Change in coreboot[master]: [NOTFORMERGE] mb/facebook/fbg1701: Remove C_ENV_BOOTBLOCK_SIZE
Kyösti Mälkki has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/41694 )
Change subject: [NOTFORMERGE] mb/facebook/fbg1701: Remove C_ENV_BOOTBLOCK_SIZE ......................................................................
[NOTFORMERGE] mb/facebook/fbg1701: Remove C_ENV_BOOTBLOCK_SIZE
Change-Id: I4254d681525327c7eec18832586818e9c4e8eb22 Signed-off-by: Kyösti Mälkki kyosti.malkki@gmail.com --- M configs/config.facebook_fbg1701.mboot_vboot M src/mainboard/facebook/fbg1701/Kconfig M src/mainboard/facebook/fbg1701/board_verified_boot.c 3 files changed, 6 insertions(+), 5 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/94/41694/1
diff --git a/configs/config.facebook_fbg1701.mboot_vboot b/configs/config.facebook_fbg1701.mboot_vboot index b372bbe..34d349a 100644 --- a/configs/config.facebook_fbg1701.mboot_vboot +++ b/configs/config.facebook_fbg1701.mboot_vboot @@ -1,5 +1,4 @@ CONFIG_VENDOR_FACEBOOK=y -CONFIG_C_ENV_BOOTBLOCK_SIZE=0x6000 CONFIG_ONBOARD_SAMSUNG_MEM=y CONFIG_CPU_MICROCODE_CBFS_LOC=0xFFF8B000 CONFIG_CPU_MICROCODE_CBFS_EXTERNAL_BINS=y diff --git a/src/mainboard/facebook/fbg1701/Kconfig b/src/mainboard/facebook/fbg1701/Kconfig index ca19e05..d04fb75 100644 --- a/src/mainboard/facebook/fbg1701/Kconfig +++ b/src/mainboard/facebook/fbg1701/Kconfig @@ -64,10 +64,6 @@ bool "TPM Setup in RAMSTAGE" default n
-config C_ENV_BOOTBLOCK_SIZE - hex "C Bootblock Size" - default 0x4000 - config VENDORCODE_ELTAN_VBOOT_SIGNED_MANIFEST bool default y diff --git a/src/mainboard/facebook/fbg1701/board_verified_boot.c b/src/mainboard/facebook/fbg1701/board_verified_boot.c index 57bd199..685818b 100644 --- a/src/mainboard/facebook/fbg1701/board_verified_boot.c +++ b/src/mainboard/facebook/fbg1701/board_verified_boot.c @@ -8,10 +8,13 @@ const verify_item_t bootblock_verify_list[] = { { VERIFY_FILE, ROMSTAGE, { { NULL, CBFS_TYPE_STAGE } }, HASH_IDX_ROM_STAGE, MBOOT_PCR_INDEX_0 }, +#if 0 +/* TODO: Is it possible to remove C_ENV_BOOTBLOCK_SIZE here? */ { VERIFY_BLOCK, "BootBlock", { { (void *)0xffffffff - CONFIG_C_ENV_BOOTBLOCK_SIZE + 1, CONFIG_C_ENV_BOOTBLOCK_SIZE, } }, HASH_IDX_BOOTBLOCK, MBOOT_PCR_INDEX_0 }, +#endif #if CONFIG(VENDORCODE_ELTAN_VBOOT_SIGNED_MANIFEST) { VERIFY_BLOCK, "PublicKey", { { (void *)CONFIG_VENDORCODE_ELTAN_VBOOT_KEY_LOCATION, @@ -34,10 +37,13 @@ MBOOT_PCR_INDEX_1 }, { VERIFY_FILE, "spd.bin", { { NULL, CBFS_TYPE_SPD } }, HASH_IDX_SPD0, MBOOT_PCR_INDEX_1 }, +#if 0 +/* TODO: Is it possible to remove C_ENV_BOOTBLOCK_SIZE here? */ { VERIFY_BLOCK, "BootBlock", { { (void *)0xffffffff - CONFIG_C_ENV_BOOTBLOCK_SIZE + 1, CONFIG_C_ENV_BOOTBLOCK_SIZE, } }, HASH_IDX_BOOTBLOCK, MBOOT_PCR_INDEX_0 }, +#endif #if CONFIG(VENDORCODE_ELTAN_VBOOT_SIGNED_MANIFEST) { VERIFY_BLOCK, "PublicKey", { { (void *)CONFIG_VENDORCODE_ELTAN_VBOOT_KEY_LOCATION,
Kyösti Mälkki has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/41694 )
Change subject: [NOTFORMERGE] mb/facebook/fbg1701: Remove C_ENV_BOOTBLOCK_SIZE ......................................................................
