diff options
| author | Bill XIE <persmule@hardenedlinux.org> | 2019-08-22 20:28:36 +0800 |
|---|---|---|
| committer | Philipp Deppenwiese <zaolin.daisuki@gmail.com> | 2020-03-31 07:55:18 +0000 |
| commit | c79e96b4eb310db9d44e36e2dff072c01469c380 (patch) | |
| tree | eafc5710f120fa7f487118cada7c90ff91b251e9 /src/security/vboot/Kconfig | |
| parent | 6b7bbc2b782938685ba08982c83c1694317a16b8 (diff) | |
security/vboot: Decouple measured boot from verified boot
Currently, those who want to use measured boot implemented within
vboot should enable verified boot first, along with sections such
as GBB and RW slots defined with manually written fmd files, even
if they do not actually want to verify anything.
As discussed in CB:34977, measured boot should be decoupled from
verified boot and make them two fully independent options. Crypto
routines necessary for measurement could be reused, and TPM and CRTM
init should be done somewhere other than vboot_logic_executed() if
verified boot is not enabled.
In this revision, only TCPA log is initialized during bootblock.
Before TPM gets set up, digests are not measured into tpm immediately,
but cached in TCPA log, and measured into determined PCRs right after
TPM is up.
This change allows those who do not want to use the verified boot
scheme implemented by vboot as well as its requirement of a more
complex partition scheme designed for chromeos to make use of the
measured boot functionality implemented within vboot library to
measure the boot process.
TODO: Measure MRC Cache somewhere, as MRC Cache has never resided in
CBFS any more, so it cannot be covered by tspi_measure_cbfs_hook().
Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee
Signed-off-by: Bill XIE <persmule@hardenedlinux.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/35077
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Werner Zeh <werner.zeh@siemens.com>
Diffstat (limited to 'src/security/vboot/Kconfig')
| -rw-r--r-- | src/security/vboot/Kconfig | 16 |
1 files changed, 0 insertions, 16 deletions
diff --git a/src/security/vboot/Kconfig b/src/security/vboot/Kconfig index 6e0021d58d..f273265054 100644 --- a/src/security/vboot/Kconfig +++ b/src/security/vboot/Kconfig @@ -35,22 +35,6 @@ if VBOOT comment "Anti-Rollback Protection disabled because mocking secdata is enabled." depends on VBOOT_MOCK_SECDATA -config VBOOT_MEASURED_BOOT - bool "Enable Measured Boot" - default n - depends on TPM1 || TPM2 - depends on !VBOOT_RETURN_FROM_VERSTAGE - help - Enables measured boot mode in vboot (experimental) - -config VBOOT_MEASURED_BOOT_RUNTIME_DATA - string "Runtime data whitelist" - default "" - depends on VBOOT_MEASURED_BOOT - help - Runtime data whitelist of cbfs filenames. Needs to be a comma separated - list - config VBOOT_SLOTS_RW_A bool "Firmware RO + RW_A" help |