Add SBOM (Software Bill of Materials) Generation
Firmware is typically delivered as one large binary image that gets flashed. Since this final image consists of binaries and data from a vast number of different people and companies, it's hard to determine what all the small parts included in it are. The goal of the software bill of materials (SBOM) is to take a firmware image and make it easy to find out what it consists of and where those pieces came from. Basically, this answers the question, who supplied the code that's running on my system right now? For example, buyers of a system can use an SBOM to perform an automated vulnerability check or license analysis, both of which can be used to evaluate risk in a product. Furthermore, one can quickly check to see if the firmware is subject to a new vulnerability included in one of the software parts (with the specified version) of the firmware. Further reference: https://web.archive.org/web/20220310104905/https://blogs.gnome.org/hughsie/2022/03/10/firmware-software-bill-of-materials/ - Add Makefile.inc to generate and build coswid tags - Add templates for most payloads, coreboot, intel-microcode, amd-microcode. intel FSP-S/M/T, EC, BIOS_ACM, SINIT_ACM, intel ME and compiler (gcc,clang,other) - Add Kconfig entries to optionally supply a path to CoSWID tags instead of using the default CoSWID tags - Add CBFS entry called SBOM to each build via Makefile.inc - Add goswid utility tool to generate SBOM data Signed-off-by: Maximilian Brune <maximilian.brune@9elements.com> Change-Id: Icb7481d4903f95d200eddbfed7728fbec51819d0 Reviewed-on: https://review.coreboot.org/c/coreboot/+/63639 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Martin Roth <martin.roth@amd.corp-partner.google.com>
This commit is contained in:
parent
1e71fe107a
commit
1d7a9debf2
|
@ -61,3 +61,7 @@
|
|||
path = 3rdparty/stm
|
||||
url = ../STM
|
||||
branch = stmpe
|
||||
[submodule "util/goswid"]
|
||||
path = util/goswid
|
||||
url = ../goswid
|
||||
branch = trunk
|
||||
|
|
|
@ -93,6 +93,7 @@ subdirs-y += $(wildcard src/arch/*)
|
|||
subdirs-y += src/mainboard/$(MAINBOARDDIR)
|
||||
subdirs-y += src/security
|
||||
subdirs-y += payloads payloads/external
|
||||
subdirs-$(CONFIG_SBOM) += src/sbom
|
||||
|
||||
subdirs-y += site-local
|
||||
subdirs-y += util/checklist util/testing
|
||||
|
|
|
@ -0,0 +1,6 @@
|
|||
CONFIG_INCLUDE_COREBOOT_SBOM=y
|
||||
CONFIG_INCLUDE_PAYLOAD_SBOM=y
|
||||
CONFIG_INCLUDE_ME_SBOM=y
|
||||
CONFIG_INCLUDE_MICROCODE_SBOM=y
|
||||
CONFIG_VENDOR_FACEBOOK=y
|
||||
CONFIG_BOARD_FACEBOOK_FBG1701=y
|
|
@ -476,6 +476,12 @@ config MINIMAL_PCI_SCANNING
|
|||
help
|
||||
If this option is enabled, coreboot will scan only PCI devices
|
||||
marked as mandatory in devicetree.cb
|
||||
|
||||
menu "Software Bill Of Materials (SBOM)"
|
||||
|
||||
source "src/sbom/Kconfig"
|
||||
|
||||
endmenu
|
||||
endmenu
|
||||
|
||||
menu "Mainboard"
|
||||
|
|
|
@ -0,0 +1,171 @@
|
|||
## SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
config SBOM
|
||||
bool "Include SBOM data for coreboot"
|
||||
default n
|
||||
help
|
||||
Select this option if you want to include a
|
||||
coswid (Concise Software Identification Tag) of coreboot itself
|
||||
into the SBOM (Software Bill of Materials) File in your build
|
||||
|
||||
if SBOM
|
||||
|
||||
config SBOM_COMPILER
|
||||
bool "Include compiler metadata in SBOM"
|
||||
default n
|
||||
help
|
||||
Select this option if you want to include a
|
||||
coswid (Concise Software Identification Tag) of the compiler
|
||||
used to compile coreboot into the SBOM (Software Bill of Materials)
|
||||
File in your build
|
||||
Note: if the system toolchain is used to build coreboot
|
||||
one should check the final SBOM file for the expected results
|
||||
|
||||
config SBOM_PAYLOAD
|
||||
bool "Include payload metadata in SBOM"
|
||||
default n
|
||||
help
|
||||
Select this option if you want to include a
|
||||
coswid (Concise Software Identification Tag) of the payload into
|
||||
the SBOM (Software Bill of Materials) File in your build
|
||||
|
||||
config SBOM_PAYLOAD_GENERATE
|
||||
bool "Auto-generate generic SBOM info for payload"
|
||||
depends on SBOM_PAYLOAD && (PAYLOAD_BOOTBOOT || PAYLOAD_DEPTHCHARGE || PAYLOAD_FILO || PAYLOAD_GRUB2 || PAYLOAD_LINUXBOOT || PAYLOAD_SEABIOS || PAYLOAD_SKIBOOT || PAYLOAD_UBOOT || PAYLOAD_YABITS)
|
||||
default y
|
||||
help
|
||||
Select this option if you want coreboot to generate and include
|
||||
the coswid (Concise Software Identification Tag) instead of supplying
|
||||
it manually. Be aware that this option is only meant to be a
|
||||
transition and suppliers of Software should always prefer to include
|
||||
their own Software descriptions, since ours may be incomplete or
|
||||
straight up wrong.
