security/tpm: Include mrc.bin in CRTM if present

mrc.bin, on platforms where it is present, is code executed on CPU, so it should be considered a part of CRTM. cbfs_locate_file_in_region() is hooked to measurement here too, since mrc.bin is loaded with it, and CBFS_TYPE_MRC (the type of mrc.bin) is measured to TPM_CRTM_PCR rather than TPM_RUNTIME_DATA_PCR. TODO: I have heard that SMM is too resource-limited to link with vboot library, so currently tspi_measure_cbfs_hook() is masked in SMM. Please correct me if I am wrong. Change-Id: Ib4c3cf47b919864056baf725001ca8a4aaafa110 Signed-off-by: Bill XIE <persmule@hardenedlinux.org> Reviewed-on: https://review.coreboot.org/c/coreboot/+/38858 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Julius Werner <jwerner@chromium.org>
2020-02-13 11:11:35 +08:00
parent ea861ce831
commit bad08c2c29
3 changed files with 16 additions and 5 deletions
--- a/src/security/tpm/tspi/crtm.c
+++ b/src/security/tpm/tspi/crtm.c
@@ -133,10 +133,14 @@ uint32_t tspi_measure_cbfs_hook(struct cbfsf *fh, const char *name)
 	cbfs_file_data(&rdev, fh);

 	switch (cbfs_type) {
-	case CBFS_TYPE_MRC:
 	case CBFS_TYPE_MRC_CACHE:
 		pcr_index = TPM_RUNTIME_DATA_PCR;
 		break;
+	/*
+	 * mrc.bin is code executed on CPU, so it
+	 * should not be considered runtime data
+	 */
+	case CBFS_TYPE_MRC:
 	case CBFS_TYPE_STAGE:
 	case CBFS_TYPE_SELF:
 	case CBFS_TYPE_FIT: