coreboot-gerrit July 2020

coreboot-gerrit@coreboot.org

1 participants
3167 discussions

Change in coreboot[master]: security/intel/txt: Add Intel TXT support
by Philipp Deppenwiese (Code Review) 08 Jul '20

08 Jul '20

Hello build bot (Jenkins), Patrick Georgi, Martin Roth, I'd like you to reexamine a change. Please visit https://review.coreboot.org/c/coreboot/+/37016 to look at the new patch set (#7). Change subject: security/intel/txt: Add Intel TXT support ...................................................................... security/intel/txt: Add Intel TXT support * Add TXT ramstage driver ** Show startup errors ** Check for TXT reset ** Check for Secrets-in-memory ** Add assembly for GETSEC instruction ** Check platform state if GETSEC instruction is supported ** Configure TXT memory regions ** Lock TXT ** Protect TSEG using DMA protected regions ** Place SINIT ACM ** Print information about ACMs * Extend security_clear_dram_request() ** To clear all DRAM if secrets are in memory Tested on OCP Wedge100s and Facebook Watson * Able to enter a Measure Launch Environment using SINIT ACM and TBOOT * Secrets in Memory bit is set on ungraceful shutdown * Memory is cleared after ungraceful shutdown Change-Id: Iaf4be7f016cc12d3971e1e1fe171e6665e44c284 Signed-off-by: Philipp Deppenwiese <zaolin.daisuki(a)gmail.com> Signed-off-by: Philipp Deppenwiese <zaolin(a)das-labor.org> --- M src/security/intel/txt/Kconfig M src/security/intel/txt/Makefile.inc A src/security/intel/txt/common.c A src/security/intel/txt/getsec.c A src/security/intel/txt/getsec_enteraccs.S A src/security/intel/txt/logging.c A src/security/intel/txt/ramstage.c A src/security/intel/txt/txt.h A src/security/intel/txt/txt_getsec.h A src/security/intel/txt/txt_register.h M src/security/memory/memory.c 11 files changed, 1,853 insertions(+), 1 deletion(-) git pull ssh://review.coreboot.org:29418/coreboot refs/changes/16/37016/7 -- To view, visit https://review.coreboot.org/c/coreboot/+/37016 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: Iaf4be7f016cc12d3971e1e1fe171e6665e44c284 Gerrit-Change-Number: 37016 Gerrit-PatchSet: 7 Gerrit-Owner: Philipp Deppenwiese <zaolin.daisuki(a)gmail.com> Gerrit-Reviewer: Martin Roth <martinroth(a)google.com> Gerrit-Reviewer: Patrick Georgi <pgeorgi(a)google.com> Gerrit-Reviewer: Philipp Deppenwiese <zaolin.daisuki(a)gmail.com> Gerrit-Reviewer: build bot (Jenkins) <no-reply(a)coreboot.org> Gerrit-CC: Arthur Heymans <arthur(a)aheymans.xyz> Gerrit-CC: Paul Menzel <paulepanter(a)users.sourceforge.net> Gerrit-MessageType: newpatchset

1 0

Change in coreboot[master]: soc/amd/picasso: Update APOB size & base generation
by Martin Roth (Code Review) 08 Jul '20

08 Jul '20

Martin Roth has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/42824 ) Change subject: soc/amd/picasso: Update APOB size & base generation ...................................................................... soc/amd/picasso: Update APOB size & base generation Make the APOB size & base generation the same as all the other command line arguments to amdfwtool. BUG=None TEST=Build & boot trembyle Signed-off-by: Martin Roth <martin(a)coreboot.org> Change-Id: Id78383d87bc98dd2c859c75585266411c226f950 --- M src/soc/amd/picasso/Makefile.inc 1 file changed, 10 insertions(+), 6 deletions(-) git pull ssh://review.coreboot.org:29418/coreboot refs/changes/24/42824/1 diff --git a/src/soc/amd/picasso/Makefile.inc b/src/soc/amd/picasso/Makefile.inc index 2f2d02d..35bc1e7 100644 --- a/src/soc/amd/picasso/Makefile.inc +++ b/src/soc/amd/picasso/Makefile.inc @@ -257,6 +257,12 @@ PSP_VERSTAGE_FILE=$(obj)/psp_verstage.bin endif # CONFIG_VBOOT_STARTS_BEFORE_BOOTBLOCK +APOB_NV_SIZE=$(shell printf "0x%x" $(shell cat $(obj)/fmap.fmd | $(_GET_APOBNV_SIZE))) +APOB_NV_BASE=$(shell printf "0x%x" $(call int-add, \ + $(shell cat $(obj)/fmap.fmd | $(_GET_FLASH_BASE)) \ + $(shell cat $(obj)/fmap.fmd | $(_GET_BIOS_REG_BASE)) \ + $(shell cat $(obj)/fmap.fmd | $(_GET_APOBNV_BASE)))) + # type = 0xb - See #55758 (NDA) for bit definitions. PSP_SOFTFUSE_BITS += 28 @@ -320,6 +326,8 @@ OPT_MP2CFG_FILE=$(call add_opt_prefix, $(PSP_MP2CFG_FILE), --mp2-config) OPT_PSP_SHAREDMEM_BASE=$(call add_opt_prefix, $(PSP_SHAREDMEM_BASE), --sharedmem) OPT_PSP_SHAREDMEM_SIZE=$(call add_opt_prefix, $(PSP_SHAREDMEM_SIZE), --sharedmem-size) +OPT_APOB_NV_SIZE=$(call add_opt_prefix, $(APOB_NV_SIZE), --apob-nv-size) +OPT_APOB_NV_BASE=$(call add_opt_prefix, $(APOB_NV_BASE),--apob-nv-base) AMDFW_COMMON_ARGS=$(OPT_AMD_PUBKEY_FILE) \ $(OPT_PSPBTLDR_FILE) \ @@ -331,12 +339,8 @@ $(OPT_SMUFW2_SUB1_FILE) \ $(OPT_PSP_APCB_FILES) \ $(OPT_APOB_ADDR) \ - --apob-nv-size $(shell printf "0x%x" \ - $(shell cat $(obj)/fmap.fmd | $(_GET_APOBNV_SIZE))) \ - --apob-nv-base $(shell printf "0x%x" $(call int-add, \ - $(shell cat $(obj)/fmap.fmd | $(_GET_FLASH_BASE)) \ - $(shell cat $(obj)/fmap.fmd | $(_GET_BIOS_REG_BASE)) \ - $(shell cat $(obj)/fmap.fmd | $(_GET_APOBNV_BASE)))) \ + $(OPT_APOB_NV_SIZE) \ + $(OPT_APOB_NV_BASE) \ $(OPT_PSP_BIOSBIN_FILE) \ $(OPT_PSP_BIOSBIN_DEST) \ $(OPT_PSP_BIOSBIN_SIZE) \ -- To view, visit https://review.coreboot.org/c/coreboot/+/42824 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: Id78383d87bc98dd2c859c75585266411c226f950 Gerrit-Change-Number: 42824 Gerrit-PatchSet: 1 Gerrit-Owner: Martin Roth <martinroth(a)google.com> Gerrit-Reviewer: Patrick Georgi <pgeorgi(a)google.com> Gerrit-MessageType: newchange

