security/vboot: Decouple measured boot from verified boot

Currently, those who want to use measured boot implemented within
vboot should enable verified boot first, along with sections such
as GBB and RW slots defined with manually written fmd files, even
if they do not actually want to verify anything.

As discussed in CB:34977, measured boot should be decoupled from
verified boot and make them two fully independent options. Crypto
routines necessary for measurement could be reused, and TPM and CRTM
init should be done somewhere other than vboot_logic_executed() if
verified boot is not enabled.

In this revision, only TCPA log is initialized during bootblock.
Before TPM gets set up, digests are not measured into tpm immediately,
but cached in TCPA log, and measured into determined PCRs right after
TPM is up.

This change allows those who do not want to use the verified boot
scheme implemented by vboot as well as its requirement of a more
complex partition scheme designed for chromeos to make use of the
measured boot functionality implemented within vboot library to
measure the boot process.

TODO: Measure MRC Cache somewhere, as MRC Cache has never resided in
CBFS any more, so it cannot be covered by tspi_measure_cbfs_hook().

Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee
Signed-off-by: Bill XIE <persmule@hardenedlinux.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/35077
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Werner Zeh <werner.zeh@siemens.com>

6 files changed, 4 insertions, 292 deletions

diff --git a/src/security/vboot/Kconfig b/src/security/vboot/Kconfig
index 6e0021d58d..f273265054 100644
--- a/src/security/vboot/Kconfig
+++ b/src/security/vboot/Kconfig
@@ -35,22 +35,6 @@ if VBOOT
 comment "Anti-Rollback Protection disabled because mocking secdata is enabled."
 	depends on VBOOT_MOCK_SECDATA
 
-config VBOOT_MEASURED_BOOT
-	bool "Enable Measured Boot"
-	default n
-	depends on TPM1 || TPM2
-	depends on !VBOOT_RETURN_FROM_VERSTAGE
-	help
-	  Enables measured boot mode in vboot (experimental)
-
-config VBOOT_MEASURED_BOOT_RUNTIME_DATA
-	string "Runtime data whitelist"
-	default ""
-	depends on VBOOT_MEASURED_BOOT
-	help
-	  Runtime data whitelist of cbfs filenames. Needs to be a comma separated
-	  list
-
 config VBOOT_SLOTS_RW_A
 	bool "Firmware RO + RW_A"
 	help
diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc
index e7560dd911..d1cc2da807 100644
--- a/src/security/vboot/Makefile.inc
+++ b/src/security/vboot/Makefile.inc
@@ -105,14 +105,6 @@ romstage-y += vboot_common.c
 ramstage-y += vboot_common.c
 postcar-y += vboot_common.c
 
-ifeq ($(CONFIG_VBOOT_MEASURED_BOOT),y)
-bootblock-y += vboot_crtm.c
-verstage-y += vboot_crtm.c
-romstage-y += vboot_crtm.c
-ramstage-y += vboot_crtm.c
-postcar-y += vboot_crtm.c
-endif
-
 bootblock-y += common.c
 verstage-y += vboot_logic.c
 verstage-y += common.c
diff --git a/src/security/vboot/symbols.h b/src/security/vboot/symbols.h
index 778c8ee949..8f6063efac 100644
--- a/src/security/vboot/symbols.h
+++ b/src/security/vboot/symbols.h
@@ -19,6 +19,4 @@
 
 DECLARE_REGION(vboot2_work)
 
