author | Christian Walter <christian.walter@9elements.com> | 2019-07-23 10:26:30 +0200 |
---|---|---|
committer | Philipp Deppenwiese <zaolin.daisuki@gmail.com> | 2019-08-06 12:07:49 +0000 |
commit | 0bd84ed25066fc28d3a0750d429a29c64bfb955d (patch) | |
tree | 7b61020acdf77ec01a1163851713386d3724ac31 /src/security/vboot/secdata_tpm.c | |
parent | 6d2dbe11ae1f4ae21b3f15699831e53d47e270cd (diff) |
security/vboot: Add Support for Intel PTT
Add support for Intel PTT. For supporting Intel PTT we need to disable
read and write access to the TPM NVRAM during the bootblock. TPM NVRAM
will only be available once the DRAM is initialized. To circumvent this,
we mock secdata if HAVE_INTEL_PTT is set. The underlying problem is
that the iTPM only supports a stripped-down instruction set while the
Intel ME is not fully booted up. Details can be found in Intel document
number 571993 - Paragraph 2.10.
Change-Id: I08c9a839f53f96506be5fb68f7c1ed5bf6692505
Signed-off-by: Christian Walter <christian.walter@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/34510
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Diffstat (limited to 'src/security/vboot/secdata_tpm.c')
-rw-r--r-- | src/security/vboot/secdata_tpm.c | 41 |
1 files changed, 1 insertions, 40 deletions
diff --git a/src/security/vboot/secdata_tpm.c b/src/security/vboot/secdata_tpm.c
index 39cd6141fd..09c7e72b9b 100644
--- a/src/security/vboot/secdata_tpm.c
+++ b/src/security/vboot/secdata_tpm.c
@@ -33,6 +33,7 @@
  */
 
 #include <security/vboot/antirollback.h>
+#include <security/vboot/tpm_common.h>
 #include <stdlib.h>
 #include <string.h>
 #include <security/tpm/tspi.h>
@@ -65,31 +66,6 @@
 
 static uint32_t safe_write(uint32_t index, const void *data, uint32_t length);
 
-uint32_t vboot_extend_pcr(struct vb2_context *ctx, int pcr,
-			 enum vb2_pcr_digest which_digest)
-{
-	uint8_t buffer[VB2_PCR_DIGEST_RECOMMENDED_SIZE];
-	uint32_t size = sizeof(buffer);
-	int rv;
-
-	rv = vb2api_get_pcr_digest(ctx, which_digest, buffer, &size);
-	if (rv != VB2_SUCCESS)
-		return rv;
-	if (size < TPM_PCR_MINIMUM_DIGEST_SIZE)
-		return VB2_ERROR_UNKNOWN;
-
-	switch (which_digest) {
-	case BOOT_MODE_PCR:
-		return tpm_extend_pcr(pcr, VB2_HASH_SHA1, buffer, size,
-				      TPM_PCR_GBB_FLAGS_NAME);
-	case HWID_DIGEST_PCR:
-		return tpm_extend_pcr(pcr, VB2_HASH_SHA256, buffer,
-				      size, TPM_PCR_GBB_HWID_NAME);
-	default:
-		return VB2_ERROR_UNKNOWN;
-	}
-}
-
 static uint32_t read_space_firmware(struct vb2_context *ctx)
 {
 	int attempts = 3;
@@ -443,25 +419,10 @@ static uint32_t factory_initialize_tpm(struct vb2_context *ctx)
 	return TPM_SUCCESS;
 }
 
-uint32_t vboot_setup_tpm(struct vb2_context *ctx)
-{
-	uint32_t result;
-
-	result = tpm_setup(ctx->flags & VB2_CONTEXT_S3_RESUME);
-	if (result == TPM_E_MUST_REBOOT)
-		ctx->flags |= VB2_CONTEXT_SECDATA_WANTS_REBOOT;
-
-	return result;
-}
-
 uint32_t antirollback_read_space_firmware(struct vb2_context *ctx)
 {
 	uint32_t rv;
 
-	rv = vboot_setup_tpm(ctx);
-	if (rv)
-		return rv;
-
 	/* Read the firmware space. */
 	rv = read_space_firmware(ctx);
 	if (rv == TPM_E_BADINDEX) {
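Review bot: With the `rv = vboot_setup_tpm(ctx);` guard removed, `antirollback_read_space_firmware` now calls `read_space_firmware(ctx)` without having set up the TPM, so the S3-resume-aware `tpm_setup()` call and the `TPM_E_MUST_REBOOT` to `VB2_CONTEXT_SECDATA_WANTS_REBOOT` translation that used to happen here have silently become a precondition on the caller, and nothing in the hunk records that. Presumably that setup now lives behind the `security/vboot/tpm_common.h` include added in the first hunk, but this file alone cannot confirm it. I would add a comment above the function: `/* Caller must have completed TPM setup (vboot_setup_tpm, now in tpm_common) before calling this; the firmware space is read without initializing the TPM here. */`. The body of `antirollback_read_space_firmware` continues past the end of the hunk.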