coreboot-gerrit August 2020

coreboot-gerrit@coreboot.org

1 participants
2457 discussions

Change in coreboot[master]: Makefile.inc: Add Boot Guard IBB logic for CBFS files
by Michał Żygowski (Code Review) 09 Jun '23

09 Jun '23

Michał Żygowski has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/43394 ) Change subject: Makefile.inc: Add Boot Guard IBB logic for CBFS files ...................................................................... Makefile.inc: Add Boot Guard IBB logic for CBFS files The Boot Guard implementation will leverage FIT entries to locate IBB files in CBFS to create the IBB hash. ifittool will create entries of type 7 which will be then parsd by another tool to calculate hash of whole IBB. These entries will be removed or left untouched based on the Boot Guard revison. This will open a path to support Converged Boot Guard and Trusted Execution Technology. Signed-off-by: Michał Żygowski <michal.zygowski(a)3mdeb.com> Change-Id: I73e23ddbd8c7f6eef2de3cd3baeb656c86917261 --- M Makefile.inc M src/drivers/intel/fsp2_0/Makefile.inc M src/security/vboot/Makefile.inc 3 files changed, 23 insertions(+), 3 deletions(-) git pull ssh://review.coreboot.org:29418/coreboot refs/changes/94/43394/1 diff --git a/Makefile.inc b/Makefile.inc index 89bb3e4..912dd42 100644 --- a/Makefile.inc +++ b/Makefile.inc @@ -712,6 +712,19 @@ endif +# For Intel BtG files in the CBFS needs to be marked as 'Initial Boot Block'. +# As CBFS attributes aren't cheap, only mark them if BtG is enabled. +ifeq ($(CONFIG_INTEL_BOOTGUARD),y) + +BTGIBB := --ibb + +else + +BTGIBB := + +endif + + ifeq ($(CONFIG_COMPRESS_BOOTBLOCK),y) $(objcbfs)/bootblock.lz4: $(objcbfs)/bootblock.elf $(objutil)/cbfstool/cbfs-compression-tool @@ -1051,7 +1064,7 @@ -f $(objcbfs)/bootblock.bin \ -n bootblock \ -t bootblock \ - $(TXTIBB) \ + $(TXTIBB) $(BTGIBB) \ -b -$(call file-size,$(objcbfs)/bootblock.bin) $(cbfs-autogen-attributes) \ $(TS_OPTIONS) else # ifeq ($(CONFIG_ARCH_X86),y) diff --git a/src/drivers/intel/fsp2_0/Makefile.inc b/src/drivers/intel/fsp2_0/Makefile.inc index e954a46..278036a 100644 --- a/src/drivers/intel/fsp2_0/Makefile.inc +++ b/src/drivers/intel/fsp2_0/Makefile.inc @@ -43,7 +43,7 @@ $(FSP_T_CBFS)-file := $(call strip_quotes,$(CONFIG_FSP_T_FILE)) $(FSP_T_CBFS)-type := fsp ifeq ($(CONFIG_FSP_T_XIP),y) -$(FSP_T_CBFS)-options := --xip $(TXTIBB) +$(FSP_T_CBFS)-options := --xip $(TXTIBB) $(BTGIBB) endif cbfs-files-$(CONFIG_ADD_FSP_BINARIES) += $(FSP_M_CBFS) diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc index 90b2756..4097a53 100644 --- a/src/security/vboot/Makefile.inc +++ b/src/security/vboot/Makefile.inc @@ -141,7 +141,14 @@ endif endif -$(CONFIG_CBFS_PREFIX)/verstage-options += $(TXTIBB) +$(CONFIG_CBFS_PREFIX)/verstage-options += $(BTGIBB) $(TXTIBB) + +ifeq ($(CONFIG_INTEL_BOOTGUARD),y) +INTERMEDIATE+=add_verstage_ibb_fit + +add_verstage_ibb_fit: $(obj)/coreboot.pre $(IFITTOOL) + $(IFITTOOL) -r COREBOOT -a -n $(CONFIG_CBFS_PREFIX)/verstage -t 7 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $< +endif else # CONFIG_VBOOT_SEPARATE_VERSTAGE ifeq ($(CONFIG_VBOOT_STARTS_IN_BOOTBLOCK),y) -- To view, visit https://review.coreboot.org/c/coreboot/+/43394 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: I73e23ddbd8c7f6eef2de3cd3baeb656c86917261 Gerrit-Change-Number: 43394 Gerrit-PatchSet: 1 Gerrit-Owner: Michał Żygowski <michal.zygowski(a)3mdeb.com> Gerrit-Reviewer: Aaron Durbin <adurbin(a)chromium.org> Gerrit-Reviewer: Andrey Petrov <andrey.petrov(a)gmail.com> Gerrit-Reviewer: Martin Roth <martinroth(a)google.com> Gerrit-Reviewer: Patrick Georgi <pgeorgi(a)google.com> Gerrit-Reviewer: Patrick Rudolph <siro(a)das-labor.org> Gerrit-MessageType: newchange

4 4

Change in coreboot[master]: soc/intel/skylake/Kconfig: Select FSPT XIP in FSP CAR is used
by Michał Żygowski (Code Review) 09 Jun '23

