summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorMaximilian Brune <code.ivng5@simplelogin.co>2022-04-14 14:54:16 +0200
committerMartin Roth <martin.roth@amd.corp-partner.google.com>2022-08-22 14:48:46 +0000
commit1d7a9debf241f9649a40ebc367204bac0a86a67e (patch)
tree06ca2e46ea3046eef88002fc538212266238c7a9 /src
parent1e71fe107a001d8947dabd733ce0076fd80bc56f (diff)
Add SBOM (Software Bill of Materials) Generation
Firmware is typically delivered as one large binary image that gets flashed. Since this final image consists of binaries and data from a vast number of different people and companies, it's hard to determine what all the small parts included in it are. The goal of the software bill of materials (SBOM) is to take a firmware image and make it easy to find out what it consists of and where those pieces came from. Basically, this answers the question, who supplied the code that's running on my system right now? For example, buyers of a system can use an SBOM to perform an automated vulnerability check or license analysis, both of which can be used to evaluate risk in a product. Furthermore, one can quickly check to see if the firmware is subject to a new vulnerability included in one of the software parts (with the specified version) of the firmware. Further reference: https://web.archive.org/web/20220310104905/https://blogs.gnome.org/hughsie/2022/03/10/firmware-software-bill-of-materials/ - Add Makefile.inc to generate and build coswid tags - Add templates for most payloads, coreboot, intel-microcode, amd-microcode. intel FSP-S/M/T, EC, BIOS_ACM, SINIT_ACM, intel ME and compiler (gcc,clang,other) - Add Kconfig entries to optionally supply a path to CoSWID tags instead of using the default CoSWID tags - Add CBFS entry called SBOM to each build via Makefile.inc - Add goswid utility tool to generate SBOM data Signed-off-by: Maximilian Brune <maximilian.brune@9elements.com> Change-Id: Icb7481d4903f95d200eddbfed7728fbec51819d0 Reviewed-on: https://review.coreboot.org/c/coreboot/+/63639 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Martin Roth <martin.roth@amd.corp-partner.google.com>
Diffstat (limited to 'src')
-rw-r--r--src/Kconfig6
-rw-r--r--src/sbom/Kconfig171
-rw-r--r--src/sbom/Makefile.inc143
-rw-r--r--src/sbom/TAGS25
-rw-r--r--src/sbom/amd-microcode.json24
-rw-r--r--src/sbom/compiler-clang.json21
-rw-r--r--src/sbom/compiler-gcc.json21
-rw-r--r--src/sbom/compiler-generic.json15
-rw-r--r--src/sbom/coreboot.json25
-rw-r--r--src/sbom/generic-ec.json21
-rw-r--r--src/sbom/generic-fsp.json22
-rw-r--r--src/sbom/intel-bios-acm.json16
-rw-r--r--src/sbom/intel-me.json21
-rw-r--r--src/sbom/intel-microcode.json24
-rw-r--r--src/sbom/intel-sinit-acm.json16
-rw-r--r--src/sbom/payload-BOOTBOOT.json25
-rw-r--r--src/sbom/payload-FILO.json25
-rw-r--r--src/sbom/payload-GRUB2.json25
-rw-r--r--src/sbom/payload-LinuxBoot.json25
-rw-r--r--src/sbom/payload-SeaBIOS.json25
-rw-r--r--src/sbom/payload-U-Boot.json25
-rw-r--r--src/sbom/payload-depthcharge.json25
-rw-r--r--src/sbom/payload-iPXE.json25
-rw-r--r--src/sbom/payload-skiboot.json25
-rw-r--r--src/security/vboot/Makefile.inc3
25 files changed, 798 insertions, 1 deletions
diff --git a/src/Kconfig b/src/Kconfig
index bec22a48c5..0d3879ecbf 100644
--- a/src/Kconfig
+++ b/src/Kconfig
@@ -476,6 +476,12 @@ config MINIMAL_PCI_SCANNING
help
If this option is enabled, coreboot will scan only PCI devices
marked as mandatory in devicetree.cb
+
+menu "Software Bill Of Materials (SBOM)"
+
+source "src/sbom/Kconfig"
+
+endmenu
endmenu
menu "Mainboard"
diff --git a/src/sbom/Kconfig b/src/sbom/Kconfig
new file mode 100644
index 0000000000..38f5421fd2
--- /dev/null
+++ b/src/sbom/Kconfig
@@ -0,0 +1,171 @@
+## SPDX-License-Identifier: GPL-2.0-only
+
+config SBOM
+ bool "Include SBOM data for coreboot"
+ default n
+ help
+ Select this option if you want to include a
+ coswid (Concise Software Identification Tag) of coreboot itself
+ into the SBOM (Software Bill of Materials) File in your build
+
+if SBOM
+
