authorBill XIE <persmule@hardenedlinux.org>2019-08-22 20:28:36 +0800
committerPhilipp Deppenwiese <zaolin.daisuki@gmail.com>2020-03-31 07:55:18 +0000
commitc79e96b4eb310db9d44e36e2dff072c01469c380 (patch)
treeeafc5710f120fa7f487118cada7c90ff91b251e9 /src/mainboard/siemens
parent6b7bbc2b782938685ba08982c83c1694317a16b8 (diff)
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use the measured boot implemented within vboot must enable verified boot first, along with sections such as GBB and RW slots defined in manually written fmd files, even if they do not actually want to verify anything. As discussed in CB:34977, measured boot should be decoupled from verified boot, making them two fully independent options. Crypto routines necessary for measurement can be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled. In this revision, only the TCPA log is initialized during bootblock. Before the TPM is set up, digests are not measured into the TPM immediately, but cached in the TCPA log and measured into the determined PCRs right after the TPM is up. This change allows those who do not want to use the verified boot scheme implemented by vboot, or its requirement of the more complex partition scheme designed for chromeos, to make use of the measured boot functionality implemented within the vboot library to measure the boot process. TODO: Measure MRC Cache somewhere, as MRC Cache no longer resides in CBFS, so it cannot be covered by tspi_measure_cbfs_hook(). Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE <persmule@hardenedlinux.org> Reviewed-on: https://review.coreboot.org/c/coreboot/+/35077 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com> Reviewed-by: Julius Werner <jwerner@chromium.org> Reviewed-by: Werner Zeh <werner.zeh@siemens.com>
Diffstat (limited to 'src/mainboard/siemens')
-rw-r--r--src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig2
-rw-r--r--src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig2
-rw-r--r--src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig2
-rw-r--r--src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig2
4 files changed, 4 insertions, 4 deletions
diff --git a/src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig b/src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig
index 6adf4e9c41..0f32907da2 100644
--- a/src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig
+++ b/src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig
@@ -9,12 +9,12 @@ config BOARD_SPECIFIC_OPTIONS
select MAINBOARD_HAS_TPM2
select MAINBOARD_HAS_LPC_TPM
select TPM_ON_FAST_SPI
+ select TPM_MEASURED_BOOT
config CBFS_SIZE
default 0xb4e000
config VBOOT
- select VBOOT_MEASURED_BOOT
select VBOOT_VBNV_FLASH
select VBOOT_NO_BOARD_SUPPORT
select GBB_FLAG_DISABLE_LID_SHUTDOWN
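Review bot: `select TPM_MEASURED_BOOT` under BOARD_SPECIFIC_OPTIONS forces measured boot on for this variant even when VBOOT is off, and since a Kconfig `select` does not enforce the selected symbol's own `depends on`, nothing in this hunk guarantees that the non-vboot TPM/CRTM init path the commit message describes is actually built for a VBOOT-disabled configuration. It would be worth confirming that these variants build and still extend the cached TCPA log entries into PCRs with VBOOT disabled, since a silently missing init path would leave the board booting unmeasured. A one-line why-comment above the new select, e.g. `# Measured boot is independent of VBOOT; this board always measures`, would make the intent clear to the next reader. The same move of the select appears in the mc_apl4, mc_apl5 and mc_apl6 hunks.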
diff --git a/src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig b/src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig
index b10bdc846b..55fb4b16bb 100644
--- a/src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig
+++ b/src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig
@@ -9,6 +9,7 @@ config BOARD_SPECIFIC_OPTIONS
select MAINBOARD_HAS_LPC_TPM
select TPM_ON_FAST_SPI
select DRIVERS_I2C_PTN3460
+ select TPM_MEASURED_BOOT
config UART_FOR_CONSOLE
default 1
@@ -17,7 +18,6 @@ config CBFS_SIZE
default 0xb4e000
config VBOOT
- select VBOOT_MEASURED_BOOT
select VBOOT_VBNV_FLASH
select VBOOT_NO_BOARD_SUPPORT
select GBB_FLAG_DISABLE_LID_SHUTDOWN
diff --git a/src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig b/src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig
index e46a0de6f9..bd0b0d7162 100644
--- a/src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig
+++ b/src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig
@@ -12,12 +12,12 @@ config BOARD_SPECIFIC_OPTIONS
select MAINBOARD_HAS_LPC_TPM
select TPM_ON_FAST_SPI
select DRIVERS_I2C_PTN3460
+ select TPM_MEASURED_BOOT
config CBFS_SIZE
default 0xb4e000
config VBOOT
- select VBOOT_MEASURED_BOOT
select VBOOT_VBNV_FLASH
select VBOOT_NO_BOARD_SUPPORT
select GBB_FLAG_DISABLE_LID_SHUTDOWN
diff --git a/src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig b/src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig
index 864e808f17..852294a01d 100644
--- a/src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig
+++ b/src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig
@@ -11,9 +11,9 @@ config BOARD_SPECIFIC_OPTIONS
select MAINBOARD_HAS_TPM2
select MAINBOARD_HAS_LPC_TPM
select TPM_ON_FAST_SPI
+ select TPM_MEASURED_BOOT
config VBOOT
- select VBOOT_MEASURED_BOOT
select VBOOT_VBNV_FLASH
select VBOOT_NO_BOARD_SUPPORT
select GBB_FLAG_DISABLE_LID_SHUTDOWN