Generate a signed UEFI capsule from the final coreboot ROM image using
EDK2 BaseTools.
When using an EDK2 payload and enabling DRIVERS_EFI_UPDATE_CAPSULES and
DRIVERS_EFI_GENERATE_CAPSULE, the build produces build/coreboot.cap once
the ROM is finalised (after all files were added to CBFS). The capsule
can also be generated explicitly with `make capsule`.
Move the capsule generation and certificate preparation into
payloads/external/edk2/Makefile, including generating the trusted root
certificate PCD include via BinToPcd.
Support capsule flows with an embedded FmpDxe driver by optionally
embedding FmpDxe.efi into generated capsules, and wiring the
embedded-driver Kconfig options through to the EDK2 payload build and
capsule generation.
Always set PersistAcrossReset on the capsule. Make InitiateReset
configurable (default off) because Linux rejects capsules with
InitiateReset when writing via /dev/efi_capsule_loader.
Use CONFIG_DRIVERS_EFI_MAIN_FW_VERSION for GenerateCapsule
--fw-version, but fall back to parsing a leading <major>.<minor> from
CONFIG_LOCALVERSION when it is left at 0. If
CONFIG_DRIVERS_EFI_MAIN_FW_LSV is 0, use the resolved firmware version.
Document capsule generation and embedded driver configuration.
Corresponding edk2 patches can be found at:
https://github.com/tianocore/edk2/pull/12053
Change-Id: I5f56b894d40ddb49f3158bb72f0143d0ebe9c34c
Signed-off-by: Sean Rhodes <sean@starlabs.systems>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/90862
Reviewed-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Add a build time warning in case the DRIVERS_EFI_VARIABLE_STORE is not
selected, but UefiPayload will have a working firmware menu and will
write non-volatile variables into flash.
Without DRIVERS_EFI_VARIABLE_STORE coreboot will be fully functional,
but the settings made in the firmware menu have no effect at all.
Change-Id: Ib8872297d5d3451834f8ccfdaaee32f23727c178
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/91230
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Matt DeVillier <matt.devillier@gmail.com>
Add CONFIG_LP_DEFCONFIG_OVERRIDE_X64 flag to select default 64-bit
config file in payloads/libpayload/configs directory.
This is used in standalone environment. The existing libpayload
deconfig file is for boards with 32-bit format and deconfig_64
file is added for 64-bit without adding specific
board.[board name] file in libpayload.
BUG=none
TEST=Build with this new flag and check that the libpayload and
depthcharge.elf are built in 64-bit format.
Signed-off-by: Cliff Huang <cliff.huang@intel.com>
Change-Id: Iac07cf9e3c11e49955c69553407be76ef4f8c060
Reviewed-on: https://review.coreboot.org/c/coreboot/+/84107
Reviewed-by: Jérémy Compostella <jeremy.compostella@intel.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Kim, Wonkyu <wonkyu.kim@intel.com>
Add support for building iPXE as an EFI target and including it in
the EDK2 payload as a boot option. This allows network booting
directly from the UEFI boot menu without requiring a separate iPXE
ROM file, as it is integrated into the payload.
As the required payload-side changes are not yet upstream, guard
the option on !EDK2_REPO_OFFICIAL.
Adjust PXE Kconfig defaults so that PXE is built from source as
ipxe.efi when EDK2_ENABLE_IPXE is selected.
TEST=build/boot iPXE from edk2 boot menu on google/fizz.
Change-Id: Ied61c7b8aa7a34261d6c6f7fd089b1affdc7d3f6
Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
Signed-off-by: Matt DeVillier <matt.devillier@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/82721
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Sean Rhodes <sean@starlabs.systems>
Reviewed-by: Walter Sonius <walterav1984@gmail.com>
This option existed to enable the MMIO eMMC DXE driver for AMD Picasso
boards with eMMC storage. The driver has been integrated into edk2 and
no longer requires guarding via a build-time option.
Remove the EDK2_PCO_MMIO_EMMC Kconfig symbol definition, associated
build logic, and the board-level select from google/zork.
TEST=build/boot AMD Picasso boards with edk2 payload.
Change-Id: I458a45ad752d88cc9252f2d8fe6b0e8ec054329d
Signed-off-by: Matt DeVillier <matt.devillier@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/89858
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-by: Alicja Michalska <ahplka19@gmail.com>
This option existed because the inclusion of the UFS driver in edk2
needed to be guarded due to some issues on non-UFS equipped devices.
Those issues have been resolved in edk2, so the UFS driver does not
need guarding anymore.
