summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--.gitmodules4
-rw-r--r--Makefile.inc1
-rw-r--r--configs/config.facebook_fbg1701.sbom6
-rw-r--r--src/Kconfig6
-rw-r--r--src/sbom/Kconfig171
-rw-r--r--src/sbom/Makefile.inc143
-rw-r--r--src/sbom/TAGS25
-rw-r--r--src/sbom/amd-microcode.json24
-rw-r--r--src/sbom/compiler-clang.json21
-rw-r--r--src/sbom/compiler-gcc.json21
-rw-r--r--src/sbom/compiler-generic.json15
-rw-r--r--src/sbom/coreboot.json25
-rw-r--r--src/sbom/generic-ec.json21
-rw-r--r--src/sbom/generic-fsp.json22
-rw-r--r--src/sbom/intel-bios-acm.json16
-rw-r--r--src/sbom/intel-me.json21
-rw-r--r--src/sbom/intel-microcode.json24
-rw-r--r--src/sbom/intel-sinit-acm.json16
-rw-r--r--src/sbom/payload-BOOTBOOT.json25
-rw-r--r--src/sbom/payload-FILO.json25
-rw-r--r--src/sbom/payload-GRUB2.json25
-rw-r--r--src/sbom/payload-LinuxBoot.json25
-rw-r--r--src/sbom/payload-SeaBIOS.json25
-rw-r--r--src/sbom/payload-U-Boot.json25
-rw-r--r--src/sbom/payload-depthcharge.json25
-rw-r--r--src/sbom/payload-iPXE.json25
-rw-r--r--src/sbom/payload-skiboot.json25
-rw-r--r--src/security/vboot/Makefile.inc3
m---------util/goswid0
-rw-r--r--util/testing/Makefile.inc1
30 files changed, 810 insertions, 1 deletions
diff --git a/.gitmodules b/.gitmodules
index 69aa470ea6..6f62952f43 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -61,3 +61,7 @@
path = 3rdparty/stm
url = ../STM
branch = stmpe
+[submodule "util/goswid"]
+ path = util/goswid
+ url = ../goswid
+ branch = trunk
diff --git a/Makefile.inc b/Makefile.inc
index d2235e0c07..0dd4864e20 100644
--- a/Makefile.inc
+++ b/Makefile.inc
@@ -93,6 +93,7 @@ subdirs-y += $(wildcard src/arch/*)
subdirs-y += src/mainboard/$(MAINBOARDDIR)
subdirs-y += src/security
subdirs-y += payloads payloads/external
+subdirs-$(CONFIG_SBOM) += src/sbom
subdirs-y += site-local
subdirs-y += util/checklist util/testing
diff --git a/configs/config.facebook_fbg1701.sbom b/configs/config.facebook_fbg1701.sbom
new file mode 100644
index 0000000000..e26debb8ec
--- /dev/null
+++ b/configs/config.facebook_fbg1701.sbom
@@ -0,0 +1,6 @@
+CONFIG_INCLUDE_COREBOOT_SBOM=y
+CONFIG_INCLUDE_PAYLOAD_SBOM=y
+CONFIG_INCLUDE_ME_SBOM=y
+CONFIG_INCLUDE_MICROCODE_SBOM=y
+CONFIG_VENDOR_FACEBOOK=y
+CONFIG_BOARD_FACEBOOK_FBG1701=y
diff --git a/src/Kconfig b/src/Kconfig
index bec22a48c5..0d3879ecbf 100644
--- a/src/Kconfig
+++ b/src/Kconfig
@@ -476,6 +476,12 @@ config MINIMAL_PCI_SCANNING
help
If this option is enabled, coreboot will scan only PCI devices
marked as mandatory in devicetree.cb
+
+menu "Software Bill Of Materials (SBOM)"
+
+source "src/sbom/Kconfig"
+
+endmenu
endmenu
menu "Mainboard"
diff --git a/src/sbom/Kconfig b/src/sbom/Kconfig
new file mode 100644
index 0000000000..38f5421fd2
--- /dev/null
+++ b/src/sbom/Kconfig
@@ -0,0 +1,171 @@
+## SPDX-License-Identifier: GPL-2.0-only
+
+config SBOM
+ bool "Include SBOM data for coreboot"
+ default n
+ help
+ Select this option if you want to include a
+ coswid (Concise Software Identification Tag) of coreboot itself
+ into the SBOM (Software Bill of Materials) File in your build
+
+if SBOM
+
+config SBOM_COMPILER
+ bool "Include compiler metadata in SBOM"
+ default n
+ help
+ Select this option if you want to include a
+ coswid (Concise Software Identification Tag) of the compiler
+ used to compile coreboot into the SBOM (Software Bill of Materials)
+ File in your build
+ Note: if the system toolchain is used to build coreboot
+ one should check the final SBOM file for the expected results
+
+config SBOM_PAYLOAD
+ bool "Include payload metadata in SBOM"
+ default n
+ help
+ Select this option if you want to include a
+ coswid (Concise Software Identification Tag) of the payload into
+ the SBOM (Software Bill of Materials) File in your build
+
+config SBOM_PAYLOAD_GENERATE
+ bool "Auto-generate generic SBOM info for payload"
+ depends on SBOM_PAYLOAD && (PAYLOAD_BOOTBOOT || PAYLOAD_DEPTHCHARGE || PAYLOAD_FILO || PAYLOAD_GRUB2 || PAYLOAD_LINUXBOOT || PAYLOAD_SEABIOS || PAYLOAD_SKIBOOT || PAYLOAD_UBOOT || PAYLOAD_YABITS)
+ default y
+ help
+ Select this option if you want coreboot to generate and include
+ the coswid (Concise Software Identification Tag) instead of supplying
+ it manually. Be aware that this option is only meant to be a
+ transition and suppliers of Software should always prefer to include
+ their own Software descriptions, since ours may be incomplete or
+ straight up wrong.
