Philipp Deppenwiese submitted this change.
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within
vboot should enable verified boot first, along with sections such
as GBB and RW slots defined with manually written fmd files, even
if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from
verified boot and make them two fully independent options. Crypto
routines necessary for measurement could be reused, and TPM and CRTM
init should be done somewhere other than vboot_logic_executed() if
verified boot is not enabled.
In this revision, only TCPA log is initialized during bootblock.
Before TPM gets set up, digests are not measured into tpm immediately,
but cached in TCPA log, and measured into determined PCRs right after
TPM is up.
This change allows those who do not want to use the verified boot
scheme implemented by vboot as well as its requirement of a more
complex partition scheme designed for chromeos to make use of the
measured boot functionality implemented within vboot library to
measure the boot process.
TODO: Measure MRC Cache somewhere, as MRC Cache has never resided in
CBFS any more, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee
Signed-off-by: Bill XIE <persmule@hardenedlinux.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/35077
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Werner Zeh <werner.zeh@siemens.com>
---
M src/arch/x86/car.ld
M src/include/memlayout.h
M src/include/symbols.h
M src/lib/cbfs.c
M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig
M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig
M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig
M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig
M src/security/tpm/Kconfig
M src/security/tpm/Makefile.inc
M src/security/tpm/tspi.h
A src/security/tpm/tspi/crtm.c
R src/security/tpm/tspi/crtm.h
M src/security/tpm/tspi/log.c
M src/security/tpm/tspi/tspi.c
M src/security/vboot/Kconfig
M src/security/vboot/Makefile.inc
M src/security/vboot/symbols.h
D src/security/vboot/vboot_crtm.c
M src/security/vboot/vboot_logic.c
M src/soc/cavium/cn81xx/include/soc/memlayout.ld
M src/soc/mediatek/mt8173/include/soc/memlayout.ld
M src/soc/mediatek/mt8183/include/soc/memlayout.ld
M src/soc/nvidia/tegra124/include/soc/memlayout.ld
M src/soc/nvidia/tegra210/include/soc/memlayout.ld
M src/soc/samsung/exynos5250/include/soc/memlayout.ld
26 files changed, 333 insertions(+), 301 deletions(-)
diff --git a/src/arch/x86/car.ld b/src/arch/x86/car.ld
index 5e5493a..92b26a0 100644
--- a/src/arch/x86/car.ld
+++ b/src/arch/x86/car.ld
@@ -20,8 +20,8 @@
/* Vboot measured boot TCPA log measurements.
* Needs to be transferred until CBMEM is available
*/
-#if CONFIG(VBOOT_MEASURED_BOOT)
- VBOOT2_TPM_LOG(., 2K)
+#if CONFIG(TPM_MEASURED_BOOT)
+ TPM_TCPA_LOG(., 2K)
#endif
/* Stack for CAR stages. Since it persists across all stages that
* use CAR it can be reused. The chipset/SoC is expected to provide
diff --git a/src/include/memlayout.h b/src/include/memlayout.h
index 62c9f7b..bf4b2c5 100644
--- a/src/include/memlayout.h
+++ b/src/include/memlayout.h
@@ -159,9 +159,9 @@
STR(vboot2 work buffer size must be equivalent to \
VB2_FIRMWARE_WORKBUF_RECOMMENDED_SIZE! (sz)));
-#define VBOOT2_TPM_LOG(addr, size) \
- REGION(vboot2_tpm_log, addr, size, 16) \
- _ = ASSERT(size >= 2K, "vboot2 tpm log buffer must be at least 2K!");
+#define TPM_TCPA_LOG(addr, size) \
+ REGION(tpm_tcpa_log, addr, size, 16) \
+ _ = ASSERT(size >= 2K, "tpm tcpa log buffer must be at least 2K!");
#if ENV_VERSTAGE
#define VERSTAGE(addr, sz) \
diff --git a/src/include/symbols.h b/src/include/symbols.h
index 94e4668..e37405d 100644
--- a/src/include/symbols.h
+++ b/src/include/symbols.h
@@ -34,8 +34,11 @@
DECLARE_REGION(postram_cbfs_cache)
DECLARE_REGION(cbfs_cache)
DECLARE_REGION(fmap_cache)
-DECLARE_REGION(payload)
+DECLARE_REGION(tpm_tcpa_log)
+/* Regions for execution units. */
+
+DECLARE_REGION(payload)
