summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/drivers/intel/ptt/Kconfig1
-rw-r--r--src/security/vboot/Kconfig5
-rw-r--r--src/security/vboot/Makefile.inc5
-rw-r--r--src/security/vboot/antirollback.h7
-rw-r--r--src/security/vboot/secdata_mock.c8
-rw-r--r--src/security/vboot/secdata_tpm.c41
-rw-r--r--src/security/vboot/tpm_common.c58
-rw-r--r--src/security/vboot/tpm_common.h29
-rw-r--r--src/security/vboot/vboot_logic.c5
9 files changed, 103 insertions, 56 deletions
diff --git a/src/drivers/intel/ptt/Kconfig b/src/drivers/intel/ptt/Kconfig
index c013f42c43..fb70f9a02c 100644
--- a/src/drivers/intel/ptt/Kconfig
+++ b/src/drivers/intel/ptt/Kconfig
@@ -1,5 +1,6 @@
config HAVE_INTEL_PTT
bool
default n
+ select VBOOT_MOCK_SECDATA if VBOOT
help
Activate if your platform has Intel Platform Trust Technology like Intel iTPM and you want to use it.
diff --git a/src/security/vboot/Kconfig b/src/security/vboot/Kconfig
index ea1f73889a..c5146c61e7 100644
--- a/src/security/vboot/Kconfig
+++ b/src/security/vboot/Kconfig
@@ -26,10 +26,13 @@ config VBOOT
if VBOOT
+comment "Anti-Rollback Protection disabled because mocking secdata is enabled."
+ depends on VBOOT_MOCK_SECDATA
+
config VBOOT_MEASURED_BOOT
bool "Enable Measured Boot"
default n
- depends on !VBOOT_MOCK_SECDATA
+ depends on TPM1 || TPM2
depends on !VBOOT_RETURN_FROM_VERSTAGE
help
Enables measured boot mode in vboot (experimental)
diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc
index 6d195292e2..d554f103d6 100644
--- a/src/security/vboot/Makefile.inc
+++ b/src/security/vboot/Makefile.inc
@@ -88,6 +88,11 @@ else
verstage-y += secdata_tpm.c
romstage-$(CONFIG_VBOOT_SEPARATE_VERSTAGE) += secdata_tpm.c
endif
+
+ifneq ($(CONFIG_TPM1)$(CONFIG_TPM2),)
+verstage-y += tpm_common.c
+endif
+
romstage-y += vboot_logic.c
romstage-y += common.c
diff --git a/src/security/vboot/antirollback.h b/src/security/vboot/antirollback.h
index 62d2e20f03..5af923600d 100644
--- a/src/security/vboot/antirollback.h
+++ b/src/security/vboot/antirollback.h
@@ -83,11 +83,4 @@ uint32_t antirollback_write_space_rec_hash(const uint8_t *data, uint32_t size);
/* Lock down recovery hash space in TPM. */
uint32_t antirollback_lock_space_rec_hash(void);
-/* Start of the root of trust */
-uint32_t vboot_setup_tpm(struct vb2_context *ctx);
-
-/* vboot_extend_pcr function for vb2 context */
-uint32_t vboot_extend_pcr(struct vb2_context *ctx, int pcr,
- enum vb2_pcr_digest which_digest);
-
#endif /* ANTIROLLBACK_H_ */
diff --git a/src/security/vboot/secdata_mock.c b/src/security/vboot/secdata_mock.c
index 3075d335f6..43206df6b9 100644
--- a/src/security/vboot/secdata_mock.c
+++ b/src/security/vboot/secdata_mock.c
@@ -43,12 +43,6 @@ int vb2ex_tpm_clear_owner(struct vb2_context *ctx)
return VB2_SUCCESS;
}
-uint32_t vboot_extend_pcr(struct vb2_context *ctx, int pcr,
- enum vb2_pcr_digest which_digest)
-{
- return VB2_SUCCESS;
-}
-
uint32_t antirollback_read_space_firmware(struct vb2_context *ctx)
{
vb2api_secdata_create(ctx);
@@ -60,7 +54,7 @@ uint32_t antirollback_write_space_firmware(struct vb2_context *ctx)
return VB2_SUCCESS;
}
-uint32_t antirollback_lock_space_firmware()
+uint32_t antirollback_lock_space_firmware(void)
{
return VB2_SUCCESS;
}
diff --git a/src/security/vboot/secdata_tpm.c b/src/security/vboot/secdata_tpm.c
index 39cd6141fd..09c7e72b9b 100644
--- a/src/security/vboot/secdata_tpm.c
+++ b/src/security/vboot/secdata_tpm.c
@@ -33,6 +33,7 @@
*/
#include <security/vboot/antirollback.h>
+#include <security/vboot/tpm_common.h>
#include <stdlib.h>
#include <string.h>
#include <security/tpm/tspi.h>
@@ -65,31 +66,6 @@
static uint32_t safe_write(uint32_t index, const void *data, uint32_t length);
-uint32_t vboot_extend_pcr(struct vb2_context *ctx, int pcr,
- enum vb2_pcr_digest which_digest)
-{
- uint8_t buffer[VB2_PCR_DIGEST_RECOMMENDED_SIZE];
- uint32_t size = sizeof(buffer);
- int rv;
-
