security/vboot: Decouple measured boot from verified boot

Currently, those who want to use measured boot implemented within vboot should enable verified boot first, along with sections such as GBB and RW slots defined with manually written fmd files, even if they do not actually want to verify anything. As discussed in CB:34977, measured boot should be decoupled from verified boot and make them two fully independent options. Crypto routines necessary for measurement could be reused, and TPM and CRTM init should be done somewhere other than vboot_logic_executed() if verified boot is not enabled. In this revision, only TCPA log is initialized during bootblock. Before TPM gets set up, digests are not measured into tpm immediately, but cached in TCPA log, and measured into determined PCRs right after TPM is up. This change allows those who do not want to use the verified boot scheme implemented by vboot as well as its requirement of a more complex partition scheme designed for chromeos to make use of the measured boot functionality implemented within vboot library to measure the boot process. TODO: Measure MRC Cache somewhere, as MRC Cache has never resided in CBFS any more, so it cannot be covered by tspi_measure_cbfs_hook(). Change-Id: I1fb376b4a8b98baffaee4d574937797bba1f8aee Signed-off-by: Bill XIE <persmule@hardenedlinux.org> Reviewed-on: https://review.coreboot.org/c/coreboot/+/35077 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com> Reviewed-by: Julius Werner <jwerner@chromium.org> Reviewed-by: Werner Zeh <werner.zeh@siemens.com>
coreboot · Mar 31, 2020 · c79e96b · c79e96b
1 parent 6b7bbc2
commit c79e96b
Show file tree

Hide file tree

Showing 25 changed files with 219 additions and 187 deletions.
diff --git a/src/arch/x86/car.ld b/src/arch/x86/car.ld
@@ -20,8 +20,8 @@
 	/* Vboot measured boot TCPA log measurements.
 	 * Needs to be transferred until CBMEM is available
 	 */
-#if CONFIG(VBOOT_MEASURED_BOOT)
-	VBOOT2_TPM_LOG(., 2K)
+#if CONFIG(TPM_MEASURED_BOOT)
+	TPM_TCPA_LOG(., 2K)
 #endif
 	/* Stack for CAR stages. Since it persists across all stages that
 	 * use CAR it can be reused. The chipset/SoC is expected to provide

diff --git a/src/include/memlayout.h b/src/include/memlayout.h
@@ -159,9 +159,9 @@
 		STR(vboot2 work buffer size must be equivalent to \
 			VB2_FIRMWARE_WORKBUF_RECOMMENDED_SIZE! (sz)));
 
-#define VBOOT2_TPM_LOG(addr, size) \
-	REGION(vboot2_tpm_log, addr, size, 16) \
-	_ = ASSERT(size >= 2K, "vboot2 tpm log buffer must be at least 2K!");
+#define TPM_TCPA_LOG(addr, size) \
+	REGION(tpm_tcpa_log, addr, size, 16) \
+	_ = ASSERT(size >= 2K, "tpm tcpa log buffer must be at least 2K!");
 
 #if ENV_VERSTAGE
 	#define VERSTAGE(addr, sz) \

diff --git a/src/include/symbols.h b/src/include/symbols.h
@@ -34,8 +34,11 @@ DECLARE_REGION(preram_cbfs_cache)
 DECLARE_REGION(postram_cbfs_cache)
 DECLARE_REGION(cbfs_cache)
 DECLARE_REGION(fmap_cache)
-DECLARE_REGION(payload)
+DECLARE_REGION(tpm_tcpa_log)
+
+/* Regions for execution units. */
 
+DECLARE_REGION(payload)
 /* "program" always refers to the current execution unit. */
 DECLARE_REGION(program)
 /* _<stage>_size is always the maximum amount allocated in memlayout, whereas

diff --git a/src/lib/cbfs.c b/src/lib/cbfs.c
@@ -13,19 +13,19 @@
  */
 
 #include <assert.h>
-#include <console/console.h>
-#include <string.h>
-#include <stdlib.h>
 #include <boot_device.h>
 #include <cbfs.h>
 #include <commonlib/bsd/compression.h>
+#include <console/console.h>
 #include <endian.h>
+#include <fmap.h>
 #include <lib.h>
+#include <security/tpm/tspi/crtm.h>
+#include <security/vboot/vboot_common.h>
+#include <stdlib.h>
+#include <string.h>
 #include <symbols.h>
 #include <timestamp.h>
-#include <fmap.h>
-#include <security/vboot/vboot_crtm.h>
-#include <security/vboot/vboot_common.h>
 
