coreboot-gerrit February 2019

coreboot-gerrit@coreboot.org

1 participants
1249 discussions

Change in ...coreboot[master]: security/vboot: Add measured boot mode
by build bot (Jenkins) (Code Review) 21 Feb '19

21 Feb '19

build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/29547 ) Change subject: security/vboot: Add measured boot mode ...................................................................... Patch Set 66: (14 comments) https://review.coreboot.org/#/c/29547/66/src/lib/cbfs.c File src/lib/cbfs.c: https://review.coreboot.org/#/c/29547/66/src/lib/cbfs.c@102 PS66, Line 102: size_t in_size, void *buffer, size_t buffer_size, uint32_t compression) line over 80 characters https://review.coreboot.org/#/c/29547/66/src/lib/cbfs.c@115 PS66, Line 115: if ((ENV_BOOTBLOCK || ENV_VERSTAGE) && !IS_ENABLED(CONFIG_COMPRESS_PRERAM_STAGES)) line over 80 characters https://review.coreboot.org/#/c/29547/66/src/lib/cbfs.c@257 PS66, Line 257: if (ENV_VERSTAGE && !IS_ENABLED(CONFIG_NO_XIP_EARLY_STAGES) && IS_ENABLED(CONFIG_BOOT_DEVICE_MEMORY_MAPPED)) { line over 80 characters https://review.coreboot.org/#/c/29547/66/src/security/vboot/vboot_crtm.h File src/security/vboot/vboot_crtm.h: https://review.coreboot.org/#/c/29547/66/src/security/vboot/vboot_crtm.h@49 PS66, Line 49: #if (IS_ENABLED(CONFIG_VBOOT_MEASURED_BOOT) && !ENV_BOOTBLOCK && !ENV_DECOMPRESSOR) line over 80 characters https://review.coreboot.org/#/c/29547/66/src/security/vboot/vboot_crtm.c File src/security/vboot/vboot_crtm.c: https://review.coreboot.org/#/c/29547/66/src/security/vboot/vboot_crtm.c@38 PS66, Line 38: if (cbfs_boot_locate(&bootblock_data, prog_name(&bootblock), NULL) == 0) { line over 80 characters https://review.coreboot.org/#/c/29547/66/src/security/vboot/vboot_crtm.c@55 PS66, Line 55: if (cbfs_boot_locate(&romstage_data, prog_name(&romstage), NULL) == 0) { line over 80 characters https://review.coreboot.org/#/c/29547/66/src/security/vboot/vboot_crtm.c@73 PS66, Line 73: if (cbfs_boot_locate(&verstage_data, prog_name(&verstage), NULL) == 0) { line over 80 characters https://review.coreboot.org/#/c/29547/66/src/security/vboot/vboot_logic.c File src/security/vboot/vboot_logic.c: https://review.coreboot.org/#/c/29547/66/src/security/vboot/vboot_logic.c@98 PS66, Line 98: BUG(); /* Should never get called if init() returned an error. */ Avoid crashing the kernel - try using WARN_ON & recovery code rather than BUG() or BUG_ON() https://review.coreboot.org/#/c/29547/66/src/security/vboot/vboot_logic.c@1… PS66, Line 104: BUG(); /* Should never get called if init() returned an error. */ Avoid crashing the kernel - try using WARN_ON & recovery code rather than BUG() or BUG_ON() https://review.coreboot.org/#/c/29547/66/src/security/vboot/vboot_logic.c@2… PS66, Line 281: return vboot_extend_pcr(ctx, 0, BOOT_MODE_PCR) || vboot_extend_pcr(ctx, 1, HWID_DIGEST_PCR); line over 80 characters https://review.coreboot.org/#/c/29547/66/src/security/vboot/vboot_logic.c@3… PS66, Line 308: if (IS_ENABLED(CONFIG_RESUME_PATH_SAME_AS_BOOT) && vboot_platform_is_resuming()) line over 80 characters https://review.coreboot.org/#/c/29547/66/src/security/vboot/vboot_logic.c@3… PS66, Line 319: if (IS_ENABLED(CONFIG_VBOOT_MEASURED_BOOT) && !(ctx.flags & VB2_CONTEXT_S3_RESUME)) { line over 80 characters https://review.coreboot.org/#/c/29547/66/src/security/vboot/vboot_logic.c@3… PS66, Line 324: if (IS_ENABLED(CONFIG_VBOOT_PHYSICAL_DEV_SWITCH) && get_developer_mode_switch()) line over 80 characters https://review.coreboot.org/#/c/29547/66/src/security/vboot/vboot_logic.c@3… PS66, Line 333: if (IS_ENABLED(CONFIG_VBOOT_WIPEOUT_SUPPORTED) && get_wipeout_mode_switch()) line over 80 characters -- To view, visit https://review.coreboot.org/c/coreboot/+/29547 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: I339a2f1051e44f36aba9f99828f130592a09355e Gerrit-Change-Number: 29547 Gerrit-PatchSet: 66 Gerrit-Owner: Philipp Deppenwiese <zaolin.daisuki(a)gmail.com> Gerrit-Reviewer: Aaron Durbin <adurbin(a)chromium.org> Gerrit-Reviewer: David Hendricks <david.hendricks(a)gmail.com> Gerrit-Reviewer: Huang Jin <huang.jin(a)intel.com> Gerrit-Reviewer: Julius Werner <jwerner(a)chromium.org> Gerrit-Reviewer: Krystian Hebel <krystian.hebel(a)3mdeb.com> Gerrit-Reviewer: Martin Roth <martinroth(a)google.com> Gerrit-Reviewer: Michał Żygowski <michal.zygowski(a)3mdeb.com> Gerrit-Reviewer: Patrick Georgi <pgeorgi(a)google.com> Gerrit-Reviewer: Patrick Rudolph <patrick.rudolph(a)9elements.com> Gerrit-Reviewer: Patrick Rudolph <siro(a)das-labor.org> Gerrit-Reviewer: Paul Menzel <paulepanter(a)users.sourceforge.net> Gerrit-Reviewer: Philipp Deppenwiese <zaolin.daisuki(a)gmail.com> Gerrit-Reviewer: Piotr Król <piotr.krol(a)3mdeb.com> Gerrit-Reviewer: Stefan Reinauer <stefan.reinauer(a)coreboot.org> Gerrit-Reviewer: Werner Zeh <werner.zeh(a)siemens.com> Gerrit-Reviewer: York Yang <york.yang(a)intel.com> Gerrit-Reviewer: build bot (Jenkins) <no-reply(a)coreboot.org> Gerrit-Comment-Date: Thu, 21 Feb 2019 15:35:38 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No Gerrit-MessageType: comment

