Arthur Heymans has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/75997?usp=email )
Change subject: UNTESTED: security/crtm: Don't measure anything on S3 resume ......................................................................
UNTESTED: security/crtm: Don't measure anything on S3 resume
To quote the TCG PC Client Platform Firmware Profile Specification: "7.3.9 S3 (Sleep) to S0 (Working) This transition is a resume from an S3 suspend state. Host Platform Reset and TPM_INIT are asserted. The SRTM issues the TPM2_Startup(STATE) command, loading the previously saved state, without re-measuring Pre-OS components. The SRTM passes2395 control to the OS. If there are any changes to the Host Platform’s components or configuration, measuring these changes is the responsibility of the OS"
Therefore coreboot should not measure anything in either the logs or PCR on S3 resume.
Signed-off-by: Arthur Heymans arthur@aheymans.xyz Change-Id: Ic4ed5a3ca8bb2f82931e08348754c173d7a78c53 --- M src/security/tpm/tspi/crtm.c 1 file changed, 11 insertions(+), 2 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/97/75997/1
diff --git a/src/security/tpm/tspi/crtm.c b/src/security/tpm/tspi/crtm.c index 36dffb8..02304fe 100644 --- a/src/security/tpm/tspi/crtm.c +++ b/src/security/tpm/tspi/crtm.c @@ -1,5 +1,6 @@ /* SPDX-License-Identifier: GPL-2.0-only */
+#include <acpi/acpi.h> #include <console/console.h> #include <fmap.h> #include <bootstate.h> @@ -35,6 +36,9 @@ */ static uint32_t tspi_init_crtm(void) { + if (acpi_is_wakeup_s3()) + return VB2_SUCCESS; + /* Initialize TPM PRERAM log. */ if (!tpm_log_available()) { tpm_preram_log_clear(); @@ -113,6 +117,9 @@ uint32_t pcr_index; char tpm_log_metadata[TPM_CB_LOG_PCR_HASH_NAME];
+ if (acpi_is_wakeup_s3()) + return TPM_SUCCESS; + if (!tpm_log_available()) { if (tspi_init_crtm() != VB2_SUCCESS) { printk(BIOS_WARNING, @@ -156,8 +163,7 @@
/* We are dealing here with pre CBMEM environment. * If cbmem isn't available use CAR or SRAM */ - if (!cbmem_possibly_online() && - !CONFIG(VBOOT_RETURN_FROM_VERSTAGE)) + if (!ENV_HAS_CBMEM && !CONFIG(VBOOT_RETURN_FROM_VERSTAGE)) return _tpm_log; else if (ENV_CREATES_CBMEM && !CONFIG(VBOOT_RETURN_FROM_VERSTAGE)) { @@ -207,6 +213,9 @@ #if !CONFIG(VBOOT_RETURN_FROM_VERSTAGE) static void recover_tpm_log(int is_recovery) { + if (is_recovery) + return; + const void *preram_log = _tpm_log; void *ram_log = tpm_log_cbmem_init();