summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/security/tpm/Kconfig4
-rw-r--r--src/security/vboot/tpm_common.c6
-rw-r--r--src/security/vboot/vboot_logic.c5
3 files changed, 13 insertions, 2 deletions
diff --git a/src/security/tpm/Kconfig b/src/security/tpm/Kconfig
index e129f51d26..5eb58378ed 100644
--- a/src/security/tpm/Kconfig
+++ b/src/security/tpm/Kconfig
@@ -165,6 +165,10 @@ config PCR_SRTM
int
default 2
+config PCR_FW_VER
+ int
+ default 10
+
# PCR for measuring data which changes during runtime
# e.g. CMOS, NVRAM...
config PCR_RUNTIME_DATA
diff --git a/src/security/vboot/tpm_common.c b/src/security/vboot/tpm_common.c
index c330cc2dcd..997c4e9cd9 100644
--- a/src/security/vboot/tpm_common.c
+++ b/src/security/vboot/tpm_common.c
@@ -8,7 +8,7 @@
#define TPM_PCR_BOOT_MODE "VBOOT: boot mode"
#define TPM_PCR_GBB_HWID_NAME "VBOOT: GBB HWID"
-#define TPM_PCR_MINIMUM_DIGEST_SIZE 20
+#define TPM_PCR_FIRMWARE_VERSION "VBOOT: firmware ver"
tpm_result_t vboot_setup_tpm(struct vb2_context *ctx)
{
@@ -54,6 +54,10 @@ tpm_result_t vboot_extend_pcr(struct vb2_context *ctx, int pcr,
case HWID_DIGEST_PCR:
return tpm_extend_pcr(pcr, algo, buffer, vb2_digest_size(algo),
TPM_PCR_GBB_HWID_NAME);
+ /* firmware version */
+ case FIRMWARE_VERSION_PCR:
+ return tpm_extend_pcr(pcr, algo, buffer, vb2_digest_size(algo),
+ TPM_PCR_FIRMWARE_VERSION);
default:
return TPM_CB_FAIL;
}
diff --git a/src/security/vboot/vboot_logic.c b/src/security/vboot/vboot_logic.c
index 93a188cc7a..f98b083d69 100644
--- a/src/security/vboot/vboot_logic.c
+++ b/src/security/vboot/vboot_logic.c
@@ -190,7 +190,10 @@ static tpm_result_t extend_pcrs(struct vb2_context *ctx)
rc = vboot_extend_pcr(ctx, CONFIG_PCR_BOOT_MODE, BOOT_MODE_PCR);
if (rc)
return rc;
- return vboot_extend_pcr(ctx, CONFIG_PCR_HWID, HWID_DIGEST_PCR);
+ rc = vboot_extend_pcr(ctx, CONFIG_PCR_HWID, HWID_DIGEST_PCR);
+ if (rc)
+ return rc;
+ return vboot_extend_pcr(ctx, CONFIG_PCR_FW_VER, FIRMWARE_VERSION_PCR);
}
#define EC_EFS_BOOT_MODE_VERIFIED_RW 0x00