From 4129c2614c2bb774b7d43a7cfc12130121f90c55 Mon Sep 17 00:00:00 2001
From: Sergii Dmytruk
Date: Mon, 24 Oct 2022 01:17:41 +0300
Subject: security/tpm: make usage of PCRs configurable via Kconfig
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

At this moment, only GBB flags are moved from PCR-0 to PCR-1 when vboot-compatibility is not enabled.

Change-Id: Ib3a192d902072f6f8d415c2952a36522b5bf09f9
Ticket: https://ticket.coreboot.org/issues/424
Signed-off-by: Sergii Dmytruk
Reviewed-on: https://review.coreboot.org/c/coreboot/+/68750
Tested-by: build bot (Jenkins)
Reviewed-by: Michał Żygowski
---
 src/security/tpm/Kconfig | 19 +++++++++++++++++++
 src/security/tpm/tspi/crtm.c | 14 +++++++-------
 src/security/tpm/tspi/crtm.h | 8 --------
 3 files changed, 26 insertions(+), 15 deletions(-)
(limited to 'src/security/tpm')

diff --git a/src/security/tpm/Kconfig b/src/security/tpm/Kconfig
index 8466d80dbe..39134c1c71 100644
--- a/src/security/tpm/Kconfig
+++ b/src/security/tpm/Kconfig
@@ -152,4 +152,23 @@ config TPM_MEASURED_BOOT_RUNTIME_DATA
 Runtime data whitelist of cbfs filenames. Needs to be a space delimited list
+config PCR_BOOT_MODE
+ int
+ default 0 if CHROMEOS
+ default 1
+
+config PCR_HWID
+ int
+ default 1
+
+config PCR_SRTM
+ int
+ default 2
+
+# PCR for measuring data which changes during runtime
+# e.g. CMOS, NVRAM...
+config PCR_RUNTIME_DATA
+ int
+ default 3
+
 endmenu # Trusted Platform Module (tpm)
diff --git a/src/security/tpm/tspi/crtm.c b/src/security/tpm/tspi/crtm.c
index a7efcf2145..36dffb8576 100644
--- a/src/security/tpm/tspi/crtm.c
+++ b/src/security/tpm/tspi/crtm.c
@@ -46,7 +46,7 @@ static uint32_t tspi_init_crtm(void)
 struct region_device fmap;
 if (fmap_locate_area_as_rdev("FMAP", &fmap) == 0) {
- if (tpm_measure_region(&fmap, TPM_CRTM_PCR, "FMAP: FMAP")) {
+ if (tpm_measure_region(&fmap, CONFIG_PCR_SRTM, "FMAP: FMAP")) {
 printk(BIOS_ERR, "TSPI: Couldn't measure FMAP into CRTM!\n");
 return VB2_ERROR_UNKNOWN;
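Review bot: PCR_BOOT_MODE, PCR_HWID and PCR_SRTM are added without any help text or comment while only PCR_RUNTIME_DATA gets one; each symbol should state what is extended into that PCR and why the CHROMEOS default differs, e.g. `# PCR for the boot mode (GBB flags); 0 keeps the vboot-compatible layout on CHROMEOS` in line with the commit message. Nothing constrains the values either: a board override could pick an index the TPM does not implement or give two symbols the same index, which would silently merge code measurements with mutable runtime data in one PCR. Kconfig can at least bound each symbol with a `range` line (e.g. `range 0 23`, the PCR count of the PC Client profile), and a build-time check that the indices are distinct belongs with the code that uses them. Neither PCR_BOOT_MODE nor PCR_HWID is referenced by the crtm.c changes in this diff; since the listing is limited to src/security/tpm their consumer is presumably elsewhere and is worth naming in the description.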
@@ -60,7 +60,7 @@ static uint32_t tspi_init_crtm(void)
 struct region_device bootblock_fmap;
 if (fmap_locate_area_as_rdev("BOOTBLOCK", &bootblock_fmap) == 0) {
 if (tpm_measure_region(&bootblock_fmap,
- TPM_CRTM_PCR,
+ CONFIG_PCR_SRTM,
 "FMAP: BOOTBLOCK"))
 return VB2_ERROR_UNKNOWN;
 }
@@ -79,7 +79,7 @@ static uint32_t tspi_init_crtm(void)
 /* Since none of the above conditions are met let the SOC code measure the
 * bootblock. This accomplishes for cases where the bootblock is treated
 * in a special way (e.g. part of IFWI or located in a different CBFS). */
- if (tspi_soc_measure_bootblock(TPM_CRTM_PCR)) {
+ if (tspi_soc_measure_bootblock(CONFIG_PCR_SRTM)) {
 printk(BIOS_INFO,
 "TSPI: Couldn't measure bootblock into CRTM on SoC level!\n");
 return VB2_ERROR_UNKNOWN;
@@ -124,7 +124,7 @@ uint32_t tspi_cbfs_measurement(const char *name, uint32_t type, const struct vb2
 switch (type) {
 case CBFS_TYPE_MRC_CACHE:
- pcr_index = TPM_RUNTIME_DATA_PCR;
+ pcr_index = CONFIG_PCR_RUNTIME_DATA;
 break;
 /*
 * mrc.bin is code executed on CPU, so it
@@ -134,13 +134,13 @@ uint32_t tspi_cbfs_measurement(const char *name, uint32_t type, const struct vb2
 case CBFS_TYPE_STAGE:
 case CBFS_TYPE_SELF:
 case CBFS_TYPE_FIT_PAYLOAD:
- pcr_index = TPM_CRTM_PCR;
+ pcr_index = CONFIG_PCR_SRTM;
 break;
 default:
 if (is_runtime_data(name))
- pcr_index = TPM_RUNTIME_DATA_PCR;
+ pcr_index = CONFIG_PCR_RUNTIME_DATA;
 else
- pcr_index = TPM_CRTM_PCR;
+ pcr_index = CONFIG_PCR_SRTM;
 break;
 }
diff --git a/src/security/tpm/tspi/crtm.h b/src/security/tpm/tspi/crtm.h
index ffa4867594..2bc1d1fad9 100644
--- a/src/security/tpm/tspi/crtm.h
+++ b/src/security/tpm/tspi/crtm.h
@@ -8,14 +8,6 @@
 #include
 #include
-/* CRTM */
-#define TPM_CRTM_PCR 2
-
-/* PCR for measuring data which changes during runtime
- * e.g. CMOS, NVRAM...
- */
-#define TPM_RUNTIME_DATA_PCR 3
-
 #if CONFIG(TPM_LOG_CB) && CONFIG(TPM1)
 # define TPM_MEASURE_ALGO VB2_HASH_SHA1
 #elif CONFIG(TPM_LOG_CB) && CONFIG(TPM2)
-- 
cgit v1.2.3
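Review bot: The `default:` branch of the switch in tspi_cbfs_measurement now routes a file either to CONFIG_PCR_RUNTIME_DATA or to CONFIG_PCR_SRTM depending on is_runtime_data(name), but nothing checks that the two Kconfig values differ; a board that sets them equal gets mutable runtime data extended into the same PCR as code with no warning, and the SRTM PCR would no longer be a stable code-only value to seal against. A compile-time guard next to the first use keeps the Kconfig knobs honest: `_Static_assert(CONFIG_PCR_SRTM != CONFIG_PCR_RUNTIME_DATA, "SRTM and runtime-data PCRs must differ");`. The same applies to the earlier hunks of this file, which only swap the macro names for the CONFIG_ symbols. Since the listing is limited to src/security/tpm, any other user of the removed TPM_CRTM_PCR and TPM_RUNTIME_DATA_PCR macros cannot be confirmed from here. The enclosing function starts and ends outside the hunk.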