+config SBOM_COMPILER
+ bool "Include compiler metadata in SBOM"
+ default n
+ help
+ Select this option if you want to include a
+ coswid (Concise Software Identification Tag) of the compiler
+ used to compile coreboot into the SBOM (Software Bill of Materials)
+ File in your build
+ Note: if the system toolchain is used to build coreboot
+ one should check the final SBOM file for the expected results
+
+config SBOM_PAYLOAD
+ bool "Include payload metadata in SBOM"
+ default n
+ help
+ Select this option if you want to include a
+ coswid (Concise Software Identification Tag) of the payload into
+ the SBOM (Software Bill of Materials) File in your build
+
+config SBOM_PAYLOAD_GENERATE
+ bool "Auto-generate generic SBOM info for payload"
+ depends on SBOM_PAYLOAD && (PAYLOAD_BOOTBOOT || PAYLOAD_DEPTHCHARGE || PAYLOAD_FILO || PAYLOAD_GRUB2 || PAYLOAD_LINUXBOOT || PAYLOAD_SEABIOS || PAYLOAD_SKIBOOT || PAYLOAD_UBOOT || PAYLOAD_YABITS)
+ default y
+ help
+ Select this option if you want coreboot to generate and include
+ the coswid (Concise Software Identification Tag) instead of supplying
+ it manually. Be aware that this option is only meant to be a
+ transition and suppliers of Software should always prefer to include
+ their own Software descriptions, since ours may be incomplete or
+ straight up wrong.
+
+config SBOM_PAYLOAD_PATH
+ string "SBOM file path"
+ depends on SBOM_PAYLOAD && !SBOM_PAYLOAD_GENERATE
+ help
+ The path of the .ini file describing the payload
+ Software included in the build
+
+config SBOM_ME
+ bool "Include ME metadata in SBOM"
+ depends on HAVE_ME_BIN
+ default n
+ help
+ Select this option if you want to include a
+ coswid (Concise Software Identification Tag) of the
+ ME firmware into the SBOM (Software Bill of Materials)
+ File in your build
+
+config SBOM_ME_GENERATE
+ bool "Auto-generate generic SBOM info for ME firmware"
+ depends on SBOM_ME
+ default y
+ help
+ Select this option if you want coreboot to generate and include
+ the coswid (Concise Software Identification Tag) instead of
+ supplying it manually. Be aware that this option is only meant
+ to be a transition and suppliers of Software should always prefer
+ to include their own Software descriptions, since ours may be
+ incomplete or straight up wrong.
+
+config SBOM_ME_PATH
+ string "Path to sbom.json for the ME firmware"
+ depends on SBOM_ME && !SBOM_ME_GENERATE
+ help
+ The path of the SBOM file (sbom.json file)
+ The path of the .json file describing the Software included in the build
+
+config SBOM_EC
+ bool "Include EC metadata in SBOM"
+ depends on HAVE_EC_BIN
+ default n
+ help
+ Select this option if you want to include a
+ coswid (Concise Software Identification Tag) of the
+ EC (Embedded Controller) firmware into the
+ SBOM (Software Bill of Materials) File in your build
+
+config SBOM_EC_PATH
+ string "Path to SBOM file for the EC firmware"
+ depends on SBOM_EC
+ default "src/sbom/generic-ec.json"
+ help
+ The path of the SBOM file describing the Software included in the build
+ File can be a .json, .xml, .cbor, .uswid, or .pc
+
+config SBOM_SINIT_ACM
+ bool "Include SINIT ACM metadata in SBOM"
+ depends on INTEL_TXT_SINITACM_FILE != ""
+ default n
+ help
+ Select this option if you want to include a
+ coswid (Concise Software Identification Tag) of the
+ SINIT ACM (Authenticated Code Module) firmware into the
+ SBOM (Software Bill of Materials) File in your build
+
+config SBOM_SINIT_ACM_PATH
+ string "Path to SBOM file for the SINIT AMC firmware"
+ depends on SBOM_SINIT_ACM
+ default "src/sbom/intel-sinit-acm.json"
+ help
+ The path of the SBOM file describing the Software included in the build
+ File can be a .json, .xml, .cbor, .uswid, or .pc
+
+config SBOM_BIOS_ACM
+ bool "Include BIOS ACM metadata in SBOM"
+ depends on INTEL_TXT_BIOSACM_FILE != ""
+ default n
+ help
+ Select this option if you want to include a
+ coswid (Concise Software Identification Tag) of the
+ BIOS ACM (Authenticated Code Module) firmware into the
