diff --git a/src/arch/x86/car.ld b/src/arch/x86/car.ld index 5e5493a355..92b26a0877 100644 --- a/src/arch/x86/car.ld +++ b/src/arch/x86/car.ld @@ -20,8 +20,8 @@ /* Vboot measured boot TCPA log measurements. * Needs to be transferred until CBMEM is available */ -#if CONFIG(VBOOT_MEASURED_BOOT) - VBOOT2_TPM_LOG(., 2K) +#if CONFIG(TPM_MEASURED_BOOT) + TPM_TCPA_LOG(., 2K) #endif /* Stack for CAR stages. Since it persists across all stages that * use CAR it can be reused. The chipset/SoC is expected to provide diff --git a/src/include/memlayout.h b/src/include/memlayout.h index 62c9f7b7aa..bf4b2c5323 100644 --- a/src/include/memlayout.h +++ b/src/include/memlayout.h @@ -159,9 +159,9 @@ STR(vboot2 work buffer size must be equivalent to \ VB2_FIRMWARE_WORKBUF_RECOMMENDED_SIZE! (sz))); -#define VBOOT2_TPM_LOG(addr, size) \ - REGION(vboot2_tpm_log, addr, size, 16) \ - _ = ASSERT(size >= 2K, "vboot2 tpm log buffer must be at least 2K!"); +#define TPM_TCPA_LOG(addr, size) \ + REGION(tpm_tcpa_log, addr, size, 16) \ + _ = ASSERT(size >= 2K, "tpm tcpa log buffer must be at least 2K!"); #if ENV_VERSTAGE #define VERSTAGE(addr, sz) \ diff --git a/src/include/symbols.h b/src/include/symbols.h index 94e4668ecb..e37405d4a1 100644 --- a/src/include/symbols.h +++ b/src/include/symbols.h @@ -34,8 +34,11 @@ DECLARE_REGION(preram_cbfs_cache) DECLARE_REGION(postram_cbfs_cache) DECLARE_REGION(cbfs_cache) DECLARE_REGION(fmap_cache) -DECLARE_REGION(payload) +DECLARE_REGION(tpm_tcpa_log) +/* Regions for execution units. */ + +DECLARE_REGION(payload) /* "program" always refers to the current execution unit. */ DECLARE_REGION(program) /* __size is always the maximum amount allocated in memlayout, whereas diff --git a/src/lib/cbfs.c b/src/lib/cbfs.c index 4f0b443360..4392ab7ab0 100644 --- a/src/lib/cbfs.c +++ b/src/lib/cbfs.c @@ -13,19 +13,19 @@ */ #include -#include -#include -#include #include #include #include +#include #include +#include #include +#include +#include +#include +#include #include #include -#include -#include -#include #define ERROR(x...) printk(BIOS_ERR, "CBFS: " x) #define LOG(x...) printk(BIOS_INFO, "CBFS: " x) @@ -60,7 +60,7 @@ int cbfs_boot_locate(struct cbfsf *fh, const char *name, uint32_t *type) } if (!ret) - if (vboot_measure_cbfs_hook(fh, name)) + if (tspi_measure_cbfs_hook(fh, name)) return -1; return ret; diff --git a/src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig b/src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig index 6adf4e9c41..0f32907da2 100644 --- a/src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig +++ b/src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig @@ -9,12 +9,12 @@ config BOARD_SPECIFIC_OPTIONS select MAINBOARD_HAS_TPM2 select MAINBOARD_HAS_LPC_TPM select TPM_ON_FAST_SPI + select TPM_MEASURED_BOOT config CBFS_SIZE default 0xb4e000 config VBOOT - select VBOOT_MEASURED_BOOT select VBOOT_VBNV_FLASH select VBOOT_NO_BOARD_SUPPORT select GBB_FLAG_DISABLE_LID_SHUTDOWN diff --git a/src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig b/src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig index b10bdc846b..55fb4b16bb 100644 --- a/src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig +++ b/src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig @@ -9,6 +9,7 @@ config BOARD_SPECIFIC_OPTIONS select MAINBOARD_HAS_LPC_TPM select TPM_ON_FAST_SPI select DRIVERS_I2C_PTN3460 + select TPM_MEASURED_BOOT config UART_FOR_CONSOLE default 1 @@ -17,7 +18,6 @@ config CBFS_SIZE default 0xb4e000 config VBOOT - select VBOOT_MEASURED_BOOT select VBOOT_VBNV_FLASH select VBOOT_NO_BOARD_SUPPORT select GBB_FLAG_DISABLE_LID_SHUTDOWN diff --git a/src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig b/src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig index e46a0de6f9..bd0b0d7162 100644 --- a/src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig +++ b/src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig @@ -12,12 +12,12 @@ config BOARD_SPECIFIC_OPTIONS select MAINBOARD_HAS_LPC_TPM select TPM_ON_FAST_SPI select DRIVERS_I2C_PTN3460 + select TPM_MEASURED_BOOT config CBFS_SIZE default 0xb4e000 config VBOOT - select VBOOT_MEASURED_BOOT select VBOOT_VBNV_FLASH select VBOOT_NO_BOARD_SUPPORT select GBB_FLAG_DISABLE_LID_SHUTDOWN diff --git a/src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig b/src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig index 864e808f17..852294a01d 100644 --- a/src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig +++ b/src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig @@ -11,9 +11,9 @@ config BOARD_SPECIFIC_OPTIONS select MAINBOARD_HAS_TPM2 select MAINBOARD_HAS_LPC_TPM select TPM_ON_FAST_SPI + select TPM_MEASURED_BOOT config VBOOT - select VBOOT_MEASURED_BOOT select VBOOT_VBNV_FLASH select VBOOT_NO_BOARD_SUPPORT select GBB_FLAG_DISABLE_LID_SHUTDOWN diff --git a/src/security/tpm/Kconfig b/src/security/tpm/Kconfig index 1766939c4c..d8652b2017 100644 --- a/src/security/tpm/Kconfig +++ b/src/security/tpm/Kconfig @@ -100,4 +100,21 @@ config TPM_STARTUP_IGNORE_POSTINIT or VBOOT on the Intel Arrandale processor, which issues a CPU-only reset during the romstage. +config TPM_MEASURED_BOOT + bool "Enable Measured Boot" + default n + select VBOOT_LIB + depends on TPM1 || TPM2 + depends on !VBOOT_RETURN_FROM_VERSTAGE + help + Enables measured boot (experimental) + +config TPM_MEASURED_BOOT_RUNTIME_DATA + string "Runtime data whitelist" + default "" + depends on TPM_MEASURED_BOOT + help + Runtime data whitelist of cbfs filenames. Needs to be a + comma separated list + endmenu # Trusted Platform Module (tpm) diff --git a/src/security/tpm/Makefile.inc b/src/security/tpm/Makefile.inc index a2d32cff89..c36183dd9b 100644 --- a/src/security/tpm/Makefile.inc +++ b/src/security/tpm/Makefile.inc @@ -6,22 +6,17 @@ ifeq ($(CONFIG_TPM1),y) ramstage-y += tss/tcg-1.2/tss.c romstage-y += tss/tcg-1.2/tss.c - -verstage-$(CONFIG_VBOOT) += tss/tcg-1.2/tss.c -postcar-$(CONFIG_VBOOT) += tss/tcg-1.2/tss.c +bootblock-y += tss/tcg-1.2/tss.c +verstage-y += tss/tcg-1.2/tss.c +postcar-y += tss/tcg-1.2/tss.c ## TSPI ramstage-y += tspi/tspi.c romstage-y += tspi/tspi.c - -verstage-$(CONFIG_VBOOT) += tspi/tspi.c -postcar-$(CONFIG_VBOOT) += tspi/tspi.c - -ramstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c -romstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c -verstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c -postcar-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c +bootblock-y += tspi/tspi.c +verstage-y += tspi/tspi.c +postcar-y += tspi/tspi.c endif # CONFIG_TPM1 @@ -39,17 +34,31 @@ verstage-$(CONFIG_VBOOT) += tss/tcg-2.0/tss.c postcar-y += tss/tcg-2.0/tss_marshaling.c postcar-y += tss/tcg-2.0/tss.c +bootblock-y += tss/tcg-2.0/tss_marshaling.c +bootblock-y += tss/tcg-2.0/tss.c + ## TSPI ramstage-y += tspi/tspi.c romstage-y += tspi/tspi.c - +bootblock-y += tspi/tspi.c verstage-$(CONFIG_VBOOT) += tspi/tspi.c -postcar-$(CONFIG_VBOOT) += tspi/tspi.c - -ramstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c -romstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c -verstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c -postcar-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c +postcar-y += tspi/tspi.c endif # CONFIG_TPM2 + +ifeq ($(CONFIG_TPM_MEASURED_BOOT),y) + +bootblock-y += tspi/crtm.c +verstage-y += tspi/crtm.c +romstage-y += tspi/crtm.c +ramstage-y += tspi/crtm.c +postcar-y += tspi/crtm.c + +ramstage-y += tspi/log.c +romstage-y += tspi/log.c +verstage-y += tspi/log.c +postcar-y += tspi/log.c +bootblock-y += tspi/log.c + +endif # CONFIG_TPM_MEASURED_BOOT diff --git a/src/security/tpm/tspi.h b/src/security/tpm/tspi.h index 6854401d03..7ea90e280e 100644 --- a/src/security/tpm/tspi.h +++ b/src/security/tpm/tspi.h @@ -23,6 +23,12 @@ #define TPM_PCR_MAX_LEN 64 #define HASH_DATA_CHUNK_SIZE 1024 +/** + * Get the pointer to the single instance of global + * tcpa log data, and initialize it when necessary + */ +struct tcpa_table *tcpa_log_init(void); + /** * Clears the pre-RAM tcpa log data and initializes * any content with default values @@ -47,6 +53,7 @@ void tcpa_log_add_table_entry(const char *name, const uint32_t pcr, */ void tcpa_log_dump(void *unused); + /** * Ask vboot for a digest and extend a TPM PCR with it. * @param pcr sets the pcr index diff --git a/src/security/vboot/vboot_crtm.c b/src/security/tpm/tspi/crtm.c similarity index 52% rename from src/security/vboot/vboot_crtm.c rename to src/security/tpm/tspi/crtm.c index 40b56ed881..dc7d7d21f0 100644 --- a/src/security/vboot/vboot_crtm.c +++ b/src/security/tpm/tspi/crtm.c @@ -15,12 +15,11 @@ #include #include #include -#include -#include +#include "crtm.h" #include /* - * This functions sets the TCPA log namespace + * This function sets the TCPA log namespace * for the cbfs file (region) lookup. */ static int create_tcpa_metadata(const struct region_device *rdev, @@ -28,11 +27,12 @@ static int create_tcpa_metadata(const struct region_device *rdev, { int i; struct region_device fmap; - static const char *fmap_cbfs_names[] = { - "COREBOOT", - "FW_MAIN_A", - "FW_MAIN_B", - "RW_LEGACY"}; + static const char *const fmap_cbfs_names[] = { + "COREBOOT", + "FW_MAIN_A", + "FW_MAIN_B", + "RW_LEGACY" + }; for (i = 0; i < ARRAY_SIZE(fmap_cbfs_names); i++) { if (fmap_locate_area_as_rdev(fmap_cbfs_names[i], &fmap) == 0) { @@ -49,17 +49,27 @@ static int create_tcpa_metadata(const struct region_device *rdev, return -1; } -uint32_t vboot_init_crtm(void) +static int tcpa_log_initialized; +static inline int tcpa_log_available(void) +{ + if (ENV_BOOTBLOCK) + return tcpa_log_initialized; + + return 1; +} + +uint32_t