mainboard/intel/galileo: Add vboot support

Add the necessary files and changes to support vboot. TEST=Build and run on Galileo Gen2 with a SparkFun CryptoShield 1. Obtain and install a SparkFun CryptoShield. https://www.sparkfun.com/products/13183 2. Edit src/mainboard/intel/galileo/Kconfig to select VBOOT_WITH_CRYPTO_SHIELD 3. Use make menuconfig to update the config values and select a payload that will fit. I used SeaBIOS which does not boot. 4. Build coreboot 5. Use the command file below to generate the signed coreboot image. 6. Flash build/coreboot.rom onto the Galileo board 7. The test is successful if verstage detects that it needs recovery after Phase 1. This is expected because the image does not contain the GBB section. 8. Flash build/coreboot.signed.bin onto the Galileo board 9. The test is successful if verstage reaches Phase 4 and selects SLOT A to load the rest of the files. #!/bin/sh # # The necessary tools were built and installed using the following commands: # # pushd 3rdparty/vboot # make # sudo make install # popd # # The keys were made using the following command # # 3rdparty/vboot/scripts/keygeneration/create_new_keys.sh \ # --4k --4k-root --output $PWD/keys # # # Create the GBB area blob # gbb_utility -c 0x100,0x1000,0x7ce80,0x1000 gbb.blob # # Add the empty GBB to the coreboot.rom image # dd conv=fdatasync ibs=4096 obs=4096 count=1553 \ if=build/coreboot.rom of=build/coreboot.signed.rom dd conv=fdatasync obs=4096 obs=4096 seek=1553 if=gbb.blob \ of=build/coreboot.signed.rom dd conv=fdatasync ibs=4096 obs=4096 skip=1680 seek=1680 \ count=368 if=build/coreboot.rom of=build/coreboot.signed.rom # # Add the keys and HWID to the GBB # gbb_utility \ --set --hwid='Galileo' \ -r $PWD/keys/recovery_key.vbpubk \ -k $PWD/keys/root_key.vbpubk \ build/coreboot.signed.rom # # Sign the firmware with the keys # 3rdparty/vboot/scripts/image_signing/sign_firmware.sh \ build/coreboot.signed.rom \ $PWD/keys \ build/coreboot.signed.rom Change-Id: I96170412e7bbc2b9c747ff5e2c845f29220353ed Signed-off-by: Lee Leahy <leroy.p.leahy@intel.com> Reviewed-on: https://review.coreboot.org/18041 Tested-by: Martin Roth <martinroth@google.com> Reviewed-by: Aaron Durbin <adurbin@chromium.org>
2017-01-04 08:34:01 -08:00 · 2017-01-04 08:34:01 -08:00 · a50ced2eba
parent 1e24bf3f71
commit a50ced2eba
6 changed files with 240 additions and 3 deletions
--- a/src/mainboard/intel/galileo/Kconfig
+++ b/src/mainboard/intel/galileo/Kconfig
@ -1,7 +1,7 @@
 ##
 ## This file is part of the coreboot project.
 ##
-## Copyright (C) 2015-2016 Intel Corp.
+## Copyright (C) 2015-2017 Intel Corp.
 ##
 ## This program is free software; you can redistribute it and/or modify
 ## it under the terms of the GNU General Public License as published by
@ -147,4 +147,35 @@ config FSP_DEBUG_ALL
 	  FSP_CALLS_AND_STATUS, FSP_HEADER, POSTCAR_CONSOLE and VERIFY_HOBS
 	  or FSP 1.1 DISPLAY_FSP_ENTRY_POINTS
 config VBOOT_WITH_CRYPTO_SHIELD
 	bool "Verified boot using the Crypto Shield board"
 	default n
 	select I2C_TPM
 	select MAINBOARD_HAS_I2C_TPM_ATMEL
 	select SEPARATE_VERSTAGE
 	select VBOOT
 	select VBOOT_STARTS_IN_BOOTBLOCK
 	select VBOOT_SOFT_REBOOT_WORKAROUND
 	select VBOOT_VBNV_CMOS
 	help
 	  Perform a verified boot using the TPM on the Crypto Shield board.
 config DRIVER_TPM_I2C_ADDR
 	hex "Address of the I2C TPM chip"
 	depends on VBOOT_WITH_CRYPTO_SHIELD
 	default 0x29
 	help
 	  I2C address of the TPM chip on the Crypto Shield board.
 config FMDFILE
 	string "FMAP description file in fmd format"
 	depends on VBOOT
 	default "src/mainboard/$(CONFIG_MAINBOARD_DIR)/vboot.fmd"
 	help
 	  The build system creates a default FMAP from ROM_SIZE and CBFS_SIZE,
 	  but in some cases more complex setups are required.
