From 7c82dbcc51657806bf2117b214a490bca8eec2f8 Mon Sep 17 00:00:00 2001
From: Frans Hendriks <fhendriks@eltan.com>
Date: Thu, 1 Aug 2019 15:25:19 +0200
Subject: vendorcode/eltan/security/mboot: Add measured boot support

Create measured boot.
This feature uses the vendorcode/eltan/security/lib.
Measure boot can work with and without Verified boot enabled.

The function mb_measure() is starting point for the support. This
function will be called by the common Verified boot code.

BUG=N/A
TEST=Created binary and verify logging on Facebook FBG-1701

Change-Id: I7f880a17e240515dd42d57383b5ddddf576985b0
Signed-off-by: Frans Hendriks <fhendriks@eltan.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/30833
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
---
 src/vendorcode/eltan/security/mboot/mboot.h | 131 ++++++++++++++++++++++++++++
 1 file changed, 131 insertions(+)
 create mode 100644 src/vendorcode/eltan/security/mboot/mboot.h

(limited to 'src/vendorcode/eltan/security/mboot/mboot.h')

diff --git a/src/vendorcode/eltan/security/mboot/mboot.h b/src/vendorcode/eltan/security/mboot/mboot.h
new file mode 100644
index 0000000000..96375aba5b
--- /dev/null
+++ b/src/vendorcode/eltan/security/mboot/mboot.h
@@ -0,0 +1,131 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright (C) 2015 Intel Corporation
+ * Copyright (C) 2018-2019 Eltan B.V.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+
+#ifndef MBOOT_H
+#define MBOOT_H
+
+#include <arch/io.h>
+#include <arch/acpi.h>
+#include <string.h>
+#include <cb_sha.h>
+#include <console/console.h>
+#include <cbfs.h>
+#include <lib.h>
+#include <boot/coreboot_tables.h>
+#include <security/tpm/tss/tcg-2.0/tss_structures.h>
+#include <security/tpm/tss.h>
+#include <swab.h>
+
+/* TPM2 interface */
+#define EFI_TPM2_ACPI_TABLE_START_METHOD_TIS	6
+#define TPM_SHA1_160_HASH_LEN	0x14
+
+/* Part 2, section 5.4: TPM_DIGEST */
+
+/* Index to a PCR register */
+typedef uint32_t TPM_PCRINDEX;
+typedef uint32_t TCG_EVENTTYPE;
+typedef TPM_PCRINDEX TCG_PCRINDEX;
+typedef int8_t TCG_DIGEST;
+
+/* TCG_PCR_EVENT_HDR */
+typedef struct {
+	TCG_PCRINDEX pcrIndex;
+	TCG_EVENTTYPE eventType;
+	TCG_DIGEST digest[TPM_SHA1_160_HASH_LEN];
+	uint32_t eventSize;
+} __packed TCG_PCR_EVENT_HDR;
+
+/* TCG_PCR_EVENT2_HDR */
+typedef struct {
+	TCG_PCRINDEX pcrIndex;
+	TCG_EVENTTYPE eventType;
+	TPML_DIGEST_VALUES digest;
+	uint32_t eventSize;
+} __packed TCG_PCR_EVENT2_HDR;
+
+typedef uint32_t EFI_TCG2_EVENT_ALGORITHM_BITMAP;
+
+#define EFI_TCG2_BOOT_HASH_ALG_SHA1	0x00000001
+#define EFI_TCG2_BOOT_HASH_ALG_SHA256	0x00000002
+#define EFI_TCG2_BOOT_HASH_ALG_SHA384	0x00000004
+#define EFI_TCG2_BOOT_HASH_ALG_SHA512	0x00000008
+#define EFI_TCG2_BOOT_HASH_ALG_SM3_256	0x00000010
+
+/* Standard event types */
+#define EV_POST_CODE		((TCG_EVENTTYPE) 0x00000001)
+#define EV_NO_ACTION		((TCG_EVENTTYPE) 0x00000003)
+#define EV_SEPARATOR		((TCG_EVENTTYPE) 0x00000004)
+#define EV_S_CRTM_CONTENTS	((TCG_EVENTTYPE) 0x00000007)
+#define EV_S_CRTM_VERSION	((TCG_EVENTTYPE) 0x00000008)
+#define EV_CPU_MICROCODE	((TCG_EVENTTYPE) 0x00000009)
+#define EV_TABLE_OF_DEVICES	((TCG_EVENTTYPE) 0x0000000B)
+
+#define MBOOT_PCR_INDEX_0	0x0
+#define MBOOT_PCR_INDEX_1	0x1
+#define MBOOT_PCR_INDEX_2	0x2
+#define MBOOT_PCR_INDEX_3	0x3
+#define MBOOT_PCR_INDEX_4	0x4
+#define MBOOT_PCR_INDEX_5	0x5
+#define MBOOT_PCR_INDEX_6	0x6
+#define MBOOT_PCR_INDEX_7	0x7
+
+/*
+ * used to indicate a hash is provide so there is no need to perform the
+ * measurement
+ */
+#define MBOOT_HASH_PROVIDED (0x00000001)
+
+
+int is_zero_buffer(void *buffer, unsigned int size);
+
+int mboot_hash_extend_log(EFI_TCG2_EVENT_ALGORITHM_BITMAP activePcr,
+	uint64_t flags, uint8_t *hashData, uint32_t hashDataLen,
+	TCG_PCR_EVENT2_HDR *newEventHdr, uint8_t *eventLog, uint8_t invalid);
+
+void mboot_print_buffer(uint8_t *buffer, uint32_t bufferSize);
+
+int mb_crtm(EFI_TCG2_EVENT_ALGORITHM_BITMAP activePcr);
+
+typedef struct {
+	const char *cbfs_name;
+	uint32_t cbfs_type;
+	uint32_t pcr;
+	TCG_EVENTTYPE eventType;
+	const char *event_msg;
+} mboot_measure_item_t;
+
+int mb_measure_log_worker(EFI_TCG2_EVENT_ALGORITHM_BITMAP activePcr,
+		const char *name, uint32_t type, uint32_t pcr,
+		TCG_EVENTTYPE eventType, const char *event_msg);
+
+int mb_measure_log_start(void);
+void invalidate_pcrs(void);
+
+EFI_TCG2_EVENT_ALGORITHM_BITMAP tpm2_get_active_pcrs(void);
+
+int tpm2_get_capability_pcrs(TPML_PCR_SELECTION *Pcrs);
+
+int mb_measure(int wake_from_s3);
+int mb_entry(int wake_from_s3);
+
+int log_efi_specid_event(EFI_TCG2_EVENT_ALGORITHM_BITMAP ActivePcrs);
+int log_event_tcg_20_format(TCG_PCR_EVENT2_HDR *EventHdr, uint8_t *EventLog);
+int log_event_tcg_12_format(TCG_PCR_EVENT2_HDR *EventHdr, uint8_t *EventLog);
+
+int get_intel_me_hash(uint8_t *hash);
+
+#endif /* MBOOT_H */
-- 
cgit v1.2.3