security/tpm: Fix TCPA log feature

Until now the TCPA log wasn't working correctly.

* Refactor TCPA log code.
* Add TCPA log dump fucntion.
* Make TCPA log available in bootblock.
* Fix TCPA log formatting.
* Add x86 and Cavium memory for early log.

Change-Id: Ic93133531b84318f48940d34bded48cbae739c44
Signed-off-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/29563
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Rudolph <siro@das-labor.org>
This commit is contained in:
Philipp Deppenwiese 2018-11-10 00:35:02 +01:00
parent 7a732b4781
commit c9b7d1fb57
20 changed files with 376 additions and 92 deletions

View File

@ -0,0 +1,7 @@
# Security
This section describes documentation about the security architecture of coreboot.
## Vendor
- [Measured Boot](vboot/measured_boot.md)

View File

@ -1,6 +1,8 @@
# Measured Boot
coreboot measured boot is implemented as Google Verified Boot extension. This
means in order to use it, vboot needs to be available for your platform.
means in order to use it, vboot needs to be available for your platform. The
goal of this implementation is to implement an easy to understand and
transparent measured boot mechanism.
## IBB/CRTM
The "Initial Boot Block" or "Core Root of Trust for Measurement" is the first
@ -21,10 +23,85 @@ measured boot extension because of platform constraints.
The "Static Root of Trust for Measurement" is the easiest way doing measurements
by measuring code before it is loaded.
### Measurements
SRTM mode measurements are done starting with the IBB as root of trust.
Only CBFS contents are measured at the moment.
#### CBFS files (stages, blobs)
* CBFS data is measured as raw data before decompression happens.
* CBFS header is excluded from measurements.
* Measurements are stored in PCR 2.
#### Runtime Data
* CBFS data which changes by external input dynamically. Never stays the same.
* It is identified by VBOOT_MEASURED_BOOT_RUNTIME_DATA kconfig option and
measured into a different PCR 3 in order to avoid PCR pre-calculation issues.
![][srtm]
[srtm]: srtm.png
### TCPA eventlog
coreboot makes use of its own TCPA log implementation. Normally the eventlog
specification can be found via the TCG homepage:
[UEFI Specification](https://trustedcomputinggroup.org/resource/tcg-efi-platform-specification/)
[BIOS Specification](https://www.trustedcomputinggroup.org/wp-content/uploads/TCG_PCClientImplementation_1-21_1_00.pdf)
Both of them are not representing firmware measurements in a generalized way.
Therefore we have to implement our own solution.
We decided to provide an easy to understand TCPA log which can be read out
from the operating system and firmware itself.
#### Table Format
The first column describes the PCR index used for measurement.
The second column is the hash of the raw data. The third column contains
the hash algorithm used in the operation. The last column provides
information about what is measured. First the namespace from where the data
came from, CBFS or FMAP, then the name used to look up the data
