Going forwards, vb2ex_commit_data will be used to flush both
nvdata and secdata.
The patch that is circularly dependent on this lies between a patch that
makes vboot no longer build and the patch that fixes that, so we have to
pull the whole thing in at once to sort out the mess.
Updating from commit id 1c4dbaa0:
2019-11-18 Julius Werner Makefile: Fix typo for MOCK_TPM
to commit id 695c56dc:
2019-12-04 Julius Werner Makefile: Make loop unrolling fully
controllable by the caller
BUG=b:124141368, chromium:1006689
TEST=make clean && make test-abuild
BRANCH=none
Change-Id: Ia2612da0df101cd3c46151dbce728633a39fada1
Signed-off-by: Joel Kitching <kitching@google.com>
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/37315
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Since struct vb2_shared_data already contains workbuf_size and
vboot_workbuf_size is never used in depthcharge, remove it from struct
sysinfo_t. In addition, remove lb_vboot_workbuf() and add
CBMEM_ID_VBOOT_WORKBUF pointer to coreboot table with
add_cbmem_pointers(). Parsing of coreboot table in libpayload is
modified accordingly.
BRANCH=none
BUG=chromium:1021452
TEST=emerge-nami coreboot libpayload depthcharge; Akali booted correctly
Change-Id: I890df3ff93fa44ed6d3f9ad05f9c6e49780a8ecb
Signed-off-by: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/37234
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Joel Kitching <kitching@google.com>
Reviewed-by: Julius Werner <jwerner@chromium.org>
After CB:36808, CB:36844 and CB:36845, all fields except buffer_offset
were removed from struct vboot_working_data. Since buffer_offset is used
to record the offset of the workbuf relative to the whole structure, it
is no longer needed.
This patch removes the structure, and renames vboot_get_working_data()
to vboot_get_workbuf().
BRANCH=none
BUG=chromium:1021452
TEST=emerge-nami coreboot
Change-Id: I304a5e4236f13b1aecd64b88ca5c8fbc1526e592
Signed-off-by: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/37231
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Joel Kitching <kitching@google.com>
With the persistent vboot context coreboot no longer needs to read GBB
flags from flash itself -- it can just ask vboot for the cached result.
This patch removes the existing GBB code and provides gbb_is_flag_set()
(with a slightly better namespaced name) as a static inline instead.
Change-Id: Ibc3ed0f3fbeb53d630925d47df4dc474b0ed07ee
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/37261
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Joel Kitching <kitching@google.com>
This macro is already defined in commonlib/helpers.h
Change-Id: I1fce2936757b13807e254f4a844f583b938bf349
Signed-off-by: Jacob Garber <jgarber1@ualberta.ca>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/37181
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: HAOUAS Elyes <ehaouas@noos.fr>
Reviewed-by: Alex James <theracermaster@gmail.com>
Reviewed-by: Julius Werner <jwerner@chromium.org>
The romcc bootblock will be deprecated soon and most platforms use
C_ENVIRONMENT_BOOTBLOCK already. This patch drops the
CONFIG_C_ENVIRONMENT_BOOTBLOCK symbol and adds CONFIG_ROMCC_BOOTBLOCK
where needed.
Change-Id: I773a76aade623303b7cd95ebe9b0411e5a7ecbaf
Signed-off-by: Arthur Heymans <arthur@aheymans.xyz>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/37154
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: HAOUAS Elyes <ehaouas@noos.fr>
Reviewed-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Reviewed-by: Michał Żygowski <michal.zygowski@3mdeb.com>
All cases of testing for __PRE_RAM__ have been converted
to equivalent ENV_xxx definitions from <rules.h>.
Change-Id: Ib6cd598f17109cc1072818cebe4791f7410c3428
Signed-off-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/37075
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Arthur Heymans <arthur@aheymans.xyz>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
No platform is using this.
Change-Id: I3ea6df4d9ce9043755f319f699adc189d754df1f
Signed-off-by: Arthur Heymans <arthur@aheymans.xyz>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/36985
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Reviewed-by: David Hendricks <david.hendricks@gmail.com>
Reviewed-by: Werner Zeh <werner.zeh@siemens.com>
Relocatable ramstage, postcar stage and C_ENVIRONMENT_BOOTBLOCK are
now mandatory features, which this platform lacks.
Change-Id: I8b6502b0894f9e2b8b1334871d7b6cde65cba7d4
Signed-off-by: Arthur Heymans <arthur@aheymans.xyz>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/36984
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Reviewed-by: David Hendricks <david.hendricks@gmail.com>
Reviewed-by: Werner Zeh <werner.zeh@siemens.com>
Currently, depthcharge and coreboot are using two different vboot libraries.
coreboot is using "fwlib20", while depthcharge uses "fwlib". The only
difference between the two libraries is the inclusion of vboot1-only
compilation units in fwlib, which are now deprecated. Therefore, coreboot
may as well use fwlib too. Vboot is expected to converge on a single firmware
library soon.
BUG=none
BRANCH=none
TEST=compiles and runs verstage correctly
Change-Id: I905b781c3596965ec7ef45a2a7eafe15fdd4d9cc
Signed-off-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/36341
Reviewed-by: Julius Werner <jwerner@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Add 4 new timestamps to the EC software sync flow:
1) Beginning of EC software sync
2) EC finished calculating Vboot hash
3) EC is no longer requesting power limiting
4) End of EC software sync
BUG=none
BRANCH=none
TEST=verified timestamps show up in cbmem log
Change-Id: I6e5703c146b5ec27d01700fdb39cb3d2092ea8a8
Signed-off-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/36209
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Use the new functions introduced into the EC driver to support
performing EC software sync via vboot callbacks.
NOTE: This patch assumes that the EC image is added to CBFS
uncompressed. Streaming decompression of the image will be added in a
future patch.
Also adds a new Kconfig option VBOOT_EARLY_EC_SYNC. The new Kconfig
option compiles EC software sync into romstage, dependent upon having a
CrOS EC.
BUG=b:112198832
BRANCH=none
TEST=Successful EC software sync
Change-Id: I9b1458a45ab3ed5623af50f78036c4f88461b226
Signed-off-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/36208
Reviewed-by: Julius Werner <jwerner@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Drop struct cbfs_props and replace with struct region_device object.
The goal of the cbfs locator APIs are to determine the correct region
device to find the cbfs files. Therefore, start directly using struct
region_device in the cbfs location paths. Update the users of the API
and leverage the default boot region device implementation for
apollolake.
Change-Id: I0158a095cc64c9900d8738f8ffd45ae4040575ea
Signed-off-by: Aaron Durbin <adurbin@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/36939
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Since we already have pre-RAM cache for FMAP (CB:36657), calling
load_firmware() multiple times is no longer a problem. This patch
replaces vboot_get_selected_region() usage with vboot_locate_firmware(),
which locates the firmware by reading from the CBMEM cache.
In addition, returning false from vboot_is_slot_selected() implies the
recovery path was requested, i.e., vb2_shared_data.recovery_reason was
set. Therefore, we simply remove the vboot_is_slot_selected() check from
vboot_check_recovery_request().
BRANCH=none
BUG=chromium:1021452
TEST=emerge-kukui coreboot
Change-Id: I27cb1a2175beb189053fc3e44b17b60aba474bb0
Signed-off-by: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/36845
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Since buffer_size is no longer used, remove it from struct
vboot_working_data.
BRANCH=none
BUG=chromium:1021452
TEST=emerge-kukui coreboot
Change-Id: Ie770e89b4a45e0ec703d5bbb8fb6a298ce915056
Signed-off-by: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/36844
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
This patch moves the traditional POSIX stdbool.h definitions out from
stdint.h into their own file. This helps for using these definitions in
commonlib code which may be compiled in different environments. For
coreboot everything should chain-include this stuff via types.h anyway
so nothing should change.
Change-Id: Ic8d52be80b64d8e9564f3aee8975cb25e4c187f5
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/36837
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
In order to always show the bootlogo very early in coreboot we need the
option to always enable the display when VBOOT is enabled.
To do this a config option is added to make sure this functionality can
be provided without interfering with systems that require the standard
VBOOT display handing.
BUG=N/A
TEST=tested on facebook fbg1701.
Change-Id: I3ffaac85d2082717bb9608d536f7cec66a583789
Signed-off-by: Wim Vervoorn <wvervoorn@eltan.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/36547
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Frans Hendriks <fhendriks@eltan.com>
Reviewed-by: Nico Huber <nico.h@gmx.de>
vboot_possibly_executed previously provided some better
compile-time code elimination, before CB:32716 made
vboot_logic_executed capable of that directly.