tspi_init_crtm(void) { struct prog bootblock = PROG_INIT(PROG_BOOTBLOCK, "bootblock"); - struct prog verstage = - PROG_INIT(PROG_VERSTAGE, CONFIG_CBFS_PREFIX "/verstage"); - struct prog romstage = - PROG_INIT(PROG_ROMSTAGE, CONFIG_CBFS_PREFIX "/romstage"); - char tcpa_metadata[TCPA_PCR_HASH_NAME]; - /* Initialize TCPE PRERAM log. */ - tcpa_preram_log_clear(); + /* Initialize TCPA PRERAM log. */ + if (!tcpa_log_available()) { + tcpa_preram_log_clear(); + tcpa_log_initialized = 1; + } else { + printk(BIOS_WARNING, "TSPI: CRTM already initialized!\n"); + return VB2_SUCCESS; + } /* measure bootblock from RO */ struct cbfsf bootblock_data; @@ -71,66 +81,13 @@ uint32_t vboot_init_crtm(void) return VB2_ERROR_UNKNOWN; } else { if (cbfs_boot_locate(&bootblock_data, - prog_name(&bootblock), NULL) == 0) { - cbfs_file_data(prog_rdev(&bootblock), &bootblock_data); - - if (create_tcpa_metadata(prog_rdev(&bootblock), - prog_name(&bootblock), tcpa_metadata) < 0) - return VB2_ERROR_UNKNOWN; - - if (tpm_measure_region(prog_rdev(&bootblock), - TPM_CRTM_PCR, - tcpa_metadata)) - return VB2_ERROR_UNKNOWN; - } else { + prog_name(&bootblock), NULL)) { + /* + * measurement is done in + * tspi_measure_cbfs_hook() + */ printk(BIOS_INFO, - "VBOOT: Couldn't measure bootblock into CRTM!\n"); - return VB2_ERROR_UNKNOWN; - } - } - - if (CONFIG(VBOOT_STARTS_IN_ROMSTAGE)) { - struct cbfsf romstage_data; - /* measure romstage from RO */ - if (cbfs_boot_locate(&romstage_data, - prog_name(&romstage), NULL) == 0) { - cbfs_file_data(prog_rdev(&romstage), &romstage_data); - - if (create_tcpa_metadata(prog_rdev(&romstage), - prog_name(&romstage), tcpa_metadata) < 0) - return VB2_ERROR_UNKNOWN; - - if (tpm_measure_region(prog_rdev(&romstage), - TPM_CRTM_PCR, - tcpa_metadata)) - return VB2_ERROR_UNKNOWN; - } else { - printk(BIOS_INFO, - "VBOOT: Couldn't measure %s into CRTM!\n", - CONFIG_CBFS_PREFIX "/romstage"); - return VB2_ERROR_UNKNOWN; - } - } - - if (CONFIG(VBOOT_SEPARATE_VERSTAGE)) { - struct cbfsf verstage_data; - /* measure verstage from RO */ - if (cbfs_boot_locate(&verstage_data, - prog_name(&verstage), NULL) == 0) { - cbfs_file_data(prog_rdev(&verstage), &verstage_data); - - if (create_tcpa_metadata(prog_rdev(&verstage), - prog_name(&verstage), tcpa_metadata) < 0) - return VB2_ERROR_UNKNOWN; - - if (tpm_measure_region(prog_rdev(&verstage), - TPM_CRTM_PCR, - tcpa_metadata)) - return VB2_ERROR_UNKNOWN; - } else { - printk(BIOS_INFO, - "VBOOT: Couldn't measure %s into CRTM!\n", - CONFIG_CBFS_PREFIX "/verstage"); + "TSPI: Couldn't measure bootblock into CRTM!\n"); return VB2_ERROR_UNKNOWN; } } @@ -140,8 +97,8 @@ uint32_t vboot_init_crtm(void) static bool is_runtime_data(const char *name) { - const char *whitelist = CONFIG_VBOOT_MEASURED_BOOT_RUNTIME_DATA; - size_t whitelist_len = sizeof(CONFIG_VBOOT_MEASURED_BOOT_RUNTIME_DATA) - 1; + const char *whitelist = CONFIG_TPM_MEASURED_BOOT_RUNTIME_DATA; + size_t whitelist_len = sizeof(CONFIG_TPM_MEASURED_BOOT_RUNTIME_DATA) - 1; size_t name_len = strlen(name); int i; @@ -156,15 +113,21 @@ static bool is_runtime_data(const char *name) return false; } -uint32_t vboot_measure_cbfs_hook(struct cbfsf *fh, const char *name) +uint32_t tspi_measure_cbfs_hook(struct