Generate SHA256/SHA384 hash of the signed firmware so that PSP verstage
can pass it to PSP. The PSP will use these hashes to verify the
integrity of those signed firmwares.
BUG=b:203597980
TEST=Build Skyrim BIOS image.
Change-Id: I50d278536ba1eac754eb8a39c4c2e428a2371c44
Signed-off-by: Kangheui Won <khwon@chromium.org>
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/60290
Reviewed-by: Jon Murphy <jpmurphy@google.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Add support for separating signed firmwares into another CBFS. If
sig_opt flag in AMD/PSPFW file header is 1, it means that the firmware
is signed against AMD chain of trust and will be verified by PSP. If
those firmware binaries are put outside FW_MAIN_[AB], vboot can skip
redundant verification, improving overall verification time.
BUG=b:206909680
TEST=Build amdfwtool. Build Skyrim BIOS image and boot to OS.
Change-Id: I9f3610a7002b2a9c70946b083b0b3be6934200b0
Signed-off-by: Kangheui Won <khwon@chromium.org>
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/59866
Reviewed-by: Jon Murphy <jpmurphy@google.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Checkpatch script recommends to use __packed instead of
__attribute__((packed)). Currently the build rule for amdfwtool does not
include the required header file with __packed definition. Update the
compiler flag to include the required header file.
BUG=None
TEST=Build amdfwtool.
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@google.com>
Change-Id: I448cbad533608dd5c2bd4f2d827fcc5db5dee5cb
Reviewed-on: https://review.coreboot.org/c/coreboot/+/67384
Reviewed-by: Jon Murphy <jpmurphy@google.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Add parameters to support adding the location and size of
the PSP NVRAM area to the PSP directory table.
Verified this change on PCO based Bilby platform.
Change-Id: I1664893db6f6dcdc588aeaf9448c2d81390af5fa
Signed-off-by: Ritul Guru <ritul.bits@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/67137
Reviewed-by: Felix Held <felix-coreboot@felixheld.de>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
changes to reserve space for AMD_BIOS_SIG when
BIOS image is signed with RTMSignature.
Change-Id: Ia832fe83a3e29279c029fefc934c3ef4d335e2ea
Signed-off-by: Ritul Guru <ritul.bits@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/66259
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Felix Held <felix-coreboot@felixheld.de>
Consolidate MAX_BIOS_ENTRIES and MAX_PSP_ENTRIES definitions into one
file
Signed-off-by: Altamshali Hirani <al.hirani@amd.corp-partner.google.com>
Change-Id: Ie3c64a1875010e7fb368967283df6baf1cc7ba8d
Reviewed-on: https://review.coreboot.org/c/coreboot/+/62911
Reviewed-by: ritul guru <ritul.bits@gmail.com>
Reviewed-by: Bao Zheng <fishbaozi@gmail.com>
Reviewed-by: Felix Held <felix-coreboot@felixheld.de>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Amdfwtool creates AMD firmware images however there is currently no way
to get information from an existing image. This commit adds amdfwread to
support that functionality. At the moment only reading PSP soft fuse
flags is supported. Example usage: `amdfwread --soft-fuse bios.bin`,
example output: `Soft-fuse:0x400000030000041`.
BUG=b:202397678
TEST=Ran amdfwread and verified that it correctly reads the soft fuse
bits, verified that built AMD FW still boots on DUT
Signed-off-by: Robert Zieba <robertzieba@google.com>
Change-Id: I15fa07c9cad8e4640e9c40e5539b0dab44424850
Reviewed-on: https://review.coreboot.org/c/coreboot/+/62795
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Rob Barnes <robbarnes@google.com>
This binary file is required for use by Trusted Applications that
execute in PSP.
BUG=b:229947314
TEST=Build and boot to OS in Skyrim.
Change-Id: I2d05792cfd98fa9c38f5deef1ac3282625983eeb
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/64040
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Raul Rangel <rrangel@chromium.org>
Reviewed-by: Felix Held <felix-coreboot@felixheld.de>
The macro PSP_COMBO is removed and instead use the flag use_combo. As
long as this flag is false, the amdfwtool behaves the same way as the
macro does.
