GNUBoot/coreboot-kgpe-d16
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
coreboot-kgpe-d16/src/security/vboot/secdata_mock.c

72 lines
1.9 KiB
C
Raw Normal View History

treewide: Convert more license headers to SPDX style Change-Id: Ia3de79c7d71049da00ed108829eac6cb49ff3ed6 Signed-off-by: Patrick Georgi <pgeorgi@google.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/41205 Reviewed-by: HAOUAS Elyes <ehaouas@noos.fr> Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
2020-05-10 19:44:08 +02:00
/* SPDX-License-Identifier: BSD-3-Clause */
src/vboot: Add valid license headers to all files Change-Id: I77d7d6048fee9b378aa04c1a62b830e08f95ec22 Signed-off-by: Martin Roth <martinroth@google.com> Reviewed-on: https://review.coreboot.org/18407 Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net> Tested-by: build bot (Jenkins) Reviewed-by: Patrick Georgi <pgeorgi@google.com> Reviewed-by: Nico Huber <nico.h@gmx.de>
2017-02-10 03:06:16 +01:00
/*
vboot: add mocked secdata This patch allows a board without a secdata storage (typically TPM) to pass the verification stage if recovery path is taken. It's useful for bringup when the actual board is not ready. BUG=none BRANCH=none TEST=booted the kernel from a usb stick on a cygnus reference board Change-Id: I5ab97d1198057d102a1708338d71c606fe106c75 Signed-off-by: Patrick Georgi <pgeorgi@chromium.org> Original-Commit-Id: 5d45acee31fd5b7bfe7444f12e3622bae49fc329 Original-Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org> Original-Reviewed-on: https://chrome-internal-review.googlesource.com/212418 Original-Reviewed-by: Daisuke Nojiri <dnojiri@google.com> Original-Commit-Queue: Daisuke Nojiri <dnojiri@google.com> Original-Tested-by: Daisuke Nojiri <dnojiri@google.com> Original-Change-Id: Iddd9af19a2b6428704254af0c17b642e7a976fb8 Original-Reviewed-on: https://chromium-review.googlesource.com/265046 Reviewed-on: http://review.coreboot.org/9919 Tested-by: build bot (Jenkins) Reviewed-by: Stefan Reinauer <stefan.reinauer@coreboot.org>
2015-04-09 17:18:22 +02:00
* Functions for querying, manipulating and locking rollback indices
* stored in the TPM NVRAM.
*/
security/tpm: Unify the coreboot TPM software stack * Remove 2nd software stack in pc80 drivers directory. * Create TSPI interface for common usage. * Refactor TSS / TIS code base. * Add vendor tss (Cr50) directory. * Change kconfig options for TPM to TPM1. * Add user / board configuration with: * MAINBOARD_HAS_*_TPM # * BUS driver * MAINBOARD_HAS_TPM1 or MAINBOARD_HAS_TPM2 * Add kconfig TPM user selection (e.g. pluggable TPMs) * Fix existing headers and function calls. * Fix vboot for interface usage and antirollback mode. Change-Id: I7ec277e82a3c20c62a0548a1a2b013e6ce8f5b3f Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org> Reviewed-on: https://review.coreboot.org/24903 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Aaron Durbin <adurbin@chromium.org>
2018-02-27 19:40:52 +01:00
#include <security/tpm/tspi.h>
vboot: add mocked secdata This patch allows a board without a secdata storage (typically TPM) to pass the verification stage if recovery path is taken. It's useful for bringup when the actual board is not ready. BUG=none BRANCH=none TEST=booted the kernel from a usb stick on a cygnus reference board Change-Id: I5ab97d1198057d102a1708338d71c606fe106c75 Signed-off-by: Patrick Georgi <pgeorgi@chromium.org> Original-Commit-Id: 5d45acee31fd5b7bfe7444f12e3622bae49fc329 Original-Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org> Original-Reviewed-on: https://chrome-internal-review.googlesource.com/212418 Original-Reviewed-by: Daisuke Nojiri <dnojiri@google.com> Original-Commit-Queue: Daisuke Nojiri <dnojiri@google.com> Original-Tested-by: Daisuke Nojiri <dnojiri@google.com> Original-Change-Id: Iddd9af19a2b6428704254af0c17b642e7a976fb8 Original-Reviewed-on: https://chromium-review.googlesource.com/265046 Reviewed-on: http://review.coreboot.org/9919 Tested-by: build bot (Jenkins) Reviewed-by: Stefan Reinauer <stefan.reinauer@coreboot.org>
2015-04-09 17:18:22 +02:00
#include <vb2_api.h>