cbfsf *fh, const char *name) { uint32_t pcr_index; uint32_t cbfs_type; struct region_device rdev; char tcpa_metadata[TCPA_PCR_HASH_NAME]; - if (!vboot_logic_executed()) - return 0; + if (!tcpa_log_available()) { + if (tspi_init_crtm() != VB2_SUCCESS) { + printk(BIOS_WARNING, + "Initializing CRTM failed!"); + return 0; + } + printk(BIOS_DEBUG, "CRTM initialized."); + } cbfsf_file_type(fh, &cbfs_type); cbfs_file_data(&rdev, fh); @@ -192,3 +155,43 @@ uint32_t vboot_measure_cbfs_hook(struct cbfsf *fh, const char *name) return tpm_measure_region(&rdev, pcr_index, tcpa_metadata); } + +int tspi_measure_cache_to_pcr(void) +{ + int i; + enum vb2_hash_algorithm hash_alg; + struct tcpa_table *tclt = tcpa_log_init(); + + if (!tclt) { + printk(BIOS_WARNING, "TCPA: Log non-existent!\n"); + return VB2_ERROR_UNKNOWN; + } + if (CONFIG(TPM1)) { + hash_alg = VB2_HASH_SHA1; + } else { /* CONFIG_TPM2 */ + hash_alg = VB2_HASH_SHA256; + } + + + printk(BIOS_DEBUG, "TPM: Write digests cached in TCPA log to PCR\n"); + for (i = 0; i < tclt->num_entries; i++) { + struct tcpa_entry *tce = &tclt->entries[i]; + if (tce) { + printk(BIOS_DEBUG, "TPM: Write digest for" + " %s into PCR %d\n", + tce->name, tce->pcr); + int result = tlcl_extend(tce->pcr, + tce->digest, + NULL); + if (result != TPM_SUCCESS) { + printk(BIOS_ERR, "TPM: Writing digest" + " of %s into PCR failed with error" + " %d\n", + tce->name, result); + return VB2_ERROR_UNKNOWN; + } + } + } + + return VB2_SUCCESS; +} diff --git a/src/security/vboot/vboot_crtm.h b/src/security/tpm/tspi/crtm.h similarity index 78% rename from src/security/vboot/vboot_crtm.h rename to src/security/tpm/tspi/crtm.h index ba3dd45abe..dfd91e1c0e 100644 --- a/src/security/vboot/vboot_crtm.h +++ b/src/security/tpm/tspi/crtm.h @@ -12,8 +12,8 @@ * GNU General Public License for more details. */ -#ifndef __SECURITY_VBOOT_CRTM_H__ -#define __SECURITY_VBOOT_CRTM_H__ +#ifndef __SECURITY_TSPI_CRTM_H__ +#define __SECURITY_TSPI_CRTM_H__ #include #include @@ -43,18 +43,23 @@ * Takes the current vboot context as parameter for s3 checks. * returns on success VB2_SUCCESS, else a vboot error. */ -uint32_t vboot_init_crtm(void); +uint32_t tspi_init_crtm(void); -#if CONFIG(VBOOT_MEASURED_BOOT) +/** + * Measure digests cached in TCPA log entries into PCRs + */ +int tspi_measure_cache_to_pcr(void); + +#if CONFIG(TPM_MEASURED_BOOT) /* * Measures cbfs data via hook (cbfs) * fh is the cbfs file handle to measure * return 0 if successful, else an error */ -uint32_t vboot_measure_cbfs_hook(struct cbfsf *fh, const char *name); +uint32_t tspi_measure_cbfs_hook(struct cbfsf *fh, const char *name); #else -#define vboot_measure_cbfs_hook(fh, name) 0 +#define tspi_measure_cbfs_hook(fh, name) 0 #endif -#endif /* __VBOOT_VBOOT_CRTM_H__ */ +#endif /* __SECURITY_TSPI_CRTM_H__ */ diff --git a/src/security/tpm/tspi/log.c b/src/security/tpm/tspi/log.c index 068d78da19..e43f74d069 100644 --- a/src/security/tpm/tspi/log.c +++ b/src/security/tpm/tspi/log.c @@ -16,7 +16,7 @@ #include #include #include -#include +#include #include #include #include @@ -42,7 +42,7 @@ static struct tcpa_table *tcpa_cbmem_init(void) return tclt; } -static struct tcpa_table *tcpa_log_init(void) +struct