GNUBoot/coreboot-kgpe-d16
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

src/sbom: Add code documentation + fix misspelling

Browse source 
Functionality wise nothing changed, except that the first misspellings
caused SBOM_BIOS_ACM_PATH and SBOM_SINIT_ACM_PATH to not work before.

- Fix misspelling of CONFIG_BIOS_ACM_PATH  -> CONFIG_SBOM_BIOS_ACM_PATH
- Fix misspelling of CONFIG_SINIT_ACM_PATH -> CONFIG_SBOM_SINIT_ACM_PATH
- Put SBOM_COMPILER_ handling into Kconfig instead of Makefile
- Reorder CONFIG_ paths (for readablity)
- Add in code comments (for readablity)

Signed-off-by: Maximilian Brune <maximilian.brune@9elements.com>
Change-Id: If67bc3bd0d330b9b5f083edc4d1697e92ace1ea0
Reviewed-on: https://review.coreboot.org/c/coreboot/+/72379
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Elyes Haouas <ehaouas@noos.fr>
This commit is contained in:
Maximilian Brune 2023-01-21 20:31:05 +01:00 committed by Felix Held
parent dbbcc578c3
commit e6cd4d242b
2 changed files with 40 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
src/sbom/Kconfig
View file

@ -21,6 +21,16 @@ config SBOM_COMPILER
Note: if the system toolchain is used to build coreboot Note: if the system toolchain is used to build coreboot
one should check the final SBOM file for the expected results one should check the final SBOM file for the expected results
config SBOM_COMPILER_PATH
string "Path to SBOM file for the compiler"
depends on SBOM_COMPILER
default "build/sbom/compiler-gcc.json" if COMPILER_GCC
default "build/sbom/compiler-clang.json" if COMPILER_LLVM_CLANG
default "build/sbom/compiler-generic.json" if ANY_TOOLCHAIN
help
The path of the SBOM file describing the Software included in the build
File can be a .json, .xml, .cbor, .uswid, or .pc
config SBOM_PAYLOAD config SBOM_PAYLOAD
bool "Include payload metadata in SBOM" bool "Include payload metadata in SBOM"
default n default n
@ -42,11 +52,11 @@ config SBOM_PAYLOAD_GENERATE
straight up wrong. straight up wrong.
config SBOM_PAYLOAD_PATH config SBOM_PAYLOAD_PATH
string "SBOM file path" string "Path to SBOM file for the payload"
depends on SBOM_PAYLOAD && !SBOM_PAYLOAD_GENERATE depends on SBOM_PAYLOAD && !SBOM_PAYLOAD_GENERATE
help help
The path of the .ini file describing the payload The path of the SBOM file describing the Software included in the build
Software included in the build File can be a .json, .xml, .cbor, .uswid, or .pc
config SBOM_ME config SBOM_ME
bool "Include ME metadata in SBOM" bool "Include ME metadata in SBOM"
@ -74,8 +84,8 @@ config SBOM_ME_PATH
string "Path to sbom.json for the ME firmware" string "Path to sbom.json for the ME firmware"
depends on SBOM_ME && !SBOM_ME_GENERATE depends on SBOM_ME && !SBOM_ME_GENERATE
help help
The path of the SBOM file (sbom.json file) The path of the SBOM file describing the Software included in the build
The path of the .json file describing the Software included in the build File can be a .json, .xml, .cbor, .uswid, or .pc
config SBOM_EC config SBOM_EC
bool "Include EC metadata in SBOM" bool "Include EC metadata in SBOM"