2 2

Change in coreboot[master]: arch/x86: Add memmove.c to x86 bootblock
by Martin Roth (Code Review) 08 Jul '20

08 Jul '20

Martin Roth has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/42823 ) Change subject: arch/x86: Add memmove.c to x86 bootblock ...................................................................... arch/x86: Add memmove.c to x86 bootblock This was specifically needed for vboot with psp_verstage, but adding it to always be built into bootblock if needed like memcpy & memset makes sense. TEST=Build & boot trembyle BUG=None Signed-off-by: Martin Roth <martin(a)coreboot.org> Change-Id: Ib724aaf1492edf053a593b42107684b7bf896592 --- M src/arch/x86/Makefile.inc M src/soc/amd/picasso/Makefile.inc 2 files changed, 1 insertion(+), 1 deletion(-) git pull ssh://review.coreboot.org:29418/coreboot refs/changes/23/42823/1 diff --git a/src/arch/x86/Makefile.inc b/src/arch/x86/Makefile.inc index 6297384..10f86ca 100644 --- a/src/arch/x86/Makefile.inc +++ b/src/arch/x86/Makefile.inc @@ -94,6 +94,7 @@ bootblock-$(CONFIG_IDT_IN_EVERY_STAGE) += idt.S bootblock-y += memcpy.c bootblock-y += memset.c +bootblock-y += memmove.c bootblock-$(CONFIG_COLLECT_TIMESTAMPS_TSC) += timestamp.c bootblock-$(CONFIG_X86_TOP4G_BOOTMEDIA_MAP) += mmap_boot.c bootblock-$(CONFIG_BOOTBLOCK_NORMAL) += bootblock_normal.c diff --git a/src/soc/amd/picasso/Makefile.inc b/src/soc/amd/picasso/Makefile.inc index b18ad87..2f2d02d 100644 --- a/src/soc/amd/picasso/Makefile.inc +++ b/src/soc/amd/picasso/Makefile.inc @@ -23,7 +23,6 @@ bootblock-y += gpio.c bootblock-y += smi_util.c bootblock-y += config.c -bootblock-y += ../../../arch/x86/memmove.c romstage-y += i2c.c romstage-y += i2c-x86.c -- To view, visit https://review.coreboot.org/c/coreboot/+/42823 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: Ib724aaf1492edf053a593b42107684b7bf896592 Gerrit-Change-Number: 42823 Gerrit-PatchSet: 1 Gerrit-Owner: Martin Roth <martinroth(a)google.com> Gerrit-Reviewer: Patrick Georgi <pgeorgi(a)google.com> Gerrit-MessageType: newchange

3 3

Change in coreboot[master]: security/intel/txt: Add Intel TXT support
by Philipp Deppenwiese (Code Review) 08 Jul '20

08 Jul '20

Philipp Deppenwiese has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/37016 ) Change subject: security/intel/txt: Add Intel TXT support ...................................................................... Patch Set 6: (2 comments) https://review.coreboot.org/c/coreboot/+/37016/6/src/security/intel/txt/com… File src/security/intel/txt/common.c: https://review.coreboot.org/c/coreboot/+/37016/6/src/security/intel/txt/com… PS6, Line 31: int boot_cpu(void); > this is defined in <smp/node. […] Ack https://review.coreboot.org/c/coreboot/+/37016/6/src/security/intel/txt/com… PS6, Line 450: msr = rdmsr(LAPIC_BASE_MSR); > unused Ack -- To view, visit https://review.coreboot.org/c/coreboot/+/37016 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: Iaf4be7f016cc12d3971e1e1fe171e6665e44c284 Gerrit-Change-Number: 37016 Gerrit-PatchSet: 6 Gerrit-Owner: Philipp Deppenwiese <zaolin.daisuki(a)gmail.com> Gerrit-Reviewer: Martin Roth <martinroth(a)google.com> Gerrit-Reviewer: Patrick Georgi <pgeorgi(a)google.com> Gerrit-Reviewer: Philipp Deppenwiese <zaolin.daisuki(a)gmail.com> Gerrit-Reviewer: build bot (Jenkins) <no-reply(a)coreboot.org> Gerrit-CC: Arthur Heymans <arthur(a)aheymans.xyz> Gerrit-CC: Paul Menzel <paulepanter(a)users.sourceforge.net> Gerrit-Comment-Date: Wed, 08 Jul 2020 21:05:06 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No Comment-In-Reply-To: Arthur Heymans <arthur(a)aheymans.xyz> Gerrit-MessageType: comment