Patch Set 1:
Franw, Wim: I am looking at removing global C_ENV_BOOTBLOCK_SIZE and top-align bootblock for better SPI flash utilisation. CB:37895 patchset #9 would probably break measured boot since C_ENV_BOOTBLOCK_SIZE is no longer utilised.
Wim Vervoorn has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/41694 )
Change subject: [NOTFORMERGE] mb/facebook/fbg1701: Remove C_ENV_BOOTBLOCK_SIZE ......................................................................
Patch Set 1:
Patch Set 1:
Franw, Wim: I am looking at removing global C_ENV_BOOTBLOCK_SIZE and top-align bootblock for better SPI flash utilisation. CB:37895 patchset #9 would probably break measured boot since C_ENV_BOOTBLOCK_SIZE is no longer utilised.
Kyosti, I haven't looked into the details. Is there an alternative way to determine the size of the bootblock? Is the size of the bootblock still controlled somehow?
Kyösti Mälkki has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/41694 )
Change subject: [NOTFORMERGE] mb/facebook/fbg1701: Remove C_ENV_BOOTBLOCK_SIZE ......................................................................
Patch Set 1:
Patch Set 1:
Patch Set 1:
Franw, Wim: I am looking at removing global C_ENV_BOOTBLOCK_SIZE and top-align bootblock for better SPI flash utilisation. CB:37895 patchset #9 would probably break measured boot since C_ENV_BOOTBLOCK_SIZE is no longer utilised.
Kyosti, I haven't looked into the details. Is there an alternative way to determine the size of the bootblock? Is the size of the bootblock still controlled somehow?
There would be no static value to use as an initializer, size of bootblock would grow dynamically based on the features one has enabled.
I can think of two solutions:
a) Get bootblock start and size from CBFS, something like:
VERIFY_FILE, "bootblock", CBFS_TYPE_BOOTBLOCK
b) Maintain C_ENV_BOOTBLOCK_SIZE under arch/x86 such that when it has a non-zero value, start of bootblock is extended to that size.
Wim Vervoorn has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/41694 )
Change subject: [NOTFORMERGE] mb/facebook/fbg1701: Remove C_ENV_BOOTBLOCK_SIZE ......................................................................
Patch Set 1:
Patch Set 1:
Patch Set 1:
Patch Set 1:
Franw, Wim: I am looking at removing global C_ENV_BOOTBLOCK_SIZE and top-align bootblock for better SPI flash utilisation. CB:37895 patchset #9 would probably break measured boot since C_ENV_BOOTBLOCK_SIZE is no longer utilised.
Kyosti, I haven't looked into the details. Is there an alternative way to determine the size of the bootblock? Is the size of the bootblock still controlled somehow?
There would be no static value to use as an initializer, size of bootblock would grow dynamically based on the features one has enabled.
I can think of two solutions:
a) Get bootblock start and size from CBFS, something like:
VERIFY_FILE, "bootblock", CBFS_TYPE_BOOTBLOCK
b) Maintain C_ENV_BOOTBLOCK_SIZE under arch/x86 such that when it has a non-zero value, start of bootblock is extended to that size.
