Hello Patrick Rudolph, Aaron Durbin, Julius Werner, Frans Hendriks, build bot (Jenkins), Patrick Georgi, Werner Zeh, Wim Vervoorn, Vanessa Eusebio, Philipp Deppenwiese, David Guckian, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#40).
Change subject: security/vboot: Decouple measured boot from verified boot
......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use the measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined in manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot, making them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.
This change allows those who do not want to use the verified boot scheme implemented by VBOOT, as well as its requirement of a more complex partition scheme designed for chromeos, to make use of the measured boot functionality implemented within the VBOOT library to measure the boot process.
Currently, in this change, it is done before the C_ENVIRONMENT bootblock loads romstage if the bootblock has enough space (greater than 32KiB, controlled by the flag TSPI_CRTM_INIT_OUTSIDE_BOOTBLOCK); otherwise, CRTM is initialized in romstage with a cbfs_locator hook, or along with vboot if it is enabled.
TODO: Measure MRC Cache somewhere, as MRC Cache no longer resides in CBFS, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee
Signed-off-by: Bill XIE <persmule@hardenedlinux.org>
---
M src/arch/x86/car.ld
M src/cpu/amd/agesa/Kconfig
M src/cpu/amd/pi/Kconfig
M src/cpu/intel/slot_1/Kconfig
M src/cpu/intel/socket_441/Kconfig
M src/cpu/intel/socket_m/Kconfig
M src/drivers/pc80/tpm/Makefile.inc
M src/include/bootmode.h
M src/lib/bootblock.c
M src/lib/cbfs.c
M src/mainboard/aopen/dxplplusu/Kconfig
M src/mainboard/emulation/qemu-i440fx/Kconfig
M src/mainboard/emulation/qemu-q35/Kconfig
M src/mainboard/portwell/m107/Kconfig
M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig
M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig
M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig
M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig
M src/security/tpm/Kconfig
M src/security/tpm/Makefile.inc
R src/security/tpm/tspi/crtm.c
R src/security/tpm/tspi/crtm.h
M src/security/tpm/tspi/tspi.c
M src/security/vboot/Kconfig
M src/security/vboot/Makefile.inc
M src/security/vboot/vboot_common.h
M src/security/vboot/vboot_logic.c
M src/soc/amd/common/block/acpi/acpi.c
M src/soc/intel/apollolake/Kconfig
M src/soc/intel/baytrail/pmutil.c
M src/soc/intel/braswell/Kconfig
M src/soc/intel/braswell/pmutil.c
M src/soc/intel/broadwell/pmutil.c
M src/soc/intel/common/block/pmc/pmclib.c
M src/soc/intel/denverton_ns/Kconfig
M src/soc/intel/icelake/Kconfig
M src/soc/intel/quark/Kconfig
M src/southbridge/intel/common/pmbase.c
M src/vendorcode/eltan/security/verified_boot/vboot_check.c
39 files changed, 236 insertions(+), 110 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/40
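The commit message above argues about where the CRTM must be initialised and notes that the MRC cache is not covered by the CBFS measurement hook. The following is an added example, not code from this change or from the coreboot/vboot tree: a small Python model of measured boot into a TPM PCR that makes both points concrete. It assumes the TPM 2.0 extend rule (PCR' = SHA-256(PCR || digest)), a 24-PCR bank that starts all-zero after reset, PCR 2 as the target index, and a CBFS image constructed inline; the names crtm_init, measure_cbfs_file, boot and replay are illustrative, not the project's own functions.

```python
"""Toy model of measured boot into a TPM PCR (added example, not project code)."""
import hashlib
from typing import Dict, List, Optional, Tuple

PCR_SIZE = 32
NUM_PCRS = 24
INITIAL_PCR = b"\x00" * PCR_SIZE   # TPM 2.0 resettable PCRs start all-zero
CRTM_PCR = 2                       # PCR index for firmware code in this model (assumption)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend rule: new = SHA256(old || digest).
    One-way and order-sensitive, so the only way to reproduce a PCR is to
    replay the same digests in the same order."""
    if len(pcr) != PCR_SIZE or len(digest) != PCR_SIZE:
        raise ValueError("PCR and digest must be SHA-256 sized")
    return sha256(pcr + digest)


class MeasuredBoot:
    """Firmware-side state. Measurements attempted before crtm_init() are
    dropped, which is what happens if the CRTM is brought up too late."""

    def __init__(self) -> None:
        self.pcrs: Optional[List[bytes]] = None          # no usable TPM until init
        self.event_log: List[Tuple[int, str, bytes]] = []
        self.dropped: List[str] = []

    def crtm_init(self) -> None:
        """TPM startup plus CRTM init (illustrative name): PCR bank becomes usable."""
        self.pcrs = [INITIAL_PCR] * NUM_PCRS

    def measure_cbfs_file(self, name: str, data: bytes) -> bool:
        """Hook run whenever a CBFS file is loaded (illustrative name)."""
        if self.pcrs is None:
            self.dropped.append(name)
            return False
        digest = sha256(data)
        self.pcrs[CRTM_PCR] = extend(self.pcrs[CRTM_PCR], digest)
        self.event_log.append((CRTM_PCR, name, digest))
        return True


def replay(event_log: List[Tuple[int, str, bytes]]) -> List[bytes]:
    """Verifier side: recompute every PCR from the event log alone."""
    pcrs = [INITIAL_PCR] * NUM_PCRS
    for index, _name, digest in event_log:
        pcrs[index] = extend(pcrs[index], digest)
    return pcrs


# Constructed CBFS image: names and contents are made up for this example.
CBFS_IMAGE: Dict[str, bytes] = {
    "fallback/bootblock": b"bootblock-code-v1",
    "fallback/romstage": b"romstage-code-v1",
    "fallback/ramstage": b"ramstage-code-v1",
    "fallback/payload": b"payload-code-v1",
}
LOAD_ORDER = ["fallback/bootblock", "fallback/romstage",
              "fallback/ramstage", "fallback/payload"]


def boot(cbfs: Dict[str, bytes], mrc_cache: bytes, init_before: str) -> MeasuredBoot:
    """Walk the load sequence; CRTM init happens right before `init_before`
    is loaded. mrc_cache lives outside CBFS, so the CBFS hook never sees it
    and it contributes nothing to the PCR (the commit's open TODO)."""
    mb = MeasuredBoot()
    for name in LOAD_ORDER:
        if name == init_before:
            mb.crtm_init()
        mb.measure_cbfs_file(name, cbfs[name])
    _ = mrc_cache   # consumed by memory init, never measured in this model
    return mb


def final_pcr(mb: MeasuredBoot) -> str:
    return mb.pcrs[CRTM_PCR].hex() if mb.pcrs else "<no TPM>"


if __name__ == "__main__":
    early = boot(CBFS_IMAGE, b"mrc-v1", "fallback/bootblock")
    late = boot(CBFS_IMAGE, b"mrc-v1", "fallback/romstage")
    print("CRTM init in bootblock :", final_pcr(early), "dropped:", early.dropped)
    print("CRTM init in romstage  :", final_pcr(late), "dropped:", late.dropped)
    print("log replays to PCR     :",
          replay(early.event_log)[CRTM_PCR].hex() == final_pcr(early))
```

Running it shows three things a practitioner cares about: the event log replays exactly to the PCR value (what a remote verifier checks), initialising the CRTM after the bootblock has already run leaves that stage out of the PCR entirely, and changing the MRC cache blob does not alter the PCR at all, which is why the commit's TODO matters for anyone relying on the measurement.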