BUG=b:124141368,
TEST=make clean && make test-abuild
BRANCH=none
Change-Id: If5ca8f03c51e1ced20e1215b1cfdde54da3d001f
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/36863
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
The comment in the source referred to an earlier approach, so update
it to match current reality.
Change-Id: I9a23ec0a719fb623cfd465c397ef7ef16550b93c
Signed-off-by: Patrick Georgi <pgeorgi@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/36862
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Joel Kitching <kitching@google.com>
Since now we have persistent context, the usage of the flags can be
replaced with vb2_context.flags.
BRANCH=none
BUG=chromium:1021452
TEST=emerge-kukui coreboot
Change-Id: I8e5757a8cc09712c3acde9cbaab910b7498681b4
Signed-off-by: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/36808
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
vb2_context object is now stored on the workbuf as part of
vb2_shared_data. Use vboot's new API functions vb2api_init
and vb2api_relocate to create and move the workbuf.
BUG=b:124141368, chromium:994060
TEST=Build locally
BRANCH=none
Change-Id: I051be1e47bf79b15a1689d49a5d4c031e9363dfa
Signed-off-by: Joel Kitching <kitching@google.com>
Also-Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/coreboot/+/1902339
Reviewed-on: https://review.coreboot.org/c/coreboot/+/36300
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
Reviewed-by: Stefan Reinauer <stefan.reinauer@coreboot.org>
Reviewed-by: Maulik V Vaghela <maulik.v.vaghela@intel.com>
An empty submenu Intel is displayed in security menu when INTEL_TXT is
disabled.
Enable submenu Intel only when INTEL_TXT is enabled.
BUG=N/A
TEST=build
Change-Id: Iff1d84ff60a15259b60c6205a63a27ecb26346a3
Signed-off-by: Wim Vervoorn <wvervoorn@eltan.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/36852
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Nico Huber <nico.h@gmx.de>
In some case where the flash space is limited or when a large payload such as LinuxBoot
is used, the RO region may not be large enough to contain all components that would
normally be added.
This patch adds the possibility to add specific components to the RW regions only in
the same way as the RO_ONLY_SUPPORT does for the RO region.
Please note: this applies only to the items that would normally be added to all regions.
If the payload is directed to the RW region only, a recovery payload needs to be added
to the RO region manually.
BUG=N/A
TEST=build
Change-Id: Ie0df9b5dfc6df4f24efc5582a1aec9ecfb48c44d
Signed-off-by: Wim Vervoorn <wvervoorn@eltan.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/36544
Reviewed-by: Arthur Heymans <arthur@aheymans.xyz>
Reviewed-by: Frans Hendriks <fhendriks@eltan.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
With this change cbfs_boot_locate will check the RO (COREBOOT) region if
a file can not be found in the active RW region. By doing so it is not
required to duplicate static files that are not intended to be updated
to the RW regions.
The coreboot image can still be updated by adding the file to the RW
region.
This change is intended to support VBOOT on systems with a small flash
device.
BUG=N/A
TEST=tested on facebook fbg1701
Change-Id: I81ceaf927280cef9a3f09621c796c451e9115211
Signed-off-by: Wim Vervoorn <wvervoorn@eltan.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/36545
Reviewed-by: Frans Hendriks <fhendriks@eltan.com>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
When prog_locate() is called in the stage VBOOT is starting from and the
image to be loaded is not the target image vboot_prepare() may be called
too early.
To prevent this vboot_prepare() is removed from the vboot_locator
structure. This allows more control over the start of the vboot logic.
To clarify the change the vboot_prepare() has been renamed to
vboot_run_logic() and calls to initialize vboot have been added at the
following places:
postcar_loader: when VBOOT starts in ROMSTAGE
romstage_loader: when VBOOT starts in BOOTBLOCK
ramstage_loader: when VBOOT starts in ROMSTAGE
BUG=N/A
TEST=tested on facebook fbg1701
Change-Id: Id5e8fd78458c09dd3896bfd142bd49c2c3d686df
Signed-off-by: Wim Vervoorn <wvervoorn@eltan.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/36543
Reviewed-by: Frans Hendriks <fhendriks@eltan.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Fix compiler warning by adding an additional check for the fastpath
memset.
Change-Id: I9a80438995bafe7e436f3fe2180b8c9574eeff23
Signed-off-by: Patrick Rudolph <siro@das-labor.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/35682
Reviewed-by: Arthur Heymans <arthur@aheymans.xyz>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
* Add cbfsoption --ibb to mark files as IBB
* Will be used by "Legacy FIT TXT" boot
Change-Id: I83313f035e7fb7e1eb484b323862522e28cb73d4
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/31497
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
There are use cases where TPM has already been set up in a previous
stage, e.g. TXT or when a CPU reset without a platform reset happens.
If this is the case the TPM startup will return a
INVALID_POSTINIT (return code 0x26). This adds a Kconfig to allow
platforms to disregard that return code.
Change-Id: I238b30866f78608c414de877b05a73cf8fdb9bbd
Signed-off-by: Arthur Heymans <arthur@aheymans.xyz>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/36027
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Required for new VB2_ASSERT and VB2_DIE macros in vboot code.
(See chromium:972956.)
BUG=b:124141368, chromium:1005700
TEST=make clean && make test-abuild
BRANCH=none
Change-Id: I61a1036ccab80862d6eb12f9f72286f29e8478cf
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/36035
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
The HWID in vboot GBB is an identifier for machine model. On Chrome OS,
that should be provisioned in manufacturing process (by collecting real
hardware information), and will be checked in system startup.
For bring up developers, they usually prefer to generate a test-only
string for HWID. However that format was not well documented and cause
problems. Further more, most Chromebooks are using HWID v3+ today while
the test-only HWID is usually v2. Non-Chrome OS developers may also
prefer their own format.
To simplify development process, the GBB_CONFIG now defaults to empty
string, and will be replaced by a board-specific test-only v2 HWID
automatically. Developers can still override that in mainboard Kconfig
if they prefer v3 or other arbitrary format.
BUG=b:140067412
TEST=Built 'kukui' successfully. Removed kukui GBB config and built
again, still seeing correct test HWID.
Change-Id: I0cda17a374641589291ec8dfb1d66c553f7cbf35
Signed-off-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/35634
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
With the support of various algorithms and banks in tlcl_extend(),
digest_algo parameter of tpm_extend_pcr() started defining the target
PCR bank in TPM2 case.
The OS expects coreboot to extend the SHA256 bank of BOOT_MODE_PCR.
The value that the OS expects coreboot to extend into BOOT_MODE_PCR
is the SHA1 digest of mode bits extended to the length of SHA256 digest
by appending zero bytes.
Thus the correct value for digest_algo passed into tpm_extend_pcr() for
BOOT_MODE_PCR is TPM_ALG_SHA256.
This didn't matter until adding the support for multiple digest introduced
by patches like https://review.coreboot.org/c/coreboot/+/33252, as
tlcl_extend always used SHA256 bank before.
Change-Id: I834fec24023cd10344cc359117f00fc80c61b80c
Signed-off-by: Andrey Pronin <apronin@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/35476
Reviewed-by: Julius Werner <jwerner@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
This reverts commit fdb9805d68.
CB:33252 wasn't reviewed by a TPM maintainer and breaks abstraction
layers (pulling TSS-details into TSPI, completely changing
interpretation of the arguments to tlcl_extend() based on TSS version).
It's also not clear why it was implemented the way it was (should have
been much easier and cleaner ways to achieve the same thing).
Since the author is not reacting, let's revert it for now. It can be
cleaned up and resubmitted later. (Not reverting the header changes
since those are not objectionable, and there are later patches dependent
on it.)
Change-Id: Ice44f55c75a0acc07794fe41c757a7bca75406eb
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/35351
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
TPMU_HA is a union of all the different hash digests, and so
sizeof(TPMU_HA) evaluates to 64 (the size of the largest one). This will
lead to out-of-bounds writes when copying smaller digests, so use the
specific digest size for each algorithm.
Change-Id: Ic9101f157d5a19836b200ecd99f060de552498d2
Signed-off-by: Jacob Garber <jgarber1@ualberta.ca>
Found-by: Coverity CID 14049{49,50,51,52,53,54,55,56,57,58,60,61,62}
Reviewed-on: https://review.coreboot.org/c/coreboot/+/35287
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
To support multi digists the tlcl_extend() for TPM2 expects
TPML_DIGEST_VALUE pointer as input argument.