I have looked at it. I think the best solution is your 2nd option. This will work for us and it allows you to control bootblock size in case the top block of the flash can be swapped or if you want to permanently lock it for some reason.
Kyösti Mälkki has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/41694 )
Change subject: [NOTFORMERGE] mb/facebook/fbg1701: Remove C_ENV_BOOTBLOCK_SIZE ......................................................................
Patch Set 1:
I can think of two solutions:
a) Get bootblock start and size from CBFS, something like:
VERIFY_FILE, "bootblock", CBFS_TYPE_BOOTBLOCK
b) Maintain C_ENV_BOOTBLOCK_SIZE under arch/x86 such that when it has a non-zero value, start of bootblock is extended to that size.
I have looked at it. I think the best solution is your 2nd option. This will work for us and it allows you to control bootblock size in case the top block of the flash can be swapped or if you want to permanently lock it for some reason.
Well my preference is option a) but someone else needs to evaluate the following argumentation:
1. It is possible that bootblock and romstage come from different builds, i.e. not have exactly the same config.h, while matching C_ENV_BOOTBLOCK_SIZE is required for your implementation to work. 2. Seems like VERIFY_BLOCK bypasses cbfs_boot_map_with_leak() call so there is an assumption that all of bootmedia is MMIO mapped. 3. Absolute addressing of CBFS files does not play together with multiple FMAP regions.
Wim Vervoorn has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/41694 )
Change subject: [NOTFORMERGE] mb/facebook/fbg1701: Remove C_ENV_BOOTBLOCK_SIZE ......................................................................
Patch Set 1:
Patch Set 1:
I can think of two solutions:
a) Get bootblock start and size from CBFS, something like:
VERIFY_FILE, "bootblock", CBFS_TYPE_BOOTBLOCK
b) Maintain C_ENV_BOOTBLOCK_SIZE under arch/x86 such that when it has a non-zero value, start of bootblock is extended to that size.
I have looked at it. I think the best solution is your 2nd option. This will work for us and it allows you to control bootblock size in case the top block of the flash can be swapped or if you want to permanently lock it for some reason.
Well my preference is option a) but someone else needs to evaluate the following argumentation:
- It is possible that bootblock and romstage come from different builds, i.e. not have exactly the same config.h, while matching C_ENV_BOOTBLOCK_SIZE is required for your implementation to work.
- Seems like VERIFY_BLOCK bypasses cbfs_boot_map_with_leak() call so there is an assumption that all of bootmedia is MMIO mapped.
- Absolute addressing of CBFS files does not play together with multiple FMAP regions.
Thanks for sharing your arguments. I had a look and I think you are right. We can use VERIFY_FILE instead of VERIFY_BLOCK. In fact the verify block was a legacy from our original implementation in Braswell where we treated the actual boot block and the public key as one block. We will have a look and do some testing on this to make sure the coreboot implementation matches the signing scripts.
Changing to file verification for the boot block should solve all of the issues you mention. The issue with a locked boot block can be solved in another way and is anyhow board specific.
Kyösti Mälkki has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/41694 )
Change subject: [NOTFORMERGE] mb/facebook/fbg1701: Remove C_ENV_BOOTBLOCK_SIZE ......................................................................
Patch Set 1:
Thanks for sharing your arguments. I had a look and I think you are right. We can use VERIFY_FILE instead of VERIFY_BLOCK. In fact the verify block was a legacy from our original implementation in Braswell where we treated the actual boot block and the public key as one block. We will have a look and do some testing on this to make sure the coreboot implementation matches the signing scripts.
Changing to file verification for the boot block should solve all of the issues you mention. The issue with a locked boot block can be solved in another way and is anyhow board specific.
Wim, thanks. I need to coordinate some amd/picasso changes for top-aligned bootblock too, so it's likely early July before I would need a solution here. But sounds now like you could drop VERIFY_BLOCK implementation as independent work.
