From bad08c2c29210530e584436a562a1c03a68eb693 Mon Sep 17 00:00:00 2001
From: Bill XIE
Date: Thu, 13 Feb 2020 11:11:35 +0800
Subject: security/tpm: Include mrc.bin in CRTM if present

mrc.bin, on platforms where it is present, is code executed on CPU, so it should be considered a part of CRTM.

cbfs_locate_file_in_region() is hooked to measurement here too, since mrc.bin is loaded with it, and CBFS_TYPE_MRC (the type of mrc.bin) is measured to TPM_CRTM_PCR rather than TPM_RUNTIME_DATA_PCR.

TODO: I have heard that SMM is too resource-limited to link with vboot library, so currently tspi_measure_cbfs_hook() is masked in SMM. Please correct me if I am wrong.

Change-Id: Ib4c3cf47b919864056baf725001ca8a4aaafa110
Signed-off-by: Bill XIE
Reviewed-on: https://review.coreboot.org/c/coreboot/+/38858
Tested-by: build bot (Jenkins)
Reviewed-by: Julius Werner
---
 src/security/tpm/tspi/crtm.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'src/security/tpm/tspi/crtm.c')

diff --git a/src/security/tpm/tspi/crtm.c b/src/security/tpm/tspi/crtm.c
index dc7d7d21f0..304cea38e9 100644
--- a/src/security/tpm/tspi/crtm.c
+++ b/src/security/tpm/tspi/crtm.c
@@ -133,10 +133,14 @@ uint32_t tspi_measure_cbfs_hook(struct cbfsf *fh, const char *name)
 	cbfs_file_data(&rdev, fh);
 	switch (cbfs_type) {
-	case CBFS_TYPE_MRC:
 	case CBFS_TYPE_MRC_CACHE:
 		pcr_index = TPM_RUNTIME_DATA_PCR;
 		break;
+	/*
+	 * mrc.bin is code executed on CPU, so it
+	 * should not be considered runtime data
+	 */
+	case CBFS_TYPE_MRC:
 	case CBFS_TYPE_STAGE:
 	case CBFS_TYPE_SELF:
 	case CBFS_TYPE_FIT:
-- 
cgit v1.2.3
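Review bot: The new comment above `case CBFS_TYPE_MRC:` says what mrc.bin is not, but not where its measurement now lands; the assignment that the moved label falls through to (`pcr_index = TPM_CRTM_PCR`, per the commit message) is outside the hunk, so a reader of this switch cannot see the effect, and the label sits directly after the runtime-data group's `break;` where it can be mistaken for a stray case. Suggest `/* mrc.bin is code executed on the CPU, so measure it into TPM_CRTM_PCR (falls through below), not TPM_RUNTIME_DATA_PCR. */` and, optionally, moving the label after `case CBFS_TYPE_FIT:` so the grouping is visible at a glance. The commit message also says cbfs_locate_file_in_region() is hooked into measurement, but this patch is limited to crtm.c, so whether an mrc.bin load actually reaches tspi_measure_cbfs_hook() depends on that change being present; worth confirming the two land together, otherwise the CRTM stays incomplete on those platforms. tspi_measure_cbfs_hook() begins and ends outside the hunk.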