coreboot-gerrit May 2019

coreboot-gerrit@coreboot.org

1 participants
1485 discussions

Change in ...coreboot[master]: security/vboot: Added logic to authenticate firmware using VBOOT libr...
by Amol N Sukerkar (Code Review) 15 Nov '21

15 Nov '21

Amol N Sukerkar has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/32148 Change subject: security/vboot: Added logic to authenticate firmware using VBOOT library version 2.1 ...................................................................... security/vboot: Added logic to authenticate firmware using VBOOT library version 2.1 This feature adds logic to authenticate Coreboot stages using VBOOT libraries version 2.1 Users of this feature will need to enable CONFIG_VBOOT_STAGE_VERIFICATION to enable the corresponding logic in Coreboot to authenticate the VBLOCK version 2.1 and the Coreboot stage hashes. TEST=Create a coreboot.rom image which has keyblock and VBLOCK with VBOOT version 2.1 structures. This is done by enabling CONFIG_VBOOT_STAGE_VERIFICATION. Verify that the image boots to authenticated payload. Change-Id: Ie06d51d180d4c8a872d678d6bd5c67de0efffca2 Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar(a)intel.com> --- M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/vboot_handoff.c M src/security/vboot/vboot_loader.c A src/security/vboot/vboot_logic_ex.c 5 files changed, 475 insertions(+), 3 deletions(-) git pull ssh://review.coreboot.org:29418/coreboot refs/changes/48/32148/1 diff --git a/src/security/vboot/Kconfig b/src/security/vboot/Kconfig index ca25423..e7bd3f9 100644 --- a/src/security/vboot/Kconfig +++ b/src/security/vboot/Kconfig @@ -2,6 +2,7 @@ ## ## Copyright (C) 2014 The ChromiumOS Authors. All rights reserved. ## Copyright (C) 2018 Siemens AG +## Copyright (C) 2019 Intel Corp. All rights reserved. ## ## This program is free software; you can redistribute it and/or modify ## it under the terms of the GNU General Public License as published by @@ -53,6 +54,12 @@ help Have two update partitions beside the RO partition. +config VBOOT_STAGE_VERIFICATION + bool "Verify stages with vboot 2.1" + default n + help + Enables vboot verification for each stage + config VBOOT_VBNV_CMOS bool default n @@ -323,18 +330,52 @@ config VBOOT_ROOT_KEY string "Root key (public)" default "$(VBOOT_SOURCE)/tests/devkeys/root_key.vbpubk" + depends on !VBOOT_STAGE_VERIFICATION config VBOOT_RECOVERY_KEY string "Recovery key (public)" default "$(VBOOT_SOURCE)/tests/devkeys/recovery_key.vbpubk" + depends on !VBOOT_STAGE_VERIFICATION config VBOOT_FIRMWARE_PRIVKEY string "Firmware key (private)" default "$(VBOOT_SOURCE)/tests/devkeys/firmware_data_key.vbprivk" + depends on !VBOOT_STAGE_VERIFICATION config VBOOT_KERNEL_KEY string "Kernel subkey (public)" default "$(VBOOT_SOURCE)/tests/devkeys/kernel_subkey.vbpubk" + depends on !VBOOT_STAGE_VERIFICATION + +config VBOOT_2_1_ROOT_KEY + string "Root Key version 2.1 (public)" + default "$(VBOOT_SOURCE)/tests/devkeys/root_key.vbpubk2" + depends on VBOOT_STAGE_VERIFICATION + +config VBOOT_2_1_PRIVATE_KEY + string "Root Key version 2.1 (private)" + default "$(VBOOT_SOURCE)/tests/devkeys/root_key.vbprik2" + depends on VBOOT_STAGE_VERIFICATION + +config VBOOT_2_1_FW_PRE_PUBLIC_KEY + string "FW Preamble Key version 2.1 (public)" + default "$(VBOOT_SOURCE)/tests/devkeys/fw_pre.vbpubk2" + depends on VBOOT_STAGE_VERIFICATION + +config VBOOT_2_1_FW_PRE_PRIVATE_KEY + string "FW PREAMBLE Key version 2.1 (private)" + default "$(VBOOT_SOURCE)/tests/devkeys/fw_pre.vbprik2" + depends on VBOOT_STAGE_VERIFICATION + +config VBOOT_2_1_RAMSTAGE_HASH_KEY + string "Coreboot RAMStage Stage Hashing Key(private)" + default "$(VBOOT_SOURCE)/tests/devkeys/rhash.vbprik2" + depends on VBOOT_STAGE_VERIFICATION + +config VBOOT_2_1_PAYLOAD_HASH_KEY + string "Coreboot PAYLOAD Stage Hashing Key(private)" + default "$(VBOOT_SOURCE)/tests/devkeys/phash.vbprik2" + depends on VBOOT_STAGE_VERIFICATION config VBOOT_KEYBLOCK string "Keyblock to use for the RW regions" diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc index 6d2096d..a65b066 100644 --- a/src/security/vboot/Makefile.inc +++ b/src/security/vboot/Makefile.inc @@ -3,6 +3,7 @@ ## ## Copyright (C) 2014 The ChromiumOS Authors. All rights reserved. ## Copyright (C) 2018 Siemens AG +## Copyright (C) 2019 Intel Corp. All rights reserved. ## ## This program is free software; you can redistribute it and/or modify ## it under the terms of the GNU General Public License as published by @@ -35,16 +36,27 @@ bootblock-y += vbnv.c verstage-y += vbnv.c romstage-y += vbnv.c +postcar-$(CONFIG_VBOOT_STAGE_VERIFICATION) += vbnv.c ramstage-y += vbnv.c bootblock-$(CONFIG_VBOOT_VBNV_CMOS) += vbnv_cmos.c verstage-$(CONFIG_VBOOT_VBNV_CMOS) += vbnv_cmos.c romstage-$(CONFIG_VBOOT_VBNV_CMOS) += vbnv_cmos.c + +ifeq ($(CONFIG_VBOOT_STAGE_VERIFICATION),y) +postcar-$(CONFIG_VBOOT_VBNV_CMOS) += vbnv_cmos.c +endif + ramstage-$(CONFIG_VBOOT_VBNV_CMOS) += vbnv_cmos.c bootblock-$(CONFIG_VBOOT_VBNV_CMOS_BACKUP_TO_FLASH) += vbnv_flash.c verstage-$(CONFIG_VBOOT_VBNV_CMOS_BACKUP_TO_FLASH) += vbnv_flash.c romstage-$(CONFIG_VBOOT_VBNV_CMOS_BACKUP_TO_FLASH) += vbnv_flash.c + +ifeq ($(CONFIG_VBOOT_STAGE_VERIFICATION),y) +postcar-$(CONFIG_VBOOT_VBNV_CMOS_BACKUP_TO_FLASH) += vbnv_flash.c +endif + ramstage-$(CONFIG_VBOOT_VBNV_CMOS_BACKUP_TO_FLASH) += vbnv_flash.c bootblock-$(CONFIG_VBOOT_VBNV_EC) += vbnv_ec.c @@ -77,12 +89,26 @@ endif bootblock-y += common.c + +ifeq ($(CONFIG_VBOOT_STAGE_VERIFICATION),y) +verstage-y += vboot_logic_ex.c +else verstage-y += vboot_logic.c +endif +postcar-$(CONFIG_VBOOT_STAGE_VERIFICATION) += vboot_logic_ex.c +ramstage-$(CONFIG_VBOOT_STAGE_VERIFICATION) += vboot_logic_ex.c + verstage-y += common.c verstage-$(CONFIG_VBOOT_SEPARATE_VERSTAGE) += verstage.c ifeq (${CONFIG_VBOOT_MOCK_SECDATA},y) verstage-y += secdata_mock.c romstage-$(CONFIG_VBOOT_SEPARATE_VERSTAGE) += secdata_mock.c + +ifeq ($(CONFIG_VBOOT_STAGE_VERIFICATION),y) +postcar-$(CONFIG_VBOOT_SEPARATE_VERSTAGE) += secdata_mock.c +ramstage-$(CONFIG_VBOOT_SEPARATE_VERSTAGE) += secdata_mock.c +endif + else verstage-y += secdata_tpm.c romstage-$(CONFIG_VBOOT_SEPARATE_VERSTAGE) += secdata_tpm.c @@ -101,7 +127,11 @@ # call with $1 = stage name to create rules for building the library # for the stage and adding it to the stage's set of object files. define vboot-for-stage +ifeq ($(CONFIG_VBOOT_STAGE_VERIFICATION),y) +VB2_LIB_$(1) = $(obj)/external/vboot_reference-$(1)/vboot_fw21.a +else VB2_LIB_$(1) = $(obj)/external/vboot_reference-$(1)/vboot_fw20.a +endif VBOOT_CFLAGS_$(1) += $$(call vboot-fixup-includes,$$(CPPFLAGS_$(1))) VBOOT_CFLAGS_$(1) += $$(CFLAGS_$(1)) VBOOT_CFLAGS_$(1) += $$(call