09 Jun '23

Michał Żygowski has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/43396 ) Change subject: soc/intel/skylake/Kconfig: Select FSPT XIP in FSP CAR is used ...................................................................... soc/intel/skylake/Kconfig: Select FSPT XIP in FSP CAR is used Signed-off-by: Michał Żygowski <michal.zygowski(a)3mdeb.com> Change-Id: Ic7c984c6e2c0f93cbb97a7aa8426c2f6ef889162 --- M src/soc/intel/skylake/Kconfig 1 file changed, 1 insertion(+), 0 deletions(-) git pull ssh://review.coreboot.org:29418/coreboot refs/changes/96/43396/1 diff --git a/src/soc/intel/skylake/Kconfig b/src/soc/intel/skylake/Kconfig index a3e8d9f..1f36c27 100644 --- a/src/soc/intel/skylake/Kconfig +++ b/src/soc/intel/skylake/Kconfig @@ -30,6 +30,7 @@ select CPU_INTEL_FIRMWARE_INTERFACE_TABLE select CPU_INTEL_COMMON_HYPERTHREADING select FSP_M_XIP + select FSP_T_XIP if FSP_CAR select GENERIC_GPIO_LIB select HAVE_FSP_GOP select HAVE_FSP_LOGO_SUPPORT -- To view, visit https://review.coreboot.org/c/coreboot/+/43396 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: Ic7c984c6e2c0f93cbb97a7aa8426c2f6ef889162 Gerrit-Change-Number: 43396 Gerrit-PatchSet: 1 Gerrit-Owner: Michał Żygowski <michal.zygowski(a)3mdeb.com> Gerrit-Reviewer: Patrick Rudolph <siro(a)das-labor.org> Gerrit-MessageType: newchange

4 4

Change in coreboot[master]: soc/intel/tgl: Enable Tracehub (not to be merged)
by Shreesh Chhabbi (Code Review) 09 Jun '23

09 Jun '23

Shreesh Chhabbi has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/42397 ) Change subject: soc/intel/tgl: Enable Tracehub (not to be merged) ...................................................................... soc/intel/tgl: Enable Tracehub (not to be merged) Change-Id: I288c17c0a3258cd506cac23014aac5e7520143b2 Signed-off-by: Shreesh Chhabbi <shreesh.chhabbi(a)intel.com> --- M src/soc/intel/tigerlake/fsp_params.c M src/soc/intel/tigerlake/romstage/fsp_params.c 2 files changed, 18 insertions(+), 0 deletions(-) git pull ssh://review.coreboot.org:29418/coreboot refs/changes/97/42397/1 diff --git a/src/soc/intel/tigerlake/fsp_params.c b/src/soc/intel/tigerlake/fsp_params.c index b9dbec8..7450c34 100644 --- a/src/soc/intel/tigerlake/fsp_params.c +++ b/src/soc/intel/tigerlake/fsp_params.c @@ -80,14 +80,19 @@ { int i; FSP_S_CONFIG *params = &supd->FspsConfig; + unsigned int *tracehub_mem; struct device *dev; struct soc_intel_tigerlake_config *config; config = config_of_soc(); + tracehub_mem = malloc(4*1024*sizeof(uint32_t)); + /* Parse device tree and enable/disable Serial I/O devices */ parse_devicetree(params); + params->TraceHubMemBase = (UINT32) tracehub_mem; + /* Load VBT before devicetree-specific config. */ params->GraphicsConfigPtr = (uintptr_t)vbt_get(); diff --git a/src/soc/intel/tigerlake/romstage/fsp_params.c b/src/soc/intel/tigerlake/romstage/fsp_params.c index f7956c8..b58952f 100644 --- a/src/soc/intel/tigerlake/romstage/fsp_params.c +++ b/src/soc/intel/tigerlake/romstage/fsp_params.c @@ -18,6 +18,9 @@ unsigned int i; uint32_t mask = 0; const struct device *dev; + //uint32_t *tracehub_mem; + + //tracehub_mem = malloc(4*1024*sizeof(uint32_t)); dev = pcidev_path_on_root(SA_DEVFN_IGD); if (!dev || !dev->enabled) { @@ -196,6 +199,16 @@ /* Change VmxEnable UPD value according to ENABLE_VMX Kconfig */ m_cfg->VmxEnable = CONFIG(ENABLE_VMX); + //m_cfg->TraceHubMemBase = tracehub_mem; + m_cfg->DciEn = 1; + m_cfg->DciDbcMode = 0; + m_cfg->CpuTraceHubMode = 2; + m_cfg->CpuTraceHubMemReg0Size = 2; + m_cfg->CpuTraceHubMemReg1Size = 2; + m_cfg->PchTraceHubMode = 2; + m_cfg->PchTraceHubMemReg0Size = 2; + m_cfg->PchTraceHubMemReg1Size = 2; + m_cfg->PlatformDebugConsent = 2; } void platform_fsp_memory_init_params_cb(FSPM_UPD *mupd, uint32_t version) -- To view, visit https://review.coreboot.org/c/coreboot/+/42397 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: I288c17c0a3258cd506cac23014aac5e7520143b2 Gerrit-Change-Number: 42397 Gerrit-PatchSet: 1 Gerrit-Owner: Shreesh Chhabbi <shreesh.chhabbi(a)intel.com> Gerrit-MessageType: newchange