38
src/sbom/Makefile.inc
View file

@ -5,19 +5,30 @@ src ?= src
build-dir = $(obj)/sbom build-dir = $(obj)/sbom
src-dir = $(src)/sbom src-dir = $(src)/sbom
# Strip quotes from binary paths and SBOM file paths. Each binary path should have a
# corresponding SBOM file path, but not every SBOM file path needs a binary path. That
# is because binary files are only needed if they are used to extract information from
# them which in turn can be included in the SBOM files (like version or config stuff).
# But for some Software there are only SBOM files, which basically tell the most generic
# information about that piece of Software. Ideally one would not need the binary files
# at all, because extacting information out of mostly unknown binary blobs is a pain.
CONFIG_ME_BIN_PATH := $(call strip_quotes, $(CONFIG_ME_BIN_PATH)) CONFIG_ME_BIN_PATH := $(call strip_quotes, $(CONFIG_ME_BIN_PATH))
CONFIG_SBOM_ME_PATH := $(call strip_quotes, $(CONFIG_SBOM_ME_PATH))
CONFIG_FSP_S_FILE := $(call strip_quotes, $(CONFIG_FSP_S_FILE)) CONFIG_FSP_S_FILE := $(call strip_quotes, $(CONFIG_FSP_S_FILE))
CONFIG_FSP_M_FILE := $(call strip_quotes, $(CONFIG_FSP_M_FILE)) CONFIG_FSP_M_FILE := $(call strip_quotes, $(CONFIG_FSP_M_FILE))
CONFIG_FSP_T_FILE := $(call strip_quotes, $(CONFIG_FSP_T_FILE)) CONFIG_FSP_T_FILE := $(call strip_quotes, $(CONFIG_FSP_T_FILE))
CONFIG_PAYLOAD_FILE := $(call strip_quotes, $(CONFIG_PAYLOAD_FILE))
CONFIG_EC_PATH := $(call strip_quotes, $(CONFIG_EC_PATH))
CONFIG_BIOS_ACM_PATH := $(call strip_quotes, $(CONFIG_BIOS_ACM_PATH))
CONFIG_SINIT_ACM_PATH := $(call strip_quotes, $(CONFIG_SINIT_ACM_PATH))
CONFIG_SBOM_FSP_PATH := $(call strip_quotes, $(CONFIG_SBOM_FSP_PATH)) CONFIG_SBOM_FSP_PATH := $(call strip_quotes, $(CONFIG_SBOM_FSP_PATH))
CONFIG_SBOM_EC_PATH := $(call strip_quotes, $(CONFIG_SBOM_EC_PATH)) CONFIG_PAYLOAD_FILE := $(call strip_quotes, $(CONFIG_PAYLOAD_FILE))
CONFIG_SBOM_ME_PATH := $(call strip_quotes, $(CONFIG_SBOM_ME_PATH))
CONFIG_SBOM_PAYLOAD_PATH := $(call strip_quotes, $(CONFIG_SBOM_PAYLOAD_PATH)) CONFIG_SBOM_PAYLOAD_PATH := $(call strip_quotes, $(CONFIG_SBOM_PAYLOAD_PATH))
CONFIG_EC_PATH := $(call strip_quotes, $(CONFIG_EC_PATH))
CONFIG_SBOM_EC_PATH := $(call strip_quotes, $(CONFIG_SBOM_EC_PATH))
CONFIG_SBOM_BIOS_ACM_PATH := $(call strip_quotes, $(CONFIG_SBOM_BIOS_ACM_PATH))
CONFIG_SBOM_SINIT_ACM_PATH := $(call strip_quotes, $(CONFIG_SBOM_SINIT_ACM_PATH))
CONFIG_SBOM_COMPILER_PATH := $(call strip_quotes, $(CONFIG_SBOM_COMPILER_PATH))
# Select the correct payload directory for the used payload. Ideally we could just make this
# a one-liner, but since the payload is generated externally (with an extra make command), we
# have to hard code the paths here.
ifeq ($(CONFIG_SBOM_PAYLOAD_GENERATE), y) ifeq ($(CONFIG_SBOM_PAYLOAD_GENERATE), y)
payload-git-dir-$(CONFIG_PAYLOAD_BOOTBOOT) = payloads/external/BOOTBOOT/bootboot payload-git-dir-$(CONFIG_PAYLOAD_BOOTBOOT) = payloads/external/BOOTBOOT/bootboot
payload-git-dir-$(CONFIG_PAYLOAD_DEPTHCHARGE) = payloads/external/depthcharge/depthcharge payload-git-dir-$(CONFIG_PAYLOAD_DEPTHCHARGE) = payloads/external/depthcharge/depthcharge
@ -37,6 +48,11 @@ payload-swid-template = $(patsubst $(build-dir)/%.json,$(src-dir)/%.json,$(paylo