vboot-fixup-includes,$$($(1)-c-ccopts)) @@ -116,7 +146,8 @@ $(MAKE) -C $(VBOOT_SOURCE) \ BUILD=$$(abspath $$(dir $$(VB2_LIB_$(1)))) \ V=$(V) \ - fwlib20 + $(if $(filter y,$(CONFIG_VBOOT_STAGE_VERIFICATION)), \ + fwlib21, fwlib20) $(1)-srcs += $$(VB2_LIB_$(1)) @@ -129,6 +160,11 @@ $(eval $(call vboot-for-stage,ramstage)) $(eval $(call vboot-for-stage,postcar)) +ifeq ($(CONFIG_VBOOT_STAGE_VERIFICATION),y) +postcar-srcs += $(VB2_LIB) +ramstage-srcs += $(VB2_LIB) +endif + ifeq ($(CONFIG_VBOOT_SEPARATE_VERSTAGE),y) $(eval $(call vboot-for-stage,verstage)) @@ -236,12 +272,21 @@ $(obj)/gbb.region: $(obj)/gbb.stub @printf " SETUP GBB\n" cp $< $@.tmp +ifeq ($(CONFIG_VBOOT_STAGE_VERIFICATION), y) + $(FUTILITY) gbb_utility -s \ + --hwid="$(CONFIG_GBB_HWID)" \ + --rootkey="$(CONFIG_VBOOT_2_1_ROOT_KEY)" \ + --flags=$(GBB_FLAGS) \ + $@.tmp +else $(FUTILITY) gbb_utility -s \ --hwid="$(CONFIG_GBB_HWID)" \ --rootkey="$(CONFIG_VBOOT_ROOT_KEY)" \ --recoverykey="$(CONFIG_VBOOT_RECOVERY_KEY)" \ --flags=$(GBB_FLAGS) \ $@.tmp +endif # CONFIG_VBOOT_STAGE_VERIFICATION + ifneq ($(CONFIG_GBB_BMPFV_FILE),) $(FUTILITY) gbb_utility -s \ --bmpfv="$(CONFIG_GBB_BMPFV_FILE)" \ @@ -288,6 +333,47 @@ mv $@.tmp2 $@ rm -f $@.tmp $@.tmp.size +ifeq ($(CONFIG_VBOOT_STAGE_VERIFICATION), y) +# Extract RAMStage and PAYLOAD and hash them +# Since we are booting from FW_MAIN_A, RAMStage and payload are +# extracted from FW_MAIN_A. +$(obj)/ramstage.hash: $(obj)/coreboot.rom + @printf " CREATE RAMSTAGE HASH\n" + $(CBFSTOOL) $< print -r FW_MAIN_A > $<.tmp + python $(VBOOT_SOURCE)/compute_hash.py -i $<.tmp -o $@.tmp -c $< -f ramstage + $(FUTILITY) --vb21 sign \ + --type rwsig \ + --prikey "$(CONFIG_VBOOT_2_1_RAMSTAGE_HASH_KEY)" \ + $@.tmp $@ + rm -f $<.tmp $@.tmp + +$(obj)/payload.hash: $(obj)/coreboot.rom + @printf " CREATE PAYLOAD HASH\n" + $(CBFSTOOL) $< print -r FW_MAIN_A > $<.tmp + python $(VBOOT_SOURCE)/compute_hash.py -i $<.tmp -o $@.tmp -c $< -f payload + $(FUTILITY) --vb21 sign \ + --type rwsig \ + --prikey "$(CONFIG_VBOOT_2_1_PAYLOAD_HASH_KEY)" \ + $@.tmp $@ + rm -f $<.tmp $@.tmp + +$(obj)/firmware.kb21: $(FUTILITY) + $(FUTILITY) vbutil_keyblock \ + --pack21 $@ \ + --signprivate "$(CONFIG_VBOOT_2_1_PRIVATE_KEY)" \ + --datapubkey "$(CONFIG_VBOOT_2_1_FW_PRE_PUBLIC_KEY)" \ + --flags $(CONFIG_VBOOT_KEYBLOCK_PREAMBLE_FLAGS) + +$(obj)/VBLOCK_%.bin: $(obj)/FW_MAIN_%.bin $(FUTILITY) \ + $(obj)/ramstage.hash $(obj)/payload.hash $(obj)/firmware.kb21 + $(FUTILITY) vbutil_firmware \ + --vblock21 $@ \ + --keyblock "$(top)/$(obj)/firmware.kb21" \ + --signprepriv "$(CONFIG_VBOOT_2_1_FW_PRE_PRIVATE_KEY)" \ + --hashdir "$(top)/$(obj)" \ + --version $(CONFIG_VBOOT_KEYBLOCK_VERSION) \ + --flags $(CONFIG_VBOOT_KEYBLOCK_PREAMBLE_FLAGS) +else $(obj)/VBLOCK_%.bin: $(obj)/FW_MAIN_%.bin $(FUTILITY) $(FUTILITY) vbutil_firmware \ --vblock $@ \ @@ -297,6 +383,7 @@ --fv $< \ --kernelkey "$(CONFIG_VBOOT_KERNEL_KEY)" \ --flags $(CONFIG_VBOOT_KEYBLOCK_PREAMBLE_FLAGS) +endif # CONFIG_VBOOT_STAGE_VERIFICATION ifeq ($(CONFIG_VBOOT_SLOTS_RW_AB),y) files_added:: $(obj)/VBLOCK_A.bin $(obj)/VBLOCK_B.bin @@ -314,3 +401,4 @@ endif endif # CONFIG_VBOOT + diff --git a/src/security/vboot/vboot_handoff.c b/src/security/vboot/vboot_handoff.c index 1f6d4ee..c8980b6 100644 --- a/src/security/vboot/vboot_handoff.c +++ b/src/security/vboot/vboot_handoff.c @@ -2,6 +2,7 @@ * This file is part of the coreboot project. * * Copyright (C) 2013 Google, Inc. + * Copyright (C) 2019 Intel Corp. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -170,10 +171,12 @@ * Therefore, the vboot results would not be initialized so don't * automatically add results when cbmem comes online. */ -#if !CONFIG(VBOOT_STARTS_IN_ROMSTAGE) +#if !IS_ENABLED(CONFIG_VBOOT_STARTS_IN_ROMSTAGE) && \ + !IS_ENABLED(CONFIG_VBOOT_STAGE_VERIFICATION) static void vb2_fill_handoff_cbmem(int unused) { vboot_fill_handoff(); } ROMSTAGE_CBMEM_INIT_HOOK(vb2_fill_handoff_cbmem) #endif + diff --git a/src/security/vboot/vboot_loader.c b/src/security/vboot/vboot_loader.c index 0640ebd..e09a314 100644 --- a/src/security/vboot/vboot_loader.c +++ b/src/security/vboot/vboot_loader.c @@ -2,6 +2,7 @@ * This file is part of the coreboot project. * * Copyright 2015 Google, Inc. + * Copyright 2019 Intel Corp. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -60,6 +61,16 @@ return 0; } +/* This is the helper function that decides when the stage verification + * code should be called. */ +static int stage_verification_should_run(void) +{ + if (IS_ENABLED(CONFIG_VBOOT_STAGE_VERIFICATION)) + return ENV_POSTCAR | ENV_RAMSTAGE; + + return 0; +} + static int vboot_executed CAR_GLOBAL; int vboot_logic_executed(void) @@ -86,9 +97,11 @@ static void vboot_prepare(void) { - if (verification_should_run()) { + if (verification_should_run() || + stage_verification_should_run()) { /* Note: this path is not used for VBOOT_RETURN_FROM_VERSTAGE */ verstage_main(); + car_set_var(vboot_executed, 1); vboot_save_recovery_reason_vbnv(); } else if (verstage_should_load()) { @@ -154,3 +167,4 @@ .prepare = vboot_prepare, .locate = vboot_locate, }; + diff --git a/src/security/vboot/vboot_logic_ex.c b/src/security/vboot/vboot_logic_ex.c new file mode 100644 index 0000000..7a735a9 --- /dev/null +++ b/src/security/vboot/vboot_logic_ex.c @@ -0,0 +1,326 @@ +/* + * This file is part of the coreboot project. + * + * Copyright 2019 Intel Corp. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 2 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + */ + +#include <security/tpm/antirollback.h> +#include <arch/exception.h> +#include <assert.h> +#include <bootmode.h> +#include <console/console.h> +#include <console/vtxprintf.h> +#include <delay.h> +#include <string.h> +#include <timestamp.h> +#include <vb2_api.h> +#include <security/vboot/misc.h> +#include <security/vboot/vbnv.h> + +#include <cbfs.h> +#include <cbmem.h> +#include <rmodule.h> + +/* For individual stage verification design, only + * RW Region A is relevant. So, force CBFS to bot + * from RW Region A */ +static void reset_fw_slot(struct vb2_context *ctx) +{ + ctx->flags &= ~VB2_CONTEXT_FW_SLOT_B; +} + +/* Decide which RW region we are booting from */ +static int is_slot_a(struct vb2_context *ctx) +{ + return !