1 0

Change in ...coreboot[master]: security/vboot: Add measured boot mode
by Philipp Deppenwiese (Code Review) 21 Feb '19

21 Feb '19

Hello Patrick Rudolph, Aaron Durbin, Piotr Król, Julius Werner, Krystian Hebel, Patrick Rudolph, Stefan Reinauer, Paul Menzel, build bot (Jenkins), Patrick Georgi, Werner Zeh, Huang Jin, York Yang, David Hendricks, Martin Roth, Michał Żygowski, I'd like you to reexamine a change. Please visit https://review.coreboot.org/c/coreboot/+/29547 to look at the new patch set (#66). Change subject: security/vboot: Add measured boot mode ...................................................................... security/vboot: Add measured boot mode * Introduce a measured boot mode into vboot. * Add hook for stage measurements in prog_loader and cbfs. * Implement and hook-up CRTM in vboot and check for suspend. Change-Id: I339a2f1051e44f36aba9f99828f130592a09355e Signed-off-by: Philipp Deppenwiese <zaolin.daisuki(a)gmail.com> Signed-off-by: Werner Zeh <werner.zeh(a)siemens.com> --- M Documentation/index.md A Documentation/security.md A Documentation/security/index.md A Documentation/security/vboot/measured_boot.md A Documentation/security/vboot/srtm.png M src/cpu/intel/haswell/Makefile.inc M src/cpu/intel/model_2065x/Makefile.inc M src/cpu/intel/model_206ax/Makefile.inc M src/lib/cbfs.c M src/lib/prog_loaders.c M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc A src/security/vboot/vboot_crtm.c A src/security/vboot/vboot_crtm.h M src/security/vboot/vboot_logic.c M src/soc/amd/stoneyridge/Makefile.inc M src/soc/intel/baytrail/Makefile.inc M src/soc/intel/braswell/Makefile.inc M src/soc/intel/broadwell/Makefile.inc M src/soc/intel/fsp_baytrail/Makefile.inc M src/soc/intel/fsp_broadwell_de/Makefile.inc M src/soc/mediatek/mt8183/include/soc/memlayout.ld M util/abuild/abuild 24 files changed, 364 insertions(+), 49 deletions(-) git pull ssh://review.coreboot.org:29418/coreboot refs/changes/47/29547/66 -- To view, visit https://review.coreboot.org/c/coreboot/+/29547 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: I339a2f1051e44f36aba9f99828f130592a09355e Gerrit-Change-Number: 29547 Gerrit-PatchSet: 66 Gerrit-Owner: Philipp Deppenwiese <zaolin.daisuki(a)gmail.com> Gerrit-Reviewer: Aaron Durbin <adurbin(a)chromium.org> Gerrit-Reviewer: David Hendricks <david.hendricks(a)gmail.com> Gerrit-Reviewer: Huang Jin <huang.jin(a)intel.com> Gerrit-Reviewer: Julius Werner <jwerner(a)chromium.org> Gerrit-Reviewer: Krystian Hebel <krystian.hebel(a)3mdeb.com> Gerrit-Reviewer: Martin Roth <martinroth(a)google.com> Gerrit-Reviewer: Michał Żygowski <michal.zygowski(a)3mdeb.com> Gerrit-Reviewer: Patrick Georgi <pgeorgi(a)google.com> Gerrit-Reviewer: Patrick Rudolph <patrick.rudolph(a)9elements.com> Gerrit-Reviewer: Patrick Rudolph <siro(a)das-labor.org> Gerrit-Reviewer: Paul Menzel <paulepanter(a)users.sourceforge.net> Gerrit-Reviewer: Philipp Deppenwiese <zaolin.daisuki(a)gmail.com> Gerrit-Reviewer: Piotr Król <piotr.krol(a)3mdeb.com> Gerrit-Reviewer: Stefan Reinauer <stefan.reinauer(a)coreboot.org> Gerrit-Reviewer: Werner Zeh <werner.zeh(a)siemens.com> Gerrit-Reviewer: York Yang <york.yang(a)intel.com> Gerrit-Reviewer: build bot (Jenkins) <no-reply(a)coreboot.org> Gerrit-MessageType: newpatchset

1 0

Change in ...coreboot[master]: security/vboot: Add measured boot mode
by build bot (Jenkins) (Code Review) 21 Feb '19

