From 138402e7ff1cff8c33cc8b2adef15664276731a6 Mon Sep 17 00:00:00 2001
From: Sean Rhodes
Date: Wed, 6 Jul 2022 19:51:51 +0100
Subject: [PATCH] soc/intel/apollolake: Create IBB, IBBL and OBB

coreboot's method of creating IFWI is to modify an existing IFWI images by deleting the IBB, replacing the IBBL with the bootblock and everything else is put in the OBB. This poses a problem when using Intel's FIT or technologies such as Boot Guard. The main problem is that the IBB is never verified by the CSE or copied from SRAM to CAR, so the CSE cannot complete BUP and stays in recovery mode. The vast majority of the stages in Apollolake's Secure Boot flow is not met using this method (Intel document number 597827 summarizes these steps). This patch series is based on the principles of a patch from Brenton Dong (CB:17064) creates an IBBL, IBB and OBB binaries with the correct functions to complete the Secure Boot flow. This is to copy the IBB from SRAM using the CSE's Ring Buffer Protocol. These binaries can then be used by FIT or coreboot's existing method of hacking IFWI together (IFWI_STITCH) via IFWITOOL. If it is the latter and Boot Guard is enabled, the hashes for IFWI and "ibb+obb" must be recreated. Whilst this option doesn't form a complete image, the components it builds will work as Intel intended them to once stitched correctly into an IFWI image.

Signed-off-by: Sean Rhodes
Change-Id: I0deebf04f22f3017ee0c13bf1ca7f6dcc0d458b5
Reviewed-on: https://review.coreboot.org/c/coreboot/+/65680
Tested-by: build bot (Jenkins)
Reviewed-by: Matt DeVillier
---
src/soc/intel/apollolake/Makefile.mk | 26 +++++++++++++++++++
.../intel/common/firmware/Makefile.mk | 2 ++
2 files changed, 28 insertions(+)
diff --git a/src/soc/intel/apollolake/Makefile.mk b/src/soc/intel/apollolake/Makefile.mk
index 82937bc9a6..3f2aa3bc2f 100644
--- a/src/soc/intel/apollolake/Makefile.mk
+++ b/src/soc/intel/apollolake/Makefile.mk
@@ -205,4 +205,30 @@ else cpu_microcode_bins += $(wildcard 3rdparty/intel-microcode/intel-ucode/06-5c-*) endif +$(objcbfs)/ibbl.rom: $(objcbfs)/bootblock.bin + cp $(objcbfs)/bootblock.bin $@ + +$(objcbfs)/ibbm.rom: $(objcbfs)/$(call strip_quotes,$(CONFIG_IBBM_ROM_COMPONENT)) + dd if=$(objcbfs)/$(call strip_quotes,$(CONFIG_IBBM_ROM_COMPONENT)) \ + of=$@ skip=96 bs=1 count=$(call _toint,$(CONFIG_IBBM_ROM_SIZE)) + +obb-deps-$(CONFIG_VBOOT) := $(obj)/gbb.region $(obj)/fwid.region +$(objcbfs)/obb.rom: $(CBFSTOOL) $(obj)/coreboot.rom $(obb-deps-y) +ifeq ($(CONFIG_VBOOT),y) + @printf " WRITE GBB\n" + $(CBFSTOOL) $(obj)/coreboot.rom write -u -r GBB -i 0 -f $(obj)/gbb.region + $(CBFSTOOL) $(obj)/coreboot.rom write -u -r RO_FRID -i 0 -f $(obj)/fwid.region +ifeq ($(CONFIG_VBOOT_SLOTS_RW_A),y) + $(CBFSTOOL) $(obj)/coreboot.rom write -u -r RW_FWID_A -i 0 -f $(obj)/fwid.region +endif +ifeq ($(CONFIG_VBOOT_SLOTS_RW_AB),y) + $(CBFSTOOL) $(obj)/coreboot.rom write -u -r RW_FWID_B -i 0 -f $(obj)/fwid.region +endif +endif # CONFIG_VBOOT + $(CBFSTOOL) $(obj)/coreboot.rom read -r OBB -f $@ + +ifeq ($(CONFIG_IFWI_IBBM_LOAD),y) +coreboot: $(objcbfs)/ibbl.rom $(objcbfs)/ibbm.rom $(objcbfs)/obb.rom +endif + endif # if CONFIG_SOC_INTEL_APOLLOLAKE diff --git a/src/southbridge/intel/common/firmware/Makefile.mk b/src/southbridge/intel/common/firmware/Makefile.mk index 1425d5a352..a4f0e2e1a9 100644 --- a/src/southbridge/intel/common/firmware/Makefile.mk +++ b/src/southbridge/intel/common/firmware/Makefile.mk @@ -9,7 +9,9 @@ ifeq ($(CONFIG_HAVE_INTEL_FIRMWARE),y) ifeq ($(CONFIG_HAVE_IFD_BIN),y) $(call add_intermediate, add_intel_firmware) else ifeq ($(CONFIG_INTEL_DESCRIPTOR_MODE_REQUIRED),y) +ifneq ($(CONFIG_IFWI_IBBM_LOAD),y) show_notices:: warn_intel_firmware +endif # CONFIG_IFWI_IBBM_LOAD endif IFD_BIN_PATH := $(CONFIG_IFD_BIN_PATH)
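Review bot: The `dd` in the `$(objcbfs)/ibbm.rom` rule never checks that it copied the full `CONFIG_IBBM_ROM_SIZE` bytes. `dd` exits 0 on a short read, so a component smaller than 96 plus that size silently yields a truncated `ibbm.rom`, which would then be stitched and hashed as the IBB. I would add a recipe line after the `dd`, `test "$$(wc -c < $@)" -eq "$(call _toint,$(CONFIG_IBBM_ROM_SIZE))"`, so a wrong offset or size fails the build. The hard-coded `skip=96` also needs a comment above the rule saying which header it skips (presumably a fixed header in front of the stage payload, to be confirmed by the author). Separately, the `$(objcbfs)/obb.rom` recipe rewrites its own prerequisite `$(obj)/coreboot.rom` in place with `$(CBFSTOOL) ... write -u`, which is worth a comment because any other rule that reads or post-processes `coreboot.rom` is not ordered against it under `make -j`.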
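Review bot: The new `ifneq ($(CONFIG_IFWI_IBBM_LOAD),y)` guard around `show_notices:: warn_intel_firmware` silences the notice without putting anything in its place. A build with `CONFIG_IFWI_IBBM_LOAD` and no IFD therefore prints nothing to say the output is not a complete image. The commit description says the components must still be stitched into an IFWI image, and that the IFWI and "ibb+obb" hashes must be recreated when Boot Guard is enabled, so a short notice for this configuration would keep that requirement visible at build time. At minimum, add a comment above the guard, for example `# IFWI_IBBM_LOAD: IBBL/IBBM/OBB are stitched externally, so the missing-descriptor notice does not apply`. `warn_intel_firmware` is defined outside the hunk, so its exact wording is not visible here.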