(ctx->flags & VB2_CONTEXT_FW_SLOT_B); +} + +/* exports */ + +void vb2ex_printf (const char *func, const char *fmt, ...) +{ + va_list args; + + if (func) + printk(BIOS_INFO, "VB2:%s() ", func); + + va_start(args, fmt); + vprintk(BIOS_INFO, fmt, args); + va_end(args); + + return; +} + +int vb2ex_tpm_clear_owner(struct vb2_context *ctx) +{ + uint32_t rv; + printk(BIOS_INFO, "Clearing TPM owner\n"); + rv = tpm_clear_and_reenable(); + if (rv) + return VB2_ERROR_EX_TPM_CLEAR_OWNER; + return VB2_SUCCESS; +} + +int vb2ex_read_resource(struct vb2_context *ctx, + enum vb2_resource_index index, + uint32_t offset, + void *buf, + uint32_t size) +{ + struct region_device rdev; + const char *name; + + switch (index) { + case VB2_RES_GBB: + name = "GBB"; + break; + case VB2_RES_FW_VBLOCK: + if (is_slot_a(ctx)) + name = "VBLOCK_A"; + else + name = "VBLOCK_B"; + break; + default: + return VB2_ERROR_EX_READ_RESOURCE_INDEX; + } + + if (vboot_named_region_device(name, &rdev)) + return VB2_ERROR_EX_READ_RESOURCE_SIZE; + + if (rdev_readat(&rdev, buf, offset, size) != size) + return VB2_ERROR_EX_READ_RESOURCE_SIZE; + + return VB2_SUCCESS; +} + +/* No-op stubs that can be overridden by SoCs with hardware crypto support. */ +__attribute__((weak)) +int vb2ex_hwcrypto_digest_init(enum vb2_hash_algorithm hash_alg, + uint32_t data_size) +{ + return VB2_ERROR_EX_HWCRYPTO_UNSUPPORTED; +} + +__attribute__((weak)) +int vb2ex_hwcrypto_digest_extend(const uint8_t *buf, uint32_t size) +{ + BUG(); /* Should never get called if init() returned an error. */ + return VB2_ERROR_UNKNOWN; +} + +__attribute__((weak)) +int vb2ex_hwcrypto_digest_finalize(uint8_t *digest, uint32_t digest_size) +{ + BUG(); /* Should never get called if init() returned an error. */ + return VB2_ERROR_UNKNOWN; +} + +static int locate_firmware(struct vb2_context *ctx, + struct region_device *fw_main) +{ + const char *name = "FW_MAIN_A"; + + if (is_slot_a(ctx)) + name = "FW_MAIN_A"; + else + name = "FW_MAIN_B"; + + return vboot_named_region_device(name, fw_main); +} + +/** + * Save non-volatile and/or secure data if needed. + */ +static void save_if_needed(struct vb2_context *ctx) +{ + if (ctx->flags & VB2_CONTEXT_NVDATA_CHANGED) { + printk(BIOS_INFO, "Saving nvdata\n"); + save_vbnv(ctx->nvdata); + ctx->flags &= ~VB2_CONTEXT_NVDATA_CHANGED; + } + if (ctx->flags & VB2_CONTEXT_SECDATA_CHANGED) { + printk(BIOS_INFO, "Saving secdata\n"); + antirollback_write_space_firmware(ctx); + ctx->flags &= ~VB2_CONTEXT_SECDATA_CHANGED; + } +} + +/* VB2 context initialization helper function */ +static void init_ctx(struct vb2_context *ctx) +{ + int rv; + + /* Set up context and work buffer */ + vboot_init_work_context(ctx); + + /* Initialize and read nvdata from non-volatile storage. */ + vbnv_init(ctx->nvdata); + + /* This function is required as it reads secdata (use mock secdat) + * If secdata is not valid, call to vb2api_fw_phase1 will fail. So, + * even if this is not required in the current context, call it. */ + antirollback_read_space_firmware(ctx); + + /* Do early init (set up secdata and NVRAM, load GBB) */ + printk(BIOS_INFO, "Phase 1\n"); + rv = vb2api_fw_phase1(ctx); + if (rv) { + printk(BIOS_INFO, "Reboot requested (%x)\n", rv); + save_if_needed(ctx); + vboot_reboot(); + } + + /* Determine which firmware slot to boot (based on NVRAM) */ + printk(BIOS_INFO, "Phase 2\n"); + rv = vb2api_fw_phase2(ctx); + reset_fw_slot(ctx); + if (rv) { + printk(BIOS_INFO, "Reboot requested (%x)\n", rv); + save_if_needed(ctx); + vboot_reboot(); + } +} + +/* hash verification helper function */ +static int verify_hash(struct vb2_context *ctx, void *map, + const struct vb2_id *id) +{ + int rv; + uint32_t size = 0; + + printk(BIOS_INFO, "Phase 4\n"); + + /* init hash */ + rv = vb21api_init_hash(ctx, id, &size); + if (rv) + return rv; + + /* extend hash over the body */ + rv = vb2api_extend_hash(ctx,(uint8_t *)map, size); + if (rv) + return rv; + + /* check hash */ + rv = vb21api_check_hash(ctx); + if (rv) + return rv; + + return rv; +} + +/* initialize the VB2 context in VERStage, so + * we know which RW partition to boot the rest + * of the stages from */ +static void init_ctx_verstage(void) +{ + struct vb2_context ctx; + struct region_device fw_main; + int rv; + + init_ctx(&ctx); + + rv = locate_firmware(&ctx, &fw_main); + if (rv) + die("Failed to read FMAP to locate firmware"); + + printk(BIOS_INFO, "Slot %c is selected\n", is_slot_a(&ctx) ? 'A' : 'B'); + + vboot_set_selected_region(region_device_region(&fw_main)); +} + +/* Veify the stage to be executed */ +static void verify_stage(void) +{ + struct vb2_context ctx; + struct region_device fw_main; + int rv; + const struct region_device *fh = NULL; + size_t fsize = 0; + void *map = NULL; + struct cbfsf file; + const struct vb2_id* id; + + /* For each stage to be verified, extract map and + * hashing algo */ + if (ENV_POSTCAR) { + printk(BIOS_INFO, "Verify ramstage\n"); + id = vb2_hash_id(VB2_HASH_SHA256); + struct prog stage = PROG_INIT(PROG_RAMSTAGE, + CONFIG_CBFS_PREFIX "/ramstage"); + + /* load stage */ + if (cbfs_boot_locate(&file, prog_name(&stage), NULL)) + die("failed to load stage"); + + cbfs_file_data(prog_rdev(&stage), &file); + fh = &stage.rdev; + + fsize = region_device_sz(fh); + map = rdev_mmap(fh, 0, fsize); + if (!map) printk(BIOS_INFO, "ERROR: Mapping failed\n"); + } else if (ENV_RAMSTAGE) { + printk(BIOS_INFO, "Verify payload\n"); + id = vb2_hash_id(VB2_HASH_SHA512); + struct prog stage = PROG_INIT(PROG_PAYLOAD, + CONFIG_CBFS_PREFIX "/payload"); + + /* load stage */ + if (cbfs_boot_locate(&file, prog_name(&stage), NULL)) + die("failed to load stage"); + + cbfs_file_data(prog_rdev(&stage), &file); + fh = &stage.rdev; + + fsize = region_device_sz(fh); + map = rdev_mmap(fh, 0, fsize); + if (!map) printk(BIOS_INFO, "ERROR: Mapping failed\n"); + } else + die("Impossible"); + + //get_stage_attr(&map, &id); + /* initialize the vb context and read the NV data */ + init_ctx(&ctx); + + rv = locate_firmware(&ctx, &fw_main); + if (rv) + die("Failed to read FMAP to locate firmware"); + + /* Try the slot (verify its keyblock and preamble) */ + printk(BIOS_INFO, "Phase 3\n"); + rv = vb21api_fw_phase3(&ctx); + if (rv) { + printk(BIOS_INFO, "Reboot requested (%x)\n", rv); + save_if_needed(&ctx); + vboot_reboot(); + } + + /* verify the hash */ + rv = verify_hash(&ctx, map, id); + if (rv) { + printk(BIOS_ERR, "ERROR:0x%x ", rv); + die("Stage Verification Failed"); + } + + rdev_munmap(fh, map); + + printk(BIOS_INFO, "stage verified successfully, proceed...\n"); +} + +/* Main Entry Point for Stage Verification */ +void verstage_main(void) +{ + if (ENV_VERSTAGE) + init_ctx_verstage(); + else if (ENV_POSTCAR || ENV_RAMSTAGE) + verify_stage(); +} + -- To view, visit https://review.coreboot.org/c/coreboot/+/32148 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: Ie06d51d180d4c8a872d678d6bd5c67de0efffca2 Gerrit-Change-Number: 32148 Gerrit-PatchSet: 1 Gerrit-Owner: Amol N Sukerkar <amol.n.sukerkar(a)intel.com> Gerrit-MessageType: newchange