/* "program" always refers to the current execution unit. */
DECLARE_REGION(program)
/* _<stage>_size is always the maximum amount allocated in memlayout, whereas
diff --git a/src/lib/cbfs.c b/src/lib/cbfs.c
index 4f0b443..4392ab7 100644
--- a/src/lib/cbfs.c
+++ b/src/lib/cbfs.c
@@ -13,19 +13,19 @@
*/
#include <assert.h>
-#include <console/console.h>
-#include <string.h>
-#include <stdlib.h>
#include <boot_device.h>
#include <cbfs.h>
#include <commonlib/bsd/compression.h>
+#include <console/console.h>
#include <endian.h>
+#include <fmap.h>
#include <lib.h>
+#include <security/tpm/tspi/crtm.h>
+#include <security/vboot/vboot_common.h>
+#include <stdlib.h>
+#include <string.h>
#include <symbols.h>
#include <timestamp.h>
-#include <fmap.h>
-#include <security/vboot/vboot_crtm.h>
-#include <security/vboot/vboot_common.h>
#define ERROR(x...) printk(BIOS_ERR, "CBFS: " x)
#define LOG(x...) printk(BIOS_INFO, "CBFS: " x)
@@ -60,7 +60,7 @@
}
if (!ret)
- if (vboot_measure_cbfs_hook(fh, name))
+ if (tspi_measure_cbfs_hook(fh, name))
return -1;
return ret;
diff --git a/src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig b/src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig
index 6adf4e9..0f32907 100644
--- a/src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig
+++ b/src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig
@@ -9,12 +9,12 @@
select MAINBOARD_HAS_TPM2
select MAINBOARD_HAS_LPC_TPM
select TPM_ON_FAST_SPI
+ select TPM_MEASURED_BOOT
config CBFS_SIZE
default 0xb4e000
config VBOOT
- select VBOOT_MEASURED_BOOT
select VBOOT_VBNV_FLASH
select VBOOT_NO_BOARD_SUPPORT
select GBB_FLAG_DISABLE_LID_SHUTDOWN
diff --git a/src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig b/src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig
index b10bdc8..55fb4b1 100644
--- a/src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig
+++ b/src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig
@@ -9,6 +9,7 @@
select MAINBOARD_HAS_LPC_TPM
select TPM_ON_FAST_SPI
select DRIVERS_I2C_PTN3460
+ select TPM_MEASURED_BOOT
config UART_FOR_CONSOLE
default 1
@@ -17,7 +18,6 @@
default 0xb4e000
config VBOOT
- select VBOOT_MEASURED_BOOT
select VBOOT_VBNV_FLASH
select VBOOT_NO_BOARD_SUPPORT
select GBB_FLAG_DISABLE_LID_SHUTDOWN
diff --git a/src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig b/src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig
index e46a0de..bd0b0d7 100644
--- a/src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig
+++ b/src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig
@@ -12,12 +12,12 @@
select MAINBOARD_HAS_LPC_TPM
select TPM_ON_FAST_SPI
select DRIVERS_I2C_PTN3460
+ select TPM_MEASURED_BOOT
config CBFS_SIZE
default 0xb4e000
config VBOOT
- select VBOOT_MEASURED_BOOT
select VBOOT_VBNV_FLASH
select VBOOT_NO_BOARD_SUPPORT
select GBB_FLAG_DISABLE_LID_SHUTDOWN
diff --git a/src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig b/src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig
index 864e808..852294a 100644
--- a/src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig
+++ b/src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig
@@ -11,9 +11,9 @@
select MAINBOARD_HAS_TPM2
select MAINBOARD_HAS_LPC_TPM
select TPM_ON_FAST_SPI
+ select TPM_MEASURED_BOOT
config VBOOT
- select VBOOT_MEASURED_BOOT
select VBOOT_VBNV_FLASH
select VBOOT_NO_BOARD_SUPPORT
select GBB_FLAG_DISABLE_LID_SHUTDOWN
diff --git a/src/security/tpm/Kconfig b/src/security/tpm/Kconfig
index 1766939..d8652b2 100644
--- a/src/security/tpm/Kconfig
+++ b/src/security/tpm/Kconfig
@@ -100,4 +100,21 @@
or VBOOT on the Intel Arrandale processor, which issues a
CPU-only reset during the romstage.
+config TPM_MEASURED_BOOT
+ bool "Enable Measured Boot"
+ default n
+ select VBOOT_LIB
+ depends on TPM1 || TPM2
+ depends on !VBOOT_RETURN_FROM_VERSTAGE
+ help
+ Enables measured boot (experimental)
+
+config TPM_MEASURED_BOOT_RUNTIME_DATA
