Michał Żygowski has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/43394 )
Change subject: Makefile.inc: Add Boot Guard IBB logic for CBFS files
Makefile.inc: Add Boot Guard IBB logic for CBFS files
The Boot Guard implementation will leverage FIT entries to locate IBB files in CBFS to create the IBB hash. ifittool will create entries of type 7 which will be then parsd by another tool to calculate hash of whole IBB. These entries will be removed or left untouched based on the Boot Guard revision. This will open a path to support Converged Boot Guard and Trusted Execution Technology.
Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com>
Change-Id: I73e23ddbd8c7f6eef2de3cd3baeb656c86917261
---
M Makefile.inc
M src/drivers/intel/fsp2_0/Makefile.inc
M src/security/vboot/Makefile.inc
3 files changed, 23 insertions(+), 3 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/94/43394/1
diff --git a/Makefile.inc b/Makefile.inc index 89bb3e4..912dd42 100644 --- a/Makefile.inc +++ b/Makefile.inc @@ -712,6 +712,19 @@
endif
+# For Intel BtG files in the CBFS needs to be marked as 'Initial Boot Block'. +# As CBFS attributes aren't cheap, only mark them if BtG is enabled. +ifeq ($(CONFIG_INTEL_BOOTGUARD),y) + +BTGIBB := --ibb + +else + +BTGIBB := + +endif + + ifeq ($(CONFIG_COMPRESS_BOOTBLOCK),y)
$(objcbfs)/bootblock.lz4: $(objcbfs)/bootblock.elf $(objutil)/cbfstool/cbfs-compression-tool @@ -1051,7 +1064,7 @@ -f $(objcbfs)/bootblock.bin \ -n bootblock \ -t bootblock \ - $(TXTIBB) \ + $(TXTIBB) $(BTGIBB) \ -b -$(call file-size,$(objcbfs)/bootblock.bin) $(cbfs-autogen-attributes) \ $(TS_OPTIONS) else # ifeq ($(CONFIG_ARCH_X86),y) diff --git a/src/drivers/intel/fsp2_0/Makefile.inc b/src/drivers/intel/fsp2_0/Makefile.inc index e954a46..278036a 100644 --- a/src/drivers/intel/fsp2_0/Makefile.inc +++ b/src/drivers/intel/fsp2_0/Makefile.inc @@ -43,7 +43,7 @@ $(FSP_T_CBFS)-file := $(call strip_quotes,$(CONFIG_FSP_T_FILE)) $(FSP_T_CBFS)-type := fsp ifeq ($(CONFIG_FSP_T_XIP),y) -$(FSP_T_CBFS)-options := --xip $(TXTIBB) +$(FSP_T_CBFS)-options := --xip $(TXTIBB) $(BTGIBB) endif
cbfs-files-$(CONFIG_ADD_FSP_BINARIES) += $(FSP_M_CBFS) diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc index 90b2756..4097a53 100644 --- a/src/security/vboot/Makefile.inc +++ b/src/security/vboot/Makefile.inc @@ -141,7 +141,14 @@ endif
endif -$(CONFIG_CBFS_PREFIX)/verstage-options += $(TXTIBB) +$(CONFIG_CBFS_PREFIX)/verstage-options += $(BTGIBB) $(TXTIBB) + +ifeq ($(CONFIG_INTEL_BOOTGUARD),y) +INTERMEDIATE+=add_verstage_ibb_fit + +add_verstage_ibb_fit: $(obj)/coreboot.pre $(IFITTOOL) + $(IFITTOOL) -r COREBOOT -a -n $(CONFIG_CBFS_PREFIX)/verstage -t 7 -s $(CONFIG_CPU_INTEL_NUM_FIT_ENTRIES) -f $< +endif
else # CONFIG_VBOOT_SEPARATE_VERSTAGE ifeq ($(CONFIG_VBOOT_STARTS_IN_BOOTBLOCK),y)
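Review bot: The comment introduced in the first Makefile.inc hunk (@@ -712) reads "files in the CBFS needs to be marked", which has a subject-verb mismatch and is missing the comma after "BtG"; suggest "For Intel BtG, files in CBFS need to be marked as 'Initial Boot Block'." The conditional itself can be tightened: the blank lines around each assignment and the two added blank lines before ifeq ($(CONFIG_COMPRESS_BOOTBLOCK),y) are noise, and an unconditional "BTGIBB :=" followed by a one-branch ifeq that sets --ibb would say the same thing in fewer lines.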
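Review bot: The bootblock command line in the second Makefile.inc hunk (@@ -1051) can end up carrying the IBB flag twice, since it now expands "$(TXTIBB) $(BTGIBB)" and BTGIBB is defined as --ibb. The definition of TXTIBB is not part of this diff; if it also expands to --ibb, a build with both options enabled passes the flag two times, and the same applies to the "--xip $(TXTIBB) $(BTGIBB)" line in src/drivers/intel/fsp2_0/Makefile.inc. Please either confirm that cbfstool accepts the repeated option or derive both uses from one variable that is set when either feature is enabled.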
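Review bot: Missing FIT coverage in the src/security/vboot/Makefile.inc hunk: add_verstage_ibb_fit is the only rule in this patch that creates a type 7 entry, while bootblock and FSP-T are marked with $(BTGIBB) in the other hunks and get no matching "$(IFITTOOL) ... -t 7" step. The rule also sits in the branch that ends at "else # CONFIG_VBOOT_SEPARATE_VERSTAGE", so it only applies to builds with a separate verstage. Please add the corresponding rules or say in the commit message where the other IBB files get their entries, and note that each entry counts against CONFIG_CPU_INTEL_NUM_FIT_ENTRIES. Two style points in the same hunk: the operands are ordered "$(BTGIBB) $(TXTIBB)" here but "$(TXTIBB) $(BTGIBB)" in the other two files, and "INTERMEDIATE+=add_verstage_ibb_fit" lacks spaces around "+=".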
Patrick Rudolph has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/43394 )
Patch Set 1: Code-Review+1
(1 comment)
https://review.coreboot.org/c/coreboot/+/43394/1/Makefile.inc File Makefile.inc:
https://review.coreboot.org/c/coreboot/+/43394/1/Makefile.inc@719 PS1, Line 719: BTGIBB Can't this be merged with TXTIBB? It looks like the same files are marked as IBB.
Michał Żygowski has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/43394 )
Patch Set 1:
(1 comment)
https://review.coreboot.org/c/coreboot/+/43394/1/Makefile.inc File Makefile.inc:
https://review.coreboot.org/c/coreboot/+/43394/1/Makefile.inc@719 PS1, Line 719: BTGIBB
can't this be merged with TXTIBB. […]
TXTIBB sets a little bit more than Boot Guard. Although according to the spec IBB should initialize memory, IMO it is not necessary if we start measured/verified boot in bootblock. That was my motivation for separate IBB. Also, there is a limit of FIT entries for Skylake equal to 10. This amount of IBB elements would not fit into the table.
Michael Niewöhner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/43394 )
Patch Set 1:
(2 comments)
https://review.coreboot.org/c/coreboot/+/43394/1//COMMIT_MSG Commit Message:
https://review.coreboot.org/c/coreboot/+/43394/1//COMMIT_MSG@11 PS1, Line 11: parsd parsed
https://review.coreboot.org/c/coreboot/+/43394/1//COMMIT_MSG@11 PS1, Line 11: another tool which tool?
Stefan Reinauer has abandoned this change. ( https://review.coreboot.org/c/coreboot/+/43394?usp=email )
Abandoned