Attention is currently required from: Maulik V Vaghela, Mario Scheithauer, Subrata Banik, Lean Sheng Tan, Patrick Rudolph.
Hello build bot (Jenkins), Maulik V Vaghela, Mario Scheithauer, Subrata Banik, Werner Zeh, Patrick Rudolph,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/55034
to look at the new patch set (#5).
Change subject: soc/intel/elkhartlake: Update FSP-S UPD RP & USB related configs
......................................................................
soc/intel/elkhartlake: Update FSP-S UPD RP & USB related configs
Further add initial Silicon UPD settings for:
- root ports
- USB
Signed-off-by: Lean Sheng Tan <lean.sheng.tan(a)intel.com>
Change-Id: I60afb78a7997b8465dd6318f3abee28f95a65100
---
M src/mainboard/intel/elkhartlake_crb/variants/ehlcrb/devicetree.cb
M src/soc/intel/elkhartlake/chip.h
M src/soc/intel/elkhartlake/fsp_params.c
3 files changed, 108 insertions(+), 4 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/34/55034/5
--
To view, visit https://review.coreboot.org/c/coreboot/+/55034
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings
Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I60afb78a7997b8465dd6318f3abee28f95a65100
Gerrit-Change-Number: 55034
Gerrit-PatchSet: 5
Gerrit-Owner: Lean Sheng Tan <lean.sheng.tan(a)intel.com>
Gerrit-Reviewer: Mario Scheithauer <mario.scheithauer(a)siemens.com>
Gerrit-Reviewer: Maulik V Vaghela <maulik.v.vaghela(a)intel.com>
Gerrit-Reviewer: Patrick Rudolph <siro(a)das-labor.org>
Gerrit-Reviewer: Subrata Banik <subrata.banik(a)intel.com>
Gerrit-Reviewer: Werner Zeh <werner.zeh(a)siemens.com>
Gerrit-Reviewer: build bot (Jenkins) <no-reply(a)coreboot.org>
Gerrit-CC: Paul Menzel <paulepanter(a)mailbox.org>
Gerrit-Attention: Maulik V Vaghela <maulik.v.vaghela(a)intel.com>
Gerrit-Attention: Mario Scheithauer <mario.scheithauer(a)siemens.com>
Gerrit-Attention: Subrata Banik <subrata.banik(a)intel.com>
Gerrit-Attention: Lean Sheng Tan <lean.sheng.tan(a)intel.com>
Gerrit-Attention: Patrick Rudolph <siro(a)das-labor.org>
Gerrit-MessageType: newpatchset
Attention is currently required from: Christopher Meis, Patrick Rudolph, Christian Walter.
Hello build bot (Jenkins), Patrick Rudolph, Christian Walter, Patrick Rudolph,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/55048
to look at the new patch set (#3).
Change subject: src/... - Add Boot Guard support
......................................................................
src/... - Add Boot Guard support
src/cpu/intel/fit/Kconfig - Add Boot Guard support
src/mainboard/prodrive/hermes/Kconfig - Add FIX_BOOTBLOCK_SIZE
src/security/intel/* - Add Boot Guard support
Change-Id: I2b73a79f51692178e8565803efb2c9caf3096ff9
Signed-off-by: Christopher Meis <christopher.meis(a)9elements.com>
---
M src/cpu/intel/fit/Kconfig
M src/mainboard/prodrive/hermes/Kconfig
M src/security/intel/Kconfig
M src/security/intel/Makefile.inc
A src/security/intel/bg/Kconfig
A src/security/intel/bg/Makefile.inc
A src/security/intel/bg/cmos.c
7 files changed, 429 insertions(+), 1 deletion(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/48/55048/3
--
Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I2b73a79f51692178e8565803efb2c9caf3096ff9
Gerrit-Change-Number: 55048
Gerrit-PatchSet: 3
Gerrit-Owner: Christopher Meis
Gerrit-Reviewer: Christian Walter <christian.walter(a)9elements.com>
Gerrit-Reviewer: Patrick Rudolph <patrick.rudolph(a)9elements.com>
Gerrit-Reviewer: Patrick Rudolph <siro(a)das-labor.org>
Gerrit-Reviewer: build bot (Jenkins) <no-reply(a)coreboot.org>
Gerrit-Attention: Christopher Meis
Gerrit-Attention: Patrick Rudolph <patrick.rudolph(a)9elements.com>
Gerrit-Attention: Christian Walter <christian.walter(a)9elements.com>
Gerrit-Attention: Patrick Rudolph <siro(a)das-labor.org>
Gerrit-MessageType: newpatchset
Attention is currently required from: Maulik V Vaghela, Mario Scheithauer, Subrata Banik, Patrick Rudolph.
Hello build bot (Jenkins), Maulik V Vaghela, Mario Scheithauer, Subrata Banik, Werner Zeh, Patrick Rudolph,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/55034
to look at the new patch set (#4).
Change subject: soc/intel/elkhartlake: Update FSP-S UPD RP & USB related configs
......................................................................
soc/intel/elkhartlake: Update FSP-S UPD RP & USB related configs
Further add initial Silicon UPD settings for:
- root ports
- USB
Signed-off-by: Lean Sheng Tan <lean.sheng.tan(a)intel.com>
Change-Id: I60afb78a7997b8465dd6318f3abee28f95a65100
---
M src/mainboard/intel/elkhartlake_crb/variants/ehlcrb/devicetree.cb
M src/soc/intel/elkhartlake/chip.h
M src/soc/intel/elkhartlake/fsp_params.c
3 files changed, 108 insertions(+), 4 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/34/55034/4
--
Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I60afb78a7997b8465dd6318f3abee28f95a65100
Gerrit-Change-Number: 55034
Gerrit-PatchSet: 4
Gerrit-Owner: Lean Sheng Tan <lean.sheng.tan(a)intel.com>
Gerrit-Reviewer: Mario Scheithauer <mario.scheithauer(a)siemens.com>
Gerrit-Reviewer: Maulik V Vaghela <maulik.v.vaghela(a)intel.com>
Gerrit-Reviewer: Patrick Rudolph <siro(a)das-labor.org>
Gerrit-Reviewer: Subrata Banik <subrata.banik(a)intel.com>
Gerrit-Reviewer: Werner Zeh <werner.zeh(a)siemens.com>
Gerrit-Reviewer: build bot (Jenkins) <no-reply(a)coreboot.org>
Gerrit-CC: Paul Menzel <paulepanter(a)mailbox.org>
Gerrit-Attention: Maulik V Vaghela <maulik.v.vaghela(a)intel.com>
Gerrit-Attention: Mario Scheithauer <mario.scheithauer(a)siemens.com>
Gerrit-Attention: Subrata Banik <subrata.banik(a)intel.com>
Gerrit-Attention: Patrick Rudolph <siro(a)das-labor.org>
Gerrit-MessageType: newpatchset
Attention is currently required from: Maulik V Vaghela, Mario Scheithauer, Subrata Banik, Lean Sheng Tan, Patrick Rudolph.
Hello build bot (Jenkins), Maulik V Vaghela, Mario Scheithauer, Subrata Banik, Werner Zeh, Patrick Rudolph,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/54959
to look at the new patch set (#10).
Change subject: soc/intel/elkhartlake: Update FSP-S UPD LPSS related configs
......................................................................
soc/intel/elkhartlake: Update FSP-S UPD LPSS related configs
Add Silicon upd settings for LPSS (GSPI/UART/I2C).
Signed-off-by: Lean Sheng Tan <lean.sheng.tan(a)intel.com>
Change-Id: Ib0c3cd1d37ff9892d09d6d86ac50e230549c7e53
---
M src/mainboard/intel/elkhartlake_crb/variants/ehlcrb/devicetree.cb
M src/soc/intel/elkhartlake/chip.h
M src/soc/intel/elkhartlake/fsp_params.c
3 files changed, 139 insertions(+), 4 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/59/54959/10
--
Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: Ib0c3cd1d37ff9892d09d6d86ac50e230549c7e53
Gerrit-Change-Number: 54959
Gerrit-PatchSet: 10
Gerrit-Owner: Lean Sheng Tan <lean.sheng.tan(a)intel.com>
Gerrit-Reviewer: Mario Scheithauer <mario.scheithauer(a)siemens.com>
Gerrit-Reviewer: Maulik V Vaghela <maulik.v.vaghela(a)intel.com>
Gerrit-Reviewer: Patrick Rudolph <siro(a)das-labor.org>
Gerrit-Reviewer: Subrata Banik <subrata.banik(a)intel.com>
Gerrit-Reviewer: Werner Zeh <werner.zeh(a)siemens.com>
Gerrit-Reviewer: build bot (Jenkins) <no-reply(a)coreboot.org>
Gerrit-CC: Paul Menzel <paulepanter(a)mailbox.org>
Gerrit-Attention: Maulik V Vaghela <maulik.v.vaghela(a)intel.com>
Gerrit-Attention: Mario Scheithauer <mario.scheithauer(a)siemens.com>
Gerrit-Attention: Subrata Banik <subrata.banik(a)intel.com>
Gerrit-Attention: Lean Sheng Tan <lean.sheng.tan(a)intel.com>
Gerrit-Attention: Patrick Rudolph <siro(a)das-labor.org>
Gerrit-MessageType: newpatchset
Attention is currently required from: Maulik V Vaghela, Paul Menzel, Mario Scheithauer, Subrata Banik, Patrick Rudolph.
Hello build bot (Jenkins), Maulik V Vaghela, Mario Scheithauer, Subrata Banik, Werner Zeh, Patrick Rudolph,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/54960
to look at the new patch set (#9).
Change subject: soc/intel/elkhartlake: Update FSP-S UPD graphic & chipset related settings
......................................................................
soc/intel/elkhartlake: Update FSP-S UPD graphic & chipset related settings
Further add initial Silicon UPD settings for:
- graphics & display
- chipset lockdown
- PAVP
- legacy timer
- PCH master gating control
- HECI
This CL also enables HECI 1 in devicetree.cb.
Signed-off-by: Lean Sheng Tan <lean.sheng.tan(a)intel.com>
Change-Id: I657f44f8506640c23049614b2db9d1837e6d44ed
---
M src/mainboard/intel/elkhartlake_crb/variants/ehlcrb/devicetree.cb
M src/soc/intel/elkhartlake/fsp_params.c
2 files changed, 59 insertions(+), 13 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/60/54960/9
--
Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I657f44f8506640c23049614b2db9d1837e6d44ed
Gerrit-Change-Number: 54960
Gerrit-PatchSet: 9
Gerrit-Owner: Lean Sheng Tan <lean.sheng.tan(a)intel.com>
Gerrit-Reviewer: Mario Scheithauer <mario.scheithauer(a)siemens.com>
Gerrit-Reviewer: Maulik V Vaghela <maulik.v.vaghela(a)intel.com>
Gerrit-Reviewer: Patrick Rudolph <siro(a)das-labor.org>
Gerrit-Reviewer: Subrata Banik <subrata.banik(a)intel.com>
Gerrit-Reviewer: Werner Zeh <werner.zeh(a)siemens.com>
Gerrit-Reviewer: build bot (Jenkins) <no-reply(a)coreboot.org>
Gerrit-CC: Paul Menzel <paulepanter(a)mailbox.org>
Gerrit-Attention: Maulik V Vaghela <maulik.v.vaghela(a)intel.com>
Gerrit-Attention: Paul Menzel <paulepanter(a)mailbox.org>
Gerrit-Attention: Mario Scheithauer <mario.scheithauer(a)siemens.com>
Gerrit-Attention: Subrata Banik <subrata.banik(a)intel.com>
Gerrit-Attention: Patrick Rudolph <siro(a)das-labor.org>
Gerrit-MessageType: newpatchset
Attention is currently required from: Christopher Meis, Patrick Rudolph, Christian Walter.
Hello build bot (Jenkins), Patrick Rudolph, Christian Walter, Patrick Rudolph,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/55048
to look at the new patch set (#2).
Change subject: src/... - Add Boot Guard support
......................................................................
src/... - Add Boot Guard support
src/cpu/intel/fit/Kconfig - Add Boot Guard support
src/mainboard/prodrive/hermes/Kconfig - Add FIX_BOOTBLOCK_SIZE
src/security/intel/* - Add Boot Guard support
Change-Id: I2b73a79f51692178e8565803efb2c9caf3096ff9
Signed-off-by: Christopher Meis <christopher.meis(a)9elements.com>
---
M src/cpu/intel/fit/Kconfig
M src/mainboard/prodrive/hermes/Kconfig
M src/security/intel/Kconfig
M src/security/intel/Makefile.inc
A src/security/intel/bg/Kconfig
A src/security/intel/bg/Makefile.inc
A src/security/intel/bg/cmos.c
7 files changed, 429 insertions(+), 1 deletion(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/48/55048/2
--
Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I2b73a79f51692178e8565803efb2c9caf3096ff9
Gerrit-Change-Number: 55048
Gerrit-PatchSet: 2
Gerrit-Owner: Christopher Meis
Gerrit-Reviewer: Christian Walter <christian.walter(a)9elements.com>
Gerrit-Reviewer: Patrick Rudolph <patrick.rudolph(a)9elements.com>
Gerrit-Reviewer: Patrick Rudolph <siro(a)das-labor.org>
Gerrit-Reviewer: build bot (Jenkins) <no-reply(a)coreboot.org>
Gerrit-Attention: Christopher Meis
Gerrit-Attention: Patrick Rudolph <patrick.rudolph(a)9elements.com>
Gerrit-Attention: Christian Walter <christian.walter(a)9elements.com>
Gerrit-Attention: Patrick Rudolph <siro(a)das-labor.org>
Gerrit-MessageType: newpatchset
Felix Held has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/49799 )
Change subject: acpi: Add support for reporting CrashLog in BERT table
......................................................................
Patch Set 10:
(1 comment)
Patchset:
PS10:
> [. […]
hm, i have the impression that we're talking past each other on this. i'll try to write a few patches that will improve and unify things a bit, but works well with both flows and won't require invasive changes on either side; that should be more efficient. i'll add you as reviewer once the patches are ready
--
Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I00e390d735d61beac2e89a726e39119d9b06b3df
Gerrit-Change-Number: 49799
Gerrit-PatchSet: 10
Gerrit-Owner: Francois Toguo Fotso <francois.toguo.fotso(a)intel.com>
Gerrit-Reviewer: Lance Zhao
Gerrit-Reviewer: Martin Roth <martinroth(a)google.com>
Gerrit-Reviewer: Nikunj Dadhania <nikunj.dadhania(a)intel.com>
Gerrit-Reviewer: Patrick Georgi <pgeorgi(a)google.com>
Gerrit-Reviewer: Patrick Rudolph <siro(a)das-labor.org>
Gerrit-Reviewer: Tim Wawrzynczak <twawrzynczak(a)chromium.org>
Gerrit-Reviewer: Tim Wawrzynczak <twawrzynczak(a)google.com>
Gerrit-Reviewer: build bot (Jenkins) <no-reply(a)coreboot.org>
Gerrit-CC: 9elements QA <hardwaretestrobot(a)gmail.com>
Gerrit-CC: Felix Held <felix-coreboot(a)felixheld.de>
Gerrit-CC: Marshall Dawson <marshalldawson3rd(a)gmail.com>
Gerrit-CC: Paul Menzel <paulepanter(a)mailbox.org>
Gerrit-CC: Raj Astekar <raj.astekar(a)intel.com>
Gerrit-Comment-Date: Fri, 28 May 2021 13:44:38 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: Francois Toguo Fotso <francois.toguo.fotso(a)intel.com>
Gerrit-MessageType: comment
Attention is currently required from: Patrick Rudolph, Christian Walter.
build bot (Jenkins) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/55048 )
Change subject: src/... - Add Boot Guard support
......................................................................
Patch Set 1:
(4 comments)
File src/mainboard/prodrive/hermes/Kconfig:
Robot Comment from checkpatch (run ID jenkins-coreboot-checkpatch-120232):
https://review.coreboot.org/c/coreboot/+/55048/comment/10e0e5f8_7cd537c0
PS1, Line 72:
trailing whitespace
File src/security/intel/bg/Kconfig:
Robot Comment from checkpatch (run ID jenkins-coreboot-checkpatch-120232):
https://review.coreboot.org/c/coreboot/+/55048/comment/5bcef0a6_432788c8
PS1, Line 9: Enables Intel Boot Guard Support. This will enable one to add a
trailing whitespace
Robot Comment from checkpatch (run ID jenkins-coreboot-checkpatch-120232):
https://review.coreboot.org/c/coreboot/+/55048/comment/cf8057b1_9770f2dd
PS1, Line 10: Key Manifest (KM) and a Boot Policy Manifest (BPM) to the
trailing whitespace
Robot Comment from checkpatch (run ID jenkins-coreboot-checkpatch-120232):
https://review.coreboot.org/c/coreboot/+/55048/comment/c23d4cc2_29bfd2df
PS1, Line 11: filesystem. It will also wrap a FIT around the firmware and
trailing whitespace
--
Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I2b73a79f51692178e8565803efb2c9caf3096ff9
Gerrit-Change-Number: 55048
Gerrit-PatchSet: 1
Gerrit-Owner: Christopher Meis
Gerrit-Reviewer: Christian Walter <christian.walter(a)9elements.com>
Gerrit-Reviewer: Patrick Rudolph <patrick.rudolph(a)9elements.com>
Gerrit-Reviewer: Patrick Rudolph <siro(a)das-labor.org>
Gerrit-CC: build bot (Jenkins) <no-reply(a)coreboot.org>
Gerrit-Attention: Patrick Rudolph <patrick.rudolph(a)9elements.com>
Gerrit-Attention: Christian Walter <christian.walter(a)9elements.com>
Gerrit-Attention: Patrick Rudolph <siro(a)das-labor.org>
Gerrit-Comment-Date: Fri, 28 May 2021 13:37:53 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Gerrit-MessageType: comment
Christopher Meis has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/55048 )
Change subject: src/... - Add Boot Guard support
......................................................................
src/... - Add Boot Guard support
src/cpu/intel/fit/Kconfig - Add Boot Guard support
src/mainboard/prodrive/hermes/Kconfig - Add FIX_BOOTBLOCK_SIZE
src/security/intel/* - Add Boot Guard support
Change-Id: I2b73a79f51692178e8565803efb2c9caf3096ff9
Signed-off-by: Christopher Meis <christopher.meis(a)9elements.com>
---
M src/cpu/intel/fit/Kconfig
M src/mainboard/prodrive/hermes/Kconfig
M src/security/intel/Kconfig
M src/security/intel/Makefile.inc
A src/security/intel/bg/Kconfig
A src/security/intel/bg/Makefile.inc
A src/security/intel/bg/cmos.c
7 files changed, 429 insertions(+), 2 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/48/55048/1
diff --git a/src/cpu/intel/fit/Kconfig b/src/cpu/intel/fit/Kconfig
index 9ea867e..554fbc0 100644
--- a/src/cpu/intel/fit/Kconfig
+++ b/src/cpu/intel/fit/Kconfig
@@ -5,7 +5,7 @@
config CPU_INTEL_NUM_FIT_ENTRIES
int
- default 16 if INTEL_TXT || INTEL_CBNT_SUPPORT
+ default 16 if INTEL_TXT || INTEL_CBNT_SUPPORT || INTEL_BG_SUPPORT
default 4
depends on CPU_INTEL_FIRMWARE_INTERFACE_TABLE
help
diff --git a/src/mainboard/prodrive/hermes/Kconfig b/src/mainboard/prodrive/hermes/Kconfig
index ac497e6..240031a 100644
--- a/src/mainboard/prodrive/hermes/Kconfig
+++ b/src/mainboard/prodrive/hermes/Kconfig
@@ -69,5 +69,11 @@
config CBFS_SIZE
hex
default 0x900000
-
+
+config C_ENV_BOOTBLOCK_SIZE
+ hex
+ default 0xc000 if FIXED_BOOTBLOCK_SIZE
+ help
+ This matches the IBB size used for CBnT. Adjust this to the
+ used CBnT settings.
endif # BOARD_PRODRIVE_HERMES_BASEBOARD
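Review bot: the added blank line at line 72 of this hunk carries trailing whitespace (checkpatch flagged it on PS1); drop the whitespace or the blank line itself. The help text of C_ENV_BOOTBLOCK_SIZE still reads "This matches the IBB size used for CBnT. Adjust this to the used CBnT settings." although this change makes the fixed size a Boot Guard requirement (INTEL_BG_SUPPORT selects FIXED_BOOTBLOCK_SIZE); say Boot Guard, or CBnT/Boot Guard, so the board option is not read as CBnT-only. Also, the commit message lists the symbol as FIX_BOOTBLOCK_SIZE while the hunk uses FIXED_BOOTBLOCK_SIZE.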
diff --git a/src/security/intel/Kconfig b/src/security/intel/Kconfig
index 0609a45..5cc62bb 100644
--- a/src/security/intel/Kconfig
+++ b/src/security/intel/Kconfig
@@ -3,3 +3,4 @@
source "src/security/intel/txt/Kconfig"
source "src/security/intel/stm/Kconfig"
source "src/security/intel/cbnt/Kconfig"
+source "src/security/intel/bg/Kconfig"
\ No newline at end of file
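Review bot: the new `source "src/security/intel/bg/Kconfig"` line is added without a terminating newline ("\ No newline at end of file"); end the file with a newline so the next entry appended to this list does not show up as a modification of this line.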
diff --git a/src/security/intel/Makefile.inc b/src/security/intel/Makefile.inc
index 20aea27..6878a5f 100644
--- a/src/security/intel/Makefile.inc
+++ b/src/security/intel/Makefile.inc
@@ -1,3 +1,4 @@
subdirs-y += txt
subdirs-y += stm
subdirs-y += cbnt
+subdirs-y += bg
diff --git a/src/security/intel/bg/Kconfig b/src/security/intel/bg/Kconfig
new file mode 100644
index 0000000..da17c00
--- /dev/null
+++ b/src/security/intel/bg/Kconfig
@@ -0,0 +1,255 @@
+# SPDX-License-Identifier: GPL-2.0-only
+
+config INTEL_BG_SUPPORT
+ bool "Intel Boot Guard support"
+ default n
+ # With Boot Guard the bootblock is set up as a Boot Guard IBB and needs a fixed size
+ select FIXED_BOOTBLOCK_SIZE
+ help
+ Enables Intel Boot Guard Support. This will enable one to add a
+ Key Manifest (KM) and a Boot Policy Manifest (BPM) to the
+ filesystem. It will also wrap a FIT around the firmware and
+ update appropriate entries.
+
+if INTEL_BG_SUPPORT
+
+config INTEL_BG_GENERATE_KM
+ bool "Generate Key Manifest (KM)"
+ default y
+ select INTEL_BG_NEED_KM_PUB_KEY
+ select INTEL_BG_NEED_KM_PRIV_KEY if !INTEL_BG_KM_ONLY_UNSIGNED
+ select INTEL_BG_NEED_BPM_PUB_KEY if !INTEL_BG_BG_PROV_KM_USE_CFG_FILE
+ help
+ Select y to generate the Key Manifest (KM).
+ Select n to include a KM binary.
+
+config INTEL_BG_KM_ONLY_UNSIGNED
+ bool "Only unsigned key manifest (KM)"
+ depends on INTEL_BG_GENERATE_KM
+ help
+ Skip signing the KM.
+ The resulting unsigned KM will be placed at build/km_unsigned.bin.
+ The resulting coreboot image will not be functional with BG.
+ After the unsigned KM is signed externally you can either rebuild
+ coreboot using that binary or add it to cbfs and fit:
+ "$ cbfstool build/coreboot.rom add -f km.bin -n key_manifest.bin -t raw -a 16"
+ "$ ifittool -r COREBOOT -a -n key_manifest.bin -t 11 -s 12 -f build/coreboot.rom"
+ '-s 12' where 12 is CONFIG_CPU_INTEL_NUM_FIT_ENTRIES.
+
+config INTEL_BG_BG_PROV_KM_USE_CFG_FILE
+ bool "KM: use a BG json config file"
+ depends on INTEL_BG_GENERATE_KM
+ default y
+ help
+ Select y to generate KM from a json config file.
+ Select n to generate KM from Kconfig options
+
+config INTEL_BG_GENERATE_BPM
+ bool "Generate Boot Policy Manifest (BPM)"
+ default y
+ select INTEL_BG_NEED_BPM_PRIV_KEY if !INTEL_BG_BPM_ONLY_UNSIGNED
+ help
+ Select y to generate the Boot Policy Manifest (BPM).
+ Select n to include a BPM binary.
+
+config INTEL_BG_BPM_ONLY_UNSIGNED
+ bool "Only unsigned boot policy manifest (BPM)"
+ depends on INTEL_BG_GENERATE_BPM
+ help
+ Skip signing the BPM.
+ The resulting unsigned BPM will be placed at build/bpm_unsigned.bin.
+ The resulting coreboot image will not be functional with BG.
+ After the unsigned BPM is signed externally you can add it to cbfs
+ and fit:
+ "$ cbfstool build/coreboot.rom add -f bpm.bin -n boot_policy_manifest.bin -t raw -a 16"
+ "$ ifittool -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s 12 -f build/coreboot.rom"
+ '-s 12' where 12 is CONFIG_CPU_INTEL_NUM_FIT_ENTRIES.
+
+config INTEL_BG_BG_PROV_BPM_USE_CFG_FILE
+ bool "BPM: use a BG json config file"
+ depends on INTEL_BG_GENERATE_BPM
+ default y
+ help
+ Select y to generate BPM from a json config file.
+ Select n to generate BPM from Kconfig options
+
+config INTEL_BG_BG_PROV_CFG_FILE
+ string "BG json config file"
+ depends on INTEL_BG_BG_PROV_KM_USE_CFG_FILE || INTEL_BG_BG_PROV_BPM_USE_CFG_FILE
+ help
+ Location of the bg-prov json config file.
+ Either get a sample JSON config file:
+ $ bg-prov template
+ Or extract it from a working configuration:
+ $ bg-prov read-config
+
+config INTEL_BG_PROV_EXTERNAL_BIN
+ bool "Use an external bg-prov binary"
+ default n
+ depends on INTEL_BG_GENERATE_BPM || INTEL_BG_GENERATE_KM
+ help
+ Building bg-prov requires godeps which makes it impossible to build
+ it in an offline environment. A solution is to use an external binary.
+
+config INTEL_BG_PROV_EXTERNAL_BIN_PATH
+ string "bg-prov path"
+ depends on INTEL_BG_PROV_EXTERNAL_BIN
+ help
+ Path to the bg-prov binary.
+
+config INTEL_BG_NEED_KM_PUB_KEY
+ bool
+
+config INTEL_BG_NEED_KM_PRIV_KEY
+ bool
+
+config INTEL_BG_KM_PUB_KEY_FILE
+ string "Key manifest (KM) public key"
+ depends on INTEL_BG_NEED_KM_PUB_KEY && !INTEL_BG_NEED_KM_PRIV_KEY
+ help
+ Location of the key manifest (KM) public key file in .pem format.
+
+config INTEL_BG_KM_PRIV_KEY_FILE
+ string "Key manifest (KM) private key"
+ depends on INTEL_BG_NEED_KM_PRIV_KEY
+ help
+ Location of the key manifest (KM) private key file in .pem format.
+
+config INTEL_BG_NEED_BPM_PUB_KEY
+ bool
+
+config INTEL_BG_NEED_BPM_PRIV_KEY
+ bool
+
+config INTEL_BG_BPM_PUB_KEY_FILE
+ string "Boot policy manifest (BPM) public key"
+ depends on INTEL_BG_NEED_BPM_PUB_KEY && !INTEL_BG_NEED_BPM_PRIV_KEY
+ help
+ Location of the boot policy manifest (BPM) public key file in .pem format.
+
+config INTEL_BG_BPM_PRIV_KEY_FILE
+ string "Boot policy manifest (BPM) private key"
+ depends on INTEL_BG_NEED_BPM_PRIV_KEY
+ help
+ Location of the boot policy manifest (BPM) private key file in .pem format.
+
+if !INTEL_BG_BG_PROV_KM_USE_CFG_FILE && INTEL_BG_GENERATE_KM
+
+menu "KM options"
+
+config INTEL_BG_KM_VERSION
+ int "KM version"
+ default 1
+ help
+ Version of the Key Manifest defined by the Platform Manufacturer.
+ The actual value is transparent to Boot Guard and is not processed by Boot Guard.
+
+config INTEL_BG_KM_SVN
+ int "KM security Version Number"
+ range 0 15
+ default 0
+ help
+ This value is determined by the Platform Manufacturer.
+ Boot Guard uses this to compare it to the Key Manifest
+ Revocation Value (Revocation.KMSVN) in FPF.
+
+ If KMSVN < Revocation.KMSVN, the KM will be revoked. It will trigger ENF (the
+ enforcement policy).
+ IF KMSVN > Revocation.KMSVN, the Revocation.KMSVN will be set to the KMSVN.
+
+ Note: Once the value reaches 0Fh, revocation saturates and one can no longer
+ revoke newer KMs.
+
+config INTEL_BG_KM_ID
+ int "KM ID"
+ default 1
+ help
+ This identifies the Key Manifest to be used for a platform.
+ This must match the Key Manifest Identifier programmed in
+ the field programmable fuses.
+
+endmenu
+
+endif # !INTEL_BG_BG_PROV_KM_USE_CFG_FILE
+
+if !INTEL_BG_BG_PROV_BPM_USE_CFG_FILE && INTEL_BG_GENERATE_BPM
+menu "BPM options"
+
+config INTEL_BG_BPM_VERSION
+ int "BPM version"
+ default 1
+ help
+ Version of the Key Manifest defined by the Platform Manufacturer.
+ The actual value is transparent to Boot Guard and is not processed by Boot Guard.
+
+config INTEL_BG_BPM_SVN
+ int "BPM Security Version Number"
+ default 0
+ help
+ This value is determined by the Platform Manufacturer.
+
+config INTEL_BG_ACM_SVN
+ int "S-ACM Security Version Number"
+ default 2
+ help
+ This defines the minimum version the S-ACM must have.
+
+config INTEL_BG_NUM_NEM_PAGES
+ int
+ default 32
+ help
+ Set the amount of 4K pages of CAR required.
+
+config INTEL_BG_PBET
+ int "PBET value in s"
+ default 15
+ help
+ Protect BIOS Environment Timer (PBET) value.
+ Factor used by CSE to compute PBE timer value.
+ Actual PBE timer value is set by CSE using formula:
+ PBE timer value = 5 sec + PBETValue.
+
+config INTEL_BG_IBB_FLAGS
+ int "IBB flags"
+ default 7
+ help
+ IBB Control flags.
+ 3: Don't extend PCR 0
+ 7: extend PCR 7
+
+config INTEL_BG_SINIT_SVN
+ int "SINIT ACM security version number"
+ default 0
+ help
+ Minimum required version for the SINIT ACM.
+
+config INTEL_BG_PD_INTERVAL
+ int
+ default 60
+ help
+ Duration of Power Down in 5 sec increments.
+
+endmenu
+
+endif # !INTEL_BG_BG_PROV_BPM_USE_CFG_FILE
+
+config INTEL_BG_KEY_MANIFEST_BINARY
+ string "KM (Key Manifest) binary location"
+ depends on !INTEL_BG_GENERATE_KM
+ help
+ Location of the Key Manifest (KM)
+
+config INTEL_BG_BOOT_POLICY_MANIFEST_BINARY
+ string "BPM (Boot Policy Manifest) binary location"
+ depends on !INTEL_BG_GENERATE_BPM
+ help
+ Location of the Boot Policy Manifest (BPM)
+
+config INTEL_BG_CMOS_OFFSET
+ hex
+ default 0x7e
+ help
+ Address in RTC CMOS used by BG. Uses 2 bytes. If using an option table
+ adapt the cmos.layout accordingly. The bytes should not be checksummed.
+
+endif # INTEL_BG_SUPPORT
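Review bot: the help texts of INTEL_BG_KM_ONLY_UNSIGNED and INTEL_BG_BPM_ONLY_UNSIGNED tell the user to run ifittool with `-s 12` "where 12 is CONFIG_CPU_INTEL_NUM_FIT_ENTRIES", but the first hunk of this change makes that symbol default to 16 whenever INTEL_BG_SUPPORT is set, and the Makefile rules in this change pass `-s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES)`; a manually added KM or BPM would therefore be written with an entry count that differs from the one the build used. Refer to the configured value instead of a literal. Smaller points: the INTEL_BG_BPM_VERSION help says "Version of the Key Manifest", copied from the KM option, and should say Boot Policy Manifest; lines 9 to 11 of the INTEL_BG_SUPPORT help carry trailing whitespace (checkpatch); "IF KMSVN > Revocation.KMSVN" should read "If"; and the INTEL_BG_IBB_FLAGS help ("3: Don't extend PCR 0", "7: extend PCR 7") does not say whether these are bit positions or complete register values, which matters since the default is 7 and this flag decides what gets measured.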
diff --git a/src/security/intel/bg/Makefile.inc b/src/security/intel/bg/Makefile.inc
new file mode 100644
index 0000000..6359328
--- /dev/null
+++ b/src/security/intel/bg/Makefile.inc
@@ -0,0 +1,148 @@
+ifeq ($(CONFIG_INTEL_BG_SUPPORT),y)
+
+ramstage-y += cmos.c
+
+# As specified in Intel Boot Guard BIOS
+# Specification, document number # 558294
+PK_HASH_ALG_SHA1:=4
+PK_HASH_ALG_SHA256:=11
+
+# The private key also contains the public key, so use that if a private key is provided.
+ifeq ($(CONFIG_INTEL_BG_NEED_KM_PRIV_KEY),y)
+$(obj)/km_pub.pem: $(call strip_quotes, $(CONFIG_INTEL_BG_KM_PRIV_KEY_FILE))
+ openssl pkey -in $< -pubout > $@
+else ifeq ($(CONFIG_INTEL_BG_NEED_KM_PUB_KEY),y)
+$(obj)/km_pub.pem: $(call strip_quotes, $(CONFIG_INTEL_BG_KM_PUB_KEY_FILE))
+ cp $< $@
+endif
+
+# The private key also contains the public key, so use that if a private key is provided.
+ifeq ($(CONFIG_INTEL_BG_NEED_BPM_PRIV_KEY),y)
+$(obj)/bpm_pub.pem: $(call strip_quotes, $(CONFIG_INTEL_BG_BPM_PRIV_KEY_FILE))
+ openssl pkey -in $< -pubout > $@
+else ifeq ($(CONFIG_INTEL_BG_NEED_BPM_PUB_KEY),y)
+$(obj)/bpm_pub.pem: $(call strip_quotes, $(CONFIG_INTEL_BG_BPM_PUB_KEY_FILE))
+ cp $< $@
+endif
+
+BG_PROV:=$(obj)/bg-prov
+BG_CFG:=$(obj)/bg.json
+
+ifneq ($(CONFIG_INTEL_BG_PROV_EXTERNAL_BIN),y)
+$(BG_PROV):
+ printf " BG_PROV building tool\n"
+ cd 3rdparty/intel-sec-tools; \
+ GO111MODULE=on go mod download; \
+ GO111MODULE=on go mod verify; \
+ GO111MODULE=on go build -o $(top)/$@ cmd/bg-prov/*.go
+else
+$(BG_PROV): $(call strip_quotes, $(CONFIG_INTEL_BG_PROV_EXTERNAL_BIN_PATH))
+ cp $< $@
+endif
+
+$(BG_CFG): $(call strip_quotes, $(CONFIG_INTEL_BG_BG_PROV_CFG_FILE))
+ cp $(CONFIG_INTEL_BG_BG_PROV_CFG_FILE) $@
+
+ifeq ($(CONFIG_INTEL_BG_GENERATE_BPM),y)
+ifeq ($(CONFIG_INTEL_BG_BG_PROV_BPM_USE_CFG_FILE),y)
+$(obj)/bpm_unsigned.bin: $(obj)/coreboot.rom $(BG_PROV) $(BG_CFG)
+ printf " BG_PROV creating unsigned BPM using config file\n"
+ $(BG_PROV) bpm-gen $@ $< --config=$(BG_CFG) --cut
+else
+$(obj)/bpm_unsigned.bin: $(obj)/coreboot.rom $(BG_PROV)
+ printf " BG_PROV creating unsigned BPM\n"
+ $(BG_PROV) bpm-gen $@ $< --pmbpmversion=$(CONFIG_INTEL_BG_BPM_VERSION) \
+ --svn=$(CONFIG_INTEL_BG_BPM_SVN) \
+ --acmsvn=$(CONFIG_INTEL_BG_ACM_SVN) \
+ --nems=$(CONFIG_INTEL_BG_NUM_NEM_PAGES) \
+ --pbet=$(CONFIG_INTEL_BG_PBET) \
+ --ibbflags=$(CONFIG_INTEL_BG_IBB_FLAGS) \
+ --entrypoint=$(shell printf "%d" 0xfffffff0) \
+ --out=$(obj)/bpm_cfg.json
+endif
+
+ifeq ($(CONFIG_INTEL_BG_BPM_ONLY_UNSIGNED),y)
+build_complete:: $(obj)/bpm_unsigned.bin
+ @printf "\n** WARNING **\n"
+ @printf "Build generated an unsigned BPM image: build/bpm_unsigned.bin.\n"
+ @printf "The resulting image will not work with BG.\n"
+ @printf "After you have externally signed the image you can add it to the coreboot image:\n"
+ @printf "$$ cbfstool build/coreboot.rom add -f bpm.bin -n boot_policy_manifest.bin -t raw -a 16\n"
+ @printf "$$ ifittool -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s 12 -f build/coreboot.rom\n"
+else
+$(obj)/bpm.bin: $(obj)/bpm_unsigned.bin $(BG_PROV) $(call strip_quotes, $(CONFIG_INTEL_BG_BPM_PRIV_KEY_FILE))
+ printf " BG_PROV signing real BPM\n"
+ $(BG_PROV) bpm-sign $< $@ $(CONFIG_INTEL_BG_BPM_PRIV_KEY_FILE) ""
+
+# Add BPM at the end of the build when all files have been added
+files_added:: $(obj)/bpm.bin
+ printf " BG Adding BPM\n"
+ $(CBFSTOOL) $(obj)/coreboot.rom add -f $< -n boot_policy_manifest.bin -a 0x10 -t raw
+ printf " IFITTOOL Adding BPM\n"
+ $(IFITTOOL) -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $(obj)/coreboot.rom
+
+endif # CONFIG_INTEL_BG_BPM_ONLY_UNSIGNED
+
+else # CONFIG_INTEL_BG_GENERATE_BPM
+
+ifneq ($(CONFIG_INTEL_BG_BOOT_POLICY_MANIFEST_BINARY),"")
+cbfs-files-y += boot_policy_manifest.bin
+boot_policy_manifest.bin-file := $(CONFIG_INTEL_BG_BOOT_POLICY_MANIFEST_BINARY)
+boot_policy_manifest.bin-type := raw
+boot_policy_manifest.bin-align := 0x10
+
+$(call add_intermediate, add_bpm_fit, $(IFITTOOL) set_fit_ptr)
+ $(IFITTOOL) -r COREBOOT -a -n boot_policy_manifest.bin -t 12 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
+endif
+endif # CONFIG_INTEL_BG_GENERATE_BPM
+
+ifeq ($(CONFIG_INTEL_BG_GENERATE_KM),y)
+ifeq ($(CONFIG_INTEL_BG_BG_PROV_KM_USE_CFG_FILE),y)
+$(obj)/km_unsigned.bin: $(obj)/km_pub.pem $(BG_PROV) $(BG_CFG)
+ printf " BG_PROV creating unsigned KM using config file\n"
+ $(BG_PROV) km-gen $@ $< --config=$(BG_CFG)
+else
+$(obj)/km_unsigned.bin: $(obj)/km_pub.pem $(obj)/bpm_pub.pem $(BG_PROV)
+ printf " BG_PROV creating unsigned KM\n"
+ $(BG_PROV) km-gen $@ $< --kmversion=$(CONFIG_INTEL_BG_KM_VERSION) \
+ --svn=$(CONFIG_INTEL_BG_KM_SVN) \
+ --id=$(CONFIG_INTEL_BG_KM_ID) \
+ --bpmpubkey=$(obj)/bpm_pub.pem \
+ --bpmhashalgo=$(PK_HASH_ALG_SHA256) \
+ --out=$(obj)/km_cfg.json
+endif
+
+$(obj)/km.bin: $(obj)/km_unsigned.bin $(BG_PROV) $(call strip_quotes, $(CONFIG_INTEL_BG_KM_PRIV_KEY_FILE))
+ printf " BG_PROV signing KM\n"
+ $(BG_PROV) km-sign $< $@ $(CONFIG_INTEL_BG_KM_PRIV_KEY_FILE) ""
+
+KM_FILE=$(obj)/km.bin
+else
+KM_FILE=$(CONFIG_INTEL_BG_KEY_MANIFEST_BINARY)
+endif
+
+ifneq ($(KM_FILE),"")
+ifeq ($(CONFIG_INTEL_BG_KM_ONLY_UNSIGNED),y)
+$(call add_intermediate, gen_unsigned_km, $(obj)/km_unsigned.bin)
+ @printf "Generating unsgined KM\n"
+
+build_complete::
+ @printf "\n** WARNING **\n"
+ @printf "Build generated an unsigned KM image: build/km_unsiged.bin.\n"
+ @printf "The resulting image will not work with BG.\n"
+ @printf "After you have externally signed the image you can add it to the coreboot image:\n"
+ @printf "$$ cbfstool build/coreboot.rom add -f km.bin -n key_manifest.bin -t raw -a 16\n"
+ @printf "$$ ifittool -r COREBOOT -a -n key_manifest.bin -t 11 -s 12 -f build/coreboot.rom\n"
+
+else
+cbfs-files-y += key_manifest.bin
+key_manifest.bin-file := $(KM_FILE)
+key_manifest.bin-type := raw
+key_manifest.bin-align := 0x10
+
+$(call add_intermediate, add_km_fit, $(IFITTOOL) set_fit_ptr)
+ $(IFITTOOL) -r COREBOOT -a -n key_manifest.bin -t 11 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
+endif
+
+endif # CONFIG_INTEL_BG_KM_ONLY_UNSIGNED
+endif # CONFIG_INTEL_BG_SUPPORT
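Review bot: the endif labels at the end of the KM block are off by one: the line `endif # CONFIG_INTEL_BG_KM_ONLY_UNSIGNED` actually closes `ifneq ($(KM_FILE),"")`, while the KM_ONLY_UNSIGNED conditional is closed by the unlabelled `endif` two lines above it; relabel them so the nesting can be followed. The build_complete warnings hard-code `-s 12` for ifittool, whereas the real rules (`files_added::` and the add_km_fit/add_bpm_fit intermediates) pass `-s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES)`, which this change defaults to 16; print the configured value in the warning. Typos in the printf strings: "unsgined" and "km_unsiged.bin". The $(BG_CFG) rule strips the quotes from its prerequisite but then copies `$(CONFIG_INTEL_BG_BG_PROV_CFG_FILE)` with the quotes still in it; use `cp $< $@` as the km_pub.pem and bpm_pub.pem rules do, and for consistency pass the stripped path to `km-sign` and `bpm-sign` as well rather than relying on the shell to remove the quotes.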
diff --git a/src/security/intel/bg/cmos.c b/src/security/intel/bg/cmos.c
new file mode 100644
index 0000000..318828b
--- /dev/null
+++ b/src/security/intel/bg/cmos.c
@@ -0,0 +1,16 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+
+/*
+ * Address of the MRC status byte in CMOS. Should be reserved
+ * in mainboards' cmos.layout and not covered by checksum.
+ */
+
+#if CONFIG(USE_OPTION_TABLE)
+#include "option_table.h"
+#if CMOS_VSTART_cbnt_cmos != CONFIG_INTEL_CBNT_CMOS_OFFSET * 8
+#error "CMOS start for CBNT CMOS is not correct, check your cmos.layout"
+#endif
+#if CMOS_VLEN_cbnt_cmos != 16
+#error "CMOS length for CBNT CMOS bytes are not correct, check your cmos.layout"
+#endif
+#endif
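Review bot: the compile-time checks reference the CBnT symbols (CMOS_VSTART_cbnt_cmos, CONFIG_INTEL_CBNT_CMOS_OFFSET, CMOS_VLEN_cbnt_cmos) rather than the INTEL_BG_CMOS_OFFSET option this change introduces, so a Boot Guard build with USE_OPTION_TABLE never validates its own CMOS reservation; if those macros are undefined in a BG-only configuration, the preprocessor evaluates them as 0 and both `#if` comparisons pass silently. Check a Boot Guard layout entry against `CONFIG_INTEL_BG_CMOS_OFFSET * 8` and a length of 16 bits (two bytes, as the INTEL_BG_CMOS_OFFSET help states), and fix the header comment, which still describes an "MRC status byte". The file is listed in ramstage-y but contains only preprocessor checks; that is fine as a build-time assertion, but a comment saying so would help.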
--
Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I2b73a79f51692178e8565803efb2c9caf3096ff9
Gerrit-Change-Number: 55048
Gerrit-PatchSet: 1
Gerrit-Owner: Christopher Meis
Gerrit-MessageType: newchange