(region or file name).
#### Example:
```bash
PCR-2 e8f2b57c9ec5ea06d1bbd3240a753974d4c3e7c8cd305c20a8ea26eed906dc89 SHA256 [FMAP: COREBOOT CBFS: bootblock]
PCR-2 309a5fcb231d3a39127de2521792f332f9a69e05675ec52535d2dcded756dc19 SHA256 [FMAP: COREBOOT CBFS: fallback/verstage]
PCR-2 0fbba07a833d4dcfc7024eaf313661a0ba8f80a05c6d29b8801c612e10e60dee SHA256 [FMAP: RO_VPD]
PCR-2 431681113ed44cbf6f68a12c6e5687e901052f1d728a4777b2ad36e559962047 SHA256 [FMAP: GBB]
PCR-2 f47a8ec3e9aff2318d896942282ad4fe37d6391c82914f54a5da8a37de1300c6 SHA256 [FMAP: SI_DESC]
PCR-3 237f6f567f8597dbdff0a00690d34d21616af0dbe434b9a2d432b136c012765f SHA256 [FMAP: SI_ME]
PCR-2 7d2c7ac4888bfd75cd5f56e8d61f69595121183afc81556c876732fd3782c62f SHA256 [FMAP: SI_GBE]
PCR-0 62571891215b4efc1ceab744ce59dd0b66ea6f73 SHA1 [GBB flags]
PCR-1 a66c8c2cda246d332d0c2025b6266e1e23c89410051002f46bfad1c9265f43d0 SHA256 [GBB HWID]
PCR-2 ceca357524caf8fc73f5fa130f05a75293031962af884e18990d281eb259f5ff SHA256 [FMAP: FW_MAIN_B CBFS: fallback/romstage]
PCR-2 548a097604e0a975de76f98b04c7f0b0ddec03883dd69179e47a784704a1c571 SHA256 [FMAP: FW_MAIN_B CBFS: fspm.bin]
PCR-2 1e86b27008818244c221df2436b0113bd20a86ec6ec9d8259defe87f45d2f604 SHA256 [FMAP: FW_MAIN_B CBFS: spd2.bin]
PCR-2 05d78005fcfc9edd4ca5625f11b1f49991d17bdb7cee33b72e722bc785db55ae SHA256 [FMAP: FW_MAIN_B CBFS: fallback/postcar]
PCR-2 c13e95829af12a584046f1a6f3e1f6e4af691209324cfeeec573633399384141 SHA256 [FMAP: FW_MAIN_B CBFS: fallback/ramstage]
PCR-2 a6ec2761b597abd252dba2a7237140ef4a5a8e0d47cad8afb65fa16314413401 SHA256 [FMAP: FW_MAIN_B CBFS: cpu_microcode_blob.bin]
PCR-2 c81ffa40df0b6cd6cfde4f476d452a1f6f2217bc96a3b98a4fa4a037ee7039cf SHA256 [FMAP: FW_MAIN_B CBFS: fsps.bin]
PCR-2 4e95f57bbf3c6627eb1c72be9c48df3aaa8e6da4f5f63d85e554cf6803505609 SHA256 [FMAP: FW_MAIN_B CBFS: vbt.bin]
PCR-3 b7663f611ecf8637a59d72f623ae92a456c30377d4175e96021c85362f0323c8 SHA256 [FMAP: RW_NVRAM]
PCR-2 178561f046e2adbc621b12b47d65be82756128e2a1fe5116b53ef3637da700e8 SHA256 [FMAP: FW_MAIN_B CBFS: fallback/dsdt.aml]
PCR-2 091706f5fce3eb123dd9b96c15a9dcc459a694f5e5a86e7bf6064b819a8575c7 SHA256 [FMAP: FW_MAIN_B CBFS: fallback/payload]
```
#### Dump TCPA eventlog in the OS:
```bash
cbmem -L
```
#### Get CBFS file and print the hash
```bash
cbfstool coreboot.rom extract -r COREBOOT -n fallback/romstage -U -f /dev/stdout | sha256sum
```
#### Get FMAP partition and print the hash
```bash
cbfstool coreboot.rom read -n SI_ME -f /dev/stdout | sha256sum
```
## DRTM Mode
The "Dynamic Root of Trust for Measurement" is realised by platform features
like Intel TXT or Boot Guard. The features provide a way of loading a signed
@ -42,17 +119,21 @@ PCR-7 are left empty.
### PCR-0
_Hash:_ SHA1
_Description:_ Google VBoot GBB flags.
### PCR-1
_Hash:_ SHA1/SHA256
_Description:_ Google VBoot GBB HWID.
### PCR-2
_Hash:_ SHA1/SHA256
_Description:_ Core Root of Trust for Measurement which includes all stages,
data and blobs.
### PCR-3
_Hash:_ SHA1/SHA256
_Description:_ Runtime data like hwinfo.hex or MRC cache.

