Angel Pons | 3ef916f | 2020-04-02 23:49:13 +0200 | [diff] [blame] | 1 | /* SPDX-License-Identifier: GPL-2.0-only */ |
Wim Vervoorn | 8210047 | 2020-01-27 15:47:44 +0100 | [diff] [blame] | 2 | |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 3 | #include <boot_device.h> |
Wim Vervoorn | 46cc24d | 2019-11-14 11:45:03 +0100 | [diff] [blame] | 4 | #include <bootmem.h> |
Bill XIE | 516c0a5 | 2020-02-24 23:08:35 +0800 | [diff] [blame] | 5 | #include <bootmode.h> |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 6 | #include <cbfs.h> |
| 7 | #include <vboot_check.h> |
| 8 | #include <vboot_common.h> |
Joel Kitching | 172ef5f | 2020-02-14 16:08:45 +0800 | [diff] [blame] | 9 | #include <vb2_internals_please_do_not_use.h> |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 10 | |
| 11 | #define RSA_PUBLICKEY_FILE_NAME "vboot_public_key.bin" |
| 12 | |
| 13 | #if CONFIG(VENDORCODE_ELTAN_VBOOT_USE_SHA512) |
| 14 | #define DIGEST_SIZE VB2_SHA512_DIGEST_SIZE |
Wim Vervoorn | ac4896f | 2019-10-30 15:55:21 +0100 | [diff] [blame] | 15 | #define HASH_ALG VB2_HASH_SHA512 |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 16 | #else |
| 17 | #define DIGEST_SIZE VB2_SHA256_DIGEST_SIZE |
Wim Vervoorn | ac4896f | 2019-10-30 15:55:21 +0100 | [diff] [blame] | 18 | #define HASH_ALG VB2_HASH_SHA256 |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 19 | #endif |
| 20 | |
| 21 | int verified_boot_check_manifest(void) |
| 22 | { |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 23 | uint8_t *buffer; |
Wim Vervoorn | 8210047 | 2020-01-27 15:47:44 +0100 | [diff] [blame] | 24 | struct vb2_context *ctx; |
| 25 | struct vb2_kernel_preamble *pre; |
| 26 | static struct vb2_shared_data *sd; |
| 27 | size_t size; |
Frans Hendriks | 7023174 | 2020-04-20 13:37:00 +0200 | [diff] [blame] | 28 | uint8_t wb_buffer[3000]; |
Wim Vervoorn | 8210047 | 2020-01-27 15:47:44 +0100 | [diff] [blame] | 29 | |
| 30 | if (vb2api_init(&wb_buffer, sizeof(wb_buffer), &ctx)) { |
| 31 | goto fail; |
| 32 | } |
| 33 | |
| 34 | sd = vb2_get_sd(ctx); |
Wim Vervoorn | ac4896f | 2019-10-30 15:55:21 +0100 | [diff] [blame] | 35 | |
Julius Werner | 834b3ec | 2020-03-04 16:52:08 -0800 | [diff] [blame^] | 36 | buffer = cbfs_map(RSA_PUBLICKEY_FILE_NAME, &size); |
Wim Vervoorn | ac4896f | 2019-10-30 15:55:21 +0100 | [diff] [blame] | 37 | if (!buffer || !size) { |
| 38 | printk(BIOS_ERR, "ERROR: Public key not found!\n"); |
| 39 | goto fail; |
| 40 | } |
| 41 | |
| 42 | if ((size != CONFIG_VENDORCODE_ELTAN_VBOOT_KEY_SIZE) || |
Wim Vervoorn | 8210047 | 2020-01-27 15:47:44 +0100 | [diff] [blame] | 43 | (buffer != (void *)CONFIG_VENDORCODE_ELTAN_VBOOT_KEY_LOCATION)) { |
Wim Vervoorn | ac4896f | 2019-10-30 15:55:21 +0100 | [diff] [blame] | 44 | printk(BIOS_ERR, "ERROR: Illegal public key!\n"); |
| 45 | goto fail; |
| 46 | } |
| 47 | |
Wim Vervoorn | 8210047 | 2020-01-27 15:47:44 +0100 | [diff] [blame] | 48 | /* |
| 49 | * Check if all items will fit into workbuffer: |
| 50 | * vb2_shared data, Public Key, Preamble data |
