Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot
Patch Set 6:
(1 comment)
https://review.coreboot.org/c/coreboot/+/35077/5/src/lib/cbfs.c
File src/lib/cbfs.c:
https://review.coreboot.org/c/coreboot/+/35077/5/src/lib/cbfs.c@330
PS5, Line 330: #if !CONFIG(VBOOT) && CONFIG(VBOOT_MEASURED_BOOT)
The only exact match of "bootblock_main()" is specific to soc/cavium, and every less-exact match is […]
Yes, I meant bootblock_main_with_timestamp(). I wasn't aware that there are still platforms not using C_ENVIRONMENT_BOOTBLOCK... do you think it is important to support this feature there? You can assume that all future boards should be using it.
I'm generally not a big fan of the current way vboot_crtm.c backpedals to find and hash all the things that have been loaded before it. It loads the same stuff twice (well, technically, measured boot always loads the same stuff twice right now, but for the hook it might be easier to remedy in the future), and it also misses things if there are platform-specific files loaded by the bootblock or verstage.
Putting the TPM init into the bootblock would be one way to somewhat remedy this (except for measuring the bootblock itself or other files loaded earlier than where the TPM init happens). The other option I thought about was turning the whole thing around so that we don't extend the TPM registers immediately for all those early hashes, but we instead just record them (at the time things are loaded) and then "replay" those records to put them into the TPM later once it is up. We already have a record of all the hashes anyway (the TCPA log), we'd just have to redefine it from being a pure "stuff we wrote to the TPM" log into a "stuff we're *going* to write into the TPM" log.
So with that idea we'd have to keep track of whether the TPM is enabled (for vboot this happens in verstage, for non-vboot currently in ramstage via src/drivers/tpm/tpm.c) and change tpm_extend_pcr() to not call tlcl_extend() if it isn't. Instead we'd just write that hash to the TCPA log and continue. When tpm_setup() is called later, we'd have to go through the TCPA log and extend all hashes from there into the TPM.
Maybe that second variant would work better? (In that case, MEASURED_BOOT would just have to 'select TPM_INIT if !VBOOT' and then that platform-independent location to initialize it would be the TPM initialization driver called from the boot state machine in ramstage.)
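The record-then-replay idea sketched in the comment above, as an added example that is not part of the review thread and not coreboot code: tpm_extend_pcr() always appends to a TCPA-style log and only calls tlcl_extend() once the TPM is up, and tpm_setup() replays the pending log entries in order. The tlcl_extend()/tpm_setup() functions here are mocks of the coreboot names, the PCR extend is an order-sensitive byte mix standing in for the TPM's SHA-based extend (not a hash), and the file names, PCR numbers and digest values are constructed for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 32
#define NUM_PCRS   8
#define MAX_LOG    32

/* One TCPA log entry: target PCR, digest, and what was measured. */
struct tcpa_entry {
	int pcr;
	uint8_t digest[DIGEST_LEN];
	char name[32];
};

static struct tcpa_entry tcpa_log[MAX_LOG];
static size_t tcpa_count;
static bool tpm_ready;                      /* set by tpm_setup() */

/* Mock TPM state; real code would reach the chip through tlcl. */
static uint8_t pcr_bank[NUM_PCRS][DIGEST_LEN];
static size_t tlcl_calls;

/* Stand-in for PCR = H(PCR || digest). Order-sensitive byte mix, NOT a hash;
 * it only lets the demo show that replay reproduces eager extension. */
static void mock_pcr_extend(uint8_t *pcr, const uint8_t *digest)
{
	for (size_t i = 0; i < DIGEST_LEN; i++)
		pcr[i] = (uint8_t)(((pcr[i] << 3) | (pcr[i] >> 5)) ^ digest[i] ^ (uint8_t)i);
}

/* Mock of tlcl_extend(): fails if the TPM has not been initialized yet. */
static int tlcl_extend(int pcr, const uint8_t *digest)
{
	if (!tpm_ready || pcr < 0 || pcr >= NUM_PCRS)
		return -1;
	mock_pcr_extend(pcr_bank[pcr], digest);
	tlcl_calls++;
	return 0;
}

/* Proposed behaviour: always log; touch the TPM only if it is already up.
 * Returns 0 on success, -1 if the log is full. */
static int tpm_extend_pcr(int pcr, const uint8_t *digest, const char *name)
{
	if (tcpa_count >= MAX_LOG)
		return -1;
	struct tcpa_entry *e = &tcpa_log[tcpa_count++];
	e->pcr = pcr;
	memcpy(e->digest, digest, DIGEST_LEN);
	snprintf(e->name, sizeof(e->name), "%s", name);
	if (!tpm_ready)
		return 0;                       /* deferred: log entry only */
	return tlcl_extend(pcr, digest);
}

/* Bring the TPM up and replay pending log entries in log order, calling
 * tlcl_extend() directly so nothing is logged twice. Returns entries replayed. */
static size_t tpm_setup(void)
{
	size_t replayed = 0;
	tpm_ready = true;
	for (size_t i = 0; i < tcpa_count; i++)
		if (tlcl_extend(tcpa_log[i].pcr, tcpa_log[i].digest) == 0)
			replayed++;
	return replayed;
}

static void reset_state(void)
{
	memset(tcpa_log, 0, sizeof(tcpa_log));
	memset(pcr_bank, 0, sizeof(pcr_bank));
	tcpa_count = 0;
	tlcl_calls = 0;
	tpm_ready = false;
}

/* Constructed digest values standing in for real file hashes. */
static void make_digest(uint8_t *out, uint8_t seed)
{
	for (size_t i = 0; i < DIGEST_LEN; i++)
		out[i] = (uint8_t)(seed * 31u + i);
}

struct demo_result {
	size_t log_entries;   /* TCPA log entries at the end of boot */
	size_t deferred;      /* entries replayed by tpm_setup() */
	size_t tlcl_calls;    /* extends that actually reached the mock TPM */
};

/* Boot flow from the comment: three things are measured before the TPM
 * driver runs, ramstage initializes the TPM (replaying the log), then the
 * payload is measured with the TPM already up. */
static struct demo_result demo_boot(void)
{
	struct demo_result r;
	uint8_t d[DIGEST_LEN];
	reset_state();
	make_digest(d, 1); tpm_extend_pcr(2, d, "fallback/verstage");
	make_digest(d, 2); tpm_extend_pcr(2, d, "fallback/romstage");
	make_digest(d, 3); tpm_extend_pcr(3, d, "fspm.bin");
	r.deferred = tpm_setup();               /* ramstage TPM init */
	make_digest(d, 4); tpm_extend_pcr(2, d, "fallback/payload");
	r.log_entries = tcpa_count;
	r.tlcl_calls = tlcl_calls;
	return r;
}

/* Returns 1 if the deferred flow leaves the same PCR values as a flow with
 * the TPM ready from the start (eager extension), 0 otherwise. */
static int replay_matches_eager(void)
{
	uint8_t eager[NUM_PCRS][DIGEST_LEN];
	uint8_t d[DIGEST_LEN];
	reset_state();
	tpm_setup();                            /* TPM up before any measurement */
	make_digest(d, 1); tpm_extend_pcr(2, d, "fallback/verstage");
	make_digest(d, 2); tpm_extend_pcr(2, d, "fallback/romstage");
	make_digest(d, 3); tpm_extend_pcr(3, d, "fspm.bin");
	make_digest(d, 4); tpm_extend_pcr(2, d, "fallback/payload");
	memcpy(eager, pcr_bank, sizeof(eager));
	demo_boot();
	return memcmp(eager, pcr_bank, sizeof(eager)) == 0;
}

int main(void)
{
	struct demo_result r = demo_boot();
	printf("log entries %zu, replayed %zu, tlcl_extend calls %zu, replay matches eager: %s\n",
	       r.log_entries, r.deferred, r.tlcl_calls, replay_matches_eager() ? "yes" : "no");
	return 0;
}
```

The one property worth checking in a real implementation is the one replay_matches_eager() exercises: replay must preserve per-PCR order, since PCR extension is not commutative, and the replay path must bypass the logging wrapper so the log does not grow while it is being replayed.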