coreboot October 2022

coreboot@coreboot.org

16 participants
36 discussions

Creating a coreboot Security team
by coreboot org 03 Nov '22

03 Nov '22

Hi everyone, At one of the last coreboot leadership meetings, the idea of a coreboot security team was brought up. We'd like to build a group to look at coreboot's source code with an eye on security, respond to issues on the security mailing list, help fix security-related issues, and shepherd security related patches through gerrit. Additionally we'd like upcoming features to go through this group to look for possible security issues. This team would preferably be a mix of some of the senior coreboot developers, firmware/software security researchers, and industry professionals. I know that many of the companies working on coreboot have dedicated security teams. It would be great if a couple of these companies could be convinced to assign individuals to spend a few hours a week on the coreboot project. If anyone would be interested in being on this team, or knows someone who would be good in this role, please reach out. Thanks. Martin

2 1

regarding build failure due to SHA api added in amdfwtools
by ritul guru 02 Nov '22

02 Nov '22

Hi, I am getting build below error, any pre-req to get SHA256 definitions? /usr/bin/ld: build/util/amdfwtool/amdfwtool.o: in function `add_single_sha': /amd/src/coreboot/util/amdfwtool/amdfwtool.c:685: undefined reference to `SHA256' /usr/bin/ld: /amd/src/coreboot/util/amdfwtool/amdfwtool.c:682: undefined reference to `SHA384' collect2: error: ld returned 1 exit status make: *** [util/amdfwtool/Makefile.inc:19: build/util/amdfwtool/amdfwtool] Error 1 *Thanks & RegardsRitul Guru+91-9916513186*

3 7

New Defects reported by Coverity Scan for coreboot
by scan-admin＠coverity.com 28 Oct '22

28 Oct '22

Hi, Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan. 6 new defect(s) introduced to coreboot found with Coverity Scan. 3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 6 of 6 defect(s) ** CID 1500223: (TAINTED_SCALAR) /util/amdfwtool/amdfwread.c: 140 in read_bios_directory() /util/amdfwtool/amdfwread.c: 141 in read_bios_directory() ________________________________________________________________________________________________________ *** CID 1500223: (TAINTED_SCALAR) /util/amdfwtool/amdfwread.c: 140 in read_bios_directory() 134 header->cookie, expected_cookie); 135 return 1; 136 } 137 138 /* Read the entries */ 139 *num_entries = header->num_entries; >>> CID 1500223: (TAINTED_SCALAR) >>> Passing tainted expression "24UL * header->num_entries" to "malloc", which uses it as an allocation size. [Note: The source code implementation of the function has been overridden by a builtin model.] 140 *entries = malloc(sizeof(bios_directory_entry) * header->num_entries); 141 if (fread(*entries, sizeof(bios_directory_entry), header->num_entries, fw) 142 != header->num_entries) { 143 ERR("Failed to read %d BIOS entries\n", header->num_entries); 144 return 1; 145 } /util/amdfwtool/amdfwread.c: 141 in read_bios_directory() 135 return 1; 136 } 137 138 /* Read the entries */ 139 *num_entries = header->num_entries; 140 *entries = malloc(sizeof(bios_directory_entry) * header->num_entries); >>> CID 1500223: (TAINTED_SCALAR) >>> Passing tainted expression "header->num_entries" to "fread", which uses it as an offset. 141 if (fread(*entries, sizeof(bios_directory_entry), header->num_entries, fw) 142 != header->num_entries) { 143 ERR("Failed to read %d BIOS entries\n", header->num_entries); 144 return 1; 145 } 146 ** CID 1500222: Control flow issues (DEADCODE) /src/soc/mediatek/mt8188/ddp.c: 103 in main_disp_path_setup() ________________________________________________________________________________________________________ *** CID 1500222: Control flow issues (DEADCODE) /src/soc/mediatek/mt8188/ddp.c: 103 in main_disp_path_setup() 97 static void main_disp_path_setup(u32 width, u32 height, u32 vrefresh) 98 { 99 u32 idx; 100 const u32 pixel_clk = width * height * vrefresh; 101 102 for (idx = 0; idx < MAIN_PATH_OVL_NR; idx++) { >>> CID 1500222: Control flow issues (DEADCODE) >>> Execution cannot reach the expression "0U" inside this statement: "ovl_set_roi(idx, width, hei...". 103 ovl_set_roi(idx, width, height, idx ? 0 : 0xff0000ff); 104 ovl_layer_smi_id_en(idx); 105 ovl_layer_gclast_en(idx); 106 ovl_layer_output_clamp_en(idx); 107 ovl_layer_en(idx); 108 } ** CID 1500221: Insecure data handling (TAINTED_SCALAR) /util/amdfwtool/amdfwread.c: 260 in amdfw_bios_dir_walk() ________________________________________________________________________________________________________ *** CID 1500221: Insecure data handling (TAINTED_SCALAR) /util/amdfwtool/amdfwread.c: 260 in amdfw_bios_dir_walk() 254 255 if (read_bios_directory(fw, bios_offset, cookie, &header, 256 &current_entries, &num_current_entries) != 0) 257 return 1; 258 259 do_indentation_string(indent, level); >>> CID 1500221: Insecure data handling (TAINTED_SCALAR) >>> Using tainted variable "num_current_entries" as a loop boundary. 260 for (size_t i = 0; i < num_current_entries; i++) { 261 uint32_t type = current_entries[i].type; 262 uint64_t mode = current_entries[i].address_mode; 263 uint64_t addr = current_entries[i].source; 264 265 if (type == AMD_BIOS_APOB || type == AMD_BIOS_PSP_SHARED_MEM) ** CID 1500220: Resource leaks (RESOURCE_LEAK) /util/amdfwtool/amdfwread.c: 312 in amdfw_psp_dir_walk() ________________________________________________________________________________________________________ *** CID 1500220: Resource leaks (RESOURCE_LEAK) /util/amdfwtool/amdfwread.c: 312 in amdfw_psp_dir_walk() 306 uint32_t ish_dir_offset = 0; 307 ish_directory_table ish_dir; 308 char indent[MAX_INDENTATION_LEN] = {0}; 309 310 if (read_psp_directory(fw, psp_offset, cookie, &header, 311 &current_entries, &num_current_entries) != 0) >>> CID 1500220: Resource leaks (RESOURCE_LEAK) >>> Variable "current_entries" going out of scope leaks the storage it points to. 312 return 1; 313 314 do_indentation_string(indent, level); 315 for (size_t i = 0; i < num_current_entries; i++) { 316 uint32_t type = current_entries[i].type; 317 uint64_t mode = current_entries[i].address_mode; ** CID 1500219: Insecure data handling (TAINTED_SCALAR) /util/amdfwtool/amdfwread.c: 315 in amdfw_psp_dir_walk() ________________________________________________________________________________________________________ *** CID 1500219: Insecure data handling (TAINTED_SCALAR) /util/amdfwtool/amdfwread.c: 315 in amdfw_psp_dir_walk() 309 310 if (read_psp_directory(fw, psp_offset, cookie, &header, 311 &current_entries, &num_current_entries) != 0) 312 return 1; 313 314 do_indentation_string(indent, level); >>> CID 1500219: Insecure data handling (TAINTED_SCALAR) >>> Using tainted variable "num_current_entries" as a loop boundary. 315 for (size_t i = 0; i < num_current_entries; i++) { 316 uint32_t type = current_entries[i].type; 317 uint64_t mode = current_entries[i].address_mode; 318 uint64_t addr = current_entries[i].addr; 319 320 if (type == AMD_PSP_FUSE_CHAIN) ** CID 1500218: Resource leaks (RESOURCE_LEAK) /util/amdfwtool/amdfwread.c: 257 in amdfw_bios_dir_walk() ________________________________________________________________________________________________________ *** CID 1500218: Resource leaks (RESOURCE_LEAK) /util/amdfwtool/amdfwread.c: 257 in amdfw_bios_dir_walk() 251 bios_directory_hdr header; 252 uint32_t l2_dir_offset = 0; 253 char indent[MAX_INDENTATION_LEN] = {0}; 254 255 if (read_bios_directory(fw, bios_offset, cookie, &header, 256 &current_entries, &num_current_entries) != 0) >>> CID 1500218: Resource leaks (RESOURCE_LEAK) >>> Variable "current_entries" going out of scope leaks the storage it points to. 257 return 1; 258 259 do_indentation_string(indent, level); 260 for (size_t i = 0; i < num_current_entries; i++) { 261 uint32_t type = current_entries[i].type; 262 uint64_t mode = current_entries[i].address_mode; ________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P…

