Arthur Heymans has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/52753 )
Change subject: security/tpm/crtm: Measure FMAP into TPM
......................................................................
security/tpm/crtm: Measure FMAP into TPM
FMAP is used to look up cbfs files or other FMAP regions, so it should be measured too.
TESTED: on qemu q35 with swtpm
Change-Id: Ic424a094e7f790cce45c5a98b8bc6d46a8dcca1b
Signed-off-by: Arthur Heymans arthur@aheymans.xyz
---
M src/security/tpm/tspi/crtm.c
1 file changed, 11 insertions(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/53/52753/1
diff --git a/src/security/tpm/tspi/crtm.c b/src/security/tpm/tspi/crtm.c index 80483d5..147fc76 100644 --- a/src/security/tpm/tspi/crtm.c +++ b/src/security/tpm/tspi/crtm.c @@ -59,6 +59,17 @@ return VB2_SUCCESS; }
+ struct region_device fmap; + if (fmap_locate_area_as_rdev("FMAP", &fmap) == 0) { + if (tpm_measure_region(&fmap, TPM_CRTM_PCR, "FMAP: FMAP")) { + printk(BIOS_ERR, + "TSPI: Couldn't measure FMAP into CRTM!\n"); + return VB2_ERROR_UNKNOWN; + } + } else { + printk(BIOS_ERR, "TSPI: Could not find FMAP!\n"); + } + /* measure bootblock from RO */ struct cbfsf bootblock_data; struct region_device bootblock_fmap;
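Review bot: the else branch for a failed fmap_locate_area_as_rdev("FMAP", &fmap) only prints "TSPI: Could not find FMAP!" and falls through to the bootblock measurement, while a failed tpm_measure_region() in the same block returns VB2_ERROR_UNKNOWN. On the not-found path nothing is extended into TPM_CRTM_PCR for the FMAP and the caller sees no error, so the PCR ends up without the measurement the commit message says is needed. Consider returning VB2_ERROR_UNKNOWN there as well, or add a comment explaining why a missing FMAP is treated as non-fatal at this point.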