Amol N Sukerkar has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/32153
Change subject: src/security/vboot: When VBOOT Stage Verification is enabled, boot ROMSTAGE and POSTCAR from Read-Only region.
......................................................................
src/security/vboot: When VBOOT Stage Verification is enabled,
boot ROMSTAGE and POSTCAR from Read-Only region.
When VBOOT Stage Verification is enabled, the root-of-trust is the
Read-Only image. So, move the ROMSTAGE and POSTCAR is Read-Only
region. POSTCAR triggers VBOOT Stage Authentication starting with
RAMSTAGE. RAMSTAGE authenticates PAYLOAD.
TEST=Create a coreboot.rom image by enabling CONFIG_VBOOT and
CONFIG_VBOOT_STAGE_VERIFICATION. Verify that the image boots
to authenticated payload and graphics is displayed via HDMI
and Display Port.
Change-Id: I6d4b7dbea62a92ca75d731c84b7c1402a207634a
Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar(a)intel.com>
---
M src/security/vboot/Makefile.inc
M src/security/vboot/vboot_loader.c
2 files changed, 19 insertions(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/53/32153/1
diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc
index a65b066..1a6ca9f 100644
--- a/src/security/vboot/Makefile.inc
+++ b/src/security/vboot/Makefile.inc
@@ -211,6 +211,10 @@
$(if $(filter \
$(if $(filter y,$(CONFIG_VBOOT_STARTS_IN_BOOTBLOCK)),, \
%/romstage) \
+ $(if $(filter y,$(CONFIG_VBOOT_STAGE_VERIFICATION)), \
+ %/romstage, ) \
+ $(if $(filter y,$(CONFIG_VBOOT_STAGE_VERIFICATION)), \
+ %/postcar, ) \
mts \
%/verstage \
locales \
diff --git a/src/security/vboot/vboot_loader.c b/src/security/vboot/vboot_loader.c
index b71178e..36f2a07 100644
--- a/src/security/vboot/vboot_loader.c
+++ b/src/security/vboot/vboot_loader.c
@@ -37,6 +37,16 @@
CONFIG(VBOOT_SEPARATE_VERSTAGE),
"return from verstage only makes sense for separate verstages");
+/* This helper decides if stage verification logic needs to be
+ * initiated or not. */
+static int stage_verification_should_run(void)
+{
+ if (CONFIG(VBOOT_STAGE_VERIFICATION))
+ return ENV_POSTCAR | ENV_RAMSTAGE;
+
+ return 0;
+}
+
/* The stage loading code is compiled and entered from multiple stages. The
* helper functions below attempt to provide more clarity on when certain
* code should be called. */
@@ -141,6 +151,11 @@
if (!vboot_logic_executed())
return -1;
+ /* Do not initiate VBOOT Stage Verification until all the
+ * stages from RO region are loaded */
+ if (!stage_verification_should_run())
+ return -1;
+
if (vboot_get_selected_region(&selected_region))
return -1;
--
To view, visit https://review.coreboot.org/c/coreboot/+/32153
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings
Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I6d4b7dbea62a92ca75d731c84b7c1402a207634a
Gerrit-Change-Number: 32153
Gerrit-PatchSet: 1
Gerrit-Owner: Amol N Sukerkar <amol.n.sukerkar(a)intel.com>
Gerrit-Reviewer: Aaron Durbin <adurbin(a)chromium.org>
Gerrit-Reviewer: Amol N Sukerkar <amol.n.sukerkar(a)intel.com>
Gerrit-Reviewer: Martin Roth <martinroth(a)google.com>
Gerrit-Reviewer: Patrick Georgi <pgeorgi(a)google.com>
Gerrit-MessageType: newchange
Amol N Sukerkar has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/32159
Change subject: Documentation/security/vboot: Add logic to verify stage/blob using VBOOT 2.1 library
......................................................................
Documentation/security/vboot: Add logic to verify stage/blob using
VBOOT 2.1 library
Added documentation to explain the logic that makes use of VBOOT 2.1 library to
verify Coreboot stages/blobs.
Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar(a)intel.com>
Change-Id: I1eb174bb4f4d84eb8f6befdce18421b6b85ccc02
---
M Documentation/security/index.md
A Documentation/security/vboot/flash_partition.png
A Documentation/security/vboot/vboot_21_logic.png
A Documentation/security/vboot/vboot_flow_20.png
A Documentation/security/vboot/vboot_flow_21.png
A Documentation/security/vboot/verified_boot_21.md
6 files changed, 115 insertions(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/59/32159/1
diff --git a/Documentation/security/index.md b/Documentation/security/index.md
index 89db42e..aebfc82 100644
--- a/Documentation/security/index.md
+++ b/Documentation/security/index.md
@@ -5,3 +5,4 @@
## Vendor
- [Measured Boot](vboot/measured_boot.md)
+- [Verified Boot with VBOOT 2.1](vboot/verified_boot_21.md)
diff --git a/Documentation/security/vboot/flash_partition.png b/Documentation/security/vboot/flash_partition.png
new file mode 100644
index 0000000..91e459b
--- /dev/null
+++ b/Documentation/security/vboot/flash_partition.png
Binary files differ
diff --git a/Documentation/security/vboot/vboot_21_logic.png b/Documentation/security/vboot/vboot_21_logic.png
new file mode 100644
index 0000000..d32e99e
--- /dev/null
+++ b/Documentation/security/vboot/vboot_21_logic.png
Binary files differ
diff --git a/Documentation/security/vboot/vboot_flow_20.png b/Documentation/security/vboot/vboot_flow_20.png
new file mode 100644
index 0000000..fce4c5d
--- /dev/null
+++ b/Documentation/security/vboot/vboot_flow_20.png
Binary files differ
diff --git a/Documentation/security/vboot/vboot_flow_21.png b/Documentation/security/vboot/vboot_flow_21.png
new file mode 100644
index 0000000..24859fe
--- /dev/null
+++ b/Documentation/security/vboot/vboot_flow_21.png
Binary files differ
diff --git a/Documentation/security/vboot/verified_boot_21.md b/Documentation/security/vboot/verified_boot_21.md
new file mode 100644
index 0000000..15253b3
--- /dev/null
+++ b/Documentation/security/vboot/verified_boot_21.md
@@ -0,0 +1,114 @@
+# Enabling Intel BootGuard Support in Coreboot
+
+## Introduction
+
+One of the primary and key requirement for Intel customers is to enable Secure
+Boot in their platform where root of trust resides in the hardware and is
+immutable. While the obvious choice when it comes to hardware root of trust is
+Intel Bootguard for IA platforms, the mechanism that extends the chain
+of trust from hardware to bootloader, to payload/OS loader and eventually to the
+OS is currently not implemented in Coreboot mainly due to licensing constraints.
+This document describes the mechanism implemented in Coreboot using Google VBOOT
+libraries version 2.1 that makes use of Intel BootGuard technology as Root of
+Trust and extends the chain of trust to Coreboot which in turn extends it to the
+payload. Note: UEFI payload will use secure boot mechanism to verify and launch
+OS but that is beyond the scope of this document and will not be covered here.
+More details about VBOOT support in Coreboot are available at
+https://www.coreboot.org/git-docs/Intel/vboot.html.
+
+
+## Intel BootGuard Technology
+
+Intel BootGuard is a platform boot integrity
+protection technology. It allows initial stage of bootloader to be verified (and
+measured in TPM) by a piece of firmware (ACM) which itself is verified by Intel
+CPU microcode. A high level summary of the steps required to enable Intel
+BootGuard are: 1. Use Intel FSP-T with Coreboot bootloader. It contains the
+logic of correctly handling BtGuard enabled state. 2. Integrate ACM
+(Authenticated Code module) binary in bootloader image. 3. Generate BtGuard Key
+Manifest(BtG KM) and BtGuard Boot PolicyManifest(BtG BPM) and embed them in
+bootloader image. a. BtG KM contains the hash of the key used for signing BtG
+BPM. BtG KM is signed by the key whose hash is embedded in field-programmable
+fuses. b. BtG BPM contains the hash of initial stage of boot loader. It also
+stores other policies related to Intel TXT, BtG DMA protection etc. 4. Add
+entries for CPU microcode patch, ACM, BtG KM and BtG BPM in FIT table. 5.
+Update BootGuard related field-programmable fuses on the test platform.