1 0

MrChromebox coreboot 4.18-based community release is out
by Matt DeVillier 25 Oct '22

25 Oct '22

Greetings all! I've just now posted my MrChromebox-4.18 release, which currently supports over 100 unique devices spanning a dozen platforms. A full list of supported devices can be found at https://mrchromebox.tech/#devices. Beside updating the base coreboot code, this release as usual is full of fixes and improvements: * Added support for coolstar's upcoming Windows audio drivers for Skylake, Kabylake, Apollolake, and Geminilake platform devices * Fixed extraneous microphone channels picking up noise when recording (multi) * updated Tianocore/edk2 using branch upp_202210 * Improved boot-time USB detection in Tianocore * Fixed CR50 TPM init on devices with an I2C CR50 TPM * Fixed Windows BSOD/ACPI BIOS ERROR on a handful of devices * Updated CPU microcode for all devices to latest available Beta images are available upon request for newer boards using Tigerlake, Jasperlake, or Alderlake SoCs and AMD Zen+/Picasso (just don't ask me how well they run Windows -- that's coolstar's domain). As usual, the full list of changes can be found on my github repos: https://github.com/MrChromebox/coreboot/commits/2022.10.24 https://github.com/MrChromebox/edk2/commits/upp_202210 https://github.com/MrChromebox/chrome-ec/branches/all cheers, Matt

1 0

Join coreboot Security team
by Ivan Kuzneczov 24 Oct '22

24 Oct '22

Hi all, After reading https://mail.coreboot.org/hyperkitty/list/coreboot@coreboot.org/thread/7N4A… , as a software security researcher, I am interested in the planning coreboot Security team. How can I join it? Thanks. Ivan Kuzneczov

2 1

[coreboot - Bug #412] (New) x230 reboots on suspend
by Carson Alberding 21 Oct '22

21 Oct '22

Issue #412 has been reported by Carson Alberding. ---------------------------------------- Bug #412: x230 reboots on suspend https://ticket.coreboot.org/issues/412 * Author: Carson Alberding * Status: New * Priority: Normal * Target version: none * Start date: 2022-09-02 * Affected versions: master * Related links: https://ticket.coreboot.org/issues/393 * Affected hardware: x230 * Affected OS: windows/arch linux ---------------------------------------- Very similar to issue 393 where the x230 reboots when suspended to RAM. Seems to be an issue with coreboot v4.16 & 4.17 or something is missing in the config (attached). Any insight on this would be appreciated! ---Files-------------------------------- coreboot_config.txt (18.8 KB) -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: https://ticket.coreboot.org/my/account

5 11

[coreboot - Bug #429] (New) I2C CR50 TPM fails to initialize
by Matt DeVillier 21 Oct '22

21 Oct '22

Issue #429 has been reported by Matt DeVillier. ---------------------------------------- Bug #429: I2C CR50 TPM fails to initialize https://ticket.coreboot.org/issues/429 * Author: Matt DeVillier * Status: New * Priority: High * Target version: none * Start date: 2022-10-17 * Affected versions: 4.15, 4.16, 4.17, master ---------------------------------------- On several (but not all) Chromebook platforms which use an I2C interface for the CR50 TPM, the TPM fails to initialize due to I2C transaction errors. The following boards with I2C CR50 TPM are known to be affected: google/brya (banshee variant confirmed, others untested) google/drallion google/poppy (soraka and nautilus variants) google/reef (all variants) The following boards with I2C CR50 TPM are known to be working: google/eve google/guybrush google/kahlee google/zork cbmem shows the following, with the i2c transactions repeating 100x until failing. This causes a significant increase in boot time. [INFO ] Probing TPM I2C: i2c 2:50 W 1 bytes : 06 [ERROR] I2C TX abort detected (00000001) [ERROR] cr50_i2c_read: Address write failed [INFO ] .i2c 2:50 W 1 bytes : 06 [ERROR] I2C TX abort detected (00000001) [ERROR] cr50_i2c_read: Address write failed ... soraka/nautilus show slightly different output: [INFO ] Probing TPM I2C: Cr50 TPM IRQ timeout! [INFO ] .Cr50 TPM IRQ timeout! [INFO ] .Cr50 TPM IRQ timeout! [INFO ] .Cr50 TPM IRQ timeout! ... -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: https://ticket.coreboot.org/my/account

