diff options
| author | Matt DeVillier <matt.devillier@amd.corp-partner.google.com> | 2023-01-23 18:38:45 -0600 |
|---|---|---|
| committer | Felix Held <felix-coreboot@felixheld.de> | 2023-02-13 14:56:48 +0000 |
| commit | 1fbc1123d798137324cc8876db6386584c475da1 (patch) | |
| tree | d01ab54ffed0756d3610e82d741ad876c567bce4 | |
| parent | 9ce755d05ed56753105bce6f4d75f4ddbc98cb26 (diff) | |
| download | coreboot-1fbc1123d798137324cc8876db6386584c475da1.tar.gz coreboot-1fbc1123d798137324cc8876db6386584c475da1.tar.bz2 coreboot-1fbc1123d798137324cc8876db6386584c475da1.zip | |
soc/amd/common/block/gfx: Use TPM-stored hash for vbios cache validation
Write the SHA256 hash of the cached VBIOS data when saving to FMAP,
and use it to validate the data read from FMAP on subsequent boots.
Add TPM2 as a dependency to the selection of VBIOS_CACHE_IN_FMAP.
BUG=b:255812886
TEST=tested with rest of patch train
Change-Id: I9c8f23b000b90a1072aeb7a57d3b7b2b2bc626dc
Signed-off-by: Matt DeVillier <matt.devillier@amd.corp-partner.google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/72402
Reviewed-by: Martin L Roth <gaumless@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
| -rw-r--r-- | src/soc/amd/common/block/graphics/Kconfig | 2 | ||||
| -rw-r--r-- | src/soc/amd/common/block/graphics/graphics.c | 11 |
2 files changed, 7 insertions, 6 deletions
diff --git a/src/soc/amd/common/block/graphics/Kconfig b/src/soc/amd/common/block/graphics/Kconfig index 511f3043733f..75b40131386c 100644 --- a/src/soc/amd/common/block/graphics/Kconfig +++ b/src/soc/amd/common/block/graphics/Kconfig @@ -13,7 +13,7 @@ config SOC_AMD_COMMON_BLOCK_GRAPHICS_ATIF config SOC_AMD_GFX_CACHE_VBIOS_IN_FMAP bool "Support for caching modified VBIOS tables in flash" - depends on SOC_AMD_COMMON_BLOCK_GRAPHICS && CHROMEOS && RUN_FSP_GOP + depends on SOC_AMD_COMMON_BLOCK_GRAPHICS && CHROMEOS && RUN_FSP_GOP && TPM2 default n help Enable support for flash based VBIOS cache. diff --git a/src/soc/amd/common/block/graphics/graphics.c b/src/soc/amd/common/block/graphics/graphics.c index 843bf787eee0..70e3758b0840 100644 --- a/src/soc/amd/common/block/graphics/graphics.c +++ b/src/soc/amd/common/block/graphics/graphics.c @@ -9,6 +9,7 @@ #include <device/pci.h> #include <fmap.h> #include <fsp/graphics.h> +#include <security/vboot/vbios_cache_hash_tpm.h> #include <security/vboot/vboot_common.h> #include <soc/intel/common/vbt.h> #include <timestamp.h> @@ -234,6 +235,9 @@ static void write_vbios_cache_to_fmap(void *unused) VBIOS_CACHE_FMAP_SIZE) != VBIOS_CACHE_FMAP_SIZE) printk(BIOS_ERR, "Failed to save vbios data to flash; rdev_writeat() failed.\n"); + /* save data hash to TPM NVRAM for validation on subsequent boots */ + vbios_cache_update_hash(vbios_data, VBIOS_CACHE_FMAP_SIZE); + printk(BIOS_SPEW, "VBIOS cache successfully written to FMAP.\n"); } @@ -254,14 +258,11 @@ void vbios_load_from_cache(void) /* * Return true if VBIOS cache data is valid * - * For now, just compare first 2 bytes of data - * TODO: replace with TPM hash verification once implemented + * Compare hash of data with hash stored in TPM NVRAM */ bool vbios_cache_is_valid(void) { - bool is_valid = vbios_data[0] == 0x55 && vbios_data[1] == 0xaa; - printk(BIOS_SPEW, "VBIOS cache is %s\n", is_valid ? "valid" : "invalid"); - return is_valid; + return vbios_cache_verify_hash(vbios_data, VBIOS_CACHE_FMAP_SIZE) == CB_SUCCESS; } BOOT_STATE_INIT_ENTRY(BS_PRE_DEVICE, BS_ON_EXIT, read_vbios_cache_from_fmap, NULL); |