|
||||
|
||||
config SBOM_PAYLOAD_PATH
|
||||
string "SBOM file path"
|
||||
depends on SBOM_PAYLOAD && !SBOM_PAYLOAD_GENERATE
|
||||
help
|
||||
The path of the .ini file describing the payload
|
||||
Software included in the build
|
||||
|
||||
config SBOM_ME
|
||||
bool "Include ME metadata in SBOM"
|
||||
depends on HAVE_ME_BIN
|
||||
default n
|
||||
help
|
||||
Select this option if you want to include a
|
||||
coswid (Concise Software Identification Tag) of the
|
||||
ME firmware into the SBOM (Software Bill of Materials)
|
||||
File in your build
|
||||
|
||||
config SBOM_ME_GENERATE
|
||||
bool "Auto-generate generic SBOM info for ME firmware"
|
||||
depends on SBOM_ME
|
||||
default y
|
||||
help
|
||||
Select this option if you want coreboot to generate and include
|
||||
the coswid (Concise Software Identification Tag) instead of
|
||||
supplying it manually. Be aware that this option is only meant
|
||||
to be a transition and suppliers of Software should always prefer
|
||||
to include their own Software descriptions, since ours may be
|
||||
incomplete or straight up wrong.
|
||||
|
||||
config SBOM_ME_PATH
|
||||
string "Path to sbom.json for the ME firmware"
|
||||
depends on SBOM_ME && !SBOM_ME_GENERATE
|
||||
help
|
||||
The path of the SBOM file (sbom.json file)
|
||||
The path of the .json file describing the Software included in the build
|
||||
|
||||
config SBOM_EC
|
||||
bool "Include EC metadata in SBOM"
|
||||
depends on HAVE_EC_BIN
|
||||
default n
|
||||
help
|
||||
Select this option if you want to include a
|
||||
coswid (Concise Software Identification Tag) of the
|
||||
EC (Embedded Controller) firmware into the
|
||||
SBOM (Software Bill of Materials) File in your build
|
||||
|
||||
config SBOM_EC_PATH
|
||||
string "Path to SBOM file for the EC firmware"
|
||||
depends on SBOM_EC
|
||||
default "src/sbom/generic-ec.json"
|
||||
help
|
||||
The path of the SBOM file describing the Software included in the build
|
||||
File can be a .json, .xml, .cbor, .uswid, or .pc
|
||||
|
||||
config SBOM_SINIT_ACM
|
||||
bool "Include SINIT ACM metadata in SBOM"
|
||||
depends on INTEL_TXT_SINITACM_FILE != ""
|
||||
default n
|
||||
help
|
||||
Select this option if you want to include a
|
||||
coswid (Concise Software Identification Tag) of the
|
||||
SINIT ACM (Authenticated Code Module) firmware into the
|
||||
SBOM (Software Bill of Materials) File in your build
|
||||
|
||||
config SBOM_SINIT_ACM_PATH
|
||||
string "Path to SBOM file for the SINIT AMC firmware"
|
||||
depends on SBOM_SINIT_ACM
|
||||
default "src/sbom/intel-sinit-acm.json"
|
||||
help
|
||||
The path of the SBOM file describing the Software included in the build
|
||||
File can be a .json, .xml, .cbor, .uswid, or .pc
|
||||
|
||||
config SBOM_BIOS_ACM
|
||||
bool "Include BIOS ACM metadata in SBOM"
|
||||
depends on INTEL_TXT_BIOSACM_FILE != ""
|
||||
default n
|
||||
help
|
||||
Select this option if you want to include a
|
||||
coswid (Concise Software Identification Tag) of the
|
||||
BIOS ACM (Authenticated Code Module) firmware into the
|
||||
SBOM (Software Bill of Materials) File in your build
|
||||
|
||||
config SBOM_BIOS_ACM_PATH
|
||||
string "Path to SBOM file for the BIOS AMC firmware"
|
||||
depends on SBOM_SINIT_ACM
|
||||
default "src/sbom/intel-bios-acm.json"
|
||||
help
|
||||
The path of the SBOM file describing the Software included in the build
|
||||
File can be a .json, .xml, .cbor, .uswid, or .pc
|
||||
|
||||
config SBOM_MICROCODE
|
||||
bool "Include microcode metadata in SBOM"
|
||||
default n
|
||||
help
|
||||
Select this option if you want to include a
|
||||
coswid (Concise Software Identification Tag) of the
|
||||