3 3

Change in ...coreboot[master]: src/lib: Disable display init skip when VBOOT Stage Verification is e...
by Amol N Sukerkar (Code Review) 15 Nov '21

15 Nov '21

Amol N Sukerkar has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/32149 Change subject: src/lib: Disable display init skip when VBOOT Stage Verification is enabled ...................................................................... src/lib: Disable display init skip when VBOOT Stage Verification is enabled When VBOOT is enabled, by default it native display init is skipped and custom display init mechanism is utilized. VBOOT Stage Verification utilizes native display init. This change implements that feature. TEST=Create a coreboot.rom image by enabling CONFIG_VBOOT and CONFIG_VBOOT_STAGE_VERIFICATION. Verify that the image boots to authenticated payload and graphics is displayed via HDMI and Display Port. Change-Id: I65a96ec74f7b494d0c16814d84067e004ceebe70 Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar(a)intel.com> --- M src/lib/bootmode.c 1 file changed, 7 insertions(+), 2 deletions(-) git pull ssh://review.coreboot.org:29418/coreboot refs/changes/49/32149/1 diff --git a/src/lib/bootmode.c b/src/lib/bootmode.c index e402536..2cf9bd0 100644 --- a/src/lib/bootmode.c +++ b/src/lib/bootmode.c @@ -2,6 +2,7 @@ * This file is part of the coreboot project. * * Copyright (C) 2011 The ChromiumOS Authors. All rights reserved. + * Copyright (C) 2019 Intel Corporation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -34,8 +35,12 @@ int display_init_required(void) { - /* For Chrome OS always honor vboot_handoff_skip_display_init(). */ - if (CONFIG(CHROMEOS)) + /* For Chrome OS always honor vboot_handoff_skip_display_init(). + * A special case is when CONFIG_VBOOT_STAGE_VERIFICATION is + * enabled. In that case, vboot_handoff_skip_display_init() + * is overridden native display init mechanism. */ + if (IS_ENABLED(CONFIG_CHROMEOS) && + !IS_ENABLED(CONFIG_VBOOT_STAGE_VERIFICATION)) return !vboot_handoff_skip_display_init(); /* By default always initialize display. */ -- To view, visit https://review.coreboot.org/c/coreboot/+/32149 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: I65a96ec74f7b494d0c16814d84067e004ceebe70 Gerrit-Change-Number: 32149 Gerrit-PatchSet: 1 Gerrit-Owner: Amol N Sukerkar <amol.n.sukerkar(a)intel.com> Gerrit-MessageType: newchange

2 1

Change in ...coreboot[master]: src/include/cbfs.h: Added prototype for function to verify a stage af...
by Amol N Sukerkar (Code Review) 15 Nov '21

15 Nov '21

Amol N Sukerkar has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/32150 Change subject: src/include/cbfs.h: Added prototype for function to verify a stage after it has been loaded into DRAM ...................................................................... src/include/cbfs.h: Added prototype for function to verify a stage after it has been loaded into DRAM This support enables a user to implement a stage verification mechanism AFTER the stage has been loaded into DRAM. This feature is currently used by VBOOT_STAGE_VERIFICATION TEST=Create a coreboot.rom image which has keyblock and VBLOCK with VBOOT version 2.1 structures. This is done by enabling CONFIG_VBOOT_STAGE_VERIFICATION. Verify that the image boots to authenticated payload. Change-Id: I8702f00186db568316e04ffb87fd1439a27bdb6e Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar(a)intel.com> --- M src/include/cbfs.h 1 file changed, 6 insertions(+), 0 deletions(-) git pull ssh://review.coreboot.org:29418/coreboot refs/changes/50/32150/1 diff --git a/src/include/cbfs.h b/src/include/cbfs.h index 85e25b3..d24fe58 100644 --- a/src/include/cbfs.h +++ b/src/include/cbfs.h @@ -2,6 +2,7 @@ * This file is part of the coreboot project. * * Copyright 2015 Google Inc. + * Copyright 2019 Intel Corp. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -90,4 +91,9 @@ int (*locate)(struct cbfs_props *props); }; +/* This function can be used to implement any secure boot mechanism to + * verify the stage AFTER it is loaded into DRAM */ +void verify_stage_if_required(const struct region_device *rdev); + #endif + -- To view, visit https://review.coreboot.org/c/coreboot/+/32150 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: I8702f00186db568316e04ffb87fd1439a27bdb6e Gerrit-Change-Number: 32150 Gerrit-PatchSet: 1 Gerrit-Owner: Amol N Sukerkar <amol.n.sukerkar(a)intel.com> Gerrit-MessageType: newchange

2 1

Change in ...coreboot[master]: src/lib: Implemented function calls to verify a stage after it has be...
by Amol N Sukerkar (Code Review) 15 Nov '21

15 Nov '21

Amol N Sukerkar has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/32151 Change subject: src/lib: Implemented function calls to verify a stage after it has been loaded into DRAM ...................................................................... src/lib: Implemented function calls to verify a stage after it has been loaded into DRAM This support enables a user to implement a stage verification mechanism AFTER the stage has been loaded into DRAM. This feature is currently used by VBOOT_STAGE_VERIFICATION TEST=Create a coreboot.rom image which has keyblock and VBLOCK with VBOOT version 2.1 structures. This is done by enabling CONFIG_VBOOT_STAGE_VERIFICATION. Verify that the image boots to authenticated payload. Change-Id: I649f511bc5375448dd7625b57a680135395d1062 Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar(a)intel.com> --- M src/lib/Kconfig M src/lib/cbfs.c M src/lib/selfboot.c 3 files changed, 59 insertions(+), 0 deletions(-) git pull ssh://review.coreboot.org:29418/coreboot refs/changes/51/32151/1 diff --git a/src/lib/Kconfig b/src/lib/Kconfig index 2f10c1c..8111f8d 100644 --- a/src/lib/Kconfig +++ b/src/lib/Kconfig @@ -30,6 +30,13 @@ Selected by features that require to parse and manipulate a flattened devicetree in ramstage. +config VERIFY_ONLY_PAYLOAD_IN_RAMSTAGE + bool "Verify only payload in ramstage" + default n + help + Selected by features that require verified boot but when only payload + is verified in ramstage. + if RAMSTAGE_LIBHWBASE config HWBASE_DYNAMIC_MMIO diff --git a/src/lib/cbfs.c b/src/lib/cbfs.c index 728674f..9da0fae 100644 --- a/src/lib/cbfs.c +++ b/src/lib/cbfs.c @@ -3,6 +3,7 @@ * * Copyright (C) 2011 secunet Security Networks AG * Copyright 2015 Google Inc. + * Copyright 2019 Intel Corp. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -36,6 +37,28 @@ #define DEBUG(x...) #endif +/* This is marked as weak so some verification mechanism can + * use it to verify after loading into DRAM. Primarily + * overriden by VBOOT mechanism. + */ +void __weak verify_stage_if_required(const struct region_device *rdev) +{ + /* no op */ +} + +/* This function checks if a certain stage/binary meets the criteria + * to be verified AFTER it is loaded into DRAM + */ +static int cbfs_verification_meets_criteria(void) +{ + /* if this is true, it means we are verifying nothing here + * that is loaded in RAMSTAGE */ + if (IS_ENABLED(CONFIG_VERIFY_ONLY_PAYLOAD_IN_RAMSTAGE)) + return !ENV_RAMSTAGE; + else + return 0; +} + int cbfs_boot_locate(struct cbfsf *fh, const char *name, uint32_t *type) { struct region_device rdev; @@ -109,6 +132,11 @@ return 0; if (rdev_readat(rdev, buffer, offset, in_size) != in_size) return 0; + + /* If the stage/binary loaded in DRAM requires verification + * proceed if it meets the required criteria */ + if (cbfs_verification_meets_criteria()) + verify_stage_if_required(rdev); return in_size; case CBFS_COMPRESS_LZ4: @@ -127,6 +155,12 @@ timestamp_add_now(TS_START_ULZ4F); out_size = ulz4fn(compr_start, in_size, buffer, buffer_size); timestamp_add_now(TS_END_ULZ4F); + + /* If the stage/binary loaded in DRAM requires verification + * proceed if it meets the required criteria */ + if (cbfs_verification_meets_criteria()) + verify_stage_if_required(rdev); + return out_size; case CBFS_COMPRESS_LZMA: @@ -149,6 +183,11 @@ rdev_munmap(rdev, map); + /* If the stage/binary loaded in DRAM requires verification + * proceed if it meets the required criteria */ + if (cbfs_verification_meets_criteria()) + verify_stage_if_required(rdev); + return out_size; default: diff --git a/src/lib/selfboot.c b/src/lib/selfboot.c index 9aa4741..3d438e8 100644 --- a/src/lib/selfboot.c +++ b/src/lib/selfboot.c @@ -4,6 +4,7 @@ * Copyright (C) 2003 Eric W. Biederman <ebiederm(a)xmission.com> * Copyright (C) 2009 Ron Minnich <rminnich(a)gmail.com> * Copyright (C) 2016 George Trudeau <george.trudeau(a)usherbrooke.ca> + * Copyright (C) 2019 Intel Corp. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -32,6 +33,15 @@ /* The type syntax for C is essentially unparsable. -- Rob Pike */ typedef int (*checker_t)(struct cbfs_payload_segment *cbfssegs, void *args); +/* This is marked as weak so some verification mechanism can + * use it to verify after loading into DRAM. Primarily + * overriden by VBOOT mechanism. + */ +void __weak verify_stage_if_required(const struct region_device *rdev) +{ + /* no op */ +} + /* Decode a serialized cbfs payload segment * from memory into native endianness. */ @@ -269,6 +279,9 @@ rdev_munmap(prog_rdev(payload), data); + /* verify payload using a secure boot mechanism if required */ + verify_stage_if_required(prog_rdev(payload)); + /* Pass cbtables to payload if architecture desires it. */ prog_set_entry(payload, (void *)entry, cbmem_find(CBMEM_ID_CBTABLE)); -- To view, visit https://review.coreboot.org/c/coreboot/+/32151 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: I649f511bc5375448dd7625b57a680135395d1062 Gerrit-Change-Number: 32151 Gerrit-PatchSet: 1 Gerrit-Owner: Amol N Sukerkar <amol.n.sukerkar(a)intel.com> Gerrit-MessageType: newchange

3 2

Change in ...coreboot[master]: src/security/vboot: Changed the logic to verify a stage after it has ...
by Amol N Sukerkar (Code Review) 15 Nov '21