+ SBOM (Software Bill of Materials) File in your build
+
+config SBOM_BIOS_ACM_PATH
+ string "Path to SBOM file for the BIOS AMC firmware"
+ depends on SBOM_SINIT_ACM
+ default "src/sbom/intel-bios-acm.json"
+ help
+ The path of the SBOM file describing the Software included in the build
+ File can be a .json, .xml, .cbor, .uswid, or .pc
+
+config SBOM_MICROCODE
+ bool "Include microcode metadata in SBOM"
+ default n
+ help
+ Select this option if you want to include a
+ coswid (Concise Software Identification Tag) of the
+ microcode firmware into the SBOM (Software Bill of Materials)
+ File in your build
+
+config SBOM_FSP
+ bool "Include Intel FSP metadata in SBOM"
+ default n
+ depends on (FSP_S_FILE != "" || FSP_M_FILE != "" || FSP_T_FILE != "")
+ help
+ Select this option if you want to include a
+ coswid (Concise Software Identification Tag) of the
+ FSP firmware into the SBOM (Software Bill of Materials)
+ File in your build
+
+config SBOM_FSP_PATH
+ string "Path to SBOM file for the FSP firmware"
+ depends on SBOM_FSP
+ default "build/sbom/generic-fsp.json"
+ help
+ The path of the SBOM file describing the Software included in the build
+ File can be a .json, .xml, .cbor, .uswid, or .pc
+
+config SBOM_VBOOT
+ bool "Include VBOOT metadata in SBOM"
+ default n
+ depends on VBOOT_LIB
+ help
+ Select this option if you want to include a
+ coswid (Concise Software Identification Tag) of the
+ VBOOT Software into the SBOM (Software Bill of Materials)
+ File in your build
+
+endif
diff --git a/src/sbom/Makefile.inc b/src/sbom/Makefile.inc
new file mode 100644
index 0000000000..3c7a8f6d69
--- /dev/null
+++ b/src/sbom/Makefile.inc
@@ -0,0 +1,143 @@
+## SPDX-License-Identifier: GPL-2.0-only
+
+obj ?= build
+src ?= src
+build-dir = $(obj)/sbom
+src-dir = $(src)/sbom
+
+CONFIG_ME_BIN_PATH := $(call strip_quotes, $(CONFIG_ME_BIN_PATH))
+CONFIG_FSP_S_FILE := $(call strip_quotes, $(CONFIG_FSP_S_FILE))
+CONFIG_FSP_M_FILE := $(call strip_quotes, $(CONFIG_FSP_M_FILE))
+CONFIG_FSP_T_FILE := $(call strip_quotes, $(CONFIG_FSP_T_FILE))
+CONFIG_PAYLOAD_FILE := $(call strip_quotes, $(CONFIG_PAYLOAD_FILE))
+CONFIG_EC_PATH := $(call strip_quotes, $(CONFIG_EC_PATH))
+CONFIG_BIOS_ACM_PATH := $(call strip_quotes, $(CONFIG_BIOS_ACM_PATH))
+CONFIG_SINIT_ACM_PATH := $(call strip_quotes, $(CONFIG_SINIT_ACM_PATH))
+
+ifeq ($(CONFIG_SBOM_PAYLOAD_GENERATE), y)
+payload-git-dir-$(CONFIG_PAYLOAD_BOOTBOOT) = payloads/external/BOOTBOOT/bootboot
+payload-git-dir-$(CONFIG_PAYLOAD_DEPTHCHARGE) = payloads/external/depthcharge/depthcharge
+payload-git-dir-$(CONFIG_PAYLOAD_FILO) = payloads/external/FILO/filo
+payload-git-dir-$(CONFIG_PAYLOAD_GRUB2) = payloads/external/GRUB2/grub2
+payload-git-dir-$(CONFIG_PAYLOAD_LINUXBOOT) = payloads/external/LinuxBoot/linuxboot
+payload-git-dir-$(CONFIG_PAYLOAD_SEABIOS) = payloads/external/SeaBIOS/seabios
+payload-git-dir-$(CONFIG_PAYLOAD_SKIBOOT) = payloads/external/skiboot/skiboot
+#payload-git-dir-$(CONFIG_PAYLOAD_TIANOCORE) = payloads/external/tianocore/
+payload-git-dir-$(CONFIG_PAYLOAD_UBOOT) = payloads/external/U-Boot/u-boot
+payload-git-dir-$(CONFIG_PAYLOAD_IPXE) = payloads/external/iPXE/ipxe
+ifneq ($(payload-git-dir-y),)
+# only proceed with payload sbom data, if one of the above payloads were selected (should be guarded by Kconfig as well)
+# e.g. payload-git-dir-y=payloads/external/SeaBIOS/seabios -> payload-json-file=$(build-dir)/payload-SeaBIOS.json
+payload-swid = $(build-dir)/payload-$(subst /,,$(dir $(patsubst payloads/external/%,%,$(payload-git-dir-y)))).json
+payload-swid-template = $(patsubst $(build-dir)/%.json,$(src-dir)/%.json,$(payload-swid))
+endif
+endif
+
+swid-files-$(CONFIG_SBOM_ME) += $(if $(CONFIG_SBOM_ME_GENERATE), $(build-dir)/intel-me.json, $(CONFIG_SBOM_ME_PATH))
+swid-files-$(CONFIG_SBOM_PAYLOAD) += $(if $(CONFIG_SBOM_PAYLOAD_GENERATE), $(payload-swid), $(CONFIG_SBOM_PAYLOAD_PATH))
+# TODO think about just using one CoSWID tag for all intel-microcode instead of one for each. maybe put each microcode into files entity of CoSWID tag?
