[coreboot-gerrit] Change in coreboot[master]: mrc_cache: Add TPM Hash verification

15 Oct 2020

Shelley Chen has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/46434 )
Change subject: mrc_cache: Add TPM Hash verification
......................................................................
mrc_cache: Add TPM Hash verification
As memory training data is stored in RW flash, so we need to add a
hash check in TPM NVRAM space to ensure that the mrc_cache data is not
modified when it shouldn't be.
BUG=b:150502246
BRANCH=None
TEST=Ensure memory training still works as expected
Change-Id: I7fa8c6a2e6e1a710a6b2b5e0c724cb53949c6337
Signed-off-by: Shelley Chen shchen@google.com
---
M src/drivers/mrc_cache/mrc_cache.c
M src/security/vboot/Makefile.inc
2 files changed, 11 insertions(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/34/46434/1

diff --git a/src/drivers/mrc_cache/mrc_cache.c b/src/drivers/mrc_cache/mrc_cache.c
index a083655..9291bdb 100644
--- a/src/drivers/mrc_cache/mrc_cache.c
+++ b/src/drivers/mrc_cache/mrc_cache.c
@@ -10,6 +10,7 @@
 #include <fmap.h>
 #include <ip_checksum.h>
 #include <region_file.h>
+#include <security/vboot/mrc_cache_hash_tpm.h>
 #include <security/vboot/vboot_common.h>
 #include <spi_flash.h>
@@ -185,6 +186,10 @@
    	return -1;
    }
+	// NOTE: we need to create the hash from both data and metadata values
+	if (CONFIG(SAVE_MRC_HASH) && !mrc_cache_verify_hash(data, data_size))
+		return -1;
+
    return 0;
 }
@@ -443,6 +448,8 @@
    } else {
    	printk(BIOS_DEBUG, "MRC: updated '%s'.\n", cr->name);
    	log_event_cache_update(cr->elog_slot, UPDATE_SUCCESS);
+		if (CONFIG(SAVE_MRC_HASH))
+			mrc_cache_update_hash(new_data, new_data_size);
    }
 }
diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc
index e92396d..05e0468 100644
--- a/src/security/vboot/Makefile.inc
+++ b/src/security/vboot/Makefile.inc
@@ -93,6 +93,10 @@
 ramstage-y += vboot_common.c
 postcar-y += vboot_common.c
+bootblock-$(CONFIG_SAVE_MRC_HASH) += mrc_cache_hash_tpm.c
+romstage-$(CONFIG_SAVE_MRC_HASH) += mrc_cache_hash_tpm.c
+ramstage-$(CONFIG_SAVE_MRC_HASH) += mrc_cache_hash_tpm.c
+
 bootblock-y += common.c
 verstage-y += vboot_logic.c
 verstage-y += common.c
-- 
To view, visit https://review.coreboot.org/c/coreboot/+/46434
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I7fa8c6a2e6e1a710a6b2b5e0c724cb53949c6337
Gerrit-Change-Number: 46434
Gerrit-PatchSet: 1
Gerrit-Owner: Shelley Chen shchen@google.com
Gerrit-Reviewer: Aaron Durbin adurbin@chromium.org
Gerrit-Reviewer: Martin Roth martinroth@google.com
Gerrit-Reviewer: Patrick Georgi pgeorgi@google.com
Gerrit-MessageType: newchange



    

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

[coreboot-gerrit] Change in coreboot[master]: mrc_cache: Add TPM Hash verification