21 Feb '19

build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/29547 ) Change subject: security/vboot: Add measured boot mode ...................................................................... Patch Set 65: (14 comments) https://review.coreboot.org/#/c/29547/65/src/lib/cbfs.c File src/lib/cbfs.c: https://review.coreboot.org/#/c/29547/65/src/lib/cbfs.c@102 PS65, Line 102: size_t in_size, void *buffer, size_t buffer_size, uint32_t compression) line over 80 characters https://review.coreboot.org/#/c/29547/65/src/lib/cbfs.c@115 PS65, Line 115: if ((ENV_BOOTBLOCK || ENV_VERSTAGE) && !IS_ENABLED(CONFIG_COMPRESS_PRERAM_STAGES)) line over 80 characters https://review.coreboot.org/#/c/29547/65/src/lib/cbfs.c@257 PS65, Line 257: if (ENV_VERSTAGE && !IS_ENABLED(CONFIG_NO_XIP_EARLY_STAGES) && IS_ENABLED(CONFIG_BOOT_DEVICE_MEMORY_MAPPED)) { line over 80 characters https://review.coreboot.org/#/c/29547/65/src/security/vboot/vboot_crtm.h File src/security/vboot/vboot_crtm.h: https://review.coreboot.org/#/c/29547/65/src/security/vboot/vboot_crtm.h@49 PS65, Line 49: #if (IS_ENABLED(CONFIG_VBOOT_MEASURED_BOOT) && !ENV_BOOTBLOCK && !ENV_DECOMPRESSOR) line over 80 characters https://review.coreboot.org/#/c/29547/65/src/security/vboot/vboot_crtm.c File src/security/vboot/vboot_crtm.c: https://review.coreboot.org/#/c/29547/65/src/security/vboot/vboot_crtm.c@38 PS65, Line 38: if (cbfs_boot_locate(&bootblock_data, prog_name(&bootblock), NULL) == 0) { line over 80 characters https://review.coreboot.org/#/c/29547/65/src/security/vboot/vboot_crtm.c@55 PS65, Line 55: if (cbfs_boot_locate(&romstage_data, prog_name(&romstage), NULL) == 0) { line over 80 characters https://review.coreboot.org/#/c/29547/65/src/security/vboot/vboot_crtm.c@73 PS65, Line 73: if (cbfs_boot_locate(&verstage_data, prog_name(&verstage), NULL) == 0) { line over 80 characters https://review.coreboot.org/#/c/29547/65/src/security/vboot/vboot_logic.c File src/security/vboot/vboot_logic.c: https://review.coreboot.org/#/c/29547/65/src/security/vboot/vboot_logic.c@98 PS65, Line 98: BUG(); /* Should never get called if init() returned an error. */ Avoid crashing the kernel - try using WARN_ON & recovery code rather than BUG() or BUG_ON() https://review.coreboot.org/#/c/29547/65/src/security/vboot/vboot_logic.c@1… PS65, Line 104: BUG(); /* Should never get called if init() returned an error. */ Avoid crashing the kernel - try using WARN_ON & recovery code rather than BUG() or BUG_ON() https://review.coreboot.org/#/c/29547/65/src/security/vboot/vboot_logic.c@2… PS65, Line 281: return vboot_extend_pcr(ctx, 0, BOOT_MODE_PCR) || vboot_extend_pcr(ctx, 1, HWID_DIGEST_PCR); line over 80 characters https://review.coreboot.org/#/c/29547/65/src/security/vboot/vboot_logic.c@3… PS65, Line 308: if (IS_ENABLED(CONFIG_RESUME_PATH_SAME_AS_BOOT) && vboot_platform_is_resuming()) line over 80 characters https://review.coreboot.org/#/c/29547/65/src/security/vboot/vboot_logic.c@3… PS65, Line 319: if (IS_ENABLED(CONFIG_VBOOT_MEASURED_BOOT) && !(ctx.flags & VB2_CONTEXT_S3_RESUME)) { line over 80 characters https://review.coreboot.org/#/c/29547/65/src/security/vboot/vboot_logic.c@3… PS65, Line 324: if (IS_ENABLED(CONFIG_VBOOT_PHYSICAL_DEV_SWITCH) && get_developer_mode_switch()) line over 80 characters https://review.coreboot.org/#/c/29547/65/src/security/vboot/vboot_logic.c@3… PS65, Line 333: if (IS_ENABLED(CONFIG_VBOOT_WIPEOUT_SUPPORTED) && get_wipeout_mode_switch()) line over 80 characters -- To view, visit https://review.coreboot.org/c/coreboot/+/29547 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: I339a2f1051e44f36aba9f99828f130592a09355e Gerrit-Change-Number: 29547 Gerrit-PatchSet: 65 Gerrit-Owner: Philipp Deppenwiese <zaolin.daisuki(a)gmail.com> Gerrit-Reviewer: Aaron Durbin <adurbin(a)chromium.org> Gerrit-Reviewer: David Hendricks <david.hendricks(a)gmail.com> Gerrit-Reviewer: Huang Jin <huang.jin(a)intel.com> Gerrit-Reviewer: Julius Werner <jwerner(a)chromium.org> Gerrit-Reviewer: Krystian Hebel <krystian.hebel(a)3mdeb.com> Gerrit-Reviewer: Martin Roth <martinroth(a)google.com> Gerrit-Reviewer: Michał Żygowski <michal.zygowski(a)3mdeb.com> Gerrit-Reviewer: Patrick Georgi <pgeorgi(a)google.com> Gerrit-Reviewer: Patrick Rudolph <patrick.rudolph(a)9elements.com> Gerrit-Reviewer: Patrick Rudolph <siro(a)das-labor.org> Gerrit-Reviewer: Paul Menzel <paulepanter(a)users.sourceforge.net> Gerrit-Reviewer: Philipp Deppenwiese <zaolin.daisuki(a)gmail.com> Gerrit-Reviewer: Piotr Król <piotr.krol(a)3mdeb.com> Gerrit-Reviewer: Stefan Reinauer <stefan.reinauer(a)coreboot.org> Gerrit-Reviewer: Werner Zeh <werner.zeh(a)siemens.com> Gerrit-Reviewer: York Yang <york.yang(a)intel.com> Gerrit-Reviewer: build bot (Jenkins) <no-reply(a)coreboot.org> Gerrit-Comment-Date: Thu, 21 Feb 2019 15:27:02 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No Gerrit-MessageType: comment

1 0

Change in ...coreboot[master]: security/vboot: Add measured boot mode
by build bot (Jenkins) (Code Review) 21 Feb '19

