As part of chromium:942901, physical dev switch functionality
is being deprecated.
This flag is no longer read after CL:1526070, and thus
does not need to be set here.
coreboot's vboot subrepository needs to be updated to include
CL:1526070 before this CL can be merged.
BUG=b:124141368, b:124192753, chromium:942901
TEST=Build and deploy to eve
TEST=util/lint/checkpatch.pl -g origin/master..HEAD
TEST=make clean && make test-abuild
CQ-DEPEND=CL:1526070
BRANCH=none
Change-Id: Ie5849f9e0fcb8e4e6d35d542a141bf635e751af4
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/31952
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Currently only two devices make use of physical dev switch:
stumpy, lumpy
Deprecate this switch. If these devices are flashed to ToT,
they may still make use of virtual dev switch, activated
via recovery screen.
BUG=b:124141368, b:124192753, chromium:942901
TEST=util/lint/checkpatch.pl -g origin/master..HEAD
TEST=util/abuild/abuild -B -e -y -c 50 -p none -x
TEST=make clean && make test-abuild
BRANCH=none
Change-Id: I87ec0db6148c1727b95475d94e3e3f6e7ec83193
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/31943
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
This option has been relocated to depthcharge:
https://crrev.com/c/1524806
BUG=b:124141368, b:124192753
TEST=Build and deploy to eve
TEST=util/lint/checkpatch.pl -g origin/master..HEAD
TEST=util/abuild/abuild -B -e -y -c 50 -p none -x
TEST=make clean && make test-abuild
CQ-DEPEND=CL:1524806
BRANCH=none
Change-Id: Ib4a83af2ba143577a064fc0d72c9bc318db56adc
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/31909
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Previously, the size of memory made for vboot_working_data
through the macro VBOOT2_WORK was always specified in each
individual memlayout file. However, there is effectively no
reason to provide this customizability -- the workbuf size
required for verifying firmware has never been more than 12K.
(This could potentially increase in the future if key sizes
or algorithms are changed, but this could be applied globally
rather than for each individual platform.)
This CL binds the VBOOT2_WORK macro to directly use the
VB2_WORKBUF_RECOMMENDED_DATA_SIZE constant as defined by vboot
API. Since the constant needs to be used in a linker script, we
may not include the full vboot API, and must instead directly
include the vb2_constants.h header.
BUG=b:124141368, b:124192753
TEST=Build locally for eve
TEST=util/lint/checkpatch.pl -g origin/master..HEAD
TEST=util/abuild/abuild -B -e -y -c 50 -p none -x
TEST=make clean && make test-abuild
BRANCH=none
CQ-DEPEND=CL:1504490
Change-Id: Id71a8ab2401efcc0194d48c8af9017fc90513cb8
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/31474
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
Drop 'include <string.h>' when it is not used and
add it when it is missing.
Also extra lines removed, or added just before local includes.
Change-Id: Iccac4dbaa2dd4144fc347af36ecfc9747da3de20
Signed-off-by: Elyes HAOUAS <ehaouas@noos.fr>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/31966
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Werner Zeh <werner.zeh@siemens.com>
Reviewed-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Create a new cbtable entry called VBOOT_WORKBUF for
storing a pointer to the vboot workbuf within the
vboot_working_data structure.
BUG=b:124141368, b:124192753
TEST=Build and deploy to eve
TEST=util/lint/checkpatch.pl -g origin/master..HEAD
TEST=util/abuild/abuild -B -e -y -c 50 -p none -x
BRANCH=none
Change-Id: Id68f43c282939d9e1b419e927a14fe8baa290d91
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/31887
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Symbols prefixed with vb2_ should be reserved for internal
vboot library use.
Anything outside of that may choose some other prefix.
Here, we choose vboot_ instead.
Also, add some documentation to security/vboot/misc.h,
which provides headers for a number of different C files.
BUG=b:124141368
TEST=Build and deploy to eve
TEST=util/lint/checkpatch.pl -g origin/master..HEAD
TEST=util/abuild/abuild -B -e -y -c 50 -p none -x
TEST=make clean && make test-abuild
BRANCH=none
Change-Id: I5d9154fd2d5df25ee254bd5ce4a173afaa6588be
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/31886
Reviewed-by: Julius Werner <jwerner@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
For platforms that do not employ VBOOT_STARTS_IN_ROMSTAGE,
vboot verification occurs before CBMEM is brought online.
