Change in coreboot[master]: security/vboot: Provide stub functions for TPM in bootblock - coreboot-gerrit

31 Mar 2020

Werner Zeh has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/39971 )
Change subject: security/vboot: Provide stub functions for TPM in bootblock
......................................................................
security/vboot: Provide stub functions for TPM in bootblock
With commit c79e96b4eb310db9d44e36e2dff072c01469c380
(security/vboot: Decouple measured boot from verified boot) the measured
boot logic was decoupled from VBOOT and the TSS layer of the TPM driver
was added to the bootblock. If now TPM_MEASURED_BOOT and VBOOT are
selected at the same time, the TPM functions called by the TSS layer are
missing during link time of the bootblock as at least the LPC TPM driver
is not enabled for bootblcok.
On the other side enabling the LPC TPM driver in bootblock leads to an
increased bootblock which on Apollo Lake does not fit anymore.
Since the intention of the mentioned patch was to decouple the both
features MEASURED_BOOT and VBOOT while still keep it possible to have
both enabled at the same time the missing functions need to be available
in bootblock though they are not needed (just to be able to link).
For this reason this patch provides a new Kconfig switch called
'TPM_IN_BOOTBLOCK' which, when set, will enable the full TPM
functionality in bootblock. As it is disabled per default just empty
stubs will be compiled for bootblock. If a platform needs the full TPM
driver in bootblock it can simply select 'TPM_IN_BOOTBLOCK'.
Change-Id: I888928a6577f4b920b5ee8b65daf23aa46e3aff8
Signed-off-by: Werner Zeh werner.zeh@siemens.com
---
M src/drivers/crb/tis.c
M src/drivers/i2c/tpm/tis.c
M src/drivers/i2c/tpm/tis_atmel.c
M src/drivers/pc80/tpm/Makefile.inc
M src/drivers/pc80/tpm/tis.c
M src/drivers/spi/tpm/tis.c
M src/security/tpm/Kconfig
7 files changed, 77 insertions(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/71/39971/1