microcode firmware into the SBOM (Software Bill of Materials)
|
||||
File in your build
|
||||
|
||||
config SBOM_FSP
|
||||
bool "Include Intel FSP metadata in SBOM"
|
||||
default n
|
||||
depends on (FSP_S_FILE != "" || FSP_M_FILE != "" || FSP_T_FILE != "")
|
||||
help
|
||||
Select this option if you want to include a
|
||||
coswid (Concise Software Identification Tag) of the
|
||||
FSP firmware into the SBOM (Software Bill of Materials)
|
||||
File in your build
|
||||
|
||||
config SBOM_FSP_PATH
|
||||
string "Path to SBOM file for the FSP firmware"
|
||||
depends on SBOM_FSP
|
||||
default "build/sbom/generic-fsp.json"
|
||||
help
|
||||
The path of the SBOM file describing the Software included in the build
|
||||
File can be a .json, .xml, .cbor, .uswid, or .pc
|
||||
|
||||
config SBOM_VBOOT
|
||||
bool "Include VBOOT metadata in SBOM"
|
||||
default n
|
||||
depends on VBOOT_LIB
|
||||
help
|
||||
Select this option if you want to include a
|
||||
coswid (Concise Software Identification Tag) of the
|
||||
VBOOT Software into the SBOM (Software Bill of Materials)
|
||||
File in your build
|
||||
|
||||
endif
|
|
@ -0,0 +1,143 @@
|
|||
## SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
obj ?= build
|
||||
src ?= src
|
||||
build-dir = $(obj)/sbom
|
||||
src-dir = $(src)/sbom
|
||||
|
||||
CONFIG_ME_BIN_PATH := $(call strip_quotes, $(CONFIG_ME_BIN_PATH))
|
||||
CONFIG_FSP_S_FILE := $(call strip_quotes, $(CONFIG_FSP_S_FILE))
|
||||
CONFIG_FSP_M_FILE := $(call strip_quotes, $(CONFIG_FSP_M_FILE))
|
||||
CONFIG_FSP_T_FILE := $(call strip_quotes, $(CONFIG_FSP_T_FILE))
|
||||
CONFIG_PAYLOAD_FILE := $(call strip_quotes, $(CONFIG_PAYLOAD_FILE))
|
||||
CONFIG_EC_PATH := $(call strip_quotes, $(CONFIG_EC_PATH))
|
||||
CONFIG_BIOS_ACM_PATH := $(call strip_quotes, $(CONFIG_BIOS_ACM_PATH))
|
||||
CONFIG_SINIT_ACM_PATH := $(call strip_quotes, $(CONFIG_SINIT_ACM_PATH))
|
||||
|
||||
ifeq ($(CONFIG_SBOM_PAYLOAD_GENERATE), y)
|
||||
payload-git-dir-$(CONFIG_PAYLOAD_BOOTBOOT) = payloads/external/BOOTBOOT/bootboot
|
||||
payload-git-dir-$(CONFIG_PAYLOAD_DEPTHCHARGE) = payloads/external/depthcharge/depthcharge
|
||||
payload-git-dir-$(CONFIG_PAYLOAD_FILO) = payloads/external/FILO/filo
|
||||
payload-git-dir-$(CONFIG_PAYLOAD_GRUB2) = payloads/external/GRUB2/grub2
|
||||
payload-git-dir-$(CONFIG_PAYLOAD_LINUXBOOT) = payloads/external/LinuxBoot/linuxboot
|
||||
payload-git-dir-$(CONFIG_PAYLOAD_SEABIOS) = payloads/external/SeaBIOS/seabios
|
||||
payload-git-dir-$(CONFIG_PAYLOAD_SKIBOOT) = payloads/external/skiboot/skiboot
|
||||
#payload-git-dir-$(CONFIG_PAYLOAD_TIANOCORE) = payloads/external/tianocore/
|
||||
payload-git-dir-$(CONFIG_PAYLOAD_UBOOT) = payloads/external/U-Boot/u-boot
|
||||
payload-git-dir-$(CONFIG_PAYLOAD_IPXE) = payloads/external/iPXE/ipxe
|
||||
ifneq ($(payload-git-dir-y),)
|
||||
# only proceed with payload sbom data, if one of the above payloads were selected (should be guarded by Kconfig as well)
|
||||
# e.g. payload-git-dir-y=payloads/external/SeaBIOS/seabios -> payload-json-file=$(build-dir)/payload-SeaBIOS.json
|
||||
payload-swid = $(build-dir)/payload-$(subst /,,$(dir $(patsubst payloads/external/%,%,$(payload-git-dir-y)))).json
|
||||
payload-swid-template = $(patsubst $(build-dir)/%.json,$(src-dir)/%.json,$(payload-swid))
|
||||
endif
|
||||
endif
|
||||
|
||||
swid-files-$(CONFIG_SBOM_ME) += $(if $(CONFIG_SBOM_ME_GENERATE), $(build-dir)/intel-me.json, $(CONFIG_SBOM_ME_PATH))
|
||||
swid-files-$(CONFIG_SBOM_PAYLOAD) += $(if $(CONFIG_SBOM_PAYLOAD_GENERATE), $(payload-swid), $(CONFIG_SBOM_PAYLOAD_PATH))
|
||||
# TODO think about just using one CoSWID tag for all intel-microcode instead of one for each. maybe put each microcode into files entity of CoSWID tag?
