security/tpm: Fix TCPA log feature

Until now the TCPA log wasn't working correctly.

* Refactor TCPA log code.
* Add TCPA log dump fucntion.
* Make TCPA log available in bootblock.
* Fix TCPA log formatting.
* Add x86 and Cavium memory for early log.

Change-Id: Ic93133531b84318f48940d34bded48cbae739c44
Signed-off-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/29563
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Rudolph <siro@das-labor.org>

Documentation/security/index.md

@@ -0,0 +1,7 @@
+# Security
+
+This section describes documentation about the security architecture of coreboot.
+
+## Vendor
+
+- [Measured Boot](vboot/measured_boot.md)

Documentation/security/vboot/measured_boot.md

@@ -1,6 +1,8 @@
 # Measured Boot
 coreboot measured boot is implemented as Google Verified Boot extension. This
-means in order to use it, vboot needs to be available for your platform.
+means in order to use it, vboot needs to be available for your platform. The
+goal of this implementation is to implement an easy to understand and
+transparent measured boot mechanism.
 
 ## IBB/CRTM
 The "Initial Boot Block" or "Core Root of Trust for Measurement" is the first
@@ -21,10 +23,85 @@ measured boot extension because of platform constraints.
 The "Static Root of Trust for Measurement" is the easiest way doing measurements
 by measuring code before it is loaded.
 
+### Measurements
+SRTM mode measurements are done starting with the IBB as root of trust.
+Only CBFS contents are measured at the moment.
+
+#### CBFS files (stages, blobs)
+* CBFS data is measured as raw data before decompression happens.
+* CBFS header is excluded from measurements.
+* Measurements are stored in PCR 2.
+
+#### Runtime Data
+* CBFS data which changes by external input dynamically. Never stays the same.
+* It is identified by VBOOT_MEASURED_BOOT_RUNTIME_DATA kconfig option and
+  measured into a different PCR 3 in order to avoid PCR pre-calculation issues.
+
 ![][srtm]
 
 [srtm]: srtm.png
 
+### TCPA eventlog
+coreboot makes use of its own TCPA log implementation. Normally the eventlog
+specification can be found via the TCG homepage:
+
+[UEFI Specification](https://trustedcomputinggroup.org/resource/tcg-efi-platform-specification/)
+
+[BIOS Specification](https://www.trustedcomputinggroup.org/wp-content/uploads/TCG_PCClientImplementation_1-21_1_00.pdf)
+
+Both of them are not representing firmware measurements in a generalized way.
+Therefore we have to implement our own solution.
+
+We decided to provide an easy to understand TCPA log which can be read out
+from the operating system and firmware itself.
+
+#### Table Format
+The first column describes the PCR index used for measurement.
+The second column is the hash of the raw data. The third column contains
+the hash algorithm used in the operation. The last column provides
+information about what is measured. First the namespace from where the data
+came from, CBFS or FMAP, then the name used to look up the data
+(region or file name).
+
+#### Example:
+```bash
+PCR-2 e8f2b57c9ec5ea06d1bbd3240a753974d4c3e7c8cd305c20a8ea26eed906dc89 SHA256 [FMAP: COREBOOT CBFS: bootblock]
+PCR-2 309a5fcb231d3a39127de2521792f332f9a69e05675ec52535d2dcded756dc19 SHA256 [FMAP: COREBOOT CBFS: fallback/verstage]
+PCR-2 0fbba07a833d4dcfc7024eaf313661a0ba8f80a05c6d29b8801c612e10e60dee SHA256 [FMAP: RO_VPD]
+PCR-2 431681113ed44cbf6f68a12c6e5687e901052f1d728a4777b2ad36e559962047 SHA256 [FMAP: GBB]
+PCR-2 f47a8ec3e9aff2318d896942282ad4fe37d6391c82914f54a5da8a37de1300c6 SHA256 [FMAP: SI_DESC]
+PCR-3 237f6f567f8597dbdff0a00690d34d21616af0dbe434b9a2d432b136c012765f SHA256 [FMAP: SI_ME]
+PCR-2 7d2c7ac4888bfd75cd5f56e8d61f69595121183afc81556c876732fd3782c62f SHA256 [FMAP: SI_GBE]
+PCR-0 62571891215b4efc1ceab744ce59dd0b66ea6f73 SHA1 [GBB flags]
+PCR-1 a66c8c2cda246d332d0c2025b6266e1e23c89410051002f46bfad1c9265f43d0 SHA256 [GBB HWID]
+PCR-2 ceca357524caf8fc73f5fa130f05a75293031962af884e18990d281eb259f5ff SHA256 [FMAP: FW_MAIN_B CBFS: fallback/romstage]
+PCR-2 548a097604e0a975de76f98b04c7f0b0ddec03883dd69179e47a784704a1c571 SHA256 [FMAP: FW_MAIN_B CBFS: fspm.bin]
+PCR-2 1e86b27008818244c221df2436b0113bd20a86ec6ec9d8259defe87f45d2f604 SHA256 [FMAP: FW_MAIN_B CBFS: spd2.bin]
+PCR-2 05d78005fcfc9edd4ca5625f11b1f49991d17bdb7cee33b72e722bc785db55ae SHA256 [FMAP: FW_MAIN_B CBFS: fallback/postcar]
+PCR-2 c13e95829af12a584046f1a6f3e1f6e4af691209324cfeeec573633399384141 SHA256 [FMAP: FW_MAIN_B CBFS: fallback/ramstage]
+PCR-2 a6ec2761b597abd252dba2a7237140ef4a5a8e0d47cad8afb65fa16314413401 SHA256 [FMAP: FW_MAIN_B CBFS: cpu_microcode_blob.bin]
+PCR-2 c81ffa40df0b6cd6cfde4f476d452a1f6f2217bc96a3b98a4fa4a037ee7039cf SHA256 [FMAP: FW_MAIN_B CBFS: fsps.bin]
+PCR-2 4e95f57bbf3c6627eb1c72be9c48df3aaa8e6da4f5f63d85e554cf6803505609 SHA256 [FMAP: FW_MAIN_B CBFS: vbt.bin]
+PCR-3 b7663f611ecf8637a59d72f623ae92a456c30377d4175e96021c85362f0323c8 SHA256 [FMAP: RW_NVRAM]
+PCR-2 178561f046e2adbc621b12b47d65be82756128e2a1fe5116b53ef3637da700e8 SHA256 [FMAP: FW_MAIN_B CBFS: fallback/dsdt.aml]
+PCR-2 091706f5fce3eb123dd9b96c15a9dcc459a694f5e5a86e7bf6064b819a8575c7 SHA256 [FMAP: FW_MAIN_B CBFS: fallback/payload]
+```
+
+#### Dump TCPA eventlog in the OS:
+```bash
+cbmem -L
+```
+
+#### Get CBFS file and print the hash
+```bash
+cbfstool coreboot.rom extract -r COREBOOT -n fallback/romstage -U -f /dev/stdout | sha256sum
+```
+
+#### Get FMAP partition and print the hash
+```bash
+cbfstool coreboot.rom read -n SI_ME -f /dev/stdout | sha256sum
+```
+
 ## DRTM Mode
 The "Dynamic Root of Trust for Measurement" is realised by platform features
 like Intel TXT or Boot Guard. The features provide a way of loading a signed
@@ -42,17 +119,21 @@ PCR-7 are left empty.
 
