diff options
author | Philipp Deppenwiese <zaolin.daisuki@gmail.com> | 2018-11-08 10:59:40 +0100 |
---|---|---|
committer | Philipp Deppenwiese <zaolin.daisuki@gmail.com> | 2019-02-25 22:29:16 +0000 |
commit | 66f9a09916368bfab09da42ef0beed84a4bb7206 (patch) | |
tree | 57ab1cd5851055c117db7fee991d03207b28c69d /src/lib | |
parent | bacd57dfaf7b4c5d3bc5400dbd82b896d0ed23cc (diff) |
security/vboot: Add measured boot mode
* Introduce a measured boot mode into vboot.
* Add hook for stage measurements in prog_loader and cbfs.
* Implement and hook-up CRTM in vboot and check for suspend.
Change-Id: I339a2f1051e44f36aba9f99828f130592a09355e
Signed-off-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Signed-off-by: Werner Zeh <werner.zeh@siemens.com>
Reviewed-on: https://review.coreboot.org/c/29547
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/cbfs.c | 35 |
1 files changed, 21 insertions, 14 deletions
diff --git a/src/lib/cbfs.c b/src/lib/cbfs.c index a5c9f85238..3e2ccf3db4 100644 --- a/src/lib/cbfs.c +++ b/src/lib/cbfs.c @@ -26,6 +26,7 @@ #include <timestamp.h> #include <fmap.h> #include "fmap_config.h" +#include <security/vboot/vboot_crtm.h> #define ERROR(x...) printk(BIOS_ERR, "CBFS: " x) #define LOG(x...) printk(BIOS_INFO, "CBFS: " x) @@ -59,7 +60,12 @@ int cbfs_boot_locate(struct cbfsf *fh, const char *name, uint32_t *type) return -1; } - return cbfs_locate(fh, &rdev, name, type); + int ret = cbfs_locate(fh, &rdev, name, type); + if (!ret) + if (vboot_measure_cbfs_hook(fh, name)) + return -1; + + return ret; } void *cbfs_boot_map_with_leak(const char *name, uint32_t type, size_t *size) @@ -79,13 +85,13 @@ void *cbfs_boot_map_with_leak(const char *name, uint32_t type, size_t *size) } int cbfs_locate_file_in_region(struct cbfsf *fh, const char *region_name, - const char *name, uint32_t *type) + const char *name, uint32_t *type) { struct region_device rdev; if (fmap_locate_area_as_rdev(region_name, &rdev)) { LOG("%s region not found while looking for %s\n", - region_name, name); + region_name, name); return -1; } @@ -107,7 +113,7 @@ size_t cbfs_load_and_decompress(const struct region_device *rdev, size_t offset, case CBFS_COMPRESS_LZ4: if ((ENV_BOOTBLOCK || ENV_VERSTAGE) && - !IS_ENABLED(CONFIG_COMPRESS_PRERAM_STAGES)) + !IS_ENABLED(CONFIG_COMPRESS_PRERAM_STAGES)) return 0; /* Load the compressed image to the end of the available memory @@ -130,7 +136,7 @@ size_t cbfs_load_and_decompress(const struct region_device *rdev, size_t offset, if (ENV_ROMSTAGE && IS_ENABLED(CONFIG_POSTCAR_STAGE)) return 0; if ((ENV_ROMSTAGE || ENV_POSTCAR) - && !IS_ENABLED(CONFIG_COMPRESS_RAMSTAGE)) + && !IS_ENABLED(CONFIG_COMPRESS_RAMSTAGE)) return 0; void *map = rdev_mmap(rdev, offset, in_size); if (map == NULL) @@ -157,9 +163,9 @@ static inline int tohex4(unsigned int c) static void tohex16(unsigned int val, char *dest) { - dest[0] = tohex4(val>>12); - dest[1] = tohex4((val>>8) & 0xf); - dest[2] = tohex4((val>>4) & 0xf); + dest[0] = tohex4(val >> 12); + dest[1] = tohex4((val >> 8) & 0xf); + dest[2] = tohex4((val >> 4) & 0xf); dest[3] = tohex4(val & 0xf); } @@ -167,8 +173,8 @@ void *cbfs_boot_map_optionrom(uint16_t vendor, uint16_t device) { char name[17] = "pciXXXX,XXXX.rom"; - tohex16(vendor, name+3); - tohex16(device, name+8); + tohex16(vendor, name + 3); + tohex16(device, name + 8); return cbfs_boot_map_with_leak(name, CBFS_TYPE_OPTIONROM, NULL); } @@ -202,8 +208,9 @@ size_t cbfs_boot_load_file(const char *name, void *buf, size_t buf_size, return 0; if (cbfsf_decompression_info(&fh, &compression_algo, - &decompressed_size) < 0 - || decompressed_size > buf_size) + &decompressed_size) + < 0 + || decompressed_size > buf_size) return 0; return cbfs_load_and_decompress(&fh.data, 0, region_device_sz(&fh.data), @@ -249,7 +256,7 @@ int cbfs_prog_stage_load(struct prog *pstage) /* Hacky way to not load programs over read only media. The stages * that would hit this path initialize themselves. */ if (ENV_VERSTAGE && !IS_ENABLED(CONFIG_NO_XIP_EARLY_STAGES) && - IS_ENABLED(CONFIG_BOOT_DEVICE_MEMORY_MAPPED)) { + IS_ENABLED(CONFIG_BOOT_DEVICE_MEMORY_MAPPED)) { void *mapping = rdev_mmap(fh, foffset, fsize); rdev_munmap(fh, mapping); if (mapping == load) @@ -354,7 +361,7 @@ int cbfs_boot_region_properties(struct cbfs_props *props) continue; LOG("'%s' located CBFS at [%zx:%zx)\n", - ops->name, props->offset, props->offset + props->size); + ops->name, props->offset, props->offset + props->size); return 0; } |