BUG=N/A
TEST=Build binary and verified logging on Facebook FBG-1701
Change-Id: I8d86c41c23e4e93a84e0527d7cddcfd30d5d8394
Signed-off-by: Frans Hendriks <fhendriks@eltan.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/33252
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Lance Zhao <lance.zhao@gmail.com>
mashal_TPMT_HA() uses size of SHA-256 hash.
Use tlcll_get_hash_size_from_algo() to determince the hash size.
BUG=N/A
TEST=Build binary and verified logging on Facebook FBG-1701
Change-Id: I739260e13e9cd10a61d52e13e8741b12ec868d7f
Signed-off-by: Frans Hendriks <fhendriks@eltan.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/33251
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Lance Zhao <lance.zhao@gmail.com>
Reviewed-by: Felix Held <felix-coreboot@felixheld.de>
Fastboot support in vboot_reference is unused, unmaintained, and
produces compile errors when enabled. Since there is no current
or planned use cases for fastboot, remove it.
BUG=b:124141368, chromium:995172
TEST=make clean && make test-abuild
BRANCH=none
Change-Id: I06ea816ffb910163ec2c3c456b3c09408c806d0b
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/35002
Reviewed-by: Julius Werner <jwerner@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
* Add Kconfig to enable TXT
* Add possibility to add BIOS and SINIT ACMs
* Set default BIOS ACM alignment
* Increase FIT space if TXT is enabled
The following commits depend on the basic Kconfig infrastructure.
Intel TXT isn't supported until all following commits are merged.
Change-Id: I5f0f956d2b7ba43d4e7e0062803c6d8ba569a052
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/34585
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: David Hendricks <david.hendricks@gmail.com>
These are required to cover the absensce of .data and
.bss sections in some programs, most notably ARCH_X86
in execute-in-place with cache-as-ram.
Change-Id: I80485ebac94b88c5864a949b17ad1dccdfda6a40
Signed-off-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/35003
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
To make explicit when vboot2 error codes should be returned,
use the new vb2_error_t type on all functions which return
VB2_ERROR_* constants.
Additionally, add required vboot submodule commit id e6700f4c:
2019-07-31 14:12:30 +0800 - (vboot: update vboot2 functions to use new vb2_error_t)
NOTE: This patch was merged separately on the Chromium tree:
https://chromium-review.googlesource.com/c/1728499
BUG=b:124141368, chromium:988410
TEST=make clean && make test-abuild
BRANCH=none
Change-Id: I804c2b407e496d0c8eb9833be629b7c40118415c
Signed-off-by: Joel Kitching <kitching@google.com>
Cq-Depend: chromium:1728292
Reviewed-on: https://review.coreboot.org/c/coreboot/+/34860
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Previously, the initial value for secdatak was embedded
in secdata_tpm.c as a uint8_t array. Switch to using
vb2api_secdatak_create instead, and write the value in
ctx->secdatak.
Remove an unnecessary call to vb2api_secdata_create in
_factory_initialize_tpm.
BUG=b:124141368, chromium:972956
TEST=make clean && make test-abuild
BRANCH=none
TEST=Check that size and value of initial secdatak
has not changed. Apply the patch below and
check for this output:
_factory_initialize_tpm():266: _factory_initialize_tpm: secdatak sizes are identical? 1
_factory_initialize_tpm():269: _factory_initialize_tpm: secdatak values are identical? 1
diff --git a/src/security/vboot/secdata_tpm.c b/src/security/vboot/secdata_tpm.c
index ff62185107..c1818b482f 100644
--- a/src/security/vboot/secdata_tpm.c
+++ b/src/security/vboot/secdata_tpm.c
@@ -148,6 +148,18 @@ static uint32_t write_secdata(uint32_t index,
return TPM_E_CORRUPTED_STATE;
}
+/*
+ * This is derived from rollback_index.h of vboot_reference. see struct
+ * RollbackSpaceKernel for details.
+ */
+static const uint8_t secdata_kernel[] = {
+ 0x02,
+ 0x4C, 0x57, 0x52, 0x47,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00,
+ 0xE8,
+};
+
/*
* This is used to initialize the TPM space for recovery hash after defining
* it. Since there is no data available to calculate hash at the point where TPM
@@ -250,6 +262,11 @@ static uint32_t _factory_initialize_tpm(struct vb2_context *ctx)
* indication that TPM factory initialization was successfully
* completed.
*/
+ VBDEBUG("%s: secdatak sizes are identical? %d\n", __func__,
+ sizeof(secdata_kernel) == sizeof(ctx->secdatak));
+ VBDEBUG("%s: secdatak values are identical? %d\n", __func__,
+ memcmp(secdata_kernel, ctx->secdatak,
+ sizeof(secdata_kernel)) == 0);
RETURN_ON_FAILURE(set_kernel_space(ctx->secdatak));
if (CONFIG(VBOOT_HAS_REC_HASH_SPACE))
@@ -452,7 +469,7 @@ uint32_t antirollback_read_space_firmware(struct vb2_context *ctx)
/* Read the firmware space. */
rv = read_space_firmware(ctx);
- if (rv == TPM_E_BADINDEX) {
+ if (true) {
/*
* This seems the first time we've run. Initialize the TPM.
*/
Change-Id: I74261453df6cc55ef3f38d8fb922bcc604084c0a
Signed-off-by: Joel Kitching <kitching@google.com>
Cq-Depend: chromium:1652874, chromium:1655049
Reviewed-on: https://review.coreboot.org/c/coreboot/+/33386
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Add support for Intel PTT. For supporting Intel PTT we need to disable
read and write access to the TPM NVRAM during the bootblock. TPM NVRAM
will only be available once the DRAM is initialized. To circumvent this,
we mock secdata if HAVE_INTEL_PTT is set. The underlying problem is,
that the iTPM only supports a stripped down instruction set while the
Intel ME is not fully booted up. Details can be found in Intel document
number 571993 - Paragraph 2.10.
Change-Id: I08c9a839f53f96506be5fb68f7c1ed5bf6692505
Signed-off-by: Christian Walter <christian.walter@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/34510
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Add the Command Response Buffer which is defined in the TPM 2.0 Specs.
CRB can be specified with MAINBOARD_HAS_CRB_TPM, even though it is
actually SoC/SB specific.
Change-Id: I477e45963fe3cdbc02cda9ae99c19142747e4b46
Signed-off-by: Christian Walter <christian.walter@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/34106
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
This reverts commit 598af2e2c2.
Reason for revert: This commit breaks every board with VBOOT enabled
if the platform is apollolake, broadwell, skylake, baswell, baytrails
or icelake. The reason is, that the SoC selects
VBOOT_MUST_REQUEST_DISPLAY by default, and this has a dependency now
on VBOOT_MAY_SKIP_DISPLAY_INIT. This will only be auto-selected if
it is a CHROMEOS platform.
Change-Id: I3872d9aa993326ded135d8a5d950d5b1b1eddf34
Signed-off-by: Christian Walter <christian.walter@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/34308
Reviewed-by: Nico Huber <nico.h@gmx.de>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
vboot_handoff is no longer used in coreboot, and is not
needed in CBMEM or cbtable.
BUG=b:124141368, b:124192753
TEST=make clean && make runtests
BRANCH=none
Change-Id: I782d53f969dc9ae2775e3060371d06e7bf8e1af6
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/33536
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
Reviewed-by: Martin Roth <martinroth@google.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Add function tlcl_getcapability() to return TPM2 capability.
To support TPM2 capability TPM_CAP_PCRS handling is added to
unmarshal_get_capability().
BUG=N/A
TEST=Build binary and verified logging on Facebook FBG-1701
Change-Id: I85e1bd2822aa6e7fd95ff2b9faa25cf183e6de37
Signed-off-by: Frans Hendriks <fhendriks@eltan.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/30826
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
This config option, when set, will allow the platform to skip display
initialization in normal (non-developer, non-recovery) mode. This allows
platforms that do not implement firmware UI in normal mode to skip the
display init in firmware.
TEST=Set option CONFIG_VBOOT and clear CONFIG_VBOOT_MAY_SKIP_DISPLAY_INIT
and the display should initialize in ramstage when platform boots. Set
CONFIG_VBOOT and set CONFIG_VBOOT_MAY_SKIP_DISPLAY_INIT and the display
initialization should be skipped in coreboot.
Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
Change-Id: Icadad6da34dcb817af02868e89a94ea62dbfa7b3
Reviewed-on: https://review.coreboot.org/c/coreboot/+/33844
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
When we added CONFIG_VBOOT_MIGRATE_WORKING_DATA, the idea was that on
some Arm platforms the original working data buffer was in SRAM, which
stays accessbile for the whole runtime of the system. There is no reason
to migrate it into CBMEM on those platforms because ramstage and the
payload could continue to access it in SRAM.
