src/security/vboot: Set up secure counter space in TPM NVRAM
High Definition (HD) protected content playback requires secure counters that are updated at regular intervals while the protected content is playing. To support similar use-cases, define space for secure counters in TPM NVRAM (the counters are left unwritten until their first use). These counters are defined once during the factory initialization stage. Also add the VBOOT_DEFINE_WIDEVINE_COUNTERS config item to enable these secure counters only on mainboards where they are required/used. BUG=b:205261728 TEST=Build and boot to OS in guybrush. Ensure that the secure counters are defined successfully in TPM NVRAM space. tlcl_define_space: response is 0 tlcl_define_space: response is 0 tlcl_define_space: response is 0 tlcl_define_space: response is 0 On reboot if forced to redefine the space, it is identified as already defined. tlcl_define_space: response is 14c define_space():219: define_space: Secure Counter space already exists tlcl_define_space: response is 14c define_space():219: define_space: Secure Counter space already exists tlcl_define_space: response is 14c define_space():219: define_space: Secure Counter space already exists tlcl_define_space: response is 14c define_space():219: define_space: Secure Counter space already exists Change-Id: I915fbdada60e242d911b748ad5dc28028de9b657 Signed-off-by: Karthikeyan Ramasubramanian <kramasub@google.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/59476 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Raul Rangel <rrangel@chromium.org> Reviewed-by: Julius Werner <jwerner@chromium.org>
parent
ac812eda0b
commit
4fcf13a51d
@ -282,6 +282,14 @@ config VBOOT_X86_SHA256_ACCELERATION
|
||||||
Use sha256msg1, sha256msg2, sha256rnds2 instruction to accelerate
|
Use sha256msg1, sha256msg2, sha256rnds2 instruction to accelerate
|
||||||
SHA hash calculation in vboot.
|
SHA hash calculation in vboot.
|
||||||
|
|
||||||
|
config VBOOT_DEFINE_WIDEVINE_COUNTERS
|
||||||
|
bool
|
||||||
|
default n
|
||||||
|
help
|
||||||
|
Set up Widevine Secure Counters in TPM NVRAM by defining space. Enabling this
|
||||||
|
config will only define the counter space. Counters need to be incremented
|
||||||
|
separately before any read operation is performed on them.
|
||||||
|
|
||||||
menu "GBB configuration"
|
menu "GBB configuration"
|
||||||
|
|
||||||
config GBB_HWID
|
config GBB_HWID
|
||||||
|
|
|
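Review bot: VBOOT_DEFINE_WIDEVINE_COUNTERS carries no `depends on`, yet the space it enables is defined with TPMA_NV attributes (`TPMA_NV_COUNTER`, `TPMA_NV_ORDERLY`) that only exist in TPM 2.0, so a board selecting it alongside a TPM 1.2 would presumably either fail to build or silently define nothing; add `depends on TPM2` under `bool` (and `depends on VBOOT` if this menu does not already imply it). The help text should also say that the symbol has no prompt and is meant to be `select`ed by the mainboard, and that this is a one-time factory-init action: once the indices exist, the commit's own log shows `define_space()` reports "already exists", so changing the count or attributes later will not alter an already-provisioned TPM. `default n` is already the Kconfig default for a bool and can be dropped.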
@ -29,6 +29,11 @@ enum vb2_pcr_digest;
|
||||||
#define MRC_RW_HASH_NV_INDEX 0x100d
|
#define MRC_RW_HASH_NV_INDEX 0x100d
|
||||||
#define HASH_NV_SIZE VB2_SHA256_DIGEST_SIZE
|
#define HASH_NV_SIZE VB2_SHA256_DIGEST_SIZE
|
||||||
#define ENT_ROLLBACK_COUNTER_INDEX 0x100e
|
#define ENT_ROLLBACK_COUNTER_INDEX 0x100e
|
||||||
|
/* Widevine Secure Counter space */
|
||||||
|
#define WIDEVINE_COUNTER_NV_INDEX(n) (0x3000 + (n))
|
||||||
|
#define NUM_WIDEVINE_COUNTERS 4
|
||||||
|
#define WIDEVINE_COUNTER_NAME "Widevine Secure Counter"
|
||||||
|
#define WIDEVINE_COUNTER_SIZE sizeof(uint64_t)
|
||||||
/* Zero-Touch Enrollment related spaces */
|
/* Zero-Touch Enrollment related spaces */
|
||||||
#define ZTE_BOARD_ID_NV_INDEX 0x3fff00
|
#define ZTE_BOARD_ID_NV_INDEX 0x3fff00
|
||||||
#define ZTE_RMA_SN_BITS_INDEX 0x3fff01
|
#define ZTE_RMA_SN_BITS_INDEX 0x3fff01
|
||||||
|
|
|
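Review bot: `WIDEVINE_COUNTER_NV_INDEX(n)` accepts any `n`, and nothing in the header states that only the four indices 0x3000..0x3003 are claimed, so a later caller passing `n >= NUM_WIDEVINE_COUNTERS` would quietly land on whatever gets allocated after 0x3003. Suggest expanding the one-line comment to `/* Widevine Secure Counters: NUM_WIDEVINE_COUNTERS consecutive 8-byte TPM2 counter indices starting at 0x3000; callers must pass n < NUM_WIDEVINE_COUNTERS. */` and, if this range is registered anywhere alongside the 0x100x and 0x3fff0x spaces, citing that registration, since the other spaces here are flat constants and this is the first index family in the file. Because a single `WIDEVINE_COUNTER_NAME` is shared by all four indices, `define_space()` cannot say which counter failed (the commit message shows four identical "already exists" lines); consider having the caller pass a per-index name so the log distinguishes them.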
@ -158,6 +158,18 @@ static const TPMA_NV zte_rma_bytes_attr = {
|
||||||
.TPMA_NV_POLICY_DELETE = 1,
|
.TPMA_NV_POLICY_DELETE = 1,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
static const TPMA_NV rw_orderly_counter_attributes = {
|
||||||
|
.TPMA_NV_COUNTER = 1,
|
||||||
|
.TPMA_NV_ORDERLY = 1,
|
||||||
|
.TPMA_NV_AUTHREAD = 1,
|
||||||
|
.TPMA_NV_AUTHWRITE = 1,
|
||||||
|
.TPMA_NV_PLATFORMCREATE = 1,
|
||||||
|
.TPMA_NV_WRITE_STCLEAR = 1,
|
||||||
|
.TPMA_NV_PPREAD = 1,
|
||||||
|
.TPMA_NV_PPWRITE = 1,
|
||||||
|
.TPMA_NV_NO_DA = 1,
|
||||||
|
};
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* This policy digest was obtained using TPM2_PolicyOR on 3 digests
|
* This policy digest was obtained using TPM2_PolicyOR on 3 digests
|
||||||
* corresponding to a sequence of
|
* corresponding to a sequence of
|
||||||
|
@ -350,6 +362,19 @@ static uint32_t enterprise_rollback_create_counter(void)
|
||||||
rw_counter_attributes, NULL, 0);
|
rw_counter_attributes, NULL, 0);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static uint32_t setup_widevine_counter_spaces(void)
|
||||||
|
{
|
||||||
|
uint32_t index, rv;
|
||||||
|
|
||||||
|
for (index = 0; index < NUM_WIDEVINE_COUNTERS; index++) {
|
||||||
|
rv = define_space(WIDEVINE_COUNTER_NAME, WIDEVINE_COUNTER_NV_INDEX(index),
|
||||||
|
WIDEVINE_COUNTER_SIZE, rw_orderly_counter_attributes, NULL, 0);
|
||||||
|
if (rv != TPM_SUCCESS)
|
||||||
|
return rv;
|
||||||
|
}
|
||||||
|
return TPM_SUCCESS;
|
||||||
|
}
|
||||||
|
|
||||||
static uint32_t _factory_initialize_tpm(struct vb2_context *ctx)
|
static uint32_t _factory_initialize_tpm(struct vb2_context *ctx)
|
||||||
{
|
{
|
||||||
RETURN_ON_FAILURE(tlcl_force_clear());
|
RETURN_ON_FAILURE(tlcl_force_clear());
|
||||||
|
@ -391,6 +416,11 @@ static uint32_t _factory_initialize_tpm(struct vb2_context *ctx)
|
||||||
if (CONFIG(CHROMEOS))
|
if (CONFIG(CHROMEOS))
|
||||||
RETURN_ON_FAILURE(enterprise_rollback_create_counter());
|
RETURN_ON_FAILURE(enterprise_rollback_create_counter());
|
||||||
|
|
||||||
|
/* Define widevine counter space. No need to increment/write to the secure counters
|
||||||
|
and are expected to be incremented during the first use. */
|
||||||
|
if (CONFIG(VBOOT_DEFINE_WIDEVINE_COUNTERS))
|
||||||
|
RETURN_ON_FAILURE(setup_widevine_counter_spaces());
|
||||||
|
|
||||||
RETURN_ON_FAILURE(setup_firmware_space(ctx));
|
RETURN_ON_FAILURE(setup_firmware_space(ctx));
|
||||||
|
|
||||||
return TPM_SUCCESS;
|
return TPM_SUCCESS;
|
||||||
|
|
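Review bot: `rw_orderly_counter_attributes` (first hunk of this file) sets `TPMA_NV_AUTHREAD`/`TPMA_NV_AUTHWRITE` while `setup_widevine_counter_spaces()` defines every index with a NULL, zero-length auth, so once the OS is up any caller that can reach the TPM can increment the counters and, because `TPMA_NV_WRITE_STCLEAR` is also set, can issue NV_WriteLock with that empty auth and freeze all four until the next TPM reset, a denial-of-service on the playback use-case the commit describes; whether that is acceptable depends on how the OS gates TPM access, which is not visible here. `TPMA_NV_PLATFORMCREATE` presumably protects the spaces from being undefined once the platform hierarchy is disabled before OS boot, but none of this reasoning is written down, so add above the struct a comment along the lines of `/* Empty auth: anyone with TPM access may read/increment (monotonic, so no rollback) and may WriteLock until reset; only the platform hierarchy may undefine. */` and state whether `TPMA_NV_NO_DA` is deliberate given no real auth value is ever set. `setup_widevine_counter_spaces()` in the second hunk has no header comment and silently relies on `define_space()` treating TPM_RC_NV_DEFINED (0x14c in the test log) as success for idempotent reruns; a one-liner `/* Defines NUM_WIDEVINE_COUNTERS consecutive 8-byte counters; pre-existing spaces are accepted by define_space(). */` would make that contract explicit. The comment in the last hunk reads awkwardly; suggest `/* Only define the Widevine counter spaces; they stay unwritten and are incremented on first use by the OS. */` (the body of `_factory_initialize_tpm()` continues past the hunk).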