coreboot-kgpe-d16/Documentation/vendorcode/eltan/security.md

# Eltan Security

## Security
This code enables measured boot and verified boot support.
Verified boot is available in coreboot, but based on ChromeOS. This vendorcode
uses a small encryption library and leave much more space in flash for the
payload.

## Hashing Library
The library suppports SHA-1, SHA-256 and SHA-512. The required routines of
`3rdparty/vboot/firmware/2lib` are used.

## Measured boot
measured boot support will use TPM2 device if available. The items specified
in `mb_log_list[]` will be measured.

## Verified boot
verified boot support will use TPM2 device if available. The items specified
in the next table will be verified:
* `bootblock_verify_list[]`
* `verify_item_t romstage_verify_list[]`
* `ram_stage_additional_list[]`
* `ramstage_verify_list[]`
* `payload_verify_list[]`
* `oprom_verify_list[]`

## Enabling support

* Measured boot can be enabled using **CONFIG_MBOOT**
* Create mb_log_list table with list of item to measure
* Create tables bootblock_verify_list[], verify_item_t romstage_verify_list[],
  ram_stage_additional_list[], ramstage_verify_list[], payload_verify_list[],
  oprom_verify_list[]
* Verified boot can be enabled using **CONFIG_VERIFIED_BOOT**
* Added Kconfig values for verbose console output

## Debugging

You can enable verbose console output in *menuconfig*.
vendorcode/eltan: Add vendor code for measured and verified boot This patch contains the general files for the vendorcode/eltan that has been uploaded recently: - Add eltan directory to vendorcode. - Add documentation about the support in the vendorcode directories. - Add the Makefile.inc and Kconfig for the vendorcode/eltan and vendorcode/eltan/security. BUG=N/A TEST=Created verified binary and verify logging on Portwell PQ-M107 Change-Id: Ic1d5a21d40b6a31886777e8e9fe7b28c860f1a80 Signed-off-by: Frans Hendriks <fhendriks@eltan.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/30218 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com> 2019-04-05 10:00:18 +02:00			`# Eltan Security`

			`## Security`
			`This code enables measured boot and verified boot support.`
			`Verified boot is available in coreboot, but based on ChromeOS. This vendorcode`
			`uses a small encryption library and leave much more space in flash for the`
			`payload.`

			`## Hashing Library`
			`The library suppports SHA-1, SHA-256 and SHA-512. The required routines of`
			`3rdparty/vboot/firmware/2lib` are used.

			`## Measured boot`
			`measured boot support will use TPM2 device if available. The items specified`
			in `mb_log_list[]` will be measured.

			`## Verified boot`
			`verified boot support will use TPM2 device if available. The items specified`
			`in the next table will be verified:`
			* `bootblock_verify_list[]`
			* `verify_item_t romstage_verify_list[]`
			* `ram_stage_additional_list[]`
			* `ramstage_verify_list[]`
			* `payload_verify_list[]`
			* `oprom_verify_list[]`

			`## Enabling support`

			`* Measured boot can be enabled using CONFIG_MBOOT`
			`* Create mb_log_list table with list of item to measure`
			`* Create tables bootblock_verify_list[], verify_item_t romstage_verify_list[],`
			`ram_stage_additional_list[], ramstage_verify_list[], payload_verify_list[],`
			`oprom_verify_list[]`
			`* Verified boot can be enabled using CONFIG_VERIFIED_BOOT`
			`* Added Kconfig values for verbose console output`

			`## Debugging`

			`You can enable verbose console output in menuconfig.`