Now that we've had a couple of months of experience with this option, we
found that most of our Arm platforms have some issue that requires
migrating anyway, because BL31 often claims SRAM for itself and makes it
inaccessible to the payload. On the remaining platforms, accessing SRAM
from the payload is possible but still an issue, because libpayload
doesn't have enough memory layout information to set up proper page
tables for it, so we're accessing it uncached and at risk of alignment
errors.
Rather than having to figure out how to map the right SRAM range for
every platform in the payload, let's just get rid of the option.
memcpy()ing 12KB isn't worth this much hassle.
Change-Id: I1b94e01c998f723c8950be4d12cc8f02b363a1bf
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/33952
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Joel Kitching <kitching@google.com>
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
* Add architecture independend way of clearing all DRAM
* Implemented in ramstage as MTRRs need to be set to speed up
clearing. Takes up to 15 seconds per GiB otherwise.
* Use memset_pae on x86
* Add quirks for FSP1.0
Tested on P8H61M-Pro:
* Clears 4GiB in less than 1 second
Tested on wedge100s:
* Clears 8GiB in 2 seconds
Change-Id: Idaadb8fb438e5b95557c0f65a14534e8762fde20
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/31550
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
No message is reported in tlcl_lib_init() when tis_init() or tis_open()
returned an error value.
Add debug string.
BUG=N/A
TEST=Build binary and verified logging on Facebook FBG-1701
Change-Id: I522e488ddd3a1bd94a1a8c8470c757bd79c6d5c5
Signed-off-by: Frans Hendriks <fhendriks@eltan.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/33415
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Felix Held <felix-coreboot@felixheld.de>
Add files to introduce a memory clearing framework.
Introduce Kconfig PLATFORM_HAS_DRAM_CLEAR that is to be selected by
platforms, that are able to clear all DRAM.
Introduce Kconfig SECURITY_CLEAR_DRAM_ON_REGULAR_BOOT that is user
selectable to always clear DRAM on non S3 boot.
The function security_clear_dram_request tells the calling platform when
to wipe all DRAM. Will be extended by TEE frameworks.
Add Documentation for the new security API.
Change-Id: Ifba25bfdd1057049f5cbae8968501bd9be487110
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/31548
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Reviewed-by: Christian Walter <christian.walter@9elements.com>
Depthcharge no longer reads this data structure, and uses
the vboot workbuf in vboot_working_data instead.
Since vboot2 downstream migration is not yet completed, the
vboot2 -> vboot1 migration code is still required, but has
been relocated to depthcharge.
BUG=b:124141368, b:124192753
TEST=make clean && make runtests
BRANCH=none
Change-Id: I769abbff79695b38d11fb6a93c2b42f64d4bafde
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/33535
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
tss_marshaling.c and tss.c depends on VBOOT for postcar.
Eltan vendorcode used function in these file, but has VBOOT disabled.
Remove depency of VBOOT for postcar fo tss/tcg-2.0/tss-marshaling.c and
tss/tcg-2.0/tss.c
BUG=N/A
TEST=Created binary and verify logging on Facebook FBG-1701
Change-Id: I195c79283abf403208f406518372bf52289772ed
Signed-off-by: Frans Hendriks <fhendriks@eltan.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/33444
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Logging and clearing the recovery mode switch doesn't have
anything to do with vboot_handoff. Move it to the main verstage
logic file.
BUG=b:124141368, b:124192753
TEST=make clean && make test-abuild
BRANCH=none
Change-Id: I2e74f3893463e43fe5fad4a8df8036560f34e0db
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/33534
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
These functions are no longer used and may be removed:
* vboot_handoff_check_recovery_flag
* vboot_get_handoff_flag
BUG=b:124141368, b:124192753
TEST=make clean && make test-abuild
BRANCH=none
Change-Id: Ie05652ef1288eef74bd2e7e8bea79fd29d523859
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/33533
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Two functions retrieve vboot recovery_reason:
* vboot_handoff_get_recovery_reason
* vboot_get_recovery_reason_shared_data
Previously, when CBMEM comes online, a vboot_handoff data
structure is created, and depending on the architecture,
coreboot may eventually lose access to vboot_working_data.
After implementing vboot_working_data CBMEM migration,
vboot_working_data is always guaranteed to be accessible.
vboot_get_recovery_reason_shared_data is corrected to also
allow accessing vboot_working_data in ramstage and postcar.
Now, vboot_handoff_get_recovery reason returning a valid recovery
reason implies that vboot_get_recovery_reason_shared_data should
*also* return a valid recovery reason. Thus we may remove the
former.
BUG=b:124141368, b:124192753
TEST=make clean && make test-abuild
BRANCH=none
Change-Id: Iac216dc968dd155d9d4f8bd0f2dfd5034762f9a0
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/33532
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Recovery path should finalize work context, and trim
vboot_working_data buffer_size. Otherwise, depthcharge ingests
the full 12 KB workbuf in recovery path.
BUG=chromium:972528, b:134893812
TEST=Build with vboot_reference CL:1584488. Check that USB disks
are properly verified in recovery path.
BRANCH=none
Change-Id: Icf2600d2eb5d846a26aec35a153946dd2f7f128c
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/33358
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Add a new post code, POST_INVALID_ROM, used when coreboot fails to
locate or validate a resource that is stored in ROM.
BUG=b:124401932
BRANCH=sarien
TEST=build coreboot for sarien and arcada platforms
Change-Id: Ie6de6590595d8fcdc57ad156237fffa03d5ead38
Signed-off-by: Keith Short <keithshort@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/32770
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Reviewed-by: Duncan Laurie <dlaurie@chromium.org>
vboot_measure_cbfs_hook() is included when CONFIG_VBOOT_MEASURED_BOOT
is enabled, but this function is defined as 0 in vboot_crtm.h using ENV_
Remove ENV_ for vboot_measure_cbfs_hook() function definition.
This function is added to bootblock stage also.
BUG=NA
TEST=Build Google Banon and Google Cyan
Change-Id: Ic62c18db09c119dfb85340a6b7f36bfd148aaa45
Signed-off-by: Frans Hendriks <fhendriks@eltan.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/32532
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Rudolph <siro@das-labor.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Save whether or not vboot has selected developer mode as a flag
in vboot_working_data. Other coreboot code may access this flag
without needing to consult vboot_handoff (which is in the process
of being deprecated).
BUG=b:124141368, b:124192753
TEST=make clean && make test-abuild
BRANCH=none
Change-Id: Ieb6ac4937c943aea78ddc762595a05387d2b8114
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/32843
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
Reviewed-by: Julius Werner <jwerner@chromium.org>
As of CL:1605641, vboot2 code should be used for setting and
checking display init state. Remove all vboot1 OPROM-related
code, and use the vboot2 display init code which has already
been added in previous commits.
coreboot should not be reading vboot NVRAM flags directly.
Remove the function vboot_wants_oprom(), and instead rely on
display_init_required(), which uses the
VBOOT_WD_FLAG_DISPLAY_INIT value stored in
vboot_working_data.flags, initialized during verstage.
Note that this means in the case of CONFIG_VBOOT=y, the return
value of display_init_required() can only be trusted after
verstage has been executed. This should not be a problem
assuming that all display initialization occurs in ramstage.
BUG=b:124141368, b:124192753, chromium:948529
TEST=Build locally
TEST=make clean && make test-abuild
BRANCH=none
Change-Id: Ic8f9dc5a3c7f1546a8fed82bde02be4d04568f8d
Signed-off-by: Joel Kitching <kitching@google.com>
Cq-Depend: chromium:1605641, chromium:1605525
Reviewed-on: https://review.coreboot.org/c/coreboot/+/32723
Reviewed-by: Furquan Shaikh <furquan@google.com>
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Verified Boot OPROM code is being refactored. OPROM is being
generalized into "display initialization". As such, the NVRAM
request flag is being renamed from OPROM_NEEDED to
DISPLAY_REQUEST.
BUG=b:124141368, b:124192753, chromium:948529
TEST=make clean && make test-abuild
BRANCH=none
Change-Id: I74374abf7d1deb594c073f7a4a76c9de46092143
Signed-off-by: Joel Kitching <kitching@google.com>
Cq-Depend: chromium:1605640
Reviewed-on: https://review.coreboot.org/c/coreboot/+/32720
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Reviewed-by: Julius Werner <jwerner@chromium.org>
This patch moves vboot_logic_executed() (and its dependencies) into a
header and turns it into a static inline function. The function is used
to guard larger amounts of code in several places, so this should allow
us to save some more space through compile-time elimination (and also
makes it easier to avoid undefined reference issues in some cases).
