Attention is currently required from: Felix Singer, Nico Huber, Paul Menzel, Maximilian Brune, Angel Pons.

Maximilian Brune uploaded patch set #27 to this change.

Add SBOM (Software Bill of Materials) Generation

Firmware is most of the time just one final image that gets flashed.
Since this final image consists of binaries/code from a vast number
of different people/companies, it's hard to actually determine
all the small parts included in it. The goal is to take a firmware image
and easily find out what it consists of, basically answering
the question: who supplied the code that's running on my system
right now? For example, buyers can use an SBOM to perform an automated
vulnerability check or license analysis, both of which can be used
to evaluate risk in a product. Furthermore, one can check fast if the
firmware is exposed to a new vulnerability included in one of the
software parts (with the specified version) of the firmware.
Further reference: https://blogs.gnome.org/hughsie/2022/03/10/firmware-software-bill-of-materials/

- Add Makefile.inc to generate and build coswid tags
- Add templates for most payloads, coreboot, intel-microcode and
intel-management engine
- Add Kconfig entries to optionally add coswid tags for
payloads, coreboot, intel microcode and intel management engine
- Add CBFS entry called SBOM to each build via Makefile.inc
- Add goswid utility tool to generate SBOM data

Signed-off-by: Maximilian Brune <maximilian.brune@9elements.com>
Change-Id: Icb7481d4903f95d200eddbfed7728fbec51819d0
---
M Makefile.inc
M payloads/Kconfig
M src/Kconfig
M src/cpu/Kconfig
A src/sbom/Makefile.inc
A src/sbom/coreboot.json.src
A src/sbom/intel-me.json.src
A src/sbom/intel-microcode.json.src
A src/sbom/payload-BOOTBOOT.json.src
A src/sbom/payload-FILO.json.src
A src/sbom/payload-GRUB2.json.src
A src/sbom/payload-LinuxBoot.json.src
A src/sbom/payload-SeaBIOS.json.src
A src/sbom/payload-U-Boot.json.src
A src/sbom/payload-Yabits.json.src
A src/sbom/payload-depthcharge.json.src
A src/sbom/payload-iPXE.json.src
A src/sbom/payload-skiboot.json.src
M src/southbridge/intel/common/firmware/Kconfig
A util/goswid/cmd/main.go
A util/goswid/go.mod
A util/goswid/go.sum
A util/goswid/pkg/uswid/uswid.go
A util/goswid/vendor/github.com/davecgh/go-spew/LICENSE
A util/goswid/vendor/github.com/davecgh/go-spew/spew/bypass.go
A util/goswid/vendor/github.com/davecgh/go-spew/spew/bypasssafe.go
A util/goswid/vendor/github.com/davecgh/go-spew/spew/common.go
A util/goswid/vendor/github.com/davecgh/go-spew/spew/config.go
A util/goswid/vendor/github.com/davecgh/go-spew/spew/doc.go
A util/goswid/vendor/github.com/davecgh/go-spew/spew/dump.go
A util/goswid/vendor/github.com/davecgh/go-spew/spew/format.go
A util/goswid/vendor/github.com/davecgh/go-spew/spew/spew.go
A util/goswid/vendor/github.com/fxamacker/cbor/v2/.gitignore
A util/goswid/vendor/github.com/fxamacker/cbor/v2/.golangci.yml
A util/goswid/vendor/github.com/fxamacker/cbor/v2/CBOR_BENCHMARKS.md
A util/goswid/vendor/github.com/fxamacker/cbor/v2/CBOR_GOLANG.md
A util/goswid/vendor/github.com/fxamacker/cbor/v2/CODE_OF_CONDUCT.md
A util/goswid/vendor/github.com/fxamacker/cbor/v2/CONTRIBUTING.md
A util/goswid/vendor/github.com/fxamacker/cbor/v2/LICENSE
A util/goswid/vendor/github.com/fxamacker/cbor/v2/README.md
A util/goswid/vendor/github.com/fxamacker/cbor/v2/SECURITY.md
A util/goswid/vendor/github.com/fxamacker/cbor/v2/cache.go
A util/goswid/vendor/github.com/fxamacker/cbor/v2/decode.go
A util/goswid/vendor/github.com/fxamacker/cbor/v2/doc.go
A util/goswid/vendor/github.com/fxamacker/cbor/v2/encode.go
A util/goswid/vendor/github.com/fxamacker/cbor/v2/stream.go
A util/goswid/vendor/github.com/fxamacker/cbor/v2/structfields.go
A util/goswid/vendor/github.com/fxamacker/cbor/v2/tag.go
A util/goswid/vendor/github.com/fxamacker/cbor/v2/valid.go
A util/goswid/vendor/github.com/google/uuid/.travis.yml
A util/goswid/vendor/github.com/google/uuid/CONTRIBUTING.md
A util/goswid/vendor/github.com/google/uuid/CONTRIBUTORS
A util/goswid/vendor/github.com/google/uuid/LICENSE
A util/goswid/vendor/github.com/google/uuid/README.md
A util/goswid/vendor/github.com/google/uuid/dce.go
A util/goswid/vendor/github.com/google/uuid/doc.go
A util/goswid/vendor/github.com/google/uuid/hash.go
A util/goswid/vendor/github.com/google/uuid/marshal.go
A util/goswid/vendor/github.com/google/uuid/node.go
A util/goswid/vendor/github.com/google/uuid/node_js.go
A util/goswid/vendor/github.com/google/uuid/node_net.go
A util/goswid/vendor/github.com/google/uuid/null.go
A util/goswid/vendor/github.com/google/uuid/sql.go
A util/goswid/vendor/github.com/google/uuid/time.go
A util/goswid/vendor/github.com/google/uuid/util.go
A util/goswid/vendor/github.com/google/uuid/uuid.go
A util/goswid/vendor/github.com/google/uuid/version1.go
A util/goswid/vendor/github.com/google/uuid/version4.go
A util/goswid/vendor/github.com/pmezard/go-difflib/LICENSE
A util/goswid/vendor/github.com/pmezard/go-difflib/difflib/difflib.go
A util/goswid/vendor/github.com/stretchr/testify/LICENSE
A util/goswid/vendor/github.com/stretchr/testify/assert/assertion_compare.go
A util/goswid/vendor/github.com/stretchr/testify/assert/assertion_format.go
A util/goswid/vendor/github.com/stretchr/testify/assert/assertion_format.go.tmpl
