Create an NVRAM counter in TPM 2.0 that survives owner clear and can be
read and written without authorization. This counter allows to seal data
with the TPM that can only be unsealed before the counter was
incremented. It will be used during Chrome OS rollback to securely carry
data across a TPM clear.
Signed-off-by: Miriam Polzer <mpolzer@google.com>
Change-Id: I511dba3b3461713ce20fb2bda9fced0fee6517e1
Reviewed-on: https://review.coreboot.org/c/coreboot/+/59097
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
When fetching antirollback information for the kernel, it is not always
known ahead of time what the current size of the kernel secdata area
is. If the incorrect size is passed, the TPM will return back the
correct size, but at the cost of an extra transaction; when using cr50
over I2C, this can be as much as 20ms. Currently, the first attempt uses
the minimium size (aka version 0 or 0.2), and if another size is used
(which is the case for all modern cr50-based boards, version 1 or 1.0),
then a transaction is wasted on every boot.
Therefore, change the default size sent to the TPM to be the default one
used in the VB2 API instead of the minimum one.
BUG=b:201304784
TEST=verify TPM initialization time drops by ~20ms. Also the Kernel NV
Index is read correctly in the BIOS logs.
src/security/tpm/tss/tcg-2.0/tss.c:231 index 0x1007 return code 0
src/security/tpm/tss/tcg-2.0/tss.c:231 index 0x1008 return code 0
504:finished TPM initialization 99,953 (65,606)
Change-Id: I22d9c0079bb1175f24ff7317d116e79aa5ba08ed
Signed-off-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/58669
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Yu-Ping Wu <yupingso@google.com>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Raul Rangel <rrangel@chromium.org>
This reverts commit adb393bdd6.
This relands commit 6260bf712a.
Reason for revert:
The original CL did not handle some devices correctly.
With the fixes:
* commit 36721a4 (mb/google/brya: Add GPIO_IN_RW to all variants'
early GPIO tables)
* commit 3bfe46c (mb/google/guybrush: Add GPIO EC in RW to early
GPIO tables)
* commit 3a30cf9 (mb/google/guybrush: Build chromeos.c in verstage
This CL also fix the following platforms:
* Change to always trusted: cyan.
* Add to early GPIO table: dedede, eve, fizz, glados, hatch, octopus,
poppy, reef, volteer.
* Add to both Makefile and early GPIO table: zork.
For mb/intel:
* adlrvp: Add support for get_ec_is_trusted().
* glkrvp: Add support for get_ec_is_trusted() with always trusted.
* kblrvp: Add support for get_ec_is_trusted() with always trusted.
* kunimitsu: Add support for get_ec_is_trusted() and initialize it as
early GPIO.
* shadowmountain: Add support for get_ec_is_trusted() and initialize
it as early GPIO.
* tglrvp: Add support for get_ec_is_trusted() with always trusted.
For qemu-q35: Add support for get_ec_is_trusted() with always trusted.
We could attempt another land.
Change-Id: I66b8b99d6e6bf259b18573f9f6010f9254357bf9
Signed-off-by: Hsuan Ting Chen <roccochen@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/58253
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Karthik Ramasubramanian <kramasub@google.com>
Reviewed-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
Reviewed-by: Yu-Ping Wu <yupingso@google.com>
This reverts commit 6260bf712a.
Reason for revert: This CL did not handle Intel GPIO correctly. We need
to add GPIO_EC_IN_RW into early_gpio_table for platforms using Intel
SoC.
Signed-off-by: Hsuan Ting Chen <roccochen@chromium.org>
Change-Id: Iaeb1bf598047160f01e33ad0d9d004cad59e3f75
Reviewed-on: https://review.coreboot.org/c/coreboot/+/57951
Reviewed-by: Yu-Ping Wu <yupingso@google.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Now that the vb2ex_hwcrypto_* stub functions are included in vboot fwlib
(CL:2353775), we can remove the same stubs from coreboot.
BUG=none
TEST=emerge-brya coreboot
TEST=emerge-cherry coreboot
BRANCH=none
Change-Id: I62bdc647eb3e34c581cc1b8d15e7f271211e6156
Signed-off-by: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/58095
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Werner Zeh <werner.zeh@siemens.com>
vboot_reference is introducing a new field (ctx) to store the current
boot mode in crrev/c/2944250 (ctx->bootmode), which will be leveraged
in both vboot flow and elog_add_boot_reason in coreboot.