15 Nov '21

Amol N Sukerkar has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/32152 Change subject: src/security/vboot: Changed the logic to verify a stage after it has been loaded into DRAM ...................................................................... src/security/vboot: Changed the logic to verify a stage after it has been loaded into DRAM This feature enables VBOOT_STAGE_VERIFICATION logic to make use of function prototype made available by Coreboot to verify a stage after it has been loaded into DRAM TEST=Create a coreboot.rom image which has keyblock and VBLOCK with VBOOT version 2.1 structures. This is done by enabling CONFIG_VBOOT_STAGE_VERIFICATION. Verify that the image boots to authenticated payload. Change-Id: I0381299f97d0b59969e2d6c6b4df4e4cc3e39f69 Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar(a)intel.com> --- M src/security/vboot/vboot_loader.c M src/security/vboot/vboot_logic_ex.c 2 files changed, 25 insertions(+), 55 deletions(-) git pull ssh://review.coreboot.org:29418/coreboot refs/changes/52/32152/1 diff --git a/src/security/vboot/vboot_loader.c b/src/security/vboot/vboot_loader.c index e09a314..b71178e 100644 --- a/src/security/vboot/vboot_loader.c +++ b/src/security/vboot/vboot_loader.c @@ -61,16 +61,6 @@ return 0; } -/* This is the helper function that decides when the stage verification - * code should be called. */ -static int stage_verification_should_run(void) -{ - if (IS_ENABLED(CONFIG_VBOOT_STAGE_VERIFICATION)) - return ENV_POSTCAR | ENV_RAMSTAGE; - - return 0; -} - static int vboot_executed CAR_GLOBAL; int vboot_logic_executed(void) @@ -97,11 +87,9 @@ static void vboot_prepare(void) { - if (verification_should_run() || - stage_verification_should_run()) { + if (verification_should_run()) { /* Note: this path is not used for VBOOT_RETURN_FROM_VERSTAGE */ verstage_main(); - car_set_var(vboot_executed, 1); vboot_save_recovery_reason_vbnv(); } else if (verstage_should_load()) { diff --git a/src/security/vboot/vboot_logic_ex.c b/src/security/vboot/vboot_logic_ex.c index 7a735a9..1b526c7 100644 --- a/src/security/vboot/vboot_logic_ex.c +++ b/src/security/vboot/vboot_logic_ex.c @@ -238,55 +238,28 @@ } /* Veify the stage to be executed */ -static void verify_stage(void) +static void verify_stage(const struct region_device *rdev) { struct vb2_context ctx; struct region_device fw_main; int rv; - const struct region_device *fh = NULL; size_t fsize = 0; void *map = NULL; - struct cbfsf file; const struct vb2_id* id; - /* For each stage to be verified, extract map and - * hashing algo */ - if (ENV_POSTCAR) { - printk(BIOS_INFO, "Verify ramstage\n"); + /* get region memory map */ + fsize = region_device_sz(rdev); + map = rdev_mmap(rdev, 0, fsize); + if (!map) die("ERROR: Stage Mapping failed"); + + /* get the hash id */ + if (ENV_POSTCAR) id = vb2_hash_id(VB2_HASH_SHA256); - struct prog stage = PROG_INIT(PROG_RAMSTAGE, - CONFIG_CBFS_PREFIX "/ramstage"); + else if (ENV_RAMSTAGE) + id = vb2_hash_id(VB2_HASH_SHA512); + else + die("Invalid hash id"); - /* load stage */ - if (cbfs_boot_locate(&file, prog_name(&stage), NULL)) - die("failed to load stage"); - - cbfs_file_data(prog_rdev(&stage), &file); - fh = &stage.rdev; - - fsize = region_device_sz(fh); - map = rdev_mmap(fh, 0, fsize); - if (!map) printk(BIOS_INFO, "ERROR: Mapping failed\n"); - } else if (ENV_RAMSTAGE) { - printk(BIOS_INFO, "Verify payload\n"); - id = vb2_hash_id(VB2_HASH_SHA512); - struct prog stage = PROG_INIT(PROG_PAYLOAD, - CONFIG_CBFS_PREFIX "/payload"); - - /* load stage */ - if (cbfs_boot_locate(&file, prog_name(&stage), NULL)) - die("failed to load stage"); - - cbfs_file_data(prog_rdev(&stage), &file); - fh = &stage.rdev; - - fsize = region_device_sz(fh); - map = rdev_mmap(fh, 0, fsize); - if (!map) printk(BIOS_INFO, "ERROR: Mapping failed\n"); - } else - die("Impossible"); - - //get_stage_attr(&map, &id); /* initialize the vb context and read the NV data */ init_ctx(&ctx); @@ -310,17 +283,26 @@ die("Stage Verification Failed"); } - rdev_munmap(fh, map); + rdev_munmap(rdev, map); printk(BIOS_INFO, "stage verified successfully, proceed...\n"); } +/* stage verification if required */ +void verify_stage_if_required(const struct region_device *rdev) +{ + if (!rdev) { + die("Invalid region device"); + } else { + if (ENV_POSTCAR || ENV_RAMSTAGE) + verify_stage(rdev); + } +} + /* Main Entry Point for Stage Verification */ void verstage_main(void) { if (ENV_VERSTAGE) init_ctx_verstage(); - else if (ENV_POSTCAR || ENV_RAMSTAGE) - verify_stage(); } -- To view, visit https://review.coreboot.org/c/coreboot/+/32152 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: I0381299f97d0b59969e2d6c6b4df4e4cc3e39f69 Gerrit-Change-Number: 32152 Gerrit-PatchSet: 1 Gerrit-Owner: Amol N Sukerkar <amol.n.sukerkar(a)intel.com> Gerrit-MessageType: newchange

3 2

Change in ...coreboot[master]: src/security/vboot: When VBOOT Stage Verification is enabled, ...
by Amol N Sukerkar (Code Review) 15 Nov '21

15 Nov '21

Amol N Sukerkar has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/32153 Change subject: src/security/vboot: When VBOOT Stage Verification is enabled, boot ROMSTAGE and POSTCAR from Read-Only region. ...................................................................... src/security/vboot: When VBOOT Stage Verification is enabled, boot ROMSTAGE and POSTCAR from Read-Only region. When VBOOT Stage Verification is enabled, the root-of-trust is the Read-Only image. So, move the ROMSTAGE and POSTCAR is Read-Only region. POSTCAR triggers VBOOT Stage Authentication starting with RAMSTAGE. RAMSTAGE authenticates PAYLOAD. TEST=Create a coreboot.rom image by enabling CONFIG_VBOOT and CONFIG_VBOOT_STAGE_VERIFICATION. Verify that the image boots to authenticated payload and graphics is displayed via HDMI and Display Port. Change-Id: I6d4b7dbea62a92ca75d731c84b7c1402a207634a Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar(a)intel.com> --- M src/security/vboot/Makefile.inc M src/security/vboot/vboot_loader.c 2 files changed, 19 insertions(+), 0 deletions(-) git pull ssh://review.coreboot.org:29418/coreboot refs/changes/53/32153/1 diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc index a65b066..1a6ca9f 100644 --- a/src/security/vboot/Makefile.inc +++ b/src/security/vboot/Makefile.inc @@ -211,6 +211,10 @@ $(if $(filter \ $(if $(filter y,$(CONFIG_VBOOT_STARTS_IN_BOOTBLOCK)),, \ %/romstage) \ + $(if $(filter y,$(CONFIG_VBOOT_STAGE_VERIFICATION)), \ + %/romstage, ) \ + $(if $(filter y,$(CONFIG_VBOOT_STAGE_VERIFICATION)), \ + %/postcar, ) \ mts \ %/verstage \ locales \ diff --git a/src/security/vboot/vboot_loader.c b/src/security/vboot/vboot_loader.c index b71178e..36f2a07 100644 --- a/src/security/vboot/vboot_loader.c +++ b/src/security/vboot/vboot_loader.c @@ -37,6 +37,16 @@ CONFIG(VBOOT_SEPARATE_VERSTAGE), "return from verstage only makes sense for separate verstages"); +/* This helper decides if stage verification logic needs to be + * initiated or not. */ +static int stage_verification_should_run(void) +{ + if (CONFIG(VBOOT_STAGE_VERIFICATION)) + return ENV_POSTCAR | ENV_RAMSTAGE; + + return 0; +} + /* The stage loading code is compiled and entered from multiple stages. The * helper functions below attempt to provide more clarity on when certain * code should be called. */ @@ -141,6 +151,11 @@ if (!vboot_logic_executed()) return -1; + /* Do not initiate VBOOT Stage Verification until all the + * stages from RO region are loaded */ + if (!stage_verification_should_run()) + return -1; + if (vboot_get_selected_region(&selected_region)) return -1; -- To view, visit https://review.coreboot.org/c/coreboot/+/32153 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: I6d4b7dbea62a92ca75d731c84b7c1402a207634a Gerrit-Change-Number: 32153 Gerrit-PatchSet: 1 Gerrit-Owner: Amol N Sukerkar <amol.n.sukerkar(a)intel.com> Gerrit-Reviewer: Aaron Durbin <adurbin(a)chromium.org> Gerrit-Reviewer: Amol N Sukerkar <amol.n.sukerkar(a)intel.com> Gerrit-Reviewer: Martin Roth <martinroth(a)google.com> Gerrit-Reviewer: Patrick Georgi <pgeorgi(a)google.com> Gerrit-MessageType: newchange