security/tpm: Unify the coreboot TPM software stack * Remove 2nd software stack in pc80 drivers directory. * Create TSPI interface for common usage. * Refactor TSS / TIS code base. * Add vendor tss (Cr50) directory. * Change kconfig options for TPM to TPM1. * Add user / board configuration with: * MAINBOARD_HAS_*_TPM # * BUS driver * MAINBOARD_HAS_TPM1 or MAINBOARD_HAS_TPM2 * Add kconfig TPM user selection (e.g. pluggable TPMs) * Fix existing headers and function calls. * Fix vboot for interface usage and antirollback mode. Change-Id: I7ec277e82a3c20c62a0548a1a2b013e6ce8f5b3f Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org> Reviewed-on: https://review.coreboot.org/24903 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Aaron Durbin <adurbin@chromium.org>
2018-02-27 19:40:52 +01:00
#include "antirollback.h"
vboot: update vboot2 functions to use new vb2_error_t To make explicit when vboot2 error codes should be returned, use the new vb2_error_t type on all functions which return VB2_ERROR_* constants. Additionally, add required vboot submodule commit id e6700f4c: 2019-07-31 14:12:30 +0800 - (vboot: update vboot2 functions to use new vb2_error_t) NOTE: This patch was merged separately on the Chromium tree: https://chromium-review.googlesource.com/c/1728499 BUG=b:124141368, chromium:988410 TEST=make clean && make test-abuild BRANCH=none Change-Id: I804c2b407e496d0c8eb9833be629b7c40118415c Signed-off-by: Joel Kitching <kitching@google.com> Cq-Depend: chromium:1728292 Reviewed-on: https://review.coreboot.org/c/coreboot/+/34860 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Julius Werner <jwerner@chromium.org>
2019-07-31 08:19:00 +02:00
vb2_error_t vb2ex_tpm_clear_owner(struct vb2_context *ctx)
vboot: add mocked secdata This patch allows a board without a secdata storage (typically TPM) to pass the verification stage if recovery path is taken. It's useful for bringup when the actual board is not ready. BUG=none BRANCH=none TEST=booted the kernel from a usb stick on a cygnus reference board Change-Id: I5ab97d1198057d102a1708338d71c606fe106c75 Signed-off-by: Patrick Georgi <pgeorgi@chromium.org> Original-Commit-Id: 5d45acee31fd5b7bfe7444f12e3622bae49fc329 Original-Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org> Original-Reviewed-on: https://chrome-internal-review.googlesource.com/212418 Original-Reviewed-by: Daisuke Nojiri <dnojiri@google.com> Original-Commit-Queue: Daisuke Nojiri <dnojiri@google.com> Original-Tested-by: Daisuke Nojiri <dnojiri@google.com> Original-Change-Id: Iddd9af19a2b6428704254af0c17b642e7a976fb8 Original-Reviewed-on: https://chromium-review.googlesource.com/265046 Reviewed-on: http://review.coreboot.org/9919 Tested-by: build bot (Jenkins) Reviewed-by: Stefan Reinauer <stefan.reinauer@coreboot.org>
2015-04-09 17:18:22 +02:00
{
security/tpm: Unify the coreboot TPM software stack * Remove 2nd software stack in pc80 drivers directory. * Create TSPI interface for common usage. * Refactor TSS / TIS code base. * Add vendor tss (Cr50) directory. * Change kconfig options for TPM to TPM1. * Add user / board configuration with: * MAINBOARD_HAS_*_TPM # * BUS driver * MAINBOARD_HAS_TPM1 or MAINBOARD_HAS_TPM2 * Add kconfig TPM user selection (e.g. pluggable TPMs) * Fix existing headers and function calls. * Fix vboot for interface usage and antirollback mode. Change-Id: I7ec277e82a3c20c62a0548a1a2b013e6ce8f5b3f Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org> Reviewed-on: https://review.coreboot.org/24903 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Aaron Durbin <adurbin@chromium.org>
2018-02-27 19:40:52 +01:00
return VB2_SUCCESS;
vboot: add mocked secdata This patch allows a board without a secdata storage (typically TPM) to pass the verification stage if recovery path is taken. It's useful for bringup when the actual board is not ready. BUG=none BRANCH=none TEST=booted the kernel from a usb stick on a cygnus reference board Change-Id: I5ab97d1198057d102a1708338d71c606fe106c75 Signed-off-by: Patrick Georgi <pgeorgi@chromium.org> Original-Commit-Id: 5d45acee31fd5b7bfe7444f12e3622bae49fc329 Original-Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org> Original-Reviewed-on: https://chrome-internal-review.googlesource.com/212418 Original-Reviewed-by: Daisuke Nojiri <dnojiri@google.com> Original-Commit-Queue: Daisuke Nojiri <dnojiri@google.com> Original-Tested-by: Daisuke Nojiri <dnojiri@google.com> Original-Change-Id: Iddd9af19a2b6428704254af0c17b642e7a976fb8 Original-Reviewed-on: https://chromium-review.googlesource.com/265046 Reviewed-on: http://review.coreboot.org/9919 Tested-by: build bot (Jenkins) Reviewed-by: Stefan Reinauer <stefan.reinauer@coreboot.org>
