security/tpm/crtm: Add a function to measure the bootblock on SoC level

On platforms where the bootblock is not included in CBFS anymore (because it is part of another firmware section (IFWI or a different CBFS), the CRTM measurement fails. This patch adds a new function to provide a way at SoC level to measure the bootblock. Following patches will add functionality to retrieve the bootblock from the SoC related location and measure it from there. In this way the really executed code will be measured. Change-Id: I6d0da1e95a9588eb5228f63151bb04bfccfcf04b Signed-off-by: Werner Zeh <werner.zeh@siemens.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/64492 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Arthur Heymans <arthur@aheymans.xyz>
2022-05-19 09:16:28 +02:00
parent ca29a191d5
commit 5c808e03e2
6 changed files with 34 additions and 1 deletions
--- a/src/security/tpm/tspi/crtm.c
+++ b/src/security/tpm/tspi/crtm.c
@@ -73,7 +73,16 @@ static uint32_t tspi_init_crtm(void)
 			return VB2_ERROR_UNKNOWN;
 		}
 		cbfs_unmap(mapping);
-	} /* else: TODO: Add SoC specific measurement methods. */
+	} else {
+		/* Since none of the above conditions are met let the SOC code measure the
+		 * bootblock. This accomplishes for cases where the bootblock is treated
+		 * in a special way (e.g. part of IFWI or located in a different CBFS). */
+		if (tspi_soc_measure_bootblock(TPM_CRTM_PCR)) {
+			printk(BIOS_INFO,
+			       "TSPI: Couldn't measure bootblock into CRTM on SoC level!\n");
+			return VB2_ERROR_UNKNOWN;
+		}
+	}

 	return VB2_SUCCESS;
 }