A util/goswid/vendor/github.com/stretchr/testify/assert/assertion_forward.go
A util/goswid/vendor/github.com/stretchr/testify/assert/assertion_forward.go.tmpl
A util/goswid/vendor/github.com/stretchr/testify/assert/assertions.go
A util/goswid/vendor/github.com/stretchr/testify/assert/doc.go
A util/goswid/vendor/github.com/stretchr/testify/assert/errors.go
A util/goswid/vendor/github.com/stretchr/testify/assert/forward_assertions.go
A util/goswid/vendor/github.com/stretchr/testify/assert/http_assertions.go
A util/goswid/vendor/github.com/stretchr/testify/require/doc.go
A util/goswid/vendor/github.com/stretchr/testify/require/forward_requirements.go
A util/goswid/vendor/github.com/stretchr/testify/require/require.go
A util/goswid/vendor/github.com/stretchr/testify/require/require.go.tmpl
A util/goswid/vendor/github.com/stretchr/testify/require/require_forward.go
A util/goswid/vendor/github.com/stretchr/testify/require/require_forward.go.tmpl
A util/goswid/vendor/github.com/stretchr/testify/require/requirements.go
A util/goswid/vendor/github.com/veraison/swid/.gitignore
A util/goswid/vendor/github.com/veraison/swid/.golangci.yml
A util/goswid/vendor/github.com/veraison/swid/CODE_OF_CONDUCT.md
A util/goswid/vendor/github.com/veraison/swid/CONTRIBUTING.md
A util/goswid/vendor/github.com/veraison/swid/LICENSE
A util/goswid/vendor/github.com/veraison/swid/Makefile
A util/goswid/vendor/github.com/veraison/swid/README.md
A util/goswid/vendor/github.com/veraison/swid/cbor.go
A util/goswid/vendor/github.com/veraison/swid/common.go
A util/goswid/vendor/github.com/veraison/swid/coswid_extension.go
A util/goswid/vendor/github.com/veraison/swid/directories.go
A util/goswid/vendor/github.com/veraison/swid/directory.go
A util/goswid/vendor/github.com/veraison/swid/directory_extension.go
A util/goswid/vendor/github.com/veraison/swid/doc.go
A util/goswid/vendor/github.com/veraison/swid/entities.go
A util/goswid/vendor/github.com/veraison/swid/entity.go
A util/goswid/vendor/github.com/veraison/swid/entity_extension.go
A util/goswid/vendor/github.com/veraison/swid/evidence.go
A util/goswid/vendor/github.com/veraison/swid/evidence_extension.go
A util/goswid/vendor/github.com/veraison/swid/evidences.go
A util/goswid/vendor/github.com/veraison/swid/file.go
A util/goswid/vendor/github.com/veraison/swid/file_extension.go
A util/goswid/vendor/github.com/veraison/swid/files.go
A util/goswid/vendor/github.com/veraison/swid/filesystemitem.go
A util/goswid/vendor/github.com/veraison/swid/globalattributes.go
A util/goswid/vendor/github.com/veraison/swid/hashentry.go
A util/goswid/vendor/github.com/veraison/swid/link.go
A util/goswid/vendor/github.com/veraison/swid/link_extension.go
A util/goswid/vendor/github.com/veraison/swid/links.go
A util/goswid/vendor/github.com/veraison/swid/ownership.go
A util/goswid/vendor/github.com/veraison/swid/payload.go
A util/goswid/vendor/github.com/veraison/swid/payload_extension.go
A util/goswid/vendor/github.com/veraison/swid/payloads.go
A util/goswid/vendor/github.com/veraison/swid/process.go
A util/goswid/vendor/github.com/veraison/swid/process_extension.go
A util/goswid/vendor/github.com/veraison/swid/processes.go
A util/goswid/vendor/github.com/veraison/swid/rel.go
A util/goswid/vendor/github.com/veraison/swid/resource.go
A util/goswid/vendor/github.com/veraison/swid/resource_extension.go
A util/goswid/vendor/github.com/veraison/swid/resourcecollection.go
A util/goswid/vendor/github.com/veraison/swid/resourcecollection_extension.go
A util/goswid/vendor/github.com/veraison/swid/resources.go
A util/goswid/vendor/github.com/veraison/swid/roles.go
A util/goswid/vendor/github.com/veraison/swid/roundtripper.go
A util/goswid/vendor/github.com/veraison/swid/softwareidentity.go
A util/goswid/vendor/github.com/veraison/swid/softwaremeta.go
A util/goswid/vendor/github.com/veraison/swid/softwaremeta_extension.go
A util/goswid/vendor/github.com/veraison/swid/softwaremetas.go
A util/goswid/vendor/github.com/veraison/swid/tagid.go
A util/goswid/vendor/github.com/veraison/swid/test_utils.go
A util/goswid/vendor/github.com/veraison/swid/use.go
A util/goswid/vendor/github.com/veraison/swid/versionscheme.go
A util/goswid/vendor/github.com/x448/float16/.travis.yml
A util/goswid/vendor/github.com/x448/float16/LICENSE
A util/goswid/vendor/github.com/x448/float16/README.md
A util/goswid/vendor/github.com/x448/float16/float16.go
A util/goswid/vendor/gopkg.in/yaml.v3/.travis.yml
A util/goswid/vendor/gopkg.in/yaml.v3/LICENSE
A util/goswid/vendor/gopkg.in/yaml.v3/NOTICE
A util/goswid/vendor/gopkg.in/yaml.v3/README.md
A util/goswid/vendor/gopkg.in/yaml.v3/apic.go
A util/goswid/vendor/gopkg.in/yaml.v3/decode.go
A util/goswid/vendor/gopkg.in/yaml.v3/emitterc.go
A util/goswid/vendor/gopkg.in/yaml.v3/encode.go
A util/goswid/vendor/gopkg.in/yaml.v3/parserc.go
A util/goswid/vendor/gopkg.in/yaml.v3/readerc.go
A util/goswid/vendor/gopkg.in/yaml.v3/resolve.go
A util/goswid/vendor/gopkg.in/yaml.v3/scannerc.go
A util/goswid/vendor/gopkg.in/yaml.v3/sorter.go
A util/goswid/vendor/gopkg.in/yaml.v3/writerc.go
A util/goswid/vendor/gopkg.in/yaml.v3/yaml.go
A util/goswid/vendor/gopkg.in/yaml.v3/yamlh.go
A util/goswid/vendor/gopkg.in/yaml.v3/yamlprivateh.go
A util/goswid/vendor/modules.txt
162 files changed, 33,607 insertions(+), 0 deletions(-)

