Attention is currently required from: Arthur Heymans, Christian Walter, Ivan Kuzneczov, Julius Werner.
Hello Arthur Heymans, Christian Walter, Julius Werner, build bot (Jenkins),
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/85605?usp=email
to look at the new patch set (#6).
The following approvals got outdated and were removed: Verified+1 by build bot (Jenkins)
Change subject: drivers/mrc_cache: Measure MRC cache as runtime data
......................................................................
drivers/mrc_cache: Measure MRC cache as runtime data
MRC cache used to be measured as runtime data when it resided in CBFS, before commit 82aa8338c74 ("drivers/mrc_cache: Always generate an FMAP region"). This patch restores this behavior for MRC cache stored in an FMAP region outside of CBFS.
Now, MRC cache will be measured at the end of mrc_cache_load_current(), mrc_cache_current_mmap_leak() and update_mrc_cache_by_type(), to guarantee that tampering with the memory (like https://badram.eu/) will be detected, controlled by Kconfig option TPM_MEASURE_MRC_CACHE.
TEST=Empty MRC cache is not measured. Changing the DIMM causes both the old cache and the new cache to be measured, and hence the runtime data measurement, which could be used as an alarm for memory tampering, to change. Starting from the second boot after changing the DIMM, the runtime data measurement becomes stable.
Signed-off-by: Ivan Kuzneczov ivan.kuzneczov@hardenedvault.net
Change-Id: I0d82642c24de1b317851d0afd44985195e92c104
---
M src/drivers/mrc_cache/mrc_cache.c
M src/security/tpm/Kconfig
2 files changed, 36 insertions(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/05/85605/6
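The PCR behaviour described in the TEST line above (one-boot alarm after a DIMM change, stable again from the second boot), modelled as an added example that is not coreboot code and not part of this change. It assumes a SHA-256 PCR bank and a simplified flow in which a boot first measures the stored cache (the mrc_cache_load_current() path) and then measures the new training result only if it differs (the update_mrc_cache_by_type() path); cache contents are constructed placeholders.

```python
import hashlib

PCR_INIT = b"\x00" * 32  # SHA-256 PCR bank starts at all zeros


def pcr_extend(pcr: bytes, data: bytes) -> bytes:
    """TPM 2.0 PCR extend: new = SHA-256(old || SHA-256(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()


def measure_mrc_cache(pcr: bytes, cache: bytes) -> bytes:
    """Extend the runtime-data PCR with the cache; an empty cache is not measured."""
    if not cache:
        return pcr
    return pcr_extend(pcr, cache)


def simulate_boot(stored_cache: bytes, training_result: bytes):
    """Assumed model of one boot: measure what is loaded, then measure an update if one is written.

    Returns (runtime-data PCR at end of boot, cache stored for the next boot).
    """
    pcr = measure_mrc_cache(PCR_INIT, stored_cache)       # load path
    if training_result != stored_cache:                    # update path
        pcr = measure_mrc_cache(pcr, training_result)
        stored_cache = training_result
    return pcr, stored_cache


def boot_sequence():
    """Constructed scenario: DIMM set A for boots 1-2, DIMM swapped before boot 3 (training now yields B)."""
    training = [b"mrc-cache-A", b"mrc-cache-A", b"mrc-cache-B", b"mrc-cache-B", b"mrc-cache-B"]
    stored = b""          # first boot: no cache yet, so nothing is measured on load
    pcrs = []
    for result in training:
        pcr, stored = simulate_boot(stored, result)
        pcrs.append(pcr)
    return pcrs


if __name__ == "__main__":
    for boot, pcr in enumerate(boot_sequence(), start=1):
        print(f"boot {boot}: runtime-data PCR = {pcr.hex()}")
```

Boot 3 is the only one whose value matches neither its predecessor nor its successor, which is the one-boot alarm an attestation policy can key on.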