Commit Graph

24 Commits

Author SHA1 Message Date
Philipp Deppenwiese ea7fde7070 security/intel/txt: Add Intel TXT support
Add TXT ramstage driver:
 * Show startup errors
 * Check for TXT reset
 * Check for Secrets-in-memory
 * Add assembly for GETSEC instruction
 * Check platform state if GETSEC instruction is supported
 * Configure TXT memory regions
 * Lock TXT
 * Protect TSEG using DMA protected regions
 * Place SINIT ACM
 * Print information about ACMs

Extend the `security_clear_dram_request()` function:
 * Clear all DRAM if secrets are in memory

Add a config so that the code gets build-tested. Since BIOS and SINIT
ACM binaries are not available, use the STM binary as a placeholder.

Tested on OCP Wedge100s and Facebook Watson
 * Able to enter a Measured Launch Environment using SINIT ACM and TBOOT
 * Secrets in Memory bit is set on ungraceful shutdown
 * Memory is cleared after ungraceful shutdown

Change-Id: Iaf4be7f016cc12d3971e1e1fe171e6665e44c284
Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/37016
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Christian Walter <christian.walter@9elements.com>
(cherry picked from commit 5f9f77672d)
Reviewed-on: https://review.coreboot.org/c/coreboot/+/42712
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-by: Jonathan Zhang <jonzhang@fb.com>
2020-08-10 00:26:35 +00:00
Patrick Georgi 53b549c43d configs: add google/meep cros config as regression test
This config is a slightly stripped configuration of the Chromium OS
configuration used in production. Apparently the bootblock fills up
faster than usual on this device, resulting in address overflows.

Add this config here so we'll notice early in the future.

Change-Id: I3145bba63d32ddb9d00fd98d3cb774bf9ddd69a6
Signed-off-by: Patrick Georgi <pgeorgi@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/36923
Reviewed-by: Nico Huber <nico.h@gmx.de>
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Reviewed-by: Arthur Heymans <arthur@aheymans.xyz>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
2019-11-19 12:56:32 +00:00
Frans Hendriks 76ffa88e1e configs/config.facebook_fbg1701: Add config file
Enable vendorcode measured and verified boot.
Use VBOOT test key for VENDORCODE_ELTAN_VBOOT_KEY_FILE

BUG=N/A
TEST=booting Embedded Linux 4.20 kernel on Facebook FBG1701

Change-Id: Ia2cb3bb873b2d5e7e9031e5b249d86605d8e0945
Signed-off-by: Frans Hendriks <fhendriks@eltan.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/34343
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
2019-11-08 09:19:03 +00:00
Elyes HAOUAS 92a7599616 src/Kconfig: Drop unused DEBUG_ACPI
Change-Id: I135f3e6ec5e75df03331c0c46edb0be243af2adb
Signed-off-by: Elyes HAOUAS <ehaouas@noos.fr>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/36498
Reviewed-by: Nico Huber <nico.h@gmx.de>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
2019-11-05 14:58:11 +00:00
Arthur Heymans ca64305152 nb/intel/gm45: Build test with VBOOT
Change-Id: I21d20d7c575833ace02b4b8ed9d5c82750b331c7
Signed-off-by: Arthur Heymans <arthur@aheymans.xyz>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/36238
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Nico Huber <nico.h@gmx.de>
2019-11-04 11:34:59 +00:00
Patrick Rudolph 0c9d8a4ef5 configs: Build test CONFIG_BOOTSPLASH
Change-Id: I306d107720d51c2b378f739f68c31b8642f7354a
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/35615
Reviewed-by: Arthur Heymans <arthur@aheymans.xyz>
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
2019-09-27 16:20:16 +00:00
Kyösti Mälkki 7cdb047ce7 cpu/x86/smm: Promote smm_memory_map()
Change-Id: I909e9b5fead317928d3513a677cfab25e3c42f64
Signed-off-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/34792
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
2019-08-15 05:46:59 +00:00
Patrick Rudolph 9c0fe34511 configs: Build test OpenSBI
Build test OpenSBI on qemu-riscv-rv64.

Change-Id: I23b9a1b06987d8d8ebb90655162ba4abce1557fa
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/34691
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Philipp Hug <philipp@hug.cx>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
2019-08-06 12:04:09 +00:00
Christian Walter 04f995150f configs: Add test-build for up squared with vboot enabled
It would be useful if we have at least one "new" board on which we
actually built vboot, in order to notice if something breaks.

