From 3cae9afbf91d7b164a033968350f8f60b84301b9 Mon Sep 17 00:00:00 2001 From: Frans Hendriks Date: Fri, 5 Apr 2019 10:00:18 +0200 Subject: vendorcode/eltan: Add vendor code for measured and verified boot This patch contains the general files for the vendorcode/eltan that has been uploaded recently: - Add eltan directory to vendorcode. - Add documentation about the support in the vendorcode directories. - Add the Makefile.inc and Kconfig for the vendorcode/eltan and vendorcode/eltan/security. BUG=N/A TEST=Created verified binary and verify logging on Portwell PQ-M107 Change-Id: Ic1d5a21d40b6a31886777e8e9fe7b28c860f1a80 Signed-off-by: Frans Hendriks Reviewed-on: https://review.coreboot.org/c/coreboot/+/30218 Tested-by: build bot (Jenkins) Reviewed-by: Philipp Deppenwiese --- Documentation/vendorcode/eltan/index.md | 8 ++++++ Documentation/vendorcode/eltan/security.md | 39 ++++++++++++++++++++++++++++++ src/vendorcode/Makefile.inc | 1 + src/vendorcode/eltan/Kconfig | 17 +++++++++++++ src/vendorcode/eltan/Makefile.inc | 16 ++++++++++++ src/vendorcode/eltan/security/Kconfig | 16 ++++++++++++ src/vendorcode/eltan/security/Makefile.inc | 30 +++++++++++++++++++++++ 7 files changed, 127 insertions(+) create mode 100644 Documentation/vendorcode/eltan/index.md create mode 100644 Documentation/vendorcode/eltan/security.md create mode 100644 src/vendorcode/eltan/Kconfig create mode 100644 src/vendorcode/eltan/Makefile.inc create mode 100644 src/vendorcode/eltan/security/Kconfig create mode 100644 src/vendorcode/eltan/security/Makefile.inc
diff --git a/Documentation/vendorcode/eltan/index.md b/Documentation/vendorcode/eltan/index.md
new file mode 100644
index 0000000000..4484798a23
--- /dev/null
+++ b/Documentation/vendorcode/eltan/index.md
@@ -0,0 +1,8 @@
+# Eltan vendorcode-specific documentation
+
+This section contains documentation about coreboot on Eltan specific
+vendorcode.
+
+## Sections
+
+- [Security](security.md)
diff --git a/Documentation/vendorcode/eltan/security.md b/Documentation/vendorcode/eltan/security.md
new file mode 100644
index 0000000000..04537df23c
--- /dev/null
+++ b/Documentation/vendorcode/eltan/security.md
@@ -0,0 +1,39 @@
+# Eltan Security
+
+## Security
+This code enables measured boot and verified boot support.
+Verified boot is available in coreboot, but based on ChromeOS. This vendorcode
+uses a small encryption library and leave much more space in flash for the
+payload.
+
+## Hashing Library
+The library suppports SHA-1, SHA-256 and SHA-512. The required routines of
+`3rdparty/vboot/firmware/2lib` are used.
+
+## Measured boot
+measured boot support will use TPM2 device if available. The items specified
+in `mb_log_list[]` will be measured.
+
+## Verified boot
+verified boot support will use TPM2 device if available. The items specified
+in the next table will be verified:
+* `bootblock_verify_list[]`
+* `verify_item_t romstage_verify_list[]`
+* `ram_stage_additional_list[]`
+* `ramstage_verify_list[]`
+* `payload_verify_list[]`
+* `oprom_verify_list[]`
+
+## Enabling support
+
+* Measured boot can be enabled using **CONFIG_MBOOT**
+* Create mb_log_list table with list of item to measure
+* Create tables bootblock_verify_list[], verify_item_t romstage_verify_list[],
+ ram_stage_additional_list[], ramstage_verify_list[], payload_verify_list[],
+ oprom_verify_list[]
+* Verified boot can be enabled using **CONFIG_VERIFIED_BOOT**
+* Added Kconfig values for verbose console output
+
+## Debugging
+
+You can enable verbose console output in *menuconfig*.
diff --git a/src/vendorcode/Makefile.inc b/src/vendorcode/Makefile.inc
index 522d4150e4..8ccb0d0ee7 100644
--- a/src/vendorcode/Makefile.inc
+++ b/src/vendorcode/Makefile.inc
@@ -3,3 +3,4 @@ subdirs-y += google
 subdirs-y += intel
 subdirs-y += siemens
 subdirs-y += cavium
+subdirs-y += eltan
diff --git a/src/vendorcode/eltan/Kconfig b/src/vendorcode/eltan/Kconfig
new file mode 100644
index 0000000000..731dd2cea3
--- /dev/null
+++ b/src/vendorcode/eltan/Kconfig
@@ -0,0 +1,17 @@
+##
+## This file is part of the coreboot project.
+##
+## Copyright (C) 2014-2018 Eltan B.V.
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; version 2 of the License.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+
+source src/vendorcode/eltan/security/mboot/Kconfig
+source src/vendorcode/eltan/security/verified_boot/Kconfig
diff --git a/src/vendorcode/eltan/Makefile.inc b/src/vendorcode/eltan/Makefile.inc
new file mode 100644
index 0000000000..1f6a4065cf
--- /dev/null
+++ b/src/vendorcode/eltan/Makefile.inc
@@ -0,0 +1,16 @@
+#
+# This file is part of the coreboot project.
+#
+# Copyright (C) 2018 Eltan B.V.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+
+subdirs-y += security
diff --git a/src/vendorcode/eltan/security/Kconfig b/src/vendorcode/eltan/security/Kconfig
new file mode 100644
index 0000000000..2af58080da
--- /dev/null
+++ b/src/vendorcode/eltan/security/Kconfig
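Review bot: The two `source` lines that close src/vendorcode/eltan/Kconfig are repeated verbatim in src/vendorcode/eltan/security/Kconfig, and nothing in this patch sources the security-level file, so that file is either dead or, once a parent does include it, the mboot and verified_boot options would be pulled in twice. I would keep the leaf includes only in security/Kconfig and reduce the vendor-level file to a single `source src/vendorcode/eltan/security/Kconfig`. Both files also depend on security/mboot/Kconfig and security/verified_boot/Kconfig, which are not part of this diff; presumably they landed in an earlier change, but that ordering is worth confirming so the tree still configures at this commit. A short `##` comment above the `source` line stating that these options gate measured and verified boot would help anyone auditing which Kconfig enables the boot-time checks.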
@@ -0,0 +1,16 @@
+## This file is part of the coreboot project.
+##
+## Copyright (C) 2018 Eltan B.V.
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; version 2 of the License.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+
+source src/vendorcode/eltan/security/mboot/Kconfig
+source src/vendorcode/eltan/security/verified_boot/Kconfig
diff --git a/src/vendorcode/eltan/security/Makefile.inc b/src/vendorcode/eltan/security/Makefile.inc
new file mode 100644
index 0000000000..26b324ba58
--- /dev/null
+++ b/src/vendorcode/eltan/security/Makefile.inc
@@ -0,0 +1,30 @@
+## This file is part of the coreboot project.
+##
+## Copyright (C) 2018 Eltan B.V.
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; version 2 of the License.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+
+subdirs-y += lib
+subdirs-y += verified_boot
+subdirs-y += mboot
+
+ifeq ($(CONFIG_MBOOT), y)
+CPPFLAGS_common += -I$(src)/vendorcode/eltan/security/mboot
+CPPFLAGS_common += -I$(src)/vendorcode/eltan/security/include
+endif
+
+ifeq ($(CONFIG_VERIFIED_BOOT), y)
+CPPFLAGS_common += -I$(src)/vendorcode/eltan/security/verified_boot
+endif
+
+ifeq ($(CONFIG_TPM2),y)
+CPPFLAGS_common += -I$(src)/security/include
+endif
-- cgit v1.2.3
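Review bot: The `ifeq ($(CONFIG_TPM2),y)` block at the end of src/vendorcode/eltan/security/Makefile.inc appends to `CPPFLAGS_common` for every board that enables TPM2, not only boards using the Eltan code, because `subdirs-y += eltan` in src/vendorcode/Makefile.inc is unconditional and `CONFIG_TPM2` is not an Eltan-specific option. A global include path added from vendor code changes header lookup in all stages of unrelated builds, which is an unwelcome side effect around measured and verified boot; I would wrap that block in `ifneq ($(filter y,$(CONFIG_MBOOT) $(CONFIG_VERIFIED_BOOT)),)` … `endif` so it only applies when one of the Eltan options is selected. Separately, `-I$(src)/vendorcode/eltan/security/include` is added only under `CONFIG_MBOOT`; if the verified_boot sources use headers from that directory (not visible in this diff), a build with only `CONFIG_VERIFIED_BOOT=y` would fail or resolve a different header. Minor style: the first two conditionals are written `, y)` with a space after the comma and the third `,y)`; one form throughout reads better.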