diff --git a/src/drivers/crb/tis.c b/src/drivers/crb/tis.c
index b1fbad0..ef10002 100644
--- a/src/drivers/crb/tis.c
+++ b/src/drivers/crb/tis.c
@@ -44,6 +44,10 @@
int tis_open(void)
 {
+	if (ENV_BOOTBLOCK && !CONFIG(TPM_IN_BOOTBLOCK)) {
+		return -1;
+	}
+
    if (tpm_is_open) {
    	printk(BIOS_ERR, "%s called twice.\n", __func__);
    	return -1;
@@ -62,6 +66,10 @@
int tis_close(void)
 {
+	if (ENV_BOOTBLOCK && !CONFIG(TPM_IN_BOOTBLOCK)) {
+		return -1;
+	}
+
    if (tpm_is_open) {
/*
@@ -78,6 +86,10 @@
 {
    struct tpm2_info info;
+	if (ENV_BOOTBLOCK && !CONFIG(TPM_IN_BOOTBLOCK)) {
+		return -1;
+	}
+
    // Wake TPM up (if necessary)
    if (tpm2_init() != 0)
    	return -1;
@@ -93,6 +105,10 @@
int tis_sendrecv(const uint8_t *sendbuf, size_t sbuf_size, uint8_t *recvbuf, size_t *rbuf_len)
 {
+	if (ENV_BOOTBLOCK && !CONFIG(TPM_IN_BOOTBLOCK)) {
+		return -1;
+	}
+
    int len = tpm2_process_command(sendbuf, sbuf_size, recvbuf, *rbuf_len);
if (len == 0)
diff --git a/src/drivers/i2c/tpm/tis.c b/src/drivers/i2c/tpm/tis.c
index 8b07bb7..b7b9009 100644
--- a/src/drivers/i2c/tpm/tis.c
+++ b/src/drivers/i2c/tpm/tis.c
@@ -35,6 +35,10 @@
 {
    int rc;
+	if (ENV_BOOTBLOCK && !CONFIG(TPM_IN_BOOTBLOCK)) {
+		return -1;
+	}
+
    if (chip.is_open) {
    	printk(BIOS_DEBUG, "tis_open() called twice.\n");
    	return -1;
@@ -53,6 +57,10 @@
int tis_close(void)
 {
+	if (ENV_BOOTBLOCK && !CONFIG(TPM_IN_BOOTBLOCK)) {
+		return -1;
+	}
+
    if (chip.is_open) {
    	tpm_vendor_cleanup(&chip);
    	chip.is_open = 0;
@@ -63,6 +71,10 @@
int tis_init(void)
 {
+	if (ENV_BOOTBLOCK && !CONFIG(TPM_IN_BOOTBLOCK)) {
+		return -1;
+	}
+
    return tpm_vendor_probe(CONFIG_DRIVER_TPM_I2C_BUS,
    			CONFIG_DRIVER_TPM_I2C_ADDR);
 }
@@ -133,6 +145,10 @@
 int tis_sendrecv(const uint8_t *sendbuf, size_t sbuf_size,
    	uint8_t *recvbuf, size_t *rbuf_len)
 {
+	if (ENV_BOOTBLOCK && !CONFIG(TPM_IN_BOOTBLOCK)) {
+		return -1;
+	}
+
    ASSERT(sbuf_size >= 10);
/* Display the TPM command */
diff --git a/src/drivers/i2c/tpm/tis_atmel.c b/src/drivers/i2c/tpm/tis_atmel.c
index 74b4830..497e4fe 100644
--- a/src/drivers/i2c/tpm/tis_atmel.c
+++ b/src/drivers/i2c/tpm/tis_atmel.c
@@ -59,6 +59,10 @@
    int status;
    struct stopwatch sw;
+	if (ENV_BOOTBLOCK && !CONFIG(TPM_IN_BOOTBLOCK)) {
+		return -1;
+	}
+
    ASSERT(sbuf_size >= 10);
    if (CONFIG(DRIVER_TPM_DISPLAY_TIS_BYTES)) {
    	/* Display the TPM command */
diff --git a/src/drivers/pc80/tpm/Makefile.inc b/src/drivers/pc80/tpm/Makefile.inc
index 0de1b76..cba3e43 100644
--- a/src/drivers/pc80/tpm/Makefile.inc
+++ b/src/drivers/pc80/tpm/Makefile.inc
@@ -1,3 +1,4 @@
+bootblock-$(CONFIG_LPC_TPM) += tis.c
 verstage-$(CONFIG_LPC_TPM) += tis.c
 romstage-$(CONFIG_LPC_TPM) += tis.c
 ramstage-$(CONFIG_LPC_TPM) += tis.c
diff --git a/src/drivers/pc80/tpm/tis.c b/src/drivers/pc80/tpm/tis.c
index a35ef83..000abe1 100644
--- a/src/drivers/pc80/tpm/tis.c
+++ b/src/drivers/pc80/tpm/tis.c
@@ -635,6 +635,10 @@
  */
 int tis_init(void)
 {
+	if (ENV_BOOTBLOCK && !CONFIG(TPM_IN_BOOTBLOCK)) {
+		return TPM_DRIVER_ERR;
+	}
+
    if (tis_probe())
    	return TPM_DRIVER_ERR;
    return 0;
@@ -652,6 +656,10 @@
 {
    u8 locality = 0; /* we use locality zero for everything */
+	if (ENV_BOOTBLOCK && !CONFIG(TPM_IN_BOOTBLOCK)) {
+		return TPM_DRIVER_ERR;
+	}
+
    if (tis_close())
    	return TPM_DRIVER_ERR;
@@ -684,6 +692,11 @@
 int tis_close(void)
 {
    u8 locality = 0;
+
+	if (ENV_BOOTBLOCK && !CONFIG(TPM_IN_BOOTBLOCK)) {
+		return TPM_DRIVER_ERR;
+	}
+
    if (tis_has_access(locality)) {
    	tis_drop_access(locality);
    	if (tis_wait_dropped_access(locality)) {
@@ -711,6 +724,10 @@
 int tis_sendrecv(const uint8_t *sendbuf, size_t send_size,
    	 uint8_t *recvbuf, size_t *recv_len)
 {
+	if (ENV_BOOTBLOCK && !CONFIG(TPM_IN_BOOTBLOCK)) {
+		return TPM_DRIVER_ERR;
+	}
+
    if (tis_senddata(sendbuf, send_size)) {
    	printf("%s:%d failed sending data to TPM\n",
    	       __FILE__, __LINE__);
diff --git a/src/drivers/spi/tpm/tis.c b/src/drivers/spi/tpm/tis.c
index 6230751..2f2fe4a 100644
--- a/src/drivers/spi/tpm/tis.c
+++ b/src/drivers/spi/tpm/tis.c
@@ -33,6 +33,9 @@
int tis_open(void)
 {
+	if (ENV_BOOTBLOCK && !CONFIG(TPM_IN_BOOTBLOCK)) {
+		return -1;
+	}
    if (tpm_is_open) {
    	printk(BIOS_ERR, "tis_open() called twice.\n");
    	return -1;
@@ -42,6 +45,10 @@
int tis_close(void)
 {
+	if (ENV_BOOTBLOCK && !CONFIG(TPM_IN_BOOTBLOCK)) {
+		return -1;
+	}
+
    if (tpm_is_open) {
/*
@@ -59,6 +66,10 @@
    struct spi_slave spi;
    struct tpm2_info info;
+	if (ENV_BOOTBLOCK && !CONFIG(TPM_IN_BOOTBLOCK)) {
+		return -1;
+	}
+
    if (spi_setup_slave(CONFIG_DRIVER_TPM_SPI_BUS,
    		    CONFIG_DRIVER_TPM_SPI_CHIP, &spi)) {
    	printk(BIOS_ERR, "Failed to setup TPM SPI slave\n");
@@ -82,6 +93,10 @@
 int tis_sendrecv(const uint8_t *sendbuf, size_t sbuf_size,
    	 uint8_t *recvbuf, size_t *rbuf_len)
 {
+	if (ENV_BOOTBLOCK && !CONFIG(TPM_IN_BOOTBLOCK)) {
+		return -1;
+	}
+
    int len = tpm2_process_command(sendbuf, sbuf_size, recvbuf, *rbuf_len);
if (len == 0)
diff --git a/src/security/tpm/Kconfig b/src/security/tpm/Kconfig
index d8652b2..5c6f1aa 100644
--- a/src/security/tpm/Kconfig
+++ b/src/security/tpm/Kconfig
@@ -117,4 +117,12 @@
      Runtime data whitelist of cbfs filenames. Needs to be a
      comma separated list
+config TPM_IN_BOOTBLOCK
+	bool "Enable TPM driver in bootblock"
+	default n
+	depends on TPM_MEASURED_BOOT
+	help
+	  Enable the TPM driver in bootblock. Select this option if the bootblock
+	  has enough space to include the TPM driver.
+
 endmenu # Trusted Platform Module (tpm)
-- 
To view, visit https://review.coreboot.org/c/coreboot/+/39971
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I888928a6577f4b920b5ee8b65daf23aa46e3aff8
Gerrit-Change-Number: 39971
Gerrit-PatchSet: 1
Gerrit-Owner: Werner Zeh werner.zeh@siemens.com
Gerrit-MessageType: newchange



    