From 4d9e5a4a231d2a4a14231bc5a01d4590cb88d96d Mon Sep 17 00:00:00 2001
From: Jaymes Wilks
Date: Tue, 16 May 2017 16:35:59 -0500
Subject: Fix up Event Types for PCR Extend

Trusted Boot will now use correct event types when performing PCR extend for PNOR sections that are meant to establish a core root of trust.

Change-Id: I3cb62e2899083c898e1af6a2031cc8a0a365015e
RTC:172332
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/40601
Tested-by: Jenkins Server
Reviewed-by: Christopher J. Engel
Reviewed-by: Stephen M. Cprek
Tested-by: Jenkins OP Build CI
Reviewed-by: Timothy R. Block
Reviewed-by: Nicholas E. Bofferding
Tested-by: FSP CI Jenkins
Reviewed-by: Michael Baiocchi
Reviewed-by: William G. Hoffa
---
 src/usr/secureboot/trusted/base/trustedboot_base.C | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
(limited to 'src/usr/secureboot/trusted/base')

diff --git a/src/usr/secureboot/trusted/base/trustedboot_base.C b/src/usr/secureboot/trusted/base/trustedboot_base.C
index 4d2815862..f8bee162b 100644
--- a/src/usr/secureboot/trusted/base/trustedboot_base.C
+++ b/src/usr/secureboot/trusted/base/trustedboot_base.C
@@ -49,6 +49,7 @@
 #include "../trustedboot.H"
 #include "../trustedbootCmds.H"
 #include "../trustedbootUtils.H"
+#include "../../pnor/pnor_utils.H"
 #include "trustedbootMsg.H"
 
 // ----------------------------------------------
@@ -331,11 +332,17 @@ errlHndl_t extendPnorSectionHash(
 TPM_Pcr pnorHashPcr = PCR_0;
 EventTypes swKeyHashEventType = TRUSTEDBOOT::EV_PLATFORM_CONFIG_FLAGS;
+ EventTypes pnorHashEventType = TRUSTEDBOOT::EV_POST_CODE;
 // PAYLOAD is the only section that needs its hash extended to PCR_4
 if (i_sec == PNOR::PAYLOAD)
 {
 pnorHashPcr = PCR_4;
 swKeyHashEventType = TRUSTEDBOOT::EV_COMPACT_HASH;
+ pnorHashEventType = TRUSTEDBOOT::EV_COMPACT_HASH;
+ }
+ else if(PNOR::isCoreRootOfTrustSection(i_sec))
+ {
+ pnorHashEventType = TRUSTEDBOOT::EV_S_CRTM_CONTENTS;
 }
 // Extend swKeyHash to the next PCR after the hash extension PCR.
 const TPM_Pcr swKeyHashPcr = static_cast(pnorHashPcr + 1);
@@ -343,10 +350,8 @@ errlHndl_t extendPnorSectionHash(
 if (SECUREBOOT::enabled())
 {
 // If secureboot is enabled, use protected hash in header
- /// @todo RTC 172332 Update log type based on what is being extended
- /// EV_POST_CODE or EV_S_CRTM_CONTENTS or EV_COMPACT_HASH
 pError = TRUSTEDBOOT::pcrExtend(pnorHashPcr,
- TRUSTEDBOOT::EV_POST_CODE,
+ pnorHashEventType,
 reinterpret_cast(i_conHdr.payloadTextHash()),
 sizeof(SHA512_t),
 sectionInfo.name);
@@ -375,14 +380,13 @@ errlHndl_t extendPnorSectionHash(
 else
 {
 // If secureboot is not enabled, measure protected section
- /// @todo RTC 172332 Update log type based on what is being extended
- /// EV_POST_CODE or EV_S_CRTM_CONTENTS or EV_COMPACT_HASH
 SHA512_t hash = {0};
 SECUREBOOT::hashBlob(i_vaddr, protectedSize, hash);
 pError = TRUSTEDBOOT::pcrExtend(pnorHashPcr,
- TRUSTEDBOOT::EV_POST_CODE,
- hash, sizeof(SHA512_t),
- sectionInfo.name);
+ pnorHashEventType,
+ hash,
+ sizeof(SHA512_t),
+ sectionInfo.name);
 if (pError)
 {
 TRACFCOMP(g_trac_trustedboot, ERR_MRK " Failed in call to "
-- cgit v1.2.1
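Review bot: The event-type selection in the `@@ -331` hunk lets the PAYLOAD branch win over the core-root-of-trust check, so if `PNOR::isCoreRootOfTrustSection` could ever report true for PAYLOAD (its definition is not in this diff) that section would still be logged as EV_COMPACT_HASH rather than EV_S_CRTM_CONTENTS; a comment above the new `EventTypes pnorHashEventType` declaration should make that precedence deliberate, e.g. `// Event type by section: PAYLOAD -> EV_COMPACT_HASH, core-root-of-trust sections -> EV_S_CRTM_CONTENTS, all others -> EV_POST_CODE; PAYLOAD is checked first on purpose.` The mapping deserves to live next to the code rather than only in the commit message, because a verifier replaying the TPM event log treats the event type as part of the record, and a mislabelled entry will fail or mislead attestation even when the digest itself is right. On style, `else if(PNOR::isCoreRootOfTrustSection(i_sec))` drops the space that the neighbouring `if (i_sec == PNOR::PAYLOAD)` uses; `else if (PNOR::isCoreRootOfTrustSection(i_sec))` would match the file. The `@@ -343` and `@@ -375` hunks only substitute `pnorHashEventType` for the former literal and need no separate change; extendPnorSectionHash begins and ends outside these hunks.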