-DECLARE_REGION(vboot2_tpm_log)
-
 #endif /* __VBOOT_SYMBOLS_H__ */
diff --git a/src/security/vboot/vboot_crtm.c b/src/security/vboot/vboot_crtm.c
deleted file mode 100644
index 40b56ed881..0000000000
--- a/src/security/vboot/vboot_crtm.c
+++ /dev/null
@@ -1,194 +0,0 @@
-/*
- * This file is part of the coreboot project.
- *
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; version 2 of the License.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- */
-
-#include <console/console.h>
-#include <fmap.h>
-#include <cbfs.h>
-#include <security/vboot/vboot_crtm.h>
-#include <security/vboot/misc.h>
-#include <string.h>
-
-/*
- * This functions sets the TCPA log namespace
- * for the cbfs file (region) lookup.
- */
-static int create_tcpa_metadata(const struct region_device *rdev,
-		const char *cbfs_name, char log_string[TCPA_PCR_HASH_NAME])
-{
-	int i;
-	struct region_device fmap;
-	static const char *fmap_cbfs_names[] = {
-	"COREBOOT",
-	"FW_MAIN_A",
-	"FW_MAIN_B",
-	"RW_LEGACY"};
-
-	for (i = 0; i < ARRAY_SIZE(fmap_cbfs_names); i++) {
-		if (fmap_locate_area_as_rdev(fmap_cbfs_names[i], &fmap) == 0) {
-			if (region_is_subregion(region_device_region(&fmap),
-				region_device_region(rdev))) {
-				snprintf(log_string, TCPA_PCR_HASH_NAME,
-					"FMAP: %s CBFS: %s",
-					fmap_cbfs_names[i], cbfs_name);
-				return 0;
-			}
-		}
-	}
-
-	return -1;
-}
-
-uint32_t vboot_init_crtm(void)
-{
-	struct prog bootblock = PROG_INIT(PROG_BOOTBLOCK, "bootblock");
-	struct prog verstage =
-		PROG_INIT(PROG_VERSTAGE, CONFIG_CBFS_PREFIX "/verstage");
-	struct prog romstage =
-		PROG_INIT(PROG_ROMSTAGE, CONFIG_CBFS_PREFIX "/romstage");
-	char tcpa_metadata[TCPA_PCR_HASH_NAME];
-
-	/* Initialize TCPE PRERAM log. */
-	tcpa_preram_log_clear();
-
-	/* measure bootblock from RO */
-	struct cbfsf bootblock_data;
-	struct region_device bootblock_fmap;
-	if (fmap_locate_area_as_rdev("BOOTBLOCK", &bootblock_fmap) == 0) {
-		if (tpm_measure_region(&bootblock_fmap,
-				       TPM_CRTM_PCR,
-				       "FMAP: BOOTBLOCK"))
-			return VB2_ERROR_UNKNOWN;
-	} else {
-		if (cbfs_boot_locate(&bootblock_data,
-			prog_name(&bootblock), NULL) == 0) {
-			cbfs_file_data(prog_rdev(&bootblock), &bootblock_data);
-
-			if (create_tcpa_metadata(prog_rdev(&bootblock),
-				prog_name(&bootblock), tcpa_metadata) < 0)
-				return VB2_ERROR_UNKNOWN;
-
-			if (tpm_measure_region(prog_rdev(&bootblock),
-					TPM_CRTM_PCR,
-					tcpa_metadata))
-				return VB2_ERROR_UNKNOWN;
-		} else {
-			printk(BIOS_INFO,
-			       "VBOOT: Couldn't measure bootblock into CRTM!\n");
-			return VB2_ERROR_UNKNOWN;
-		}
-	}
-
-	if (CONFIG(VBOOT_STARTS_IN_ROMSTAGE)) {
-		struct cbfsf romstage_data;
-		/* measure romstage from RO */
-		if (cbfs_boot_locate(&romstage_data,
-			prog_name(&romstage), NULL) == 0) {
-			cbfs_file_data(prog_rdev(&romstage), &romstage_data);
-
-			if (create_tcpa_metadata(prog_rdev(&romstage),
-				prog_name(&romstage), tcpa_metadata) < 0)
-				return VB2_ERROR_UNKNOWN;
-
-			if (tpm_measure_region(prog_rdev(&romstage),
-				TPM_CRTM_PCR,
-				tcpa_metadata))
-				return VB2_ERROR_UNKNOWN;
-		} else {
-			printk(BIOS_INFO,
-			       "VBOOT: Couldn't measure %s into CRTM!\n",
-			       CONFIG_CBFS_PREFIX "/romstage");
-			return VB2_ERROR_UNKNOWN;
-		}
-	}
-
-	if (CONFIG(VBOOT_SEPARATE_VERSTAGE)) {
-		struct cbfsf verstage_data;
-		/* measure verstage from RO */
-		if (cbfs_boot_locate(&verstage_data,
-			prog_name(&verstage), NULL) == 0) {
-			cbfs_file_data(prog_rdev(&verstage), &verstage_data);
-
-			if (create_tcpa_metadata(prog_rdev(&verstage),
-				prog_name(&verstage), tcpa_metadata) < 0)
-				return VB2_ERROR_UNKNOWN;
-
-			if (tpm_measure_region(prog_rdev(&verstage),
-				TPM_CRTM_PCR,
-				tcpa_metadata))
-				return VB2_ERROR_UNKNOWN;
-		} else {
-			printk(BIOS_INFO,
-			       "VBOOT: Couldn't measure %s into CRTM!\n",
-			       CONFIG_CBFS_PREFIX "/verstage");
-			return VB2_ERROR_UNKNOWN;
-		}
-	}
-
-	return VB2_SUCCESS;
-}
-