View File

@ -31,6 +31,10 @@
#if IS_ENABLED(CONFIG_VBOOT_STARTS_IN_BOOTBLOCK)
VBOOT2_WORK(., 16K)
#endif
/* Vboot measured boot TCPA log measurements.
* Needs to be transferred until CBMEM is available
*/
VBOOT2_TPM_LOG(., 2K)
/* Stack for CAR stages. Since it persists across all stages that
* use CAR it can be reused. The chipset/SoC is expected to provide
* the stack size. */

View File

@ -19,13 +19,15 @@
#include <stdint.h>
#define MAX_TCPA_LOG_ENTRIES 50
#define TCPA_LOG_STRING_LENGTH 512
#define TCPA_FORMAT_HASH_LENGTH 128
#define TCPA_DIGEST_MAX_LENGTH 64
#define TCPA_PCR_HASH_NAME 256
#define TCPA_PCR_HASH_NAME 50
#define TCPA_PCR_HASH_LEN 10
/* Assumption of 2K TCPA log size reserved for CAR/SRAM */
#define MAX_PRERAM_TCPA_LOG_ENTRIES 15
struct tcpa_entry {
uint32_t pcr;
char digest_type[TCPA_PCR_HASH_LEN];
uint8_t digest[TCPA_DIGEST_MAX_LENGTH];
uint32_t digest_length;
char name[TCPA_PCR_HASH_NAME];

View File

@ -164,6 +164,10 @@
REGION(vboot2_work, addr, size, 16) \
_ = ASSERT(size >= 12K, "vboot2 work buffer must be at least 12K!");
#define VBOOT2_TPM_LOG(addr, size) \
REGION(vboot2_tpm_log, addr, size, 16) \
_ = ASSERT(size >= 2K, "vboot2 tpm log buffer must be at least 2K!");
#if ENV_VERSTAGE
#define VERSTAGE(addr, sz) \
SYMBOL(verstage, addr) \

View File

@ -12,11 +12,16 @@ postcar-$(CONFIG_VBOOT) += tss/tcg-1.2/tss.c
## TSPI
ramstage-y += tspi/tspi.c tspi/log.c
romstage-y += tspi/tspi.c tspi/log.c
ramstage-y += tspi/tspi.c
romstage-y += tspi/tspi.c
verstage-$(CONFIG_VBOOT) += tspi/tspi.c tspi/log.c
postcar-$(CONFIG_VBOOT) += tspi/tspi.c tspi/log.c
verstage-$(CONFIG_VBOOT) += tspi/tspi.c
postcar-$(CONFIG_VBOOT) += tspi/tspi.c
ramstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
romstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
verstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
postcar-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
endif # CONFIG_TPM1
@ -36,10 +41,15 @@ postcar-$(CONFIG_VBOOT) += tss/tcg-2.0/tss.c
## TSPI
ramstage-y += tspi/tspi.c tspi/log.c
romstage-y += tspi/tspi.c tspi/log.c
ramstage-y += tspi/tspi.c
romstage-y += tspi/tspi.c
verstage-$(CONFIG_VBOOT) += tspi/tspi.c tspi/log.c
postcar-$(CONFIG_VBOOT) += tspi/tspi.c tspi/log.c
verstage-$(CONFIG_VBOOT) += tspi/tspi.c
postcar-$(CONFIG_VBOOT) += tspi/tspi.c
ramstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
romstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
verstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
postcar-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
endif # CONFIG_TPM2

View File

@ -21,26 +21,46 @@
#include <security/tpm/tss.h>
#include <commonlib/tcpa_log_serialized.h>
#include <commonlib/region.h>
#include <vb2_api.h>
#define TPM_PCR_MAX_LEN 64
#define HASH_DATA_CHUNK_SIZE 1024
#define TPM_PCR_MAX_LEN 64
#define HASH_DATA_CHUNK_SIZE 1024
/**
* Clears the pre-RAM tcpa log data and initializes
* any content with default values
*/
void tcpa_preram_log_clear(void);
/**
* Add table entry for cbmem TCPA log.
* @param name Name of the hashed data
* @param pcr PCR used to extend hashed data
* @param diget_algo sets the digest algorithm
* @param digest sets the hash extended into the tpm
* @param digest_len the length of the digest
*/
void tcpa_log_add_table_entry(const char *name, const uint32_t pcr,
enum vb2_hash_algorithm digest_algo,
const uint8_t *digest,
const size_t digest_length);
const size_t digest_len);
/**
* Dump TCPA log entries on console
*/
void tcpa_log_dump(void *unused);
/**
* Ask vboot for a digest and extend a TPM PCR with it.
* @param pcr sets the pcr index
* @param diget_algo sets the digest algorithm
* @param digest sets the hash to extend into the tpm
* @param digest_len the length of the digest
* @param name sets additional info where the digest comes from
* @return TPM_SUCCESS on success. If not a tpm error is returned
*/
uint32_t tpm_extend_pcr(int pcr, uint8_t *digest, size_t digest_len,
uint32_t tpm_extend_pcr(int pcr, enum vb2_hash_algorithm digest_algo,
uint8_t *digest, size_t digest_len,
const char *name);
/**