21 Feb '19

build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/29547 ) Change subject: security/vboot: Add measured boot mode ...................................................................... Patch Set 65: (14 comments) https://review.coreboot.org/#/c/29547/65/src/lib/cbfs.c File src/lib/cbfs.c: https://review.coreboot.org/#/c/29547/65/src/lib/cbfs.c@102 PS65, Line 102: size_t in_size, void *buffer, size_t buffer_size, uint32_t compression) line over 80 characters https://review.coreboot.org/#/c/29547/65/src/lib/cbfs.c@115 PS65, Line 115: if ((ENV_BOOTBLOCK || ENV_VERSTAGE) && !IS_ENABLED(CONFIG_COMPRESS_PRERAM_STAGES)) line over 80 characters https://review.coreboot.org/#/c/29547/65/src/lib/cbfs.c@257 PS65, Line 257: if (ENV_VERSTAGE && !IS_ENABLED(CONFIG_NO_XIP_EARLY_STAGES) && IS_ENABLED(CONFIG_BOOT_DEVICE_MEMORY_MAPPED)) { line over 80 characters https://review.coreboot.org/#/c/29547/65/src/security/vboot/vboot_crtm.h File src/security/vboot/vboot_crtm.h: https://review.coreboot.org/#/c/29547/65/src/security/vboot/vboot_crtm.h@49 PS65, Line 49: #if (IS_ENABLED(CONFIG_VBOOT_MEASURED_BOOT) && !ENV_BOOTBLOCK && !ENV_DECOMPRESSOR) line over 80 characters https://review.coreboot.org/#/c/29547/65/src/security/vboot/vboot_crtm.c File src/security/vboot/vboot_crtm.c: https://review.coreboot.org/#/c/29547/65/src/security/vboot/vboot_crtm.c@38 PS65, Line 38: if (cbfs_boot_locate(&bootblock_data, prog_name(&bootblock), NULL) == 0) { line over 80 characters https://review.coreboot.org/#/c/29547/65/src/security/vboot/vboot_crtm.c@55 PS65, Line 55: if (cbfs_boot_locate(&romstage_data, prog_name(&romstage), NULL) == 0) { line over 80 characters https://review.coreboot.org/#/c/29547/65/src/security/vboot/vboot_crtm.c@73 PS65, Line 73: if (cbfs_boot_locate(&verstage_data, prog_name(&verstage), NULL) == 0) { line over 80 characters https://review.coreboot.org/#/c/29547/65/src/security/vboot/vboot_logic.c File src/security/vboot/vboot_logic.c: https://review.coreboot.org/#/c/29547/65/src/security/vboot/vboot_logic.c@98 PS65, Line 98: BUG(); /* Should never get called if init() returned an error. */ Avoid crashing the kernel - try using WARN_ON & recovery code rather than BUG() or BUG_ON() https://review.coreboot.org/#/c/29547/65/src/security/vboot/vboot_logic.c@1… PS65, Line 104: BUG(); /* Should never get called if init() returned an error. */ Avoid crashing the kernel - try using WARN_ON & recovery code rather than BUG() or BUG_ON() https://review.coreboot.org/#/c/29547/65/src/security/vboot/vboot_logic.c@2… PS65, Line 281: return vboot_extend_pcr(ctx, 0, BOOT_MODE_PCR) || vboot_extend_pcr(ctx, 1, HWID_DIGEST_PCR); line over 80 characters https://review.coreboot.org/#/c/29547/65/src/security/vboot/vboot_logic.c@3… PS65, Line 308: if (IS_ENABLED(CONFIG_RESUME_PATH_SAME_AS_BOOT) && vboot_platform_is_resuming()) line over 80 characters https://review.coreboot.org/#/c/29547/65/src/security/vboot/vboot_logic.c@3… PS65, Line 319: if (IS_ENABLED(CONFIG_VBOOT_MEASURED_BOOT) && !(ctx.flags & VB2_CONTEXT_S3_RESUME)) { line over 80 characters https://review.coreboot.org/#/c/29547/65/src/security/vboot/vboot_logic.c@3… PS65, Line 324: if (IS_ENABLED(CONFIG_VBOOT_PHYSICAL_DEV_SWITCH) && get_developer_mode_switch()) line over 80 characters https://review.coreboot.org/#/c/29547/65/src/security/vboot/vboot_logic.c@3… PS65, Line 333: if (IS_ENABLED(CONFIG_VBOOT_WIPEOUT_SUPPORTED) && get_wipeout_mode_switch()) line over 80 characters -- To view, visit https://review.coreboot.org/c/coreboot/+/29547 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: I339a2f1051e44f36aba9f99828f130592a09355e Gerrit-Change-Number: 29547 Gerrit-PatchSet: 65 Gerrit-Owner: Philipp Deppenwiese <zaolin.daisuki(a)gmail.com> Gerrit-Reviewer: Aaron Durbin <adurbin(a)chromium.org> Gerrit-Reviewer: David Hendricks <david.hendricks(a)gmail.com> Gerrit-Reviewer: Huang Jin <huang.jin(a)intel.com> Gerrit-Reviewer: Julius Werner <jwerner(a)chromium.org> Gerrit-Reviewer: Krystian Hebel <krystian.hebel(a)3mdeb.com> Gerrit-Reviewer: Martin Roth <martinroth(a)google.com> Gerrit-Reviewer: Michał Żygowski <michal.zygowski(a)3mdeb.com> Gerrit-Reviewer: Patrick Georgi <pgeorgi(a)google.com> Gerrit-Reviewer: Patrick Rudolph <patrick.rudolph(a)9elements.com> Gerrit-Reviewer: Patrick Rudolph <siro(a)das-labor.org> Gerrit-Reviewer: Paul Menzel <paulepanter(a)users.sourceforge.net> Gerrit-Reviewer: Philipp Deppenwiese <zaolin.daisuki(a)gmail.com> Gerrit-Reviewer: Piotr Król <piotr.krol(a)3mdeb.com> Gerrit-Reviewer: Stefan Reinauer <stefan.reinauer(a)coreboot.org> Gerrit-Reviewer: Werner Zeh <werner.zeh(a)siemens.com> Gerrit-Reviewer: York Yang <york.yang(a)intel.com> Gerrit-Reviewer: build bot (Jenkins) <no-reply(a)coreboot.org> Gerrit-Comment-Date: Thu, 21 Feb 2019 15:22:54 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No Gerrit-MessageType: comment