2 1

Change in coreboot[master]: arch/x86/exception: Add support for printing stack to x86_64
by Raul Rangel (Code Review) 09 Jun '23

09 Jun '23

Raul Rangel has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/43356 ) Change subject: arch/x86/exception: Add support for printing stack to x86_64 ...................................................................... arch/x86/exception: Add support for printing stack to x86_64 x86_64 uses rsp and rbp which are 8 bytes wide. BUG=b:159081993 TEST=none Signed-off-by: Raul E Rangel <rrangel(a)chromium.org> Change-Id: Ie0571dd3a02acc4b70bdd00221e69cc2e20afec3 --- M src/arch/x86/exception.c 1 file changed, 13 insertions(+), 1 deletion(-) git pull ssh://review.coreboot.org:29418/coreboot refs/changes/56/43356/1 diff --git a/src/arch/x86/exception.c b/src/arch/x86/exception.c index 958ebfc..48083ca 100644 --- a/src/arch/x86/exception.c +++ b/src/arch/x86/exception.c @@ -545,8 +545,19 @@ printk(BIOS_EMERG, "%.2x ", code[i]); } +#ifdef __x86_64__ + /* Align to 8-byte boundary and up the stack. */ + u64 *ptr = (u64 *)(ALIGN_DOWN(info->rsp, sizeof(u64)) + MDUMP_SIZE - sizeof(u64)); + for (i = 0; i < MDUMP_SIZE / sizeof(u64); ++i, --ptr) { + printk(BIOS_EMERG, "\n%p:\t0x%016llx", ptr, *ptr); + if ((uintptr_t)ptr == info->rbp) + printk(BIOS_EMERG, " <-rbp"); + else if ((uintptr_t)ptr == info->rsp) + printk(BIOS_EMERG, " <-rsp"); + } +#else /* Align to 4-byte boundary and up the stack. */ - u32 *ptr = (u32 *)(ALIGN_DOWN((uintptr_t)info->esp, sizeof(u32)) + MDUMP_SIZE - 4); + u32 *ptr = (u32 *)(ALIGN_DOWN(info->esp, sizeof(u32)) + MDUMP_SIZE - sizeof(u32)); for (i = 0; i < MDUMP_SIZE / sizeof(u32); ++i, --ptr) { printk(BIOS_EMERG, "\n%p:\t0x%08x", ptr, *ptr); if ((uintptr_t)ptr == info->ebp) @@ -554,6 +565,7 @@ else if ((uintptr_t)ptr == info->esp) printk(BIOS_EMERG, " <-esp"); } +#endif die("\n"); #endif -- To view, visit https://review.coreboot.org/c/coreboot/+/43356 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: Ie0571dd3a02acc4b70bdd00221e69cc2e20afec3 Gerrit-Change-Number: 43356 Gerrit-PatchSet: 1 Gerrit-Owner: Raul Rangel <rrangel(a)chromium.org> Gerrit-MessageType: newchange

4 6

Change in coreboot[master]: nb/intel/i945: Switch back from V4 to V3 resource allocator to fix hangs
by Paul Menzel (Code Review) 09 Jun '23

