Philipp Deppenwiese (zaolin.daisuki@googlemail.com) just uploaded a new patch set to gerrit, which you can find at https://review.coreboot.org/14134
-gerrit
commit 67713d10ca7c0196f52430d43b1511c756080e03
Author: Philipp Deppenwiese <zaolin@das-labor.org>
Date:   Mon Mar 14 14:37:08 2016 +0100
Documentation/RFC: WIP - Add initial TPM documentation.
Change-Id: I9fe050b802ef9c1ea05ce9b5442e70b5c7ee1d90
---
 Documentation/RFC/tpm.md | 115 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 115 insertions(+)
diff --git a/Documentation/RFC/tpm.md b/Documentation/RFC/tpm.md new file mode 100644 index 0000000..1bf7564 --- /dev/null +++ b/Documentation/RFC/tpm.md 
@@ -0,0 +1,115 @@ +# Introduction + +TPM v1.2 support in coreboot came with supporting Chromebook's and Thinkpad's in the coreboot tree. Currently the implementation is used for vboot2 and the standalone trustedboot version of coreboot. TPM support can be easily activated via: + +__Menuconfig:__ +``` +Generic Drivers + -> [*] Enable TPM support +``` + +At the moment only Static Root of Trust for Measurement __(SRTM)__ is supported ! + +# TDDL + +__Code:__ +``` +src/drivers/tpm/ +``` + +Support for LPC and I2C bus protocols is given within all stages of coreboot. + +# TSS and TSPI + +__Code:__ +``` +src/lib/tpm/ +src/include/tpm/ +``` + +The TSS and TSPI is integrated into coreboot through all stages. For coreboot standalone trusted computing functions the TSPI should be used as it is stated in TCG specification. For vboot2 the TSS will be the state of the art API. + +## TSS Generator + +The TCG specified a lot of functions for use with the tpm. Therefore Google wrote his own automatic code generation which generates the tss_structures. + +__Code:__ +``` +util/tss-generator/ +``` + +__Command:__ +```bash +./tss-generator > tss_structures.h +``` + +# Trusted Boot + +Besides the vboot2 implementation, coreboot supports it's own trustedboot which is used to improve boot security and platform protection. It's not mandatory, opt-in and can be activated if needed. So it's an alternative toy secureboot which locks out users the most times and ensures that the PC is under control of the user. Keep in mind a trustedboot is enforced via operating system and not by the firmware ! Which means you are free to choose whatever you do ! 
+ +__Menuconfig:__ +``` +Security + -> [*] Enable TrustedBoot support + -> [*] Microcode measurement + -> [*] Configuration Data measurement + -> [*] Option ROM's measurement + -> [*] Intel MRC measurement + -> [*] AMD PSP & AGESA measurement + -> [*] GBE measurement + -> [*] Descriptor measurement + -> [*] ME code section measurement +``` + +## Specification + +For the coreboot TPM measurement specification PCR 0 - 7 is used. Which is common to be used for firmware only measurement. + +__PCR-00:__ +``` +BOOTBLOCK (optional) CBFS: bootblock +``` + +__PCR-01:__ +``` +ROMSTAGE, MICROCODE CBFS: fallback/romstage ; cpu_microcode_blob.bin +``` + +__PCR-02:__ +``` +RAMSTAGE, SMM CBFS: fallback/ramstage +``` + +__PCR-03:__ +``` +OPTIONS ROMS CBFS: pciXXXX,XXXX.rom +``` + +__PCR-04:__ +``` +CMOS CONFIGURATION RUNTIME +``` + +__PCR-05:__ +``` +PAYLOAD CBFS: fallback/payload +``` + +__PCR-06:__ +``` +MRC, PSP +``` + +__PCR-07:__ +``` +DESCRIPTOR, GBE, ME (optional) SPI +``` + +## Hooks +## PCR Measurement +## TCPA Log + +The TCPA Log for coreboot isn't TCG specification conform. + +# Payloads +## Seabios
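Review bot: The PCR map under "## Specification" does not match the TCG PC Client PCR usage that the same section calls "common" for firmware measurement (PCR 0 firmware code, PCR 1 platform configuration, PCR 2 and 3 option ROM code and configuration, PCR 4 and 5 IPL code and data, PCR 6 state transitions, PCR 7 platform manufacturer control): here `OPTIONS ROMS CBFS: pciXXXX,XXXX.rom` goes to PCR-03 and `PAYLOAD CBFS: fallback/payload` to PCR-05 rather than PCR-04, and the only explanation is the later line "The TCPA Log for coreboot isn't TCG specification conform", which states the divergence without justifying it. Either align the table with the TCG layout or add a short paragraph on why coreboot deviates and what a verifier (vboot2, an OS attestation client) should expect. Related to that table, `BOOTBLOCK (optional)` in PCR-00 is the first code that executes; the document should say what serves as the CRTM of the SRTM chain when the bootblock is not measured, because otherwise every later PCR value hangs off an unmeasured root and the "Static Root of Trust for Measurement" claim in the introduction is not backed by the map. Smaller points in the same hunk: the "# Trusted Boot" paragraph contradicts itself ("locks out users the most times" versus "ensures that the PC is under control of the user") and should state plainly that trusted boot measures and records while secure boot enforces; "Google wrote his own" should read "its own"; "Chromebook's and Thinkpad's", "it's own trustedboot" and "Option ROM's" have stray apostrophes; and "## Hooks", "## PCR Measurement" and "## Seabios" are empty headings in a file that merges as documentation, so either fill them or mark them TODO in the text as the subject line already does.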