In order to make vboot data structures available downstream,
copy vb2_working_data from CAR/SRAM into CBMEM when CBMEM
comes online. Create VBOOT_MIGRATE_WORKING_DATA config
option to toggle this functionality.
BUG=b:124141368, b:124192753
TEST=Built and deployed on eve with STARTS_IN_BOOTBLOCK
TEST=Built and deployed on eve with STARTS_IN_ROMSTAGE
TEST=util/lint/checkpatch.pl -g origin/master..HEAD
TEST=util/abuild/abuild -B -e -y -c 50 -p none -x
BRANCH=none
Change-Id: I62c11268a83927bc00ae9bd93b1b31363b38e8cf
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/31329
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
This patch is a raw application of
find src/ -type f | xargs sed -i -e 's/IS_ENABLED\s*(CONFIG_/CONFIG(/g'
Change-Id: I6262d6d5c23cabe23c242b4f38d446b74fe16b88
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/31774
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
Rename VB2_DISABLE_DEVELOPER_MODE to VB2_CONTEXT_DISABLE_DEVELOPER_MODE.
See CL in CQ-DEPEND for details.
BUG=b:124141368
TEST=Build locally
CQ-DEPEND=CL:1460645
BRANCH=none
Change-Id: Ib9754425dc2f346e8edac584c4d076d13ae31d2d
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/31298
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Rename VB2_SD_DEV_MODE_ENABLED to VB2_SD_FLAG_DEV_MODE_ENABLED.
See CL in CQ-DEPEND for details.
BUG=b:124141368
TEST=Build locally
CQ-DEPEND=CL:1460644
BRANCH=none
Change-Id: I298cd3a5026055e439de1ce409e61f1feb24369b
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/31297
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Until now the TCPA log wasn't working correctly.
* Refactor TCPA log code.
* Add TCPA log dump fucntion.
* Make TCPA log available in bootblock.
* Fix TCPA log formatting.
* Add x86 and Cavium memory for early log.
Change-Id: Ic93133531b84318f48940d34bded48cbae739c44
Signed-off-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/29563
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Rudolph <siro@das-labor.org>
* Introduce a measured boot mode into vboot.
* Add hook for stage measurements in prog_loader and cbfs.
* Implement and hook-up CRTM in vboot and check for suspend.
Change-Id: I339a2f1051e44f36aba9f99828f130592a09355e
Signed-off-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Signed-off-by: Werner Zeh <werner.zeh@siemens.com>
Reviewed-on: https://review.coreboot.org/c/29547
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Fix up the logic of when to include VBOOT2_WORK symbols on x86,
which are only needed when VBOOT_STARTS_IN_BOOTBLOCK is enabled.
Also correct the value of the __PRE_RAM__ macro in the case that
VBOOT_STARTS_IN_ROMSTAGE is selected. In this case, DRAM is
already up and verstage should not be considered pre-ram.
BUG=b:124141368, b:124192753
TEST=Build locally for eve
TEST=util/lint/checkpatch.pl -g origin/master..HEAD
TEST=util/abuild/abuild -B -e -y -c 50 -p none -x
TEST=make clean && make test-abuild
BRANCH=none
Change-Id: Ie51e8f93b99ab230f3caeede2a33ec8b443e3d7a
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/c/31541
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
When <symbols.h> was first introduced, it only declared a handful of
regions and we didn't expect that too many architectures and platforms
would need to add their own later. However, our amount of platforms has
greatly expanded since, and with them the need for more special memory
regions. The amount of code duplication is starting to get unsightly,
and platforms keep defining their own <soc/symbols.h> files that need
this as well.
This patch adds another macro to cut down the definition boilerplate.
Unfortunately, macros cannot define other macros when they're called, so
referring to region sizes as _name_size doesn't work anymore. This patch
replaces the scheme with REGION_SIZE(name).
Not touching the regions in the x86-specific <arch/symbols.h> yet since
they don't follow the standard _region/_eregion naming scheme. They can
be converted later if desired.
Change-Id: I44727d77d1de75882c72a94f29bd7e2c27741dd8
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://review.coreboot.org/c/31539
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Under some scenarios the key ladder on the Cr50 can get disabled. If
this state is detected, trigger a reboot of the Cr50 to restore full
TPM functionality.