| 51 | */ |
| 52 | if ((sd->workbuf_used + size + sizeof(struct vb2_kernel_preamble) + |
| 53 | ((CONFIG_VENDORCODE_ELTAN_OEM_MANIFEST_ITEMS * DIGEST_SIZE) + (2048/8))) > |
| 54 | sizeof(wb_buffer)) { |
| 55 | printk(BIOS_ERR, "ERROR: Work buffer too small\n"); |
Wim Vervoorn | ac4896f | 2019-10-30 15:55:21 +0100 | [diff] [blame] | 56 | goto fail; |
| 57 | } |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 58 | |
Wim Vervoorn | 8210047 | 2020-01-27 15:47:44 +0100 | [diff] [blame] | 59 | /* Add public key */ |
| 60 | sd->data_key_offset = sd->workbuf_used; |
| 61 | sd->data_key_size = size; |
| 62 | sd->workbuf_used += sd->data_key_size; |
| 63 | memcpy((void *)((void *)sd + (long)sd->data_key_offset), (uint8_t *)buffer, size); |
| 64 | |
| 65 | /* Fill preamble area */ |
| 66 | sd->preamble_size = sizeof(struct vb2_kernel_preamble); |
| 67 | sd->preamble_offset = sd->data_key_offset + sd->data_key_size; |
| 68 | sd->workbuf_used += sd->preamble_size; |
| 69 | pre = (struct vb2_kernel_preamble *)((void *)sd + (long)sd->preamble_offset); |
| 70 | |
| 71 | pre->flags = VB2_FIRMWARE_PREAMBLE_DISALLOW_HWCRYPTO; |
| 72 | |
| 73 | /* Fill body_signature (vb2_structure). RSA2048 key is used */ |
Julius Werner | 834b3ec | 2020-03-04 16:52:08 -0800 | [diff] [blame^] | 74 | cbfs_map("oemmanifest.bin", &size); |
Wim Vervoorn | 8210047 | 2020-01-27 15:47:44 +0100 | [diff] [blame] | 75 | if (size != ((CONFIG_VENDORCODE_ELTAN_OEM_MANIFEST_ITEMS * DIGEST_SIZE) + (2048/8))) { |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 76 | printk(BIOS_ERR, "ERROR: Incorrect manifest size!\n"); |
| 77 | goto fail; |
| 78 | } |
Wim Vervoorn | 8210047 | 2020-01-27 15:47:44 +0100 | [diff] [blame] | 79 | pre->body_signature.data_size = CONFIG_VENDORCODE_ELTAN_OEM_MANIFEST_ITEMS * |
| 80 | DIGEST_SIZE; |
| 81 | pre->body_signature.sig_offset = sizeof(struct vb2_signature) + |
| 82 | pre->body_signature.data_size; |
Frans Hendriks | 988a273 | 2020-04-20 13:58:07 +0200 | [diff] [blame] | 83 | pre->body_signature.sig_size = size - pre->body_signature.data_size; |
Wim Vervoorn | 8210047 | 2020-01-27 15:47:44 +0100 | [diff] [blame] | 84 | sd->workbuf_used += size; |
| 85 | memcpy((void *)((void *)&pre->body_signature + (long)sizeof(struct vb2_signature)), |
Wim Vervoorn | 944fdc4 | 2019-10-30 16:46:41 +0100 | [diff] [blame] | 86 | (uint8_t *)CONFIG_VENDORCODE_ELTAN_OEM_MANIFEST_LOC, size); |
Wim Vervoorn | ac4896f | 2019-10-30 15:55:21 +0100 | [diff] [blame] | 87 | |
Wim Vervoorn | 8210047 | 2020-01-27 15:47:44 +0100 | [diff] [blame] | 88 | |
| 89 | if (vb2api_verify_kernel_data(ctx, (void *)CONFIG_VENDORCODE_ELTAN_OEM_MANIFEST_LOC, |
| 90 | pre->body_signature.data_size)) |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 91 | goto fail; |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 92 | |
Wim Vervoorn | ac4896f | 2019-10-30 15:55:21 +0100 | [diff] [blame] | 93 | printk(BIOS_INFO, "%s: Successfully verified hash_table signature.\n", __func__); |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 94 | return 0; |