+swid-files-$(CONFIG_SBOM_MICROCODE) += $(patsubst 3rdparty/intel-microcode/intel-ucode/%, $(build-dir)/intel-microcode-%.json, $(filter 3rdparty/intel-microcode/intel-ucode/%, $(cpu_microcode_bins)))
+swid-files-$(CONFIG_SBOM_MICROCODE) += $(patsubst ${FIRMWARE_LOCATION}/UcodePatch_%.bin, $(build-dir)/amd-microcode-%.json, $(filter ${FIRMWARE_LOCATION}/UcodePatch_%.bin, $(cpu_microcode_bins)))
+swid-files-$(CONFIG_SBOM_FSP) += $(CONFIG_SBOM_FSP_PATH)
+swid-files-$(CONFIG_SBOM_EC) += $(CONFIG_SBOM_EC_PATH)
+swid-files-$(CONFIG_SBOM_BIOS_ACM) += $(CONFIG_BIOS_ACM_PATH)
+swid-files-$(CONFIG_SBOM_SINIT_ACM) += $(CONFIG_SINIT_ACM_PATH)
+
+vboot-pkgconfig-files = $(obj)/external/vboot_reference-bootblock/vboot_host.pc $(obj)/external/vboot_reference-romstage/vboot_host.pc $(obj)/external/vboot_reference-ramstage/vboot_host.pc $(obj)/external/vboot_reference-postcar/vboot_host.pc
+swid-files-$(CONFIG_SBOM_VBOOT) += $(vboot-pkgconfig-files)
+$(vboot-pkgconfig-files): $(VBOOT_LIB_bootblock) $(VBOOT_LIB_romstage) $(VBOOT_LIB_ramstage) $(VBOOT_LIB_postcar) # src/security/vboot/Makefile.inc
+
+ifeq ($(CONFIG_SBOM_COMPILER),y)
+ifeq ($(CONFIG_ANY_TOOLCHAIN),y)
+swid-files-compiler = $(build-dir)/compiler-generic.json
+else ifeq ($(CONFIG_COMPILER_GCC),y)
+swid-files-compiler = $(build-dir)/compiler-gcc.json
+else ifeq ($(CONFIG_COMPILER_LLVM_CLANG),y)
+swid-files-compiler = $(build-dir)/compiler-clang.json
+endif
+compiler-toolchain = $(CC_bootblock) $(CC_romstage) $(CC_ramstage) $(CC_postcar) $(CC_verstage) $(LD_bootblock) $(LD_romstage) $(LD_ramstage) $(LD_postcar) $(LD_verstage) $(AS_bootblock) $(AS_romstage) $(AS_ramstage) $(AS_postcar) $(AS_verstage)
+endif
+
+coreboot-licenses = $(foreach license, $(patsubst %.txt, %, $(filter-out retained-copyrights.txt, $(patsubst LICENSES/%, %, $(wildcard LICENSES/*)))), https://spdx.org/licenses/$(license).html)
+
+# only include CBFS SBOM section if there is any data for it
+ifeq ($(CONFIG_SBOM),y)
+cbfs-files-y += sbom
+sbom-file = $(build-dir)/sbom.uswid
+sbom-type = raw
+endif
+
+## Build final SBOM (Software Bill of Materials) file in uswid format
+
+$(build-dir)/sbom.uswid: $(build-dir)/coreboot.json $(swid-files-y) $(swid-files-compiler) | $(build-dir)/goswid $(build-dir)
+ echo " SBOM " $^
+ $(build-dir)/goswid convert -o $@ \
+ --parent $(build-dir)/coreboot.json \
+ $(if $(swid-files-y), --requires $$(echo $(swid-files-y) | tr ' ' ','),) \
+ $(if $(swid-files-compiler), --compiler $(swid-files-compiler),)
+
+# all build files depend on the $(build-dir) directory being created
+$(build-dir):
+ mkdir -p $(build-dir)
+
+$(build-dir)/goswid: | $(build-dir)
+ echo " SBOM building goswid tool"
+ cd util/goswid; \
+ GO111MODULE=on go build -o $(abspath $@) ./cmd/goswid
+
+## Generate all .json files
+
+$(build-dir)/compiler-%.json: $(src-dir)/compiler-%.json | $(build-dir)/goswid
+ cp $< $@
