-rw-r--r--src/security/tpm/tspi/crtm.c11
-rw-r--r--src/security/tpm/tspi/crtm.h6
-rw-r--r--src/soc/amd/common/block/cpu/noncar/Makefile.inc1
-rw-r--r--src/soc/amd/common/block/cpu/noncar/bootblock_measure.c8
-rw-r--r--src/soc/intel/apollolake/Makefile.inc1
-rw-r--r--src/soc/intel/apollolake/bootblock/bootblock_measure.c8
6 files changed, 34 insertions, 1 deletions
diff --git a/src/security/tpm/tspi/crtm.c b/src/security/tpm/tspi/crtm.c
index 6f8f58fcd1..41f6a9483a 100644
--- a/src/security/tpm/tspi/crtm.c
+++ b/src/security/tpm/tspi/crtm.c
@@ -73,7 +73,16 @@ static uint32_t tspi_init_crtm(void)
return VB2_ERROR_UNKNOWN;
}
cbfs_unmap(mapping);
- } /* else: TODO: Add SoC specific measurement methods. */
+ } else {
+ /* Since none of the above conditions are met let the SOC code measure the
+ * bootblock. This accomplishes for cases where the bootblock is treated
+ * in a special way (e.g. part of IFWI or located in a different CBFS). */
+ if (tspi_soc_measure_bootblock(TPM_CRTM_PCR)) {
+ printk(BIOS_INFO,
+ "TSPI: Couldn't measure bootblock into CRTM on SoC level!\n");
+ return VB2_ERROR_UNKNOWN;
+ }
+ }
return VB2_SUCCESS;
}
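Review bot: The failure in the new else branch is logged at BIOS_INFO, so a bootblock that was never extended into the CRTM PCR is easy to miss in a log filtered at a higher level. `printk(BIOS_ERR, "TSPI: Couldn't measure bootblock into CRTM on SoC level!\n");` would fit a broken root-of-trust measurement better, though the sibling branches of this function are outside the hunk and may use the same level deliberately. The branch also turns a path that used to fall through to VB2_SUCCESS into VB2_ERROR_UNKNOWN whenever the SoC hook returns non-zero, which both stubs added in this commit always do. What the callers of tspi_init_crtm() do with that error is not visible here and is worth confirming. tspi_init_crtm() starts above the hunk.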
diff --git a/src/security/tpm/tspi/crtm.h b/src/security/tpm/tspi/crtm.h
index c4d051d988..bd5bc5785d 100644
--- a/src/security/tpm/tspi/crtm.h
+++ b/src/security/tpm/tspi/crtm.h
@@ -28,4 +28,10 @@ int tspi_measure_cache_to_pcr(void);
*/
uint32_t tspi_cbfs_measurement(const char *name, uint32_t type, const struct vb2_hash *hash);
+/*
+ * Provide a function on SoC level to measure the bootblock for cases where bootblock is
+ * neither in FMAP nor in CBFS (e.g. in IFWI).
+ */
+int tspi_soc_measure_bootblock(int pcr_index);
+
#endif /* __SECURITY_TSPI_CRTM_H__ */
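Review bot: The comment on tspi_soc_measure_bootblock() does not say what the return value means, while the caller in crtm.c treats any non-zero result as a failed measurement. I would extend the comment with `Returns 0 once the bootblock has been extended into pcr_index, non-zero otherwise.` No default implementation is visible in this commit, so presumably every SoC that can reach the new else branch with CONFIG_TPM_MEASURED_BOOT set has to supply its own definition. Stating that requirement in the comment would help anyone porting a new SoC.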
diff --git a/src/soc/amd/common/block/cpu/noncar/Makefile.inc b/src/soc/amd/common/block/cpu/noncar/Makefile.inc
index 71927961db..2ffe52b361 100644
--- a/src/soc/amd/common/block/cpu/noncar/Makefile.inc
+++ b/src/soc/amd/common/block/cpu/noncar/Makefile.inc
@@ -3,6 +3,7 @@ ifeq ($(CONFIG_SOC_AMD_COMMON_BLOCK_NONCAR),y)
bootblock-y += early_cache.c
bootblock-y += pre_c.S
bootblock-y += write_resume_eip.c
+bootblock-$(CONFIG_TPM_MEASURED_BOOT) += bootblock_measure.c
romstage-y += memmap.c
ramstage-y += cpu.c
romstage-y += cpu.c
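Review bot: bootblock_measure.c is added to the bootblock stage only, here and in src/soc/intel/apollolake/Makefile.inc. If crtm.c is also linked into verstage, romstage or ramstage (not visible in this diff), tspi_init_crtm() in those stages would reference tspi_soc_measure_bootblock() without a definition. Either add matching lines such as `romstage-$(CONFIG_TPM_MEASURED_BOOT) += bootblock_measure.c` for each stage that builds crtm.c, or confirm that the call can only be reached from the bootblock.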
diff --git a/src/soc/amd/common/block/cpu/noncar/bootblock_measure.c b/src/soc/amd/common/block/cpu/noncar/bootblock_measure.c
new file mode 100644
index 0000000000..16ba154bb7
--- /dev/null
+++ b/src/soc/amd/common/block/cpu/noncar/bootblock_measure.c
@@ -0,0 +1,8 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+
+#include <security/tpm/tspi/crtm.h>
+
+int tspi_soc_measure_bootblock(int pcr_index)
+{
+ return 1;
+}
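Review bot: The stub returns 1 unconditionally and ignores pcr_index, with no comment saying it is a placeholder. Combined with the caller in crtm.c, this makes CRTM initialisation fail on every boot that reaches the SoC path. Failing rather than reporting success for an unmeasured bootblock is the safer default for attestation, but the intent should be stated, e.g. `/* Not implemented yet: report failure so an unmeasured bootblock is never recorded as measured. */` above the return. The apollolake copy in src/soc/intel/apollolake/bootblock/bootblock_measure.c is byte-identical (same blob 16ba154bb7) and needs the same comment.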
diff --git a/src/soc/intel/apollolake/Makefile.inc b/src/soc/intel/apollolake/Makefile.inc
index a6d42247e2..a4ed87f45d 100644
--- a/src/soc/intel/apollolake/Makefile.inc
+++ b/src/soc/intel/apollolake/Makefile.inc
@@ -4,6 +4,7 @@ subdirs-y += ../../../cpu/intel/common
subdirs-y += ../../../cpu/intel/microcode
subdirs-y += ../../../cpu/intel/turbo
+bootblock-$(CONFIG_TPM_MEASURED_BOOT) += bootblock/bootblock_measure.c
bootblock-y += bootblock/bootblock.c
bootblock-y += ../common/block/cpu/pm_timer_emulation.c
bootblock-y += car.c
diff --git a/src/soc/intel/apollolake/bootblock/bootblock_measure.c b/src/soc/intel/apollolake/bootblock/bootblock_measure.c
new file mode 100644
index 0000000000..16ba154bb7
--- /dev/null
+++ b/src/soc/intel/apollolake/bootblock/bootblock_measure.c
@@ -0,0 +1,8 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+
+#include <security/tpm/tspi/crtm.h>
+
+int tspi_soc_measure_bootblock(int pcr_index)
+{
+ return 1;
+}