| 95 | |
| 96 | fail: |
Wim Vervoorn | 8210047 | 2020-01-27 15:47:44 +0100 | [diff] [blame] | 97 | die("ERROR: HASH table verification failed!\n"); |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 98 | return -1; |
| 99 | } |
| 100 | |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 101 | /* |
| 102 | * |
| 103 | * measure_item |
| 104 | * |
| 105 | * extends the defined pcr using the hash calculated by the verified boot |
| 106 | * routines. |
| 107 | * |
| 108 | * @param[in] pcr PCR to extend |
| 109 | * @param[in] *hashData Pointer to the hash data |
| 110 | * @param[in] hashDataLen Length of the hash data |
| 111 | * @param[in] *event_msg Message to log or display |
| 112 | * @param[in] eventType Event type to use when logging |
| 113 | |
| 114 | * @retval TPM_SUCCESS Operation completed successfully. |
| 115 | * @retval TPM_E_IOERROR Unexpected device behavior. |
| 116 | */ |
| 117 | static int measure_item(uint32_t pcr, uint8_t *hashData, uint32_t hashDataLen, |
| 118 | int8_t *event_msg, TCG_EVENTTYPE eventType) |
| 119 | { |
| 120 | int status = TPM_SUCCESS; |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 121 | TCG_PCR_EVENT2_HDR tcgEventHdr; |
| 122 | |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 123 | memset(&tcgEventHdr, 0, sizeof(tcgEventHdr)); |
| 124 | tcgEventHdr.pcrIndex = pcr; |
| 125 | tcgEventHdr.eventType = eventType; |
| 126 | if (event_msg) { |
Wim Vervoorn | ac4896f | 2019-10-30 15:55:21 +0100 | [diff] [blame] | 127 | status = mboot_hash_extend_log(MBOOT_HASH_PROVIDED, hashData, |
| 128 | hashDataLen, &tcgEventHdr, |
| 129 | (uint8_t *)event_msg); |
| 130 | if (status == TPM_SUCCESS) |
| 131 | printk(BIOS_INFO, "%s: Success! %s measured to pcr %d.\n", __func__, |
| 132 | event_msg, pcr); |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 133 | } |
| 134 | return status; |
| 135 | } |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 136 | |
Wim Vervoorn | ac4896f | 2019-10-30 15:55:21 +0100 | [diff] [blame] | 137 | static void verified_boot_check_buffer(const char *name, void *start, size_t size, |
| 138 | uint32_t hash_index, int32_t pcr) |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 139 | { |
| 140 | uint8_t digest[DIGEST_SIZE]; |
Wim Vervoorn | ac4896f | 2019-10-30 15:55:21 +0100 | [diff] [blame] | 141 | vb2_error_t status; |
| 142 | |
| 143 | printk(BIOS_DEBUG, "%s: %s HASH verification buffer %p size %d\n", __func__, name, |
| 144 | start, (int)size); |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 145 | |
| 146 | if (start && size) { |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 147 | |
Frans Hendriks | 988a273 | 2020-04-20 13:58:07 +0200 | [diff] [blame] | 148 | status = vb2_digest_buffer((const uint8_t *)start, size, HASH_ALG, digest, |
| 149 | DIGEST_SIZE); |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 150 | if ((CONFIG(VENDORCODE_ELTAN_VBOOT) && memcmp((void *)( |
| 151 | (uint8_t *)CONFIG_VENDORCODE_ELTAN_OEM_MANIFEST_LOC + |
