

security/vboot: Add fmap measurements

* Hook into fmap area location (fmap_locate_area_as_rdev / _rw)
* Add static measurements for IFD to the CRTM

Change-Id: If7e4972805fbc8d19ab55d1f5e506836791c7bf0
Signed-off-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
---
M src/lib/fmap.c
M src/security/vboot/vboot_crtm.c
M src/security/vboot/vboot_crtm.h
3 files changed, 76 insertions(+), 2 deletions(-)

git pull ssh://review.coreboot.org:29418/coreboot refs/changes/97/31597/1
diff --git a/src/lib/fmap.c b/src/lib/fmap.c
index 9602134..ae0aaf8 100644
--- a/src/lib/fmap.c
+++ b/src/lib/fmap.c
@@ -20,6 +20,7 @@
#include <commonlib/fmap_serialized.h>
#include <stddef.h>
#include <string.h>
+#include <security/vboot/vboot_crtm.h>

#include "fmap_config.h"

@@ -77,7 +78,12 @@
if (fmap_locate_area(name, &ar))
return -1;

- return boot_device_ro_subregion(&ar, area);
+ int ret = boot_device_ro_subregion(&ar, area);
+ if (!ret)
+ if (vboot_measure_fmap_hook(area, name))
+ return -1;
+
+ return ret;
}

int fmap_locate_area_as_rdev_rw(const char *name, struct region_device *area)
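Review bot: A failed measurement is collapsed into the same `-1` that a missing area produces, so callers of `fmap_locate_area_as_rdev` cannot distinguish "area not in fmap" from "TPM extend failed", and `*area` has already been filled in by `boot_device_ro_subregion` when that `-1` is returned. The hook also fires on every successful lookup and `vboot_measure_fmap_hook` keeps no record of what it already extended, so an area that is located more than once would be extended into TPM_RUNTIME_DATA_PCR once per lookup and the PCR value would depend on lookup count rather than only on content; a once-per-area guard (or measuring where the data is actually read) would make the log reproducible, and the rw variant in the next hunk has the same shape. The brace-less nested `if` pair reads better flattened: `if (!ret && vboot_measure_fmap_hook(area, name))` / `return -1;`. Note also that `src/lib/fmap.c` now depends on `security/vboot/vboot_crtm.h` (include hunk above), which inverts the lib → security layering even though the stub macro keeps non-vboot builds compiling.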
@@ -87,7 +93,12 @@
if (fmap_locate_area(name, &ar))
return -1;

- return boot_device_rw_subregion(&ar, area);
+ int ret = boot_device_rw_subregion(&ar, area);
+ if (!ret)
+ if (vboot_measure_fmap_hook(area, name))
+ return -1;
+
+ return ret;
}

int fmap_locate_area(const char *name, struct region *ar)
diff --git a/src/security/vboot/vboot_crtm.c b/src/security/vboot/vboot_crtm.c
index 1914f20..a474fd0 100644
--- a/src/security/vboot/vboot_crtm.c
+++ b/src/security/vboot/vboot_crtm.c
@@ -18,6 +18,16 @@
#include <security/vboot/vboot_crtm.h>
#include <security/vboot/misc.h>

+const static char *fmap_runtime_data[] = {
+ "UNIFIED_MRC_CACHE",
+ "RW_MRC_CACHE",
+ "RW_ELOG",
+ "RW_VPD",
+ "RW_NVRAM",
+ "RECOVERY_MRC_CACHE",
+ "RW_VAR_MRC_CACHE",
+ "SMMSTORE"};
+
uint32_t vboot_init_crtm(void)
{
struct prog bootblock = PROG_INIT(PROG_BOOTBLOCK, "bootblock");
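Review bot: `const static char *fmap_runtime_data[]` puts the storage class after the qualifier and leaves the pointer elements themselves writable; the conventional spelling for an immutable lookup table is `static const char *const fmap_runtime_data[] = {`. Ending the initializer with `"SMMSTORE"};` on the last element line makes later additions produce noisier diffs; a trailing comma and `};` on its own line is the usual form in this tree.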
@@ -88,6 +98,36 @@
}
}

+ /* IFD measurements */
+ struct region_device fmap;
+ if (fmap_locate_area_as_rdev("RO_VPD", &fmap) == 0)
+ if (tpm_measure_region(&fmap, TPM_CRTM_PCR, "Read-only VPD") != TPM_SUCCESS)
+ return VB2_ERROR_UNKNOWN;
+
+ if (fmap_locate_area_as_rdev("GBB", &fmap) == 0)
+ if (tpm_measure_region(&fmap, TPM_CRTM_PCR, "Google Binary Blob") != TPM_SUCCESS)
+ return VB2_ERROR_UNKNOWN;
+
+ if (fmap_locate_area_as_rdev("SI_DESC", &fmap) == 0)
+ if (tpm_measure_region(&fmap, TPM_CRTM_PCR, "Intel Flash Descriptor") != TPM_SUCCESS)
+ return VB2_ERROR_UNKNOWN;
+
+ if (fmap_locate_area_as_rdev("SI_ME", &fmap) == 0)
+ if (tpm_measure_region(&fmap, TPM_RUNTIME_DATA_PCR, "Intel ME") != TPM_SUCCESS)
+ return VB2_ERROR_UNKNOWN;
+
+ if (fmap_locate_area_as_rdev("SI_EC", &fmap) == 0)
+ if (tpm_measure_region(&fmap, TPM_RUNTIME_DATA_PCR, "EC firmware") != TPM_SUCCESS)
+ return VB2_ERROR_UNKNOWN;
+
+ if (fmap_locate_area_as_rdev("SI_GBE", &fmap) == 0)
+ if (tpm_measure_region(&fmap, TPM_CRTM_PCR, "Intel GbE") != TPM_SUCCESS)
+ return VB2_ERROR_UNKNOWN;
+
+ if (fmap_locate_area_as_rdev("SI_PDR", &fmap) == 0)
+ if (tpm_measure_region(&fmap, TPM_RUNTIME_DATA_PCR, "Platform Data") != TPM_SUCCESS)
+ return VB2_ERROR_UNKNOWN;
+
return VB2_SUCCESS;
}

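Review bot: The seven copy-pasted lookup/measure pairs differ only in area name, PCR and description, and the `/* IFD measurements */` label does not fit RO_VPD or GBB, which are not descriptor regions; a file-scope table plus one loop makes the policy (which area goes to which PCR) reviewable in one place. The silent skip when `fmap_locate_area_as_rdev` fails deserves a comment, because an attester reading the PCR cannot tell "region absent on this board" from "region not measured". The `pcr` field type below assumes `TPM_CRTM_PCR`/`TPM_RUNTIME_DATA_PCR` are integer constants accepted by `tpm_measure_region`'s pcr parameter — confirm against its prototype. `vboot_init_crtm`'s body starts before this hunk.
```c
/* Flash areas measured statically at CRTM init, with the PCR each goes to. */
static const struct {
	const char *area;
	uint32_t pcr;
	const char *desc;
} fmap_static_regions[] = {
	{ "RO_VPD",  TPM_CRTM_PCR,         "Read-only VPD" },
	{ "GBB",     TPM_CRTM_PCR,         "Google Binary Blob" },
	{ "SI_DESC", TPM_CRTM_PCR,         "Intel Flash Descriptor" },
	{ "SI_ME",   TPM_RUNTIME_DATA_PCR, "Intel ME" },
	{ "SI_EC",   TPM_RUNTIME_DATA_PCR, "EC firmware" },
	{ "SI_GBE",  TPM_CRTM_PCR,         "Intel GbE" },
	{ "SI_PDR",  TPM_RUNTIME_DATA_PCR, "Platform Data" },
};

/* … unchanged: bootblock / verstage measurements at the top of vboot_init_crtm … */

	/*
	 * Static flash region measurements. An area that is not present in
	 * this board's fmap is skipped on purpose; a measurement failure is
	 * fatal.
	 */
	struct region_device fmap;
	for (size_t i = 0;
	     i < sizeof(fmap_static_regions) / sizeof(fmap_static_regions[0]);
	     i++) {
		if (fmap_locate_area_as_rdev(fmap_static_regions[i].area, &fmap) != 0)
			continue;
		if (tpm_measure_region(&fmap, fmap_static_regions[i].pcr,
				       fmap_static_regions[i].desc) != TPM_SUCCESS)
			return VB2_ERROR_UNKNOWN;
	}

	return VB2_SUCCESS;
```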
@@ -142,3 +182,18 @@
return tpm_measure_region(&rdev, pcr_index,
name);
}
+
+uint32_t vboot_measure_fmap_hook(struct region_device *rdev, const char *name)
+{
+ int i;
+
+ if (!vb2_logic_executed())
+ return 0;
+
+ for (i = 0; i < sizeof(fmap_runtime_data) / sizeof(fmap_runtime_data[0]); i++) {
+ if (!strncmp(fmap_runtime_data[i], name, sizeof(fmap_runtime_data[i])))
+ return tpm_measure_region(rdev, TPM_RUNTIME_DATA_PCR, name);
+ }
+
+ return 0;
+}
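Review bot: The `strncmp` in the loop bounds the comparison by `sizeof(fmap_runtime_data[i])`, which is the size of a `char *` (4 or 8 bytes), not the length of the string, so only a prefix is compared: on a 64-bit build `UNIFIED_MRC_CACHE` matches any area name starting with `UNIFIED_`, and on a 32-bit build `RW_VPD` and `RW_VAR_MRC_CACHE` compare equal in their first four bytes, so an unlisted area could be extended into TPM_RUNTIME_DATA_PCR under a listed name. The table entries are NUL-terminated literals, so the match should be exact: `if (strcmp(fmap_runtime_data[i], name) == 0)`. `int i` is compared against a `size_t` expression; `for (size_t i = 0; ...)` avoids the sign-compare warning. The function has no guard against `name` being NULL, which is presumably fine for the two callers in `fmap.c` but worth a one-line comment stating that `name` must be non-NULL.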
diff --git a/src/security/vboot/vboot_crtm.h b/src/security/vboot/vboot_crtm.h
index d28e96e..259e486 100644
--- a/src/security/vboot/vboot_crtm.h
+++ b/src/security/vboot/vboot_crtm.h
@@ -54,8 +54,16 @@
*/
uint32_t vboot_measure_cbfs_hook(struct cbfsf *fh, const char *name);

+/*
+ * Measures fmap data via hook (fmap)
+ * rdev is the region device handle to measure
+ * return 0 if successful, else an error
+ */
+uint32_t vboot_measure_fmap_hook(struct region_device *rdev, const char *name);
+
#else
#define vboot_measure_cbfs_hook(fh, name) 0
+#define vboot_measure_fmap_hook(rdev, name) 0
#endif

#endif /* __VBOOT_VBOOT_CRTM_H__ */
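Review bot: The new comment documents `rdev` but not `name`, and "Measures fmap data via hook (fmap)" does not say when the function measures and when it does nothing, which is the property a caller needs. Suggested wording: `/* Measure an fmap area on lookup. rdev: region device of the located area; name: fmap area name, matched against the runtime-data area list. Returns 0 on success or when nothing was measured, else the TPM error code. */`. The stub `#define vboot_measure_fmap_hook(rdev, name) 0` matches the existing cbfs stub, which is fine.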


Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: If7e4972805fbc8d19ab55d1f5e506836791c7bf0
Gerrit-Change-Number: 31597
Gerrit-PatchSet: 1
Gerrit-Owner: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Gerrit-MessageType: newchange