security/tpm: Add option to init TPM in bootblock

When using a hardware assisted root of trust measurement, like Intel
TXT/CBnT, the TPM init needs to happen inside the bootblock to form a
proper chain of trust.

Change-Id: Ifacba5d9ab19b47968b4f2ed5731ded4aac55022
Signed-off-by: Arthur Heymans <arthur@aheymans.xyz>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/51923
Reviewed-by: Christian Walter <christian.walter@9elements.com>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>

2 files changed, 3 insertions, 1 deletions

diff --git a/src/drivers/pc80/tpm/Makefile.inc b/src/drivers/pc80/tpm/Makefile.inc
index a16f6afdc4..8b2a864ecb 100644
--- a/src/drivers/pc80/tpm/Makefile.inc
+++ b/src/drivers/pc80/tpm/Makefile.inc
@@ -1,3 +1,4 @@
+bootblock-$(CONFIG_MAINBOARD_HAS_LPC_TPM) += tis.c
 verstage-$(CONFIG_MAINBOARD_HAS_LPC_TPM) += tis.c
 romstage-$(CONFIG_MAINBOARD_HAS_LPC_TPM) += tis.c
 ramstage-$(CONFIG_MAINBOARD_HAS_LPC_TPM) += tis.c
diff --git a/src/drivers/tpm/Kconfig b/src/drivers/tpm/Kconfig
index 128f9bfecd..79b860f89b 100644
--- a/src/drivers/tpm/Kconfig
+++ b/src/drivers/tpm/Kconfig
@@ -1,7 +1,8 @@
 config TPM_INIT_RAMSTAGE
 	bool
 	default y if TPM1 || TPM2
-	depends on !VBOOT && !VENDORCODE_ELTAN_VBOOT && !VENDORCODE_ELTAN_MBOOT
+	depends on !VBOOT && !VENDORCODE_ELTAN_VBOOT && !VENDORCODE_ELTAN_MBOOT \
+		&& !TPM_MEASURED_BOOT_INIT_BOOTBLOCK
 	help
 	  This driver automatically initializes the TPM if vboot is not used.
 	  The TPM driver init is done during the ramstage chip init phase.