View File

@ -14,67 +14,162 @@
*/
#include <string.h>
#include <cbmem.h>
#include <console/console.h>
#include <security/tpm/tspi.h>
#include <arch/early_variables.h>
#include <fmap.h>
#include <region_file.h>
#include <string.h>
#include <security/vboot/symbols.h>
#include <cbmem.h>
#include <bootstate.h>
static struct tcpa_table *tcpa_cbmem_init(void)
{
MAYBE_STATIC struct tcpa_table *tclt = NULL;
if (tclt)
return tclt;
if (cbmem_possibly_online()) {
tclt = cbmem_find(CBMEM_ID_TCPA_LOG);
if (!tclt) {
size_t tcpa_log_len = sizeof(struct tcpa_table) +
MAX_TCPA_LOG_ENTRIES * sizeof(struct tcpa_entry);
tclt = cbmem_add(CBMEM_ID_TCPA_LOG, tcpa_log_len);
if (tclt) {
tclt->max_entries = MAX_TCPA_LOG_ENTRIES;
tclt->num_entries = 0;
}
}
}
return tclt;
}
static struct tcpa_table *tcpa_log_init(void)
{
MAYBE_STATIC struct tcpa_table *tclt = NULL;
if (!cbmem_possibly_online())
return NULL;
if (tclt != NULL)
return tclt;
tclt = (struct tcpa_table *) cbmem_entry_find(CBMEM_ID_TCPA_LOG);
if (tclt)
return tclt;
tclt = cbmem_add(CBMEM_ID_TCPA_LOG,
sizeof(struct tcpa_table) +
MAX_TCPA_LOG_ENTRIES *
sizeof(struct tcpa_entry));
if (!tclt) {
printk(BIOS_ERR, "ERROR: Could not create TCPA log table\n");
return NULL;
/* We are dealing here with pre CBMEM environment.
* If cbmem isn't available use CAR or SRAM */
if (!cbmem_possibly_online() &&
!IS_ENABLED(CONFIG_VBOOT_RETURN_FROM_VERSTAGE))
return (struct tcpa_table *)_vboot2_tpm_log;
else if (ENV_ROMSTAGE &&
!IS_ENABLED(CONFIG_VBOOT_RETURN_FROM_VERSTAGE)) {
tclt = tcpa_cbmem_init();
if (!tclt)
return (struct tcpa_table *)_vboot2_tpm_log;
} else {
tclt = tcpa_cbmem_init();
}
tclt->max_entries = MAX_TCPA_LOG_ENTRIES;
tclt->num_entries = 0;
printk(BIOS_DEBUG, "TCPA log created at %p\n", tclt);
return tclt;
}
void tcpa_log_add_table_entry(const char *name, const uint32_t pcr,
const uint8_t *digest, const size_t digest_length)
void tcpa_log_dump(void *unused)
{
int i, j;
struct tcpa_table *tclt;
struct tcpa_entry *tce;
tclt = tcpa_log_init();
if (!tclt)
return;
if (tclt->num_entries == tclt->max_entries) {
printk(BIOS_WARNING, "ERROR: TCPA log table is full\n");
printk(BIOS_INFO, "coreboot TCPA measurements:\n\n");
for (i = 0; i < tclt->num_entries; i++) {
struct tcpa_entry *tce = &tclt->entries[i];
if (tce) {
printk(BIOS_INFO, " PCR-%u ", tce->pcr);
for (j = 0; j < tce->digest_length; j++)
printk(BIOS_INFO, "%02x", tce->digest[j]);
printk(BIOS_INFO, " %s [%s]\n",
tce->digest_type, tce->name);
}
}
printk(BIOS_INFO, "\n");
}
void tcpa_log_add_table_entry(const char *name, const uint32_t pcr,
enum vb2_hash_algorithm digest_algo,
const uint8_t *digest,
const size_t digest_len)
{
struct tcpa_table *tclt = tcpa_log_init();
if (!tclt) {
printk(BIOS_WARNING, "TCPA: Log non-existent!\n");
return;
}
tce = &tclt->entries[tclt->num_entries++];
if (tclt->num_entries >= tclt->max_entries) {
printk(BIOS_WARNING, "TCPA: TCPA log table is full\n");
return;
}
if (!name) {
printk(BIOS_WARNING, "TCPA: TCPA entry name not set\n");
return;
}
struct tcpa_entry *tce = &tclt->entries[tclt->num_entries++];
strncpy(tce->name, name, TCPA_PCR_HASH_NAME - 1);
tce->pcr = pcr;
if (digest_length > TCPA_DIGEST_MAX_LENGTH) {
printk(BIOS_WARNING, "ERROR: PCR digest too long for TCPA log entry\n");
if (digest_len > TCPA_DIGEST_MAX_LENGTH) {
printk(BIOS_WARNING, "TCPA: PCR digest too long for TCPA log entry\n");
return;
}
memcpy(tce->digest, digest, digest_length);
tce->digest_length = digest_length;
strncpy(tce->digest_type,
vb2_get_hash_algorithm_name(digest_algo),
TCPA_PCR_HASH_LEN - 1);
tce->digest_length = digest_len;
memcpy(tce->digest, digest, tce->digest_length);
}
void tcpa_preram_log_clear(void)
{
printk(BIOS_INFO, "TCPA: Clearing coreboot TCPA log\n");
struct tcpa_table *tclt = (struct tcpa_table *)_vboot2_tpm_log;
tclt->max_entries = MAX_TCPA_LOG_ENTRIES;
tclt->num_entries = 0;
}
#if !IS_ENABLED(CONFIG_VBOOT_RETURN_FROM_VERSTAGE)
static void recover_tcpa_log(int is_recovery)
{
struct tcpa_table *preram_log = (struct tcpa_table *)_vboot2_tpm_log;
struct tcpa_table *ram_log = NULL;
int i;
if (preram_log->num_entries > MAX_PRERAM_TCPA_LOG_ENTRIES) {
printk(BIOS_WARNING, "TCPA: Pre-RAM TCPA log is too full, possible corruption\n");
return;
}
ram_log = tcpa_cbmem_init();
if (!ram_log) {
printk(BIOS_WARNING, "TCPA: CBMEM not available something went wrong\n");
return;
}
for (i = 0; i < preram_log->num_entries; i++) {
struct tcpa_entry *tce = &ram_log->entries[ram_log->num_entries++];
strncpy(tce->name, preram_log->entries[i].name, TCPA_PCR_HASH_NAME - 1);
tce->pcr = preram_log->entries[i].pcr;
if (preram_log->entries[i].digest_length > TCPA_DIGEST_MAX_LENGTH) {
printk(BIOS_WARNING, "TCPA: PCR digest too long for TCPA log entry\n");
return;
}
strncpy(tce->digest_type, preram_log->entries[i].digest_type, TCPA_PCR_HASH_LEN - 1);
tce->digest_length = MIN(preram_log->entries[i].digest_length, TCPA_DIGEST_MAX_LENGTH);
memcpy(tce->digest, preram_log->entries[i].digest, tce->digest_length);
}
}
ROMSTAGE_CBMEM_INIT_HOOK(recover_tcpa_log);
#endif
BOOT_STATE_INIT_ENTRY(BS_PAYLOAD_BOOT, BS_ON_ENTRY, tcpa_log_dump, NULL);

