Wim Vervoorn has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/36504 )
Change subject: mb/facebook/fbg1701: Add public key to verification
mb/facebook/fbg1701: Add public key to verification
The public key was not verified during the verified boot operation. This is now added. The key is measured to PCR0.
BUG=N/A
TEST=tested on facebook fbg1701
Change-Id: I85fd391294db0ea796001720c2509f797be5aedf
Signed-off-by: Wim Vervoorn wvervoorn@eltan.com
---
M src/mainboard/facebook/fbg1701/board_verified_boot.c
M src/mainboard/facebook/fbg1701/manifest.h
M src/vendorcode/eltan/security/verified_boot/Kconfig
3 files changed, 7 insertions(+), 4 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/04/36504/1
diff --git a/src/mainboard/facebook/fbg1701/board_verified_boot.c b/src/mainboard/facebook/fbg1701/board_verified_boot.c index 24e7037..1ccb0b8e 100644 --- a/src/mainboard/facebook/fbg1701/board_verified_boot.c +++ b/src/mainboard/facebook/fbg1701/board_verified_boot.c @@ -26,6 +26,10 @@ { { (void *)0xffffffff - CONFIG_C_ENV_BOOTBLOCK_SIZE + 1, CONFIG_C_ENV_BOOTBLOCK_SIZE, } }, HASH_IDX_BOOTBLOCK, MBOOT_PCR_INDEX_0 }, + { VERIFY_BLOCK, "PublicKey", + { { (void *)CONFIG_VENDORCODE_ELTAN_VBOOT_KEY_LOCATION, + CONFIG_VENDORCODE_ELTAN_VBOOT_KEY_SIZE, } }, HASH_IDX_PUBLICKEY, + MBOOT_PCR_INDEX_0 }, { VERIFY_TERMINATOR, NULL, { { NULL, 0 } }, 0, 0 } }; #endif diff --git a/src/mainboard/facebook/fbg1701/manifest.h b/src/mainboard/facebook/fbg1701/manifest.h index 5a583f4..5fa86ed 100644 --- a/src/mainboard/facebook/fbg1701/manifest.h +++ b/src/mainboard/facebook/fbg1701/manifest.h @@ -30,6 +30,6 @@ #define HASH_IDX_LOGO 7 #define HASH_IDX_DSDT 8 #define HASH_IDX_POSTCAR_STAGE 9 -#define HASH_IDX_BOOTBLOCK 10 /* Should always be the last one */ - +#define HASH_IDX_PUBLICKEY 10 +#define HASH_IDX_BOOTBLOCK 11 /* Should always be the last one */ #endif diff --git a/src/vendorcode/eltan/security/verified_boot/Kconfig b/src/vendorcode/eltan/security/verified_boot/Kconfig index d9e989f..ab254c4 100644 --- a/src/vendorcode/eltan/security/verified_boot/Kconfig +++ b/src/vendorcode/eltan/security/verified_boot/Kconfig @@ -42,8 +42,7 @@
config VENDORCODE_ELTAN_OEM_MANIFEST_ITEMS int "Manifest Items" - default 11 if POSTCAR_STAGE - default 10 + default 12
config VENDORCODE_ELTAN_OEM_MANIFEST_ITEM_SIZE int
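Review bot: In manifest.h, inserting HASH_IDX_PUBLICKEY at 10 moves HASH_IDX_BOOTBLOCK from 10 to 11, so a manifest generated against the old layout would have its slot 10 read as the public key hash instead of the bootblock hash. The commit message should state that the manifest has to be regenerated together with this change. The hunk also drops the blank line before #endif, which is unrelated to the fix and could be left as it was.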
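Review bot: In the Kconfig hunk, VENDORCODE_ELTAN_OEM_MANIFEST_ITEMS loses its "default 11 if POSTCAR_STAGE" / "default 10" pair and becomes an unconditional "default 12", but this commit message does not explain why the POSTCAR_STAGE condition can go. The file sits under src/vendorcode/eltan rather than the fbg1701 mainboard directory, so the new default applies wherever the option is used; please document the reason in the commit message. Since 12 must stay equal to HASH_IDX_BOOTBLOCK + 1 from manifest.h, a compile-time check tying the two together would catch the next index addition that forgets to bump this value.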
Hello Frans Hendriks, build bot (Jenkins),
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/36504
to look at the new patch set (#2).
Change subject: mb/facebook/fbg1701: Add public key to verification
mb/facebook/fbg1701: Add public key to verification
The public key was not verified during the verified boot operation. This is now added. The key is measured to PCR0.
BUG=N/A
TEST=tested on facebook fbg1701
Change-Id: I85fd391294db0ea796001720c2509f797be5aedf
Signed-off-by: Wim Vervoorn wvervoorn@eltan.com
---
M src/mainboard/facebook/fbg1701/board_verified_boot.c
M src/mainboard/facebook/fbg1701/manifest.h
M src/vendorcode/eltan/security/verified_boot/Kconfig
3 files changed, 7 insertions(+), 4 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/04/36504/2
Hello Frans Hendriks, build bot (Jenkins),
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/36504
to look at the new patch set (#3).
Change subject: mb/facebook/fbg1701: Add public key to bootblock_verify_list
mb/facebook/fbg1701: Add public key to bootblock_verify_list
The public key was not verified during the verified boot operation. This is now added. The key is measured to PCR0.
The items in the manifest are now fixed at 12 as we always have the postcar stage.
BUG=N/A
TEST=tested on facebook fbg1701
Change-Id: I85fd391294db0ea796001720c2509f797be5aedf
Signed-off-by: Wim Vervoorn wvervoorn@eltan.com
---
M src/mainboard/facebook/fbg1701/board_verified_boot.c
M src/mainboard/facebook/fbg1701/manifest.h
M src/vendorcode/eltan/security/verified_boot/Kconfig
3 files changed, 7 insertions(+), 4 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/04/36504/3
Frans Hendriks has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/36504 )
Change subject: mb/facebook/fbg1701: Add public key to bootblock_verify_list
Patch Set 3: Code-Review+2
Patrick Georgi has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/36504 )
Change subject: mb/facebook/fbg1701: Add public key to bootblock_verify_list
Patch Set 5:
(1 comment)
https://review.coreboot.org/c/coreboot/+/36504/5/src/mainboard/facebook/fbg1... File src/mainboard/facebook/fbg1701/board_verified_boot.c:
https://review.coreboot.org/c/coreboot/+/36504/5/src/mainboard/facebook/fbg1... PS5, Line 19: the bootblock will not measure the : * items to the TPM
This seems to contradict the commit message that the key ends up in PCR0, or is the same structure used in a later stage to report post-hoc what was booted?
Hello Frans Hendriks, build bot (Jenkins),
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/36504
to look at the new patch set (#6).
Change subject: mb/facebook/fbg1701: Add public key to bootblock_verify_list
mb/facebook/fbg1701: Add public key to bootblock_verify_list
The public key was not verified during the verified boot operation. This is now added. The items in the manifest are now fixed at 12 as we always have the postcar stage.
BUG=N/A
TEST=tested on facebook fbg1701
Change-Id: I85fd391294db0ea796001720c2509f797be5aedf
Signed-off-by: Wim Vervoorn wvervoorn@eltan.com
---
M src/mainboard/facebook/fbg1701/board_verified_boot.c
M src/mainboard/facebook/fbg1701/manifest.h
M src/vendorcode/eltan/security/verified_boot/Kconfig
3 files changed, 7 insertions(+), 4 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/04/36504/6
Hello Frans Hendriks, build bot (Jenkins),
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/36504
to look at the new patch set (#7).
Change subject: mb/facebook/fbg1701: Add public key to bootblock_verify_list
mb/facebook/fbg1701: Add public key to bootblock_verify_list
The public key was not verified during the verified boot operation. This is now added. The items in the manifest are now fixed at 12 as we always have the postcar stage.
BUG=N/A
TEST=tested on facebook fbg1701
Change-Id: I85fd391294db0ea796001720c2509f797be5aedf
Signed-off-by: Wim Vervoorn wvervoorn@eltan.com
---
M src/mainboard/facebook/fbg1701/board_verified_boot.c
M src/mainboard/facebook/fbg1701/manifest.h
M src/vendorcode/eltan/security/verified_boot/Kconfig
3 files changed, 7 insertions(+), 4 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/04/36504/7
Wim Vervoorn has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/36504 )
Change subject: mb/facebook/fbg1701: Add public key to bootblock_verify_list
Patch Set 7:
(1 comment)
https://review.coreboot.org/c/coreboot/+/36504/5/src/mainboard/facebook/fbg1... File src/mainboard/facebook/fbg1701/board_verified_boot.c:
https://review.coreboot.org/c/coreboot/+/36504/5/src/mainboard/facebook/fbg1... PS5, Line 19: the bootblock will not measure the : * items to the TPM
This seems to contradict the commit message that the key ends up in PCR0, or is the same structure u […]
You are absolutely right, the PCR remark in the commit message is a mistake. The PCR item in the boot_block_verify list is just a dummy and is not used as indicated in the comments. I will update the commit message.
Frans Hendriks has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/36504 )
Change subject: mb/facebook/fbg1701: Add public key to bootblock_verify_list
Patch Set 7: Code-Review+2
Patrick Georgi has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/36504 )
Change subject: mb/facebook/fbg1701: Add public key to bootblock_verify_list
Patch Set 7: Code-Review+2
(1 comment)
https://review.coreboot.org/c/coreboot/+/36504/7//COMMIT_MSG Commit Message:
https://review.coreboot.org/c/coreboot/+/36504/7//COMMIT_MSG@9 PS7, Line 9: The public key was not verified during the verified boot operation. This is now added.
sorry, another commit message nit: git commit messages are supposed to stay within 70ish columns (the precise number varies and we need to formalize it for coreboot, but the limit is usually between 72 and 75)
Hello Frans Hendriks, build bot (Jenkins), Patrick Georgi,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/36504
to look at the new patch set (#8).
Change subject: mb/facebook/fbg1701: Add public key to bootblock_verify_list
mb/facebook/fbg1701: Add public key to bootblock_verify_list
The public key was not verified during the verified boot operation. This is now added. The items in the manifest are now fixed at 12 as we always have the postcar stage.
BUG=N/A
TEST=tested on facebook fbg1701
Change-Id: I85fd391294db0ea796001720c2509f797be5aedf
Signed-off-by: Wim Vervoorn wvervoorn@eltan.com
---
M src/mainboard/facebook/fbg1701/board_verified_boot.c
M src/mainboard/facebook/fbg1701/manifest.h
M src/vendorcode/eltan/security/verified_boot/Kconfig
3 files changed, 7 insertions(+), 4 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/04/36504/8
Wim Vervoorn has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/36504 )
Change subject: mb/facebook/fbg1701: Add public key to bootblock_verify_list
Patch Set 8:
(1 comment)
https://review.coreboot.org/c/coreboot/+/36504/7//COMMIT_MSG Commit Message:
https://review.coreboot.org/c/coreboot/+/36504/7//COMMIT_MSG@9 PS7, Line 9: The public key was not verified during the verified boot operation. This is now added.
sorry, another commit message nit: git commit messages are supposed to stay within 70ish columns (th […]
Done
Patrick Georgi has submitted this change. ( https://review.coreboot.org/c/coreboot/+/36504 )
Change subject: mb/facebook/fbg1701: Add public key to bootblock_verify_list
mb/facebook/fbg1701: Add public key to bootblock_verify_list
The public key was not verified during the verified boot operation. This is now added. The items in the manifest are now fixed at 12 as we always have the postcar stage.
BUG=N/A
TEST=tested on facebook fbg1701
Change-Id: I85fd391294db0ea796001720c2509f797be5aedf
Signed-off-by: Wim Vervoorn wvervoorn@eltan.com
Reviewed-on: https://review.coreboot.org/c/coreboot/+/36504
Reviewed-by: Frans Hendriks fhendriks@eltan.com
Reviewed-by: Patrick Georgi pgeorgi@google.com
Tested-by: build bot (Jenkins) no-reply@coreboot.org
---
M src/mainboard/facebook/fbg1701/board_verified_boot.c
M src/mainboard/facebook/fbg1701/manifest.h
M src/vendorcode/eltan/security/verified_boot/Kconfig
3 files changed, 7 insertions(+), 4 deletions(-)
Approvals:
build bot (Jenkins): Verified
Patrick Georgi: Looks good to me, approved
Frans Hendriks: Looks good to me, approved
diff --git a/src/mainboard/facebook/fbg1701/board_verified_boot.c b/src/mainboard/facebook/fbg1701/board_verified_boot.c index 24e7037..1ccb0b8e 100644 --- a/src/mainboard/facebook/fbg1701/board_verified_boot.c +++ b/src/mainboard/facebook/fbg1701/board_verified_boot.c @@ -26,6 +26,10 @@ { { (void *)0xffffffff - CONFIG_C_ENV_BOOTBLOCK_SIZE + 1, CONFIG_C_ENV_BOOTBLOCK_SIZE, } }, HASH_IDX_BOOTBLOCK, MBOOT_PCR_INDEX_0 }, + { VERIFY_BLOCK, "PublicKey", + { { (void *)CONFIG_VENDORCODE_ELTAN_VBOOT_KEY_LOCATION, + CONFIG_VENDORCODE_ELTAN_VBOOT_KEY_SIZE, } }, HASH_IDX_PUBLICKEY, + MBOOT_PCR_INDEX_0 }, { VERIFY_TERMINATOR, NULL, { { NULL, 0 } }, 0, 0 } }; #endif diff --git a/src/mainboard/facebook/fbg1701/manifest.h b/src/mainboard/facebook/fbg1701/manifest.h index 5a583f4..caf9e5e 100644 --- a/src/mainboard/facebook/fbg1701/manifest.h +++ b/src/mainboard/facebook/fbg1701/manifest.h @@ -30,6 +30,6 @@ #define HASH_IDX_LOGO 7 #define HASH_IDX_DSDT 8 #define HASH_IDX_POSTCAR_STAGE 9 -#define HASH_IDX_BOOTBLOCK 10 /* Should always be the last one */ - +#define HASH_IDX_PUBLICKEY 10 +#define HASH_IDX_BOOTBLOCK 11 /* Should always be the last one */ #endif diff --git a/src/vendorcode/eltan/security/verified_boot/Kconfig b/src/vendorcode/eltan/security/verified_boot/Kconfig index d9e989f..ab254c4 100644 --- a/src/vendorcode/eltan/security/verified_boot/Kconfig +++ b/src/vendorcode/eltan/security/verified_boot/Kconfig @@ -42,8 +42,7 @@
config VENDORCODE_ELTAN_OEM_MANIFEST_ITEMS int "Manifest Items" - default 11 if POSTCAR_STAGE - default 10 + default 12
config VENDORCODE_ELTAN_OEM_MANIFEST_ITEM_SIZE int
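Review bot: In board_verified_boot.c the new "PublicKey" entry still passes MBOOT_PCR_INDEX_0 as its last field, although the review discussion established that the PCR field in this list is a dummy and the bootblock does not measure these items. A short comment on the entry, or on the list as a whole, saying that the field is unused here would keep readers from assuming the key is extended into PCR0. The entry hashes CONFIG_VENDORCODE_ELTAN_VBOOT_KEY_SIZE bytes starting at CONFIG_VENDORCODE_ELTAN_VBOOT_KEY_LOCATION, so it is also worth confirming that both values describe exactly the key blob whose hash is stored at HASH_IDX_PUBLICKEY.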