From 744c70dcc7f44d63abc34c0d2008df8c61942018 Mon Sep 17 00:00:00 2001 From: Frans Hendriks Date: Wed, 26 Jun 2019 14:57:35 +0200 Subject: mb/facebook/fbg1701: Add verified boot tables The vendorcode for verified boot is uploaded, but not used by a mainboard. Add support to the mainboard for verified boot. The items to be verifed are placed in board_verified_boot.c BUG=N/A TEST=Boot Embedded Linux 4.20 and verify logging on Facebook FBG-1701 rev 0-2 Change-Id: I3ea0a95287977df0dea13e05acedd5406538a6ee Signed-off-by: Frans Hendriks Reviewed-on: https://review.coreboot.org/c/coreboot/+/33463 Reviewed-by: Philipp Deppenwiese Reviewed-by: Lance Zhao Tested-by: build bot (Jenkins) --- src/mainboard/facebook/fbg1701/Kconfig | 16 ++++ src/mainboard/facebook/fbg1701/Makefile.inc | 7 ++ .../facebook/fbg1701/board_verified_boot.c | 104 +++++++++++++++++++++ .../facebook/fbg1701/board_verified_boot.h | 23 +++++ src/mainboard/facebook/fbg1701/manifest.h | 35 +++++++ src/mainboard/facebook/fbg1701/onboard.h | 10 ++ 6 files changed, 195 insertions(+) create mode 100644 src/mainboard/facebook/fbg1701/board_verified_boot.c create mode 100644 src/mainboard/facebook/fbg1701/board_verified_boot.h create mode 100644 src/mainboard/facebook/fbg1701/manifest.h (limited to 'src/mainboard') diff --git a/src/mainboard/facebook/fbg1701/Kconfig b/src/mainboard/facebook/fbg1701/Kconfig index ce90758462..402165d00a 100644 --- a/src/mainboard/facebook/fbg1701/Kconfig +++ b/src/mainboard/facebook/fbg1701/Kconfig @@ -80,6 +80,10 @@ config FSP1_1_DISPLAY_LOGO bool default n +config VENDORCODE_ELTAN_OEM_MANIFEST_LOC + hex "OEM Manifest working dflt" + default 0xFFFE9000 + config SPI_FLASH_INCLUDE_ALL_DRIVERS bool default n @@ -96,4 +100,16 @@ config C_ENV_BOOTBLOCK_SIZE hex "C Bootblock Size" default 0x4000 +config VENDORCODE_ELTAN_VBOOT_SIGNED_MANIFEST + bool + default y + +config VENDORCODE_ELTAN_VBOOT_MANIFEST + string + default "mainboard/facebook/fbg1701/manifest.h" + +config VENDORCODE_ELTAN_VBOOT_KEY_LOCATION + hex "Key Location working dflt" + default 0xFFFF9C00 + endif # BOARD_FACEBOOK_FBG1701 diff --git a/src/mainboard/facebook/fbg1701/Makefile.inc b/src/mainboard/facebook/fbg1701/Makefile.inc index 07309c564c..c41447004a 100644 --- a/src/mainboard/facebook/fbg1701/Makefile.inc +++ b/src/mainboard/facebook/fbg1701/Makefile.inc @@ -15,6 +15,13 @@ ## GNU General Public License for more details. ## +ifneq ($(filter y,$(CONFIG_VENDORCODE_ELTAN_VBOOT) $(CONFIG_VENDORCODE_ELTAN_MBOOT)),) +bootblock-$(CONFIG_C_ENVIRONMENT_BOOTBLOCK) += board_verified_boot.c +postcar-y += board_verified_boot.c +ramstage-y += board_verified_boot.c +romstage-y += board_verified_boot.c +endif + bootblock-$(CONFIG_C_ENVIRONMENT_BOOTBLOCK) += com_init.c ramstage-y += gpio.c diff --git a/src/mainboard/facebook/fbg1701/board_verified_boot.c b/src/mainboard/facebook/fbg1701/board_verified_boot.c new file mode 100644 index 0000000000..24e70378f9 --- /dev/null +++ b/src/mainboard/facebook/fbg1701/board_verified_boot.c @@ -0,0 +1,104 @@ +/* + * This file is part of the coreboot project. + * + * Copyright (C) 2018-2019 Eltan B.V. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 2 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + */ + +#include "board_verified_boot.h" + +#ifdef __BOOTBLOCK__ +/* The items verified by the bootblock, the bootblock will not measure the + * items to the TPM + */ +const verify_item_t bootblock_verify_list[] = { + { VERIFY_FILE, ROMSTAGE, { { NULL, CBFS_TYPE_STAGE } }, + HASH_IDX_ROM_STAGE, MBOOT_PCR_INDEX_0 }, + { VERIFY_BLOCK, "BootBlock", + { { (void *)0xffffffff - CONFIG_C_ENV_BOOTBLOCK_SIZE + 1, + CONFIG_C_ENV_BOOTBLOCK_SIZE, } }, HASH_IDX_BOOTBLOCK, + MBOOT_PCR_INDEX_0 }, + { VERIFY_TERMINATOR, NULL, { { NULL, 0 } }, 0, 0 } +}; +#endif + +#if defined(__ROMSTAGE__) || defined(__POSTCAR__) +/* The FSP is already checked in romstage */ +static const verify_item_t ram_stage_additional_list[] = { + { VERIFY_FILE, OP_ROM_VBT, { { NULL, CBFS_TYPE_RAW } }, + HASH_IDX_OPROM, MBOOT_PCR_INDEX_2 }, + { VERIFY_FILE, "logo.bmp", { { NULL, CBFS_TYPE_RAW } }, + HASH_IDX_LOGO, MBOOT_PCR_INDEX_2 }, + { VERIFY_FILE, "fallback/dsdt.aml", { { NULL, CBFS_TYPE_RAW } }, + HASH_IDX_DSDT, MBOOT_PCR_INDEX_2 }, + { VERIFY_TERMINATOR, NULL, { { NULL, 0 } }, 0, 0 } + }; +#endif + +#ifdef __ROMSTAGE__ +/* The items used by the romstage */ +const verify_item_t romstage_verify_list[] = { + { VERIFY_FILE, ROMSTAGE, { { NULL, CBFS_TYPE_STAGE } }, + HASH_IDX_ROM_STAGE, MBOOT_PCR_INDEX_0 }, + { VERIFY_FILE, MICROCODE, { { NULL, CBFS_TYPE_MICROCODE } }, + HASH_IDX_MICROCODE, MBOOT_PCR_INDEX_1 }, + { VERIFY_FILE, FSP, { { NULL, CBFS_TYPE_FSP } }, HASH_IDX_FSP, + MBOOT_PCR_INDEX_1 }, + { VERIFY_FILE, "spd.bin", { { NULL, CBFS_TYPE_SPD } }, + HASH_IDX_SPD0, MBOOT_PCR_INDEX_1 }, +#if CONFIG(POSTCAR_STAGE) + { VERIFY_FILE, POSTCAR, { { NULL, CBFS_TYPE_STAGE } }, + HASH_IDX_POSTCAR_STAGE, MBOOT_PCR_INDEX_0 }, +#endif + { VERIFY_BLOCK, "BootBlock", + { { (void *)0xffffffff - CONFIG_C_ENV_BOOTBLOCK_SIZE + 1, + CONFIG_C_ENV_BOOTBLOCK_SIZE, } }, HASH_IDX_BOOTBLOCK, + MBOOT_PCR_INDEX_0 }, + { VERIFY_TERMINATOR, NULL, { { NULL, 0 } }, 0, 0 } +}; + +/* The items used by the ramstage */ +const verify_item_t ramstage_verify_list[] = { + { VERIFY_FILE, RAMSTAGE, { { ram_stage_additional_list, + CBFS_TYPE_STAGE } }, HASH_IDX_RAM_STAGE, MBOOT_PCR_INDEX_0 }, + { VERIFY_TERMINATOR, NULL, { { NULL, 0 } }, 0, 0 } +}; +#endif + +#ifdef __POSTCAR__ +/* POSTSTAGE */ +/* The items used by the postcar stage */ +const verify_item_t postcar_verify_list[] = { + { VERIFY_FILE, RAMSTAGE, { { ram_stage_additional_list, + CBFS_TYPE_STAGE } }, HASH_IDX_RAM_STAGE, MBOOT_PCR_INDEX_0 }, + { VERIFY_FILE, MICROCODE, { { NULL, CBFS_TYPE_MICROCODE } }, + HASH_IDX_MICROCODE, MBOOT_PCR_INDEX_1 }, + { VERIFY_FILE, FSP, { { NULL, CBFS_TYPE_FSP } }, HASH_IDX_FSP, + MBOOT_PCR_INDEX_1 }, + { VERIFY_FILE, "spd.bin", { { NULL, CBFS_TYPE_SPD } }, HASH_IDX_SPD0, + MBOOT_PCR_INDEX_1 }, + { VERIFY_TERMINATOR, NULL, { { NULL, 0 } }, 0, 0 } +}; +#endif + +#ifdef __RAMSTAGE__ +/* RAMSTAGE */ +const verify_item_t payload_verify_list[] = { + { VERIFY_FILE, PAYLOAD, { { NULL, CBFS_TYPE_SELF | + VERIFIED_BOOT_COPY_BLOCK } }, HASH_IDX_PAYLOAD, + MBOOT_PCR_INDEX_3 }, + { VERIFY_TERMINATOR, NULL, { { NULL, 0 } }, 0, 0 } +}; + +const verify_item_t oprom_verify_list[] = { + { VERIFY_TERMINATOR, NULL, { { NULL, 0 } }, 0, 0 } +}; +#endif diff --git a/src/mainboard/facebook/fbg1701/board_verified_boot.h b/src/mainboard/facebook/fbg1701/board_verified_boot.h new file mode 100644 index 0000000000..30fcd8b1c2 --- /dev/null +++ b/src/mainboard/facebook/fbg1701/board_verified_boot.h @@ -0,0 +1,23 @@ +/* + * This file is part of the coreboot project. + * + * Copyright (C) 2018 Eltan B.V. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 2 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + */ + +#ifndef BOARD_VERIFIED_BOOT_H +#define BOARD_VERIFIED_BOOT_H + +#include +#include +#include "onboard.h" + +#endif diff --git a/src/mainboard/facebook/fbg1701/manifest.h b/src/mainboard/facebook/fbg1701/manifest.h new file mode 100644 index 0000000000..5a583f47ec --- /dev/null +++ b/src/mainboard/facebook/fbg1701/manifest.h @@ -0,0 +1,35 @@ +/* + * This file is part of the coreboot project. + * + * Copyright (C) 2018 Eltan B.V. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 2 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + */ + +#ifndef __MANIFEST_H__ +#define __MANIFEST_H__ + +/** + * Make sure the index matches the actual order in the manifest generated + * using the HashCb.cmd file + */ +#define HASH_IDX_ROM_STAGE 0 +#define HASH_IDX_RAM_STAGE 1 +#define HASH_IDX_PAYLOAD 2 +#define HASH_IDX_OPROM 3 +#define HASH_IDX_FSP 4 +#define HASH_IDX_MICROCODE 5 +#define HASH_IDX_SPD0 6 +#define HASH_IDX_LOGO 7 +#define HASH_IDX_DSDT 8 +#define HASH_IDX_POSTCAR_STAGE 9 +#define HASH_IDX_BOOTBLOCK 10 /* Should always be the last one */ + +#endif diff --git a/src/mainboard/facebook/fbg1701/onboard.h b/src/mainboard/facebook/fbg1701/onboard.h index d1fd0509a6..330fe0f7d9 100644 --- a/src/mainboard/facebook/fbg1701/onboard.h +++ b/src/mainboard/facebook/fbg1701/onboard.h @@ -33,4 +33,14 @@ #define CPLD_CMD_RESET_DSI_BRIDGE_ACTIVE 0x20 #define CPLD_CMD_RESET_DSI_BRIDGE_INACTIVE 0x00 +/* Define the items to be measured or verified */ +#define FSP (const char *)"fsp.bin" +#define CMOS_LAYOUT (const char *)"cmos_layout.bin" +#define RAMSTAGE (const char *)"fallback/ramstage" +#define ROMSTAGE (const char *)"fallback/romstage" +#define PAYLOAD (const char *)"fallback/payload" +#define POSTCAR (const char *)"fallback/postcar" +#define OP_ROM_VBT (const char *)"vbt.bin" +#define MICROCODE (const char *)"cpu_microcode_blob.bin" + #endif -- cgit v1.2.3