/* SPDX-License-Identifier: GPL-2.0-only */

#include "board_verified_boot.h"

/*
 * Per-stage verification tables. Every table is an array of positional
 * verify_item_t initializers and is closed by a VERIFY_TERMINATOR row.
 *
 * NOTE(review): the rows below read as
 *   { item type, name, { { pointer, CBFS type or size } }, hash index, PCR }
 * but the field names are not visible in this file; confirm against the
 * verify_item_t declaration in board_verified_boot.h.
 */

/*
 * Items verified by the bootblock. The bootblock does not measure these
 * items to the TPM; romstage_verify_list repeats them so that they are
 * measured there.
 */
const verify_item_t bootblock_verify_list[] = {
#if CONFIG(SEPARATE_ROMSTAGE)
	{
		VERIFY_FILE, ROMSTAGE,
		{ { NULL, CBFS_TYPE_STAGE } },
		HASH_IDX_ROM_STAGE, MBOOT_PCR_INDEX_0
	},
#endif
	{
		VERIFY_FILE, BOOTBLOCK,
		{ { NULL, CBFS_TYPE_BOOTBLOCK } },
		HASH_IDX_BOOTBLOCK, MBOOT_PCR_INDEX_0
	},
	{
		VERIFY_FILE, FSP,
		{ { NULL, CBFS_TYPE_FSP } },
		HASH_IDX_FSP, MBOOT_PCR_INDEX_1
	},
	{
		VERIFY_FILE, "spd.bin",
		{ { NULL, CBFS_TYPE_SPD } },
		HASH_IDX_SPD0, MBOOT_PCR_INDEX_1
	},
#if CONFIG(VENDORCODE_ELTAN_VBOOT_SIGNED_MANIFEST)
	/*
	 * The public key is checked as a raw block at the configured
	 * location and size rather than as a CBFS file.
	 * NOTE(review): this row names MBOOT_PCR_INDEX_0 while the same
	 * item in romstage_verify_list names MBOOT_PCR_INDEX_6. Since the
	 * bootblock does not measure, the value here is presumably unused;
	 * confirm the difference is intended.
	 */
	{
		VERIFY_BLOCK, "PublicKey",
		{ { (void *)CONFIG_VENDORCODE_ELTAN_VBOOT_KEY_LOCATION,
		    CONFIG_VENDORCODE_ELTAN_VBOOT_KEY_SIZE, } },
		HASH_IDX_PUBLICKEY, MBOOT_PCR_INDEX_0
	},
#endif
	{ VERIFY_TERMINATOR, NULL, { { NULL, 0 } }, 0, 0 }
};

/*
 * Items used by the romstage. The items already verified by the bootblock
 * are listed again so that they are measured. MICROCODE appears only in
 * this list, not in bootblock_verify_list.
 */
const verify_item_t romstage_verify_list[] = {
	{
		VERIFY_FILE, ROMSTAGE,
		{ { NULL, CBFS_TYPE_STAGE } },
		HASH_IDX_ROM_STAGE, MBOOT_PCR_INDEX_0
	},
	{
		VERIFY_FILE, MICROCODE,
		{ { NULL, CBFS_TYPE_MICROCODE } },
		HASH_IDX_MICROCODE, MBOOT_PCR_INDEX_1
	},
	{
		VERIFY_FILE, FSP,
		{ { NULL, CBFS_TYPE_FSP } },
		HASH_IDX_FSP, MBOOT_PCR_INDEX_1
	},
	{
		VERIFY_FILE, "spd.bin",
		{ { NULL, CBFS_TYPE_SPD } },
		HASH_IDX_SPD0, MBOOT_PCR_INDEX_1
	},
	{
		VERIFY_FILE, BOOTBLOCK,
		{ { NULL, CBFS_TYPE_BOOTBLOCK } },
		HASH_IDX_BOOTBLOCK, MBOOT_PCR_INDEX_0
	},
#if CONFIG(VENDORCODE_ELTAN_VBOOT_SIGNED_MANIFEST)
	/* Public key block; this list assigns it MBOOT_PCR_INDEX_6. */
	{
		VERIFY_BLOCK, "PublicKey",
		{ { (void *)CONFIG_VENDORCODE_ELTAN_VBOOT_KEY_LOCATION,
		    CONFIG_VENDORCODE_ELTAN_VBOOT_KEY_SIZE, } },
		HASH_IDX_PUBLICKEY, MBOOT_PCR_INDEX_6
	},
#endif
	{ VERIFY_TERMINATOR, NULL, { { NULL, 0 } }, 0, 0 }
};