 ### PCR-0
 _Hash:_ SHA1
+
 _Description:_ Google VBoot GBB flags.
 
 ### PCR-1
 _Hash:_ SHA1/SHA256
+
 _Description:_ Google VBoot GBB HWID.
 
 ### PCR-2
 _Hash:_ SHA1/SHA256
+
 _Description:_ Core Root of Trust for Measurement which includes all stages,
 data and blobs.
 
 ### PCR-3
 _Hash:_ SHA1/SHA256
+
 _Description:_ Runtime data like hwinfo.hex or MRC cache.

src/arch/x86/car.ld

@@ -31,6 +31,10 @@
 #if IS_ENABLED(CONFIG_VBOOT_STARTS_IN_BOOTBLOCK)
 	VBOOT2_WORK(., 16K)
 #endif
+	/* Vboot measured boot TCPA log measurements.
+	 * Needs to be transferred until CBMEM is available
+	 */
+	VBOOT2_TPM_LOG(., 2K)
 	/* Stack for CAR stages. Since it persists across all stages that
 	 * use CAR it can be reused. The chipset/SoC is expected to provide
 	 * the stack size. */

src/commonlib/include/commonlib/tcpa_log_serialized.h

@@ -19,13 +19,15 @@
 #include <stdint.h>
 
 #define MAX_TCPA_LOG_ENTRIES 50
-#define TCPA_LOG_STRING_LENGTH 512
-#define TCPA_FORMAT_HASH_LENGTH 128
 #define TCPA_DIGEST_MAX_LENGTH 64
-#define TCPA_PCR_HASH_NAME 256
+#define TCPA_PCR_HASH_NAME 50
+#define TCPA_PCR_HASH_LEN 10
+/* Assumption of 2K TCPA log size reserved for CAR/SRAM */
+#define MAX_PRERAM_TCPA_LOG_ENTRIES 15
 
 struct tcpa_entry {
 	uint32_t pcr;
+	char digest_type[TCPA_PCR_HASH_LEN];
 	uint8_t digest[TCPA_DIGEST_MAX_LENGTH];
 	uint32_t digest_length;
 	char name[TCPA_PCR_HASH_NAME];

src/include/memlayout.h

@@ -164,6 +164,10 @@
 	REGION(vboot2_work, addr, size, 16) \
 	_ = ASSERT(size >= 12K, "vboot2 work buffer must be at least 12K!");
 