In current steps of deciding bootmode, a function vb2ex_ec_trusted
is required. This function checks gpio EC_IN_RW pin and will return
'trusted' only if EC is not in RW. Therefore, we need to implement
similar utilities in coreboot.
We will deprecate vb2ex_ec_trusted and use the flag,
VB2_CONTEXT_EC_TRUSTED, in vboot, vb2api_fw_phase1 and set that flag
in coreboot, verstage_main.
Also add a help function get_ec_is_trusted which needed to be
implemented per mainboard.
BUG=b:177196147, b:181931817
BRANCH=none
TEST=Test on trogdor if manual recovery works
Signed-off-by: Hsuan Ting Chen <roccochen@chromium.org>
Change-Id: I479c8f80e45cc524ba87db4293d19b29bdfa2192
Reviewed-on: https://review.coreboot.org/c/coreboot/+/57048
Reviewed-by: Yu-Ping Wu <yupingso@google.com>
Reviewed-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Currently, check_boot_mode is called after vb2api_fw_phase1, which
makes verstage_main exit before reaching check_boot_mode if recovery
mode is manually requested. Thus, recovery mode isn't able to test
whether VB2_CONTEXT_EC_TRUSTED is set or not.
This patch makes verstage_main call check_boot_mode before
vb2api_fw_phase1 to fix the issue.
BUG=b:180927027, b:187871195
BRANCH=none
TEST=build
Change-Id: If8524d1513b13fd79320a116a83f6729a820f61f
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/57623
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
It can be nice to update the TPM firmware without having to clear the
TPM owner. However, in order to do so would require platformHierarchy
to be enabled which would leave the kernel antirollback space a bit
vulnerable. To protect the kernel antirollback space from being written
to by the OS, we can use the WriteLock command. In order to do so we
need to add the WRITE_STCLEAR TPM attribute.
This commit adds the WRITE_STCLEAR TPM attribute to the rw antirollback
spaces. This includes the kernel antirollback space along with the MRC
space. When an STCLEAR attribute is set, this indicates that the TPM
object will need to be reloaded after any TPM Startup (CLEAR).
BUG=b:186029006
BRANCH=None
TEST=Build and flash a chromebook with no kernel antirollback space set
up, boot to Chrome OS, run `tpm_manager_client get_space_info
--index=0x1007` and verify that the WRITE_STCLEAR attribute is present.
Signed-off-by: Aseda Aboagye <aaboagye@google.com>
Change-Id: I3181b4c18acd908e924ad858b677e891312423fe
Reviewed-on: https://review.coreboot.org/c/coreboot/+/56358
Reviewed-by: Julius Werner <jwerner@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Add Kconfig option for VBOOT_X86_SHA256_ACCELERATION, which will
use x86-sha extension for SHA256 instead of software implementation.
TEST=Able to call vb2ex_hwcrypto_digest_init() and perform SHA
using HW crypto engine.
Change-Id: Idc8be8711c69f4ebc489cd37cc3749c0b257c610
Signed-off-by: Subrata Banik <subrata.banik@intel.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/55611
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
We are not currently tracking how long it takes to load verstage. The
enum values already exist, they just weren't used.
BUG=b:179092979
TEST=Dump timestamps
501:starting to load verstage 2,280,656 (1)
502:finished loading verstage 2,340,845 (60,189)
Signed-off-by: Raul E Rangel <rrangel@chromium.org>
Change-Id: I2cde58cb8aa796829a4e054e6925e2394973484b
Reviewed-on: https://review.coreboot.org/c/coreboot/+/55370
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
This commit adds support for the Chrome OS Zero-Touch Enrollment related
spaces. For TPM 2.0 devices which don't use Cr50, coreboot will define
the RMA+SN Bits, Board ID, and RMA Bytes counter spaces.
The RMA+SN Bits space is 16 bytes initialized to all 0xFFs.
The Board ID space is 12 bytes initialized to all 0xFFs.
The RMA Bytes counter space is 8 bytes intialized to 0.