+ for tool in $$(echo $(compiler-toolchain) | tr ' ' '\n' | sort | uniq); do \
+ version=$$($$tool --version 2>&1 | head -n 1 | grep -Eo '([0-9]+\.[0-9]+\.*[0-9]*)'); \
+ $(build-dir)/goswid add-payload-file -o $@ -i $@ --name $$(basename $$tool) --version $$version; \
+ done
+
+$(build-dir)/coreboot.json: $(src-dir)/coreboot.json .git/HEAD | $(build-dir)/goswid
+ cp $< $@
+ git_tree_hash=$$(git log -n 1 --format=%T);\
+ git_comm_hash=$$(git log -n 1 --format=%H);\
+ sed -i -e "s/<colloquial_version>/$$git_tree_hash/" -e "s/<software_version>/$$git_comm_hash/" $@;\
+ $(build-dir)/goswid add-license -o $@ -i $@ $(coreboot-licenses)
+
+$(build-dir)/intel-me.json: $(src-dir)/intel-me.json $(CONFIG_ME_BIN_PATH) | $(build-dir)
+ cp $< $@
+ #TODO put more Intel Management Engine metadata in sbom file
+
+
+$(build-dir)/generic-fsp.json: $(src-dir)/generic-fsp.json $(CONFIG_FSP_S_FILE) $(CONFIG_FSP_T_FILE) $(CONFIG_FSP_M_FILE) | $(build-dir)/goswid
+ cp $(src-dir)/generic-fsp.json $@
+ifneq ($(CONFIG_FSP_S_FILE),)
+ echo " SBOM Adding FSP-S"
+ $(build-dir)/goswid add-payload-file -o $@ -i $@ --name "FSP-S"
+endif
+ifneq ($(CONFIG_FSP_T_FILE),)
+ echo " SBOM Adding FSP-T"
+ $(build-dir)/goswid add-payload-file -o $@ -i $@ --name "FSP-T"
+endif
+ifneq ($(CONFIG_FSP_M_FILE),)
+ echo " SBOM Adding FSP-M"
+ $(build-dir)/goswid add-payload-file -o $@ -i $@ --name "FSP-M"
+endif
+
+$(build-dir)/intel-microcode-%.json: $(src-dir)/intel-microcode.json 3rdparty/intel-microcode/intel-ucode/% | $(build-dir) $(build-dir)/goswid
+ cp $< $@
+ year=$$(hexdump --skip 8 --length 2 --format '"%04x"' $(word 2,$^));\
+ day=$$(hexdump --skip 10 --length 1 --format '"%02x"' $(word 2,$^));\
+ month=$$(hexdump --skip 11 --length 1 --format '"%02x"' $(word 2,$^));\
+ sed -i "s/<software_version>/$$year-$$month-$$day/" $@
+ #TODO add cpuid (processor family, model, stepping) as extra attribute
+
+$(build-dir)/amd-microcode-%.json: $(src-dir)/amd-microcode.json ${FIRMWARE_LOCATION}/UcodePatch_%.bin | $(build-dir) $(build-dir)/goswid
+ cp $< $@
+ year=$$(hexdump --skip 0 --length 2 --format '"%04x"' $(word 2,$^));\
+ day=$$(hexdump --skip 2 --length 1 --format '"%02x"' $(word 2,$^));\
+ month=$$(hexdump --skip 3 --length 1 --format '"%02x"' $(word 2,$^));\
+ sed -i "s/<software_version>/$$year-$$month-$$day/" $@
+
+$(payload-swid): $(payload-swid-template) $(CONFIG_PAYLOAD_FILE) | $(build-dir)
+ cp $< $@;\
+ git_tree_hash=$$(git --git-dir $(payload-git-dir-y)/.git log -n 1 --format=%T);\
+ git_comm_hash=$$(git --git-dir $(payload-git-dir-y)/.git log -n 1 --format=%H);\
+ sed -i -e "s/<colloquial_version>/$$git_tree_hash/" -e "s/<software_version>/$$git_comm_hash/" $@;
diff --git a/src/sbom/TAGS b/src/sbom/TAGS
new file mode 100644
index 0000000000..dec4859d0b
--- /dev/null
+++ b/src/sbom/TAGS
@@ -0,0 +1,25 @@
+tag-ids were generated as follows. Note that tag-ids are currently only unique inside the SBOM itself, not globally.