BUG=b:121463033
BRANCH=none
TEST=Built coreboot on sarien and grunt platforms.
TEST=Ran 'gsctool -a -m disable' and reboot. Verified coreboot sends
VENDOR_CC_IMMEDIATE_RESET command to Cr50 and that the Cr50 resets and
then the platform boots normally.
TEST=Performed Cr50 rollback to 0.0.22 which does not support the
VENDOR_CC_TPM_MODE command, confirmed that platform boots normally and
the coreboot log captures the unsupported command.
Tested-by: Keith Short <keithshort@chromium.org>
Change-Id: I70e012efaf1079d43890e909bc6b5015bef6835a
Signed-off-by: Keith Short <keithshort@chromium.org>
Reviewed-on: https://review.coreboot.org/c/31260
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
In some cases (e.g. Arm architecture variants), include paths are stuck
into <stage>-generic-ccopts rather than CPPFLAGS_<stage> (in fact, the
whole redundancy between these two is kinda stupid and we should
probably eliminate the latter, but I don't want to get into that right
now). This patch makes sure those paths are also correctly translated
when invoking $(MAKE) for vboot.
Change-Id: I37f09b88e555567590664e0e6fac23c34fd887df
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://review.coreboot.org/c/31084
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Nico Huber <nico.h@gmx.de>
On the Sarien/Arcada platforms, the EC is not trusted to provide
the state of the ESC+REFRESH+PWR recovery combination. On these
platforms the Cr50 latches the state of REFRESH+PWR for use as the
recovery mode key combination.
BUG=b:122715254
BRANCH=none
TEST=Verify recovery mode screen shown after pressing REFRESH+PWR
Signed-off-by: Keith Short <keithshort@chromium.org>
Change-Id: Ie3ce519956f916023c8c52f1d11fa93331f52f3c
Reviewed-on: https://review.coreboot.org/c/30929
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Duncan Laurie <dlaurie@chromium.org>
Reviewed-by: Stefan Reinauer <stefan.reinauer@coreboot.org>
When an untrusted OS is running, we would like to use the Cr50
vendor-specific VENDOR_CC_TPM_MODE command to disable TPM.
Before doing this, we should save TPM state. Implement
tlcl_save_state for this purpose.
This needs to live in coreboot codebase since on S3 resume path,
depthcharge is not reached.
Implement the function in both tcg-1.2 and tcg-2.0 for
completeness.
BUG=b:70681930,b:118202153
TEST=hack a call to tlcl_save_state into coreboot on S3 resume
verify in AP console that it is called
Signed-off-by: Joel Kitching <kitching@google.com>
Change-Id: I8b51ca68456fc9b655e4dc2d0958b7c040d50510
Reviewed-on: https://review.coreboot.org/c/29646
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
The coming feature "measured boot" relies on VB2_LIB in romstage. In the
case where there is no separate verstage, compile the library just for
romstage as it will then be shared across verstage and romstage code. If
there is a separate verstage, compile the library separately for
verstage and romstage.
Change-Id: I8126c21b8fbe8dd65d95af49cbe2ad776b8ef605
Signed-off-by: Werner Zeh <werner.zeh@siemens.com>
Reviewed-on: https://review.coreboot.org/c/29827
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Make the firmware slot configuration in VBOOT selectable. The following
three modes are available:
-RO only
-RO + RW_A
-RO + RW_A + RW_B
The mode "RO only" is the lowest mode with no safety during update.
You can select either RW_A or RW_AB via Kconfig which will add the
selected parttions to the final image.
Change-Id: I278fc060522b13048b00090b8e5261c14496f56e
Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org>
Signed-off-by: Werner Zeh <werner.zeh@siemens.com>
Reviewed-on: https://review.coreboot.org/27714
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
VB2_LIB will be used across all stages to hash data. Add it to postcar
stage sources so that it is compiled if postcar exists. In this way the
new function tpm_measure_region() introduced in commit
61322d7 (security/tpm: Add function to measure a region device)
can be used in every stage.
Change-Id: I933d33b0188d1b123bb4735722b6086e7786624f
Signed-off-by: Werner Zeh <werner.zeh@siemens.com>
Reviewed-on: https://review.coreboot.org/29465
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Add a new function which can hash a given region device and extend a PCR
in the TPM with the result. The needed SHA algorithms are included from
3rdparty/vboot and thus not duplicated in the coreboot tree.