1 0

Change in coreboot[master]: soc/amd/picasso: Halt if workbuf is absent after psp_verstage
by Martin Roth (Code Review) 08 Jul '20

08 Jul '20

Martin Roth has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/42810 ) Change subject: soc/amd/picasso: Halt if workbuf is absent after psp_verstage ...................................................................... soc/amd/picasso: Halt if workbuf is absent after psp_verstage Check for the workbuf in bootblock if psp_verstage is being used. BUG=b:158124527 TEST=Build & boot Trembyle with psp_verstage Signed-off-by: Martin Roth <martin(a)coreboot.org> Change-Id: I0ec8d2c953bce4c44cde5102d2765e0ab9b5875e --- M src/soc/amd/picasso/bootblock/bootblock.c 1 file changed, 17 insertions(+), 0 deletions(-) git pull ssh://review.coreboot.org:29418/coreboot refs/changes/10/42810/1 diff --git a/src/soc/amd/picasso/bootblock/bootblock.c b/src/soc/amd/picasso/bootblock/bootblock.c index a3935cc..f633767 100644 --- a/src/soc/amd/picasso/bootblock/bootblock.c +++ b/src/soc/amd/picasso/bootblock/bootblock.c @@ -14,6 +14,11 @@ #include <amdblocks/amd_pci_mmconf.h> #include <acpi/acpi.h> +/* vboot includes directory may bot be in include path if vboot is not enabled */ +#if CONFIG(VBOOT_STARTS_BEFORE_BOOTBLOCK) +#include <2struct.h> +#endif + asmlinkage void bootblock_resume_entry(void); /* PSP performs the memory training and setting up DRAM map prior to x86 cores @@ -123,5 +128,17 @@ u32 val = cpuid_eax(1); printk(BIOS_DEBUG, "Family_Model: %08x\n", val); +#if CONFIG(VBOOT_STARTS_BEFORE_BOOTBLOCK) +#include <2struct.h> + unsigned int *workbuf_location = (unsigned int *)CONFIG_PSP_SHAREDMEM_BASE; + if (*workbuf_location != VB2_SHARED_DATA_MAGIC) { + printk(BIOS_ERR,"ERROR: VBOOT workbuf not valid.\n"); + + printk(BIOS_DEBUG,"Signature: %#08x\n",*workbuf_location); + + die("Halting.\n"); + } +#endif + fch_early_init(); } -- To view, visit https://review.coreboot.org/c/coreboot/+/42810 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: I0ec8d2c953bce4c44cde5102d2765e0ab9b5875e Gerrit-Change-Number: 42810 Gerrit-PatchSet: 1 Gerrit-Owner: Martin Roth <martinroth(a)google.com> Gerrit-MessageType: newchange

3 11

Change in coreboot[master]: soc/amd/common: Don't init SMIs or SCIs in psp_verstage
by Martin Roth (Code Review) 08 Jul '20

08 Jul '20

Martin Roth has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/42765 ) Change subject: soc/amd/common: Don't init SMIs or SCIs in psp_verstage ...................................................................... soc/amd/common: Don't init SMIs or SCIs in psp_verstage We can't set the SMI or SCI flags in psp verstage, so skip them. TEST=Build BUG=b:154142138 Signed-off-by: Martin Roth <martin(a)coreboot.org> Change-Id: I40eb464cde6b233607de1e177702c643ea2b4bb2 --- M src/soc/amd/common/block/gpio_banks/gpio.c 1 file changed, 12 insertions(+), 1 deletion(-) git pull ssh://review.coreboot.org:29418/coreboot refs/changes/65/42765/1 diff --git a/src/soc/amd/common/block/gpio_banks/gpio.c b/src/soc/amd/common/block/gpio_banks/gpio.c index 419f67a..3169e0e 100644 --- a/src/soc/amd/common/block/gpio_banks/gpio.c +++ b/src/soc/amd/common/block/gpio_banks/gpio.c @@ -180,6 +180,7 @@ int gevent_num; const struct soc_amd_event *gev_tbl; size_t gev_items; + const bool can_set_smi_flags = !(CONFIG(VBOOT_STARTS_BEFORE_BOOTBLOCK) && ENV_SEPARATE_VERSTAGE); inter_master = gpio_get_bar() + GPIO_MASTER_SWITCH; direction = 0; @@ -198,7 +199,9 @@ */ mem_read_write32(inter_master, 0, GPIO_MASK_STS_EN | GPIO_INTERRUPT_EN); - soc_get_gpio_event_table(&gev_tbl, &gev_items); + if (can_set_smi_flags) { + soc_get_gpio_event_table(&gev_tbl, &gev_items); + } for (index = 0; index < size; index++) { gpio = gpio_list_ptr[index].gpio; @@ -234,11 +237,19 @@ AMD_GPIO_CONTROL_MASK); break; case GPIO_SMI_FLAG: + /* Can't set SMI flags from PSP */ + if (!can_set_smi_flags) + break; + mem_read_write32(gpio_ptr, control, INT_SCI_SMI_MASK); program_smi(control_flags, gevent_num); break; case GPIO_SCI_FLAG: + /* Can't set SCI flags from PSP */ + if (!can_set_smi_flags) + break; + mem_read_write32(gpio_ptr, control, INT_SCI_SMI_MASK); get_sci_config_bits(control_flags, &bit_edge, -- To view, visit https://review.coreboot.org/c/coreboot/+/42765 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: I40eb464cde6b233607de1e177702c643ea2b4bb2 Gerrit-Change-Number: 42765 Gerrit-PatchSet: 1 Gerrit-Owner: Martin Roth <martinroth(a)google.com> Gerrit-MessageType: newchange

