6 files changed, 4 insertions, 292 deletions
diff --git a/src/security/vboot/Kconfig b/src/security/vboot/Kconfig
index 6e0021d58d..f273265054 100644
--- a/src/security/vboot/Kconfig
+++ b/src/security/vboot/Kconfig
@@ -35,22 +35,6 @@ if VBOOT
 comment "Anti-Rollback Protection disabled because mocking secdata is enabled."
 	depends on VBOOT_MOCK_SECDATA
 
-config VBOOT_MEASURED_BOOT
-	bool "Enable Measured Boot"
-	default n
-	depends on TPM1 || TPM2
-	depends on !VBOOT_RETURN_FROM_VERSTAGE
-	help
-	  Enables measured boot mode in vboot (experimental)
-
-config VBOOT_MEASURED_BOOT_RUNTIME_DATA
-	string "Runtime data whitelist"
-	default ""
-	depends on VBOOT_MEASURED_BOOT
-	help
-	  Runtime data whitelist of cbfs filenames. Needs to be a comma separated
-	  list
-
 config VBOOT_SLOTS_RW_A
 	bool "Firmware RO + RW_A"
 	help
diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc
index e7560dd911..d1cc2da807 100644
--- a/src/security/vboot/Makefile.inc
+++ b/src/security/vboot/Makefile.inc
@@ -105,14 +105,6 @@ romstage-y += vboot_common.c
 ramstage-y += vboot_common.c
 postcar-y += vboot_common.c
 
-ifeq ($(CONFIG_VBOOT_MEASURED_BOOT),y)
-bootblock-y += vboot_crtm.c
-verstage-y += vboot_crtm.c
-romstage-y += vboot_crtm.c
-ramstage-y += vboot_crtm.c
-postcar-y += vboot_crtm.c
-endif
-
 bootblock-y += common.c
 verstage-y += vboot_logic.c
 verstage-y += common.c
diff --git a/src/security/vboot/symbols.h b/src/security/vboot/symbols.h
index 778c8ee949..8f6063efac 100644
--- a/src/security/vboot/symbols.h
+++ b/src/security/vboot/symbols.h
@@ -19,6 +19,4 @@
 
 DECLARE_REGION(vboot2_work)
 