+ string "Runtime data whitelist"
+ default ""
+ depends on TPM_MEASURED_BOOT
+ help
+ Runtime data whitelist of cbfs filenames. Needs to be a
+ comma separated list
+
endmenu # Trusted Platform Module (tpm)
diff --git a/src/security/tpm/Makefile.inc b/src/security/tpm/Makefile.inc
index a2d32cf..c36183d 100644
--- a/src/security/tpm/Makefile.inc
+++ b/src/security/tpm/Makefile.inc
@@ -6,22 +6,17 @@
ramstage-y += tss/tcg-1.2/tss.c
romstage-y += tss/tcg-1.2/tss.c
-
-verstage-$(CONFIG_VBOOT) += tss/tcg-1.2/tss.c
-postcar-$(CONFIG_VBOOT) += tss/tcg-1.2/tss.c
+bootblock-y += tss/tcg-1.2/tss.c
+verstage-y += tss/tcg-1.2/tss.c
+postcar-y += tss/tcg-1.2/tss.c
## TSPI
ramstage-y += tspi/tspi.c
romstage-y += tspi/tspi.c
-
-verstage-$(CONFIG_VBOOT) += tspi/tspi.c
-postcar-$(CONFIG_VBOOT) += tspi/tspi.c
-
-ramstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
-romstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
-verstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
-postcar-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
+bootblock-y += tspi/tspi.c
+verstage-y += tspi/tspi.c
+postcar-y += tspi/tspi.c
endif # CONFIG_TPM1
@@ -39,17 +34,31 @@
postcar-y += tss/tcg-2.0/tss_marshaling.c
postcar-y += tss/tcg-2.0/tss.c
+bootblock-y += tss/tcg-2.0/tss_marshaling.c
+bootblock-y += tss/tcg-2.0/tss.c
+
## TSPI
ramstage-y += tspi/tspi.c
romstage-y += tspi/tspi.c
-
+bootblock-y += tspi/tspi.c
verstage-$(CONFIG_VBOOT) += tspi/tspi.c
-postcar-$(CONFIG_VBOOT) += tspi/tspi.c
-
-ramstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
-romstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
-verstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
-postcar-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
+postcar-y += tspi/tspi.c
endif # CONFIG_TPM2
+
+ifeq ($(CONFIG_TPM_MEASURED_BOOT),y)
+
+bootblock-y += tspi/crtm.c
+verstage-y += tspi/crtm.c
+romstage-y += tspi/crtm.c
+ramstage-y += tspi/crtm.c
+postcar-y += tspi/crtm.c
+
+ramstage-y += tspi/log.c
+romstage-y += tspi/log.c
+verstage-y += tspi/log.c
+postcar-y += tspi/log.c
+bootblock-y += tspi/log.c
+
+endif # CONFIG_TPM_MEASURED_BOOT
diff --git a/src/security/tpm/tspi.h b/src/security/tpm/tspi.h
index 6854401..7ea90e2 100644
--- a/src/security/tpm/tspi.h
+++ b/src/security/tpm/tspi.h
@@ -24,6 +24,12 @@
#define HASH_DATA_CHUNK_SIZE 1024
/**
+ * Get the pointer to the single instance of global
+ * tcpa log data, and initialize it when necessary
+ */
+struct tcpa_table *tcpa_log_init(void);
+
+/**
* Clears the pre-RAM tcpa log data and initializes
* any content with default values
*/
@@ -47,6 +53,7 @@
*/
void tcpa_log_dump(void *unused);
+
/**
* Ask vboot for a digest and extend a TPM PCR with it.
* @param pcr sets the pcr index
diff --git a/src/security/tpm/tspi/crtm.c b/src/security/tpm/tspi/crtm.c
new file mode 100644
index 0000000..dc7d7d2
--- /dev/null
+++ b/src/security/tpm/tspi/crtm.c
@@ -0,0 +1,197 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
+#include <console/console.h>
+#include <fmap.h>
+#include <cbfs.h>
+#include "crtm.h"
+#include <string.h>
+
+/*
+ * This function sets the TCPA log namespace
+ * for the cbfs file (region) lookup.
+ */
+static int create_tcpa_metadata(const struct region_device *rdev,
+ const char *cbfs_name, char log_string[TCPA_PCR_HASH_NAME])
+{
+ int i;
+ struct region_device fmap;
+ static const char *const fmap_cbfs_names[] = {
+ "COREBOOT",
+ "FW_MAIN_A",
+ "FW_MAIN_B",
+ "RW_LEGACY"
+ };
+
+ for (i = 0; i < ARRAY_SIZE(fmap_cbfs_names); i++) {
+ if (fmap_locate_area_as_rdev(fmap_cbfs_names[i], &fmap) == 0) {
+ if (region_is_subregion(region_device_region(&fmap),
+ region_device_region(rdev))) {
+ snprintf(log_string, TCPA_PCR_HASH_NAME,
+ "FMAP: %s CBFS: %s",
+ fmap_cbfs_names[i], cbfs_name);
+ return 0;
+ }
+ }
+ }
+
+ return -1;
+}
+
+static int tcpa_log_initialized;
+static inline int tcpa_log_available(void)
+{
