GNUBoot
/
coreboot-kgpe-d16
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

security/vboot: Simplify image signing 

futility now supports image truncation and signing of whole images with
a single command invocation. Use it for vboot-enabled coreboot images.

TEST=Build and run coreboot on google/volteer

Signed-off-by: Jakub Czapiga <jacz@semihalf.com>
Change-Id: I49eb7e977b635ccb9f6c1b76e53c36e82be1d795
Reviewed-on: https://review.coreboot.org/c/coreboot/+/66127
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Yu-Ping Wu <yupingso@google.com>
This commit is contained in:
Jakub Czapiga 2022-07-25 14:24:06 +02:00 committed by Martin L Roth
parent ae157d38e3
commit 190afda543
1 changed files with 13 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
src/security/vboot/Makefile.inc
View File

@ -344,39 +344,21 @@ files_added:: $(FUTILITY)
$(obj)/coreboot.rom $(obj)/coreboot.rom
endif endif
# Extract FW_MAIN_? region and minimize it if the last file is empty, so it ifneq (,$(filter y,$(CONFIG_VBOOT_SLOTS_RW_A) $(CONFIG_VBOOT_SLOTS_RW_AB)))
# doesn't contain this empty file (that can have a significant size), files_added:: $(obj)/coreboot.rom $(FUTILITY) $(CBFSTOOL)
# improving a lot on hash times due to a smaller amount of data loaded from CBFSTOOL="$(CBFSTOOL)" \
# firmware storage. $(FUTILITY) sign \
# When passing the minimized image to vbutil_firmware, its length is recorded
# in the keyblock, and coreboot's vboot code clips the region_device to match,
# which prevents any potential extension attacks.
$(obj)/FW_MAIN_%.bin: $(obj)/coreboot.rom
$(CBFSTOOL) $< truncate -r $(basename $(notdir $@)) > $@.tmp.size
$(CBFSTOOL) $< read -r $(basename $(notdir $@)) -f $@.tmp
head -c $$( printf "%d" $$(cat $@.tmp.size)) $@.tmp > $@.tmp2
mv $@.tmp2 $@
rm -f $@.tmp $@.tmp.size
$(obj)/VBLOCK_%.bin: $(obj)/FW_MAIN_%.bin $(FUTILITY)
$(FUTILITY) vbutil_firmware \
--vblock $@ \
--keyblock "$(CONFIG_VBOOT_KEYBLOCK)" \
--signprivate "$(CONFIG_VBOOT_FIRMWARE_PRIVKEY)" \ --signprivate "$(CONFIG_VBOOT_FIRMWARE_PRIVKEY)" \
--version $(CONFIG_VBOOT_KEYBLOCK_VERSION) \ --keyblock "$(CONFIG_VBOOT_KEYBLOCK)" \
--fv $< \
--kernelkey "$(CONFIG_VBOOT_KERNEL_KEY)" \ --kernelkey "$(CONFIG_VBOOT_KERNEL_KEY)" \
--flags $(CONFIG_VBOOT_KEYBLOCK_PREAMBLE_FLAGS) --version $(CONFIG_VBOOT_KEYBLOCK_VERSION) \
--flags $(CONFIG_VBOOT_KEYBLOCK_PREAMBLE_FLAGS) \
ifeq ($(CONFIG_VBOOT_SLOTS_RW_AB),y) $(obj)/coreboot.rom
files_added:: $(obj)/VBLOCK_A.bin $(obj)/VBLOCK_B.bin if [ "$(CONFIG_VBOOT_SLOTS_RW_AB)" = 'y' ]; then \
$(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_A -f $(obj)/VBLOCK_A.bin printf " FLASHMAP Layout generated for RO, A and B partition.\n"; \
$(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_B -f $(obj)/VBLOCK_B.bin elif [ "$(CONFIG_VBOOT_SLOTS_RW_A)" = 'y' ]; then \
@printf " FLASHMAP Layout generated for RO, A and B partition.\n" printf " FLASHMAP Layout generated for RO and A partition.\n"; \
else ifeq ($(CONFIG_VBOOT_SLOTS_RW_A),y) fi
files_added:: $(obj)/VBLOCK_A.bin
$(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_A -f $(obj)/VBLOCK_A.bin
@printf " FLASHMAP Layout generated for RO and A partition.\n"
else else
files_added:: files_added::
@printf " FLASHMAP Layout generated for RO partition only.\n" @printf " FLASHMAP Layout generated for RO partition only.\n"