/* Items used by the postcar stage: only the postcar stage itself. */
const verify_item_t postcar_verify_list[] = {
	{
		VERIFY_FILE, POSTCAR,
		{ { NULL, CBFS_TYPE_STAGE } },
		HASH_IDX_POSTCAR_STAGE, MBOOT_PCR_INDEX_0
	},
	{ VERIFY_TERMINATOR, NULL, { { NULL, 0 } }, 0, 0 }
};

/*
 * Additional items used by the ramstage. FSP and microcode are not
 * repeated because the romstage verify list already checks them.
 * This table is file-local and is referenced from the RAMSTAGE row of
 * ramstage_verify_list.
 */
static const verify_item_t ram_stage_additional_list[] = {
#if CONFIG(INCLUDE_CONFIG_FILE)
	{
		VERIFY_FILE, "config",
		{ { NULL, CBFS_TYPE_RAW } },
		HASH_IDX_CONFIG, MBOOT_PCR_INDEX_0
	},
#endif
	{
		VERIFY_FILE, OP_ROM_VBT,
		{ { NULL, CBFS_TYPE_RAW } },
		HASH_IDX_OPROM, MBOOT_PCR_INDEX_2
	},
#if CONFIG(BMP_LOGO)
	{
		VERIFY_FILE, "logo.bmp",
		{ { NULL, CBFS_TYPE_RAW } },
		HASH_IDX_LOGO, MBOOT_PCR_INDEX_2
	},
#endif
	{
		VERIFY_FILE, "fallback/dsdt.aml",
		{ { NULL, CBFS_TYPE_RAW } },
		HASH_IDX_DSDT, MBOOT_PCR_INDEX_2
	},
	{ VERIFY_TERMINATOR, NULL, { { NULL, 0 } }, 0, 0 }
};

/*
 * Items used for the ramstage. The pointer slot of the RAMSTAGE row
 * carries ram_stage_additional_list instead of NULL.
 */
const verify_item_t ramstage_verify_list[] = {
	{
		VERIFY_FILE, RAMSTAGE,
		{ { ram_stage_additional_list, CBFS_TYPE_STAGE } },
		HASH_IDX_RAM_STAGE, MBOOT_PCR_INDEX_0
	},
	{ VERIFY_TERMINATOR, NULL, { { NULL, 0 } }, 0, 0 }
};

/*
 * Items used by the payload. VERIFIED_BOOT_COPY_BLOCK is ORed into the
 * CBFS type field of the PAYLOAD row.
 * NOTE(review): the flag's effect is defined outside this file; confirm
 * how the consumer of this list handles it.
 */
const verify_item_t payload_verify_list[] = {
	{
		VERIFY_FILE, PAYLOAD,
		{ { NULL, CBFS_TYPE_SELF | VERIFIED_BOOT_COPY_BLOCK } },
		HASH_IDX_PAYLOAD, MBOOT_PCR_INDEX_3
	},
	{ VERIFY_TERMINATOR, NULL, { { NULL, 0 } }, 0, 0 }
};

/*
 * List of allowed option ROMs. It holds only the terminator row.
 * NOTE(review): presumably this means no option ROM is accepted; confirm
 * how the consumer treats an empty list before relying on that.
 */
const verify_item_t oprom_verify_list[] = {
	{ VERIFY_TERMINATOR, NULL, { { NULL, 0 } }, 0, 0 }
};