4 10

Change in ...coreboot[master]: src/security/vboot: Added logic to also verify FSP_S component ...
by Amol N Sukerkar (Code Review) 15 Nov '21

15 Nov '21

Amol N Sukerkar has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/32156 Change subject: src/security/vboot: Added logic to also verify FSP_S component and syntax change for verify_stage_if_required. ...................................................................... src/security/vboot: Added logic to also verify FSP_S component and syntax change for verify_stage_if_required. When VBOOT Stage Verification is enabled, FSP_S component needs to be verified. This logic has been added. TEST=Create a coreboot.rom image by enabling CONFIG_VBOOT and CONFIG_VBOOT_STAGE_VERIFICATION. Verify that the image boots to authenticated payload and graphics is displayed via HDMI and Display Port. Change-Id: I7e2323086ecddc5195d8b55b47cc71f599b5a0b8 Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar(a)intel.com> --- M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/vboot_logic_ex.c 3 files changed, 57 insertions(+), 19 deletions(-) git pull ssh://review.coreboot.org:29418/coreboot refs/changes/56/32156/1 diff --git a/src/security/vboot/Kconfig b/src/security/vboot/Kconfig index e7bd3f9..036c553 100644 --- a/src/security/vboot/Kconfig +++ b/src/security/vboot/Kconfig @@ -372,6 +372,11 @@ default "$(VBOOT_SOURCE)/tests/devkeys/rhash.vbprik2" depends on VBOOT_STAGE_VERIFICATION +config VBOOT_2_1_FSPS_HASH_KEY + string "Coreboot fsps.bin Stage Hashing Key(private)" + default "$(VBOOT_SOURCE)/tests/devkeys/fhash.vbprik2" + depends on VBOOT_STAGE_VERIFICATION + config VBOOT_2_1_PAYLOAD_HASH_KEY string "Coreboot PAYLOAD Stage Hashing Key(private)" default "$(VBOOT_SOURCE)/tests/devkeys/phash.vbprik2" diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc index 1a6ca9f..1c03c78 100644 --- a/src/security/vboot/Makefile.inc +++ b/src/security/vboot/Makefile.inc @@ -338,9 +338,9 @@ rm -f $@.tmp $@.tmp.size ifeq ($(CONFIG_VBOOT_STAGE_VERIFICATION), y) -# Extract RAMStage and PAYLOAD and hash them -# Since we are booting from FW_MAIN_A, RAMStage and payload are -# extracted from FW_MAIN_A. +# Extract RAMStage, fsps.bin and PAYLOAD and hash them +# Since we are booting from FW_MAIN_A, RAMStage, fsps.bin +# and payload are extracted from FW_MAIN_A. $(obj)/ramstage.hash: $(obj)/coreboot.rom @printf " CREATE RAMSTAGE HASH\n" $(CBFSTOOL) $< print -r FW_MAIN_A > $<.tmp @@ -351,6 +351,16 @@ $@.tmp $@ rm -f $<.tmp $@.tmp +$(obj)/fsps.hash: $(obj)/coreboot.rom + @printf " CREATE FSPS.BIN HASH\n" + $(CBFSTOOL) $< extract -n $(call strip_quotes,$(CONFIG_FSP_S_CBFS)) \ + -r FW_MAIN_A -f $@.tmp &> /dev/null + $(FUTILITY) --vb21 sign \ + --type rwsig \ + --prikey "$(CONFIG_VBOOT_2_1_FSPS_HASH_KEY)" \ + $@.tmp $@ + rm -f $<.tmp $@.tmp + $(obj)/payload.hash: $(obj)/coreboot.rom @printf " CREATE PAYLOAD HASH\n" $(CBFSTOOL) $< print -r FW_MAIN_A > $<.tmp @@ -369,7 +379,8 @@ --flags $(CONFIG_VBOOT_KEYBLOCK_PREAMBLE_FLAGS) $(obj)/VBLOCK_%.bin: $(obj)/FW_MAIN_%.bin $(FUTILITY) \ - $(obj)/ramstage.hash $(obj)/payload.hash $(obj)/firmware.kb21 + $(obj)/ramstage.hash $(obj)/fsps.hash $(obj)/payload.hash \ + $(obj)/firmware.kb21 $(FUTILITY) vbutil_firmware \ --vblock21 $@ \ --keyblock "$(top)/$(obj)/firmware.kb21" \ diff --git a/src/security/vboot/vboot_logic_ex.c b/src/security/vboot/vboot_logic_ex.c index 1b526c7..0a071f0 100644 --- a/src/security/vboot/vboot_logic_ex.c +++ b/src/security/vboot/vboot_logic_ex.c @@ -154,6 +154,32 @@ } } +/* get the hash id from component name */ +static void get_hash_id(struct vb2_id *id, const char *name) +{ + /* in POSTCAR stage, safely assume that we are + * in the process of verifying RAMSTAGE */ + if (ENV_POSTCAR) { + const struct vb2_id tmp_id = VB2_ID_RAMSTAGE; + memcpy(id, &tmp_id, sizeof(*id)); + } else if (ENV_RAMSTAGE) { + /* In RAMSTAGE, we verify FSPS and PAYLOAD, + * conditionally, so, get the appropriate ID */ + if (!memcmp(name, CONFIG_CBFS_PREFIX"/payload", + sizeof(name))) { + const struct vb2_id tmp_id = VB2_ID_PAYLOAD; + memcpy(id, &tmp_id, sizeof(*id)); + } else if (!memcmp(name, CONFIG_FSP_S_CBFS, + sizeof(name))) { + const struct vb2_id tmp_id = VB2_ID_FSPS; + memcpy(id, &tmp_id, sizeof(*id)); + } + else + die("Invalid component"); + } else + die("Invalid stage"); +} + /* VB2 context initialization helper function */ static void init_ctx(struct vb2_context *ctx) { @@ -197,11 +223,11 @@ int rv; uint32_t size = 0; - printk(BIOS_INFO, "Phase 4\n"); + printk(BIOS_INFO, "Phase 4\n"); /* init hash */ rv = vb21api_init_hash(ctx, id, &size); - if (rv) + if (rv) return rv; /* extend hash over the body */ @@ -237,28 +263,23 @@ vboot_set_selected_region(region_device_region(&fw_main)); } -/* Veify the stage to be executed */ -static void verify_stage(const struct region_device *rdev) +/* Verify the stage to be executed */ +static void verify_stage(const struct region_device *rdev, + const char *name) { struct vb2_context ctx; struct region_device fw_main; int rv; size_t fsize = 0; void *map = NULL; - const struct vb2_id* id; + struct vb2_id id; /* get region memory map */ fsize = region_device_sz(rdev); map = rdev_mmap(rdev, 0, fsize); if (!map) die("ERROR: Stage Mapping failed"); - /* get the hash id */ - if (ENV_POSTCAR) - id = vb2_hash_id(VB2_HASH_SHA256); - else if (ENV_RAMSTAGE) - id = vb2_hash_id(VB2_HASH_SHA512); - else - die("Invalid hash id"); + get_hash_id(&id, name); /* initialize the vb context and read the NV data */ init_ctx(&ctx); @@ -277,7 +298,7 @@ } /* verify the hash */ - rv = verify_hash(&ctx, map, id); + rv = verify_hash(&ctx, map, &id); if (rv) { printk(BIOS_ERR, "ERROR:0x%x ", rv); die("Stage Verification Failed"); @@ -289,13 +310,14 @@ } /* stage verification if required */ -void verify_stage_if_required(const struct region_device *rdev) +void verify_stage_if_required(const struct region_device *rdev, + const char *name) { if (!rdev) { die("Invalid region device"); } else { if (ENV_POSTCAR || ENV_RAMSTAGE) - verify_stage(rdev); + verify_stage(rdev, name); } } -- To view, visit https://review.coreboot.org/c/coreboot/+/32156 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: I7e2323086ecddc5195d8b55b47cc71f599b5a0b8 Gerrit-Change-Number: 32156 Gerrit-PatchSet: 1 Gerrit-Owner: Amol N Sukerkar <amol.n.sukerkar(a)intel.com> Gerrit-Reviewer: Aaron Durbin <adurbin(a)chromium.org> Gerrit-Reviewer: Amol N Sukerkar <amol.n.sukerkar(a)intel.com> Gerrit-Reviewer: Martin Roth <martinroth(a)google.com> Gerrit-Reviewer: Patrick Georgi <pgeorgi(a)google.com> Gerrit-MessageType: newchange

3 3

Change in ...coreboot[master]: src/security/vboot: Enabled support for dsdt.aml
by Amol N Sukerkar (Code Review) 15 Nov '21