Change-Id: Ief0d78ae1e94b8183d6cf3195935ff9774fee426
Signed-off-by: Zheng Bao <fishbaozi@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/55455
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Felix Held <felix-coreboot@felixheld.de>
Use BHD instead of BDT as the name of cookie macro. Use L2 to make it
clear it is for level 2. The 'BHD2' is misleading, which is going to
be used for combo entry. The definition in psp_verstage is also changed.
Change-Id: Ia10ac5e873dab6db7d66e63773a7c63f504950b2
Signed-off-by: Zheng Bao <fishbaozi@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/55411
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Felix Held <felix-coreboot@felixheld.de>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
AMDFWtool maintains 2 copies of PSP Level2 entries - one in primary slot
A (Type 0x48) and another in backup slot B (Type 0x4A). On boards which
use VBOOT with 2 RW firmware slots, maintaining 2 copies of PSP Level2
entries in each FW slot is redundant and space-consuming. Introduce
option to maintain only one copy of PSP Level2 entries and point to it
from both slots A & B.
BUG=None
TEST=Build and boot to OS in Skyrim. Ensure that only one copy is added
to each FW slot. This achieved a space saving of 1.5 MB in each FW slot.
Before:
apu/amdfw 0x415fc0 raw 3043328 none
After:
apu/amdfw 0x415fc0 raw 1556480 none
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@google.com>
Change-Id: I06eef8e14b9c14db1d02b621c2f7207188d86326
Reviewed-on: https://review.coreboot.org/c/coreboot/+/63509
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Felix Held <felix-coreboot@felixheld.de>
This is for future feature combo, which gets the soc id from fw.cfg in
a loop instead of the command line, and the romsig is not set until
fw.cfg is processed.
Change-Id: Id50311034b46aa1791dcc10b107de4af6c86b927
Signed-off-by: Zheng Bao <fishbaozi@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/63344
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Felix Held <felix-coreboot@felixheld.de>
It is more reasonable than getting the value from memset.
For the reserved bits, keep them as they were for old SOCs.
Change-Id: I65caa11e835d2ff52bec4b8904057bbced434891
Signed-off-by: Zheng Bao <fishbaozi@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/63319
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Felix Held <felix-coreboot@felixheld.de>
Image Slot Header (ISH) is a new feature.
The rom layout for A/B recovery with ISH:
EFS -> PSP L1 0x48 -> ISH A -> PSP L2 A -> BIOS L2 A
0x4A -> ISH B -> PSP L2 B -> BIOS L2 B
The newer 55758 will updated about the boot priority and update retry
in ISH header.
Change-Id: Ib0690cde1dce949514c7aacebe13096b7814ceff
Signed-off-by: Zheng Bao <fishbaozi@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/57747
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Felix Held <felix-coreboot@felixheld.de>
Compared to Cezanne, the Sabrina SoC has a 3 additional PSP firmware
table entries, so add those as a preparation for Sabrina support.
Signed-off-by: Zheng Bao <fishbaozi@gmail.com>
Signed-off-by: Felix Held <felix-coreboot@felixheld.de>
Change-Id: Iaa5aacd53b3c7637f6d5e94b1a8d92bba57ddb9d
Reviewed-on: https://review.coreboot.org/c/coreboot/+/63120
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Raul Rangel <rrangel@chromium.org>
The rom layout for A/B recovery:
EFS -> PSP L1 0x48 -> PSP L2 A -> BIOS L2 A
0x4A -> PSP L2 B -> BIOS L2 B
The coreboot doesn't implement the AMD's A/B recovery. This is only
for the ROM layout. To save some flash space, the entire B section can
be eliminated.
To enable A/B recovery in PSP layout, add "--recovery-ab" to
amdfwtool.
TEST=Majolica(Cezanne)
Change-Id: I27f5d3476f648fcecafb8d258ccb6cfad4f50036
Signed-off-by: Zheng Bao <fishbaozi@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/56773
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Felix Held <felix-coreboot@felixheld.de>
For the generic board which uses Cezanne, we use the generic SPL
table. For the Guybrush Chromebook, we need to use a customized SPL
file.