For now VB2_LIB is not usable in postcar stage. Follow-up commits will
add the ability to use the lib in postcar as well. Once this feature is
ready, the library will be included in postcar stage to make this
function available in every stage.
Change-Id: I126cc3500fd039d63743db78002a04d201ab18aa
Signed-off-by: Werner Zeh <werner.zeh@siemens.com>
Reviewed-on: https://review.coreboot.org/29234
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
When used more widely across the tree, we don't want to have
to worry if all its users are on the same architecture
(eg. aarch32 vs aarch64), so just build their own library for
each stage.
Change-Id: Ib6807ff73c2713f3b23f43055325b2c40ff1a17d
Signed-off-by: Patrick Georgi <pgeorgi@google.com>
Reviewed-on: https://review.coreboot.org/29253
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Werner Zeh <werner.zeh@siemens.com>
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
- should not check VBOOT_STARTS_IN_BOOTBLOCK to set context flag
- implement vboot_platform_is_resuming on platforms missing it
- add ACPI_INTEL_HARDWARE_SLEEP_VALUES to two intel southbridges
[ originally https://review.coreboot.org/c/coreboot/+/28750 ]
BUG=b:114018226
TEST=compile coreboot
Change-Id: I1ef0bcdfd01746198f8140f49698b58065d820b9
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/29060
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Change TSS layer tlcl_send_startup() to expose TPM_RC_INITIALIZE,
which gets mapped to TPM_E_INVALID_POSTINIT. The return value
is exposed to TSPI layer tpm_setup(), and dealt with as follows:
- Regular startup: TPM_E_INVALID_POSTINIT should count as failure.
- S3 resume: TPM_E_INVALID_POSTINIT can be assumed to mean that
TPM maintains power during S3, and is already initialized.
Also, correct an error where |response| could be erroneously accessed
when it is set to NULL.
BUG=b:114018226
TEST=compile coreboot
Change-Id: Ib0c3750386ae04279401c1dc318c5019d39f5ecf
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/29063
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
board_reset() replaces the existing common reset API. There is no common
distinction between reset types across platforms, hence, common code
could never decide which one to call.
Currently only hard_reset() is used by common code. We replace these
calls and provide a fall-back to the current hard_reset() implemen-
tation. The fall-back will be removed along with hard_reset() after the
transition of all boards.
Change-Id: I274a8cee9cb38226b5a0bdff6a847c74ef0b3128
Signed-off-by: Nico Huber <nico.h@gmx.de>
Reviewed-on: https://review.coreboot.org/29047
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Introduce two helper functions for more readable code.
Use epilogue function instead of goto for error handling.
BUG=None
TEST=None
Change-Id: Ibea44880683a301e82ee2ba049003c36fcb44eba
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://review.coreboot.org/29026
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
More platforms are not able to hibernate under certain circumstances,
such as when AC is plugged. This original path was conservatively put in
to prevent potential damage when cr50-update-caused asynchronous resets
occur. Julius' compelling argument that async resets from recovery mode
requests should have enough coverage of the design over the course of
project development. Remove the hibernate path and assume all is well
going forward.
Change-Id: I37121e75ff4e6abcb41d8534a1eccf0788ce2ea2
Signed-off-by: Aaron Durbin <adurbin@chromium.org>
Reviewed-on: https://review.coreboot.org/29076
Reviewed-by: Justin TerAvest <teravest@chromium.org>
Reviewed-by: Jett Rink <jettrink@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Its spreading copies got out of sync. And as it is not a standard header
but used in commonlib code, it belongs into commonlib. While we are at
it, always include it via GCC's `-include` switch.
Some Windows and BSD quirk handling went into the util copies. We always
guard from redefinitions now to prevent further issues.
Change-Id: I850414e6db1d799dce71ff2dc044e6a000ad2552
Signed-off-by: Nico Huber <nico.h@gmx.de>
Reviewed-on: https://review.coreboot.org/28927
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
* Fix ACPI resume path compilation for TPM ramstage
driver
* Move enabling of the TPM prior activation and remove
reboot return status from TPM enable.
More information can be found via the TCG
specification v1.2
Tested=Elgon
Change-Id: Ided110e0c1889b302e29acac6d8d2341f97eb10b
Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org>
Reviewed-on: https://review.coreboot.org/28085
Reviewed-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Joel Kitching