summaryrefslogtreecommitdiff
path: root/src/sbom/Kconfig
diff options
context:
space:
mode:
authorMaximilian Brune <code.ivng5@simplelogin.co>2022-04-14 14:54:16 +0200
committerMartin Roth <martin.roth@amd.corp-partner.google.com>2022-08-22 14:48:46 +0000
commit1d7a9debf241f9649a40ebc367204bac0a86a67e (patch)
tree06ca2e46ea3046eef88002fc538212266238c7a9 /src/sbom/Kconfig
parent1e71fe107a001d8947dabd733ce0076fd80bc56f (diff)
Add SBOM (Software Bill of Materials) Generation
Firmware is typically delivered as one large binary image that gets flashed. Since this final image consists of binaries and data from a vast number of different people and companies, it's hard to determine what all the small parts included in it are. The goal of the software bill of materials (SBOM) is to take a firmware image and make it easy to find out what it consists of and where those pieces came from. Basically, this answers the question, who supplied the code that's running on my system right now? For example, buyers of a system can use an SBOM to perform an automated vulnerability check or license analysis, both of which can be used to evaluate risk in a product. Furthermore, one can quickly check to see if the firmware is subject to a new vulnerability included in one of the software parts (with the specified version) of the firmware. Further reference: https://web.archive.org/web/20220310104905/https://blogs.gnome.org/hughsie/2022/03/10/firmware-software-bill-of-materials/ - Add Makefile.inc to generate and build coswid tags - Add templates for most payloads, coreboot, intel-microcode, amd-microcode. intel FSP-S/M/T, EC, BIOS_ACM, SINIT_ACM, intel ME and compiler (gcc,clang,other) - Add Kconfig entries to optionally supply a path to CoSWID tags instead of using the default CoSWID tags - Add CBFS entry called SBOM to each build via Makefile.inc - Add goswid utility tool to generate SBOM data Signed-off-by: Maximilian Brune <maximilian.brune@9elements.com> Change-Id: Icb7481d4903f95d200eddbfed7728fbec51819d0 Reviewed-on: https://review.coreboot.org/c/coreboot/+/63639 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Martin Roth <martin.roth@amd.corp-partner.google.com>
Diffstat (limited to 'src/sbom/Kconfig')
-rw-r--r--src/sbom/Kconfig171
1 files changed, 171 insertions, 0 deletions
diff --git a/src/sbom/Kconfig b/src/sbom/Kconfig
new file mode 100644
index 0000000000..38f5421fd2
--- /dev/null
+++ b/src/sbom/Kconfig
@@ -0,0 +1,171 @@
+## SPDX-License-Identifier: GPL-2.0-only
+
+config SBOM
+ bool "Include SBOM data for coreboot"
+ default n
+ help
+ Select this option if you want to include a
+ coswid (Concise Software Identification Tag) of coreboot itself
+ into the SBOM (Software Bill of Materials) File in your build
+
+if SBOM
+
+config SBOM_COMPILER
+ bool "Include compiler metadata in SBOM"
+ default n
+ help
+ Select this option if you want to include a
+ coswid (Concise Software Identification Tag) of the compiler
+ used to compile coreboot into the SBOM (Software Bill of Materials)
+ File in your build
+ Note: if the system toolchain is used to build coreboot
+ one should check the final SBOM file for the expected results
+
+config SBOM_PAYLOAD
+ bool "Include payload metadata in SBOM"
+ default n
+ help
+ Select this option if you want to include a
+ coswid (Concise Software Identification Tag) of the payload into
+ the SBOM (Software Bill of Materials) File in your build
+
+config SBOM_PAYLOAD_GENERATE
+ bool "Auto-generate generic SBOM info for payload"
+ depends on SBOM_PAYLOAD && (PAYLOAD_BOOTBOOT || PAYLOAD_DEPTHCHARGE || PAYLOAD_FILO || PAYLOAD_GRUB2 || PAYLOAD_LINUXBOOT || PAYLOAD_SEABIOS || PAYLOAD_SKIBOOT || PAYLOAD_UBOOT || PAYLOAD_YABITS)
+ default y
+ help
+ Select this option if you want coreboot to generate and include
+ the coswid (Concise Software Identification Tag) instead of supplying
+ it manually. Be aware that this option is only meant to be a
+ transition and suppliers of Software should always prefer to include
+ their own Software descriptions, since ours may be incomplete or
+ straight up wrong.