2 4

New Defects reported by Coverity Scan for coreboot
by scan-admin＠coverity.com 20 Oct '22

20 Oct '22

Hi, Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan. 1 new defect(s) introduced to coreboot found with Coverity Scan. 1 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 1 of 1 defect(s) ** CID 1499913: Integer handling issues (NO_EFFECT) /3rdparty/arm-trusted-firmware/drivers/arm/gic/v3/gicv3_main.c: 1109 in gicv3_raise_sgi() ________________________________________________________________________________________________________ *** CID 1499913: Integer handling issues (NO_EFFECT) /3rdparty/arm-trusted-firmware/drivers/arm/gic/v3/gicv3_main.c: 1109 in gicv3_raise_sgi() 1103 u_register_t target) 1104 { 1105 unsigned int tgt, aff3, aff2, aff1, aff0; 1106 uint64_t sgi_val; 1107 1108 /* Verify interrupt number is in the SGI range */ >>> CID 1499913: Integer handling issues (NO_EFFECT) >>> This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "sgi_num >= 0U". 1109 assert((sgi_num >= MIN_SGI_ID) && (sgi_num < MIN_PPI_ID)); 1110 1111 /* Extract affinity fields from target */ 1112 aff0 = MPIDR_AFFLVL0_VAL(target); 1113 aff1 = MPIDR_AFFLVL1_VAL(target); 1114 aff2 = MPIDR_AFFLVL2_VAL(target); ________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P…

1 0

[coreboot - Bug #431] (New) fix src/arch/x86/smbios issues
by Martin Roth 20 Oct '22

20 Oct '22

Issue #431 has been reported by Martin Roth. ---------------------------------------- Bug #431: fix src/arch/x86/smbios issues https://ticket.coreboot.org/issues/431 * Author: Martin Roth * Status: New * Priority: Normal * Assignee: Solomon Alan-Dei * Category: coreboot common code * Target version: none * Start date: 2022-10-20 ---------------------------------------- There are currently 20 coverity issues affecting smbios code in src/arch/x86/smbios* https://scan6.scan.coverity.com/reports.htm#v55284/p10744 https://docs.google.com/spreadsheets/d/1hacitQU1zn7CU44eXP3xVdvq-OjnIF_h8LR… ---Files-------------------------------- Outstanding+Issues+in+smbios.csv (3.61 KB) -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: https://ticket.coreboot.org/my/account

1 0

[coreboot - Bug #430] (New) Fix util/cbfstool coverity issues
by Martin Roth 20 Oct '22

20 Oct '22

Issue #430 has been reported by Martin Roth. ---------------------------------------- Bug #430: Fix util/cbfstool coverity issues https://ticket.coreboot.org/issues/430 * Author: Martin Roth * Status: New * Priority: Normal * Category: userspace utilities * Target version: none * Start date: 2022-10-20 ---------------------------------------- There are currently 25 coverity issues against files in the util/cbfstool directory: https://scan6.scan.coverity.com/reports.htm#v55283/p10744 https://docs.google.com/spreadsheets/d/1hacitQU1zn7CU44eXP3xVdvq-OjnIF_h8LR… ---Files-------------------------------- Outstanding+Issues+in+cbfstool.csv (4.47 KB) -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: https://ticket.coreboot.org/my/account

1 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

coreboot October 2022