mrc_cache: Add config MRC_SAVE_HASH_IN_TPM

Use this config to specify whether we want to save a hash of the MRC_CACHE in the TPM NVRAM space. Replace all uses of FSP2_0_USES_TPM_MRC_HASH with MRC_SAVE_HASH_IN_TPM and remove the FSP2_0_USES_TPM_MRC_HASH config. Note that TPM1 platforms will not select MRC_SAVE_HASH_IN_TPM as none of them use FSP2.0 and have recovery MRC_CACHE. BUG=b:150502246 BRANCH=None TEST=emerge-nami coreboot chromeos-bootimage Change-Id: Ic5ffcdba27cb1f09c39c3835029c8d9cc3453af1 Signed-off-by: Shelley Chen <shchen@google.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/46509 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Furquan Shaikh <furquan@google.com>
2020-10-16 12:20:16 -07:00
parent 9eabeb53ab
commit 9f8ac64bae
5 changed files with 14 additions and 22 deletions
--- a/src/drivers/mrc_cache/Kconfig
+++ b/src/drivers/mrc_cache/Kconfig
@@ -49,4 +49,12 @@ config MRC_STASH_TO_CBMEM
 	  that need to write back the MRC data in late ramstage boot
 	  states (MRC_WRITE_NV_LATE).

+config MRC_SAVE_HASH_IN_TPM
+	bool "Save a hash of the MRC_CACHE data in TPM NVRAM"
+	depends on VBOOT_STARTS_IN_BOOTBLOCK && TPM2 && !TPM1
+	default y
+	help
+	  Store a hash of the MRC_CACHE training data in a TPM NVRAM
+	  space to ensure that it cannot be tampered with.
+
 endif # CACHE_MRC_SETTINGS