|
||||
swid-files-$(CONFIG_SBOM_MICROCODE) += $(patsubst 3rdparty/intel-microcode/intel-ucode/%, $(build-dir)/intel-microcode-%.json, $(filter 3rdparty/intel-microcode/intel-ucode/%, $(cpu_microcode_bins)))
|
||||
swid-files-$(CONFIG_SBOM_MICROCODE) += $(patsubst ${FIRMWARE_LOCATION}/UcodePatch_%.bin, $(build-dir)/amd-microcode-%.json, $(filter ${FIRMWARE_LOCATION}/UcodePatch_%.bin, $(cpu_microcode_bins)))
|
||||
swid-files-$(CONFIG_SBOM_FSP) += $(CONFIG_SBOM_FSP_PATH)
|
||||
swid-files-$(CONFIG_SBOM_EC) += $(CONFIG_SBOM_EC_PATH)
|
||||
swid-files-$(CONFIG_SBOM_BIOS_ACM) += $(CONFIG_BIOS_ACM_PATH)
|
||||
swid-files-$(CONFIG_SBOM_SINIT_ACM) += $(CONFIG_SINIT_ACM_PATH)
|
||||
|
||||
vboot-pkgconfig-files = $(obj)/external/vboot_reference-bootblock/vboot_host.pc $(obj)/external/vboot_reference-romstage/vboot_host.pc $(obj)/external/vboot_reference-ramstage/vboot_host.pc $(obj)/external/vboot_reference-postcar/vboot_host.pc
|
||||
swid-files-$(CONFIG_SBOM_VBOOT) += $(vboot-pkgconfig-files)
|
||||
$(vboot-pkgconfig-files): $(VBOOT_LIB_bootblock) $(VBOOT_LIB_romstage) $(VBOOT_LIB_ramstage) $(VBOOT_LIB_postcar) # src/security/vboot/Makefile.inc
|
||||
|
||||
ifeq ($(CONFIG_SBOM_COMPILER),y)
|
||||
ifeq ($(CONFIG_ANY_TOOLCHAIN),y)
|
||||
swid-files-compiler = $(build-dir)/compiler-generic.json
|
||||
else ifeq ($(CONFIG_COMPILER_GCC),y)
|
||||
swid-files-compiler = $(build-dir)/compiler-gcc.json
|
||||
else ifeq ($(CONFIG_COMPILER_LLVM_CLANG),y)
|
||||
swid-files-compiler = $(build-dir)/compiler-clang.json
|
||||
endif
|
||||
compiler-toolchain = $(CC_bootblock) $(CC_romstage) $(CC_ramstage) $(CC_postcar) $(CC_verstage) $(LD_bootblock) $(LD_romstage) $(LD_ramstage) $(LD_postcar) $(LD_verstage) $(AS_bootblock) $(AS_romstage) $(AS_ramstage) $(AS_postcar) $(AS_verstage)
|
||||
endif
|
||||
|
||||
coreboot-licenses = $(foreach license, $(patsubst %.txt, %, $(filter-out retained-copyrights.txt, $(patsubst LICENSES/%, %, $(wildcard LICENSES/*)))), https://spdx.org/licenses/$(license).html)
|
||||
|
||||
# only include CBFS SBOM section if there is any data for it
|
||||
ifeq ($(CONFIG_SBOM),y)
|
||||
cbfs-files-y += sbom
|
||||
sbom-file = $(build-dir)/sbom.uswid
|
||||
sbom-type = raw
|
||||
endif
|
||||
|
||||
## Build final SBOM (Software Bill of Materials) file in uswid format
|
||||
|
||||
$(build-dir)/sbom.uswid: $(build-dir)/coreboot.json $(swid-files-y) $(swid-files-compiler) | $(build-dir)/goswid $(build-dir)
|
||||
echo " SBOM " $^
|
||||
$(build-dir)/goswid convert -o $@ \
|
||||
--parent $(build-dir)/coreboot.json \
|
||||
$(if $(swid-files-y), --requires $$(echo $(swid-files-y) | tr ' ' ','),) \
|
||||
$(if $(swid-files-compiler), --compiler $(swid-files-compiler),)
|
||||
|
||||
# all build files depend on the $(build-dir) directory being created
|
||||
$(build-dir):
|
||||
mkdir -p $(build-dir)
|
||||
|
||||
$(build-dir)/goswid: | $(build-dir)
|
||||
echo " SBOM building goswid tool"
|
||||
cd util/goswid; \
|
||||
GO111MODULE=on go build -o $(abspath $@) ./cmd/goswid
|
||||
|
||||
## Generate all .json files
|
||||
|
||||
$(build-dir)/compiler-%.json: $(src-dir)/compiler-%.json | $(build-dir)/goswid
|
||||
cp $< $@
|
||||
for tool in $$(echo $(compiler-toolchain) | tr ' ' '\n' | sort | uniq); do \
|
||||
version=$$($$tool --version 2>&1 | head -n 1 | grep -Eo '([0-9]+\.[0-9]+\.*[0-9]*)'); \
|
||||
$(build-dir)/goswid add-payload-file -o $@ -i $@ --name $$(basename $$tool) --version $$version; \
|
||||
done
|
||||
|
||||
$(build-dir)/coreboot.json: $(src-dir)/coreboot.json .git/HEAD | $(build-dir)/goswid
|
||||
cp $< $@
|
||||
git_tree_hash=$$(git log -n 1 --format=%T);\
|
||||
git_comm_hash=$$(git log -n 1 --format=%H);\
|
||||
sed -i -e "s/<colloquial_version>/$$git_tree_hash/" -e "s/<software_version>/$$git_comm_hash/" $@;\
|
||||
$(build-dir)/goswid add-license -o $@ -i $@ $(coreboot-licenses)
|
||||
|
||||
$(build-dir)/intel-me.json: $(src-dir)/intel-me.json $(CONFIG_ME_BIN_PATH) | $(build-dir)
|
||||
cp $< $@
|
||||
#TODO put more Intel Management Engine metadata in sbom file
|
||||
|
||||
|
||||
$(build-dir)/generic-fsp.json: $(src-dir)/generic-fsp.json $(CONFIG_FSP_S_FILE) $(CONFIG_FSP_T_FILE) $(CONFIG_FSP_M_FILE) | $(build-dir)/goswid
|
||||
cp $(src-dir)/generic-fsp.json $@
|
||||
ifneq ($(CONFIG_FSP_S_FILE),)
|
||||
echo " SBOM Adding FSP-S"
|
||||
$(build-dir)/goswid add-payload-file -o $@ -i $@ --name "FSP-S"
|
||||
endif
|
||||
ifneq ($(CONFIG_FSP_T_FILE),)
|
||||
echo " SBOM Adding FSP-T"
|
||||
$(build-dir)/goswid add-payload-file -o $@ -i $@ --name "FSP-T"
|
||||
endif
|
||||
ifneq ($(CONFIG_FSP_M_FILE),)