Change-Id: I16c7867e3f0f4e1f2e6ae3918c30789e39881b85
Signed-off-by: Christian Walter <christian.walter@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/34609
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Rudolph <siro@das-labor.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
2019-07-29 18:26:20 +00:00
Kyösti Mälkki 00ec563342 configs/lenovo: Drop DEBUG_SMM_RELOCATION
Not implemented for TSEG.

Change-Id: I279c546a921c0504cafaddcda855bd6ea3de7f8a
Signed-off-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/34325
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Rudolph <siro@das-labor.org>
Reviewed-by: Arthur Heymans <arthur@aheymans.xyz>
2019-07-15 04:49:09 +00:00
Patrick Rudolph 62bc1cb88b mb/lenovo/*: Add support for VBOOT on 8MiB devices
Enable VBOOT support on all devices that have a 8 MiB flash, using a
single RW_MAIN_A partition, allowing the use of tianocore payload in
both RW_MAIN_A and WP_RO.

* Add VBNV section to cmos.layout
* Add FMAP for VBOOT and regular boot
* Select Kconfigs for VBOOT
* Enable VBOOT_SLOTS_RW_A by default

Also build test VBOOT on Lenovo T420.

Tested on Lenovo T520 using Icb7b263ed86551cc53e1db7babccaca6b3ae2fe6.

Change-Id: Icb7b263ed86551cc53e1db7babccaca6b3ae2fe6
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/32585
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
2019-05-08 10:31:23 +00:00
Arthur Heymans c58525ee46 configs: Add a target to buildtest the ivybridge mrc.bin bootpath
Change-Id: Iff15e9586cd3e39850d986582b5943cbb8a184a7
Signed-off-by: Arthur Heymans <arthur@aheymans.xyz>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/32384
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
2019-04-23 10:18:44 +00:00
Arthur Heymans 06e33226b3 mb/intel/galileo: Drop the FSP1.1 option
This board is EOL and has FSP2.0 support, so drop the older
version.

Change-Id: If5297e87c7a7422e1a129a2d8687fc86a5015a77
Signed-off-by: Arthur Heymans <arthur@aheymans.xyz>
Reviewed-on: https://review.coreboot.org/c/30946
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
2019-02-11 12:28:52 +00:00
Patrick Georgi e7864ceabc soc/intel/apollolake: Add reset code to postcar stage
Also add a test case for that, a config taken from chromiumos with some
references to binaries dropped that aren't in our blobs repo (eg audio
firmware).

Change-Id: I411c0bacefd9345326f26db4909921dddba28237
Signed-off-by: Patrick Georgi <pgeorgi@google.com>
Reviewed-on: https://review.coreboot.org/29223
Reviewed-by: Martin Roth <martinroth@google.com>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
2018-10-23 07:11:31 +00:00
Piotr Król 1c54985bb0 configs: add sercon port and disable pxe serial console for apu{2,3,4,5}
To avoid mangled characters on serial output from iPXE we have to disable
serial from iPXE console. More to that to have correct serial input we
have to enable SeaBIOS SERCON option with default configuration.

The only limitation of this configs is that apu5 doesn't detect iPXE -
that platform is not for public use so it doesn't affect anyone.

Change-Id: I124705bd691b3c8dcd9a2636b17c019d02732c5a
Signed-off-by: Piotr Król <piotr.krol@3mdeb.com>
Reviewed-on: https://review.coreboot.org/28616
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Rudolph <siro@das-labor.org>
2018-09-16 13:04:09 +00:00
Patrick Rudolph 64efbe20bf configs: Build test verbose BDK and FIT payload support
Change-Id: I2075142a0b241222839899e707a1e3d264746432
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Reviewed-on: https://review.coreboot.org/28228
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
2018-08-20 14:34:33 +00:00
Patrick Rudolph 2d22cda32c configs: Add various common non-default mainboards
Build tests:
* Option table
* Static option table
* Verbose debugging code
* Sandy Bridge optional Kconfigs
* TPM debugging code
* Lenovo Bluetooth on Wifi
* Libgfxinit on Sandy Bridge