+payload-BOOTBOOT: uuidgen --name bootboot --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+payload-depthcharge: uuidgen --name depthcharge --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+payload-FILO: uuidgen --name filo --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+payload-GRUB2: uuidgen --name grub2 --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+payload-iPXE: uuidgen --name iPXE --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+payload-LinuxBoot: uuidgen --name linuxboot --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+payload-SeaBIOS: uuidgen --name seabios --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+payload-skiboot: uuidgen --name skiboot --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+payload-U-Boot: uuidgen --name uboot --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+payload-Yabits: uuidgen --name yabits --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+coreboot: uuidgen --name coreboot --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+generic-ec: uuidgen --name generic-ec --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+intel-me: uuidgen --name intel-me --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+intel-bios-acm: uuidgen --name intel-bios-acm --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+intel-sinit-acm: uuidgen --name intel-sinit-acm --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+intel-fsp-s: uuidgen --name intel-fsp-s --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+intel-fsp-m: uuidgen --name intel-fsp-m --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+intel-fsp-t: uuidgen --name intel-fsp-t --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+intel-fsp: uuidgen --name intel-fsp --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+intel-mircocode: uuidgen --name intel-microcode --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+amd-mircocode: uuidgen --name amd-microcode --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+compiler-gcc: uuidgen --name compiler-gcc --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+compiler-clang: uuidgen --name compiler-clang --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+compiler-generic: uuidgen --name compiler-generic --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
diff --git a/src/sbom/amd-microcode.json b/src/sbom/amd-microcode.json
new file mode 100644
index 0000000000..269157d590
--- /dev/null
+++ b/src/sbom/amd-microcode.json
@@ -0,0 +1,24 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "082d7533-575e-5914-a599-728f636b8f78",
+ "tag-version": 0,
+ "software-name": "AMD-Microcode",
+ "software-version": "<software_version>",
+ "version-scheme": "alphanumeric",
+ "software-meta": [
+ {
+ "persistent-id": "com.amd.microcode",
+ "summary": "Micrcode Updates for AMD Processors"
+ }
+ ],
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/compiler-clang.json b/src/sbom/compiler-clang.json
new file mode 100644
index 0000000000..cd21cea70c
--- /dev/null
+++ b/src/sbom/compiler-clang.json
@@ -0,0 +1,21 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "56ed2b98-6b90-574f-aa1d-11579df90e25",
+ "tag-version": 0,
+ "software-name": "clang",
+ "software-meta": [
+ {
+ "persistent-id": "org.llvm.clang"
+ }
+ ],
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/compiler-gcc.json b/src/sbom/compiler-gcc.json
new file mode 100644
index 0000000000..ba1938daf7
--- /dev/null
+++ b/src/sbom/compiler-gcc.json
@@ -0,0 +1,21 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "8e0d0fd3-1116-50ad-ba5f-599c8117c42b",
+ "tag-version": 0,
+ "software-name": "GCC",
+ "software-meta": [
+ {
+ "persistent-id": "org.gnu.gcc"
+ }
+ ],
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/compiler-generic.json b/src/sbom/compiler-generic.json
new file mode 100644
index 0000000000..6779460dcb
--- /dev/null
+++ b/src/sbom/compiler-generic.json
@@ -0,0 +1,15 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "a79cee21-97a6-53e5-8e41-65b084a7b90e",
+ "tag-version": 0,
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/coreboot.json b/src/sbom/coreboot.json
new file mode 100644
index 0000000000..50a33a7483
--- /dev/null
+++ b/src/sbom/coreboot.json
@@ -0,0 +1,25 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "a9032c9d-2aaa-5a25-a0e6-6d865b24e6d2",
+ "tag-version": 0,
+ "software-name": "coreboot",
+ "software-version": "<software_version>",
+ "version-scheme": "alphanumeric",
+ "software-meta": [
+ {
+ "colloquial-version": "<colloquial_version>",
+ "persistent-id": "org.coreboot.rocks",
+ "summary": "coreboot is a project to develop open source boot firmware for various architectures"
+ }
+ ],
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/generic-ec.json b/src/sbom/generic-ec.json
new file mode 100644
