authorArthur Heymans <arthur@aheymans.xyz>2021-03-29 14:23:53 +0200
committerArthur Heymans <arthur@aheymans.xyz>2021-05-06 08:26:41 +0000
commit6f8e9443aa55ad27045fb437fd8df3386d66ba3e (patch)
tree32d21070ab5343979b6f95bae77567d26d6230d6
parent59a621abc70464352eaf540bd6cb896935b9ba72 (diff)
security/tpm: Add option to init TPM in bootblock
When using a hardware assisted root of trust measurement, like Intel TXT/CBnT, the TPM init needs to happen inside the bootblock to form a proper chain of trust. Change-Id: Ifacba5d9ab19b47968b4f2ed5731ded4aac55022 Signed-off-by: Arthur Heymans <arthur@aheymans.xyz> Reviewed-on: https://review.coreboot.org/c/coreboot/+/51923 Reviewed-by: Christian Walter <christian.walter@9elements.com> Reviewed-by: Angel Pons <th3fanbus@gmail.com> Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
-rw-r--r--src/drivers/pc80/tpm/Makefile.inc1
-rw-r--r--src/drivers/tpm/Kconfig3
-rw-r--r--src/lib/bootblock.c7
-rw-r--r--src/security/intel/cbnt/Kconfig1
-rw-r--r--src/security/tpm/Kconfig8
-rw-r--r--src/security/tpm/tspi/tspi.c6
6 files changed, 24 insertions, 2 deletions
diff --git a/src/drivers/pc80/tpm/Makefile.inc b/src/drivers/pc80/tpm/Makefile.inc
index a16f6afdc4cd..8b2a864ecbfc 100644
--- a/src/drivers/pc80/tpm/Makefile.inc
+++ b/src/drivers/pc80/tpm/Makefile.inc
@@ -1,3 +1,4 @@
+bootblock-$(CONFIG_MAINBOARD_HAS_LPC_TPM) += tis.c
verstage-$(CONFIG_MAINBOARD_HAS_LPC_TPM) += tis.c
romstage-$(CONFIG_MAINBOARD_HAS_LPC_TPM) += tis.c
ramstage-$(CONFIG_MAINBOARD_HAS_LPC_TPM) += tis.c
diff --git a/src/drivers/tpm/Kconfig b/src/drivers/tpm/Kconfig
index 128f9bfecd89..79b860f89b4f 100644
--- a/src/drivers/tpm/Kconfig
+++ b/src/drivers/tpm/Kconfig
@@ -1,7 +1,8 @@
config TPM_INIT_RAMSTAGE
bool
default y if TPM1 || TPM2
- depends on !VBOOT && !VENDORCODE_ELTAN_VBOOT && !VENDORCODE_ELTAN_MBOOT
+ depends on !VBOOT && !VENDORCODE_ELTAN_VBOOT && !VENDORCODE_ELTAN_MBOOT \
+ && !TPM_MEASURED_BOOT_INIT_BOOTBLOCK
help
This driver automatically initializes the TPM if vboot is not used.
The TPM driver init is done during the ramstage chip init phase.
diff --git a/src/lib/bootblock.c b/src/lib/bootblock.c
index 23fb39227643..598996492121 100644
--- a/src/lib/bootblock.c
+++ b/src/lib/bootblock.c
@@ -1,5 +1,6 @@
/* SPDX-License-Identifier: GPL-2.0-only */
+#include <acpi/acpi.h>
#include <arch/exception.h>
#include <bootblock_common.h>
#include <console/console.h>
@@ -8,6 +9,7 @@
#include <option.h>
#include <post.h>
#include <program_loading.h>
+#include <security/tpm/tspi.h>
#include <symbols.h>
#include <timestamp.h>
@@ -56,6 +58,11 @@ void bootblock_main_with_timestamp(uint64_t base_timestamp,
bootblock_soc_init();
bootblock_mainboard_init();
+ if (CONFIG(TPM_MEASURED_BOOT_INIT_BOOTBLOCK)) {
+ int s3resume = acpi_is_wakeup_s3();
+ tpm_setup(s3resume);
+ }
+
timestamp_add_now(TS_END_BOOTBLOCK);
run_romstage();
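Review bot: The `uint32_t` result of `tpm_setup()` (its signature is visible in the tspi.c hunk of this commit) is discarded at the `tpm_setup(s3resume);` line, so a TPM that fails to initialize in the bootblock is never reported, and because the new `tspi_tpm_is_setup()` code returns 1 in every later stage when this option is set, nothing downstream retries or records that failure before PCR extends are attempted. Logging the result at least leaves evidence in the console log: `uint32_t rc = tpm_setup(s3resume);` / `if (rc != TPM_SUCCESS)` / `printk(BIOS_ERR, "TPM setup failed in bootblock: %#x\n", rc);`. The `s3resume` temporary is only used as the argument, so `tpm_setup(acpi_is_wakeup_s3())` would also do, though that is a matter of taste. No bootblock build rule for tspi.c appears in this commit while tis.c is added explicitly, so presumably one already exists; worth confirming. bootblock_main_with_timestamp() begins and ends outside the hunk.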
diff --git a/src/security/intel/cbnt/Kconfig b/src/security/intel/cbnt/Kconfig
index 415092b6c2ca..9208ab42cefc 100644
--- a/src/security/intel/cbnt/Kconfig
+++ b/src/security/intel/cbnt/Kconfig
@@ -8,6 +8,7 @@ config INTEL_CBNT_SUPPORT
select INTEL_TXT
# With CBnT the bootblock is set up as a CBnT IBB and needs a fixed size
select FIXED_BOOTBLOCK_SIZE
+ select TPM_MEASURED_BOOT_INIT_BOOTBLOCK if TPM_MEASURED_BOOT
help
Enables Intel Converged Bootguard and Trusted Execution Technology
Support. This will enable one to add a Key Manifest (KM) and a Boot
diff --git a/src/security/tpm/Kconfig b/src/security/tpm/Kconfig
index e1255d1680de..13bef069858a 100644
--- a/src/security/tpm/Kconfig
+++ b/src/security/tpm/Kconfig
@@ -106,6 +106,14 @@ config TPM_MEASURED_BOOT
help
Enables measured boot (experimental)
+config TPM_MEASURED_BOOT_INIT_BOOTBLOCK
+ bool
+ depends on TPM_MEASURED_BOOT && !VBOOT
+ help
+ Initialize TPM inside the bootblock instead of ramstage. This is
+ useful with some form of hardware assisted root of trust
+ measurement like Intel TXT/CBnT.
+
config TPM_MEASURED_BOOT_RUNTIME_DATA
string "Runtime data whitelist"
default ""
diff --git a/src/security/tpm/tspi/tspi.c b/src/security/tpm/tspi/tspi.c
index 6ef01383ce23..7a8e2befdf0a 100644
--- a/src/security/tpm/tspi/tspi.c
+++ b/src/security/tpm/tspi/tspi.c
@@ -1,5 +1,6 @@
/* SPDX-License-Identifier: GPL-2.0-only */
+#include <rules.h>
#include <console/cbmem_console.h>
#include <console/console.h>
#include <security/tpm/tspi/crtm.h>
@@ -104,6 +105,9 @@ static inline int tspi_tpm_is_setup(void)
return vboot_logic_executed();
}
+ if (CONFIG(TPM_MEASURED_BOOT_INIT_BOOTBLOCK))
+ return ENV_BOOTBLOCK ? tpm_is_setup : 1;
+
if (ENV_RAMSTAGE)
return tpm_is_setup;
@@ -180,7 +184,7 @@ uint32_t tpm_setup(int s3flag)
#if CONFIG(TPM1)
result = tpm1_invoke_state_machine();
#endif
- if (CONFIG(TPM_MEASURED_BOOT))
+ if (CONFIG(TPM_MEASURED_BOOT) && !CONFIG(TPM_MEASURED_BOOT_INIT_BOOTBLOCK))
result = tspi_measure_cache_to_pcr();
tpm_is_setup = 1;
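Review bot: With `TPM_MEASURED_BOOT_INIT_BOOTBLOCK` the `tspi_measure_cache_to_pcr()` call is skipped, yet the `tspi_tpm_is_setup()` hunk above still reports the TPM as not set up in the bootblock until `tpm_is_setup` becomes 1, so anything measured into the cache before `tpm_setup()` runs there has, as far as these hunks show, no remaining path into a PCR. If that is intentional because the hardware root of trust already covers the early bootblock, a comment on the condition should say so, e.g. `/* Bootblock init: the measurement cache is not replayed; entries made before setup are expected to be covered by the HW RoT (TXT/CBnT). */`; otherwise the replay should stay enabled for this case too. The constant `1` returned by `tspi_tpm_is_setup()` outside the bootblock also means a failed bootblock setup is indistinguishable from a successful one in later stages. tpm_setup() continues outside the hunk.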