09 Jun '23

Paul Menzel has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/43574 ) Change subject: nb/intel/i945: Switch back from V4 to V3 resource allocator to fix hangs ...................................................................... nb/intel/i945: Switch back from V4 to V3 resource allocator to fix hangs On the Lenovo T60 (TYPE 2007 with dedicated ATI/AMD graphics card) with the resource allocator v4 the system 99 percent of the time hangs decompressing the payload or a little later. coreboot runs the VGA Option ROM, as the GRUB payload is used. CBFS: Locating 'fallback/payload' CBFS: Found @ offset 4d580 size 60f2c Checking segment from ROM address 0xffe4d7b8 Checking segment from ROM address 0xffe4d7d4 Checking segment from ROM address 0xffe4d7f0 Loading segment from ROM address 0xffe4d7b8 code (compression=1) New segment dstaddr 0x00009000 memsize 0x17858 srcaddr 0xffe4d80c filesize 0x833b Loading Segment: addr: 0x00009000 memsz: 0x0000000000017858 filesz: 0x000000000000833b using LZMA Clearing Segment: addr: 0x0000000000018dc3 memsz: 0x0000000000007a95 Loading segment from ROM address 0xffe4d7d4 code (compression=1) New segment dstaddr 0x00100000 memsize 0x11a6c0 srcaddr 0xffe55b47 filesize 0x58b9d Loading Segment: addr: 0x00100000 memsz: 0x000000000011a6c0 filesz: 0x0000000000058b9d using LZMA Sometimes it halts also a little later. CBFS: Locating 'fallback/payload' CBFS: Found @ offset 4d580 size 60f2c Checking segment from ROM address 0xffe4d7b8 Checking segment from ROM address 0xffe4d7d4 Checking segment from ROM address 0xffe4d7f0 Loading segment from ROM address 0xffe4d7b8 code (compression=1) New segment dstaddr 0x00009000 memsize 0x17858 srcaddr 0xffe4d80c filesize 0x833b Loading Segment: addr: 0x00009000 memsz: 0x0000000000017858 filesz: 0x000000000000833b using LZMA Clearing Segment: addr: 0x0000000000018dc3 memsz: 0x0000000000007a95 Loading segment from ROM address 0xffe4d7d4 code (compression=1) New segment dstaddr 0x00100000 memsize 0x11a6c0 srcaddr 0xffe55b47 filesize 0x58b9d Loading Segment: addr: 0x00100000 memsz: 0x000000000011a6c0 filesz: 0x0000000000058b9d using LZMA Loading segment from ROM address 0xffe4d7f0 Entry Point 0x00009000 BS: BS_PAYLOAD_LOAD run times (exec / console): 365 / 81 ms ICH-NM10-PCH: watchdog disabled Jumping to boot code at 0x00009000(0xbfb7e000) A cursor in blinking on the top left corner. Fixes: 23b874a374 (device: Switch to resource allocator v4 by default treewide) Resolves: https://ticket.coreboot.org/issues/267 Change-Id: I1d8d60c26bfe036cbd769ef96b4873e1438adea8 Signed-off-by: Paul Menzel <pmenzel(a)molgen.mpg.de> --- M src/northbridge/intel/i945/Kconfig 1 file changed, 1 insertion(+), 0 deletions(-) git pull ssh://review.coreboot.org:29418/coreboot refs/changes/74/43574/1 diff --git a/src/northbridge/intel/i945/Kconfig b/src/northbridge/intel/i945/Kconfig index d6498f1..ea74a8f 100644 --- a/src/northbridge/intel/i945/Kconfig +++ b/src/northbridge/intel/i945/Kconfig @@ -2,6 +2,7 @@ config NORTHBRIDGE_INTEL_I945 bool + select RESOURCE_ALLOCATOR_V3 if NORTHBRIDGE_INTEL_I945 -- To view, visit https://review.coreboot.org/c/coreboot/+/43574 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: I1d8d60c26bfe036cbd769ef96b4873e1438adea8 Gerrit-Change-Number: 43574 Gerrit-PatchSet: 1 Gerrit-Owner: Paul Menzel <paulepanter(a)users.sourceforge.net> Gerrit-MessageType: newchange

2 2

Change in coreboot[master]: mb/google/hatch: Make Nightfury variant alphabettically sorted
by Edward O'Callaghan (Code Review) 09 Jun '23

09 Jun '23

Edward O'Callaghan has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/40400 ) Change subject: mb/google/hatch: Make Nightfury variant alphabettically sorted ...................................................................... mb/google/hatch: Make Nightfury variant alphabettically sorted Change-Id: I21a710ee0df45188f1f43aad61967069faf88fdb Signed-off-by: Edward O'Callaghan <quasisec(a)google.com> --- M src/mainboard/google/hatch/Kconfig M src/mainboard/google/hatch/Kconfig.name 2 files changed, 8 insertions(+), 8 deletions(-) git pull ssh://review.coreboot.org:29418/coreboot refs/changes/00/40400/1 diff --git a/src/mainboard/google/hatch/Kconfig b/src/mainboard/google/hatch/Kconfig index 2419722..6eff9070 100644 --- a/src/mainboard/google/hatch/Kconfig +++ b/src/mainboard/google/hatch/Kconfig @@ -103,8 +103,8 @@ default "Kindred" if BOARD_GOOGLE_KINDRED default "Kohaku" if BOARD_GOOGLE_KOHAKU default "Mushu" if BOARD_GOOGLE_MUSHU - default "Palkia" if BOARD_GOOGLE_PALKIA default "Nightfury" if BOARD_GOOGLE_NIGHTFURY + default "Palkia" if BOARD_GOOGLE_PALKIA default "Puff" if BOARD_GOOGLE_PUFF default "Kaisa" if BOARD_GOOGLE_KAISA default "Stryke" if BOARD_GOOGLE_STRYKE @@ -131,8 +131,8 @@ default "kindred" if BOARD_GOOGLE_KINDRED default "kohaku" if BOARD_GOOGLE_KOHAKU default "mushu" if BOARD_GOOGLE_MUSHU - default "palkia" if BOARD_GOOGLE_PALKIA default "nightfury" if BOARD_GOOGLE_NIGHTFURY + default "palkia" if BOARD_GOOGLE_PALKIA default "puff" if BOARD_GOOGLE_PUFF default "kaisa" if BOARD_GOOGLE_KAISA default "stryke" if BOARD_GOOGLE_STRYKE diff --git a/src/mainboard/google/hatch/Kconfig.name b/src/mainboard/google/hatch/Kconfig.name index ce34211..f3f944f 100644 --- a/src/mainboard/google/hatch/Kconfig.name +++ b/src/mainboard/google/hatch/Kconfig.name @@ -60,6 +60,12 @@ select BOARD_GOOGLE_BASEBOARD_HATCH_LAPTOP select BOARD_ROMSIZE_KB_16384 +config BOARD_GOOGLE_NIGHTFURY + bool "-> Nightfury" + select BOARD_GOOGLE_BASEBOARD_HATCH + select BOARD_GOOGLE_BASEBOARD_HATCH_LAPTOP + select BOARD_ROMSIZE_KB_16384 + config BOARD_GOOGLE_PALKIA bool "-> Palkia" select BOARD_GOOGLE_BASEBOARD_HATCH @@ -68,12 +74,6 @@ select CHROMEOS_DSM_CALIB select DRIVERS_I2C_RT1011 -config BOARD_GOOGLE_NIGHTFURY - bool "-> Nightfury" - select BOARD_GOOGLE_BASEBOARD_HATCH - select BOARD_GOOGLE_BASEBOARD_HATCH_LAPTOP - select BOARD_ROMSIZE_KB_16384 - config BOARD_GOOGLE_PUFF bool "-> Puff" select BOARD_GOOGLE_BASEBOARD_HATCH -- To view, visit https://review.coreboot.org/c/coreboot/+/40400 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: I21a710ee0df45188f1f43aad61967069faf88fdb Gerrit-Change-Number: 40400 Gerrit-PatchSet: 1 Gerrit-Owner: Edward O'Callaghan <quasisec(a)chromium.org> Gerrit-MessageType: newchange