+ if (ENV_BOOTBLOCK)
+ return tcpa_log_initialized;
+
+ return 1;
+}
+
+uint32_t tspi_init_crtm(void)
+{
+ struct prog bootblock = PROG_INIT(PROG_BOOTBLOCK, "bootblock");
+
+ /* Initialize TCPA PRERAM log. */
+ if (!tcpa_log_available()) {
+ tcpa_preram_log_clear();
+ tcpa_log_initialized = 1;
+ } else {
+ printk(BIOS_WARNING, "TSPI: CRTM already initialized!\n");
+ return VB2_SUCCESS;
+ }
+
+ /* measure bootblock from RO */
+ struct cbfsf bootblock_data;
+ struct region_device bootblock_fmap;
+ if (fmap_locate_area_as_rdev("BOOTBLOCK", &bootblock_fmap) == 0) {
+ if (tpm_measure_region(&bootblock_fmap,
+ TPM_CRTM_PCR,
+ "FMAP: BOOTBLOCK"))
+ return VB2_ERROR_UNKNOWN;
+ } else {
+ if (cbfs_boot_locate(&bootblock_data,
+ prog_name(&bootblock), NULL)) {
+ /*
+ * measurement is done in
+ * tspi_measure_cbfs_hook()
+ */
+ printk(BIOS_INFO,
+ "TSPI: Couldn't measure bootblock into CRTM!\n");
+ return VB2_ERROR_UNKNOWN;
+ }
+ }
+
+ return VB2_SUCCESS;
+}
+
+static bool is_runtime_data(const char *name)
+{
+ const char *whitelist = CONFIG_TPM_MEASURED_BOOT_RUNTIME_DATA;
+ size_t whitelist_len = sizeof(CONFIG_TPM_MEASURED_BOOT_RUNTIME_DATA) - 1;
+ size_t name_len = strlen(name);
+ int i;
+
+ if (!whitelist_len || !name_len)
+ return false;
+
+ for (i = 0; (i + name_len) <= whitelist_len; i++) {
+ if (!strcmp(whitelist + i, name))
+ return true;
+ }
+
+ return false;
+}
+
+uint32_t tspi_measure_cbfs_hook(struct cbfsf *fh, const char *name)
+{
+ uint32_t pcr_index;
+ uint32_t cbfs_type;
+ struct region_device rdev;
+ char tcpa_metadata[TCPA_PCR_HASH_NAME];
+
+ if (!tcpa_log_available()) {
+ if (tspi_init_crtm() != VB2_SUCCESS) {
+ printk(BIOS_WARNING,
+ "Initializing CRTM failed!");
+ return 0;
+ }
+ printk(BIOS_DEBUG, "CRTM initialized.");
+ }
+
+ cbfsf_file_type(fh, &cbfs_type);
+ cbfs_file_data(&rdev, fh);
+
+ switch (cbfs_type) {
+ case CBFS_TYPE_MRC:
+ case CBFS_TYPE_MRC_CACHE:
+ pcr_index = TPM_RUNTIME_DATA_PCR;
+ break;
+ case CBFS_TYPE_STAGE:
+ case CBFS_TYPE_SELF:
+ case CBFS_TYPE_FIT:
+ pcr_index = TPM_CRTM_PCR;
+ break;
+ default:
+ if (is_runtime_data(name))
+ pcr_index = TPM_RUNTIME_DATA_PCR;
+ else
+ pcr_index = TPM_CRTM_PCR;
+ break;
+ }
+
+ if (create_tcpa_metadata(&rdev, name, tcpa_metadata) < 0)
+ return VB2_ERROR_UNKNOWN;
+
+ return tpm_measure_region(&rdev, pcr_index, tcpa_metadata);
+}
+
+int tspi_measure_cache_to_pcr(void)
+{
+ int i;
+ enum vb2_hash_algorithm hash_alg;
+ struct tcpa_table *tclt = tcpa_log_init();
+
+ if (!tclt) {
+ printk(BIOS_WARNING, "TCPA: Log non-existent!\n");
+ return VB2_ERROR_UNKNOWN;
+ }
+ if (CONFIG(TPM1)) {
+ hash_alg = VB2_HASH_SHA1;
+ } else { /* CONFIG_TPM2 */
+ hash_alg = VB2_HASH_SHA256;
+ }
+
+
+ printk(BIOS_DEBUG, "TPM: Write digests cached in TCPA log to PCR\n");
+ for (i = 0; i < tclt->num_entries; i++) {
+ struct tcpa_entry *tce = &tclt->entries[i];
+ if (tce) {
+ printk(BIOS_DEBUG, "TPM: Write digest for"
+ " %s into PCR %d\n",
+ tce->name, tce->pcr);
+ int result = tlcl_extend(tce->pcr,
+ tce->digest,
+ NULL);
+ if (result != TPM_SUCCESS) {
+ printk(BIOS_ERR, "TPM: Writing digest"
+ " of %s into PCR failed with error"
+ " %d\n",
+ tce->name, result);
+ return VB2_ERROR_UNKNOWN;
+ }
+ }
+ }
+
+ return VB2_SUCCESS;
+}
diff --git a/src/security/vboot/vboot_crtm.h b/src/security/tpm/tspi/crtm.h
similarity index 78%
rename from src/security/vboot/vboot_crtm.h
rename to src/security/tpm/tspi/crtm.h
index ba3dd45..dfd91e1 100644
--- a/src/security/vboot/vboot_crtm.h
+++ b/src/security/tpm/tspi/crtm.h
@@ -12,8 +12,8 @@
* GNU General Public License for more details.
*/
-#ifndef __SECURITY_VBOOT_CRTM_H__
-#define __SECURITY_VBOOT_CRTM_H__
+#ifndef __SECURITY_TSPI_CRTM_H__
+#define __SECURITY_TSPI_CRTM_H__
#include <commonlib/cbfs.h>
#include <program_loading.h>
@@ -43,18 +43,23 @@
* Takes the current vboot context as parameter for s3 checks.
* returns on success VB2_SUCCESS, else a vboot error.
