Nice, I think this is on the right track.
11 comments:
Patch Set #44, Line 34: VBOOT2_TPM_LOG
If you rename the Kconfig option, maybe also rename this region?
Patch Set #44, Line 38: int platform_is_resuming(void);
This rename touches enough files that you should put it in its own patch.
However, why do you need to move this out of vboot anyway? I don't see this touched by the core part of your patch.
File src/security/tpm/Kconfig:
Patch Set #44, Line 105: TSPI_MEASURED_BOOT
For consistency with existing options I think TPM_MEASURED_BOOT would fit better.
File src/security/tpm/Makefile.inc:
Patch Set #44, Line 18: $(CONFIG_VBOOT)
nit: can also just put a 'y' here
Patch Set #44, Line 50: ifneq ($(CONFIG_TPM1)$(CONFIG_TPM2),)
Should be unnecessary because CONFIG_TSPI_MEASURED_BOOT already depends on these.
Patch Set #44, Line 56: _entry
Should this be _entries() (or just tcpa_log_replay_table())?
File src/security/tpm/tspi/crtm.c:
Patch Set #44, Line 160: void measured_boot_init_crtm(void)
Does this really need to be an explicitly called function? Can't you just put something like
if (ENV_BOOTBLOCK) {
static bool initialized = 0;
if (!initialized) {
tspi_init_crtm();
initialized = 1;
}
}
at the top of tspi_measure_cbfs_hook()?
Patch Set #44, Line 162: if (ENV_BOOTBLOCK) {
This is only called from the bootblock so I think this check is superfluous?
File src/security/tpm/tspi/tspi.c:
Patch Set #44, Line 22: #if CONFIG(VBOOT_LIB)
Don't conditionalize #includes. Just include these unconditionally. vboot is always checked out even if it isn't built so that should still work.
Patch Set #44, Line 114: return vboot_logic_executed();
There's a slight problem here in that vboot_logic.c itself extends some PCRs before it sets the vboot_executed variable to 1. But since you're already introducing a tpm_is_setup() global you can use that, so doing
if (CONFIG(VBOOT))
return vboot_logic_executed || tpm_is_setup;
should work.
Patch Set #44, Line 309: rname, pcr, tspi_tpm_is_setup()?"measur":"logg");
nit: spaces around ternary operatory, please
To view, visit change 35077. To unsubscribe, or for help writing mail filters, visit settings.