index 0000000000..11a1660311
--- /dev/null
+++ b/src/sbom/generic-ec.json
@@ -0,0 +1,21 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "cb643972-4544-525e-a25e-31651fe9fcbe",
+ "tag-version": 0,
+ "software-name": "Embedded Controller Firmware",
+ "software-meta": [
+ {
+ "summary": "The Embedded Controller is a microcontroller which handles various tasks such as power management and keyboard control"
+ }
+ ],
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/generic-fsp.json b/src/sbom/generic-fsp.json
new file mode 100644
index 0000000000..52ec447c8d
--- /dev/null
+++ b/src/sbom/generic-fsp.json
@@ -0,0 +1,22 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "719e6299-4355-5beb-b182-9cf47928515a",
+ "tag-version": 0,
+ "software-name": "Firmware Support Package",
+ "software-meta": [
+ {
+ "product": "Firmware Support Package",
+ "summary": "Firmware Support Package is a binary which exports an API implementing memory and silicon initialization (e.g. Intel FSP or AMD AGESA)"
+ }
+ ],
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/intel-bios-acm.json b/src/sbom/intel-bios-acm.json
new file mode 100644
index 0000000000..d980d032ec
--- /dev/null
+++ b/src/sbom/intel-bios-acm.json
@@ -0,0 +1,16 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "2de383e0-1721-5369-8511-e3d07743b09a",
+ "tag-version": 0,
+ "software-name": "Intel BIOS ACM",
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/intel-me.json b/src/sbom/intel-me.json
new file mode 100644
index 0000000000..9eeec613d8
--- /dev/null
+++ b/src/sbom/intel-me.json
@@ -0,0 +1,21 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "9579af2b-39d8-59f1-ac5a-5b1fd4c03bd0",
+ "tag-version": 0,
+ "software-name": "Intel Management Engine",
+ "software-meta": [
+ {
+ "persistent-id": "com.intel.me"
+ }
+ ],
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/intel-microcode.json b/src/sbom/intel-microcode.json
new file mode 100644
index 0000000000..3ee8eb4d58
--- /dev/null
+++ b/src/sbom/intel-microcode.json
@@ -0,0 +1,24 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "23edb84c-5d68-544e-b389-8a67f6c80247",
+ "tag-version": 0,
+ "software-name": "Intel-Microcode",
+ "software-version": "<software_version>",
+ "version-scheme": "alphanumeric",
+ "software-meta": [
+ {
+ "persistent-id": "com.intel.microcode",
+ "summary": "Micrcode Updates for Intel Processors"
+ }
+ ],
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/intel-sinit-acm.json b/src/sbom/intel-sinit-acm.json
new file mode 100644
index 0000000000..92e0b4d3ce
--- /dev/null
+++ b/src/sbom/intel-sinit-acm.json
@@ -0,0 +1,16 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "231b1f39-28c2-596a-a33e-3d2d6570888f",
+ "tag-version": 0,
+ "software-name": "Intel SINIT ACM",
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/payload-BOOTBOOT.json b/src/sbom/payload-BOOTBOOT.json
new file mode 100644
index 0000000000..e8942e1991
--- /dev/null
+++ b/src/sbom/payload-BOOTBOOT.json
@@ -0,0 +1,25 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "978ba556-e0f4-592d-9a70-413138653155",
+ "tag-version": 0,
+ "software-name": "BOOTBOOT",
+ "software-version": "<software_version>",
+ "version-scheme": "alphanumeric",
+ "software-meta": [
+ {
+ "colloquial-version": "<colloquial_version>",
+ "persistent-id": "",
+ "summary": "BOOTBOOT multi platform micro-kernel loader"
+ }
+ ],
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/payload-FILO.json b/src/sbom/payload-FILO.json
new file mode 100644
index 0000000000..63827de24c
--- /dev/null
+++ b/src/sbom/payload-FILO.json
@@ -0,0 +1,25 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "047d005b-bb24-58d6-a7cc-76ace2e2759e",
+ "tag-version": 0,
+ "software-name": "FILO",
+ "software-version": "<software_version>",
+ "version-scheme": "alphanumeric",
+ "software-meta": [
+ {
+ "colloquial-version": "<colloquial_version>",
+ "persistent-id": "org.filo",
+ "summary": "FILO is a bootloader which loads boot images from a local filesystem, without help from legacy BIOS services"
+ }
+ ],
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/payload-GRUB2.json b/src/sbom/payload-GRUB2.json
new file mode 100644
index 0000000000..05d101ab06
--- /dev/null
+++ b/src/sbom/payload-GRUB2.json
@@ -0,0 +1,25 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "0e801aae-699e-5674-94a0-9259afb7d12f",
+ "tag-version": 0,
+ "software-name": "GRUB2",
+ "software-version": "<software_version>",
+ "version-scheme": "alphanumeric",
+ "software-meta": [
+ {
+ "colloquial-version": "<colloquial_version>",
+ "persistent-id": "org.grub",
+ "summary": "GNU GRUB is a boot loader, which can load a wide variety of free and proprietary operating systems with chain-loading"
+ }
+ ],
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/payload-LinuxBoot.json b/src/sbom/payload-LinuxBoot.json
