GNUBoot
/
coreboot-kgpe-d16
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add SBOM (Software Bill of Materials) Generation 

Firmware is typically delivered as one large binary image that gets
flashed. Since this final image consists of binaries and data from
a vast number of different people and companies, it's hard to
determine what all the small parts included in it are. The goal of
the software bill of materials (SBOM) is to take a firmware image
and make it easy to find out what it consists of and where those
pieces came from. Basically, this answers the question, who supplied
the code that's running on my system right now? For example, buyers
of a system can use an SBOM to perform an automated vulnerability
check or license analysis, both of which can be used to evaluate
risk in a product. Furthermore, one can quickly check to see if the
firmware is subject to a new vulnerability included in one of the
software parts (with the specified version) of the firmware.
Further reference:
https://web.archive.org/web/20220310104905/https://blogs.gnome.org/hughsie/2022/03/10/firmware-software-bill-of-materials/

- Add Makefile.inc to generate and build coswid tags
- Add templates for most payloads, coreboot, intel-microcode,
  amd-microcode. intel FSP-S/M/T, EC, BIOS_ACM, SINIT_ACM,
  intel ME and compiler (gcc,clang,other)
- Add Kconfig entries to optionally supply a path to CoSWID tags
  instead of using the default CoSWID tags
- Add CBFS entry called SBOM to each build via Makefile.inc
- Add goswid utility tool to generate SBOM data

Signed-off-by: Maximilian Brune <maximilian.brune@9elements.com>
Change-Id: Icb7481d4903f95d200eddbfed7728fbec51819d0
Reviewed-on: https://review.coreboot.org/c/coreboot/+/63639
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Martin Roth <martin.roth@amd.corp-partner.google.com>
This commit is contained in:
Maximilian Brune 2022-04-14 14:54:16 +02:00 committed by Martin Roth
parent 1e71fe107a
commit 1d7a9debf2
30 changed files with 811 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.gitmodules vendored
View File

@ -61,3 +61,7 @@
path = 3rdparty/stm path = 3rdparty/stm
url = ../STM url = ../STM
branch = stmpe branch = stmpe
[submodule "util/goswid"]
path = util/goswid
url = ../goswid
branch = trunk

1
Makefile.inc
View File

@ -93,6 +93,7 @@ subdirs-y += $(wildcard src/arch/*)
subdirs-y += src/mainboard/$(MAINBOARDDIR) subdirs-y += src/mainboard/$(MAINBOARDDIR)
subdirs-y += src/security subdirs-y += src/security
subdirs-y += payloads payloads/external subdirs-y += payloads payloads/external
subdirs-$(CONFIG_SBOM) += src/sbom
subdirs-y += site-local subdirs-y += site-local
subdirs-y += util/checklist util/testing subdirs-y += util/checklist util/testing

6
configs/config.facebook_fbg1701.sbom Normal file
View File

@ -0,0 +1,6 @@
CONFIG_INCLUDE_COREBOOT_SBOM=y
CONFIG_INCLUDE_PAYLOAD_SBOM=y
CONFIG_INCLUDE_ME_SBOM=y
CONFIG_INCLUDE_MICROCODE_SBOM=y
CONFIG_VENDOR_FACEBOOK=y
CONFIG_BOARD_FACEBOOK_FBG1701=y

6
src/Kconfig
View File

@ -476,6 +476,12 @@ config MINIMAL_PCI_SCANNING
help help
If this option is enabled, coreboot will scan only PCI devices If this option is enabled, coreboot will scan only PCI devices
marked as mandatory in devicetree.cb marked as mandatory in devicetree.cb
menu "Software Bill Of Materials (SBOM)"
source "src/sbom/Kconfig"
endmenu
endmenu endmenu
menu "Mainboard" menu "Mainboard"