1 0

Change in ...coreboot[master]: security/vboot: Add measured boot mode
by Philipp Deppenwiese (Code Review) 21 Feb '19

21 Feb '19

Hello Patrick Rudolph, Aaron Durbin, Piotr Król, Julius Werner, Krystian Hebel, Patrick Rudolph, Stefan Reinauer, Paul Menzel, build bot (Jenkins), Patrick Georgi, Werner Zeh, Huang Jin, York Yang, David Hendricks, Martin Roth, Michał Żygowski, I'd like you to reexamine a change. Please visit https://review.coreboot.org/c/coreboot/+/29547 to look at the new patch set (#65). Change subject: security/vboot: Add measured boot mode ...................................................................... security/vboot: Add measured boot mode * Introduce a measured boot mode into vboot. * Add hook for stage measurements in prog_loader and cbfs. * Implement and hook-up CRTM in vboot and check for suspend. Change-Id: I339a2f1051e44f36aba9f99828f130592a09355e Signed-off-by: Philipp Deppenwiese <zaolin.daisuki(a)gmail.com> Signed-off-by: Werner Zeh <werner.zeh(a)siemens.com> --- M Documentation/index.md A Documentation/security.md A Documentation/security/index.md A Documentation/security/vboot/measured_boot.md A Documentation/security/vboot/srtm.png M src/cpu/intel/haswell/Makefile.inc M src/cpu/intel/model_2065x/Makefile.inc M src/cpu/intel/model_206ax/Makefile.inc M src/lib/cbfs.c M src/lib/prog_loaders.c M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc A src/security/vboot/vboot_crtm.c A src/security/vboot/vboot_crtm.h M src/security/vboot/vboot_logic.c M src/soc/amd/stoneyridge/Makefile.inc M src/soc/intel/baytrail/Makefile.inc M src/soc/intel/braswell/Makefile.inc M src/soc/intel/broadwell/Makefile.inc M src/soc/intel/fsp_baytrail/Makefile.inc M src/soc/intel/fsp_broadwell_de/Makefile.inc M util/abuild/abuild 23 files changed, 363 insertions(+), 48 deletions(-) git pull ssh://review.coreboot.org:29418/coreboot refs/changes/47/29547/65 -- To view, visit https://review.coreboot.org/c/coreboot/+/29547 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: I339a2f1051e44f36aba9f99828f130592a09355e Gerrit-Change-Number: 29547 Gerrit-PatchSet: 65 Gerrit-Owner: Philipp Deppenwiese <zaolin.daisuki(a)gmail.com> Gerrit-Reviewer: Aaron Durbin <adurbin(a)chromium.org> Gerrit-Reviewer: David Hendricks <david.hendricks(a)gmail.com> Gerrit-Reviewer: Huang Jin <huang.jin(a)intel.com> Gerrit-Reviewer: Julius Werner <jwerner(a)chromium.org> Gerrit-Reviewer: Krystian Hebel <krystian.hebel(a)3mdeb.com> Gerrit-Reviewer: Martin Roth <martinroth(a)google.com> Gerrit-Reviewer: Michał Żygowski <michal.zygowski(a)3mdeb.com> Gerrit-Reviewer: Patrick Georgi <pgeorgi(a)google.com> Gerrit-Reviewer: Patrick Rudolph <patrick.rudolph(a)9elements.com> Gerrit-Reviewer: Patrick Rudolph <siro(a)das-labor.org> Gerrit-Reviewer: Paul Menzel <paulepanter(a)users.sourceforge.net> Gerrit-Reviewer: Philipp Deppenwiese <zaolin.daisuki(a)gmail.com> Gerrit-Reviewer: Piotr Król <piotr.krol(a)3mdeb.com> Gerrit-Reviewer: Stefan Reinauer <stefan.reinauer(a)coreboot.org> Gerrit-Reviewer: Werner Zeh <werner.zeh(a)siemens.com> Gerrit-Reviewer: York Yang <york.yang(a)intel.com> Gerrit-Reviewer: build bot (Jenkins) <no-reply(a)coreboot.org> Gerrit-MessageType: newpatchset

1 0

Change in ...coreboot[master]: security/vboot: Add measured boot mode
by build bot (Jenkins) (Code Review) 21 Feb '19