 	  When an FMD descriptionn file is specified, the build system uses it
 	  instead of creating a default FMAP file.
 endif # BOARD_INTEL_QUARK
--- a/src/mainboard/intel/galileo/Makefile.inc
+++ b/src/mainboard/intel/galileo/Makefile.inc
@ -20,8 +20,13 @@ endif
 bootblock-y += gpio.c
 bootblock-y += reg_access.c
 verstage-y += gpio.c
 verstage-y += reg_access.c
 verstage-$(CONFIG_VBOOT) += vboot.c
 romstage-y += gpio.c
 romstage-y += reg_access.c
 romstage-$(CONFIG_VBOOT) += vboot.c
 postcar-y += gpio.c
 postcar-y += reg_access.c
--- a/src/mainboard/intel/galileo/gen1.h
+++ b/src/mainboard/intel/galileo/gen1.h
@ -1,7 +1,7 @@
 /*
 * This file is part of the coreboot project.
 *
- * Copyright (C) 2016 Intel Corp.
+ * Copyright (C) 2016-2017 Intel Corp.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -150,3 +150,29 @@ static const struct reg_script gen1_i2c_0x21_init[] = {
 	REG_SCRIPT_END
 };
 static const struct reg_script gen1_tpm_reset_0x20[] = {
 	/* Reset the TPM using SW_RESET_N_SHLD (GPORT5_BIT1):
 	 * low, output, delay, input
 	 */
 	REG_I2C_AND(GEN1_I2C_GPIO_EXP_0x20, GEN1_GPIO_EXP_OUTPUT5, ~BIT1),
 	REG_I2C_WRITE(GEN1_I2C_GPIO_EXP_0x20, GEN1_GPIO_EXP_PORT_SELECT, 5),
 	REG_I2C_AND(GEN1_I2C_GPIO_EXP_0x20, GEN1_GPIO_EXP_PORT_DIR, ~BIT1),
 	TIME_DELAY_USEC(5),
 	REG_I2C_OR(GEN1_I2C_GPIO_EXP_0x20, GEN1_GPIO_EXP_PORT_DIR, BIT1),
 	REG_SCRIPT_END
 };
 static const struct reg_script gen1_tpm_reset_0x21[] = {
 	/* Reset the TPM using SW_RESET_N_SHLD (GPORT5_BIT1):
 	 * low, output, delay, input
 	 */
 	REG_I2C_AND(GEN1_I2C_GPIO_EXP_0x21, GEN1_GPIO_EXP_OUTPUT5, ~BIT1),
 	REG_I2C_WRITE(GEN1_I2C_GPIO_EXP_0x21, GEN1_GPIO_EXP_PORT_SELECT, 5),
 	REG_I2C_AND(GEN1_I2C_GPIO_EXP_0x21, GEN1_GPIO_EXP_PORT_DIR, ~BIT1),
 	TIME_DELAY_USEC(5),
 	REG_I2C_OR(GEN1_I2C_GPIO_EXP_0x21, GEN1_GPIO_EXP_PORT_DIR, BIT1),
 	REG_SCRIPT_END
 };
--- a/src/mainboard/intel/galileo/gen2.h
+++ b/src/mainboard/intel/galileo/gen2.h
@ -1,7 +1,7 @@
 /*
 * This file is part of the coreboot project.
 *
- * Copyright (C) 2016 Intel Corp.
+ * Copyright (C) 2016-2017 Intel Corp.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -98,3 +98,15 @@ static const struct reg_script gen2_i2c_init[] = {
 	REG_SCRIPT_END
 };
 static const struct reg_script gen2_tpm_reset[] = {
 	/* Reset the TPM using SW_RESET_N_SHLD (EXP1 P1.7):
 	 * low, output, delay, input
 	 */
 	REG_I2C_AND(GEN2_I2C_GPIO_EXP1, GEN2_GPIO_EXP_OUTPUT1, ~BIT7),
 	REG_I2C_AND(GEN2_I2C_GPIO_EXP1, GEN2_GPIO_EXP_CONFIG1, ~BIT7),
 	TIME_DELAY_USEC(5),
 	REG_I2C_OR(GEN2_I2C_GPIO_EXP1, GEN2_GPIO_EXP_CONFIG1, BIT7),
 	REG_SCRIPT_END
 };
--- a/src/mainboard/intel/galileo/vboot.c
+++ b/src/mainboard/intel/galileo/vboot.c
@ -0,0 +1,111 @@
 /*
 * Copyright (C) 2016-2017 Intel Corporation
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation; either version 2 of
 * the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but without any warranty; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 */
 #include <assert.h>
 #include <bootmode.h>
 #include <console/console.h>
 #include <delay.h>
 #include <device/i2c.h>
 #include <lib.h>
 #include <soc/i2c.h>
 #include <soc/reg_access.h>
 #include "reg_access.h"
 #include "gen1.h"
