76dab5f98f
To support the new CONFIG_CBFS_VERIFICATION feature, cbfstool needs to update the metadata hash embedded in the bootblock code every time it adds or removes a CBFS file. This can lead to problems on certain platforms where the bootblock needs to be specially wrapped in some platform-specific data structure so that the platform's masked ROM can recognize it. If that data structure contains any form of hash or signature of the bootblock code that is checked on every boot, it will no longer match if cbfstool modifies it after the fact. In general, we should always try to disable these kinds of features where possible (they're not super useful anyway). But for platforms where the hardware simply doesn't allow that, this patch introduces the concept of "platform fixups" to cbfstool. Whenever cbfstool finds a metadata hash anchor in a CBFS image, it will run all built-in "fixup probe" functions on that bootblock to check if it can recognize it as the wrapper format for a platform known to have such an issue. If so, it will register a corresponding fixup function that will run whenever it tries to write back modified data to that bootblock. The function can then modify any platform-specific headers as necessary. As first supported platform, this patch adds a fixup for Qualcomm platforms (specifically the header format used by sc7180), which recalculates the bootblock body hash originally added by util/qualcomm/createxbl.py. (Note that this feature is not intended to support platform-specific signature schemes like BootGuard directly in cbfstool. For anything that requires an actual secret key, it should be okay if the user needs to run a platform-specific signing tool on the final CBFS image before flashing. This feature is intended for the normal unsigned case (which on some platforms may be implemented as signing with a well-known key) so that on a board that is not "locked down" in any way the normal use case of manipulating an image with cbfstool and then directly flashing the output file stays working with CONFIG_CBFS_VERIFICATION.) Signed-off-by: Julius Werner <jwerner@chromium.org> Change-Id: I02a83a40f1d0009e6f9561ae5d2d9f37a510549a Reviewed-on: https://review.coreboot.org/c/coreboot/+/41122 Reviewed-by: Angel Pons <th3fanbus@gmail.com> Reviewed-by: Aaron Durbin <adurbin@chromium.org> Tested-by: build bot (Jenkins) <no-reply@coreboot.org> |
||
|---|---|---|
| 3rdparty | ||
| configs | ||
| Documentation | ||
| LICENSES | ||
| payloads | ||
| src | ||
| tests | ||
| util | ||
| .checkpatch.conf | ||
| .clang-format | ||
| .editorconfig | ||
| .gitignore | ||
| .gitmodules | ||
| .gitreview | ||
| AUTHORS | ||
| COPYING | ||
| gnat.adc | ||
| MAINTAINERS | ||
| Makefile | ||
| Makefile.inc | ||
| README.md | ||
| toolchain.inc | ||
coreboot README
coreboot is a Free Software project aimed at replacing the proprietary BIOS (firmware) found in most computers. coreboot performs a little bit of hardware initialization and then executes additional boot logic, called a payload.
With the separation of hardware initialization and later boot logic, coreboot can scale from specialized applications that run directly firmware, run operating systems in flash, load custom bootloaders, or implement firmware standards, like PC BIOS services or UEFI. This allows for systems to only include the features necessary in the target application, reducing the amount of code and flash space required.
coreboot was formerly known as LinuxBIOS.
Payloads
After the basic initialization of the hardware has been performed, any desired "payload" can be started by coreboot.
See https://www.coreboot.org/Payloads for a list of supported payloads.
Supported Hardware
coreboot supports a wide range of chipsets, devices, and mainboards.
For details please consult:
Build Requirements
- make
- gcc / g++
Because Linux distribution compilers tend to use lots of patches. coreboot
does lots of "unusual" things in its build system, some of which break due
to those patches, sometimes by gcc aborting, sometimes - and that's worse -
by generating broken object code.
Two options: use our toolchain (eg. make crosstools-i386) or enable the
ANY_TOOLCHAINKconfig option if you're feeling lucky (no support in this case). - iasl (for targets with ACPI support)
- pkg-config
- libssl-dev (openssl)
Optional:
- doxygen (for generating/viewing documentation)
- gdb (for better debugging facilities on some targets)
- ncurses (for
make menuconfigandmake nconfig) - flex and bison (for regenerating parsers)
Building coreboot
Please consult https://www.coreboot.org/Build_HOWTO for details.
Testing coreboot Without Modifying Your Hardware
If you want to test coreboot without any risks before you really decide to use it on your hardware, you can use the QEMU system emulator to run coreboot virtually in QEMU.
Please see https://www.coreboot.org/QEMU for details.
Website and Mailing List
Further details on the project, a FAQ, many HOWTOs, news, development guidelines and more can be found on the coreboot website:
You can contact us directly on the coreboot mailing list:
https://www.coreboot.org/Mailinglist
Copyright and License
The copyright on coreboot is owned by quite a large number of individual developers and companies. Please check the individual source files for details.
coreboot is licensed under the terms of the GNU General Public License (GPL). Some files are licensed under the "GPL (version 2, or any later version)", and some files are licensed under the "GPL, version 2". For some parts, which were derived from other projects, other (GPL-compatible) licenses may apply. Please check the individual source files for details.
This makes the resulting coreboot images licensed under the GPL, version 2.