);">+ const void *related_items;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint32_t cbfs_type;</span><br><span style="color: hsl(120, 100%, 40%);">+ } file;</span><br><span style="color: hsl(120, 100%, 40%);">+ struct {</span><br><span style="color: hsl(120, 100%, 40%);">+ const void *start;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint32_t size;</span><br><span style="color: hsl(120, 100%, 40%);">+ } block;</span><br><span style="color: hsl(120, 100%, 40%);">+ struct {</span><br><span style="color: hsl(120, 100%, 40%);">+ const void *related_items;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint32_t viddev;</span><br><span style="color: hsl(120, 100%, 40%);">+ } oprom;</span><br><span style="color: hsl(120, 100%, 40%);">+ } data;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint32_t hash_index;</span><br><span style="color: hsl(120, 100%, 40%);">+#if IS_ENABLED(CONFIG_MBOOT)</span><br><span style="color: hsl(120, 100%, 40%);">+ int32_t pcr;</span><br><span style="color: hsl(120, 100%, 
40%);">+#endif //IS_ENABLED(CONFIG_MBOOT)</span><br><span style="color: hsl(120, 100%, 40%);">+} verify_item_t;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+void process_verify_list(const verify_item_t list[]);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+#endif //VBOOT_CHECK_H</span><br><span></span><br></pre><p>To view, visit <a href="https://review.coreboot.org/c/coreboot/+/30218">change 30218</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://review.coreboot.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://review.coreboot.org/c/coreboot/+/30218"/><meta itemprop="name" content="View Change"/></div></div>
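Review bot: In src/security/verified_boot/vboot_check.c, the ramstage prog_locate_hook() passes a hard-coded buffer at 0x01000000 down to verified_boot_check_cbfsfile(), which does memcpy(*buffer, start, size) with the size reported by CBFS and no destination limit, and the hook then returns 0 without attaching the verified copy to prog. Please take the buffer and its capacity from a reserved region, reject files larger than that, and hand the verified bytes to the loader so that what was hashed is what runs; the romstage hook has the same gap because it passes NULL for the buffer. In verified_boot_check_buffer(), hash_index indexes the manifest at CONFIG_OEM_MANIFEST_LOC with no range check, and the status returned by measure_item() is never examined before "HASH verification success" is printed, so a failed measurement goes unnoticed. process_oprom_list() follows rom_header->data and reads the vendor and device IDs from the ROM before anything has been hashed; bound that offset against rom_header->size * 512 first. verified_boot_early_check() will not compile when CONFIG_VERIFIED_BOOT_SIGNED_MANIFEST is set without CONFIG_C_ENVIRONMENT_BOOTBLOCK, because die("invalid manifest") is missing its semicolon. Smaller points: several split string literals lose a space ("process related" "items\n", "INVALID TYPE IN VERIFY" "LIST 0x%x\n", "option rom can" "be started\n"), the (uint32_t) start cast should be uintptr_t, and the final #endif //__PRE_RAM__ closes #ifdef __RAMSTAGE__.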
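Review bot: In src/security/verified_boot/vboot_check.h, verified_boot_should_run_oprom() has no prototype even though vboot_check.c defines it as a non-static function taking struct rom_header *, so any caller outside that file gets an implicit declaration; please declare it here under the same stage guard as its definition. Declaring related_items as const void * forces the (verify_item_t *) casts in vboot_check.c that drop const; giving the struct a tag and using a const pointer to it would remove them. The comment "These method verifies the SHA256 hash over the 'named' CBFS component" sits above verified_boot_bootblock_check() rather than verified_boot_check_cbfsfile(), and the code also hashes with SHA512 when CONFIG_VERIFIED_BOOT_USE_SHA512 is set, so it should be reworded and moved. The pcr parameter and the pcr struct member exist only with CONFIG_MBOOT, which is what spreads the #if blocks through every call site in vboot_check.c; keeping the field unconditionally and ignoring it when measured boot is off would make the callers readable.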
<div style="display:none"> Gerrit-Project: coreboot </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-Change-Id: Ic1d5a21d40b6a31886777e8e9fe7b28c860f1a80 </div>
<div style="display:none"> Gerrit-Change-Number: 30218 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Frans Hendriks <fhendriks@eltan.com> </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>