2015-04-09 17:18:22 +02:00
}
vboot: update vboot2 functions to use new vb2_error_t To make explicit when vboot2 error codes should be returned, use the new vb2_error_t type on all functions which return VB2_ERROR_* constants. Additionally, add required vboot submodule commit id e6700f4c: 2019-07-31 14:12:30 +0800 - (vboot: update vboot2 functions to use new vb2_error_t) NOTE: This patch was merged separately on the Chromium tree: https://chromium-review.googlesource.com/c/1728499 BUG=b:124141368, chromium:988410 TEST=make clean && make test-abuild BRANCH=none Change-Id: I804c2b407e496d0c8eb9833be629b7c40118415c Signed-off-by: Joel Kitching <kitching@google.com> Cq-Depend: chromium:1728292 Reviewed-on: https://review.coreboot.org/c/coreboot/+/34860 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Julius Werner <jwerner@chromium.org>
2019-07-31 08:19:00 +02:00
vb2_error_t antirollback_read_space_firmware(struct vb2_context *ctx)
vboot: add mocked secdata This patch allows a board without a secdata storage (typically TPM) to pass the verification stage if recovery path is taken. It's useful for bringup when the actual board is not ready. BUG=none BRANCH=none TEST=booted the kernel from a usb stick on a cygnus reference board Change-Id: I5ab97d1198057d102a1708338d71c606fe106c75 Signed-off-by: Patrick Georgi <pgeorgi@chromium.org> Original-Commit-Id: 5d45acee31fd5b7bfe7444f12e3622bae49fc329 Original-Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org> Original-Reviewed-on: https://chrome-internal-review.googlesource.com/212418 Original-Reviewed-by: Daisuke Nojiri <dnojiri@google.com> Original-Commit-Queue: Daisuke Nojiri <dnojiri@google.com> Original-Tested-by: Daisuke Nojiri <dnojiri@google.com> Original-Change-Id: Iddd9af19a2b6428704254af0c17b642e7a976fb8 Original-Reviewed-on: https://chromium-review.googlesource.com/265046 Reviewed-on: http://review.coreboot.org/9919 Tested-by: build bot (Jenkins) Reviewed-by: Stefan Reinauer <stefan.reinauer@coreboot.org>
2015-04-09 17:18:22 +02:00
{
vboot: Fix MOCK_SECDATA for new naming scheme CB:37655 updated all secdata_xxx to secdata_firmware_xxx, but forgot the code that's only compiled when MOCK_SECDATA is set. This patch fixes it. Change-Id: Icf12fe405d7ce46345ccbdcb76f6aa1b56ed0194 Signed-off-by: Julius Werner <jwerner@chromium.org> Reviewed-on: https://review.coreboot.org/c/coreboot/+/37772 Reviewed-by: Furquan Shaikh <furquan@google.com> Reviewed-by: Joel Kitching <kitching@google.com> Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
2019-12-16 19:13:34 +01:00
vb2api_secdata_firmware_create(ctx);
security/tpm: Unify the coreboot TPM software stack * Remove 2nd software stack in pc80 drivers directory. * Create TSPI interface for common usage. * Refactor TSS / TIS code base. * Add vendor tss (Cr50) directory. * Change kconfig options for TPM to TPM1. * Add user / board configuration with: * MAINBOARD_HAS_*_TPM # * BUS driver * MAINBOARD_HAS_TPM1 or MAINBOARD_HAS_TPM2 * Add kconfig TPM user selection (e.g. pluggable TPMs) * Fix existing headers and function calls. * Fix vboot for interface usage and antirollback mode. Change-Id: I7ec277e82a3c20c62a0548a1a2b013e6ce8f5b3f Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org> Reviewed-on: https://review.coreboot.org/24903 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Aaron Durbin <adurbin@chromium.org>
2018-02-27 19:40:52 +01:00
return VB2_SUCCESS;
vboot: add mocked secdata This patch allows a board without a secdata storage (typically TPM) to pass the verification stage if recovery path is taken. It's useful for bringup when the actual board is not ready. BUG=none BRANCH=none TEST=booted the kernel from a usb stick on a cygnus reference board Change-Id: I5ab97d1198057d102a1708338d71c606fe106c75 Signed-off-by: Patrick Georgi <pgeorgi@chromium.org> Original-Commit-Id: 5d45acee31fd5b7bfe7444f12e3622bae49fc329 Original-Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org> Original-Reviewed-on: https://chrome-internal-review.googlesource.com/212418 Original-Reviewed-by: Daisuke Nojiri <dnojiri@google.com> Original-Commit-Queue: Daisuke Nojiri <dnojiri@google.com> Original-Tested-by: Daisuke Nojiri <dnojiri@google.com> Original-Change-Id: Iddd9af19a2b6428704254af0c17b642e7a976fb8 Original-Reviewed-on: https://chromium-review.googlesource.com/265046 Reviewed-on: http://review.coreboot.org/9919 Tested-by: build bot (Jenkins) Reviewed-by: Stefan Reinauer <stefan.reinauer@coreboot.org>