5 8

Change in coreboot[master]: configs: Build test google/veyron_jaq with depthcharge payload
by Paul Menzel (Code Review) 09 Jun '23

09 Jun '23

Paul Menzel has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/43469 ) Change subject: configs: Build test google/veyron_jaq with depthcharge payload ...................................................................... configs: Build test google/veyron_jaq with depthcharge payload Change-Id: Id59a2f98d928cc01a47ac3b64f9face811dc79e1 Signed-off-by: Paul Menzel <pmenzel(a)molgen.mpg.de> --- A configs/config.google_veyron_jaq_depthcharge_master 1 file changed, 5 insertions(+), 0 deletions(-) git pull ssh://review.coreboot.org:29418/coreboot refs/changes/69/43469/1 diff --git a/configs/config.google_veyron_jaq_depthcharge_master b/configs/config.google_veyron_jaq_depthcharge_master new file mode 100644 index 0000000..032ff6d --- /dev/null +++ b/configs/config.google_veyron_jaq_depthcharge_master @@ -0,0 +1,5 @@ +CONFIG_VENDOR_GOOGLE=y +CONFIG_BOARD_GOOGLE_VEYRON_JAQ=y +CONFIG_CHROMEOS=y +CONFIG_PAYLOAD_DEPTHCHARGE=y +CONFIG_DEPTHCHARGE_MASTER=y -- To view, visit https://review.coreboot.org/c/coreboot/+/43469 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: Id59a2f98d928cc01a47ac3b64f9face811dc79e1 Gerrit-Change-Number: 43469 Gerrit-PatchSet: 1 Gerrit-Owner: Paul Menzel <paulepanter(a)users.sourceforge.net> Gerrit-MessageType: newchange

2 3

Change in coreboot[master]: mb/google/kukui: fix damu touchscreen reset sequence
by Magf - (Code Review) 09 Jun '23

09 Jun '23

Magf - has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/43319 ) Change subject: mb/google/kukui: fix damu touchscreen reset sequence ...................................................................... mb/google/kukui: fix damu touchscreen reset sequence Damu touchscreen is a typical hid-over-i2c device and its reset pin has a sequence requirement (T5) > 500us. Kernel hid-over-i2c driver has no interface to support a reset pin, so current implementation will be using a default pull down pin and rely on kernel to pull it to high to make it exit reset. But when warm reboot, because kernel will not pull it low, if we want a reset, we can pull it low and rely on kernel to release it to get a valid reset > 500us. BUG=b:159688118 BRANCH=kukui TEST=build and boot damu device, when warm reboot, we can get a valid reset sequence which is greater than 500us. Change-Id: I069f5ef3e9477410d5349e5a702a4fbc14c201ed Signed-off-by: Paul Ma <magf(a)bitland.crop-partner.google.com> --- M src/mainboard/google/kukui/chromeos.c M src/mainboard/google/kukui/gpio.h 2 files changed, 4 insertions(+), 0 deletions(-) git pull ssh://review.coreboot.org:29418/coreboot refs/changes/19/43319/1 diff --git a/src/mainboard/google/kukui/chromeos.c b/src/mainboard/google/kukui/chromeos.c index c5810d1..755a386 100644 --- a/src/mainboard/google/kukui/chromeos.c +++ b/src/mainboard/google/kukui/chromeos.c @@ -15,6 +15,9 @@ gpio_input_pullup(CR50_IRQ); gpio_output(GPIO_RESET, 0); gpio_output(GPIO_EN_SPK_AMP, 0); + + if (CONFIG(BOARD_GOOGLE_DAMU)) + gpio_output(GPIO_TOUCH_RST, 0); } void fill_lb_gpios(struct lb_gpios *gpios) diff --git a/src/mainboard/google/kukui/gpio.h b/src/mainboard/google/kukui/gpio.h index c71fe3e..e0329ce 100644 --- a/src/mainboard/google/kukui/gpio.h +++ b/src/mainboard/google/kukui/gpio.h @@ -11,6 +11,7 @@ #define CR50_IRQ GPIO(PERIPHERAL_EN3) #define GPIO_RESET GPIO(PERIPHERAL_EN8) #define GPIO_EN_SPK_AMP GPIO(PERIPHERAL_EN12) +#define GPIO_TOUCH_RST GPIO(ANT_SEL1) void setup_chromeos_gpios(void); -- To view, visit https://review.coreboot.org/c/coreboot/+/43319 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: I069f5ef3e9477410d5349e5a702a4fbc14c201ed Gerrit-Change-Number: 43319 Gerrit-PatchSet: 1 Gerrit-Owner: Magf - <magf(a)bitland.corp-partner.google.com> Gerrit-MessageType: newchange

