diff --git a/src/mainboard/intel/galileo/Kconfig b/src/mainboard/intel/galileo/Kconfig index e941448b48..f31ca5e9f7 100644 --- a/src/mainboard/intel/galileo/Kconfig +++ b/src/mainboard/intel/galileo/Kconfig @@ -1,7 +1,7 @@ ## ## This file is part of the coreboot project. ## -## Copyright (C) 2015-2016 Intel Corp. +## Copyright (C) 2015-2017 Intel Corp. ## ## This program is free software; you can redistribute it and/or modify ## it under the terms of the GNU General Public License as published by @@ -147,4 +147,36 @@ config FSP_DEBUG_ALL FSP_CALLS_AND_STATUS, FSP_HEADER, POSTCAR_CONSOLE and VERIFY_HOBS or FSP 1.1 DISPLAY_FSP_ENTRY_POINTS +config VBOOT_WITH_CRYPTO_SHIELD + bool "Verified boot using the Crypto Shield board" + default n + select COLLECT_TIMESTAMPS + select I2C_TPM + select MAINBOARD_HAS_I2C_TPM_ATMEL + select SEPARATE_VERSTAGE + select VBOOT + select VBOOT_STARTS_IN_BOOTBLOCK + select VBOOT_SOFT_REBOOT_WORKAROUND + select VBOOT_VBNV_CMOS + help + Perform a verified boot using the TPM on the Crypto Shield board. + +config DRIVER_TPM_I2C_ADDR + hex "Address of the I2C TPM chip" + depends on VBOOT_WITH_CRYPTO_SHIELD + default 0x29 + help + I2C address of the TPM chip on the Crypto Shield board. + +config FMDFILE + string "FMAP description file in fmd format" + depends on VBOOT + default "src/mainboard/$(CONFIG_MAINBOARD_DIR)/vboot.fmd" + help + The build system creates a default FMAP from ROM_SIZE and CBFS_SIZE, + but in some cases more complex setups are required. + + When an FMD descriptionn file is specified, the build system uses it + instead of creating a default FMAP file. + endif # BOARD_INTEL_QUARK diff --git a/src/mainboard/intel/galileo/Makefile.inc b/src/mainboard/intel/galileo/Makefile.inc index 16b2b4ac99..f2fda318c0 100644 --- a/src/mainboard/intel/galileo/Makefile.inc +++ b/src/mainboard/intel/galileo/Makefile.inc 
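Review bot: The help text for `VBOOT_WITH_CRYPTO_SHIELD` says only that a verified boot is performed, and does not mention that vboot.c in this same commit hard-codes `get_write_protect_state()` and `get_sw_write_protect_state()` to 0 ("Not write protected") and the recovery and developer switches to 0. Verified boot relies on the read-only firmware section being immutable, so anyone enabling this option should be told that the board reports its flash as unprotected. I would extend the help with a line such as `The board code reports the SPI flash as not write protected; protect the read-only section by other means before relying on this for security.` Separately, `descriptionn` in the `FMDFILE` help is a typo for `description`.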
@@ -20,8 +20,13 @@ endif bootblock-y += gpio.c bootblock-y += reg_access.c +verstage-y += gpio.c +verstage-y += reg_access.c +verstage-$(CONFIG_VBOOT) += vboot.c + romstage-y += gpio.c romstage-y += reg_access.c +romstage-$(CONFIG_VBOOT) += vboot.c postcar-y += gpio.c postcar-y += reg_access.c diff --git a/src/mainboard/intel/galileo/gen1.h b/src/mainboard/intel/galileo/gen1.h index 23b23091d2..524daf8f67 100644 --- a/src/mainboard/intel/galileo/gen1.h +++ b/src/mainboard/intel/galileo/gen1.h @@ -1,7 +1,7 @@ /* * This file is part of the coreboot project. * - * Copyright (C) 2016 Intel Corp. + * Copyright (C) 2016-2017 Intel Corp. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -150,3 +150,29 @@ static const struct reg_script gen1_i2c_0x21_init[] = { REG_SCRIPT_END }; + +static const struct reg_script gen1_tpm_reset_0x20[] = { + /* Reset the TPM using SW_RESET_N_SHLD (GPORT5_BIT1): + * low, output, delay, input + */ + REG_I2C_AND(GEN1_I2C_GPIO_EXP_0x20, GEN1_GPIO_EXP_OUTPUT5, ~BIT1), + REG_I2C_WRITE(GEN1_I2C_GPIO_EXP_0x20, GEN1_GPIO_EXP_PORT_SELECT, 5), + REG_I2C_AND(GEN1_I2C_GPIO_EXP_0x20, GEN1_GPIO_EXP_PORT_DIR, ~BIT1), + TIME_DELAY_USEC(5), + REG_I2C_OR(GEN1_I2C_GPIO_EXP_0x20, GEN1_GPIO_EXP_PORT_DIR, BIT1), + + REG_SCRIPT_END +}; + +static const struct reg_script gen1_tpm_reset_0x21[] = { + /* Reset the TPM using SW_RESET_N_SHLD (GPORT5_BIT1): + * low, output, delay, input + */ + REG_I2C_AND(GEN1_I2C_GPIO_EXP_0x21, GEN1_GPIO_EXP_OUTPUT5, ~BIT1), + REG_I2C_WRITE(GEN1_I2C_GPIO_EXP_0x21, GEN1_GPIO_EXP_PORT_SELECT, 5), + REG_I2C_AND(GEN1_I2C_GPIO_EXP_0x21, GEN1_GPIO_EXP_PORT_DIR, ~BIT1), + TIME_DELAY_USEC(5), + REG_I2C_OR(GEN1_I2C_GPIO_EXP_0x21, GEN1_GPIO_EXP_PORT_DIR, BIT1), + + REG_SCRIPT_END +}; diff --git a/src/mainboard/intel/galileo/gen2.h b/src/mainboard/intel/galileo/gen2.h index 10c832198e..253976e6df 100644 --- a/src/mainboard/intel/galileo/gen2.h 
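Review bot: The comment on `gen1_tpm_reset_0x20` and `gen1_tpm_reset_0x21` (and on `gen2_tpm_reset` in gen2.h, which has the same shape) describes the pin sequence but not what a software-driven TPM reset means for the trust model. SW_RESET_N_SHLD is driven through an I2C GPIO expander, so the TPM can be reset without the platform itself resetting, and TPM state is then no longer tied to the boot path having run. I would record that next to the scripts, for example `/* NOTE: TPM reset is software-controlled via the I/O expander and is not bound to a platform reset. */`. The `TIME_DELAY_USEC(5)` pulse width also has no stated source; a short reference to the TPM datasheet's minimum reset time would let a reader check it.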
+++ b/src/mainboard/intel/galileo/gen2.h @@ -1,7 +1,7 @@ /* * This file is part of the coreboot project. * - * Copyright (C) 2016 Intel Corp. + * Copyright (C) 2016-2017 Intel Corp. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -98,3 +98,15 @@ static const struct reg_script gen2_i2c_init[] = { REG_SCRIPT_END }; + +static const struct reg_script gen2_tpm_reset[] = { + /* Reset the TPM using SW_RESET_N_SHLD (EXP1 P1.7): + * low, output, delay, input + */ + REG_I2C_AND(GEN2_I2C_GPIO_EXP1, GEN2_GPIO_EXP_OUTPUT1, ~BIT7), + REG_I2C_AND(GEN2_I2C_GPIO_EXP1, GEN2_GPIO_EXP_CONFIG1, ~BIT7), + TIME_DELAY_USEC(5), + REG_I2C_OR(GEN2_I2C_GPIO_EXP1, GEN2_GPIO_EXP_CONFIG1, BIT7), + + REG_SCRIPT_END +}; diff --git a/src/mainboard/intel/galileo/vboot.c b/src/mainboard/intel/galileo/vboot.c new file mode 100644 index 0000000000..cc8831eaeb --- /dev/null +++ b/src/mainboard/intel/galileo/vboot.c 
@@ -0,0 +1,111 @@ +/* + * Copyright (C) 2016-2017 Intel Corporation + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of + * the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but without any warranty; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include "reg_access.h" +#include "gen1.h" +#include "gen2.h" +#include +#include + +int clear_recovery_mode_switch(void) +{ + /* Nothing to do */ + return 0; +} + +int get_developer_mode_switch(void) +{ + return 0; +} + +int get_recovery_mode_switch(void) +{ + return 0; +} + +int get_sw_write_protect_state(void) +{ + /* Not write protected */ + return 0; +} + +int get_write_protect_state(void) +{ + /* Not write protected */ + return 0; +} + +void log_recovery_mode_switch(void) +{ +} + +void verstage_mainboard_init(void) +{ + const struct reg_script *script; + + /* Crypto Shield I2C Addresses: + * + * 0x29: AT97S3204T - TPM 1.2 + * 0x50: ATAES132 - AES-128 + * 0x60: ATECC108 - Elliptical Curve + * 0x64: ATSHA204 - SHA-256 + * 0x68: DS3231M - RTC + */ + + /* Determine the correct script for the board */ + if (IS_ENABLED(CONFIG_GALILEO_GEN2)) + script = gen2_i2c_init; + else + /* Determine which I2C address is in use */ + script = (reg_legacy_gpio_read (R_QNC_GPIO_RGLVL_RESUME_WELL) + & GALILEO_DETERMINE_IOEXP_SLA_RESUMEWELL_GPIO) + ? 
gen1_i2c_0x20_init : gen1_i2c_0x21_init; + + /* Direct the I2C SDA and SCL signals to the Arduino connector */ + reg_script_run(script); +} + +void __attribute__((weak)) vboot_platform_prepare_reboot(void) +{ + const struct reg_script *script; + + /* Crypto Shield I2C Addresses: + * + * 0x29: AT97S3204T - TPM 1.2 + * 0x50: ATAES132 - AES-128 + * 0x60: ATECC108 - Elliptical Curve + * 0x64: ATSHA204 - SHA-256 + * 0x68: DS3231M - RTC + */ + + /* Determine the correct script for the board */ + if (IS_ENABLED(CONFIG_GALILEO_GEN2)) + script = gen2_tpm_reset; + else + /* Determine which I2C address is in use */ + script = (reg_legacy_gpio_read (R_QNC_GPIO_RGLVL_RESUME_WELL) + & GALILEO_DETERMINE_IOEXP_SLA_RESUMEWELL_GPIO) + ? gen1_tpm_reset_0x20 : gen1_tpm_reset_0x21; + + /* Reset the TPM */ + reg_script_run(script); +} diff --git a/src/mainboard/intel/galileo/vboot.fmd b/src/mainboard/intel/galileo/vboot.fmd new file mode 100644 index 0000000000..55e41e56aa --- /dev/null +++ b/src/mainboard/intel/galileo/vboot.fmd 
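Review bot: `vboot_platform_prepare_reboot` is defined here with `__attribute__((weak))`, although this is the board's override rather than a default. If the generic vboot code also supplies a weak default (not visible in this diff), the link sees two weak definitions and the one kept depends on link order, so the TPM reset could silently not run before the reboot. The definition should be a strong symbol: `void vboot_platform_prepare_reboot(void)`. The gen1 expander-address selection is also written out twice, in `verstage_mainboard_init` and again here, and a small static helper returning the selected script would keep the two from drifting apart.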
@@ -0,0 +1,52 @@ +# +# Copyright (C) 2016-2017 Intel Corporation +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but without any warranty; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# + +FLASH@0xff800000 0x800000 { + SI_ALL@0x0 0x200000 { + SI_DESC@0x0 0x1000 + SI_ME@0x1000 0x1ff000 + } + SI_BIOS@0x200000 0x600000 { + RW_SECTION_A@0x0 0xf0000 { + VBLOCK_A@0x0 0x10000 + FW_MAIN_A(CBFS)@0x10000 0xdffc0 + RW_FWID_A@0xeffc0 0x40 + } + RW_SECTION_B@0xf0000 0xf0000 { + VBLOCK_B@0x0 0x10000 + FW_MAIN_B(CBFS)@0x10000 0xdffc0 + RW_FWID_B@0xeffc0 0x40 + } + RW_MRC_CACHE@0x1e0000 0x10000 + RW_ELOG@0x1f0000 0x4000 + RW_SHARED@0x1f4000 0x4000 { + SHARED_DATA@0x0 0x2000 + VBLOCK_DEV@0x2000 0x2000 + } + RW_VPD@0x1f8000 0x2000 + RW_NVRAM@0x1fa000 0x6000 + RW_LEGACY(CBFS)@0x200000 0x200000 + WP_RO@0x400000 0x200000 { + RO_VPD@0x0 0x4000 + RO_UNUSED@0x4000 0xc000 + RO_SECTION@0x10000 0x1f0000 { + FMAP@0x0 0x800 + RO_FRID@0x800 0x40 + RO_FRID_PAD@0x840 0x7c0 + GBB@0x1000 0x7f000 + COREBOOT(CBFS)@0x80000 0x170000 + } + } + } +}
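Review bot: The layout carries no comments, and its first 2 MiB are assigned to `SI_DESC` and `SI_ME`, names that describe a flash descriptor and a management-engine region. Nothing in this commit shows the Galileo flash holding either. A `#` comment above `SI_ALL` stating what occupies that range on this board, or that it is only reserved, would keep a reader from assuming those regions exist. `WP_RO` likewise implies a write-protected range, while vboot.c in this commit reports write protect as off, so a one-line comment on how that region is expected to be protected would be useful.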