|
||||
echo " SBOM Adding FSP-M"
|
||||
$(build-dir)/goswid add-payload-file -o $@ -i $@ --name "FSP-M"
|
||||
endif
|
||||
|
||||
$(build-dir)/intel-microcode-%.json: $(src-dir)/intel-microcode.json 3rdparty/intel-microcode/intel-ucode/% | $(build-dir) $(build-dir)/goswid
|
||||
cp $< $@
|
||||
year=$$(hexdump --skip 8 --length 2 --format '"%04x"' $(word 2,$^));\
|
||||
day=$$(hexdump --skip 10 --length 1 --format '"%02x"' $(word 2,$^));\
|
||||
month=$$(hexdump --skip 11 --length 1 --format '"%02x"' $(word 2,$^));\
|
||||
sed -i "s/<software_version>/$$year-$$month-$$day/" $@
|
||||
#TODO add cpuid (processor family, model, stepping) as extra attribute
|
||||
|
||||
$(build-dir)/amd-microcode-%.json: $(src-dir)/amd-microcode.json ${FIRMWARE_LOCATION}/UcodePatch_%.bin | $(build-dir) $(build-dir)/goswid
|
||||
cp $< $@
|
||||
year=$$(hexdump --skip 0 --length 2 --format '"%04x"' $(word 2,$^));\
|
||||
day=$$(hexdump --skip 2 --length 1 --format '"%02x"' $(word 2,$^));\
|
||||
month=$$(hexdump --skip 3 --length 1 --format '"%02x"' $(word 2,$^));\
|
||||
sed -i "s/<software_version>/$$year-$$month-$$day/" $@
|
||||
|
||||
$(payload-swid): $(payload-swid-template) $(CONFIG_PAYLOAD_FILE) | $(build-dir)
|
||||
cp $< $@;\
|
||||
git_tree_hash=$$(git --git-dir $(payload-git-dir-y)/.git log -n 1 --format=%T);\
|
||||
git_comm_hash=$$(git --git-dir $(payload-git-dir-y)/.git log -n 1 --format=%H);\
|
||||
sed -i -e "s/<colloquial_version>/$$git_tree_hash/" -e "s/<software_version>/$$git_comm_hash/" $@;
|
|
@ -0,0 +1,25 @@
|
|||
tag-ids were generated as follows. Note that tag-ids are currently only unique inside the SBOM itself, not globally.
|
||||
payload-BOOTBOOT: uuidgen --name bootboot --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
|
||||
payload-depthcharge: uuidgen --name depthcharge --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
|
||||
payload-FILO: uuidgen --name filo --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
|
||||
payload-GRUB2: uuidgen --name grub2 --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
|
||||
payload-iPXE: uuidgen --name iPXE --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
|
||||
payload-LinuxBoot: uuidgen --name linuxboot --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
|
||||
payload-SeaBIOS: uuidgen --name seabios --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
|
||||
payload-skiboot: uuidgen --name skiboot --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
|
||||
payload-U-Boot: uuidgen --name uboot --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
|
||||
payload-Yabits: uuidgen --name yabits --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
|
||||
coreboot: uuidgen --name coreboot --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
|
||||
generic-ec: uuidgen --name generic-ec --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
|
||||
intel-me: uuidgen --name intel-me --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
|
||||
intel-bios-acm: uuidgen --name intel-bios-acm --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
|
||||
intel-sinit-acm: uuidgen --name intel-sinit-acm --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
|
||||
intel-fsp-s: uuidgen --name intel-fsp-s --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
|
||||
intel-fsp-m: uuidgen --name intel-fsp-m --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
|
||||
intel-fsp-t: uuidgen --name intel-fsp-t --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
|
||||
intel-fsp: uuidgen --name intel-fsp --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
|
||||
intel-mircocode: uuidgen --name intel-microcode --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
|
||||
amd-mircocode: uuidgen --name amd-microcode --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
|
||||
compiler-gcc: uuidgen --name compiler-gcc --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
|
||||
compiler-clang: uuidgen --name compiler-clang --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
|
||||
compiler-generic: uuidgen --name compiler-generic --namespace "6ba7b810-9dad-11d1-80b4-00c04fd430c8" --sha1
|
|
@ -0,0 +1,24 @@
|
|||
/* SPDX-License-Identifier: GPL-2.0-only */
|
||||
{
|
||||
"lang": "en-US",
|
||||
"tag-id": "082d7533-575e-5914-a599-728f636b8f78",
|
||||
"tag-version": 0,
|
||||
"software-name": "AMD-Microcode",
|
||||
"software-version": "<software_version>",
|
||||
"version-scheme": "alphanumeric",
|
||||
"software-meta": [
|
||||
{
|
||||
"persistent-id": "com.amd.microcode",
|
||||
