Philipp Deppenwiese has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/31597
Change subject: security/vboot: Add fmap measurements ......................................................................
security/vboot: Add fmap measurements
* Hook into fmap location * Add static measurements for IFD to the CRTM
Change-Id: If7e4972805fbc8d19ab55d1f5e506836791c7bf0 Signed-off-by: Philipp Deppenwiese zaolin.daisuki@gmail.com --- M src/lib/fmap.c M src/security/vboot/vboot_crtm.c M src/security/vboot/vboot_crtm.h 3 files changed, 76 insertions(+), 2 deletions(-)
diff --git a/src/lib/fmap.c b/src/lib/fmap.c
index 9602134..ae0aaf8 100644
--- a/src/lib/fmap.c
+++ b/src/lib/fmap.c
@@ -20,6 +20,7 @@
 #include <commonlib/fmap_serialized.h>
 #include <stddef.h>
 #include <string.h>
+#include <security/vboot/vboot_crtm.h>
#include "fmap_config.h"
@@ -77,7 +78,12 @@
 if (fmap_locate_area(name, &ar))
 return -1;
-return boot_device_ro_subregion(&ar, area);
+int ret = boot_device_ro_subregion(&ar, area);
+if (!ret)
+if (vboot_measure_fmap_hook(area, name))
+return -1;
+
+return ret;
 }
 int fmap_locate_area_as_rdev_rw(const char *name, struct region_device *area)
@@ -87,7 +93,12 @@
 if (fmap_locate_area(name, &ar))
 return -1;
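Review bot: A measurement failure in the added `if (vboot_measure_fmap_hook(area, name)) return -1;` is reported with the same -1 that `fmap_locate_area` uses for an unknown area, so callers of fmap_locate_area_as_rdev cannot tell a TPM error from a missing region, and a transient TPM failure now blocks every lookup of RW_MRC_CACHE, RW_ELOG or RW_NVRAM rather than only the measurement; the rw variant in the next hunk has the same shape. If failing the lookup is the intended policy, a comment saying so would help, since the enclosing functions start outside the hunk and a reader sees only the -1. The two nested unbraced ifs also invite a dangling-else mistake; `if (!ret && vboot_measure_fmap_hook(area, name)) return -1;` expresses the same condition in one line. Worth noting as well that the hook runs on every lookup, so a region located more than once per boot is presumably extended into the PCR more than once, and the final PCR value then depends on the number of lookups rather than only on the region contents, which makes reference values harder to predict.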
-return boot_device_rw_subregion(&ar, area);
+int ret = boot_device_rw_subregion(&ar, area);
+if (!ret)
+if (vboot_measure_fmap_hook(area, name))
+return -1;
+
+return ret;
 }
 int fmap_locate_area(const char *name, struct region *ar)
diff --git a/src/security/vboot/vboot_crtm.c b/src/security/vboot/vboot_crtm.c
index 1914f20..a474fd0 100644
--- a/src/security/vboot/vboot_crtm.c
+++ b/src/security/vboot/vboot_crtm.c
@@ -18,6 +18,16 @@
 #include <security/vboot/vboot_crtm.h>
 #include <security/vboot/misc.h>
+const static char *fmap_runtime_data[] = {
+"UNIFIED_MRC_CACHE",
+"RW_MRC_CACHE",
+"RW_ELOG",
+"RW_VPD",
+"RW_NVRAM",
+"RECOVERY_MRC_CACHE",
+"RW_VAR_MRC_CACHE",
+"SMMSTORE"};
+
 uint32_t vboot_init_crtm(void)
 {
 struct prog bootblock = PROG_INIT(PROG_BOOTBLOCK, "bootblock");
@@ -88,6 +98,36 @@
 }
 }
+/* IFD measurements */
+struct region_device fmap;
+if (fmap_locate_area_as_rdev("RO_VPD", &fmap) == 0)
+if (tpm_measure_region(&fmap, TPM_CRTM_PCR, "Read-only VPD") != TPM_SUCCESS)
+return VB2_ERROR_UNKNOWN;
+
+if (fmap_locate_area_as_rdev("GBB", &fmap) == 0)
+if (tpm_measure_region(&fmap, TPM_CRTM_PCR, "Google Binary Blob") != TPM_SUCCESS)
+return VB2_ERROR_UNKNOWN;
+
+if (fmap_locate_area_as_rdev("SI_DESC", &fmap) == 0)
+if (tpm_measure_region(&fmap, TPM_CRTM_PCR, "Intel Flash Descriptor") != TPM_SUCCESS)
+return VB2_ERROR_UNKNOWN;
+
+if (fmap_locate_area_as_rdev("SI_ME", &fmap) == 0)
+if (tpm_measure_region(&fmap, TPM_RUNTIME_DATA_PCR, "Intel ME") != TPM_SUCCESS)
+return VB2_ERROR_UNKNOWN;
+
+if (fmap_locate_area_as_rdev("SI_EC", &fmap) == 0)
+if (tpm_measure_region(&fmap, TPM_RUNTIME_DATA_PCR, "EC firmware") != TPM_SUCCESS)
+return VB2_ERROR_UNKNOWN;
+
+if (fmap_locate_area_as_rdev("SI_GBE", &fmap) == 0)
+if (tpm_measure_region(&fmap, TPM_CRTM_PCR, "Intel GbE") != TPM_SUCCESS)
+return VB2_ERROR_UNKNOWN;
+
+if (fmap_locate_area_as_rdev("SI_PDR", &fmap) == 0)
+if (tpm_measure_region(&fmap, TPM_RUNTIME_DATA_PCR, "Platform Data") != TPM_SUCCESS)
+return VB2_ERROR_UNKNOWN;
+
 return VB2_SUCCESS;
 }
@@ -142,3 +182,18 @@
 return tpm_measure_region(&rdev, pcr_index, name);
 }
+
+uint32_t vboot_measure_fmap_hook(struct region_device *rdev, const char *name)
+{
+int i;
+
+if (!vb2_logic_executed())
+return 0;
+
+for (i = 0; i < sizeof(fmap_runtime_data) / sizeof(fmap_runtime_data[0]); i++) {
+if (!strncmp(fmap_runtime_data[i], name, sizeof(fmap_runtime_data[i])))
+return tpm_measure_region(rdev, TPM_RUNTIME_DATA_PCR, name);
+}
+
+return 0;
+}
diff --git a/src/security/vboot/vboot_crtm.h b/src/security/vboot/vboot_crtm.h
index d28e96e..259e486 100644
--- a/src/security/vboot/vboot_crtm.h
+++ b/src/security/vboot/vboot_crtm.h
@@ -54,8 +54,16 @@
 */
 uint32_t vboot_measure_cbfs_hook(struct cbfsf *fh, const char *name);
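Review bot: `sizeof(fmap_runtime_data[i])` is the size of a `const char *`, not of the string, so the strncmp in the loop compares only the first 4 or 8 bytes of the name: with 8-byte pointers the "RECOVERY_MRC_CACHE" entry matches any area whose name begins with "RECOVERY", and in a 32-bit stage "RW_VPD" and "RW_NVRAM" match any RW_V* or RW_N* area, so areas outside the list can be extended into TPM_RUNTIME_DATA_PCR and the measurement log gets entries nobody intended. Both sides are NUL-terminated C strings, so an exact comparison is what is wanted: `if (!strcmp(fmap_runtime_data[i], name))`. The loop also compares a signed `int i` against a size_t; `for (size_t i = 0; i < ARRAY_SIZE(fmap_runtime_data); i++)` avoids the -Wsign-compare warning and the hand-written division. In the table hunk above, `const static char *fmap_runtime_data[]` is conventionally written `static const char *const fmap_runtime_data[]` so the pointers are read-only as well as the strings, and the file should include <string.h> for the comparison if it does not already.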
+/*
+* Measures fmap data via hook (fmap)
+* rdev is the region device handle to measure
+* return 0 if successful, else an error
+*/
+uint32_t vboot_measure_fmap_hook(struct region_device *rdev, const char *name);
+
 #else
 #define vboot_measure_cbfs_hook(fh, name) 0
+#define vboot_measure_fmap_hook(rdev, name) 0
 #endif
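Review bot: The new comment does not document `name`, which is the value the hook actually matches against its list, and its return line `return 0 if successful, else an error` is imprecise: the implementation in vboot_crtm.c also returns 0 when it decides not to measure at all (name not in the runtime-data list, or vboot logic not yet run), so callers cannot tell "measured" from "skipped". Suggested wording: `* Measures an FMAP area into the runtime-data PCR if its name is in the runtime data list.`, `* rdev is the region device of the area, name its FMAP name.`, `* Returns 0 on success or when the area is not measured, otherwise the tpm_measure_region() result.` The stub `#define vboot_measure_fmap_hook(rdev, name) 0` for the non-vboot build is consistent with that contract.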
#endif /* __VBOOT_VBOOT_CRTM_H__ */