Maximilian Brune has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/63639 )
Change subject: Add SBOM (Software Bill of Materials) Generation ......................................................................
Add SBOM (Software Bill of Materials) Generation
Add Makefile.inc to generate and build coswid tags. Add templates for most payloads, coreboot and intel-microcode. Add Kconfig entries to optionally add coswid tags for payloads, coreboot and intel microcode. Add a CBFS entry called sbom to each build via Makefile.inc.
Signed-off-by: Maximilian Brune code.ivng5@simplelogin.co Change-Id: Icb7481d4903f95d200eddbfed7728fbec51819d0 --- M Makefile.inc M payloads/Kconfig M src/Kconfig A src/sbom/Makefile.inc A src/sbom/coreboot.ini.src A src/sbom/intel-microcode.ini.src A src/sbom/payload-BOOTBOOT.ini.src A src/sbom/payload-FILO.ini.src A src/sbom/payload-GRUB2.ini.src A src/sbom/payload-LinuxBoot.ini.src A src/sbom/payload-SeaBIOS.ini.src A src/sbom/payload-U-Boot.ini.src A src/sbom/payload-Yabits.ini.src A src/sbom/payload-depthcharge.ini.src A src/sbom/payload-iPXE.ini.src A src/sbom/payload-skiboot.ini.src M src/southbridge/intel/common/firmware/Kconfig 17 files changed, 318 insertions(+), 0 deletions(-)
diff --git a/Makefile.inc b/Makefile.inc
index 6b1c45c..f438136 100644
--- a/Makefile.inc
+++ b/Makefile.inc
@@ -93,6 +93,7 @@
subdirs-y += src/mainboard/$(MAINBOARDDIR)
subdirs-y += src/security
subdirs-y += payloads payloads/external
+subdirs-y += src/sbom
subdirs-y += site-local
subdirs-y += util/checklist util/testing
diff --git a/payloads/Kconfig b/payloads/Kconfig
index 386b207..f69f091 100644
--- a/payloads/Kconfig
+++ b/payloads/Kconfig
@@ -54,6 +54,30 @@
help
The path and filename of the ELF executable file to use as payload.
+config PAYLOAD_SBOM
+ bool "Include payload uswid tag into SBOM file"
+ default y
+ help
+ Select this option if you want to include a coswid (Concise Software Identification Tag)
+ of the payload into the SBOM (Software Bill of Materials) File in your build
+
+config PAYLOAD_SBOM_GENERATE
+ bool "Generate SBOM file"
+ depends on PAYLOAD_SBOM && !(PAYLOAD_ELF || PAYLOAD_FIT || PAYLOAD_LINUX)
+ default y
+ help
+ Select this option if you want coreboot to generate and include
+ the coswid (Concise Software Identification Tag) instead of supplying it manually.
+ Be aware that this option is only meant to be a transition and suppliers of Software
+ should always prefer to include their own Software descriptions, since ours may be
+ incomplete or straight up wrong.
+
+config PAYLOAD_SBOM_PATH
+ string "SBOM file path"
+ depends on PAYLOAD_SBOM && !PAYLOAD_SBOM_GENERATE
+ help
+ The path of the .ini file describing the payload Software included in the build
+
choice
prompt "Payload compression algorithm"
default COMPRESSED_PAYLOAD_LZMA
diff --git a/src/Kconfig b/src/Kconfig
index d57ce90..4dc24a4 100644
--- a/src/Kconfig
+++ b/src/Kconfig
@@ -426,6 +426,13 @@
override other sources and allow the local image to preempt the mainboard
selected source and can be used for other FW_CONFIG_SOURCEs fallback option.
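Review bot: `PAYLOAD_SBOM_GENERATE` only excludes `PAYLOAD_ELF`, `PAYLOAD_FIT` and `PAYLOAD_LINUX`, but the generator in src/sbom/Makefile.inc has no `payload-git-dir-` entry for TianoCore (that line is commented out) nor for a build without a payload, so with the default `y` those configurations compute an empty template name and fail on a missing `src/sbom/payload-.ini.src`. Extend the guard, e.g. `depends on PAYLOAD_SBOM && !(PAYLOAD_ELF || PAYLOAD_FIT || PAYLOAD_LINUX || PAYLOAD_TIANOCORE)`, and add the no-payload choice if this file has one. `PAYLOAD_SBOM_PATH` has no default and is never validated, so `PAYLOAD_SBOM=y` with `PAYLOAD_SBOM_GENERATE=n` and an empty path ends in a `cp` of nothing at build time; give it a default or make the build fail with an explicit message. The prompt of `PAYLOAD_SBOM` says "uswid tag" while its help says coswid; use one term.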
+config COREBOOT_SBOM
+ bool "Generate SBOM data for coreboot"
+ default y
+ help
+ Select this option if you want to include a coswid (Concise Software Identification Tag)
+ of the corebot itself into the SBOM (Software Bill of Materials) File in your build
+
config HAVE_RAMPAYLOAD
bool
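Review bot: `COREBOOT_SBOM` defaults to `y`, which makes every build run `git log` and the external `uswid` tool (see src/sbom/Makefile.inc), and nothing in this change checks that either is available, so tarball builds and hosts without `uswid` start failing by default. Either default the option to `n` until the tool ships with the toolchain, or have the Makefile fail with an explicit message when `uswid` cannot be found. The help text has a typo, `corebot` → `coreboot`, and the prompt says "Generate SBOM data" while the help says "include a coswid"; the two should use the same wording.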
diff --git a/src/sbom/Makefile.inc b/src/sbom/Makefile.inc
new file mode 100644
index 0000000..cb546c4
--- /dev/null
+++ b/src/sbom/Makefile.inc
@@ -0,0 +1,104 @@
+obj ?= build
+src ?= src
+build-dir = $(obj)/sbom
+src-dir = $(src)/sbom
+
+ifeq ($(CONFIG_PAYLOAD_SBOM), y)
+ifeq ($(CONFIG_PAYLOAD_SBOM_GENERATE), y)
+payload-git-dir-$(CONFIG_PAYLOAD_BOOTBOOT) = payloads/external/BOOTBOOT/bootboot
+payload-git-dir-$(CONFIG_PAYLOAD_DEPTHCHARGE) = payloads/external/depthcharge/depthcharge
+payload-git-dir-$(CONFIG_PAYLOAD_FILO) = payloads/external/FILO/filo
+payload-git-dir-$(CONFIG_PAYLOAD_GRUB2) = payloads/external/GRUB2/grub2
+payload-git-dir-$(CONFIG_PAYLOAD_LINUXBOOT) = payloads/external/LinuxBoot/linuxboot
+payload-git-dir-$(CONFIG_PAYLOAD_SEABIOS) = payloads/external/SeaBIOS/seabios
+payload-git-dir-$(CONFIG_PAYLOAD_SKIBOOT) = payloads/external/skiboot/skiboot
+#payload-git-dir-$(CONFIG_PAYLOAD_TIANOCORE) = payloads/external/tianocore/
+payload-git-dir-$(CONFIG_PAYLOAD_UBOOT) = payloads/external/U-Boot/u-boot
+payload-git-dir-$(CONFIG_PAYLOAD_YABITS) = payloads/external/Yabits/uefi
+payload-git-dir-$(CONFIG_PAYLOAD_IPXE) = payloads/external/iPXE/ipxe
+# e.g. 
payloads/external/SeaBIOS/seabios -> $(build-dir)/SeaBIOS.uswid
+payload-uswid-file = $(build-dir)/payload-$(subst /,,$(dir $(patsubst payloads/external/%,%,$(payload-git-dir-y)))).uswid
+payload-ini-file = $(patsubst %.uswid,%.ini,$(payload-uswid-file))
+payload-ini-src-file = $(patsubst $(build-dir)/%.uswid,$(src-dir)/%.ini.src,$(payload-uswid-file))
+else
+payload-uswid-file = $(build-dir)/payload.uswid
+endif
+endif
+
+#uswid-files-$(CONFIG_ME_SBOM) += $(build-dir)/me.uswid
+#uswid-files-$(CONFIG_IFD_SBOM) += $(build-dir)/ifd.uswid
+uswid-files-$(CONFIG_COREBOOT_SBOM) += $(build-dir)/coreboot.uswid
+
+uswid-files-y += $(patsubst 3rdparty/intel-microcode/intel-ucode/%, $(build-dir)/intel-microcode-%.uswid, $(cpu_microcode_bins))
+#TODO same for AMD microcodes
+
+## Build final SBOM (Software Bill of Materials) by concatinting all .uswid files
+
+$(build-dir)/uswid-concat.bin: $(uswid-files-y) $(payload-uswid-file) | $(build-dir)
+ cat $^ > $@
+
+# all build files depend on the $(build-dir) directory being created
+$(build-dir):
+ mkdir -p $(build-dir)
+
+
+## Build all necessary .uswid files
+
+$(uswid-files-y) $(payload-uswid-file): $(build-dir)/%.uswid: $(build-dir)/%.ini | $(build-dir)
+ uswid --load $< --save $@
+
+
+## Generate all .ini files
+
+$(build-dir)/coreboot.ini: $(src-dir)/coreboot.ini.src .git/HEAD
+ cp $< $@;\
+ git_tree_hash=$$(git log -n 1 --format=%T);\
+ git_comm_hash=$$(git log -n 1 --format=%H);\
+ sed -i -e "s/<colloquial_version>/$$git_tree_hash/" -e "s/<software_version>/$$git_comm_hash/" $@;\
+
+ifeq ($(CONFIG_IFD_SBOM_GENERATE), y)
+$(build-dir)/ifd.ini: $(src-dir)/ifd.ini.src $(IFD_BIN_PATH) | $(build-dir)
+ cp $< $@
+ #TODO generate Intel Flash descriptor sbom data
+else
+$(build-dir)/ifd.ini: $(call strip_quotes, $(CONFIG_IFD_SBOM_PATH)) | $(build-dir)
+ cp $< $@
+endif
+
+ifeq ($(CONFIG_ME_SBOM_GENERATE), y)
+$(build-dir)/me.ini: $(src-dir)/me.ini.src $(ME_BIN_PATH) | $(build-dir)
+ cp $< $@
+ #TODO generate Intel Management 
Engine sbom data
+else
+$(build-dir)/me.ini: $(call strip_quotes, $(CONFIG_ME_SBOM_PATH)) | $(build-dir)
+ cp $< $@
+endif
+
+$(build-dir)/intel-microcode-%.ini: $(src-dir)/intel-microcode.ini.src 3rdparty/intel-microcode/intel-ucode/% | $(build-dir)
+ cp $< $@
+ year=$$(hexdump --skip 8 --length 2 --format '"%04x"' $(word 2,$^));\
+ day=$$(hexdump --skip 10 --length 1 --format '"%02x"' $(word 2,$^));\
+ month=$$(hexdump --skip 11 --length 1 --format '"%02x"' $(word 2,$^));\
+ echo "/$*:$$year-$$month-$$day/ Microcode bins: $(cpu_microcode_bins)";\
+ sed -i "s/<software_version>/$*:$$year-$$month-$$day/" $@
+
+$(build-dir)/amd-microcode-%.ini: $(src-dir)/amd-microcode.ini.src dosomething | $(build-dir)
+ cp $< $@
+ echo Microcode bins: $(cpu_microcode_bins)
+ echo Firmware Location: $(FIRMWARE_LOCATION) ${FIRMWARE_LOCATION}
+
+ifeq ($(CONFIG_PAYLOAD_SBOM_GENERATE), y)
+$(payload-ini-file): $(payload-ini-src-file) $(payload-git-dir-y)/.git | $(build-dir)
+ cp $< $@;\
+ git_tree_hash=$$(git --git-dir $(word 2,$^) log -n 1 --format=%T);\
+ git_comm_hash=$$(git --git-dir $(word 2,$^) log -n 1 --format=%H);\
+ sed -i -e "s/<colloquial_version>/$$git_tree_hash/" -e "s/<software_version>/$$git_comm_hash/" $@;
+else
+$(build-dir)/payload.ini: $(call strip_quotes, $(CONFIG_PAYLOAD_SBOM_PATH))
+ cp $< $@
+endif
+
+cbfs-files-y += sbom
+sbom-file = $(build-dir)/uswid-concat.bin
+sbom-type = raw
+
diff --git a/src/sbom/coreboot.ini.src b/src/sbom/coreboot.ini.src
new file mode 100644
index 0000000..a547f09
--- /dev/null
+++ b/src/sbom/coreboot.ini.src
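Review bot: The `coreboot.ini` and generated payload `.ini` recipes chain their steps with `;\`, so if `git log` fails — a tarball build without `.git`, or a payload checkout without one — `sed` still runs with empty shell variables and the build succeeds with an SBOM whose `software-version` and `colloquial-version` are blank, which defeats the purpose of the tag; chain with `&&` so the build fails instead, and give the `coreboot.ini` rule the `| $(build-dir)` order-only prerequisite every other rule has. The recorded `%H` also ignores uncommitted changes, so a locally patched tree is described as a clean upstream commit; append a `-dirty` marker (or reuse the version string the top-level Makefile already derives, if one exists). `cbfs-files-y += sbom` is unconditional, so with every `*_SBOM` option off and no microcode the `uswid-concat.bin` rule runs `cat` with no inputs and reads stdin; guard the three `sbom` lines with `ifneq ($(strip $(uswid-files-y) $(payload-uswid-file)),)`. The `amd-microcode-%.ini` rule depends on a placeholder prerequisite `dosomething` and should be dropped until it is real.
```make
$(build-dir)/coreboot.ini: $(src-dir)/coreboot.ini.src .git/HEAD | $(build-dir)
	cp $< $@ && \
	git_tree_hash=$$(git log -n 1 --format=%T) && \
	git_comm_hash=$$(git log -n 1 --format=%H)$$(git diff-index --quiet HEAD -- || echo -dirty) && \
	sed -i -e "s/<colloquial_version>/$$git_tree_hash/" -e "s/<software_version>/$$git_comm_hash/" $@
# … unchanged: IFD/ME/microcode/payload rules …
```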
@@ -0,0 +1,13 @@
+[uSWID]
+; uuidgen --name review.coreboot.org/coreboot.git --namespace "6ba7b811-9dad-11d1-80b4-00c04fd430c8" --sha1
+tag-id = a4eb14a7-43a5-536b-aaf4-4be142b4dc9b
+software-name = Coreboot
+software-version = <software_version>
+product = Coreboot
+summary = coreboot is a project to develop open source boot firmware for various architectures.
+colloquial-version = <colloquial_version>
+
+[uSWID-Entity:TagCreator]
+name = 9elements
+regid = 9elements.com
+;extra-roles = <extra_roles>
diff --git a/src/sbom/intel-microcode.ini.src b/src/sbom/intel-microcode.ini.src
new file mode 100644
index 0000000..d7f37dc
--- /dev/null
+++ b/src/sbom/intel-microcode.ini.src
@@ -0,0 +1,12 @@
+[uSWID]
+; uuidgen --name intel.com/microcode --namespace "6ba7b811-9dad-11d1-80b4-00c04fd430c8" --sha1
+tag-id = 561a5b02-27e1-56d8-9ca7-08175ced619f
+software-name = Intel-Microcode
+software-version = <software_version>
+product = Intel-Microcode
+summary = Micrcode Updates for Intel Processors
+
+[uSWID-Entity:TagCreator]
+name = 9elements
+regid = 9elements.com
+;extra-roles = <extra_roles>
diff --git a/src/sbom/payload-BOOTBOOT.ini.src b/src/sbom/payload-BOOTBOOT.ini.src
new file mode 100644
index 0000000..aa5c1a4
--- /dev/null
+++ b/src/sbom/payload-BOOTBOOT.ini.src
@@ -0,0 +1,13 @@
+[uSWID]
+; uuidgen --name gitlab.com/bztsrc/bootboot --namespace "6ba7b811-9dad-11d1-80b4-00c04fd430c8" --sha1
+tag-id = 1990bdb5-9393-50cc-8267-843ed0f0419d
+software-name = BootBoot
+software-version = <software_version>
+product = BootBoot
+summary = BOOTBOOT multi platform micro-kernel loader
+colloquial-version = <colloquial_version>
+
+[uSWID-Entity:TagCreator]
+name = 9elements
+regid = 9elements.com
+;extra-roles = <extra_roles>
diff --git a/src/sbom/payload-FILO.ini.src b/src/sbom/payload-FILO.ini.src
new file mode 100644
index 0000000..dfd9502
--- /dev/null
+++ b/src/sbom/payload-FILO.ini.src
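Review bot: The `[uSWID-Entity:TagCreator]` section hard-codes `name = 9elements` / `regid = 9elements.com`, so every coreboot image built by anyone carries a tag asserting that 9elements created it, while the tag creator is supposed to identify whoever produced this build. Make the entity substitutable like the version fields — `name = <tag_creator_name>` and `regid = <tag_creator_regid>` filled from Kconfig strings in the `coreboot.ini` recipe — with the current values as defaults. `software-name = Coreboot` / `product = Coreboot` also capitalise a project name that is written `coreboot` everywhere else in this change. The same hard-coded entity is repeated in every other `.ini.src` template added here.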
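Review bot: src/sbom/Makefile.inc copies this one template for every file in `$(cpu_microcode_bins)` and substitutes only `<software_version>`, so a build with several microcode blobs emits several CoSWID tags that all share `tag-id = 561a5b02-27e1-56d8-9ca7-08175ced619f`, a field meant to identify a single tag. Derive a per-blob id instead, e.g. make `tag-id = <tag_id>` a placeholder that the `intel-microcode-%.ini` recipe fills with a UUID derived from `intel.com/microcode/$*` in the same namespace, if `uuidgen` is acceptable as a build dependency. Typo in the summary: `Micrcode` → `Microcode`.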
@@ -0,0 +1,13 @@
+[uSWID]
+; uuidgen --name review.coreboot.org/filo --namespace "6ba7b811-9dad-11d1-80b4-00c04fd430c8" --sha1
+tag-id = 4870d7d4-de29-5eab-af8d-511da8c984c9
+software-name = FILO
+software-version = <software_version>
+product = FILO
+summary = FILO is a bootloader which loads boot images from a local filesystem, without help from legacy BIOS services
+colloquial-version = <colloquial_version>
+
+[uSWID-Entity:TagCreator]
+name = 9elements
+regid = 9elements.com
+;extra-roles = <extra_roles>
diff --git a/src/sbom/payload-GRUB2.ini.src b/src/sbom/payload-GRUB2.ini.src
new file mode 100644
index 0000000..2a85b51
--- /dev/null
+++ b/src/sbom/payload-GRUB2.ini.src
@@ -0,0 +1,13 @@
+[uSWID]
+; uuidgen --name savannah.gnu.org/projects/grub --namespace "6ba7b811-9dad-11d1-80b4-00c04fd430c8" --sha1
+tag-id = de008f0f-b80c-56f5-b9fa-54fbdcf87f5a
+software-name = GRUB2
+software-version = <software_version>
+product = GRUB2
+summary = GNU GRUB is a boot loader, which can load a wide variety of free operating systems, as well as proprietary operating systems with chain-loading
+colloquial-version = <colloquial_version>
+
+[uSWID-Entity:TagCreator]
+name = 9elements
+regid = 9elements.com
+;extra-roles = <extra_roles>
diff --git a/src/sbom/payload-LinuxBoot.ini.src b/src/sbom/payload-LinuxBoot.ini.src
new file mode 100644
index 0000000..927151d
--- /dev/null
+++ b/src/sbom/payload-LinuxBoot.ini.src
@@ -0,0 +1,13 @@
+[uSWID]
+; uuidgen --name github.com/linuxboot/linuxboot --namespace "6ba7b811-9dad-11d1-80b4-00c04fd430c8" --sha1
+tag-id = f9c08a21-2fa3-57dc-9413-43e0be43a0df
+software-name = LinuxBoot
+software-version = <software_version>
+product = LinuxBoot
+summary = LinuxBoot is a firmware for modern servers that replaces specific firmware functionality like the UEFI DXE phase with a Linux kernel and runtime
+colloquial-version = <colloquial_version>
+
+[uSWID-Entity:TagCreator]
+name = 9elements
+regid = 9elements.com
+;extra-roles = <extra_roles>
diff --git a/src/sbom/payload-SeaBIOS.ini.src b/src/sbom/payload-SeaBIOS.ini.src
new file mode 100644
index 0000000..0252d64
--- /dev/null
+++ b/src/sbom/payload-SeaBIOS.ini.src
@@ -0,0 +1,13 @@
+[uSWID]
+; uuidgen --name review.coreboot.org/seabios --namespace "6ba7b811-9dad-11d1-80b4-00c04fd430c8" --sha1
+tag-id = 0e79fe1b-d8b2-503d-a1b8-c9eccdba3881
+software-name = Seabios
+software-version = <software_version>
+product = Seabios
+summary = SeaBIOS is an open-source legacy BIOS implementation which can be used as a coreboot payload. It implements the standard BIOS calling interfaces that a typical x86 proprietary BIOS implements
+colloquial-version = <colloquial_version>
+
+[uSWID-Entity:TagCreator]
+name = 9elements
+regid = 9elements.com
+;extra-roles = <extra_roles>
diff --git a/src/sbom/payload-U-Boot.ini.src b/src/sbom/payload-U-Boot.ini.src
new file mode 100644
index 0000000..4745ccf
--- /dev/null
+++ b/src/sbom/payload-U-Boot.ini.src
@@ -0,0 +1,13 @@
+[uSWID]
+; uuidgen --name source.denx.de/u-boot/u-boot --namespace "6ba7b811-9dad-11d1-80b4-00c04fd430c8" --sha1
+tag-id = fac44df7-62ec-544b-b4cf-50a522c7c463
+software-name = U-Boot
+software-version = <software_version>
+product = U-Boot
+summary = Das U-Boot (subtitled "the Universal Boot Loader") is an open-source, primary boot loader used in embedded devices to package the instructions to boot the device's operating system kernel.
+colloquial-version = <colloquial_version>
+
+[uSWID-Entity:TagCreator]
+name = 9elements
+regid = 9elements.com
+;extra-roles = <extra_roles>
diff --git a/src/sbom/payload-Yabits.ini.src b/src/sbom/payload-Yabits.ini.src
new file mode 100644
index 0000000..a9a4351
--- /dev/null
+++ b/src/sbom/payload-Yabits.ini.src
@@ -0,0 +1,13 @@
+[uSWID]
+; uuidgen --name github.com/yabits/uefi --namespace "6ba7b811-9dad-11d1-80b4-00c04fd430c8" --sha1
+tag-id = cd926122-1bd3-5271-94ca-40932b3a171d
+software-name = yabits
+software-version = <software_version>
+product = yabits
+summary = Fast and lightweight yet another UEFI implementation
+colloquial-version = <colloquial_version>
+
+[uSWID-Entity:TagCreator]
+name = 9elements
+regid = 9elements.com
+;extra-roles = <extra_roles>
diff --git a/src/sbom/payload-depthcharge.ini.src b/src/sbom/payload-depthcharge.ini.src
new file mode 100644
index 0000000..4e89b98
--- /dev/null
+++ b/src/sbom/payload-depthcharge.ini.src
@@ -0,0 +1,13 @@
+[uSWID]
+; uuidgen --name chromium.googlesource.com/chromiumos/platform/depthcharge --namespace "6ba7b811-9dad-11d1-80b4-00c04fd430c8" --sha1
+tag-id = f6d08807-8c49-52d6-aa82-ba9242c309c0
+software-name = depthcharge
+software-version = <software_version>
+product = depthcharge
+summary = Depthcharge is a toolkit designed to support security research and “jailbreaking” of embedded platforms using the Das U-Boot bootloader, herein referred to only as “U-Boot”
+colloquial-version = <colloquial_version>
+
+[uSWID-Entity:TagCreator]
+name = 9elements
+regid = 9elements.com
+;extra-roles = <extra_roles>
diff --git a/src/sbom/payload-iPXE.ini.src b/src/sbom/payload-iPXE.ini.src
new file mode 100644
index 0000000..3330943
--- /dev/null
+++ b/src/sbom/payload-iPXE.ini.src
@@ -0,0 +1,13 @@
+[uSWID]
+; uuidgen --name github.com/ipxe/ipxe --namespace "6ba7b811-9dad-11d1-80b4-00c04fd430c8" --sha1
+tag-id = 8264e64a-facf-57cd-84e7-20c49d76cd12
+software-name = iPXE
+software-version = <software_version>
+product = iPXE
+summary = iPXE is an open source network boot firmware. It provides a full PXE implementation enhanced with additional features.
+colloquial-version = <colloquial_version>
+
+[uSWID-Entity:TagCreator]
+name = 9elements
+regid = 9elements.com
+;extra-roles = <extra_roles>
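Review bot: The `summary` in payload-depthcharge.ini.src describes the wrong software: it is the description of NCC Group's "Depthcharge" U-Boot jailbreaking toolkit, while the tag-id comment and the Makefile entry point at the ChromeOS bootloader at chromium.googlesource.com/chromiumos/platform/depthcharge, so the SBOM would mis-describe the payload it ships. Replace it with a description of that project, e.g. `summary = Depthcharge is the bootloader used as coreboot payload on ChromeOS devices`. The typographic quotes in the current value should also be plain ASCII, as in the other templates.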
diff --git a/src/sbom/payload-skiboot.ini.src b/src/sbom/payload-skiboot.ini.src
new file mode 100644
index 0000000..8ddbfbc
--- /dev/null
+++ b/src/sbom/payload-skiboot.ini.src
@@ -0,0 +1,14 @@
+[uSWID]
+; uuidgen --name github.com/open-power/skiboot --namespace "6ba7b811-9dad-11d1-80b4-00c04fd430c
+8" --sha1
+tag-id = e4ebbda4-ef8c-5736-a28f-ac5c3a13a72d
+software-name = skiboot
+software-version = <software_version>
+product = skiboot
+summary = Skiboot is boot and runtime firmware for OpenPOWER systems. It’s loaded by earlier boot firmware (typically Hostboot). Along with loading the bootloader, it provides some runtime services to the OS (typically Linux).
+colloquial-version = <colloquial_version>
+
+[uSWID-Entity:TagCreator]
+name = 9elements
+regid = 9elements.com
+;extra-roles = <extra_roles>
diff --git a/src/southbridge/intel/common/firmware/Kconfig b/src/southbridge/intel/common/firmware/Kconfig
index 45d8be8..2549c10 100644
--- a/src/southbridge/intel/common/firmware/Kconfig
+++ b/src/southbridge/intel/common/firmware/Kconfig
@@ -64,6 +64,32 @@ proceeding with the build, in order to prevent an accidental loading of a corrupted ME/TXE image.
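Review bot: The `; uuidgen …` comment in payload-skiboot.ini.src is wrapped in the middle of the namespace UUID (`…00c04fd430c` on one line, `8" --sha1` on the next), which is why this template is 14 lines while the others are 13; join it back into one comment line so the command can be copied and re-run to verify `tag-id`. The summary also uses a typographic apostrophe in `It’s`; use a plain ASCII `'` for consistency with the other templates.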
+config ME_SBOM
+ bool "Include SBOM file"
+ depends on HAVE_ME_BIN
+ default y
+ help
+ Select this option if you want to include a coswid (Concise Software Identification Tag)
+ of the ME (Management Engine) into the SBOM (Software Bill of Materials) File in your build
+
+config ME_SBOM_GENERATE
+ bool "Generate SBOM file"
+ depends on ME_SBOM
+ default y
+ help
+ Select this option if you want coreboot to generate and include
+ the coswid (Concise Software Identification Tag) instead of supplying it manually.
+ Be aware that this option is only meant to be a transition and suppliers of Software
+ should always prefer to include their own Software descriptions, since ours may be
+ incomplete or straight up wrong.
+
+config ME_SBOM_PATH
+ string "SBOM file path"
+ depends on ME_SBOM && !ME_SBOM_GENERATE
+ help
+ The path of the SBOM file (sbom.ini file)
+ The path of the .ini file describing the Software included in the build
+
config ME_REGION_ALLOW_CPU_READ_ACCESS
bool "Allows HOST/CPU read access to ME region"
depends on HAVE_IFD_BIN
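Review bot: `ME_SBOM` and `ME_SBOM_GENERATE` default to `y` but nothing consumes them yet: src/sbom/Makefile.inc keeps `uswid-files-$(CONFIG_ME_SBOM)` commented out, its `me.ini` rules copy a `me.ini.src` template this change does not add, and the `IFD_SBOM_*` symbols the Makefile references are not defined anywhere in the change. Either leave these entries out until the ME path is implemented, or state in the help that they are currently no-ops so a user does not assume the ME firmware is described in the SBOM. The `ME_SBOM_PATH` help repeats itself across two lines; keep one, `The path of the .ini file describing the ME firmware included in the build`.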