-DECLARE_REGION(vboot2_tpm_log)
-
 #endif /* __VBOOT_SYMBOLS_H__ */
diff --git a/src/security/vboot/vboot_crtm.c b/src/security/vboot/vboot_crtm.c
deleted file mode 100644
index 40b56ed881..0000000000
--- a/src/security/vboot/vboot_crtm.c
+++ /dev/null
@@ -1,194 +0,0 @@
-/*
- * This file is part of the coreboot project.
- *
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; version 2 of the License.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- */
-
-#include <console/console.h>
-#include <fmap.h>
-#include <cbfs.h>
-#include <security/vboot/vboot_crtm.h>
-#include <security/vboot/misc.h>
-#include <string.h>
-
-/*
- * This functions sets the TCPA log namespace
- * for the cbfs file (region) lookup.
- */
-static int create_tcpa_metadata(const struct region_device *rdev,
-		const char *cbfs_name, char log_string[TCPA_PCR_HASH_NAME])
-{
-	int i;
-	struct region_device fmap;
-	static const char *fmap_cbfs_names[] = {
-	"COREBOOT",
-	"FW_MAIN_A",
-	"FW_MAIN_B",
-	"RW_LEGACY"};
-
-	for (i = 0; i < ARRAY_SIZE(fmap_cbfs_names); i++) {
-		if (fmap_locate_area_as_rdev(fmap_cbfs_names[i], &fmap) == 0) {
-			if (region_is_subregion(region_device_region(&fmap),
-				region_device_region(rdev))) {
-				snprintf(log_string, TCPA_PCR_HASH_NAME,
-					"FMAP: %s CBFS: %s",
-					fmap_cbfs_names[i], cbfs_name);
-				return 0;
-			}
-		}
-	}
-
-	return -1;
-}
-
-uint32_t vboot_init_crtm(void)
-{
-	struct prog bootblock = PROG_INIT(PROG_BOOTBLOCK, "bootblock");
-	struct prog verstage =
-		PROG_INIT(PROG_VERSTAGE, CONFIG_CBFS_PREFIX "/verstage");
-	struct prog romstage =
-		PROG_INIT(PROG_ROMSTAGE, CONFIG_CBFS_PREFIX "/romstage");
-	char tcpa_metadata[TCPA_PCR_HASH_NAME];
-
-	/* Initialize TCPE PRERAM log. */
-	tcpa_preram_log_clear();
-
-	/* measure bootblock from RO */
-	struct cbfsf bootblock_data;
-	struct region_device bootblock_fmap;
-	if (fmap_locate_area_as_rdev("BOOTBLOCK", &bootblock_fmap) == 0) {
-		if (tpm_measure_region(&bootblock_fmap,
-				       TPM_CRTM_PCR,
-				       "FMAP: BOOTBLOCK"))
-			return VB2_ERROR_UNKNOWN;
-	} else {
-		if (cbfs_boot_locate(&bootblock_data,
-			prog_name(&bootblock), NULL) == 0) {
-			cbfs_file_data(prog_rdev(&bootblock), &bootblock_data);
-
-			if (create_tcpa_metadata(prog_rdev(&bootblock),
-				prog_name(&bootblock), tcpa_metadata) < 0)
-				return VB2_ERROR_UNKNOWN;
-
-			if (tpm_measure_region(prog_rdev(&bootblock),
-					TPM_CRTM_PCR,
-					tcpa_metadata))
-				return VB2_ERROR_UNKNOWN;
-		} else {
-			printk(BIOS_INFO,
-			       "VBOOT: Couldn't measure bootblock into CRTM!\n");
-			return VB2_ERROR_UNKNOWN;
-		}
-	}
-
-	if (CONFIG(VBOOT_STARTS_IN_ROMSTAGE)) {
-		struct cbfsf romstage_data;
-		/* measure romstage from RO */
-		if (cbfs_boot_locate(&romstage_data,
-			prog_name(&romstage), NULL) == 0) {
-			cbfs_file_data(prog_rdev(&romstage), &romstage_data);
-
-			if (create_tcpa_metadata(prog_rdev(&romstage),
-				prog_name(&romstage), tcpa_metadata) < 0)
-				return VB2_ERROR_UNKNOWN;
-
-			if (tpm_measure_region(prog_rdev(&romstage),
-				TPM_CRTM_PCR,
-				tcpa_metadata))
-				return VB2_ERROR_UNKNOWN;
-		} else {
-			printk(BIOS_INFO,
-			       "VBOOT: Couldn't measure %s into CRTM!\n",
-			       CONFIG_CBFS_PREFIX "/romstage");
-			return VB2_ERROR_UNKNOWN;
-		}
-	}
-
-	if (CONFIG(VBOOT_SEPARATE_VERSTAGE)) {
-		struct cbfsf verstage_data;
-		/* measure verstage from RO */
-		if (cbfs_boot_locate(&verstage_data,
-			prog_name(&verstage), NULL) == 0) {
-			cbfs_file_data(prog_rdev(&verstage), &verstage_data);
-
-			if (create_tcpa_metadata(prog_rdev(&verstage),
-				prog_name(&verstage), tcpa_metadata) < 0)
-				return VB2_ERROR_UNKNOWN;
-
-			if (tpm_measure_region(prog_rdev(&verstage),
-				TPM_CRTM_PCR,
-				tcpa_metadata))
-				return VB2_ERROR_UNKNOWN;
-		} else {
-			printk(BIOS_INFO,
-			       "VBOOT: Couldn't measure %s into CRTM!\n",
-			       CONFIG_CBFS_PREFIX "/verstage");
-			return VB2_ERROR_UNKNOWN;
-		}
-	}
-
-	return VB2_SUCCESS;
-}
-
