From 66f9a09916368bfab09da42ef0beed84a4bb7206 Mon Sep 17 00:00:00 2001 From: Philipp Deppenwiese Date: Thu, 8 Nov 2018 10:59:40 +0100 Subject: security/vboot: Add measured boot mode * Introduce a measured boot mode into vboot. * Add hook for stage measurements in prog_loader and cbfs. * Implement and hook-up CRTM in vboot and check for suspend. Change-Id: I339a2f1051e44f36aba9f99828f130592a09355e Signed-off-by: Philipp Deppenwiese Signed-off-by: Werner Zeh Reviewed-on: https://review.coreboot.org/c/29547 Tested-by: build bot (Jenkins)
--- src/security/vboot/vboot_crtm.h | 62 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 src/security/vboot/vboot_crtm.h (limited to 'src/security/vboot/vboot_crtm.h')
diff --git a/src/security/vboot/vboot_crtm.h b/src/security/vboot/vboot_crtm.h
new file mode 100644
index 0000000000..84ee9e63b5
--- /dev/null
+++ b/src/security/vboot/vboot_crtm.h
@@ -0,0 +1,62 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright (C) 2018 Facebook Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
+#ifndef __SECURITY_VBOOT_CRTM_H__
+#define __SECURITY_VBOOT_CRTM_H__
+
+#include
+#include
+#include
+#include
+
+/* CRTM */
+#define TPM_CRTM_PCR 2
+
+/* PCR for measuring data which changes during runtime
+ * e.g. CMOS, NVRAM...
+ */
+#define TPM_RUNTIME_DATA_PCR 3
+
+/*
+ * Initializes the Core Root of Trust for Measurements
+ * in coreboot. The initial code in a chain of trust must measure
+ * itself.
+ *
+ * Summary:
+ * + Measures bootblock in CBFS or BOOTBLOCK FMAP partition.
+ * + If vboot starts in romstage, it measures the romstage
+ * in CBFS.
+ * + Measure the verstage if it is compiled as separate
+ * stage.
+ *
+ * Takes the current vboot context as parameter for s3 checks.
+ * returns on success VB2_SUCCESS, else a vboot error.
+ */
+uint32_t vboot_init_crtm(void);
+
+#if (IS_ENABLED(CONFIG_VBOOT_MEASURED_BOOT) && \
+!ENV_BOOTBLOCK && !ENV_DECOMPRESSOR && !ENV_SMM)
+/*
+ * Measures cbfs data via hook (cbfs)
+ * fh is the cbfs file handle to measure
+ * return 0 if successful, else an error
+ */
+uint32_t vboot_measure_cbfs_hook(struct cbfsf *fh, const char *name);
+
+#else
+#define vboot_measure_cbfs_hook(fh, name) 0
+#endif
+
+#endif /* __VBOOT_VBOOT_CRTM_H__ */
-- cgit v1.2.3
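Review bot: The closing guard comment `#endif /* __VBOOT_VBOOT_CRTM_H__ */` on the last line does not match the guard the header actually defines, `__SECURITY_VBOOT_CRTM_H__`; change it to `#endif /* __SECURITY_VBOOT_CRTM_H__ */` so the two stay in sync. The block comment above `vboot_init_crtm` says it "Takes the current vboot context as parameter for s3 checks", but the prototype is `uint32_t vboot_init_crtm(void);`, so that sentence should be dropped or reworded to say the context is obtained inside the function. The fallback `#define vboot_measure_cbfs_hook(fh, name) 0` reports success while performing no measurement at all, which matters for anyone relying on PCR 2 contents; a one-line comment above it such as `/* No measurement in bootblock, decompressor or SMM: the hook is a no-op that reports success */` would make that explicit to callers. The four `#include` lines carry no header name in this hunk, presumably stripped by the page rendering rather than by the commit, but it is worth confirming against the tree.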