diff options
| author | Shelley Chen <shchen@google.com> | 2020-10-16 13:37:09 -0700 |
|---|---|---|
| committer | Julius Werner <jwerner@chromium.org> | 2020-10-20 23:25:50 +0000 |
| commit | df0481e9e1f46193a9f456602987a1a3694102f3 (patch) | |
| tree | e3eddb667839efd83bb4972563f514a2e02d7a60 /src/security/vboot/secdata_tpm.c | |
| parent | a79803cf299a2c4912d5368951c6356df2dcd906 (diff) | |
security/vboot: Add new TPM NVRAM index MRC_RW_HASH_NV_INDEX
Add new index for MRC_CACHE data in RW. Also update antirollback
functions to handle this new index where necessary.
BUG=b:150502246
BRANCH=None
TEST=make sure memory training still works on nami
Change-Id: I2de3c23aa56d3b576ca54dbd85c75e5b80199560
Signed-off-by: Shelley Chen <shchen@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/46511
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
Diffstat (limited to 'src/security/vboot/secdata_tpm.c')
| -rw-r--r-- | src/security/vboot/secdata_tpm.c | 26 |
1 files changed, 22 insertions, 4 deletions
diff --git a/src/security/vboot/secdata_tpm.c b/src/security/vboot/secdata_tpm.c index 451f0438f3..0304b923fb 100644 --- a/src/security/vboot/secdata_tpm.c +++ b/src/security/vboot/secdata_tpm.c @@ -164,9 +164,14 @@ static uint32_t set_kernel_space(const void *kernel_blob) static uint32_t set_mrc_hash_space(uint32_t index, const uint8_t *data) { - return set_space("MRC Hash", index, data, HASH_NV_SIZE, - ro_space_attributes, pcr0_unchanged_policy, - sizeof(pcr0_unchanged_policy)); + if (index == MRC_REC_HASH_NV_INDEX) { + return set_space("RO MRC Hash", index, data, HASH_NV_SIZE, + ro_space_attributes, pcr0_unchanged_policy, + sizeof(pcr0_unchanged_policy)); + } else { + return set_space("RW MRC Hash", index, data, HASH_NV_SIZE, + rw_space_attributes, NULL, 0); + } } static uint32_t _factory_initialize_tpm(struct vb2_context *ctx) @@ -183,6 +188,13 @@ static uint32_t _factory_initialize_tpm(struct vb2_context *ctx) */ RETURN_ON_FAILURE(set_kernel_space(ctx->secdata_kernel)); + /* + * Define and set rec hash space, if available. No need to + * create the RW hash space because we will definitely boot + * once in normal mode before shipping, meaning that the space + * will get created with correct permissions while still in in + * our hands. + */ if (CONFIG(VBOOT_HAS_REC_HASH_SPACE)) RETURN_ON_FAILURE(set_mrc_hash_space(MRC_REC_HASH_NV_INDEX, mrc_hash_data)); @@ -304,7 +316,13 @@ static uint32_t _factory_initialize_tpm(struct vb2_context *ctx) ctx->secdata_firmware, VB2_SECDATA_FIRMWARE_SIZE)); - /* Define and set rec hash space, if available. */ + /* + * Define and set rec hash space, if available. No need to + * create the RW hash space because we will definitely boot + * once in normal mode before shipping, meaning that the space + * will get created with correct permissions while still in in + * our hands. + */ if (CONFIG(VBOOT_HAS_REC_HASH_SPACE)) RETURN_ON_FAILURE(set_mrc_hash_space(MRC_REC_HASH_NV_INDEX, mrc_hash_data)); |