-static bool is_runtime_data(const char *name)
-{
-	const char *whitelist = CONFIG_VBOOT_MEASURED_BOOT_RUNTIME_DATA;
-	size_t whitelist_len = sizeof(CONFIG_VBOOT_MEASURED_BOOT_RUNTIME_DATA) - 1;
-	size_t name_len = strlen(name);
-	int i;
-
-	if (!whitelist_len || !name_len)
-		return false;
-
-	for (i = 0; (i + name_len) <= whitelist_len; i++) {
-		if (!strcmp(whitelist + i, name))
-			return true;
-	}
-
-	return false;
-}
-
-uint32_t vboot_measure_cbfs_hook(struct cbfsf *fh, const char *name)
-{
-	uint32_t pcr_index;
-	uint32_t cbfs_type;
-	struct region_device rdev;
-	char tcpa_metadata[TCPA_PCR_HASH_NAME];
-
-	if (!vboot_logic_executed())
-		return 0;
-
-	cbfsf_file_type(fh, &cbfs_type);
-	cbfs_file_data(&rdev, fh);
-
-	switch (cbfs_type) {
-	case CBFS_TYPE_MRC:
-	case CBFS_TYPE_MRC_CACHE:
-		pcr_index = TPM_RUNTIME_DATA_PCR;
-		break;
-	case CBFS_TYPE_STAGE:
-	case CBFS_TYPE_SELF:
-	case CBFS_TYPE_FIT:
-		pcr_index = TPM_CRTM_PCR;
-		break;
-	default:
-		if (is_runtime_data(name))
-			pcr_index = TPM_RUNTIME_DATA_PCR;
-		else
-			pcr_index = TPM_CRTM_PCR;
-		break;
-	}
-
-	if (create_tcpa_metadata(&rdev, name, tcpa_metadata) < 0)
-		return VB2_ERROR_UNKNOWN;
-
-	return tpm_measure_region(&rdev, pcr_index, tcpa_metadata);
-}
diff --git a/src/security/vboot/vboot_crtm.h b/src/security/vboot/vboot_crtm.h
deleted file mode 100644
index ba3dd45abe..0000000000
--- a/src/security/vboot/vboot_crtm.h
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
- * This file is part of the coreboot project.
- *
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; version 2 of the License.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- */
-
-#ifndef __SECURITY_VBOOT_CRTM_H__
-#define __SECURITY_VBOOT_CRTM_H__
-
-#include <commonlib/cbfs.h>
-#include <program_loading.h>
-#include <security/tpm/tspi.h>
-#include <types.h>
-
-/* CRTM */
-#define TPM_CRTM_PCR 2
-
-/* PCR for measuring data which changes during runtime
- * e.g. CMOS, NVRAM...
- */
-#define TPM_RUNTIME_DATA_PCR 3
-
-/*
- * Initializes the Core Root of Trust for Measurements
- * in coreboot. The initial code in a chain of trust must measure
- * itself.
- *
- * Summary:
- *  + Measures bootblock in CBFS or BOOTBLOCK FMAP partition.
- *  + If vboot starts in romstage, it measures the romstage
- *    in CBFS.
- *  + Measure the verstage if it is compiled as separate
- *    stage.
- *
- * Takes the current vboot context as parameter for s3 checks.
- * returns on success VB2_SUCCESS, else a vboot error.
- */
-uint32_t vboot_init_crtm(void);
-
-#if CONFIG(VBOOT_MEASURED_BOOT)
-/*
- * Measures cbfs data via hook (cbfs)
- * fh is the cbfs file handle to measure
- * return 0 if successful, else an error
- */
-uint32_t vboot_measure_cbfs_hook(struct cbfsf *fh, const char *name);
-
-#else
-#define vboot_measure_cbfs_hook(fh, name) 0
-#endif
-
-#endif /* __VBOOT_VBOOT_CRTM_H__ */
diff --git a/src/security/vboot/vboot_logic.c b/src/security/vboot/vboot_logic.c
index b72df9650b..80f7aaa86b 100644
--- a/src/security/vboot/vboot_logic.c
+++ b/src/security/vboot/vboot_logic.c
@@ -17,13 +17,13 @@
 #include <bootmode.h>
 #include <cbmem.h>
 #include <fmap.h>
-#include <string.h>
-#include <timestamp.h>
-#include <vb2_api.h>
+#include <security/tpm/tspi/crtm.h>
 #include <security/vboot/misc.h>
 #include <security/vboot/vbnv.h>
-#include <security/vboot/vboot_crtm.h>
 #include <security/vboot/tpm_common.h>
+#include <string.h>
+#include <timestamp.h>
+#include <vb2_api.h>
 
 #include "antirollback.h"
 
@@ -283,14 +283,6 @@ void verstage_main(void)
 		antirollback_read_space_firmware(ctx);
 	timestamp_add_now(TS_END_TPMINIT);
 
-	/* Enable measured boot mode */
-	if (CONFIG(VBOOT_MEASURED_BOOT) &&
-		!(ctx->flags & VB2_CONTEXT_S3_RESUME)) {
-		if (vboot_init_crtm() != VB2_SUCCESS)
-			die_with_post_code(POST_INVALID_ROM,
-				"Initializing measured boot mode failed!");
-	}
-
 	if (get_recovery_mode_switch()) {
 		ctx->flags |= VB2_CONTEXT_FORCE_RECOVERY_MODE;
 		if (CONFIG(VBOOT_DISABLE_DEV_ON_RECOVERY))