new file mode 100644
index 0000000000..1a7ecaf0ba
--- /dev/null
+++ b/src/sbom/payload-LinuxBoot.json
@@ -0,0 +1,25 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "792c4921-cb02-54ac-8b61-c359336f3600",
+ "tag-version": 0,
+ "software-name": "LinuxBoot",
+ "software-version": "<software_version>",
+ "version-scheme": "alphanumeric",
+ "software-meta": [
+ {
+ "colloquial-version": "<colloquial_version>",
+ "persistent-id": "org.linuxboot",
+ "summary": "LinuxBoot is a firmware for modern servers that replaces specific firmware functionality like the UEFI DXE phase with a Linux kernel and runtime"
+ }
+ ],
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/payload-SeaBIOS.json b/src/sbom/payload-SeaBIOS.json
new file mode 100644
index 0000000000..e46ef459f4
--- /dev/null
+++ b/src/sbom/payload-SeaBIOS.json
@@ -0,0 +1,25 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "e5a249ad-04bb-5b63-a587-ceb7b0e331c9",
+ "tag-version": 0,
+ "software-name": "Seabios",
+ "software-version": "<software_version>",
+ "version-scheme": "alphanumeric",
+ "software-meta": [
+ {
+ "colloquial-version": "<colloquial_version>",
+ "persistent-id": "org.seabios",
+ "summary": "SeaBIOS is an open-source legacy BIOS implementation which can be used as a coreboot payload. It implements the standard BIOS calling interfaces that a typical x86 proprietary BIOS implements"
+ }
+ ],
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/payload-U-Boot.json b/src/sbom/payload-U-Boot.json
new file mode 100644
index 0000000000..840ab6fe84
--- /dev/null
+++ b/src/sbom/payload-U-Boot.json
@@ -0,0 +1,25 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "b714bb4f-c590-5bb7-af60-65374ecd097d",
+ "tag-version": 0,
+ "software-name": "U-Boot",
+ "software-version": "<software_version>",
+ "version-scheme": "alphanumeric",
+ "software-meta": [
+ {
+ "colloquial-version": "<colloquial_version>",
+ "persistent-id": "org.u-boot",
+ "summary": "Das U-Boot (subtitled 'the Universal Boot Loader') is an open-source, primary boot loader used in embedded devices to package the instructions to boot the device's operating system kernel"
+ }
+ ],
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/payload-depthcharge.json b/src/sbom/payload-depthcharge.json
new file mode 100644
index 0000000000..4d133687d8
--- /dev/null
+++ b/src/sbom/payload-depthcharge.json
@@ -0,0 +1,25 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "a8c6b076-e3c2-5a8f-91c9-151aa7bd3284",
+ "tag-version": 0,
+ "software-name": "depthcharge",
+ "software-version": "<software_version>",
+ "version-scheme": "alphanumeric",
+ "software-meta": [
+ {
+ "colloquial-version": "<colloquial_version>",
+ "persistent-id": "org.depthcharge",
+ "summary": "Depthcharge is a payload used by google to load and verify the Linux Kernel, run recovery mode, or boot to alternate payloads on ChromeOS devices"
+ }
+ ],
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/payload-iPXE.json b/src/sbom/payload-iPXE.json
new file mode 100644
index 0000000000..8fdc1f31c2
--- /dev/null
+++ b/src/sbom/payload-iPXE.json
@@ -0,0 +1,25 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "5f700e15-4845-57b5-a4bb-44e698ce4947",
+ "tag-version": 0,
+ "software-name": "iPXE",
+ "software-version": "<software_version>",
+ "version-scheme": "alphanumeric",
+ "software-meta": [
+ {
+ "colloquial-version": "<colloquial_version>",
+ "persistent-id": "org.ipxe",
+ "summary": "iPXE is an open source network boot firmware. It provides a full PXE implementation enhanced with additional features"
+ }
+ ],
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/payload-skiboot.json b/src/sbom/payload-skiboot.json
new file mode 100644
index 0000000000..21ce91b4e4
--- /dev/null
+++ b/src/sbom/payload-skiboot.json
@@ -0,0 +1,25 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "239e03d9-06b0-5ed0-a409-3c32f7f2ee2a",
+ "tag-version": 0,
+ "software-name": "skiboot",
+ "software-version": "<software_version>",
+ "version-scheme": "alphanumeric",
+ "software-meta": [
+ {
+ "colloquial-version": "<colloquial_version>",
+ "persistent-id": "org.skiboot",
+ "summary": "Skiboot is boot and runtime firmware for OpenPOWER systems. It’s loaded by earlier boot firmware (typically Hostboot). Along with loading the bootloader, it provides some runtime services to the OS (typically Linux)"
+ }
+ ],
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc
index 252a91efe5..faa79cb183 100644
--- a/src/security/vboot/Makefile.inc
+++ b/src/security/vboot/Makefile.inc
@@ -32,7 +32,8 @@ $$(VBOOT_LIB_$(1)): $(obj)/config.h
$(MAKE) -C $(VBOOT_SOURCE) \
BUILD=$$(abspath $$(dir $$(VBOOT_LIB_$(1)))) \
V=$(V) \
- fwlib
+ fwlib \
+ $(if $(CONFIG_INCLUDE_VBOOT_SBOM),$$(abspath $$(dir $$(VBOOT_LIB_$(1))))/vboot_host.pc)
$(1)-srcs += $$(VBOOT_LIB_$(1))