BUG=b:184676425
BRANCH=None
TEST=Build and flash lalala, verify that the ZTE spaces are created
successfully by undefining the firmware antirollback space in the TPM
such that the TPM undergoes factory initialization in coreboot. Reboot
the DUT. Boot to CrOS and run `tpm_manager_client list_spaces` and
verify that the ZTE spaces are listed. Run `tpm_manager_client
read_space` with the various indices and verify that the sizes and
initial values of the spaces are correct.
TEST=Attempt to undefine the ZTE spaces and verify that it fails due to
the unsatisfiable policy.
Signed-off-by: Aseda Aboagye <aaboagye@google.com>
Change-Id: I97e3ae7e18fc9ee9a02afadbbafeb226b41af0eb
Reviewed-on: https://review.coreboot.org/c/coreboot/+/55242
Reviewed-by: Julius Werner <jwerner@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
This patch assings 2 to EC_EFS_BOOT_MODE_TRUSTED_RO to make coreboot
set VB2_CONTEXT_EC_TRUSTED when the GSC reports TRUSTED_RO.
Old GSC doesn't use 2. So, the new BIOS won't mistakenly set
VB2_CONTEXT_EC_TRUSTED.
BUG=b:180927027, b:187871195
BRANCH=none
TEST=build
Change-Id: I11a09d0035a4bd59f80018c647ca17e3318be81e
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/55373
Reviewed-by: Julius Werner <jwerner@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
This patch makes coreboot set VB2_CONTEXT_EC_TRUSTED based on the EC"s
boot mode. Vboot will check VB2_CONTEXT_EC_TRUSTED to determine
whether it can enter recovery mode or not.
BUG=b:180927027, b:187871195
BRANCH=none
TEST=build
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Change-Id: I9fa09dd7ae5baa1efb4e1ed4f0fe9a6803167c93
Reviewed-on: https://review.coreboot.org/c/coreboot/+/54099
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
The new kernel secdata v1 stores the last read EC hash, and reboots the
device during EC software sync when that hash didn't match the currently
active hash on the EC (this is used with TPM_CR50 to support EC-EFS2 and
pretty much a no-op for other devices). Generally, of course the whole
point of secdata is always that it persists across reboots, but with
MOCK_SECDATA we can't do that. Previously we always happened to somewhat
get away with presenting freshly-reinitialized data for MOCK_SECDATA on
every boot, but with the EC hash feature in secdata v1, that would cause
a reboot loop. The simplest solution is to just pretend we're a secdata
v0 device when using MOCK_SECDATA.
This was encountered on using a firmware built with MOCK_SECDATA but had
EC software sync enabled.
BUG=b:187843114
BRANCH=None
TEST=`USE=mocktpm cros build-ap -b keeby`; Flash keeby device, verify
that DUT does not continuously reboot with EC software sync enabled.
Signed-off-by: Aseda Aboagye <aaboagye@google.com>
Change-Id: Id8e81afcddadf27d9eec274f7f85ff1520315aaa
Reviewed-on: https://review.coreboot.org/c/coreboot/+/54304
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
This commit has coreboot create the Chrome OS Firmware Management
Parameters (FWMP) space in the TPM. The space will be defined and the
contents initialized to the defaults.
BUG=b:184677625
BRANCH=None
TEST=emerge-keeby coreboot
Signed-off-by: Aseda Aboagye <aaboagye@google.com>
Change-Id: I1f566e00f11046ff9a9891c65660af50fbb83675
Reviewed-on: https://review.coreboot.org/c/coreboot/+/52919
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
The name `set_space()` seems to imply that it's writing to a TPM space
when actually, the function can create a space and write to it. This
commit attempts to make that a bit more clear. Additionally, in order
to use the correct sizes when creating the space, this commit also
refactors the functions slightly to incorporate the vboot context object
such that the correct sizes are used. The various vboot APIs will
return the size of the created object that we can then create the space
with.
BUG=b:184677625
BRANCH=None
TEST=`emerge-keeby coreboot`
Signed-off-by: Aseda Aboagye <aaboagye@google.com>
Change-Id: I80a8342c51d7bfaa0cb2eb3fd37240425d5901be
Reviewed-on: https://review.coreboot.org/c/coreboot/+/54308
Reviewed-by: Julius Werner <jwerner@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
The CBFS mcache size default was eyeballed to what should be "hopefully
enough" for most users, but some recent Chrome OS devices have already
hit the limit. Since most current (and probably all future) x86 chipsets
likely have the CAR space to spare, let's just double the size default
for all supporting chipsets right now so that we hopefully won't run
into these issues again any time soon.
