From 8d9fbd1e3c309f77ed4d70a76f362361e38217f7 Mon Sep 17 00:00:00 2001
From: Tim Crawford
Date: Tue, 21 Dec 2021 10:32:37 -0700
Subject: [PATCH] models: Enable coreboot measured boot
All the laptops contain a TPM 2.0 chip. Enable the measured boot security feature by default.
Link: https://doc.coreboot.org/security/vboot/measured_boot.html
Signed-off-by: Tim Crawford
---
 CHANGELOG.md | 1 +
 models/addw1/coreboot.config | 1 +
 models/addw2/coreboot.config | 1 +
 models/bonw14/coreboot.config | 1 +
 models/darp5/coreboot.config | 1 +
 models/darp6/coreboot.config | 1 +
 models/darp7/coreboot.config | 1 +
 models/galp2/coreboot.config | 1 +
 models/galp3-b/coreboot.config | 1 +
 models/galp3-c/coreboot.config | 1 +
 models/galp3/coreboot.config | 1 +
 models/galp4/coreboot.config | 1 +
 models/galp5/coreboot.config | 1 +
 models/gaze14_1650/coreboot.config | 1 +
 models/gaze14_1660ti/coreboot.config | 1 +
 models/gaze15/coreboot.config | 1 +
 models/gaze16-3050/coreboot.config | 1 +
 models/gaze16-3060-b/coreboot.config | 1 +
 models/gaze16-3060/coreboot.config | 1 +
 models/lemp10/coreboot.config | 1 +
 models/lemp9/coreboot.config | 1 +
 models/oryp5/coreboot.config | 1 +
 models/oryp6/coreboot.config | 1 +
 models/oryp7/coreboot.config | 1 +
 models/oryp8/coreboot.config | 1 +
 25 files changed, 25 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7778ca1..422bea0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@ date followed by an underscore and a short git revision.
 ## unreleased
 - Added support to enable/disable Intel ME via the CMOS option `me_state`
+- Enabled coreboot measured boot
 - Updated Rust toolchain to nightly-2021-06-15
 - Updated coreboot to 4.15
 - Updated EDK2 to edk2-stabke202108
diff --git a/models/addw1/coreboot.config b/models/addw1/coreboot.config
index eaa31d9..7cef0d3 100644
--- a/models/addw1/coreboot.config
+++ b/models/addw1/coreboot.config
@@ -15,6 +15,7 @@ CONFIG_POST_IO=n
 CONFIG_RUN_FSP_GOP=y
 CONFIG_SMMSTORE=y
 CONFIG_SMMSTORE_V2=y
+CONFIG_TPM_MEASURED_BOOT=y
 CONFIG_USE_OPTION_TABLE=y
 CONFIG_VALIDATE_INTEL_DESCRIPTOR=y
 #CONFIG_CONSOLE_SYSTEM76_EC=y
diff --git a/models/addw2/coreboot.config b/models/addw2/coreboot.config
index cf3dce3..f0d1439 100644
--- a/models/addw2/coreboot.config
+++ b/models/addw2/coreboot.config
@@ -15,6 +15,7 @@ CONFIG_POST_IO=n
 CONFIG_RUN_FSP_GOP=y
 CONFIG_SMMSTORE=y
 CONFIG_SMMSTORE_V2=y
+CONFIG_TPM_MEASURED_BOOT=y
 CONFIG_USE_OPTION_TABLE=y
 CONFIG_VALIDATE_INTEL_DESCRIPTOR=y
 #CONFIG_CONSOLE_SYSTEM76_EC=y
diff --git a/models/bonw14/coreboot.config b/models/bonw14/coreboot.config
index 7ac0b48..3585342 100644
--- a/models/bonw14/coreboot.config
+++ b/models/bonw14/coreboot.config
@@ -15,6 +15,7 @@ CONFIG_PCIEXP_HOTPLUG_PREFETCH_MEM=0x20000000
 CONFIG_POST_IO=n
 CONFIG_SMMSTORE=y
 CONFIG_SMMSTORE_V2=y
+CONFIG_TPM_MEASURED_BOOT=y
 CONFIG_USE_OPTION_TABLE=y
 CONFIG_VALIDATE_INTEL_DESCRIPTOR=y
 #CONFIG_CONSOLE_SYSTEM76_EC=y
diff --git a/models/darp5/coreboot.config b/models/darp5/coreboot.config
index 68845f8..a76ab01 100644
--- a/models/darp5/coreboot.config
+++ b/models/darp5/coreboot.config
@@ -15,6 +15,7 @@ CONFIG_POST_IO=n
 CONFIG_RUN_FSP_GOP=y
 CONFIG_SMMSTORE=y
 CONFIG_SMMSTORE_V2=y
+CONFIG_TPM_MEASURED_BOOT=y
 CONFIG_USE_OPTION_TABLE=y
 CONFIG_VALIDATE_INTEL_DESCRIPTOR=y
 #CONFIG_CONSOLE_SYSTEM76_EC=y
diff --git a/models/darp6/coreboot.config b/models/darp6/coreboot.config
index cbc3015..a23ca37 100644
--- a/models/darp6/coreboot.config
+++ b/models/darp6/coreboot.config
@@ -15,6 +15,7 @@ CONFIG_POST_IO=n
 CONFIG_RUN_FSP_GOP=y
 CONFIG_SMMSTORE=y
 CONFIG_SMMSTORE_V2=y
+CONFIG_TPM_MEASURED_BOOT=y
 CONFIG_USE_OPTION_TABLE=y
 CONFIG_VALIDATE_INTEL_DESCRIPTOR=y
 #CONFIG_CONSOLE_SYSTEM76_EC=y
diff --git a/models/darp7/coreboot.config b/models/darp7/coreboot.config
index 9df9eb1..316caf4 100644
--- a/models/darp7/coreboot.config
+++ b/models/darp7/coreboot.config
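Review bot: The added `CONFIG_TPM_MEASURED_BOOT=y` is only effective if its Kconfig dependencies (a TPM 2.0 driver and the TPM subsystem) are satisfied in the full build, and nothing in this fragment selects them — presumably the mainboard Kconfig does, but if it does not, a defconfig-style fragment silently drops the unsatisfiable symbol instead of failing. I would add a build-time assertion that the generated `.config` still contains `CONFIG_TPM_MEASURED_BOOT=y` for each model, and confirm on hardware that the coreboot console reports PCR extends and a populated TPM event log. Enabling measurement also changes the PCR values every one of these models produces, so anything previously sealed to PCRs (TPM-backed disk unlock, for example) will stop unsealing after this firmware update; the CHANGELOG entry should say so explicitly. Finally, coreboot measures only what it loads itself — whether the EDK2 payload picks up the event log and keeps measuring the bootloader and OS is outside this hunk and should be verified before the feature is advertised as end-to-end measured boot.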
@@ -16,6 +16,7 @@ CONFIG_POST_IO=n
 CONFIG_RUN_FSP_GOP=y
 CONFIG_SMMSTORE=y
 CONFIG_SMMSTORE_V2=y
+CONFIG_TPM_MEASURED_BOOT=y
 CONFIG_USE_OPTION_TABLE=y
 CONFIG_VALIDATE_INTEL_DESCRIPTOR=y
 #CONFIG_CONSOLE_SYSTEM76_EC=y
diff --git a/models/galp2/coreboot.config b/models/galp2/coreboot.config
index 8cac548..2cf3e64 100644
--- a/models/galp2/coreboot.config
+++ b/models/galp2/coreboot.config
@@ -14,6 +14,7 @@ CONFIG_POST_IO=n
 CONFIG_RUN_FSP_GOP=y
 CONFIG_SMMSTORE=y
 CONFIG_SMMSTORE_V2=y
+CONFIG_TPM_MEASURED_BOOT=y
 CONFIG_USE_ME_CLEANER=y
 CONFIG_USE_OPTION_TABLE=y
 CONFIG_VALIDATE_INTEL_DESCRIPTOR=y
diff --git a/models/galp3-b/coreboot.config b/models/galp3-b/coreboot.config
index 3e99d6d..84f7621 100644
--- a/models/galp3-b/coreboot.config
+++ b/models/galp3-b/coreboot.config
@@ -14,6 +14,7 @@ CONFIG_POST_IO=n
 CONFIG_RUN_FSP_GOP=y
 CONFIG_SMMSTORE=y
 CONFIG_SMMSTORE_V2=y
+CONFIG_TPM_MEASURED_BOOT=y
 CONFIG_USE_ME_CLEANER=y
 CONFIG_USE_OPTION_TABLE=y
 CONFIG_VALIDATE_INTEL_DESCRIPTOR=y
diff --git a/models/galp3-c/coreboot.config b/models/galp3-c/coreboot.config
index a13e72c..67f9589 100644
--- a/models/galp3-c/coreboot.config
+++ b/models/galp3-c/coreboot.config
@@ -15,6 +15,7 @@ CONFIG_POST_IO=n
 CONFIG_RUN_FSP_GOP=y
 CONFIG_SMMSTORE=y
 CONFIG_SMMSTORE_V2=y
+CONFIG_TPM_MEASURED_BOOT=y
 CONFIG_USE_OPTION_TABLE=y
 CONFIG_VALIDATE_INTEL_DESCRIPTOR=y
 #CONFIG_CONSOLE_SYSTEM76_EC=y
diff --git a/models/galp3/coreboot.config b/models/galp3/coreboot.config
index 2d2cd9f..4f42c44 100644
--- a/models/galp3/coreboot.config
+++ b/models/galp3/coreboot.config
@@ -14,6 +14,7 @@ CONFIG_POST_IO=n
 CONFIG_RUN_FSP_GOP=y
 CONFIG_SMMSTORE=y
 CONFIG_SMMSTORE_V2=y
+CONFIG_TPM_MEASURED_BOOT=y
 CONFIG_USE_ME_CLEANER=y
 CONFIG_USE_OPTION_TABLE=y
 CONFIG_VALIDATE_INTEL_DESCRIPTOR=y
diff --git a/models/galp4/coreboot.config b/models/galp4/coreboot.config
index cd0860e..7fe4b43 100644
--- a/models/galp4/coreboot.config
+++ b/models/galp4/coreboot.config
@@ -15,6 +15,7 @@ CONFIG_POST_IO=n
 CONFIG_RUN_FSP_GOP=y
 CONFIG_SMMSTORE=y
 CONFIG_SMMSTORE_V2=y
+CONFIG_TPM_MEASURED_BOOT=y
 CONFIG_USE_OPTION_TABLE=y
 CONFIG_VALIDATE_INTEL_DESCRIPTOR=y
 #CONFIG_CONSOLE_SYSTEM76_EC=y
diff --git a/models/galp5/coreboot.config b/models/galp5/coreboot.config
index 77fee62..1753a65 100644
--- a/models/galp5/coreboot.config
+++ b/models/galp5/coreboot.config
@@ -16,6 +16,7 @@ CONFIG_POST_IO=n
 CONFIG_RUN_FSP_GOP=y
 CONFIG_SMMSTORE=y
 CONFIG_SMMSTORE_V2=y
+CONFIG_TPM_MEASURED_BOOT=y
 CONFIG_USE_OPTION_TABLE=y
 CONFIG_VALIDATE_INTEL_DESCRIPTOR=y
 #CONFIG_CONSOLE_SYSTEM76_EC=y
diff --git a/models/gaze14_1650/coreboot.config b/models/gaze14_1650/coreboot.config
index 52a929c..0253a4e 100644
--- a/models/gaze14_1650/coreboot.config
+++ b/models/gaze14_1650/coreboot.config
@@ -12,6 +12,7 @@ CONFIG_PAYLOAD_FILE="$(FIRMWARE_OPEN_UEFIPAYLOAD)"
 CONFIG_RUN_FSP_GOP=y
 CONFIG_SMMSTORE=y
 CONFIG_SMMSTORE_V2=y
+CONFIG_TPM_MEASURED_BOOT=y
 CONFIG_USE_OPTION_TABLE=y
 CONFIG_VALIDATE_INTEL_DESCRIPTOR=y
 #CONFIG_CONSOLE_SYSTEM76_EC=y
diff --git a/models/gaze14_1660ti/coreboot.config b/models/gaze14_1660ti/coreboot.config
index 52a929c..0253a4e 100644
--- a/models/gaze14_1660ti/coreboot.config
+++ b/models/gaze14_1660ti/coreboot.config
@@ -12,6 +12,7 @@ CONFIG_PAYLOAD_FILE="$(FIRMWARE_OPEN_UEFIPAYLOAD)"
 CONFIG_RUN_FSP_GOP=y
 CONFIG_SMMSTORE=y
 CONFIG_SMMSTORE_V2=y
+CONFIG_TPM_MEASURED_BOOT=y
 CONFIG_USE_OPTION_TABLE=y
 CONFIG_VALIDATE_INTEL_DESCRIPTOR=y
 #CONFIG_CONSOLE_SYSTEM76_EC=y
diff --git a/models/gaze15/coreboot.config b/models/gaze15/coreboot.config
index 8449ae9..3f4d91a 100644
--- a/models/gaze15/coreboot.config
+++ b/models/gaze15/coreboot.config
@@ -13,6 +13,7 @@ CONFIG_POST_IO=n
 CONFIG_RUN_FSP_GOP=y
 CONFIG_SMMSTORE=y
 CONFIG_SMMSTORE_V2=y
+CONFIG_TPM_MEASURED_BOOT=y
 CONFIG_USE_OPTION_TABLE=y
 CONFIG_VALIDATE_INTEL_DESCRIPTOR=y
 #CONFIG_CONSOLE_SYSTEM76_EC=y
diff --git a/models/gaze16-3050/coreboot.config b/models/gaze16-3050/coreboot.config
index c94506e..e2c5780 100644
--- a/models/gaze16-3050/coreboot.config
+++ b/models/gaze16-3050/coreboot.config
@@ -14,6 +14,7 @@ CONFIG_POST_IO=n
 CONFIG_RUN_FSP_GOP=y
 CONFIG_SMMSTORE=y
 CONFIG_SMMSTORE_V2=y
+CONFIG_TPM_MEASURED_BOOT=y
 CONFIG_USE_OPTION_TABLE=y
 CONFIG_VALIDATE_INTEL_DESCRIPTOR=y
 #CONFIG_CONSOLE_SYSTEM76_EC=y
diff --git a/models/gaze16-3060-b/coreboot.config b/models/gaze16-3060-b/coreboot.config
index 949bd8b..6a671a7 100644
--- a/models/gaze16-3060-b/coreboot.config
+++ b/models/gaze16-3060-b/coreboot.config
@@ -16,6 +16,7 @@ CONFIG_POST_IO=n
 CONFIG_RUN_FSP_GOP=y
 CONFIG_SMMSTORE=y
 CONFIG_SMMSTORE_V2=y
+CONFIG_TPM_MEASURED_BOOT=y
 CONFIG_USE_OPTION_TABLE=y
 CONFIG_VALIDATE_INTEL_DESCRIPTOR=y
 CONFIG_CONSOLE_SYSTEM76_EC=y
diff --git a/models/gaze16-3060/coreboot.config b/models/gaze16-3060/coreboot.config
index c5a2d0b..15cc542 100644
--- a/models/gaze16-3060/coreboot.config
+++ b/models/gaze16-3060/coreboot.config
@@ -14,6 +14,7 @@ CONFIG_POST_IO=n
 CONFIG_RUN_FSP_GOP=y
 CONFIG_SMMSTORE=y
 CONFIG_SMMSTORE_V2=y
+CONFIG_TPM_MEASURED_BOOT=y
 CONFIG_USE_OPTION_TABLE=y
 CONFIG_VALIDATE_INTEL_DESCRIPTOR=y
 #CONFIG_CONSOLE_SYSTEM76_EC=y
diff --git a/models/lemp10/coreboot.config b/models/lemp10/coreboot.config
index b3c8a91..071f8ac 100644
--- a/models/lemp10/coreboot.config
+++ b/models/lemp10/coreboot.config
@@ -16,6 +16,7 @@ CONFIG_POST_IO=n
 CONFIG_RUN_FSP_GOP=y
 CONFIG_SMMSTORE=y
 CONFIG_SMMSTORE_V2=y
+CONFIG_TPM_MEASURED_BOOT=y
 CONFIG_USE_OPTION_TABLE=y
 CONFIG_VALIDATE_INTEL_DESCRIPTOR=y
 #CONFIG_CONSOLE_SYSTEM76_EC=y
diff --git a/models/lemp9/coreboot.config b/models/lemp9/coreboot.config
index 009dc8c..6af6c08 100644
--- a/models/lemp9/coreboot.config
+++ b/models/lemp9/coreboot.config
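Review bot: In the gaze16-3060-b hunk the context line `CONFIG_CONSOLE_SYSTEM76_EC=y` is live, whereas every other model in this patch carries it commented out as `#CONFIG_CONSOLE_SYSTEM76_EC=y`. This is not introduced by the commit, but it is worth confirming it is intentional for that board rather than a debug setting left behind, since a coreboot console routed to the EC in a release build is both a behaviour difference from the rest of the fleet and a potential leak of boot-time diagnostics; if it is accidental, it should be brought in line with the other models in a separate change.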
@@ -13,6 +13,7 @@ CONFIG_POST_IO=n
 CONFIG_RUN_FSP_GOP=y
 CONFIG_SMMSTORE=y
 CONFIG_SMMSTORE_V2=y
+CONFIG_TPM_MEASURED_BOOT=y
 CONFIG_USE_OPTION_TABLE=y
 CONFIG_VALIDATE_INTEL_DESCRIPTOR=y
 #CONFIG_CONSOLE_SYSTEM76_EC=y
diff --git a/models/oryp5/coreboot.config b/models/oryp5/coreboot.config
index 1b9184a..dc912e2 100644
--- a/models/oryp5/coreboot.config
+++ b/models/oryp5/coreboot.config
@@ -13,6 +13,7 @@ CONFIG_POST_IO=n
 CONFIG_RUN_FSP_GOP=y
 CONFIG_SMMSTORE=y
 CONFIG_SMMSTORE_V2=y
+CONFIG_TPM_MEASURED_BOOT=y
 CONFIG_USE_OPTION_TABLE=y
 CONFIG_VALIDATE_INTEL_DESCRIPTOR=y
 #CONFIG_CONSOLE_SYSTEM76_EC=y
diff --git a/models/oryp6/coreboot.config b/models/oryp6/coreboot.config
index af371df..36ec4b1 100644
--- a/models/oryp6/coreboot.config
+++ b/models/oryp6/coreboot.config
@@ -14,6 +14,7 @@ CONFIG_POST_IO=n
 CONFIG_RUN_FSP_GOP=y
 CONFIG_SMMSTORE=y
 CONFIG_SMMSTORE_V2=y
+CONFIG_TPM_MEASURED_BOOT=y
 CONFIG_USE_OPTION_TABLE=y
 CONFIG_VALIDATE_INTEL_DESCRIPTOR=y
 #CONFIG_CONSOLE_SYSTEM76_EC=y
diff --git a/models/oryp7/coreboot.config b/models/oryp7/coreboot.config
index 9fdf257..4f834ca 100644
--- a/models/oryp7/coreboot.config
+++ b/models/oryp7/coreboot.config
@@ -14,6 +14,7 @@ CONFIG_POST_IO=n
 CONFIG_RUN_FSP_GOP=y
 CONFIG_SMMSTORE=y
 CONFIG_SMMSTORE_V2=y
+CONFIG_TPM_MEASURED_BOOT=y
 CONFIG_USE_OPTION_TABLE=y
 CONFIG_VALIDATE_INTEL_DESCRIPTOR=y
 #CONFIG_CONSOLE_SYSTEM76_EC=y
diff --git a/models/oryp8/coreboot.config b/models/oryp8/coreboot.config
index 0363eb8..459d5c4 100644
--- a/models/oryp8/coreboot.config
+++ b/models/oryp8/coreboot.config
@@ -17,6 +17,7 @@ CONFIG_POST_IO=n
 CONFIG_RUN_FSP_GOP=y
 CONFIG_SMMSTORE=y
 CONFIG_SMMSTORE_V2=y
+CONFIG_TPM_MEASURED_BOOT=y
 CONFIG_USE_OPTION_TABLE=y
 CONFIG_VALIDATE_INTEL_DESCRIPTOR=y
 #CONFIG_CONSOLE_SYSTEM76_EC=y