author | Philipp Deppenwiese <zaolin.daisuki@gmail.com> | 2018-11-08 10:59:40 +0100 |
committer | Philipp Deppenwiese <zaolin.daisuki@gmail.com> | 2019-02-25 22:29:16 +0000 |
commit | 66f9a09916368bfab09da42ef0beed84a4bb7206 (patch) | |
tree | 57ab1cd5851055c117db7fee991d03207b28c69d /src/security/vboot/vboot_crtm.h | |
parent | bacd57dfaf7b4c5d3bc5400dbd82b896d0ed23cc (diff) | |
download | coreboot-66f9a09916368bfab09da42ef0beed84a4bb7206.tar.xz |
security/vboot: Add measured boot mode
* Introduce a measured boot mode into vboot.
* Add hook for stage measurements in prog_loader and cbfs.
* Implement and hook-up CRTM in vboot and check for suspend.
Change-Id: I339a2f1051e44f36aba9f99828f130592a09355e
Signed-off-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Signed-off-by: Werner Zeh <werner.zeh@siemens.com>
Reviewed-on: https://review.coreboot.org/c/29547
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Diffstat (limited to 'src/security/vboot/vboot_crtm.h')
-rw-r--r-- | src/security/vboot/vboot_crtm.h | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/src/security/vboot/vboot_crtm.h b/src/security/vboot/vboot_crtm.h
new file mode 100644
index 0000000000..84ee9e63b5
--- /dev/null
+++ b/src/security/vboot/vboot_crtm.h
@@ -0,0 +1,62 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright (C) 2018 Facebook Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
+#ifndef __SECURITY_VBOOT_CRTM_H__
+#define __SECURITY_VBOOT_CRTM_H__
+
+#include <program_loading.h>
+#include <security/tpm/tspi.h>
+#include <types.h>
+#include <cbfs.h>
+
+/* CRTM */
+#define TPM_CRTM_PCR 2
+
+/* PCR for measuring data which changes during runtime
+ * e.g. CMOS, NVRAM...
+ */
+#define TPM_RUNTIME_DATA_PCR 3
+
+/*
+ * Initializes the Core Root of Trust for Measurements
+ * in coreboot. The initial code in a chain of trust must measure
+ * itself.
+ *
+ * Summary:
+ * + Measures bootblock in CBFS or BOOTBLOCK FMAP partition.
+ * + If vboot starts in romstage, it measures the romstage
+ * in CBFS.
+ * + Measure the verstage if it is compiled as separate
+ * stage.
+ *
+ * Takes the current vboot context as parameter for s3 checks.
+ * returns on success VB2_SUCCESS, else a vboot error.
+ */
+uint32_t vboot_init_crtm(void);
+
+#if (IS_ENABLED(CONFIG_VBOOT_MEASURED_BOOT) && \
+!ENV_BOOTBLOCK && !ENV_DECOMPRESSOR && !ENV_SMM)
+/*
+ * Measures cbfs data via hook (cbfs)
+ * fh is the cbfs file handle to measure
+ * return 0 if successful, else an error
+ */
+uint32_t vboot_measure_cbfs_hook(struct cbfsf *fh, const char *name);
+
+#else
+#define vboot_measure_cbfs_hook(fh, name) 0
+#endif
+
+#endif /* __VBOOT_VBOOT_CRTM_H__ */ |
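Review bot: The comment above `vboot_init_crtm` says it "Takes the current vboot context as parameter for s3 checks", but the prototype is `uint32_t vboot_init_crtm(void);` and takes nothing, so either the parameter was dropped during development or the sentence is stale; it should read `* Takes no parameters; the implementation is expected to obtain the vboot context itself for its S3/suspend check.` or the prototype should gain the context argument. The closing guard comment `#endif /* __VBOOT_VBOOT_CRTM_H__ */` also does not match the guard actually defined, `__SECURITY_VBOOT_CRTM_H__`, and should be `#endif /* __SECURITY_VBOOT_CRTM_H__ */`. Since the non-measured-boot stub `#define vboot_measure_cbfs_hook(fh, name) 0` reports success, it would help callers to state in the comment on the real declaration that a 0 return only indicates a measurement was taken when CONFIG_VBOOT_MEASURED_BOOT is enabled and the stage is not bootblock, decompressor or SMM, so that code relying on a measurement having happened cannot mistake the compiled-out case for a successful extend.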