21 Feb '19

build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/29547 ) Change subject: security/vboot: Add measured boot mode ...................................................................... Patch Set 64: (14 comments) https://review.coreboot.org/#/c/29547/64/src/lib/cbfs.c File src/lib/cbfs.c: https://review.coreboot.org/#/c/29547/64/src/lib/cbfs.c@102 PS64, Line 102: size_t in_size, void *buffer, size_t buffer_size, uint32_t compression) line over 80 characters https://review.coreboot.org/#/c/29547/64/src/lib/cbfs.c@115 PS64, Line 115: if ((ENV_BOOTBLOCK || ENV_VERSTAGE) && !IS_ENABLED(CONFIG_COMPRESS_PRERAM_STAGES)) line over 80 characters https://review.coreboot.org/#/c/29547/64/src/lib/cbfs.c@257 PS64, Line 257: if (ENV_VERSTAGE && !IS_ENABLED(CONFIG_NO_XIP_EARLY_STAGES) && IS_ENABLED(CONFIG_BOOT_DEVICE_MEMORY_MAPPED)) { line over 80 characters https://review.coreboot.org/#/c/29547/64/src/security/vboot/vboot_crtm.h File src/security/vboot/vboot_crtm.h: https://review.coreboot.org/#/c/29547/64/src/security/vboot/vboot_crtm.h@49 PS64, Line 49: #if (IS_ENABLED(CONFIG_VBOOT_MEASURED_BOOT) && !ENV_BOOTBLOCK && !ENV_DECOMPRESSOR) line over 80 characters https://review.coreboot.org/#/c/29547/64/src/security/vboot/vboot_crtm.c File src/security/vboot/vboot_crtm.c: https://review.coreboot.org/#/c/29547/64/src/security/vboot/vboot_crtm.c@38 PS64, Line 38: if (cbfs_boot_locate(&bootblock_data, prog_name(&bootblock), NULL) == 0) { line over 80 characters https://review.coreboot.org/#/c/29547/64/src/security/vboot/vboot_crtm.c@55 PS64, Line 55: if (cbfs_boot_locate(&romstage_data, prog_name(&romstage), NULL) == 0) { line over 80 characters https://review.coreboot.org/#/c/29547/64/src/security/vboot/vboot_crtm.c@73 PS64, Line 73: if (cbfs_boot_locate(&verstage_data, prog_name(&verstage), NULL) == 0) { line over 80 characters https://review.coreboot.org/#/c/29547/64/src/security/vboot/vboot_logic.c File src/security/vboot/vboot_logic.c: https://review.coreboot.org/#/c/29547/64/src/security/vboot/vboot_logic.c@98 PS64, Line 98: BUG(); /* Should never get called if init() returned an error. */ Avoid crashing the kernel - try using WARN_ON & recovery code rather than BUG() or BUG_ON() https://review.coreboot.org/#/c/29547/64/src/security/vboot/vboot_logic.c@1… PS64, Line 104: BUG(); /* Should never get called if init() returned an error. */ Avoid crashing the kernel - try using WARN_ON & recovery code rather than BUG() or BUG_ON() https://review.coreboot.org/#/c/29547/64/src/security/vboot/vboot_logic.c@2… PS64, Line 281: return vboot_extend_pcr(ctx, 0, BOOT_MODE_PCR) || vboot_extend_pcr(ctx, 1, HWID_DIGEST_PCR); line over 80 characters https://review.coreboot.org/#/c/29547/64/src/security/vboot/vboot_logic.c@3… PS64, Line 308: if (IS_ENABLED(CONFIG_RESUME_PATH_SAME_AS_BOOT) && vboot_platform_is_resuming()) line over 80 characters https://review.coreboot.org/#/c/29547/64/src/security/vboot/vboot_logic.c@3… PS64, Line 319: if (IS_ENABLED(CONFIG_VBOOT_MEASURED_BOOT) && !(ctx.flags & VB2_CONTEXT_S3_RESUME)) { line over 80 characters https://review.coreboot.org/#/c/29547/64/src/security/vboot/vboot_logic.c@3… PS64, Line 324: if (IS_ENABLED(CONFIG_VBOOT_PHYSICAL_DEV_SWITCH) && get_developer_mode_switch()) line over 80 characters https://review.coreboot.org/#/c/29547/64/src/security/vboot/vboot_logic.c@3… PS64, Line 333: if (IS_ENABLED(CONFIG_VBOOT_WIPEOUT_SUPPORTED) && get_wipeout_mode_switch()) line over 80 characters -- To view, visit https://review.coreboot.org/c/coreboot/+/29547 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: I339a2f1051e44f36aba9f99828f130592a09355e Gerrit-Change-Number: 29547 Gerrit-PatchSet: 64 Gerrit-Owner: Philipp Deppenwiese <zaolin.daisuki(a)gmail.com> Gerrit-Reviewer: Aaron Durbin <adurbin(a)chromium.org> Gerrit-Reviewer: David Hendricks <david.hendricks(a)gmail.com> Gerrit-Reviewer: Huang Jin <huang.jin(a)intel.com> Gerrit-Reviewer: Julius Werner <jwerner(a)chromium.org> Gerrit-Reviewer: Krystian Hebel <krystian.hebel(a)3mdeb.com> Gerrit-Reviewer: Martin Roth <martinroth(a)google.com> Gerrit-Reviewer: Michał Żygowski <michal.zygowski(a)3mdeb.com> Gerrit-Reviewer: Patrick Georgi <pgeorgi(a)google.com> Gerrit-Reviewer: Patrick Rudolph <patrick.rudolph(a)9elements.com> Gerrit-Reviewer: Patrick Rudolph <siro(a)das-labor.org> Gerrit-Reviewer: Paul Menzel <paulepanter(a)users.sourceforge.net> Gerrit-Reviewer: Philipp Deppenwiese <zaolin.daisuki(a)gmail.com> Gerrit-Reviewer: Piotr Król <piotr.krol(a)3mdeb.com> Gerrit-Reviewer: Stefan Reinauer <stefan.reinauer(a)coreboot.org> Gerrit-Reviewer: Werner Zeh <werner.zeh(a)siemens.com> Gerrit-Reviewer: York Yang <york.yang(a)intel.com> Gerrit-Reviewer: build bot (Jenkins) <no-reply(a)coreboot.org> Gerrit-Comment-Date: Thu, 21 Feb 2019 15:21:43 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No Gerrit-MessageType: comment

1 0

Change in ...coreboot[master]: security/vboot: Add measured boot mode
by Philipp Deppenwiese (Code Review) 21 Feb '19