tcpa_table *tcpa_log_init(void) { MAYBE_STATIC_BSS struct tcpa_table *tclt = NULL; @@ -50,12 +50,12 @@ static struct tcpa_table *tcpa_log_init(void) * If cbmem isn't available use CAR or SRAM */ if (!cbmem_possibly_online() && !CONFIG(VBOOT_RETURN_FROM_VERSTAGE)) - return (struct tcpa_table *)_vboot2_tpm_log; + return (struct tcpa_table *)_tpm_tcpa_log; else if (ENV_ROMSTAGE && !CONFIG(VBOOT_RETURN_FROM_VERSTAGE)) { tclt = tcpa_cbmem_init(); if (!tclt) - return (struct tcpa_table *)_vboot2_tpm_log; + return (struct tcpa_table *)_tpm_tcpa_log; } else { tclt = tcpa_cbmem_init(); } @@ -128,7 +128,7 @@ void tcpa_log_add_table_entry(const char *name, const uint32_t pcr, void tcpa_preram_log_clear(void) { printk(BIOS_INFO, "TCPA: Clearing coreboot TCPA log\n"); - struct tcpa_table *tclt = (struct tcpa_table *)_vboot2_tpm_log; + struct tcpa_table *tclt = (struct tcpa_table *)_tpm_tcpa_log; tclt->max_entries = MAX_TCPA_LOG_ENTRIES; tclt->num_entries = 0; } @@ -136,7 +136,7 @@ void tcpa_preram_log_clear(void) #if !CONFIG(VBOOT_RETURN_FROM_VERSTAGE) static void recover_tcpa_log(int is_recovery) { - struct tcpa_table *preram_log = (struct tcpa_table *)_vboot2_tpm_log; + struct tcpa_table *preram_log = (struct tcpa_table *)_tpm_tcpa_log; struct tcpa_table *ram_log = NULL; int i; diff --git a/src/security/tpm/tspi/tspi.c b/src/security/tpm/tspi/tspi.c index 0095183ca2..4f0cc972a7 100644 --- a/src/security/tpm/tspi/tspi.c +++ b/src/security/tpm/tspi/tspi.c @@ -14,13 +14,14 @@ #include #include +#include #include #include -#if CONFIG(VBOOT) +#include +#include +#include #include #include -#include -#endif #if CONFIG(TPM1) static uint32_t tpm1_invoke_state_machine(void) @@ -100,6 +101,18 @@ static uint32_t tpm_setup_epilogue(uint32_t result) return result; } +static int tpm_is_setup; +static inline int tspi_tpm_is_setup(void) +{ + if (CONFIG(VBOOT)) + return vboot_logic_executed() || tpm_is_setup; + + if (ENV_RAMSTAGE) + return tpm_is_setup; + + return 0; +} + /* * tpm_setup starts the TPM and establishes the root of trust for the * anti-rollback mechanism. tpm_setup can fail for three reasons. 1 A bug. @@ -170,7 +183,10 @@ uint32_t tpm_setup(int s3flag) #if CONFIG(TPM1) result = tpm1_invoke_state_machine(); #endif + if (CONFIG(TPM_MEASURED_BOOT)) + result = tspi_measure_cache_to_pcr(); + tpm_is_setup = 1; return tpm_setup_epilogue(result); } @@ -210,18 +226,27 @@ uint32_t tpm_extend_pcr(int pcr, enum vb2_hash_algorithm digest_algo, if (!digest) return TPM_E_IOERROR; - result = tlcl_extend(pcr, digest, NULL); - if (result != TPM_SUCCESS) - return result; + if (tspi_tpm_is_setup()) { + result = tlcl_lib_init(); + if (result != TPM_SUCCESS) { + printk(BIOS_ERR, "TPM: Can't initialize library.\n"); + return result; + } - if (CONFIG(VBOOT_MEASURED_BOOT)) + printk(BIOS_DEBUG, "TPM: Extending digest for %s into PCR %d\n", name, pcr); + result = tlcl_extend(pcr, digest, NULL); + if (result != TPM_SUCCESS) + return result; + } + + if (CONFIG(TPM_MEASURED_BOOT)) tcpa_log_add_table_entry(name, pcr, digest_algo, digest, digest_len); return TPM_SUCCESS; } -#if CONFIG(VBOOT) +#if CONFIG(VBOOT_LIB) uint32_t tpm_measure_region(const struct region_device *rdev, uint8_t pcr, const char *rname) { @@ -234,11 +259,7 @@ uint32_t tpm_measure_region(const struct region_device *rdev, uint8_t pcr, if (!rdev || !rname) return TPM_E_INVALID_ARG; - result = tlcl_lib_init(); - if (result != TPM_SUCCESS) { - printk(BIOS_ERR, "TPM: Can't initialize library.