2015-04-09 17:18:22 +02:00
}
vboot: update vboot2 functions to use new vb2_error_t To make explicit when vboot2 error codes should be returned, use the new vb2_error_t type on all functions which return VB2_ERROR_* constants. Additionally, add required vboot submodule commit id e6700f4c: 2019-07-31 14:12:30 +0800 - (vboot: update vboot2 functions to use new vb2_error_t) NOTE: This patch was merged separately on the Chromium tree: https://chromium-review.googlesource.com/c/1728499 BUG=b:124141368, chromium:988410 TEST=make clean && make test-abuild BRANCH=none Change-Id: I804c2b407e496d0c8eb9833be629b7c40118415c Signed-off-by: Joel Kitching <kitching@google.com> Cq-Depend: chromium:1728292 Reviewed-on: https://review.coreboot.org/c/coreboot/+/34860 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Julius Werner <jwerner@chromium.org>
2019-07-31 08:19:00 +02:00
vb2_error_t antirollback_write_space_firmware(struct vb2_context *ctx)
vboot: add mocked secdata This patch allows a board without a secdata storage (typically TPM) to pass the verification stage if recovery path is taken. It's useful for bringup when the actual board is not ready. BUG=none BRANCH=none TEST=booted the kernel from a usb stick on a cygnus reference board Change-Id: I5ab97d1198057d102a1708338d71c606fe106c75 Signed-off-by: Patrick Georgi <pgeorgi@chromium.org> Original-Commit-Id: 5d45acee31fd5b7bfe7444f12e3622bae49fc329 Original-Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org> Original-Reviewed-on: https://chrome-internal-review.googlesource.com/212418 Original-Reviewed-by: Daisuke Nojiri <dnojiri@google.com> Original-Commit-Queue: Daisuke Nojiri <dnojiri@google.com> Original-Tested-by: Daisuke Nojiri <dnojiri@google.com> Original-Change-Id: Iddd9af19a2b6428704254af0c17b642e7a976fb8 Original-Reviewed-on: https://chromium-review.googlesource.com/265046 Reviewed-on: http://review.coreboot.org/9919 Tested-by: build bot (Jenkins) Reviewed-by: Stefan Reinauer <stefan.reinauer@coreboot.org>
2015-04-09 17:18:22 +02:00
{
security/tpm: Unify the coreboot TPM software stack * Remove 2nd software stack in pc80 drivers directory. * Create TSPI interface for common usage. * Refactor TSS / TIS code base. * Add vendor tss (Cr50) directory. * Change kconfig options for TPM to TPM1. * Add user / board configuration with: * MAINBOARD_HAS_*_TPM # * BUS driver * MAINBOARD_HAS_TPM1 or MAINBOARD_HAS_TPM2 * Add kconfig TPM user selection (e.g. pluggable TPMs) * Fix existing headers and function calls. * Fix vboot for interface usage and antirollback mode. Change-Id: I7ec277e82a3c20c62a0548a1a2b013e6ce8f5b3f Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org> Reviewed-on: https://review.coreboot.org/24903 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Aaron Durbin <adurbin@chromium.org>
2018-02-27 19:40:52 +01:00
return VB2_SUCCESS;
vboot: add mocked secdata This patch allows a board without a secdata storage (typically TPM) to pass the verification stage if recovery path is taken. It's useful for bringup when the actual board is not ready. BUG=none BRANCH=none TEST=booted the kernel from a usb stick on a cygnus reference board Change-Id: I5ab97d1198057d102a1708338d71c606fe106c75 Signed-off-by: Patrick Georgi <pgeorgi@chromium.org> Original-Commit-Id: 5d45acee31fd5b7bfe7444f12e3622bae49fc329 Original-Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org> Original-Reviewed-on: https://chrome-internal-review.googlesource.com/212418 Original-Reviewed-by: Daisuke Nojiri <dnojiri@google.com> Original-Commit-Queue: Daisuke Nojiri <dnojiri@google.com> Original-Tested-by: Daisuke Nojiri <dnojiri@google.com> Original-Change-Id: Iddd9af19a2b6428704254af0c17b642e7a976fb8 Original-Reviewed-on: https://chromium-review.googlesource.com/265046 Reviewed-on: http://review.coreboot.org/9919 Tested-by: build bot (Jenkins) Reviewed-by: Stefan Reinauer <stefan.reinauer@coreboot.org>
2015-04-09 17:18:22 +02:00
}
