Philipp Deppenwiese merged this change.

Approvals:
  build bot (Jenkins): Verified
  Philipp Deppenwiese: Looks good to me, approved

vendorcode/eltan: Add vendor code for measured and verified boot

This patch contains the general files for the vendorcode/eltan that has
been uploaded recently:
- Add eltan directory to vendorcode.
- Add documentation about the support in the vendorcode directories.
- Add the Makefile.inc and Kconfig for the vendorcode/eltan and
vendorcode/eltan/security.

BUG=N/A
TEST=Created verified binary and verify logging on Portwell PQ-M107

Change-Id: Ic1d5a21d40b6a31886777e8e9fe7b28c860f1a80
Signed-off-by: Frans Hendriks <fhendriks@eltan.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/30218
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
---
A Documentation/vendorcode/eltan/index.md
A Documentation/vendorcode/eltan/security.md
M src/vendorcode/Makefile.inc
A src/vendorcode/eltan/Kconfig
A src/vendorcode/eltan/Makefile.inc
A src/vendorcode/eltan/security/Kconfig
A src/vendorcode/eltan/security/Makefile.inc
7 files changed, 127 insertions(+), 0 deletions(-)

diff --git a/Documentation/vendorcode/eltan/index.md b/Documentation/vendorcode/eltan/index.md
new file mode 100644
index 0000000..4484798
--- /dev/null
+++ b/Documentation/vendorcode/eltan/index.md
@@ -0,0 +1,8 @@
+# Eltan vendorcode-specific documentation
+
+This section contains documentation about coreboot on Eltan specific
+vendorcode.
+
+## Sections
+
+- [Security](security.md)
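
Review bot: nothing in this change links to the new `index.md`. The file list touches no parent index under `Documentation/`, so this page and `security.md` are reachable only by direct path. Add an entry for `eltan/index.md` to whichever parent index lists vendorcode documentation, in the same change. Minor: "Eltan specific" in the body should be hyphenated the way the heading's "vendorcode-specific" is.
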
diff --git a/Documentation/vendorcode/eltan/security.md b/Documentation/vendorcode/eltan/security.md
new file mode 100644
index 0000000..04537df
--- /dev/null
+++ b/Documentation/vendorcode/eltan/security.md
@@ -0,0 +1,39 @@
+# Eltan Security
+
+## Security
+This code enables measured boot and verified boot support.
+Verified boot is available in coreboot, but based on ChromeOS. This vendorcode
+uses a small encryption library and leave much more space in flash for the
+payload.
+
+## Hashing Library
+The library suppports SHA-1, SHA-256 and SHA-512. The required routines of
+`3rdparty/vboot/firmware/2lib` are used.
+
+## Measured boot
+measured boot support will use TPM2 device if available. The items specified
+in `mb_log_list[]` will be measured.
+
+## Verified boot
+verified boot support will use TPM2 device if available. The items specified
+in the next table will be verified:
+* `bootblock_verify_list[]`
+* `verify_item_t romstage_verify_list[]`
+* `ram_stage_additional_list[]`
+* `ramstage_verify_list[]`
+* `payload_verify_list[]`
+* `oprom_verify_list[]`
+
+## Enabling support
+
+* Measured boot can be enabled using **CONFIG_MBOOT**
+* Create mb_log_list table with list of item to measure
+* Create tables bootblock_verify_list[], verify_item_t romstage_verify_list[],
+ ram_stage_additional_list[], ramstage_verify_list[], payload_verify_list[],
+ oprom_verify_list[]
+* Verified boot can be enabled using **CONFIG_VERIFIED_BOOT**
+* Added Kconfig values for verbose console output
+
+## Debugging
+
+You can enable verbose console output in *menuconfig*.
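
Review bot: the "Measured boot" and "Verified boot" sections say a TPM2 device is used "if available" but never state what happens when it is absent, or when an item in one of the verify lists fails verification. For a security feature that failure behaviour is the first thing an integrator needs, so state it explicitly (halt, fall back, or log only). The text should also say where the reference hashes or keys for the `*_verify_list[]` items are stored and how they are protected, and which of SHA-1, SHA-256 and SHA-512 is used for verification, since SHA-1 is no longer collision-resistant. Wording: "suppports" is a typo, "leave" should be "leaves", "small encryption library" conflicts with the "Hashing Library" section, "the next table" introduces a bullet list, `verify_item_t romstage_verify_list[]` carries a type name the other entries do not (here and under "Enabling support"), and "Added Kconfig values for verbose console output" reads as a changelog entry rather than an enabling step.
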
diff --git a/src/vendorcode/Makefile.inc b/src/vendorcode/Makefile.inc
index 522d415..8ccb0d0 100644
--- a/src/vendorcode/Makefile.inc
+++ b/src/vendorcode/Makefile.inc
@@ -3,3 +3,4 @@
subdirs-y += intel
subdirs-y += siemens
subdirs-y += cavium
+subdirs-y += eltan
diff --git a/src/vendorcode/eltan/Kconfig b/src/vendorcode/eltan/Kconfig
new file mode 100644
index 0000000..731dd2c
--- /dev/null
+++ b/src/vendorcode/eltan/Kconfig
@@ -0,0 +1,17 @@
+##
+## This file is part of the coreboot project.
+##
+## Copyright (C) 2014-2018 Eltan B.V.
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; version 2 of the License.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+
+source src/vendorcode/eltan/security/mboot/Kconfig
+source src/vendorcode/eltan/security/verified_boot/Kconfig
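
Review bot: the two `source` lines at the end of this file are identical to the two in `src/vendorcode/eltan/security/Kconfig` later in this change, and this file never sources `security/Kconfig` itself. As written, either `security/Kconfig` is never read, or, if something else sources it, the mboot and verified_boot options are pulled in twice. Replace both lines with a single `source src/vendorcode/eltan/security/Kconfig` so the Kconfig hierarchy matches the Makefile.inc chain (`eltan` then `security`). The copyright range here is 2014-2018 while the other new files say 2018.
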
diff --git a/src/vendorcode/eltan/Makefile.inc b/src/vendorcode/eltan/Makefile.inc
new file mode 100644
index 0000000..1f6a406
--- /dev/null
+++ b/src/vendorcode/eltan/Makefile.inc
@@ -0,0 +1,16 @@
+#
+# This file is part of the coreboot project.
+#
+# Copyright (C) 2018 Eltan B.V.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+
+subdirs-y += security
diff --git a/src/vendorcode/eltan/security/Kconfig b/src/vendorcode/eltan/security/Kconfig
new file mode 100644
index 0000000..2af5808
--- /dev/null
+++ b/src/vendorcode/eltan/security/Kconfig
@@ -0,0 +1,16 @@
+## This file is part of the coreboot project.
+##
+## Copyright (C) 2018 Eltan B.V.
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; version 2 of the License.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+
+source src/vendorcode/eltan/security/mboot/Kconfig
+source src/vendorcode/eltan/security/verified_boot/Kconfig
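
Review bot: both files sourced here, `security/mboot/Kconfig` and `security/verified_boot/Kconfig`, are absent from this change's file list (7 files, none under `mboot/` or `verified_boot/`), so this file depends on other changes landing first. Say so in the commit message, or order the series so the tree parses at every commit. The header also starts directly at "This file is part of the coreboot project." without the opening `##` line that `src/vendorcode/eltan/Kconfig` has.
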
diff --git a/src/vendorcode/eltan/security/Makefile.inc b/src/vendorcode/eltan/security/Makefile.inc
new file mode 100644
index 0000000..26b324b
--- /dev/null
+++ b/src/vendorcode/eltan/security/Makefile.inc
@@ -0,0 +1,30 @@
+## This file is part of the coreboot project.
+##
+## Copyright (C) 2018 Eltan B.V.
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; version 2 of the License.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+
+subdirs-y += lib
+subdirs-y += verified_boot
+subdirs-y += mboot
+
+ifeq ($(CONFIG_MBOOT), y)
+CPPFLAGS_common += -I$(src)/vendorcode/eltan/security/mboot
+CPPFLAGS_common += -I$(src)/vendorcode/eltan/security/include
+endif
+
+ifeq ($(CONFIG_VERIFIED_BOOT), y)
+CPPFLAGS_common += -I$(src)/vendorcode/eltan/security/verified_boot
+endif
+
+ifeq ($(CONFIG_TPM2),y)
+CPPFLAGS_common += -I$(src)/security/include
+endif
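
Review bot: `subdirs-y += lib`, `verified_boot` and `mboot` are added unconditionally, while the include paths below them are gated on `CONFIG_MBOOT` and `CONFIG_VERIFIED_BOOT`, and none of the three directories is in this change's file list. Gate them the same way (for example `subdirs-$(CONFIG_MBOOT) += mboot`), or confirm that each sub-Makefile guards its own objects. The `-I` paths go into `CPPFLAGS_common`, so they apply well beyond this vendorcode directory and a header name in `mboot/` or `verified_boot/` can collide with one elsewhere in the tree. The `CONFIG_TPM2` block adds `-I$(src)/security/include`, a path outside vendorcode that would be better set where `src/security` is built. Style: `ifeq ($(CONFIG_MBOOT), y)` and `ifeq ($(CONFIG_VERIFIED_BOOT), y)` have a space after the comma, `ifeq ($(CONFIG_TPM2),y)` does not.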


Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: Ic1d5a21d40b6a31886777e8e9fe7b28c860f1a80
Gerrit-Change-Number: 30218
Gerrit-PatchSet: 12
Gerrit-Owner: Frans Hendriks <fhendriks@eltan.com>
Gerrit-Reviewer: Frans Hendriks <fhendriks@eltan.com>
Gerrit-Reviewer: Martin Roth <martinroth@google.com>
Gerrit-Reviewer: Patrick Georgi <pgeorgi@google.com>
Gerrit-Reviewer: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Gerrit-Reviewer: build bot (Jenkins) <no-reply@coreboot.org>
Gerrit-CC: Angel Pons <th3fanbus@gmail.com>
Gerrit-CC: Arthur Heymans <arthur@aheymans.xyz>
Gerrit-CC: Nico Huber <nico.h@gmx.de>
Gerrit-CC: Patrick Rudolph
Gerrit-CC: Patrick Rudolph <siro@das-labor.org>
Gerrit-CC: Paul Menzel <paulepanter@users.sourceforge.net>
Gerrit-MessageType: merged