endif endif
endif endif
# Add all SBOM files into the swid-files-y target. This target contains all
# .json, .ini, .uswid, .xml, .pc SBOM files that are later merged into one uSWID SBOM file.
# Some of these have an option that this Makefile generates/extracts some information from
# binary files in order to give more complete/detailed information inside the SBOM file.
# These files are either in src/sbom/ or build/sbom (if they are generated).
swid-files-$(CONFIG_SBOM_ME) += $(if $(CONFIG_SBOM_ME_GENERATE), $(build-dir)/intel-me.json, $(CONFIG_SBOM_ME_PATH)) swid-files-$(CONFIG_SBOM_ME) += $(if $(CONFIG_SBOM_ME_GENERATE), $(build-dir)/intel-me.json, $(CONFIG_SBOM_ME_PATH))
swid-files-$(CONFIG_SBOM_PAYLOAD) += $(if $(CONFIG_SBOM_PAYLOAD_GENERATE), $(payload-swid), $(CONFIG_SBOM_PAYLOAD_PATH)) swid-files-$(CONFIG_SBOM_PAYLOAD) += $(if $(CONFIG_SBOM_PAYLOAD_GENERATE), $(payload-swid), $(CONFIG_SBOM_PAYLOAD_PATH))
# TODO think about just using one CoSWID tag for all intel-microcode instead of one for each. maybe put each microcode into files entity of CoSWID tag? # TODO think about just using one CoSWID tag for all intel-microcode instead of one for each. maybe put each microcode into files entity of CoSWID tag?
@ -52,16 +68,12 @@ swid-files-$(CONFIG_SBOM_VBOOT) += $(vboot-pkgconfig-files)
$(vboot-pkgconfig-files): $(VBOOT_LIB_bootblock) $(VBOOT_LIB_romstage) $(VBOOT_LIB_ramstage) $(VBOOT_LIB_postcar) # src/security/vboot/Makefile.inc $(vboot-pkgconfig-files): $(VBOOT_LIB_bootblock) $(VBOOT_LIB_romstage) $(VBOOT_LIB_ramstage) $(VBOOT_LIB_postcar) # src/security/vboot/Makefile.inc
ifeq ($(CONFIG_SBOM_COMPILER),y) ifeq ($(CONFIG_SBOM_COMPILER),y)
ifeq ($(CONFIG_ANY_TOOLCHAIN),y)
swid-files-compiler = $(build-dir)/compiler-generic.json
else ifeq ($(CONFIG_COMPILER_GCC),y)
swid-files-compiler = $(build-dir)/compiler-gcc.json
else ifeq ($(CONFIG_COMPILER_LLVM_CLANG),y)
swid-files-compiler = $(build-dir)/compiler-clang.json
endif
compiler-toolchain = $(CC_bootblock) $(CC_romstage) $(CC_ramstage) $(CC_postcar) $(CC_verstage) $(LD_bootblock) $(LD_romstage) $(LD_ramstage) $(LD_postcar) $(LD_verstage) $(AS_bootblock) $(AS_romstage) $(AS_ramstage) $(AS_postcar) $(AS_verstage) compiler-toolchain = $(CC_bootblock) $(CC_romstage) $(CC_ramstage) $(CC_postcar) $(CC_verstage) $(LD_bootblock) $(LD_romstage) $(LD_ramstage) $(LD_postcar) $(LD_verstage) $(AS_bootblock) $(AS_romstage) $(AS_ramstage) $(AS_postcar) $(AS_verstage)
swid-files-compiler = $(CONFIG_SBOM_COMPILER_PATH)
endif endif
# include all licenses used in coreboot. Ideally we would only include the licenses,
# which are used in this build
coreboot-licenses = $(foreach license, $(patsubst %.txt, %, $(filter-out retained-copyrights.txt, $(patsubst LICENSES/%, %, $(wildcard LICENSES/*)))), https://spdx.org/licenses/$(license).html) coreboot-licenses = $(foreach license, $(patsubst %.txt, %, $(filter-out retained-copyrights.txt, $(patsubst LICENSES/%, %, $(wildcard LICENSES/*)))), https://spdx.org/licenses/$(license).html)
# only include CBFS SBOM section if there is any data for it # only include CBFS SBOM section if there is any data for it