171
src/sbom/Kconfig Normal file
View File

@ -0,0 +1,171 @@
## SPDX-License-Identifier: GPL-2.0-only
config SBOM
bool "Include SBOM data for coreboot"
default n
help
Select this option if you want to include a
coswid (Concise Software Identification Tag) of coreboot itself
into the SBOM (Software Bill of Materials) File in your build
if SBOM
config SBOM_COMPILER
bool "Include compiler metadata in SBOM"
default n
help
Select this option if you want to include a
coswid (Concise Software Identification Tag) of the compiler
used to compile coreboot into the SBOM (Software Bill of Materials)
File in your build
Note: if the system toolchain is used to build coreboot
one should check the final SBOM file for the expected results
config SBOM_PAYLOAD
bool "Include payload metadata in SBOM"
default n
help
Select this option if you want to include a
coswid (Concise Software Identification Tag) of the payload into
the SBOM (Software Bill of Materials) File in your build
config SBOM_PAYLOAD_GENERATE
bool "Auto-generate generic SBOM info for payload"
depends on SBOM_PAYLOAD && (PAYLOAD_BOOTBOOT || PAYLOAD_DEPTHCHARGE || PAYLOAD_FILO || PAYLOAD_GRUB2 || PAYLOAD_LINUXBOOT || PAYLOAD_SEABIOS || PAYLOAD_SKIBOOT || PAYLOAD_UBOOT || PAYLOAD_YABITS)
default y
help
Select this option if you want coreboot to generate and include
the coswid (Concise Software Identification Tag) instead of supplying
it manually. Be aware that this option is only meant to be a
transition and suppliers of Software should always prefer to include
their own Software descriptions, since ours may be incomplete or
straight up wrong.
config SBOM_PAYLOAD_PATH
string "SBOM file path"
depends on SBOM_PAYLOAD && !SBOM_PAYLOAD_GENERATE
help
The path of the .ini file describing the payload
Software included in the build
config SBOM_ME
bool "Include ME metadata in SBOM"
depends on HAVE_ME_BIN
default n
help
Select this option if you want to include a
coswid (Concise Software Identification Tag) of the
ME firmware into the SBOM (Software Bill of Materials)
File in your build
config SBOM_ME_GENERATE
bool "Auto-generate generic SBOM info for ME firmware"
depends on SBOM_ME
default y
help
Select this option if you want coreboot to generate and include
the coswid (Concise Software Identification Tag) instead of
supplying it manually. Be aware that this option is only meant
to be a transition and suppliers of Software should always prefer
to include their own Software descriptions, since ours may be
incomplete or straight up wrong.
config SBOM_ME_PATH
string "Path to sbom.json for the ME firmware"
depends on SBOM_ME && !SBOM_ME_GENERATE
help
The path of the SBOM file (sbom.json file)
The path of the .json file describing the Software included in the build
config SBOM_EC
bool "Include EC metadata in SBOM"
depends on HAVE_EC_BIN
default n
help
Select this option if you want to include a
coswid (Concise Software Identification Tag) of the
EC (Embedded Controller) firmware into the
SBOM (Software Bill of Materials) File in your build
config SBOM_EC_PATH
string "Path to SBOM file for the EC firmware"
depends on SBOM_EC
default "src/sbom/generic-ec.json"
help
The path of the SBOM file describing the Software included in the build
File can be a .json, .xml, .cbor, .uswid, or .pc
config SBOM_SINIT_ACM
bool "Include SINIT ACM metadata in SBOM"
depends on INTEL_TXT_SINITACM_FILE != ""
default n
help
Select this option if you want to include a
coswid (Concise Software Identification Tag) of the
SINIT ACM (Authenticated Code Module) firmware into the
SBOM (Software Bill of Materials) File in your build
config SBOM_SINIT_ACM_PATH
string "Path to SBOM file for the SINIT AMC firmware"
depends on SBOM_SINIT_ACM
default "src/sbom/intel-sinit-acm.json"
help
The path of the SBOM file describing the Software included in the build
File can be a .json, .xml, .cbor, .uswid, or .pc
config SBOM_BIOS_ACM
bool "Include BIOS ACM metadata in SBOM"
depends on INTEL_TXT_BIOSACM_FILE != ""
default n
help
Select this option if you want to include a
coswid (Concise Software Identification Tag) of the
BIOS ACM (Authenticated Code Module) firmware into the
SBOM (Software Bill of Materials) File in your build
config SBOM_BIOS_ACM_PATH
string "Path to SBOM file for the BIOS AMC firmware"
depends on SBOM_SINIT_ACM
default "src/sbom/intel-bios-acm.json"
help
The path of the SBOM file describing the Software included in the build
File can be a .json, .xml, .cbor, .uswid, or .pc
config SBOM_MICROCODE
bool "Include microcode metadata in SBOM"
default n
help
Select this option if you want to include a
coswid (Concise Software Identification Tag) of the
microcode firmware into the SBOM (Software Bill of Materials)
File in your build
config SBOM_FSP
bool "Include Intel FSP metadata in SBOM"
default n
depends on (FSP_S_FILE != "" || FSP_M_FILE != "" || FSP_T_FILE != "")
help
Select this option if you want to include a
coswid (Concise Software Identification Tag) of the
FSP firmware into the SBOM (Software Bill of Materials)
File in your build
config SBOM_FSP_PATH
string "Path to SBOM file for the FSP firmware"
depends on SBOM_FSP
default "build/sbom/generic-fsp.json"
help
The path of the SBOM file describing the Software included in the build
File can be a .json, .xml, .cbor, .uswid, or .pc
config SBOM_VBOOT
bool "Include VBOOT metadata in SBOM"
default n
depends on VBOOT_LIB
help
Select this option if you want to include a
coswid (Concise Software Identification Tag) of the
VBOOT Software into the SBOM (Software Bill of Materials)
File in your build
endif

