authorFrans Hendriks <fhendriks@eltan.com>2019-07-26 07:59:05 +0200
committerPhilipp Deppenwiese <zaolin.daisuki@gmail.com>2019-10-04 13:37:03 +0000
commit72b3c3c8383e4cef6e112d9fd2c990aaab1525b7 (patch)
tree3f57b7974dfcb5ce7fe23936a67c91a2b51547a9 /src/vendorcode/eltan/security/verified_boot/Kconfig
parent7c82dbcc51657806bf2117b214a490bca8eec2f8 (diff)
vendorcode/eltan/security/verified_boot: Add verified boot support
Create verified boot support, which includes verification of the bootblock. This feature uses the vendorcode/eltan/security/lib. cbfs_locator is used to init the verified boot support. vendor_secure_prepare() and vendor_secure_locate() are used to perform the required action in each stage. The next lists will be used for verification: * bootblock_verify_list * postcar_verify_list * romstage_verify_list * ramstage_verify_list BUG=N/A TEST=Created binary and verify logging on Facebook FBG-1701 Change-Id: If6c1423b0b4a309cefb7fe7a29d5100ba289e0b4 Signed-off-by: Frans Hendriks <fhendriks@eltan.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/30835 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Lance Zhao <lance.zhao@gmail.com> Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Diffstat (limited to 'src/vendorcode/eltan/security/verified_boot/Kconfig')
-rw-r--r--src/vendorcode/eltan/security/verified_boot/Kconfig63
1 files changed, 63 insertions, 0 deletions
diff --git a/src/vendorcode/eltan/security/verified_boot/Kconfig b/src/vendorcode/eltan/security/verified_boot/Kconfig
new file mode 100644
index 0000000000..3177529dc9
--- /dev/null
+++ b/src/vendorcode/eltan/security/verified_boot/Kconfig
@@ -0,0 +1,63 @@
+## This file is part of the coreboot project.
+##
+## Copyright (C) 2018-2019 Eltan B.V.
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; version 2 of the License.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+
+menu "Verified Boot (verified_boot)"
+
+config VENDORCODE_ELTAN_VBOOT
+ bool "Enable Verified Boot"
+ depends on !VBOOT
+ default n
+
+config VENDORCODE_ELTAN_VBOOT_SIGNED_MANIFEST
+ bool "Enable Signed Manifest"
+ depends on VENDORCODE_ELTAN_VBOOT
+ default n
+
+config VENDORCODE_ELTAN_VBOOT_USE_SHA512
+ bool "SHA512 hashes"
+ depends on VENDORCODE_ELTAN_VBOOT
+ default n
+ help
+ Use SHA512 for the vboot operations, this applies to the digest in
+ the manifest and the manifest digest.
+
+config VENDORCODE_ELTAN_OEM_MANIFEST_LOC
+ hex "Manifest Location"
+ default 0xFFFFF840
+
+config VENDORCODE_ELTAN_VBOOT_MANIFEST
+ string "Verified boot manifest file"
+ default "mainboard/$(MAINBOARD_DIR)/manifest.h"
+
+config VENDORCODE_ELTAN_OEM_MANIFEST_ITEMS
+ int "Manifest Items"
+ default 11 if POSTCAR_STAGE
+ default 10
+
+config VENDORCODE_ELTAN_OEM_MANIFEST_ITEM_SIZE
+ int
+ default 64 if VENDORCODE_ELTAN_VBOOT_USE_SHA512
+ default 32
+
+config VENDORCODE_ELTAN_VBOOT_KEY_LOCATION
+ hex "Verified boot Key Location"
+ depends on VENDORCODE_ELTAN_VBOOT_SIGNED_MANIFEST
+ default 0xFFFFF500
+
+config VENDORCODE_ELTAN_VBOOT_KEY_SIZE
+ int
+ default 554 if VENDORCODE_ELTAN_VBOOT_USE_SHA512
+ default 520
+
+endmenu # Verified Boot (verified_boot)
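Review bot: `VENDORCODE_ELTAN_OEM_MANIFEST_LOC`, `VENDORCODE_ELTAN_VBOOT_MANIFEST` and `VENDORCODE_ELTAN_OEM_MANIFEST_ITEMS` have a prompt but no dependency, so they appear in menuconfig even when the feature is off; each should carry `depends on VENDORCODE_ELTAN_VBOOT` like the SHA512 and signed-manifest options do. Only the SHA512 option has help text. `VENDORCODE_ELTAN_VBOOT_SIGNED_MANIFEST` in particular needs a `help` entry stating what protects the manifest when it stays at its default `n`, because without a signature the digests presumably rely on the flash region at the manifest location being write-protected. The location defaults `0xFFFFF840` and `0xFFFFF500` and the key sizes `554`/`520` should also be explained in help text or a comment, since this file does not show why the key size follows the hash selection or what must match the configured addresses. The `default n` lines on the three bool options are redundant and can be dropped.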