Wim Vervoorn has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/41694 )
Change subject: [NOTFORMERGE] mb/facebook/fbg1701: Remove C_ENV_BOOTBLOCK_SIZE ......................................................................
Patch Set 1:
Patch Set 1:
Thanks for sharing your arguments. I had a look and I think you are right. We can use VERIFY_FILE instead of VERIFY_BLOCK. In fact the verify block was a legacy from our original implementation in Braswell where we treated the actual boot block and the public key as one block. We will have a look and do some testing on this to make sure the coreboot implementation matches the signing scripts.
Changing to file verification for the boot block should solve all of the issues you mention. The issue with a locked boot block can be solved in another way and is anyhow board specific.
Wim, thanks. I need to coordinate some amd/picasso changes for top-aligned bootblock too, so it's likely early July before I would need a solution here. But sounds now like you could drop VERIFY_BLOCK implementation as independent work.
We will removed the VERIFY_BLOCK method from the fbg1701 and replace it with a VERIFY_FILE implementation. That should do it for this board.
Frans Hendriks has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/41694 )
Change subject: [NOTFORMERGE] mb/facebook/fbg1701: Remove C_ENV_BOOTBLOCK_SIZE ......................................................................
Patch Set 1:
Patch Set 1:
Patch Set 1:
Thanks for sharing your arguments. I had a look and I think you are right. We can use VERIFY_FILE instead of VERIFY_BLOCK. In fact the verify block was a legacy from our original implementation in Braswell where we treated the actual boot block and the public key as one block. We will have a look and do some testing on this to make sure the coreboot implementation matches the signing scripts.
Changing to file verification for the boot block should solve all of the issues you mention. The issue with a locked boot block can be solved in another way and is anyhow board specific.
Wim, thanks. I need to coordinate some amd/picasso changes for top-aligned bootblock too, so it's likely early July before I would need a solution here. But sounds now like you could drop VERIFY_BLOCK implementation as independent work.
We will removed the VERIFY_BLOCK method from the fbg1701 and replace it with a VERIFY_FILE implementation. That should do it for this board.
We have implemented VERIFY_FILE. It's working fine. Will update the patch
Kyösti Mälkki has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/41694 )
Change subject: [NOTFORMERGE] mb/facebook/fbg1701: Remove C_ENV_BOOTBLOCK_SIZE ......................................................................
Patch Set 1:
Patch Set 1:
Patch Set 1:
Patch Set 1:
Thanks for sharing your arguments. I had a look and I think you are right. We can use VERIFY_FILE instead of VERIFY_BLOCK. In fact the verify block was a legacy from our original implementation in Braswell where we treated the actual boot block and the public key as one block. We will have a look and do some testing on this to make sure the coreboot implementation matches the signing scripts.
Changing to file verification for the boot block should solve all of the issues you mention. The issue with a locked boot block can be solved in another way and is anyhow board specific.
Wim, thanks. I need to coordinate some amd/picasso changes for top-aligned bootblock too, so it's likely early July before I would need a solution here. But sounds now like you could drop VERIFY_BLOCK implementation as independent work.
We will removed the VERIFY_BLOCK method from the fbg1701 and replace it with a VERIFY_FILE implementation. That should do it for this board.
We have implemented VERIFY_FILE. It's working fine. Will update the patch
You can push a single patch with current master as a parent, just copy Change-Id from here.
Wim Vervoorn has uploaded a new patch set (#3) to the change originally created by Kyösti Mälkki. ( https://review.coreboot.org/c/coreboot/+/41694 )
Change subject: mb/facebook/fbg1701: Remove C_ENV_BOOTBLOCK_SIZE ......................................................................
mb/facebook/fbg1701: Remove C_ENV_BOOTBLOCK_SIZE
Remove the use of C_ENV_BOOTBLOCK_SIZE. Verify the bootblock by reading the CBFS file instead of directly accessing the datablock.
