authorTim Wawrzynczak <twawrzynczak@chromium.org>2021-10-27 14:54:54 -0600
committerKarthik Ramasubramanian <kramasub@google.com>2021-11-17 23:05:21 +0000
commitf6c53c054394e605f7c975bb7ac4a6bbb93c990c (patch)
tree4bc804cd5ae192e4234d1281d556cd7725cbe9fe /src/security
parent2e445ad1af7cfcbebffdec8863afac2faef748fa (diff)
security/vboot: Use default kernel secdata size
When fetching antirollback information for the kernel, it is not always known ahead of time what the current size of the kernel secdata area is. If the incorrect size is passed, the TPM will return back the correct size, but at the cost of an extra transaction; when using cr50 over I2C, this can be as much as 20ms. Currently, the first attempt uses the minimum size (aka version 0 or 0.2), and if another size is used (which is the case for all modern cr50-based boards, version 1 or 1.0), then a transaction is wasted on every boot. Therefore, change the default size sent to the TPM to be the default one used in the VB2 API instead of the minimum one. BUG=b:201304784 TEST=verify TPM initialization time drops by ~20ms. Also the Kernel NV Index is read correctly in the BIOS logs. src/security/tpm/tss/tcg-2.0/tss.c:231 index 0x1007 return code 0 src/security/tpm/tss/tcg-2.0/tss.c:231 index 0x1008 return code 0 504:finished TPM initialization 99,953 (65,606) Change-Id: I22d9c0079bb1175f24ff7317d116e79aa5ba08ed Signed-off-by: Tim Wawrzynczak <twawrzynczak@chromium.org> Signed-off-by: Karthikeyan Ramasubramanian <kramasub@google.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/58669 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Yu-Ping Wu <yupingso@google.com> Reviewed-by: Julius Werner <jwerner@chromium.org> Reviewed-by: Raul Rangel <rrangel@chromium.org>
Diffstat (limited to 'src/security')
-rw-r--r--src/security/vboot/secdata_tpm.c22
1 files changed, 14 insertions, 8 deletions
diff --git a/src/security/vboot/secdata_tpm.c b/src/security/vboot/secdata_tpm.c
index a95e7d10a5..0bc4f839fe 100644
--- a/src/security/vboot/secdata_tpm.c
+++ b/src/security/vboot/secdata_tpm.c
@@ -58,16 +58,22 @@ uint32_t antirollback_read_space_kernel(struct vb2_context *ctx)
}
}
- uint8_t size = VB2_SECDATA_KERNEL_MIN_SIZE;
-
- RETURN_ON_FAILURE(tlcl_read(KERNEL_NV_INDEX, ctx->secdata_kernel,
- size));
+ uint8_t size = VB2_SECDATA_KERNEL_SIZE;
+ uint32_t ret;
+
+ /* Start with the version 1.0 size used by all modern cr50-boards. */
+ ret = tlcl_read(KERNEL_NV_INDEX, ctx->secdata_kernel, size);
+ if (ret == TPM_E_RANGE) {
+ /* Fallback to version 0.2(minimum) size and re-read. */
+ VBDEBUG("Antirollback: NV read out of range, trying min size\n");
+ size = VB2_SECDATA_KERNEL_MIN_SIZE;
+ ret = tlcl_read(KERNEL_NV_INDEX, ctx->secdata_kernel, size);
+ }
+ RETURN_ON_FAILURE(ret);
- if (vb2api_secdata_kernel_check(ctx, &size)
- == VB2_ERROR_SECDATA_KERNEL_INCOMPLETE)
+ if (vb2api_secdata_kernel_check(ctx, &size) == VB2_ERROR_SECDATA_KERNEL_INCOMPLETE)
/* Re-read. vboot will run the check and handle errors. */
- RETURN_ON_FAILURE(tlcl_read(KERNEL_NV_INDEX,
- ctx->secdata_kernel, size));
+ RETURN_ON_FAILURE(tlcl_read(KERNEL_NV_INDEX, ctx->secdata_kernel, size));
return TPM_SUCCESS;
}
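Review bot: The fallback on the `if (ret == TPM_E_RANGE)` line is keyed on a single error code, so it silently depends on every TSS backend (tcg-1.2 as well as the tcg-2.0 path named in the commit message) translating an NV-read size mismatch into TPM_E_RANGE; if a backend reports the mismatch as a generic read failure, a board whose area is still the minimum size now fails the read on the first attempt instead of retrying, which I cannot confirm from this hunk and is worth checking before merge. The comment above the first read should state that contract rather than the board population, e.g. `/* Try the default (v1.0) size first; fall back to the minimum size only if the TSS reports a range mismatch (TPM_E_RANGE). */`, and the fallback comment reads better as `/* Fall back to the version 0.2 (minimum) size and re-read. */`. Note also that any non-range error from the first read goes straight to RETURN_ON_FAILURE without a retry, which is the intended behaviour but deserves a word in the comment. antirollback_read_space_kernel begins outside the hunk.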