BUG=b:216096562
Change-Id: I385b0fe13cb78a053c07127ec3ea1c61dc42c7e4
Signed-off-by: Zheng Bao <fishbaozi@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/61836
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Raul Rangel <rrangel@chromium.org>
SPL: Security Patch Level
The data in SPL is used for FW anti-rollback, preventing rollback of
platform level firmware to older version that are deemed vulnerable
from a security point of view.
BUG=b:216096562
Change-Id: I4665f2372ccd599ab835c8784da08cde5558a795
Signed-off-by: Zheng Bao <fishbaozi@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/61426
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Raul Rangel <rrangel@chromium.org>
Address Mode 0: Physical Address, bit 63~56: 0x00
Address Mode 1: Relative Address to entire BIOS image, bit 63~56: 0x40
Address Mode 2: Relative Address to PSP/BIOS directory, bit 63~56: 0x80
Address Mode 3: Relative Address to slot N, bit 63~56: 0xC0
It is the expanding mode for simple relative address mode, for which
address_mode equals 1.
Only mode 2 is added. We need to record current table base address and
calculate the offset. The ctx.current_table is zero outside the
table. When it goes into the function to integrate the table, it
should backup the old value and get current table base. Before it goes
out the function, it should restore the value.
If the table address mode is 2, the address in each entry should be
also add address mode information. If not, the address mode in entry
is meanless.
The old mode 0,1 should be back compatible.
Change-Id: I29a03f4381cd0507e2b2e3b359111e3375a73de1
Signed-off-by: Zheng Bao <fishbaozi@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/59308
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Felix Held <felix-coreboot@felixheld.de>
For combo layout, this is for combo header.
For non-combo layout, this is for PSP directory.
Change-Id: Ie7b5aec6b511ad61972908d1d22a13aeb7dd73a9
Signed-off-by: Zheng Bao <fishbaozi@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/58557
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Felix Held <felix-coreboot@felixheld.de>
The element at offset 0x14 in the embedded_firmware struct is the
pointer to the combo PSP directory header, so rename it from comboable
to combo_psp_directory to clarify that this is not a flag, but a pointer
to a data structure. Also rename psp_entry to psp_directory since it
points to the PSP directory table.
Signed-off-by: Felix Held <felix-coreboot@felixheld.de>
Change-Id: Ic6149c17ae813f4dcea71c308054849a1a2e4394
Reviewed-on: https://review.coreboot.org/c/coreboot/+/58419
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Raul Rangel <rrangel@chromium.org>
Reviewed-by: Kangheui Won <khwon@chromium.org>
This change can make the code be more flexible. And later we will use
amd_cb_config to transfer parameters.
Change-Id: Ic726aa9fc5f67803210af71d3e9cf2438b7e2a9b
Signed-off-by: Zheng Bao <fishbaozi@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/57062
Reviewed-by: Felix Held <felix-coreboot@felixheld.de>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
EFS: Embedded Firmware Structure
These structs and macros are defined in PSP specs(#55758).
They are supposed to be used by all C sources.
Change-Id: I8c7ed9fa626b249b4aa48544316a941dc2625c60
Signed-off-by: Zheng Bao <fishbaozi@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/54942
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Marshall Dawson <marshalldawson3rd@gmail.com>
Add the stdint.h header, and drop the GLIBC section from amdfwtool.h to build this tool on FreeBSD as well as Linux.
Signed-off-by: Idwer Vollering <vidwer@gmail.com>
Change-Id: I295fd308b0f5e2902931f02c9455823a614976de
Reviewed-on: https://review.coreboot.org/c/coreboot/+/48977
Reviewed-by: Felix Held <felix-coreboot@felixheld.de>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
To verify the consistency, see if timeless builds with and without
this patch result in identical coreboot.rom files.
BUG=b:154032833
TEST=Build & boot on mandolin
Change-Id: Icae73d0730106aab687486e555ba947796e5e757
Signed-off-by: Zheng Bao <fishbaozi@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/42859
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Nikolai Vyssotski <nikolai.vyssotski@amd.corp-partner.google.com>
Reviewed-by: Felix Held <felix-coreboot@felixheld.de>
Kangheui Won