15 Nov '21

Amol N Sukerkar has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/32157 Change subject: src/security/vboot: Enabled support for dsdt.aml ...................................................................... src/security/vboot: Enabled support for dsdt.aml This change enables vboot Stage Verification support for dsdt.aml ACPI table. BRANCH=none TEST=Create a coreboot.rom image by enabling CONFIG_VBOOT_STAGE_VERIFICATION and CONFIG_VBOOT. Verify that the image boots to authenticated payload and graphics is displayed via HDMI and Display Port. Change-Id: I51a627bc0622da64ce4486f27912753497822ce0 Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar(a)intel.com> --- M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc M src/security/vboot/vboot_logic_ex.c 3 files changed, 36 insertions(+), 20 deletions(-) git pull ssh://review.coreboot.org:29418/coreboot refs/changes/57/32157/1 diff --git a/src/security/vboot/Kconfig b/src/security/vboot/Kconfig index 036c553..5e60ee7 100644 --- a/src/security/vboot/Kconfig +++ b/src/security/vboot/Kconfig @@ -373,10 +373,20 @@ depends on VBOOT_STAGE_VERIFICATION config VBOOT_2_1_FSPS_HASH_KEY - string "Coreboot fsps.bin Stage Hashing Key(private)" + string "Coreboot fsps.bin Hashing Key(private)" default "$(VBOOT_SOURCE)/tests/devkeys/fhash.vbprik2" depends on VBOOT_STAGE_VERIFICATION +config VBOOT_2_1_DSDT_AML_HASH_KEY + string "Coreboot dsdt.aml Hashing Key(private)" + default "$(VBOOT_SOURCE)/tests/devkeys/dhash.vbprik2" + depends on VBOOT_STAGE_VERIFICATION + +config VBOOT_2_1_TPM2_AML_HASH_KEY + string "Coreboot tpm2.aml Hashing Key(private)" + default "$(VBOOT_SOURCE)/tests/devkeys/thash.vbprik2" + depends on VBOOT_STAGE_VERIFICATION + config VBOOT_2_1_PAYLOAD_HASH_KEY string "Coreboot PAYLOAD Stage Hashing Key(private)" default "$(VBOOT_SOURCE)/tests/devkeys/phash.vbprik2" diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc index 1c03c78..b0700a3 100644 --- a/src/security/vboot/Makefile.inc +++ b/src/security/vboot/Makefile.inc @@ -354,13 +354,23 @@ $(obj)/fsps.hash: $(obj)/coreboot.rom @printf " CREATE FSPS.BIN HASH\n" $(CBFSTOOL) $< extract -n $(call strip_quotes,$(CONFIG_FSP_S_CBFS)) \ - -r FW_MAIN_A -f $@.tmp &> /dev/null + -r FW_MAIN_A -f $@.tmp $(FUTILITY) --vb21 sign \ --type rwsig \ --prikey "$(CONFIG_VBOOT_2_1_FSPS_HASH_KEY)" \ $@.tmp $@ rm -f $<.tmp $@.tmp +$(obj)/dsdt.hash: $(obj)/coreboot.rom + @printf " CREATE DSDT.AML HASH\n" + $(CBFSTOOL) $< extract -n $(CONFIG_CBFS_PREFIX)/dsdt.aml \ + -r FW_MAIN_A -f $@.tmp + $(FUTILITY) --vb21 sign \ + --type rwsig \ + --prikey "$(CONFIG_VBOOT_2_1_DSDT_AML_HASH_KEY)" \ + $@.tmp $@ + rm -f $<.tmp $@.tmp + $(obj)/payload.hash: $(obj)/coreboot.rom @printf " CREATE PAYLOAD HASH\n" $(CBFSTOOL) $< print -r FW_MAIN_A > $<.tmp @@ -379,7 +389,8 @@ --flags $(CONFIG_VBOOT_KEYBLOCK_PREAMBLE_FLAGS) $(obj)/VBLOCK_%.bin: $(obj)/FW_MAIN_%.bin $(FUTILITY) \ - $(obj)/ramstage.hash $(obj)/fsps.hash $(obj)/payload.hash \ + $(obj)/ramstage.hash $(obj)/fsps.hash $(obj)/dsdt.hash \ + $(obj)/payload.hash \ $(obj)/firmware.kb21 $(FUTILITY) vbutil_firmware \ --vblock21 $@ \ diff --git a/src/security/vboot/vboot_logic_ex.c b/src/security/vboot/vboot_logic_ex.c index 0a071f0..000d99e 100644 --- a/src/security/vboot/vboot_logic_ex.c +++ b/src/security/vboot/vboot_logic_ex.c @@ -13,7 +13,6 @@ * GNU General Public License for more details. */ -#include <security/tpm/antirollback.h> #include <arch/exception.h> #include <assert.h> #include <bootmode.h> @@ -30,6 +29,8 @@ #include <cbmem.h> #include <rmodule.h> +#include "antirollback.h" + /* For individual stage verification design, only * RW Region A is relevant. So, force CBFS to bot * from RW Region A */ @@ -60,16 +61,6 @@ return; } -int vb2ex_tpm_clear_owner(struct vb2_context *ctx) -{ - uint32_t rv; - printk(BIOS_INFO, "Clearing TPM owner\n"); - rv = tpm_clear_and_reenable(); - if (rv) - return VB2_ERROR_EX_TPM_CLEAR_OWNER; - return VB2_SUCCESS; -} - int vb2ex_read_resource(struct vb2_context *ctx, enum vb2_resource_index index, uint32_t offset, @@ -163,18 +154,22 @@ const struct vb2_id tmp_id = VB2_ID_RAMSTAGE; memcpy(id, &tmp_id, sizeof(*id)); } else if (ENV_RAMSTAGE) { - /* In RAMSTAGE, we verify FSPS and PAYLOAD, - * conditionally, so, get the appropriate ID */ + /* In RAMSTAGE, we verify FSPS, dsdt.aml, tpm2.aml + * and PAYLOAD, conditionally, so, get the appropriate ID + */ if (!memcmp(name, CONFIG_CBFS_PREFIX"/payload", - sizeof(name))) { + sizeof(CONFIG_CBFS_PREFIX"/payload"))) { const struct vb2_id tmp_id = VB2_ID_PAYLOAD; memcpy(id, &tmp_id, sizeof(*id)); } else if (!memcmp(name, CONFIG_FSP_S_CBFS, - sizeof(name))) { + sizeof(CONFIG_FSP_S_CBFS))) { const struct vb2_id tmp_id = VB2_ID_FSPS; memcpy(id, &tmp_id, sizeof(*id)); - } - else + } else if (!memcmp(name, CONFIG_CBFS_PREFIX"/dsdt.aml", + sizeof(CONFIG_CBFS_PREFIX"/dsdt.aml"))) { + const struct vb2_id tmp_id = VB2_ID_DSDT_AML; + memcpy(id, &tmp_id, sizeof(*id)); + } else die("Invalid component"); } else die("Invalid stage"); -- To view, visit https://review.coreboot.org/c/coreboot/+/32157 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: I51a627bc0622da64ce4486f27912753497822ce0 Gerrit-Change-Number: 32157 Gerrit-PatchSet: 1 Gerrit-Owner: Amol N Sukerkar <amol.n.sukerkar(a)intel.com> Gerrit-Reviewer: Aaron Durbin <adurbin(a)chromium.org> Gerrit-Reviewer: Amol N Sukerkar <amol.n.sukerkar(a)intel.com> Gerrit-Reviewer: Martin Roth <martinroth(a)google.com> Gerrit-Reviewer: Patrick Georgi <pgeorgi(a)google.com> Gerrit-MessageType: newchange

3 3

Change in ...coreboot[master]: src/arch/x86: Enabled support for dsdt.aml
by Amol N Sukerkar (Code Review) 15 Nov '21

15 Nov '21

Amol N Sukerkar has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/32158 Change subject: src/arch/x86: Enabled support for dsdt.aml ...................................................................... src/arch/x86: Enabled support for dsdt.aml This change enables vboot Stage Verification support for dsdt.aml ACPI table. BRANCH=none TEST=Create a coreboot.rom image by enabling CONFIG_VBOOT_STAGE_VERIFICATION and CONFIG_VBOOT. Verify that the image boots to authenticated payload and graphics is displayed via HDMI and Display Port. Change-Id: I971ed8ed28cdb6355d342793ae6bb3d754939c21 Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar(a)intel.com> --- M src/arch/x86/acpi.c 1 file changed, 33 insertions(+), 0 deletions(-) git pull ssh://review.coreboot.org:29418/coreboot refs/changes/58/32158/1 diff --git a/src/arch/x86/acpi.c b/src/arch/x86/acpi.c index f08a401..d129261 100644 --- a/src/arch/x86/acpi.c +++ b/src/arch/x86/acpi.c @@ -9,6 +9,7 @@ * Copyright (C) 2015 Timothy Pearson <tpearson(a)raptorengineeringinc.com>, * Raptor Engineering * Copyright (C) 2016-2019 Siemens AG + * Copyright (C) 2019 Intel Corp. * * ACPI FADT, FACS, and DSDT table support added by * Nick Barker <nick.barker9(a)btinternet.com>, and those portions @@ -1110,6 +1111,34 @@ return 0; } +/* This is marked as weak so some verification mechanism can + * use it to verify after loading into DRAM. Primarily + * overriden by VBOOT mechanism. + */ +void __weak verify_stage_if_required(const struct region_device *rdev, + const char * name) +{ + /* no op */ +} + +/* This is wrapper for acpi table to be verified, if required */ +static void verify_acpi_table(const char *name) +{ + const struct region_device *rdev = NULL; + struct prog file = PROG_INIT(PROG_UNKNOWN, name); + + if (prog_locate(&file)) { + printk (BIOS_ERR, "ERROR: Unable to locate %s\n", prog_name(&file)); + return; + } + + rdev = &file.rdev; + + /* verify if required */ + verify_stage_if_required(rdev, prog_name(&file)); +} + + unsigned long write_acpi_tables(unsigned long start) { unsigned long current; @@ -1228,6 +1257,10 @@ current = acpi_align_current(current); acpi_create_fadt(fadt, facs, dsdt); + + /* verify DSDT ACPI table */ + verify_acpi_table(CONFIG_CBFS_PREFIX "/dsdt.aml"); + acpi_add_table(rsdp, fadt); if (slic_file) { -- To view, visit https://review.coreboot.org/c/coreboot/+/32158 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: I971ed8ed28cdb6355d342793ae6bb3d754939c21 Gerrit-Change-Number: 32158 Gerrit-PatchSet: 1 Gerrit-Owner: Amol N Sukerkar <amol.n.sukerkar(a)intel.com> Gerrit-MessageType: newchange