BUG=None BRANCH=None TEST=tested on facebook fbg1701
Change-Id: I4254d681525327c7eec18832586818e9c4e8eb22 Signed-off-by: Wim Vervoorn wvervoorn@eltan.com --- M configs/config.facebook_fbg1701.mboot_vboot M src/mainboard/facebook/fbg1701/Kconfig M src/mainboard/facebook/fbg1701/board_verified_boot.c M src/mainboard/facebook/fbg1701/board_verified_boot.h 4 files changed, 5 insertions(+), 13 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/94/41694/3
Kyösti Mälkki has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/41694 )
Change subject: mb/facebook/fbg1701: Remove C_ENV_BOOTBLOCK_SIZE ......................................................................
Patch Set 4:
Wim, master is currently broken. I will rebase these at some convenient time later into the x86-bootblock topic branch.
Wim Vervoorn has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/41694 )
Change subject: mb/facebook/fbg1701: Remove C_ENV_BOOTBLOCK_SIZE ......................................................................
Patch Set 4:
Patch Set 4:
Wim, master is currently broken. I will rebase these at some convenient time later into the x86-bootblock topic branch.
I added a patch for the berknip board to repair the issue committing to the master
Kyösti Mälkki has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/41694 )
Change subject: mb/facebook/fbg1701: Remove C_ENV_BOOTBLOCK_SIZE ......................................................................
Patch Set 5:
We need to keep C_ENV_BOOTBLOCK_SIZE around until we merge top-aligned bootblock. I can rebase this and sort out the build error.
Wim Vervoorn has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/41694 )
Change subject: mb/facebook/fbg1701: Remove C_ENV_BOOTBLOCK_SIZE ......................................................................
Patch Set 5:
Patch Set 5:
We need to keep C_ENV_BOOTBLOCK_SIZE around until we merge top-aligned bootblock. I can rebase this and sort out the build error.
The build error is pretty clear. It because it now used the 64K default and generates a conflict. If I remove the patch that removes the C_ENV_BOOTBLOCK_SIZE setting. The build error will be gone but it needs to be removed later. If you plan to change the code so that the boot block built will be actual size this patch can remain the same but needs to be rebased on your change. What do you prefer?
Kyösti Mälkki has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/41694 )
Change subject: mb/facebook/fbg1701: Remove C_ENV_BOOTBLOCK_SIZE ......................................................................
Patch Set 5:
Patch Set 5:
Patch Set 5:
We need to keep C_ENV_BOOTBLOCK_SIZE around until we merge top-aligned bootblock. I can rebase this and sort out the build error.
The build error is pretty clear. It because it now used the 64K default and generates a conflict. If I remove the patch that removes the C_ENV_BOOTBLOCK_SIZE setting. The build error will be gone but it needs to be removed later. If you plan to change the code so that the boot block built will be actual size this patch can remain the same but needs to be rebased on your change. What do you prefer?
If it works for you, go ahead and remove configs/ and fbg1701/Kconfig parts from this commit. I will squash those to CB:41695 on my next update.
Wim Vervoorn has uploaded a new patch set (#6) to the change originally created by Kyösti Mälkki. ( https://review.coreboot.org/c/coreboot/+/41694 )
Change subject: mb/facebook/fbg1701: Remove C_ENV_BOOTBLOCK_SIZE ......................................................................
mb/facebook/fbg1701: Remove C_ENV_BOOTBLOCK_SIZE
Remove the use of C_ENV_BOOTBLOCK_SIZE. Verify the bootblock by reading the CBFS file instead of directly accessing the datablock.
