Diffstat (limited to 'src/security')
-rw-r--r--src/security/intel/cbnt/Kconfig1
-rw-r--r--src/security/tpm/Kconfig8
-rw-r--r--src/security/tpm/tspi/tspi.c6
3 files changed, 14 insertions, 1 deletions
diff --git a/src/security/intel/cbnt/Kconfig b/src/security/intel/cbnt/Kconfig
index 415092b6c2..9208ab42ce 100644
--- a/src/security/intel/cbnt/Kconfig
+++ b/src/security/intel/cbnt/Kconfig
@@ -8,6 +8,7 @@ config INTEL_CBNT_SUPPORT
select INTEL_TXT
# With CBnT the bootblock is set up as a CBnT IBB and needs a fixed size
select FIXED_BOOTBLOCK_SIZE
+ select TPM_MEASURED_BOOT_INIT_BOOTBLOCK if TPM_MEASURED_BOOT
help
Enables Intel Converged Bootguard and Trusted Execution Technology
Support. This will enable one to add a Key Manifest (KM) and a Boot
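Review bot: `select TPM_MEASURED_BOOT_INIT_BOOTBLOCK if TPM_MEASURED_BOOT` does not honour the selected symbol's own `depends on TPM_MEASURED_BOOT && !VBOOT` (a select forces a symbol on regardless of its dependencies), so a configuration with INTEL_CBNT_SUPPORT, TPM_MEASURED_BOOT and VBOOT all enabled would get the symbol set with only an unmet-dependency warning, and the bootblock TPM init would presumably collide with the vboot-owned path that tspi.c checks first. Mirror the dependency in the select condition, `select TPM_MEASURED_BOOT_INIT_BOOTBLOCK if TPM_MEASURED_BOOT && !VBOOT`. The selected symbol's `depends on` line is in the src/security/tpm/Kconfig hunk of this page.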
diff --git a/src/security/tpm/Kconfig b/src/security/tpm/Kconfig
index e1255d1680..13bef06985 100644
--- a/src/security/tpm/Kconfig
+++ b/src/security/tpm/Kconfig
@@ -106,6 +106,14 @@ config TPM_MEASURED_BOOT
help
Enables measured boot (experimental)
+config TPM_MEASURED_BOOT_INIT_BOOTBLOCK
+ bool
+ depends on TPM_MEASURED_BOOT && !VBOOT
+ help
+ Initialize TPM inside the bootblock instead of ramstage. This is
+ useful with some form of hardware assisted root of trust
+ measurement like Intel TXT/CBnT.
+
config TPM_MEASURED_BOOT_RUNTIME_DATA
string "Runtime data whitelist"
default ""
diff --git a/src/security/tpm/tspi/tspi.c b/src/security/tpm/tspi/tspi.c
index 6ef01383ce..7a8e2befdf 100644
--- a/src/security/tpm/tspi/tspi.c
+++ b/src/security/tpm/tspi/tspi.c
@@ -1,5 +1,6 @@
/* SPDX-License-Identifier: GPL-2.0-only */
+#include <rules.h>
#include <console/cbmem_console.h>
#include <console/console.h>
#include <security/tpm/tspi/crtm.h>
@@ -104,6 +105,9 @@ static inline int tspi_tpm_is_setup(void)
return vboot_logic_executed();
}
+ if (CONFIG(TPM_MEASURED_BOOT_INIT_BOOTBLOCK))
+ return ENV_BOOTBLOCK ? tpm_is_setup : 1;
+
if (ENV_RAMSTAGE)
return tpm_is_setup;
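Review bot: The new `return ENV_BOOTBLOCK ? tpm_is_setup : 1;` reports the TPM as set up unconditionally in every stage after the bootblock, so a tpm_setup() that failed there is invisible to later stages and any caller gating on this function will presumably proceed to extend an uninitialized TPM. The static `tpm_is_setup` appears to be visible only within the stage that set it, which is likely why the later stages cannot read it; that assumption should be stated at the new `if`, e.g. `/* TPM was brought up in the bootblock; its static state does not survive the stage boundary, so later stages assume it succeeded. */`. If a failed bootblock setup must be honoured, the result would need to be handed over through a stage-independent location, which this hunk does not show. tspi_tpm_is_setup()'s opening brace and final return are outside the hunk.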
@@ -180,7 +184,7 @@ uint32_t tpm_setup(int s3flag)
#if CONFIG(TPM1)
result = tpm1_invoke_state_machine();
#endif
- if (CONFIG(TPM_MEASURED_BOOT))
+ if (CONFIG(TPM_MEASURED_BOOT) && !CONFIG(TPM_MEASURED_BOOT_INIT_BOOTBLOCK))
result = tspi_measure_cache_to_pcr();
tpm_is_setup = 1;
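Review bot: With TPM_MEASURED_BOOT_INIT_BOOTBLOCK the call to tspi_measure_cache_to_pcr() is skipped entirely, so anything recorded in the measurement cache before tpm_setup() runs in the bootblock is never extended into a PCR unless a path outside this diff replays it, and the hunk shows no such path. If the intent is that the bootblock measures directly once the TPM is up and nothing is cached before that point, say so at the changed condition, e.g. `/* Bootblock init: measurements go straight to the TPM, no cache to replay here. */`; otherwise the measure call should still run for the stage that performs the init. tpm_setup()'s body starts and ends outside the hunk.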