21 Feb '19

Hello Patrick Rudolph, Aaron Durbin, Piotr Król, Julius Werner, Krystian Hebel, Patrick Rudolph, Stefan Reinauer, Paul Menzel, build bot (Jenkins), Patrick Georgi, Werner Zeh, Huang Jin, York Yang, David Hendricks, Martin Roth, Michał Żygowski, I'd like you to reexamine a change. Please visit https://review.coreboot.org/c/coreboot/+/29547 to look at the new patch set (#64). Change subject: security/vboot: Add measured boot mode ...................................................................... security/vboot: Add measured boot mode * Introduce a measured boot mode into vboot. * Add hook for stage measurements in prog_loader and cbfs. * Implement and hook-up CRTM in vboot and check for suspend. Change-Id: I339a2f1051e44f36aba9f99828f130592a09355e Signed-off-by: Philipp Deppenwiese <zaolin.daisuki(a)gmail.com> Signed-off-by: Werner Zeh <werner.zeh(a)siemens.com> --- M Documentation/index.md A Documentation/security.md A Documentation/security/index.md A Documentation/security/vboot/measured_boot.md A Documentation/security/vboot/srtm.png M src/cpu/intel/haswell/Makefile.inc M src/cpu/intel/model_2065x/Makefile.inc M src/cpu/intel/model_206ax/Makefile.inc M src/lib/cbfs.c M src/lib/prog_loaders.c M src/security/tpm/tspi/tspi.c M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc A src/security/vboot/vboot_crtm.c A src/security/vboot/vboot_crtm.h M src/security/vboot/vboot_logic.c M src/soc/amd/stoneyridge/Makefile.inc M src/soc/intel/baytrail/Makefile.inc M src/soc/intel/braswell/Makefile.inc M src/soc/intel/broadwell/Makefile.inc M src/soc/intel/fsp_baytrail/Makefile.inc M src/soc/intel/fsp_broadwell_de/Makefile.inc M util/abuild/abuild 23 files changed, 362 insertions(+), 48 deletions(-) git pull ssh://review.coreboot.org:29418/coreboot refs/changes/47/29547/64 -- To view, visit https://review.coreboot.org/c/coreboot/+/29547 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: I339a2f1051e44f36aba9f99828f130592a09355e Gerrit-Change-Number: 29547 Gerrit-PatchSet: 64 Gerrit-Owner: Philipp Deppenwiese <zaolin.daisuki(a)gmail.com> Gerrit-Reviewer: Aaron Durbin <adurbin(a)chromium.org> Gerrit-Reviewer: David Hendricks <david.hendricks(a)gmail.com> Gerrit-Reviewer: Huang Jin <huang.jin(a)intel.com> Gerrit-Reviewer: Julius Werner <jwerner(a)chromium.org> Gerrit-Reviewer: Krystian Hebel <krystian.hebel(a)3mdeb.com> Gerrit-Reviewer: Martin Roth <martinroth(a)google.com> Gerrit-Reviewer: Michał Żygowski <michal.zygowski(a)3mdeb.com> Gerrit-Reviewer: Patrick Georgi <pgeorgi(a)google.com> Gerrit-Reviewer: Patrick Rudolph <patrick.rudolph(a)9elements.com> Gerrit-Reviewer: Patrick Rudolph <siro(a)das-labor.org> Gerrit-Reviewer: Paul Menzel <paulepanter(a)users.sourceforge.net> Gerrit-Reviewer: Philipp Deppenwiese <zaolin.daisuki(a)gmail.com> Gerrit-Reviewer: Piotr Król <piotr.krol(a)3mdeb.com> Gerrit-Reviewer: Stefan Reinauer <stefan.reinauer(a)coreboot.org> Gerrit-Reviewer: Werner Zeh <werner.zeh(a)siemens.com> Gerrit-Reviewer: York Yang <york.yang(a)intel.com> Gerrit-Reviewer: build bot (Jenkins) <no-reply(a)coreboot.org> Gerrit-MessageType: newpatchset

1 0

Change in ...coreboot[master]: soc/intel/cannonlake: Use MEM_CH_SEL to initialize MemorySpdPrts
by Shelley Chen (Code Review) 21 Feb '19

21 Feb '19

Shelley Chen has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/31262 Change subject: soc/intel/cannonlake: Use MEM_CH_SEL to initialize MemorySpdPrts ...................................................................... soc/intel/cannonlake: Use MEM_CH_SEL to initialize MemorySpdPrts MEM_CH_SEL is used to indicate whether we are on a single or dual channel device, where MEM_CH_SEL = 1 for single channel skus and MEM_CH_SEL = 0 for dual channel skus. Initialize MemorySpdPrt pointers based on the value read from MEM_CH_SEL, which is read from GPP_F2. In the first build, we did not use GPP_F2, so we need to add an internal pulldown as those early devices were all dual channel devices. BUG=b:123062346, b:122959294 BRANCH=None TEST=Boot into current boards and ensure that we have 2 channels as expected Also, verify that GPP_F2 is set to 0. Change-Id: Ice22b103664187834e255d1359bfd9b51993b5b6 Signed-off-by: Shelley Chen <shchen(a)google.com> --- M src/soc/intel/cannonlake/cnl_memcfg_init.c 1 file changed, 12 insertions(+), 2 deletions(-) git pull ssh://review.coreboot.org:29418/coreboot refs/changes/62/31262/1 diff --git a/src/soc/intel/cannonlake/cnl_memcfg_init.c b/src/soc/intel/cannonlake/cnl_memcfg_init.c index 4425862..8bd82a6 100644 --- a/src/soc/intel/cannonlake/cnl_memcfg_init.c +++ b/src/soc/intel/cannonlake/cnl_memcfg_init.c @@ -15,7 +15,9 @@ #include <assert.h> #include <console/console.h> #include <fsp/util.h> +#include <gpio.h> #include <soc/cnl_memcfg_init.h> +#include <soc/gpio_soc_defs.h> #include <spd_bin.h> #include <string.h> @@ -55,8 +57,16 @@ mem_cfg->MemorySpdDataLen = spd_data_len; mem_cfg->MemorySpdPtr00 = spd_data_ptr; - /* Use the same spd data for channel 1, Dimm 0 */ - mem_cfg->MemorySpdPtr10 = mem_cfg->MemorySpdPtr00; + /* + * GPP_F2 is the MEM_CH_SEL gpio, which is set to 1 for single + * channel skus and 0 for dual channel skus. + */ + if (gpio_get(GPP_F2) == 1) + mem_cfg->MemorySpdPtr10 = 0; + else { + /* Use the same spd data for channel 1, Dimm 0 */ + mem_cfg->MemorySpdPtr10 = mem_cfg->MemorySpdPtr00; + } } /* -- To view, visit https://review.coreboot.org/c/coreboot/+/31262 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: Ice22b103664187834e255d1359bfd9b51993b5b6 Gerrit-Change-Number: 31262 Gerrit-PatchSet: 1 Gerrit-Owner: Shelley Chen <shchen(a)google.com> Gerrit-MessageType: newchange

