[coreboot-gerrit] Change in coreboot[master]: mrc_cache: Add config MRC_SAVE_HASH_IN_TPM

16 Oct 2020

Shelley Chen has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/46509 )
Change subject: mrc_cache: Add config MRC_SAVE_HASH_IN_TPM
......................................................................
mrc_cache: Add config MRC_SAVE_HASH_IN_TPM
Use this config to specify whether we want to save a hash of the
MRC_CACHE in the TPM NVRAM space.  Replace all uses of
FSP2_0_USES_TPM_MRC_HASH with MRC_SAVE_HASH_IN_TPM and remove the
FSP2_0_USES_TPM_MRC_HASH config.
BUG=b:150502246
BRANCH=None
TEST=emerge-nami coreboot chromeos-bootimage
Change-Id: Ic5ffcdba27cb1f09c39c3835029c8d9cc3453af1
Signed-off-by: Shelley Chen shchen@google.com
---
M src/drivers/intel/fsp2_0/Kconfig
M src/drivers/intel/fsp2_0/memory_init.c
M src/drivers/mrc_cache/Kconfig
M src/security/vboot/Kconfig
M src/security/vboot/Makefile.inc
5 files changed, 15 insertions(+), 22 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/09/46509/1

diff --git a/src/drivers/intel/fsp2_0/Kconfig b/src/drivers/intel/fsp2_0/Kconfig
index 1a1da6c..59bb4e4 100644
--- a/src/drivers/intel/fsp2_0/Kconfig
+++ b/src/drivers/intel/fsp2_0/Kconfig
@@ -3,6 +3,7 @@
 config PLATFORM_USES_FSP2_0
    bool
    default n
+	select MRC_SAVE_HASH_IN_TPM if HAS_RECOVERY_MRC_CACHE
    help
      Include FSP 2.0 wrappers and functionality
@@ -141,23 +142,6 @@
      own stack that will be placed in DRAM and not in CAR, this is the
      amount of memory the FSP needs for its stack and heap.
-config FSP2_0_USES_TPM_MRC_HASH
-	bool
-	depends on TPM1 || TPM2
-	depends on VBOOT && VBOOT_STARTS_IN_BOOTBLOCK
-	default y if HAS_RECOVERY_MRC_CACHE
-	default n
-	select VBOOT_HAS_REC_HASH_SPACE
-	help
-	  Store hash of trained recovery MRC cache in NVRAM space in TPM.
-	  Use the hash to validate recovery MRC cache before using it.
-	  This hash needs to be updated every time recovery mode training
-	  is recomputed, or if the hash does not match recovery MRC cache.
-	  Selecting this option requires that TPM already be setup by this
-	  point in time.  Thus it is only compatible when the option
-	  VBOOT_STARTS_IN_BOOTBLOCK is selected, which causes verstage and
-	  TPM setup to occur prior to memory initialization.
-
 config FSP_PLATFORM_MEMORY_SETTINGS_VERSIONS
    bool
    help
diff --git a/src/drivers/intel/fsp2_0/memory_init.c b/src/drivers/intel/fsp2_0/memory_init.c
index 14aec98..09aad6b 100644
--- a/src/drivers/intel/fsp2_0/memory_init.c
+++ b/src/drivers/intel/fsp2_0/memory_init.c
@@ -19,15 +19,15 @@
 #include <symbols.h>
 #include <timestamp.h>
 #include <security/vboot/vboot_common.h>
-#include <security/tpm/tspi.h>
 #include <security/vboot/mrc_cache_hash_tpm.h>
+#include <security/tpm/tspi.h>
 #include <vb2_api.h>
 #include <types.h>
static uint8_t temp_ram[CONFIG_FSP_TEMP_RAM_SIZE] __aligned(sizeof(uint64_t));
/* TPM MRC hash functionality depends on vboot starting before memory init. */
-_Static_assert(!CONFIG(FSP2_0_USES_TPM_MRC_HASH) ||
+_Static_assert(!CONFIG(MRC_SAVE_HASH_IN_TPM) ||
           CONFIG(VBOOT_STARTS_IN_BOOTBLOCK),
           "for TPM MRC hash functionality, vboot must start in bootblock");
@@ -55,7 +55,7 @@
    			mrc_data_size) < 0)
    	printk(BIOS_ERR, "Failed to stash MRC data\n");
-	if (CONFIG(FSP2_0_USES_TPM_MRC_HASH))
+	if (CONFIG(MRC_SAVE_HASH_IN_TPM))
    	mrc_cache_update_hash(mrc_data, mrc_data_size);
 }
@@ -121,7 +121,7 @@
    if (data == NULL)
    	return;
-	if (CONFIG(FSP2_0_USES_TPM_MRC_HASH) &&
+	if (CONFIG(MRC_SAVE_HASH_IN_TPM) &&
        !mrc_cache_verify_hash(data, mrc_size))
    	return;
diff --git a/src/drivers/mrc_cache/Kconfig b/src/drivers/mrc_cache/Kconfig
index e09c5d8..bb97398 100644
--- a/src/drivers/mrc_cache/Kconfig
+++ b/src/drivers/mrc_cache/Kconfig
@@ -49,4 +49,12 @@
      that need to write back the MRC data in late ramstage boot
      states (MRC_WRITE_NV_LATE).
+config MRC_SAVE_HASH_IN_TPM
+	bool
+	depends on VBOOT && TPM2 && !TPM1
+	default n
+	help
+	  Store a hash of the MRC_CACHE training data in a TPM NVRAM
+	  space to ensure that it cannot be tampered with.
+
 endif # CACHE_MRC_SETTINGS
diff --git a/src/security/vboot/Kconfig b/src/security/vboot/Kconfig
index ee8d36a..094cbb9 100644
--- a/src/security/vboot/Kconfig
+++ b/src/security/vboot/Kconfig
@@ -159,6 +159,7 @@
config VBOOT_HAS_REC_HASH_SPACE
    bool
+	default y if MRC_SAVE_HASH_IN_TPM && HAS_RECOVERY_MRC_CACHE
    default n
    help
      Set this option to indicate to vboot that recovery data hash space
diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc
index e92396d..d4dabe2 100644
--- a/src/security/vboot/Makefile.inc
+++ b/src/security/vboot/Makefile.inc
@@ -118,7 +118,7 @@
 ramstage-y += common.c
 postcar-y += common.c
-romstage-$(CONFIG_FSP2_0_USES_TPM_MRC_HASH) += mrc_cache_hash_tpm.c
+romstage-$(CONFIG_MRC_SAVE_HASH_IN_TPM) += mrc_cache_hash_tpm.c
ifeq ($(CONFIG_VBOOT_SEPARATE_VERSTAGE),y)
-- 
To view, visit https://review.coreboot.org/c/coreboot/+/46509
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: Ic5ffcdba27cb1f09c39c3835029c8d9cc3453af1
Gerrit-Change-Number: 46509
Gerrit-PatchSet: 1
Gerrit-Owner: Shelley Chen shchen@google.com
Gerrit-Reviewer: Aaron Durbin adurbin@chromium.org
Gerrit-Reviewer: Andrey Petrov andrey.petrov@gmail.com
Gerrit-Reviewer: Martin Roth martinroth@google.com
Gerrit-Reviewer: Patrick Georgi pgeorgi@google.com
Gerrit-Reviewer: Patrick Rudolph siro@das-labor.org
Gerrit-MessageType: newchange



    

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

[coreboot-gerrit] Change in coreboot[master]: mrc_cache: Add config MRC_SAVE_HASH_IN_TPM