143
src/sbom/Makefile.inc Normal file
View File

@ -0,0 +1,143 @@
## SPDX-License-Identifier: GPL-2.0-only
obj ?= build
src ?= src
build-dir = $(obj)/sbom
src-dir = $(src)/sbom
CONFIG_ME_BIN_PATH := $(call strip_quotes, $(CONFIG_ME_BIN_PATH))
CONFIG_FSP_S_FILE := $(call strip_quotes, $(CONFIG_FSP_S_FILE))
CONFIG_FSP_M_FILE := $(call strip_quotes, $(CONFIG_FSP_M_FILE))
CONFIG_FSP_T_FILE := $(call strip_quotes, $(CONFIG_FSP_T_FILE))
CONFIG_PAYLOAD_FILE := $(call strip_quotes, $(CONFIG_PAYLOAD_FILE))
CONFIG_EC_PATH := $(call strip_quotes, $(CONFIG_EC_PATH))
CONFIG_BIOS_ACM_PATH := $(call strip_quotes, $(CONFIG_BIOS_ACM_PATH))
CONFIG_SINIT_ACM_PATH := $(call strip_quotes, $(CONFIG_SINIT_ACM_PATH))
ifeq ($(CONFIG_SBOM_PAYLOAD_GENERATE), y)
payload-git-dir-$(CONFIG_PAYLOAD_BOOTBOOT) = payloads/external/BOOTBOOT/bootboot
payload-git-dir-$(CONFIG_PAYLOAD_DEPTHCHARGE) = payloads/external/depthcharge/depthcharge
payload-git-dir-$(CONFIG_PAYLOAD_FILO) = payloads/external/FILO/filo
payload-git-dir-$(CONFIG_PAYLOAD_GRUB2) = payloads/external/GRUB2/grub2
payload-git-dir-$(CONFIG_PAYLOAD_LINUXBOOT) = payloads/external/LinuxBoot/linuxboot
payload-git-dir-$(CONFIG_PAYLOAD_SEABIOS) = payloads/external/SeaBIOS/seabios
payload-git-dir-$(CONFIG_PAYLOAD_SKIBOOT) = payloads/external/skiboot/skiboot
#payload-git-dir-$(CONFIG_PAYLOAD_TIANOCORE) = payloads/external/tianocore/
payload-git-dir-$(CONFIG_PAYLOAD_UBOOT) = payloads/external/U-Boot/u-boot
payload-git-dir-$(CONFIG_PAYLOAD_IPXE) = payloads/external/iPXE/ipxe
ifneq ($(payload-git-dir-y),)
# only proceed with payload sbom data, if one of the above payloads were selected (should be guarded by Kconfig as well)
# e.g. payload-git-dir-y=payloads/external/SeaBIOS/seabios -> payload-json-file=$(build-dir)/payload-SeaBIOS.json
payload-swid = $(build-dir)/payload-$(subst /,,$(dir $(patsubst payloads/external/%,%,$(payload-git-dir-y)))).json
payload-swid-template = $(patsubst $(build-dir)/%.json,$(src-dir)/%.json,$(payload-swid))
endif
endif
swid-files-$(CONFIG_SBOM_ME) += $(if $(CONFIG_SBOM_ME_GENERATE), $(build-dir)/intel-me.json, $(CONFIG_SBOM_ME_PATH))
swid-files-$(CONFIG_SBOM_PAYLOAD) += $(if $(CONFIG_SBOM_PAYLOAD_GENERATE), $(payload-swid), $(CONFIG_SBOM_PAYLOAD_PATH))
# TODO think about just using one CoSWID tag for all intel-microcode instead of one for each. maybe put each microcode into files entity of CoSWID tag?
swid-files-$(CONFIG_SBOM_MICROCODE) += $(patsubst 3rdparty/intel-microcode/intel-ucode/%, $(build-dir)/intel-microcode-%.json, $(filter 3rdparty/intel-microcode/intel-ucode/%, $(cpu_microcode_bins)))
swid-files-$(CONFIG_SBOM_MICROCODE) += $(patsubst ${FIRMWARE_LOCATION}/UcodePatch_%.bin, $(build-dir)/amd-microcode-%.json, $(filter ${FIRMWARE_LOCATION}/UcodePatch_%.bin, $(cpu_microcode_bins)))
swid-files-$(CONFIG_SBOM_FSP) += $(CONFIG_SBOM_FSP_PATH)
swid-files-$(CONFIG_SBOM_EC) += $(CONFIG_SBOM_EC_PATH)
swid-files-$(CONFIG_SBOM_BIOS_ACM) += $(CONFIG_BIOS_ACM_PATH)
swid-files-$(CONFIG_SBOM_SINIT_ACM) += $(CONFIG_SINIT_ACM_PATH)
vboot-pkgconfig-files = $(obj)/external/vboot_reference-bootblock/vboot_host.pc $(obj)/external/vboot_reference-romstage/vboot_host.pc $(obj)/external/vboot_reference-ramstage/vboot_host.pc $(obj)/external/vboot_reference-postcar/vboot_host.pc
swid-files-$(CONFIG_SBOM_VBOOT) += $(vboot-pkgconfig-files)
$(vboot-pkgconfig-files): $(VBOOT_LIB_bootblock) $(VBOOT_LIB_romstage) $(VBOOT_LIB_ramstage) $(VBOOT_LIB_postcar) # src/security/vboot/Makefile.inc
ifeq ($(CONFIG_SBOM_COMPILER),y)
ifeq ($(CONFIG_ANY_TOOLCHAIN),y)
swid-files-compiler = $(build-dir)/compiler-generic.json
else ifeq ($(CONFIG_COMPILER_GCC),y)
swid-files-compiler = $(build-dir)/compiler-gcc.json
else ifeq ($(CONFIG_COMPILER_LLVM_CLANG),y)
swid-files-compiler = $(build-dir)/compiler-clang.json
endif
