GNUBoot
/
coreboot-kgpe-d16
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

security/tpm: Include mrc.bin in CRTM if present 

mrc.bin, on platforms where it is present, is code executed on CPU, so
it should be considered a part of CRTM.

cbfs_locate_file_in_region() is hooked to measurement here too, since
mrc.bin is loaded with it, and CBFS_TYPE_MRC (the type of mrc.bin) is
measured to TPM_CRTM_PCR rather than TPM_RUNTIME_DATA_PCR.

TODO: I have heard that SMM is too resource-limited to link with vboot
library, so currently tspi_measure_cbfs_hook() is masked in SMM.
Please correct me if I am wrong.

Change-Id: Ib4c3cf47b919864056baf725001ca8a4aaafa110
Signed-off-by: Bill XIE <persmule@hardenedlinux.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/38858
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
This commit is contained in:
Bill XIE 2020-02-13 11:11:35 +08:00 committed by Philipp Deppenwiese
parent ea861ce831
commit bad08c2c29
3 changed files with 16 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/lib/cbfs.c
View File

@ -56,7 +56,10 @@ int cbfs_boot_locate(struct cbfsf *fh, const char *name, uint32_t *type)
* Files can be added to the RO_REGION_ONLY config option to use this feature. * Files can be added to the RO_REGION_ONLY config option to use this feature.
*/ */
printk(BIOS_DEBUG, "Fall back to RO region for %s\n", name); printk(BIOS_DEBUG, "Fall back to RO region for %s\n", name);
ret = cbfs_locate_file_in_region(fh, "COREBOOT", name, type); if (fmap_locate_area_as_rdev("COREBOOT", &rdev))
ERROR("RO region not found\n");
else
ret = cbfs_locate(fh, &rdev, name, type);
} }
if (!ret) if (!ret)
@ -86,14 +89,18 @@ int cbfs_locate_file_in_region(struct cbfsf *fh, const char *region_name,
const char *name, uint32_t *type) const char *name, uint32_t *type)
{ {
struct region_device rdev; struct region_device rdev;
int ret = 0;
if (fmap_locate_area_as_rdev(region_name, &rdev)) { if (fmap_locate_area_as_rdev(region_name, &rdev)) {
LOG("%s region not found while looking for %s\n", LOG("%s region not found while looking for %s\n",
region_name, name); region_name, name);
return -1; return -1;
} }
return cbfs_locate(fh, &rdev, name, type); ret = cbfs_locate(fh, &rdev, name, type);
if (!ret)
if (tspi_measure_cbfs_hook(fh, name))
return -1;
return ret;
} }
size_t cbfs_load_and_decompress(const struct region_device *rdev, size_t offset, size_t cbfs_load_and_decompress(const struct region_device *rdev, size_t offset,

6
src/security/tpm/tspi/crtm.c
View File

@ -133,10 +133,14 @@ uint32_t tspi_measure_cbfs_hook(struct cbfsf *fh, const char *name)
cbfs_file_data(&rdev, fh); cbfs_file_data(&rdev, fh);
switch (cbfs_type) { switch (cbfs_type) {
case CBFS_TYPE_MRC:
case CBFS_TYPE_MRC_CACHE: case CBFS_TYPE_MRC_CACHE:
pcr_index = TPM_RUNTIME_DATA_PCR; pcr_index = TPM_RUNTIME_DATA_PCR;
break; break;
/*
* mrc.bin is code executed on CPU, so it
* should not be considered runtime data
*/
case CBFS_TYPE_MRC:
case CBFS_TYPE_STAGE: case CBFS_TYPE_STAGE:
case CBFS_TYPE_SELF: case CBFS_TYPE_SELF:
case CBFS_TYPE_FIT: case CBFS_TYPE_FIT:

2
src/security/tpm/tspi/crtm.h
View File

@ -50,7 +50,7 @@ uint32_t tspi_init_crtm(void);
*/ */
int tspi_measure_cache_to_pcr(void); int tspi_measure_cache_to_pcr(void);
#if CONFIG(TPM_MEASURED_BOOT) #if !ENV_SMM && CONFIG(TPM_MEASURED_BOOT)
/* /*
* Measures cbfs data via hook (cbfs) * Measures cbfs data via hook (cbfs)
* fh is the cbfs file handle to measure * fh is the cbfs file handle to measure