+
+
+## VBOOT in Coreboot
+
+The current implementation of VBOOT tool support and logic
+in Coreboot is at version 2.0. The architecture, design and usage of this
+feature has been described here,
+https://www.coreboot.org/git-docs/Intel/vboot.html.
+
+### VBOOT 2.0 in Coreboot (Currently available)
+
+As described in the location mentioned above, the VBOOT 2.0 verified boot logic
+flow works as follows. Upon boot, verstage attempts to verify the read-write
+section A. It gets the public root key from GBB area and verifies the VBLOCK
+area in read-write section A. If the verification is successful, then verstage
+instructs Coreboot to boot rest of the firmware in read-write section A
+(romstage, postcar, ramstage and payload). If the verification fails, then,
+VBOOT falls back on read-only area to boot.
+The flow chart below shows this flow:
+
+**VBOOT 2.0 Verification Flow in Coreboot**
+![VBOOT_20_Flow_in_Coreboot][VBOOT_Flow_20]
+
+[VBOOT_Flow_20]: vboot_flow_20.png
+
+While this design implements verified boot to a certain extent, it does not take
+into account a few use-cases and concerns some Intel customers run into. A
+couple of them are as listed below,
+- Some hardware designs cannot support ‘read-only’ flash region as Root of Trust
+ and therefore prefer Intel BootGuard technology as RoT for verified boot
+mechanism.
+- In some use-cases, some of the firmware components may come from different
+ media, for instance, customer could boot payload from USB thumb drive instead
+of SPI flash. In that case, the entire read-write section will not have all the
+firmware components. There needs to be a mechanism to verify payload along with
+other components.
+- In exisiting implementation, all the firmware components in the boot chain are
+ verified in verstage. This may result in a TOCTOU attack where right after the
+verification phase, some firmware stages/components (such as payload, FSP, etc.)
+can be swapped with malware. To extend the vboot security model, the mechanism
+described below is proposed where the root of trust Bootguard begins by
+verifying the IBB and the chain of trust is extended only to the next
+stage/component at every verification pass. For instance, once Bootguard
+verifies IBB which contains verstage, romstage and postcar), postcar then uses
+the VBOOT mechanism to verify ramstage. Once ramstage is loaded into DRAM,
+ramstage in turn will verify FSP and payload.
+
+### Proposed Changes using VBOOT2.1 Libraries
+
+The proposed changes are described as follows. Upon power on of the device,
+Intel Bootguard attempts to verify IBB. IBB in this case, replaces the read-only
+portion of the flash map and contains bootblock, verstage, romstage and postcar
+stage. If the verification is successful, Intel Bootguard launches IBB and the
+system boots until postcar stage. In postcar stage, GBB is extracted and GBB
+verified the VBLOCK. Once VBLOCK is verified, postcar stage extracts the
+ramstage hash from VBLOCK and verifies the ramstage after it has been loaded
+into DRAM. This is done to ensure maximum security. Once ramstage is verified,
+ramstage is launched. At this point, ramstage extracts the hash of FSPS, DSDT
+ACPI table and payload in that order, and verifies and launches them
+sequentially. At any point, if the verification fails, the system boot will
+halt.
+
+**Stage/Blob Verification using VBOOT2.1 Library**
+![VBOOT_Stage_Blob_Verification][VBOOT_Flow_21]
+
+[VBOOT_Flow_21]: vboot_flow_21.png
+
+### Flash Partition and Code Flow in Coreboot
+
+**Flash Partition for Verification using VBOOT 2.1 Library**
+![VBOOT_Verification_2_1_Flash][Flash_Partition]
+
+[Flash_Partition]: flash_partition.png
+
+**Verification Logic using VBOOT 2.1 Library**
+![VBOOT_Verification_2_1_Logic][vboot_21_logic]
+
+[vboot_21_logic]: vboot_21_logic.png
+
--
To view, visit https://review.coreboot.org/c/coreboot/+/32159
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings
Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I1eb174bb4f4d84eb8f6befdce18421b6b85ccc02
Gerrit-Change-Number: 32159
Gerrit-PatchSet: 1
Gerrit-Owner: Amol N Sukerkar <amol.n.sukerkar(a)intel.com>
Gerrit-MessageType: newchange