compiler-toolchain = $(CC_bootblock) $(CC_romstage) $(CC_ramstage) $(CC_postcar) $(CC_verstage) $(LD_bootblock) $(LD_romstage) $(LD_ramstage) $(LD_postcar) $(LD_verstage) $(AS_bootblock) $(AS_romstage) $(AS_ramstage) $(AS_postcar) $(AS_verstage)
endif
coreboot-licenses = $(foreach license, $(patsubst %.txt, %, $(filter-out retained-copyrights.txt, $(patsubst LICENSES/%, %, $(wildcard LICENSES/*)))), https://spdx.org/licenses/$(license).html)
# only include CBFS SBOM section if there is any data for it
ifeq ($(CONFIG_SBOM),y)
cbfs-files-y += sbom
sbom-file = $(build-dir)/sbom.uswid
sbom-type = raw
endif
## Build final SBOM (Software Bill of Materials) file in uswid format
$(build-dir)/sbom.uswid: $(build-dir)/coreboot.json $(swid-files-y) $(swid-files-compiler) | $(build-dir)/goswid $(build-dir)
echo " SBOM " $^
$(build-dir)/goswid convert -o $@ \
--parent $(build-dir)/coreboot.json \
$(if $(swid-files-y), --requires $$(echo $(swid-files-y) | tr ' ' ','),) \
$(if $(swid-files-compiler), --compiler $(swid-files-compiler),)
# all build files depend on the $(build-dir) directory being created
$(build-dir):
mkdir -p $(build-dir)
$(build-dir)/goswid: | $(build-dir)
echo " SBOM building goswid tool"
cd util/goswid; \
GO111MODULE=on go build -o $(abspath $@) ./cmd/goswid
## Generate all .json files
$(build-dir)/compiler-%.json: $(src-dir)/compiler-%.json | $(build-dir)/goswid
cp $< $@
for tool in $$(echo $(compiler-toolchain) | tr ' ' '\n' | sort | uniq); do \
version=$$($$tool --version 2>&1 | head -n 1 | grep -Eo '([0-9]+\.[0-9]+\.*[0-9]*)'); \
$(build-dir)/goswid add-payload-file -o $@ -i $@ --name $$(basename $$tool) --version $$version; \
done
$(build-dir)/coreboot.json: $(src-dir)/coreboot.json .git/HEAD | $(build-dir)/goswid
cp $< $@
git_tree_hash=$$(git log -n 1 --format=%T);\
git_comm_hash=$$(git log -n 1 --format=%H);\
sed -i -e "s/<colloquial_version>/$$git_tree_hash/" -e "s/<software_version>/$$git_comm_hash/" $@;\
$(build-dir)/goswid add-license -o $@ -i $@ $(coreboot-licenses)
$(build-dir)/intel-me.json: $(src-dir)/intel-me.json $(CONFIG_ME_BIN_PATH) | $(build-dir)
cp $< $@
#TODO put more Intel Management Engine metadata in sbom file
$(build-dir)/generic-fsp.json: $(src-dir)/generic-fsp.json $(CONFIG_FSP_S_FILE) $(CONFIG_FSP_T_FILE) $(CONFIG_FSP_M_FILE) | $(build-dir)/goswid
cp $(src-dir)/generic-fsp.json $@
ifneq ($(CONFIG_FSP_S_FILE),)
echo " SBOM Adding FSP-S"
$(build-dir)/goswid add-payload-file -o $@ -i $@ --name "FSP-S"
endif
ifneq ($(CONFIG_FSP_T_FILE),)
echo " SBOM Adding FSP-T"
$(build-dir)/goswid add-payload-file -o $@ -i $@ --name "FSP-T"
endif
ifneq ($(CONFIG_FSP_M_FILE),)
echo " SBOM Adding FSP-M"
$(build-dir)/goswid add-payload-file -o $@ -i $@ --name "FSP-M"
endif
$(build-dir)/intel-microcode-%.json: $(src-dir)/intel-microcode.json 3rdparty/intel-microcode/intel-ucode/% | $(build-dir) $(build-dir)/goswid
cp $< $@
year=$$(hexdump --skip 8 --length 2 --format '"%04x"' $(word 2,$^));\
day=$$(hexdump --skip 10 --length 1 --format '"%02x"' $(word 2,$^));\
month=$$(hexdump --skip 11 --length 1 --format '"%02x"' $(word 2,$^));\
sed -i "s/<software_version>/$$year-$$month-$$day/" $@
#TODO add cpuid (processor family, model, stepping) as extra attribute
$(build-dir)/amd-microcode-%.json: $(src-dir)/amd-microcode.json ${FIRMWARE_LOCATION}/UcodePatch_%.bin | $(build-dir) $(build-dir)/goswid
cp $< $@
year=$$(hexdump --skip 0 --length 2 --format '"%04x"' $(word 2,$^));\
day=$$(hexdump --skip 2 --length 1 --format '"%02x"' $(word 2,$^));\
month=$$(hexdump --skip 3 --length 1 --format '"%02x"' $(word 2,$^));\
sed -i "s/<software_version>/$$year-$$month-$$day/" $@
$(payload-swid): $(payload-swid-template) $(CONFIG_PAYLOAD_FILE) | $(build-dir)
cp $< $@;\
git_tree_hash=$$(git --git-dir $(payload-git-dir-y)/.git log -n 1 --format=%T);\
git_comm_hash=$$(git --git-dir $(payload-git-dir-y)/.git log -n 1 --format=%H);\
sed -i -e "s/<colloquial_version>/$$git_tree_hash/" -e "s/<software_version>/$$git_comm_hash/" $@;