3 14

Change in coreboot[master]: mb/google/zork/vilboz: update telemetry settings for vilboz
by Peichao Li (Code Review) 09 Jun '23

09 Jun '23

Peichao Li has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/43664 ) Change subject: mb/google/zork/vilboz: update telemetry settings for vilboz ...................................................................... mb/google/zork/vilboz: update telemetry settings for vilboz Update telemetry value for SDLE test result. BUG=b:160698427 b:161084687 BRANCH=None TEST=emerge-zork coreboot chromeos-bootimage Signed-off-by: Peichao.Wang <peichao.wang(a)bitland.corp-partner.google.com> Change-Id: I3e3e8a3ec1c607d1a94761abd9fe1ab5585873e2 --- M src/mainboard/google/zork/variants/vilboz/overridetree.cb 1 file changed, 14 insertions(+), 0 deletions(-) git pull ssh://review.coreboot.org:29418/coreboot refs/changes/64/43664/1 diff --git a/src/mainboard/google/zork/variants/vilboz/overridetree.cb b/src/mainboard/google/zork/variants/vilboz/overridetree.cb index 49d21d5..3ddbb6c 100644 --- a/src/mainboard/google/zork/variants/vilboz/overridetree.cb +++ b/src/mainboard/google/zork/variants/vilboz/overridetree.cb @@ -16,6 +16,20 @@ register "stapm_time_constant" = "2500" # second register "sustained_power_limit" = "4800" # mW + register "telemetry_vddcr_vdd_slope" = "32435" #mA + register "telemetry_vddcr_vdd_offset" = "168" + register "telemetry_vddcr_soc_slope" = "22644" #mA + register "telemetry_vddcr_soc_offset" = "0-70" + + # VRM Limits + register "vrm_maximum_current_limit" = "19000" #mA + register "vrm_soc_maximum_current_limit" = "13000" #mA + register "vrm_current_limit" = "15000" #mA + register "vrm_soc_current_limit" = "10000" #mA + + # PROCHOT_L de-assertion Ramp Time + register "prochot_l_deassertion_ramp_time" = "20" #mS + # End : OPN Performance Configuration # I2C2 for touchscreen and trackpad -- To view, visit https://review.coreboot.org/c/coreboot/+/43664 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: I3e3e8a3ec1c607d1a94761abd9fe1ab5585873e2 Gerrit-Change-Number: 43664 Gerrit-PatchSet: 1 Gerrit-Owner: Peichao Li <peichao.wang(a)bitland.corp-partner.google.com> Gerrit-MessageType: newchange

3 2

Change in coreboot[master]: Documentation/security/intel: add Boot Guard related documentation
by Michał Żygowski (Code Review) 09 Jun '23