Change-Id: Ib463f578c97a212d0729aa6f54b7b6fba33e0478
Signed-off-by: Patrick Rudolph <siro@das-labor.org>
Reviewed-on: https://review.coreboot.org/28118
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Martin Roth <martinroth@google.com>
2018-08-17 21:18:41 +00:00
Piotr Król 36c601b17b configs: add PC Engines apu2 sample configuration
Change-Id: Ia131c8aec1235443465bc017e11f59f38bef76db
Signed-off-by: Piotr Król <piotr.krol@3mdeb.com>
Reviewed-on: https://review.coreboot.org/26118
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Martin Roth <martinroth@google.com>
2018-05-19 16:55:56 +00:00
Mariusz Szafranski 94b64431f3 configs: Add intel/harcuvar FSP 2.0 sample configuration
Add Intel Harcuvar CRB FSP 2.0 sample configuration.

Change-Id: I60ec6921eca17a910cd1b9f8b0b86a1a1bf9bbea
Signed-off-by: Mariusz Szafranski <mariuszx.szafranski@intel.com>
Reviewed-on: https://review.coreboot.org/21693
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: FEI WANG <wangfei.jimei@gmail.com>
Reviewed-by: Martin Roth <martinroth@google.com>
2017-10-04 02:56:33 +00:00
Lee Leahy 0cae6e9e5d configs: Add intel/galileo test configurations
Add Quark/Galileo configurations to build various test code:

* Galileo Gen1
* Galileo Gen2
* Galileo Gen2 + Quark debugging code
* Galileo Gen2 + FSP 1.1 debugging code
* Galileo Gen2 + FSP 2.0 debugging code
* Galileo Gen2 + SD debugging code
* Galileo Gen2 + vboot

TEST=Build for Galileo Gen1/Gen2

Change-Id: I04358fd9f6a0958b10dad3e01690b0d47e738684
Signed-off-by: Lee Leahy <Leroy.P.Leahy@intel.com>
Reviewed-on: https://review.coreboot.org/20272
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Martin Roth <martinroth@google.com>
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
2017-06-20 18:10:47 +02:00
Nico Huber 6d8266b91d Kconfig: Add choice of framebuffer mode
Rename `FRAMEBUFFER_KEEP_VESA_MODE` to `LINEAR_FRAMEBUFFER` and put
it together with new `VGA_TEXT_FRAMEBUFFER` into a choice. There are
two versions of `LINEAR_FRAMEBUFFER` that differ only in the prompt
and help text (one for `HAVE_VBE_LINEAR_FRAMEBUFFER` and one for
`HAVE_LINEAR_FRAMEBUFFER`). Due to `kconfig_lint` we have to model
that with additional symbols.

Change-Id: I9144351491a14d9bb5e650c14933b646bc83fab0
Signed-off-by: Nico Huber <nico.h@gmx.de>
Reviewed-on: https://review.coreboot.org/19804
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
2017-06-04 18:47:19 +02:00
Philipp Deppenwiese 5c765ceff9 configs/builder: Remove pre-defined VGA bios file
Removes the pre-defined VGA bios file and id because
the build system includes every vgabios.

Also make the VGA output primary by default

Change-Id: I87d52ef2d1e151c6e54beba64316fe9043668158
Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org>
Reviewed-on: https://review.coreboot.org/18181
Reviewed-by: Martin Roth <martinroth@google.com>
Tested-by: build bot (Jenkins)
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
2017-01-20 17:37:19 +01:00
Philipp Deppenwiese 96326d3aef configs/builder: Add Sandy/Ivy Bridge Thinkpad configurations
The coreboot builder makes use of the pre defined configuration
files by executing abuild with -d option. These configuration
files contain a basic configuration.

Change-Id: I41470fe7aaa0fdae545ad9d702326a202d0d2312
Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org>
Reviewed-on: https://review.coreboot.org/18161
Tested-by: build bot (Jenkins)
Reviewed-by: Martin Roth <martinroth@google.com>
2017-01-18 17:46:23 +01:00
Martin Roth 7a128cb9c3 configs: Add some sample default configuration files
Test some config options that don't typically get tested.

Change-Id: Ie05c99411c8ce6462a6f5502b086ee2b72a4324b
Signed-off-by: Martin Roth <martinroth@google.com>
Reviewed-on: https://review.coreboot.org/17591
Tested-by: build bot (Jenkins)
Reviewed-by: Nico Huber <nico.h@gmx.de>
2016-12-09 00:34:50 +01:00