ec_sync: Run EFS2 in romstage EFS2 allows EC RO to enable PD for special cases. When doing so, it sets NO_BOOT flag to avoid booting the OS. AP needs to get NO_BOOT flag from Cr50 and enforce that. This patch makes verstage get a boot mode and a mirrored hash stored in kernel secdata from Cr50. This patch also makes romstage write an expected EC hash (a.k.a. Hexp) to Cr50 (if there is an update). BUG=b:147298634, chromium:1045217, b:148259137 BRANCH=none TEST=Verify software sync succeeds on Puff. Signed-off-by: dnojiri <dnojiri@chromium.org> Change-Id: I1f387b6e920205b9cc4c8536561f2a279c36413d Reviewed-on: https://review.coreboot.org/c/coreboot/+/40389 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Julius Werner <jwerner@chromium.org>
2020-04-03 19:56:43 +02:00
vb2_error_t antirollback_read_space_kernel(struct vb2_context *ctx)
{
vboot/secdata_mock: Make v0 kernel secdata context The new kernel secdata v1 stores the last read EC hash, and reboots the device during EC software sync when that hash didn't match the currently active hash on the EC (this is used with TPM_CR50 to support EC-EFS2 and pretty much a no-op for other devices). Generally, of course the whole point of secdata is always that it persists across reboots, but with MOCK_SECDATA we can't do that. Previously we always happened to somewhat get away with presenting freshly-reinitialized data for MOCK_SECDATA on every boot, but with the EC hash feature in secdata v1, that would cause a reboot loop. The simplest solution is to just pretend we're a secdata v0 device when using MOCK_SECDATA. This was encountered on using a firmware built with MOCK_SECDATA but had EC software sync enabled. BUG=b:187843114 BRANCH=None TEST=`USE=mocktpm cros build-ap -b keeby`; Flash keeby device, verify that DUT does not continuously reboot with EC software sync enabled. Signed-off-by: Aseda Aboagye <aaboagye@google.com> Change-Id: Id8e81afcddadf27d9eec274f7f85ff1520315aaa Reviewed-on: https://review.coreboot.org/c/coreboot/+/54304 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Julius Werner <jwerner@chromium.org>
2021-05-14 21:33:46 +02:00
/*
* The new kernel secdata v1 stores the last read EC hash, and reboots the
* device during EC software sync when that hash didn't match the currently
* active hash on the EC (this is used with TPM_CR50 to support EC-EFS2 and
* pretty much a no-op for other devices). Generally, of course the whole
* point of secdata is always that it persists across reboots, but with
* MOCK_SECDATA we can't do that. Previously we always happened to somewhat
* get away with presenting freshly-reinitialized data for MOCK_SECDATA on
* every boot, but with the EC hash feature in secdata v1, that would cause
* a reboot loop. The simplest solution is to just pretend we're a secdata
* v0 device when using MOCK_SECDATA.
*/
vb2api_secdata_kernel_create_v0(ctx);
ec_sync: Run EFS2 in romstage EFS2 allows EC RO to enable PD for special cases. When doing so, it sets NO_BOOT flag to avoid booting the OS. AP needs to get NO_BOOT flag from Cr50 and enforce that. This patch makes verstage get a boot mode and a mirrored hash stored in kernel secdata from Cr50. This patch also makes romstage write an expected EC hash (a.k.a. Hexp) to Cr50 (if there is an update). BUG=b:147298634, chromium:1045217, b:148259137 BRANCH=none TEST=Verify software sync succeeds on Puff. Signed-off-by: dnojiri <dnojiri@chromium.org> Change-Id: I1f387b6e920205b9cc4c8536561f2a279c36413d Reviewed-on: https://review.coreboot.org/c/coreboot/+/40389 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Julius Werner <jwerner@chromium.org>
2020-04-03 19:56:43 +02:00
return VB2_SUCCESS;
}
vb2_error_t antirollback_write_space_kernel(struct vb2_context *ctx)
{
return VB2_SUCCESS;
}
vboot: update vboot2 functions to use new vb2_error_t To make explicit when vboot2 error codes should be returned, use the new vb2_error_t type on all functions which return VB2_ERROR_* constants. Additionally, add required vboot submodule commit id e6700f4c: 2019-07-31 14:12:30 +0800 - (vboot: update vboot2 functions to use new vb2_error_t) NOTE: This patch was merged separately on the Chromium tree: https://chromium-review.googlesource.com/c/1728499 BUG=b:124141368, chromium:988410 TEST=make clean && make test-abuild BRANCH=none Change-Id: I804c2b407e496d0c8eb9833be629b7c40118415c Signed-off-by: Joel Kitching <kitching@google.com> Cq-Depend: chromium:1728292 Reviewed-on: https://review.coreboot.org/c/coreboot/+/34860 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Julius Werner <jwerner@chromium.org>