BUG=None BRANCH=None TEST=tested on facebook fbg1701
Change-Id: I4254d681525327c7eec18832586818e9c4e8eb22 Signed-off-by: Wim Vervoorn wvervoorn@eltan.com --- M src/mainboard/facebook/fbg1701/board_verified_boot.c M src/mainboard/facebook/fbg1701/board_verified_boot.h 2 files changed, 5 insertions(+), 8 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/94/41694/6
Wim Vervoorn has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/41694 )
Change subject: mb/facebook/fbg1701: Remove C_ENV_BOOTBLOCK_SIZE ......................................................................
Patch Set 6:
Patch Set 5:
Patch Set 5:
Patch Set 5:
We need to keep C_ENV_BOOTBLOCK_SIZE around until we merge top-aligned bootblock. I can rebase this and sort out the build error.
The build error is pretty clear. It because it now used the 64K default and generates a conflict. If I remove the patch that removes the C_ENV_BOOTBLOCK_SIZE setting. The build error will be gone but it needs to be removed later. If you plan to change the code so that the boot block built will be actual size this patch can remain the same but needs to be rebased on your change. What do you prefer?
If it works for you, go ahead and remove configs/ and fbg1701/Kconfig parts from this commit. I will squash those to CB:41695 on my next update.
Done.
Angel Pons has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/41694 )
Change subject: mb/facebook/fbg1701: Remove C_ENV_BOOTBLOCK_SIZE ......................................................................
Patch Set 7: Code-Review+2
Wim Vervoorn has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/41694 )
Change subject: mb/facebook/fbg1701: Remove C_ENV_BOOTBLOCK_SIZE ......................................................................
Patch Set 7: Code-Review+2
Frans Hendriks has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/41694 )
Change subject: mb/facebook/fbg1701: Remove C_ENV_BOOTBLOCK_SIZE ......................................................................
Patch Set 7: Code-Review+2
Kyösti Mälkki has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/41694 )
Change subject: mb/facebook/fbg1701: Remove C_ENV_BOOTBLOCK_SIZE ......................................................................
Patch Set 7: Code-Review+1
Patrick Georgi has submitted this change. ( https://review.coreboot.org/c/coreboot/+/41694 )
Change subject: mb/facebook/fbg1701: Remove C_ENV_BOOTBLOCK_SIZE ......................................................................
mb/facebook/fbg1701: Remove C_ENV_BOOTBLOCK_SIZE
Remove the use of C_ENV_BOOTBLOCK_SIZE. Verify the bootblock by reading the CBFS file instead of directly accessing the datablock.
BUG=None BRANCH=None TEST=tested on facebook fbg1701
Change-Id: I4254d681525327c7eec18832586818e9c4e8eb22 Signed-off-by: Wim Vervoorn wvervoorn@eltan.com Reviewed-on: https://review.coreboot.org/c/coreboot/+/41694 Reviewed-by: Angel Pons th3fanbus@gmail.com Reviewed-by: Frans Hendriks fhendriks@eltan.com Reviewed-by: Kyösti Mälkki kyosti.malkki@gmail.com Tested-by: build bot (Jenkins) no-reply@coreboot.org --- M src/mainboard/facebook/fbg1701/board_verified_boot.c M src/mainboard/facebook/fbg1701/board_verified_boot.h 2 files changed, 5 insertions(+), 8 deletions(-)
