authorFrans Hendriks <fhendriks@eltan.com>2019-07-26 07:59:05 +0200
committerPhilipp Deppenwiese <zaolin.daisuki@gmail.com>2019-10-04 13:37:03 +0000
commit72b3c3c8383e4cef6e112d9fd2c990aaab1525b7 (patch)
tree3f57b7974dfcb5ce7fe23936a67c91a2b51547a9 /src/vendorcode/eltan/security/verified_boot/vboot_check.h
parent7c82dbcc51657806bf2117b214a490bca8eec2f8 (diff)
vendorcode/eltan/security/verified_boot: Add verified boot support
Create verified boot support, which includes verification of the bootblock. This feature uses the vendorcode/eltan/security/lib. cbfs_locator is used to init the verified boot support. vendor_secure_prepare() and vendor_secure_locate() are used to perform the required action in each stage. The following lists will be used for verification: * bootblock_verify_list * postcar_verify_list * romstage_verify_list * ramstage_verify_list BUG=N/A TEST=Created binary and verify logging on Facebook FBG-1701 Change-Id: If6c1423b0b4a309cefb7fe7a29d5100ba289e0b4 Signed-off-by: Frans Hendriks <fhendriks@eltan.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/30835 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Lance Zhao <lance.zhao@gmail.com> Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Diffstat (limited to 'src/vendorcode/eltan/security/verified_boot/vboot_check.h')
-rw-r--r--src/vendorcode/eltan/security/verified_boot/vboot_check.h78
1 files changed, 78 insertions, 0 deletions
diff --git a/src/vendorcode/eltan/security/verified_boot/vboot_check.h b/src/vendorcode/eltan/security/verified_boot/vboot_check.h
new file mode 100644
index 0000000000..22f1edf948
--- /dev/null
+++ b/src/vendorcode/eltan/security/verified_boot/vboot_check.h
@@ -0,0 +1,78 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright (C) 2016 Intel Corp.
+ * Copyright (C) 2017-2019 Eltan B.V.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
+#ifndef VBOOT_CHECK_H
+#define VBOOT_CHECK_H
+
+#include <cbfs.h>
+#include <device/device.h>
+#include <device/pci.h>
+#include <lib.h>
+#include CONFIG_VENDORCODE_ELTAN_VBOOT_MANIFEST
+#include <console/console.h>
+#include <cb_sha.h>
+#include <string.h>
+#include <program_loading.h>
+#include <mboot.h>
+
+#define VERIFIED_BOOT_COPY_BLOCK 0x80000000
+/* These method verifies the SHA256 hash over the 'named' CBFS component.
+ * 'type' denotes the type of CBFS component i.e. stage, payload or fsp.
+ */
+#ifdef __BOOTBLOCK__
+void verified_boot_bootblock_check(void);
+#endif
+#ifdef __ROMSTAGE__
+void verified_boot_early_check(void);
+#endif
+
+int verified_boot_check_manifest(void);
+
+void verified_boot_check_cbfsfile(const char *name, uint32_t type,
+ uint32_t hash_index, void **buffer, uint32_t *filesize, int32_t pcr);
+
+typedef enum {
+ VERIFY_TERMINATOR = 0,
+ VERIFY_FILE,
+ VERIFY_BLOCK,
+ VERIFY_OPROM
+
+} verify_type;
+
+typedef struct {
+ verify_type type;
+ const char *name;
+ union {
+ struct {
+ const void *related_items;
+ uint32_t cbfs_type;
+ } file;
+ struct {
+ const void *start;
+ uint32_t size;
+ } block;
+ struct {
+ const void *related_items;
+ uint32_t viddev;
+ } oprom;
+ } data;
+ uint32_t hash_index;
+ int32_t pcr;
+} verify_item_t;
+
+void process_verify_list(const verify_item_t list[]);
+
+#endif //VBOOT_CHECK_H
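Review bot: `verified_boot_check_cbfsfile()` and `process_verify_list()` are declared `void` and the header never says what happens on a hash mismatch, so a caller cannot tell from this interface whether verification fails closed or returns with `*buffer` and `*filesize` in an unspecified state. The only comment describing the check sits above the `__BOOTBLOCK__` guard instead of on the function that actually takes `name` and `type`. I would move it onto `verified_boot_check_cbfsfile()` and state the contract there, for example `/* Verifies the SHA256 hash of CBFS file 'name' against manifest entry 'hash_index'; on mismatch this function <does not return | leaves *buffer NULL> (state which). */`. The same comment block should say what the `int` from `verified_boot_check_manifest()` means, what `VERIFIED_BOOT_COPY_BLOCK` is applied to, and which `pcr` values, if any, mean that no measurement is extended, since none of that can be worked out from the declarations alone.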