+
+config SBOM_PAYLOAD_PATH
+ string "SBOM file path"
+ depends on SBOM_PAYLOAD && !SBOM_PAYLOAD_GENERATE
+ help
+ The path of the .ini file describing the payload
+ Software included in the build
+
+config SBOM_ME
+ bool "Include ME metadata in SBOM"
+ depends on HAVE_ME_BIN
+ default n
+ help
+ Select this option if you want to include a
+ coswid (Concise Software Identification Tag) of the
+ ME firmware into the SBOM (Software Bill of Materials)
+ File in your build
+
+config SBOM_ME_GENERATE
+ bool "Auto-generate generic SBOM info for ME firmware"
+ depends on SBOM_ME
+ default y
+ help
+ Select this option if you want coreboot to generate and include
+ the coswid (Concise Software Identification Tag) instead of
+ supplying it manually. Be aware that this option is only meant
+ to be a transition and suppliers of Software should always prefer
+ to include their own Software descriptions, since ours may be
+ incomplete or straight up wrong.
+
+config SBOM_ME_PATH
+ string "Path to sbom.json for the ME firmware"
+ depends on SBOM_ME && !SBOM_ME_GENERATE
+ help
+ The path of the SBOM file (sbom.json file)
+ The path of the .json file describing the Software included in the build
+
+config SBOM_EC
+ bool "Include EC metadata in SBOM"
+ depends on HAVE_EC_BIN
+ default n
+ help
+ Select this option if you want to include a
+ coswid (Concise Software Identification Tag) of the
+ EC (Embedded Controller) firmware into the
+ SBOM (Software Bill of Materials) File in your build
+
+config SBOM_EC_PATH
+ string "Path to SBOM file for the EC firmware"
+ depends on SBOM_EC
+ default "src/sbom/generic-ec.json"
+ help
+ The path of the SBOM file describing the Software included in the build
+ File can be a .json, .xml, .cbor, .uswid, or .pc
+
+config SBOM_SINIT_ACM
+ bool "Include SINIT ACM metadata in SBOM"
+ depends on INTEL_TXT_SINITACM_FILE != ""
+ default n
+ help
+ Select this option if you want to include a
+ coswid (Concise Software Identification Tag) of the
+ SINIT ACM (Authenticated Code Module) firmware into the
+ SBOM (Software Bill of Materials) File in your build
+
+config SBOM_SINIT_ACM_PATH
+ string "Path to SBOM file for the SINIT AMC firmware"
+ depends on SBOM_SINIT_ACM
+ default "src/sbom/intel-sinit-acm.json"
+ help
+ The path of the SBOM file describing the Software included in the build
+ File can be a .json, .xml, .cbor, .uswid, or .pc
+
+config SBOM_BIOS_ACM
+ bool "Include BIOS ACM metadata in SBOM"
+ depends on INTEL_TXT_BIOSACM_FILE != ""
+ default n
+ help
+ Select this option if you want to include a
+ coswid (Concise Software Identification Tag) of the
+ BIOS ACM (Authenticated Code Module) firmware into the
+ SBOM (Software Bill of Materials) File in your build
+
+config SBOM_BIOS_ACM_PATH
+ string "Path to SBOM file for the BIOS AMC firmware"
+ depends on SBOM_SINIT_ACM
+ default "src/sbom/intel-bios-acm.json"
+ help
+ The path of the SBOM file describing the Software included in the build
+ File can be a .json, .xml, .cbor, .uswid, or .pc
+
+config SBOM_MICROCODE
+ bool "Include microcode metadata in SBOM"
+ default n
+ help
+ Select this option if you want to include a
+ coswid (Concise Software Identification Tag) of the
+ microcode firmware into the SBOM (Software Bill of Materials)
+ File in your build
+
+config SBOM_FSP
+ bool "Include Intel FSP metadata in SBOM"