"summary": "Micrcode Updates for AMD Processors"
|
||||
}
|
||||
],
|
||||
"entity": [
|
||||
{
|
||||
"entity-name": "coreboot",
|
||||
"reg-id": "coreboot.org",
|
||||
"role": [
|
||||
"tagCreator"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
|
@ -0,0 +1,21 @@
|
|||
/* SPDX-License-Identifier: GPL-2.0-only */
|
||||
{
|
||||
"lang": "en-US",
|
||||
"tag-id": "56ed2b98-6b90-574f-aa1d-11579df90e25",
|
||||
"tag-version": 0,
|
||||
"software-name": "clang",
|
||||
"software-meta": [
|
||||
{
|
||||
"persistent-id": "org.llvm.clang"
|
||||
}
|
||||
],
|
||||
"entity": [
|
||||
{
|
||||
"entity-name": "coreboot",
|
||||
"reg-id": "coreboot.org",
|
||||
"role": [
|
||||
"tagCreator"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
|
@ -0,0 +1,21 @@
|
|||
/* SPDX-License-Identifier: GPL-2.0-only */
|
||||
{
|
||||
"lang": "en-US",
|
||||
"tag-id": "8e0d0fd3-1116-50ad-ba5f-599c8117c42b",
|
||||
"tag-version": 0,
|
||||
"software-name": "GCC",
|
||||
"software-meta": [
|
||||
{
|
||||
"persistent-id": "org.gnu.gcc"
|
||||
}
|
||||
],
|
||||
"entity": [
|
||||
{
|
||||
"entity-name": "coreboot",
|
||||
"reg-id": "coreboot.org",
|
||||
"role": [
|
||||
"tagCreator"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
|
@ -0,0 +1,15 @@
|
|||
/* SPDX-License-Identifier: GPL-2.0-only */
|
||||
{
|
||||
"lang": "en-US",
|
||||
"tag-id": "a79cee21-97a6-53e5-8e41-65b084a7b90e",
|
||||
"tag-version": 0,
|
||||
"entity": [
|
||||
{
|
||||
"entity-name": "coreboot",
|
||||
"reg-id": "coreboot.org",
|
||||
"role": [
|
||||
"tagCreator"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
|
@ -0,0 +1,25 @@
|
|||
/* SPDX-License-Identifier: GPL-2.0-only */
|
||||
{
|
||||
"lang": "en-US",
|
||||
"tag-id": "a9032c9d-2aaa-5a25-a0e6-6d865b24e6d2",
|
||||
"tag-version": 0,
|
||||
"software-name": "coreboot",
|
||||
"software-version": "<software_version>",
|
||||
"version-scheme": "alphanumeric",
|
||||
"software-meta": [
|
||||
{
|
||||
"colloquial-version": "<colloquial_version>",
|
||||
"persistent-id": "org.coreboot.rocks",
|
||||
"summary": "coreboot is a project to develop open source boot firmware for various architectures"
|
||||
}
|
||||
],
|
||||
"entity": [
|
||||
{
|
||||
"entity-name": "coreboot",
|
||||
"reg-id": "coreboot.org",
|
||||
"role": [
|
||||
"tagCreator"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
|
@ -0,0 +1,21 @@
|
|||
/* SPDX-License-Identifier: GPL-2.0-only */
|
||||
{
|
||||
"lang": "en-US",
|
||||
"tag-id": "cb643972-4544-525e-a25e-31651fe9fcbe",
|
||||
"tag-version": 0,
|
||||
"software-name": "Embedded Controller Firmware",
|
||||
"software-meta": [
|
||||
{
|
||||
"summary": "The Embedded Controller is a microcontroller which handles various tasks such as power management and keyboard control"
|
||||
}
|
||||
],
|
||||
"entity": [
|
||||
{
|
||||
"entity-name": "coreboot",
|
||||
"reg-id": "coreboot.org",
|
||||
"role": [
|
||||
"tagCreator"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
|
@ -0,0 +1,22 @@
|
|||
/* SPDX-License-Identifier: GPL-2.0-only */
|
||||
{
|
||||
"lang": "en-US",
|
||||
"tag-id": "719e6299-4355-5beb-b182-9cf47928515a",
|
||||
"tag-version": 0,
|
||||
"software-name": "Firmware Support Package",
|
||||
"software-meta": [
|
||||
{
|
||||
"product": "Firmware Support Package",
|
||||
"summary": "Firmware Support Package is a binary which exports an API implementing memory and silicon initialization (e.g. Intel FSP or AMD AGESA)"
|
||||
}
|
||||
],
|
||||
"entity": [
|
||||
{
|
||||
"entity-name": "coreboot",
|
||||
"reg-id": "coreboot.org",
|
||||
"role": [
|
||||
"tagCreator"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
|
@ -0,0 +1,16 @@
|
|||
/* SPDX-License-Identifier: GPL-2.0-only */
|
||||
{
|
||||
"lang": "en-US",
|
||||
"tag-id": "2de383e0-1721-5369-8511-e3d07743b09a",
|
||||
"tag-version": 0,
|
||||
"software-name": "Intel BIOS ACM",
|
||||
"entity": [
|
||||
{
|
||||
"entity-name": "coreboot",
|
||||
"reg-id": "coreboot.org",
|
||||
"role": [
|
||||
"tagCreator"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
|
@ -0,0 +1,21 @@
|
|||
/* SPDX-License-Identifier: GPL-2.0-only */
|
||||
{
|
||||
"lang": "en-US",
|
||||
"tag-id": "9579af2b-39d8-59f1-ac5a-5b1fd4c03bd0",
|
||||
"tag-version": 0,
|
||||
"software-name": "Intel Management Engine",
|
||||
"software-meta": [
|
||||
{
|
||||
"persistent-id": "com.intel.me"
|
||||
}
|
||||
],
|
||||
"entity": [
|
||||
{
|
||||
"entity-name": "coreboot",
|
||||
"reg-id": "coreboot.org",
|
||||
"role": [
|
||||
"tagCreator"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
|
@ -0,0 +1,24 @@
|
|||