25
src/sbom/TAGS Normal file
View File

@ -0,0 +1,25 @@
tag-ids were generated as follows. Note that tag-ids are currently only unique inside the SBOM itself, not globally.
payload-BOOTBOOT: uuidgen --name bootboot --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
payload-depthcharge: uuidgen --name depthcharge --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
payload-FILO: uuidgen --name filo --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
payload-GRUB2: uuidgen --name grub2 --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
payload-iPXE: uuidgen --name iPXE --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
payload-LinuxBoot: uuidgen --name linuxboot --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
payload-SeaBIOS: uuidgen --name seabios --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
payload-skiboot: uuidgen --name skiboot --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
payload-U-Boot: uuidgen --name uboot --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
payload-Yabits: uuidgen --name yabits --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
coreboot: uuidgen --name coreboot --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
generic-ec: uuidgen --name generic-ec --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
intel-me: uuidgen --name intel-me --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
intel-bios-acm: uuidgen --name intel-bios-acm --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
intel-sinit-acm: uuidgen --name intel-sinit-acm --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
intel-fsp-s: uuidgen --name intel-fsp-s --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
intel-fsp-m: uuidgen --name intel-fsp-m --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
intel-fsp-t: uuidgen --name intel-fsp-t --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
intel-fsp: uuidgen --name intel-fsp --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
intel-mircocode: uuidgen --name intel-microcode --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
amd-mircocode: uuidgen --name amd-microcode --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
compiler-gcc: uuidgen --name compiler-gcc --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
compiler-clang: uuidgen --name compiler-clang --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
compiler-generic: uuidgen --name compiler-generic --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1

24
src/sbom/amd-microcode.json Normal file
View File

@ -0,0 +1,24 @@
/* SPDX-License-Identifier: GPL-2.0-only */
{
"lang": "en-US",
"tag-id": "082d7533-575e-5914-a599-728f636b8f78",
"tag-version": 0,
"software-name": "AMD-Microcode",
"software-version": "<software_version>",
"version-scheme": "alphanumeric",
"software-meta": [
{
"persistent-id": "com.amd.microcode",
"summary": "Micrcode Updates for AMD Processors"
}
],
"entity": [
{
"entity-name": "coreboot",
"reg-id": "coreboot.org",
"role": [
"tagCreator"
]
}
]
}

21
src/sbom/compiler-clang.json Normal file
View File

@ -0,0 +1,21 @@
/* SPDX-License-Identifier: GPL-2.0-only */
{
"lang": "en-US",
"tag-id": "56ed2b98-6b90-574f-aa1d-11579df90e25",
"tag-version": 0,
"software-name": "clang",
"software-meta": [
{
"persistent-id": "org.llvm.clang"
}
],
"entity": [
{
"entity-name": "coreboot",
"reg-id": "coreboot.org",
"role": [
"tagCreator"
]
}
]
}

21
src/sbom/compiler-gcc.json Normal file
View File

@ -0,0 +1,21 @@
/* SPDX-License-Identifier: GPL-2.0-only */
{
"lang": "en-US",
"tag-id": "8e0d0fd3-1116-50ad-ba5f-599c8117c42b",
"tag-version": 0,
"software-name": "GCC",
"software-meta": [
{
"persistent-id": "org.gnu.gcc"
}
],
"entity": [
{
"entity-name": "coreboot",
"reg-id": "coreboot.org",
"role": [
"tagCreator"
]
}
]
}

