authorJaymes Wilks <mjwilks@us.ibm.com>2017-05-16 16:35:59 -0500
committerWilliam G. Hoffa <wghoffa@us.ibm.com>2017-05-25 11:40:12 -0400
commit4d9e5a4a231d2a4a14231bc5a01d4590cb88d96d (patch)
treea6b574ee596fd12bc5c0ba3e9bf750fc6f46e2eb /src/usr/secureboot/trusted/base
parentb0ebbd785a2357f2be093178c92bc9b59cd3530b (diff)
Fix up Event Types for PCR Extend
Trusted Boot will now use correct event types when performing PCR extend for PNOR sections that are meant to establish a core root of trust. Change-Id: I3cb62e2899083c898e1af6a2031cc8a0a365015e RTC:172332 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/40601 Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Reviewed-by: Christopher J. Engel <cjengel@us.ibm.com> Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Reviewed-by: Timothy R. Block <block@us.ibm.com> Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com> Reviewed-by: William G. Hoffa <wghoffa@us.ibm.com>
Diffstat (limited to 'src/usr/secureboot/trusted/base')
-rw-r--r--src/usr/secureboot/trusted/base/trustedboot_base.C20
1 files changed, 12 insertions, 8 deletions
diff --git a/src/usr/secureboot/trusted/base/trustedboot_base.C b/src/usr/secureboot/trusted/base/trustedboot_base.C
index 4d2815862..f8bee162b 100644
--- a/src/usr/secureboot/trusted/base/trustedboot_base.C
+++ b/src/usr/secureboot/trusted/base/trustedboot_base.C
@@ -49,6 +49,7 @@
#include "../trustedboot.H"
#include "../trustedbootCmds.H"
#include "../trustedbootUtils.H"
+#include "../../pnor/pnor_utils.H"
#include "trustedbootMsg.H"
// ----------------------------------------------
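Review bot: The added `#include "../../pnor/pnor_utils.H"` reaches into another component by a path relative to this file, which ties trusted boot to the pnor source layout. Counting from src/usr/secureboot/trusted/base, `../../` lands in src/usr/secureboot, so if the header lives in the pnor component the include presumably resolves only through a compiler search directory; that is worth confirming. If pnor exports this header on the regular include path, that form would be less fragile. A trailing comment such as `// PNOR::isCoreRootOfTrustSection` would record why the header is needed, assuming that is the declaration it provides.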
@@ -331,11 +332,17 @@ errlHndl_t extendPnorSectionHash(
TPM_Pcr pnorHashPcr = PCR_0;
EventTypes swKeyHashEventType = TRUSTEDBOOT::EV_PLATFORM_CONFIG_FLAGS;
+ EventTypes pnorHashEventType = TRUSTEDBOOT::EV_POST_CODE;
// PAYLOAD is the only section that needs its hash extended to PCR_4
if (i_sec == PNOR::PAYLOAD)
{
pnorHashPcr = PCR_4;
swKeyHashEventType = TRUSTEDBOOT::EV_COMPACT_HASH;
+ pnorHashEventType = TRUSTEDBOOT::EV_COMPACT_HASH;
+ }
+ else if(PNOR::isCoreRootOfTrustSection(i_sec))
+ {
+ pnorHashEventType = TRUSTEDBOOT::EV_S_CRTM_CONTENTS;
}
// Extend swKeyHash to the next PCR after the hash extension PCR.
const TPM_Pcr swKeyHashPcr = static_cast<TPM_Pcr>(pnorHashPcr + 1);
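Review bot: The comment above the `if` still describes only the PCR_4 choice, yet the branch now also picks the event type recorded in the TPM event log for every section, and that mapping is documented nowhere in the hunk. I would replace it with something like `// Section hash event type: PAYLOAD -> EV_COMPACT_HASH (PCR_4); core root of trust sections -> EV_S_CRTM_CONTENTS; all others -> EV_POST_CODE`. Which sections `PNOR::isCoreRootOfTrustSection` accepts is not visible here, and since a verifier replaying the log classifies measurements by event type, the comment should point to where that list is defined. `swKeyHashEventType` stays `EV_PLATFORM_CONFIG_FLAGS` for core root of trust sections, which looks intentional but deserves one line saying so. Minor style: `else if(` lacks the space used in `if (` above; extendPnorSectionHash starts and ends outside this hunk, and the later two hunks only consume `pnorHashEventType`.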
@@ -343,10 +350,8 @@ errlHndl_t extendPnorSectionHash(
if (SECUREBOOT::enabled())
{
// If secureboot is enabled, use protected hash in header
- /// @todo RTC 172332 Update log type based on what is being extended
- /// EV_POST_CODE or EV_S_CRTM_CONTENTS or EV_COMPACT_HASH
pError = TRUSTEDBOOT::pcrExtend(pnorHashPcr,
- TRUSTEDBOOT::EV_POST_CODE,
+ pnorHashEventType,
reinterpret_cast<const uint8_t*>(i_conHdr.payloadTextHash()),
sizeof(SHA512_t),
sectionInfo.name);
@@ -375,14 +380,13 @@ errlHndl_t extendPnorSectionHash(
else
{
// If secureboot is not enabled, measure protected section
- /// @todo RTC 172332 Update log type based on what is being extended
- /// EV_POST_CODE or EV_S_CRTM_CONTENTS or EV_COMPACT_HASH
SHA512_t hash = {0};
SECUREBOOT::hashBlob(i_vaddr, protectedSize, hash);
pError = TRUSTEDBOOT::pcrExtend(pnorHashPcr,
- TRUSTEDBOOT::EV_POST_CODE,
- hash, sizeof(SHA512_t),
- sectionInfo.name);
+ pnorHashEventType,
+ hash,
+ sizeof(SHA512_t),
+ sectionInfo.name);
if (pError)
{
TRACFCOMP(g_trac_trustedboot, ERR_MRK " Failed in call to "