- rv = vb2api_get_pcr_digest(ctx, which_digest, buffer, &size);
- if (rv != VB2_SUCCESS)
- return rv;
- if (size < TPM_PCR_MINIMUM_DIGEST_SIZE)
- return VB2_ERROR_UNKNOWN;
-
- switch (which_digest) {
- case BOOT_MODE_PCR:
- return tpm_extend_pcr(pcr, VB2_HASH_SHA1, buffer, size,
- TPM_PCR_GBB_FLAGS_NAME);
- case HWID_DIGEST_PCR:
- return tpm_extend_pcr(pcr, VB2_HASH_SHA256, buffer,
- size, TPM_PCR_GBB_HWID_NAME);
- default:
- return VB2_ERROR_UNKNOWN;
- }
-}
-
static uint32_t read_space_firmware(struct vb2_context *ctx)
{
int attempts = 3;
@@ -443,25 +419,10 @@ static uint32_t factory_initialize_tpm(struct vb2_context *ctx)
return TPM_SUCCESS;
}
-uint32_t vboot_setup_tpm(struct vb2_context *ctx)
-{
- uint32_t result;
-
- result = tpm_setup(ctx->flags & VB2_CONTEXT_S3_RESUME);
- if (result == TPM_E_MUST_REBOOT)
- ctx->flags |= VB2_CONTEXT_SECDATA_WANTS_REBOOT;
-
- return result;
-}
-
uint32_t antirollback_read_space_firmware(struct vb2_context *ctx)
{
uint32_t rv;
- rv = vboot_setup_tpm(ctx);
- if (rv)
- return rv;
-
/* Read the firmware space. */
rv = read_space_firmware(ctx);
if (rv == TPM_E_BADINDEX) {
diff --git a/src/security/vboot/tpm_common.c b/src/security/vboot/tpm_common.c
new file mode 100644
index 0000000000..1a07ef6def
--- /dev/null
+++ b/src/security/vboot/tpm_common.c
@@ -0,0 +1,58 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
+
+#include <security/tpm/tspi.h>
+#include <vb2_api.h>
+#include <security/vboot/tpm_common.h>
+
+#define TPM_PCR_BOOT_MODE "VBOOT: boot mode"
+#define TPM_PCR_GBB_HWID_NAME "VBOOT: GBB HWID"
+
+uint32_t vboot_setup_tpm(struct vb2_context *ctx)
+{
+ uint32_t result;
+
+ result = tpm_setup(ctx->flags & VB2_CONTEXT_S3_RESUME);
+ if (result == TPM_E_MUST_REBOOT)
+ ctx->flags |= VB2_CONTEXT_SECDATA_WANTS_REBOOT;
+
+ return result;
+}
+
+uint32_t vboot_extend_pcr(struct vb2_context *ctx, int pcr,
+ enum vb2_pcr_digest which_digest)
+{
+ uint8_t buffer[VB2_PCR_DIGEST_RECOMMENDED_SIZE];
+ uint32_t size = sizeof(buffer);
+ int rv;
+
+ rv = vb2api_get_pcr_digest(ctx, which_digest, buffer, &size);
+ if (rv != VB2_SUCCESS)
+ return rv;
+ if (size < TPM_PCR_MINIMUM_DIGEST_SIZE)
+ return VB2_ERROR_UNKNOWN;
+
+ switch (which_digest) {
+ /* SHA1 of (devmode|recmode|keyblock) bits */
+ case BOOT_MODE_PCR:
+ return tpm_extend_pcr(pcr, VB2_HASH_SHA1, buffer, size,
+ TPM_PCR_BOOT_MODE);
+ /* SHA256 of HWID */
+ case HWID_DIGEST_PCR:
+ return tpm_extend_pcr(pcr, VB2_HASH_SHA256, buffer,
+ size, TPM_PCR_GBB_HWID_NAME);
+ default:
+ return VB2_ERROR_UNKNOWN;
+ }
+}
diff --git a/src/security/vboot/tpm_common.h b/src/security/vboot/tpm_common.h
new file mode 100644
index 0000000000..6bb32bbf1d
--- /dev/null
+++ b/src/security/vboot/tpm_common.h
@@ -0,0 +1,29 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
+#if CONFIG(TPM1) || CONFIG(TPM2)
+
+/* Start of the root of trust */
+uint32_t vboot_setup_tpm(struct vb2_context *ctx);
+
+/* vboot_extend_pcr function for vb2 context */
+uint32_t vboot_extend_pcr(struct vb2_context *ctx, int pcr,
+ enum vb2_pcr_digest which_digest);
+
+#else
+
+#define vboot_setup_tpm(ctx) 0
+
+#define vboot_extend_pcr(ctx, pcr, which_digest) 0
+
+#endif
diff --git a/src/security/vboot/vboot_logic.c b/src/security/vboot/vboot_logic.c
index 2468f5f19e..c61d6bec33 100644
--- a/src/security/vboot/vboot_logic.c
+++ b/src/security/vboot/vboot_logic.c
@@ -25,6 +25,7 @@
#include <security/vboot/misc.h>
#include <security/vboot/vbnv.h>
#include <security/vboot/vboot_crtm.h>
+#include <security/vboot/tpm_common.h>
#include "antirollback.h"
@@ -334,7 +335,9 @@ void verstage_main(void)
* check the return value here because vb2api_fw_phase1 will catch
* invalid secdata and tell us what to do (=reboot). */
timestamp_add_now(TS_START_TPMINIT);
- antirollback_read_space_firmware(&ctx);
+ rv = vboot_setup_tpm(&ctx);
+ if (rv)
+ antirollback_read_space_firmware(&ctx);
timestamp_add_now(TS_END_TPMINIT);
/* Enable measured boot mode */