-static bool is_runtime_data(const char *name)
-{
-	const char *whitelist = CONFIG_VBOOT_MEASURED_BOOT_RUNTIME_DATA;
-	size_t whitelist_len = sizeof(CONFIG_VBOOT_MEASURED_BOOT_RUNTIME_DATA) - 1;
-	size_t name_len = strlen(name);
-	int i;
-
-	if (!whitelist_len || !name_len)
-		return false;
-
-	for (i = 0; (i + name_len) <= whitelist_len; i++) {
-		if (!strcmp(whitelist + i, name))
-			return true;
-	}
-
-	return false;
-}
-
-uint32_t vboot_measure_cbfs_hook(struct cbfsf *fh, const char *name)
-{
-	uint32_t pcr_index;
-	uint32_t cbfs_type;
-	struct region_device rdev;
-	char tcpa_metadata[TCPA_PCR_HASH_NAME];
-
-	if (!vboot_logic_executed())
-		return 0;
-
-	cbfsf_file_type(fh, &cbfs_type);
-	cbfs_file_data(&rdev, fh);
-
-	switch (cbfs_type) {
-	case CBFS_TYPE_MRC:
-	case CBFS_TYPE_MRC_CACHE:
-		pcr_index = TPM_RUNTIME_DATA_PCR;
-		break;
-	case CBFS_TYPE_STAGE:
-	case CBFS_TYPE_SELF:
-	case CBFS_TYPE_FIT:
-		pcr_index = TPM_CRTM_PCR;
-		break;
-	default:
-		if (is_runtime_data(name))
-			pcr_index = TPM_RUNTIME_DATA_PCR;
-		else
-			pcr_index = TPM_CRTM_PCR;
-		break;
-	}
-
-	if (create_tcpa_metadata(&rdev, name, tcpa_metadata) < 0)
-		return VB2_ERROR_UNKNOWN;
-
-	return tpm_measure_region(&rdev, pcr_index, tcpa_metadata);
-}
diff --git a/src/security/vboot/vboot_crtm.h b/src/security/vboot/vboot_crtm.h
deleted file mode 100644
index ba3dd45abe..0000000000
--- a/src/security/vboot/vboot_crtm.h
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
- * This file is part of the coreboot project.
- *
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; version 2 of the License.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- */
-
-#ifndef __SECURITY_VBOOT_CRTM_H__
-#define __SECURITY_VBOOT_CRTM_H__
-
-#include <commonlib/cbfs.h>
-#include <program_loading.h>
-#include <security/tpm/tspi.h>
-#include <types.h>
-
-/* CRTM */
-#define TPM_CRTM_PCR 2
-
-/* PCR for measuring data which changes during runtime
- * e.g. CMOS, NVRAM...
- */
-#define TPM_RUNTIME_DATA_PCR 3
-
-/*
- * Initializes the Core Root of Trust for Measurements
- * in coreboot. The initial code in a chain of trust must measure
- * itself.
- *
- * Summary:
- *  + Measures bootblock in CBFS or BOOTBLOCK FMAP partition.
- *  + If vboot starts in romstage, it measures the romstage
- *    in CBFS.
- *  + Measure the verstage if it is compiled as separate
- *    stage.
- *
- * Takes the current vboot context as parameter for s3 checks.
- * returns on success VB2_SUCCESS, else a vboot error.
- */
-uint32_t vboot_init_crtm(void);
-
-#if CONFIG(VBOOT_MEASURED_BOOT)
-/*
- * Measures cbfs data via hook (cbfs)
- * fh is the cbfs file handle to measure
- * return 0 if successful, else an error
- */
-uint32_t vboot_measure_cbfs_hook(struct cbfsf *fh, const char *name);
-
-#else
-#define vboot_measure_cbfs_hook(fh, name) 0
-#endif
-
-#endif /* __VBOOT_VBOOT_CRTM_H__ */
diff --git a/src/security/vboot/vboot_logic.c b/src/security/vboot/vboot_logic.c
index b72df9650b..80f7aaa86b 100644
--- a/src/security/vboot/vboot_logic.c
+++ b/src/security/vboot/vboot_logic.c
@@ -17,13 +17,13 @@
 #include <bootmode.h>
 #include <cbmem.h>
 #include <fmap.h>
-#include <string.h>
-#include <timestamp.h>
-#include <vb2_api.h>
+#include <security/tpm/tspi/crtm.h>
 #include <security/vboot/misc.h>
 #include <security/vboot/vbnv.h>
-#include <security/vboot/vboot_crtm.h>
 #include <security/vboot/tpm_common.h>
+#include <string.h>
+#include <timestamp.h>
+#include <vb2_api.h>
 
 #include "antirollback.h"
 
@@ -283,14 +283,6 @@ void verstage_main(void)
 		antirollback_read_space_firmware(ctx);
 	timestamp_add_now(TS_END_TPMINIT);
 
-	/* Enable measured boot mode */
-	if (CONFIG(VBOOT_MEASURED_BOOT) &&
-		!(ctx->flags & VB2_CONTEXT_S3_RESUME)) {
-		if (vboot_init_crtm() != VB2_SUCCESS)
-			die_with_post_code(POST_INVALID_ROM,
-				"Initializing measured boot mode failed!");
-	}
-
 	if (get_recovery_mode_switch()) {
 		ctx->flags |= VB2_CONTEXT_FORCE_RECOVERY_MODE;
 		if (CONFIG(VBOOT_DISABLE_DEV_ON_RECOVERY))