author | Arthur Heymans <arthur@aheymans.xyz> | 2021-03-29 14:23:53 +0200 |
committer | Arthur Heymans <arthur@aheymans.xyz> | 2021-05-06 08:26:41 +0000 |
commit | 6f8e9443aa55ad27045fb437fd8df3386d66ba3e (patch) | |
tree | 32d21070ab5343979b6f95bae77567d26d6230d6 /src/security/tpm | |
parent | 59a621abc70464352eaf540bd6cb896935b9ba72 (diff) |
security/tpm: Add option to init TPM in bootblock
When using a hardware-assisted root of trust for measurement, such as Intel
TXT/CBnT, the TPM must be initialized inside the bootblock to form a proper
chain of trust.
Change-Id: Ifacba5d9ab19b47968b4f2ed5731ded4aac55022
Signed-off-by: Arthur Heymans <arthur@aheymans.xyz>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/51923
Reviewed-by: Christian Walter <christian.walter@9elements.com>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Diffstat (limited to 'src/security/tpm')
-rw-r--r-- | src/security/tpm/Kconfig | 8 | ||||
-rw-r--r-- | src/security/tpm/tspi/tspi.c | 6 |
2 files changed, 13 insertions, 1 deletions
diff --git a/src/security/tpm/Kconfig b/src/security/tpm/Kconfig
index e1255d1680..13bef06985 100644
--- a/src/security/tpm/Kconfig
+++ b/src/security/tpm/Kconfig
@@ -106,6 +106,14 @@ config TPM_MEASURED_BOOT
 	help
 	  Enables measured boot (experimental)
+config TPM_MEASURED_BOOT_INIT_BOOTBLOCK
+	bool
+	depends on TPM_MEASURED_BOOT && !VBOOT
+	help
+	  Initialize TPM inside the bootblock instead of ramstage. This is
+	  useful with some form of hardware assisted root of trust
+	  measurement like Intel TXT/CBnT.
+
 config TPM_MEASURED_BOOT_RUNTIME_DATA
 	string "Runtime data whitelist"
 	default ""
diff --git a/src/security/tpm/tspi/tspi.c b/src/security/tpm/tspi/tspi.c
index 6ef01383ce..7a8e2befdf 100644
--- a/src/security/tpm/tspi/tspi.c
+++ b/src/security/tpm/tspi/tspi.c
@@ -1,5 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0-only */
+#include <rules.h>
 #include <console/cbmem_console.h>
 #include <console/console.h>
 #include <security/tpm/tspi/crtm.h>
@@ -104,6 +105,9 @@ static inline int tspi_tpm_is_setup(void)
 		return vboot_logic_executed();
 	}
+	if (CONFIG(TPM_MEASURED_BOOT_INIT_BOOTBLOCK))
+		return ENV_BOOTBLOCK ? tpm_is_setup : 1;
+
 	if (ENV_RAMSTAGE)
 		return tpm_is_setup;
@@ -180,7 +184,7 @@ uint32_t tpm_setup(int s3flag)
 #if CONFIG(TPM1)
 	result = tpm1_invoke_state_machine();
 #endif
-	if (CONFIG(TPM_MEASURED_BOOT))
+	if (CONFIG(TPM_MEASURED_BOOT) && !CONFIG(TPM_MEASURED_BOOT_INIT_BOOTBLOCK))
 		result = tspi_measure_cache_to_pcr();
 	tpm_is_setup = 1;
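Review bot: The help text for TPM_MEASURED_BOOT_INIT_BOOTBLOCK says the TPM is initialized inside the bootblock, but nothing in this commit adds a tpm_setup() call there; the tspi.c hunks only make later stages report the TPM as already set up and skip the ramstage cache replay. A platform that selects this promptless bool without also calling tpm_setup() from its own bootblock therefore gets the "already set up" answer in romstage and ramstage with no TPM initialized, and the help text is the only place that contract can be seen. I would extend the help with: `The platform's bootblock must call tpm_setup() itself before the first measurement; this option only tells later stages that the TPM is already initialized and disables the cache replay in tpm_setup().`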
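Review bot: The new `return ENV_BOOTBLOCK ? tpm_is_setup : 1;` in tspi_tpm_is_setup() makes every stage after the bootblock report the TPM as set up unconditionally, because tpm_is_setup is a file-scope variable of the current stage and cannot carry the bootblock's outcome forward. If tpm_setup() failed in the bootblock (TPM absent, in failure mode, or its state machine returning an error), romstage and ramstage will still send measurements straight to the TPM instead of caching them, and whether those extends fail loudly or are silently dropped depends on error handling outside this hunk. The trust assumption deserves to be written down at that return: `/* tpm_is_setup does not survive the stage boundary; later stages trust that the bootblock's tpm_setup() succeeded. */`, and the platform bootblock should presumably treat a failed tpm_setup() as fatal rather than continue. tspi_tpm_is_setup() begins before this hunk and continues after it.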
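Review bot: Disabling tspi_measure_cache_to_pcr() whenever TPM_MEASURED_BOOT_INIT_BOOTBLOCK is set also disables it in the bootblock, yet in that stage tspi_tpm_is_setup() returns tpm_is_setup, which stays 0 until this function sets it, so any measurement taken in the bootblock before tpm_setup() is cached and then never extended into a PCR. If the cache is populated in the bootblock — its implementation is not visible here — keeping the replay for that stage closes the gap: `if (CONFIG(TPM_MEASURED_BOOT) && (!CONFIG(TPM_MEASURED_BOOT_INIT_BOOTBLOCK) || ENV_BOOTBLOCK))`. If instead the design requires that tpm_setup() run before the first measurement in the bootblock, that ordering requirement should be stated in a comment on this condition. tpm_setup() begins before this hunk and continues after it.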