09 Jun '23

Michał Żygowski has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/43405 ) Change subject: Documentation/security/intel: add Boot Guard related documentation ...................................................................... Documentation/security/intel: add Boot Guard related documentation Signed-off-by: Michał Żygowski <michal.zygowski(a)3mdeb.com> Change-Id: Ifd7d4a4e4054652a5876c7e1ca1c1a1ecb73e176 --- M Documentation/security/index.md A Documentation/security/intel/bootguard.md 2 files changed, 247 insertions(+), 0 deletions(-) git pull ssh://review.coreboot.org:29418/coreboot refs/changes/05/43405/1 diff --git a/Documentation/security/index.md b/Documentation/security/index.md index c9cb4a7..5605148 100644 --- a/Documentation/security/index.md +++ b/Documentation/security/index.md @@ -14,6 +14,10 @@ - [Intel TXT Initial Boot Block](intel/txt_ibb.md) - [Intel Authenticated Code Modules](intel/acm.md) +## Intel Boot Guard + +- [Intel Boot Guard](intel/bootguard.md) + ## SMM - [System Management Mode](smm.md) diff --git a/Documentation/security/intel/bootguard.md b/Documentation/security/intel/bootguard.md new file mode 100644 index 0000000..78d342b --- /dev/null +++ b/Documentation/security/intel/bootguard.md @@ -0,0 +1,243 @@ +# Intel Boot Guard + +Intel Boot Guard allows: + +1. Integrity verification and measurement of the early boot code. +2. Assuring that only authorized firmware can be executed, which can then be + considered trusted. +3. Providing a hardware-rooted Root of Trust for measurement and/or + verification. + +Intel Boot Guard requirements: + +1. Intel Boot Guard requires a **TPM** to measure parts of the firmware before + it's run on the BSP in case of profiles performing measurements. +2. Intel Boot Guard requires signed **Authenticated Code Modules** ([ACM]s), + provided by Intel. These ACMs are different for platforms without Intel TXT. +3. Intel Boot Guard is told to require a **Boot Guard capable CPU** (check on + Intel ARK). Experiments showed that it is not true. Intel 4th generation + processor or newer is sufficient. All that is required is a provisioned ME + firmware for Boot Guard and an ACM. +4. Intel ME has to be in Manufacturing Mode in order to enable Boot Guard. When + the Manufacturing Mode is disabled the FPFs are blown and it is impossible + to change the Boot Guard status (either enabled with keys you do not have + access to or permanently disabled). + +## Authenticated Code Modules + +The ACMs are Intel digitally signed modules that contain code to be run +before the traditional x86 CPU reset vector. + +More details can be found here: [Intel ACM]. + +## Modified bootflow with Intel Boot Guard + +With Intel Boot Guard the first instruction executed on the BSP isn't the +*reset vector*, but the [Intel ACM]. + +It initializes the TPM and measures parts of the firmware, the IBB. + +### Marking the Initial Boot Block + +Individual files in the CBFS can be marked as IBB in similar manner +as in Intel TXT. + +More details can be found in the [Intel TXT IBB] chapter. + +The difference here is that the IBB elements are removed from [FIT table] as +they are not required for Boot Guard. The newly implemented tool to create Boot +Guard manifests, ibmptool (part of cbfstool), handles creation of signed +manifests and calculates the hash of the IBB based on the [FIT] entries. IBB +must complete the memory initialization according to specification, but in +coreboot's case it is not needed, as the verified and measured boot mode may +start in bootblock already. Covering bootblock, verstage (and FSP-T +optionally) is sufficient. + +### Measurements + +The IBBs (Initial Boot Blocks) are measured into TPM's PCR7 by the Boot Guard +[ACM] before the CPU reset vector is executed. The extend operation is +controlled by flags filled for each IBB segment by ibpmtool. Boot Guard also +allows to specify the Locality (0 or 3) from which the TPM starts up and +measures the IBB. To indentify the regions that need to be measured, the [FIT] +contains one ore multiple *Type 7* entries, that point to the IBBs. + +## Boot Guard capable firmware building and options + +In order to build coreboot with Boot Guard support, few preparation steps are +required. + +1. Boot Guard requires 2 RSA keys from user: OEM Root key (for Key Manifest) + and Boot Policy key (for Boot Policy Manifest). The hash of the public part + of Boot Policy gets signed inside Key Manifest by OEM Root key. This allows + the OEM Root key owner to authorize many Boot Policy keys by simply + delivering a signed Key Manifest to end-user. The coreboot's implementation + allows to specify whether the Key Manifest should be built or a ready one to + be included. + + In order to create the keys OpenSSL may be used: + ``` + openssl genrsa -out OEM_Root_key_private.pem 2048 + openssl rsa -in OEM_Root_key_private.pem -outform PEM -pubout -out OEM_Root_key_public.pem + openssl genrsa -out BPM_key_private.pem 2048 + openssl rsa -in BPM_key_private.pem -outform PEM -pubout -out BPM_key_public.pem + ``` + + Boot Guard supports only RSA2048 for now, but it may change in the future. + +2. Obtain the Boot Guard ACM for your microarchitecture/platform. UEFITool is + able to detect the Boot Guard ACM in the firmware. +3. In menuconfig go to Security submenu and select Intel Boot Guard. Then enter + the Boot Guard submenu which appears after selecting previous option. +4. Provide path and filename to Boot Policy key and the ACM. In case you + already have a signed Key Manifest provide path to the file. Otherwise you + will have to change the Key Manifest source to build a Key Manifest. +5. Provide a Key Manifest Key ID (it must match the ID in the ME firmware + image). +6. Fill the ACM revocation value. Values of 0 and 1 are for engineering samples + and are not available for public use, production ACMs have value of 2. If + there were no revocations earlier it is safe to leave the default. + Revocations will be explained later. +7. Fill the Boot Guard ACM location in CBFS. The ACM must be 64k or 128k + aligned and be placed in the top most 2MB under 4GB in memory space. +8. Build the coreboot image. + +### ME provisioning + +Boot Guard requires provisioning of the ME firmware image. That is, ME firmware +must be configured with OEM Root key public hash, the Key