The CBFS_MCACHE_RW_PERCENTAGE default for CHROMEOS was set to 25 under
the assumption that Chrome OS images have historically always had a lot
more files in their RO CBFS than the RW (because l10n assets were only
in RO). Unfortunately, this has recently changed with the introduction
of updateable assets. While hopefully not that many boards will need
these, the whole idea is that you won't know whether you need them yet
at the time the RO image is frozen, and mcache layout parameters cannot
be changed in an RW update. So better to use the normal 50/50 split on
Chrome OS devices going forward so we are prepared for the eventuality
of needing RW assets again.
The RW percentage should really also be menuconfig-controllable, because
this is something the user may want to change on the fly depending on
their payload requirements. Move the option to the vboot Kconfigs
because it also kinda belongs there anyway and this makes it fit in
better in menuconfig. (I haven't made the mcache size
menuconfig-controllable because if anyone needs to increase this, they
can just override the default in the chipset Kconfig for everyone using
that chipset, under the assumption that all boards of that chipset have
the same amount of available CAR space and there's no reason not to use
up the available space. This seems more in line with how this would work
on non-x86 platforms that define this directly in their memlayout.ld.)
Also add explicit warnings to both options that they mustn't be changed
in an RW update to an older RO image.
BUG=b:187561710
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: I046ae18c9db9a5d682384edde303c07e0be9d790
Reviewed-on: https://review.coreboot.org/c/coreboot/+/54146
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
fspt.bin is run before verstage so it is of no use in RW_A/B.
Change-Id: I6fe29793fa638312c8b275b6fa8662df78b3b2bd
Signed-off-by: Arthur Heymans <arthur@aheymans.xyz>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/52853
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Michał Żygowski <michal.zygowski@3mdeb.com>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
This patch changes the vboot EC sync code to use the new CBFS API. As a
consequence, we have to map the whole EC image file at once (because the
new API doesn't support partial mapping). This should be fine on the
only platform that uses this code (Google_Volteer/_Dedede family)
because they are x86 devices that support direct mapping from flash, but
the code was originally written to more carefully map the file in
smaller steps to be theoretically able to support Arm devices.
EC sync in romstage for devices without memory-mapped flash would be
hard to combine with CBFS verification because there's not enough SRAM
to ever hold the whole file in memory at once, but we can't validate the
file hash until we have loaded the whole file and for performance (or
TOCTOU-safety, if applicable) reasons we wouldn't want to load anything
more than once. The "good" solution for this would be to introduce a
CBFS streaming API can slowly feed chunks of the file into a callback
but in the end still return a "hash valid/invalid" result to the caller.
If use cases like this become pressing in the future, we may have to
implement such an API.
However, for now this code is the only part of coreboot with constraints
like that, it was only ever used on platforms that do support
memory-mapped flash, and due to the new EC-EFS2 model used on more
recent Chrome OS devices we don't currently anticipate this to ever be
needed again. Therefore this patch goes the easier way of just papering
over the problem and punting the work of implementing a more generic
solution until we actually have a real need for it.
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: I7e263272aef3463f3b2924887d96de9b2607f5e5
Reviewed-on: https://review.coreboot.org/c/coreboot/+/52280
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Reviewed-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
RETURN_FROM_VERSTAGE is a somewhat tricky construct that we don't
normally do otherwise in coreboot. While it works remarkably well in
general, new development can lead to unintentional interactions with
confusing results. This patch adds a debug print to the verstage right
before returning to the bootblock so that it's obvious this happens,
because otherwise in some cases the last printout in the verstage is
about some TPM commands which can be misleading when execution hangs
after that point.
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: I9ca68a32d7a50c95d9a6948d35816fee583611bc
Reviewed-on: https://review.coreboot.org/c/coreboot/+/52086
Reviewed-by: Furquan Shaikh <furquan@google.com>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
The PCR algorithms used for vboot are frequently causing confusion (e.g.
see CB:35645) because depending on the circumstances sometimes a
(zero-extended) SHA1 value is interpreted as a SHA256, and sometimes a
SHA256 is interpreted as a SHA1. We can't really "fix" anything here
because the resulting digests are hardcoded in many generations of
Chromebooks, but we can document and isolate it better to reduce
confusion. This patch adds an explanatory comment and fixes both
algorithms and size passed into the lower-level TPM APIs to their actual
values (whereas it previously still relied on the TPM 1.2 TSS not
checking the algorithm type, and the TPM 2.0 TSS only using the size
value for the TCPA log and not the actual TPM operation).
