summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorWerner Zeh <werner.zeh@siemens.com>2022-05-19 09:16:28 +0200
committerFelix Held <felix-coreboot@felixheld.de>2022-05-24 13:44:28 +0000
commit5c808e03e2d80edd9ecd6a2a9268152b477940b6 (patch)
treef49680d445e435871dd5bbbef3c5e569dd644a47 /src
parentca29a191d591e1e3e47e1577418916f72e6e108a (diff)
security/tpm/crtm: Add a function to measure the bootblock on SoC level
On platforms where the bootblock is not included in CBFS anymore (because it is part of another firmware section (IFWI or a different CBFS), the CRTM measurement fails. This patch adds a new function to provide a way at SoC level to measure the bootblock. Following patches will add functionality to retrieve the bootblock from the SoC related location and measure it from there. In this way the really executed code will be measured. Change-Id: I6d0da1e95a9588eb5228f63151bb04bfccfcf04b Signed-off-by: Werner Zeh <werner.zeh@siemens.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/64492 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Arthur Heymans <arthur@aheymans.xyz>
Diffstat (limited to 'src')
-rw-r--r--src/security/tpm/tspi/crtm.c11
-rw-r--r--src/security/tpm/tspi/crtm.h6
-rw-r--r--src/soc/amd/common/block/cpu/noncar/Makefile.inc1
-rw-r--r--src/soc/amd/common/block/cpu/noncar/bootblock_measure.c8
-rw-r--r--src/soc/intel/apollolake/Makefile.inc1
-rw-r--r--src/soc/intel/apollolake/bootblock/bootblock_measure.c8
6 files changed, 34 insertions, 1 deletions
diff --git a/src/security/tpm/tspi/crtm.c b/src/security/tpm/tspi/crtm.c
index 6f8f58fcd1..41f6a9483a 100644
--- a/src/security/tpm/tspi/crtm.c
+++ b/src/security/tpm/tspi/crtm.c
@@ -73,7 +73,16 @@ static uint32_t tspi_init_crtm(void)
return VB2_ERROR_UNKNOWN;
}
cbfs_unmap(mapping);
- } /* else: TODO: Add SoC specific measurement methods. */
+ } else {
+ /* Since none of the above conditions are met let the SOC code measure the
+ * bootblock. This accomplishes for cases where the bootblock is treated
+ * in a special way (e.g. part of IFWI or located in a different CBFS). */
+ if (tspi_soc_measure_bootblock(TPM_CRTM_PCR)) {
+ printk(BIOS_INFO,
+ "TSPI: Couldn't measure bootblock into CRTM on SoC level!\n");
+ return VB2_ERROR_UNKNOWN;
+ }
+ }
return VB2_SUCCESS;
}
diff --git a/src/security/tpm/tspi/crtm.h b/src/security/tpm/tspi/crtm.h
index c4d051d988..bd5bc5785d 100644
--- a/src/security/tpm/tspi/crtm.h
+++ b/src/security/tpm/tspi/crtm.h
@@ -28,4 +28,10 @@ int tspi_measure_cache_to_pcr(void);
*/
uint32_t tspi_cbfs_measurement(const char *name, uint32_t type, const struct vb2_hash *hash);
+/*
+ * Provide a function on SoC level to measure the bootblock for cases where bootblock is
+ * neither in FMAP nor in CBFS (e.g. in IFWI).
+ */
+int tspi_soc_measure_bootblock(int pcr_index);
+
#endif /* __SECURITY_TSPI_CRTM_H__ */
diff --git a/src/soc/amd/common/block/cpu/noncar/Makefile.inc b/src/soc/amd/common/block/cpu/noncar/Makefile.inc
index 71927961db..2ffe52b361 100644
--- a/src/soc/amd/common/block/cpu/noncar/Makefile.inc
+++ b/src/soc/amd/common/block/cpu/noncar/Makefile.inc
@@ -3,6 +3,7 @@ ifeq ($(CONFIG_SOC_AMD_COMMON_BLOCK_NONCAR),y)
bootblock-y += early_cache.c
bootblock-y += pre_c.S
bootblock-y += write_resume_eip.c
+bootblock-$(CONFIG_TPM_MEASURED_BOOT) += bootblock_measure.c
romstage-y += memmap.c
ramstage-y += cpu.c
romstage-y += cpu.c
diff --git a/src/soc/amd/common/block/cpu/noncar/bootblock_measure.c b/src/soc/amd/common/block/cpu/noncar/bootblock_measure.c
new file mode 100644
index 0000000000..16ba154bb7
--- /dev/null
+++ b/src/soc/amd/common/block/cpu/noncar/bootblock_measure.c
@@ -0,0 +1,8 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+
+#include <security/tpm/tspi/crtm.h>
+
+int tspi_soc_measure_bootblock(int pcr_index)
+{
+ return 1;
+}
diff --git a/src/soc/intel/apollolake/Makefile.inc b/src/soc/intel/apollolake/Makefile.inc
index a6d42247e2..a4ed87f45d 100644
--- a/src/soc/intel/apollolake/Makefile.inc
+++ b/src/soc/intel/apollolake/Makefile.inc
@@ -4,6 +4,7 @@ subdirs-y += ../../../cpu/intel/common
subdirs-y += ../../../cpu/intel/microcode
subdirs-y += ../../../cpu/intel/turbo
+bootblock-$(CONFIG_TPM_MEASURED_BOOT) += bootblock/bootblock_measure.c
bootblock-y += bootblock/bootblock.c
bootblock-y += ../common/block/cpu/pm_timer_emulation.c
bootblock-y += car.c
diff --git a/src/soc/intel/apollolake/bootblock/bootblock_measure.c b/src/soc/intel/apollolake/bootblock/bootblock_measure.c
new file mode 100644
index 0000000000..16ba154bb7
--- /dev/null
+++ b/src/soc/intel/apollolake/bootblock/bootblock_measure.c
@@ -0,0 +1,8 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+
+#include <security/tpm/tspi/crtm.h>
+
+int tspi_soc_measure_bootblock(int pcr_index)
+{
+ return 1;
+}