\n"); - return result; - } + if (CONFIG(TPM1)) { hash_alg = VB2_HASH_SHA1; } else { /* CONFIG_TPM2 */ @@ -277,7 +298,8 @@ uint32_t tpm_measure_region(const struct region_device *rdev, uint8_t pcr, printk(BIOS_ERR, "TPM: Extending hash into PCR failed.\n"); return result; } - printk(BIOS_DEBUG, "TPM: Measured %s into PCR %d\n", rname, pcr); + printk(BIOS_DEBUG, "TPM: Digest of %s to PCR %d %s\n", + rname, pcr, tspi_tpm_is_setup() ? "measured" : "logged"); return TPM_SUCCESS; } -#endif /* VBOOT */ +#endif /* VBOOT_LIB */ diff --git a/src/security/vboot/Kconfig b/src/security/vboot/Kconfig index 6e0021d58d..f273265054 100644 --- a/src/security/vboot/Kconfig +++ b/src/security/vboot/Kconfig @@ -35,22 +35,6 @@ if VBOOT comment "Anti-Rollback Protection disabled because mocking secdata is enabled." depends on VBOOT_MOCK_SECDATA -config VBOOT_MEASURED_BOOT - bool "Enable Measured Boot" - default n - depends on TPM1 || TPM2 - depends on !VBOOT_RETURN_FROM_VERSTAGE - help - Enables measured boot mode in vboot (experimental) - -config VBOOT_MEASURED_BOOT_RUNTIME_DATA - string "Runtime data whitelist" - default "" - depends on VBOOT_MEASURED_BOOT - help - Runtime data whitelist of cbfs filenames. Needs to be a comma separated - list - config VBOOT_SLOTS_RW_A bool "Firmware RO + RW_A" help diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc index e7560dd911..d1cc2da807 100644 --- a/src/security/vboot/Makefile.inc +++ b/src/security/vboot/Makefile.inc @@ -105,14 +105,6 @@ romstage-y += vboot_common.c ramstage-y += vboot_common.c postcar-y += vboot_common.c -ifeq ($(CONFIG_VBOOT_MEASURED_BOOT),y) -bootblock-y += vboot_crtm.c -verstage-y += vboot_crtm.c -romstage-y += vboot_crtm.c -ramstage-y += vboot_crtm.c -postcar-y += vboot_crtm.c -endif - bootblock-y += common.c verstage-y += vboot_logic.c verstage-y += common.c diff --git a/src/security/vboot/symbols.h b/src/security/vboot/symbols.h index 778c8ee949..8f6063efac 100644 --- a/src/security/vboot/symbols.h +++ b/src/security/vboot/symbols.h @@ -19,6 +19,4 @@ DECLARE_REGION(vboot2_work) -DECLARE_REGION(vboot2_tpm_log) - #endif /* __VBOOT_SYMBOLS_H__ */ diff --git a/src/security/vboot/vboot_logic.c b/src/security/vboot/vboot_logic.c index b72df9650b..80f7aaa86b 100644 --- a/src/security/vboot/vboot_logic.c +++ b/src/security/vboot/vboot_logic.c @@ -17,13 +17,13 @@ #include #include #include +#include +#include +#include +#include #include #include #include -#include -#include -#include -#include #include "antirollback.h" @@ -283,14 +283,6 @@ void verstage_main(void) antirollback_read_space_firmware(ctx); timestamp_add_now(TS_END_TPMINIT); - /* Enable measured boot mode */ - if (CONFIG(VBOOT_MEASURED_BOOT) && - !