Michał Żygowski has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/43394 )
Change subject: Makefile.inc: Add Boot Guard IBB logic for CBFS files ......................................................................
Makefile.inc: Add Boot Guard IBB logic for CBFS files
The Boot Guard implementation will leverage FIT entries to locate IBB files in CBFS to create the IBB hash. ifittool will create entries of type 7, which will then be parsed by another tool to calculate the hash of the whole IBB. These entries will be removed or left untouched based on the Boot Guard revision. This will open a path to support Converged Boot Guard and Trusted Execution Technology.
Signed-off-by: Michał Żygowski michal.zygowski@3mdeb.com Change-Id: I73e23ddbd8c7f6eef2de3cd3baeb656c86917261 --- M Makefile.inc M src/drivers/intel/fsp2_0/Makefile.inc M src/security/vboot/Makefile.inc 3 files changed, 23 insertions(+), 3 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/94/43394/1
diff --git a/Makefile.inc b/Makefile.inc
index 89bb3e4..912dd42 100644
--- a/Makefile.inc
+++ b/Makefile.inc
@@ -712,6 +712,19 @@
endif
+# For Intel BtG files in the CBFS needs to be marked as 'Initial Boot Block'.
+# As CBFS attributes aren't cheap, only mark them if BtG is enabled.
+ifeq ($(CONFIG_INTEL_BOOTGUARD),y)
+
+BTGIBB := --ibb
+
+else
+
+BTGIBB :=
+
+endif
+
+
 ifeq ($(CONFIG_COMPRESS_BOOTBLOCK),y)
$(objcbfs)/bootblock.lz4: $(objcbfs)/bootblock.elf $(objutil)/cbfstool/cbfs-compression-tool
@@ -1051,7 +1064,7 @@
 -f $(objcbfs)/bootblock.bin \
 -n bootblock \
 -t bootblock \
- $(TXTIBB) \
+ $(TXTIBB) $(BTGIBB) \
 -b -$(call file-size,$(objcbfs)/bootblock.bin) $(cbfs-autogen-attributes) \
 $(TS_OPTIONS)
 else # ifeq ($(CONFIG_ARCH_X86),y)
diff --git a/src/drivers/intel/fsp2_0/Makefile.inc b/src/drivers/intel/fsp2_0/Makefile.inc
index e954a46..278036a 100644
--- a/src/drivers/intel/fsp2_0/Makefile.inc
+++ b/src/drivers/intel/fsp2_0/Makefile.inc
@@ -43,7 +43,7 @@
 $(FSP_T_CBFS)-file := $(call strip_quotes,$(CONFIG_FSP_T_FILE))
 $(FSP_T_CBFS)-type := fsp
 ifeq ($(CONFIG_FSP_T_XIP),y)
-$(FSP_T_CBFS)-options := --xip $(TXTIBB)
+$(FSP_T_CBFS)-options := --xip $(TXTIBB) $(BTGIBB)
 endif
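Review bot: The new `BTGIBB` variable duplicates the flag that `$(TXTIBB)` already carries at the same call sites, so with both CONFIG_INTEL_TXT and CONFIG_INTEL_BOOTGUARD enabled the bootblock, FSP-T and verstage entries would presumably be built with `--ibb --ibb` (the `TXTIBB` definition is outside this hunk, so its value is inferred). Whether cbfstool accepts the repeated option is not visible here; a single variable avoids the question, for example `IBB_FLAG := $(if $(filter y,$(CONFIG_INTEL_TXT) $(CONFIG_INTEL_BOOTGUARD)),--ibb)` used in place of `$(TXTIBB) $(BTGIBB)`. The same applies to the `-options` lines in src/drivers/intel/fsp2_0/Makefile.inc and src/security/vboot/Makefile.inc. The added comment would also read better as `# For Intel Boot Guard, files in CBFS that belong to the IBB need to be marked as 'Initial Boot Block'.`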
cbfs-files-$(CONFIG_ADD_FSP_BINARIES) += $(FSP_M_CBFS)
diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc
index 90b2756..4097a53 100644
--- a/src/security/vboot/Makefile.inc
+++ b/src/security/vboot/Makefile.inc
@@ -141,7 +141,14 @@
 endif
endif
-$(CONFIG_CBFS_PREFIX)/verstage-options += $(TXTIBB)
+$(CONFIG_CBFS_PREFIX)/verstage-options += $(BTGIBB) $(TXTIBB)
+
+ifeq ($(CONFIG_INTEL_BOOTGUARD),y)
+INTERMEDIATE+=add_verstage_ibb_fit
+
+add_verstage_ibb_fit: $(obj)/coreboot.pre $(IFITTOOL)
+ $(IFITTOOL) -r COREBOOT -a -n $(CONFIG_CBFS_PREFIX)/verstage -t 7 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $<
+endif
else # CONFIG_VBOOT_SEPARATE_VERSTAGE ifeq ($(CONFIG_VBOOT_STARTS_IN_BOOTBLOCK),y)
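Review bot: Only verstage gets a type 7 FIT entry in `add_verstage_ibb_fit`, while the bootblock and FSP-T also receive `--ibb` in this change; if the hash tool builds the IBB digest from the FIT entries, as the description says, any marked file without an entry would sit outside the Boot Guard hash. Where the other entries come from is not visible in this hunk, so a comment above the rule should say it, e.g. `# Type 7 FIT entry lets the IBB hash tool find verstage; bootblock and FSP-T entries: <rule name, to be filled in>`. The rule also edits `$(obj)/coreboot.pre` in place under a target name that is not a file, so it is worth stating whether a second run against the same image would add a second entry. The option order here is `$(BTGIBB) $(TXTIBB)`, the reverse of the other two call sites. The enclosing conditional for the separate-verstage case starts outside the hunk.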