Manifest Key ID and +the Boot Guard profile number. Currently it is only possible with Flash Image +Tool included in ME firmware kit available under CNDA. + +The OEM Root key public hash can be retrieved from the coreboot build log. The +ibpmtool prints the manifests content after it finishes its job. The OEM Root +Key hash is printed after dumping Key Manifest: + +``` +FYI: Hash of the KM public key (modulus only): + + B7 94 7B 36 D2 74 74 A5 B0 44 22 23 99 BE 57 07 + FA 84 97 0D 74 A7 8F 6F D0 6F 66 06 8C 41 D3 81 +``` + +For Skylake and Kaby Lake only modulus part of the RSA key is provided as OEM +Root Key public hash. For other microarchitectures the exponent is also +included in public hash calculation. + +As a last step provide the Key Manifest Key ID to the Flash Image Tool, the +same ID as provided to coreboot's menu config and enable desired Boot Guard +profile. Note, profiles 1 and 1 are no longer available since Coffee Lake. + +### ME fusing + +Blowing the FPFs with Boot Guard configuration requires specialized tool called +Flash Programming Tool which is distributed under CNDA. The fusing process is +achieved by closing the Manufacturing process. + +### Firmware layout requirements + +There are certain requirements about the firmware layout. + +1. IBB must reside in top most 4MB under 4GB in memory space. [FIT table], + microcode and Boot Guard Manifests are also expected to reside in this + range. +2. Boot Guard [ACM] must reside in top most 2MB under 4GB in memory space. + Additionally it must be aligned to 64 or 128 kilobytes (32 kilobytes is also + supported but not recommended as [ACM] size may be larger in the future). + +For Coffee Lake and newer microarchitectures, these requirements apply to +top most 8MB under 4GB in memory space. + +## Revocation + +Boot Guard has a few revocation mechanisms designed to keep the platform secure +from downgrading the firmware to vulnerable version. There are 3 main +revocation mechanisms: + +1. [ACM] SVN revocation +2. Kay Manifest (KM) SVN revocation +3. Boot Policy Manifest (BPM) SVN revocation + +### ACM SVN revocation + +The rule is simple. Each ACM has its Security Version Number (SVN). Production +ACMs start at SVN equal to 2. Each newer ACM executed on the hardware can bump +the ACM SVN present in FPFs. If the ACM SVN in FPF is higher than the ACM SVN +in the blob it will not be executed and enforcement logic will be triggered. In +the opposite situation the ACM SVN may be bumped to higher number in FPFs. It +is controlled by the ACMSVN_Auth field in Boot Policy Manifest. If the +ACMSVN_Auth in Boot Policy Manifest is equal to the ACM SVN in the blob and +ACMSVN_Auth is higher than the current ACM SVN in FPF, ACM SVN in FPFs will be +bumped. + +The ACMSVN_Auth value can be controlled by menuconfig option in Boot Guard +submenu. + +### KM SVN revocation + +The KM SVN follows the same rules as the ACM SVN revocation. The difference +here is that by default KM SVN starts at value of 0. OEM, firmware owner may +authorize new Kay Manifests by simply increasing the KM SVN number when +assembling a Key Manifest. + +The Key Manifest revocation value can be controlled by menuconfig option in +Boot Guard submenu. + +### BPM SVN revocation + +The BPM SVN follows the same rules as the KM SVN revocation. + +The Boot Policy Manifest revocation value can be controlled by menuconfig +option in Boot Guard submenu. + +## Boot Guard manifests optional fields + +Boot Guard Manifests have a few optional fields: + +1. Platform Manufacturer's Key Manifest version. +2. Platform Manufacturer's Boot Policy version. +3. Post IBB hash. +4. Platform Manufacturer's structure. + +The first two are just version numbers used by platform manufacturer's +purposes. They are present in according manifests and are not used by Boot +Guard. Free for one's use. + +Post IBB hash was intended to use as verification of code that is executed +after IBB. It may serve as another custom field for example to keep a hash +of vboot key or other firmware component. + +Platform Manufacturer's structure is an optional part of Boot Policy Manifest. +Currently it is not supported by ibpmtool and shouldn't be used to avoid +errors. ibpmtool assumes that there is no Platform Manufacturer's structure in +Boot Policy Manifest, so dumping one with ibpmtool will give false results. + +## TODO list + +There are still some Boot Guard features not covered by current implementation: + +1. Utilize VT-d and set PMRs in manifests to protect IBB from DMA. +2. Allow to set the TPM measurement option in IBB element flag in ibpmtool. +3. vboot does not work with Boot Guard. The amount of data that needs to be + fetched from SPI flash to verify RW partition is too huge to fit in NEM and + platform simply hangs. vboot needs per-file verification in order to work + with Boot Guard. Current working alternative is ELTAN's vboot. +4. Verify support for Boot Guard- and TXT-enabled systems prior to Coffee Lake. +5. Implement support for Converged Boot Guard and TXT. +6. Enforce the firmware layout requirements in the build system to avoid + user input errors. +7. Implement Platform Manufacturer's structure parsing in ibmptool. +8. Implement a simple Boot Guard library that will dump its status and errors. +9. Implement a TPM event log entry for Boot Guard measurement. +10. Boot Guard for Apollo Lake and newer Atom series processors seems to be a + little bit different. It will need additional effort to work. +11. Implement open-source CAR setup for Boot Guard enabled platforms. Currently + we lack a working implementation for Boot Guard flow (Boot Guard releases + CPUs from reset where IBB is already in cache and MTRRs are set for IBB + elements). For he time being FSP-T must be used. + +[Intel TXT IBB]: txt_ibb.md +[FIT]: ../../soc/intel/fit.md +[Intel ACM]: acm.md +[ACM]: acm.md +[FIT table]: ../../soc/intel/fit. -- To view, visit https://review.coreboot.org/c/coreboot/+/43405 To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings Gerrit-Project: coreboot Gerrit-Branch: master Gerrit-Change-Id: Ifd7d4a4e4054652a5876c7e1ca1c1a1ecb73e176 Gerrit-Change-Number: 43405 Gerrit-PatchSet: 1 Gerrit-Owner: Michał Żygowski <michal.zygowski(a)3mdeb.com> Gerrit-MessageType: newchange

5 5

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

coreboot-gerrit August 2020