From 6d88a5d5886d4e66bd16b4f59f9ebbfbd1758740 Mon Sep 17 00:00:00 2001
From: Joel Kitching <kitching@google.com>
Date: Fri, 12 Oct 2018 15:23:31 +0800
Subject: vboot: do not extend PCRs on resume from S3

BUG=b:114018226,chromium:873099
TEST=compile coreboot

Change-Id: I6840c45604535089fa8410f03c69702bec91218f
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/28750
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
---
 src/security/vboot/vboot_logic.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

(limited to 'src/security')

diff --git a/src/security/vboot/vboot_logic.c b/src/security/vboot/vboot_logic.c
index 2fc20fabd4..f3a6b415b8 100644
--- a/src/security/vboot/vboot_logic.c
+++ b/src/security/vboot/vboot_logic.c
@@ -393,15 +393,19 @@ void verstage_main(void)
 		vboot_reboot();
 	}
 
-	timestamp_add_now(TS_START_TPMPCR);
-	rv = extend_pcrs(&ctx);
-	if (rv) {
-		printk(BIOS_WARNING, "Failed to extend TPM PCRs (%#x)\n", rv);
-		vb2api_fail(&ctx, VB2_RECOVERY_RO_TPM_U_ERROR, rv);
-		save_if_needed(&ctx);
-		vboot_reboot();
+	/* Only extend PCRs once on boot. */
+	if (!(ctx.flags & VB2_CONTEXT_S3_RESUME)) {
+		timestamp_add_now(TS_START_TPMPCR);
+		rv = extend_pcrs(&ctx);
+		if (rv) {
+			printk(BIOS_WARNING,
+			       "Failed to extend TPM PCRs (%#x)\n", rv);
+			vb2api_fail(&ctx, VB2_RECOVERY_RO_TPM_U_ERROR, rv);
+			save_if_needed(&ctx);
+			vboot_reboot();
+		}
+		timestamp_add_now(TS_END_TPMPCR);
 	}
-	timestamp_add_now(TS_END_TPMPCR);
 
 	/* Lock TPM */
 
-- 
cgit v1.2.3