4 22

Change in coreboot[master]: lib: Temporarily remove timestamps from psp_verstage
by Martin Roth (Code Review) 08 Jul '20

08 Jul '20

Martin Roth has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/42381 ) Change subject: lib: Temporarily remove timestamps from psp_verstage ...................................................................... lib: Temporarily remove timestamps from psp_verstage The timstamp functionality is not yet added for psp_verstage, so temporarily remove it until that's completed. BUG=b:154142138 TEST=Build & Boot psp_verstage on trembyle Signed-off-by: Martin Roth <martin(a)coreboot.org> Change-Id: I020619e3615ce92dedbe868104d2bfd83cb7caa9 --- M src/lib/Makefile.inc 1 file changed, 4 insertions(+), 0 deletions(-) git pull ssh://review.coreboot.org:29418/coreboot refs/changes/81/42381/1 diff --git a/src/lib/Makefile.inc b/src/lib/Makefile.inc index e0003bd..72d4f24 100644 --- a/src/lib/Makefile.inc +++ b/src/lib/Makefile.inc @@ -46,7 +46,11 @@ verstage-y += libgcc.c verstage-y += memcmp.c verstage-y += string.c + +# TODO: Remove this when PSP bootblock timestamps are implemented. +ifeq ($(CONFIG_VBOOT_STARTS_BEFORE_BOOTBLOCK),) verstage-$(CONFIG_COLLECT_TIMESTAMPS) += timestamp.c +endif verstage-y += boot_device.c verstage-$(CONFIG_CONSOLE_CBMEM) += cbmem_console.c -- To view, visit https://review.coreboot.org/c/coreboot/+/42381 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: I020619e3615ce92dedbe868104d2bfd83cb7caa9 Gerrit-Change-Number: 42381 Gerrit-PatchSet: 1 Gerrit-Owner: Martin Roth <martinroth(a)google.com> Gerrit-Reviewer: Patrick Georgi <pgeorgi(a)google.com> Gerrit-MessageType: newchange

5 8

Change in coreboot[master]: soc/amd/picasso: Update the AMD firmware in RW-A & RW-B regions
by Martin Roth (Code Review) 08 Jul '20

