Bill XIE has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
As said in CB:34977, currently TPM and CRTM are initialized just before romstage loads a file within CBFS, or initialized in vboot_logic() if CONFIG_VBOOT is set.
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/lib/cbfs.c M src/security/tpm/Makefile.inc M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/misc.h M src/security/vboot/vboot_crtm.c M src/security/vboot/vboot_crtm.h 8 files changed, 136 insertions(+), 68 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/1
diff --git a/src/lib/cbfs.c b/src/lib/cbfs.c index 91368fb..246e741 100644 --- a/src/lib/cbfs.c +++ b/src/lib/cbfs.c @@ -327,6 +327,9 @@ * devices. */ const struct cbfs_locator __weak cbfs_master_header_locator = { .name = "Master Header Locator", +#if !CONFIG(VBOOT) && CONFIG(VBOOT_MEASURED_BOOT) + .prepare = measured_boot_init_crtm, +#endif .locate = cbfs_master_header_props, };
diff --git a/src/security/tpm/Makefile.inc b/src/security/tpm/Makefile.inc index a2d32cf..cb936cf 100644 --- a/src/security/tpm/Makefile.inc +++ b/src/security/tpm/Makefile.inc @@ -8,7 +8,10 @@ romstage-y += tss/tcg-1.2/tss.c
verstage-$(CONFIG_VBOOT) += tss/tcg-1.2/tss.c -postcar-$(CONFIG_VBOOT) += tss/tcg-1.2/tss.c + +ifneq ($(CONFIG_VBOOT_MEASURED_BOOT)$(CONFIG_VBOOT),) +postcar-y += tss/tcg-1.2/tss.c +endif
## TSPI
@@ -16,7 +19,10 @@ romstage-y += tspi/tspi.c
verstage-$(CONFIG_VBOOT) += tspi/tspi.c -postcar-$(CONFIG_VBOOT) += tspi/tspi.c + +ifneq ($(CONFIG_VBOOT_MEASURED_BOOT)$(CONFIG_VBOOT),) +postcar-y += tspi/tspi.c +endif
ramstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c romstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c @@ -45,7 +51,10 @@ romstage-y += tspi/tspi.c
verstage-$(CONFIG_VBOOT) += tspi/tspi.c -postcar-$(CONFIG_VBOOT) += tspi/tspi.c + +ifneq ($(CONFIG_VBOOT_MEASURED_BOOT)$(CONFIG_VBOOT),) +postcar-y += tspi/tspi.c +endif
ramstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c romstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c diff --git a/src/security/tpm/tspi/tspi.c b/src/security/tpm/tspi/tspi.c index 4698a4d..36dd3dd 100644 --- a/src/security/tpm/tspi/tspi.c +++ b/src/security/tpm/tspi/tspi.c @@ -20,7 +20,7 @@ #include <security/tpm/tspi.h> #include <security/tpm/tss.h> #include <stdlib.h> -#if CONFIG(VBOOT) +#if CONFIG(VBOOT) || CONFIG(VBOOT_MEASURED_BOOT) #include <vb2_api.h> #include <vb2_sha.h> #include <assert.h> @@ -220,7 +220,7 @@ return TPM_SUCCESS; }
-#if CONFIG(VBOOT) +#if CONFIG(VBOOT) || CONFIG(VBOOT_MEASURED_BOOT) uint32_t tpm_measure_region(const struct region_device *rdev, uint8_t pcr, const char *rname) { @@ -279,4 +279,4 @@ printk(BIOS_DEBUG, "TPM: Measured %s into PCR %d\n", rname, pcr); return TPM_SUCCESS; } -#endif /* VBOOT */ +#endif /* VBOOT || VBOOT_MEASURED_BOOT */ diff --git a/src/security/vboot/Kconfig b/src/security/vboot/Kconfig index c5146c6..955e8a6 100644 --- a/src/security/vboot/Kconfig +++ b/src/security/vboot/Kconfig @@ -13,7 +13,7 @@ ## GNU General Public License for more details. ##
-menu "Verified Boot (vboot)" +menu "vboot functionalities"
config VBOOT bool "Verify firmware with vboot." @@ -21,21 +21,17 @@ select VBOOT_MOCK_SECDATA if !TPM1 && !TPM2 depends on !MISSING_BOARD_RESET help - Enabling VBOOT will use vboot to verify the components of the firmware + Enabling verified voot will use vboot to verify the components of the firmware (stages, payload, etc).
-if VBOOT - -comment "Anti-Rollback Protection disabled because mocking secdata is enabled." - depends on VBOOT_MOCK_SECDATA - config VBOOT_MEASURED_BOOT - bool "Enable Measured Boot" + bool "Measure firmware components with vboot." default n depends on TPM1 || TPM2 depends on !VBOOT_RETURN_FROM_VERSTAGE help - Enables measured boot mode in vboot (experimental) + Enables measured boot will use vboot to measure the components of the firmware + (stages, payload, etc) to PCRs within TPM. (experimental)
config VBOOT_MEASURED_BOOT_RUNTIME_DATA string "Runtime data whitelist" @@ -45,6 +41,13 @@ Runtime data whitelist of cbfs filenames. Needs to be a comma separated list
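Review bot: The new help text for VBOOT_MEASURED_BOOT does not say what the measurements are anchored in now that the option can be selected without VBOOT. Going by the commit message and `measured_boot_init_crtm()`, the TPM and CRTM are then set up in romstage, so earlier code is presumably measured only after it has already run, and nothing is verified. That limits what the resulting PCR values can attest to and belongs in the help. I would reword it along the lines of `Measure the firmware components (stages, payload, etc.) into TPM PCRs using the vboot library. Without VBOOT nothing is verified and measurement starts in romstage.`, which also fixes the grammar of `Enables measured boot will use vboot to measure`.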
+if VBOOT + +comment "Anti-Rollback Protection disabled because mocking secdata is enabled." + depends on VBOOT_MOCK_SECDATA + +comment "A non-trivial fmd file with sections required by vboot is needed." + config VBOOT_SLOTS_RW_A bool "Firmware RO + RW_A" help diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc index d554f10..0729d9f 100644 --- a/src/security/vboot/Makefile.inc +++ b/src/security/vboot/Makefile.inc @@ -14,6 +14,58 @@ ## GNU General Public License for more details. ##
+ifneq ($(CONFIG_VBOOT_MEASURED_BOOT)$(CONFIG_VBOOT),) + +ifneq ($(CONFIG_TPM1)$(CONFIG_TPM2),) +verstage-y += tpm_common.c +endif + + +vboot-fixup-includes = $(patsubst -I%,-I$(top)/%,\ + $(patsubst $(src)/%.h,$(top)/$(src)/%.h,\ + $(filter-out -I$(obj),$(1)))) + +# call with $1 = stage name to create rules for building the library +# for the stage and adding it to the stage's set of object files. +define vboot-for-stage +VB2_LIB_$(1) = $(obj)/external/vboot_reference-$(1)/vboot_fw20.a +VBOOT_CFLAGS_$(1) += $$(call vboot-fixup-includes,$$(CPPFLAGS_$(1))) +VBOOT_CFLAGS_$(1) += $$(CFLAGS_$(1)) +VBOOT_CFLAGS_$(1) += $$(call vboot-fixup-includes,$$($(1)-c-ccopts)) +VBOOT_CFLAGS_$(1) += -I$(abspath $(obj)) -Wno-missing-prototypes +VBOOT_CFLAGS_$(1) += -DVBOOT_DEBUG + +$$(VB2_LIB_$(1)): $(obj)/config.h + printf " MAKE $(subst $(obj)/,,$(@))\n" + +FIRMWARE_ARCH=$$(ARCHDIR-$$(ARCH-$(1)-y)) \ + CC="$$(CC_$(1))" \ + CFLAGS="$$(VBOOT_CFLAGS_$(1))" VBOOT2="y" \ + $(MAKE) -C $(VBOOT_SOURCE) \ + BUILD=$$(abspath $$(dir $$(VB2_LIB_$(1)))) \ + V=$(V) \ + fwlib20 + +$(1)-srcs += $$(VB2_LIB_$(1)) + +endef # vboot-for-stage + +CFLAGS_common += -I3rdparty/vboot/firmware/2lib/include + +$(eval $(call vboot-for-stage,bootblock)) +$(eval $(call vboot-for-stage,romstage)) +$(eval $(call vboot-for-stage,ramstage)) +$(eval $(call vboot-for-stage,postcar)) + +endif # CONFIG_VBOOT_MEASURED_BOOT || CONFIG_VBOOT + +ifeq ($(CONFIG_VBOOT_MEASURED_BOOT),y) +bootblock-y += vboot_crtm.c +verstage-y += vboot_crtm.c +romstage-y += vboot_crtm.c +ramstage-y += vboot_crtm.c +postcar-y += vboot_crtm.c +endif # CONFIG_VBOOT_MEASURED_BOOT + ifeq ($(CONFIG_VBOOT),y)
bootblock-y += bootmode.c @@ -22,6 +74,12 @@ verstage-y += bootmode.c postcar-y += bootmode.c
+bootblock-y += vboot_common.c +verstage-y += vboot_common.c +romstage-y += vboot_common.c +ramstage-y += vboot_common.c +postcar-y += vboot_common.c + # When VBOOT_STARTS_IN_ROMSTAGE is selected, DRAM is already up by # the time verstage runs. ifneq ($(CONFIG_VBOOT_STARTS_IN_ROMSTAGE),y) @@ -63,19 +121,7 @@ verstage-y += vboot_loader.c postcar-y += vboot_loader.c
-bootblock-y += vboot_common.c -verstage-y += vboot_common.c -romstage-y += vboot_common.c -ramstage-y += vboot_common.c -postcar-y += vboot_common.c
-ifeq ($(CONFIG_VBOOT_MEASURED_BOOT),y) -bootblock-y += vboot_crtm.c -verstage-y += vboot_crtm.c -romstage-y += vboot_crtm.c -ramstage-y += vboot_crtm.c -postcar-y += vboot_crtm.c -endif
bootblock-y += common.c verstage-y += vboot_logic.c @@ -89,10 +135,6 @@ romstage-$(CONFIG_VBOOT_SEPARATE_VERSTAGE) += secdata_tpm.c endif
-ifneq ($(CONFIG_TPM1)$(CONFIG_TPM2),) -verstage-y += tpm_common.c -endif - romstage-y += vboot_logic.c romstage-y += common.c
@@ -101,41 +143,6 @@
romstage-$(CONFIG_FSP2_0_USES_TPM_MRC_HASH) += mrc_cache_hash_tpm.c
-vboot-fixup-includes = $(patsubst -I%,-I$(top)/%,\ - $(patsubst $(src)/%.h,$(top)/$(src)/%.h,\ - $(filter-out -I$(obj),$(1)))) - -# call with $1 = stage name to create rules for building the library -# for the stage and adding it to the stage's set of object files. -define vboot-for-stage -VB2_LIB_$(1) = $(obj)/external/vboot_reference-$(1)/vboot_fw20.a -VBOOT_CFLAGS_$(1) += $$(call vboot-fixup-includes,$$(CPPFLAGS_$(1))) -VBOOT_CFLAGS_$(1) += $$(CFLAGS_$(1)) -VBOOT_CFLAGS_$(1) += $$(call vboot-fixup-includes,$$($(1)-c-ccopts)) -VBOOT_CFLAGS_$(1) += -I$(abspath $(obj)) -Wno-missing-prototypes -VBOOT_CFLAGS_$(1) += -DVBOOT_DEBUG - -$$(VB2_LIB_$(1)): $(obj)/config.h - printf " MAKE $(subst $(obj)/,,$(@))\n" - +FIRMWARE_ARCH=$$(ARCHDIR-$$(ARCH-$(1)-y)) \ - CC="$$(CC_$(1))" \ - CFLAGS="$$(VBOOT_CFLAGS_$(1))" VBOOT2="y" \ - $(MAKE) -C $(VBOOT_SOURCE) \ - BUILD=$$(abspath $$(dir $$(VB2_LIB_$(1)))) \ - V=$(V) \ - fwlib20 - -$(1)-srcs += $$(VB2_LIB_$(1)) - -endef # vboot-for-stage - -CFLAGS_common += -I3rdparty/vboot/firmware/2lib/include - -$(eval $(call vboot-for-stage,bootblock)) -$(eval $(call vboot-for-stage,romstage)) -$(eval $(call vboot-for-stage,ramstage)) -$(eval $(call vboot-for-stage,postcar)) - ifeq ($(CONFIG_VBOOT_SEPARATE_VERSTAGE),y)
$(eval $(call vboot-for-stage,verstage)) diff --git a/src/security/vboot/misc.h b/src/security/vboot/misc.h index 725f5fd..8761b84 100644 --- a/src/security/vboot/misc.h +++ b/src/security/vboot/misc.h @@ -127,5 +127,21 @@ } }
+static inline int vboot_crtm_is_set(void) +{ + extern int crtm_is_set; + if (CONFIG(VBOOT)) { + return vboot_logic_executed(); + } else if(ENV_ROMSTAGE) { + return car_get_var(crtm_is_set); + } else { +#ifdef __PRE_RAM__ + return 0; +#else + return 1; +#endif + } +} +
#endif /* __VBOOT_MISC_H__ */ diff --git a/src/security/vboot/vboot_crtm.c b/src/security/vboot/vboot_crtm.c index e4266b2..92f05e5 100644 --- a/src/security/vboot/vboot_crtm.c +++ b/src/security/vboot/vboot_crtm.c @@ -19,11 +19,13 @@ #include <security/vboot/vboot_crtm.h> #include <security/vboot/misc.h> #include <string.h> +#include <timestamp.h>
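Review bot: With CONFIG(VBOOT) off, the last branch of `vboot_crtm_is_set()` returns a constant `1` in every stage built without `__PRE_RAM__`, so ramstage and postcar report the CRTM as set even when `measured_boot_init_crtm()` failed in romstage and left `crtm_is_set` at 0. `vboot_measure_cbfs_hook()` would then keep extending PCRs for later files although `tpm_setup()` or `vboot_init_crtm()` did not succeed, giving a measurement log that lacks its early entries but otherwise looks normal. The post-RAM branch should read a result that romstage persisted across the stage boundary instead of `return 1;`; as far as I can tell a `CAR_GLOBAL` is not shared with ramstage, so this needs storage that is. The helper also returns 0 in the bootblock, so files located there never go through the hook; if that is intended, a comment on the function should say so.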
/* * This functions sets the TCPA log namespace * for the cbfs file (region) lookup. */ + static int create_tcpa_metadata(const struct region_device *rdev, const char *cbfs_name, char log_string[TCPA_PCR_HASH_NAME]) { @@ -90,7 +92,8 @@ } }
- if (CONFIG(VBOOT_STARTS_IN_ROMSTAGE)) { + if (CONFIG(VBOOT_STARTS_IN_ROMSTAGE) || + CONFIG(VBOOT_MEASURED_BOOT)) { struct cbfsf romstage_data; /* measure romstage from RO */ if (cbfs_boot_locate(&romstage_data, @@ -164,7 +167,7 @@ struct region_device rdev; char tcpa_metadata[TCPA_PCR_HASH_NAME];
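Review bot: The widened condition `CONFIG(VBOOT_STARTS_IN_ROMSTAGE) || CONFIG(VBOOT_MEASURED_BOOT)` is always true in this file, because the Makefile.inc hunk of this change builds vboot_crtm.c only when CONFIG_VBOOT_MEASURED_BOOT is `y`. That makes the VBOOT_STARTS_IN_ROMSTAGE test dead and also takes the "measure romstage from RO" path for existing VBOOT configurations with a separate verstage, which would change their PCR values and presumably measure a romstage copy other than the one that is executed. If the intent is to cover only the new non-VBOOT case, the condition should be `if (CONFIG(VBOOT_STARTS_IN_ROMSTAGE) || !CONFIG(VBOOT)) {`. The enclosing function starts and ends outside the hunk.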
- if (!vboot_logic_executed()) + if (!vboot_crtm_is_set()) return 0;
cbfsf_file_type(fh, &cbfs_type); @@ -193,3 +196,26 @@
return tpm_measure_region(&rdev, pcr_index, tcpa_metadata); } + +int crtm_is_set CAR_GLOBAL; + +void measured_boot_init_crtm(void) +{ + if (ENV_ROMSTAGE) { + timestamp_add_now(TS_START_TPMINIT); + int result = tpm_setup(vboot_platform_is_resuming()); + timestamp_add_now(TS_END_TPMINIT); + + if (result == TPM_SUCCESS) { + result = vboot_init_crtm(); + if(result != VB2_SUCCESS) { + printk(BIOS_INFO, + "Initializing CRTM failed!"); + } else { + car_set_var(crtm_is_set, 1); + } + } else { + printk(BIOS_INFO, "TPM setup failed!"); + } + } +} diff --git a/src/security/vboot/vboot_crtm.h b/src/security/vboot/vboot_crtm.h index 64cb4f2..87bfa2d 100644 --- a/src/security/vboot/vboot_crtm.h +++ b/src/security/vboot/vboot_crtm.h @@ -53,6 +53,10 @@ * return 0 if successful, else an error */ uint32_t vboot_measure_cbfs_hook(struct cbfsf *fh, const char *name); +/* + * Initialize crtm without running vboot_logic() + */ +void measured_boot_init_crtm(void);
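Review bot: `measured_boot_init_crtm()` has no guard against running twice and reports failure only through `printk(BIOS_INFO, ...)` messages that lack a trailing newline. If the `.prepare` hook it is attached to in cbfs.c is invoked more than once in romstage (not visible from this hunk), `tpm_setup()` and `vboot_init_crtm()` would run again and could extend the CRTM measurements a second time; an early `if (car_get_var(crtm_is_set)) return;` avoids that after a successful first run. A failed TPM setup or CRTM init means the boot continues unmeasured, so it deserves `printk(BIOS_ERR, "Initializing CRTM failed!\n");` and `printk(BIOS_ERR, "TPM setup failed!\n");` rather than an info-level line. A short comment above the function stating that it does nothing outside romstage, and what callers may assume after a failure, would also help.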
#else #define vboot_measure_cbfs_hook(fh, name) 0
build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 1:
(3 comments)
https://review.coreboot.org/c/coreboot/+/35077/1/src/security/vboot/misc.h File src/security/vboot/misc.h:
https://review.coreboot.org/c/coreboot/+/35077/1/src/security/vboot/misc.h@1... PS1, Line 135: } else if(ENV_ROMSTAGE) { space required before the open parenthesis '('
https://review.coreboot.org/c/coreboot/+/35077/1/src/security/vboot/misc.h@1... PS1, Line 137: } else { else is not generally useful after a break or return
https://review.coreboot.org/c/coreboot/+/35077/1/src/security/vboot/vboot_cr... File src/security/vboot/vboot_crtm.c:
https://review.coreboot.org/c/coreboot/+/35077/1/src/security/vboot/vboot_cr... PS1, Line 211: if(result != VB2_SUCCESS) { space required before the open parenthesis '('
Hello Aaron Durbin, Philipp Deppenwiese, build bot (Jenkins), Patrick Georgi, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#2).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
As said in CB:34977, currently TPM and CRTM are initialized just before romstage loads a file within CBFS, or initialized in vboot_logic() if CONFIG_VBOOT is set.
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/lib/cbfs.c M src/security/tpm/Makefile.inc M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/misc.h M src/security/vboot/vboot_crtm.c M src/security/vboot/vboot_crtm.h 8 files changed, 138 insertions(+), 68 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/2
build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 2:
(2 comments)
https://review.coreboot.org/c/coreboot/+/35077/2/src/security/vboot/misc.h File src/security/vboot/misc.h:
https://review.coreboot.org/c/coreboot/+/35077/2/src/security/vboot/misc.h@1... PS2, Line 133: if (CONFIG(VBOOT)) { braces {} are not necessary for single statement blocks
https://review.coreboot.org/c/coreboot/+/35077/2/src/security/vboot/misc.h@1... PS2, Line 137: if (ENV_ROMSTAGE) { braces {} are not necessary for single statement blocks
Hello Aaron Durbin, Philipp Deppenwiese, build bot (Jenkins), Patrick Georgi, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#3).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
As said in CB:34977, currently TPM and CRTM are initialized just before romstage loads a file within CBFS, or initialized in vboot_logic() if CONFIG_VBOOT is set.
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/lib/cbfs.c M src/security/tpm/Makefile.inc M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/misc.h M src/security/vboot/vboot_crtm.c M src/security/vboot/vboot_crtm.h 8 files changed, 136 insertions(+), 68 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/3
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 3:
(5 comments)
https://review.coreboot.org/c/coreboot/+/35077/2/src/security/vboot/misc.h File src/security/vboot/misc.h:
https://review.coreboot.org/c/coreboot/+/35077/2/src/security/vboot/misc.h@1... PS2, Line 133: if (CONFIG(VBOOT)) {
braces {} are not necessary for single statement blocks
Ack
https://review.coreboot.org/c/coreboot/+/35077/2/src/security/vboot/misc.h@1... PS2, Line 137: if (ENV_ROMSTAGE) {
braces {} are not necessary for single statement blocks
Ack
https://review.coreboot.org/c/coreboot/+/35077/1/src/security/vboot/misc.h File src/security/vboot/misc.h:
https://review.coreboot.org/c/coreboot/+/35077/1/src/security/vboot/misc.h@1... PS1, Line 135: } else if(ENV_ROMSTAGE) {
space required before the open parenthesis '('
Ack
https://review.coreboot.org/c/coreboot/+/35077/1/src/security/vboot/misc.h@1... PS1, Line 137: } else {
else is not generally useful after a break or return
Ack
https://review.coreboot.org/c/coreboot/+/35077/1/src/security/vboot/vboot_cr... File src/security/vboot/vboot_crtm.c:
https://review.coreboot.org/c/coreboot/+/35077/1/src/security/vboot/vboot_cr... PS1, Line 211: if(result != VB2_SUCCESS) {
space required before the open parenthesis '('
Ack
Philipp Deppenwiese has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 4: Code-Review-2
I don't get the point of this patch. Please give me more documentation
Hello Aaron Durbin, Philipp Deppenwiese, build bot (Jenkins), Patrick Georgi, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#5).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot, making them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled. (Currently, in this change, it is done when romstage is about to load another file within CBFS, after DRAM is initialized.)
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/lib/cbfs.c M src/security/tpm/Makefile.inc M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/misc.h M src/security/vboot/vboot_crtm.c M src/security/vboot/vboot_crtm.h 8 files changed, 136 insertions(+), 68 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/5
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 5:
Patch Set 4: Code-Review-2
I don't get the point of this patch. Please give me more documentation
Comment of this change is rewritten.
Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 5:
(14 comments)
Thanks! I think this fundamentally goes into the right direction, just needs a bit of tweaking here and there.
Philipp, do you have any fundamental concerns about this? I think separating measured boot from verified boot makes sense.
https://review.coreboot.org/c/coreboot/+/35077/5/src/lib/cbfs.c File src/lib/cbfs.c:
https://review.coreboot.org/c/coreboot/+/35077/5/src/lib/cbfs.c@330 PS5, Line 330: #if !CONFIG(VBOOT) && CONFIG(VBOOT_MEASURED_BOOT) I'm not sure this prepare() callback is a good fit for this. First of all it only runs for programs (not other kinds of CBFS files), and secondly platforms can override cbfs_master_header_locator (currently done by soc/intel/apollolake).
Why not just put this at the end of bootblock_main()?
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/tpm/Makefile.i... File src/security/tpm/Makefile.inc:
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/tpm/Makefile.i... PS5, Line 10: CONFIG_VBOOT Just remove the conditional linking here (make it verstage-y and postcar-y) rather than making it more complicated. For normal C files there's no extra cost for linking more files, we can just link everything we have and let the garbage collector sort it out.
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/tpm/tspi/tspi.... File src/security/tpm/tspi/tspi.c:
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/tpm/tspi/tspi.... PS5, Line 25: #if CONFIG(VBOOT) || CONFIG(VBOOT_MEASURED_BOOT) We should make vboot library primitives (like hash functions) available unconditionally, so you should just take out the #if completely.
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/tpm/tspi/tspi.... PS5, Line 246: #if CONFIG(VBOOT) || CONFIG(VBOOT_MEASURED_BOOT) ...here too.
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/vboot/Kconfig File src/security/vboot/Kconfig:
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/vboot/Kconfig@... PS5, Line 16: menu "vboot functionalities" I think you should move all the measured boot stuff (i.e. the relevant options from here and vboot_crtm.c) out of the vboot directory, and rename everything so that there's no more "vboot" in the names. Maybe just put it in src/security/tpm/tspi/crtm.c? (The TCPA log stuff is already there too so I think that would make sense.)
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/vboot/Kconfig@... PS5, Line 24: verified voot Please don't replace perfectly fine help text with typos. ;)
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/vboot/Makefile... File src/security/vboot/Makefile.inc:
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/vboot/Makefile... PS5, Line 66: bootblock-y += vboot_common.c I don't see why this would need to move?
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/vboot/Makefile... PS5, Line 17: ifneq ($(CONFIG_VBOOT_MEASURED_BOOT)$(CONFIG_VBOOT),) Rather than building it for both vboot and measured boot, I think we should build and link the vboot library unconditionally. Only the actual verification stuff (e.g. the src/security/vboot/* files) should be conditional on CONFIG_VBOOT.
This change (building the library unconditionally) should probably be a separate patch, and then the patch factoring out measured boot on top of that.
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/vboot/Makefile... PS5, Line 20: verstage-y += tpm_common.c Hmmm... no, this is not good, if you need this file for measured boot then it shouldn't be in this directory. All the files in src/security/vboot/ should only get built when CONFIG_VBOOT is active.
What do you need from there, anyway? Neither of the functions in there are required for measured boot.
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/vboot/Makefile... PS5, Line 59: endif # CONFIG_VBOOT_MEASURED_BOOT || CONFIG_VBOOT This is where the ifneq ($(CONFIG_VBOOT),) should start. So everything above here should be built unconditionally, and everything below here should only be built for CONFIG_VBOOT.
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/vboot/Makefile... PS5, Line 61: ifeq ($(CONFIG_VBOOT_MEASURED_BOOT),y) This is the stuff that should go into another directory.
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/vboot/Makefile... PS5, Line 69: ifeq ($(CONFIG_VBOOT),y) (Slightly off-topic, but this ifeq seems to be pointless because CONFIG_VBOOT should always be y here.)
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/vboot/misc.h File src/security/vboot/misc.h:
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/vboot/misc.h@1... PS5, Line 130: static inline int vboot_crtm_is_set(void) Does this need to be externally accessible anyway? I think you can keep this local to crtm.c.
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/vboot/misc.h@1... PS5, Line 139: __PRE_RAM__ We use if (ENV_ROMSTAGE_OR_BEFORE) for this kind of stuff now (see Kyösti's recent patches).
Hello Aaron Durbin, Philipp Deppenwiese, build bot (Jenkins), Patrick Georgi, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#6).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot, making them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled. (Currently, in this change, it is done when romstage is about to load another file within CBFS, after DRAM is initialized.)
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/lib/cbfs.c M src/security/tpm/Makefile.inc M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/misc.h M src/security/vboot/vboot_crtm.c M src/security/vboot/vboot_crtm.h 8 files changed, 129 insertions(+), 72 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/6
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 6:
(5 comments)
Thanks for your instructions, Julius! I am going to improve this patch progressively, from easier points to harder ones.
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/tpm/Makefile.i... File src/security/tpm/Makefile.inc:
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/tpm/Makefile.i... PS5, Line 10: CONFIG_VBOOT
Just remove the conditional linking here (make it verstage-y and postcar-y) rather than making it mo […]
Resolved as you pointed out.
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/tpm/tspi/tspi.... File src/security/tpm/tspi/tspi.c:
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/tpm/tspi/tspi.... PS5, Line 25: #if CONFIG(VBOOT) || CONFIG(VBOOT_MEASURED_BOOT)
We should make vboot library primitives (like hash functions) available unconditionally, so you shou […]
Resolved as you pointed out.
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/tpm/tspi/tspi.... PS5, Line 246: #if CONFIG(VBOOT) || CONFIG(VBOOT_MEASURED_BOOT)
...here too.
Resolved as you pointed out.
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/vboot/misc.h File src/security/vboot/misc.h:
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/vboot/misc.h@1... PS5, Line 130: static inline int vboot_crtm_is_set(void)
Does this need to be externally accessible anyway? I think you can keep this local to crtm.c.
Resolved as you pointed out.
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/vboot/misc.h@1... PS5, Line 139: __PRE_RAM__
We use if (ENV_ROMSTAGE_OR_BEFORE) for this kind of stuff now (see Kyösti's recent patches).
Resolved as you pointed out.
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 6:
(1 comment)
https://review.coreboot.org/c/coreboot/+/35077/5/src/lib/cbfs.c File src/lib/cbfs.c:
https://review.coreboot.org/c/coreboot/+/35077/5/src/lib/cbfs.c@330 PS5, Line 330: #if !CONFIG(VBOOT) && CONFIG(VBOOT_MEASURED_BOOT)
I'm not sure this prepare() callback is a good fit for this. […]
The only exact match of "bootblock_main()" is specific to soc/cavium, and every less-exact match is somehow platform-specific. For example, bootblock_main_with_timestamp() in lib/bootblock.c seems to be used on platforms with C_ENVIRONMENT_BOOTBLOCK selected, while platforms without C_ENVIRONMENT_BOOTBLOCK selected (including most x86 platforms prior to haswell) seem to use a romcc-compiled bootblock from either src/arch/x86/bootblock_simple.c or bootblock_normal.c.
We had better find a platform-independent location to hook measured_boot_init_crtm(), which is why I initially chose this prepare() callback.
Do you know a more platform-independent location for this?
Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 6:
(1 comment)
https://review.coreboot.org/c/coreboot/+/35077/5/src/lib/cbfs.c File src/lib/cbfs.c:
https://review.coreboot.org/c/coreboot/+/35077/5/src/lib/cbfs.c@330 PS5, Line 330: #if !CONFIG(VBOOT) && CONFIG(VBOOT_MEASURED_BOOT)
The only exact match of "bootblock_main()" is specific to soc/cavium, and every less-exact match is […]
Yes, I meant bootblock_main_with_timestamp(). I wasn't aware that there are still platforms not using C_ENVIRONMENT_BOOTBLOCK... do you think it is important to support this feature there? You can assume that all future boards should be using it.
I'm generally not a big fan of the current way vboot_crtm.c backpedals to find and hash all the things that have been loaded before it. It loads the same stuff twice (well, technically, measured boot always loads the same stuff twice right now, but for the hook it might be easier to remedy in the future) and it also misses things if there are platform-specific files loaded by the bootblock or verstage.
Putting the TPM init into the bootblock would be one way to somewhat remedy this (except for measuring the bootblock itself or other files loaded earlier than where the TPM init happens). The other option I thought about was turning the whole thing around so that we don't extend the TPM registers immediately for all those early hashes, but we instead just record them (at the time things are loaded) and then "replay" those records to put them into the TPM later once it is up. We already have a record of all the hashes anyway (the TCPA log), we'd just have to redefine it from being a pure "stuff we wrote to the TPM" log into a "stuff we're *going* to write into the TPM" log.
So with that idea we'd have to keep track of whether the TPM is enabled (for vboot this happens in verstage, for non-vboot currently in ramstage via src/drivers/tpm/tpm.c) and change tpm_extend_pcr() to not call tlcl_extend() if it isn't. Instead we'd just write that hash to the TCPA log and continue. When tpm_setup() is called later, we'd have to go through the TCPA log and extend all hashes from there into the TPM.
Maybe that second variant would work better? (In that case, MEASURED_BOOT would just have to 'select TPM_INIT if !VBOOT' and then that platform-independent location to initialize it would be the TPM initialization driver called from the boot state machine in ramstage.)
Hello Aaron Durbin, Philipp Deppenwiese, build bot (Jenkins), Patrick Georgi, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#7).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot, making them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled. (Currently, in this change, it is done when romstage is about to load another file within CBFS, after DRAM is initialized.)
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/lib/cbfs.c M src/security/tpm/Makefile.inc M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/misc.h M src/security/vboot/vboot_crtm.c M src/security/vboot/vboot_crtm.h 8 files changed, 129 insertions(+), 72 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/7
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 7:
(2 comments)
https://review.coreboot.org/c/coreboot/+/35077/5/src/lib/cbfs.c File src/lib/cbfs.c:
https://review.coreboot.org/c/coreboot/+/35077/5/src/lib/cbfs.c@330 PS5, Line 330: #if !CONFIG(VBOOT) && CONFIG(VBOOT_MEASURED_BOOT)
Yes, I meant bootblock_main_with_timestamp(). I wasn't aware that there are still platforms not using C_ENVIRONMENT_BOOTBLOCK... do you think it is important to support this feature there? You can assume that all future boards should be using it.
According to my understanding, C_ENVIRONMENT_BOOTBLOCK is the direction in which the bootblock is evolving, but sadly, the platforms I currently own and use have not migrated to C_ENVIRONMENT_BOOTBLOCK yet, so I may have to wait for that, or start trying the second variant somehow ;-)
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/vboot/Kconfig File src/security/vboot/Kconfig:
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/vboot/Kconfig@... PS5, Line 24: verified voot
Please don't replace perfectly fine help text with typos. […]
Fixed as you pointed out.
Philipp Deppenwiese has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 7:
And again I am not happy about this change because it leads again to multiple threat models and ways how you do security as default coreboot security architecture. If you want to use measured boot without verified boot look into eltan's vendor implementation and use that instead.
Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 7:
And again I am not happy about this change because it leads again to multiple threat models and ways how you do security as default coreboot security architecture.
I don't really understand your concerns here? Security should be configurable, since every feature comes with trade-offs and not everyone has the same requirements. That doesn't mean you can't have a single unified threat model; it just means that threat model needs to separate out which configurations can protect against which threats. coreboot aims to be a firmware for everyone, so we'll never want to force a single, rigid one-size-fits-all security model (for example, Chrome OS is not interested in measured boot and doesn't want it enabled). Instead we should provide a security toolbox that allows everyone to tune the security model to their requirements, and if someone has a need for measured-but-not-verified boot I see no reason why we shouldn't allow that (assuming it doesn't harm any other use case, which, with a thoughtful implementation, I don't think it should).
If you want to use measured boot without verified boot look into eltan's vendor implementation and use that instead.
I hope you aren't serious? We need less vendorcode fragmentation, not more.
Philipp Deppenwiese has removed a vote from this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Removed Code-Review-2 by Philipp Deppenwiese zaolin.daisuki@gmail.com
Philipp Deppenwiese has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 7:
We need to refactor it. I looked through it and we should start to integrate it into vboot by adding new features
Hello Aaron Durbin, Philipp Deppenwiese, build bot (Jenkins), Patrick Georgi, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#8).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot, making them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled. (Currently, in this change, it is done when romstage is about to load another file within CBFS, after DRAM is initialized.)
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/lib/cbfs.c M src/security/tpm/Makefile.inc M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/misc.h M src/security/vboot/vboot_crtm.c M src/security/vboot/vboot_crtm.h 8 files changed, 138 insertions(+), 37 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/8
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 13:
(1 comment)
This change is ready for review.
https://review.coreboot.org/c/coreboot/+/35077/5/src/lib/cbfs.c File src/lib/cbfs.c:
https://review.coreboot.org/c/coreboot/+/35077/5/src/lib/cbfs.c@330 PS5, Line 330: #if !CONFIG(VBOOT) && CONFIG(VBOOT_MEASURED_BOOT)
Yes, I meant bootblock_main_with_timestamp(). […]
The latest revision can basically work with C_ENVIRONMENT_BOOTBLOCK.
Hello Aaron Durbin, Philipp Deppenwiese, build bot (Jenkins), Patrick Georgi, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#14).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot, making them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled. (Currently, in this change, it is done when romstage is about to load another file within CBFS, after DRAM is initialized.)
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/drivers/pc80/tpm/Makefile.inc M src/lib/bootblock.c M src/security/tpm/Makefile.inc M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/misc.h M src/security/vboot/vboot_crtm.c M src/security/vboot/vboot_crtm.h 9 files changed, 137 insertions(+), 68 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/14
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 14:
(2 comments)
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/vboot/Makefile... File src/security/vboot/Makefile.inc:
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/vboot/Makefile... PS5, Line 66: bootblock-y += vboot_common.c
I don't see why this would need to move?
Reverted.
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/vboot/Makefile... PS5, Line 20: verstage-y += tpm_common.c
Hmmm... […]
This is old logic that was retained; it is going to be resolved when the files for CRTM are migrated out of the vboot directory.
Hello Aaron Durbin, Philipp Deppenwiese, build bot (Jenkins), Patrick Georgi, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#15).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.(currently in this change it is done after the C_ENVIRONMENT bootblock loads romstage.)
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
TODO: Measure the MRC cache somewhere; it no longer resides in CBFS, so it cannot be covered by vboot_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/drivers/pc80/tpm/Makefile.inc M src/lib/bootblock.c M src/security/tpm/Makefile.inc M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/misc.h M src/security/vboot/vboot_crtm.c M src/security/vboot/vboot_crtm.h 9 files changed, 137 insertions(+), 68 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/15
Hello Aaron Durbin, Philipp Deppenwiese, build bot (Jenkins), Patrick Georgi, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#16).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.(currently in this change it is done after the C_ENVIRONMENT bootblock loads romstage.)
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
TODO: Measure the MRC cache somewhere; it no longer resides in CBFS, so it cannot be covered by vboot_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/drivers/pc80/tpm/Makefile.inc M src/lib/bootblock.c M src/security/tpm/Makefile.inc M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/vboot_crtm.c M src/security/vboot/vboot_crtm.h 8 files changed, 137 insertions(+), 66 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/16
Hello Aaron Durbin, Philipp Deppenwiese, build bot (Jenkins), Patrick Georgi, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#17).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.(currently in this change it is done after the C_ENVIRONMENT bootblock loads romstage.)
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
TODO: Measure the MRC cache somewhere; it no longer resides in CBFS, so it cannot be covered by vboot_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/drivers/pc80/tpm/Makefile.inc M src/lib/bootblock.c M src/security/tpm/Makefile.inc M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/vboot_crtm.c M src/security/vboot/vboot_crtm.h 8 files changed, 133 insertions(+), 62 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/17
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 17:
(1 comment)
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/vboot/Makefile... File src/security/vboot/Makefile.inc:
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/vboot/Makefile... PS5, Line 20: verstage-y += tpm_common.c
It is a retained old logic, and going to be resolved when files for crtm are migrated out of vboot d […]
Reverted, since it is originally for verstage (CONFIG_VBOOT) only.
Hello Aaron Durbin, Philipp Deppenwiese, build bot (Jenkins), Patrick Georgi, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#18).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.(currently in this change it is done after the C_ENVIRONMENT bootblock loads romstage.)
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
TODO: Measure the MRC cache somewhere; it no longer resides in CBFS, so it cannot be covered by vboot_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/drivers/pc80/tpm/Makefile.inc M src/lib/bootblock.c M src/security/tpm/Makefile.inc M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/vboot_crtm.c M src/security/vboot/vboot_crtm.h 8 files changed, 127 insertions(+), 62 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/18
Hello Aaron Durbin, Philipp Deppenwiese, build bot (Jenkins), Patrick Georgi, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#19).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.(currently in this change it is done after the C_ENVIRONMENT bootblock loads romstage.)
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
TODO: Measure the MRC cache somewhere; it no longer resides in CBFS, so it cannot be covered by vboot_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/drivers/pc80/tpm/Makefile.inc M src/lib/bootblock.c M src/lib/cbfs.c M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc R src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/vboot_logic.c 16 files changed, 127 insertions(+), 72 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/19
Hello Werner Zeh, Aaron Durbin, Julius Werner, Philipp Deppenwiese, build bot (Jenkins), Patrick Georgi, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#20).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.(currently in this change it is done after the C_ENVIRONMENT bootblock loads romstage.)
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
TODO: Measure the MRC cache somewhere; it no longer resides in CBFS, so it cannot be covered by vboot_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/drivers/pc80/tpm/Makefile.inc M src/lib/bootblock.c M src/lib/cbfs.c M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc R src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/vboot_logic.c 16 files changed, 128 insertions(+), 73 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/20
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 21:
(4 comments)
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/vboot/Makefile... File src/security/vboot/Makefile.inc:
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/vboot/Makefile... PS5, Line 17: ifneq ($(CONFIG_VBOOT_MEASURED_BOOT)$(CONFIG_VBOOT),)
Rather than building it for both vboot and measured boot, I think we should build and link the vboot […]
The other change, which modifies how the vboot library is built, is CB:37787.
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/vboot/Makefile... PS5, Line 59: endif # CONFIG_VBOOT_MEASURED_BOOT || CONFIG_VBOOT
This is where the ifneq ($(CONFIG_VBOOT),) should start. […]
Done
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/vboot/Makefile... PS5, Line 61: ifeq ($(CONFIG_VBOOT_MEASURED_BOOT),y)
This is the stuff that should go into another directory.
Done
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/vboot/Makefile... PS5, Line 69: ifeq ($(CONFIG_VBOOT),y)
(Slightly off-topic, but this ifeq seems to be pointless because CONFIG_VBOOT should always be y her […]
Done
Hello Werner Zeh, Aaron Durbin, Wim Vervoorn, Julius Werner, Philipp Deppenwiese, build bot (Jenkins), Patrick Georgi, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#22).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.(currently in this change it is done after the C_ENVIRONMENT bootblock loads romstage.)
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
TODO: Measure the MRC cache somewhere; it no longer resides in CBFS, so it cannot be covered by vboot_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/drivers/pc80/tpm/Makefile.inc M src/lib/bootblock.c M src/lib/cbfs.c M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc R src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/vboot_logic.c 16 files changed, 128 insertions(+), 73 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/22
Hello Werner Zeh, Aaron Durbin, Wim Vervoorn, Julius Werner, Philipp Deppenwiese, build bot (Jenkins), Patrick Georgi, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#23).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.(currently in this change it is done after the C_ENVIRONMENT bootblock loads romstage.)
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
TODO: Measure the MRC cache somewhere; it no longer resides in CBFS, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/drivers/pc80/tpm/Makefile.inc M src/lib/bootblock.c M src/lib/cbfs.c M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc R src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/vboot_logic.c 16 files changed, 128 insertions(+), 73 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/23
Hello Werner Zeh, Aaron Durbin, Wim Vervoorn, Julius Werner, Philipp Deppenwiese, build bot (Jenkins), Patrick Georgi, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#26).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.(currently in this change it is done after the C_ENVIRONMENT bootblock loads romstage.)
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
TODO: Measure the MRC cache somewhere; it no longer resides in CBFS, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/drivers/pc80/tpm/Makefile.inc M src/lib/bootblock.c M src/lib/cbfs.c M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc R src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/vboot_logic.c 16 files changed, 128 insertions(+), 73 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/26
Wim Vervoorn has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 26: Code-Review+1
Joel Kitching has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 27:
(10 comments)
https://review.coreboot.org/c/coreboot/+/35077/27/src/lib/bootblock.c File src/lib/bootblock.c:
https://review.coreboot.org/c/coreboot/+/35077/27/src/lib/bootblock.c@25 PS27, Line 25: #include <security/tpm/tspi/crtm.h> Check your alphabetical order. (Other files too.)
https://review.coreboot.org/c/coreboot/+/35077/27/src/lib/bootblock.c@73 PS27, Line 73: !CONFIG(VBOOT) && CONFIG(TSPI_MEASURED_BOOT) Why can't we just run this unconditionally here, and remove the call from verstage?
https://review.coreboot.org/c/coreboot/+/35077/27/src/mainboard/siemens/mc_a... File src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig:
https://review.coreboot.org/c/coreboot/+/35077/27/src/mainboard/siemens/mc_a... PS27, Line 16: config VBOOT : select TSPI_MEASURED_BOOT Shouldn't this live under TPM now?
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/tpm/Kconfig File src/security/tpm/Kconfig:
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/tpm/Kconfig@1... PS27, Line 119: Runtime data whitelist of cbfs filenames. Needs to be a comma separated This line looks longer than all the others?
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/tpm/tspi/crtm... File src/security/tpm/tspi/crtm.h:
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/tpm/tspi/crtm... PS27, Line 56: * Try to keep a blank line in between function headers?
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/tpm/tspi/crtm... File src/security/tpm/tspi/crtm.c:
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/tpm/tspi/crtm... PS27, Line 25: This functions This function or these functions?
If singular, probably don't need a blank line below.
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/tpm/tspi/crtm... PS27, Line 162: int crtm_is_set; Can this be a static variable inside the function?
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/tpm/tspi/crtm... PS27, Line 218: boot_platform_is_resuming() If this is not just used by vboot_ anymore, we should find a better home for it.
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/tpm/tspi/crtm... PS27, Line 223: if (result != VB2_SUCCESS) { : printk(BIOS_INFO, : "Initializing CRTM failed!"); : } else { : crtm_is_set = 1; : } I think that printk can fit on one line now, with the longer coreboot.org line length limit.
And for one-statement conditional bodies, we don't need the {} braces here.
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/vboot/vboot_l... File src/security/vboot/vboot_logic.c:
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/vboot/vboot_l... PS27, Line 329: if (CONFIG(TSPI_MEASURED_BOOT) && : !(ctx->flags & VB2_CONTEXT_S3_RESUME)) { : if (tspi_init_crtm() != VB2_SUCCESS) Can we just always run this in bootblock and remove the code here?
Hello Werner Zeh, Aaron Durbin, Wim Vervoorn, Julius Werner, Philipp Deppenwiese, build bot (Jenkins), Patrick Georgi, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#28).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.(currently in this change it is done after the C_ENVIRONMENT bootblock loads romstage.)
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
TODO: Measure the MRC cache somewhere: it no longer resides in CBFS, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/drivers/pc80/tpm/Makefile.inc M src/include/bootmode.h M src/lib/bootblock.c M src/lib/cbfs.c M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc R src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/vboot_common.h M src/security/vboot/vboot_logic.c M src/soc/amd/common/block/acpi/acpi.c M src/soc/intel/baytrail/pmutil.c M src/soc/intel/braswell/pmutil.c M src/soc/intel/broadwell/pmutil.c M src/soc/intel/common/block/pmc/pmclib.c M src/southbridge/intel/common/pmbase.c M src/vendorcode/eltan/security/verified_boot/vboot_check.c 25 files changed, 153 insertions(+), 109 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/28
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 27:
(9 comments)
https://review.coreboot.org/c/coreboot/+/35077/27/src/lib/bootblock.c File src/lib/bootblock.c:
https://review.coreboot.org/c/coreboot/+/35077/27/src/lib/bootblock.c@25 PS27, Line 25: #include <security/tpm/tspi/crtm.h>
Check your alphabetical order. (Other files too. […]
Done
https://review.coreboot.org/c/coreboot/+/35077/27/src/mainboard/siemens/mc_a... File src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig:
https://review.coreboot.org/c/coreboot/+/35077/27/src/mainboard/siemens/mc_a... PS27, Line 16: config VBOOT : select TSPI_MEASURED_BOOT
Shouldn't this live under TPM now?
Done in all changed variants.
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/tpm/Kconfig File src/security/tpm/Kconfig:
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/tpm/Kconfig@1... PS27, Line 119: Runtime data whitelist of cbfs filenames. Needs to be a comma separated
This line looks longer than all the others?
Done
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/tpm/tspi/crtm... File src/security/tpm/tspi/crtm.h:
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/tpm/tspi/crtm... PS27, Line 56: *
Try to keep a blank line in between function headers?
Done
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/tpm/tspi/crtm... File src/security/tpm/tspi/crtm.c:
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/tpm/tspi/crtm... PS27, Line 25: This functions
This function or these functions? […]
Done
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/tpm/tspi/crtm... PS27, Line 162: int crtm_is_set;
Can this be a static variable inside the function?
No, crtm_is_set should be accessible with both tspi_crtm_is_set() and measured_boot_init_crtm().
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/tpm/tspi/crtm... PS27, Line 218: boot_platform_is_resuming()
If this is not just used by vboot_ anymore, we should find a better home for it.
Moved from vboot_common.h to bootmode.h as platform_is_resuming().
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/tpm/tspi/crtm... PS27, Line 223: if (result != VB2_SUCCESS) { : printk(BIOS_INFO, : "Initializing CRTM failed!"); : } else { : crtm_is_set = 1; : }
I think that printk can fit on one line now, with the longer coreboot.org line length limit. […]
Done
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/vboot/vboot_l... File src/security/vboot/vboot_logic.c:
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/vboot/vboot_l... PS27, Line 329: if (CONFIG(TSPI_MEASURED_BOOT) && : !(ctx->flags & VB2_CONTEXT_S3_RESUME)) { : if (tspi_init_crtm() != VB2_SUCCESS)
Can we just always run this in bootblock and remove the code here?
Done
Hello Werner Zeh, Patrick Rudolph, Aaron Durbin, Wim Vervoorn, Julius Werner, Philipp Deppenwiese, build bot (Jenkins), Patrick Georgi, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#29).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot, making them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled. (Currently, in this change, it is done after the C_ENVIRONMENT bootblock loads romstage.)
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
TODO: Measure MRC Cache somewhere, as MRC Cache has never resided in CBFS any more, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/drivers/pc80/tpm/Makefile.inc M src/include/bootmode.h M src/lib/bootblock.c M src/lib/cbfs.c M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc R src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/vboot_common.h M src/security/vboot/vboot_logic.c M src/soc/amd/common/block/acpi/acpi.c M src/soc/intel/baytrail/pmutil.c M src/soc/intel/braswell/pmutil.c M src/soc/intel/broadwell/pmutil.c M src/soc/intel/common/block/pmc/pmclib.c M src/southbridge/intel/common/pmbase.c M src/vendorcode/eltan/security/verified_boot/vboot_check.c 25 files changed, 154 insertions(+), 109 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/29
Hello Werner Zeh, Patrick Rudolph, Aaron Durbin, Wim Vervoorn, Julius Werner, Philipp Deppenwiese, build bot (Jenkins), Patrick Georgi, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#30).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot, making them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled. (Currently, in this change, it is done before the C_ENVIRONMENT bootblock loads romstage.)
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
TODO: Measure MRC Cache somewhere, as MRC Cache has never resided in CBFS any more, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/drivers/pc80/tpm/Makefile.inc M src/include/bootmode.h M src/lib/bootblock.c M src/lib/cbfs.c M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc R src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/vboot_common.h M src/security/vboot/vboot_logic.c M src/soc/amd/common/block/acpi/acpi.c M src/soc/intel/baytrail/pmutil.c M src/soc/intel/braswell/pmutil.c M src/soc/intel/broadwell/pmutil.c M src/soc/intel/common/block/pmc/pmclib.c M src/southbridge/intel/common/pmbase.c M src/vendorcode/eltan/security/verified_boot/vboot_check.c 25 files changed, 154 insertions(+), 109 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/30
Hello Werner Zeh, Patrick Rudolph, Aaron Durbin, Wim Vervoorn, Julius Werner, Philipp Deppenwiese, build bot (Jenkins), Patrick Georgi, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#31).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.(currently in this change it is done before the C_ENVIRONMENT bootblock loads romstage.)
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
TODO: Measure the MRC cache somewhere: it no longer resides in CBFS, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/drivers/pc80/tpm/Makefile.inc M src/include/bootmode.h M src/lib/bootblock.c M src/lib/cbfs.c M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc R src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/vboot_common.h M src/security/vboot/vboot_logic.c M src/soc/amd/common/block/acpi/acpi.c M src/soc/intel/baytrail/pmutil.c M src/soc/intel/braswell/pmutil.c M src/soc/intel/broadwell/pmutil.c M src/soc/intel/common/block/pmc/pmclib.c M src/southbridge/intel/common/pmbase.c M src/vendorcode/eltan/security/verified_boot/vboot_check.c 25 files changed, 155 insertions(+), 109 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/31
Hello Werner Zeh, Patrick Rudolph, Aaron Durbin, Wim Vervoorn, Julius Werner, Philipp Deppenwiese, build bot (Jenkins), Patrick Georgi, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#32).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot, making them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled. (Currently, in this change, it is done before the C_ENVIRONMENT bootblock loads romstage.)
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
TODO: Measure MRC Cache somewhere, as MRC Cache has never resided in CBFS any more, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/drivers/pc80/tpm/Makefile.inc M src/include/bootmode.h M src/lib/bootblock.c M src/lib/cbfs.c M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc R src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/vboot_common.h M src/security/vboot/vboot_logic.c M src/soc/amd/common/block/acpi/acpi.c M src/soc/intel/baytrail/pmutil.c M src/soc/intel/braswell/pmutil.c M src/soc/intel/broadwell/pmutil.c M src/soc/intel/common/block/pmc/pmclib.c M src/southbridge/intel/common/pmbase.c M src/vendorcode/eltan/security/verified_boot/vboot_check.c 25 files changed, 162 insertions(+), 113 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/32
Hello Werner Zeh, Patrick Rudolph, Aaron Durbin, Wim Vervoorn, Julius Werner, Philipp Deppenwiese, build bot (Jenkins), Patrick Georgi, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#33).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot, making them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled. (Currently, in this change, it is done before the C_ENVIRONMENT bootblock loads romstage.)
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
TODO: Measure MRC Cache somewhere, as MRC Cache has never resided in CBFS any more, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/drivers/pc80/tpm/Makefile.inc M src/include/bootmode.h M src/lib/bootblock.c M src/lib/cbfs.c M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc R src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/vboot_common.h M src/security/vboot/vboot_logic.c M src/soc/amd/common/block/acpi/acpi.c M src/soc/intel/baytrail/pmutil.c M src/soc/intel/braswell/pmutil.c M src/soc/intel/broadwell/pmutil.c M src/soc/intel/common/block/pmc/pmclib.c M src/southbridge/intel/common/pmbase.c M src/vendorcode/eltan/security/verified_boot/vboot_check.c 25 files changed, 168 insertions(+), 108 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/33
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 33:
(2 comments)
https://review.coreboot.org/c/coreboot/+/35077/27/src/lib/bootblock.c File src/lib/bootblock.c:
https://review.coreboot.org/c/coreboot/+/35077/27/src/lib/bootblock.c@73 PS27, Line 73: !CONFIG(VBOOT) && CONFIG(TSPI_MEASURED_BOOT)
Why can't we just run this unconditionally here, and remove the call from verstage?
Reverted to this because of what is observed in https://qa.coreboot.org/job/coreboot-gerrit/112654/
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/vboot/vboot_l... File src/security/vboot/vboot_logic.c:
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/vboot/vboot_l... PS27, Line 329: if (CONFIG(TSPI_MEASURED_BOOT) && : !(ctx->flags & VB2_CONTEXT_S3_RESUME)) { : if (tspi_init_crtm() != VB2_SUCCESS)
Done
It seems that we cannot, because some platforms have a limited bootblock size; see https://qa.coreboot.org/job/coreboot-gerrit/112654/
Joel Kitching has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 33:
(1 comment)
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/vboot/vboot_l... File src/security/vboot/vboot_logic.c:
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/vboot/vboot_l... PS27, Line 329: if (CONFIG(TSPI_MEASURED_BOOT) && : !(ctx->flags & VB2_CONTEXT_S3_RESUME)) { : if (tspi_init_crtm() != VB2_SUCCESS)
It seems that we cannot, for some platform has limited bootblock size, see https://qa.coreboot. […]
So what if you are using a SIEMENS_MC_APL2 board and want to enable TSPI_MEASURED_BOOT?
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 33:
(1 comment)
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/vboot/vboot_l... File src/security/vboot/vboot_logic.c:
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/vboot/vboot_l... PS27, Line 329: if (CONFIG(TSPI_MEASURED_BOOT) && : !(ctx->flags & VB2_CONTEXT_S3_RESUME)) { : if (tspi_init_crtm() != VB2_SUCCESS)
So what if you are using a SIEMENS_MC_APL2 board and want to enable TSPI_MEASURED_BOOT?
I may have to let crtm be initialized in verstage, along with VBOOT.
Joel Kitching has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 33:
(1 comment)
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/vboot/vboot_l... File src/security/vboot/vboot_logic.c:
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/vboot/vboot_l... PS27, Line 329: if (CONFIG(TSPI_MEASURED_BOOT) && : !(ctx->flags & VB2_CONTEXT_S3_RESUME)) { : if (tspi_init_crtm() != VB2_SUCCESS)
I may have to let crtm be initialized in verstage, along with VBOOT.
What if we want to use TSPI_MEASURED_BOOT without VBOOT? Isn't that the whole point of this CL?
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 33:
(1 comment)
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/vboot/vboot_l... File src/security/vboot/vboot_logic.c:
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/vboot/vboot_l... PS27, Line 329: if (CONFIG(TSPI_MEASURED_BOOT) && : !(ctx->flags & VB2_CONTEXT_S3_RESUME)) { : if (tspi_init_crtm() != VB2_SUCCESS)
What if we want to use TSPI_MEASURED_BOOT without VBOOT? Isn't that the whole point of this CL?
I have no good idea for now. I may have to conclude that TSPI_MEASURED_BOOT cannot be decoupled from VBOOT on platforms that require VBOOT_SEPARATE_VERSTAGE, because their bootblock space is too small.
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 33:
(1 comment)
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/vboot/vboot_l... File src/security/vboot/vboot_logic.c:
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/vboot/vboot_l... PS27, Line 329: if (CONFIG(TSPI_MEASURED_BOOT) && : !(ctx->flags & VB2_CONTEXT_S3_RESUME)) { : if (tspi_init_crtm() != VB2_SUCCESS)
I have no good idea now. […]
I may have to conclude that TSPI_MEASURED_BOOT cannot be decoupled from VBOOT on platforms with only 32KiB (0x8000) for bootblock. I am composing the condition set for it.
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 33:
(1 comment)
https://review.coreboot.org/c/coreboot/+/35077/5/src/lib/cbfs.c File src/lib/cbfs.c:
https://review.coreboot.org/c/coreboot/+/35077/5/src/lib/cbfs.c@330 PS5, Line 330: #if !CONFIG(VBOOT) && CONFIG(VBOOT_MEASURED_BOOT)
The latest revision can basically work with C_ENVIRONMENT_BOOTBLOCK.
Now the problem is that the bootblock on some platforms is too small to contain the code to initialize CRTM. I believe that is why a separate verstage is necessary on such platforms. One path is to leave measured boot dependent on verified boot on these platforms; another could be initializing CRTM in romstage with a cbfs locator for those platforms, as patch set 5 did. Repurposing verstage may also be possible, but it is beyond my ability. Which path do you prefer? Or are there any better ideas?
Hello Werner Zeh, Patrick Rudolph, Aaron Durbin, Wim Vervoorn, Julius Werner, Philipp Deppenwiese, build bot (Jenkins), Patrick Georgi, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#34).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
Currently, in this change, TPM and CRTM init is done before the C_ENVIRONMENT bootblock loads romstage if the bootblock has enough space (greater than 32KiB, controlled by flag TSPI_CRTM_INIT_OUTSIDE_BOOTBLOCK); otherwise, CRTM is initialized in romstage with a cbfs_locator hook, or along with vboot if it is enabled.
TODO: Measure MRC Cache somewhere, as MRC Cache has never resided in CBFS any more, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/cpu/amd/agesa/Kconfig M src/cpu/amd/pi/Kconfig M src/cpu/intel/slot_1/Kconfig M src/cpu/intel/socket_441/Kconfig M src/cpu/intel/socket_m/Kconfig M src/drivers/pc80/tpm/Makefile.inc M src/include/bootmode.h M src/lib/bootblock.c M src/lib/cbfs.c M src/mainboard/aopen/dxplplusu/Kconfig M src/mainboard/emulation/qemu-i440fx/Kconfig M src/mainboard/emulation/qemu-q35/Kconfig M src/mainboard/portwell/m107/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc R src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/vboot_common.h M src/security/vboot/vboot_logic.c M src/soc/amd/common/block/acpi/acpi.c M src/soc/intel/apollolake/Kconfig M src/soc/intel/baytrail/pmutil.c M src/soc/intel/braswell/Kconfig M src/soc/intel/braswell/pmutil.c M src/soc/intel/broadwell/pmutil.c M src/soc/intel/common/block/pmc/pmclib.c M src/soc/intel/denverton_ns/Kconfig M src/soc/intel/icelake/Kconfig M src/soc/intel/quark/Kconfig M src/southbridge/intel/common/pmbase.c M src/vendorcode/eltan/security/verified_boot/vboot_check.c 39 files changed, 223 insertions(+), 109 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/34
Hello Patrick Rudolph, Aaron Durbin, Julius Werner, Frans Hendriks, build bot (Jenkins), Patrick Georgi, Werner Zeh, Wim Vervoorn, Vanessa Eusebio, Philipp Deppenwiese, David Guckian, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#35).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
Currently, in this change, TPM and CRTM init is done before the C_ENVIRONMENT bootblock loads romstage if the bootblock has enough space (greater than 32KiB, controlled by the flag TSPI_CRTM_INIT_OUTSIDE_BOOTBLOCK); otherwise, CRTM is initialized in romstage with a cbfs_locator hook, or along with vboot if it is enabled.
TODO: Measure MRC Cache somewhere, as MRC Cache has never resided in CBFS any more, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/cpu/amd/agesa/Kconfig M src/cpu/amd/pi/Kconfig M src/cpu/intel/slot_1/Kconfig M src/cpu/intel/socket_441/Kconfig M src/cpu/intel/socket_m/Kconfig M src/drivers/pc80/tpm/Makefile.inc M src/include/bootmode.h M src/lib/bootblock.c M src/lib/cbfs.c M src/mainboard/aopen/dxplplusu/Kconfig M src/mainboard/emulation/qemu-i440fx/Kconfig M src/mainboard/emulation/qemu-q35/Kconfig M src/mainboard/portwell/m107/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc R src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/vboot_common.h M src/security/vboot/vboot_logic.c M src/soc/amd/common/block/acpi/acpi.c M src/soc/intel/apollolake/Kconfig M src/soc/intel/baytrail/pmutil.c M src/soc/intel/braswell/Kconfig M src/soc/intel/braswell/pmutil.c M src/soc/intel/broadwell/pmutil.c M src/soc/intel/common/block/pmc/pmclib.c M src/soc/intel/denverton_ns/Kconfig M src/soc/intel/icelake/Kconfig M src/soc/intel/quark/Kconfig M src/southbridge/intel/common/pmbase.c M src/vendorcode/eltan/security/verified_boot/vboot_check.c 39 files changed, 222 insertions(+), 109 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/35
Hello Patrick Rudolph, Aaron Durbin, Julius Werner, Frans Hendriks, build bot (Jenkins), Patrick Georgi, Werner Zeh, Wim Vervoorn, Vanessa Eusebio, Philipp Deppenwiese, David Guckian, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#36).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
Currently, in this change, TPM and CRTM init is done before the C_ENVIRONMENT bootblock loads romstage if the bootblock has enough space (greater than 32KiB, controlled by the flag TSPI_CRTM_INIT_OUTSIDE_BOOTBLOCK); otherwise, CRTM is initialized in romstage with a cbfs_locator hook, or along with vboot if it is enabled.
TODO: Measure MRC Cache somewhere, as MRC Cache has never resided in CBFS any more, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/cpu/amd/agesa/Kconfig M src/cpu/amd/pi/Kconfig M src/cpu/intel/slot_1/Kconfig M src/cpu/intel/socket_441/Kconfig M src/cpu/intel/socket_m/Kconfig M src/drivers/pc80/tpm/Makefile.inc M src/include/bootmode.h M src/lib/bootblock.c M src/lib/cbfs.c M src/mainboard/aopen/dxplplusu/Kconfig M src/mainboard/emulation/qemu-i440fx/Kconfig M src/mainboard/emulation/qemu-q35/Kconfig M src/mainboard/portwell/m107/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc R src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/vboot_common.h M src/security/vboot/vboot_logic.c M src/soc/amd/common/block/acpi/acpi.c M src/soc/intel/apollolake/Kconfig M src/soc/intel/baytrail/pmutil.c M src/soc/intel/braswell/Kconfig M src/soc/intel/braswell/pmutil.c M src/soc/intel/broadwell/pmutil.c M src/soc/intel/common/block/pmc/pmclib.c M src/soc/intel/denverton_ns/Kconfig M src/soc/intel/icelake/Kconfig M src/soc/intel/quark/Kconfig M src/southbridge/intel/common/pmbase.c M src/vendorcode/eltan/security/verified_boot/vboot_check.c 39 files changed, 251 insertions(+), 109 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/36
Hello Patrick Rudolph, Aaron Durbin, Julius Werner, Frans Hendriks, build bot (Jenkins), Patrick Georgi, Werner Zeh, Wim Vervoorn, Vanessa Eusebio, Philipp Deppenwiese, David Guckian, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#37).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.(currently in this change it is done before the C_ENVIRONMENT bootblock loads romstage.)
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
TODO: Measure MRC Cache somewhere; MRC Cache no longer resides in CBFS, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/drivers/pc80/tpm/Makefile.inc M src/include/bootmode.h M src/lib/bootblock.c M src/lib/cbfs.c M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc R src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/vboot_common.h M src/security/vboot/vboot_logic.c M src/soc/amd/common/block/acpi/acpi.c M src/soc/intel/baytrail/pmutil.c M src/soc/intel/braswell/pmutil.c M src/soc/intel/broadwell/pmutil.c M src/soc/intel/common/block/pmc/pmclib.c M src/southbridge/intel/common/pmbase.c M src/vendorcode/eltan/security/verified_boot/vboot_check.c 25 files changed, 162 insertions(+), 113 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/37
Hello Patrick Rudolph, Aaron Durbin, Julius Werner, Frans Hendriks, build bot (Jenkins), Patrick Georgi, Werner Zeh, Wim Vervoorn, Vanessa Eusebio, Philipp Deppenwiese, David Guckian, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#38).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
Currently, in this change, TPM and CRTM init is done before the C_ENVIRONMENT bootblock loads romstage if the bootblock has enough space (greater than 32KiB, controlled by the flag TSPI_CRTM_INIT_OUTSIDE_BOOTBLOCK); otherwise, CRTM is initialized in romstage with a cbfs_locator hook, or along with vboot if it is enabled.
TODO: Measure MRC Cache somewhere, as MRC Cache has never resided in CBFS any more, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/cpu/amd/agesa/Kconfig M src/cpu/amd/pi/Kconfig M src/cpu/intel/slot_1/Kconfig M src/cpu/intel/socket_441/Kconfig M src/cpu/intel/socket_m/Kconfig M src/drivers/pc80/tpm/Makefile.inc M src/include/bootmode.h M src/lib/bootblock.c M src/lib/cbfs.c M src/mainboard/aopen/dxplplusu/Kconfig M src/mainboard/emulation/qemu-i440fx/Kconfig M src/mainboard/emulation/qemu-q35/Kconfig M src/mainboard/portwell/m107/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc R src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/vboot_common.h M src/security/vboot/vboot_logic.c M src/soc/amd/common/block/acpi/acpi.c M src/soc/intel/apollolake/Kconfig M src/soc/intel/baytrail/pmutil.c M src/soc/intel/braswell/Kconfig M src/soc/intel/braswell/pmutil.c M src/soc/intel/broadwell/pmutil.c M src/soc/intel/common/block/pmc/pmclib.c M src/soc/intel/denverton_ns/Kconfig M src/soc/intel/icelake/Kconfig M src/soc/intel/quark/Kconfig M src/southbridge/intel/common/pmbase.c M src/vendorcode/eltan/security/verified_boot/vboot_check.c 39 files changed, 247 insertions(+), 109 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/38
Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 39:
(1 comment)
https://review.coreboot.org/c/coreboot/+/35077/5/src/lib/cbfs.c File src/lib/cbfs.c:
https://review.coreboot.org/c/coreboot/+/35077/5/src/lib/cbfs.c@330 PS5, Line 330: #if !CONFIG(VBOOT) && CONFIG(VBOOT_MEASURED_BOOT)
Now the problem is that the bootblock on some platform is too small to contain the code to initializ […]
In general I think it's perfectly fine to just not support certain platforms for now if you don't need them.
But I also think this is yet another sign that the approach of doing all the TPM init in the bootblock is not that great, and the other approach I have outlined may be better: just record the hashes you were planning to write to the TPM in the TCPA log during early stages, and then later update the TPM to match in ramstage. This way you only need the TPM drivers in ramstage and can save all that code size in the earlier stages, I think it is a lot more efficient approach overall. What do you think?
Hello Patrick Rudolph, Aaron Durbin, Julius Werner, Frans Hendriks, build bot (Jenkins), Patrick Georgi, Werner Zeh, Wim Vervoorn, Vanessa Eusebio, Philipp Deppenwiese, David Guckian, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#40).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
Currently, in this change, TPM and CRTM init is done before the C_ENVIRONMENT bootblock loads romstage if the bootblock has enough space (greater than 32KiB, controlled by the flag TSPI_CRTM_INIT_OUTSIDE_BOOTBLOCK); otherwise, CRTM is initialized in romstage with a cbfs_locator hook, or along with vboot if it is enabled.
TODO: Measure MRC Cache somewhere, as MRC Cache has never resided in CBFS any more, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/cpu/amd/agesa/Kconfig M src/cpu/amd/pi/Kconfig M src/cpu/intel/slot_1/Kconfig M src/cpu/intel/socket_441/Kconfig M src/cpu/intel/socket_m/Kconfig M src/drivers/pc80/tpm/Makefile.inc M src/include/bootmode.h M src/lib/bootblock.c M src/lib/cbfs.c M src/mainboard/aopen/dxplplusu/Kconfig M src/mainboard/emulation/qemu-i440fx/Kconfig M src/mainboard/emulation/qemu-q35/Kconfig M src/mainboard/portwell/m107/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc R src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/vboot_common.h M src/security/vboot/vboot_logic.c M src/soc/amd/common/block/acpi/acpi.c M src/soc/intel/apollolake/Kconfig M src/soc/intel/baytrail/pmutil.c M src/soc/intel/braswell/Kconfig M src/soc/intel/braswell/pmutil.c M src/soc/intel/broadwell/pmutil.c M src/soc/intel/common/block/pmc/pmclib.c M src/soc/intel/denverton_ns/Kconfig M src/soc/intel/icelake/Kconfig M src/soc/intel/quark/Kconfig M src/southbridge/intel/common/pmbase.c M src/vendorcode/eltan/security/verified_boot/vboot_check.c 39 files changed, 236 insertions(+), 110 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/40
Hello Patrick Rudolph, Aaron Durbin, Julius Werner, Frans Hendriks, build bot (Jenkins), Patrick Georgi, Werner Zeh, Wim Vervoorn, Vanessa Eusebio, Philipp Deppenwiese, David Guckian, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#41).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
Currently, in this change, TPM and CRTM init is done before the C_ENVIRONMENT bootblock loads romstage if the bootblock has enough space (greater than 32KiB, controlled by the flag TSPI_CRTM_INIT_OUTSIDE_BOOTBLOCK); otherwise, CRTM is initialized in romstage with a cbfs_locator hook, or along with vboot if it is enabled.
TODO: Measure MRC Cache somewhere, as MRC Cache has never resided in CBFS any more, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/cpu/amd/agesa/Kconfig M src/cpu/amd/pi/Kconfig M src/cpu/intel/slot_1/Kconfig M src/cpu/intel/socket_441/Kconfig M src/cpu/intel/socket_m/Kconfig M src/drivers/pc80/tpm/Makefile.inc M src/include/bootmode.h M src/lib/bootblock.c M src/lib/cbfs.c M src/mainboard/aopen/dxplplusu/Kconfig M src/mainboard/emulation/qemu-i440fx/Kconfig M src/mainboard/emulation/qemu-q35/Kconfig M src/mainboard/portwell/m107/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc R src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/vboot_common.h M src/security/vboot/vboot_logic.c M src/soc/amd/common/block/acpi/acpi.c M src/soc/intel/apollolake/Kconfig M src/soc/intel/baytrail/pmutil.c M src/soc/intel/braswell/Kconfig M src/soc/intel/braswell/pmutil.c M src/soc/intel/broadwell/pmutil.c M src/soc/intel/common/block/pmc/pmclib.c M src/soc/intel/denverton_ns/Kconfig M src/soc/intel/icelake/Kconfig M src/soc/intel/quark/Kconfig M src/southbridge/intel/common/pmbase.c M src/vendorcode/eltan/security/verified_boot/vboot_check.c 39 files changed, 234 insertions(+), 110 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/41
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 41:
(1 comment)
https://review.coreboot.org/c/coreboot/+/35077/5/src/lib/cbfs.c File src/lib/cbfs.c:
https://review.coreboot.org/c/coreboot/+/35077/5/src/lib/cbfs.c@330 PS5, Line 330: #if !CONFIG(VBOOT) && CONFIG(VBOOT_MEASURED_BOOT)
In general I think it's perfectly fine to just not support certain platforms for now if you don't ne […]
I think you are right. But since this can now work at least for a lot of platforms, I am going to maintain it for a while, until I make a breakthrough on the direction of TCPA-log-caching.
Hello Patrick Rudolph, Aaron Durbin, Julius Werner, Frans Hendriks, build bot (Jenkins), Patrick Georgi, Werner Zeh, Wim Vervoorn, Vanessa Eusebio, Philipp Deppenwiese, David Guckian, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#42).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.
In this revision, only the TCPA log is initialized during bootblock. Before the TPM is set up, digests are not measured into the TPM immediately but only recorded in the TCPA log; right after the TPM is up, they are measured into the TPM by "replaying" the recorded digests.
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
TODO: Measure MRC Cache somewhere, as MRC Cache has never resided in CBFS any more, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/drivers/pc80/tpm/Makefile.inc M src/include/bootmode.h M src/lib/bootblock.c M src/lib/cbfs.c M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc M src/security/tpm/tspi.h R src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/log.c M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/vboot_common.h M src/security/vboot/vboot_logic.c M src/soc/amd/common/block/acpi/acpi.c M src/soc/intel/baytrail/pmutil.c M src/soc/intel/braswell/pmutil.c M src/soc/intel/broadwell/pmutil.c M src/soc/intel/common/block/pmc/pmclib.c M src/southbridge/intel/common/pmbase.c M src/vendorcode/eltan/security/verified_boot/vboot_check.c 27 files changed, 231 insertions(+), 172 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/42
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 42:
(1 comment)
https://review.coreboot.org/c/coreboot/+/35077/5/src/lib/cbfs.c File src/lib/cbfs.c:
https://review.coreboot.org/c/coreboot/+/35077/5/src/lib/cbfs.c@330 PS5, Line 330: #if !CONFIG(VBOOT) && CONFIG(VBOOT_MEASURED_BOOT)
I think you are right. […]
On further inspection, turning from the former direction to "TCPA-log-caching" turned out to be not as hard as I had imagined. The latest revision is now already implemented in the "cache-and-replay" way.
Hello Patrick Rudolph, Aaron Durbin, Julius Werner, Frans Hendriks, build bot (Jenkins), Patrick Georgi, Werner Zeh, Wim Vervoorn, Vanessa Eusebio, Philipp Deppenwiese, David Guckian, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#43).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.
In this revision, only the TCPA log is initialized during bootblock. Before the TPM is set up, digests are not measured into the TPM immediately but only recorded in the TCPA log; right after the TPM is up, they are measured into the TPM by "replaying" the recorded digests.
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
TODO: Measure MRC Cache somewhere, as MRC Cache has never resided in CBFS any more, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/drivers/pc80/tpm/Makefile.inc M src/include/bootmode.h M src/lib/bootblock.c M src/lib/cbfs.c M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc M src/security/tpm/tspi.h R src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/log.c M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/vboot_common.h M src/security/vboot/vboot_logic.c M src/soc/amd/common/block/acpi/acpi.c M src/soc/intel/baytrail/pmutil.c M src/soc/intel/braswell/pmutil.c M src/soc/intel/broadwell/pmutil.c M src/soc/intel/common/block/pmc/pmclib.c M src/southbridge/intel/common/pmbase.c M src/vendorcode/eltan/security/verified_boot/vboot_check.c 27 files changed, 233 insertions(+), 172 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/43
Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 44:
(11 comments)
Nice, I think this is on the right track.
https://review.coreboot.org/c/coreboot/+/35077/44/src/arch/x86/car.ld File src/arch/x86/car.ld:
https://review.coreboot.org/c/coreboot/+/35077/44/src/arch/x86/car.ld@34 PS44, Line 34: VBOOT2_TPM_LOG If you rename the Kconfig option, maybe also rename this region?
https://review.coreboot.org/c/coreboot/+/35077/44/src/include/bootmode.h File src/include/bootmode.h:
https://review.coreboot.org/c/coreboot/+/35077/44/src/include/bootmode.h@38 PS44, Line 38: int platform_is_resuming(void); This rename touches enough files that you should put it in its own patch.
However, why do you need to move this out of vboot anyway? I don't see this touched by the core part of your patch.
https://review.coreboot.org/c/coreboot/+/35077/44/src/security/tpm/Kconfig File src/security/tpm/Kconfig:
https://review.coreboot.org/c/coreboot/+/35077/44/src/security/tpm/Kconfig@1... PS44, Line 105: TSPI_MEASURED_BOOT For consistency with existing options I think TPM_MEASURED_BOOT would fit better.
https://review.coreboot.org/c/coreboot/+/35077/44/src/security/tpm/Makefile.... File src/security/tpm/Makefile.inc:
https://review.coreboot.org/c/coreboot/+/35077/44/src/security/tpm/Makefile.... PS44, Line 18: $(CONFIG_VBOOT) nit: can also just put a 'y' here
https://review.coreboot.org/c/coreboot/+/35077/44/src/security/tpm/Makefile.... PS44, Line 50: ifneq ($(CONFIG_TPM1)$(CONFIG_TPM2),) Should be unnecessary because CONFIG_TSPI_MEASURED_BOOT already depends on these.
https://review.coreboot.org/c/coreboot/+/35077/44/src/security/tpm/tspi.h File src/security/tpm/tspi.h:
https://review.coreboot.org/c/coreboot/+/35077/44/src/security/tpm/tspi.h@56 PS44, Line 56: _entry Should this be _entries() (or just tcpa_log_replay_table())?
https://review.coreboot.org/c/coreboot/+/35077/44/src/security/tpm/tspi/crtm... File src/security/tpm/tspi/crtm.c:
https://review.coreboot.org/c/coreboot/+/35077/44/src/security/tpm/tspi/crtm... PS44, Line 160: void measured_boot_init_crtm(void) Does this really need to be an explicitly called function? Can't you just put something like
if (ENV_BOOTBLOCK) { static bool initialized = 0; if (!initialized) { tspi_init_crtm(); initialized = 1; } }
at the top of tspi_measure_cbfs_hook()?
https://review.coreboot.org/c/coreboot/+/35077/44/src/security/tpm/tspi/crtm... PS44, Line 162: if (ENV_BOOTBLOCK) { This is only called from the bootblock so I think this check is superfluous?
https://review.coreboot.org/c/coreboot/+/35077/44/src/security/tpm/tspi/tspi... File src/security/tpm/tspi/tspi.c:
https://review.coreboot.org/c/coreboot/+/35077/44/src/security/tpm/tspi/tspi... PS44, Line 22: #if CONFIG(VBOOT_LIB) Don't conditionalize #includes. Just include these unconditionally. vboot is always checked out even if it isn't built so that should still work.
https://review.coreboot.org/c/coreboot/+/35077/44/src/security/tpm/tspi/tspi... PS44, Line 114: return vboot_logic_executed(); There's a slight problem here in that vboot_logic.c itself extends some PCRs before it sets the vboot_executed variable to 1. But since you're already introducing a tpm_is_setup() global you can use that, so doing
if (CONFIG(VBOOT)) return vboot_logic_executed || tpm_is_setup;
should work.
https://review.coreboot.org/c/coreboot/+/35077/44/src/security/tpm/tspi/tspi... PS44, Line 309: rname, pcr, tspi_tpm_is_setup()?"measur":"logg"); nit: spaces around ternary operator, please
Hello Patrick Rudolph, Aaron Durbin, Julius Werner, Frans Hendriks, build bot (Jenkins), Patrick Georgi, Werner Zeh, Wim Vervoorn, Vanessa Eusebio, Philipp Deppenwiese, David Guckian, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#45).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.
In this revision, only the TCPA log is initialized during bootblock. Before the TPM is set up, digests are not measured into the TPM immediately; they are only recorded in the TCPA log, and are measured into the TPM right after it is up by "replaying" the recorded digests.
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
TODO: Measure MRC Cache somewhere, as MRC Cache has never resided in CBFS any more, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/drivers/pc80/tpm/Makefile.inc M src/include/memlayout.h M src/lib/bootblock.c M src/lib/cbfs.c M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc M src/security/tpm/tspi.h R src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/log.c M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/symbols.h M src/security/vboot/vboot_logic.c M src/soc/cavium/cn81xx/include/soc/memlayout.ld M src/soc/mediatek/mt8173/include/soc/memlayout.ld M src/soc/mediatek/mt8183/include/soc/memlayout.ld M src/soc/nvidia/tegra124/include/soc/memlayout.ld M src/soc/nvidia/tegra210/include/soc/memlayout.ld M src/soc/samsung/exynos5250/include/soc/memlayout.ld 26 files changed, 209 insertions(+), 164 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/45
build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 45:
(2 comments)
https://review.coreboot.org/c/coreboot/+/35077/45/src/include/memlayout.h File src/include/memlayout.h:
https://review.coreboot.org/c/coreboot/+/35077/45/src/include/memlayout.h@16... PS45, Line 163: #define TPM_TCPA_LOG(addr, size) \ Macros with multiple statements should be enclosed in a do - while loop
https://review.coreboot.org/c/coreboot/+/35077/45/src/include/memlayout.h@16... PS45, Line 163: #define TPM_TCPA_LOG(addr, size) \ macros should not use a trailing semicolon
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 45:
(11 comments)
https://review.coreboot.org/c/coreboot/+/35077/44/src/arch/x86/car.ld File src/arch/x86/car.ld:
https://review.coreboot.org/c/coreboot/+/35077/44/src/arch/x86/car.ld@34 PS44, Line 34: VBOOT2_TPM_LOG
If you rename the Kconfig option, maybe also rename this region?
Renamed as TPM_TCPA_LOG.
https://review.coreboot.org/c/coreboot/+/35077/44/src/include/bootmode.h File src/include/bootmode.h:
https://review.coreboot.org/c/coreboot/+/35077/44/src/include/bootmode.h@38 PS44, Line 38: int platform_is_resuming(void);
This rename touches enough files that you should put it in its own patch. […]
All affected spots are reverted.
https://review.coreboot.org/c/coreboot/+/35077/44/src/security/tpm/Kconfig File src/security/tpm/Kconfig:
https://review.coreboot.org/c/coreboot/+/35077/44/src/security/tpm/Kconfig@1... PS44, Line 105: TSPI_MEASURED_BOOT
For consistency with existing options I think TPM_MEASURED_BOOT would fit better.
Done
https://review.coreboot.org/c/coreboot/+/35077/44/src/security/tpm/Makefile.... File src/security/tpm/Makefile.inc:
https://review.coreboot.org/c/coreboot/+/35077/44/src/security/tpm/Makefile.... PS44, Line 18: $(CONFIG_VBOOT)
nit: can also just put a 'y' here
Done
https://review.coreboot.org/c/coreboot/+/35077/44/src/security/tpm/Makefile.... PS44, Line 50: ifneq ($(CONFIG_TPM1)$(CONFIG_TPM2),)
Should be unnecessary because CONFIG_TSPI_MEASURED_BOOT already depends on these.
Done
https://review.coreboot.org/c/coreboot/+/35077/44/src/security/tpm/tspi.h File src/security/tpm/tspi.h:
https://review.coreboot.org/c/coreboot/+/35077/44/src/security/tpm/tspi.h@56 PS44, Line 56: _entry
Should this be _entries() (or just tcpa_log_replay_table())?
Done
https://review.coreboot.org/c/coreboot/+/35077/44/src/security/tpm/tspi/crtm... File src/security/tpm/tspi/crtm.c:
https://review.coreboot.org/c/coreboot/+/35077/44/src/security/tpm/tspi/crtm... PS44, Line 160: void measured_boot_init_crtm(void)
Does this really need to be an explicitly called function? Can't you just put something like […]
Simply doing this will cause coreboot to crash even before ehci debug becomes available, maybe because tspi_init_crtm() calls cbfs_boot_locate(), which eventually calls tspi_measure_cbfs_hook(), forming an unwanted recursion.
https://review.coreboot.org/c/coreboot/+/35077/44/src/security/tpm/tspi/crtm... PS44, Line 162: if (ENV_BOOTBLOCK) {
This is only called from the bootblock so I think this check is superfluous?
Done
https://review.coreboot.org/c/coreboot/+/35077/44/src/security/tpm/tspi/tspi... File src/security/tpm/tspi/tspi.c:
https://review.coreboot.org/c/coreboot/+/35077/44/src/security/tpm/tspi/tspi... PS44, Line 22: #if CONFIG(VBOOT_LIB)
Don't conditionalize #includes. Just include these unconditionally. […]
Done
https://review.coreboot.org/c/coreboot/+/35077/44/src/security/tpm/tspi/tspi... PS44, Line 114: return vboot_logic_executed();
There's a slight problem here in that vboot_logic. […]
Done
https://review.coreboot.org/c/coreboot/+/35077/44/src/security/tpm/tspi/tspi... PS44, Line 309: rname, pcr, tspi_tpm_is_setup()?"measur":"logg");
nit: spaces around ternary operator, please
Done
Hello Patrick Rudolph, Aaron Durbin, Julius Werner, Frans Hendriks, build bot (Jenkins), Patrick Georgi, Werner Zeh, Wim Vervoorn, Vanessa Eusebio, Philipp Deppenwiese, David Guckian, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#46).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.
In this revision, only the TCPA log is initialized during bootblock. Before the TPM is set up, digests are not measured into the TPM immediately; they are only recorded in the TCPA log, and are measured into the TPM right after it is up by "replaying" the recorded digests.
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
TODO: Measure MRC Cache somewhere, as MRC Cache has never resided in CBFS any more, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/drivers/pc80/tpm/Makefile.inc M src/include/memlayout.h M src/lib/bootblock.c M src/lib/cbfs.c M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc M src/security/tpm/tspi.h A src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/log.c M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/symbols.h D src/security/vboot/vboot_crtm.c M src/security/vboot/vboot_logic.c M src/soc/cavium/cn81xx/include/soc/memlayout.ld M src/soc/mediatek/mt8173/include/soc/memlayout.ld M src/soc/mediatek/mt8183/include/soc/memlayout.ld M src/soc/nvidia/tegra124/include/soc/memlayout.ld M src/soc/nvidia/tegra210/include/soc/memlayout.ld M src/soc/samsung/exynos5250/include/soc/memlayout.ld 27 files changed, 327 insertions(+), 298 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/46
build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 46:
(3 comments)
https://review.coreboot.org/c/coreboot/+/35077/46/src/include/memlayout.h File src/include/memlayout.h:
https://review.coreboot.org/c/coreboot/+/35077/46/src/include/memlayout.h@16... PS46, Line 163: #define TPM_TCPA_LOG(addr, size) \ Macros with multiple statements should be enclosed in a do - while loop
https://review.coreboot.org/c/coreboot/+/35077/46/src/include/memlayout.h@16... PS46, Line 163: #define TPM_TCPA_LOG(addr, size) \ macros should not use a trailing semicolon
https://review.coreboot.org/c/coreboot/+/35077/46/src/security/tpm/tspi/crtm... File src/security/tpm/tspi/crtm.c:
https://review.coreboot.org/c/coreboot/+/35077/46/src/security/tpm/tspi/crtm... PS46, Line 33: static const char *fmap_cbfs_names[] = { static const char * array should probably be static const char * const
Hello Patrick Rudolph, Aaron Durbin, Julius Werner, Frans Hendriks, build bot (Jenkins), Patrick Georgi, Werner Zeh, Wim Vervoorn, Vanessa Eusebio, Philipp Deppenwiese, David Guckian, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#47).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.
In this revision, only the TCPA log is initialized during bootblock. Before the TPM is set up, digests are not measured into the TPM immediately; they are only recorded in the TCPA log, and are measured into the TPM right after it is up by "replaying" the recorded digests.
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
TODO: Measure MRC Cache somewhere, as MRC Cache has never resided in CBFS any more, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/drivers/pc80/tpm/Makefile.inc M src/include/memlayout.h M src/lib/bootblock.c M src/lib/cbfs.c M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc M src/security/tpm/tspi.h A src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/log.c M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/symbols.h D src/security/vboot/vboot_crtm.c M src/security/vboot/vboot_logic.c M src/soc/cavium/cn81xx/include/soc/memlayout.ld M src/soc/mediatek/mt8173/include/soc/memlayout.ld M src/soc/mediatek/mt8183/include/soc/memlayout.ld M src/soc/nvidia/tegra124/include/soc/memlayout.ld M src/soc/nvidia/tegra210/include/soc/memlayout.ld M src/soc/samsung/exynos5250/include/soc/memlayout.ld 27 files changed, 327 insertions(+), 298 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/47
build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 47:
(2 comments)
https://review.coreboot.org/c/coreboot/+/35077/47/src/include/memlayout.h File src/include/memlayout.h:
https://review.coreboot.org/c/coreboot/+/35077/47/src/include/memlayout.h@16... PS47, Line 163: #define TPM_TCPA_LOG(addr, size) \ Macros with multiple statements should be enclosed in a do - while loop
https://review.coreboot.org/c/coreboot/+/35077/47/src/include/memlayout.h@16... PS47, Line 163: #define TPM_TCPA_LOG(addr, size) \ macros should not use a trailing semicolon
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 47:
(1 comment)
Patch Set 39:
(1 comment)
https://review.coreboot.org/c/coreboot/+/35077/44/src/security/tpm/tspi/crtm... File src/security/tpm/tspi/crtm.c:
https://review.coreboot.org/c/coreboot/+/35077/44/src/security/tpm/tspi/crtm... PS44, Line 160: void measured_boot_init_crtm(void)
Simply doing this will cause coreboot to crash even before ehci debug becomes available, maybe becau […]
Finally I have achieved this by adjusting the timing to set flags.
build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 48:
(2 comments)
https://review.coreboot.org/c/coreboot/+/35077/48/src/include/memlayout.h File src/include/memlayout.h:
https://review.coreboot.org/c/coreboot/+/35077/48/src/include/memlayout.h@16... PS48, Line 163: #define TPM_TCPA_LOG(addr, size) \ Macros with multiple statements should be enclosed in a do - while loop
https://review.coreboot.org/c/coreboot/+/35077/48/src/include/memlayout.h@16... PS48, Line 163: #define TPM_TCPA_LOG(addr, size) \ macros should not use a trailing semicolon
Hello Patrick Rudolph, Aaron Durbin, Julius Werner, Frans Hendriks, build bot (Jenkins), Patrick Georgi, Werner Zeh, Wim Vervoorn, Vanessa Eusebio, Philipp Deppenwiese, David Guckian, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#49).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.
In this revision, only the TCPA log is initialized during bootblock. Before the TPM is set up, digests are not measured into the TPM immediately; they are only recorded in the TCPA log, and are measured into the TPM right after it is up by "replaying" the recorded digests.
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
TODO: Measure MRC Cache somewhere, as MRC Cache has never resided in CBFS any more, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/drivers/pc80/tpm/Makefile.inc M src/include/memlayout.h M src/lib/bootblock.c M src/lib/cbfs.c M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc M src/security/tpm/tspi.h A src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/log.c M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/symbols.h D src/security/vboot/vboot_crtm.c M src/security/vboot/vboot_logic.c M src/soc/cavium/cn81xx/include/soc/memlayout.ld M src/soc/mediatek/mt8173/include/soc/memlayout.ld M src/soc/mediatek/mt8183/include/soc/memlayout.ld M src/soc/nvidia/tegra124/include/soc/memlayout.ld M src/soc/nvidia/tegra210/include/soc/memlayout.ld M src/soc/samsung/exynos5250/include/soc/memlayout.ld 27 files changed, 326 insertions(+), 298 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/49
build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 49:
(2 comments)
https://review.coreboot.org/c/coreboot/+/35077/49/src/include/memlayout.h File src/include/memlayout.h:
https://review.coreboot.org/c/coreboot/+/35077/49/src/include/memlayout.h@16... PS49, Line 163: #define TPM_TCPA_LOG(addr, size) \ Macros with multiple statements should be enclosed in a do - while loop
https://review.coreboot.org/c/coreboot/+/35077/49/src/include/memlayout.h@16... PS49, Line 163: #define TPM_TCPA_LOG(addr, size) \ macros should not use a trailing semicolon
Hello Patrick Rudolph, Aaron Durbin, Julius Werner, Frans Hendriks, build bot (Jenkins), Patrick Georgi, Werner Zeh, Wim Vervoorn, Vanessa Eusebio, Philipp Deppenwiese, David Guckian, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#50).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.
In this revision, only the TCPA log is initialized during bootblock. Before the TPM is set up, digests are not measured into the TPM immediately; they are only recorded in the TCPA log, and are measured into the TPM right after it is up by "replaying" the recorded digests.
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
TODO: Measure MRC Cache somewhere, as MRC Cache has never resided in CBFS any more, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/drivers/pc80/tpm/Makefile.inc M src/include/memlayout.h M src/lib/bootblock.c M src/lib/cbfs.c M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc M src/security/tpm/tspi.h A src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/log.c M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/symbols.h D src/security/vboot/vboot_crtm.c M src/security/vboot/vboot_logic.c M src/soc/cavium/cn81xx/include/soc/memlayout.ld M src/soc/mediatek/mt8173/include/soc/memlayout.ld M src/soc/mediatek/mt8183/include/soc/memlayout.ld M src/soc/nvidia/tegra124/include/soc/memlayout.ld M src/soc/nvidia/tegra210/include/soc/memlayout.ld M src/soc/samsung/exynos5250/include/soc/memlayout.ld 27 files changed, 326 insertions(+), 298 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/50
build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 50:
(2 comments)
https://review.coreboot.org/c/coreboot/+/35077/50/src/include/memlayout.h File src/include/memlayout.h:
https://review.coreboot.org/c/coreboot/+/35077/50/src/include/memlayout.h@16... PS50, Line 163: #define TPM_TCPA_LOG(addr, size) \ Macros with multiple statements should be enclosed in a do - while loop
https://review.coreboot.org/c/coreboot/+/35077/50/src/include/memlayout.h@16... PS50, Line 163: #define TPM_TCPA_LOG(addr, size) \ macros should not use a trailing semicolon
Hello Patrick Rudolph, Aaron Durbin, Julius Werner, Frans Hendriks, build bot (Jenkins), Patrick Georgi, Werner Zeh, Wim Vervoorn, Vanessa Eusebio, Philipp Deppenwiese, David Guckian, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#51).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.
In this revision, only the TCPA log is initialized during bootblock. Before the TPM is set up, digests are not measured into the TPM immediately; they are only recorded in the TCPA log, and are measured into the TPM right after it is up by "replaying" the recorded digests.
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
TODO: Measure MRC Cache somewhere, as MRC Cache has never resided in CBFS any more, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/drivers/pc80/tpm/Makefile.inc M src/include/memlayout.h M src/lib/bootblock.c M src/lib/cbfs.c M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc M src/security/tpm/tspi.h A src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/log.c M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/symbols.h D src/security/vboot/vboot_crtm.c M src/security/vboot/vboot_logic.c M src/soc/cavium/cn81xx/include/soc/memlayout.ld M src/soc/mediatek/mt8173/include/soc/memlayout.ld M src/soc/mediatek/mt8183/include/soc/memlayout.ld M src/soc/nvidia/tegra124/include/soc/memlayout.ld M src/soc/nvidia/tegra210/include/soc/memlayout.ld M src/soc/samsung/exynos5250/include/soc/memlayout.ld 27 files changed, 325 insertions(+), 298 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/51
build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 51:
(2 comments)
https://review.coreboot.org/c/coreboot/+/35077/51/src/include/memlayout.h File src/include/memlayout.h:
https://review.coreboot.org/c/coreboot/+/35077/51/src/include/memlayout.h@16... PS51, Line 163: #define TPM_TCPA_LOG(addr, size) \ Macros with multiple statements should be enclosed in a do - while loop
https://review.coreboot.org/c/coreboot/+/35077/51/src/include/memlayout.h@16... PS51, Line 163: #define TPM_TCPA_LOG(addr, size) \ macros should not use a trailing semicolon
build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 52:
(2 comments)
https://review.coreboot.org/c/coreboot/+/35077/52/src/include/memlayout.h File src/include/memlayout.h:
https://review.coreboot.org/c/coreboot/+/35077/52/src/include/memlayout.h@16... PS52, Line 163: #define TPM_TCPA_LOG(addr, size) \ Macros with multiple statements should be enclosed in a do - while loop
https://review.coreboot.org/c/coreboot/+/35077/52/src/include/memlayout.h@16... PS52, Line 163: #define TPM_TCPA_LOG(addr, size) \ macros should not use a trailing semicolon
build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 53:
(2 comments)
https://review.coreboot.org/c/coreboot/+/35077/53/src/include/memlayout.h File src/include/memlayout.h:
https://review.coreboot.org/c/coreboot/+/35077/53/src/include/memlayout.h@16... PS53, Line 163: #define TPM_TCPA_LOG(addr, size) \ Macros with multiple statements should be enclosed in a do - while loop
https://review.coreboot.org/c/coreboot/+/35077/53/src/include/memlayout.h@16... PS53, Line 163: #define TPM_TCPA_LOG(addr, size) \ macros should not use a trailing semicolon
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 53:
(1 comment)
https://review.coreboot.org/c/coreboot/+/35077/53/src/include/memlayout.h File src/include/memlayout.h:
https://review.coreboot.org/c/coreboot/+/35077/53/src/include/memlayout.h@16... PS53, Line 163: #define TPM_TCPA_LOG(addr, size) \
Macros with multiple statements should be enclosed in a do - while loop
This should only apply to operative macros, but not declarative ones, including those used to declare global variables.
build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 54:
(2 comments)
https://review.coreboot.org/c/coreboot/+/35077/54/src/include/memlayout.h File src/include/memlayout.h:
https://review.coreboot.org/c/coreboot/+/35077/54/src/include/memlayout.h@16... PS54, Line 163: #define TPM_TCPA_LOG(addr, size) \ Macros with multiple statements should be enclosed in a do - while loop
https://review.coreboot.org/c/coreboot/+/35077/54/src/include/memlayout.h@16... PS54, Line 163: #define TPM_TCPA_LOG(addr, size) \ macros should not use a trailing semicolon
Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 54: Code-Review+1
(7 comments)
Thanks, I think this looks good now from my side (other than a few obvious one line fixes I commented). I'll leave the final review and +2 to Philipp since this is all his code.
https://review.coreboot.org/c/coreboot/+/35077/54/src/drivers/pc80/tpm/Makef... File src/drivers/pc80/tpm/Makefile.inc:
https://review.coreboot.org/c/coreboot/+/35077/54/src/drivers/pc80/tpm/Makef... PS54, Line 5: bootblock-$(CONFIG_LPC_TPM) += tis.c No longer necessary.
https://review.coreboot.org/c/coreboot/+/35077/54/src/lib/bootblock.c File src/lib/bootblock.c:
https://review.coreboot.org/c/coreboot/+/35077/54/src/lib/bootblock.c@24 PS54, Line 24: #include <security/tpm/tspi/crtm.h> No longer necessary.
https://review.coreboot.org/c/coreboot/+/35077/54/src/security/tpm/tspi/crtm... File src/security/tpm/tspi/crtm.c:
https://review.coreboot.org/c/coreboot/+/35077/54/src/security/tpm/tspi/crtm... PS54, Line 52: static int tcpa_log_initialized; This whole thing with a global variable and several functions seems a bit heavy-handed to me... I think you could've achieved the same by just flipping the lines in my suggestion:
if (ENV_BOOTBLOCK) { static bool initialized = 0; if (!initialized) { initialized = 1; tspi_init_crtm(); } }
But I'm fine with this too if you think it makes the code clearer.
https://review.coreboot.org/c/coreboot/+/35077/54/src/security/tpm/tspi/crtm... PS54, Line 55: if (ENV_DECOMPRESSOR) nit: not wrong, but the decompressor can never include CBFS code anyway so also not really necessary
https://review.coreboot.org/c/coreboot/+/35077/54/src/security/tpm/tspi/crtm... PS54, Line 73: printk(BIOS_INFO, "TSPI: CRTM already initialized!\n"); I don't see why you need this? This should never be printed, right? (Or maybe it does during that recursion thing you mentioned, but then I'm not sure why you'd always want this message to be printed.)
https://review.coreboot.org/c/coreboot/+/35077/54/src/security/tpm/tspi/crtm... PS54, Line 129: "Initializing CRTM failed!"); Should probably return 0 here?
https://review.coreboot.org/c/coreboot/+/35077/54/src/security/vboot/symbols... File src/security/vboot/symbols.h:
https://review.coreboot.org/c/coreboot/+/35077/54/src/security/vboot/symbols... PS54, Line 23: DECLARE_REGION(tpm_tcpa_log) nit: move this to <symbols.h>? (Not really sure why this separate file still exists anyway, we've been throwing all kinds of optional feature or arch specific stuff into <symbols.h> lately.)
Hello Patrick Rudolph, Aaron Durbin, Julius Werner, Frans Hendriks, build bot (Jenkins), Patrick Georgi, Werner Zeh, Wim Vervoorn, Vanessa Eusebio, Philipp Deppenwiese, David Guckian, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#55).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.
In this revision, only the TCPA log is initialized during bootblock. Until the TPM is set up, digests are not measured into the TPM immediately but are only recorded in the TCPA log; right after the TPM is up, they are measured into the TPM by "replaying" the recorded digests.
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
TODO: Measure MRC Cache somewhere, as MRC Cache has never resided in CBFS any more, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M 3rdparty/blobs M src/arch/x86/car.ld M src/include/memlayout.h M src/include/symbols.h M src/lib/cbfs.c M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc M src/security/tpm/tspi.h A src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/log.c M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/symbols.h D src/security/vboot/vboot_crtm.c M src/security/vboot/vboot_logic.c M src/soc/cavium/cn81xx/include/soc/memlayout.ld M src/soc/mediatek/mt8173/include/soc/memlayout.ld M src/soc/mediatek/mt8183/include/soc/memlayout.ld M src/soc/nvidia/tegra124/include/soc/memlayout.ld M src/soc/nvidia/tegra210/include/soc/memlayout.ld M src/soc/samsung/exynos5250/include/soc/memlayout.ld 27 files changed, 327 insertions(+), 302 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/55
build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 55:
(3 comments)
https://review.coreboot.org/c/coreboot/+/35077/55/src/include/memlayout.h File src/include/memlayout.h:
https://review.coreboot.org/c/coreboot/+/35077/55/src/include/memlayout.h@16... PS55, Line 163: #define TPM_TCPA_LOG(addr, size) \ Macros with multiple statements should be enclosed in a do - while loop
https://review.coreboot.org/c/coreboot/+/35077/55/src/include/memlayout.h@16... PS55, Line 163: #define TPM_TCPA_LOG(addr, size) \ macros should not use a trailing semicolon
https://review.coreboot.org/c/coreboot/+/35077/55/src/security/tpm/tspi/crtm... File src/security/tpm/tspi/crtm.c:
https://review.coreboot.org/c/coreboot/+/35077/55/src/security/tpm/tspi/crtm... PS55, Line 129: else else should follow close brace '}'
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 55:
(5 comments)
https://review.coreboot.org/c/coreboot/+/35077/54/src/security/tpm/tspi/crtm... File src/security/tpm/tspi/crtm.c:
https://review.coreboot.org/c/coreboot/+/35077/54/src/security/tpm/tspi/crtm... PS54, Line 52: static int tcpa_log_initialized;
This whole thing with a global variable and several functions seems a bit heavy-handed to me... […]
Done
https://review.coreboot.org/c/coreboot/+/35077/54/src/security/tpm/tspi/crtm... PS54, Line 55: if (ENV_DECOMPRESSOR)
nit: not wrong, but the decompressor can never include CBFS code anyway so also not really necessary
Done
https://review.coreboot.org/c/coreboot/+/35077/54/src/security/tpm/tspi/crtm... PS54, Line 73: printk(BIOS_INFO, "TSPI: CRTM already initialized!\n");
I don't see why you need this? This should never be printed, right? (Or maybe it does during that re […]
Yes, this should never be printed, so it may be useful to catch some unlikely event in which tspi_init_crtm() is entered more than once, so I would like to retain it, but with log level changed to BIOS_WARNING.
https://review.coreboot.org/c/coreboot/+/35077/54/src/security/tpm/tspi/crtm... PS54, Line 129: "Initializing CRTM failed!");
Should probably return 0 here?
fixed as you pointed out, and log level is changed to BIOS_WARNING.
https://review.coreboot.org/c/coreboot/+/35077/54/src/security/vboot/symbols... File src/security/vboot/symbols.h:
https://review.coreboot.org/c/coreboot/+/35077/54/src/security/vboot/symbols... PS54, Line 23: DECLARE_REGION(tpm_tcpa_log)
nit: move this to <symbols. […]
Done
Hello Patrick Rudolph, Aaron Durbin, Julius Werner, Frans Hendriks, build bot (Jenkins), Patrick Georgi, Werner Zeh, Wim Vervoorn, Vanessa Eusebio, Philipp Deppenwiese, David Guckian, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#56).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.
In this revision, only the TCPA log is initialized during bootblock. Until the TPM is set up, digests are not measured into the TPM immediately but are only recorded in the TCPA log; right after the TPM is up, they are measured into the TPM by "replaying" the recorded digests.
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
TODO: Measure MRC Cache somewhere, as MRC Cache has never resided in CBFS any more, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M 3rdparty/blobs M src/arch/x86/car.ld M src/include/memlayout.h M src/include/symbols.h M src/lib/cbfs.c M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc M src/security/tpm/tspi.h A src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/log.c M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/symbols.h D src/security/vboot/vboot_crtm.c M src/security/vboot/vboot_logic.c M src/soc/cavium/cn81xx/include/soc/memlayout.ld M src/soc/mediatek/mt8173/include/soc/memlayout.ld M src/soc/mediatek/mt8183/include/soc/memlayout.ld M src/soc/nvidia/tegra124/include/soc/memlayout.ld M src/soc/nvidia/tegra210/include/soc/memlayout.ld M src/soc/samsung/exynos5250/include/soc/memlayout.ld 27 files changed, 327 insertions(+), 302 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/56
build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 56:
(3 comments)
https://review.coreboot.org/c/coreboot/+/35077/56/src/include/memlayout.h File src/include/memlayout.h:
https://review.coreboot.org/c/coreboot/+/35077/56/src/include/memlayout.h@16... PS56, Line 163: #define TPM_TCPA_LOG(addr, size) \ Macros with multiple statements should be enclosed in a do - while loop
https://review.coreboot.org/c/coreboot/+/35077/56/src/include/memlayout.h@16... PS56, Line 163: #define TPM_TCPA_LOG(addr, size) \ macros should not use a trailing semicolon
https://review.coreboot.org/c/coreboot/+/35077/56/src/security/tpm/tspi/crtm... File src/security/tpm/tspi/crtm.c:
https://review.coreboot.org/c/coreboot/+/35077/56/src/security/tpm/tspi/crtm... PS56, Line 128: } else { else is not generally useful after a break or return
Hello Patrick Rudolph, Aaron Durbin, Julius Werner, Frans Hendriks, build bot (Jenkins), Patrick Georgi, Werner Zeh, Wim Vervoorn, Vanessa Eusebio, Philipp Deppenwiese, David Guckian, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#57).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.
In this revision, only the TCPA log is initialized during bootblock. Until the TPM is set up, digests are not measured into the TPM immediately but are only recorded in the TCPA log; right after the TPM is up, they are measured into the TPM by "replaying" the recorded digests.
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
TODO: Measure MRC Cache somewhere, as MRC Cache has never resided in CBFS any more, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/include/memlayout.h M src/include/symbols.h M src/lib/cbfs.c M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc M src/security/tpm/tspi.h A src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/log.c M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/symbols.h D src/security/vboot/vboot_crtm.c M src/security/vboot/vboot_logic.c M src/soc/cavium/cn81xx/include/soc/memlayout.ld M src/soc/mediatek/mt8173/include/soc/memlayout.ld M src/soc/mediatek/mt8183/include/soc/memlayout.ld M src/soc/nvidia/tegra124/include/soc/memlayout.ld M src/soc/nvidia/tegra210/include/soc/memlayout.ld M src/soc/samsung/exynos5250/include/soc/memlayout.ld 26 files changed, 326 insertions(+), 301 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/57
build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 57:
(3 comments)
https://review.coreboot.org/c/coreboot/+/35077/57/src/include/memlayout.h File src/include/memlayout.h:
https://review.coreboot.org/c/coreboot/+/35077/57/src/include/memlayout.h@16... PS57, Line 163: #define TPM_TCPA_LOG(addr, size) \ Macros with multiple statements should be enclosed in a do - while loop
https://review.coreboot.org/c/coreboot/+/35077/57/src/include/memlayout.h@16... PS57, Line 163: #define TPM_TCPA_LOG(addr, size) \ macros should not use a trailing semicolon
https://review.coreboot.org/c/coreboot/+/35077/57/src/security/tpm/tspi/crtm... File src/security/tpm/tspi/crtm.c:
https://review.coreboot.org/c/coreboot/+/35077/57/src/security/tpm/tspi/crtm... PS57, Line 128: } else { else is not generally useful after a break or return
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 57:
(3 comments)
https://review.coreboot.org/c/coreboot/+/35077/54/src/drivers/pc80/tpm/Makef... File src/drivers/pc80/tpm/Makefile.inc:
https://review.coreboot.org/c/coreboot/+/35077/54/src/drivers/pc80/tpm/Makef... PS54, Line 5: bootblock-$(CONFIG_LPC_TPM) += tis.c
No longer necessary.
Done
https://review.coreboot.org/c/coreboot/+/35077/54/src/lib/bootblock.c File src/lib/bootblock.c:
https://review.coreboot.org/c/coreboot/+/35077/54/src/lib/bootblock.c@24 PS54, Line 24: #include <security/tpm/tspi/crtm.h>
No longer necessary.
Done
https://review.coreboot.org/c/coreboot/+/35077/55/src/security/tpm/tspi/crtm... File src/security/tpm/tspi/crtm.c:
https://review.coreboot.org/c/coreboot/+/35077/55/src/security/tpm/tspi/crtm... PS55, Line 129: else
else should follow close brace '}'
Done
build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 58:
(3 comments)
https://review.coreboot.org/c/coreboot/+/35077/58/src/include/memlayout.h File src/include/memlayout.h:
https://review.coreboot.org/c/coreboot/+/35077/58/src/include/memlayout.h@16... PS58, Line 163: #define TPM_TCPA_LOG(addr, size) \ Macros with multiple statements should be enclosed in a do - while loop
https://review.coreboot.org/c/coreboot/+/35077/58/src/include/memlayout.h@16... PS58, Line 163: #define TPM_TCPA_LOG(addr, size) \ macros should not use a trailing semicolon
https://review.coreboot.org/c/coreboot/+/35077/58/src/security/tpm/tspi/crtm... File src/security/tpm/tspi/crtm.c:
https://review.coreboot.org/c/coreboot/+/35077/58/src/security/tpm/tspi/crtm... PS58, Line 128: } else { else is not generally useful after a break or return
Hello Patrick Rudolph, Aaron Durbin, Julius Werner, Frans Hendriks, build bot (Jenkins), Patrick Georgi, Werner Zeh, Wim Vervoorn, Vanessa Eusebio, Philipp Deppenwiese, David Guckian, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#59).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.
In this revision, only the TCPA log is initialized during bootblock. Until the TPM is set up, digests are not measured into the TPM immediately but are only recorded in the TCPA log; right after the TPM is up, they are measured into the TPM by "replaying" the recorded digests.
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
TODO: Measure MRC Cache somewhere, as MRC Cache has never resided in CBFS any more, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/include/memlayout.h M src/include/symbols.h M src/lib/cbfs.c M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc M src/security/tpm/tspi.h A src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/log.c M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/symbols.h D src/security/vboot/vboot_crtm.c M src/security/vboot/vboot_logic.c M src/soc/cavium/cn81xx/include/soc/memlayout.ld M src/soc/mediatek/mt8173/include/soc/memlayout.ld M src/soc/mediatek/mt8183/include/soc/memlayout.ld M src/soc/nvidia/tegra124/include/soc/memlayout.ld M src/soc/nvidia/tegra210/include/soc/memlayout.ld M src/soc/samsung/exynos5250/include/soc/memlayout.ld 26 files changed, 325 insertions(+), 301 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/59
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 59:
(1 comment)
https://review.coreboot.org/c/coreboot/+/35077/58/src/security/tpm/tspi/crtm... File src/security/tpm/tspi/crtm.c:
https://review.coreboot.org/c/coreboot/+/35077/58/src/security/tpm/tspi/crtm... PS58, Line 128: } else {
else is not generally useful after a break or return
Done
build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 59:
(2 comments)
https://review.coreboot.org/c/coreboot/+/35077/59/src/include/memlayout.h File src/include/memlayout.h:
https://review.coreboot.org/c/coreboot/+/35077/59/src/include/memlayout.h@16... PS59, Line 163: #define TPM_TCPA_LOG(addr, size) \ Macros with multiple statements should be enclosed in a do - while loop
https://review.coreboot.org/c/coreboot/+/35077/59/src/include/memlayout.h@16... PS59, Line 163: #define TPM_TCPA_LOG(addr, size) \ macros should not use a trailing semicolon
build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 60:
(2 comments)
https://review.coreboot.org/c/coreboot/+/35077/60/src/include/memlayout.h File src/include/memlayout.h:
https://review.coreboot.org/c/coreboot/+/35077/60/src/include/memlayout.h@16... PS60, Line 163: #define TPM_TCPA_LOG(addr, size) \ Macros with multiple statements should be enclosed in a do - while loop
https://review.coreboot.org/c/coreboot/+/35077/60/src/include/memlayout.h@16... PS60, Line 163: #define TPM_TCPA_LOG(addr, size) \ macros should not use a trailing semicolon
Hello Patrick Rudolph, Aaron Durbin, Julius Werner, Frans Hendriks, build bot (Jenkins), Patrick Georgi, Werner Zeh, Wim Vervoorn, Vanessa Eusebio, Philipp Deppenwiese, David Guckian, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#61).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.
In this revision, only the TCPA log is initialized during bootblock. Until the TPM is set up, digests are not measured into the TPM immediately but are only recorded in the TCPA log; right after the TPM is up, they are measured into the TPM by "replaying" the recorded digests.
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
From this revision on, cbfs_locate_file_in_region() is also hooked to measurement, unless in ENV_SMM.
TODO: Measure MRC Cache somewhere, as MRC Cache has never resided in CBFS any more, so it cannot be covered by tspi_measure_cbfs_hook().
TODO: Make measurement work in smm (e.g. SMMSTORE as runtime data).
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/include/memlayout.h M src/include/symbols.h M src/lib/cbfs.c M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc M src/security/tpm/tspi.h A src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/log.c M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/symbols.h D src/security/vboot/vboot_crtm.c M src/security/vboot/vboot_logic.c M src/soc/cavium/cn81xx/include/soc/memlayout.ld M src/soc/mediatek/mt8173/include/soc/memlayout.ld M src/soc/mediatek/mt8183/include/soc/memlayout.ld M src/soc/nvidia/tegra124/include/soc/memlayout.ld M src/soc/nvidia/tegra210/include/soc/memlayout.ld M src/soc/samsung/exynos5250/include/soc/memlayout.ld 26 files changed, 338 insertions(+), 303 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/61
build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 61:
(2 comments)
https://review.coreboot.org/c/coreboot/+/35077/61/src/include/memlayout.h File src/include/memlayout.h:
https://review.coreboot.org/c/coreboot/+/35077/61/src/include/memlayout.h@16... PS61, Line 163: #define TPM_TCPA_LOG(addr, size) \ Macros with multiple statements should be enclosed in a do - while loop
https://review.coreboot.org/c/coreboot/+/35077/61/src/include/memlayout.h@16... PS61, Line 163: #define TPM_TCPA_LOG(addr, size) \ macros should not use a trailing semicolon
Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 61:
(2 comments)
https://review.coreboot.org/c/coreboot/+/35077/61/src/lib/cbfs.c File src/lib/cbfs.c:
https://review.coreboot.org/c/coreboot/+/35077/61/src/lib/cbfs.c@105 PS61, Line 105: return ret; This is changing what files we measure (whereas the rest of your patch changes a lot of the inner workings of measurement but not the end result), so if you want this I think you should put it in a separate patch.
https://review.coreboot.org/c/coreboot/+/35077/61/src/security/tpm/tspi/crtm... File src/security/tpm/tspi/crtm.c:
https://review.coreboot.org/c/coreboot/+/35077/61/src/security/tpm/tspi/crtm... PS61, Line 143: case CBFS_TYPE_MRC: This, too, is probably correct but should be a separate patch.
Hello Patrick Rudolph, Aaron Durbin, Julius Werner, Frans Hendriks, build bot (Jenkins), Patrick Georgi, Werner Zeh, Wim Vervoorn, Vanessa Eusebio, Philipp Deppenwiese, David Guckian, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#62).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.
In this revision, only the TCPA log is initialized during bootblock. Until the TPM is set up, digests are not measured into the TPM immediately but are only recorded in the TCPA log; right after the TPM is up, they are measured into the TPM by "replaying" the recorded digests.
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
TODO: Measure MRC Cache somewhere, as MRC Cache has never resided in CBFS any more, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/include/memlayout.h M src/include/symbols.h M src/lib/cbfs.c M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc M src/security/tpm/tspi.h A src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/log.c M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/symbols.h D src/security/vboot/vboot_crtm.c M src/security/vboot/vboot_logic.c M src/soc/cavium/cn81xx/include/soc/memlayout.ld M src/soc/mediatek/mt8173/include/soc/memlayout.ld M src/soc/mediatek/mt8183/include/soc/memlayout.ld M src/soc/nvidia/tegra124/include/soc/memlayout.ld M src/soc/nvidia/tegra210/include/soc/memlayout.ld M src/soc/samsung/exynos5250/include/soc/memlayout.ld 26 files changed, 325 insertions(+), 301 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/62
build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 62:
(2 comments)
https://review.coreboot.org/c/coreboot/+/35077/62/src/include/memlayout.h File src/include/memlayout.h:
https://review.coreboot.org/c/coreboot/+/35077/62/src/include/memlayout.h@16... PS62, Line 163: #define TPM_TCPA_LOG(addr, size) \ Macros with multiple statements should be enclosed in a do - while loop
https://review.coreboot.org/c/coreboot/+/35077/62/src/include/memlayout.h@16... PS62, Line 163: #define TPM_TCPA_LOG(addr, size) \ macros should not use a trailing semicolon
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 62:
(1 comment)
https://review.coreboot.org/c/coreboot/+/35077/61/src/lib/cbfs.c File src/lib/cbfs.c:
https://review.coreboot.org/c/coreboot/+/35077/61/src/lib/cbfs.c@105 PS61, Line 105: return ret;
This is changing what files we measure (whereas the rest of your patch changes a lot of the inner wo […]
Okay, I am going to revert it.
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 62:
(1 comment)
https://review.coreboot.org/c/coreboot/+/35077/61/src/lib/cbfs.c File src/lib/cbfs.c:
https://review.coreboot.org/c/coreboot/+/35077/61/src/lib/cbfs.c@105 PS61, Line 105: return ret;
Okay, I am going to revert it.
They are a separate patch CB:38858 now.
Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 62: Code-Review+1
build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 63:
(2 comments)
https://review.coreboot.org/c/coreboot/+/35077/63/src/include/memlayout.h File src/include/memlayout.h:
https://review.coreboot.org/c/coreboot/+/35077/63/src/include/memlayout.h@16... PS63, Line 163: #define TPM_TCPA_LOG(addr, size) \ Macros with multiple statements should be enclosed in a do - while loop
https://review.coreboot.org/c/coreboot/+/35077/63/src/include/memlayout.h@16... PS63, Line 163: #define TPM_TCPA_LOG(addr, size) \ macros should not use a trailing semicolon
Patrick Rudolph has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 63: Code-Review-1
That turns CONFIG_MEASURED_BOOT into something out of scope of TCG measured boot. You can no longer call it CRTM. It doesn't even make sense to measure most stuff at runtime, you could calculate the hashes when generating the ROM, as you extend everything in ramstage anyway. Please also add proper documentation of this approach in Documentation/.
Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 63:
Hi Patrick, can you clarify your concern? Do you think this approach is somehow less reliable than the previous one? If VBOOT is enabled, then all of coreboot is verified (and therefore trusted) anyway, so I don't see how it makes a difference at what point exactly in coreboot we're writing the hashes to the TPM. If VBOOT isn't enabled, you can't trust any of the code and a malicious bootblock/verstage could have extended bad hashes already. In essence this is not doing anything that the older version didn't already do for bootblock and verstage, it's just doing that for romstage and ramstage as well because it greatly simplifies the design.
Philipp Deppenwiese has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 63: Code-Review-2
Replaying TCPA log measurements isn't a good idea. Breaks our measured boot implementation
Philipp Deppenwiese has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 63:
@persmule Please contact me through slack
Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 63:
Replaying TCPA log measurements isn't a good idea. Breaks our measured boot implementation
Again, would you mind clarifying your concern? How does this "break" anything? The measured values at the end should be the same, and so are the security guarantees (as I explained above).
build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 63:
(2 comments)
https://review.coreboot.org/c/coreboot/+/35077/63/src/include/memlayout.h File src/include/memlayout.h:
https://review.coreboot.org/c/coreboot/+/35077/63/src/include/memlayout.h@16... PS63, Line 163: #define TPM_TCPA_LOG(addr, size) \ Macros with multiple statements should be enclosed in a do - while loop
https://review.coreboot.org/c/coreboot/+/35077/63/src/include/memlayout.h@16... PS63, Line 163: #define TPM_TCPA_LOG(addr, size) \ macros should not use a trailing semicolon
Philipp Deppenwiese has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 63:
As Patrick already pointed out, this implementation isn't TCG compatible. Using a TCPA log for adding measurements later in a bootflow can lead to security issues. We use the measured boot implementation for customers who require TCG compatibility.
Werner Zeh has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 63: Code-Review-1
The current implementation ensures that, once CRTM is initialized in an early stage (let's say verstage), the rest of the stages are trustworthy as they are measured into a PCR _before_ they are executed. So you just need to make sure that the SPI flash contents up to and including that early stage are trustworthy; the rest of the stages are then captured by the measurement.
Moving this "root of trust" into the latest stage (ramstage) by just replaying the TCPA log into the PCRs there leads to the situation that all the stages up to and including ramstage are not trustworthy anymore, as one can change the code to just mimic the needed PCR values.
Maybe someone uses the current measured boot in a slightly different manner than how it used to be used in a pure VBOOT environment, without a strict RO partition in the flash, and has a different way of ensuring the trust of the flash contents (I remember that eltan did something like this, see [1]). In this situation it is much easier to ensure the integrity of just bootblock and verstage instead of checking all the stages.
[1] https://www.youtube.com/watch?v=D4oQjcP6AVI&list=PLiWdJ1SEk1_A5lAhz6jnqs...
Patrick Rudolph has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 63:
Patch Set 63:
Hi Patrick, can you clarify your concern? Do you think this approach is somehow less reliable than the previous one? If VBOOT is enabled, then all of coreboot is verified (and therefore trusted) anyway, so I don't see how it makes a difference at what point exactly in coreboot we're writing the hashes to the TPM. If VBOOT isn't enabled, you can't trust any of the code and a malicious bootblock/verstage could have extended bad hashes already. In essence this is not doing anything that the older version didn't already do for bootblock and verstage, it's just doing that for romstage and ramstage as well because it greatly simplifies the design.
I fully understand the technical reasons to replay the TCPA log and that it simplifies the design a lot. In case of disabled VBOOT you could still write-protect the bootblock (CB:32705 could be extended to do that), which acts then as CRTM and then do a measured boot.
A *measured boot* is by definition extending the PCR *before* running the measured code. However, by only putting it into the TCPA log, it's not a measured boot at all. I'm fine with this commit as long as it is documented and called "hashed boot" or something.
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 63:
Let me summarize the history of this patch:
After most platforms switched to C_ENVIRONMENT_BOOTBLOCK, I have been improving this patch following the ORIGINAL way: initialize the TPM in bootblock, and measure components of CRTM right after it. But on some platforms the bootblock is too small to link with the vboot library and TPM initialization code (recorded in patchsets 27~33). These platforms usually need a verstage if VBOOT is enabled. I managed to handle this by letting these platforms initialize the TPM and CRTM in romstage, like how it is done in patchset 7. The last revision working in this way is patchset 41.
On the other hand, Julius Werner started to propose his scheme, in which digests are "cached" in TCPA log and "replayed" to PCR after TPM is Initialized, since patchset 6, and he advised me again, in patchset 40, after I met the obstacle described above, to follow his scheme, as done in revisions after patchset 41.
If Julius' scheme breaks the standard, I can revert to patchset 41 or even much earlier revision as the base for further development, but now the key problem is, what is the most proper stage in which TPM is initialized, and CRTM is settled? At least I have no idea of this.
Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 63:
A *measured boot* is by definition extending the PCR *before* running the measured code. However by only putting it into TCPA log it's no a measured boot at all.
Well, you're not doing that either, so I don't see why one of these implementations should somehow be allowed to call itself "measured boot" or considered compliant to some spec in a way the other isn't. Philipp's original implementation measures the bootblock and verstage long after they've started running already.
Maybe someone uses current measured boot in a slightly different manner than it used to be used in a pure VBOOT environment, without a strict RO partition in the flash and have a different way of ensuring the trust of the flash contents (I remember that eltan did something like this, see [1]). In this situation it is way more easier to ensure the integrity of just bootblock and verstage instead of checking all the stages.
I think our overall goal with adding security features to coreboot should be to have enough flexibility to support everyone's high-level use cases without making an unmaintainable mess of things. Right now the two trust models we support are essentially a) run VBOOT and write-protect RO_SECTION and b) don't run VBOOT and write-protect the whole CBFS. In both of these, as long as your bootblock is trusted your ramstage is guaranteed to be trusted as well, so I don't see the point of treating the two in any way different for measurement purposes.
It would be nice to support more models in the future (and I'm actively working on something that can chain trust from the bootblock through all stages to allow other trust anchors like BootGuard), but they need to be reasonably designed. I don't think "maybe someone trusts their verstage but not their ramstage" is a useful model -- I don't see how anything in coreboot currently supports that, and I can't think of a real scenario where that would be useful. Eltan is doing a bunch of weird stuff in their vendorcode but they're running their own measurement solution there anyway (and the point of vendorcode is also that vendors throw whatever they want in there but in return they can't expect the rest of the community to maintain it for them).
The fundamental problem is that we need to start measuring *somewhere*, and you will always have this issue that stages which came before that have to be backfilled somehow. Doing it in verstage doesn't really work because builds without CONFIG(VBOOT) don't have that stage. Bill tried writing code that puts it in the bootblock but that becomes a mess because many platforms are already at the very edge of what their bootblocks can fit and TPM drivers aren't small. ramstage is really the best spot for this -- we already have the TPM driver there anyway and there are the fewest size restrictions. In all the security models we support, you either cannot trust any part of coreboot (then even doing it in the bootblock is not good enough) or you are verified all the way through to ramstage and doing it there is just as secure as doing it earlier. It makes the design easier and I really don't see the downside.
Hello Patrick Rudolph, Aaron Durbin, Julius Werner, Frans Hendriks, build bot (Jenkins), Patrick Georgi, Werner Zeh, Wim Vervoorn, Vanessa Eusebio, Philipp Deppenwiese, David Guckian, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#64).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
Currently, in this change, TPM and CRTM init is done before the C_ENVIRONMENT bootblock loads romstage if the bootblock has enough space (greater than 32KiB, controlled by flag TSPI_CRTM_INIT_OUTSIDE_BOOTBLOCK); otherwise, CRTM is initialized in romstage with a cbfs_locator hook, or along with vboot if it is enabled.
TODO: Measure the MRC cache somewhere; it no longer resides in CBFS, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/cpu/amd/agesa/Kconfig M src/cpu/amd/pi/Kconfig M src/cpu/intel/slot_1/Kconfig M src/cpu/intel/socket_441/Kconfig M src/cpu/intel/socket_m/Kconfig M src/drivers/pc80/tpm/Makefile.inc M src/include/bootmode.h M src/lib/bootblock.c M src/lib/cbfs.c M src/mainboard/aopen/dxplplusu/Kconfig M src/mainboard/emulation/qemu-i440fx/Kconfig M src/mainboard/emulation/qemu-q35/Kconfig M src/mainboard/portwell/m107/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc R src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/vboot_common.h M src/security/vboot/vboot_logic.c M src/soc/amd/common/block/acpi/acpi.c M src/soc/intel/apollolake/Kconfig M src/soc/intel/baytrail/pmutil.c M src/soc/intel/braswell/Kconfig M src/soc/intel/braswell/pmutil.c M src/soc/intel/broadwell/pmutil.c M src/soc/intel/common/block/pmc/pmclib.c M src/soc/intel/denverton_ns/Kconfig M src/soc/intel/icelake/Kconfig M src/soc/intel/quark/Kconfig M src/southbridge/intel/common/pmbase.c M src/vendorcode/eltan/security/verified_boot/vboot_check.c 39 files changed, 233 insertions(+), 110 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/64
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 64:
Reverted to patchset 41 and rebased. I am going to gradually port a lot of the minor changes made in previous versions.
Hello Patrick Rudolph, Aaron Durbin, Julius Werner, Frans Hendriks, build bot (Jenkins), Patrick Georgi, Werner Zeh, Wim Vervoorn, Vanessa Eusebio, Philipp Deppenwiese, David Guckian, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#65).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
Currently, in this change, TPM and CRTM init is done before the C_ENVIRONMENT bootblock loads romstage if the bootblock has enough space (greater than 32KiB, controlled by flag TPM_CRTM_INIT_OUTSIDE_BOOTBLOCK); otherwise, CRTM is initialized in romstage with a cbfs_locator hook, or along with vboot if it is enabled.
TODO: Measure the MRC cache somewhere; it no longer resides in CBFS, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/cpu/amd/agesa/Kconfig M src/cpu/amd/pi/Kconfig M src/cpu/intel/slot_1/Kconfig M src/cpu/intel/socket_441/Kconfig M src/cpu/intel/socket_m/Kconfig M src/drivers/pc80/tpm/Makefile.inc M src/include/bootmode.h M src/lib/bootblock.c M src/lib/cbfs.c M src/mainboard/aopen/dxplplusu/Kconfig M src/mainboard/emulation/qemu-i440fx/Kconfig M src/mainboard/emulation/qemu-q35/Kconfig M src/mainboard/portwell/m107/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc R src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/vboot_common.h M src/security/vboot/vboot_logic.c M src/soc/amd/common/block/acpi/acpi.c M src/soc/intel/apollolake/Kconfig M src/soc/intel/baytrail/pmutil.c M src/soc/intel/braswell/Kconfig M src/soc/intel/braswell/pmutil.c M src/soc/intel/broadwell/pmutil.c M src/soc/intel/common/block/pmc/pmclib.c M src/soc/intel/denverton_ns/Kconfig M src/soc/intel/icelake/Kconfig M src/soc/intel/quark/Kconfig M src/southbridge/intel/common/pmbase.c M src/vendorcode/eltan/security/verified_boot/vboot_check.c 39 files changed, 233 insertions(+), 110 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/65
Hello Patrick Rudolph, Aaron Durbin, Julius Werner, Frans Hendriks, build bot (Jenkins), Patrick Georgi, Werner Zeh, Wim Vervoorn, Vanessa Eusebio, Philipp Deppenwiese, David Guckian, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#66).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
Currently, in this change, TPM and CRTM init is done before the C_ENVIRONMENT bootblock loads romstage if the bootblock has enough space (greater than 32KiB, controlled by flag TPM_CRTM_INIT_OUTSIDE_BOOTBLOCK); otherwise, CRTM is initialized in romstage with a cbfs_locator hook, or along with vboot if it is enabled.
TODO: Measure the MRC cache somewhere; it no longer resides in CBFS, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/cpu/amd/agesa/Kconfig M src/cpu/amd/pi/Kconfig M src/cpu/intel/slot_1/Kconfig M src/cpu/intel/socket_441/Kconfig M src/cpu/intel/socket_m/Kconfig M src/drivers/pc80/tpm/Makefile.inc M src/include/bootmode.h M src/include/memlayout.h M src/include/symbols.h M src/lib/bootblock.c M src/lib/cbfs.c M src/mainboard/aopen/dxplplusu/Kconfig M src/mainboard/emulation/qemu-i440fx/Kconfig M src/mainboard/emulation/qemu-q35/Kconfig M src/mainboard/portwell/m107/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc R src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/log.c M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/symbols.h M src/security/vboot/vboot_common.h M src/security/vboot/vboot_logic.c M src/soc/amd/common/block/acpi/acpi.c M src/soc/cavium/cn81xx/include/soc/memlayout.ld M src/soc/intel/apollolake/Kconfig M src/soc/intel/baytrail/pmutil.c M src/soc/intel/braswell/Kconfig M src/soc/intel/braswell/pmutil.c M src/soc/intel/broadwell/pmutil.c M src/soc/intel/common/block/pmc/pmclib.c M src/soc/intel/denverton_ns/Kconfig M src/soc/intel/icelake/Kconfig M src/soc/intel/quark/Kconfig M src/soc/mediatek/mt8173/include/soc/memlayout.ld M src/soc/mediatek/mt8183/include/soc/memlayout.ld M src/soc/nvidia/tegra124/include/soc/memlayout.ld M src/soc/nvidia/tegra210/include/soc/memlayout.ld M src/soc/samsung/exynos5250/include/soc/memlayout.ld M src/southbridge/intel/common/pmbase.c M src/vendorcode/eltan/security/verified_boot/vboot_check.c 49 files changed, 251 insertions(+), 127 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/66
build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 66:
(2 comments)
https://review.coreboot.org/c/coreboot/+/35077/66/src/include/memlayout.h File src/include/memlayout.h:
https://review.coreboot.org/c/coreboot/+/35077/66/src/include/memlayout.h@16... PS66, Line 163: #define TPM_TCPA_LOG(addr, size) \ Macros with multiple statements should be enclosed in a do - while loop
https://review.coreboot.org/c/coreboot/+/35077/66/src/include/memlayout.h@16... PS66, Line 163: #define TPM_TCPA_LOG(addr, size) \ macros should not use a trailing semicolon
Hello Patrick Rudolph, Aaron Durbin, Julius Werner, Frans Hendriks, build bot (Jenkins), Patrick Georgi, Werner Zeh, Wim Vervoorn, Vanessa Eusebio, Philipp Deppenwiese, David Guckian, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#67).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
Currently, in this change, TPM and CRTM init is done before the C_ENVIRONMENT bootblock loads romstage if the bootblock has enough space (greater than 32KiB, controlled by flag TPM_CRTM_INIT_OUTSIDE_BOOTBLOCK); otherwise, CRTM is initialized in romstage with a cbfs_locator hook, or along with vboot if it is enabled.
TODO: Measure the MRC cache somewhere; it no longer resides in CBFS, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/cpu/amd/agesa/Kconfig M src/cpu/amd/pi/Kconfig M src/cpu/intel/slot_1/Kconfig M src/cpu/intel/socket_441/Kconfig M src/cpu/intel/socket_m/Kconfig M src/drivers/pc80/tpm/Makefile.inc M src/include/bootmode.h M src/include/memlayout.h M src/include/symbols.h M src/lib/bootblock.c M src/lib/cbfs.c M src/mainboard/aopen/dxplplusu/Kconfig M src/mainboard/emulation/qemu-i440fx/Kconfig M src/mainboard/emulation/qemu-q35/Kconfig M src/mainboard/portwell/m107/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc R src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/log.c M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/symbols.h M src/security/vboot/vboot_common.h M src/security/vboot/vboot_logic.c M src/soc/amd/common/block/acpi/acpi.c M src/soc/cavium/cn81xx/include/soc/memlayout.ld M src/soc/intel/apollolake/Kconfig M src/soc/intel/baytrail/pmutil.c M src/soc/intel/braswell/Kconfig M src/soc/intel/braswell/pmutil.c M src/soc/intel/broadwell/pmutil.c M src/soc/intel/common/block/pmc/pmclib.c M src/soc/intel/denverton_ns/Kconfig M src/soc/intel/icelake/Kconfig M src/soc/intel/quark/Kconfig M src/soc/mediatek/mt8173/include/soc/memlayout.ld M src/soc/mediatek/mt8183/include/soc/memlayout.ld M src/soc/nvidia/tegra124/include/soc/memlayout.ld M src/soc/nvidia/tegra210/include/soc/memlayout.ld M src/soc/samsung/exynos5250/include/soc/memlayout.ld M src/southbridge/intel/common/pmbase.c M src/vendorcode/eltan/security/verified_boot/vboot_check.c 49 files changed, 251 insertions(+), 127 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/67
build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 67:
(2 comments)
https://review.coreboot.org/c/coreboot/+/35077/67/src/include/memlayout.h File src/include/memlayout.h:
https://review.coreboot.org/c/coreboot/+/35077/67/src/include/memlayout.h@16... PS67, Line 163: #define TPM_TCPA_LOG(addr, size) \ Macros with multiple statements should be enclosed in a do - while loop
https://review.coreboot.org/c/coreboot/+/35077/67/src/include/memlayout.h@16... PS67, Line 163: #define TPM_TCPA_LOG(addr, size) \ macros should not use a trailing semicolon
Patrick Rudolph has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 67: Code-Review+1
(1 comment)
https://review.coreboot.org/c/coreboot/+/35077/67/src/soc/intel/braswell/pmu... File src/soc/intel/braswell/pmutil.c:
https://review.coreboot.org/c/coreboot/+/35077/67/src/soc/intel/braswell/pmu... PS67, Line 386: int platform_is_resuming(void) that rename can easily be factored out in a separate commit
Hello Patrick Rudolph, Aaron Durbin, Julius Werner, Frans Hendriks, build bot (Jenkins), Patrick Georgi, Werner Zeh, Wim Vervoorn, Vanessa Eusebio, Philipp Deppenwiese, David Guckian, Martin Roth,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#68).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
Currently, in this change, TPM and CRTM init is done before the C_ENVIRONMENT bootblock loads romstage if the bootblock has enough space (greater than 32KiB, controlled by flag TPM_CRTM_INIT_OUTSIDE_BOOTBLOCK); otherwise, CRTM is initialized in romstage with a cbfs_locator hook, or along with vboot if it is enabled.
TODO: Measure the MRC cache somewhere; it no longer resides in CBFS, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/cpu/amd/agesa/Kconfig M src/cpu/amd/pi/Kconfig M src/cpu/intel/slot_1/Kconfig M src/cpu/intel/socket_441/Kconfig M src/cpu/intel/socket_m/Kconfig M src/drivers/pc80/tpm/Makefile.inc M src/include/memlayout.h M src/include/symbols.h M src/lib/bootblock.c M src/lib/cbfs.c M src/mainboard/aopen/dxplplusu/Kconfig M src/mainboard/emulation/qemu-i440fx/Kconfig M src/mainboard/emulation/qemu-q35/Kconfig M src/mainboard/portwell/m107/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc R src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/log.c M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/symbols.h M src/security/vboot/vboot_logic.c M src/soc/cavium/cn81xx/include/soc/memlayout.ld M src/soc/intel/apollolake/Kconfig M src/soc/intel/braswell/Kconfig M src/soc/intel/denverton_ns/Kconfig M src/soc/intel/icelake/Kconfig M src/soc/intel/quark/Kconfig M src/soc/mediatek/mt8173/include/soc/memlayout.ld M src/soc/mediatek/mt8183/include/soc/memlayout.ld M src/soc/nvidia/tegra124/include/soc/memlayout.ld M src/soc/nvidia/tegra210/include/soc/memlayout.ld M src/soc/samsung/exynos5250/include/soc/memlayout.ld 40 files changed, 220 insertions(+), 102 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/68
build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 68:
(2 comments)
https://review.coreboot.org/c/coreboot/+/35077/68/src/include/memlayout.h File src/include/memlayout.h:
https://review.coreboot.org/c/coreboot/+/35077/68/src/include/memlayout.h@16... PS68, Line 163: #define TPM_TCPA_LOG(addr, size) \ Macros with multiple statements should be enclosed in a do - while loop
https://review.coreboot.org/c/coreboot/+/35077/68/src/include/memlayout.h@16... PS68, Line 163: #define TPM_TCPA_LOG(addr, size) \ macros should not use a trailing semicolon
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 68:
(1 comment)
https://review.coreboot.org/c/coreboot/+/35077/67/src/soc/intel/braswell/pmu... File src/soc/intel/braswell/pmutil.c:
https://review.coreboot.org/c/coreboot/+/35077/67/src/soc/intel/braswell/pmu... PS67, Line 386: int platform_is_resuming(void)
that rename can easily be factored out in a separate commit
Done. It becomes CB:39103.
Philipp Deppenwiese has removed a vote from this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Removed Code-Review-2 by Philipp Deppenwiese zaolin.daisuki@gmail.com
Philipp Deppenwiese has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 68:
@persmule Do we need TPM_CRTM_INIT_OUTSIDE_BOOTBLOCK to be mainboard-specific? We could add it to the src/soc/*/*/Kconfig instead.
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 68:
Patch Set 68:
@persmule Do we need TPM_CRTM_INIT_OUTSIDE_BOOTBLOCK mainboard specific. We could add it to the src/soc/*/*/Kconfig instead.
Currently it is CPU-specific. I add this flag to platforms where C_ENV_BOOTBLOCK_SIZE < 0x10000.
It has been added to src/soc/intel/braswell/Kconfig, src/soc/intel/denverton_ns/Kconfig, src/soc/intel/icelake/Kconfig, src/soc/intel/apollolake/Kconfig, src/soc/intel/quark/Kconfig.
Could the comparison be made in Kconfig, or could we just put a condition on (CONFIG(C_ENV_BOOTBLOCK_SIZE) < 0x10000) in C code?
build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 69:
(2 comments)
https://review.coreboot.org/c/coreboot/+/35077/69/src/include/memlayout.h File src/include/memlayout.h:
https://review.coreboot.org/c/coreboot/+/35077/69/src/include/memlayout.h@16... PS69, Line 163: #define TPM_TCPA_LOG(addr, size) \ Macros with multiple statements should be enclosed in a do - while loop
https://review.coreboot.org/c/coreboot/+/35077/69/src/include/memlayout.h@16... PS69, Line 163: #define TPM_TCPA_LOG(addr, size) \ macros should not use a trailing semicolon
Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 69: Code-Review-2
Sorry, but this is making a giant mess of things again. We're now up to three different configurations (start extending in bootblock, verstage, or romstage), and the code is littered all over the place.
I just want to clarify (because I actually forgot that myself halfway through the discussion) that *Patchset 61 actually changes nothing about when hashes get extended to the TPM when CONFIG(VBOOT) is enabled!* In the Patchset 61 version, hashes are written to the TPM as soon as tspi_tpm_is_setup() returns true, which it does after tpm_setup() runs. When CONFIG(VBOOT) is enabled, that happens in verstage! So the TCPA log replay (which happens as part of tpm_setup()) also happens in verstage. The only hashes that actually get replayed from memory in this configuration are the bootblock and verstage themselves, which the old version would manually measure after the fact at that same point. For CONFIG(VBOOT) builds, this doesn't write anything to the TPM at a later point than the old version did (and it actually also measures other platform-specific files that the bootblock might load, which was a hole in the old version).
So can we please go back to discussing the problem with that approach? Because it really doesn't change anything for the configuration you care about.
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 69:
We're now up to three different configurations (start extending in bootblock, verstage, or romstage)
What should I do to make this patchset acceptable for YOU? The current COUPLED measurement also starts extending in bootblock, verstage, or romstage, since "verstage" could be a part of bootblock on platforms with enough space for it.
Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 69:
What should I do to make this patchset acceptable for YOU? The current COUPLED measurement also starts extending in bootblock, verstage, or romstage, since "verstage" could be a part of bootblock on platforms with enough space for it.
I really want a clear explanation for and discussion on why the patch set 63 approach does not work from the people who -2ed it. I have now asked for this *multiple* times (both here and on other channels) and there's nothing but silence coming back. Just crapping all over a CL with vague concerns but completely refusing to discuss it in detail is not a proper way to collaborate on an open-source project.
The other approach is just plain *better*. It is a lot cleaner, keeps dependencies from spreading all over the place, covers edge cases that even the current implementation doesn't and *does not change anything about when stuff is measured for the current use cases!* If you want to make progress on this CL, please revert to that patch set and I will +2 it. If we then see -2s again without willingness to discuss on a technical level I will escalate the matter as necessary.
Hello build bot (Jenkins), Patrick Georgi, Frans Hendriks, Julius Werner, Patrick Rudolph, Aaron Durbin, Philipp Deppenwiese, David Guckian, Martin Roth, Vanessa Eusebio, Werner Zeh, Wim Vervoorn,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#70).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.
In this revision, only the TCPA log is initialized during bootblock. Until the TPM is set up, digests are not extended into the TPM but only recorded in the TCPA log; right after the TPM is up, they are extended into the TPM by "replaying" the recorded digests.
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
TODO: Measure MRC Cache somewhere, as MRC Cache has never resided in CBFS any more, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/include/memlayout.h M src/include/symbols.h M src/lib/cbfs.c M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc M src/security/tpm/tspi.h A src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/log.c M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/symbols.h D src/security/vboot/vboot_crtm.c M src/security/vboot/vboot_logic.c M src/soc/cavium/cn81xx/include/soc/memlayout.ld M src/soc/mediatek/mt8173/include/soc/memlayout.ld M src/soc/mediatek/mt8183/include/soc/memlayout.ld M src/soc/nvidia/tegra124/include/soc/memlayout.ld M src/soc/nvidia/tegra210/include/soc/memlayout.ld M src/soc/samsung/exynos5250/include/soc/memlayout.ld 26 files changed, 324 insertions(+), 300 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/70
build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 70:
(2 comments)
https://review.coreboot.org/c/coreboot/+/35077/70/src/include/memlayout.h File src/include/memlayout.h:
https://review.coreboot.org/c/coreboot/+/35077/70/src/include/memlayout.h@16... PS70, Line 162: #define TPM_TCPA_LOG(addr, size) \ Macros with multiple statements should be enclosed in a do - while loop
https://review.coreboot.org/c/coreboot/+/35077/70/src/include/memlayout.h@16... PS70, Line 162: #define TPM_TCPA_LOG(addr, size) \ macros should not use a trailing semicolon
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 70:
Patch Set 69:
What should I do to make this patchset acceptable for YOU? The current COUPLED measurement also starts extending in bootblock, verstage, or romstage, since "verstage" could be a part of bootblock on platforms with enough space for it.
I really want a clear explanation for and discussion on why the patch set 63 approach does not work from the people who -2ed it. I have now asked for this *multiple* times (both here and on other channels) and there's nothing but silence coming back. Just crapping all over a CL with vague concerns but completely refusing to discuss it in detail is not a proper way to collaborate on an open-source project.
The other approach is just plain *better*. It is a lot cleaner, keeps dependencies from spreading all over the place, covers edge cases that even the current implementation doesn't and *does not change anything about when stuff is measured for the current use cases!* If you want to make progress on this CL, please revert to that patch set and I will +2 it. If we then see -2s again without willingness to discuss on a technical level I will escalate the matter as necessary.
Done. If only doing so would make progress on it. I just do not want to be squeezed in between.
Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 70: Code-Review+2
(5 comments)
https://review.coreboot.org/c/coreboot/+/35077/27/src/lib/bootblock.c File src/lib/bootblock.c:
https://review.coreboot.org/c/coreboot/+/35077/27/src/lib/bootblock.c@73 PS27, Line 73: !CONFIG(VBOOT) && CONFIG(TSPI_MEASURED_BOOT)
Reverted to this, for what is observed in https://qa.coreboot. […]
Done
https://review.coreboot.org/c/coreboot/+/35077/61/src/security/tpm/tspi/crtm... File src/security/tpm/tspi/crtm.c:
https://review.coreboot.org/c/coreboot/+/35077/61/src/security/tpm/tspi/crtm... PS61, Line 143: case CBFS_TYPE_MRC:
This, too, is probably correct but should be a separate patch.
Done
https://review.coreboot.org/c/coreboot/+/35077/61/src/security/tpm/tspi/crtm... PS61, Line 143: case CBFS_TYPE_MRC:
This, too, is probably correct but should be a separate patch.
Done
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/vboot/Kconfig File src/security/vboot/Kconfig:
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/vboot/Kconfig@... PS5, Line 16: menu "vboot functionalities"
I think you should move all the measured boot stuff (i.e. […]
Done
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/vboot/vboot_l... File src/security/vboot/vboot_logic.c:
https://review.coreboot.org/c/coreboot/+/35077/27/src/security/vboot/vboot_l... PS27, Line 329: if (CONFIG(TSPI_MEASURED_BOOT) && : !(ctx->flags & VB2_CONTEXT_S3_RESUME)) { : if (tspi_init_crtm() != VB2_SUCCESS)
I may have to conclude that TSPI_MEASURED_BOOT cannot be decoupled from VBOOT on platforms with only […]
No longer relevant.
Philipp Deppenwiese has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 70: Code-Review-2
Philipp Deppenwiese has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 70:
Now we are back at tcpa log replay. Not gonna happen. It impacts the security of a measured boot
Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 70:
Okay Philipp, this doesn't work. You can't just keep -2ing this patch with a one-liner justification but completely refuse to discuss any of the technical details. I have now repeatedly asked you to clarify how this is any worse than the existing implementation (because it isn't) both in this CL and through other channels but there's just nothing but silence from you. Please remember our official Gerrit Guidelines which state:
- If you give a patch a -2, you are responsible for giving concrete
recommendations for what could be changed to resolve the issue the patch addresses. If you feel strongly that a patch should NEVER be merged, you are responsible for defending your position and listening to other points of view. Giving a -2 and walking away is not acceptable
Please re-read my comment from Feb 25 above and respond to it. This patch *changes absolutely nothing* about when hashes get extended to the TPM for your existing use case! It is just rewriting logic to do essentially exactly the same thing in a cleaner way, with better coverage for edge cases (e.g. other files loaded from the bootblock) and supporting a new operation mode that you don't need to use if you're concerned about its security guarantees. If you still have concerns despite that, please describe them concretely in a response with more than one sentence.
Angel Pons has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 70: Code-Review+2
(3 comments)
https://review.coreboot.org/c/coreboot/+/35077/70/src/security/tpm/tspi/crtm... File src/security/tpm/tspi/crtm.c:
https://review.coreboot.org/c/coreboot/+/35077/70/src/security/tpm/tspi/crtm... PS70, Line 30: static const char * const fmap_cbfs_names[] = { : "COREBOOT", : "FW_MAIN_A", : "FW_MAIN_B", : "RW_LEGACY"}; this isn't really compliant with the code style. How about:
static const char *const fmap_cbfs_names[] = { "COREBOOT", "FW_MAIN_A", "FW_MAIN_B", "RW_LEGACY", };
https://review.coreboot.org/c/coreboot/+/35077/70/src/security/tpm/tspi/tspi... File src/security/tpm/tspi/tspi.c:
https://review.coreboot.org/c/coreboot/+/35077/70/src/security/tpm/tspi/tspi... PS70, Line 235: printk(BIOS_DEBUG, "TPM: Extending digest for" This string fits in one line without breaking (96-char limit)
https://review.coreboot.org/c/coreboot/+/35077/70/src/security/tpm/tspi/tspi... PS70, Line 302: "measur" : "logg" Ehm, I don't think saving two characters is that much of a big deal... Could we have full words in both cases of the ternary operator, please?
Patrick Georgi has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 70:
Patch Set 70:
Now we are back at tcpa log replay. Not gonna happen. It impacts the security of a measured boot
So I've read through the discussion, and while there are a few potential security issues that I could imagine with TCPA log replay, I don't see how the very same issues wouldn't apply to the retroactive measuring that we have now.
So how is the replay approach worse than what we have right now? And, if it is a problem, isn't the proper solution to push tpm init earlier - which, in the replay case, seems to automatically solve any issues because any further measurement is done at the time the stage is loaded? Which is the same approach I'd take to close any gaps in the current retroactive measuring scheme.
From my point of view these two approaches seem to be equivalent in impact, with the major difference being a code design improvement by the change (as claimed by Julius, I haven't looked at the big design picture yet), so what's the problem with this change?
It's possible that I missed something big (as said I haven't gone through the entire design here, just the question of when measurements happen and from which data source), but if the TCPA log stored in (CAR) memory isn't trustworthy from bootblock to romstage, any assurance that measurements are worth anything is bound to go down the drain, no?
One thing that could be negatively affected is compliance to some bullshit firmware security standard, but even NIST SP 800-147 and SP 800-155 don't seem to say anything about how measuring is supposed to happen. 155 mentions the word "replay", but in a very specific context that doesn't apply here ("not just a replay of an earlier good response"). If it helps, we could probably call the early TCPA log a "PCR cache"?
Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 70:
And, if it is a problem, isn't the proper solution to push tpm init earlier - which, in the replay case, seems to automatically solve any issues because any further measurement is done at the time the stage is loaded?
Pushing TPM init into the bootblock causes practical issues on many platforms with bootblock size restrictions, and the benefit is questionable. We'd still have to measure the bootblock itself retroactively after all, so I don't think doing the same for the verstage really makes a big difference. Like you mentioned this is what the existing solution already does too, so I don't think anyone really has a concern with that (the concern rather seems to be between verstage and ramstage, but as mentioned when CONFIG_VBOOT is on we still start extending hashes in verstage with this patch). There's also always CONFIG_SEPARATE_VERSTAGE=n to close this gap if desired.
Since it already seems to be hard enough to get consensus on this patch as is, I'd like to keep the discussions focused on what this patch does vs. the previous implementation (hopefully we can come to agree that it doesn't reduce any security guarantees, and merge it). Let's leave concerns that the current implementation doesn't solve either for another time.
Patrick Georgi has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 70:
Patch Set 70: Since it already seems to be hard enough to get consensus on this patch as is, I'd like to keep the discussions focused on what this patch does vs. the previous implementation (hopefully we can come to agree that it doesn't reduce any security guarantees, and merge it). Let's leave concerns that the currently implementation doesn't solve either for another time.
Sorry, I wasn't clear enough there: any such change should be in a future commit. This really is complex enough as is.
Hello build bot (Jenkins), Patrick Georgi, Frans Hendriks, Julius Werner, Angel Pons, Patrick Rudolph, Aaron Durbin, Philipp Deppenwiese, David Guckian, Martin Roth, Vanessa Eusebio, Werner Zeh, Wim Vervoorn,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#71).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within VBOOT should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.
In this revision, only the TCPA log is initialized during bootblock. Until the TPM is set up, digests are not extended into the TPM but only recorded in the TCPA log; right after the TPM is up, they are extended into the TPM by "replaying" the recorded digests.
This change allows those who do not want to use the verified boot scheme implemented by VBOOT as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within VBOOT library to measure the boot process.
TODO: Measure MRC Cache somewhere, as MRC Cache has never resided in CBFS any more, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/include/memlayout.h M src/include/symbols.h M src/lib/cbfs.c M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc M src/security/tpm/tspi.h A src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/log.c M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/symbols.h D src/security/vboot/vboot_crtm.c M src/security/vboot/vboot_logic.c M src/soc/cavium/cn81xx/include/soc/memlayout.ld M src/soc/mediatek/mt8173/include/soc/memlayout.ld M src/soc/mediatek/mt8183/include/soc/memlayout.ld M src/soc/nvidia/tegra124/include/soc/memlayout.ld M src/soc/nvidia/tegra210/include/soc/memlayout.ld M src/soc/samsung/exynos5250/include/soc/memlayout.ld 26 files changed, 324 insertions(+), 300 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/71
build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 71:
(2 comments)
https://review.coreboot.org/c/coreboot/+/35077/71/src/include/memlayout.h File src/include/memlayout.h:
https://review.coreboot.org/c/coreboot/+/35077/71/src/include/memlayout.h@16... PS71, Line 162: #define TPM_TCPA_LOG(addr, size) \ Macros with multiple statements should be enclosed in a do - while loop
https://review.coreboot.org/c/coreboot/+/35077/71/src/include/memlayout.h@16... PS71, Line 162: #define TPM_TCPA_LOG(addr, size) \ macros should not use a trailing semicolon
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 71:
(3 comments)
If it helps, we could probably call the early TCPA log a "PCR cache"?
This is just how I call it personally.
https://review.coreboot.org/c/coreboot/+/35077/70/src/security/tpm/tspi/crtm... File src/security/tpm/tspi/crtm.c:
https://review.coreboot.org/c/coreboot/+/35077/70/src/security/tpm/tspi/crtm... PS70, Line 30: static const char * const fmap_cbfs_names[] = { : "COREBOOT", : "FW_MAIN_A", : "FW_MAIN_B", : "RW_LEGACY"};
this isn't really compliant with the code style. How about: […]
Done. It is actually a left-behind.
https://review.coreboot.org/c/coreboot/+/35077/70/src/security/tpm/tspi/tspi... File src/security/tpm/tspi/tspi.c:
https://review.coreboot.org/c/coreboot/+/35077/70/src/security/tpm/tspi/tspi... PS70, Line 235: printk(BIOS_DEBUG, "TPM: Extending digest for"
This string fits in one line without breaking (96-char limit)
Done
https://review.coreboot.org/c/coreboot/+/35077/70/src/security/tpm/tspi/tspi... PS70, Line 302: "measur" : "logg"
Ehm, I don't think saving two characters is that much of a big deal... […]
Done
Angel Pons has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 71: Code-Review+2
(1 comment)
https://review.coreboot.org/c/coreboot/+/35077/70/src/security/tpm/tspi/crtm... File src/security/tpm/tspi/crtm.c:
https://review.coreboot.org/c/coreboot/+/35077/70/src/security/tpm/tspi/crtm... PS70, Line 30: static const char * const fmap_cbfs_names[] = { : "COREBOOT", : "FW_MAIN_A", : "FW_MAIN_B", : "RW_LEGACY"};
Done. It is actually a left-behind.
Thanks!
Wim Vervoorn has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 71: Code-Review+1
Frans Hendriks has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 71:
(1 comment)
Should vboot be spelled all lowercase as in CB:39799
https://review.coreboot.org/c/coreboot/+/35077/71//COMMIT_MSG Commit Message:
https://review.coreboot.org/c/coreboot/+/35077/71//COMMIT_MSG@10 PS71, Line 10: VBOOT should enable verified boot first, along with sections such Should vboot be spelled all lowercase as in CB:39799
Hello build bot (Jenkins), Patrick Georgi, Frans Hendriks, Angel Pons, Julius Werner, Patrick Rudolph, Aaron Durbin, Philipp Deppenwiese, David Guckian, Martin Roth, Vanessa Eusebio, Werner Zeh, Wim Vervoorn,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#72).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within vboot should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.
In this revision, only the TCPA log is initialized during bootblock. Until the TPM is set up, digests are not extended into the TPM but only recorded in the TCPA log; right after the TPM is up, they are extended into the TPM by "replaying" the recorded digests.
This change allows those who do not want to use the verified boot scheme implemented by vboot as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within vboot library to measure the boot process.
TODO: Measure MRC Cache somewhere, as MRC Cache has never resided in CBFS any more, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/include/memlayout.h M src/include/symbols.h M src/lib/cbfs.c M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc M src/security/tpm/tspi.h A src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/log.c M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/symbols.h D src/security/vboot/vboot_crtm.c M src/security/vboot/vboot_logic.c M src/soc/cavium/cn81xx/include/soc/memlayout.ld M src/soc/mediatek/mt8173/include/soc/memlayout.ld M src/soc/mediatek/mt8183/include/soc/memlayout.ld M src/soc/nvidia/tegra124/include/soc/memlayout.ld M src/soc/nvidia/tegra210/include/soc/memlayout.ld M src/soc/samsung/exynos5250/include/soc/memlayout.ld 26 files changed, 324 insertions(+), 300 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/72
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 72:
(1 comment)
Patch Set 71:
(1 comment)
Should vboot be spelled all lowercase as in CB:39799
https://review.coreboot.org/c/coreboot/+/35077/71//COMMIT_MSG Commit Message:
https://review.coreboot.org/c/coreboot/+/35077/71//COMMIT_MSG@10 PS71, Line 10: VBOOT should enable verified boot first, along with sections such
Should vboot be spelled all lowercase as in CB:39799
Done
Frans Hendriks has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 72: Code-Review+1
Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 72: Code-Review+2
Patrick Georgi has removed a vote from this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Removed Code-Review-2 by Philipp Deppenwiese zaolin.daisuki@gmail.com
Patrick Georgi has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 72:
I removed Philipp's CR-2 given that he didn't react to any concerns and questions. Keeping commits hostage like this is _not_ okay.
Philipp Deppenwiese has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 72: Code-Review-2
(1 comment)
I couldn't react the last few days because of my vacation.
https://review.coreboot.org/c/coreboot/+/35077/70/src/security/tpm/tspi/tspi... File src/security/tpm/tspi/tspi.c:
https://review.coreboot.org/c/coreboot/+/35077/70/src/security/tpm/tspi/tspi... PS70, Line 110: return tpm_is_setup; The ramstage has its own init system so it's unclear if the tpm is set up..
Philipp Deppenwiese has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 72:
Will do it later today.
Philipp Deppenwiese has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 72:
(1 comment)
I understand the approach of decoupling measured boot from vboot in order to support other use cases. What I don't understand is why we need to extend measurements from the TCPA log into the TPM. If the measurements are done before? BTW it took me months to get my stuff merged in the past. I went on a vacation for a week and we don't have time to wait for another?
https://review.coreboot.org/c/coreboot/+/35077/72/src/security/tpm/tspi/log.... File src/security/tpm/tspi/log.c:
https://review.coreboot.org/c/coreboot/+/35077/72/src/security/tpm/tspi/log.... PS72, Line 115: int result = tlcl_extend(tce->pcr, Please explain me why we need to extend measurements which are already extended into a TPM again by using the unsafe and optional TCPA log?
Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 72:
(2 comments)
I understand the approach of decopupling measured boot from vboot in order to support other use cases. What I don't understand is why we need to extend measurements from the TCPA log into the TPM. If the measurements are done before?
This is only about measurements that couldn't be written to the TPM at the time they were measured because the TPM was not up yet. The previous implementation just tried to manually reload and re-measure all those files after we set up the TPM. With this patch, we instead use the same code that runs after the TPM is up to measure them at the time they're loaded, we just don't write them to the TPM yet, and then we know at the time the TPM comes up that all those things we need to backfill are exactly what's currently in our TCPA log. It's just cleaner than trying to build that list manually, it covers more edge cases (e.g. for platforms that load other platform-specific files in the bootblock before running verstage), it will be more efficient once we get to the point where we really measure the same bytes we're loading (which is where I'm hoping to get CBFS eventually), it conveniently allows us to solve the !CONFIG_VBOOT case with the same code as well, and it still extends everything at effectively the same time and in the same order as the old implementation.
BTW it took me months to get my stuff merged in the past. I went on a vacation for a week and we don't have time to wait for another?
Come on, we've been trying to discuss this for over a month and there was never any response. Scroll up and you can see my earlier comments. I don't think anyone wants to rush anything through here, but if you just don't say *anything* that makes it impossible to make progress and you have to understand that it frustrates people. If you want to have some more time to look at this in detail just name a reasonable deadline and stick to it and I'm sure we can accommodate that. Nobody wants to have a fight over this, it's just the complete lack of willingness to communicate that sucks.
https://review.coreboot.org/c/coreboot/+/35077/72/src/security/tpm/tspi/log.... File src/security/tpm/tspi/log.c:
https://review.coreboot.org/c/coreboot/+/35077/72/src/security/tpm/tspi/log.... PS72, Line 115: int result = tlcl_extend(tce->pcr,
Please explain me why we need to extend measurements which are already extended into a TPM again by […]
Not sure what you mean, we are only extending every measurement once. Basically, there is always a time before the TPM is up and a time after the TPM is up. This function runs only once during boot, at the end of tpm_setup() (so for CONFIG_VBOOT that happens in verstage). At that point all hashes that were previously cached in the TCPA log get written out to the TPM. (Anything measured afterwards goes directly to the TPM and this function doesn't run again.)
So any file loaded before the TPM is up gets cached in the TCPA log and written out at the time the TPM comes up. For CONFIG_VBOOT, this is usually only the bootblock and verstage. Whereas the previous implementation would manually reload those stages from flash to measure them at verstage-time, this patch measures them at the time they're loaded, stores them in the TCPA log and writes them out during the verstage. So they still get written out at the same time as they used to.
https://review.coreboot.org/c/coreboot/+/35077/70/src/security/tpm/tspi/tspi... File src/security/tpm/tspi/tspi.c:
https://review.coreboot.org/c/coreboot/+/35077/70/src/security/tpm/tspi/tspi... PS70, Line 110: return tpm_is_setup;
The ramstage has its own init system so it's unclear if the tpm is set up..
This line is for the !CONFIG_VBOOT case where tpm_setup() is called in ramstage. In that case, this will return 0 before tpm_setup() is called and 1 after. All other (= earlier) stages will always return 0.
For the CONFIG_VBOOT case, it's always decided on line 107 and this line doesn't matter. for CONFIG_VBOOT all stages after verstage will return true from vboot_logic_executed().
I think this should behave correctly in all cases, do you have any specific concerns?
Philipp Deppenwiese has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 72: -Code-Review
(2 comments)
Patch Set 72:
(2 comments)
I understand the approach of decopupling measured boot from vboot in order to support other use cases. What I don't understand is why we need to extend measurements from the TCPA log into the TPM. If the measurements are done before?
This is only about measurements that couldn't be written to the TPM at the time they were measured because the TPM was not up yet. The previous implementation just tried to manually reload and re-measure all those files after we set up the TPM. With this patch, we instead use the same code that runs after the TPM is up to measure them at the time they're loaded, we just don't write them to the TPM yet, and then we know at the time the TPM comes up that all those things we need to backfill are exactly what's currently in our TCPA log. It's just cleaner than trying to build that list manually, it covers more edge cases (e.g. for platforms that load other platform-specific files in the bootblock before running verstage), it will be more efficient once we get to the point where we really measure the same bytes we're loading (which I where I'm hoping to get CBFS eventually), it conveniently allows us to solve the !CONFIG_VBOOT case with the same code as well, and it still extends everything at effectively the same time and in the same order as the old implementation.
BTW it took me months to get my stuff merged in the past. I went on a vacation for a week and we don't have time to wait for another?
Come on, we've been trying to discuss this for over a month and there was never any response. Scroll up and you can see my earlier comments. I don't think anyone wants to rush anything through here, but if you just don't say *anything* that makes it impossible to make progress and you have to understand that it frustrates people. If you want to have some more time to look at this in detail just name a reasonable deadline and stick to it and I'm sure we can accommodate that. Nobody wants to have a fight over this, it's just the complete lack of willingness to communicate that sucks.
We are an Open Source project right? Sometimes people are busy, vacationing or vanish for a longer time. I wouldn't call it lack of willingness to communicate. I just have to prioritize my time and the coreboot community work is currently at the end of my list. So I can see that this raised some frustration on your and persmule side. Sorry for that.
https://review.coreboot.org/c/coreboot/+/35077/72/src/security/tpm/tspi/log.... File src/security/tpm/tspi/log.c:
https://review.coreboot.org/c/coreboot/+/35077/72/src/security/tpm/tspi/log.... PS72, Line 115: int result = tlcl_extend(tce->pcr,
Not sure what you mean, we are only extending every measurement once. […]
So we misuse the tcpa log as PCR cache. IMHO we should try to initialize the TPM in bootblock itself. Probably with less code so it can fit on size-constrained platforms. I guess Eltan already did the work for that on some platforms. The bootblock then can measure itself. What we have now is a so called PCR cache. If it stays like that, please rename the tcpa log function to pcr cache and move it into the crtm. It's obviously confusing that it has nothing to do with a TCPA log and it will lead to false assumptions again.
https://review.coreboot.org/c/coreboot/+/35077/70/src/security/tpm/tspi/tspi... File src/security/tpm/tspi/tspi.c:
https://review.coreboot.org/c/coreboot/+/35077/70/src/security/tpm/tspi/tspi... PS70, Line 110: return tpm_is_setup;
This line is for the !CONFIG_VBOOT case where tpm_setup() is called in ramstage. […]
Ack
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 72:
(1 comment)
https://review.coreboot.org/c/coreboot/+/35077/72/src/security/tpm/tspi/log.... File src/security/tpm/tspi/log.c:
https://review.coreboot.org/c/coreboot/+/35077/72/src/security/tpm/tspi/log.... PS72, Line 115: int result = tlcl_extend(tce->pcr,
If it stays like that, please rename the tcpa log function to pcr cache and move it into the crtm.
Which function(s) should be renamed? To what name? And How to "move it into the crtm"?
Philipp Deppenwiese has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 72:
(1 comment)
https://review.coreboot.org/c/coreboot/+/35077/72/src/security/tpm/tspi/log.... File src/security/tpm/tspi/log.c:
https://review.coreboot.org/c/coreboot/+/35077/72/src/security/tpm/tspi/log.... PS72, Line 91: int tcpa_log_replay_table(void) Please rename this function to pcr cache or something similar and move it into the ..crtm.c
Hello build bot (Jenkins), Patrick Georgi, Frans Hendriks, Julius Werner, Angel Pons, Patrick Rudolph, Aaron Durbin, Philipp Deppenwiese, David Guckian, Martin Roth, Vanessa Eusebio, Werner Zeh, Wim Vervoorn,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#73).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within vboot should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.
In this revision, only TCPA log is initialized during bootblock. Before TPM gets set up, digests are not measured into tpm immediately, but cached in TCPA log, and measured into determined PCRs right after TPM is up.
This change allows those who do not want to use the verified boot scheme implemented by vboot as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within vboot library to measure the boot process.
TODO: Measure MRC Cache somewhere, as MRC Cache has never resided in CBFS any more, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/include/memlayout.h M src/include/symbols.h M src/lib/cbfs.c M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc M src/security/tpm/tspi.h A src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/log.c M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/symbols.h D src/security/vboot/vboot_crtm.c M src/security/vboot/vboot_logic.c M src/soc/cavium/cn81xx/include/soc/memlayout.ld M src/soc/mediatek/mt8173/include/soc/memlayout.ld M src/soc/mediatek/mt8183/include/soc/memlayout.ld M src/soc/nvidia/tegra124/include/soc/memlayout.ld M src/soc/nvidia/tegra210/include/soc/memlayout.ld M src/soc/samsung/exynos5250/include/soc/memlayout.ld 26 files changed, 333 insertions(+), 301 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/73
build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 73:
(2 comments)
https://review.coreboot.org/c/coreboot/+/35077/73/src/include/memlayout.h File src/include/memlayout.h:
https://review.coreboot.org/c/coreboot/+/35077/73/src/include/memlayout.h@16... PS73, Line 162: #define TPM_TCPA_LOG(addr, size) \ Macros with multiple statements should be enclosed in a do - while loop
https://review.coreboot.org/c/coreboot/+/35077/73/src/include/memlayout.h@16... PS73, Line 162: #define TPM_TCPA_LOG(addr, size) \ macros should not use a trailing semicolon
Hello build bot (Jenkins), Patrick Georgi, Frans Hendriks, Julius Werner, Angel Pons, Patrick Rudolph, Aaron Durbin, Philipp Deppenwiese, David Guckian, Martin Roth, Vanessa Eusebio, Werner Zeh, Wim Vervoorn,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/35077
to look at the new patch set (#74).
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within vboot should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.
In this revision, only TCPA log is initialized during bootblock. Before TPM gets set up, digests are not measured into tpm immediately, but cached in TCPA log, and measured into determined PCRs right after TPM is up.
This change allows those who do not want to use the verified boot scheme implemented by vboot as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within vboot library to measure the boot process.
TODO: Measure MRC Cache somewhere, as MRC Cache has never resided in CBFS any more, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org --- M src/arch/x86/car.ld M src/include/memlayout.h M src/include/symbols.h M src/lib/cbfs.c M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc M src/security/tpm/tspi.h A src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/log.c M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/symbols.h D src/security/vboot/vboot_crtm.c M src/security/vboot/vboot_logic.c M src/soc/cavium/cn81xx/include/soc/memlayout.ld M src/soc/mediatek/mt8173/include/soc/memlayout.ld M src/soc/mediatek/mt8183/include/soc/memlayout.ld M src/soc/nvidia/tegra124/include/soc/memlayout.ld M src/soc/nvidia/tegra210/include/soc/memlayout.ld M src/soc/samsung/exynos5250/include/soc/memlayout.ld 26 files changed, 333 insertions(+), 301 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/35077/74
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 74:
(1 comment)
https://review.coreboot.org/c/coreboot/+/35077/72/src/security/tpm/tspi/log.... File src/security/tpm/tspi/log.c:
https://review.coreboot.org/c/coreboot/+/35077/72/src/security/tpm/tspi/log.... PS72, Line 91: int tcpa_log_replay_table(void)
Please rename this function to pcr cache or something similar and move it into the ..crtm. […]
Done. It is moved into crtm.c as tspi_measure_cache_to_pcr().
build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 74:
(2 comments)
https://review.coreboot.org/c/coreboot/+/35077/74/src/include/memlayout.h File src/include/memlayout.h:
https://review.coreboot.org/c/coreboot/+/35077/74/src/include/memlayout.h@16... PS74, Line 162: #define TPM_TCPA_LOG(addr, size) \ Macros with multiple statements should be enclosed in a do - while loop
https://review.coreboot.org/c/coreboot/+/35077/74/src/include/memlayout.h@16... PS74, Line 162: #define TPM_TCPA_LOG(addr, size) \ macros should not use a trailing semicolon
Philipp Deppenwiese has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 74:
(1 comment)
https://review.coreboot.org/c/coreboot/+/35077/72/src/security/tpm/tspi/log.... File src/security/tpm/tspi/log.c:
https://review.coreboot.org/c/coreboot/+/35077/72/src/security/tpm/tspi/log.... PS72, Line 91: int tcpa_log_replay_table(void)
Done. It is moved into crtm.c as tspi_measure_cache_to_pcr().
Done
Philipp Deppenwiese has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 74:
(1 comment)
https://review.coreboot.org/c/coreboot/+/35077/72/src/security/tpm/tspi/log.... File src/security/tpm/tspi/log.c:
https://review.coreboot.org/c/coreboot/+/35077/72/src/security/tpm/tspi/log.... PS72, Line 115: int result = tlcl_extend(tce->pcr,
If it stays like that, please rename the tcpa log function to pcr cache and move it into the crtm. […]
Done
Philipp Deppenwiese has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 74: Code-Review+2
Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 74: Code-Review+2
(1 comment)
We are an Open Source project right? Sometimes people are busy, vacationing or vanish for a longer time. I wouldn't call it lack of willingness to communicate. I just have to prioritize my time and the coreboot community work is currently at the end of my list. So I can see that this raised some frustration on your and persmule side. Sorry for that.
Yeah sure, it's just either you can argue against a change going in or you can withdraw from the project for a bit, you can't really do both (at least for too long). What I meant by "willingness to communicate" was just that I had no idea whether you even read the counter-arguments or when (if ever) to expect a response. Next time please just say that you're on vacation until X or you'll need two weeks to find the time to look at it in detail or something, and then we know what to expect and can give you the time.
Thanks for coming around on this issue now.
https://review.coreboot.org/c/coreboot/+/35077/72/src/security/tpm/tspi/log.... File src/security/tpm/tspi/log.c:
https://review.coreboot.org/c/coreboot/+/35077/72/src/security/tpm/tspi/log.... PS72, Line 115: int result = tlcl_extend(tce->pcr,
Done
Well, I wouldn't call it misuse, it's just killing two birds with one stone. We have the TCPA log anyway and it happens to look exactly like a PCR cache would need to look, sounds like a great opportunity to me.
Initializing the TPM in the bootblock is the obvious alternative but I really think it is inferior. We're already at the very limit for bootblock size on many boards, so doing this would both mean making this feature permanently unavailable on many boards and would also make future development much harder on other boards that would now be pushed very closely to that limit. And what for? Is there really a technical concern about this or is it just that it vaguely feels wrong? (It can't be about security because we're not extending the hashes to the TPM any later than the old solution used to.)
And doing it in the bootblock would still be less flexible, too. I'm bringing up a Qualcomm platform right now where the SPI controller that talks to the TPM needs a firmware blob loaded from CBFS to work. That's a kind of chicken and egg problem you cannot solve unless you're willing to cache hashes somewhere.
Werner Zeh has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 74: Code-Review+2
(1 comment)
https://review.coreboot.org/c/coreboot/+/35077/74/src/security/tpm/tspi/crtm... File src/security/tpm/tspi/crtm.c:
https://review.coreboot.org/c/coreboot/+/35077/74/src/security/tpm/tspi/crtm... PS74, Line 108: for (i = 0; (i + name_len) <= whitelist_len; i++) { : if (!strcmp(whitelist + i, name)) : return true; : } This code still does not take care of the delimiter character (used to be comma separated list here). We should keep this in mind and fix in a follow-up commit (sorry for being late).
Philipp Deppenwiese has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 74:
(1 comment)
https://review.coreboot.org/c/coreboot/+/35077/74/src/security/tpm/tspi/crtm... File src/security/tpm/tspi/crtm.c:
https://review.coreboot.org/c/coreboot/+/35077/74/src/security/tpm/tspi/crtm... PS74, Line 108: for (i = 0; (i + name_len) <= whitelist_len; i++) { : if (!strcmp(whitelist + i, name)) : return true; : }
This code still does not take care of the delimiter character (used to be comma separated list here) […]
Yep that should happen in a follow up
Philipp Deppenwiese has submitted this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within vboot should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from verified boot, making them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled.
In this revision, only TCPA log is initialized during bootblock. Before TPM gets set up, digests are not measured into tpm immediately, but cached in TCPA log, and measured into determined PCRs right after TPM is up.
This change allows those who do not want to use the verified boot scheme implemented by vboot as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within vboot library to measure the boot process.
TODO: Measure MRC Cache somewhere, as MRC Cache has never resided in CBFS any more, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE persmule@hardenedlinux.org Reviewed-on: https://review.coreboot.org/c/coreboot/+/35077 Tested-by: build bot (Jenkins) no-reply@coreboot.org Reviewed-by: Philipp Deppenwiese zaolin.daisuki@gmail.com Reviewed-by: Julius Werner jwerner@chromium.org Reviewed-by: Werner Zeh werner.zeh@siemens.com --- M src/arch/x86/car.ld M src/include/memlayout.h M src/include/symbols.h M src/lib/cbfs.c M src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig M src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig M src/security/tpm/Kconfig M src/security/tpm/Makefile.inc M src/security/tpm/tspi.h A src/security/tpm/tspi/crtm.c R src/security/tpm/tspi/crtm.h M src/security/tpm/tspi/log.c M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/symbols.h D src/security/vboot/vboot_crtm.c M src/security/vboot/vboot_logic.c M src/soc/cavium/cn81xx/include/soc/memlayout.ld M src/soc/mediatek/mt8173/include/soc/memlayout.ld M src/soc/mediatek/mt8183/include/soc/memlayout.ld M src/soc/nvidia/tegra124/include/soc/memlayout.ld M src/soc/nvidia/tegra210/include/soc/memlayout.ld M src/soc/samsung/exynos5250/include/soc/memlayout.ld 26 files changed, 333 insertions(+), 301 deletions(-)
Approvals: build bot (Jenkins): Verified Philipp Deppenwiese: Looks good to me, approved Werner Zeh: Looks good to me, approved Julius Werner: Looks good to me, approved
diff --git a/src/arch/x86/car.ld b/src/arch/x86/car.ld index 5e5493a..92b26a0 100644 --- a/src/arch/x86/car.ld +++ b/src/arch/x86/car.ld @@ -20,8 +20,8 @@ /* Vboot measured boot TCPA log measurements. * Needs to be transferred until CBMEM is available */ -#if CONFIG(VBOOT_MEASURED_BOOT) - VBOOT2_TPM_LOG(., 2K) +#if CONFIG(TPM_MEASURED_BOOT) + TPM_TCPA_LOG(., 2K) #endif /* Stack for CAR stages. Since it persists across all stages that * use CAR it can be reused. The chipset/SoC is expected to provide diff --git a/src/include/memlayout.h b/src/include/memlayout.h index 62c9f7b..bf4b2c5 100644 --- a/src/include/memlayout.h +++ b/src/include/memlayout.h @@ -159,9 +159,9 @@ STR(vboot2 work buffer size must be equivalent to \ VB2_FIRMWARE_WORKBUF_RECOMMENDED_SIZE! (sz)));
-#define VBOOT2_TPM_LOG(addr, size) \
- REGION(vboot2_tpm_log, addr, size, 16) \
- _ = ASSERT(size >= 2K, "vboot2 tpm log buffer must be at least 2K!");
+#define TPM_TCPA_LOG(addr, size) \
+ REGION(tpm_tcpa_log, addr, size, 16) \
+ _ = ASSERT(size >= 2K, "tpm tcpa log buffer must be at least 2K!");
#if ENV_VERSTAGE
#define VERSTAGE(addr, sz) \
diff --git a/src/include/symbols.h b/src/include/symbols.h
index 94e4668..e37405d 100644
--- a/src/include/symbols.h
+++ b/src/include/symbols.h
@@ -34,8 +34,11 @@
DECLARE_REGION(postram_cbfs_cache)
DECLARE_REGION(cbfs_cache)
DECLARE_REGION(fmap_cache)
-DECLARE_REGION(payload)
+DECLARE_REGION(tpm_tcpa_log)
+/* Regions for execution units. */
+
+DECLARE_REGION(payload)
/* "program" always refers to the current execution unit. */
DECLARE_REGION(program)
/* _<stage>_size is always the maximum amount allocated in memlayout, whereas
diff --git a/src/lib/cbfs.c b/src/lib/cbfs.c
index 4f0b443..4392ab7 100644
--- a/src/lib/cbfs.c
+++ b/src/lib/cbfs.c
@@ -13,19 +13,19 @@
*/
#include <assert.h>
-#include <console/console.h>
-#include <string.h>
-#include <stdlib.h>
#include <boot_device.h>
#include <cbfs.h>
#include <commonlib/bsd/compression.h>
+#include <console/console.h>
#include <endian.h>
+#include <fmap.h>
#include <lib.h>
+#include <security/tpm/tspi/crtm.h>
+#include <security/vboot/vboot_common.h>
+#include <stdlib.h>
+#include <string.h>
#include <symbols.h>
#include <timestamp.h>
-#include <fmap.h>
-#include <security/vboot/vboot_crtm.h>
-#include <security/vboot/vboot_common.h>
#define ERROR(x...) printk(BIOS_ERR, "CBFS: " x)
#define LOG(x...) printk(BIOS_INFO, "CBFS: " x)
@@ -60,7 +60,7 @@
}
if (!ret)
- if (vboot_measure_cbfs_hook(fh, name))
+ if (tspi_measure_cbfs_hook(fh, name))
return -1;
return ret;
diff --git a/src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig b/src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig
index 6adf4e9..0f32907 100644
--- a/src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig
+++ b/src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig
@@ -9,12 +9,12 @@
select MAINBOARD_HAS_TPM2
select MAINBOARD_HAS_LPC_TPM
select TPM_ON_FAST_SPI
+ select TPM_MEASURED_BOOT
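Review bot: The nested, brace-less `if (!ret)` / `if (tspi_measure_cbfs_hook(fh, name))` pair kept by this hunk is easy to break with a later edit; a single condition reads better: `if (!ret && tspi_measure_cbfs_hook(fh, name))` followed by `return -1;`. I would also add a comment such as `/* Fail the lookup if the file could not be measured. */`, because that fail-closed behaviour is what measured boot depends on and it is not obvious from the call alone. The enclosing function starts before the hunk, so how `ret` is produced is not visible here.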
config CBFS_SIZE
default 0xb4e000
config VBOOT
- select VBOOT_MEASURED_BOOT
select VBOOT_VBNV_FLASH
select VBOOT_NO_BOARD_SUPPORT
select GBB_FLAG_DISABLE_LID_SHUTDOWN
diff --git a/src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig b/src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig
index b10bdc8..55fb4b1 100644
--- a/src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig
+++ b/src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig
@@ -9,6 +9,7 @@
select MAINBOARD_HAS_LPC_TPM
select TPM_ON_FAST_SPI
select DRIVERS_I2C_PTN3460
+ select TPM_MEASURED_BOOT
config UART_FOR_CONSOLE
default 1
@@ -17,7 +18,6 @@
default 0xb4e000
config VBOOT
- select VBOOT_MEASURED_BOOT
select VBOOT_VBNV_FLASH
select VBOOT_NO_BOARD_SUPPORT
select GBB_FLAG_DISABLE_LID_SHUTDOWN
diff --git a/src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig b/src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig
index e46a0de..bd0b0d7 100644
--- a/src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig
+++ b/src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig
@@ -12,12 +12,12 @@
select MAINBOARD_HAS_LPC_TPM
select TPM_ON_FAST_SPI
select DRIVERS_I2C_PTN3460
+ select TPM_MEASURED_BOOT
config CBFS_SIZE
default 0xb4e000
config VBOOT
- select VBOOT_MEASURED_BOOT
select VBOOT_VBNV_FLASH
select VBOOT_NO_BOARD_SUPPORT
select GBB_FLAG_DISABLE_LID_SHUTDOWN
diff --git a/src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig b/src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig
index 864e808..852294a 100644
--- a/src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig
+++ b/src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig
@@ -11,9 +11,9 @@
select MAINBOARD_HAS_TPM2
select MAINBOARD_HAS_LPC_TPM
select TPM_ON_FAST_SPI
+ select TPM_MEASURED_BOOT
config VBOOT - select VBOOT_MEASURED_BOOT select VBOOT_VBNV_FLASH select VBOOT_NO_BOARD_SUPPORT select GBB_FLAG_DISABLE_LID_SHUTDOWN diff --git a/src/security/tpm/Kconfig b/src/security/tpm/Kconfig index 1766939..d8652b2 100644 --- a/src/security/tpm/Kconfig +++ b/src/security/tpm/Kconfig @@ -100,4 +100,21 @@ or VBOOT on the Intel Arrandale processor, which issues a CPU-only reset during the romstage.
+config TPM_MEASURED_BOOT
+ bool "Enable Measured Boot"
+ default n
+ select VBOOT_LIB
+ depends on TPM1 || TPM2
+ depends on !VBOOT_RETURN_FROM_VERSTAGE
+ help
+ Enables measured boot (experimental)
+
+config TPM_MEASURED_BOOT_RUNTIME_DATA
+ string "Runtime data whitelist"
+ default ""
+ depends on TPM_MEASURED_BOOT
+ help
+ Runtime data whitelist of cbfs filenames. Needs to be a
+ comma separated list
+
endmenu # Trusted Platform Module (tpm)
diff --git a/src/security/tpm/Makefile.inc b/src/security/tpm/Makefile.inc
index a2d32cf..c36183d 100644
--- a/src/security/tpm/Makefile.inc
+++ b/src/security/tpm/Makefile.inc
@@ -6,22 +6,17 @@
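Review bot: The help text of the new TPM_MEASURED_BOOT_RUNTIME_DATA option does not say what listing a file changes about how it is measured, so an integrator cannot judge the effect on attestation from the menu alone. I would add one sentence on how whitelisted files are treated and spell out the expected format, for instance a constructed example like `"file_a,file_b"` with a note on whether spaces are allowed. The help for TPM_MEASURED_BOOT, currently `Enables measured boot (experimental)`, could also say what the commit message says: digests of files loaded before the TPM is set up are cached in the TCPA log and extended into the PCRs once the TPM is up, and VBOOT is no longer required.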
ramstage-y += tss/tcg-1.2/tss.c
romstage-y += tss/tcg-1.2/tss.c
-
-verstage-$(CONFIG_VBOOT) += tss/tcg-1.2/tss.c
-postcar-$(CONFIG_VBOOT) += tss/tcg-1.2/tss.c
+bootblock-y += tss/tcg-1.2/tss.c
+verstage-y += tss/tcg-1.2/tss.c
+postcar-y += tss/tcg-1.2/tss.c
## TSPI
ramstage-y += tspi/tspi.c
romstage-y += tspi/tspi.c
-
-verstage-$(CONFIG_VBOOT) += tspi/tspi.c
-postcar-$(CONFIG_VBOOT) += tspi/tspi.c
-
-ramstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
-romstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
-verstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
-postcar-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
+bootblock-y += tspi/tspi.c
+verstage-y += tspi/tspi.c
+postcar-y += tspi/tspi.c
endif # CONFIG_TPM1
@@ -39,17 +34,31 @@ postcar-y += tss/tcg-2.0/tss_marshaling.c postcar-y += tss/tcg-2.0/tss.c
+bootblock-y += tss/tcg-2.0/tss_marshaling.c +bootblock-y += tss/tcg-2.0/tss.c + ## TSPI
ramstage-y += tspi/tspi.c romstage-y += tspi/tspi.c - +bootblock-y += tspi/tspi.c verstage-$(CONFIG_VBOOT) += tspi/tspi.c -postcar-$(CONFIG_VBOOT) += tspi/tspi.c - -ramstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c -romstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c -verstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c -postcar-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c +postcar-y += tspi/tspi.c
endif # CONFIG_TPM2 + +ifeq ($(CONFIG_TPM_MEASURED_BOOT),y) + +bootblock-y += tspi/crtm.c +verstage-y += tspi/crtm.c +romstage-y += tspi/crtm.c +ramstage-y += tspi/crtm.c +postcar-y += tspi/crtm.c + +ramstage-y += tspi/log.c +romstage-y += tspi/log.c +verstage-y += tspi/log.c +postcar-y += tspi/log.c +bootblock-y += tspi/log.c + +endif # CONFIG_TPM_MEASURED_BOOT diff --git a/src/security/tpm/tspi.h b/src/security/tpm/tspi.h index 6854401..7ea90e2 100644 --- a/src/security/tpm/tspi.h +++ b/src/security/tpm/tspi.h @@ -24,6 +24,12 @@ #define HASH_DATA_CHUNK_SIZE 1024
/** + * Get the pointer to the single instance of global + * tcpa log data, and initialize it when necessary + */ +struct tcpa_table *tcpa_log_init(void); + +/** * Clears the pre-RAM tcpa log data and initializes * any content with default values */ @@ -47,6 +53,7 @@ */ void tcpa_log_dump(void *unused);
+ /** * Ask vboot for a digest and extend a TPM PCR with it. * @param pcr sets the pcr index diff --git a/src/security/tpm/tspi/crtm.c b/src/security/tpm/tspi/crtm.c new file mode 100644 index 0000000..dc7d7d2 --- /dev/null +++ b/src/security/tpm/tspi/crtm.c 
@@ -0,0 +1,197 @@ +/* + * This file is part of the coreboot project. + * + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 2 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + */ + +#include <console/console.h> +#include <fmap.h> +#include <cbfs.h> +#include "crtm.h" +#include <string.h> + +/* + * This function sets the TCPA log namespace + * for the cbfs file (region) lookup. + */ +static int create_tcpa_metadata(const struct region_device *rdev, + const char *cbfs_name, char log_string[TCPA_PCR_HASH_NAME]) +{ + int i; + struct region_device fmap; + static const char *const fmap_cbfs_names[] = { + "COREBOOT", + "FW_MAIN_A", + "FW_MAIN_B", + "RW_LEGACY" + }; + + for (i = 0; i < ARRAY_SIZE(fmap_cbfs_names); i++) { + if (fmap_locate_area_as_rdev(fmap_cbfs_names[i], &fmap) == 0) { + if (region_is_subregion(region_device_region(&fmap), + region_device_region(rdev))) { + snprintf(log_string, TCPA_PCR_HASH_NAME, + "FMAP: %s CBFS: %s", + fmap_cbfs_names[i], cbfs_name); + return 0; + } + } + } + + return -1; +} + +static int tcpa_log_initialized; +static inline int tcpa_log_available(void) +{ + if (ENV_BOOTBLOCK) + return tcpa_log_initialized; + + return 1; +} + +uint32_t tspi_init_crtm(void) +{ + struct prog bootblock = PROG_INIT(PROG_BOOTBLOCK, "bootblock"); + + /* Initialize TCPA PRERAM log. 
*/ + if (!tcpa_log_available()) { + tcpa_preram_log_clear(); + tcpa_log_initialized = 1; + } else { + printk(BIOS_WARNING, "TSPI: CRTM already initialized!\n"); + return VB2_SUCCESS; + } + + /* measure bootblock from RO */ + struct cbfsf bootblock_data; + struct region_device bootblock_fmap; + if (fmap_locate_area_as_rdev("BOOTBLOCK", &bootblock_fmap) == 0) { + if (tpm_measure_region(&bootblock_fmap, + TPM_CRTM_PCR, + "FMAP: BOOTBLOCK")) + return VB2_ERROR_UNKNOWN; + } else { + if (cbfs_boot_locate(&bootblock_data, + prog_name(&bootblock), NULL)) { + /* + * measurement is done in + * tspi_measure_cbfs_hook() + */ + printk(BIOS_INFO, + "TSPI: Couldn't measure bootblock into CRTM!\n"); + return VB2_ERROR_UNKNOWN; + } + } + + return VB2_SUCCESS; +} + +static bool is_runtime_data(const char *name) +{ + const char *whitelist = CONFIG_TPM_MEASURED_BOOT_RUNTIME_DATA; + size_t whitelist_len = sizeof(CONFIG_TPM_MEASURED_BOOT_RUNTIME_DATA) - 1; + size_t name_len = strlen(name); + int i; + + if (!whitelist_len || !name_len) + return false; + + for (i = 0; (i + name_len) <= whitelist_len; i++) { + if (!strcmp(whitelist + i, name)) + return true; + } + + return false; +} + +uint32_t tspi_measure_cbfs_hook(struct cbfsf *fh, const char *name) +{ + uint32_t pcr_index; + uint32_t cbfs_type; + struct region_device rdev; + char tcpa_metadata[TCPA_PCR_HASH_NAME]; + + if (!tcpa_log_available()) { + if (tspi_init_crtm() != VB2_SUCCESS) { + printk(BIOS_WARNING, + "Initializing CRTM failed!"); + return 0; + } + printk(BIOS_DEBUG, "CRTM initialized."); + } + + cbfsf_file_type(fh, &cbfs_type); + cbfs_file_data(&rdev, fh); + + switch (cbfs_type) { + case CBFS_TYPE_MRC: + case CBFS_TYPE_MRC_CACHE: + pcr_index = TPM_RUNTIME_DATA_PCR; + break; + case CBFS_TYPE_STAGE: + case CBFS_TYPE_SELF: + case CBFS_TYPE_FIT: + pcr_index = TPM_CRTM_PCR; + break; + default: + if (is_runtime_data(name)) + pcr_index = TPM_RUNTIME_DATA_PCR; + else + pcr_index = TPM_CRTM_PCR; + break; + } + + if 
(create_tcpa_metadata(&rdev, name, tcpa_metadata) < 0) + return VB2_ERROR_UNKNOWN; + + return tpm_measure_region(&rdev, pcr_index, tcpa_metadata); +} + +int tspi_measure_cache_to_pcr(void) +{ + int i; + enum vb2_hash_algorithm hash_alg; + struct tcpa_table *tclt = tcpa_log_init(); + + if (!tclt) { + printk(BIOS_WARNING, "TCPA: Log non-existent!\n"); + return VB2_ERROR_UNKNOWN; + } + if (CONFIG(TPM1)) { + hash_alg = VB2_HASH_SHA1; + } else { /* CONFIG_TPM2 */ + hash_alg = VB2_HASH_SHA256; + } + + + printk(BIOS_DEBUG, "TPM: Write digests cached in TCPA log to PCR\n"); + for (i = 0; i < tclt->num_entries; i++) { + struct tcpa_entry *tce = &tclt->entries[i]; + if (tce) { + printk(BIOS_DEBUG, "TPM: Write digest for" + " %s into PCR %d\n", + tce->name, tce->pcr); + int result = tlcl_extend(tce->pcr, + tce->digest, + NULL); + if (result != TPM_SUCCESS) { + printk(BIOS_ERR, "TPM: Writing digest" + " of %s into PCR failed with error" + " %d\n", + tce->name, result); + return VB2_ERROR_UNKNOWN; + } + } + } + + return VB2_SUCCESS; +} diff --git a/src/security/vboot/vboot_crtm.h b/src/security/tpm/tspi/crtm.h similarity index 78% rename from src/security/vboot/vboot_crtm.h rename to src/security/tpm/tspi/crtm.h index ba3dd45..dfd91e1 100644 --- a/src/security/vboot/vboot_crtm.h +++ b/src/security/tpm/tspi/crtm.h @@ -12,8 +12,8 @@ * GNU General Public License for more details. */
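Review bot: `is_runtime_data()` in the new crtm.c does not match the entries of a comma-separated list: `strcmp(whitelist + i, name)` compares `name` with everything from offset `i` to the end of `CONFIG_TPM_MEASURED_BOOT_RUNTIME_DATA`. Only the last entry can match, and so can any name that merely equals a tail of the string (constructed example: with a list ending in `a/foo.bin`, a file named `foo.bin` matches). The result selects between `TPM_RUNTIME_DATA_PCR` and `TPM_CRTM_PCR` in `tspi_measure_cbfs_hook()`, so a misclassified file is extended into the wrong PCR and changes the value a verifier expects there. The same loop is in the removed vboot_crtm.c, so this move is a good point to compare whole entries as sketched below; whether entries may carry surrounding blanks is not visible here.

```c
static bool is_runtime_data(const char *name)
{
	const char *entry = CONFIG_TPM_MEASURED_BOOT_RUNTIME_DATA;
	size_t name_len = strlen(name);

	if (!name_len)
		return false;

	/* Walk the list entry by entry and require an exact, full-length match. */
	while (*entry) {
		const char *end = strchr(entry, ',');
		size_t entry_len = end ? (size_t)(end - entry) : strlen(entry);

		if (entry_len == name_len && !memcmp(entry, name, name_len))
			return true;
		if (!end)
			break;
		entry = end + 1;
	}

	return false;
}
```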
-#ifndef __SECURITY_VBOOT_CRTM_H__ -#define __SECURITY_VBOOT_CRTM_H__ +#ifndef __SECURITY_TSPI_CRTM_H__ +#define __SECURITY_TSPI_CRTM_H__
#include <commonlib/cbfs.h> #include <program_loading.h> @@ -43,18 +43,23 @@ * Takes the current vboot context as parameter for s3 checks. * returns on success VB2_SUCCESS, else a vboot error. */ -uint32_t vboot_init_crtm(void); +uint32_t tspi_init_crtm(void);
-#if CONFIG(VBOOT_MEASURED_BOOT) +/** + * Measure digests cached in TCPA log entries into PCRs + */ +int tspi_measure_cache_to_pcr(void); + +#if CONFIG(TPM_MEASURED_BOOT) /* * Measures cbfs data via hook (cbfs) * fh is the cbfs file handle to measure * return 0 if successful, else an error */ -uint32_t vboot_measure_cbfs_hook(struct cbfsf *fh, const char *name); +uint32_t tspi_measure_cbfs_hook(struct cbfsf *fh, const char *name);
#else -#define vboot_measure_cbfs_hook(fh, name) 0 +#define tspi_measure_cbfs_hook(fh, name) 0 #endif
-#endif /* __VBOOT_VBOOT_CRTM_H__ */ +#endif /* __SECURITY_TSPI_CRTM_H__ */ diff --git a/src/security/tpm/tspi/log.c b/src/security/tpm/tspi/log.c index 068d78d..e43f74d 100644 --- a/src/security/tpm/tspi/log.c +++ b/src/security/tpm/tspi/log.c @@ -16,7 +16,7 @@ #include <security/tpm/tspi.h> #include <region_file.h> #include <string.h> -#include <security/vboot/symbols.h> +#include <symbols.h> #include <cbmem.h> #include <bootstate.h> #include <vb2_sha.h> @@ -42,7 +42,7 @@ return tclt; }
-static struct tcpa_table *tcpa_log_init(void) +struct tcpa_table *tcpa_log_init(void) { MAYBE_STATIC_BSS struct tcpa_table *tclt = NULL;
@@ -50,12 +50,12 @@ * If cbmem isn't available use CAR or SRAM */ if (!cbmem_possibly_online() && !CONFIG(VBOOT_RETURN_FROM_VERSTAGE)) - return (struct tcpa_table *)_vboot2_tpm_log; + return (struct tcpa_table *)_tpm_tcpa_log; else if (ENV_ROMSTAGE && !CONFIG(VBOOT_RETURN_FROM_VERSTAGE)) { tclt = tcpa_cbmem_init(); if (!tclt) - return (struct tcpa_table *)_vboot2_tpm_log; + return (struct tcpa_table *)_tpm_tcpa_log; } else { tclt = tcpa_cbmem_init(); } @@ -128,7 +128,7 @@ void tcpa_preram_log_clear(void) { printk(BIOS_INFO, "TCPA: Clearing coreboot TCPA log\n"); - struct tcpa_table *tclt = (struct tcpa_table *)_vboot2_tpm_log; + struct tcpa_table *tclt = (struct tcpa_table *)_tpm_tcpa_log; tclt->max_entries = MAX_TCPA_LOG_ENTRIES; tclt->num_entries = 0; } @@ -136,7 +136,7 @@ #if !CONFIG(VBOOT_RETURN_FROM_VERSTAGE) static void recover_tcpa_log(int is_recovery) { - struct tcpa_table *preram_log = (struct tcpa_table *)_vboot2_tpm_log; + struct tcpa_table *preram_log = (struct tcpa_table *)_tpm_tcpa_log; struct tcpa_table *ram_log = NULL; int i;
diff --git a/src/security/tpm/tspi/tspi.c b/src/security/tpm/tspi/tspi.c
index 0095183..4f0cc97 100644
--- a/src/security/tpm/tspi/tspi.c
+++ b/src/security/tpm/tspi/tspi.c
@@ -14,13 +14,14 @@
#include <console/cbmem_console.h> #include <console/console.h> +#include <security/tpm/tspi/crtm.h> #include <security/tpm/tspi.h> #include <security/tpm/tss.h> -#if CONFIG(VBOOT) +#include <assert.h> +#include <security/vboot/misc.h> +#include <string.h> #include <vb2_api.h> #include <vb2_sha.h> -#include <assert.h> -#endif
#if CONFIG(TPM1) static uint32_t tpm1_invoke_state_machine(void) @@ -100,6 +101,18 @@ return result; }
+static int tpm_is_setup; +static inline int tspi_tpm_is_setup(void) +{ + if (CONFIG(VBOOT)) + return vboot_logic_executed() || tpm_is_setup; + + if (ENV_RAMSTAGE) + return tpm_is_setup; + + return 0; +} + /* * tpm_setup starts the TPM and establishes the root of trust for the * anti-rollback mechanism. tpm_setup can fail for three reasons. 1 A bug. @@ -170,7 +183,10 @@ #if CONFIG(TPM1) result = tpm1_invoke_state_machine(); #endif + if (CONFIG(TPM_MEASURED_BOOT)) + result = tspi_measure_cache_to_pcr();
+ tpm_is_setup = 1; return tpm_setup_epilogue(result); }
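Review bot: The added `result = tspi_measure_cache_to_pcr();` in tpm_setup() overwrites the value stored just before it by `tpm1_invoke_state_machine()`, so a failed TPM start can be masked when the replay has nothing to extend or succeeds, and `tpm_is_setup = 1` is then set on every path. I would replay and mark the TPM as set up only after a successful start: `if (result == TPM_SUCCESS && CONFIG(TPM_MEASURED_BOOT)) result = tspi_measure_cache_to_pcr();` followed by `if (result == TPM_SUCCESS) tpm_is_setup = 1;`. tspi_measure_cache_to_pcr() also returns VB2_* codes, while tpm_setup_epilogue() presumably expects TPM_* codes. tpm_setup() starts outside this hunk, so the earlier assignments to `result` are not visible.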
@@ -210,18 +226,27 @@ if (!digest) return TPM_E_IOERROR;
- result = tlcl_extend(pcr, digest, NULL); - if (result != TPM_SUCCESS) - return result; + if (tspi_tpm_is_setup()) { + result = tlcl_lib_init(); + if (result != TPM_SUCCESS) { + printk(BIOS_ERR, "TPM: Can't initialize library.\n"); + return result; + }
- if (CONFIG(VBOOT_MEASURED_BOOT)) + printk(BIOS_DEBUG, "TPM: Extending digest for %s into PCR %d\n", name, pcr); + result = tlcl_extend(pcr, digest, NULL); + if (result != TPM_SUCCESS) + return result; + } + + if (CONFIG(TPM_MEASURED_BOOT)) tcpa_log_add_table_entry(name, pcr, digest_algo, digest, digest_len);
return TPM_SUCCESS; }
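Review bot: When `tspi_tpm_is_setup()` is false, tpm_extend_pcr() now returns `TPM_SUCCESS` without touching the TPM, so the caller cannot tell a cached digest from an extended one, and with `CONFIG(TPM_MEASURED_BOOT)` disabled the digest is dropped altogether. The cached entries stay in the TCPA log until tspi_measure_cache_to_pcr() replays them, so the values that reach the PCRs are only as trustworthy as that writable log region. That assumption deserves a comment at the branch, for example `/* TPM not started yet: digest is only cached in the TCPA log and extended later by tspi_measure_cache_to_pcr() */`. It also looks as if a full log would lose the measurement silently, but tcpa_log_add_table_entry() is outside this hunk, as is the start of the function.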
-#if CONFIG(VBOOT) +#if CONFIG(VBOOT_LIB) uint32_t tpm_measure_region(const struct region_device *rdev, uint8_t pcr, const char *rname) { @@ -234,11 +259,7 @@
if (!rdev || !rname) return TPM_E_INVALID_ARG; - result = tlcl_lib_init(); - if (result != TPM_SUCCESS) { - printk(BIOS_ERR, "TPM: Can't initialize library.\n"); - return result; - } + if (CONFIG(TPM1)) { hash_alg = VB2_HASH_SHA1; } else { /* CONFIG_TPM2 */ @@ -277,7 +298,8 @@ printk(BIOS_ERR, "TPM: Extending hash into PCR failed.\n"); return result; } - printk(BIOS_DEBUG, "TPM: Measured %s into PCR %d\n", rname, pcr); + printk(BIOS_DEBUG, "TPM: Digest of %s to PCR %d %s\n", + rname, pcr, tspi_tpm_is_setup() ? "measured" : "logged"); return TPM_SUCCESS; } -#endif /* VBOOT */ +#endif /* VBOOT_LIB */ diff --git a/src/security/vboot/Kconfig b/src/security/vboot/Kconfig index 6e0021d..f273265 100644 --- a/src/security/vboot/Kconfig +++ b/src/security/vboot/Kconfig @@ -35,22 +35,6 @@ comment "Anti-Rollback Protection disabled because mocking secdata is enabled." depends on VBOOT_MOCK_SECDATA
-config VBOOT_MEASURED_BOOT - bool "Enable Measured Boot" - default n - depends on TPM1 || TPM2 - depends on !VBOOT_RETURN_FROM_VERSTAGE - help - Enables measured boot mode in vboot (experimental) - -config VBOOT_MEASURED_BOOT_RUNTIME_DATA - string "Runtime data whitelist" - default "" - depends on VBOOT_MEASURED_BOOT - help - Runtime data whitelist of cbfs filenames. Needs to be a comma separated - list - config VBOOT_SLOTS_RW_A bool "Firmware RO + RW_A" help diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc index e7560dd..d1cc2da 100644 --- a/src/security/vboot/Makefile.inc +++ b/src/security/vboot/Makefile.inc @@ -105,14 +105,6 @@ ramstage-y += vboot_common.c postcar-y += vboot_common.c
-ifeq ($(CONFIG_VBOOT_MEASURED_BOOT),y) -bootblock-y += vboot_crtm.c -verstage-y += vboot_crtm.c -romstage-y += vboot_crtm.c -ramstage-y += vboot_crtm.c -postcar-y += vboot_crtm.c -endif - bootblock-y += common.c verstage-y += vboot_logic.c verstage-y += common.c diff --git a/src/security/vboot/symbols.h b/src/security/vboot/symbols.h index 778c8ee..8f6063e 100644 --- a/src/security/vboot/symbols.h +++ b/src/security/vboot/symbols.h @@ -19,6 +19,4 @@
DECLARE_REGION(vboot2_work)
-DECLARE_REGION(vboot2_tpm_log) - #endif /* __VBOOT_SYMBOLS_H__ */ diff --git a/src/security/vboot/vboot_crtm.c b/src/security/vboot/vboot_crtm.c deleted file mode 100644 index 40b56ed..0000000 --- a/src/security/vboot/vboot_crtm.c +++ /dev/null 
@@ -1,194 +0,0 @@ -/* - * This file is part of the coreboot project. - * - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; version 2 of the License. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - */ - -#include <console/console.h> -#include <fmap.h> -#include <cbfs.h> -#include <security/vboot/vboot_crtm.h> -#include <security/vboot/misc.h> -#include <string.h> - -/* - * This functions sets the TCPA log namespace - * for the cbfs file (region) lookup. - */ -static int create_tcpa_metadata(const struct region_device *rdev, - const char *cbfs_name, char log_string[TCPA_PCR_HASH_NAME]) -{ - int i; - struct region_device fmap; - static const char *fmap_cbfs_names[] = { - "COREBOOT", - "FW_MAIN_A", - "FW_MAIN_B", - "RW_LEGACY"}; - - for (i = 0; i < ARRAY_SIZE(fmap_cbfs_names); i++) { - if (fmap_locate_area_as_rdev(fmap_cbfs_names[i], &fmap) == 0) { - if (region_is_subregion(region_device_region(&fmap), - region_device_region(rdev))) { - snprintf(log_string, TCPA_PCR_HASH_NAME, - "FMAP: %s CBFS: %s", - fmap_cbfs_names[i], cbfs_name); - return 0; - } - } - } - - return -1; -} - -uint32_t vboot_init_crtm(void) -{ - struct prog bootblock = PROG_INIT(PROG_BOOTBLOCK, "bootblock"); - struct prog verstage = - PROG_INIT(PROG_VERSTAGE, CONFIG_CBFS_PREFIX "/verstage"); - struct prog romstage = - PROG_INIT(PROG_ROMSTAGE, CONFIG_CBFS_PREFIX "/romstage"); - char tcpa_metadata[TCPA_PCR_HASH_NAME]; - - /* Initialize TCPE PRERAM log. 
*/ - tcpa_preram_log_clear(); - - /* measure bootblock from RO */ - struct cbfsf bootblock_data; - struct region_device bootblock_fmap; - if (fmap_locate_area_as_rdev("BOOTBLOCK", &bootblock_fmap) == 0) { - if (tpm_measure_region(&bootblock_fmap, - TPM_CRTM_PCR, - "FMAP: BOOTBLOCK")) - return VB2_ERROR_UNKNOWN; - } else { - if (cbfs_boot_locate(&bootblock_data, - prog_name(&bootblock), NULL) == 0) { - cbfs_file_data(prog_rdev(&bootblock), &bootblock_data); - - if (create_tcpa_metadata(prog_rdev(&bootblock), - prog_name(&bootblock), tcpa_metadata) < 0) - return VB2_ERROR_UNKNOWN; - - if (tpm_measure_region(prog_rdev(&bootblock), - TPM_CRTM_PCR, - tcpa_metadata)) - return VB2_ERROR_UNKNOWN; - } else { - printk(BIOS_INFO, - "VBOOT: Couldn't measure bootblock into CRTM!\n"); - return VB2_ERROR_UNKNOWN; - } - } - - if (CONFIG(VBOOT_STARTS_IN_ROMSTAGE)) { - struct cbfsf romstage_data; - /* measure romstage from RO */ - if (cbfs_boot_locate(&romstage_data, - prog_name(&romstage), NULL) == 0) { - cbfs_file_data(prog_rdev(&romstage), &romstage_data); - - if (create_tcpa_metadata(prog_rdev(&romstage), - prog_name(&romstage), tcpa_metadata) < 0) - return VB2_ERROR_UNKNOWN; - - if (tpm_measure_region(prog_rdev(&romstage), - TPM_CRTM_PCR, - tcpa_metadata)) - return VB2_ERROR_UNKNOWN; - } else { - printk(BIOS_INFO, - "VBOOT: Couldn't measure %s into CRTM!\n", - CONFIG_CBFS_PREFIX "/romstage"); - return VB2_ERROR_UNKNOWN; - } - } - - if (CONFIG(VBOOT_SEPARATE_VERSTAGE)) { - struct cbfsf verstage_data; - /* measure verstage from RO */ - if (cbfs_boot_locate(&verstage_data, - prog_name(&verstage), NULL) == 0) { - cbfs_file_data(prog_rdev(&verstage), &verstage_data); - - if (create_tcpa_metadata(prog_rdev(&verstage), - prog_name(&verstage), tcpa_metadata) < 0) - return VB2_ERROR_UNKNOWN; - - if (tpm_measure_region(prog_rdev(&verstage), - TPM_CRTM_PCR, - tcpa_metadata)) - return VB2_ERROR_UNKNOWN; - } else { - printk(BIOS_INFO, - "VBOOT: Couldn't measure %s into CRTM!\n", - 
CONFIG_CBFS_PREFIX "/verstage"); - return VB2_ERROR_UNKNOWN; - } - } - - return VB2_SUCCESS; -} - -static bool is_runtime_data(const char *name) -{ - const char *whitelist = CONFIG_VBOOT_MEASURED_BOOT_RUNTIME_DATA; - size_t whitelist_len = sizeof(CONFIG_VBOOT_MEASURED_BOOT_RUNTIME_DATA) - 1; - size_t name_len = strlen(name); - int i; - - if (!whitelist_len || !name_len) - return false; - - for (i = 0; (i + name_len) <= whitelist_len; i++) { - if (!strcmp(whitelist + i, name)) - return true; - } - - return false; -} - -uint32_t vboot_measure_cbfs_hook(struct cbfsf *fh, const char *name) -{ - uint32_t pcr_index; - uint32_t cbfs_type; - struct region_device rdev; - char tcpa_metadata[TCPA_PCR_HASH_NAME]; - - if (!vboot_logic_executed()) - return 0; - - cbfsf_file_type(fh, &cbfs_type); - cbfs_file_data(&rdev, fh); - - switch (cbfs_type) { - case CBFS_TYPE_MRC: - case CBFS_TYPE_MRC_CACHE: - pcr_index = TPM_RUNTIME_DATA_PCR; - break; - case CBFS_TYPE_STAGE: - case CBFS_TYPE_SELF: - case CBFS_TYPE_FIT: - pcr_index = TPM_CRTM_PCR; - break; - default: - if (is_runtime_data(name)) - pcr_index = TPM_RUNTIME_DATA_PCR; - else - pcr_index = TPM_CRTM_PCR; - break; - } - - if (create_tcpa_metadata(&rdev, name, tcpa_metadata) < 0) - return VB2_ERROR_UNKNOWN; - - return tpm_measure_region(&rdev, pcr_index, tcpa_metadata); -} diff --git a/src/security/vboot/vboot_logic.c b/src/security/vboot/vboot_logic.c index b72df96..80f7aaa 100644 --- a/src/security/vboot/vboot_logic.c +++ b/src/security/vboot/vboot_logic.c @@ -17,13 +17,13 @@ #include <bootmode.h> #include <cbmem.h> #include <fmap.h> +#include <security/tpm/tspi/crtm.h> +#include <security/vboot/misc.h> +#include <security/vboot/vbnv.h> +#include <security/vboot/tpm_common.h> #include <string.h> #include <timestamp.h> #include <vb2_api.h> -#include <security/vboot/misc.h> -#include <security/vboot/vbnv.h> -#include <security/vboot/vboot_crtm.h> -#include <security/vboot/tpm_common.h>
#include "antirollback.h"
@@ -283,14 +283,6 @@ antirollback_read_space_firmware(ctx); timestamp_add_now(TS_END_TPMINIT);
- /* Enable measured boot mode */ - if (CONFIG(VBOOT_MEASURED_BOOT) && - !(ctx->flags & VB2_CONTEXT_S3_RESUME)) { - if (vboot_init_crtm() != VB2_SUCCESS) - die_with_post_code(POST_INVALID_ROM, - "Initializing measured boot mode failed!"); - } - if (get_recovery_mode_switch()) { ctx->flags |= VB2_CONTEXT_FORCE_RECOVERY_MODE; if (CONFIG(VBOOT_DISABLE_DEV_ON_RECOVERY)) diff --git a/src/soc/cavium/cn81xx/include/soc/memlayout.ld b/src/soc/cavium/cn81xx/include/soc/memlayout.ld index 7478669..f3b0442 100644 --- a/src/soc/cavium/cn81xx/include/soc/memlayout.ld +++ b/src/soc/cavium/cn81xx/include/soc/memlayout.ld @@ -34,7 +34,7 @@ PRERAM_CBMEM_CONSOLE(BOOTROM_OFFSET + 0x8000, 8K) BOOTBLOCK(BOOTROM_OFFSET + 0x20000, 64K) VBOOT2_WORK(BOOTROM_OFFSET + 0x30000, 12K) - VBOOT2_TPM_LOG(BOOTROM_OFFSET + 0x33000, 2K) + TPM_TCPA_LOG(BOOTROM_OFFSET + 0x33000, 2K) VERSTAGE(BOOTROM_OFFSET + 0x33800, 50K) ROMSTAGE(BOOTROM_OFFSET + 0x40000, 256K)
diff --git a/src/soc/mediatek/mt8173/include/soc/memlayout.ld b/src/soc/mediatek/mt8173/include/soc/memlayout.ld
index 89ee8f4..2a617b7 100644
--- a/src/soc/mediatek/mt8173/include/soc/memlayout.ld
+++ b/src/soc/mediatek/mt8173/include/soc/memlayout.ld
@@ -38,7 +38,7 @@
SRAM_START(0x00100000) VBOOT2_WORK(0x00100000, 12K) - VBOOT2_TPM_LOG(0x00103000, 2K) + TPM_TCPA_LOG(0x00103000, 2K) FMAP_CACHE(0x00103800, 2K) PRERAM_CBMEM_CONSOLE(0x00104000, 12K) WATCHDOG_TOMBSTONE(0x00107000, 4) diff --git a/src/soc/mediatek/mt8183/include/soc/memlayout.ld b/src/soc/mediatek/mt8183/include/soc/memlayout.ld index 6e523d8..d2f9a06 100644 --- a/src/soc/mediatek/mt8183/include/soc/memlayout.ld +++ b/src/soc/mediatek/mt8183/include/soc/memlayout.ld @@ -30,7 +30,7 @@ { SRAM_START(0x00100000) VBOOT2_WORK(0x00100000, 12K) - VBOOT2_TPM_LOG(0x00103000, 2K) + TPM_TCPA_LOG(0x00103000, 2K) FMAP_CACHE(0x00103800, 2K) WATCHDOG_TOMBSTONE(0x00104000, 4) PRERAM_CBMEM_CONSOLE(0x00104004, 63K - 4) diff --git a/src/soc/nvidia/tegra124/include/soc/memlayout.ld b/src/soc/nvidia/tegra124/include/soc/memlayout.ld index 0128a86..adb47b1 100644 --- a/src/soc/nvidia/tegra124/include/soc/memlayout.ld +++ b/src/soc/nvidia/tegra124/include/soc/memlayout.ld @@ -30,7 +30,7 @@ FMAP_CACHE(0x40005800, 2K) PRERAM_CBFS_CACHE(0x40006000, 14K) VBOOT2_WORK(0x40009800, 12K) - VBOOT2_TPM_LOG(0x4000D800, 2K) + TPM_TCPA_LOG(0x4000D800, 2K) STACK(0x4000E000, 8K) BOOTBLOCK(0x40010000, 30K) VERSTAGE(0x40017800, 72K) diff --git a/src/soc/nvidia/tegra210/include/soc/memlayout.ld b/src/soc/nvidia/tegra210/include/soc/memlayout.ld index ff44591..fdd0e88 100644 --- a/src/soc/nvidia/tegra210/include/soc/memlayout.ld +++ b/src/soc/nvidia/tegra210/include/soc/memlayout.ld @@ -31,7 +31,7 @@ FMAP_CACHE(0x40000800, 2K) PRERAM_CBFS_CACHE(0x40001000, 28K) VBOOT2_WORK(0x40008000, 12K) - VBOOT2_TPM_LOG(0x4000B000, 2K) + TPM_TCPA_LOG(0x4000B000, 2K) #if ENV_ARM64 STACK(0x4000B800, 3K) #else /* AVP gets a separate stack to avoid any chance of handoff races. */ diff --git a/src/soc/samsung/exynos5250/include/soc/memlayout.ld b/src/soc/samsung/exynos5250/include/soc/memlayout.ld index db637ff..d117aac 100644 --- a/src/soc/samsung/exynos5250/include/soc/memlayout.ld 
+++ b/src/soc/samsung/exynos5250/include/soc/memlayout.ld @@ -32,7 +32,7 @@ TTB(0x2058000, 16K) PRERAM_CBFS_CACHE(0x205C000, 76K) FMAP_CACHE(0x206F000, 2K) - VBOOT2_TPM_LOG(0x206F800, 2K) + TPM_TCPA_LOG(0x206F800, 2K) VBOOT2_WORK(0x2070000, 12K) STACK(0x2074000, 16K) SRAM_END(0x2078000)
9elements QA has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 75:
Automatic boot test returned (PASS/FAIL/TOTAL): 3/0/3 Emulation targets: EMULATION_QEMU_X86_Q35 using payload TianoCore : SUCCESS : https://lava.9esec.io/r/1933 EMULATION_QEMU_X86_Q35 using payload SeaBIOS : SUCCESS : https://lava.9esec.io/r/1932 EMULATION_QEMU_X86_I440FX using payload SeaBIOS : SUCCESS : https://lava.9esec.io/r/1931
Please note: This test is under development and might not be accurate at all!
Werner Zeh has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 75:
BTW: This patch does not compile on Apollo Lake when both TPM_MEASURED_BOOT and VBOOT are selected at the same time. This is because Apollo Lake selects VBOOT_STARTS_IN_BOOTBLOCK and now tss.c is added to the bootblock while the tpm driver is not. So there is a linker error right now:
build/bootblock/security/tpm/tss/tcg-2.0/tss.o: In function `tpm_process_command': coreboot/src/security/tpm/tss/tcg-2.0/tss.c:44: undefined reference to `tis_sendrecv' build/bootblock/security/tpm/tss/tcg-2.0/tss.o: In function `tlcl_lib_init': coreboot/src/security/tpm/tss/tcg-2.0/tss.c:198: undefined reference to `tis_init' coreboot/src/security/tpm/tss/tcg-2.0/tss.c:203: undefined reference to `tis_open'
Was it meant to have these two options (TPM_MEASURED_BOOT and VBOOT) now exclusive?
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 75:
Patch Set 75:
BTW: This patch does not compile on Apollo Lake when both TPM_MEASURED_BOOT and VBOOT are selected at the same time. This is because Alollo Lake selects VBOOT_STARTS_IN_BOOTBLOCK and now tss.c is added to the bootblock while the tpm driver is not. So there is a linker error right now:
uild/bootblock/security/tpm/tss/tcg-2.0/tss.o: In function `tpm_process_command': coreboot/src/security/tpm/tss/tcg-2.0/tss.c:44: undefined reference to `tis_sendrecv' build/bootblock/security/tpm/tss/tcg-2.0/tss.o: In function `tlcl_lib_init': coreboot/src/security/tpm/tss/tcg-2.0/tss.c:198: undefined reference to `tis_init' coreboot/src/security/tpm/tss/tcg-2.0/tss.c:203: undefined reference to `tis_open'
Was it meant to have these two options (TPM_MEASURED_BOOT and VBOOT) now exclusive?
It means an "bootblock-$(CONFIG_LPC_TPM) += tis.c" may need to be added into each Makefile.inc of tpm implementations.
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 75:
Patch Set 75:
Patch Set 75:
BTW: This patch does not compile on Apollo Lake when both TPM_MEASURED_BOOT and VBOOT are selected at the same time. This is because Alollo Lake selects VBOOT_STARTS_IN_BOOTBLOCK and now tss.c is added to the bootblock while the tpm driver is not. So there is a linker error right now:
uild/bootblock/security/tpm/tss/tcg-2.0/tss.o: In function `tpm_process_command': coreboot/src/security/tpm/tss/tcg-2.0/tss.c:44: undefined reference to `tis_sendrecv' build/bootblock/security/tpm/tss/tcg-2.0/tss.o: In function `tlcl_lib_init': coreboot/src/security/tpm/tss/tcg-2.0/tss.c:198: undefined reference to `tis_init' coreboot/src/security/tpm/tss/tcg-2.0/tss.c:203: undefined reference to `tis_open'
Was it meant to have these two options (TPM_MEASURED_BOOT and VBOOT) now exclusive?
It means an "bootblock-$(CONFIG_LPC_TPM) += tis.c" may need to be added into each Makefile.inc of tpm implementations.
Or similar statements.
Werner Zeh has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 75:
Patch Set 75:
Patch Set 75:
Patch Set 75:
BTW: This patch does not compile on Apollo Lake when both TPM_MEASURED_BOOT and VBOOT are selected at the same time. This is because Alollo Lake selects VBOOT_STARTS_IN_BOOTBLOCK and now tss.c is added to the bootblock while the tpm driver is not. So there is a linker error right now:
uild/bootblock/security/tpm/tss/tcg-2.0/tss.o: In function `tpm_process_command': coreboot/src/security/tpm/tss/tcg-2.0/tss.c:44: undefined reference to `tis_sendrecv' build/bootblock/security/tpm/tss/tcg-2.0/tss.o: In function `tlcl_lib_init': coreboot/src/security/tpm/tss/tcg-2.0/tss.c:198: undefined reference to `tis_init' coreboot/src/security/tpm/tss/tcg-2.0/tss.c:203: undefined reference to `tis_open'
Was it meant to have these two options (TPM_MEASURED_BOOT and VBOOT) now exclusive?
It means an "bootblock-$(CONFIG_LPC_TPM) += tis.c" may need to be added into each Makefile.inc of tpm implementations.
Or similar statements.
Not possible when bootblock is not large enough. This is where you originally come from. The alternative would be to provide empty stubs just for the bootblock as the functions in question are not needed in this case. I will upload a patch soon.
Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 75:
Patch Set 75:
Patch Set 75:
Patch Set 75:
Patch Set 75:
BTW: This patch does not compile on Apollo Lake when both TPM_MEASURED_BOOT and VBOOT are selected at the same time. This is because Alollo Lake selects VBOOT_STARTS_IN_BOOTBLOCK and now tss.c is added to the bootblock while the tpm driver is not. So there is a linker error right now:
uild/bootblock/security/tpm/tss/tcg-2.0/tss.o: In function `tpm_process_command': coreboot/src/security/tpm/tss/tcg-2.0/tss.c:44: undefined reference to `tis_sendrecv' build/bootblock/security/tpm/tss/tcg-2.0/tss.o: In function `tlcl_lib_init': coreboot/src/security/tpm/tss/tcg-2.0/tss.c:198: undefined reference to `tis_init' coreboot/src/security/tpm/tss/tcg-2.0/tss.c:203: undefined reference to `tis_open'
Was it meant to have these two options (TPM_MEASURED_BOOT and VBOOT) now exclusive?
It means an "bootblock-$(CONFIG_LPC_TPM) += tis.c" may need to be added into each Makefile.inc of tpm implementations.
Or similar statements.
Not possible when bootblock is not large enough. This is where you originaly come from. The alternative would be to provide empty stubs just for the bootblock as the functions in question are not needed in this case. I will upload a patch soon.
Does Apollo Lake have a separate verstage if VBOOT is enabled?
Werner Zeh has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 75:
Patch Set 75:
Patch Set 75:
Patch Set 75:
Patch Set 75:
Patch Set 75:
BTW: This patch does not compile on Apollo Lake when both TPM_MEASURED_BOOT and VBOOT are selected at the same time. This is because Alollo Lake selects VBOOT_STARTS_IN_BOOTBLOCK and now tss.c is added to the bootblock while the tpm driver is not. So there is a linker error right now:
uild/bootblock/security/tpm/tss/tcg-2.0/tss.o: In function `tpm_process_command': coreboot/src/security/tpm/tss/tcg-2.0/tss.c:44: undefined reference to `tis_sendrecv' build/bootblock/security/tpm/tss/tcg-2.0/tss.o: In function `tlcl_lib_init': coreboot/src/security/tpm/tss/tcg-2.0/tss.c:198: undefined reference to `tis_init' coreboot/src/security/tpm/tss/tcg-2.0/tss.c:203: undefined reference to `tis_open'
Was it meant to have these two options (TPM_MEASURED_BOOT and VBOOT) now exclusive?
It means an "bootblock-$(CONFIG_LPC_TPM) += tis.c" may need to be added into each Makefile.inc of tpm implementations.
Or similar statements.
Not possible when bootblock is not large enough. This is where you originaly come from. The alternative would be to provide empty stubs just for the bootblock as the functions in question are not needed in this case. I will upload a patch soon.
Does Apollo Lake have a separate verstage if VBOOT is enabled?
Yes.
Werner Zeh has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 75:
Patch Set 75:
Patch Set 75:
Patch Set 75:
Patch Set 75:
Patch Set 75:
Patch Set 75:
BTW: This patch does not compile on Apollo Lake when both TPM_MEASURED_BOOT and VBOOT are selected at the same time. This is because Alollo Lake selects VBOOT_STARTS_IN_BOOTBLOCK and now tss.c is added to the bootblock while the tpm driver is not. So there is a linker error right now:
uild/bootblock/security/tpm/tss/tcg-2.0/tss.o: In function `tpm_process_command': coreboot/src/security/tpm/tss/tcg-2.0/tss.c:44: undefined reference to `tis_sendrecv' build/bootblock/security/tpm/tss/tcg-2.0/tss.o: In function `tlcl_lib_init': coreboot/src/security/tpm/tss/tcg-2.0/tss.c:198: undefined reference to `tis_init' coreboot/src/security/tpm/tss/tcg-2.0/tss.c:203: undefined reference to `tis_open'
Was it meant to have these two options (TPM_MEASURED_BOOT and VBOOT) now exclusive?
It means an "bootblock-$(CONFIG_LPC_TPM) += tis.c" may need to be added into each Makefile.inc of tpm implementations.
Or similar statements.
Not possible when bootblock is not large enough. This is where you originaly come from. The alternative would be to provide empty stubs just for the bootblock as the functions in question are not needed in this case. I will upload a patch soon.
Does Apollo Lake have a separate verstage if VBOOT is enabled?
Yes.
Addressed in https://review.coreboot.org/c/coreboot/+/39971