fdabf3fcd7
This patch adds the first stage of the new CONFIG_CBFS_VERIFICATION feature. It's not useful to end-users in this stage so it cannot be selected in menuconfig (and should not be used other than for development) yet. With this patch coreboot can verify the metadata hash of the RO CBFS when it starts booting, but it does not verify individual files yet. Likewise, verifying RW CBFSes with vboot is not yet supported. Verification is bootstrapped from a "metadata hash anchor" structure that is embedded in the bootblock code and marked by a unique magic number. This anchor contains both the CBFS metadata hash and a separate hash for the FMAP which is required to find the primary CBFS. Both are verified on first use in the bootblock (and halt the system on failure). The CONFIG_TOCTOU_SAFETY option is also added for illustrative purposes to show some paths that need to be different when full protection against TOCTOU (time-of-check vs. time-of-use) attacks is desired. For normal verification it is sufficient to check the FMAP and the CBFS metadata hash only once in the bootblock -- for TOCTOU verification we do the same, but we need to be extra careful that we do not re-read the FMAP or any CBFS metadata in later stages. This is mostly achieved by depending on the CBFS metadata cache and FMAP cache features, but we allow for one edge case in case the RW CBFS metadata cache overflows (which may happen during an RW update and could otherwise no longer be fixed because mcache size is defined by RO code). This code is added to demonstrate design intent but won't really matter until RW CBFS verification can be supported. Signed-off-by: Julius Werner <jwerner@chromium.org> Change-Id: I8930434de55eb938b042fdada9aa90218c0b5a34 Reviewed-on: https://review.coreboot.org/c/coreboot/+/41120 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Patrick Georgi <pgeorgi@google.com> |
||
|---|---|---|
| .. | ||
| abuild | ||
| acpi | ||
| amdfwtool | ||
| amdtools | ||
| apcb | ||
| archive | ||
| autoport | ||
| bincfg | ||
| board_status | ||
| bucts | ||
| cavium | ||
| cbfstool | ||
| cbmem | ||
| chromeos | ||
| crossgcc | ||
| docker | ||
| dtd_parser | ||
| ectool | ||
| exynos | ||
| find_usbdebug | ||
| futility | ||
| fuzz-tests | ||
| genbuild_h | ||
| gitconfig | ||
| ifdtool | ||
| intelmetool | ||
| intelp2m | ||
| inteltool | ||
| intelvbttool | ||
| ipqheader | ||
| kbc1126 | ||
| kconfig | ||
| lint | ||
| mainboard/google | ||
| marvell | ||
| me_cleaner | ||
| mma | ||
| msrtool | ||
| mtkheader | ||
| nvidia | ||
| nvramtool | ||
| pgtblgen | ||
| pmh7tool | ||
| post | ||
| qemu | ||
| qualcomm | ||
| release | ||
| riscv | ||
| rockchip | ||
| sconfig | ||
| scripts | ||
| showdevicetree | ||
| spd_tools | ||
| spdtool | ||
| spkmodem_recv | ||
| superiotool | ||
| supermicro | ||
| testing | ||
| uio_usbdebug | ||
| util_readme | ||
| vboot_list | ||
| vgabios | ||
| x86 | ||
| xcompile | ||
| README.md | ||
README.md
- abuild - coreboot autobuild script builds coreboot images for all
available targets.
bash - acpi - Walk through all ACPI tables with their addresses.
bash - amdfwtool - Create AMD Firmware combination
C - amdtools - A set of tools to compare extended) K8 memory
settings.
Perl - archive - Concatenate files and create an archive
C - autoport - Automated porting coreboot to Sandy Bridge/Ivy Bridge
platforms
Go - bincfg - Compiler/Decompiler for data blobs with specs
LexYacc - board_status - Tools to collect logs and upload them to the board
status repository
BashGo - bucts - A tool to manipulate the BUC.TS bit on Intel targets.
C - cavium - Devicetree_convert Tool to convert a DTB to a static C
file
Python - cbfstool
- cbfstool - For manipulating CBFS file
C - fmaptool - Converts plaintext fmd files into fmap blobs
C - rmodtool - Creates rmodules
C - ifwitool - For manipulating IFWI
C
- cbfstool - For manipulating CBFS file
- cbmem - CBMEM parser to read e.g. timestamps and console log
C - chromeos - These scripts can be used to access Chrome OS
resources, for example to extract System Agent reference code and other
blobs (e.g. mrc.bin, refcode, VGA option roms) from a Chrome OS
recovery image.
C - crossgcc - A cross toolchain builder for -elf toolchains (ie. no libc support)
- docker - Dockerfiles for coreboot-sdk, coreboot-jenkins-node, coreboot.org-status and docs.coreboot.org
- dtd_parser - DTD structure parser
Python2 - ectool - Dumps the RAM of a laptop's Embedded/Environmental
Controller (EC).
