authorChristian Walter <christian.walter@9elements.com>2019-07-23 10:26:30 +0200
committerPhilipp Deppenwiese <zaolin.daisuki@gmail.com>2019-08-06 12:07:49 +0000
commit0bd84ed25066fc28d3a0750d429a29c64bfb955d (patch)
tree7b61020acdf77ec01a1163851713386d3724ac31 /src/security/vboot/tpm_common.h
parent6d2dbe11ae1f4ae21b3f15699831e53d47e270cd (diff)
security/vboot: Add Support for Intel PTT
Add support for Intel PTT. For supporting Intel PTT we need to disable read and write access to the TPM NVRAM during the bootblock. TPM NVRAM will only be available once the DRAM is initialized. To circumvent this, we mock secdata if HAVE_INTEL_PTT is set. The underlying problem is that the iTPM only supports a stripped-down instruction set while the Intel ME is not fully booted up. Details can be found in Intel document number 571993 - Paragraph 2.10. Change-Id: I08c9a839f53f96506be5fb68f7c1ed5bf6692505 Signed-off-by: Christian Walter <christian.walter@9elements.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/34510 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com> Reviewed-by: Julius Werner <jwerner@chromium.org>
Diffstat (limited to 'src/security/vboot/tpm_common.h')
-rw-r--r--src/security/vboot/tpm_common.h29
1 files changed, 29 insertions, 0 deletions
diff --git a/src/security/vboot/tpm_common.h b/src/security/vboot/tpm_common.h
new file mode 100644
index 0000000000..6bb32bbf1d
--- /dev/null
+++ b/src/security/vboot/tpm_common.h
@@ -0,0 +1,29 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
+#if CONFIG(TPM1) || CONFIG(TPM2)
+
+/* Start of the root of trust */
+uint32_t vboot_setup_tpm(struct vb2_context *ctx);
+
+/* vboot_extend_pcr function for vb2 context */
+uint32_t vboot_extend_pcr(struct vb2_context *ctx, int pcr,
+ enum vb2_pcr_digest which_digest);
+
+#else
+
+#define vboot_setup_tpm(ctx) 0
+
+#define vboot_extend_pcr(ctx, pcr, which_digest) 0
+
+#endif
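Review bot: The new header has no include guard and uses `uint32_t`, `struct vb2_context` and `enum vb2_pcr_digest` without including anything that defines them, so it only compiles when the including file has already pulled in `<stdint.h>` and the vb2 API; add a guard pair such as `#ifndef VBOOT_TPM_COMMON_H` / `#define VBOOT_TPM_COMMON_H` around the whole file and `#include <stdint.h>` plus `#include <vb2_api.h>` before the `#if CONFIG(TPM1) || CONFIG(TPM2)` line. The prototype comments should also state the return contract, which the stub branch depends on: the `#else` macros expand to `0`, presumably the TPM success code, which means a build with neither TPM1 nor TPM2 selected silently reports a successful root-of-trust setup and PCR extend to its callers. A one-line comment on the `#else` branch, `/* No TPM configured: report success so callers proceed without measurement */`, would make that deliberate choice visible to whoever audits the measured-boot path. The header's two declarations would be clearer with a short contract each, e.g. `/* Initialise the TPM and start the measured-boot chain; returns 0 on success, a TPM error code otherwise */` on `vboot_setup_tpm`.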