 #define ERROR(x...) printk(BIOS_ERR, "CBFS: " x)
 #define LOG(x...) printk(BIOS_INFO, "CBFS: " x)
@@ -60,7 +60,7 @@ int cbfs_boot_locate(struct cbfsf *fh, const char *name, uint32_t *type)
 	}
 
 	if (!ret)
-		if (vboot_measure_cbfs_hook(fh, name))
+		if (tspi_measure_cbfs_hook(fh, name))
 			return -1;
 
 	return ret;

diff --git a/src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig b/src/mainboard/siemens/mc_apl1/variants/mc_apl2/Kconfig
@@ -9,12 +9,12 @@ config BOARD_SPECIFIC_OPTIONS
 	select MAINBOARD_HAS_TPM2
 	select MAINBOARD_HAS_LPC_TPM
 	select TPM_ON_FAST_SPI
+	select TPM_MEASURED_BOOT
 
 config CBFS_SIZE
 	default 0xb4e000
 
 config VBOOT
-	select VBOOT_MEASURED_BOOT
 	select VBOOT_VBNV_FLASH
 	select VBOOT_NO_BOARD_SUPPORT
 	select GBB_FLAG_DISABLE_LID_SHUTDOWN

diff --git a/src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig b/src/mainboard/siemens/mc_apl1/variants/mc_apl4/Kconfig
@@ -9,6 +9,7 @@ config BOARD_SPECIFIC_OPTIONS
 	select MAINBOARD_HAS_LPC_TPM
 	select TPM_ON_FAST_SPI
 	select DRIVERS_I2C_PTN3460
+	select TPM_MEASURED_BOOT
 
 config UART_FOR_CONSOLE
 	default 1
@@ -17,7 +18,6 @@ config CBFS_SIZE
 	default 0xb4e000
 
 config VBOOT
-	select VBOOT_MEASURED_BOOT
 	select VBOOT_VBNV_FLASH
 	select VBOOT_NO_BOARD_SUPPORT
 	select GBB_FLAG_DISABLE_LID_SHUTDOWN

diff --git a/src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig b/src/mainboard/siemens/mc_apl1/variants/mc_apl5/Kconfig
@@ -12,12 +12,12 @@ config BOARD_SPECIFIC_OPTIONS
 	select MAINBOARD_HAS_LPC_TPM
 	select TPM_ON_FAST_SPI
 	select DRIVERS_I2C_PTN3460
+	select TPM_MEASURED_BOOT
 
 config CBFS_SIZE
 	default 0xb4e000
 
 config VBOOT
-	select VBOOT_MEASURED_BOOT
 	select VBOOT_VBNV_FLASH
 	select VBOOT_NO_BOARD_SUPPORT
 	select GBB_FLAG_DISABLE_LID_SHUTDOWN

diff --git a/src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig b/src/mainboard/siemens/mc_apl1/variants/mc_apl6/Kconfig
@@ -11,9 +11,9 @@ config BOARD_SPECIFIC_OPTIONS
 	select MAINBOARD_HAS_TPM2
 	select MAINBOARD_HAS_LPC_TPM
 	select TPM_ON_FAST_SPI
+	select TPM_MEASURED_BOOT
 
 config VBOOT
-	select VBOOT_MEASURED_BOOT
 	select VBOOT_VBNV_FLASH
 	select VBOOT_NO_BOARD_SUPPORT
 	select GBB_FLAG_DISABLE_LID_SHUTDOWN

diff --git a/src/security/tpm/Kconfig b/src/security/tpm/Kconfig
@@ -100,4 +100,21 @@ config TPM_STARTUP_IGNORE_POSTINIT
 	  or VBOOT on the Intel Arrandale processor, which issues a
 	  CPU-only reset during the romstage.
 