 #include "gen2.h"
 #include <spi_flash.h>
 #include <vboot/vboot_common.h>
 int clear_recovery_mode_switch(void)
 {
 	/* Nothing to do */
 	return 0;
 }
 int get_developer_mode_switch(void)
 {
 	return 0;
 }
 int get_recovery_mode_switch(void)
 {
 	return 0;
 }
 int get_sw_write_protect_state(void)
 {
 	/* Not write protected */
 	return 0;
 }
 int get_write_protect_state(void)
 {
 	/* Not write protected */
 	return 0;
 }
 void log_recovery_mode_switch(void)
 {
 }
 void verstage_mainboard_init(void)
 {
 	const struct reg_script *script;
 	/* Crypto Shield I2C Addresses:
 	 *
 	 * 0x29: AT97S3204T - TPM 1.2
 	 * 0x50: ATAES132 - AES-128
 	 * 0x60: ATECC108 - Elliptical Curve
 	 * 0x64: ATSHA204 - SHA-256
 	 * 0x68: DS3231M - RTC
 	 */
 	/* Determine the correct script for the board */
 	if (IS_ENABLED(CONFIG_GALILEO_GEN2))
 		script = gen2_i2c_init;
 	else
 		/* Determine which I2C address is in use */
 		script = (reg_legacy_gpio_read (R_QNC_GPIO_RGLVL_RESUME_WELL)
 			& GALILEO_DETERMINE_IOEXP_SLA_RESUMEWELL_GPIO)
 			? gen1_i2c_0x20_init : gen1_i2c_0x21_init;
 	/* Direct the I2C SDA and SCL signals to the Arduino connector */
 	reg_script_run(script);
 }
 void __attribute__((weak)) vboot_platform_prepare_reboot(void)
 {
 	const struct reg_script *script;
 	/* Crypto Shield I2C Addresses:
 	 *
 	 * 0x29: AT97S3204T - TPM 1.2
 	 * 0x50: ATAES132 - AES-128
 	 * 0x60: ATECC108 - Elliptical Curve
 	 * 0x64: ATSHA204 - SHA-256
 	 * 0x68: DS3231M - RTC
 	 */
 	/* Determine the correct script for the board */
 	if (IS_ENABLED(CONFIG_GALILEO_GEN2))
 		script = gen2_tpm_reset;
 	else
 		/* Determine which I2C address is in use */
 		script = (reg_legacy_gpio_read (R_QNC_GPIO_RGLVL_RESUME_WELL)
 			& GALILEO_DETERMINE_IOEXP_SLA_RESUMEWELL_GPIO)
 			? gen1_tpm_reset_0x20 : gen1_tpm_reset_0x21;
 	/* Reset the TPM */
 	reg_script_run(script);
 }
--- a/src/mainboard/intel/galileo/vboot.fmd
+++ b/src/mainboard/intel/galileo/vboot.fmd
@ -0,0 +1,52 @@
 #
 # Copyright (C) 2016-2017 Intel Corporation
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License as
 # published by the Free Software Foundation; either version 2 of
 # the License, or (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but without any warranty; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 FLASH@0xff800000 0x800000 {
 	SI_ALL@0x0 0x200000 {
 		SI_DESC@0x0 0x1000
 		SI_ME@0x1000 0x1ff000
 	}
 	SI_BIOS@0x200000 0x600000 {
 		RW_SECTION_A@0x0 0xf0000 {
 			VBLOCK_A@0x0 0x10000
 			FW_MAIN_A(CBFS)@0x10000 0xdffc0
 			RW_FWID_A@0xeffc0 0x40
 		}
 		RW_SECTION_B@0xf0000 0xf0000 {
 			VBLOCK_B@0x0 0x10000
 			FW_MAIN_B(CBFS)@0x10000 0xdffc0
 			RW_FWID_B@0xeffc0 0x40
 		}
 		RW_MRC_CACHE@0x1e0000 0x10000
 		RW_ELOG@0x1f0000 0x4000
 		RW_SHARED@0x1f4000 0x4000 {
 			SHARED_DATA@0x0 0x2000
 			VBLOCK_DEV@0x2000 0x2000
 		}
 		RW_VPD@0x1f8000 0x2000
 		RW_NVRAM@0x1fa000 0x6000
 		RW_LEGACY(CBFS)@0x200000 0x200000
 		WP_RO@0x400000 0x200000 {
 			RO_VPD@0x0 0x4000
 			RO_UNUSED@0x4000 0xc000
 			RO_SECTION@0x10000 0x1f0000 {
 				FMAP@0x0 0x800
 				RO_FRID@0x800 0x40
 				RO_FRID_PAD@0x840 0x7c0
 				GBB@0x1000 0x7f000
 				COREBOOT(CBFS)@0x80000 0x170000
 			}
 		}
 	}
 }