+#define VBOOT2_TPM_LOG(addr, size) \
+	REGION(vboot2_tpm_log, addr, size, 16) \
+	_ = ASSERT(size >= 2K, "vboot2 tpm log buffer must be at least 2K!");
+
 #if ENV_VERSTAGE
 	#define VERSTAGE(addr, sz) \
 		SYMBOL(verstage, addr) \

src/security/tpm/Makefile.inc

@@ -12,11 +12,16 @@ postcar-$(CONFIG_VBOOT) += tss/tcg-1.2/tss.c
 
 ## TSPI
 
-ramstage-y += tspi/tspi.c tspi/log.c
-romstage-y += tspi/tspi.c tspi/log.c
+ramstage-y += tspi/tspi.c
+romstage-y += tspi/tspi.c
 
-verstage-$(CONFIG_VBOOT) += tspi/tspi.c tspi/log.c
-postcar-$(CONFIG_VBOOT) += tspi/tspi.c tspi/log.c
+verstage-$(CONFIG_VBOOT) += tspi/tspi.c
+postcar-$(CONFIG_VBOOT) += tspi/tspi.c
+
+ramstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
+romstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
+verstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
+postcar-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
 
 endif # CONFIG_TPM1
 
@@ -36,10 +41,15 @@ postcar-$(CONFIG_VBOOT) += tss/tcg-2.0/tss.c
 
 ## TSPI
 
-ramstage-y += tspi/tspi.c tspi/log.c
-romstage-y += tspi/tspi.c tspi/log.c
+ramstage-y += tspi/tspi.c
+romstage-y += tspi/tspi.c
 
-verstage-$(CONFIG_VBOOT) += tspi/tspi.c tspi/log.c
-postcar-$(CONFIG_VBOOT) += tspi/tspi.c tspi/log.c
+verstage-$(CONFIG_VBOOT) += tspi/tspi.c
+postcar-$(CONFIG_VBOOT) += tspi/tspi.c
+
+ramstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
+romstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
+verstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
+postcar-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
 
 endif # CONFIG_TPM2

src/security/tpm/tspi.h

@@ -21,26 +21,46 @@
 #include <security/tpm/tss.h>
 #include <commonlib/tcpa_log_serialized.h>
 #include <commonlib/region.h>
+#include <vb2_api.h>
 
-#define TPM_PCR_MAX_LEN		64
-#define HASH_DATA_CHUNK_SIZE	1024
+#define TPM_PCR_MAX_LEN 64
+#define HASH_DATA_CHUNK_SIZE 1024
+
+/**
+ * Clears the pre-RAM tcpa log data and initializes
+ * any content with default values
+ */
+void tcpa_preram_log_clear(void);
 
 /**
  * Add table entry for cbmem TCPA log.
+ * @param name Name of the hashed data
+ * @param pcr PCR used to extend hashed data
+ * @param diget_algo sets the digest algorithm
+ * @param digest sets the hash extended into the tpm
+ * @param digest_len the length of the digest
  */
 void tcpa_log_add_table_entry(const char *name, const uint32_t pcr,
+			      enum vb2_hash_algorithm digest_algo,
 			      const uint8_t *digest,
-			      const size_t digest_length);
+			      const size_t digest_len);
+
+/**
+ * Dump TCPA log entries on console
+ */
+void tcpa_log_dump(void *unused);
 
 /**
  * Ask vboot for a digest and extend a TPM PCR with it.
  * @param pcr sets the pcr index
+ * @param diget_algo sets the digest algorithm
  * @param digest sets the hash to extend into the tpm
  * @param digest_len the length of the digest
  * @param name sets additional info where the digest comes from
  * @return TPM_SUCCESS on success. If not a tpm error is returned
  */
-uint32_t tpm_extend_pcr(int pcr, uint8_t *digest, size_t digest_len,
+uint32_t tpm_extend_pcr(int pcr, enum vb2_hash_algorithm digest_algo,
+			uint8_t *digest, size_t digest_len,
 			const char *name);
 