*/
-uint32_t vboot_init_crtm(void);
+uint32_t tspi_init_crtm(void);
-#if CONFIG(VBOOT_MEASURED_BOOT)
+/**
+ * Measure digests cached in TCPA log entries into PCRs
+ */
+int tspi_measure_cache_to_pcr(void);
+
+#if CONFIG(TPM_MEASURED_BOOT)
/*
* Measures cbfs data via hook (cbfs)
* fh is the cbfs file handle to measure
* return 0 if successful, else an error
*/
-uint32_t vboot_measure_cbfs_hook(struct cbfsf *fh, const char *name);
+uint32_t tspi_measure_cbfs_hook(struct cbfsf *fh, const char *name);
#else
-#define vboot_measure_cbfs_hook(fh, name) 0
+#define tspi_measure_cbfs_hook(fh, name) 0
#endif
-#endif /* __VBOOT_VBOOT_CRTM_H__ */
+#endif /* __SECURITY_TSPI_CRTM_H__ */
diff --git a/src/security/tpm/tspi/log.c b/src/security/tpm/tspi/log.c
index 068d78d..e43f74d 100644
--- a/src/security/tpm/tspi/log.c
+++ b/src/security/tpm/tspi/log.c
@@ -16,7 +16,7 @@
#include <security/tpm/tspi.h>
#include <region_file.h>
#include <string.h>
-#include <security/vboot/symbols.h>
+#include <symbols.h>
#include <cbmem.h>
#include <bootstate.h>
#include <vb2_sha.h>
@@ -42,7 +42,7 @@
return tclt;
}
-static struct tcpa_table *tcpa_log_init(void)
+struct tcpa_table *tcpa_log_init(void)
{
MAYBE_STATIC_BSS struct tcpa_table *tclt = NULL;
@@ -50,12 +50,12 @@
* If cbmem isn't available use CAR or SRAM */
if (!cbmem_possibly_online() &&
!CONFIG(VBOOT_RETURN_FROM_VERSTAGE))
- return (struct tcpa_table *)_vboot2_tpm_log;
+ return (struct tcpa_table *)_tpm_tcpa_log;
else if (ENV_ROMSTAGE &&
!CONFIG(VBOOT_RETURN_FROM_VERSTAGE)) {
tclt = tcpa_cbmem_init();
if (!tclt)
- return (struct tcpa_table *)_vboot2_tpm_log;
+ return (struct tcpa_table *)_tpm_tcpa_log;
} else {
tclt = tcpa_cbmem_init();
}
@@ -128,7 +128,7 @@
void tcpa_preram_log_clear(void)
{
printk(BIOS_INFO, "TCPA: Clearing coreboot TCPA log\n");
- struct tcpa_table *tclt = (struct tcpa_table *)_vboot2_tpm_log;
+ struct tcpa_table *tclt = (struct tcpa_table *)_tpm_tcpa_log;
tclt->max_entries = MAX_TCPA_LOG_ENTRIES;
tclt->num_entries = 0;
}
@@ -136,7 +136,7 @@
#if !CONFIG(VBOOT_RETURN_FROM_VERSTAGE)
static void recover_tcpa_log(int is_recovery)
{
- struct tcpa_table *preram_log = (struct tcpa_table *)_vboot2_tpm_log;
+ struct tcpa_table *preram_log = (struct tcpa_table *)_tpm_tcpa_log;
struct tcpa_table *ram_log = NULL;
int i;
diff --git a/src/security/tpm/tspi/tspi.c b/src/security/tpm/tspi/tspi.c
index 0095183..4f0cc97 100644
--- a/src/security/tpm/tspi/tspi.c
+++ b/src/security/tpm/tspi/tspi.c
@@ -14,13 +14,14 @@
#include <console/cbmem_console.h>
#include <console/console.h>
+#include <security/tpm/tspi/crtm.h>
#include <security/tpm/tspi.h>
#include <security/tpm/tss.h>
-#if CONFIG(VBOOT)
+#include <assert.h>
+#include <security/vboot/misc.h>
+#include <string.h>
#include <vb2_api.h>
#include <vb2_sha.h>
-#include <assert.h>
-#endif
#if CONFIG(TPM1)
static uint32_t tpm1_invoke_state_machine(void)
@@ -100,6 +101,18 @@
return result;
}
+static int tpm_is_setup;
+static inline int tspi_tpm_is_setup(void)
+{
+ if (CONFIG(VBOOT))
+ return vboot_logic_executed() || tpm_is_setup;
+
+ if (ENV_RAMSTAGE)
+ return tpm_is_setup;
+
+ return 0;
+}
+
/*
* tpm_setup starts the TPM and establishes the root of trust for the
* anti-rollback mechanism. tpm_setup can fail for three reasons. 1 A bug.
@@ -170,7 +183,10 @@
#if CONFIG(TPM1)
result = tpm1_invoke_state_machine();
#endif
+ if (CONFIG(TPM_MEASURED_BOOT))
+ result = tspi_measure_cache_to_pcr();
+ tpm_is_setup = 1;
return tpm_setup_epilogue(result);
}
@@ -210,18 +226,27 @@
if (!digest)
return TPM_E_IOERROR;
- result = tlcl_extend(pcr, digest, NULL);
- if (result != TPM_SUCCESS)
- return result;
+ if (tspi_tpm_is_setup()) {
+ result = tlcl_lib_init();
+ if (result != TPM_SUCCESS) {
+ printk(BIOS_ERR, "TPM: Can't initialize library.\n");
+ return result;
+ }
- if (CONFIG(VBOOT_MEASURED_BOOT))
+ printk(BIOS_DEBUG, "TPM: Extending digest for %s into PCR %d\n", name, pcr);
+ result = tlcl_extend(pcr, digest, NULL);
+ if (result != TPM_SUCCESS)
+ return result;
+ }
+
+ if (CONFIG(TPM_MEASURED_BOOT))
tcpa_log_add_table_entry(name, pcr, digest_algo,
digest, digest_len);
return TPM_SUCCESS;
}
-#if CONFIG(VBOOT)
+#if CONFIG(VBOOT_LIB)
uint32_t tpm_measure_region(const struct region_device *rdev, uint8_t pcr,
const char *rname)
{
@@ -234,11 +259,7 @@
if (!rdev || !rname)
return TPM_E_INVALID_ARG;
- result = tlcl_lib_init();
- if (result != TPM_SUCCESS) {
- printk(BIOS_ERR, "TPM: Can't initialize library.\n");
- return result;
- }
+
if (CONFIG(TPM1)) {
hash_alg = VB2_HASH_SHA1;
} else { /* CONFIG_TPM2 */
@@ -277,7 +298,8 @@
printk(BIOS_ERR, "TPM: Extending hash into PCR failed.\n");
return result;
}
- printk(BIOS_DEBUG, "TPM: Measured %s into PCR %d\n", rname, pcr);
+ printk(BIOS_DEBUG, "TPM: Digest of %s to PCR %d %s\n",
+ rname, pcr, tspi_tpm_is_setup() ? "measured" : "logged");
return TPM_SUCCESS;
}
-#endif /* VBOOT */
+#endif /* VBOOT_LIB */
diff --git a/src/security/vboot/Kconfig b/src/security/vboot/Kconfig
index 6e0021d..f273265 100644
--- a/src/security/vboot/Kconfig
+++ b/src/security/vboot/Kconfig
@@ -35,22 +35,6 @@
comment "Anti-Rollback Protection disabled because mocking secdata is enabled."
