soc/intel/apollolake: Measure the IBBL, IBB and OBB from the bootblock

Get information about the current Boot Guard implementation, such as whether it's enabled, the profile and if Measured Boot or Verified Boot are required. Then, measure the three individual components of the BIOS. Tested on the StarLite Mk III where all three components were measured successfully: [DEBUG] Boot Guard 2.0: Verified Boot: Enforced [DEBUG] Boot Guard 2.0: Measured Boot: Enforced [DEBUG] TXE Hash: [DEBUG] 0xfef08f5e: ... [DEBUG] 0xfef08f6e: ... [DEBUG] IBBL Hash: [DEBUG] 0xfef08f7e: ... [DEBUG] 0xfef08f8e: ... [DEBUG] IBB Pointer: Present ... [DEBUG] IBB Hash: [DEBUG] 0xfef08f9e: ... [DEBUG] 0xfef08fae: ... Signed-off-by: Sean Rhodes <sean@starlabs.systems> Change-Id: Ia962ae40b411671e82540b19f3b8680529783711 Reviewed-on: https://review.coreboot.org/c/coreboot/+/65444 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Matt DeVillier <matt.devillier@gmail.com>
2022-06-26 22:26:00 +01:00 · 2022-06-26 22:26:00 +01:00 · def945f3ba
commit def945f3ba
parent fbb0738272
1 changed files with 18 additions and 0 deletions
--- a/src/soc/intel/apollolake/bootblock/bootblock.c
+++ b/src/soc/intel/apollolake/bootblock/bootblock.c
@ -15,9 +15,11 @@
 #include <intelblocks/pmclib.h>
 #include <intelblocks/tco.h>
 #include <intelblocks/uart.h>
+#include <soc/iomap.h>
 #include <soc/cpu.h>
 #include <soc/loader.h>
 #include <soc/gpio.h>
+#include <soc/measured_boot.h>
 #include <soc/soc_chip.h>
 #include <soc/systemagent.h>
 #include <soc/pci_devs.h>
@ -42,6 +44,8 @@ static void tpm_enable(void)
 asmlinkage void bootblock_c_entry(uint64_t base_timestamp)
 {
 	pci_devfn_t dev;
+	bool ibb_exists;
+	struct boot_policy_manifest bpm_info;

 	bootblock_systemagent_early_init();

@ -54,6 +58,13 @@ asmlinkage void bootblock_c_entry(uint64_t base_timestamp)
 	pci_write_config16(dev, PCI_COMMAND,
 				PCI_COMMAND_IO | PCI_COMMAND_MASTER);

+	/*
+	 * Check the status of the BPM, and measured the IBB and OBB
+	 * if required. Returns 1 if IBB exists.
+	 */
+	if (CONFIG(IFWI_MEASURED_BOOT))
+		ibb_exists = fetch_pre_rbp_data(&bpm_info);
+
 	enable_rtc_upper_bank();

 	if (CONFIG(IFWI_IBBM_LOAD)) {
@ -61,6 +72,13 @@ asmlinkage void bootblock_c_entry(uint64_t base_timestamp)
 		flush_l1d_to_l2();
 	}

+	/*
+	 * If the IBB exists, measure it after it has been loaded via
+	 * the CSEs RBP.
+	 */
+	if (CONFIG(IFWI_MEASURED_BOOT) && ibb_exists)
+		fetch_post_rbp_data(&bpm_info);
+
 	/* Call lib/bootblock.c main */
 	bootblock_main_with_basetime(base_timestamp);
 }