+ default n
+ depends on (FSP_S_FILE != "" || FSP_M_FILE != "" || FSP_T_FILE != "")
+ help
+ Select this option if you want to include a
+ coswid (Concise Software Identification Tag) of the
+ FSP firmware into the SBOM (Software Bill of Materials)
+ File in your build
+
+config SBOM_FSP_PATH
+ string "Path to SBOM file for the FSP firmware"
+ depends on SBOM_FSP
+ default "build/sbom/generic-fsp.json"
+ help
+ The path of the SBOM file describing the Software included in the build
+ File can be a .json, .xml, .cbor, .uswid, or .pc
+
+config SBOM_VBOOT
+ bool "Include VBOOT metadata in SBOM"
+ default n
+ depends on VBOOT_LIB
+ help
+ Select this option if you want to include a
+ coswid (Concise Software Identification Tag) of the
+ VBOOT Software into the SBOM (Software Bill of Materials)
+ File in your build
+
+endif
diff --git a/src/sbom/Makefile.inc b/src/sbom/Makefile.inc
new file mode 100644
index 0000000000..3c7a8f6d69
--- /dev/null
+++ b/src/sbom/Makefile.inc
@@ -0,0 +1,143 @@
+## SPDX-License-Identifier: GPL-2.0-only
+
+obj ?= build
+src ?= src
+build-dir = $(obj)/sbom
+src-dir = $(src)/sbom
+
+CONFIG_ME_BIN_PATH := $(call strip_quotes, $(CONFIG_ME_BIN_PATH))
+CONFIG_FSP_S_FILE := $(call strip_quotes, $(CONFIG_FSP_S_FILE))
+CONFIG_FSP_M_FILE := $(call strip_quotes, $(CONFIG_FSP_M_FILE))
+CONFIG_FSP_T_FILE := $(call strip_quotes, $(CONFIG_FSP_T_FILE))
+CONFIG_PAYLOAD_FILE := $(call strip_quotes, $(CONFIG_PAYLOAD_FILE))
+CONFIG_EC_PATH := $(call strip_quotes, $(CONFIG_EC_PATH))
+CONFIG_BIOS_ACM_PATH := $(call strip_quotes, $(CONFIG_BIOS_ACM_PATH))
+CONFIG_SINIT_ACM_PATH := $(call strip_quotes, $(CONFIG_SINIT_ACM_PATH))
+
+ifeq ($(CONFIG_SBOM_PAYLOAD_GENERATE), y)
+payload-git-dir-$(CONFIG_PAYLOAD_BOOTBOOT) = payloads/external/BOOTBOOT/bootboot
+payload-git-dir-$(CONFIG_PAYLOAD_DEPTHCHARGE) = payloads/external/depthcharge/depthcharge
+payload-git-dir-$(CONFIG_PAYLOAD_FILO) = payloads/external/FILO/filo
+payload-git-dir-$(CONFIG_PAYLOAD_GRUB2) = payloads/external/GRUB2/grub2
+payload-git-dir-$(CONFIG_PAYLOAD_LINUXBOOT) = payloads/external/LinuxBoot/linuxboot
+payload-git-dir-$(CONFIG_PAYLOAD_SEABIOS) = payloads/external/SeaBIOS/seabios
+payload-git-dir-$(CONFIG_PAYLOAD_SKIBOOT) = payloads/external/skiboot/skiboot
+#payload-git-dir-$(CONFIG_PAYLOAD_TIANOCORE) = payloads/external/tianocore/
+payload-git-dir-$(CONFIG_PAYLOAD_UBOOT) = payloads/external/U-Boot/u-boot
+payload-git-dir-$(CONFIG_PAYLOAD_IPXE) = payloads/external/iPXE/ipxe
+ifneq ($(payload-git-dir-y),)
+# only proceed with payload sbom data, if one of the above payloads were selected (should be guarded by Kconfig as well)
+# e.g. payload-git-dir-y=payloads/external/SeaBIOS/seabios -> payload-json-file=$(build-dir)/payload-SeaBIOS.json
+payload-swid = $(build-dir)/payload-$(subst /,,$(dir $(patsubst payloads/external/%,%,$(payload-git-dir-y)))).json
+payload-swid-template = $(patsubst $(build-dir)/%.json,$(src-dir)/%.json,$(payload-swid))
+endif
+endif
+
+swid-files-$(CONFIG_SBOM_ME) += $(if $(CONFIG_SBOM_ME_GENERATE), $(build-dir)/intel-me.json, $(CONFIG_SBOM_ME_PATH))
+swid-files-$(CONFIG_SBOM_PAYLOAD) += $(if $(CONFIG_SBOM_PAYLOAD_GENERATE), $(payload-swid), $(CONFIG_SBOM_PAYLOAD_PATH))
+# TODO think about just using one CoSWID tag for all intel-microcode instead of one for each. maybe put each microcode into files entity of CoSWID tag?