/* SPDX-License-Identifier: GPL-2.0-only */
|
||||
{
|
||||
"lang": "en-US",
|
||||
"tag-id": "23edb84c-5d68-544e-b389-8a67f6c80247",
|
||||
"tag-version": 0,
|
||||
"software-name": "Intel-Microcode",
|
||||
"software-version": "<software_version>",
|
||||
"version-scheme": "alphanumeric",
|
||||
"software-meta": [
|
||||
{
|
||||
"persistent-id": "com.intel.microcode",
|
||||
"summary": "Micrcode Updates for Intel Processors"
|
||||
}
|
||||
],
|
||||
"entity": [
|
||||
{
|
||||
"entity-name": "coreboot",
|
||||
"reg-id": "coreboot.org",
|
||||
"role": [
|
||||
"tagCreator"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
|
@ -0,0 +1,16 @@
|
|||
/* SPDX-License-Identifier: GPL-2.0-only */
|
||||
{
|
||||
"lang": "en-US",
|
||||
"tag-id": "231b1f39-28c2-596a-a33e-3d2d6570888f",
|
||||
"tag-version": 0,
|
||||
"software-name": "Intel SINIT ACM",
|
||||
"entity": [
|
||||
{
|
||||
"entity-name": "coreboot",
|
||||
"reg-id": "coreboot.org",
|
||||
"role": [
|
||||
"tagCreator"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
|
@ -0,0 +1,25 @@
|
|||
/* SPDX-License-Identifier: GPL-2.0-only */
|
||||
{
|
||||
"lang": "en-US",
|
||||
"tag-id": "978ba556-e0f4-592d-9a70-413138653155",
|
||||
"tag-version": 0,
|
||||
"software-name": "BOOTBOOT",
|
||||
"software-version": "<software_version>",
|
||||
"version-scheme": "alphanumeric",
|
||||
"software-meta": [
|
||||
{
|
||||
"colloquial-version": "<colloquial_version>",
|
||||
"persistent-id": "",
|
||||
"summary": "BOOTBOOT multi platform micro-kernel loader"
|
||||
}
|
||||
],
|
||||
"entity": [
|
||||
{
|
||||
"entity-name": "coreboot",
|
||||
"reg-id": "coreboot.org",
|
||||
"role": [
|
||||
"tagCreator"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
|
@ -0,0 +1,25 @@
|
|||
/* SPDX-License-Identifier: GPL-2.0-only */
|
||||
{
|
||||
"lang": "en-US",
|
||||
"tag-id": "047d005b-bb24-58d6-a7cc-76ace2e2759e",
|
||||
"tag-version": 0,
|
||||
"software-name": "FILO",
|
||||
"software-version": "<software_version>",
|
||||
"version-scheme": "alphanumeric",
|
||||
"software-meta": [
|
||||
{
|
||||
"colloquial-version": "<colloquial_version>",
|
||||
"persistent-id": "org.filo",
|
||||
"summary": "FILO is a bootloader which loads boot images from a local filesystem, without help from legacy BIOS services"
|
||||
}
|
||||
],
|
||||
"entity": [
|
||||
{
|
||||
"entity-name": "coreboot",
|
||||
"reg-id": "coreboot.org",
|
||||
"role": [
|
||||
"tagCreator"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
|
@ -0,0 +1,25 @@
|
|||
/* SPDX-License-Identifier: GPL-2.0-only */
|
||||
{
|
||||
"lang": "en-US",
|
||||
"tag-id": "0e801aae-699e-5674-94a0-9259afb7d12f",
|
||||
"tag-version": 0,
|
||||
"software-name": "GRUB2",
|
||||
"software-version": "<software_version>",
|
||||
"version-scheme": "alphanumeric",
|
||||
"software-meta": [
|
||||
{
|
||||
"colloquial-version": "<colloquial_version>",
|
||||
"persistent-id": "org.grub",
|
||||
"summary": "GNU GRUB is a boot loader, which can load a wide variety of free and proprietary operating systems with chain-loading"
|
||||
}
|
||||
],
|
||||
"entity": [
|
||||
{
|
||||
"entity-name": "coreboot",
|
||||
"reg-id": "coreboot.org",
|
||||
"role": [
|
||||
"tagCreator"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
|
@ -0,0 +1,25 @@
|
|||
/* SPDX-License-Identifier: GPL-2.0-only */
|
||||
{
|
||||
"lang": "en-US",
|
||||
"tag-id": "792c4921-cb02-54ac-8b61-c359336f3600",
|
||||
"tag-version": 0,
|
||||
"software-name": "LinuxBoot",
|
||||
"software-version": "<software_version>",
|
||||
"version-scheme": "alphanumeric",
|
||||
"software-meta": [
|
||||
{
|
||||
"colloquial-version": "<colloquial_version>",
|
||||
"persistent-id": "org.linuxboot",
|
||||
"summary": "LinuxBoot is a firmware for modern servers that replaces specific firmware functionality like the UEFI DXE phase with a Linux kernel and runtime"
|
||||
}
|
||||
],
|
||||
"entity": [
|
||||
{
|
||||
"entity-name": "coreboot",
|
||||
"reg-id": "coreboot.org",
|
||||
"role": [
|
||||
"tagCreator"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
|
@ -0,0 +1,25 @@
|
|||
/* SPDX-License-Identifier: GPL-2.0-only */
|
||||
{
|
||||
"lang": "en-US",
|
||||
"tag-id": "e5a249ad-04bb-5b63-a587-ceb7b0e331c9",
|
||||
"tag-version": 0,
|
||||
"software-name": "Seabios",
|
||||
"software-version": "<software_version>",
|
||||
"version-scheme": "alphanumeric",
|
||||
"software-meta": [
|
||||
{
|
||||
"colloquial-version": "<colloquial_version>",
|
||||
"persistent-id": "org.seabios",
|
||||