View File

@ -202,8 +202,8 @@ uint32_t tpm_clear_and_reenable(void)
return TPM_SUCCESS;
}
uint32_t tpm_extend_pcr(int pcr, uint8_t *digest,
size_t digest_len, const char *name)
uint32_t tpm_extend_pcr(int pcr, enum vb2_hash_algorithm digest_algo,
uint8_t *digest, size_t digest_len, const char *name)
{
uint32_t result;
@ -214,6 +214,10 @@ uint32_t tpm_extend_pcr(int pcr, uint8_t *digest,
if (result != TPM_SUCCESS)
return result;
if (IS_ENABLED(CONFIG_VBOOT_MEASURED_BOOT))
tcpa_log_add_table_entry(name, pcr, digest_algo,
digest, digest_len);
return TPM_SUCCESS;
}
@ -235,10 +239,11 @@ uint32_t tpm_measure_region(const struct region_device *rdev, uint8_t pcr,
printk(BIOS_ERR, "TPM: Can't initialize library.\n");
return result;
}
if (IS_ENABLED(CONFIG_TPM1))
if (IS_ENABLED(CONFIG_TPM1)) {
hash_alg = VB2_HASH_SHA1;
else /* CONFIG_TPM2 */
} else { /* CONFIG_TPM2 */
hash_alg = VB2_HASH_SHA256;
}
digest_len = vb2_digest_size(hash_alg);
assert(digest_len <= sizeof(digest));
@ -267,7 +272,7 @@ uint32_t tpm_measure_region(const struct region_device *rdev, uint8_t pcr,
printk(BIOS_ERR, "TPM: Error finalizing hash.\n");
return TPM_E_HASH_ERROR;
}
result = tpm_extend_pcr(pcr, digest, digest_len, rname);
result = tpm_extend_pcr(pcr, hash_alg, digest, digest_len, rname);
if (result != TPM_SUCCESS) {
printk(BIOS_ERR, "TPM: Extending hash into PCR failed.\n");
return result;