+swid-files-$(CONFIG_SBOM_MICROCODE) += $(patsubst 3rdparty/intel-microcode/intel-ucode/%, $(build-dir)/intel-microcode-%.json, $(filter 3rdparty/intel-microcode/intel-ucode/%, $(cpu_microcode_bins)))
+swid-files-$(CONFIG_SBOM_MICROCODE) += $(patsubst ${FIRMWARE_LOCATION}/UcodePatch_%.bin, $(build-dir)/amd-microcode-%.json, $(filter ${FIRMWARE_LOCATION}/UcodePatch_%.bin, $(cpu_microcode_bins)))
+swid-files-$(CONFIG_SBOM_FSP) += $(CONFIG_SBOM_FSP_PATH)
+swid-files-$(CONFIG_SBOM_EC) += $(CONFIG_SBOM_EC_PATH)
+swid-files-$(CONFIG_SBOM_BIOS_ACM) += $(CONFIG_BIOS_ACM_PATH)
+swid-files-$(CONFIG_SBOM_SINIT_ACM) += $(CONFIG_SINIT_ACM_PATH)
+
+vboot-pkgconfig-files = $(obj)/external/vboot_reference-bootblock/vboot_host.pc $(obj)/external/vboot_reference-romstage/vboot_host.pc $(obj)/external/vboot_reference-ramstage/vboot_host.pc $(obj)/external/vboot_reference-postcar/vboot_host.pc
+swid-files-$(CONFIG_SBOM_VBOOT) += $(vboot-pkgconfig-files)
+$(vboot-pkgconfig-files): $(VBOOT_LIB_bootblock) $(VBOOT_LIB_romstage) $(VBOOT_LIB_ramstage) $(VBOOT_LIB_postcar) # src/security/vboot/Makefile.inc
+
+ifeq ($(CONFIG_SBOM_COMPILER),y)
+ifeq ($(CONFIG_ANY_TOOLCHAIN),y)
+swid-files-compiler = $(build-dir)/compiler-generic.json
+else ifeq ($(CONFIG_COMPILER_GCC),y)
+swid-files-compiler = $(build-dir)/compiler-gcc.json
+else ifeq ($(CONFIG_COMPILER_LLVM_CLANG),y)
+swid-files-compiler = $(build-dir)/compiler-clang.json
+endif
+compiler-toolchain = $(CC_bootblock) $(CC_romstage) $(CC_ramstage) $(CC_postcar) $(CC_verstage) $(LD_bootblock) $(LD_romstage) $(LD_ramstage) $(LD_postcar) $(LD_verstage) $(AS_bootblock) $(AS_romstage) $(AS_ramstage) $(AS_postcar) $(AS_verstage)
+endif
+
+coreboot-licenses = $(foreach license, $(patsubst %.txt, %, $(filter-out retained-copyrights.txt, $(patsubst LICENSES/%, %, $(wildcard LICENSES/*)))), https://spdx.org/licenses/$(license).html)
+
+# only include CBFS SBOM section if there is any data for it
+ifeq ($(CONFIG_SBOM),y)
+cbfs-files-y += sbom
+sbom-file = $(build-dir)/sbom.uswid
+sbom-type = raw
+endif
+
+## Build final SBOM (Software Bill of Materials) file in uswid format
+
+$(build-dir)/sbom.uswid: $(build-dir)/coreboot.json $(swid-files-y) $(swid-files-compiler) | $(build-dir)/goswid $(build-dir)
+ echo " SBOM " $^
+ $(build-dir)/goswid convert -o $@ \
+ --parent $(build-dir)/coreboot.json \
+ $(if $(swid-files-y), --requires $$(echo $(swid-files-y) | tr ' ' ','),) \
+ $(if $(swid-files-compiler), --compiler $(swid-files-compiler),)
+
+# all build files depend on the $(build-dir) directory being created
+$(build-dir):
+ mkdir -p $(build-dir)
+
+$(build-dir)/goswid: | $(build-dir)
+ echo " SBOM building goswid tool"
+ cd util/goswid; \
+ GO111MODULE=on go build -o $(abspath $@) ./cmd/goswid
+
+## Generate all .json files
+
+$(build-dir)/compiler-%.json: $(src-dir)/compiler-%.json | $(build-dir)/goswid
+ cp $< $@