2019-07-31 08:19:00 +02:00
vb2_error_t antirollback_lock_space_firmware(void)
vboot: add mocked secdata This patch allows a board without a secdata storage (typically TPM) to pass the verification stage if recovery path is taken. It's useful for bringup when the actual board is not ready. BUG=none BRANCH=none TEST=booted the kernel from a usb stick on a cygnus reference board Change-Id: I5ab97d1198057d102a1708338d71c606fe106c75 Signed-off-by: Patrick Georgi <pgeorgi@chromium.org> Original-Commit-Id: 5d45acee31fd5b7bfe7444f12e3622bae49fc329 Original-Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org> Original-Reviewed-on: https://chrome-internal-review.googlesource.com/212418 Original-Reviewed-by: Daisuke Nojiri <dnojiri@google.com> Original-Commit-Queue: Daisuke Nojiri <dnojiri@google.com> Original-Tested-by: Daisuke Nojiri <dnojiri@google.com> Original-Change-Id: Iddd9af19a2b6428704254af0c17b642e7a976fb8 Original-Reviewed-on: https://chromium-review.googlesource.com/265046 Reviewed-on: http://review.coreboot.org/9919 Tested-by: build bot (Jenkins) Reviewed-by: Stefan Reinauer <stefan.reinauer@coreboot.org>
2015-04-09 17:18:22 +02:00
{
security/tpm: Unify the coreboot TPM software stack * Remove 2nd software stack in pc80 drivers directory. * Create TSPI interface for common usage. * Refactor TSS / TIS code base. * Add vendor tss (Cr50) directory. * Change kconfig options for TPM to TPM1. * Add user / board configuration with: * MAINBOARD_HAS_*_TPM # * BUS driver * MAINBOARD_HAS_TPM1 or MAINBOARD_HAS_TPM2 * Add kconfig TPM user selection (e.g. pluggable TPMs) * Fix existing headers and function calls. * Fix vboot for interface usage and antirollback mode. Change-Id: I7ec277e82a3c20c62a0548a1a2b013e6ce8f5b3f Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org> Reviewed-on: https://review.coreboot.org/24903 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Aaron Durbin <adurbin@chromium.org>
2018-02-27 19:40:52 +01:00
return VB2_SUCCESS;
vboot: add mocked secdata This patch allows a board without a secdata storage (typically TPM) to pass the verification stage if recovery path is taken. It's useful for bringup when the actual board is not ready. BUG=none BRANCH=none TEST=booted the kernel from a usb stick on a cygnus reference board Change-Id: I5ab97d1198057d102a1708338d71c606fe106c75 Signed-off-by: Patrick Georgi <pgeorgi@chromium.org> Original-Commit-Id: 5d45acee31fd5b7bfe7444f12e3622bae49fc329 Original-Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org> Original-Reviewed-on: https://chrome-internal-review.googlesource.com/212418 Original-Reviewed-by: Daisuke Nojiri <dnojiri@google.com> Original-Commit-Queue: Daisuke Nojiri <dnojiri@google.com> Original-Tested-by: Daisuke Nojiri <dnojiri@google.com> Original-Change-Id: Iddd9af19a2b6428704254af0c17b642e7a976fb8 Original-Reviewed-on: https://chromium-review.googlesource.com/265046 Reviewed-on: http://review.coreboot.org/9919 Tested-by: build bot (Jenkins) Reviewed-by: Stefan Reinauer <stefan.reinauer@coreboot.org>
2015-04-09 17:18:22 +02:00
}
vboot: Add support for recovery hash space in TPM 1. Add a new index for recovery hash space in TPM - 0x100b 2. Add helper functions to read/write/lock recovery hash space in TPM 3. Add Kconfig option that can be selected by mainboards that want to define this space. 4. Lock this new space while jumping from RO to RW. BUG=chrome-os-partner:59355 BRANCH=None TEST=Verified use of recovery hash space on reef. Change-Id: I1cacd54f0a896d0f2af32d4b7c9ae581a918f9bb Signed-off-by: Furquan Shaikh <furquan@chromium.org> Reviewed-on: https://review.coreboot.org/17273 Tested-by: build bot (Jenkins) Reviewed-by: Aaron Durbin <adurbin@chromium.org>
2016-11-08 08:47:11 +01:00
security/vboot: Make mrc_cache hash functions generic We need to extend the functionality of the mrc_cache hash functions to work for both recovery and normal mrc_cache data. Updating the API of these functions to pass in an index to identify the hash indices for recovery and normal mode. BUG=b:150502246 BRANCH=None TEST=make sure memory training still works on nami Change-Id: I9c0bb25eafc731ca9c7a95113ab940f55997fc0f Signed-off-by: Shelley Chen <shchen@google.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/46432 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Furquan Shaikh <furquan@google.com>
