mb/facebook/fbg1701: Add verified boot tables

The vendorcode for verified boot is uploaded, but not used by a mainboard.
Add support to the mainboard for verified boot.

The items to be verifed are placed in board_verified_boot.c

BUG=N/A
TEST=Boot Embedded Linux 4.20 and verify logging on Facebook FBG-1701 rev 0-2

Change-Id: I3ea0a95287977df0dea13e05acedd5406538a6ee
Signed-off-by: Frans Hendriks <fhendriks@eltan.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/33463
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Reviewed-by: Lance Zhao <lance.zhao@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>

src/mainboard/facebook/fbg1701/Kconfig

@@ -80,6 +80,10 @@ config FSP1_1_DISPLAY_LOGO
 	bool
 	default n
 
+config VENDORCODE_ELTAN_OEM_MANIFEST_LOC
+	hex "OEM Manifest working dflt"
+	default 0xFFFE9000
+
 config SPI_FLASH_INCLUDE_ALL_DRIVERS
 	bool
 	default n
@@ -96,4 +100,16 @@ config C_ENV_BOOTBLOCK_SIZE
 	hex "C Bootblock Size"
 	default 0x4000
 
+config VENDORCODE_ELTAN_VBOOT_SIGNED_MANIFEST
+	bool
+	default y
+
+config VENDORCODE_ELTAN_VBOOT_MANIFEST
+	string
+	default "mainboard/facebook/fbg1701/manifest.h"
+
+config VENDORCODE_ELTAN_VBOOT_KEY_LOCATION
+	hex "Key Location working dflt"
+	default 0xFFFF9C00
+
 endif # BOARD_FACEBOOK_FBG1701

src/mainboard/facebook/fbg1701/Makefile.inc

@@ -15,6 +15,13 @@
 ## GNU General Public License for more details.
 ##
 
+ifneq ($(filter y,$(CONFIG_VENDORCODE_ELTAN_VBOOT) $(CONFIG_VENDORCODE_ELTAN_MBOOT)),)
+bootblock-$(CONFIG_C_ENVIRONMENT_BOOTBLOCK) += board_verified_boot.c
+postcar-y += board_verified_boot.c
+ramstage-y += board_verified_boot.c
+romstage-y += board_verified_boot.c
+endif
+
 bootblock-$(CONFIG_C_ENVIRONMENT_BOOTBLOCK) += com_init.c
 
