-rw-r--r-- | src/sbom/Kconfig | 20 | ||||
-rw-r--r-- | src/sbom/Makefile.inc | 36 |
2 files changed, 39 insertions, 17 deletions
diff --git a/src/sbom/Kconfig b/src/sbom/Kconfig
index 38f5421fd2..ed83c1e599 100644
--- a/src/sbom/Kconfig
+++ b/src/sbom/Kconfig
@@ -21,6 +21,16 @@ config SBOM_COMPILER
 Note: if the system toolchain is used to build coreboot one should check the final SBOM file for the expected results
+config SBOM_COMPILER_PATH
+ string "Path to SBOM file for the compiler"
+ depends on SBOM_COMPILER
+ default "build/sbom/compiler-gcc.json" if COMPILER_GCC
+ default "build/sbom/compiler-clang.json" if COMPILER_LLVM_CLANG
+ default "build/sbom/compiler-generic.json" if ANY_TOOLCHAIN
+ help
+ The path of the SBOM file describing the Software included in the build
+ File can be a .json, .xml, .cbor, .uswid, or .pc
+
 config SBOM_PAYLOAD
 bool "Include payload metadata in SBOM"
 default n
@@ -42,11 +52,11 @@ config SBOM_PAYLOAD_GENERATE
 straight up wrong.
 config SBOM_PAYLOAD_PATH
- string "SBOM file path"
+ string "Path to SBOM file for the payload"
 depends on SBOM_PAYLOAD && !SBOM_PAYLOAD_GENERATE
 help
- The path of the .ini file describing the payload
- Software included in the build
+ The path of the SBOM file describing the Software included in the build
+ File can be a .json, .xml, .cbor, .uswid, or .pc
 config SBOM_ME
 bool "Include ME metadata in SBOM"
@@ -74,8 +84,8 @@ config SBOM_ME_PATH
 string "Path to sbom.json for the ME firmware"
 depends on SBOM_ME && !SBOM_ME_GENERATE
 help
- The path of the SBOM file (sbom.json file)
- The path of the .json file describing the Software included in the build
+ The path of the SBOM file describing the Software included in the build
+ File can be a .json, .xml, .cbor, .uswid, or .pc
 config SBOM_EC
 bool "Include EC metadata in SBOM"
diff --git a/src/sbom/Makefile.inc b/src/sbom/Makefile.inc
index 905bae5bab..b99420e44d 100644
--- a/src/sbom/Makefile.inc
+++ b/src/sbom/Makefile.inc
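Review bot: The three `default` lines of SBOM_COMPILER_PATH are tried in order, so with ANY_TOOLCHAIN=y and COMPILER_GCC=y the option resolves to `build/sbom/compiler-gcc.json`, whereas the Makefile.inc block this commit removes tested CONFIG_ANY_TOOLCHAIN first and picked the generic file. The SBOM would then presumably describe the coreboot crossgcc toolchain even though a system compiler was used — precisely the situation the existing Note above this hunk warns about. Moving `default "build/sbom/compiler-generic.json" if ANY_TOOLCHAIN` above the two compiler-specific defaults restores the old precedence. Whether ANY_TOOLCHAIN can be set alongside COMPILER_GCC is decided by toolchain Kconfig not shown in this diff, so please verify.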
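Review bot: The new help text for SBOM_PAYLOAD_PATH no longer says which component the file describes — the removed line read "describing the payload", and the replacement is the same generic sentence now used for the compiler and ME options, so menuconfig shows three identical descriptions. Suggest `The path of the SBOM file describing the payload included in the build` on the first added help line.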
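Review bot: The prompt on the unchanged first context line of this hunk still reads `string "Path to sbom.json for the ME firmware"`, while the new help text says the file may be .json, .xml, .cbor, .uswid, or .pc, and the compiler and payload prompts were renamed to "Path to SBOM file for ..." in this same commit. Suggest `string "Path to SBOM file for the ME firmware"` so the prompt stops promising a specific format and matches the other options.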
@@ -5,19 +5,30 @@ src ?= src
 build-dir = $(obj)/sbom
 src-dir = $(src)/sbom
+# Strip quotes from binary paths and SBOM file paths. Each binary path should have a
+# corresponding SBOM file path, but not every SBOM file path needs a binary path. That
+# is because binary files are only needed if they are used to extract information from
+# them which in turn can be included in the SBOM files (like version or config stuff).
+# But for some Software there are only SBOM files, which basically tell the most generic
+# information about that piece of Software. Ideally one would not need the binary files
+# at all, because extacting information out of mostly unknown binary blobs is a pain.
 CONFIG_ME_BIN_PATH := $(call strip_quotes, $(CONFIG_ME_BIN_PATH))
+CONFIG_SBOM_ME_PATH := $(call strip_quotes, $(CONFIG_SBOM_ME_PATH))
 CONFIG_FSP_S_FILE := $(call strip_quotes, $(CONFIG_FSP_S_FILE))
 CONFIG_FSP_M_FILE := $(call strip_quotes, $(CONFIG_FSP_M_FILE))
 CONFIG_FSP_T_FILE := $(call strip_quotes, $(CONFIG_FSP_T_FILE))
+CONFIG_SBOM_FSP_PATH := $(call strip_quotes, $(CONFIG_SBOM_FSP_PATH))
 CONFIG_PAYLOAD_FILE := $(call strip_quotes, $(CONFIG_PAYLOAD_FILE))
+CONFIG_SBOM_PAYLOAD_PATH := $(call strip_quotes, $(CONFIG_SBOM_PAYLOAD_PATH))
 CONFIG_EC_PATH := $(call strip_quotes, $(CONFIG_EC_PATH))
-CONFIG_BIOS_ACM_PATH := $(call strip_quotes, $(CONFIG_BIOS_ACM_PATH))
-CONFIG_SINIT_ACM_PATH := $(call strip_quotes, $(CONFIG_SINIT_ACM_PATH))
-CONFIG_SBOM_FSP_PATH := $(call strip_quotes, $(CONFIG_SBOM_FSP_PATH))
 CONFIG_SBOM_EC_PATH := $(call strip_quotes, $(CONFIG_SBOM_EC_PATH))
-CONFIG_SBOM_ME_PATH := $(call strip_quotes, $(CONFIG_SBOM_ME_PATH))
-CONFIG_SBOM_PAYLOAD_PATH := $(call strip_quotes, $(CONFIG_SBOM_PAYLOAD_PATH))
+CONFIG_SBOM_BIOS_ACM_PATH := $(call strip_quotes, $(CONFIG_SBOM_BIOS_ACM_PATH))
+CONFIG_SBOM_SINIT_ACM_PATH := $(call strip_quotes, $(CONFIG_SBOM_SINIT_ACM_PATH))
+CONFIG_SBOM_COMPILER_PATH := $(call strip_quotes, $(CONFIG_SBOM_COMPILER_PATH))
+# Select the correct payload 
directory for the used payload. Ideally we could just make this
+# a one-liner, but since the payload is generated externally (with an extra make command), we
+# have to hard code the paths here.
 ifeq ($(CONFIG_SBOM_PAYLOAD_GENERATE), y)
 payload-git-dir-$(CONFIG_PAYLOAD_BOOTBOOT) = payloads/external/BOOTBOOT/bootboot
 payload-git-dir-$(CONFIG_PAYLOAD_DEPTHCHARGE) = payloads/external/depthcharge/depthcharge
@@ -37,6 +48,11 @@ payload-swid-template = $(patsubst $(build-dir)/%.json,$(src-dir)/%.json,$(paylo
 endif
 endif
+# Add all SBOM files into the swid-files-y target. This target contains all
+# .json, .ini, .uswid, .xml, .pc SBOM files that are later merged into one uSWID SBOM file.
+# Some of these have an option that this Makefile generates/extracts some information from
+# binary files in order to give more complete/detailed information inside the SBOM file.
+# These files are either in src/sbom/ or build/sbom (if they are generated).
 swid-files-$(CONFIG_SBOM_ME) += $(if $(CONFIG_SBOM_ME_GENERATE), $(build-dir)/intel-me.json, $(CONFIG_SBOM_ME_PATH))
 swid-files-$(CONFIG_SBOM_PAYLOAD) += $(if $(CONFIG_SBOM_PAYLOAD_GENERATE), $(payload-swid), $(CONFIG_SBOM_PAYLOAD_PATH)) # TODO think about just using one CoSWID tag for all intel-microcode instead of one for each. maybe put each microcode into files entity of CoSWID tag? 
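Review bot: The `strip_quotes` lines for CONFIG_BIOS_ACM_PATH and CONFIG_SINIT_ACM_PATH are removed without anything in the hunk replacing the reads of those binaries; if either variable is still referenced further down this file, it now carries its Kconfig double quotes and any `$(wildcard …)` test or prerequisite built from it will silently miss the ACM file. Please confirm both are unused in this Makefile.inc, otherwise keep the two lines next to the new `CONFIG_SBOM_BIOS_ACM_PATH`/`CONFIG_SBOM_SINIT_ACM_PATH` ones, which is what the comment's "each binary path should have a corresponding SBOM file path" rule suggests. The new comment also has a typo: `extacting` should read `extracting`. The `ifeq ($(CONFIG_SBOM_PAYLOAD_GENERATE), y)` block opened at the end of this hunk continues outside it.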
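Review bot: The added comment lists `.json, .ini, .uswid, .xml, .pc` as the SBOM inputs collected into swid-files-y, but the Kconfig help text introduced in the same commit says `.json, .xml, .cbor, .uswid, or .pc` — one side mentions `.ini` and the other `.cbor` — so at least one description of what the merge step accepts is wrong. I cannot see the merge rule from this hunk; either align the comment, e.g. `# .json, .xml, .cbor, .uswid, .pc SBOM files that are later merged into one uSWID SBOM file.`, or correct the Kconfig help if `.ini` really is still consumed, since a user pointing an SBOM_*_PATH at an unsupported format will only find out at merge time.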
@@ -52,16 +68,12 @@ swid-files-$(CONFIG_SBOM_VBOOT) += $(vboot-pkgconfig-files)
 $(vboot-pkgconfig-files): $(VBOOT_LIB_bootblock) $(VBOOT_LIB_romstage) $(VBOOT_LIB_ramstage) $(VBOOT_LIB_postcar) # src/security/vboot/Makefile.inc
 ifeq ($(CONFIG_SBOM_COMPILER),y)
-ifeq ($(CONFIG_ANY_TOOLCHAIN),y)
-swid-files-compiler = $(build-dir)/compiler-generic.json
-else ifeq ($(CONFIG_COMPILER_GCC),y)
-swid-files-compiler = $(build-dir)/compiler-gcc.json
-else ifeq ($(CONFIG_COMPILER_LLVM_CLANG),y)
-swid-files-compiler = $(build-dir)/compiler-clang.json
-endif
 compiler-toolchain = $(CC_bootblock) $(CC_romstage) $(CC_ramstage) $(CC_postcar) $(CC_verstage) $(LD_bootblock) $(LD_romstage) $(LD_ramstage) $(LD_postcar) $(LD_verstage) $(AS_bootblock) $(AS_romstage) $(AS_ramstage) $(AS_postcar) $(AS_verstage)
+swid-files-compiler = $(CONFIG_SBOM_COMPILER_PATH)
 endif
+# include all licenses used in coreboot. Ideally we would only include the licenses,
+# which are used in this build
 coreboot-licenses = $(foreach license, $(patsubst %.txt, %, $(filter-out retained-copyrights.txt, $(patsubst LICENSES/%, %, $(wildcard LICENSES/*)))), https://spdx.org/licenses/$(license).html) # only include CBFS SBOM section if there is any data for it |
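Review bot: `swid-files-compiler = $(CONFIG_SBOM_COMPILER_PATH)` takes the Kconfig value literally, and the defaults added in Kconfig hard-code `build/sbom/compiler-*.json`, whereas the removed lines and the rest of this file generate into `$(build-dir)`, i.e. `$(obj)/sbom`; a build invoked with `obj=` pointing elsewhere will therefore ask for a file that is never generated and stop with "No rule to make target". A user-supplied path outside build-dir is also consumed with no existence check, so a typo degrades into an empty or missing compiler entry in the final SBOM rather than a build error. The generation rules for the compiler-*.json files are presumably elsewhere in this file and not visible here, so the pattern below should be checked against them. Suggested change: map the Kconfig default onto build-dir and fail at parse time for any other path that does not exist.
```make
ifeq ($(CONFIG_SBOM_COMPILER),y)
# … unchanged: compiler-toolchain …
# Kconfig defaults name build/sbom/..., but this file generates into $(build-dir);
# map the default onto the real output directory so obj= builds still find it.
swid-files-compiler = $(patsubst build/sbom/%,$(build-dir)/%,$(CONFIG_SBOM_COMPILER_PATH))
# Anything that is not one of the generated compiler SBOMs must already exist.
ifeq ($(filter $(build-dir)/compiler-%.json,$(swid-files-compiler))$(wildcard $(swid-files-compiler)),)
$(error CONFIG_SBOM_COMPILER_PATH '$(CONFIG_SBOM_COMPILER_PATH)' is neither a generated compiler SBOM nor an existing file)
endif
endif
```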