+ for tool in $$(echo $(compiler-toolchain) | tr ' ' '\n' | sort | uniq); do \
+ version=$$($$tool --version 2>&1 | head -n 1 | grep -Eo '([0-9]+\.[0-9]+\.*[0-9]*)'); \
+ $(build-dir)/goswid add-payload-file -o $@ -i $@ --name $$(basename $$tool) --version $$version; \
+ done
+
+$(build-dir)/coreboot.json: $(src-dir)/coreboot.json .git/HEAD | $(build-dir)/goswid
+ cp $< $@
+ git_tree_hash=$$(git log -n 1 --format=%T);\
+ git_comm_hash=$$(git log -n 1 --format=%H);\
+ sed -i -e "s/<colloquial_version>/$$git_tree_hash/" -e "s/<software_version>/$$git_comm_hash/" $@;\
+ $(build-dir)/goswid add-license -o $@ -i $@ $(coreboot-licenses)
+
+$(build-dir)/intel-me.json: $(src-dir)/intel-me.json $(CONFIG_ME_BIN_PATH) | $(build-dir)
+ cp $< $@
+ #TODO put more Intel Management Engine metadata in sbom file
+
+
+$(build-dir)/generic-fsp.json: $(src-dir)/generic-fsp.json $(CONFIG_FSP_S_FILE) $(CONFIG_FSP_T_FILE) $(CONFIG_FSP_M_FILE) | $(build-dir)/goswid
+ cp $(src-dir)/generic-fsp.json $@
+ifneq ($(CONFIG_FSP_S_FILE),)
+ echo " SBOM Adding FSP-S"
+ $(build-dir)/goswid add-payload-file -o $@ -i $@ --name "FSP-S"
+endif
+ifneq ($(CONFIG_FSP_T_FILE),)
+ echo " SBOM Adding FSP-T"
+ $(build-dir)/goswid add-payload-file -o $@ -i $@ --name "FSP-T"
+endif
+ifneq ($(CONFIG_FSP_M_FILE),)
+ echo " SBOM Adding FSP-M"
+ $(build-dir)/goswid add-payload-file -o $@ -i $@ --name "FSP-M"
+endif
+
+$(build-dir)/intel-microcode-%.json: $(src-dir)/intel-microcode.json 3rdparty/intel-microcode/intel-ucode/% | $(build-dir) $(build-dir)/goswid
+ cp $< $@
+ year=$$(hexdump --skip 8 --length 2 --format '"%04x"' $(word 2,$^));\
+ day=$$(hexdump --skip 10 --length 1 --format '"%02x"' $(word 2,$^));\
+ month=$$(hexdump --skip 11 --length 1 --format '"%02x"' $(word 2,$^));\
+ sed -i "s/<software_version>/$$year-$$month-$$day/" $@
+ #TODO add cpuid (processor family, model, stepping) as extra attribute
+
+$(build-dir)/amd-microcode-%.json: $(src-dir)/amd-microcode.json ${FIRMWARE_LOCATION}/UcodePatch_%.bin | $(build-dir) $(build-dir)/goswid
+ cp $< $@
+ year=$$(hexdump --skip 0 --length 2 --format '"%04x"' $(word 2,$^));\
+ day=$$(hexdump --skip 2 --length 1 --format '"%02x"' $(word 2,$^));\
+ month=$$(hexdump --skip 3 --length 1 --format '"%02x"' $(word 2,$^));\
+ sed -i "s/<software_version>/$$year-$$month-$$day/" $@
+
+$(payload-swid): $(payload-swid-template) $(CONFIG_PAYLOAD_FILE) | $(build-dir)
+ cp $< $@;\
+ git_tree_hash=$$(git --git-dir $(payload-git-dir-y)/.git log -n 1 --format=%T);\
+ git_comm_hash=$$(git --git-dir $(payload-git-dir-y)/.git log -n 1 --format=%H);\
+ sed -i -e "s/<colloquial_version>/$$git_tree_hash/" -e "s/<software_version>/$$git_comm_hash/" $@;
diff --git a/src/sbom/TAGS b/src/sbom/TAGS
new file mode 100644
index 0000000000..dec4859d0b
--- /dev/null
+++ b/src/sbom/TAGS
@@ -0,0 +1,25 @@
+tag-ids were generated as follows. Note that tag-ids are currently only unique inside the SBOM itself, not globally.
