author | Frans Hendriks <fhendriks@eltan.com> | 2019-07-26 07:59:05 +0200 |
---|---|---|
committer | Philipp Deppenwiese <zaolin.daisuki@gmail.com> | 2019-10-04 13:37:03 +0000 |
commit | 72b3c3c8383e4cef6e112d9fd2c990aaab1525b7 (patch) | |
tree | 3f57b7974dfcb5ce7fe23936a67c91a2b51547a9 /src/vendorcode/eltan/security/verified_boot/vboot_check.h | |
parent | 7c82dbcc51657806bf2117b214a490bca8eec2f8 (diff) |
vendorcode/eltan/security/verified_boot: Add verified boot support
Create verified boot support, which includes verification of the bootblock.
This feature uses the vendorcode/eltan/security/lib.
cbfs_locator is used to init the verified boot support.
vendor_secure_prepare() and vendor_secure_locate() are used to perform the
required action in each stage.
The next lists will be used for verification:
* bootblock_verify_list
* postcar_verify_list
* romstage_verify_list
* ramstage_verify_list
BUG=N/A
TEST=Created binary and verify logging on Facebook FBG-1701
Change-Id: If6c1423b0b4a309cefb7fe7a29d5100ba289e0b4
Signed-off-by: Frans Hendriks <fhendriks@eltan.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/30835
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Lance Zhao <lance.zhao@gmail.com>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Diffstat (limited to 'src/vendorcode/eltan/security/verified_boot/vboot_check.h')
-rw-r--r-- | src/vendorcode/eltan/security/verified_boot/vboot_check.h | 78 |
1 files changed, 78 insertions, 0 deletions
diff --git a/src/vendorcode/eltan/security/verified_boot/vboot_check.h b/src/vendorcode/eltan/security/verified_boot/vboot_check.h
new file mode 100644
index 0000000000..22f1edf948
--- /dev/null
+++ b/src/vendorcode/eltan/security/verified_boot/vboot_check.h
@@ -0,0 +1,78 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright (C) 2016 Intel Corp.
+ * Copyright (C) 2017-2019 Eltan B.V.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
+#ifndef VBOOT_CHECK_H
+#define VBOOT_CHECK_H
+
+#include <cbfs.h>
+#include <device/device.h>
+#include <device/pci.h>
+#include <lib.h>
+#include CONFIG_VENDORCODE_ELTAN_VBOOT_MANIFEST
+#include <console/console.h>
+#include <cb_sha.h>
+#include <string.h>
+#include <program_loading.h>
+#include <mboot.h>
+
+#define VERIFIED_BOOT_COPY_BLOCK 0x80000000
+/* These method verifies the SHA256 hash over the 'named' CBFS component.
+ * 'type' denotes the type of CBFS component i.e. stage, payload or fsp.
+ */
+#ifdef __BOOTBLOCK__
+void verified_boot_bootblock_check(void);
+#endif
+#ifdef __ROMSTAGE__
+void verified_boot_early_check(void);
+#endif
+
+int verified_boot_check_manifest(void);
+
+void verified_boot_check_cbfsfile(const char *name, uint32_t type,
+ uint32_t hash_index, void **buffer, uint32_t *filesize, int32_t pcr);
+
+typedef enum {
+ VERIFY_TERMINATOR = 0,
+ VERIFY_FILE,
+ VERIFY_BLOCK,
+ VERIFY_OPROM
+
+} verify_type;
+
+typedef struct {
+ verify_type type;
+ const char *name;
+ union {
+ struct {
+ const void *related_items;
+ uint32_t cbfs_type;
+ } file;
+ struct {
+ const void *start;
+ uint32_t size;
+ } block;
+ struct {
+ const void *related_items;
+ uint32_t viddev;
+ } oprom;
+ } data;
+ uint32_t hash_index;
+ int32_t pcr;
+} verify_item_t;
+
+void process_verify_list(const verify_item_t list[]);
+
+#endif //VBOOT_CHECK_H
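Review bot: The block comment `/* These method verifies the SHA256 hash over the 'named' CBFS component ... */` sits above the `#ifdef __BOOTBLOCK__` / `#ifdef __ROMSTAGE__` prototypes of verified_boot_bootblock_check() and verified_boot_early_check(), which take no name or type at all, while the parameters it describes belong to verified_boot_check_cbfsfile() further down; it should move directly above that prototype and read `/* Verifies the SHA256 hash over the 'named' CBFS component. */`. The security-relevant contract of that function is otherwise undocumented: it returns void, so the comment must state what happens on a hash mismatch (whether the call returns at all or halts/resets the platform), what `hash_index` indexes into, how `*buffer`/`*filesize` are filled and who owns that mapping, and what a negative `pcr` means, none of which can be read from the header. Likewise `int verified_boot_check_manifest(void)` and `#define VERIFIED_BOOT_COPY_BLOCK 0x80000000` carry no comment giving the return-value convention or what the constant flags, and a one-line comment on each would settle it. As a point of style, `verify_type` and `verify_item_t` use inconsistent typedef suffixes, and the header uses `uint32_t`/`int32_t` without including `<stdint.h>` itself, relying on transitive includes.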