4 27

Change in ...coreboot[master]: src/soc/intel/cannonlake: Add PsysPmax setting
by Gaggery Tsai (Code Review) 21 Feb '19

21 Feb '19

Gaggery Tsai has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/31505 Change subject: src/soc/intel/cannonlake: Add PsysPmax setting ...................................................................... src/soc/intel/cannonlake: Add PsysPmax setting This patch feeds PsysPmax setting to FSP through UPD and adds a psys_pmax member in chip information so that we can set PsysPmax through DT. The PsysPmax needs to be set correctly mapping to maximum system power. Otherwise, system performance would be limited due to the default PsysPmax setting in FSP is only 21W. BUG=None BRANCH=None TEST=Set psys_pmax to an exmaple value eg 101 in DT && put debug code in FSP to print the PsysPmax value before sending to Pcode, ensure the setting is correctly programmed. Change-Id: Ia88ea17bc661a388c5b9bc3e59abc27c9f262977 Signed-off-by: Gaggery Tsai <gaggery.tsai(a)intel.com> --- M src/soc/intel/cannonlake/chip.h M src/soc/intel/cannonlake/fsp_params.c 2 files changed, 9 insertions(+), 0 deletions(-) git pull ssh://review.coreboot.org:29418/coreboot refs/changes/05/31505/1 diff --git a/src/soc/intel/cannonlake/chip.h b/src/soc/intel/cannonlake/chip.h index cb9ad38..1f26f1e 100644 --- a/src/soc/intel/cannonlake/chip.h +++ b/src/soc/intel/cannonlake/chip.h @@ -216,6 +216,8 @@ uint32_t tdp_psyspl3_dutycycle; /* PL4 Value in Watts */ uint32_t tdp_pl4; + /* Estimated maximum platform power in Watts */ + uint16_t psys_pmax; /* Intel Speed Shift Technology */ uint8_t speed_shift_enable; diff --git a/src/soc/intel/cannonlake/fsp_params.c b/src/soc/intel/cannonlake/fsp_params.c index c276c86..e7c1358 100644 --- a/src/soc/intel/cannonlake/fsp_params.c +++ b/src/soc/intel/cannonlake/fsp_params.c @@ -88,6 +88,13 @@ mainboard_silicon_init_params(params); + /* Set PsysPmax if it is available from DT */ + if (config->psys_pmax) { + /* PsysPmax is in unit of 1/8 Watt */ + tconfig->PsysPmax = config->psys_pmax * 8; + printk(BIOS_DEBUG, "psys_pmax = %d\n", tconfig->PsysPmax); + } + /* Unlock upper 8 bytes of RTC RAM */ params->PchLockDownRtcMemoryLock = 0; -- To view, visit https://review.coreboot.org/c/coreboot/+/31505 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: Ia88ea17bc661a388c5b9bc3e59abc27c9f262977 Gerrit-Change-Number: 31505 Gerrit-PatchSet: 1 Gerrit-Owner: Gaggery Tsai <gaggery.tsai(a)intel.com> Gerrit-MessageType: newchange

3 7

Change in ...coreboot[master]: soc/intel/cannonlake: SoC specific microcode update check
by Rizwan Qureshi (Code Review) 21 Feb '19

21 Feb '19

Rizwan Qureshi has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/31492 ) Change subject: soc/intel/cannonlake: SoC specific microcode update check ...................................................................... Patch Set 4: Code-Review+2 -- To view, visit https://review.coreboot.org/c/coreboot/+/31492 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: I3311a7413d27044f9c819179e5b0cb9a67b46955 Gerrit-Change-Number: 31492 Gerrit-PatchSet: 4 Gerrit-Owner: Ronak Kanabar <ronak.kanabar(a)intel.com> Gerrit-Reviewer: Aamir Bohra <aamir.bohra(a)intel.com> Gerrit-Reviewer: Furquan Shaikh <furquan(a)google.com> Gerrit-Reviewer: Maulik V Vaghela <maulik.v.vaghela(a)intel.com> Gerrit-Reviewer: Patrick Georgi <pgeorgi(a)google.com> Gerrit-Reviewer: Patrick Rudolph <siro(a)das-labor.org> Gerrit-Reviewer: Rizwan Qureshi <rizwan.qureshi(a)intel.com> Gerrit-Reviewer: Ronak Kanabar <ronak.kanabar(a)intel.com> Gerrit-Reviewer: Subrata Banik <subrata.banik(a)intel.com> Gerrit-Reviewer: build bot (Jenkins) <no-reply(a)coreboot.org> Gerrit-CC: RONAK KANABAR <ronak199323(a)gmail.com> Gerrit-Comment-Date: Thu, 21 Feb 2019 10:07:32 +0000 Gerrit-HasComments: No Gerrit-Has-Labels: Yes Gerrit-MessageType: comment

1 0

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

coreboot-gerrit February 2019