"summary": "SeaBIOS is an open-source legacy BIOS implementation which can be used as a coreboot payload. It implements the standard BIOS calling interfaces that a typical x86 proprietary BIOS implements"
|
||||
}
|
||||
],
|
||||
"entity": [
|
||||
{
|
||||
"entity-name": "coreboot",
|
||||
"reg-id": "coreboot.org",
|
||||
"role": [
|
||||
"tagCreator"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
|
@ -0,0 +1,25 @@
|
|||
/* SPDX-License-Identifier: GPL-2.0-only */
|
||||
{
|
||||
"lang": "en-US",
|
||||
"tag-id": "b714bb4f-c590-5bb7-af60-65374ecd097d",
|
||||
"tag-version": 0,
|
||||
"software-name": "U-Boot",
|
||||
"software-version": "<software_version>",
|
||||
"version-scheme": "alphanumeric",
|
||||
"software-meta": [
|
||||
{
|
||||
"colloquial-version": "<colloquial_version>",
|
||||
"persistent-id": "org.u-boot",
|
||||
"summary": "Das U-Boot (subtitled 'the Universal Boot Loader') is an open-source, primary boot loader used in embedded devices to package the instructions to boot the device's operating system kernel"
|
||||
}
|
||||
],
|
||||
"entity": [
|
||||
{
|
||||
"entity-name": "coreboot",
|
||||
"reg-id": "coreboot.org",
|
||||
"role": [
|
||||
"tagCreator"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
|
@ -0,0 +1,25 @@
|
|||
/* SPDX-License-Identifier: GPL-2.0-only */
|
||||
{
|
||||
"lang": "en-US",
|
||||
"tag-id": "a8c6b076-e3c2-5a8f-91c9-151aa7bd3284",
|
||||
"tag-version": 0,
|
||||
"software-name": "depthcharge",
|
||||
"software-version": "<software_version>",
|
||||
"version-scheme": "alphanumeric",
|
||||
"software-meta": [
|
||||
{
|
||||
"colloquial-version": "<colloquial_version>",
|
||||
"persistent-id": "org.depthcharge",
|
||||
"summary": "Depthcharge is a payload used by google to load and verify the Linux Kernel, run recovery mode, or boot to alternate payloads on ChromeOS devices"
|
||||
}
|
||||
],
|
||||
"entity": [
|
||||
{
|
||||
"entity-name": "coreboot",
|
||||
"reg-id": "coreboot.org",
|
||||
"role": [
|
||||
"tagCreator"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
|
@ -0,0 +1,25 @@
|
|||
/* SPDX-License-Identifier: GPL-2.0-only */
|
||||
{
|
||||
"lang": "en-US",
|
||||
"tag-id": "5f700e15-4845-57b5-a4bb-44e698ce4947",
|
||||
"tag-version": 0,
|
||||
"software-name": "iPXE",
|
||||
"software-version": "<software_version>",
|
||||
"version-scheme": "alphanumeric",
|
||||
"software-meta": [
|
||||
{
|
||||
"colloquial-version": "<colloquial_version>",
|
||||
"persistent-id": "org.ipxe",
|
||||
"summary": "iPXE is an open source network boot firmware. It provides a full PXE implementation enhanced with additional features"
|
||||
}
|
||||
],
|
||||
"entity": [
|
||||
{
|
||||
"entity-name": "coreboot",
|
||||
"reg-id": "coreboot.org",
|
||||
"role": [
|
||||
"tagCreator"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
|
@ -0,0 +1,25 @@
|
|||
/* SPDX-License-Identifier: GPL-2.0-only */
|
||||
{
|
||||
"lang": "en-US",
|
||||
"tag-id": "239e03d9-06b0-5ed0-a409-3c32f7f2ee2a",
|
||||
"tag-version": 0,
|
||||
"software-name": "skiboot",
|
||||
"software-version": "<software_version>",
|
||||
"version-scheme": "alphanumeric",
|
||||
"software-meta": [
|
||||
{
|
||||
"colloquial-version": "<colloquial_version>",
|
||||
"persistent-id": "org.skiboot",
|
||||
"summary": "Skiboot is boot and runtime firmware for OpenPOWER systems. It’s loaded by earlier boot firmware (typically Hostboot). Along with loading the bootloader, it provides some runtime services to the OS (typically Linux)"
|
||||
}
|
||||
],
|
||||
"entity": [
|
||||
{
|
||||
"entity-name": "coreboot",
|
||||
"reg-id": "coreboot.org",
|
||||
"role": [
|
||||
"tagCreator"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
|
@ -32,7 +32,8 @@ $$(VBOOT_LIB_$(1)): $(obj)/config.h
|
|||
$(MAKE) -C $(VBOOT_SOURCE) \
|
||||
BUILD=$$(abspath $$(dir $$(VBOOT_LIB_$(1)))) \
|
||||
V=$(V) \
|
||||
fwlib
|
||||
fwlib \
|
||||
$(if $(CONFIG_INCLUDE_VBOOT_SBOM),$$(abspath $$(dir $$(VBOOT_LIB_$(1))))/vboot_host.pc)
|
||||
|
||||
$(1)-srcs += $$(VBOOT_LIB_$(1))
|
||||
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
Subproject commit bdd55e42029b8ef734abfd56efe789d41996bfd4
|
|
@ -93,6 +93,7 @@ endif
|
|||
exit 1; \
|
||||
fi
|
||||
cd 3rdparty/intel-sec-tools/ ; go mod vendor
|
||||
cd util/goswid ; go mod vendor
|
||||
util/abuild/abuild -o $(COREBOOT_BUILD_DIR)/chromeos $(ABUILD_OPTIONS) -x -X $(top)/abuild-chromeos.xml
|
||||
util/abuild/abuild -o $(COREBOOT_BUILD_DIR)/default $(ABUILD_OPTIONS)
|
||||
$(foreach tool, $(TOOLLIST), $(MAKE) CPUS=$(CPUS) V=$(V) Q=$(Q) BLD_DIR="util/$(tool)" BLD="$(tool)" MFLAGS= MAKEFLAGS= MAKETARGET= junit.xml; )
|
||||
|
|
Loading…
Reference in New Issue