From 6f8e9443aa55ad27045fb437fd8df3386d66ba3e Mon Sep 17 00:00:00 2001
From: Arthur Heymans
Date: Mon, 29 Mar 2021 14:23:53 +0200
Subject: security/tpm: Add option to init TPM in bootblock

When using a hardware assisted root of trust measurement, like Intel TXT/CBnT, the TPM init needs to happen inside the bootblock to form a proper chain of trust.

Change-Id: Ifacba5d9ab19b47968b4f2ed5731ded4aac55022
Signed-off-by: Arthur Heymans
Reviewed-on: https://review.coreboot.org/c/coreboot/+/51923
Reviewed-by: Christian Walter
Reviewed-by: Angel Pons
Tested-by: build bot (Jenkins)
---
 src/lib/bootblock.c | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'src/lib')

diff --git a/src/lib/bootblock.c b/src/lib/bootblock.c
index 23fb392276..5989964921 100644
--- a/src/lib/bootblock.c
+++ b/src/lib/bootblock.c
@@ -1,5 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0-only */
+#include
 #include
 #include
 #include
@@ -8,6 +9,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
@@ -56,6 +58,11 @@ void bootblock_main_with_timestamp(uint64_t base_timestamp,
 bootblock_soc_init();
 bootblock_mainboard_init();
+ if (CONFIG(TPM_MEASURED_BOOT_INIT_BOOTBLOCK)) {
+ int s3resume = acpi_is_wakeup_s3();
+ tpm_setup(s3resume);
+ }
 timestamp_add_now(TS_END_BOOTBLOCK);
 run_romstage();
-- 
cgit v1.2.3
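Review bot: The status returned by tpm_setup() is discarded in the new block after bootblock_mainboard_init(); as far as I recall the tspi.h prototype returns a uint32_t status, so a TPM that failed to initialise at this point would leave no trace in the bootblock log even though this call is the step meant to anchor the chain of trust. Checking and reporting the result keeps the failure visible: `if (tpm_setup(s3resume) != TPM_SUCCESS)` followed by `printk(BIOS_ERR, "TPM setup failed in bootblock\n");`, assuming console.h is among the (path-stripped) includes of this file. If the status is deliberately not acted on, the single-use `s3resume` local could at least be folded into the call, `tpm_setup(acpi_is_wakeup_s3());`. bootblock_main_with_timestamp() begins and ends outside the hunk, and the two `#include` lines added by the first two hunks have their paths stripped in this rendering, so they cannot be checked here.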