 /**

src/security/tpm/tspi/log.c

@@ -14,67 +14,162 @@
  */
 
 #include <string.h>
-#include <cbmem.h>
 #include <console/console.h>
 #include <security/tpm/tspi.h>
+#include <arch/early_variables.h>
+#include <fmap.h>
+#include <region_file.h>
+#include <string.h>
+#include <security/vboot/symbols.h>
+#include <cbmem.h>
+#include <bootstate.h>
+
+static struct tcpa_table *tcpa_cbmem_init(void)
+{
+	MAYBE_STATIC struct tcpa_table *tclt = NULL;
+	if (tclt)
+		return tclt;
+
+	if (cbmem_possibly_online()) {
+		tclt = cbmem_find(CBMEM_ID_TCPA_LOG);
+		if (!tclt) {
+			size_t tcpa_log_len = sizeof(struct tcpa_table) +
+			MAX_TCPA_LOG_ENTRIES * sizeof(struct tcpa_entry);
+			tclt = cbmem_add(CBMEM_ID_TCPA_LOG, tcpa_log_len);
+			if (tclt) {
+				tclt->max_entries = MAX_TCPA_LOG_ENTRIES;
+				tclt->num_entries = 0;
+			}
+		}
+	}
+	return tclt;
+}
 
 static struct tcpa_table *tcpa_log_init(void)
 {
 	MAYBE_STATIC struct tcpa_table *tclt = NULL;
 
-	if (!cbmem_possibly_online())
-		return NULL;
-
-	if (tclt != NULL)
-		return tclt;
-
-	tclt = (struct tcpa_table *) cbmem_entry_find(CBMEM_ID_TCPA_LOG);
-	if (tclt)
-		return tclt;
-
-	tclt = cbmem_add(CBMEM_ID_TCPA_LOG,
-			 sizeof(struct tcpa_table) +
-			 MAX_TCPA_LOG_ENTRIES *
-			 sizeof(struct tcpa_entry));
-
-	if (!tclt) {
-		printk(BIOS_ERR, "ERROR: Could not create TCPA log table\n");
-		return NULL;
+	/* We are dealing here with pre CBMEM environment.
+	 * If cbmem isn't available use CAR or SRAM */
+	if (!cbmem_possibly_online() &&
+		!IS_ENABLED(CONFIG_VBOOT_RETURN_FROM_VERSTAGE))
+		return (struct tcpa_table *)_vboot2_tpm_log;
+	else if (ENV_ROMSTAGE &&
+		!IS_ENABLED(CONFIG_VBOOT_RETURN_FROM_VERSTAGE)) {
+		tclt = tcpa_cbmem_init();
+		if (!tclt)
+			return (struct tcpa_table *)_vboot2_tpm_log;
+	} else {
+		tclt = tcpa_cbmem_init();
 	}
 
-	tclt->max_entries = MAX_TCPA_LOG_ENTRIES;
-	tclt->num_entries = 0;
-
-	printk(BIOS_DEBUG, "TCPA log created at %p\n", tclt);
-
 	return tclt;
 }
 
-void tcpa_log_add_table_entry(const char *name, const uint32_t pcr,
-			      const uint8_t *digest, const size_t digest_length)
+void tcpa_log_dump(void *unused)
 {
+	int i, j;
 	struct tcpa_table *tclt;
-	struct tcpa_entry *tce;
 
 	tclt = tcpa_log_init();
-
 	if (!tclt)
 		return;
 
-	if (tclt->num_entries == tclt->max_entries) {
-		printk(BIOS_WARNING, "ERROR: TCPA log table is full\n");
+	printk(BIOS_INFO, "coreboot TCPA measurements:\n\n");
+	for (i = 0; i < tclt->num_entries; i++) {
+		struct tcpa_entry *tce = &tclt->entries[i];
+		if (tce) {
+			printk(BIOS_INFO, " PCR-%u ", tce->pcr);
+
+			for (j = 0; j < tce->digest_length; j++)
+				printk(BIOS_INFO, "%02x", tce->digest[j]);
+
+			printk(BIOS_INFO, " %s [%s]\n",
+				   tce->digest_type, tce->name);
+		}
+	}
+	printk(BIOS_INFO, "\n");
+}
+
+void tcpa_log_add_table_entry(const char *name, const uint32_t pcr,
+			enum vb2_hash_algorithm digest_algo,
+			const uint8_t *digest,
+			const size_t digest_len)
+{
+	struct tcpa_table *tclt = tcpa_log_init();
+	if (!tclt) {
+		printk(BIOS_WARNING, "TCPA: Log non-existent!\n");
 		return;
 	}
 
-	tce = &tclt->entries[tclt->num_entries++];
+	if (tclt->num_entries >= tclt->max_entries) {
+		printk(BIOS_WARNING, "TCPA: TCPA log table is full\n");
+		return;
+	}
 
+	if (!name) {
+		printk(BIOS_WARNING, "TCPA: TCPA entry name not set\n");
+		return;
+	}
+
+	struct tcpa_entry *tce = &tclt->entries[tclt->num_entries++];
 	strncpy(tce->name, name, TCPA_PCR_HASH_NAME - 1);
 	tce->pcr = pcr;
 