git pull ssh://review.coreboot.org:29418/coreboot refs/changes/39/63639/27

To view, visit change 63639.

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: Icb7481d4903f95d200eddbfed7728fbec51819d0
Gerrit-Change-Number: 63639
Gerrit-PatchSet: 27
Gerrit-Owner: Maximilian Brune <maximilian.brune@9elements.com>
Gerrit-Reviewer: Martin L Roth <gaumless@tutanota.com>
Gerrit-Reviewer: Nico Huber <nico.h@gmx.de>
Gerrit-Reviewer: build bot (Jenkins) <no-reply@coreboot.org>
Gerrit-CC: Angel Pons <th3fanbus@gmail.com>
Gerrit-CC: Arthur Heymans <arthur@aheymans.xyz>
Gerrit-CC: Christian Walter <christian.walter@9elements.com>
Gerrit-CC: Felix Singer <felixsinger@posteo.net>
Gerrit-CC: Krystian Hebel <krystian.hebel@3mdeb.com>
Gerrit-CC: Paul Menzel <paulepanter@mailbox.org>
Gerrit-Attention: Felix Singer <felixsinger@posteo.net>
Gerrit-Attention: Nico Huber <nico.h@gmx.de>
Gerrit-Attention: Paul Menzel <paulepanter@mailbox.org>
Gerrit-Attention: Maximilian Brune <maximilian.brune@9elements.com>
Gerrit-Attention: Angel Pons <th3fanbus@gmail.com>
Gerrit-MessageType: newpatchset