Hi all, I found the typical fmap for a coreboot build using vboot (e.g. those for chromeos) is quite complex, at least with two RW sections containing CBFS, but I only want to use vboot to perform TPM measurement (like what head does with a patched coreboot), so
the simple scheme with a single CBFS containing all stages and payloads is preferred.
My question is: if vboot is only used to perform TPM measurement, at least which sections must be added to the fmap, in addition to default ones (RW_MRC_CACHE and CBFS), allowing vboot to work?
Hello Persmule,
On 07.08.2019 06:23, Persmule wrote:
> Hi all, I found the typical fmap for a coreboot build using vboot (e.g. those for chromeos) is quite complex, at least with two RW sections containing CBFS, but I only want to use vboot to perform TPM measurement (like what head does with a patched coreboot), so
> the simple scheme with a single CBFS containing all stages and payloads is preferred.
Here is an example: https://github.com/coreboot/coreboot/blob/master/src/mainboard/lenovo/x220/v...
> My question is: if vboot is only used to perform TPM measurement, at least which sections must be added to the fmap, in addition to default ones (RW_MRC_CACHE and CBFS), allowing vboot to work?
Vboot is responsible for firmware verification (checks firmware signature blocks). The TPM measurements are only an extension to Vboot logic adopted in coreboot. In order to have verified boot, at least one RW partition must exist. For measured boot, only a single CBFS is fine. To support verified and measured boot, one RW partition is sufficient. The example linked above has the minimal fmap layout for verified and measured boot for Lenovo x220. SMMSTORE is optional as well as RW_VPD and RO_VPD (depends on use case). SI_GBE region is mandatory for vPRO platforms to support Gigabit Ethernet, SI_ME and SI_DESC are Intel ME and Flash descriptor regions, also mandatory.
coreboot mailing list -- coreboot@coreboot.org To unsubscribe send an email to coreboot-leave@coreboot.org
Best regards,
Hi Michal,
On Wednesday, August 7, 2019 10:06 AM, Michal Zygowski michal.zygowski@3mdeb.com wrote:
> Here is an example: https://github.com/coreboot/coreboot/blob/master/src/mainboard/lenovo/x220/v...
> Vboot is responsible for firmware verification (checks firmware signature blocks). The TPM measurements are only an extension to Vboot logic adopted in coreboot. In order to have verified boot, at least one RW partition must exist.
Is it possible to omit RW sections completely, letting vboot always boot into "system recovery" (in the RO section) which is actually used for normal boot? (I believe that stages and payloads in the RO section will be measured too when booting into "system recovery". Please correct me if I am wrong.)
> For measured boot, only a single CBFS is fine. To support verified and measured boot, one RW partition is sufficient. The example linked above has the minimal fmap layout for verified and measured boot for Lenovo x220. SMMSTORE is optional as well as RW_VPD and RO_VPD (depends on use case). SI_GBE region is mandatory for vPRO platforms to support Gigabit Ethernet, SI_ME and SI_DESC are Intel ME and Flash descriptor regions, also mandatory.
Besides, at least how many bytes should be retained for the GBB section?
On 08.08.2019 08:28, Persmule wrote:
> Hi Michal,
> On Wednesday, August 7, 2019 10:06 AM, Michal Zygowski michal.zygowski@3mdeb.com wrote:
>> Here is an example: https://github.com/coreboot/coreboot/blob/master/src/mainboard/lenovo/x220/v...
>> Vboot is responsible for firmware verification (checks firmware signature blocks). The TPM measurements are only an extension to Vboot logic adopted in coreboot. In order to have verified boot, at least one RW partition must exist.
> Is it possible to omit RW sections completely, letting vboot always boot into "system recovery" (in the RO section) which is actually used for normal boot? (I believe that stages and payloads in the RO section will be measured too when booting into "system recovery". Please correct me if I am wrong.)
Yes, if you are interested entirely in measured boot mode only, the RO section is sufficient.
>> For measured boot, only a single CBFS is fine. To support verified and measured boot, one RW partition is sufficient. The example linked above has the minimal fmap layout for verified and measured boot for Lenovo x220. SMMSTORE is optional as well as RW_VPD and RO_VPD (depends on use case). SI_GBE region is mandatory for vPRO platforms to support Gigabit Ethernet, SI_ME and SI_DESC are Intel ME and Flash descriptor regions, also mandatory.
> Besides, at least how many bytes should be retained for the GBB section?
The GBB is much greater since ChromeOS recovery bitmaps reside there. For non-ChromeOS devices (like many Lenovo laptops implemented in coreboot) I saw min 120KiB (0x1e000). Should be sufficient. Example fmap description of flash with RO section: https://github.com/coreboot/coreboot/blob/master/src/mainboard/ocp/wedge100s... (probably you would like to adjust some offsets and sizes)
Thanks Micha,
The exemplar fmd you linked is very close to the simplest scheme I imagine.
I may be going to work on the build system, in order to generate such an fmd automatically in the future, since there is a Kconfig variable CBFS_SIZE which actually stands for the size of the SI_BIOS section, and the sizes of the SI_DESC, SI_GBE and SI_ME sections can be inspected from the IFD file via ifdtool.
On Thursday, August 8, 2019 8:12 AM, Michal Zygowski michal.zygowski@3mdeb.com wrote:
> Yes, if you are interested entirely in measured boot mode only, the RO section is sufficient.
> The GBB is much greater since ChromeOS recovery bitmaps reside there. For non-ChromeOS devices (like many Lenovo laptops implemented in coreboot) I saw min 120KiB (0x1e000). Should be sufficient. Example fmap description of flash with RO section: https://github.com/coreboot/coreboot/blob/master/src/mainboard/ocp/wedge100s... (probably you would like to adjust some offsets and sizes)
Best regards,
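The RO-only layout Michal describes above (one CBFS, a 120 KiB GBB, the IFD regions kept mandatory) and the automatic fmd generation proposed in the preceding message, put together as an added Python example. This is not code from the thread or from coreboot's build system; the section names follow the fmds linked above, the top-level line uses a hex size, and every size in it is a constructed sample value standing in for what ifdtool and CONFIG_CBFS_SIZE would supply. The check() pass is the part a practitioner wants: it refuses a layout whose CBFS_SIZE would collide with the descriptor/ME regions before anything is flashed.

```python
"""Generate and sanity-check a minimal coreboot-style fmap description (.fmd)
for a measured-boot-only vboot image: the Intel IFD regions followed by one
SI_BIOS region holding RW_MRC_CACHE and a write-protected RO section (FMAP,
GBB and a single COREBOOT CBFS).  Added example, not coreboot's own tooling.
Section names follow the fmds linked in the thread; all sizes are constructed
sample values (real builds would take IFD sizes from ifdtool and the SI_BIOS
size from CONFIG_CBFS_SIZE)."""

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Section:
    name: str
    offset: int                      # relative to the enclosing section
    size: int
    attr: str = ""                   # e.g. "(CBFS)" marks a CBFS-bearing region
    children: List["Section"] = field(default_factory=list)

    def end(self) -> int:
        return self.offset + self.size

    def render(self, depth: int = 0) -> str:
        """Emit the section in fmd syntax: NAME(ATTR)@OFFSET SIZE { ... }."""
        pad = "\t" * depth
        head = f"{pad}{self.name}{self.attr}@{self.offset:#x} {self.size:#x}"
        if not self.children:
            return head
        body = "\n".join(c.render(depth + 1) for c in self.children)
        return f"{head} {{\n{body}\n{pad}}}"


def find(sec: Section, name: str) -> Optional[Section]:
    """Depth-first lookup of a section by name."""
    if sec.name == name:
        return sec
    for c in sec.children:
        hit = find(c, name)
        if hit:
            return hit
    return None


def check(sec: Section) -> None:
    """Reject layouts where children spill past their parent or overlap."""
    prev_end = 0
    for c in sorted(sec.children, key=lambda s: s.offset):
        if c.offset < prev_end:
            raise ValueError(f"{c.name} overlaps the section before it in {sec.name}")
        if c.end() > sec.size:
            raise ValueError(f"{c.name} runs past the end of {sec.name}")
        prev_end = c.end()
        check(c)


def build_layout(flash_size: int, si_desc: int, si_me: int, cbfs_size: int,
                 si_gbe: int = 0, gbb_size: int = 0x1e000,
                 mrc_cache: int = 0x10000, fmap_size: int = 0x800) -> Section:
    """Lay the IFD regions out back to back, then SI_BIOS (= CBFS_SIZE) at the
    top of flash.  gbb_size defaults to the 120 KiB minimum from the thread."""
    ifd: List[Section] = [Section("SI_DESC", 0, si_desc)]
    if si_gbe:                       # only GbE/vPro platforms carry this region
        ifd.append(Section("SI_GBE", ifd[-1].end(), si_gbe))
    ifd.append(Section("SI_ME", ifd[-1].end(), si_me))

    ro_size = cbfs_size - mrc_cache
    cbfs_off = fmap_size + gbb_size
    ro = Section("RO_SECTION", 0, ro_size, children=[
        Section("FMAP", 0, fmap_size),
        Section("GBB", fmap_size, gbb_size),
        Section("COREBOOT", cbfs_off, ro_size - cbfs_off, attr="(CBFS)"),
    ])
    bios = Section("SI_BIOS", flash_size - cbfs_size, cbfs_size, children=[
        Section("RW_MRC_CACHE", 0, mrc_cache),
        Section("WP_RO", mrc_cache, ro_size, children=[ro]),
    ])
    root = Section("FLASH", 0, flash_size, children=ifd + [bios])
    check(root)                      # raises if CBFS_SIZE collides with the IFD regions
    return root


def fmd_text(root: Section) -> str:
    """Whole-chip description; the top line carries only the flash size."""
    body = "\n".join(c.render(1) for c in root.children)
    return f"FLASH {root.size:#x} {{\n{body}\n}}\n"


if __name__ == "__main__":
    # Constructed sample: 8 MiB flash, IFD regions filling the low 2 MiB.
    layout = build_layout(0x800000, si_desc=0x1000, si_gbe=0x2000,
                          si_me=0x1fd000, cbfs_size=0x600000)
    print(fmd_text(layout))
```

Offsets are kept relative to the parent, as in coreboot's fmds, so a change to CBFS_SIZE only moves SI_BIOS and everything inside it keeps its layout; the generator puts WP_RO after RW_MRC_CACHE so the cache stays writable while the measured RO section can sit under the write-protect range.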
On 08.08.2019 11:21, Persmule wrote:
> Thanks Micha,
> The exemplar fmd you linked is very close to the simplest scheme I imagine.
> I may be going to work on the build system, in order to generate such an fmd automatically in the future, since there is a Kconfig variable CBFS_SIZE which actually stands for the size of the SI_BIOS section, and the sizes of the SI_DESC, SI_GBE and SI_ME sections can be inspected from the IFD file via ifdtool.
That would be very useful. Contributions welcome.
> On Thursday, August 8, 2019 8:12 AM, Michal Zygowski michal.zygowski@3mdeb.com wrote:
>> Yes, if you are interested entirely in measured boot mode only, the RO section is sufficient.
>> The GBB is much greater since ChromeOS recovery bitmaps reside there. For non-ChromeOS devices (like many Lenovo laptops implemented in coreboot) I saw min 120KiB (0x1e000). Should be sufficient. Example fmap description of flash with RO section: https://github.com/coreboot/coreboot/blob/master/src/mainboard/ocp/wedge100s... (probably you would like to adjust some offsets and sizes)
> Best regards,