Change-Id: I193f608882cbfe07dc91ee90d02fafbd67a3c324
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/32716
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Reviewed-by: Frans Hendriks <fhendriks@eltan.com>
This patch adds another check to vboot_logic_executed() to make sure we
only do a runtime check for verstage_should_load() if
CONFIG_VBOOT_RETURN_FROM_VERSTAGE is enabled. That's the only case where
the stage that's loading the verstage can execute after verification has
run (because the verstage will return to it when it's done). In the
other case, the stage that loads verstage really just loads it and will
never do anything again after hand-off, so it's guaranteed to always
execute before verification.
This change may allow extra dead-code elimination in some cases.
Change-Id: I7019b6f7b0acfbf0a8173914b53364751b08f2cf
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/32714
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Should include vb2_sha.h header when SHA library functions or
constants are required. This replaces NEED_VB2_SHA_LIBRARY.
BUG=b:124141368, chromium:956474
TEST=make clean && make test-abuild
BRANCH=none
Change-Id: I9f32174dbf3de05fbe5279cb8017888757abf368
Signed-off-by: Joel Kitching <kitching@google.com>
Cq-Depend: chromium:1583820
Reviewed-on: https://review.coreboot.org/c/coreboot/+/32454
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Input: tell vb2api_fw_phase1 if display unconditionally available
Output: vb2api_fw_phase1 may request coreboot to initialize
display, if needed based on some internal request
Move setting the VBOOT_FLAG_DISPLAY_REQUESTED flag into
verstage_main.
BUG=b:124141368, b:124192753, chromium:948529
TEST=make clean && make test-abuild
BRANCH=none
Change-Id: I81c82c46303564b63b8a32e7f80beb9d891a4628
Cq-Depend: chromium:1564232
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/32324
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
The VbInitParams struct will be deprecated. Remove its
use in preparation.
Additionally, remove use of the flag
VB_INIT_OUT_ENABLE_USB_STORAGE, which is no longer used
downstream since vboot_reference CL:347257.
BUG=b:124141368, chromium:960226
TEST=make clean && make test-abuild
BRANCH=none
Change-Id: Ibe02cb6ba639de0d7cbdf79fc4dbf49044c92278
Signed-off-by: Joel Kitching <kitching@google.com>
Cq-Depend: chromium:1583943
Reviewed-on: https://review.coreboot.org/c/coreboot/+/32664
Reviewed-by: Furquan Shaikh <furquan@google.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Remove use of deprecated GoogleBinaryBlockHeader struct, and
replace with vb2_gbb_header.
BUG=b:124141368, chromium:954774
TEST=make clean && make test-abuild
BRANCH=none
Change-Id: Iee3bd877cb1791a689efdeabda324f43f7d0c6f2
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/32455
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
The name OPROM is somewhat inaccurate, since other steps to bring
up display and graphics are needed depending on mainboard/SoC.
This patch cleans up OPROM code nomenclature, and works towards
the goal of deprecating vboot1:
* Rename CONFIG_VBOOT_OPROM_MATTERS to
CONFIG_VBOOT_MUST_REQUEST_DISPLAY and clarify Kconfig
description
* Remove function vboot_handoff_skip_display_init
* Remove use of the VbInit oflag VB_INIT_OUT_ENABLE_DISPLAY
* Add |flags| field to vboot_working_data struct
* Create VBOOT_FLAG_DISPLAY_REQUESTED and set in vboot_handoff
BUG=b:124141368, b:124192753, chromium:948529
TEST=make clean && make test-abuild
TEST=build and flash eve device; attempt loading dev/rec modes
BRANCH=none
Change-Id: Idf111a533c3953448b4b9084885a9a65a2432a8b
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/32262
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
NEED_VB20_INTERNALS should always be specified when peeking
into vboot internal data structures.
BUG=b:124141368, chromium:956474
TEST=make clean && make test-abuild
BRANCH=none
Change-Id: I5a47a28350fd5a68efeff0d06ca150c1ae145412
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/32452
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Modify the POWER_OFF_ON_CR50_UPDATE Kconfig option so that specific
mainboard implementations can disable the option.
BUG=b:126632503
BRANCH=none
TEST=Build coreboot on sarien/arcada.
TEST=Perform Cr50 firmware update on Sarien, confirm the platform boots
normally after sending TURN_UPDATE_ON to the Cr50.
Change-Id: I3beefaae21de61e53ae232dbdc8ea9dbb2c78cd5
Signed-off-by: Keith Short <keithshort@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/32435
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Duncan Laurie <dlaurie@chromium.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
The value of "write protect" GPIO shall be read in depthcharge,
and the flag shall be set there instead.
BUG=b:124141368, b:124192753, chromium:1556855
TEST=Build locally
CQ-DEPEND=CL:1556855
BRANCH=none
Change-Id: I4d24a057b1385244a836a67c565ee6726a894fdc
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/32234
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
Reviewed-by: Julius Werner <jwerner@chromium.org>
This option is duplicated in depthcharge:
https://crrev.com/c/1545144
BUG=b:124141368, b:124192753, chromium:943150
TEST=make clean && make test-abuild
CQ-DEPEND=CL:1545144
BRANCH=none
Change-Id: I48e20ad21cdcb948a23387d3e5fcf142723b0c82
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/32135
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
This patch enables CONFIG_VBOOT_OPROM_MATTERS in a few more cases where
I think(?) it should be. Haswell, Broadwell and Baytrail Chromebooks
have this enabled in their old depthcharge firmware branches -- we
presumably just forgot to move it over when vboot2 migrated the option
to coreboot. Braswell didn't, but it seems like this requirement was
added when it was migrated to FSP 1.1...? (Not very sure about that one,
but it does call load_vbt() right now which executes things based on
display_init_required().) Additionally, it seems to make sense to enable
it whenever the user explicitly selects VGA_ROM_RUN in menuconfig (like
one of the Intel defconfigs does).
Once we have all this, one could take a step back and ask whether this
option still makes sense at all anymore. It's enabled for almost all
devices (that work with vboot at all), it will presumably be enabled for
all future devices, and it seems that most devices that don't enable it
use libgfxinit, which as far as I can tell isn't gated on
display_init_required() but probably should be. Realistically, whatever
kind of display init a board needs to do (native or option ROM), it's
probably expensive enough that it's worth skipping on a normal mode
vboot boot, and we'd want to have this enabled by default on everything
except boards that actually don't have a display. So maybe we should
flip it around to CONFIG_VBOOT_OPROM_DOESNT_MATTER, but doing that would
probably lead to nobody ever selecting it at all.
Not sure what the best solution there is yet, but I think this patch
at least moves things in the more correct direction.
Change-Id: Id96a88296ddb9cfbb58ea67d93e1638d95570e2c
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/32114
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
As part of chromium:942901, physical dev switch functionality
is being deprecated.
This flag is no longer read after CL:1526070, and thus
does not need to be set here.
coreboot's vboot subrepository needs to be updated to include
CL:1526070 before this CL can be merged.
BUG=b:124141368, b:124192753, chromium:942901
TEST=Build and deploy to eve
TEST=util/lint/checkpatch.pl -g origin/master..HEAD
TEST=make clean && make test-abuild
CQ-DEPEND=CL:1526070
BRANCH=none
Change-Id: Ie5849f9e0fcb8e4e6d35d542a141bf635e751af4
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/31952
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Currently only two devices make use of physical dev switch:
stumpy, lumpy
Deprecate this switch. If these devices are flashed to ToT,
they may still make use of virtual dev switch, activated
via recovery screen.
BUG=b:124141368, b:124192753, chromium:942901
TEST=util/lint/checkpatch.pl -g origin/master..HEAD
TEST=util/abuild/abuild -B -e -y -c 50 -p none -x
TEST=make clean && make test-abuild
BRANCH=none
Change-Id: I87ec0db6148c1727b95475d94e3e3f6e7ec83193
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/31943
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
This option has been relocated to depthcharge:
https://crrev.com/c/1524806
BUG=b:124141368, b:124192753
TEST=Build and deploy to eve
TEST=util/lint/checkpatch.pl -g origin/master..HEAD
TEST=util/abuild/abuild -B -e -y -c 50 -p none -x
TEST=make clean && make test-abuild
CQ-DEPEND=CL:1524806
BRANCH=none
Change-Id: Ib4a83af2ba143577a064fc0d72c9bc318db56adc
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/31909
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Previously, the size of memory made for vboot_working_data
through the macro VBOOT2_WORK was always specified in each
individual memlayout file. However, there is effectively no
reason to provide this customizability -- the workbuf size
required for verifying firmware has never been more than 12K.