depends on VBOOT_MOCK_SECDATA
-config VBOOT_MEASURED_BOOT
- bool "Enable Measured Boot"
- default n
- depends on TPM1 || TPM2
- depends on !VBOOT_RETURN_FROM_VERSTAGE
- help
- Enables measured boot mode in vboot (experimental)
-
-config VBOOT_MEASURED_BOOT_RUNTIME_DATA
- string "Runtime data whitelist"
- default ""
- depends on VBOOT_MEASURED_BOOT
- help
- Runtime data whitelist of cbfs filenames. Needs to be a comma separated
- list
-
config VBOOT_SLOTS_RW_A
bool "Firmware RO + RW_A"
help
diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc
index e7560dd..d1cc2da 100644
--- a/src/security/vboot/Makefile.inc
+++ b/src/security/vboot/Makefile.inc
@@ -105,14 +105,6 @@
ramstage-y += vboot_common.c
postcar-y += vboot_common.c
-ifeq ($(CONFIG_VBOOT_MEASURED_BOOT),y)
-bootblock-y += vboot_crtm.c
-verstage-y += vboot_crtm.c
-romstage-y += vboot_crtm.c
-ramstage-y += vboot_crtm.c
-postcar-y += vboot_crtm.c
-endif
-
bootblock-y += common.c
verstage-y += vboot_logic.c
verstage-y += common.c
diff --git a/src/security/vboot/symbols.h b/src/security/vboot/symbols.h
index 778c8ee..8f6063e 100644
--- a/src/security/vboot/symbols.h
+++ b/src/security/vboot/symbols.h
@@ -19,6 +19,4 @@
DECLARE_REGION(vboot2_work)
-DECLARE_REGION(vboot2_tpm_log)
-
#endif /* __VBOOT_SYMBOLS_H__ */
diff --git a/src/security/vboot/vboot_crtm.c b/src/security/vboot/vboot_crtm.c
deleted file mode 100644
index 40b56ed..0000000
--- a/src/security/vboot/vboot_crtm.c
+++ /dev/null
@@ -1,194 +0,0 @@
-/*
- * This file is part of the coreboot project.
- *
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; version 2 of the License.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- */
-
-#include <console/console.h>
-#include <fmap.h>
-#include <cbfs.h>
-#include <security/vboot/vboot_crtm.h>
-#include <security/vboot/misc.h>
-#include <string.h>
-
-/*
- * This functions sets the TCPA log namespace
- * for the cbfs file (region) lookup.
- */
-static int create_tcpa_metadata(const struct region_device *rdev,
- const char *cbfs_name, char log_string[TCPA_PCR_HASH_NAME])
-{
- int i;
- struct region_device fmap;
- static const char *fmap_cbfs_names[] = {
- "COREBOOT",
- "FW_MAIN_A",
- "FW_MAIN_B",
- "RW_LEGACY"};
-
- for (i = 0; i < ARRAY_SIZE(fmap_cbfs_names); i++) {
- if (fmap_locate_area_as_rdev(fmap_cbfs_names[i], &fmap) == 0) {
- if (region_is_subregion(region_device_region(&fmap),
- region_device_region(rdev))) {
- snprintf(log_string, TCPA_PCR_HASH_NAME,
- "FMAP: %s CBFS: %s",
- fmap_cbfs_names[i], cbfs_name);
- return 0;
- }
- }
- }
-
- return -1;
-}
-
-uint32_t vboot_init_crtm(void)
-{
- struct prog bootblock = PROG_INIT(PROG_BOOTBLOCK, "bootblock");
- struct prog verstage =
- PROG_INIT(PROG_VERSTAGE, CONFIG_CBFS_PREFIX "/verstage");
- struct prog romstage =
- PROG_INIT(PROG_ROMSTAGE, CONFIG_CBFS_PREFIX "/romstage");
- char tcpa_metadata[TCPA_PCR_HASH_NAME];
-
- /* Initialize TCPE PRERAM log. */
- tcpa_preram_log_clear();
-
- /* measure bootblock from RO */
- struct cbfsf bootblock_data;
- struct region_device bootblock_fmap;
- if (fmap_locate_area_as_rdev("BOOTBLOCK", &bootblock_fmap) == 0) {
- if (tpm_measure_region(&bootblock_fmap,
- TPM_CRTM_PCR,
- "FMAP: BOOTBLOCK"))
- return VB2_ERROR_UNKNOWN;
- } else {
- if (cbfs_boot_locate(&bootblock_data,
- prog_name(&bootblock), NULL) == 0) {
- cbfs_file_data(prog_rdev(&bootblock), &bootblock_data);
-
- if (create_tcpa_metadata(prog_rdev(&bootblock),
- prog_name(&bootblock), tcpa_metadata) < 0)
- return VB2_ERROR_UNKNOWN;
-