08 Jul '20

Martin Roth has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/42225 ) Change subject: soc/amd/picasso: Update the AMD firmware in RW-A & RW-B regions ...................................................................... soc/amd/picasso: Update the AMD firmware in RW-A & RW-B regions The AMD firmware package created by amdfwtool contains pointers to the various binaries and settings. When these are moved to the RW-A & RW-B regions, the packages need to be recreated for the new addresses. Signed-off-by: Martin Roth <martin(a)coreboot.org> Change-Id: I0d50968b6ab4b3ab51f8c9bc66c56e141ef728ed --- M src/soc/amd/picasso/Kconfig M src/soc/amd/picasso/Makefile.inc 2 files changed, 148 insertions(+), 58 deletions(-) git pull ssh://review.coreboot.org:29418/coreboot refs/changes/25/42225/1 diff --git a/src/soc/amd/picasso/Kconfig b/src/soc/amd/picasso/Kconfig index 3fcf50a..b77b189 100644 --- a/src/soc/amd/picasso/Kconfig +++ b/src/soc/amd/picasso/Kconfig @@ -75,10 +75,6 @@ int default 64 -config VERSTAGE_ADDR - hex - default 0x4000000 - config VGA_BIOS_ID string default "1002,15d8" @@ -399,4 +395,46 @@ Runs verstage on the PSP. Only available on certain Chrome OS branded parts from AMD. +config VERSTAGE_ADDR + hex + depends on VBOOT_STARTS_IN_BOOTBLOCK + default 0x4000000 + +config DISABLE_SPI_FLASH_ROM_SHARING + def_bool n + help + Instruct the chipset to not honor the EGPIO67_SPI_ROM_REQ pin + which indicates a board level ROM transaction request. This + removes arbitration with board and assumes the chipset controls + the SPI flash bus entirely. + +if VBOOT_SLOTS_RW_AB && VBOOT_STARTS_BEFORE_BOOTBLOCK + +config RWA_REGION_ONLY + string + default "apu/amdfw_a" + help + Add a space-delimited list of filenames that should only be in the + RW-A section. + +config RWB_REGION_ONLY + string + default "apu/amdfw_b" + help + Add a space-delimited list of filenames that should only be in the + RW-B section. + +#TODO: Change this to get the positions from fmap +config PICASSO_FW_A_POSITION + hex + help + Location of the AMD firmware in the RW_A region + +config PICASSO_FW_B_POSITION + hex + help + Location of the AMD firmware in the RW_B region + +endif # VBOOT_SLOTS_RW_AB && VBOOT_STARTS_BEFORE_BOOTBLOCK + endif # SOC_AMD_PICASSO diff --git a/src/soc/amd/picasso/Makefile.inc b/src/soc/amd/picasso/Makefile.inc index b8c865f..d80713c 100644 --- a/src/soc/amd/picasso/Makefile.inc +++ b/src/soc/amd/picasso/Makefile.inc @@ -232,6 +232,19 @@ PSP_UCODE_FILE2=$(FIRMWARE_LOCATE)/UcodePatch_PCO_B0.bin PSP_UCODE_FILE3=$(FIRMWARE_LOCATE)/UcodePatch_RV2_A0.bin +# type = 0x6B - PSP Shared memory location +ifneq ($(CONFIG_PSP_SHAREDMEM_SIZE),0x0) +# Place SHAREDMEM immediately below the 4KB boundary below the reset vector. +PSP_SHAREDMEM_SIZE=$(CONFIG_PSP_SHAREDMEM_SIZE) +_PSP_SHAREDMEM_BASE=$(call int-subtract, $(call int-subtract, $(call int-add, $(CONFIG_X86_RESET_VECTOR) + 0x10) $(PSP_SHAREDMEM_SIZE)) 0x1000) +PSP_SHAREDMEM_BASE=$(shell printf "0x%x" $(_PSP_SHAREDMEM_BASE)) +endif + +# type = 0x52 - PSP Bootloader Userspace Application (verstage) +ifeq ($(CONFIG_VBOOT_STARTS_BEFORE_BOOTBLOCK),y) +PSP_VERSTAGE_FILE=$(obj)/psp_verstage.bin +endif + # type = 0xb - See #55758 (NDA) for bit definitions. PSP_SOFTFUSE_BITS += 28 @@ -274,6 +287,7 @@ OPT_ABL6_FILE=$(call add_opt_prefix, $(PSP_ABL6_FILE), --abl-image) OPT_ABL7_FILE=$(call add_opt_prefix, $(PSP_ABL7_FILE), --abl-image) OPT_WHITELIST_FILE=$(call add_opt_prefix, $(PSP_WHITELIST_FILE), --whitelist) +OPT_VERSTAGE_FILE=$(call add_opt_prefix, $(PSP_VERSTAGE_FILE), --verstage) OPT_PSP_APCB_FILES=$(foreach i, $(shell seq $(words $(PSP_APCB_FILES))), \ $(call add_opt_prefix, $(word $(i), $(PSP_APCB_FILES)), \ @@ -295,6 +309,64 @@ OPT_PSP_UCODE_FILE2=$(call add_opt_prefix, $(PSP_UCODE_FILE2), --instance 1 --ucode) OPT_PSP_UCODE_FILE3=$(call add_opt_prefix, $(PSP_UCODE_FILE3), --instance 2 --ucode) OPT_MP2CFG_FILE=$(call add_opt_prefix, $(PSP_MP2CFG_FILE), --mp2-config) +OPT_PSP_SHAREDMEM_BASE=$(call add_opt_prefix, $(PSP_SHAREDMEM_BASE), --sharedmem) +OPT_PSP_SHAREDMEM_SIZE=$(call add_opt_prefix, $(PSP_SHAREDMEM_SIZE), --sharedmem-size) + +AMDFW_COMMON_ARGS=$(OPT_AMD_PUBKEY_FILE) \ + $(OPT_PSPBTLDR_FILE) \ + $(OPT_PSPSCUREOS_FILE) \ + $(OPT_PSP_SEC_DBG_KEY_FILE) \ + $(OPT_SMUFW1_SUB2_FILE) \ + $(OPT_SMUFW2_SUB2_FILE) \ + $(OPT_SMUFW1_SUB1_FILE) \ + $(OPT_SMUFW2_SUB1_FILE) \ + $(OPT_PSP_APCB_FILES) \ + $(OPT_APOB_ADDR) \ + --apob-nv-size $(shell printf "0x%x" \ + $(shell cat $(obj)/fmap.fmd | $(_GET_APOBNV_SIZE))) \ + --apob-nv-base $(shell printf "0x%x" $(call int-add, \ + $(shell cat $(obj)/fmap.fmd | $(_GET_FLASH_BASE)) \ + $(shell cat $(obj)/fmap.fmd | $(_GET_BIOS_REG_BASE)) \ + $(shell cat $(obj)/fmap.fmd | $(_GET_APOBNV_BASE)))) \ + $(OPT_PSP_BIOSBIN_FILE) \ + $(OPT_PSP_BIOSBIN_DEST) \ + $(OPT_PSP_BIOSBIN_SIZE) \ + $(OPT_PSP_SOFTFUSE) \ + $(OPT_PSP_PMUI_FILE1) \ + $(OPT_PSP_PMUI_FILE2) \ + $(OPT_PSP_PMUI_FILE3) \ + $(OPT_PSP_PMUI_FILE4) \ + $(OPT_PSP_PMUD_FILE1) \ + $(OPT_PSP_PMUD_FILE2) \ + $(OPT_PSP_PMUD_FILE3) \ + $(OPT_PSP_PMUD_FILE4) \ + $(OPT_PSP_UCODE_FILE1) \ + $(OPT_PSP_UCODE_FILE2) \ + $(OPT_PSP_UCODE_FILE3) \ + $(OPT_MP2CFG_FILE) \ + $(OPT_ABL0_FILE) \ + $(OPT_ABL1_FILE) \ + $(OPT_ABL2_FILE) \ + $(OPT_ABL3_FILE) \ + $(OPT_ABL4_FILE) \ + $(OPT_ABL5_FILE) \ + $(OPT_ABL6_FILE) \ + $(OPT_ABL7_FILE) \ + $(OPT_WHITELIST_FILE) \ + $(OPT_SECG1_FILE) \ + $(OPT_SECG2_FILE) \ + $(OPT_MP2FW1_FILE) \ + $(OPT_MP2FW2_FILE) \ + $(OPT_DRIVERS_FILE) \ + $(OPT_PSP_S0I3_FILE) \ + $(OPT_IKEK_FILE) \ + $(OPT_SEC_DEBUG_FILE) \ + $(OPT_VERSTAGE_FILE) \ + $(OPT_PSP_SHAREDMEM_BASE) \ + $(OPT_PSP_SHAREDMEM_SIZE) \ + --combo-capable \ + $(OPT_TOKEN_UNLOCK) \ + --flashsize $(CONFIG_ROM_SIZE) # Copy prebuild APCBs if they exist $(obj)/APCB_%.bin: $(MAINBOARD_BLOBS_DIR)/APCB_%.bin @@ -375,66 +447,16 @@ $(call_strip_quotes, $(PSP_S0I3_FILE)) \ $(call_strip_quotes, $(PSP_IKEK_FILE)) \ $(call_strip_quotes, $(PSP_SEC_DEBUG_FILE)) \ + $(PSP_VERSTAGE_FILE) \ $$(PSP_APCB_FILES) \ $(AMDFWTOOL) \ $(obj)/fmap.fmd rm -f $@ @printf " AMDFWTOOL $(subst $(obj)/,,$(@))\n" $(AMDFWTOOL) \ - $(OPT_AMD_PUBKEY_FILE) \ - $(OPT_PSPBTLDR_FILE) \ - $(OPT_PSPSCUREOS_FILE) \ - $(OPT_PSP_SEC_DBG_KEY_FILE) \ - $(OPT_SMUFW1_SUB2_FILE) \ - $(OPT_SMUFW2_SUB2_FILE) \ - $(OPT_SMUFW1_SUB1_FILE) \ - $(OPT_SMUFW2_SUB1_FILE) \ - $(OPT_PSP_APCB_FILES) \ - $(OPT_APOB_ADDR) \ - --apob-nv-size $(shell printf "0x%x" \ - $(shell cat $(obj)/fmap.fmd | $(_GET_APOBNV_SIZE))) \ - --apob-nv-base $(shell printf "0x%x" $(call int-add, \ - $(shell cat $(obj)/fmap.fmd | $(_GET_FLASH_BASE)) \ - $(shell cat $(obj)/fmap.fmd | $(_GET_BIOS_REG_BASE)) \ - $(shell cat $(obj)/fmap.fmd | $(_GET_APOBNV_BASE)))) \ - $(OPT_PSP_BIOSBIN_FILE) \ - $(OPT_PSP_BIOSBIN_DEST) \ - $(OPT_PSP_BIOSBIN_SIZE) \ - $(OPT_PSP_SOFTFUSE) \ - $(OPT_PSP_PMUI_FILE1) \ - $(OPT_PSP_PMUI_FILE2) \ - $(OPT_PSP_PMUI_FILE3) \ - $(OPT_PSP_PMUI_FILE4) \ - $(OPT_PSP_PMUD_FILE1) \ - $(OPT_PSP_PMUD_FILE2) \ - $(OPT_PSP_PMUD_FILE3) \ - $(OPT_PSP_PMUD_FILE4) \ - $(OPT_PSP_UCODE_FILE1) \ - $(OPT_PSP_UCODE_FILE2) \ - $(OPT_PSP_UCODE_FILE3) \ - $(OPT_MP2CFG_FILE) \ - $(OPT_ABL0_FILE) \ - $(OPT_ABL1_FILE) \ - $(OPT_ABL2_FILE) \ - $(OPT_ABL3_FILE) \ - $(OPT_ABL4_FILE) \ - $(OPT_ABL5_FILE) \ - $(OPT_ABL6_FILE) \ - $(OPT_ABL7_FILE) \ - $(OPT_WHITELIST_FILE) \ - $(OPT_SECG1_FILE) \ - $(OPT_SECG2_FILE) \ - $(OPT_MP2FW1_FILE) \ - $(OPT_MP2FW2_FILE) \ - $(OPT_DRIVERS_FILE) \ - $(OPT_PSP_S0I3_FILE) \ - $(OPT_IKEK_FILE) \ - $(OPT_SEC_DEBUG_FILE) \ - --combo-capable \ - $(OPT_TOKEN_UNLOCK) \ - --flashsize $(CONFIG_ROM_SIZE) \ - --location $(shell printf "0x%x" $(PICASSO_FWM_POSITION)) \ - --output $@ + $(AMDFW_COMMON_ARGS) \ + --location $(shell printf "%#x" $(PICASSO_FWM_POSITION)) \ + --output $@ $(PSP_BIOSBIN_FILE): $(PSP_ELF_FILE) $(AMDCOMPRESS) rm -f $@ @@ -442,6 +464,24 @@ $(AMDCOMPRESS) --infile $(PSP_ELF_FILE) --outfile $@ --compress \ --maxsize $(PSP_BIOSBIN_SIZE) +$(obj)/amdfw_a.rom: $(obj)/amdfw.rom + rm -f $@ + @printf " AMDFWTOOL $(subst $(obj)/,,$(@))\n" + $(AMDFWTOOL) \ + $(AMDFW_COMMON_ARGS) \ + --location $(shell printf "%#x" $(CONFIG_PICASSO_FW_A_POSITION)) \ + --anywhere \ + --output $@ + +$(obj)/amdfw_b.rom: $(obj)/amdfw.rom + rm -f $@ + @printf " AMDFWTOOL $(subst $(obj)/,,$(@))\n" + $(AMDFWTOOL) \ + $(AMDFW_COMMON_ARGS) \ + --location $(shell printf "%#x" $(CONFIG_PICASSO_FW_B_POSITION)) \ + --anywhere \ + --output $@ + ifeq ($(CONFIG_AMDFW_OUTSIDE_CBFS),y) PHONY+=add_amdfw INTERMEDIATE+=add_amdfw @@ -467,6 +507,18 @@ apu/amdfw-position := $(PICASSO_FWM_POSITION) apu/amdfw-type := raw +ifeq ($(CONFIG_VBOOT_SLOTS_RW_AB)$(CONFIG_VBOOT_STARTS_BEFORE_BOOTBLOCK),yy) +cbfs-files-y += apu/amdfw_a +apu/amdfw_a-file := $(obj)/amdfw_a.rom +apu/amdfw_a-position := $(call strip_quotes, $(CONFIG_PICASSO_FW_A_POSITION)) +apu/amdfw_a-type := raw + +cbfs-files-y += apu/amdfw_b +apu/amdfw_b-file := $(obj)/amdfw_b.rom +apu/amdfw_b-position := $(call strip_quotes, $(CONFIG_PICASSO_FW_B_POSITION)) +apu/amdfw_b-type := raw +endif + endif # ifeq ($(CONFIG_AMDFW_OUTSIDE_CBFS),y) $(call strip_quotes,$(CONFIG_FSP_M_CBFS))-options := -b $(CONFIG_FSP_M_ADDR) -- To view, visit https://review.coreboot.org/c/coreboot/+/42225 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: I0d50968b6ab4b3ab51f8c9bc66c56e141ef728ed Gerrit-Change-Number: 42225 Gerrit-PatchSet: 1 Gerrit-Owner: Martin Roth <martinroth(a)google.com> Gerrit-Reviewer: Patrick Georgi <pgeorgi(a)google.com> Gerrit-MessageType: newchange

