mb/facebook/fbg1701: Add verified boot tables

The vendorcode for verified boot is uploaded, but not used by a mainboard.
Add support to the mainboard for verified boot.

The items to be verified are placed in board_verified_boot.c

BUG=N/A
TEST=Boot Embedded Linux 4.20 and verify logging on Facebook FBG-1701 rev 0-2

Change-Id: I3ea0a95287977df0dea13e05acedd5406538a6ee
Signed-off-by: Frans Hendriks <fhendriks@eltan.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/33463
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Reviewed-by: Lance Zhao <lance.zhao@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Frans Hendriks 2019-06-26 14:57:35 +02:00 committed by Philipp Deppenwiese
parent 72b3c3c838
commit 744c70dcc7
6 changed files with 195 additions and 0 deletions


@ -80,6 +80,10 @@ config FSP1_1_DISPLAY_LOGO
bool bool
default n default n
config VENDORCODE_ELTAN_OEM_MANIFEST_LOC
hex "OEM Manifest working dflt"
default 0xFFFE9000
config SPI_FLASH_INCLUDE_ALL_DRIVERS config SPI_FLASH_INCLUDE_ALL_DRIVERS
bool bool
default n default n
@ -96,4 +100,16 @@ config C_ENV_BOOTBLOCK_SIZE
hex "C Bootblock Size" hex "C Bootblock Size"
default 0x4000 default 0x4000
config VENDORCODE_ELTAN_VBOOT_SIGNED_MANIFEST
bool
default y
config VENDORCODE_ELTAN_VBOOT_MANIFEST
string
default "mainboard/facebook/fbg1701/manifest.h"
config VENDORCODE_ELTAN_VBOOT_KEY_LOCATION
hex "Key Location working dflt"
default 0xFFFF9C00
endif # BOARD_FACEBOOK_FBG1701 endif # BOARD_FACEBOOK_FBG1701
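Review bot: `VENDORCODE_ELTAN_VBOOT_KEY_LOCATION` (0xFFFF9C00) and `VENDORCODE_ELTAN_OEM_MANIFEST_LOC` (0xFFFE9000) are fixed memory-mapped flash addresses with no `help` text, and the prompts `Key Location working dflt` and `OEM Manifest working dflt` do not say what has to be stored there. With `C_ENV_BOOTBLOCK_SIZE` at its default of 0x4000 the bootblock spans 0xFFFFC000-0xFFFFFFFF, so both addresses fall outside it and their integrity presumably depends on how that flash region is laid out and write-protected. Each option should get a help entry naming the blob at the address and the protection it needs, for example `help` followed by `Flash address of the key used to check the signed manifest; must lie in a write-protected region.` (wording to be confirmed against the vendorcode). A build-time check that the two addresses do not overlap CBFS content would be a useful follow-up.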


@ -15,6 +15,13 @@
## GNU General Public License for more details. ## GNU General Public License for more details.
## ##
ifneq ($(filter y,$(CONFIG_VENDORCODE_ELTAN_VBOOT) $(CONFIG_VENDORCODE_ELTAN_MBOOT)),)
bootblock-$(CONFIG_C_ENVIRONMENT_BOOTBLOCK) += board_verified_boot.c
postcar-y += board_verified_boot.c
ramstage-y += board_verified_boot.c
romstage-y += board_verified_boot.c
endif
bootblock-$(CONFIG_C_ENVIRONMENT_BOOTBLOCK) += com_init.c bootblock-$(CONFIG_C_ENVIRONMENT_BOOTBLOCK) += com_init.c
ramstage-y += gpio.c ramstage-y += gpio.c
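Review bot: The `ifneq` guard builds board_verified_boot.c when either `CONFIG_VENDORCODE_ELTAN_VBOOT` or `CONFIG_VENDORCODE_ELTAN_MBOOT` is set, but nothing here says whether an MBOOT-only configuration is supported. The file pulls in `vboot_check.h` and the `HASH_IDX_*` constants from the manifest header, so whether it compiles with only MBOOT enabled cannot be told from this page. A one-line comment above the guard would settle it, e.g. `## Verify/measure lists are shared by Eltan verified boot and measured boot`, provided that is the intent.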


@ -0,0 +1,104 @@
/*
* This file is part of the coreboot project.
*
* Copyright (C) 2018-2019 Eltan B.V.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; version 2 of the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*/
#include "board_verified_boot.h"
#ifdef __BOOTBLOCK__
/* The items verified by the bootblock, the bootblock will not measure the
* items to the TPM
*/
const verify_item_t bootblock_verify_list[] = {
{ VERIFY_FILE, ROMSTAGE, { { NULL, CBFS_TYPE_STAGE } },
HASH_IDX_ROM_STAGE, MBOOT_PCR_INDEX_0 },
{ VERIFY_BLOCK, "BootBlock",
{ { (void *)0xffffffff - CONFIG_C_ENV_BOOTBLOCK_SIZE + 1,
CONFIG_C_ENV_BOOTBLOCK_SIZE, } }, HASH_IDX_BOOTBLOCK,
MBOOT_PCR_INDEX_0 },
{ VERIFY_TERMINATOR, NULL, { { NULL, 0 } }, 0, 0 }
};
#endif
#if defined(__ROMSTAGE__) || defined(__POSTCAR__)
/* The FSP is already checked in romstage */
static const verify_item_t ram_stage_additional_list[] = {
{ VERIFY_FILE, OP_ROM_VBT, { { NULL, CBFS_TYPE_RAW } },
HASH_IDX_OPROM, MBOOT_PCR_INDEX_2 },
{ VERIFY_FILE, "logo.bmp", { { NULL, CBFS_TYPE_RAW } },
HASH_IDX_LOGO, MBOOT_PCR_INDEX_2 },
{ VERIFY_FILE, "fallback/dsdt.aml", { { NULL, CBFS_TYPE_RAW } },
HASH_IDX_DSDT, MBOOT_PCR_INDEX_2 },
{ VERIFY_TERMINATOR, NULL, { { NULL, 0 } }, 0, 0 }
};
#endif
#ifdef __ROMSTAGE__
/* The items used by the romstage */
const verify_item_t romstage_verify_list[] = {
{ VERIFY_FILE, ROMSTAGE, { { NULL, CBFS_TYPE_STAGE } },
HASH_IDX_ROM_STAGE, MBOOT_PCR_INDEX_0 },
{ VERIFY_FILE, MICROCODE, { { NULL, CBFS_TYPE_MICROCODE } },
HASH_IDX_MICROCODE, MBOOT_PCR_INDEX_1 },
{ VERIFY_FILE, FSP, { { NULL, CBFS_TYPE_FSP } }, HASH_IDX_FSP,
MBOOT_PCR_INDEX_1 },
{ VERIFY_FILE, "spd.bin", { { NULL, CBFS_TYPE_SPD } },
HASH_IDX_SPD0, MBOOT_PCR_INDEX_1 },
#if CONFIG(POSTCAR_STAGE)
{ VERIFY_FILE, POSTCAR, { { NULL, CBFS_TYPE_STAGE } },
HASH_IDX_POSTCAR_STAGE, MBOOT_PCR_INDEX_0 },
#endif
{ VERIFY_BLOCK, "BootBlock",
{ { (void *)0xffffffff - CONFIG_C_ENV_BOOTBLOCK_SIZE + 1,
CONFIG_C_ENV_BOOTBLOCK_SIZE, } }, HASH_IDX_BOOTBLOCK,
MBOOT_PCR_INDEX_0 },
{ VERIFY_TERMINATOR, NULL, { { NULL, 0 } }, 0, 0 }
};
/* The items used by the ramstage */
const verify_item_t ramstage_verify_list[] = {
{ VERIFY_FILE, RAMSTAGE, { { ram_stage_additional_list,
CBFS_TYPE_STAGE } }, HASH_IDX_RAM_STAGE, MBOOT_PCR_INDEX_0 },
{ VERIFY_TERMINATOR, NULL, { { NULL, 0 } }, 0, 0 }
};
#endif
#ifdef __POSTCAR__
/* POSTSTAGE */
/* The items used by the postcar stage */
const verify_item_t postcar_verify_list[] = {
{ VERIFY_FILE, RAMSTAGE, { { ram_stage_additional_list,
CBFS_TYPE_STAGE } }, HASH_IDX_RAM_STAGE, MBOOT_PCR_INDEX_0 },
{ VERIFY_FILE, MICROCODE, { { NULL, CBFS_TYPE_MICROCODE } },
HASH_IDX_MICROCODE, MBOOT_PCR_INDEX_1 },
{ VERIFY_FILE, FSP, { { NULL, CBFS_TYPE_FSP } }, HASH_IDX_FSP,
MBOOT_PCR_INDEX_1 },
{ VERIFY_FILE, "spd.bin", { { NULL, CBFS_TYPE_SPD } }, HASH_IDX_SPD0,
MBOOT_PCR_INDEX_1 },
{ VERIFY_TERMINATOR, NULL, { { NULL, 0 } }, 0, 0 }
};
#endif
#ifdef __RAMSTAGE__
/* RAMSTAGE */
const verify_item_t payload_verify_list[] = {
{ VERIFY_FILE, PAYLOAD, { { NULL, CBFS_TYPE_SELF |
VERIFIED_BOOT_COPY_BLOCK } }, HASH_IDX_PAYLOAD,
MBOOT_PCR_INDEX_3 },
{ VERIFY_TERMINATOR, NULL, { { NULL, 0 } }, 0, 0 }
};
const verify_item_t oprom_verify_list[] = {
{ VERIFY_TERMINATOR, NULL, { { NULL, 0 } }, 0, 0 }
};
#endif
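Review bot: The `"BootBlock"` VERIFY_BLOCK entry in `bootblock_verify_list` has the bootblock hash its own flash range, which detects corruption but cannot establish trust unless that range and the verification key are write-protected; the list comment should state the assumption, e.g. `/* Self-check only: relies on the bootblock flash range being write-protected */`. The same entry is repeated in `romstage_verify_list`, and both compute the address as `(void *)0xffffffff - CONFIG_C_ENV_BOOTBLOCK_SIZE + 1`, which depends on GNU `void *` arithmetic. Writing `(void *)(0xffffffff - CONFIG_C_ENV_BOOTBLOCK_SIZE + 1)` does the arithmetic on integers, and a single shared macro would keep the two entries in step. `oprom_verify_list` holds only the terminator, so as far as this file shows no option ROM is checked from ramstage; a short comment saying that this is intentional would help the next reader.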


@ -0,0 +1,23 @@
/*
* This file is part of the coreboot project.
*
* Copyright (C) 2018 Eltan B.V.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; version 2 of the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*/
#ifndef BOARD_VERIFIED_BOOT_H
#define BOARD_VERIFIED_BOOT_H
#include <soc/romstage.h>
#include <vboot_check.h>
#include "onboard.h"
#endif


@ -0,0 +1,35 @@
/*
* This file is part of the coreboot project.
*
* Copyright (C) 2018 Eltan B.V.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; version 2 of the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*/
#ifndef __MANIFEST_H__
#define __MANIFEST_H__
/**
* Make sure the index matches the actual order in the manifest generated
* using the HashCb.cmd file
*/
#define HASH_IDX_ROM_STAGE 0
#define HASH_IDX_RAM_STAGE 1
#define HASH_IDX_PAYLOAD 2
#define HASH_IDX_OPROM 3
#define HASH_IDX_FSP 4
#define HASH_IDX_MICROCODE 5
#define HASH_IDX_SPD0 6
#define HASH_IDX_LOGO 7
#define HASH_IDX_DSDT 8
#define HASH_IDX_POSTCAR_STAGE 9
#define HASH_IDX_BOOTBLOCK 10 /* Should always be the last one */
#endif
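Review bot: The `HASH_IDX_*` values are kept in step with the externally generated manifest only by the comment above them, so a reordered or extended manifest would silently pair an item with another item's hash slot. How the vendorcode reacts to such a mismatch is not visible here, so the header should at least give the number of entries the manifest is expected to hold, for instance `#define HASH_IDX_COUNT (HASH_IDX_BOOTBLOCK + 1)` (a proposed name), which the manifest generator or a static assert can be checked against. Separately, the guard `__MANIFEST_H__` uses a reserved double-underscore identifier while board_verified_boot.h in the same commit uses `BOARD_VERIFIED_BOOT_H`; a board-specific name without leading underscores would be consistent.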


@ -33,4 +33,14 @@
#define CPLD_CMD_RESET_DSI_BRIDGE_ACTIVE 0x20 #define CPLD_CMD_RESET_DSI_BRIDGE_ACTIVE 0x20
#define CPLD_CMD_RESET_DSI_BRIDGE_INACTIVE 0x00 #define CPLD_CMD_RESET_DSI_BRIDGE_INACTIVE 0x00
/* Define the items to be measured or verified */
#define FSP (const char *)"fsp.bin"
#define CMOS_LAYOUT (const char *)"cmos_layout.bin"
#define RAMSTAGE (const char *)"fallback/ramstage"
#define ROMSTAGE (const char *)"fallback/romstage"
#define PAYLOAD (const char *)"fallback/payload"
#define POSTCAR (const char *)"fallback/postcar"
#define OP_ROM_VBT (const char *)"vbt.bin"
#define MICROCODE (const char *)"cpu_microcode_blob.bin"
#endif #endif
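Review bot: The new file-name macros hard-code the `fallback/` CBFS prefix (`RAMSTAGE`, `ROMSTAGE`, `PAYLOAD`, `POSTCAR`), so a build with a different `CONFIG_CBFS_PREFIX` would make the verify lists look up names that are not in the image; building them from the config, e.g. `#define ROMSTAGE CONFIG_CBFS_PREFIX "/romstage"`, keeps the lists and the image in agreement. The `(const char *)` casts are unparenthesized and unnecessary on string literals, and names as short as `FSP`, `PAYLOAD` and `MICROCODE` in a board header invite collisions, so a common prefix would be safer. `CMOS_LAYOUT` is defined but does not appear in any list in board_verified_boot.c as shown on this page; if cmos_layout.bin is deliberately left unverified, a comment should say so.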