View File

@ -80,10 +80,11 @@ uint32_t vboot_extend_pcr(struct vb2_context *ctx, int pcr,
switch (which_digest) {
case BOOT_MODE_PCR:
return tpm_extend_pcr(pcr, buffer, size,
return tpm_extend_pcr(pcr, VB2_HASH_SHA1, buffer, size,
TPM_PCR_GBB_FLAGS_NAME);
case HWID_DIGEST_PCR:
return tpm_extend_pcr(pcr, buffer, size, TPM_PCR_GBB_HWID_NAME);
return tpm_extend_pcr(pcr, VB2_HASH_SHA256, buffer,
size, TPM_PCR_GBB_HWID_NAME);
default:
return VB2_ERROR_UNKNOWN;
}

View File

@ -20,4 +20,6 @@
DECLARE_REGION(vboot2_work)
DECLARE_REGION(vboot2_tpm_log)
#endif /* __VBOOT_SYMBOLS_H__ */

View File

@ -18,6 +18,36 @@
#include <security/vboot/vboot_crtm.h>
#include <security/vboot/misc.h>
/*
* This functions sets the TCPA log namespace
* for the cbfs file (region) lookup.
*/
static int create_tcpa_metadata(const struct region_device *rdev,
const char *cbfs_name, char log_string[TCPA_PCR_HASH_NAME])
{
int i;
struct region_device fmap;
const static char *fmap_cbfs_names[] = {
"COREBOOT",
"FW_MAIN_A",
"FW_MAIN_B",
"RW_LEGACY"};
for (i = 0; i < ARRAY_SIZE(fmap_cbfs_names); i++) {
if (fmap_locate_area_as_rdev(fmap_cbfs_names[i], &fmap) == 0) {
if (region_is_subregion(region_device_region(&fmap),
region_device_region(rdev))) {
snprintf(log_string, TCPA_PCR_HASH_NAME,
"FMAP: %s CBFS: %s",
fmap_cbfs_names[i], cbfs_name);
return 0;
}
}
}
return -1;
}
uint32_t vboot_init_crtm(void)
{
struct prog bootblock = PROG_INIT(PROG_BOOTBLOCK, "bootblock");
@ -25,6 +55,10 @@ uint32_t vboot_init_crtm(void)
PROG_INIT(PROG_VERSTAGE, CONFIG_CBFS_PREFIX "/verstage");
struct prog romstage =
PROG_INIT(PROG_ROMSTAGE, CONFIG_CBFS_PREFIX "/romstage");
char tcpa_metadata[TCPA_PCR_HASH_NAME];
/* Initialize TCPE PRERAM log. */
tcpa_preram_log_clear();
/* measure bootblock from RO */
struct cbfsf bootblock_data;
@ -32,16 +66,20 @@ uint32_t vboot_init_crtm(void)
if (fmap_locate_area_as_rdev("BOOTBLOCK", &bootblock_fmap) == 0) {
if (tpm_measure_region(&bootblock_fmap,
TPM_CRTM_PCR,
prog_name(&bootblock)))
"FMAP: BOOTBLOCK"))
return VB2_ERROR_UNKNOWN;
} else {
if (cbfs_boot_locate(&bootblock_data,
prog_name(&bootblock), NULL) == 0) {
cbfs_file_data(prog_rdev(&bootblock), &bootblock_data);
if (create_tcpa_metadata(prog_rdev(&bootblock),
prog_name(&bootblock), tcpa_metadata) < 0)
return VB2_ERROR_UNKNOWN;
if (tpm_measure_region(prog_rdev(&bootblock),
TPM_CRTM_PCR,
prog_name(&bootblock)))
TPM_CRTM_PCR,
tcpa_metadata))
return VB2_ERROR_UNKNOWN;
} else {
printk(BIOS_INFO,
@ -57,9 +95,13 @@ uint32_t vboot_init_crtm(void)
prog_name(&romstage), NULL) == 0) {
cbfs_file_data(prog_rdev(&romstage), &romstage_data);
if (create_tcpa_metadata(prog_rdev(&romstage),
prog_name(&romstage), tcpa_metadata) < 0)
return VB2_ERROR_UNKNOWN;
if (tpm_measure_region(prog_rdev(&romstage),
TPM_CRTM_PCR,
CONFIG_CBFS_PREFIX "/romstage"))
TPM_CRTM_PCR,
tcpa_metadata))
return VB2_ERROR_UNKNOWN;
} else {
printk(BIOS_INFO,
@ -76,9 +118,13 @@ uint32_t vboot_init_crtm(void)
prog_name(&verstage), NULL) == 0) {
cbfs_file_data(prog_rdev(&verstage), &verstage_data);
if (create_tcpa_metadata(prog_rdev(&verstage),
prog_name(&verstage), tcpa_metadata) < 0)
return VB2_ERROR_UNKNOWN;
if (tpm_measure_region(prog_rdev(&verstage),
TPM_CRTM_PCR,
CONFIG_CBFS_PREFIX "/verstage"))
TPM_CRTM_PCR,
tcpa_metadata))
return VB2_ERROR_UNKNOWN;
} else {
printk(BIOS_INFO,
@ -114,6 +160,7 @@ uint32_t vboot_measure_cbfs_hook(struct cbfsf *fh, const char *name)
uint32_t pcr_index;
uint32_t cbfs_type;
struct region_device rdev;
char tcpa_metadata[TCPA_PCR_HASH_NAME];
if (!vb2_logic_executed())
return 0;
@ -139,6 +186,8 @@ uint32_t vboot_measure_cbfs_hook(struct cbfsf *fh, const char *name)
break;
}
return tpm_measure_region(&rdev, pcr_index,
name);
if (create_tcpa_metadata(&rdev, name, tcpa_metadata) < 0)
return VB2_ERROR_UNKNOWN;
return tpm_measure_region(&rdev, pcr_index, tcpa_metadata);
}