(ctx->flags & VB2_CONTEXT_S3_RESUME)) { - if (vboot_init_crtm() != VB2_SUCCESS) - die_with_post_code(POST_INVALID_ROM, - "Initializing measured boot mode failed!"); - } - if (get_recovery_mode_switch()) { ctx->flags |= VB2_CONTEXT_FORCE_RECOVERY_MODE; if (CONFIG(VBOOT_DISABLE_DEV_ON_RECOVERY)) diff --git a/src/soc/cavium/cn81xx/include/soc/memlayout.ld b/src/soc/cavium/cn81xx/include/soc/memlayout.ld index 74786693db..f3b044235f 100644 --- a/src/soc/cavium/cn81xx/include/soc/memlayout.ld +++ b/src/soc/cavium/cn81xx/include/soc/memlayout.ld @@ -34,7 +34,7 @@ SECTIONS PRERAM_CBMEM_CONSOLE(BOOTROM_OFFSET + 0x8000, 8K) BOOTBLOCK(BOOTROM_OFFSET + 0x20000, 64K) VBOOT2_WORK(BOOTROM_OFFSET + 0x30000, 12K) - VBOOT2_TPM_LOG(BOOTROM_OFFSET + 0x33000, 2K) + TPM_TCPA_LOG(BOOTROM_OFFSET + 0x33000, 2K) VERSTAGE(BOOTROM_OFFSET + 0x33800, 50K) ROMSTAGE(BOOTROM_OFFSET + 0x40000, 256K) diff --git a/src/soc/mediatek/mt8173/include/soc/memlayout.ld b/src/soc/mediatek/mt8173/include/soc/memlayout.ld index 89ee8f4e31..2a617b7567 100644 --- a/src/soc/mediatek/mt8173/include/soc/memlayout.ld +++ b/src/soc/mediatek/mt8173/include/soc/memlayout.ld @@ -38,7 +38,7 @@ SECTIONS SRAM_START(0x00100000) VBOOT2_WORK(0x00100000, 12K) - VBOOT2_TPM_LOG(0x00103000, 2K) + TPM_TCPA_LOG(0x00103000, 2K) FMAP_CACHE(0x00103800, 2K) PRERAM_CBMEM_CONSOLE(0x00104000, 12K) WATCHDOG_TOMBSTONE(0x00107000, 4) diff --git a/src/soc/mediatek/mt8183/include/soc/memlayout.ld b/src/soc/mediatek/mt8183/include/soc/memlayout.ld index 6e523d8e32..d2f9a060f8 100644 --- a/src/soc/mediatek/mt8183/include/soc/memlayout.ld +++ b/src/soc/mediatek/mt8183/include/soc/memlayout.ld @@ -30,7 +30,7 @@ SECTIONS { SRAM_START(0x00100000) VBOOT2_WORK(0x00100000, 12K) - VBOOT2_TPM_LOG(0x00103000, 2K) + TPM_TCPA_LOG(0x00103000, 2K) FMAP_CACHE(0x00103800, 2K) WATCHDOG_TOMBSTONE(0x00104000, 4) PRERAM_CBMEM_CONSOLE(0x00104004, 63K - 4) diff --git a/src/soc/nvidia/tegra124/include/soc/memlayout.ld b/src/soc/nvidia/tegra124/include/soc/memlayout.ld index 0128a86048..adb47b1541 100644 --- a/src/soc/nvidia/tegra124/include/soc/memlayout.ld +++ b/src/soc/nvidia/tegra124/include/soc/memlayout.ld @@ -30,7 +30,7 @@ SECTIONS FMAP_CACHE(0x40005800, 2K) PRERAM_CBFS_CACHE(0x40006000, 14K) VBOOT2_WORK(0x40009800, 12K) - VBOOT2_TPM_LOG(0x4000D800, 2K) + TPM_TCPA_LOG(0x4000D800, 2K) STACK(0x4000E000, 8K) BOOTBLOCK(0x40010000, 30K) VERSTAGE(0x40017800, 72K) diff --git a/src/soc/nvidia/tegra210/include/soc/memlayout.ld b/src/soc/nvidia/tegra210/include/soc/memlayout.ld index ff44591e94..fdd0e8811f 100644 --- a/src/soc/nvidia/tegra210/include/soc/memlayout.ld +++ b/src/soc/nvidia/tegra210/include/soc/memlayout.ld @@ -31,7 +31,7 @@ SECTIONS FMAP_CACHE(0x40000800, 2K) PRERAM_CBFS_CACHE(0x40001000, 28K) VBOOT2_WORK(0x40008000, 12K) - VBOOT2_TPM_LOG(0x4000B000, 2K) + TPM_TCPA_LOG(0x4000B000, 2K) #if ENV_ARM64 STACK(0x4000B800, 3K) #else /* AVP gets a separate stack to avoid any chance of handoff races. */ diff --git a/src/soc/samsung/exynos5250/include/soc/memlayout.ld b/src/soc/samsung/exynos5250/include/soc/memlayout.ld index db637fff28..d117aac828 100644 --- a/src/soc/samsung/exynos5250/include/soc/memlayout.ld +++ b/src/soc/samsung/exynos5250/include/soc/memlayout.ld @@ -32,7 +32,7 @@ SECTIONS TTB(0x2058000, 16K) PRERAM_CBFS_CACHE(0x205C000, 76K) FMAP_CACHE(0x206F000, 2K) - VBOOT2_TPM_LOG(0x206F800, 2K) + TPM_TCPA_LOG(0x206F800, 2K) VBOOT2_WORK(0x2070000, 12K) STACK(0x2074000, 16K) SRAM_END(0x2078000)