summaryrefslogtreecommitdiff
path: root/src/security
diff options
context:
space:
mode:
authorBill XIE <persmule@hardenedlinux.org>2020-02-13 11:11:35 +0800
committerPhilipp Deppenwiese <zaolin.daisuki@gmail.com>2020-03-31 10:37:38 +0000
commitbad08c2c29210530e584436a562a1c03a68eb693 (patch)
tree3a31836bb0e512010bf9a196120f200f8071e752 /src/security
parentea861ce83118217f1f639cd696dbdb8de87f8ccf (diff)
downloadcoreboot-bad08c2c29210530e584436a562a1c03a68eb693.tar.xz
security/tpm: Include mrc.bin in CRTM if present
mrc.bin, on platforms where it is present, is code executed on CPU, so it should be considered a part of CRTM. cbfs_locate_file_in_region() is hooked to measurement here too, since mrc.bin is loaded with it, and CBFS_TYPE_MRC (the type of mrc.bin) is measured to TPM_CRTM_PCR rather than TPM_RUNTIME_DATA_PCR. TODO: I have heard that SMM is too resource-limited to link with vboot library, so currently tspi_measure_cbfs_hook() is masked in SMM. Please correct me if I am wrong. Change-Id: Ib4c3cf47b919864056baf725001ca8a4aaafa110 Signed-off-by: Bill XIE <persmule@hardenedlinux.org> Reviewed-on: https://review.coreboot.org/c/coreboot/+/38858 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Julius Werner <jwerner@chromium.org>
Diffstat (limited to 'src/security')
-rw-r--r--src/security/tpm/tspi/crtm.c6
-rw-r--r--src/security/tpm/tspi/crtm.h2
2 files changed, 6 insertions, 2 deletions
diff --git a/src/security/tpm/tspi/crtm.c b/src/security/tpm/tspi/crtm.c
index dc7d7d21f0..304cea38e9 100644
--- a/src/security/tpm/tspi/crtm.c
+++ b/src/security/tpm/tspi/crtm.c
@@ -133,10 +133,14 @@ uint32_t tspi_measure_cbfs_hook(struct cbfsf *fh, const char *name)
cbfs_file_data(&rdev, fh);
switch (cbfs_type) {
- case CBFS_TYPE_MRC:
case CBFS_TYPE_MRC_CACHE:
pcr_index = TPM_RUNTIME_DATA_PCR;
break;
+ /*
+ * mrc.bin is code executed on CPU, so it
+ * should not be considered runtime data
+ */
+ case CBFS_TYPE_MRC:
case CBFS_TYPE_STAGE:
case CBFS_TYPE_SELF:
case CBFS_TYPE_FIT:
diff --git a/src/security/tpm/tspi/crtm.h b/src/security/tpm/tspi/crtm.h
index dfd91e1c0e..eb624951ca 100644
--- a/src/security/tpm/tspi/crtm.h
+++ b/src/security/tpm/tspi/crtm.h
@@ -50,7 +50,7 @@ uint32_t tspi_init_crtm(void);
*/
int tspi_measure_cache_to_pcr(void);
-#if CONFIG(TPM_MEASURED_BOOT)
+#if !ENV_SMM && CONFIG(TPM_MEASURED_BOOT)
/*
* Measures cbfs data via hook (cbfs)
* fh is the cbfs file handle to measure