(This could potentially increase in the future if key sizes
or algorithms are changed, but this could be applied globally
rather than for each individual platform.)
This CL binds the VBOOT2_WORK macro to directly use the
VB2_WORKBUF_RECOMMENDED_DATA_SIZE constant as defined by vboot
API. Since the constant needs to be used in a linker script, we
may not include the full vboot API, and must instead directly
include the vb2_constants.h header.
BUG=b:124141368, b:124192753
TEST=Build locally for eve
TEST=util/lint/checkpatch.pl -g origin/master..HEAD
TEST=util/abuild/abuild -B -e -y -c 50 -p none -x
TEST=make clean && make test-abuild
BRANCH=none
CQ-DEPEND=CL:1504490
Change-Id: Id71a8ab2401efcc0194d48c8af9017fc90513cb8
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/31474
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
Drop 'include <string.h>' when it is not used and
add it when it is missing.
Also extra lines removed, or added just before local includes.
Change-Id: Iccac4dbaa2dd4144fc347af36ecfc9747da3de20
Signed-off-by: Elyes HAOUAS <ehaouas@noos.fr>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/31966
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Werner Zeh <werner.zeh@siemens.com>
Reviewed-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Create a new cbtable entry called VBOOT_WORKBUF for
storing a pointer to the vboot workbuf within the
vboot_working_data structure.
BUG=b:124141368, b:124192753
TEST=Build and deploy to eve
TEST=util/lint/checkpatch.pl -g origin/master..HEAD
TEST=util/abuild/abuild -B -e -y -c 50 -p none -x
BRANCH=none
Change-Id: Id68f43c282939d9e1b419e927a14fe8baa290d91
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/31887
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Symbols prefixed with vb2_ should be reserved for internal
vboot library use.
Anything outside of that may choose some other prefix.
Here, we choose vboot_ instead.
Also, add some documentation to security/vboot/misc.h,
which provides headers for a number of different C files.
BUG=b:124141368
TEST=Build and deploy to eve
TEST=util/lint/checkpatch.pl -g origin/master..HEAD
TEST=util/abuild/abuild -B -e -y -c 50 -p none -x
TEST=make clean && make test-abuild
BRANCH=none
Change-Id: I5d9154fd2d5df25ee254bd5ce4a173afaa6588be
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/31886
Reviewed-by: Julius Werner <jwerner@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
For platforms that do not employ VBOOT_STARTS_IN_ROMSTAGE,
vboot verification occurs before CBMEM is brought online.
In order to make vboot data structures available downstream,
copy vb2_working_data from CAR/SRAM into CBMEM when CBMEM
comes online. Create VBOOT_MIGRATE_WORKING_DATA config
option to toggle this functionality.
BUG=b:124141368, b:124192753
TEST=Built and deployed on eve with STARTS_IN_BOOTBLOCK
TEST=Built and deployed on eve with STARTS_IN_ROMSTAGE
TEST=util/lint/checkpatch.pl -g origin/master..HEAD
TEST=util/abuild/abuild -B -e -y -c 50 -p none -x
BRANCH=none
Change-Id: I62c11268a83927bc00ae9bd93b1b31363b38e8cf
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/31329
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
This patch is a raw application of
find src/ -type f | xargs sed -i -e 's/IS_ENABLED\s*(CONFIG_/CONFIG(/g'
Change-Id: I6262d6d5c23cabe23c242b4f38d446b74fe16b88
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/31774
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
Rename VB2_DISABLE_DEVELOPER_MODE to VB2_CONTEXT_DISABLE_DEVELOPER_MODE.
See CL in CQ-DEPEND for details.
BUG=b:124141368
TEST=Build locally
CQ-DEPEND=CL:1460645
BRANCH=none
Change-Id: Ib9754425dc2f346e8edac584c4d076d13ae31d2d
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/31298
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Rename VB2_SD_DEV_MODE_ENABLED to VB2_SD_FLAG_DEV_MODE_ENABLED.
See CL in CQ-DEPEND for details.
BUG=b:124141368
TEST=Build locally
CQ-DEPEND=CL:1460644
BRANCH=none
Change-Id: I298cd3a5026055e439de1ce409e61f1feb24369b
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/31297
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Until now the TCPA log wasn't working correctly.
* Refactor TCPA log code.
* Add TCPA log dump fucntion.
* Make TCPA log available in bootblock.
* Fix TCPA log formatting.
* Add x86 and Cavium memory for early log.
Change-Id: Ic93133531b84318f48940d34bded48cbae739c44
Signed-off-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/29563
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Rudolph <siro@das-labor.org>
* Introduce a measured boot mode into vboot.
* Add hook for stage measurements in prog_loader and cbfs.
* Implement and hook-up CRTM in vboot and check for suspend.
Change-Id: I339a2f1051e44f36aba9f99828f130592a09355e
Signed-off-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Signed-off-by: Werner Zeh <werner.zeh@siemens.com>
Reviewed-on: https://review.coreboot.org/c/29547
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Fix up the logic of when to include VBOOT2_WORK symbols on x86,
which are only needed when VBOOT_STARTS_IN_BOOTBLOCK is enabled.
Also correct the value of the __PRE_RAM__ macro in the case that
VBOOT_STARTS_IN_ROMSTAGE is selected. In this case, DRAM is
already up and verstage should not be considered pre-ram.
BUG=b:124141368, b:124192753
TEST=Build locally for eve
TEST=util/lint/checkpatch.pl -g origin/master..HEAD
TEST=util/abuild/abuild -B -e -y -c 50 -p none -x
TEST=make clean && make test-abuild
BRANCH=none
Change-Id: Ie51e8f93b99ab230f3caeede2a33ec8b443e3d7a
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/31541
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
When <symbols.h> was first introduced, it only declared a handful of
regions and we didn't expect that too many architectures and platforms
would need to add their own later. However, our amount of platforms has
greatly expanded since, and with them the need for more special memory
regions. The amount of code duplication is starting to get unsightly,
and platforms keep defining their own <soc/symbols.h> files that need
this as well.
This patch adds another macro to cut down the definition boilerplate.
Unfortunately, macros cannot define other macros when they're called, so
referring to region sizes as _name_size doesn't work anymore. This patch
replaces the scheme with REGION_SIZE(name).
Not touching the regions in the x86-specific <arch/symbols.h> yet since
they don't follow the standard _region/_eregion naming scheme. They can
be converted later if desired.
Change-Id: I44727d77d1de75882c72a94f29bd7e2c27741dd8
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://review.coreboot.org/c/31539
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Under some scenarios the key ladder on the Cr50 can get disabled. If
this state is detected, trigger a reboot of the Cr50 to restore full
TPM functionality.
BUG=b:121463033
BRANCH=none
TEST=Built coreboot on sarien and grunt platforms.
TEST=Ran 'gsctool -a -m disable' and reboot. Verified coreboot sends
VENDOR_CC_IMMEDIATE_RESET command to Cr50 and that the Cr50 resets and
then the platform boots normally.
TEST=Performed Cr50 rollback to 0.0.22 which does not support the
VENDOR_CC_TPM_MODE command, confirmed that platform boots normally and
the coreboot log captures the unsupported command.
Tested-by: Keith Short <keithshort@chromium.org>
Change-Id: I70e012efaf1079d43890e909bc6b5015bef6835a
Signed-off-by: Keith Short <keithshort@chromium.org>
Reviewed-on: https://review.coreboot.org/c/31260
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
In some cases (e.g. Arm architecture variants), include paths are stuck
into <stage>-generic-ccopts rather than CPPFLAGS_<stage> (in fact, the
whole redundancy between these two is kinda stupid and we should
probably eliminate the latter, but I don't want to get into that right
now). This patch makes sure those paths are also correctly translated
when invoking $(MAKE) for vboot.
Change-Id: I37f09b88e555567590664e0e6fac23c34fd887df
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://review.coreboot.org/c/31084
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Nico Huber <nico.h@gmx.de>
On the Sarien/Arcada platforms, the EC is not trusted to provide
the state of the ESC+REFRESH+PWR recovery combination. On these
platforms the Cr50 latches the state of REFRESH+PWR for use as the
recovery mode key combination.