Wim Vervoorn | ac4896f | 2019-10-30 15:55:21 +0100 | [diff] [blame] | 152 | sizeof(digest) * hash_index), digest, sizeof(digest))) || status) { |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 153 | printk(BIOS_DEBUG, "%s: buffer hash\n", __func__); |
| 154 | hexdump(digest, sizeof(digest)); |
| 155 | printk(BIOS_DEBUG, "%s: manifest hash\n", __func__); |
Wim Vervoorn | ac4896f | 2019-10-30 15:55:21 +0100 | [diff] [blame] | 156 | hexdump((void *)( (uint8_t *)CONFIG_VENDORCODE_ELTAN_OEM_MANIFEST_LOC + |
| 157 | sizeof(digest) * hash_index), sizeof(digest)); |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 158 | printk(BIOS_EMERG, "%s ", name); |
| 159 | die("HASH verification failed!\n"); |
| 160 | } else { |
Kyösti Mälkki | bf43f9e | 2019-11-05 17:55:15 +0200 | [diff] [blame] | 161 | if (!ENV_BOOTBLOCK && CONFIG(VENDORCODE_ELTAN_MBOOT)) { |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 162 | if (pcr != -1) { |
Wim Vervoorn | ffe4eba | 2019-11-14 11:06:35 +0100 | [diff] [blame] | 163 | printk(BIOS_DEBUG, "%s: measuring %s\n", __func__, |
| 164 | name); |
Wim Vervoorn | ac4896f | 2019-10-30 15:55:21 +0100 | [diff] [blame] | 165 | if (measure_item(pcr, digest, sizeof(digest), |
| 166 | (int8_t *)name, 0)) |
Wim Vervoorn | 944fdc4 | 2019-10-30 16:46:41 +0100 | [diff] [blame] | 167 | printk(BIOS_DEBUG, "%s: measuring failed!\n", |
| 168 | __func__); |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 169 | } |
| 170 | } |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 171 | if (CONFIG(VENDORCODE_ELTAN_VBOOT)) |
Wim Vervoorn | ac4896f | 2019-10-30 15:55:21 +0100 | [diff] [blame] | 172 | printk(BIOS_DEBUG, "%s HASH verification success\n", name); |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 173 | } |
| 174 | } else { |
Wim Vervoorn | ac4896f | 2019-10-30 15:55:21 +0100 | [diff] [blame] | 175 | printk(BIOS_EMERG, "Invalid buffer\n"); |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 176 | die("HASH verification failed!\n"); |
| 177 | } |
| 178 | } |
| 179 | |
Wim Vervoorn | ac4896f | 2019-10-30 15:55:21 +0100 | [diff] [blame] | 180 | void verified_boot_check_cbfsfile(const char *name, uint32_t type, uint32_t hash_index, |
| 181 | void **buffer, uint32_t *filesize, int32_t pcr) |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 182 | { |
| 183 | void *start; |
| 184 | size_t size; |
| 185 | |
Julius Werner | 834b3ec | 2020-03-04 16:52:08 -0800 | [diff] [blame^] | 186 | start = cbfs_map(name, &size); |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 187 | if (start && size) { |
Wim Vervoorn | ac4896f | 2019-10-30 15:55:21 +0100 | [diff] [blame] | 188 | /* Speed up processing by copying the file content to memory first */ |
Wim Vervoorn | 46cc24d | 2019-11-14 11:45:03 +0100 | [diff] [blame] | 189 | if (!ENV_ROMSTAGE_OR_BEFORE && (type & VERIFIED_BOOT_COPY_BLOCK)) { |
| 190 | |
| 191 | if ((buffer) && (*buffer) && (*filesize >= size) && |
| 192 | ((uint32_t) start > (uint32_t)(~(CONFIG_CBFS_SIZE-1)))) { |
| 193 | |