3 11

Change in coreboot[master]: security/vboot: Allow files to go into only RW-A or RW-B region
by Martin Roth (Code Review) 08 Jul '20

08 Jul '20

Martin Roth has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/42822 ) Change subject: security/vboot: Allow files to go into only RW-A or RW-B region ...................................................................... security/vboot: Allow files to go into only RW-A or RW-B region The AMD firmware package created by amdfwtool contains pointers to the various binaries and settings. This means that we need different copies of the package in each region. This change allows for the different files in each of the 3 vboot regions. BUG=b:158124527 TEST=Build trembyle; see the correct versions of the files getting built into the RW-A & RW-B regions. Signed-off-by: Martin Roth <martin(a)coreboot.org> Change-Id: I45ff69dbc2266a67e05597bbe721fbf95cf41777 --- M src/security/vboot/Kconfig M src/security/vboot/Makefile.inc 2 files changed, 26 insertions(+), 3 deletions(-) git pull ssh://review.coreboot.org:29418/coreboot refs/changes/22/42822/1 diff --git a/src/security/vboot/Kconfig b/src/security/vboot/Kconfig index ad5b61e..ee8d36a 100644 --- a/src/security/vboot/Kconfig +++ b/src/security/vboot/Kconfig @@ -218,6 +218,22 @@ Add a space delimited list of filenames that should only be in the RW sections. +config RWA_REGION_ONLY + string + default "" + depends on VBOOT_SLOTS_RW_AB + help + Add a space-delimited list of filenames that should only be in the + RW-A section. + +config RWB_REGION_ONLY + string + default "" + depends on VBOOT_SLOTS_RW_AB + help + Add a space-delimited list of filenames that should only be in the + RW-B section. + config VBOOT_ENABLE_CBFS_FALLBACK bool default n diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc index 1e0166e..90b2756 100644 --- a/src/security/vboot/Makefile.inc +++ b/src/security/vboot/Makefile.inc @@ -165,8 +165,9 @@ endif # Return the regions a specific file should be placed in. The files listed below and the ones -# that are specified in CONFIG_RO_REGION_ONLY are only specified in the RO region. The files -# specified in the CONFIG_RW_REGION_ONLY are only placed in the RW regions. +# that are specified in CONFIG_RO_REGION_ONLY, are only specified in the RO region. The files +# specified in the CONFIG_RW_REGION_ONLY are placed in all RW regions. Files specified +# in CONFIG_RWA_REGION_ONLY or CONFIG_RWB_REGION_ONLY get placed only in those sections. # All other files will be installed into RO and RW regions # Use $(sort) to cut down on extra spaces that would be translated to commas regions-for-file = $(subst $(spc),$(comma),$(sort \ @@ -185,9 +186,15 @@ $(call strip_quotes,$(CONFIG_RO_REGION_ONLY)) \ ,$(1)),COREBOOT,\ $(if $(filter \ + $(call strip_quotes,$(CONFIG_RWA_REGION_ONLY)) \ + ,$(1)), FW_MAIN_A, \ + $(if $(filter \ + $(call strip_quotes,$(CONFIG_RWB_REGION_ONLY)) \ + ,$(1)), FW_MAIN_B, \ + $(if $(filter \ $(call strip_quotes,$(CONFIG_RW_REGION_ONLY)) \ ,$(1)), $(RW_PARTITIONS), $(VBOOT_PARTITIONS) ) \ - ))) + ))))) CONFIG_GBB_HWID := $(call strip_quotes,$(CONFIG_GBB_HWID)) CONFIG_GBB_BMPFV_FILE := $(call strip_quotes,$(CONFIG_GBB_BMPFV_FILE)) -- To view, visit https://review.coreboot.org/c/coreboot/+/42822 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: I45ff69dbc2266a67e05597bbe721fbf95cf41777 Gerrit-Change-Number: 42822 Gerrit-PatchSet: 1 Gerrit-Owner: Martin Roth <martinroth(a)google.com> Gerrit-Reviewer: Aaron Durbin <adurbin(a)chromium.org> Gerrit-Reviewer: Patrick Georgi <pgeorgi(a)google.com> Gerrit-MessageType: newchange