-	if (digest_length > TCPA_DIGEST_MAX_LENGTH) {
-		printk(BIOS_WARNING, "ERROR: PCR digest too long for TCPA log entry\n");
+	if (digest_len > TCPA_DIGEST_MAX_LENGTH) {
+		printk(BIOS_WARNING, "TCPA: PCR digest too long for TCPA log entry\n");
 		return;
 	}
-	memcpy(tce->digest, digest, digest_length);
-	tce->digest_length = digest_length;
+
+	strncpy(tce->digest_type,
+			vb2_get_hash_algorithm_name(digest_algo),
+			TCPA_PCR_HASH_LEN - 1);
+	tce->digest_length = digest_len;
+	memcpy(tce->digest, digest, tce->digest_length);
 }
+
+void tcpa_preram_log_clear(void)
+{
+	printk(BIOS_INFO, "TCPA: Clearing coreboot TCPA log\n");
+	struct tcpa_table *tclt = (struct tcpa_table *)_vboot2_tpm_log;
+	tclt->max_entries = MAX_TCPA_LOG_ENTRIES;
+	tclt->num_entries = 0;
+}
+
+#if !IS_ENABLED(CONFIG_VBOOT_RETURN_FROM_VERSTAGE)
+static void recover_tcpa_log(int is_recovery)
+{
+	struct tcpa_table *preram_log = (struct tcpa_table *)_vboot2_tpm_log;
+	struct tcpa_table *ram_log = NULL;
+	int i;
+
+	if (preram_log->num_entries > MAX_PRERAM_TCPA_LOG_ENTRIES) {
+		printk(BIOS_WARNING, "TCPA: Pre-RAM TCPA log is too full, possible corruption\n");
+		return;
+	}
+
+	ram_log = tcpa_cbmem_init();
+	if (!ram_log) {
+		printk(BIOS_WARNING, "TCPA: CBMEM not available something went wrong\n");
+		return;
+	}
+
+	for (i = 0; i < preram_log->num_entries; i++) {
+		struct tcpa_entry *tce = &ram_log->entries[ram_log->num_entries++];
+		strncpy(tce->name, preram_log->entries[i].name, TCPA_PCR_HASH_NAME - 1);
+		tce->pcr = preram_log->entries[i].pcr;
+
+		if (preram_log->entries[i].digest_length > TCPA_DIGEST_MAX_LENGTH) {
+			printk(BIOS_WARNING, "TCPA: PCR digest too long for TCPA log entry\n");
+			return;
+		}
+
+		strncpy(tce->digest_type, preram_log->entries[i].digest_type, TCPA_PCR_HASH_LEN - 1);
+		tce->digest_length = MIN(preram_log->entries[i].digest_length, TCPA_DIGEST_MAX_LENGTH);
+		memcpy(tce->digest, preram_log->entries[i].digest, tce->digest_length);
+	}
+}
+ROMSTAGE_CBMEM_INIT_HOOK(recover_tcpa_log);
+#endif
+
+BOOT_STATE_INIT_ENTRY(BS_PAYLOAD_BOOT, BS_ON_ENTRY, tcpa_log_dump, NULL);

src/security/tpm/tspi/tspi.c

@@ -202,8 +202,8 @@ uint32_t tpm_clear_and_reenable(void)
 	return TPM_SUCCESS;
 }
 
-uint32_t tpm_extend_pcr(int pcr, uint8_t *digest,
-			size_t digest_len, const char *name)
+uint32_t tpm_extend_pcr(int pcr, enum vb2_hash_algorithm digest_algo,
+			uint8_t *digest, size_t digest_len, const char *name)
 {
 	uint32_t result;
 
@@ -214,6 +214,10 @@ uint32_t tpm_extend_pcr(int pcr, uint8_t *digest,
 	if (result != TPM_SUCCESS)
 		return result;
 
+	if (IS_ENABLED(CONFIG_VBOOT_MEASURED_BOOT))
+		tcpa_log_add_table_entry(name, pcr, digest_algo,
+			digest, digest_len);
+
 	return TPM_SUCCESS;
 }
 
@@ -235,10 +239,11 @@ uint32_t tpm_measure_region(const struct region_device *rdev, uint8_t pcr,
 		printk(BIOS_ERR, "TPM: Can't initialize library.\n");
 		return result;
 	}
-	if (IS_ENABLED(CONFIG_TPM1))
+	if (IS_ENABLED(CONFIG_TPM1)) {
 		hash_alg = VB2_HASH_SHA1;
-	else /* CONFIG_TPM2 */
+	} else { /* CONFIG_TPM2 */
 		hash_alg = VB2_HASH_SHA256;
+	}
 
 	digest_len = vb2_digest_size(hash_alg);
 	assert(digest_len <= sizeof(digest));
@@ -267,7 +272,7 @@ uint32_t tpm_measure_region(const struct region_device *rdev, uint8_t pcr,
 		printk(BIOS_ERR, "TPM: Error finalizing hash.\n");
 		return TPM_E_HASH_ERROR;
 	}
-	result = tpm_extend_pcr(pcr, digest, digest_len, rname);
+	result = tpm_extend_pcr(pcr, hash_alg, digest, digest_len, rname);
 	if (result != TPM_SUCCESS) {
 		printk(BIOS_ERR, "TPM: Extending hash into PCR failed.\n");
 		return result;