View File

@ -35,7 +35,8 @@ SECTIONS
PRERAM_CBMEM_CONSOLE(BOOTROM_OFFSET + 0x8000, 8K)
BOOTBLOCK(BOOTROM_OFFSET + 0x20000, 64K)
VBOOT2_WORK(BOOTROM_OFFSET + 0x30000, 12K)
VERSTAGE(BOOTROM_OFFSET + 0x33000, 52K)
VBOOT2_TPM_LOG(BOOTROM_OFFSET + 0x33000, 2K)
VERSTAGE(BOOTROM_OFFSET + 0x33800, 50K)
ROMSTAGE(BOOTROM_OFFSET + 0x40000, 256K)
SRAM_END(BOOTROM_OFFSET + 0x80000)

View File

@ -46,7 +46,8 @@ SECTIONS
REGION(gram_bootblock, 0x1a000000, 28K, 1)
ROMSTAGE(0x1a007000, 60K)
VBOOT2_WORK(0x1a016000, 12K)
PRERAM_CBFS_CACHE(0x1a019000, 48K)
VBOOT2_TPM_LOG(0x1a019000, 2K)
PRERAM_CBFS_CACHE(0x1a019800, 46K)
SRAM_END(0x1a066000)
/* Bootblock executes out of KSEG0 and sets up the identity mapping.

View File

@ -39,7 +39,8 @@ SECTIONS
SRAM_START(0x00100000)
VBOOT2_WORK(0x00100000, 12K)
PRERAM_CBMEM_CONSOLE(0x00103000, 16K)
VBOOT2_TPM_LOG(0x00103000, 2K)
PRERAM_CBMEM_CONSOLE(0x00103800, 14K)
WATCHDOG_TOMBSTONE(0x00107000, 4)
PRERAM_CBFS_CACHE(0x00107004, 16K - 4)
TIMESTAMP(0x0010B000, 4K)

