Philipp Deppenwiese has submitted this change and it was merged. ( https://review.coreboot.org/c/coreboot/+/30218 )
Change subject: vendorcode/eltan: Add vendor code for measured and verified boot
vendorcode/eltan: Add vendor code for measured and verified boot
This patch contains the general files for the vendorcode/eltan that has been uploaded recently:
- Add eltan directory to vendorcode.
- Add documentation about the support in the vendorcode directories.
- Add the Makefile.inc and Kconfig for the vendorcode/eltan and vendorcode/eltan/security.

BUG=N/A
TEST=Created verified binary and verify logging on Portwell PQ-M107
Change-Id: Ic1d5a21d40b6a31886777e8e9fe7b28c860f1a80
Signed-off-by: Frans Hendriks <fhendriks@eltan.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/30218
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
---
A Documentation/vendorcode/eltan/index.md
A Documentation/vendorcode/eltan/security.md
M src/vendorcode/Makefile.inc
A src/vendorcode/eltan/Kconfig
A src/vendorcode/eltan/Makefile.inc
A src/vendorcode/eltan/security/Kconfig
A src/vendorcode/eltan/security/Makefile.inc
7 files changed, 127 insertions(+), 0 deletions(-)
Approvals:
  build bot (Jenkins): Verified
  Philipp Deppenwiese: Looks good to me, approved
diff --git a/Documentation/vendorcode/eltan/index.md b/Documentation/vendorcode/eltan/index.md new file mode 100644 index 0000000..4484798 --- /dev/null +++ b/Documentation/vendorcode/eltan/index.md @@ -0,0 +1,8 @@ +# Eltan vendorcode-specific documentation + +This section contains documentation about coreboot on Eltan specific +vendorcode. + +## Sections + +- [Security](security.md) diff --git a/Documentation/vendorcode/eltan/security.md b/Documentation/vendorcode/eltan/security.md new file mode 100644 index 0000000..04537df --- /dev/null +++ b/Documentation/vendorcode/eltan/security.md @@ -0,0 +1,39 @@ +# Eltan Security + +## Security +This code enables measured boot and verified boot support. +Verified boot is available in coreboot, but based on ChromeOS. This vendorcode +uses a small encryption library and leave much more space in flash for the +payload. + +## Hashing Library +The library suppports SHA-1, SHA-256 and SHA-512. The required routines of +`3rdparty/vboot/firmware/2lib` are used. + +## Measured boot +measured boot support will use TPM2 device if available. The items specified +in `mb_log_list[]` will be measured. + +## Verified boot +verified boot support will use TPM2 device if available. The items specified +in the next table will be verified: +* `bootblock_verify_list[]` +* `verify_item_t romstage_verify_list[]` +* `ram_stage_additional_list[]` +* `ramstage_verify_list[]` +* `payload_verify_list[]` +* `oprom_verify_list[]` + +## Enabling support + +* Measured boot can be enabled using **CONFIG_MBOOT** +* Create mb_log_list table with list of item to measure +* Create tables bootblock_verify_list[], verify_item_t romstage_verify_list[], + ram_stage_additional_list[], ramstage_verify_list[], payload_verify_list[], + oprom_verify_list[] +* Verified boot can be enabled using **CONFIG_VERIFIED_BOOT** +* Added Kconfig values for verbose console output + +## Debugging + +You can enable verbose console output in *menuconfig*. 
diff --git a/src/vendorcode/Makefile.inc b/src/vendorcode/Makefile.inc index 522d415..8ccb0d0 100644 --- a/src/vendorcode/Makefile.inc +++ b/src/vendorcode/Makefile.inc @@ -3,3 +3,4 @@ subdirs-y += intel subdirs-y += siemens subdirs-y += cavium +subdirs-y += eltan diff --git a/src/vendorcode/eltan/Kconfig b/src/vendorcode/eltan/Kconfig new file mode 100644 index 0000000..731dd2c --- /dev/null +++ b/src/vendorcode/eltan/Kconfig @@ -0,0 +1,17 @@ +## +## This file is part of the coreboot project. +## +## Copyright (C) 2014-2018 Eltan B.V. +## +## This program is free software; you can redistribute it and/or modify +## it under the terms of the GNU General Public License as published by +## the Free Software Foundation; version 2 of the License. +## +## This program is distributed in the hope that it will be useful, +## but WITHOUT ANY WARRANTY; without even the implied warranty of +## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +## GNU General Public License for more details. +## + +source src/vendorcode/eltan/security/mboot/Kconfig +source src/vendorcode/eltan/security/verified_boot/Kconfig diff --git a/src/vendorcode/eltan/Makefile.inc b/src/vendorcode/eltan/Makefile.inc new file mode 100644 index 0000000..1f6a406 --- /dev/null +++ b/src/vendorcode/eltan/Makefile.inc @@ -0,0 +1,16 @@ +# +# This file is part of the coreboot project. +# +# Copyright (C) 2018 Eltan B.V. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# + +subdirs-y += security 
diff --git a/src/vendorcode/eltan/security/Kconfig b/src/vendorcode/eltan/security/Kconfig new file mode 100644 index 0000000..2af5808 --- /dev/null +++ b/src/vendorcode/eltan/security/Kconfig @@ -0,0 +1,16 @@ +## This file is part of the coreboot project. +## +## Copyright (C) 2018 Eltan B.V. +## +## This program is free software; you can redistribute it and/or modify +## it under the terms of the GNU General Public License as published by +## the Free Software Foundation; version 2 of the License. +## +## This program is distributed in the hope that it will be useful, +## but WITHOUT ANY WARRANTY; without even the implied warranty of +## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +## GNU General Public License for more details. +## + +source src/vendorcode/eltan/security/mboot/Kconfig +source src/vendorcode/eltan/security/verified_boot/Kconfig diff --git a/src/vendorcode/eltan/security/Makefile.inc b/src/vendorcode/eltan/security/Makefile.inc new file mode 100644 index 0000000..26b324b --- /dev/null +++ b/src/vendorcode/eltan/security/Makefile.inc 
@@ -0,0 +1,30 @@ +## This file is part of the coreboot project. +## +## Copyright (C) 2018 Eltan B.V. +## +## This program is free software; you can redistribute it and/or modify +## it under the terms of the GNU General Public License as published by +## the Free Software Foundation; version 2 of the License. +## +## This program is distributed in the hope that it will be useful, +## but WITHOUT ANY WARRANTY; without even the implied warranty of +## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +## GNU General Public License for more details. +## + +subdirs-y += lib +subdirs-y += verified_boot +subdirs-y += mboot + +ifeq ($(CONFIG_MBOOT), y) +CPPFLAGS_common += -I$(src)/vendorcode/eltan/security/mboot +CPPFLAGS_common += -I$(src)/vendorcode/eltan/security/include +endif + +ifeq ($(CONFIG_VERIFIED_BOOT), y) +CPPFLAGS_common += -I$(src)/vendorcode/eltan/security/verified_boot +endif + +ifeq ($(CONFIG_TPM2),y) +CPPFLAGS_common += -I$(src)/security/include +endif
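Review bot: In Documentation/vendorcode/eltan/security.md, the "Security" section describes the vboot 2lib routines as a "small encryption library", but the "Hashing Library" section lists only SHA-1, SHA-256 and SHA-512, which are hash functions; call it a hashing library so readers do not expect encryption from it. In the same file, "suppports" and "leave much more space" need correcting, "in the next table" introduces a bullet list, the entry `verify_item_t romstage_verify_list[]` carries a type name that the other five list names do not, and "Added Kconfig values for verbose console output" under "Enabling support" reads as a changelog line rather than an enabling step. Both the measured boot and verified boot sections say a TPM2 device is used "if available"; the document should state what each feature does when no TPM2 is present, because that decides whether a failed or missing TPM silently weakens the boot policy.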
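Review bot: src/vendorcode/eltan/Kconfig and src/vendorcode/eltan/security/Kconfig end with the same two lines, `source src/vendorcode/eltan/security/mboot/Kconfig` and `source src/vendorcode/eltan/security/verified_boot/Kconfig`, so the mboot and verified_boot options are pulled in from two places. Have src/vendorcode/eltan/Kconfig source src/vendorcode/eltan/security/Kconfig instead, mirroring how eltan/Makefile.inc only descends into security. Neither mboot/Kconfig nor verified_boot/Kconfig is among the 7 files in this change, so the commit message should name the change that provides them. The copyright years also differ between the two new Kconfig files (2014-2018 versus 2018), and the first carries a leading `##` line that the second lacks.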
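Review bot: In src/vendorcode/eltan/security/Makefile.inc, the final block adds `-I$(src)/security/include` to CPPFLAGS_common whenever CONFIG_TPM2 is set, independent of CONFIG_MBOOT or CONFIG_VERIFIED_BOOT, so this vendor Makefile changes the include path for builds that enable neither Eltan option; nest that block inside the Eltan conditionals or drop it if the core tree already provides the path. The `-I$(src)/vendorcode/eltan/security/include` path is added only under CONFIG_MBOOT; please confirm that verified_boot never includes headers from that directory, otherwise a build with CONFIG_VERIFIED_BOOT alone will fail. The conditionals are written two ways, `ifeq ($(CONFIG_MBOOT), y)` and `ifeq ($(CONFIG_TPM2),y)`; pick one spacing. The lib, verified_boot and mboot subdirectories named in `subdirs-y` are not part of this change, so the dependency on the changes that add them should be stated.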