| 194 | /* Use the buffer passed in if possible */ |
Wim Vervoorn | ac4896f | 2019-10-30 15:55:21 +0100 | [diff] [blame] | 195 | printk(BIOS_DEBUG, "%s: move buffer to memory\n", __func__); |
Wim Vervoorn | 46cc24d | 2019-11-14 11:45:03 +0100 | [diff] [blame] | 196 | /* Move the file to memory buffer passed in */ |
| 197 | memcpy(*buffer, start, size); |
| 198 | start = *buffer; |
| 199 | printk(BIOS_DEBUG, "%s: done\n", __func__); |
| 200 | |
| 201 | } else if (ENV_RAMSTAGE) { |
| 202 | /* Try to allocate a buffer from boot_mem */ |
| 203 | void *local_buffer = bootmem_allocate_buffer(size); |
| 204 | |
| 205 | if (local_buffer) { |
| 206 | |
| 207 | /* Use the allocated buffer */ |
| 208 | printk(BIOS_DEBUG, "%s: move file to memory\n", |
| 209 | __func__); |
| 210 | memcpy(local_buffer, start, size); |
| 211 | start = local_buffer; |
| 212 | printk(BIOS_DEBUG, "%s: done\n", __func__); |
| 213 | } |
| 214 | } |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 215 | } |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 216 | verified_boot_check_buffer(name, start, size, hash_index, pcr); |
| 217 | } else { |
Wim Vervoorn | ac4896f | 2019-10-30 15:55:21 +0100 | [diff] [blame] | 218 | printk(BIOS_EMERG, "CBFS Failed to get file content for %s\n", name); |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 219 | die("HASH verification failed!\n"); |
| 220 | } |
| 221 | if (buffer) |
| 222 | *buffer = start; |
| 223 | if (filesize) |
| 224 | *filesize = size; |
| 225 | } |
| 226 | |
| 227 | void process_verify_list(const verify_item_t list[]) |
| 228 | { |
| 229 | int i = 0; |
| 230 | |
| 231 | while (list[i].type != VERIFY_TERMINATOR) { |
| 232 | switch (list[i].type) { |
| 233 | case VERIFY_FILE: |
Wim Vervoorn | ac4896f | 2019-10-30 15:55:21 +0100 | [diff] [blame] | 234 | verified_boot_check_cbfsfile(list[i].name, list[i].data.file.cbfs_type, |
| 235 | list[i].hash_index, NULL, NULL, list[i].pcr); |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 236 | if (list[i].data.file.related_items) { |
| 237 | printk(BIOS_SPEW, "process related items\n"); |
Wim Vervoorn | ac4896f | 2019-10-30 15:55:21 +0100 | [diff] [blame] | 238 | process_verify_list( |
| 239 | (verify_item_t *)list[i].data.file.related_items); |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 240 | } |
| 241 | break; |
| 242 | case VERIFY_BLOCK: |
| 243 | verified_boot_check_buffer(list[i].name, |
Wim Vervoorn | ac4896f | 2019-10-30 15:55:21 +0100 | [diff] [blame] | 244 | (void *)list[i].data.block.start, |
| 245 | list[i].data.block.size, |
| 246 | list[i].hash_index, list[i].pcr); |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 247 | break; |
| 248 | default: |
Wim Vervoorn | ac4896f | 2019-10-30 15:55:21 +0100 | [diff] [blame] | 249 | printk(BIOS_EMERG, "INVALID TYPE IN VERIFY LIST 0x%x\n", list[i].type); |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 250 | die("HASH verification failed!\n"); |
| 251 | } |
| 252 | i++; |
| 253 | } |
| 254 | } |