15
src/sbom/compiler-generic.json Normal file
View File

@ -0,0 +1,15 @@
/* SPDX-License-Identifier: GPL-2.0-only */
{
"lang": "en-US",
"tag-id": "a79cee21-97a6-53e5-8e41-65b084a7b90e",
"tag-version": 0,
"entity": [
{
"entity-name": "coreboot",
"reg-id": "coreboot.org",
"role": [
"tagCreator"
]
}
]
}

25
src/sbom/coreboot.json Normal file
View File

@ -0,0 +1,25 @@
/* SPDX-License-Identifier: GPL-2.0-only */
{
"lang": "en-US",
"tag-id": "a9032c9d-2aaa-5a25-a0e6-6d865b24e6d2",
"tag-version": 0,
"software-name": "coreboot",
"software-version": "<software_version>",
"version-scheme": "alphanumeric",
"software-meta": [
{
"colloquial-version": "<colloquial_version>",
"persistent-id": "org.coreboot.rocks",
"summary": "coreboot is a project to develop open source boot firmware for various architectures"
}
],
"entity": [
{
"entity-name": "coreboot",
"reg-id": "coreboot.org",
"role": [
"tagCreator"
]
}
]
}

21
src/sbom/generic-ec.json Normal file
View File

@ -0,0 +1,21 @@
/* SPDX-License-Identifier: GPL-2.0-only */
{
"lang": "en-US",
"tag-id": "cb643972-4544-525e-a25e-31651fe9fcbe",
"tag-version": 0,
"software-name": "Embedded Controller Firmware",
"software-meta": [
{
"summary": "The Embedded Controller is a microcontroller which handles various tasks such as power management and keyboard control"
}
],
"entity": [
{
"entity-name": "coreboot",
"reg-id": "coreboot.org",
"role": [
"tagCreator"
]
}
]
}

22
src/sbom/generic-fsp.json Normal file
View File

@ -0,0 +1,22 @@
/* SPDX-License-Identifier: GPL-2.0-only */
{
"lang": "en-US",
"tag-id": "719e6299-4355-5beb-b182-9cf47928515a",
"tag-version": 0,
"software-name": "Firmware Support Package",
"software-meta": [
{
"product": "Firmware Support Package",
"summary": "Firmware Support Package is a binary which exports an API implementing memory and silicon initialization (e.g. Intel FSP or AMD AGESA)"
}
],
"entity": [
{
"entity-name": "coreboot",
"reg-id": "coreboot.org",
"role": [
"tagCreator"
]
}
]
}

16
src/sbom/intel-bios-acm.json Normal file
View File

@ -0,0 +1,16 @@
/* SPDX-License-Identifier: GPL-2.0-only */
{
"lang": "en-US",
"tag-id": "2de383e0-1721-5369-8511-e3d07743b09a",
"tag-version": 0,
"software-name": "Intel BIOS ACM",
"entity": [
{
"entity-name": "coreboot",
"reg-id": "coreboot.org",
"role": [
"tagCreator"
]
}
]
}

21
src/sbom/intel-me.json Normal file
View File

@ -0,0 +1,21 @@
/* SPDX-License-Identifier: GPL-2.0-only */
{
"lang": "en-US",
"tag-id": "9579af2b-39d8-59f1-ac5a-5b1fd4c03bd0",
"tag-version": 0,
"software-name": "Intel Management Engine",
"software-meta": [
{
"persistent-id": "com.intel.me"
}
],
"entity": [
{
"entity-name": "coreboot",
"reg-id": "coreboot.org",
"role": [
"tagCreator"
]
}
]
}

24
src/sbom/intel-microcode.json Normal file
View File

@ -0,0 +1,24 @@
/* SPDX-License-Identifier: GPL-2.0-only */
{
"lang": "en-US",
"tag-id": "23edb84c-5d68-544e-b389-8a67f6c80247",
"tag-version": 0,
"software-name": "Intel-Microcode",
"software-version": "<software_version>",
"version-scheme": "alphanumeric",
"software-meta": [
{
"persistent-id": "com.intel.microcode",
"summary": "Micrcode Updates for Intel Processors"
}
],
"entity": [
{
"entity-name": "coreboot",
"reg-id": "coreboot.org",
"role": [
"tagCreator"
]
}
]
}

16
src/sbom/intel-sinit-acm.json Normal file
View File

@ -0,0 +1,16 @@
/* SPDX-License-Identifier: GPL-2.0-only */
{
"lang": "en-US",
"tag-id": "231b1f39-28c2-596a-a33e-3d2d6570888f",
"tag-version": 0,
"software-name": "Intel SINIT ACM",
"entity": [
{
"entity-name": "coreboot",
"reg-id": "coreboot.org",
"role": [
"tagCreator"
]
}
]
}