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: Ib0b6ecb8c7e9a405ae966f1049158f1d3820f7e2
Reviewed-on: https://review.coreboot.org/c/coreboot/+/51720
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
With CBnT a digest needs to be made of the IBB, Initial BootBlock, in
this case the bootblock. After that a pointer to the BPM, Boot Policy
Manifest, containing the IBB digest needs to be added to the FIT
table.
If the fit table is inside the IBB, updating it with a pointer to the
BPM, would make the digest invalid.
The proper solution is to move the FIT table out of the bootblock.
The FIT table itself does not need to be covered by the digest as it
just contains pointers to structures that can by verified by the
hardware itself, such as microcode and ACMs (Authenticated Code
Modules).
Change-Id: I352e11d5f7717147a877be16a87e9ae35ae14856
Signed-off-by: Arthur Heymans <arthur@aheymans.xyz>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/50926
Reviewed-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Reviewed-by: Christian Walter <christian.walter@9elements.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
This patch removes the prog_locate() step for stages and rmodules.
Instead, the stage and rmodule loading functions will now perform the
locate step directly together with the actual loading. The long-term
goal of this is to eliminate prog_locate() (and the rdev member in
struct prog that it fills) completely in order to make CBFS verification
code safer and its security guarantees easier to follow. prog_locate()
is the main remaining use case where a raw rdev of CBFS file data
"leaks" out of cbfs.c into other code, and that other code needs to
manually make sure that the contents of the rdev get verified during
loading. By eliminating this step and moving all code that directly
deals with file data into cbfs.c, we can concentrate the code that needs
to worry about file data hashing (and needs access to cbfs_private.h
APIs) into one file, making it easier to keep track of and reason about.
This patch is the first step of this move, later patches will do the
same for SELFs and other program types.
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: Ia600e55f77c2549a00e2606f09befc1f92594a3a
Reviewed-on: https://review.coreboot.org/c/coreboot/+/49335
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
This change allows VBOOT to build when the mainboard hasn't implemented
any of the VBOOT functions yet.
Signed-off-by: Raul E Rangel <rrangel@chromium.org>
Change-Id: I42ca8f0dba9fd4a868bc7b636e4ed04cbf8dfab0
Reviewed-on: https://review.coreboot.org/c/coreboot/+/50341
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-by: Felix Held <felix-coreboot@felixheld.de>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
This change adds the missing `GBB_FLAG_ENABLE_UDC` as a config in
vboot/Kconfig (just like the other GBB flags) and uses its value to
configure GBB_FLAGS Makefile variable. This is done to allow the
mainboard to configure GBB flags by selecting appropriate configs in
Kconfig.
Signed-off-by: Eric Lai <ericr_lai@compal.corp-partner.google.com>
Change-Id: I6b397713d643cf9461294e6928596dc847ace6bd
Reviewed-on: https://review.coreboot.org/c/coreboot/+/50110
Reviewed-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
This patch adds the first stage of the new CONFIG_CBFS_VERIFICATION
feature. It's not useful to end-users in this stage so it cannot be
selected in menuconfig (and should not be used other than for
development) yet. With this patch coreboot can verify the metadata hash
of the RO CBFS when it starts booting, but it does not verify individual
files yet. Likewise, verifying RW CBFSes with vboot is not yet
supported.
Verification is bootstrapped from a "metadata hash anchor" structure
that is embedded in the bootblock code and marked by a unique magic
number. This anchor contains both the CBFS metadata hash and a separate
hash for the FMAP which is required to find the primary CBFS. Both are
verified on first use in the bootblock (and halt the system on failure).
The CONFIG_TOCTOU_SAFETY option is also added for illustrative purposes
to show some paths that need to be different when full protection
against TOCTOU (time-of-check vs. time-of-use) attacks is desired. For
normal verification it is sufficient to check the FMAP and the CBFS
metadata hash only once in the bootblock -- for TOCTOU verification we
do the same, but we need to be extra careful that we do not re-read the
FMAP or any CBFS metadata in later stages. This is mostly achieved by
depending on the CBFS metadata cache and FMAP cache features, but we
allow for one edge case in case the RW CBFS metadata cache overflows
(which may happen during an RW update and could otherwise no longer be
fixed because mcache size is defined by RO code). This code is added to
demonstrate design intent but won't really matter until RW CBFS
verification can be supported.