3 6

Change in ...coreboot[master]: Documentation/security/vboot: Add logic to verify stage/blob using VB...
by Amol N Sukerkar (Code Review) 15 Nov '21

15 Nov '21

Amol N Sukerkar has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/32159 Change subject: Documentation/security/vboot: Add logic to verify stage/blob using VBOOT 2.1 library ...................................................................... Documentation/security/vboot: Add logic to verify stage/blob using VBOOT 2.1 library Added documentation to explain the logic that makes use of VBOOT 2.1 library to verify Coreboot stages/blobs. Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar(a)intel.com> Change-Id: I1eb174bb4f4d84eb8f6befdce18421b6b85ccc02 --- M Documentation/security/index.md A Documentation/security/vboot/flash_partition.png A Documentation/security/vboot/vboot_21_logic.png A Documentation/security/vboot/vboot_flow_20.png A Documentation/security/vboot/vboot_flow_21.png A Documentation/security/vboot/verified_boot_21.md 6 files changed, 115 insertions(+), 0 deletions(-) git pull ssh://review.coreboot.org:29418/coreboot refs/changes/59/32159/1 diff --git a/Documentation/security/index.md b/Documentation/security/index.md index 89db42e..aebfc82 100644 --- a/Documentation/security/index.md +++ b/Documentation/security/index.md @@ -5,3 +5,4 @@ ## Vendor - [Measured Boot](vboot/measured_boot.md) +- [Verified Boot with VBOOT 2.1](vboot/verified_boot_21.md) diff --git a/Documentation/security/vboot/flash_partition.png b/Documentation/security/vboot/flash_partition.png new file mode 100644 index 0000000..91e459b --- /dev/null +++ b/Documentation/security/vboot/flash_partition.png Binary files differ diff --git a/Documentation/security/vboot/vboot_21_logic.png b/Documentation/security/vboot/vboot_21_logic.png new file mode 100644 index 0000000..d32e99e --- /dev/null +++ b/Documentation/security/vboot/vboot_21_logic.png Binary files differ diff --git a/Documentation/security/vboot/vboot_flow_20.png b/Documentation/security/vboot/vboot_flow_20.png new file mode 100644 index 0000000..fce4c5d --- /dev/null +++ b/Documentation/security/vboot/vboot_flow_20.png Binary files differ diff --git a/Documentation/security/vboot/vboot_flow_21.png b/Documentation/security/vboot/vboot_flow_21.png new file mode 100644 index 0000000..24859fe --- /dev/null +++ b/Documentation/security/vboot/vboot_flow_21.png Binary files differ diff --git a/Documentation/security/vboot/verified_boot_21.md b/Documentation/security/vboot/verified_boot_21.md new file mode 100644 index 0000000..15253b3 --- /dev/null +++ b/Documentation/security/vboot/verified_boot_21.md @@ -0,0 +1,114 @@ +# Enabling Intel BootGuard Support in Coreboot + +## Introduction + +One of the primary and key requirement for Intel customers is to enable Secure +Boot in their platform where root of trust resides in the hardware and is +immutable. While the obvious choice when it comes to hardware root of trust is +Intel Bootguard for IA platforms, the mechanism that extends the chain +of trust from hardware to bootloader, to payload/OS loader and eventually to the +OS is currently not implemented in Coreboot mainly due to licensing constraints. +This document describes the mechanism implemented in Coreboot using Google VBOOT +libraries version 2.1 that makes use of Intel BootGuard technology as Root of +Trust and extends the chain of trust to Coreboot which in turn extends it to the +payload. Note: UEFI payload will use secure boot mechanism to verify and launch +OS but that is beyond the scope of this document and will not be covered here. +More details about VBOOT support in Coreboot are available at +https://www.coreboot.org/git-docs/Intel/vboot.html. + + +## Intel BootGuard Technology + +Intel BootGuard is a platform boot integrity +protection technology. It allows initial stage of bootloader to be verified (and +measured in TPM) by a piece of firmware (ACM) which itself is verified by Intel +CPU microcode. A high level summary of the steps required to enable Intel +BootGuard are: 1. Use Intel FSP-T with Coreboot bootloader. It contains the +logic of correctly handling BtGuard enabled state. 2. Integrate ACM +(Authenticated Code module) binary in bootloader image. 3. Generate BtGuard Key +Manifest(BtG KM) and BtGuard Boot PolicyManifest(BtG BPM) and embed them in +bootloader image. a. BtG KM contains the hash of the key used for signing BtG +BPM. BtG KM is signed by the key whose hash is embedded in field-programmable +fuses. b. BtG BPM contains the hash of initial stage of boot loader. It also +stores other policies related to Intel TXT, BtG DMA protection etc. 4. Add +entries for CPU microcode patch, ACM, BtG KM and BtG BPM in FIT table. 5. +Update BootGuard related field-programmable fuses on the test platform. + + +## VBOOT in Coreboot + +The current implementation of VBOOT tool support and logic +in Coreboot is at version 2.0. The architecture, design and usage of this +feature has been described here, +https://www.coreboot.org/git-docs/Intel/vboot.html. + +### VBOOT 2.0 in Coreboot (Currently available) + +As described in the location mentioned above, the VBOOT 2.0 verified boot logic +flow works as follows. Upon boot, verstage attempts to verify the read-write +section A. It gets the public root key from GBB area and verifies the VBLOCK +area in read-write section A. If the verification is successful, then verstage +instructs Coreboot to boot rest of the firmware in read-write section A +(romstage, postcar, ramstage and payload). If the verification fails, then, +VBOOT falls back on read-only area to boot. +The flow chart below shows this flow: + +**VBOOT 2.0 Verification Flow in Coreboot** +![VBOOT_20_Flow_in_Coreboot][VBOOT_Flow_20] + +[VBOOT_Flow_20]: vboot_flow_20.png + +While this design implements verified boot to a certain extent, it does not take +into account a few use-cases and concerns some Intel customers run into. A +couple of them are as listed below, +- Some hardware designs cannot support ‘read-only’ flash region as Root of Trust + and therefore prefer Intel BootGuard technology as RoT for verified boot +mechanism. +- In some use-cases, some of the firmware components may come from different + media, for instance, customer could boot payload from USB thumb drive instead +of SPI flash. In that case, the entire read-write section will not have all the +firmware components. There needs to be a mechanism to verify payload along with +other components. +- In exisiting implementation, all the firmware components in the boot chain are + verified in verstage. This may result in a TOCTOU attack where right after the +verification phase, some firmware stages/components (such as payload, FSP, etc.) +can be swapped with malware. To extend the vboot security model, the mechanism +described below is proposed where the root of trust Bootguard begins by +verifying the IBB and the chain of trust is extended only to the next +stage/component at every verification pass. For instance, once Bootguard +verifies IBB which contains verstage, romstage and postcar), postcar then uses +the VBOOT mechanism to verify ramstage. Once ramstage is loaded into DRAM, +ramstage in turn will verify FSP and payload. + +### Proposed Changes using VBOOT2.1 Libraries + +The proposed changes are described as follows. Upon power on of the device, +Intel Bootguard attempts to verify IBB. IBB in this case, replaces the read-only +portion of the flash map and contains bootblock, verstage, romstage and postcar +stage. If the verification is successful, Intel Bootguard launches IBB and the +system boots until postcar stage. In postcar stage, GBB is extracted and GBB +verified the VBLOCK. Once VBLOCK is verified, postcar stage extracts the +ramstage hash from VBLOCK and verifies the ramstage after it has been loaded +into DRAM. This is done to ensure maximum security. Once ramstage is verified, +ramstage is launched. At this point, ramstage extracts the hash of FSPS, DSDT +ACPI table and payload in that order, and verifies and launches them +sequentially. At any point, if the verification fails, the system boot will +halt. + +**Stage/Blob Verification using VBOOT2.1 Library** +![VBOOT_Stage_Blob_Verification][VBOOT_Flow_21] + +[VBOOT_Flow_21]: vboot_flow_21.png + +### Flash Partition and Code Flow in Coreboot + +**Flash Partition for Verification using VBOOT 2.1 Library** +![VBOOT_Verification_2_1_Flash][Flash_Partition] + +[Flash_Partition]: flash_partition.png + +**Verification Logic using VBOOT 2.1 Library** +![VBOOT_Verification_2_1_Logic][vboot_21_logic] + +[vboot_21_logic]: vboot_21_logic.png + -- To view, visit https://review.coreboot.org/c/coreboot/+/32159 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: I1eb174bb4f4d84eb8f6befdce18421b6b85ccc02 Gerrit-Change-Number: 32159 Gerrit-PatchSet: 1 Gerrit-Owner: Amol N Sukerkar <amol.n.sukerkar(a)intel.com> Gerrit-MessageType: newchange

5 13

← Newer
1
...
7
8
9
10
11
12
13
...
149
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

coreboot-gerrit May 2019