2020-10-16 22:15:59 +02:00
vb2_error_t antirollback_lock_space_mrc_hash(uint32_t index)
vboot: Add support for recovery hash space in TPM 1. Add a new index for recovery hash space in TPM - 0x100b 2. Add helper functions to read/write/lock recovery hash space in TPM 3. Add Kconfig option that can be selected by mainboards that want to define this space. 4. Lock this new space while jumping from RO to RW. BUG=chrome-os-partner:59355 BRANCH=None TEST=Verified use of recovery hash space on reef. Change-Id: I1cacd54f0a896d0f2af32d4b7c9ae581a918f9bb Signed-off-by: Furquan Shaikh <furquan@chromium.org> Reviewed-on: https://review.coreboot.org/17273 Tested-by: build bot (Jenkins) Reviewed-by: Aaron Durbin <adurbin@chromium.org>
2016-11-08 08:47:11 +01:00
{
security/tpm: Unify the coreboot TPM software stack * Remove 2nd software stack in pc80 drivers directory. * Create TSPI interface for common usage. * Refactor TSS / TIS code base. * Add vendor tss (Cr50) directory. * Change kconfig options for TPM to TPM1. * Add user / board configuration with: * MAINBOARD_HAS_*_TPM # * BUS driver * MAINBOARD_HAS_TPM1 or MAINBOARD_HAS_TPM2 * Add kconfig TPM user selection (e.g. pluggable TPMs) * Fix existing headers and function calls. * Fix vboot for interface usage and antirollback mode. Change-Id: I7ec277e82a3c20c62a0548a1a2b013e6ce8f5b3f Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org> Reviewed-on: https://review.coreboot.org/24903 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Aaron Durbin <adurbin@chromium.org>
2018-02-27 19:40:52 +01:00
return VB2_SUCCESS;
vboot: Add support for recovery hash space in TPM 1. Add a new index for recovery hash space in TPM - 0x100b 2. Add helper functions to read/write/lock recovery hash space in TPM 3. Add Kconfig option that can be selected by mainboards that want to define this space. 4. Lock this new space while jumping from RO to RW. BUG=chrome-os-partner:59355 BRANCH=None TEST=Verified use of recovery hash space on reef. Change-Id: I1cacd54f0a896d0f2af32d4b7c9ae581a918f9bb Signed-off-by: Furquan Shaikh <furquan@chromium.org> Reviewed-on: https://review.coreboot.org/17273 Tested-by: build bot (Jenkins) Reviewed-by: Aaron Durbin <adurbin@chromium.org>
2016-11-08 08:47:11 +01:00
}
vboot: Add mock functions for recovery space read/write For the boards that intend to use mock tpm and have recovery mrc cache support enabled, provide mock functions to read and write mrc hash space. Reading MRC hash space returns TPM_SUCCESS as later checks take care of comparing the hash value and retraining if hash comparison fails. Thus, in case of mock tpm, device would always end up doing the memory retraining in recovery mode. BUG=chrome-os-partner:62413 BRANCH=None TEST=Verified that eve builds with mock tpm selected. Change-Id: I7817cda7821fadeea0e887cb9860804256dabfd9 Signed-off-by: Furquan Shaikh <furquan@chromium.org> Reviewed-on: https://review.coreboot.org/18248 Tested-by: build bot (Jenkins) Reviewed-by: Duncan Laurie <dlaurie@chromium.org>
2017-01-27 00:33:01 +01:00
security/vboot: Make mrc_cache hash functions generic We need to extend the functionality of the mrc_cache hash functions to work for both recovery and normal mrc_cache data. Updating the API of these functions to pass in an index to identify the hash indices for recovery and normal mode. BUG=b:150502246 BRANCH=None TEST=make sure memory training still works on nami Change-Id: I9c0bb25eafc731ca9c7a95113ab940f55997fc0f Signed-off-by: Shelley Chen <shchen@google.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/46432 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Furquan Shaikh <furquan@google.com>
2020-10-16 22:15:59 +02:00
vb2_error_t antirollback_read_space_mrc_hash(uint32_t index, uint8_t *data, uint32_t size)