C - exynos - Computes and fills Exynos ROM checksum (for BL1 or BL2).
Python3 - find_usbdebug - Help find USB debug ports
- futility - Firmware utility for signing ChromeOS images
Make - fuzz-tests - Create test cases that crash the jpeg code.
C - genbuild_h - Generate build system definitions
Shell - genprof - Format function tracing logs
BashC - gitconfig - Initialize git repository submodules install git
hooks
Bash - ifdtool - Extract and dump Intel Firmware Descriptor information
C - intelmetool - Dump interesting things about Management Engine
even if hidden
C - inteltool - Provides information about the Intel CPU/chipset
hardware configuration (register contents, MSRs, etc).
C - intelvbttool - Parse VBT from VGA BIOS
C - ipqheader
- createxbl.py - Concatentates XBL segments into one ELF
image
Python - ipqheader.py - Returns a packed MBN header image with the
specified base and size
Python - mbncat.py - Generate ipq8064 uber SBL
Python - mbn_tools.py - Contains all MBN Utilities for image
generation
Python
- createxbl.py - Concatentates XBL segments into one ELF
image
- kbc1126 - Tools used to dump the two blobs from the factory
firmware of many HP laptops with 8051-based SMSC KBC1098/KBC1126
embedded controller and insert them to the firmware image.
C - kconfig - Build system
Make - lint - Source linter and linting rules
Shell - marvell - Add U-Boot boot loader for Marvell ARMADA38X
C - me_cleaner - Tool for
partial deblobbing of Intel ME/TXE firmware images
Python - mma - Memory Margin Analysis automation tests
Bash - msrtool - Dumps chipset-specific MSR registers.
C - mtkheader - Generate MediaTek bootload header.
Python3 - nvidia - nvidia blob parsers
- nvramtool - Reads and writes coreboot parameters and displaying
information from the coreboot table in CMOS/NVRAM.
C - pgtblgen - Generates page tables based on fixed physical address.
C - pmh7tool - Dumps, reads and writes PMH7 registers on Lenovo
ThinkPads. PMH7 is used for switching on and off the power of some
devices on the board such as dGPU.
C - post - Userspace utility that can be used to test POST cards.
C - qualcomm - CMM script to debug Qualcomm coreboot environments.
CMM - release - Generate coreboot release
Bash - riscv
- make-spike-elf.sh - Converts a flat file into an ELF, that
can be passed to SPIKE, the RISC-V reference emulator.
Bash - sifive-gpt.py - Wraps the bootblock in a GPT partition for
SiFive's bootrom.
Python3
- make-spike-elf.sh - Converts a flat file into an ELF, that
can be passed to SPIKE, the RISC-V reference emulator.
- rockchip - Generate Rockchip idblock bootloader.
Python3 - sconfig - coreboot device tree compiler
LexYacc - scripts
- config - Manipulate options in a .config file from the
command line
Bash - cross-repo-cherrypick - Pull in patches from another tree
from a gerrit repository.
Shell - decode_spd.sh - Decodes Serial Presence Detect (SPD) files into various human readable formats.
- dts-to-fmd.sh -Converts a depthcharge fmap.dts into an
fmaptool compatible .fmd format
Bash - find-unused-kconfig-symbols.sh - Points out Kconfig
variables that may be unused. There are some false positives, but it
serves as a starting point
Shell - gerrit-rebase - Applies all commits that from-branch has
over to-branch, based on a common ancestor and gerrit meta-data
Bash - get_maintainer.pl - Print selected MAINTAINERS information
for the files modified in a patch or for a file
Perl - maintainers.go - Build subsystem Maintainers
Go - no-fsf-addresses.sh - Removes various FSF addresses from
license headers
Shell - parse-maintainers.pl - Script to alphabetize MAINTAINERS
file
Perl - ucode_h_to_bin.sh - Microcode conversion tool
Bash - update_submodules - Check all submodules for updates
Bash
- config - Manipulate options in a .config file from the
command line
- showdevicetree - Compile and dump the device tree
C - spdtool - Dumps SPD ROMs from a given blob to separate files
using known patterns and reserved bits. Useful for analysing firmware
that holds SPDs on boards that have soldered down DRAM.
python - spkmodem_recv - Decode spkmodem signals
C - superiotool - A user-space utility to detect Super I/O of a
mainboard and provide detailed information about the register contents
of the Super I/O.
C - smcbiosinfo - Generates SMC biosinfo for BMC BIOS updates
C - testing - coreboot test targets
Make - uio_usbdebug - Debug coreboot's usbdebug driver inside a running
operating system (only Linux at this time).
C - util_readme - Creates README.md of description files in
./utilsubdirectoriesBash - vboot_list - Tools to generate a list of vboot enabled devices to
the documentation
Bash - vgabios - emulated vga driver for qemu
C - x86 - Generates 32-bit PAE page tables based on a CSV input file.
Go - xcompile - Cross compile setup
Bash