security/tpm: make usage of PCRs configurable via Kconfig

At this moment, only GBB flags are moved from PCR-0 to PCR-1 when
vboot-compatibility is not enabled.

Change-Id: Ib3a192d902072f6f8d415c2952a36522b5bf09f9
Ticket: https://ticket.coreboot.org/issues/424
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/68750
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Michał Żygowski <michal.zygowski@3mdeb.com>

3 files changed, 26 insertions, 15 deletions

diff --git a/src/security/tpm/Kconfig b/src/security/tpm/Kconfig
index 8466d80dbe..39134c1c71 100644
--- a/src/security/tpm/Kconfig
+++ b/src/security/tpm/Kconfig
@@ -152,4 +152,23 @@ config TPM_MEASURED_BOOT_RUNTIME_DATA
 	  Runtime data whitelist of cbfs filenames. Needs to be a
 	  space delimited list
 
+config PCR_BOOT_MODE
+	int
+	default 0 if CHROMEOS
+	default 1
+
+config PCR_HWID
+	int
+	default 1
+
+config PCR_SRTM
+	int
+	default 2
+
+# PCR for measuring data which changes during runtime
+# e.g. CMOS, NVRAM...
+config PCR_RUNTIME_DATA
+	int
+	default 3
+
 endmenu # Trusted Platform Module (tpm)
diff --git a/src/security/tpm/tspi/crtm.c b/src/security/tpm/tspi/crtm.c
index a7efcf2145..36dffb8576 100644
--- a/src/security/tpm/tspi/crtm.c
+++ b/src/security/tpm/tspi/crtm.c
@@ -46,7 +46,7 @@ static uint32_t tspi_init_crtm(void)
 
 	struct region_device fmap;
 	if (fmap_locate_area_as_rdev("FMAP", &fmap) == 0) {
-		if (tpm_measure_region(&fmap, TPM_CRTM_PCR, "FMAP: FMAP")) {
+		if (tpm_measure_region(&fmap, CONFIG_PCR_SRTM, "FMAP: FMAP")) {
 			printk(BIOS_ERR,
 			       "TSPI: Couldn't measure FMAP into CRTM!\n");
 			return VB2_ERROR_UNKNOWN;
@@ -60,7 +60,7 @@ static uint32_t tspi_init_crtm(void)
 		struct region_device bootblock_fmap;
 		if (fmap_locate_area_as_rdev("BOOTBLOCK", &bootblock_fmap) == 0) {
 			if (tpm_measure_region(&bootblock_fmap,
-					TPM_CRTM_PCR,
+					CONFIG_PCR_SRTM,
 					"FMAP: BOOTBLOCK"))
 				return VB2_ERROR_UNKNOWN;
 		}
@@ -79,7 +79,7 @@ static uint32_t tspi_init_crtm(void)
 		/* Since none of the above conditions are met let the SOC code measure the
 		 * bootblock. This accomplishes for cases where the bootblock is treated
 		 * in a special way (e.g. part of IFWI or located in a different CBFS). */
-		if (tspi_soc_measure_bootblock(TPM_CRTM_PCR)) {
+		if (tspi_soc_measure_bootblock(CONFIG_PCR_SRTM)) {
 			printk(BIOS_INFO,
 			       "TSPI: Couldn't measure bootblock into CRTM on SoC level!\n");
 			return VB2_ERROR_UNKNOWN;
@@ -124,7 +124,7 @@ uint32_t tspi_cbfs_measurement(const char *name, uint32_t type, const struct vb2
 
 	switch (type) {
 	case CBFS_TYPE_MRC_CACHE:
-		pcr_index = TPM_RUNTIME_DATA_PCR;
+		pcr_index = CONFIG_PCR_RUNTIME_DATA;
 		break;
 	/*
 	 * mrc.bin is code executed on CPU, so it
@@ -134,13 +134,13 @@ uint32_t tspi_cbfs_measurement(const char *name, uint32_t type, const struct vb2
 	case CBFS_TYPE_STAGE:
 	case CBFS_TYPE_SELF:
 	case CBFS_TYPE_FIT_PAYLOAD:
-		pcr_index = TPM_CRTM_PCR;
+		pcr_index = CONFIG_PCR_SRTM;
 		break;
 	default:
 		if (is_runtime_data(name))
-			pcr_index = TPM_RUNTIME_DATA_PCR;
+			pcr_index = CONFIG_PCR_RUNTIME_DATA;
 		else
-			pcr_index = TPM_CRTM_PCR;
+			pcr_index = CONFIG_PCR_SRTM;
 		break;
 	}
 
diff --git a/src/security/tpm/tspi/crtm.h b/src/security/tpm/tspi/crtm.h
index ffa4867594..2bc1d1fad9 100644
--- a/src/security/tpm/tspi/crtm.h
+++ b/src/security/tpm/tspi/crtm.h
@@ -8,14 +8,6 @@
 #include <types.h>
 #include <vb2_sha.h>
 
-/* CRTM */
-#define TPM_CRTM_PCR 2
-
-/* PCR for measuring data which changes during runtime
- * e.g. CMOS, NVRAM...
- */
-#define TPM_RUNTIME_DATA_PCR 3
-
 #if CONFIG(TPM_LOG_CB) && CONFIG(TPM1)
 #  define TPM_MEASURE_ALGO VB2_HASH_SHA1
 #elif CONFIG(TPM_LOG_CB) && CONFIG(TPM2)