src/security/vboot/secdata_tpm.c

@@ -80,10 +80,11 @@ uint32_t vboot_extend_pcr(struct vb2_context *ctx, int pcr,
 
 	switch (which_digest) {
 	case BOOT_MODE_PCR:
-		return tpm_extend_pcr(pcr, buffer, size,
+		return tpm_extend_pcr(pcr, VB2_HASH_SHA1, buffer, size,
 				      TPM_PCR_GBB_FLAGS_NAME);
 	case HWID_DIGEST_PCR:
-		return tpm_extend_pcr(pcr, buffer, size, TPM_PCR_GBB_HWID_NAME);
+		return tpm_extend_pcr(pcr, VB2_HASH_SHA256, buffer,
+					  size, TPM_PCR_GBB_HWID_NAME);
 	default:
 		return VB2_ERROR_UNKNOWN;
 	}

src/security/vboot/symbols.h

@@ -20,4 +20,6 @@
 
 DECLARE_REGION(vboot2_work)
 
+DECLARE_REGION(vboot2_tpm_log)
+
 #endif /* __VBOOT_SYMBOLS_H__ */

src/security/vboot/vboot_crtm.c

@@ -18,6 +18,36 @@
 #include <security/vboot/vboot_crtm.h>
 #include <security/vboot/misc.h>
 
+/*
+ * This functions sets the TCPA log namespace
+ * for the cbfs file (region) lookup.
+ */
+static int create_tcpa_metadata(const struct region_device *rdev,
+		const char *cbfs_name, char log_string[TCPA_PCR_HASH_NAME])
+{
+	int i;
+	struct region_device fmap;
+	const static char *fmap_cbfs_names[] = {
+	"COREBOOT",
+	"FW_MAIN_A",
+	"FW_MAIN_B",
+	"RW_LEGACY"};
+
+	for (i = 0; i < ARRAY_SIZE(fmap_cbfs_names); i++) {
+		if (fmap_locate_area_as_rdev(fmap_cbfs_names[i], &fmap) == 0) {
+			if (region_is_subregion(region_device_region(&fmap),
+				region_device_region(rdev))) {
+				snprintf(log_string, TCPA_PCR_HASH_NAME,
+					"FMAP: %s CBFS: %s",
+					fmap_cbfs_names[i], cbfs_name);
+				return 0;
+			}
+		}
+	}
+
+	return -1;
+}
+
 uint32_t vboot_init_crtm(void)
 {
 	struct prog bootblock = PROG_INIT(PROG_BOOTBLOCK, "bootblock");
@@ -25,6 +55,10 @@ uint32_t vboot_init_crtm(void)
 		PROG_INIT(PROG_VERSTAGE, CONFIG_CBFS_PREFIX "/verstage");
 	struct prog romstage =
 		PROG_INIT(PROG_ROMSTAGE, CONFIG_CBFS_PREFIX "/romstage");
+	char tcpa_metadata[TCPA_PCR_HASH_NAME];
+
+	/* Initialize TCPE PRERAM log. */
+	tcpa_preram_log_clear();
 
 	/* measure bootblock from RO */
 	struct cbfsf bootblock_data;
@@ -32,16 +66,20 @@ uint32_t vboot_init_crtm(void)
 	if (fmap_locate_area_as_rdev("BOOTBLOCK", &bootblock_fmap) == 0) {
 		if (tpm_measure_region(&bootblock_fmap,
 				       TPM_CRTM_PCR,
-				       prog_name(&bootblock)))
+				       "FMAP: BOOTBLOCK"))
 			return VB2_ERROR_UNKNOWN;
 	} else {
 		if (cbfs_boot_locate(&bootblock_data,
 			prog_name(&bootblock), NULL) == 0) {
 			cbfs_file_data(prog_rdev(&bootblock), &bootblock_data);
 
+			if (create_tcpa_metadata(prog_rdev(&bootblock),
+				prog_name(&bootblock), tcpa_metadata) < 0)
+				return VB2_ERROR_UNKNOWN;
+
 			if (tpm_measure_region(prog_rdev(&bootblock),
-					       TPM_CRTM_PCR,
-					       prog_name(&bootblock)))
+					TPM_CRTM_PCR,
+					tcpa_metadata))
 				return VB2_ERROR_UNKNOWN;
 		} else {
 			printk(BIOS_INFO,
@@ -57,9 +95,13 @@ uint32_t vboot_init_crtm(void)
 			prog_name(&romstage), NULL) == 0) {
 			cbfs_file_data(prog_rdev(&romstage), &romstage_data);
 