+
+config SBOM_PAYLOAD_PATH
+ string "SBOM file path"
+ depends on SBOM_PAYLOAD && !SBOM_PAYLOAD_GENERATE
+ help
+ The path of the .ini file describing the payload
+ Software included in the build
+
+config SBOM_ME
+ bool "Include ME metadata in SBOM"
+ depends on HAVE_ME_BIN
+ default n
+ help
+ Select this option if you want to include a
+ coswid (Concise Software Identification Tag) of the
+ ME firmware into the SBOM (Software Bill of Materials)
+ File in your build
+
+config SBOM_ME_GENERATE
+ bool "Auto-generate generic SBOM info for ME firmware"
+ depends on SBOM_ME
+ default y
+ help
+ Select this option if you want coreboot to generate and include
+ the coswid (Concise Software Identification Tag) instead of
+ supplying it manually. Be aware that this option is only meant
+ to be a transition and suppliers of Software should always prefer
+ to include their own Software descriptions, since ours may be
+ incomplete or straight up wrong.
+
+config SBOM_ME_PATH
+ string "Path to sbom.json for the ME firmware"
+ depends on SBOM_ME && !SBOM_ME_GENERATE
+ help
+ The path of the SBOM file (sbom.json file)
+ The path of the .json file describing the Software included in the build
+
+config SBOM_EC
+ bool "Include EC metadata in SBOM"
+ depends on HAVE_EC_BIN
+ default n
+ help
+ Select this option if you want to include a
+ coswid (Concise Software Identification Tag) of the
+ EC (Embedded Controller) firmware into the
+ SBOM (Software Bill of Materials) File in your build
+
+config SBOM_EC_PATH
+ string "Path to SBOM file for the EC firmware"
+ depends on SBOM_EC
+ default "src/sbom/generic-ec.json"
+ help
+ The path of the SBOM file describing the Software included in the build
+ File can be a .json, .xml, .cbor, .uswid, or .pc
+
+config SBOM_SINIT_ACM
+ bool "Include SINIT ACM metadata in SBOM"
+ depends on INTEL_TXT_SINITACM_FILE != ""
+ default n
+ help
+ Select this option if you want to include a
+ coswid (Concise Software Identification Tag) of the
+ SINIT ACM (Authenticated Code Module) firmware into the
+ SBOM (Software Bill of Materials) File in your build
+
+config SBOM_SINIT_ACM_PATH
+ string "Path to SBOM file for the SINIT AMC firmware"
+ depends on SBOM_SINIT_ACM
+ default "src/sbom/intel-sinit-acm.json"
+ help
+ The path of the SBOM file describing the Software included in the build
+ File can be a .json, .xml, .cbor, .uswid, or .pc
+
+config SBOM_BIOS_ACM
+ bool "Include BIOS ACM metadata in SBOM"
+ depends on INTEL_TXT_BIOSACM_FILE != ""
+ default n
+ help
+ Select this option if you want to include a
+ coswid (Concise Software Identification Tag) of the
+ BIOS ACM (Authenticated Code Module) firmware into the
+ SBOM (Software Bill of Materials) File in your build
+
+config SBOM_BIOS_ACM_PATH
+ string "Path to SBOM file for the BIOS AMC firmware"
+ depends on SBOM_SINIT_ACM
+ default "src/sbom/intel-bios-acm.json"
+ help
+ The path of the SBOM file describing the Software included in the build
+ File can be a .json, .xml, .cbor, .uswid, or .pc
+
+config SBOM_MICROCODE
+ bool "Include microcode metadata in SBOM"
+ default n
+ help
+ Select this option if you want to include a
+ coswid (Concise Software Identification Tag) of the
+ microcode firmware into the SBOM (Software Bill of Materials)
+ File in your build
+
+config SBOM_FSP
+ bool "Include Intel FSP metadata in SBOM"
+ default n
+ depends on (FSP_S_FILE != "" || FSP_M_FILE != "" || FSP_T_FILE != "")
+ help
+ Select this option if you want to include a
+ coswid (Concise Software Identification Tag) of the
+ FSP firmware into the SBOM (Software Bill of Materials)
+ File in your build
+
+config SBOM_FSP_PATH
+ string "Path to SBOM file for the FSP firmware"
+ depends on SBOM_FSP
+ default "build/sbom/generic-fsp.json"
+ help
+ The path of the SBOM file describing the Software included in the build
+ File can be a .json, .xml, .cbor, .uswid, or .pc
+
+config SBOM_VBOOT
+ bool "Include VBOOT metadata in SBOM"
+ default n
+ depends on VBOOT_LIB
+ help
+ Select this option if you want to include a
+ coswid (Concise Software Identification Tag) of the
+ VBOOT Software into the SBOM (Software Bill of Materials)
+ File in your build
+
+endif