View File

@ -29,7 +29,8 @@ SECTIONS
{
SRAM_START(0x00100000)
VBOOT2_WORK(0x00100000, 12K)
PRERAM_CBMEM_CONSOLE(0x00103000, 16K)
VBOOT2_TPM_LOG(0x00103000, 2K)
PRERAM_CBMEM_CONSOLE(0x00103800, 14K)
WATCHDOG_TOMBSTONE(0x00107000, 4)
PRERAM_CBFS_CACHE(0x00107004, 16K - 4)
TIMESTAMP(0x0010B000, 4K)

View File

@ -27,9 +27,10 @@ SECTIONS
{
SRAM_START(0x40000000)
TTB(0x40000000, 16K + 32)
PRERAM_CBMEM_CONSOLE(0x40004020, 8K - 32)
PRERAM_CBFS_CACHE(0x40006000, 16K)
VBOOT2_WORK(0x4000A000, 16K)
PRERAM_CBMEM_CONSOLE(0x40004020, 6K - 32)
PRERAM_CBFS_CACHE(0x40005800, 16K)
VBOOT2_WORK(0x40009800, 16K)
VBOOT2_TPM_LOG(0x4000D800, 2K)
STACK(0x4000E000, 8K)
BOOTBLOCK(0x40010000, 30K)
VERSTAGE(0x40017800, 72K)

View File

@ -28,18 +28,19 @@
SECTIONS
{
SRAM_START(0x40000000)
PRERAM_CBMEM_CONSOLE(0x40000000, 4K)
PRERAM_CBFS_CACHE(0x40001000, 36K)
VBOOT2_WORK(0x4000A000, 12K)
PRERAM_CBMEM_CONSOLE(0x40000000, 2K)
PRERAM_CBFS_CACHE(0x40000800, 32K)
VBOOT2_WORK(0x40008800, 12K)
VBOOT2_TPM_LOG(0x4000B800, 2K)
#if ENV_ARM64
STACK(0x4000D000, 3K)
STACK(0x4000C000, 3K)
#else /* AVP gets a separate stack to avoid any chance of handoff races. */
STACK(0x4000DC00, 3K)
STACK(0x4000CC00, 3K)
#endif
TIMESTAMP(0x4000E800, 2K)
BOOTBLOCK(0x4000F000, 28K)
VERSTAGE(0x40016000, 64K)
ROMSTAGE(0x40026000, 104K)
TIMESTAMP(0x4000D800, 2K)
BOOTBLOCK(0x4000E000, 28K)
VERSTAGE(0x40015000, 66K)
ROMSTAGE(0x40025800, 106K)
SRAM_END(0x40040000)
DRAM_START(0x80000000)

View File

@ -31,7 +31,8 @@ SECTIONS
ROMSTAGE(0x2030000, 128K)
/* 32K hole */
TTB(0x2058000, 16K)
PRERAM_CBFS_CACHE(0x205C000, 80K)
PRERAM_CBFS_CACHE(0x205C000, 78K)
VBOOT2_TPM_LOG(0x206F800, 2K)
VBOOT2_WORK(0x2070000, 16K)
STACK(0x2074000, 16K)
SRAM_END(0x2078000)

View File

@ -690,8 +690,6 @@ static void dump_tcpa_log(void)
const struct tcpa_table *tclt_p;
size_t size;
struct mapping tcpa_mapping;
char log_string[TCPA_LOG_STRING_LENGTH];
char hash[TCPA_FORMAT_HASH_LENGTH];
if (tcpa_log.tag != LB_TAG_TCPA_LOG) {
fprintf(stderr, "No tcpa log found in coreboot table.\n");
@ -716,13 +714,12 @@ static void dump_tcpa_log(void)
for (i = 0; i < tclt_p->num_entries; i++) {
const struct tcpa_entry *tce = &tclt_p->entries[i];
memset(log_string, 0, TCPA_LOG_STRING_LENGTH);
for (j = 0; j < tce->digest_length; j++)
sprintf((char *)&(hash[j * 2]), "%02x", tce->digest[j]);
printf(" PCR-%u ", tce->pcr);
snprintf(log_string, TCPA_LOG_STRING_LENGTH, "%u %s 00 [%s]\n",
tce->pcr, hash, tce->name);
printf("%s", log_string);
for (j = 0; j < tce->digest_length; j++)
printf("%02x", tce->digest[j]);
printf(" %s [%s]\n", tce->digest_type, tce->name);
}
unmap_memory(&tcpa_mapping);