+payload-BOOTBOOT: uuidgen --name bootboot --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+payload-depthcharge: uuidgen --name depthcharge --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+payload-FILO: uuidgen --name filo --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+payload-GRUB2: uuidgen --name grub2 --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+payload-iPXE: uuidgen --name iPXE --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+payload-LinuxBoot: uuidgen --name linuxboot --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+payload-SeaBIOS: uuidgen --name seabios --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+payload-skiboot: uuidgen --name skiboot --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+payload-U-Boot: uuidgen --name uboot --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+payload-Yabits: uuidgen --name yabits --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+coreboot: uuidgen --name coreboot --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+generic-ec: uuidgen --name generic-ec --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+intel-me: uuidgen --name intel-me --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+intel-bios-acm: uuidgen --name intel-bios-acm --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+intel-sinit-acm: uuidgen --name intel-sinit-acm --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+intel-fsp-s: uuidgen --name intel-fsp-s --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+intel-fsp-m: uuidgen --name intel-fsp-m --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+intel-fsp-t: uuidgen --name intel-fsp-t --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+intel-fsp: uuidgen --name intel-fsp --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+intel-mircocode: uuidgen --name intel-microcode --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+amd-mircocode: uuidgen --name amd-microcode --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+compiler-gcc: uuidgen --name compiler-gcc --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+compiler-clang: uuidgen --name compiler-clang --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
+compiler-generic: uuidgen --name compiler-generic --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
diff --git a/src/sbom/amd-microcode.json b/src/sbom/amd-microcode.json
new file mode 100644
index 0000000000..269157d590
--- /dev/null
+++ b/src/sbom/amd-microcode.json
@@ -0,0 +1,24 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "082d7533-575e-5914-a599-728f636b8f78",
+ "tag-version": 0,
+ "software-name": "AMD-Microcode",
+ "software-version": "<software_version>",
+ "version-scheme": "alphanumeric",
+ "software-meta": [
+ {
+ "persistent-id": "com.amd.microcode",
+ "summary": "Micrcode Updates for AMD Processors"
+ }
+ ],
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/compiler-clang.json b/src/sbom/compiler-clang.json
new file mode 100644
index 0000000000..cd21cea70c
--- /dev/null
+++ b/src/sbom/compiler-clang.json
@@ -0,0 +1,21 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "56ed2b98-6b90-574f-aa1d-11579df90e25",
+ "tag-version": 0,
+ "software-name": "clang",
+ "software-meta": [
+ {
+ "persistent-id": "org.llvm.clang"
+ }
+ ],
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/compiler-gcc.json b/src/sbom/compiler-gcc.json
new file mode 100644
index 0000000000..ba1938daf7
--- /dev/null
+++ b/src/sbom/compiler-gcc.json
@@ -0,0 +1,21 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "8e0d0fd3-1116-50ad-ba5f-599c8117c42b",
+ "tag-version": 0,
+ "software-name": "GCC",
+ "software-meta": [
+ {
+ "persistent-id": "org.gnu.gcc"
+ }
+ ],
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/compiler-generic.json b/src/sbom/compiler-generic.json
new file mode 100644
index 0000000000..6779460dcb
--- /dev/null
+++ b/src/sbom/compiler-generic.json
@@ -0,0 +1,15 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "a79cee21-97a6-53e5-8e41-65b084a7b90e",
+ "tag-version": 0,
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/coreboot.json b/src/sbom/coreboot.json
new file mode 100644
index 0000000000..50a33a7483
--- /dev/null
+++ b/src/sbom/coreboot.json
@@ -0,0 +1,25 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "a9032c9d-2aaa-5a25-a0e6-6d865b24e6d2",
+ "tag-version": 0,
+ "software-name": "coreboot",
+ "software-version": "<software_version>",
+ "version-scheme": "alphanumeric",
+ "software-meta": [
+ {
+ "colloquial-version": "<colloquial_version>",
+ "persistent-id": "org.coreboot.rocks",
+ "summary": "coreboot is a project to develop open source boot firmware for various architectures"
+ }
+ ],
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/generic-ec.json b/src/sbom/generic-ec.json
new file mode 100644
index 0000000000..11a1660311
--- /dev/null
+++ b/src/sbom/generic-ec.json
@@ -0,0 +1,21 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "cb643972-4544-525e-a25e-31651fe9fcbe",
+ "tag-version": 0,
+ "software-name": "Embedded Controller Firmware",
+ "software-meta": [
+ {