- if (tpm_measure_region(prog_rdev(&bootblock),
- TPM_CRTM_PCR,
- tcpa_metadata))
- return VB2_ERROR_UNKNOWN;
- } else {
- printk(BIOS_INFO,
- "VBOOT: Couldn't measure bootblock into CRTM!\n");
- return VB2_ERROR_UNKNOWN;
- }
- }
-
- if (CONFIG(VBOOT_STARTS_IN_ROMSTAGE)) {
- struct cbfsf romstage_data;
- /* measure romstage from RO */
- if (cbfs_boot_locate(&romstage_data,
- prog_name(&romstage), NULL) == 0) {
- cbfs_file_data(prog_rdev(&romstage), &romstage_data);
-
- if (create_tcpa_metadata(prog_rdev(&romstage),
- prog_name(&romstage), tcpa_metadata) < 0)
- return VB2_ERROR_UNKNOWN;
-
- if (tpm_measure_region(prog_rdev(&romstage),
- TPM_CRTM_PCR,
- tcpa_metadata))
- return VB2_ERROR_UNKNOWN;
- } else {
- printk(BIOS_INFO,
- "VBOOT: Couldn't measure %s into CRTM!\n",
- CONFIG_CBFS_PREFIX "/romstage");
- return VB2_ERROR_UNKNOWN;
- }
- }
-
- if (CONFIG(VBOOT_SEPARATE_VERSTAGE)) {
- struct cbfsf verstage_data;
- /* measure verstage from RO */
- if (cbfs_boot_locate(&verstage_data,
- prog_name(&verstage), NULL) == 0) {
- cbfs_file_data(prog_rdev(&verstage), &verstage_data);
-
- if (create_tcpa_metadata(prog_rdev(&verstage),
- prog_name(&verstage), tcpa_metadata) < 0)
- return VB2_ERROR_UNKNOWN;
-
- if (tpm_measure_region(prog_rdev(&verstage),
- TPM_CRTM_PCR,
- tcpa_metadata))
- return VB2_ERROR_UNKNOWN;
- } else {
- printk(BIOS_INFO,
- "VBOOT: Couldn't measure %s into CRTM!\n",
- CONFIG_CBFS_PREFIX "/verstage");
- return VB2_ERROR_UNKNOWN;
- }
- }
-
- return VB2_SUCCESS;
-}
-
-static bool is_runtime_data(const char *name)
-{
- const char *whitelist = CONFIG_VBOOT_MEASURED_BOOT_RUNTIME_DATA;
- size_t whitelist_len = sizeof(CONFIG_VBOOT_MEASURED_BOOT_RUNTIME_DATA) - 1;
- size_t name_len = strlen(name);
- int i;
-
- if (!whitelist_len || !name_len)
- return false;
-
- for (i = 0; (i + name_len) <= whitelist_len; i++) {
- if (!strcmp(whitelist + i, name))
- return true;
- }
-
- return false;
-}
-
-uint32_t vboot_measure_cbfs_hook(struct cbfsf *fh, const char *name)
-{
- uint32_t pcr_index;
- uint32_t cbfs_type;
- struct region_device rdev;
- char tcpa_metadata[TCPA_PCR_HASH_NAME];
-
- if (!vboot_logic_executed())
- return 0;
-
- cbfsf_file_type(fh, &cbfs_type);
- cbfs_file_data(&rdev, fh);
-
- switch (cbfs_type) {
- case CBFS_TYPE_MRC:
- case CBFS_TYPE_MRC_CACHE:
- pcr_index = TPM_RUNTIME_DATA_PCR;
- break;
- case CBFS_TYPE_STAGE:
- case CBFS_TYPE_SELF:
- case CBFS_TYPE_FIT:
- pcr_index = TPM_CRTM_PCR;
- break;
- default:
- if (is_runtime_data(name))
- pcr_index = TPM_RUNTIME_DATA_PCR;
- else
- pcr_index = TPM_CRTM_PCR;
- break;
- }
-
- if (create_tcpa_metadata(&rdev, name, tcpa_metadata) < 0)
- return VB2_ERROR_UNKNOWN;
-
- return tpm_measure_region(&rdev, pcr_index, tcpa_metadata);
-}
diff --git a/src/security/vboot/vboot_logic.c b/src/security/vboot/vboot_logic.c
index b72df96..80f7aaa 100644
--- a/src/security/vboot/vboot_logic.c
+++ b/src/security/vboot/vboot_logic.c
@@ -17,13 +17,13 @@
#include <bootmode.h>
#include <cbmem.h>
#include <fmap.h>
+#include <security/tpm/tspi/crtm.h>
+#include <security/vboot/misc.h>
+#include <security/vboot/vbnv.h>
+#include <security/vboot/tpm_common.h>
#include <string.h>
#include <timestamp.h>
#include <vb2_api.h>
-#include <security/vboot/misc.h>
-#include <security/vboot/vbnv.h>
-#include <security/vboot/vboot_crtm.h>
-#include <security/vboot/tpm_common.h>
#include "antirollback.h"
@@ -283,14 +283,6 @@
antirollback_read_space_firmware(ctx);
timestamp_add_now(TS_END_TPMINIT);
- /* Enable measured boot mode */