2 2

Change in coreboot[master]: soc/amd/picasso:Add psp_verstage components to amdfw binary
by Martin Roth (Code Review) 08 Jul '20

08 Jul '20

Martin Roth has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/42380 ) Change subject: soc/amd/picasso:Add psp_verstage components to amdfw binary ...................................................................... soc/amd/picasso:Add psp_verstage components to amdfw binary This adds the psp_verstage userspace application and the location of the shared memory area to the amdfw binary tables. BUG=b:158124527 TEST=Build & boot psp_verstage on trembyle Signed-off-by: Martin Roth <martin(a)coreboot.org> Change-Id: I45309b5998e6e442ff37cf1d2adb8ccfa1b6a619 --- M src/soc/amd/picasso/Makefile.inc 1 file changed, 19 insertions(+), 0 deletions(-) git pull ssh://review.coreboot.org:29418/coreboot refs/changes/80/42380/1 diff --git a/src/soc/amd/picasso/Makefile.inc b/src/soc/amd/picasso/Makefile.inc index 783b9a4..8e14d9d 100644 --- a/src/soc/amd/picasso/Makefile.inc +++ b/src/soc/amd/picasso/Makefile.inc @@ -239,6 +239,18 @@ PSP_UCODE_FILE2=$(FIRMWARE_LOCATE)/UcodePatch_PCO_B0.bin PSP_UCODE_FILE3=$(FIRMWARE_LOCATE)/UcodePatch_RV2_A0.bin +# type = 0x6B - PSP Shared memory location +ifneq ($(CONFIG_PSP_SHAREDMEM_SIZE),0x0) +PSP_SHAREDMEM_SIZE=$(CONFIG_PSP_SHAREDMEM_SIZE) +_PSP_SHAREDMEM_BASE=$(shell grep -ir _vboot2_work $(obj)/cbfs/$(CONFIG_CBFS_PREFIX)/bootblock.map | cut -f1 -d' ') +PSP_SHAREDMEM_BASE=$(shell printf "0x%x" $(_PSP_SHAREDMEM_BASE)) +endif + +# type = 0x52 - PSP Bootloader Userspace Application (verstage) +ifeq ($(CONFIG_VBOOT_STARTS_BEFORE_BOOTBLOCK),y) +PSP_VERSTAGE_FILE=$(obj)/psp_verstage.bin +endif + # type = 0xb - See #55758 (NDA) for bit definitions. PSP_SOFTFUSE_BITS += 28 @@ -281,6 +293,7 @@ OPT_ABL6_FILE=$(call add_opt_prefix, $(PSP_ABL6_FILE), --abl-image) OPT_ABL7_FILE=$(call add_opt_prefix, $(PSP_ABL7_FILE), --abl-image) OPT_WHITELIST_FILE=$(call add_opt_prefix, $(PSP_WHITELIST_FILE), --whitelist) +OPT_VERSTAGE_FILE=$(call add_opt_prefix, $(PSP_VERSTAGE_FILE), --verstage) OPT_PSP_APCB_FILES=$(foreach i, $(shell seq $(words $(PSP_APCB_FILES))), \ $(call add_opt_prefix, $(word $(i), $(PSP_APCB_FILES)), \ @@ -299,6 +312,8 @@ OPT_PSP_PMUD_FILE3=$(call add_opt_prefix, $(PSP_PMUD_FILE3), --subprogram 1 --instance 1 --pmu-data) OPT_PSP_PMUD_FILE4=$(call add_opt_prefix, $(PSP_PMUD_FILE4), --subprogram 1 --instance 4 --pmu-data) OPT_MP2CFG_FILE=$(call add_opt_prefix, $(PSP_MP2CFG_FILE), --mp2-config) +OPT_PSP_SHAREDMEM_BASE=$(call add_opt_prefix, $(PSP_SHAREDMEM_BASE), --sharedmem) +OPT_PSP_SHAREDMEM_SIZE=$(call add_opt_prefix, $(PSP_SHAREDMEM_SIZE), --sharedmem-size) # Copy prebuild APCBs if they exist $(obj)/APCB_%.bin: $(MAINBOARD_BLOBS_DIR)/APCB_%.bin @@ -376,6 +391,7 @@ $(call_strip_quotes, $(PSP_S0I3_FILE)) \ $(call_strip_quotes, $(PSP_IKEK_FILE)) \ $(call_strip_quotes, $(PSP_SEC_DEBUG_FILE)) \ + $(PSP_VERSTAGE_FILE) \ $$(PSP_APCB_FILES) \ $(AMDFWTOOL) \ $(obj)/fmap.fmd @@ -430,6 +446,9 @@ $(OPT_SEC_DEBUG_FILE) \ --combo-capable \ $(OPT_TOKEN_UNLOCK) \ + $(OPT_VERSTAGE_FILE) \ + $(OPT_PSP_SHAREDMEM_BASE) \ + $(OPT_PSP_SHAREDMEM_SIZE) \ --flashsize $(CONFIG_ROM_SIZE) \ --location $(shell printf "0x%x" $(PICASSO_FWM_POSITION)) \ --output $@ -- To view, visit https://review.coreboot.org/c/coreboot/+/42380 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: I45309b5998e6e442ff37cf1d2adb8ccfa1b6a619 Gerrit-Change-Number: 42380 Gerrit-PatchSet: 1 Gerrit-Owner: Martin Roth <martinroth(a)google.com> Gerrit-Reviewer: Patrick Georgi <pgeorgi(a)google.com> Gerrit-MessageType: newchange

5 11

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

coreboot-gerrit July 2020