+ "summary": "The Embedded Controller is a microcontroller which handles various tasks such as power management and keyboard control"
+ }
+ ],
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/generic-fsp.json b/src/sbom/generic-fsp.json
new file mode 100644
index 0000000000..52ec447c8d
--- /dev/null
+++ b/src/sbom/generic-fsp.json
@@ -0,0 +1,22 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "719e6299-4355-5beb-b182-9cf47928515a",
+ "tag-version": 0,
+ "software-name": "Firmware Support Package",
+ "software-meta": [
+ {
+ "product": "Firmware Support Package",
+ "summary": "Firmware Support Package is a binary which exports an API implementing memory and silicon initialization (e.g. Intel FSP or AMD AGESA)"
+ }
+ ],
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/intel-bios-acm.json b/src/sbom/intel-bios-acm.json
new file mode 100644
index 0000000000..d980d032ec
--- /dev/null
+++ b/src/sbom/intel-bios-acm.json
@@ -0,0 +1,16 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "2de383e0-1721-5369-8511-e3d07743b09a",
+ "tag-version": 0,
+ "software-name": "Intel BIOS ACM",
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/intel-me.json b/src/sbom/intel-me.json
new file mode 100644
index 0000000000..9eeec613d8
--- /dev/null
+++ b/src/sbom/intel-me.json
@@ -0,0 +1,21 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "9579af2b-39d8-59f1-ac5a-5b1fd4c03bd0",
+ "tag-version": 0,
+ "software-name": "Intel Management Engine",
+ "software-meta": [
+ {
+ "persistent-id": "com.intel.me"
+ }
+ ],
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/intel-microcode.json b/src/sbom/intel-microcode.json
new file mode 100644
index 0000000000..3ee8eb4d58
--- /dev/null
+++ b/src/sbom/intel-microcode.json
@@ -0,0 +1,24 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "23edb84c-5d68-544e-b389-8a67f6c80247",
+ "tag-version": 0,
+ "software-name": "Intel-Microcode",
+ "software-version": "<software_version>",
+ "version-scheme": "alphanumeric",
+ "software-meta": [
+ {
+ "persistent-id": "com.intel.microcode",
+ "summary": "Micrcode Updates for Intel Processors"
+ }
+ ],
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/intel-sinit-acm.json b/src/sbom/intel-sinit-acm.json
new file mode 100644
index 0000000000..92e0b4d3ce
--- /dev/null
+++ b/src/sbom/intel-sinit-acm.json
@@ -0,0 +1,16 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "231b1f39-28c2-596a-a33e-3d2d6570888f",
+ "tag-version": 0,
+ "software-name": "Intel SINIT ACM",
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/payload-BOOTBOOT.json b/src/sbom/payload-BOOTBOOT.json
new file mode 100644
index 0000000000..e8942e1991
--- /dev/null
+++ b/src/sbom/payload-BOOTBOOT.json
@@ -0,0 +1,25 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "978ba556-e0f4-592d-9a70-413138653155",
+ "tag-version": 0,
+ "software-name": "BOOTBOOT",
+ "software-version": "<software_version>",
+ "version-scheme": "alphanumeric",
+ "software-meta": [
+ {
+ "colloquial-version": "<colloquial_version>",
+ "persistent-id": "",
+ "summary": "BOOTBOOT multi platform micro-kernel loader"
+ }
+ ],
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/payload-FILO.json b/src/sbom/payload-FILO.json
new file mode 100644
index 0000000000..63827de24c
--- /dev/null
+++ b/src/sbom/payload-FILO.json
@@ -0,0 +1,25 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "047d005b-bb24-58d6-a7cc-76ace2e2759e",
+ "tag-version": 0,
+ "software-name": "FILO",
+ "software-version": "<software_version>",
+ "version-scheme": "alphanumeric",
+ "software-meta": [
+ {
+ "colloquial-version": "<colloquial_version>",
+ "persistent-id": "org.filo",
+ "summary": "FILO is a bootloader which loads boot images from a local filesystem, without help from legacy BIOS services"
+ }
+ ],
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/payload-GRUB2.json b/src/sbom/payload-GRUB2.json
new file mode 100644
index 0000000000..05d101ab06
--- /dev/null
+++ b/src/sbom/payload-GRUB2.json
@@ -0,0 +1,25 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "0e801aae-699e-5674-94a0-9259afb7d12f",
+ "tag-version": 0,
+ "software-name": "GRUB2",
+ "software-version": "<software_version>",
+ "version-scheme": "alphanumeric",
+ "software-meta": [
+ {
+ "colloquial-version": "<colloquial_version>",
+ "persistent-id": "org.grub",
+ "summary": "GNU GRUB is a boot loader, which can load a wide variety of free and proprietary operating systems with chain-loading"
+ }
+ ],
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/payload-LinuxBoot.json b/src/sbom/payload-LinuxBoot.json
new file mode 100644
index 0000000000..1a7ecaf0ba
--- /dev/null
+++ b/src/sbom/payload-LinuxBoot.json
@@ -0,0 +1,25 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "792c4921-cb02-54ac-8b61-c359336f3600",
+ "tag-version": 0,
+ "software-name": "LinuxBoot",
+ "software-version": "<software_version>",
+ "version-scheme": "alphanumeric",
+ "software-meta": [
+ {
+ "colloquial-version": "<colloquial_version>",
+ "persistent-id": "org.linuxboot",
+ "summary": "LinuxBoot is a firmware for modern servers that replaces specific firmware functionality like the UEFI DXE phase with a Linux kernel and runtime"