25
src/sbom/payload-BOOTBOOT.json Normal file
View File

@ -0,0 +1,25 @@
/* SPDX-License-Identifier: GPL-2.0-only */
{
"lang": "en-US",
"tag-id": "978ba556-e0f4-592d-9a70-413138653155",
"tag-version": 0,
"software-name": "BOOTBOOT",
"software-version": "<software_version>",
"version-scheme": "alphanumeric",
"software-meta": [
{
"colloquial-version": "<colloquial_version>",
"persistent-id": "",
"summary": "BOOTBOOT multi platform micro-kernel loader"
}
],
"entity": [
{
"entity-name": "coreboot",
"reg-id": "coreboot.org",
"role": [
"tagCreator"
]
}
]
}

25
src/sbom/payload-FILO.json Normal file
View File

@ -0,0 +1,25 @@
/* SPDX-License-Identifier: GPL-2.0-only */
{
"lang": "en-US",
"tag-id": "047d005b-bb24-58d6-a7cc-76ace2e2759e",
"tag-version": 0,
"software-name": "FILO",
"software-version": "<software_version>",
"version-scheme": "alphanumeric",
"software-meta": [
{
"colloquial-version": "<colloquial_version>",
"persistent-id": "org.filo",
"summary": "FILO is a bootloader which loads boot images from a local filesystem, without help from legacy BIOS services"
}
],
"entity": [
{
"entity-name": "coreboot",
"reg-id": "coreboot.org",
"role": [
"tagCreator"
]
}
]
}

25
src/sbom/payload-GRUB2.json Normal file
View File

@ -0,0 +1,25 @@
/* SPDX-License-Identifier: GPL-2.0-only */
{
"lang": "en-US",
"tag-id": "0e801aae-699e-5674-94a0-9259afb7d12f",
"tag-version": 0,
"software-name": "GRUB2",
"software-version": "<software_version>",
"version-scheme": "alphanumeric",
"software-meta": [
{
"colloquial-version": "<colloquial_version>",
"persistent-id": "org.grub",
"summary": "GNU GRUB is a boot loader, which can load a wide variety of free and proprietary operating systems with chain-loading"
}
],
"entity": [
{
"entity-name": "coreboot",
"reg-id": "coreboot.org",
"role": [
"tagCreator"
]
}
]
}

25
src/sbom/payload-LinuxBoot.json Normal file
View File

@ -0,0 +1,25 @@
/* SPDX-License-Identifier: GPL-2.0-only */
{
"lang": "en-US",
"tag-id": "792c4921-cb02-54ac-8b61-c359336f3600",
"tag-version": 0,
"software-name": "LinuxBoot",
"software-version": "<software_version>",
"version-scheme": "alphanumeric",
"software-meta": [
{
"colloquial-version": "<colloquial_version>",
"persistent-id": "org.linuxboot",
"summary": "LinuxBoot is a firmware for modern servers that replaces specific firmware functionality like the UEFI DXE phase with a Linux kernel and runtime"
}
],
"entity": [
{
"entity-name": "coreboot",
"reg-id": "coreboot.org",
"role": [
"tagCreator"
]
}
]
}

25
src/sbom/payload-SeaBIOS.json Normal file
View File

@ -0,0 +1,25 @@
/* SPDX-License-Identifier: GPL-2.0-only */
{
"lang": "en-US",
"tag-id": "e5a249ad-04bb-5b63-a587-ceb7b0e331c9",
"tag-version": 0,
"software-name": "Seabios",
"software-version": "<software_version>",
"version-scheme": "alphanumeric",
"software-meta": [
{
"colloquial-version": "<colloquial_version>",
"persistent-id": "org.seabios",
"summary": "SeaBIOS is an open-source legacy BIOS implementation which can be used as a coreboot payload. It implements the standard BIOS calling interfaces that a typical x86 proprietary BIOS implements"
}
],
"entity": [
{
"entity-name": "coreboot",
"reg-id": "coreboot.org",
"role": [
"tagCreator"
]
}
]
}

25
src/sbom/payload-U-Boot.json Normal file
View File

@ -0,0 +1,25 @@
/* SPDX-License-Identifier: GPL-2.0-only */
{
"lang": "en-US",
"tag-id": "b714bb4f-c590-5bb7-af60-65374ecd097d",
"tag-version": 0,
"software-name": "U-Boot",
"software-version": "<software_version>",
"version-scheme": "alphanumeric",
"software-meta": [
{
"colloquial-version": "<colloquial_version>",
"persistent-id": "org.u-boot",
"summary": "Das U-Boot (subtitled 'the Universal Boot Loader') is an open-source, primary boot loader used in embedded devices to package the instructions to boot the device's operating system kernel"
}
],
"entity": [
{
"entity-name": "coreboot",
"reg-id": "coreboot.org",
"role": [
"tagCreator"
]
}
]
}