vboot: Add mock functions for recovery space read/write For the boards that intend to use mock tpm and have recovery mrc cache support enabled, provide mock functions to read and write mrc hash space. Reading MRC hash space returns TPM_SUCCESS as later checks take care of comparing the hash value and retraining if hash comparison fails. Thus, in case of mock tpm, device would always end up doing the memory retraining in recovery mode. BUG=chrome-os-partner:62413 BRANCH=None TEST=Verified that eve builds with mock tpm selected. Change-Id: I7817cda7821fadeea0e887cb9860804256dabfd9 Signed-off-by: Furquan Shaikh <furquan@chromium.org> Reviewed-on: https://review.coreboot.org/18248 Tested-by: build bot (Jenkins) Reviewed-by: Duncan Laurie <dlaurie@chromium.org>
2017-01-27 00:33:01 +01:00
{
security/tpm: Unify the coreboot TPM software stack * Remove 2nd software stack in pc80 drivers directory. * Create TSPI interface for common usage. * Refactor TSS / TIS code base. * Add vendor tss (Cr50) directory. * Change kconfig options for TPM to TPM1. * Add user / board configuration with: * MAINBOARD_HAS_*_TPM # * BUS driver * MAINBOARD_HAS_TPM1 or MAINBOARD_HAS_TPM2 * Add kconfig TPM user selection (e.g. pluggable TPMs) * Fix existing headers and function calls. * Fix vboot for interface usage and antirollback mode. Change-Id: I7ec277e82a3c20c62a0548a1a2b013e6ce8f5b3f Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org> Reviewed-on: https://review.coreboot.org/24903 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Aaron Durbin <adurbin@chromium.org>
2018-02-27 19:40:52 +01:00
return VB2_SUCCESS;
vboot: Add mock functions for recovery space read/write For the boards that intend to use mock tpm and have recovery mrc cache support enabled, provide mock functions to read and write mrc hash space. Reading MRC hash space returns TPM_SUCCESS as later checks take care of comparing the hash value and retraining if hash comparison fails. Thus, in case of mock tpm, device would always end up doing the memory retraining in recovery mode. BUG=chrome-os-partner:62413 BRANCH=None TEST=Verified that eve builds with mock tpm selected. Change-Id: I7817cda7821fadeea0e887cb9860804256dabfd9 Signed-off-by: Furquan Shaikh <furquan@chromium.org> Reviewed-on: https://review.coreboot.org/18248 Tested-by: build bot (Jenkins) Reviewed-by: Duncan Laurie <dlaurie@chromium.org>
2017-01-27 00:33:01 +01:00
}
security/vboot: Make mrc_cache hash functions generic We need to extend the functionality of the mrc_cache hash functions to work for both recovery and normal mrc_cache data. Updating the API of these functions to pass in an index to identify the hash indices for recovery and normal mode. BUG=b:150502246 BRANCH=None TEST=make sure memory training still works on nami Change-Id: I9c0bb25eafc731ca9c7a95113ab940f55997fc0f Signed-off-by: Shelley Chen <shchen@google.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/46432 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Furquan Shaikh <furquan@google.com>
2020-10-16 22:15:59 +02:00
vb2_error_t antirollback_write_space_mrc_hash(uint32_t index, const uint8_t *data,
vboot: update vboot2 functions to use new vb2_error_t To make explicit when vboot2 error codes should be returned, use the new vb2_error_t type on all functions which return VB2_ERROR_* constants. Additionally, add required vboot submodule commit id e6700f4c: 2019-07-31 14:12:30 +0800 - (vboot: update vboot2 functions to use new vb2_error_t) NOTE: This patch was merged separately on the Chromium tree: https://chromium-review.googlesource.com/c/1728499 BUG=b:124141368, chromium:988410 TEST=make clean && make test-abuild BRANCH=none Change-Id: I804c2b407e496d0c8eb9833be629b7c40118415c Signed-off-by: Joel Kitching <kitching@google.com> Cq-Depend: chromium:1728292 Reviewed-on: https://review.coreboot.org/c/coreboot/+/34860 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Julius Werner <jwerner@chromium.org>
2019-07-31 08:19:00 +02:00
uint32_t size)
vboot: Select CONFIG_{TPM,TPM2} only if MOCK_SECDATA is not selected 1. Select CONFIG_{TPM,TPM2} only when MOCK_SECDATA is not selected. 2. Provide tlcl_lib_init for mock TPM case. BUG=b:37682566 TEST=Verified that when mock TPM is used, CONFIG_TPM is not set anymore in coreboot config. Change-Id: If3bdd1528e153b164e9d62ee9cbcc4c3666b8b66 Signed-off-by: Furquan Shaikh <furquan@chromium.org> Reviewed-on: https://review.coreboot.org/19456 Tested-by: build bot (Jenkins) Reviewed-by: Aaron Durbin <adurbin@chromium.org> Reviewed-by: Julius Werner <jwerner@chromium.org>
2017-04-26 07:32:34 +02:00
{
return VB2_SUCCESS;
}
Reference in a new issue Copy permalink