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: I8930434de55eb938b042fdada9aa90218c0b5a34
Reviewed-on: https://review.coreboot.org/c/coreboot/+/41120
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
This patch renames cbfs_boot_map_with_leak() and cbfs_boot_load_file()
to cbfs_map() and cbfs_load() respectively. This is supposed to be the
start of a new, better organized CBFS API where the most common
operations have the most simple and straight-forward names. Less
commonly used variants of these operations (e.g. cbfs_ro_load() or
cbfs_region_load()) can be introduced later. It seems unnecessary to
keep carrying around "boot" in the names of most CBFS APIs if the vast
majority of accesses go to the boot CBFS (instead, more unusual
operations should have longer names that describe how they diverge from
the common ones).
cbfs_map() is paired with a new cbfs_unmap() to allow callers to cleanly
reap mappings when desired. A few new cbfs_unmap() calls are added to
generic code where it makes sense, but it seems unnecessary to introduce
this everywhere in platform or architecture specific code where the boot
medium is known to be memory-mapped anyway. In fact, even for
non-memory-mapped platforms, sometimes leaking a mapping to the CBFS
cache is a much cleaner solution than jumping through hoops to provide
some other storage for some long-lived file object, and it shouldn't be
outright forbidden when it makes sense.
Additionally, remove the type arguments from these function signatures.
The goal is to eventually remove type arguments for lookup from the
whole CBFS API. Filenames already uniquely identify CBFS files. The type
field is just informational, and there should be APIs to allow callers
to check it when desired, but it's not clear what we gain from forcing
this as a parameter into every single CBFS access when the vast majority
of the time it provides no additional value and is just clutter.
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: Ib24325400815a9c3d25f66c61829a24a239bb88e
Reviewed-on: https://review.coreboot.org/c/coreboot/+/39304
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Wim Vervoorn <wvervoorn@eltan.com>
Reviewed-by: Mariusz Szafrański <mariuszx.szafranski@intel.com>
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
This patch adds a new CBFS "mcache" (metadata cache) -- a memory buffer
that stores the headers of all CBFS files. Similar to the existing FMAP
cache, this cache should reduce the amount of SPI accesses we need to do
every boot: rather than having to re-read all CBFS headers from SPI
flash every time we're looking for a file, we can just walk the same
list in this in-memory copy and finally use it to directly access the
flash at the right position for the file data.
This patch adds the code to support the cache but doesn't enable it on
any platform. The next one will turn it on by default.
Change-Id: I5b1084bfdad1c6ab0ee1b143ed8dd796827f4c65
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/38423
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
This function is no longer required to be implemented since
EC/AUXFW sync was decoupled from vboot UI. (See CL:2087016.)
BUG=b:172343019
TEST=Compile locally
BRANCH=none
Signed-off-by: Joel Kitching <kitching@google.com>
Change-Id: I43e8160a4766a38c4fa14bcf4495fc719fbcd6c2
Reviewed-on: https://review.coreboot.org/c/coreboot/+/47233
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Yu-Ping Wu <yupingso@google.com>
Generally, this size probably doesn't matter very much, but in the
case of picasso's psp_verstage, the hash is being calculated by
hardware using relatively expensive system calls. By increasing the
block size, we can save roughly 140ms of boot and resume time.
TEST=Build & boot see that boot time has decreased.
BRANCH=Zork
BUG=b:169217270 - Zork: SHA calculation in vboot takes too long
Signed-off-by: Martin Roth <martinroth@chromium.org>
Change-Id: I68eecbbdfadcbf14288dc6e849397724fb66e0b2
Reviewed-on: https://review.coreboot.org/c/coreboot/+/46901
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
Reviewed-by: Kangheui Won <khwon@chromium.org>
This CL fixes the policy digest that restricts deleting the nvmem spaces
to specific PCR0 states.
BRANCH=none
BUG=b:140958855
TEST=verified that nvmem spaces created with this digest can be deleted
in the intended states, and cannot be deleted in other states
(test details for ChromeOS - in BUG comments).