Approvals: build bot (Jenkins): Verified Kyösti Mälkki: Looks good to me, but someone else must approve Wim Vervoorn: Looks good to me, approved Frans Hendriks: Looks good to me, approved Angel Pons: Looks good to me, approved
diff --git a/src/mainboard/facebook/fbg1701/board_verified_boot.c b/src/mainboard/facebook/fbg1701/board_verified_boot.c index 57bd199..a03c6fc 100644 --- a/src/mainboard/facebook/fbg1701/board_verified_boot.c +++ b/src/mainboard/facebook/fbg1701/board_verified_boot.c @@ -8,10 +8,8 @@ const verify_item_t bootblock_verify_list[] = { { VERIFY_FILE, ROMSTAGE, { { NULL, CBFS_TYPE_STAGE } }, HASH_IDX_ROM_STAGE, MBOOT_PCR_INDEX_0 }, - { VERIFY_BLOCK, "BootBlock", - { { (void *)0xffffffff - CONFIG_C_ENV_BOOTBLOCK_SIZE + 1, - CONFIG_C_ENV_BOOTBLOCK_SIZE, } }, HASH_IDX_BOOTBLOCK, - MBOOT_PCR_INDEX_0 }, + { VERIFY_FILE, BOOTBLOCK, { { NULL, CBFS_TYPE_BOOTBLOCK } }, + HASH_IDX_BOOTBLOCK, MBOOT_PCR_INDEX_0 }, #if CONFIG(VENDORCODE_ELTAN_VBOOT_SIGNED_MANIFEST) { VERIFY_BLOCK, "PublicKey", { { (void *)CONFIG_VENDORCODE_ELTAN_VBOOT_KEY_LOCATION, @@ -34,10 +32,8 @@ MBOOT_PCR_INDEX_1 }, { VERIFY_FILE, "spd.bin", { { NULL, CBFS_TYPE_SPD } }, HASH_IDX_SPD0, MBOOT_PCR_INDEX_1 }, - { VERIFY_BLOCK, "BootBlock", - { { (void *)0xffffffff - CONFIG_C_ENV_BOOTBLOCK_SIZE + 1, - CONFIG_C_ENV_BOOTBLOCK_SIZE, } }, HASH_IDX_BOOTBLOCK, - MBOOT_PCR_INDEX_0 }, + { VERIFY_FILE, BOOTBLOCK, { { NULL, CBFS_TYPE_BOOTBLOCK } }, + HASH_IDX_BOOTBLOCK, MBOOT_PCR_INDEX_0 }, #if CONFIG(VENDORCODE_ELTAN_VBOOT_SIGNED_MANIFEST) { VERIFY_BLOCK, "PublicKey", { { (void *)CONFIG_VENDORCODE_ELTAN_VBOOT_KEY_LOCATION, diff --git a/src/mainboard/facebook/fbg1701/board_verified_boot.h b/src/mainboard/facebook/fbg1701/board_verified_boot.h index 589006b..b5ff5f8 100644 --- a/src/mainboard/facebook/fbg1701/board_verified_boot.h +++ b/src/mainboard/facebook/fbg1701/board_verified_boot.h @@ -6,6 +6,7 @@ #include <vboot_check.h>
/* Define the items to be measured or verified */ +#define BOOTBLOCK (const char *)"bootblock" #define FSP (const char *)"fsp.bin" #define CMOS_LAYOUT (const char *)"cmos_layout.bin" #define RAMSTAGE (const char *)CONFIG_CBFS_PREFIX"/ramstage"
9elements QA has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/41694 )
Change subject: mb/facebook/fbg1701: Remove C_ENV_BOOTBLOCK_SIZE ......................................................................
Patch Set 8:
Automatic boot test returned (PASS/FAIL/TOTAL): 4/0/4 Emulation targets: "QEMU x86 q35/ich9" using payload TianoCore : SUCCESS : https://lava.9esec.io/r/4540 "QEMU x86 q35/ich9" using payload SeaBIOS : SUCCESS : https://lava.9esec.io/r/4539 "QEMU x86 i440fx/piix4" using payload SeaBIOS : SUCCESS : https://lava.9esec.io/r/4538 "QEMU AArch64" using payload LinuxBoot_u-root_kexec : SUCCESS : https://lava.9esec.io/r/4537
Please note: This test is under development and might not be accurate at all!
-
9elements QA (Code Review) -
Angel Pons (Code Review)
-
Frans Hendriks (Code Review)
-
Kyösti Mälkki (Code Review)
-
Patrick Georgi (Code Review)
-
Wim Vervoorn (Code Review)