 ramstage-y += gpio.c

src/mainboard/facebook/fbg1701/board_verified_boot.c

@@ -0,0 +1,104 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright (C) 2018-2019 Eltan B.V.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+
+#include "board_verified_boot.h"
+
+#ifdef __BOOTBLOCK__
+/* The items verified by the bootblock, the bootblock will not measure the
+ * items to the TPM
+ */
+const verify_item_t bootblock_verify_list[] = {
+	{ VERIFY_FILE, ROMSTAGE, { { NULL, CBFS_TYPE_STAGE } },
+		HASH_IDX_ROM_STAGE, MBOOT_PCR_INDEX_0 },
+	{ VERIFY_BLOCK, "BootBlock",
+		{ { (void *)0xffffffff - CONFIG_C_ENV_BOOTBLOCK_SIZE + 1,
+		CONFIG_C_ENV_BOOTBLOCK_SIZE, } }, HASH_IDX_BOOTBLOCK,
+		MBOOT_PCR_INDEX_0 },
+	{ VERIFY_TERMINATOR, NULL, { { NULL, 0 } }, 0, 0 }
+};
+#endif
+
+#if defined(__ROMSTAGE__) || defined(__POSTCAR__)
+/* The FSP is already checked in romstage */
+static const verify_item_t ram_stage_additional_list[] = {
+	{ VERIFY_FILE, OP_ROM_VBT, { { NULL, CBFS_TYPE_RAW } },
+		HASH_IDX_OPROM, MBOOT_PCR_INDEX_2 },
+	{ VERIFY_FILE, "logo.bmp", { { NULL, CBFS_TYPE_RAW } },
+		HASH_IDX_LOGO, MBOOT_PCR_INDEX_2 },
+	{ VERIFY_FILE, "fallback/dsdt.aml", { { NULL, CBFS_TYPE_RAW } },
+		HASH_IDX_DSDT, MBOOT_PCR_INDEX_2 },
+	{ VERIFY_TERMINATOR, NULL, { { NULL, 0 } }, 0, 0 }
+	};
+#endif
+
+#ifdef __ROMSTAGE__
+/* The items used by the romstage */
+const verify_item_t romstage_verify_list[] = {
+	{ VERIFY_FILE, ROMSTAGE, { { NULL, CBFS_TYPE_STAGE } },
+		HASH_IDX_ROM_STAGE, MBOOT_PCR_INDEX_0 },
+	{ VERIFY_FILE, MICROCODE, { { NULL, CBFS_TYPE_MICROCODE } },
+		HASH_IDX_MICROCODE, MBOOT_PCR_INDEX_1 },
+	{ VERIFY_FILE, FSP, { { NULL, CBFS_TYPE_FSP } }, HASH_IDX_FSP,
+		MBOOT_PCR_INDEX_1 },
+	{ VERIFY_FILE, "spd.bin", { { NULL, CBFS_TYPE_SPD } },
+		HASH_IDX_SPD0, MBOOT_PCR_INDEX_1 },
+#if CONFIG(POSTCAR_STAGE)
+	{ VERIFY_FILE, POSTCAR, { { NULL, CBFS_TYPE_STAGE } },
+		HASH_IDX_POSTCAR_STAGE, MBOOT_PCR_INDEX_0 },
+#endif
+	{ VERIFY_BLOCK, "BootBlock",
+		{ { (void *)0xffffffff - CONFIG_C_ENV_BOOTBLOCK_SIZE + 1,
+		CONFIG_C_ENV_BOOTBLOCK_SIZE, } }, HASH_IDX_BOOTBLOCK,
+		MBOOT_PCR_INDEX_0 },
+	{ VERIFY_TERMINATOR, NULL, { { NULL, 0 } }, 0, 0 }
+};
+
+/* The items  used by the ramstage */
+const verify_item_t ramstage_verify_list[] = {
+	{ VERIFY_FILE, RAMSTAGE, { { ram_stage_additional_list,
+		CBFS_TYPE_STAGE } }, HASH_IDX_RAM_STAGE, MBOOT_PCR_INDEX_0 },
+	{ VERIFY_TERMINATOR, NULL, { { NULL, 0 } }, 0, 0 }
+};
+#endif
+
+#ifdef __POSTCAR__
+/* POSTSTAGE */
+/* The items used by the postcar stage */
+const verify_item_t postcar_verify_list[] = {
+	{ VERIFY_FILE, RAMSTAGE, { { ram_stage_additional_list,
+		CBFS_TYPE_STAGE } }, HASH_IDX_RAM_STAGE, MBOOT_PCR_INDEX_0 },
+	{ VERIFY_FILE, MICROCODE, { { NULL, CBFS_TYPE_MICROCODE } },
+		HASH_IDX_MICROCODE, MBOOT_PCR_INDEX_1 },
+	{ VERIFY_FILE, FSP, { { NULL, CBFS_TYPE_FSP } }, HASH_IDX_FSP,
+		MBOOT_PCR_INDEX_1 },
+	{ VERIFY_FILE, "spd.bin", { { NULL, CBFS_TYPE_SPD } }, HASH_IDX_SPD0,
+		MBOOT_PCR_INDEX_1 },
+	{ VERIFY_TERMINATOR, NULL, { { NULL, 0 } }, 0, 0 }
+};
+#endif
+
+#ifdef __RAMSTAGE__
+/* RAMSTAGE */
+const verify_item_t payload_verify_list[] = {
+	{ VERIFY_FILE, PAYLOAD, { { NULL, CBFS_TYPE_SELF |
+		VERIFIED_BOOT_COPY_BLOCK } }, HASH_IDX_PAYLOAD,
+		MBOOT_PCR_INDEX_3 },
+	{ VERIFY_TERMINATOR, NULL, { { NULL, 0 } }, 0, 0 }
+};
+
+const verify_item_t oprom_verify_list[] = {
+	{ VERIFY_TERMINATOR, NULL, { { NULL, 0 } }, 0, 0 }
+};
+#endif

src/mainboard/facebook/fbg1701/board_verified_boot.h

@@ -0,0 +1,23 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright (C) 2018 Eltan B.V.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+
+#ifndef BOARD_VERIFIED_BOOT_H
+#define BOARD_VERIFIED_BOOT_H
+
+#include <soc/romstage.h>
+#include <vboot_check.h>
+#include "onboard.h"
+
+#endif

src/mainboard/facebook/fbg1701/manifest.h

@@ -0,0 +1,35 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright (C) 2018 Eltan B.V.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+
+#ifndef __MANIFEST_H__
+#define __MANIFEST_H__
+
+/**
+ * Make sure the index matches the actual order in the manifest generated
+ * using the HashCb.cmd file
+ */
+#define HASH_IDX_ROM_STAGE	0
+#define HASH_IDX_RAM_STAGE	1
+#define HASH_IDX_PAYLOAD	2
+#define HASH_IDX_OPROM		3
+#define HASH_IDX_FSP		4
+#define HASH_IDX_MICROCODE	5
+#define HASH_IDX_SPD0		6
+#define HASH_IDX_LOGO		7
+#define HASH_IDX_DSDT		8
+#define HASH_IDX_POSTCAR_STAGE	9
+#define HASH_IDX_BOOTBLOCK	10 /* Should always be the last one */
+
+#endif

src/mainboard/facebook/fbg1701/onboard.h

@@ -33,4 +33,14 @@
 #define CPLD_CMD_RESET_DSI_BRIDGE_ACTIVE 0x20
 #define CPLD_CMD_RESET_DSI_BRIDGE_INACTIVE 0x00
 
+/* Define the items to be measured or verified */
+#define FSP		(const char *)"fsp.bin"
+#define CMOS_LAYOUT	(const char *)"cmos_layout.bin"
+#define RAMSTAGE	(const char *)"fallback/ramstage"
+#define ROMSTAGE	(const char *)"fallback/romstage"
+#define PAYLOAD		(const char *)"fallback/payload"
+#define POSTCAR		(const char *)"fallback/postcar"
+#define OP_ROM_VBT	(const char *)"vbt.bin"
+#define MICROCODE	(const char *)"cpu_microcode_blob.bin"
+
 #endif