- if (CONFIG(VBOOT_MEASURED_BOOT) &&
- !(ctx->flags & VB2_CONTEXT_S3_RESUME)) {
- if (vboot_init_crtm() != VB2_SUCCESS)
- die_with_post_code(POST_INVALID_ROM,
- "Initializing measured boot mode failed!");
- }
-
if (get_recovery_mode_switch()) {
ctx->flags |= VB2_CONTEXT_FORCE_RECOVERY_MODE;
if (CONFIG(VBOOT_DISABLE_DEV_ON_RECOVERY))
diff --git a/src/soc/cavium/cn81xx/include/soc/memlayout.ld b/src/soc/cavium/cn81xx/include/soc/memlayout.ld
index 7478669..f3b0442 100644
--- a/src/soc/cavium/cn81xx/include/soc/memlayout.ld
+++ b/src/soc/cavium/cn81xx/include/soc/memlayout.ld
@@ -34,7 +34,7 @@
PRERAM_CBMEM_CONSOLE(BOOTROM_OFFSET + 0x8000, 8K)
BOOTBLOCK(BOOTROM_OFFSET + 0x20000, 64K)
VBOOT2_WORK(BOOTROM_OFFSET + 0x30000, 12K)
- VBOOT2_TPM_LOG(BOOTROM_OFFSET + 0x33000, 2K)
+ TPM_TCPA_LOG(BOOTROM_OFFSET + 0x33000, 2K)
VERSTAGE(BOOTROM_OFFSET + 0x33800, 50K)
ROMSTAGE(BOOTROM_OFFSET + 0x40000, 256K)
diff --git a/src/soc/mediatek/mt8173/include/soc/memlayout.ld b/src/soc/mediatek/mt8173/include/soc/memlayout.ld
index 89ee8f4..2a617b7 100644
--- a/src/soc/mediatek/mt8173/include/soc/memlayout.ld
+++ b/src/soc/mediatek/mt8173/include/soc/memlayout.ld
@@ -38,7 +38,7 @@
SRAM_START(0x00100000)
VBOOT2_WORK(0x00100000, 12K)
- VBOOT2_TPM_LOG(0x00103000, 2K)
+ TPM_TCPA_LOG(0x00103000, 2K)
FMAP_CACHE(0x00103800, 2K)
PRERAM_CBMEM_CONSOLE(0x00104000, 12K)
WATCHDOG_TOMBSTONE(0x00107000, 4)
diff --git a/src/soc/mediatek/mt8183/include/soc/memlayout.ld b/src/soc/mediatek/mt8183/include/soc/memlayout.ld
index 6e523d8..d2f9a06 100644
--- a/src/soc/mediatek/mt8183/include/soc/memlayout.ld
+++ b/src/soc/mediatek/mt8183/include/soc/memlayout.ld
@@ -30,7 +30,7 @@
{
SRAM_START(0x00100000)
VBOOT2_WORK(0x00100000, 12K)
- VBOOT2_TPM_LOG(0x00103000, 2K)
+ TPM_TCPA_LOG(0x00103000, 2K)
FMAP_CACHE(0x00103800, 2K)
WATCHDOG_TOMBSTONE(0x00104000, 4)
PRERAM_CBMEM_CONSOLE(0x00104004, 63K - 4)
diff --git a/src/soc/nvidia/tegra124/include/soc/memlayout.ld b/src/soc/nvidia/tegra124/include/soc/memlayout.ld
index 0128a86..adb47b1 100644
--- a/src/soc/nvidia/tegra124/include/soc/memlayout.ld
+++ b/src/soc/nvidia/tegra124/include/soc/memlayout.ld
@@ -30,7 +30,7 @@
FMAP_CACHE(0x40005800, 2K)
PRERAM_CBFS_CACHE(0x40006000, 14K)
VBOOT2_WORK(0x40009800, 12K)
- VBOOT2_TPM_LOG(0x4000D800, 2K)
+ TPM_TCPA_LOG(0x4000D800, 2K)
STACK(0x4000E000, 8K)
BOOTBLOCK(0x40010000, 30K)
VERSTAGE(0x40017800, 72K)
diff --git a/src/soc/nvidia/tegra210/include/soc/memlayout.ld b/src/soc/nvidia/tegra210/include/soc/memlayout.ld
index ff44591..fdd0e88 100644
--- a/src/soc/nvidia/tegra210/include/soc/memlayout.ld
+++ b/src/soc/nvidia/tegra210/include/soc/memlayout.ld
@@ -31,7 +31,7 @@
FMAP_CACHE(0x40000800, 2K)
PRERAM_CBFS_CACHE(0x40001000, 28K)
VBOOT2_WORK(0x40008000, 12K)
- VBOOT2_TPM_LOG(0x4000B000, 2K)
+ TPM_TCPA_LOG(0x4000B000, 2K)
#if ENV_ARM64
STACK(0x4000B800, 3K)
#else /* AVP gets a separate stack to avoid any chance of handoff races. */
diff --git a/src/soc/samsung/exynos5250/include/soc/memlayout.ld b/src/soc/samsung/exynos5250/include/soc/memlayout.ld
index db637ff..d117aac 100644
--- a/src/soc/samsung/exynos5250/include/soc/memlayout.ld
+++ b/src/soc/samsung/exynos5250/include/soc/memlayout.ld
@@ -32,7 +32,7 @@
TTB(0x2058000, 16K)
PRERAM_CBFS_CACHE(0x205C000, 76K)
FMAP_CACHE(0x206F000, 2K)
- VBOOT2_TPM_LOG(0x206F800, 2K)
+ TPM_TCPA_LOG(0x206F800, 2K)
VBOOT2_WORK(0x2070000, 12K)
STACK(0x2074000, 16K)
SRAM_END(0x2078000)
To view, visit change 35077. To unsubscribe, or for help writing mail filters, visit settings.