25
src/sbom/payload-depthcharge.json Normal file
View File

@ -0,0 +1,25 @@
/* SPDX-License-Identifier: GPL-2.0-only */
{
"lang": "en-US",
"tag-id": "a8c6b076-e3c2-5a8f-91c9-151aa7bd3284",
"tag-version": 0,
"software-name": "depthcharge",
"software-version": "<software_version>",
"version-scheme": "alphanumeric",
"software-meta": [
{
"colloquial-version": "<colloquial_version>",
"persistent-id": "org.depthcharge",
"summary": "Depthcharge is a payload used by google to load and verify the Linux Kernel, run recovery mode, or boot to alternate payloads on ChromeOS devices"
}
],
"entity": [
{
"entity-name": "coreboot",
"reg-id": "coreboot.org",
"role": [
"tagCreator"
]
}
]
}

25
src/sbom/payload-iPXE.json Normal file
View File

@ -0,0 +1,25 @@
/* SPDX-License-Identifier: GPL-2.0-only */
{
"lang": "en-US",
"tag-id": "5f700e15-4845-57b5-a4bb-44e698ce4947",
"tag-version": 0,
"software-name": "iPXE",
"software-version": "<software_version>",
"version-scheme": "alphanumeric",
"software-meta": [
{
"colloquial-version": "<colloquial_version>",
"persistent-id": "org.ipxe",
"summary": "iPXE is an open source network boot firmware. It provides a full PXE implementation enhanced with additional features"
}
],
"entity": [
{
"entity-name": "coreboot",
"reg-id": "coreboot.org",
"role": [
"tagCreator"
]
}
]
}

25
src/sbom/payload-skiboot.json Normal file
View File

@ -0,0 +1,25 @@
/* SPDX-License-Identifier: GPL-2.0-only */
{
"lang": "en-US",
"tag-id": "239e03d9-06b0-5ed0-a409-3c32f7f2ee2a",
"tag-version": 0,
"software-name": "skiboot",
"software-version": "<software_version>",
"version-scheme": "alphanumeric",
"software-meta": [
{
"colloquial-version": "<colloquial_version>",
"persistent-id": "org.skiboot",
"summary": "Skiboot is boot and runtime firmware for OpenPOWER systems. Its loaded by earlier boot firmware (typically Hostboot). Along with loading the bootloader, it provides some runtime services to the OS (typically Linux)"
}
],
"entity": [
{
"entity-name": "coreboot",
"reg-id": "coreboot.org",
"role": [
"tagCreator"
]
}
]
}

3
src/security/vboot/Makefile.inc
View File

@ -32,7 +32,8 @@ $$(VBOOT_LIB_$(1)): $(obj)/config.h
$(MAKE) -C $(VBOOT_SOURCE) \ $(MAKE) -C $(VBOOT_SOURCE) \
BUILD=$$(abspath $$(dir $$(VBOOT_LIB_$(1)))) \ BUILD=$$(abspath $$(dir $$(VBOOT_LIB_$(1)))) \
V=$(V) \ V=$(V) \
fwlib fwlib \
$(if $(CONFIG_INCLUDE_VBOOT_SBOM),$$(abspath $$(dir $$(VBOOT_LIB_$(1))))/vboot_host.pc)
$(1)-srcs += $$(VBOOT_LIB_$(1)) $(1)-srcs += $$(VBOOT_LIB_$(1))

1
util/goswid Submodule

@ -0,0 +1 @@
Subproject commit bdd55e42029b8ef734abfd56efe789d41996bfd4

1
util/testing/Makefile.inc
View File

@ -93,6 +93,7 @@ endif
exit 1; \ exit 1; \
fi fi
cd 3rdparty/intel-sec-tools/ ; go mod vendor cd 3rdparty/intel-sec-tools/ ; go mod vendor
cd util/goswid ; go mod vendor
util/abuild/abuild -o $(COREBOOT_BUILD_DIR)/chromeos $(ABUILD_OPTIONS) -x -X $(top)/abuild-chromeos.xml util/abuild/abuild -o $(COREBOOT_BUILD_DIR)/chromeos $(ABUILD_OPTIONS) -x -X $(top)/abuild-chromeos.xml
util/abuild/abuild -o $(COREBOOT_BUILD_DIR)/default $(ABUILD_OPTIONS) util/abuild/abuild -o $(COREBOOT_BUILD_DIR)/default $(ABUILD_OPTIONS)
$(foreach tool, $(TOOLLIST), $(MAKE) CPUS=$(CPUS) V=$(V) Q=$(Q) BLD_DIR="util/$(tool)" BLD="$(tool)" MFLAGS= MAKEFLAGS= MAKETARGET= junit.xml; ) $(foreach tool, $(TOOLLIST), $(MAKE) CPUS=$(CPUS) V=$(V) Q=$(Q) BLD_DIR="util/$(tool)" BLD="$(tool)" MFLAGS= MAKEFLAGS= MAKETARGET= junit.xml; )