+			if (create_tcpa_metadata(prog_rdev(&romstage),
+				prog_name(&romstage), tcpa_metadata) < 0)
+				return VB2_ERROR_UNKNOWN;
+
 			if (tpm_measure_region(prog_rdev(&romstage),
-					       TPM_CRTM_PCR,
-					       CONFIG_CBFS_PREFIX "/romstage"))
+				TPM_CRTM_PCR,
+				tcpa_metadata))
 				return VB2_ERROR_UNKNOWN;
 		} else {
 			printk(BIOS_INFO,
@@ -76,9 +118,13 @@ uint32_t vboot_init_crtm(void)
 			prog_name(&verstage), NULL) == 0) {
 			cbfs_file_data(prog_rdev(&verstage), &verstage_data);
 
+			if (create_tcpa_metadata(prog_rdev(&verstage),
+				prog_name(&verstage), tcpa_metadata) < 0)
+				return VB2_ERROR_UNKNOWN;
+
 			if (tpm_measure_region(prog_rdev(&verstage),
-					       TPM_CRTM_PCR,
-					       CONFIG_CBFS_PREFIX "/verstage"))
+				TPM_CRTM_PCR,
+				tcpa_metadata))
 				return VB2_ERROR_UNKNOWN;
 		} else {
 			printk(BIOS_INFO,
@@ -114,6 +160,7 @@ uint32_t vboot_measure_cbfs_hook(struct cbfsf *fh, const char *name)
 	uint32_t pcr_index;
 	uint32_t cbfs_type;
 	struct region_device rdev;
+	char tcpa_metadata[TCPA_PCR_HASH_NAME];
 
 	if (!vb2_logic_executed())
 		return 0;
@@ -139,6 +186,8 @@ uint32_t vboot_measure_cbfs_hook(struct cbfsf *fh, const char *name)
 		break;
 	}
 
-	return tpm_measure_region(&rdev, pcr_index,
-				  name);
+	if (create_tcpa_metadata(&rdev, name, tcpa_metadata) < 0)
+		return VB2_ERROR_UNKNOWN;
+
+	return tpm_measure_region(&rdev, pcr_index, tcpa_metadata);
 }

src/soc/cavium/cn81xx/include/soc/memlayout.ld

@@ -35,7 +35,8 @@ SECTIONS
 	PRERAM_CBMEM_CONSOLE(BOOTROM_OFFSET + 0x8000, 8K)
 	BOOTBLOCK(BOOTROM_OFFSET + 0x20000, 64K)
 	VBOOT2_WORK(BOOTROM_OFFSET + 0x30000, 12K)
-	VERSTAGE(BOOTROM_OFFSET + 0x33000, 52K)
+	VBOOT2_TPM_LOG(BOOTROM_OFFSET + 0x33000, 2K)
+	VERSTAGE(BOOTROM_OFFSET + 0x33800, 50K)
 	ROMSTAGE(BOOTROM_OFFSET + 0x40000, 256K)
 
 	SRAM_END(BOOTROM_OFFSET + 0x80000)

src/soc/imgtec/pistachio/include/soc/memlayout.ld

@@ -46,7 +46,8 @@ SECTIONS
 	REGION(gram_bootblock, 0x1a000000, 28K, 1)
 	ROMSTAGE(0x1a007000, 60K)
 	VBOOT2_WORK(0x1a016000, 12K)
-	PRERAM_CBFS_CACHE(0x1a019000, 48K)
+	VBOOT2_TPM_LOG(0x1a019000, 2K)
+	PRERAM_CBFS_CACHE(0x1a019800, 46K)
 	SRAM_END(0x1a066000)
 
 	/* Bootblock executes out of KSEG0 and sets up the identity mapping.

src/soc/mediatek/mt8173/include/soc/memlayout.ld

@@ -39,7 +39,8 @@ SECTIONS
 
 	SRAM_START(0x00100000)
 	VBOOT2_WORK(0x00100000, 12K)
-	PRERAM_CBMEM_CONSOLE(0x00103000, 16K)
+	VBOOT2_TPM_LOG(0x00103000, 2K)
+	PRERAM_CBMEM_CONSOLE(0x00103800, 14K)
 	WATCHDOG_TOMBSTONE(0x00107000, 4)
 	PRERAM_CBFS_CACHE(0x00107004, 16K - 4)
 	TIMESTAMP(0x0010B000, 4K)

src/soc/mediatek/mt8183/include/soc/memlayout.ld

@@ -29,7 +29,8 @@ SECTIONS
 {
 	SRAM_START(0x00100000)
 	VBOOT2_WORK(0x00100000, 12K)
-	PRERAM_CBMEM_CONSOLE(0x00103000, 16K)
+	VBOOT2_TPM_LOG(0x00103000, 2K)
+	PRERAM_CBMEM_CONSOLE(0x00103800, 14K)
 	WATCHDOG_TOMBSTONE(0x00107000, 4)
 	PRERAM_CBFS_CACHE(0x00107004, 16K - 4)
 	TIMESTAMP(0x0010B000, 4K)