BUG=b:122715254
BRANCH=none
TEST=Verify recovery mode screen shown after pressing REFRESH+PWR
Signed-off-by: Keith Short <keithshort@chromium.org>
Change-Id: Ie3ce519956f916023c8c52f1d11fa93331f52f3c
Reviewed-on: https://review.coreboot.org/c/30929
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Duncan Laurie <dlaurie@chromium.org>
Reviewed-by: Stefan Reinauer <stefan.reinauer@coreboot.org>
When an untrusted OS is running, we would like to use the Cr50
vendor-specific VENDOR_CC_TPM_MODE command to disable TPM.
Before doing this, we should save TPM state. Implement
tlcl_save_state for this purpose.
This needs to live in coreboot codebase since on S3 resume path,
depthcharge is not reached.
Implement the function in both tcg-1.2 and tcg-2.0 for
completeness.
BUG=b:70681930,b:118202153
TEST=hack a call to tlcl_save_state into coreboot on S3 resume
verify in AP console that it is called
Signed-off-by: Joel Kitching <kitching@google.com>
Change-Id: I8b51ca68456fc9b655e4dc2d0958b7c040d50510
Reviewed-on: https://review.coreboot.org/c/29646
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
The coming feature "measured boot" relies on VB2_LIB in romstage. In the
case where there is no separate verstage, compile the library just for
romstage as it will then be shared across verstage and romstage code. If
there is a separate verstage, compile the library separately for
verstage and romstage.
Change-Id: I8126c21b8fbe8dd65d95af49cbe2ad776b8ef605
Signed-off-by: Werner Zeh <werner.zeh@siemens.com>
Reviewed-on: https://review.coreboot.org/c/29827
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Make the firmware slot configuration in VBOOT selectable. The following
three modes are available:
-RO only
-RO + RW_A
-RO + RW_A + RW_B
The mode "RO only" is the lowest mode with no safety during update.
You can select either RW_A or RW_AB via Kconfig which will add the
selected parttions to the final image.
Change-Id: I278fc060522b13048b00090b8e5261c14496f56e
Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org>
Signed-off-by: Werner Zeh <werner.zeh@siemens.com>
Reviewed-on: https://review.coreboot.org/27714
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
VB2_LIB will be used across all stages to hash data. Add it to postcar
stage sources so that it is compiled if postcar exists. In this way the
new function tpm_measure_region() introduced in commit
61322d7 (security/tpm: Add function to measure a region device)
can be used in every stage.
Change-Id: I933d33b0188d1b123bb4735722b6086e7786624f
Signed-off-by: Werner Zeh <werner.zeh@siemens.com>
Reviewed-on: https://review.coreboot.org/29465
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Add a new function which can hash a given region device and extend a PCR
in the TPM with the result. The needed SHA algorithms are included from
3rdparty/vboot and thus not duplicated in the coreboot tree.
For now VB2_LIB is not usable in postcar stage. Follow-up commits will
add the ability to use the lib in postcar as well. Once this feature is
ready, the library will be included in postcar stage to make this
function available in every stage.
Change-Id: I126cc3500fd039d63743db78002a04d201ab18aa
Signed-off-by: Werner Zeh <werner.zeh@siemens.com>
Reviewed-on: https://review.coreboot.org/29234
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
When used more widely across the tree, we don't want to have
to worry if all its users are on the same architecture
(eg. aarch32 vs aarch64), so just build their own library for
each stage.
Change-Id: Ib6807ff73c2713f3b23f43055325b2c40ff1a17d
Signed-off-by: Patrick Georgi <pgeorgi@google.com>
Reviewed-on: https://review.coreboot.org/29253
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Werner Zeh <werner.zeh@siemens.com>
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
- should not check VBOOT_STARTS_IN_BOOTBLOCK to set context flag
- implement vboot_platform_is_resuming on platforms missing it
- add ACPI_INTEL_HARDWARE_SLEEP_VALUES to two intel southbridges
[ originally https://review.coreboot.org/c/coreboot/+/28750 ]
BUG=b:114018226
TEST=compile coreboot
Change-Id: I1ef0bcdfd01746198f8140f49698b58065d820b9
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/29060
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Change TSS layer tlcl_send_startup() to expose TPM_RC_INITIALIZE,
which gets mapped to TPM_E_INVALID_POSTINIT. The return value
is exposed to TSPI layer tpm_setup(), and dealt with as follows:
- Regular startup: TPM_E_INVALID_POSTINIT should count as failure.
- S3 resume: TPM_E_INVALID_POSTINIT can be assumed to mean that
TPM maintains power during S3, and is already initialized.
Also, correct an error where |response| could be erroneously accessed
when it is set to NULL.
BUG=b:114018226
TEST=compile coreboot
Change-Id: Ib0c3750386ae04279401c1dc318c5019d39f5ecf
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/29063
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
board_reset() replaces the existing common reset API. There is no common
distinction between reset types across platforms, hence, common code
could never decide which one to call.
Currently only hard_reset() is used by common code. We replace these
calls and provide a fall-back to the current hard_reset() implemen-
tation. The fall-back will be removed along with hard_reset() after the
transition of all boards.
Change-Id: I274a8cee9cb38226b5a0bdff6a847c74ef0b3128
Signed-off-by: Nico Huber <nico.h@gmx.de>
Reviewed-on: https://review.coreboot.org/29047
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Introduce two helper functions for more readable code.
Use epilogue function instead of goto for error handling.
BUG=None
TEST=None
Change-Id: Ibea44880683a301e82ee2ba049003c36fcb44eba
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/29026
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
More platforms are not able to hibernate under certain circumstances,
such as when AC is plugged. This original path was conservatively put in
to prevent potential damage when cr50-update-caused asynchronous resets
occur. Julius' compelling argument that async resets from recovery mode
requests should have enough coverage of the design over the course of
project development. Remove the hibernate path and assume all is well
going forward.
Change-Id: I37121e75ff4e6abcb41d8534a1eccf0788ce2ea2
Signed-off-by: Aaron Durbin <adurbin@chromium.org>
Reviewed-on: https://review.coreboot.org/29076
Reviewed-by: Justin TerAvest <teravest@chromium.org>
Reviewed-by: Jett Rink <jettrink@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Its spreading copies got out of sync. And as it is not a standard header
but used in commonlib code, it belongs into commonlib. While we are at
it, always include it via GCC's `-include` switch.
Some Windows and BSD quirk handling went into the util copies. We always
guard from redefinitions now to prevent further issues.
Change-Id: I850414e6db1d799dce71ff2dc044e6a000ad2552
Signed-off-by: Nico Huber <nico.h@gmx.de>
Reviewed-on: https://review.coreboot.org/28927
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
* Fix ACPI resume path compilation for TPM ramstage
driver
* Move enabling of the TPM prior activation and remove
reboot return status from TPM enable.
More information can be found via the TCG
specification v1.2
Tested=Elgon
Change-Id: Ided110e0c1889b302e29acac6d8d2341f97eb10b
Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org>
Reviewed-on: https://review.coreboot.org/28085
Reviewed-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
This patch allows boards to disable turning off EC on cr50 update.
If CR50 resets the whole system, an EC reset is not required.
BUG=b:112604277
BRANCH=none
TEST=gsctool -a -u /media/removable/cr50.bin && reboot
Verify EC reboots. AP prints 'Waiting for CR50 reset to pick up update'
then reboots.
Change-Id: I60a7aa50a549e7a5a1a114245fbf7b9646d813bb
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://review.coreboot.org/28110
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
The make `file` command is apparently a v4.2 feature only. Replace it
with a shell cat.
BUG=none
TEST=verified fwid.region was created correctly
Change-Id: I5e32a521ad3e6759853f0cde2e4c4db6e564d3be
Signed-off-by: Raul E Rangel <rrangel@chromium.org>
Reviewed-on: https://review.coreboot.org/27990
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Reviewed-by: Julius Werner <jwerner@chromium.org>
In procedure tpm_unmarshal_response(), variable "rc" is used early to
decide if it should return NULL. Later however, the code proceeds to its
end even if one subroutine reports error. If "rc" is not 0, report that
there was a partial error in the procedure.
BUG=b:112253891
TEST=Build and boot grunt.
Change-Id: I7575bc75104fd97f138224aa57561e68f6548e58
Signed-off-by: Richard Spiegel <richard.spiegel@silverbackltd.com>
Reviewed-on: https://review.coreboot.org/27931
Reviewed-by: Martin Roth <martinroth@google.com>
Reviewed-by: Marshall Dawson <marshalldawson3rd@gmail.com>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Add the ability to specify the fwid version via a file instead of
via config. This makes it so when doing an incremental build all
objects are not invalidated when bumping the fwid.
