Change in coreboot[master]: util/cbfstool/fit.c: Add support for adding Boot Guard manifests - coreboot-gerrit

13 Jul 2020

Michał Żygowski has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/43400 )
Change subject: util/cbfstool/fit.c: Add support for adding Boot Guard manifests
......................................................................
util/cbfstool/fit.c: Add support for adding Boot Guard manifests
Signed-off-by: Michał Żygowski michal.zygowski@3mdeb.com
Change-Id: I2c33d3c1dd2267ae5e0bccb57b716135598ea197
---
M util/cbfstool/fit.c
1 file changed, 69 insertions(+), 7 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/00/43400/1

diff --git a/util/cbfstool/fit.c b/util/cbfstool/fit.c
index 44573ca..e7aa8d7 100644
--- a/util/cbfstool/fit.c
+++ b/util/cbfstool/fit.c
@@ -76,6 +76,11 @@
    int size;
 };
+static inline int fit_entry_type(const struct fit_entry *entry)
+{
+	return entry->type_checksum_valid & ~FIT_ENTRY_CHECKSUM_VALID;
+}
+
 static inline void *rom_buffer_pointer(struct buffer *buffer, int offset)
 {
    return &buffer->data[offset];
@@ -83,12 +88,30 @@
static inline size_t fit_entry_size_bytes(const struct fit_entry *entry)
 {
+	/*
+	 * Do not shift the data to not loose MSB. Boot policy and Key Manifest
+	 * are not multiples of 16 bytes. The size is adjusted in FIT entry
+	 * adding function.
+	 */
+	if(fit_entry_type(entry) == FIT_TYPE_BOOT_POLICY ||
+	   fit_entry_type(entry) == FIT_TYPE_KEY_MANIFEST)
+		return (entry->size_reserved & 0xffffff);
+
    return (entry->size_reserved & 0xffffff) << 4;
 }
static inline void fit_entry_update_size(struct fit_entry *entry,
    				 const int size_bytes)
 {
+	/*
+	 * Do nothing for Boot policy and Key Manifest since these are not
+	 * multiples of 16 bytes. The size is adjusted in FIT entry adding
+	 * function.
+	 */
+	if(fit_entry_type(entry) == FIT_TYPE_BOOT_POLICY ||
+	   fit_entry_type(entry) == FIT_TYPE_KEY_MANIFEST)
+		return;
+
    /* Size is multiples of 16 bytes. */
    entry->size_reserved = (size_bytes >> 4) & 0xffffff;
 }
@@ -101,11 +124,6 @@
    fit_entry_update_size(entry, size);
 }
-static inline int fit_entry_type(struct fit_entry *entry)
-{
-	return entry->type_checksum_valid & ~FIT_ENTRY_CHECKSUM_VALID;
-}
-
 /*
  * Get an offset from a host pointer. This function assumes the ROM is located
  * in the host address space at [4G - romsize -> 4G). It also assume all
@@ -434,6 +452,44 @@
    fit_entry_add_size(&fit->header, sizeof(struct fit_entry));
 }
+/*
+ * There can be zero or one FIT_TYPE_BOOT_POLICY entries
+ *
+ * The caller has to provide valid arguments as those aren't verified.
+ */
+static void update_fit_boot_policy_entry(struct fit_table *fit,
+					struct fit_entry *entry,
+					uint64_t boot_policy_addr,
+					uint32_t boot_policy_size)
+{
+	entry->address = boot_policy_addr;
+	/* Boot Policy Manifest size is not multiple of 16 bytes */
+	fit_entry_update_size(entry, boot_policy_size << 4);
+	entry->type_checksum_valid = FIT_TYPE_BOOT_POLICY;
+	entry->version = FIT_TXT_VERSION;
+	entry->checksum = 0;
+	fit_entry_add_size(&fit->header, sizeof(struct fit_entry));
+}
+
+/*
+ * There can be zero or one FIT_TYPE_KEY_MANIFEST entries
+ *
+ * The caller has to provide valid arguments as those aren't verified.
+ */
+static void update_fit_key_manifest_entry(struct fit_table *fit,
+					struct fit_entry *entry,
+					uint64_t key_manifest_addr,
+					uint32_t key_manifest_size)
+{
+	entry->address = key_manifest_addr;
+	/* Key Manifest size is not multiple of 16 bytes */
+	fit_entry_update_size(entry, key_manifest_size << 4);
+	entry->type_checksum_valid = FIT_TYPE_KEY_MANIFEST;
+	entry->version = FIT_TXT_VERSION;
+	entry->checksum = 0;
+	fit_entry_add_size(&fit->header, sizeof(struct fit_entry));
+}
+
 /* Special case for ucode CBFS file, as it might contain more than one ucode */
 int fit_add_microcode_file(struct fit_table *fit,
    		   struct cbfs_image *image,
@@ -626,10 +682,10 @@
    case FIT_TYPE_BIOS_STARTUP:
    case FIT_TYPE_BIOS_POLICY:
    case FIT_TYPE_TXT_POLICY:
-		return 1;
-	case FIT_TYPE_TPM_POLICY:
    case FIT_TYPE_KEY_MANIFEST:
    case FIT_TYPE_BOOT_POLICY:
+		return 1;
+	case FIT_TYPE_TPM_POLICY:
    default:
    	return 0;
    }
@@ -684,6 +740,12 @@
    case FIT_TYPE_TXT_POLICY:
    	update_fit_txt_policy_entry(fit, entry, offset);
    	break;
+	case FIT_TYPE_KEY_MANIFEST:
+		update_fit_key_manifest_entry(fit, entry, offset, len);
+		break;
+	case FIT_TYPE_BOOT_POLICY:
+		update_fit_boot_policy_entry(fit, entry, offset, len);
+		break;
    default:
    	return 1;
    }
-- 
To view, visit https://review.coreboot.org/c/coreboot/+/43400
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I2c33d3c1dd2267ae5e0bccb57b716135598ea197
Gerrit-Change-Number: 43400
Gerrit-PatchSet: 1
Gerrit-Owner: Michał Żygowski michal.zygowski@3mdeb.com
Gerrit-MessageType: newchange



    