Kyösti Mälkki | ed8eaab | 2019-11-05 17:12:42 +0200 | [diff] [blame] | 255 | |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 256 | /* |
| 257 | * BOOTBLOCK |
| 258 | */ |
| 259 | |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 260 | void verified_boot_bootblock_check(void) |
| 261 | { |
| 262 | printk(BIOS_SPEW, "%s: processing bootblock items\n", __func__); |
| 263 | |
| 264 | if (CONFIG(VENDORCODE_ELTAN_VBOOT_SIGNED_MANIFEST)) { |
| 265 | printk(BIOS_SPEW, "%s: check the manifest\n", __func__); |
| 266 | if (verified_boot_check_manifest() != 0) |
| 267 | die("invalid manifest"); |
| 268 | } |
| 269 | printk(BIOS_SPEW, "%s: process bootblock verify list\n", __func__); |
| 270 | process_verify_list(bootblock_verify_list); |
| 271 | } |
| 272 | |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 273 | /* |
| 274 | * ROMSTAGE |
| 275 | */ |
| 276 | |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 277 | void verified_boot_early_check(void) |
| 278 | { |
| 279 | printk(BIOS_SPEW, "%s: processing early items\n", __func__); |
| 280 | |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 281 | if (CONFIG(VENDORCODE_ELTAN_MBOOT)) { |
| 282 | printk(BIOS_DEBUG, "mb_measure returned 0x%x\n", |
Bill XIE | 516c0a5 | 2020-02-24 23:08:35 +0800 | [diff] [blame] | 283 | mb_measure(platform_is_resuming())); |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 284 | } |
| 285 | |
| 286 | printk(BIOS_SPEW, "%s: process early verify list\n", __func__); |
| 287 | process_verify_list(romstage_verify_list); |
| 288 | } |
| 289 | |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 290 | /* |
| 291 | * RAM STAGE |
| 292 | */ |
| 293 | |
| 294 | static int process_oprom_list(const verify_item_t list[], |
| 295 | struct rom_header *rom_header) |
| 296 | { |
| 297 | int i = 0; |
| 298 | struct pci_data *rom_data; |
| 299 | uint32_t viddevid = 0; |
| 300 | |
| 301 | if (le32_to_cpu(rom_header->signature) != PCI_ROM_HDR) { |
Wim Vervoorn | ac4896f | 2019-10-30 15:55:21 +0100 | [diff] [blame] | 302 | printk(BIOS_ERR, "Incorrect expansion ROM header signature %04x DONT START\n", |
| 303 | le32_to_cpu(rom_header->signature)); |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 304 | return 0; |
| 305 | } |
| 306 | |
| 307 | rom_data = (((void *)rom_header) + le32_to_cpu(rom_header->data)); |
| 308 | |
| 309 | viddevid |= (rom_data->vendor << 16); |
| 310 | viddevid |= rom_data->device; |
| 311 | |
| 312 | while (list[i].type != VERIFY_TERMINATOR) { |
| 313 | switch (list[i].type) { |
| 314 | case VERIFY_OPROM: |
| 315 | if (viddevid == list[i].data.oprom.viddev) { |
| 316 | verified_boot_check_buffer(list[i].name, |
Wim Vervoorn | ac4896f | 2019-10-30 15:55:21 +0100 | [diff] [blame] | 317 | (void *)rom_header, |
| 318 | rom_header->size * 512, |
| 319 | list[i].hash_index, list[i].pcr); |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 320 | if (list[i].data.oprom.related_items) { |
Wim Vervoorn | ac4896f | 2019-10-30 15:55:21 +0100 | [diff] [blame] | 321 | printk(BIOS_SPEW, "%s: process related items\n", |
