diff options
Diffstat (limited to 'src/usr/secureboot')
-rw-r--r-- | src/usr/secureboot/trusted/base/trustedboot_base.C | 20 |
1 files changed, 12 insertions, 8 deletions
diff --git a/src/usr/secureboot/trusted/base/trustedboot_base.C b/src/usr/secureboot/trusted/base/trustedboot_base.C index 4d2815862..f8bee162b 100644 --- a/src/usr/secureboot/trusted/base/trustedboot_base.C +++ b/src/usr/secureboot/trusted/base/trustedboot_base.C @@ -49,6 +49,7 @@ #include "../trustedboot.H" #include "../trustedbootCmds.H" #include "../trustedbootUtils.H" +#include "../../pnor/pnor_utils.H" #include "trustedbootMsg.H" // ---------------------------------------------- @@ -331,11 +332,17 @@ errlHndl_t extendPnorSectionHash( TPM_Pcr pnorHashPcr = PCR_0; EventTypes swKeyHashEventType = TRUSTEDBOOT::EV_PLATFORM_CONFIG_FLAGS; + EventTypes pnorHashEventType = TRUSTEDBOOT::EV_POST_CODE; // PAYLOAD is the only section that needs its hash extended to PCR_4 if (i_sec == PNOR::PAYLOAD) { pnorHashPcr = PCR_4; swKeyHashEventType = TRUSTEDBOOT::EV_COMPACT_HASH; + pnorHashEventType = TRUSTEDBOOT::EV_COMPACT_HASH; + } + else if(PNOR::isCoreRootOfTrustSection(i_sec)) + { + pnorHashEventType = TRUSTEDBOOT::EV_S_CRTM_CONTENTS; } // Extend swKeyHash to the next PCR after the hash extension PCR. const TPM_Pcr swKeyHashPcr = static_cast<TPM_Pcr>(pnorHashPcr + 1); @@ -343,10 +350,8 @@ errlHndl_t extendPnorSectionHash( if (SECUREBOOT::enabled()) { // If secureboot is enabled, use protected hash in header - /// @todo RTC 172332 Update log type based on what is being extended - /// EV_POST_CODE or EV_S_CRTM_CONTENTS or EV_COMPACT_HASH pError = TRUSTEDBOOT::pcrExtend(pnorHashPcr, - TRUSTEDBOOT::EV_POST_CODE, + pnorHashEventType, reinterpret_cast<const uint8_t*>(i_conHdr.payloadTextHash()), sizeof(SHA512_t), sectionInfo.name); @@ -375,14 +380,13 @@ errlHndl_t extendPnorSectionHash( else { // If secureboot is not enabled, measure protected section - /// @todo RTC 172332 Update log type based on what is being extended - /// EV_POST_CODE or EV_S_CRTM_CONTENTS or EV_COMPACT_HASH SHA512_t hash = {0}; SECUREBOOT::hashBlob(i_vaddr, protectedSize, hash); pError = TRUSTEDBOOT::pcrExtend(pnorHashPcr, - TRUSTEDBOOT::EV_POST_CODE, - hash, sizeof(SHA512_t), - sectionInfo.name); + pnorHashEventType, + hash, + sizeof(SHA512_t), + sectionInfo.name); if (pError) { TRACFCOMP(g_trac_trustedboot, ERR_MRK " Failed in call to " |