security/vboot: Add measured boot mode
* Introduce a measured boot mode into vboot. * Add hook for stage measurements in prog_loader and cbfs. * Implement and hook-up CRTM in vboot and check for suspend. Change-Id: I339a2f1051e44f36aba9f99828f130592a09355e Signed-off-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com> Signed-off-by: Werner Zeh <werner.zeh@siemens.com> Reviewed-on: https://review.coreboot.org/c/29547 Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
This commit is contained in:
Philipp Deppenwiese
@ -26,6 +26,7 @@
|
||||
#include <timestamp.h>
|
||||
#include <fmap.h>
|
||||
#include "fmap_config.h"
|
||||
#include <security/vboot/vboot_crtm.h>
|
||||
|
||||
#define ERROR(x...) printk(BIOS_ERR, "CBFS: " x)
|
||||
#define LOG(x...) printk(BIOS_INFO, "CBFS: " x)
|
||||
@ -59,7 +60,12 @@ int cbfs_boot_locate(struct cbfsf *fh, const char *name, uint32_t *type)
|
||||
return -1;
|
||||
}
|
||||
|
||||
return cbfs_locate(fh, &rdev, name, type);
|
||||
int ret = cbfs_locate(fh, &rdev, name, type);
|
||||
if (!ret)
|
||||
if (vboot_measure_cbfs_hook(fh, name))
|
||||
return -1;
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
void *cbfs_boot_map_with_leak(const char *name, uint32_t type, size_t *size)
|
||||
@ -79,13 +85,13 @@ void *cbfs_boot_map_with_leak(const char *name, uint32_t type, size_t *size)
|
||||
}
|
||||
|
||||
int cbfs_locate_file_in_region(struct cbfsf *fh, const char *region_name,
|
||||
const char *name, uint32_t *type)
|
||||
const char *name, uint32_t *type)
|
||||
{
|
||||
struct region_device rdev;
|
||||
|
||||
if (fmap_locate_area_as_rdev(region_name, &rdev)) {
|
||||
LOG("%s region not found while looking for %s\n",
|
||||
region_name, name);
|
||||
region_name, name);
|
||||
return -1;
|
||||
}
|
||||
|
||||
@ -107,7 +113,7 @@ size_t cbfs_load_and_decompress(const struct region_device *rdev, size_t offset,
|
||||
|
||||
case CBFS_COMPRESS_LZ4:
|
||||
if ((ENV_BOOTBLOCK || ENV_VERSTAGE) &&
|
||||
!IS_ENABLED(CONFIG_COMPRESS_PRERAM_STAGES))
|
||||
!IS_ENABLED(CONFIG_COMPRESS_PRERAM_STAGES))
|
||||
return 0;
|
||||
|
||||
/* Load the compressed image to the end of the available memory
|
||||
@ -130,7 +136,7 @@ size_t cbfs_load_and_decompress(const struct region_device *rdev, size_t offset,
|
||||
if (ENV_ROMSTAGE && IS_ENABLED(CONFIG_POSTCAR_STAGE))
|
||||
return 0;
|
||||
if ((ENV_ROMSTAGE || ENV_POSTCAR)
|
||||
&& !IS_ENABLED(CONFIG_COMPRESS_RAMSTAGE))
|
||||
&& !IS_ENABLED(CONFIG_COMPRESS_RAMSTAGE))
|
||||
return 0;
|
||||
void *map = rdev_mmap(rdev, offset, in_size);
|
||||
if (map == NULL)
|
||||
@ -157,9 +163,9 @@ static inline int tohex4(unsigned int c)
|
||||
|
||||
static void tohex16(unsigned int val, char *dest)
|
||||
{
|
||||
dest[0] = tohex4(val>>12);
|
||||
dest[1] = tohex4((val>>8) & 0xf);
|
||||
dest[2] = tohex4((val>>4) & 0xf);
|
||||
dest[0] = tohex4(val >> 12);
|
||||
dest[1] = tohex4((val >> 8) & 0xf);
|
||||
dest[2] = tohex4((val >> 4) & 0xf);
|
||||
dest[3] = tohex4(val & 0xf);
|
||||
}
|
||||
|
||||
@ -167,8 +173,8 @@ void *cbfs_boot_map_optionrom(uint16_t vendor, uint16_t device)
|
||||
{
|
||||
char name[17] = "pciXXXX,XXXX.rom";
|
||||
|
||||
tohex16(vendor, name+3);
|
||||
tohex16(device, name+8);
|
||||
tohex16(vendor, name + 3);
|
||||
tohex16(device, name + 8);
|
||||
|
||||
return cbfs_boot_map_with_leak(name, CBFS_TYPE_OPTIONROM, NULL);
|
||||
}
|
||||
@ -202,8 +208,9 @@ size_t cbfs_boot_load_file(const char *name, void *buf, size_t buf_size,
|
||||
return 0;
|
||||
|
||||
if (cbfsf_decompression_info(&fh, &compression_algo,
|
||||
&decompressed_size) < 0
|
||||
|| decompressed_size > buf_size)
|
||||
&decompressed_size)
|
||||
< 0
|
||||
|| decompressed_size > buf_size)
|
||||
return 0;
|
||||
|
||||
return cbfs_load_and_decompress(&fh.data, 0, region_device_sz(&fh.data),
|
||||
@ -249,7 +256,7 @@ int cbfs_prog_stage_load(struct prog *pstage)
|
||||
/* Hacky way to not load programs over read only media. The stages
|
||||
* that would hit this path initialize themselves. */
|
||||
if (ENV_VERSTAGE && !IS_ENABLED(CONFIG_NO_XIP_EARLY_STAGES) &&
|
||||
IS_ENABLED(CONFIG_BOOT_DEVICE_MEMORY_MAPPED)) {
|
||||
IS_ENABLED(CONFIG_BOOT_DEVICE_MEMORY_MAPPED)) {
|
||||
void *mapping = rdev_mmap(fh, foffset, fsize);
|
||||
rdev_munmap(fh, mapping);
|
||||
if (mapping == load)
|
||||
@ -354,7 +361,7 @@ int cbfs_boot_region_properties(struct cbfs_props *props)
|
||||
continue;
|
||||
|
||||
LOG("'%s' located CBFS at [%zx:%zx)\n",
|
||||
ops->name, props->offset, props->offset + props->size);
|
||||
ops->name, props->offset, props->offset + props->size);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user