Patrick Georgi submitted this change.


Approvals:
  build bot (Jenkins): Verified
  Patrick Georgi: Looks good to me, approved
  Frans Hendriks: Looks good to me, approved

mb/facebook/fbg1701: Add public key to bootblock_verify_list

The public key was not verified during the verified boot operation.
This is now added. The items in the manifest are now fixed at 12 as
we always have the postcar stage.

BUG=N/A
TEST=tested on facebook fbg1701

Change-Id: I85fd391294db0ea796001720c2509f797be5aedf
Signed-off-by: Wim Vervoorn <wvervoorn@eltan.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/36504
Reviewed-by: Frans Hendriks <fhendriks@eltan.com>
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
---
M src/mainboard/facebook/fbg1701/board_verified_boot.c
M src/mainboard/facebook/fbg1701/manifest.h
M src/vendorcode/eltan/security/verified_boot/Kconfig
3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/mainboard/facebook/fbg1701/board_verified_boot.c b/src/mainboard/facebook/fbg1701/board_verified_boot.c
index 24e7037..1ccb0b8e 100644
--- a/src/mainboard/facebook/fbg1701/board_verified_boot.c
+++ b/src/mainboard/facebook/fbg1701/board_verified_boot.c
@@ -26,6 +26,10 @@
{ { (void *)0xffffffff - CONFIG_C_ENV_BOOTBLOCK_SIZE + 1,
CONFIG_C_ENV_BOOTBLOCK_SIZE, } }, HASH_IDX_BOOTBLOCK,
MBOOT_PCR_INDEX_0 },
+ { VERIFY_BLOCK, "PublicKey",
+ { { (void *)CONFIG_VENDORCODE_ELTAN_VBOOT_KEY_LOCATION,
+ CONFIG_VENDORCODE_ELTAN_VBOOT_KEY_SIZE, } }, HASH_IDX_PUBLICKEY,
+ MBOOT_PCR_INDEX_0 },
{ VERIFY_TERMINATOR, NULL, { { NULL, 0 } }, 0, 0 }
};
#endif
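
Review bot: The new "PublicKey" entry casts CONFIG_VENDORCODE_ELTAN_VBOOT_KEY_LOCATION straight to a pointer and takes CONFIG_VENDORCODE_ELTAN_VBOOT_KEY_SIZE as the length, and nothing in this hunk guards against either value being zero or pointing outside the flash window, so a misconfigured board would hash whatever sits at that address. A build-time check on both Kconfig values would catch that early. The entry also names MBOOT_PCR_INDEX_0; if that field drives a measurement, the PCR 0 value changes for boards already in the field, and the commit message mentions only verification. Finally, the entry is listed after the bootblock entry while manifest.h keeps the comment that the bootblock index should always be the last one, so a short comment saying whether list order matters would help the next reader.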
diff --git a/src/mainboard/facebook/fbg1701/manifest.h b/src/mainboard/facebook/fbg1701/manifest.h
index 5a583f4..caf9e5e 100644
--- a/src/mainboard/facebook/fbg1701/manifest.h
+++ b/src/mainboard/facebook/fbg1701/manifest.h
@@ -30,6 +30,6 @@
#define HASH_IDX_LOGO 7
#define HASH_IDX_DSDT 8
#define HASH_IDX_POSTCAR_STAGE 9
-#define HASH_IDX_BOOTBLOCK 10 /* Should always be the last one */
-
+#define HASH_IDX_PUBLICKEY 10
+#define HASH_IDX_BOOTBLOCK 11 /* Should always be the last one */
#endif
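
Review bot: Moving HASH_IDX_BOOTBLOCK from 10 to 11 changes the manifest layout, so a manifest built for the old layout would now have its bootblock hash read as the public key hash at index 10. The commit message should state that the manifest generation has to be updated together with this change, and whether old manifests are expected to fail verification. Since the comment says the bootblock index should always be the last one, a build-time assertion that HASH_IDX_BOOTBLOCK + 1 equals CONFIG_VENDORCODE_ELTAN_OEM_MANIFEST_ITEMS would keep the header and the Kconfig default from drifting apart. Minor style point: the blank line before #endif is dropped here.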
diff --git a/src/vendorcode/eltan/security/verified_boot/Kconfig b/src/vendorcode/eltan/security/verified_boot/Kconfig
index d9e989f..ab254c4 100644
--- a/src/vendorcode/eltan/security/verified_boot/Kconfig
+++ b/src/vendorcode/eltan/security/verified_boot/Kconfig
@@ -42,8 +42,7 @@

config VENDORCODE_ELTAN_OEM_MANIFEST_ITEMS
int "Manifest Items"
- default 11 if POSTCAR_STAGE
- default 10
+ default 12

config VENDORCODE_ELTAN_OEM_MANIFEST_ITEM_SIZE
int
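
Review bot: The unconditional "default 12" lives in the shared vendorcode Kconfig but is only correct for a manifest.h that defines exactly twelve indices, as the fbg1701 one now does. The option is also a prompted int ("Manifest Items"), so it can be set to a value that disagrees with the board's HASH_IDX_* defines and nothing visible here would notice. Consider adding help text that ties the value to the board's manifest.h, or setting the count per mainboard, and documenting in the commit message that boards without a postcar stage are no longer supported by this default.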


Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I85fd391294db0ea796001720c2509f797be5aedf
Gerrit-Change-Number: 36504
Gerrit-PatchSet: 9
Gerrit-Owner: Wim Vervoorn
Gerrit-Reviewer: Frans Hendriks <fhendriks@eltan.com>
Gerrit-Reviewer: Patrick Georgi <pgeorgi@google.com>
Gerrit-Reviewer: Wim Vervoorn
Gerrit-Reviewer: build bot (Jenkins) <no-reply@coreboot.org>
Gerrit-CC: Paul Menzel <paulepanter@users.sourceforge.net>
Gerrit-MessageType: merged