security/vboot: Add new TPM NVRAM index MRC_RW_HASH_NV_INDEX

Add new index for MRC_CACHE data in RW.  Also update antirollback
functions to handle this new index where necessary.

BUG=b:150502246
BRANCH=None
TEST=make sure memory training still works on nami

Change-Id: I2de3c23aa56d3b576ca54dbd85c75e5b80199560
Signed-off-by: Shelley Chen <shchen@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/46511
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
This commit is contained in:
Shelley Chen
2020-10-16 13:37:09 -07:00
committed by Julius Werner
parent a79803cf29
commit df0481e9e1
2 changed files with 40 additions and 10 deletions


@@ -164,9 +164,14 @@ static uint32_t set_kernel_space(const void *kernel_blob)
static uint32_t set_mrc_hash_space(uint32_t index, const uint8_t *data)
{
return set_space("MRC Hash", index, data, HASH_NV_SIZE,
ro_space_attributes, pcr0_unchanged_policy,
sizeof(pcr0_unchanged_policy));
if (index == MRC_REC_HASH_NV_INDEX) {
return set_space("RO MRC Hash", index, data, HASH_NV_SIZE,
ro_space_attributes, pcr0_unchanged_policy,
sizeof(pcr0_unchanged_policy));
} else {
return set_space("RW MRC Hash", index, data, HASH_NV_SIZE,
rw_space_attributes, NULL, 0);
}
}
static uint32_t _factory_initialize_tpm(struct vb2_context *ctx)
@@ -183,6 +188,13 @@ static uint32_t _factory_initialize_tpm(struct vb2_context *ctx)
*/
RETURN_ON_FAILURE(set_kernel_space(ctx->secdata_kernel));
/*
* Define and set rec hash space, if available. No need to
* create the RW hash space because we will definitely boot
* once in normal mode before shipping, meaning that the space
* will get created with correct permissions while still in in
* our hands.
*/
if (CONFIG(VBOOT_HAS_REC_HASH_SPACE))
RETURN_ON_FAILURE(set_mrc_hash_space(MRC_REC_HASH_NV_INDEX, mrc_hash_data));
@@ -304,7 +316,13 @@ static uint32_t _factory_initialize_tpm(struct vb2_context *ctx)
ctx->secdata_firmware,
VB2_SECDATA_FIRMWARE_SIZE));
/* Define and set rec hash space, if available. */
/*
* Define and set rec hash space, if available. No need to
* create the RW hash space because we will definitely boot
* once in normal mode before shipping, meaning that the space
* will get created with correct permissions while still in in
* our hands.
*/
if (CONFIG(VBOOT_HAS_REC_HASH_SPACE))
RETURN_ON_FAILURE(set_mrc_hash_space(MRC_REC_HASH_NV_INDEX, mrc_hash_data));
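Review bot: The `else` branch of set_mrc_hash_space in the first hunk defines a space with `rw_space_attributes` and no policy for every index other than MRC_REC_HASH_NV_INDEX, so a caller passing an unexpected index would silently get the weaker RW attributes instead of an error; consider `} else if (index == MRC_RW_HASH_NV_INDEX) {` for the RW case and a final `else` that returns a failure code so only the two known indices can be defined here. The comment added in the second and third hunks has a doubled word in "while still in in our hands". The same comment states that the RW hash space is created on a later normal-mode boot, which is a deployment assumption rather than something this code checks; naming the code path that creates it (hedged as a TODO if unsure) would let a reader verify that claim rather than take it on trust. The `_factory_initialize_tpm` function that the second and third hunks belong to starts and ends outside these hunks.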