src/soc/nvidia/tegra124/include/soc/memlayout.ld

@@ -27,9 +27,10 @@ SECTIONS
 {
 	SRAM_START(0x40000000)
 	TTB(0x40000000, 16K + 32)
-	PRERAM_CBMEM_CONSOLE(0x40004020, 8K - 32)
-	PRERAM_CBFS_CACHE(0x40006000, 16K)
-	VBOOT2_WORK(0x4000A000, 16K)
+	PRERAM_CBMEM_CONSOLE(0x40004020, 6K - 32)
+	PRERAM_CBFS_CACHE(0x40005800, 16K)
+	VBOOT2_WORK(0x40009800, 16K)
+	VBOOT2_TPM_LOG(0x4000D800, 2K)
 	STACK(0x4000E000, 8K)
 	BOOTBLOCK(0x40010000, 30K)
 	VERSTAGE(0x40017800, 72K)

src/soc/nvidia/tegra210/include/soc/memlayout.ld

@@ -28,18 +28,19 @@
 SECTIONS
 {
 	SRAM_START(0x40000000)
-	PRERAM_CBMEM_CONSOLE(0x40000000, 4K)
-	PRERAM_CBFS_CACHE(0x40001000, 36K)
-	VBOOT2_WORK(0x4000A000, 12K)
+	PRERAM_CBMEM_CONSOLE(0x40000000, 2K)
+	PRERAM_CBFS_CACHE(0x40000800, 32K)
+	VBOOT2_WORK(0x40008800, 12K)
+	VBOOT2_TPM_LOG(0x4000B800, 2K)
 #if ENV_ARM64
-	STACK(0x4000D000, 3K)
+	STACK(0x4000C000, 3K)
 #else	/* AVP gets a separate stack to avoid any chance of handoff races. */
-	STACK(0x4000DC00, 3K)
+	STACK(0x4000CC00, 3K)
 #endif
-	TIMESTAMP(0x4000E800, 2K)
-	BOOTBLOCK(0x4000F000, 28K)
-	VERSTAGE(0x40016000, 64K)
-	ROMSTAGE(0x40026000, 104K)
+	TIMESTAMP(0x4000D800, 2K)
+	BOOTBLOCK(0x4000E000, 28K)
+	VERSTAGE(0x40015000, 66K)
+	ROMSTAGE(0x40025800, 106K)
 	SRAM_END(0x40040000)
 
 	DRAM_START(0x80000000)

src/soc/samsung/exynos5250/include/soc/memlayout.ld

@@ -31,7 +31,8 @@ SECTIONS
 	ROMSTAGE(0x2030000, 128K)
 	/* 32K hole */
 	TTB(0x2058000, 16K)
-	PRERAM_CBFS_CACHE(0x205C000, 80K)
+	PRERAM_CBFS_CACHE(0x205C000, 78K)
+	VBOOT2_TPM_LOG(0x206F800, 2K)
 	VBOOT2_WORK(0x2070000, 16K)
 	STACK(0x2074000, 16K)
 	SRAM_END(0x2078000)

util/cbmem/cbmem.c

@@ -690,8 +690,6 @@ static void dump_tcpa_log(void)
 	const struct tcpa_table *tclt_p;
 	size_t size;
 	struct mapping tcpa_mapping;
-	char log_string[TCPA_LOG_STRING_LENGTH];
-	char hash[TCPA_FORMAT_HASH_LENGTH];
 
 	if (tcpa_log.tag != LB_TAG_TCPA_LOG) {
 		fprintf(stderr, "No tcpa log found in coreboot table.\n");
@@ -716,13 +714,12 @@ static void dump_tcpa_log(void)
 	for (i = 0; i < tclt_p->num_entries; i++) {
 		const struct tcpa_entry *tce = &tclt_p->entries[i];
 
-		memset(log_string, 0, TCPA_LOG_STRING_LENGTH);
-		for (j = 0; j < tce->digest_length; j++)
-			sprintf((char *)&(hash[j * 2]), "%02x", tce->digest[j]);
+		printf(" PCR-%u ", tce->pcr);
 
-		snprintf(log_string, TCPA_LOG_STRING_LENGTH, "%u %s 00 [%s]\n",
-			 tce->pcr, hash, tce->name);
-		printf("%s", log_string);
+		for (j = 0; j < tce->digest_length; j++)
+			printf("%02x", tce->digest[j]);
+
+		printf(" %s [%s]\n", tce->digest_type, tce->name);
 	}
 
 	unmap_memory(&tcpa_mapping);