| 322 | __func__); |
| 323 | process_verify_list( |
| 324 | (verify_item_t *)list[i].data.oprom.related_items); |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 325 | } |
Wim Vervoorn | ac4896f | 2019-10-30 15:55:21 +0100 | [diff] [blame] | 326 | printk(BIOS_SPEW, "%s: option rom can be started\n", __func__); |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 327 | return 1; |
| 328 | } |
| 329 | break; |
| 330 | default: |
Wim Vervoorn | ac4896f | 2019-10-30 15:55:21 +0100 | [diff] [blame] | 331 | printk(BIOS_EMERG, "%s: INVALID TYPE IN OPTION ROM LIST 0x%x\n", |
| 332 | __func__, list[i].type); |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 333 | die("HASH verification failed!\n"); |
| 334 | } |
| 335 | i++; |
| 336 | } |
| 337 | printk(BIOS_ERR, "%s: option rom not in list DONT START\n", __func__); |
| 338 | return 0; |
| 339 | } |
| 340 | |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 341 | int verified_boot_should_run_oprom(struct rom_header *rom_header) |
| 342 | { |
| 343 | return process_oprom_list(oprom_verify_list, rom_header); |
| 344 | } |
| 345 | |
Wim Vervoorn | e05dc17 | 2019-11-14 09:50:59 +0100 | [diff] [blame] | 346 | int prog_locate_hook(struct prog *prog) |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 347 | { |
Wim Vervoorn | f4a3047 | 2019-11-14 10:03:25 +0100 | [diff] [blame] | 348 | if (ENV_BOOTBLOCK) |
Kyösti Mälkki | ed8eaab | 2019-11-05 17:12:42 +0200 | [diff] [blame] | 349 | verified_boot_bootblock_check(); |
Kyösti Mälkki | ed8eaab | 2019-11-05 17:12:42 +0200 | [diff] [blame] | 350 | |
| 351 | if (ENV_ROMSTAGE) { |
Wim Vervoorn | f4a3047 | 2019-11-14 10:03:25 +0100 | [diff] [blame] | 352 | if (prog->type == PROG_REFCODE) |
Kyösti Mälkki | ed8eaab | 2019-11-05 17:12:42 +0200 | [diff] [blame] | 353 | verified_boot_early_check(); |
Wim Vervoorn | f4a3047 | 2019-11-14 10:03:25 +0100 | [diff] [blame] | 354 | |
| 355 | if (CONFIG(POSTCAR_STAGE) && prog->type == PROG_POSTCAR) |
| 356 | process_verify_list(postcar_verify_list); |
| 357 | |
| 358 | if (!CONFIG(POSTCAR_STAGE) && prog->type == PROG_RAMSTAGE) |
| 359 | process_verify_list(ramstage_verify_list); |
Kyösti Mälkki | ed8eaab | 2019-11-05 17:12:42 +0200 | [diff] [blame] | 360 | } |
| 361 | |
Wim Vervoorn | f4a3047 | 2019-11-14 10:03:25 +0100 | [diff] [blame] | 362 | if (ENV_POSTCAR && prog->type == PROG_RAMSTAGE) |
| 363 | process_verify_list(ramstage_verify_list); |
Kyösti Mälkki | ed8eaab | 2019-11-05 17:12:42 +0200 | [diff] [blame] | 364 | |
Wim Vervoorn | f4a3047 | 2019-11-14 10:03:25 +0100 | [diff] [blame] | 365 | if (ENV_RAMSTAGE && prog->type == PROG_PAYLOAD) |
Kyösti Mälkki | ed8eaab | 2019-11-05 17:12:42 +0200 | [diff] [blame] | 366 | process_verify_list(payload_verify_list); |
Wim Vervoorn | f4a3047 | 2019-11-14 10:03:25 +0100 | [diff] [blame] | 367 | |
Wim Vervoorn | e05dc17 | 2019-11-14 09:50:59 +0100 | [diff] [blame] | 368 | return 0; |
Frans Hendriks | 72b3c3c | 2019-07-26 07:59:05 +0200 | [diff] [blame] | 369 | } |