Change-Id: I3cb7d644fdebda71cec3ae36de1dc76387e61ea7
Signed-off-by: Andrey Pronin <apronin@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/46772
Reviewed-by: Julius Werner <jwerner@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
SMM does not have access to CBMEM and therefore cannot access any
persistent state like the vboot context. This makes it impossible to
query vboot state like the developer mode switch or the currently active
RW CBFS. However some code (namely the PC80 option table) does CBFS
accesses in SMM. This is currently worked around by directly using
cbfs_locate_file_in_region() with the COREBOOT region. By disabling
vboot functions explicitly in SMM, we can get rid of that and use normal
CBFS APIs in this code.
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: I4b1baa73681fc138771ad8384d12c0a04b605377
Reviewed-on: https://review.coreboot.org/c/coreboot/+/46645
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Since MRC_SAVE_HASH_IN_TPM depends on TPM2, we can now remove the tpm
1.2 versions of functions that deal with mrc hash in the tpm as it
will not be used by tpm 1.2 boards. Also move all antirollback
functions that deal with mrc hash in the tpm under CONFIG(TPM2).
BUG=b:150502246
BRANCH=None
TEST=make sure boards are still compiling on coreboot Jenkins
Change-Id: I446dde36ce2233fc40687892da1fb515ce35b82b
Signed-off-by: Shelley Chen <shchen@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/46615
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
Pull selection of tpm hash index logic into cache_region struct. This
CL also enables the storing of the MRC hash into the TPM NVRAM space
for both recovery and non-recovery cases. This will affect all
platforms with TPM2 enabled and use the MRC_CACHE driver.
BUG=b:150502246
BRANCH=None
TEST=make sure memory training still works on nami and lazor
Change-Id: I1a744d6f40f062ca3aab6157b3747e6c1f6977f9
Signed-off-by: Shelley Chen <shchen@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/46514
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
Add new index for MRC_CACHE data in RW. Also update antirollback
functions to handle this new index where necessary.
BUG=b:150502246
BRANCH=None
TEST=make sure memory training still works on nami
Change-Id: I2de3c23aa56d3b576ca54dbd85c75e5b80199560
Signed-off-by: Shelley Chen <shchen@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/46511
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
We need to extend the functionality of the mrc_cache hash functions to
work for both recovery and normal mrc_cache data. Updating the API of
these functions to pass in an index to identify the hash indices for
recovery and normal mode.
BUG=b:150502246
BRANCH=None
TEST=make sure memory training still works on nami
Change-Id: I9c0bb25eafc731ca9c7a95113ab940f55997fc0f
Signed-off-by: Shelley Chen <shchen@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/46432
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
This CL would remove these calls from fsp 2.0. Platforms that select
MRC_STASH_TO_CBMEM, updating the TPM NVRAM space is moved from
romstage (when data stashed to CBMEM) to ramstage (when data is
written back to SPI flash.
BUG=b:150502246
BRANCH=None
TEST=make sure memory training still works on nami
Change-Id: I3088ca6927c7dbc65386c13e868afa0462086937
Signed-off-by: Shelley Chen <shchen@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/46510
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Use this config to specify whether we want to save a hash of the
MRC_CACHE in the TPM NVRAM space. Replace all uses of
FSP2_0_USES_TPM_MRC_HASH with MRC_SAVE_HASH_IN_TPM and remove the
FSP2_0_USES_TPM_MRC_HASH config. Note that TPM1 platforms will not
select MRC_SAVE_HASH_IN_TPM as none of them use FSP2.0 and have
recovery MRC_CACHE.
BUG=b:150502246
BRANCH=None
TEST=emerge-nami coreboot chromeos-bootimage
Change-Id: Ic5ffcdba27cb1f09c39c3835029c8d9cc3453af1
Signed-off-by: Shelley Chen <shchen@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/46509
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
As ongoing work for generalizing mrc_cache to be used by all
platforms, we are pulling it out from fsp 2.0 and renaming it as
mrc_cache_hash_tpm.h in security/vboot.
BUG=b:150502246
BRANCH=None
TEST=emerge-nami coreboot chromeos-bootimage
Change-Id: I5a204bc3342a3462f177c3ed6b8443e31816091c
Signed-off-by: Shelley Chen <shchen@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/46508
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