+config TPM_MEASURED_BOOT
+	bool "Enable Measured Boot"
+	default n
+	select VBOOT_LIB
+	depends on TPM1 || TPM2
+	depends on !VBOOT_RETURN_FROM_VERSTAGE
+	help
+	  Enables measured boot (experimental)
+
+config TPM_MEASURED_BOOT_RUNTIME_DATA
+	string "Runtime data whitelist"
+	default ""
+	depends on TPM_MEASURED_BOOT
+	help
+	  Runtime data whitelist of cbfs filenames. Needs to be a
+	  comma separated list
+
 endmenu # Trusted Platform Module (tpm)
diff --git a/src/security/tpm/Makefile.inc b/src/security/tpm/Makefile.inc
@@ -6,22 +6,17 @@ ifeq ($(CONFIG_TPM1),y)
 
 ramstage-y += tss/tcg-1.2/tss.c
 romstage-y += tss/tcg-1.2/tss.c
-
-verstage-$(CONFIG_VBOOT) += tss/tcg-1.2/tss.c
-postcar-$(CONFIG_VBOOT) += tss/tcg-1.2/tss.c
+bootblock-y += tss/tcg-1.2/tss.c
+verstage-y += tss/tcg-1.2/tss.c
+postcar-y += tss/tcg-1.2/tss.c
 
 ## TSPI
 
 ramstage-y += tspi/tspi.c
 romstage-y += tspi/tspi.c
-
-verstage-$(CONFIG_VBOOT) += tspi/tspi.c
-postcar-$(CONFIG_VBOOT) += tspi/tspi.c
-
-ramstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
-romstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
-verstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
-postcar-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
+bootblock-y += tspi/tspi.c
+verstage-y += tspi/tspi.c
+postcar-y += tspi/tspi.c
 
 endif # CONFIG_TPM1
 
@@ -39,17 +34,31 @@ verstage-$(CONFIG_VBOOT) += tss/tcg-2.0/tss.c
 postcar-y += tss/tcg-2.0/tss_marshaling.c
 postcar-y += tss/tcg-2.0/tss.c
 
+bootblock-y += tss/tcg-2.0/tss_marshaling.c
+bootblock-y += tss/tcg-2.0/tss.c
+
 ## TSPI
 
 ramstage-y += tspi/tspi.c
 romstage-y += tspi/tspi.c
-
+bootblock-y += tspi/tspi.c
 verstage-$(CONFIG_VBOOT) += tspi/tspi.c
-postcar-$(CONFIG_VBOOT) += tspi/tspi.c
-
-ramstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
-romstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
-verstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
-postcar-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c
+postcar-y += tspi/tspi.c
 
 endif # CONFIG_TPM2
+
+ifeq ($(CONFIG_TPM_MEASURED_BOOT),y)
+
+bootblock-y += tspi/crtm.c
+verstage-y += tspi/crtm.c
+romstage-y += tspi/crtm.c
+ramstage-y += tspi/crtm.c
+postcar-y += tspi/crtm.c
+
+ramstage-y += tspi/log.c
+romstage-y += tspi/log.c
+verstage-y += tspi/log.c
+postcar-y += tspi/log.c
+bootblock-y += tspi/log.c
+
+endif # CONFIG_TPM_MEASURED_BOOT
diff --git a/src/security/tpm/tspi.h b/src/security/tpm/tspi.h
@@ -23,6 +23,12 @@
 #define TPM_PCR_MAX_LEN 64
 #define HASH_DATA_CHUNK_SIZE 1024
 
+/**
+ * Get the pointer to the single instance of global
+ * tcpa log data, and initialize it when necessary
+ */
+struct tcpa_table *tcpa_log_init(void);
+
 /**
  * Clears the pre-RAM tcpa log data and initializes
  * any content with default values
@@ -47,6 +53,7 @@ void tcpa_log_add_table_entry(const char *name, const uint32_t pcr,
  */
 void tcpa_log_dump(void *unused);
 
+
 /**
  * Ask vboot for a digest and extend a TPM PCR with it.
  * @param pcr sets the pcr index