authorBill XIE <persmule@hardenedlinux.org>2019-08-22 20:28:36 +0800
committerPhilipp Deppenwiese <zaolin.daisuki@gmail.com>2020-03-31 07:55:18 +0000
commitc79e96b4eb310db9d44e36e2dff072c01469c380 (patch)
treeeafc5710f120fa7f487118cada7c90ff91b251e9 /src/security/tpm/tspi/tspi.c
parent6b7bbc2b782938685ba08982c83c1694317a16b8 (diff)
downloadcoreboot-c79e96b4eb310db9d44e36e2dff072c01469c380.tar.gz
coreboot-c79e96b4eb310db9d44e36e2dff072c01469c380.tar.bz2
coreboot-c79e96b4eb310db9d44e36e2dff072c01469c380.zip
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within vboot should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything. As discussed in CB:34977, measured boot should be decoupled from verified boot so that the two become fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled. In this revision, only the TCPA log is initialized during bootblock. Before the TPM is set up, digests are not measured into the TPM immediately but are cached in the TCPA log, and are measured into their designated PCRs right after the TPM is up. This change allows those who do not want to use the verified boot scheme implemented by vboot as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within vboot library to measure the boot process. TODO: Measure MRC Cache somewhere, as MRC Cache no longer resides in CBFS, so it cannot be covered by tspi_measure_cbfs_hook(). Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE <persmule@hardenedlinux.org> Reviewed-on: https://review.coreboot.org/c/coreboot/+/35077 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com> Reviewed-by: Julius Werner <jwerner@chromium.org> Reviewed-by: Werner Zeh <werner.zeh@siemens.com>
Diffstat (limited to 'src/security/tpm/tspi/tspi.c')
-rw-r--r--src/security/tpm/tspi/tspi.c52
1 files changed, 37 insertions, 15 deletions
diff --git a/src/security/tpm/tspi/tspi.c b/src/security/tpm/tspi/tspi.c
index 0095183ca23e..4f0cc972a760 100644
--- a/src/security/tpm/tspi/tspi.c
+++ b/src/security/tpm/tspi/tspi.c
@@ -14,13 +14,14 @@
#include <console/cbmem_console.h>
#include <console/console.h>
+#include <security/tpm/tspi/crtm.h>
#include <security/tpm/tspi.h>
#include <security/tpm/tss.h>
-#if CONFIG(VBOOT)
+#include <assert.h>
+#include <security/vboot/misc.h>
+#include <string.h>
#include <vb2_api.h>
#include <vb2_sha.h>
-#include <assert.h>
-#endif
#if CONFIG(TPM1)
static uint32_t tpm1_invoke_state_machine(void)
@@ -100,6 +101,18 @@ static uint32_t tpm_setup_epilogue(uint32_t result)
return result;
}
+static int tpm_is_setup;
+static inline int tspi_tpm_is_setup(void)
+{
+ if (CONFIG(VBOOT))
+ return vboot_logic_executed() || tpm_is_setup;
+
+ if (ENV_RAMSTAGE)
+ return tpm_is_setup;
+
+ return 0;
+}
+
/*
* tpm_setup starts the TPM and establishes the root of trust for the
* anti-rollback mechanism. tpm_setup can fail for three reasons. 1 A bug.
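Review bot: `tspi_tpm_is_setup()` has no comment, yet its result decides whether `tpm_extend_pcr()` extends a PCR or only records the digest in the TCPA log, so the gating needs an explanation. `tpm_is_setup` is a file-scope static, so presumably each stage carries its own copy and only the stage that ran `tpm_setup()` sees it set; without VBOOT every stage other than ramstage reports "not set up" unconditionally. I would add above the helper: `/* Non-zero once this stage may extend PCRs; until then tpm_extend_pcr() only caches digests in the TCPA log for tpm_setup() to replay. */`. The comment should also say which stage is expected to call `tpm_setup()` in a non-VBOOT build, because a digest cached after the replay would, as far as this hunk shows, never reach a PCR while still appearing in the log.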
@@ -170,7 +183,10 @@ uint32_t tpm_setup(int s3flag)
#if CONFIG(TPM1)
result = tpm1_invoke_state_machine();
#endif
+ if (CONFIG(TPM_MEASURED_BOOT))
+ result = tspi_measure_cache_to_pcr();
+ tpm_is_setup = 1;
return tpm_setup_epilogue(result);
}
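Review bot: The added `result = tspi_measure_cache_to_pcr();` overwrites the status just returned by `tpm1_invoke_state_machine()`, so with TPM1 and TPM_MEASURED_BOOT both enabled a failed state machine is reported as success whenever the cache replay succeeds. `tpm_is_setup = 1` is then set regardless of `result`, which lets later `tpm_extend_pcr()` calls treat a TPM that failed setup as ready. I would guard the replay with `if (CONFIG(TPM_MEASURED_BOOT) && result == TPM_SUCCESS)` and set the flag with `tpm_is_setup = (result == TPM_SUCCESS);`, or at least log the failure before the flag is raised. The rest of `tpm_setup()` lies outside this hunk, so how earlier failures reach this point should be confirmed there.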
@@ -210,18 +226,27 @@ uint32_t tpm_extend_pcr(int pcr, enum vb2_hash_algorithm digest_algo,
if (!digest)
return TPM_E_IOERROR;
- result = tlcl_extend(pcr, digest, NULL);
- if (result != TPM_SUCCESS)
- return result;
+ if (tspi_tpm_is_setup()) {
+ result = tlcl_lib_init();
+ if (result != TPM_SUCCESS) {
+ printk(BIOS_ERR, "TPM: Can't initialize library.\n");
+ return result;
+ }
+
+ printk(BIOS_DEBUG, "TPM: Extending digest for %s into PCR %d\n", name, pcr);
+ result = tlcl_extend(pcr, digest, NULL);
+ if (result != TPM_SUCCESS)
+ return result;
+ }
- if (CONFIG(VBOOT_MEASURED_BOOT))
+ if (CONFIG(TPM_MEASURED_BOOT))
tcpa_log_add_table_entry(name, pcr, digest_algo,
digest, digest_len);
return TPM_SUCCESS;
}
-#if CONFIG(VBOOT)
+#if CONFIG(VBOOT_LIB)
uint32_t tpm_measure_region(const struct region_device *rdev, uint8_t pcr,
const char *rname)
{
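Review bot: When `tspi_tpm_is_setup()` is false and TPM_MEASURED_BOOT is disabled, `tpm_extend_pcr()` now skips both the extend and the log entry and still returns `TPM_SUCCESS`, so the digest is dropped without the caller being able to tell. An explicit early exit such as `if (!tspi_tpm_is_setup() && !CONFIG(TPM_MEASURED_BOOT)) return TPM_E_IOERROR;` (or whichever error code the maintainers prefer) would make that case visible; in the same configuration the "logged" wording in the last hunk of `tpm_measure_region()` would also be inaccurate. Separately, a failing `tlcl_extend()` returns without a `printk(BIOS_ERR, ...)`, unlike the `tlcl_lib_init()` failure just above it. The body of `tpm_measure_region()` continues outside this hunk.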
@@ -234,11 +259,7 @@ uint32_t tpm_measure_region(const struct region_device *rdev, uint8_t pcr,
if (!rdev || !rname)
return TPM_E_INVALID_ARG;
- result = tlcl_lib_init();
- if (result != TPM_SUCCESS) {
- printk(BIOS_ERR, "TPM: Can't initialize library.\n");
- return result;
- }
+
if (CONFIG(TPM1)) {
hash_alg = VB2_HASH_SHA1;
} else { /* CONFIG_TPM2 */
@@ -277,7 +298,8 @@ uint32_t tpm_measure_region(const struct region_device *rdev, uint8_t pcr,
printk(BIOS_ERR, "TPM: Extending hash into PCR failed.\n");
return result;
}
- printk(BIOS_DEBUG, "TPM: Measured %s into PCR %d\n", rname, pcr);
+ printk(BIOS_DEBUG, "TPM: Digest of %s to PCR %d %s\n",
+ rname, pcr, tspi_tpm_is_setup() ? "measured" : "logged");
return TPM_SUCCESS;
}
-#endif /* VBOOT */
+#endif /* VBOOT_LIB */