+ }
+ ],
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/payload-SeaBIOS.json b/src/sbom/payload-SeaBIOS.json
new file mode 100644
index 0000000000..e46ef459f4
--- /dev/null
+++ b/src/sbom/payload-SeaBIOS.json
@@ -0,0 +1,25 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "e5a249ad-04bb-5b63-a587-ceb7b0e331c9",
+ "tag-version": 0,
+ "software-name": "Seabios",
+ "software-version": "<software_version>",
+ "version-scheme": "alphanumeric",
+ "software-meta": [
+ {
+ "colloquial-version": "<colloquial_version>",
+ "persistent-id": "org.seabios",
+ "summary": "SeaBIOS is an open-source legacy BIOS implementation which can be used as a coreboot payload. It implements the standard BIOS calling interfaces that a typical x86 proprietary BIOS implements"
+ }
+ ],
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/payload-U-Boot.json b/src/sbom/payload-U-Boot.json
new file mode 100644
index 0000000000..840ab6fe84
--- /dev/null
+++ b/src/sbom/payload-U-Boot.json
@@ -0,0 +1,25 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "b714bb4f-c590-5bb7-af60-65374ecd097d",
+ "tag-version": 0,
+ "software-name": "U-Boot",
+ "software-version": "<software_version>",
+ "version-scheme": "alphanumeric",
+ "software-meta": [
+ {
+ "colloquial-version": "<colloquial_version>",
+ "persistent-id": "org.u-boot",
+ "summary": "Das U-Boot (subtitled 'the Universal Boot Loader') is an open-source, primary boot loader used in embedded devices to package the instructions to boot the device's operating system kernel"
+ }
+ ],
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/payload-depthcharge.json b/src/sbom/payload-depthcharge.json
new file mode 100644
index 0000000000..4d133687d8
--- /dev/null
+++ b/src/sbom/payload-depthcharge.json
@@ -0,0 +1,25 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "a8c6b076-e3c2-5a8f-91c9-151aa7bd3284",
+ "tag-version": 0,
+ "software-name": "depthcharge",
+ "software-version": "<software_version>",
+ "version-scheme": "alphanumeric",
+ "software-meta": [
+ {
+ "colloquial-version": "<colloquial_version>",
+ "persistent-id": "org.depthcharge",
+ "summary": "Depthcharge is a payload used by google to load and verify the Linux Kernel, run recovery mode, or boot to alternate payloads on ChromeOS devices"
+ }
+ ],
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/payload-iPXE.json b/src/sbom/payload-iPXE.json
new file mode 100644
index 0000000000..8fdc1f31c2
--- /dev/null
+++ b/src/sbom/payload-iPXE.json
@@ -0,0 +1,25 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "5f700e15-4845-57b5-a4bb-44e698ce4947",
+ "tag-version": 0,
+ "software-name": "iPXE",
+ "software-version": "<software_version>",
+ "version-scheme": "alphanumeric",
+ "software-meta": [
+ {
+ "colloquial-version": "<colloquial_version>",
+ "persistent-id": "org.ipxe",
+ "summary": "iPXE is an open source network boot firmware. It provides a full PXE implementation enhanced with additional features"
+ }
+ ],
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/sbom/payload-skiboot.json b/src/sbom/payload-skiboot.json
new file mode 100644
index 0000000000..21ce91b4e4
--- /dev/null
+++ b/src/sbom/payload-skiboot.json
@@ -0,0 +1,25 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+{
+ "lang": "en-US",
+ "tag-id": "239e03d9-06b0-5ed0-a409-3c32f7f2ee2a",
+ "tag-version": 0,
+ "software-name": "skiboot",
+ "software-version": "<software_version>",
+ "version-scheme": "alphanumeric",
+ "software-meta": [
+ {
+ "colloquial-version": "<colloquial_version>",
+ "persistent-id": "org.skiboot",
+ "summary": "Skiboot is boot and runtime firmware for OpenPOWER systems. It’s loaded by earlier boot firmware (typically Hostboot). Along with loading the bootloader, it provides some runtime services to the OS (typically Linux)"
+ }
+ ],
+ "entity": [
+ {
+ "entity-name": "coreboot",
+ "reg-id": "coreboot.org",
+ "role": [
+ "tagCreator"
+ ]
+ }
+ ]
+}
diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc
index 252a91efe5..faa79cb183 100644
--- a/src/security/vboot/Makefile.inc
+++ b/src/security/vboot/Makefile.inc
@@ -32,7 +32,8 @@ $$(VBOOT_LIB_$(1)): $(obj)/config.h
$(MAKE) -C $(VBOOT_SOURCE) \
BUILD=$$(abspath $$(dir $$(VBOOT_LIB_$(1)))) \
V=$(V) \
- fwlib
+ fwlib \
+ $(if $(CONFIG_INCLUDE_VBOOT_SBOM),$$(abspath $$(dir $$(VBOOT_LIB_$(1))))/vboot_host.pc)
$(1)-srcs += $$(VBOOT_LIB_$(1))
diff --git a/util/goswid b/util/goswid
new file mode 160000
+Subproject bdd55e42029b8ef734abfd56efe789d41996bfd
diff --git a/util/testing/Makefile.inc b/util/testing/Makefile.inc
index 5c9e4d85a9..df6a25ef94 100644
--- a/util/testing/Makefile.inc
+++ b/util/testing/Makefile.inc
@@ -93,6 +93,7 @@ endif
exit 1; \
fi
cd 3rdparty/intel-sec-tools/ ; go mod vendor
+ cd util/goswid ; go mod vendor
util/abuild/abuild -o $(COREBOOT_BUILD_DIR)/chromeos $(ABUILD_OPTIONS) -x -X $(top)/abuild-chromeos.xml
util/abuild/abuild -o $(COREBOOT_BUILD_DIR)/default $(ABUILD_OPTIONS)
$(foreach tool, $(TOOLLIST), $(MAKE) CPUS=$(CPUS) V=$(V) Q=$(Q) BLD_DIR="util/$(tool)" BLD="$(tool)" MFLAGS= MAKEFLAGS= MAKETARGET= junit.xml; )