The coreboot ebuild will create this file to pass the latest version.
BUG=b:112267918
TEST=ran dmidecide -t 0 and verified version was present
Change-Id: I955106efd648a75a1311f24ede46bd238d1517e0
Signed-off-by: Raul E Rangel <rrangel@chromium.org>
Reviewed-on: https://review.coreboot.org/27884
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Change bce49c2 (security/tpm: Improve TCPA log generation) missed
checking for NULL pointer before accessing the tcpa_table returned by
tcpa_log_init. This change fixes the boot hang observed on octopus by
ensuring pointer is checked for NULL before using it.
BUG=b:111403731
TEST=Verified that octopus boots up fine.
Change-Id: I2e46197065f8db1dc028a85551546263e60d46b2
Signed-off-by: Furquan Shaikh <furquan@google.com>
Reviewed-on: https://review.coreboot.org/27933
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Justin TerAvest <teravest@chromium.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
* Make tcpa_log_init static and move init code into
the tcpa_log_add_table_entry routine.
* Add more checks for log initialization.
* Fix minor issues
Change-Id: I215d79eed7ad17c6ab87f0c4b14a282e519ef07d
Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org>
Reviewed-on: https://review.coreboot.org/27769
Reviewed-by: Julius Werner <jwerner@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Change f849972 (security/vboot: Enable TCPA log extension) enabled
support for adding TCPA log to CBMEM. However, if CBMEM is not online,
this function doesn't do anything and returns early. This condition is
not really a valid error condition as it depends on when the call to
tcpa_log_add_table_entry is made. Since tcpa_log_add_table_entry
returns -1 when cbmem is not online, tpm_extend_pcr prints an error
message with prefix "ERROR:". This can confuse any scripts trying to
catch errors in boot flow.
This CL makes the following changes:
1. Removes the print in tpm_extend_pcr since tcpa_log_add_table_entry
already prints out appropriate ERROR messages in case of failure to
add log entry.
2. Since the return value of tcpa_log_add_table_entry is not used
anymore, return type for tcpa_log_add_table_entry is changed to void.
BUG=b:112030232
Change-Id: I32d313609a3e57845e67059b3747b81b5c8adb2a
Signed-off-by: Furquan Shaikh <furquan@google.com>
Reviewed-on: https://review.coreboot.org/27757
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Reviewed-by: Justin TerAvest <teravest@chromium.org>
* Move vboot/tpm specific implementation to vboot.
* Only call functions if CONFIG_FSP2_0_USES_TPM_MRC_HASH is set.
* Preparation for software hash function support, no logic changed.
Change-Id: I41a458186c7981adaf3fea8974adec2ca8668f14
Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org>
Reviewed-on: https://review.coreboot.org/24904
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
These two files were added before I was able to get the updated linter
committed. Updated/Add the headers so the stable header lint check
can be updated.
Change-Id: I464ddecb5eebe8c5b907f3dcfeab1b06501af6ab
Signed-off-by: Martin Roth <martinroth@google.com>
Reviewed-on: https://review.coreboot.org/27362
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Werner Zeh <werner.zeh@siemens.com>
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Fix a linking problem with VBOOT and USE_OPTION_TABLE enabled.
Make use of cbfs_locate_file_in_region() and always search the
cmos_layout.bin in the 'COREBOOT' region.
With this change applied there's no need to include the vboot_locator
in SMM any more, we can't break NVRAM with different CMOS layouts,
and we keep VBOOT and non VBOOT behaviour the same.
Only include cmos_layout.bin and cmos.default in RO region.
Add notes explaining the decisions.
Tested on Intel Sandybridge, builds and boots with vboot enabled.
Change-Id: I10ae94d7936581bbb5ea49384122062bd4934ea5
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Reviewed-on: https://review.coreboot.org/26863
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
All those symbols are part of /include/symbols.h file hence
removing from /security/vboot/symbols.h
Change-Id: Id968186e28d6b772a1a6bca200a852407324d6e3
Signed-off-by: Subrata Banik <subrata.banik@intel.com>
Reviewed-on: https://review.coreboot.org/26274
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
coreboot on skylake originally did ship with romcc bootblock and
verstage running after it. However, that configuration makes boot
flows very complicated. No platform in the current code base uses
this combination. Make VBOOT_STARTS_IN_BOOTBLOCK depend on
C_ENVIRONMENT_BOOTBLOCK.
BUG=b:78656686
Change-Id: Ia9446f209521f71c91b83d579b9e2d89744292bc
Signed-off-by: Aaron Durbin <adurbin@chromium.org>
Reviewed-on: https://review.coreboot.org/25984
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
Reviewed-by: Subrata Banik <subrata.banik@intel.com>
Reviewed-by: Justin TerAvest <teravest@chromium.org>
Reviewed-by: Hannah Williams <hannah.williams@intel.com>
Add a function that will check the various requirements to
enable USB Device Controller (UDC):
- developer mode enabled
- GBB flag set or VBNV flag set
If VBOOT is not enabled, then default is to allow UDC enabling.
BUG=b:78577893
BRANCH=poppy
Change-Id: Id146ac1065f209865372aeb423f66ae734702954
Signed-off-by: Duncan Laurie <dlaurie@google.com>
Signed-off-by: Furquan Shaikh <furquan@google.com>
Reviewed-on: https://review.coreboot.org/25847
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
This change adds basic support for reading flags from GBB header
located in "GBB" section on SPI flash.
Change-Id: I35ecb5ba964511379baa4e9f458ba2e8c6b74b4e
Signed-off-by: Furquan Shaikh <furquan@google.com>
Reviewed-on: https://review.coreboot.org/25459
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
This patch changes the GBB flag configuration to the latest usage in
upstream vboot (as of https://chromium-review.googlesource.com/976660).
Change-Id: I585d662d7de34b4964d028e3d06b4df5665fbe9e
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://review.coreboot.org/25346
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
In TPM 2.0 case, if the factory initialization is interrupted after
defining, say, the kernel tpm nvram space but before writing to this
space, the following will happen upon reboot when the factory
initialization will be re-attempted. Writing to this space will be
skipped, and coreboot will finish the factory initialization with
this space remained unwritten. At a later stage, when the rollback
logic will attempt to check the version in the kernel space, it will
fail (TPM2.0 returns an error when reading from unwritten spaces),
and the system will go into recovery with no way out (since the
kernel space will never be written).
This change fixes that by always writing to the kernel, MRC hash and
firmware spaces during factory initialization, even if the space
already existed by that time.
BUG=b:71884828
TEST=delete, define, but not write to the kernel space; trigger
factory initialization; coreboot should fill the kernel
space and continue booting.
Change-Id: I48d8bb4f9fc0e5276e6ec81247b3b6768ec9fa3b
Signed-off-by: Andrey Pronin <apronin@google.com>
Reviewed-on: https://review.coreboot.org/23456
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
* Move code from src/lib and src/include into src/security/tpm
* Split TPM TSS 1.2 and 2.0
* Fix header includes
* Add a new directory structure with kconfig and makefile includes
Change-Id: Id15a9aa6bd367560318dfcfd450bf5626ea0ec2b
Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org>
Reviewed-on: https://review.coreboot.org/22103
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Stefan Reinauer <stefan.reinauer@coreboot.org>
In order to make VBOOT2 independent from the CHROMEOS
kconfig option a weak method for get_write_protect_state
and get_recovery_mode_switch() is required.
Introduce a kconfig option for controlling this
behaviour.
This is a temporary fix and will be removed afterwards.
Change-Id: I3b1555bd93e1605e04d5c3ea6a752eb1459e426e
Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org>
Reviewed-on: https://review.coreboot.org/22102
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Martin Roth <martinroth@google.com>
This include is not needed, and the header file is going away in
vboot_reference. So, remove it.
BUG=chromium:789276
BRANCH=none
TEST=emerge-reef coreboot
Change-Id: Ie0b37ae3d2f979f79060a15ca3f7157f49c89785
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Signed-off-by: Randall Spangler <randall@spanglers.com>
Reviewed-on: https://review.coreboot.org/22733
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Reviewed-by: Stefan Reinauer <stefan.reinauer@coreboot.org>
This commit just moves the vboot sources into
the security directory and fixes kconfig/makefile paths.
Fix vboot2 headers
Change-Id: Icd87f95640186f7a625242a3937e1dd13347eb60
Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org>
Reviewed-on: https://review.coreboot.org/22074
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Martin Roth <martinroth@google.com>
Joel Kitching