Remove the EDK2_UFS_ENABLE Kconfig symbol definition, associated build
logic, and selection from google/brya baseboard.
TEST=build/boot UFS and non-UFS ChromeOS boards with edk2 payload.
Change-Id: I3f20d503de4a642ee3fbb175c267e1f5f7328c8d
Signed-off-by: Matt DeVillier <matt.devillier@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/89857
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-by: Alicja Michalska <ahplka19@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Adds the abillity to use a custom u-boot repo and a custom branch.
Change-Id: I15df8a41d3d94ca0559abc964792035651b3d8b2
Signed-off-by: Maximilian Brune <maximilian.brune@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/89616
Reviewed-by: Marc Jones <marc@marcjonesconsulting.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
This requires version of EDK2 in use to understand those defines, but
the build isn't affected negatively if they aren't handled.
Upstream EDK2 has CAPSULE_SUPPORT for a while and modifications that
make it enable FMP capsules are already merged to be part of the next
stable release (the one after edk2-stable202508 which should be
edk2-stable202511).
The `sed` part is updated because GUID contains dashes just like option
names, so need to take leading spaces into account to avoid processing
dashes in values. This doesn't cover all possible cases, but should be
good enough.
Change-Id: I1c684cb8929842a5d3c4b06e8a9c0a748470ea41
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/83682
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Benjamin Doron <benjamin.doron00@gmail.com>
On recent AMD platforms the VRT bit in the StatusD register is
read-writeable and set every 1024msec when RTC power is good.
This leads to a timeout in RtcWaitToUpdate() waiting for the bit
to be set and the gEfiRealTimeClockArchProtocolGuid won't be installed.
The protocol is critical to boot.
Adjust the code to not clear the VRT bit, as RtcWaitToUpdate() will
return an error, as it assumes the VRT bit is read-only and hardwired
to one as on Intel ICHs. While the timeout could be increased it
would also increase boot time by up to a second.
On platforms where the VRT bit is read-only the introduced code
does the same as before.
Change-Id: I8bc432114c83fa5f5fb35a144e3a35c38ee8a3de
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/87415
Reviewed-by: Matt DeVillier <matt.devillier@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Paul Menzel <paulepanter@mailbox.org>
Add a Kconfig to support passing `LOAD_OPTION_ROMS=TRUE` as a build
parameter in order to enable edk2 support for dGPUs.
Change-Id: I05444425d1cb98b023681639389949bf3f3b8e9c
Signed-off-by: Matt DeVillier <matt.devillier@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/87407
Reviewed-by: Frans Hendriks <fhendriks@eltan.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Sean Rhodes <sean@starlabs.systems>
Reviewed-by: Alicja Michalska <ahplka19@gmail.com>
Only print the warning if Linuxboot payload is actually selected,
because we don't care otherwise.
Signed-off-by: Maximilian Brune <maximilian.brune@9elements.com>
Change-Id: I5008d685c52c1d4e0d7eba44c964c51a2a6f99c3
Reviewed-on: https://review.coreboot.org/c/coreboot/+/85957
Reviewed-by: Ana Carolina Cabral <ana.cpmelo95@gmail.com>
Reviewed-by: Matt DeVillier <matt.devillier@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Alicja Michalska <ahplka19@gmail.com>
Currently u-root doesn't build for various reasons.
1. The boot cmds have changed. Some have been removed and the default
has changed to the 'boot' cmd for loading an OS.
2. The elvish shell has been removed as default shell. The gosh is now
the default.
3. For some reason the -uroot-source parameter doesn't exist anymore? So
instead we just cd into the u-root directory and build the initramfs
there.
Build tested:
| CONFIG_LINUXBOOT_COMPILE_KERNEL | CONFIG_LINUXBOOT_BUILD_INITRAMFS |
----------------------------------------------------------------------
| n | n |
| n | y |
| y | n |
| y | y |
----------------------------------------------------------------------
Change-Id: If66238cec248deb3594de82f3adbc608516a2fc5
Signed-off-by: Maximilian Brune <maximilian.brune@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/84119
Reviewed-by: Alicja Michalska <ahplka19@gmail.com>
Reviewed-by: Frans Hendriks <fhendriks@eltan.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Currently our coreboot toolchain cannot build the Linux kernel in case
of x86_64. It spits out the following error during build:
```
make -C build/kernel-6_3 \
CROSS_COMPILE=/home/max/coreboot-amd/util/crossgcc/xgcc/bin/x86_64-elf- \
ARCH=x86_64 KBUILD_BUILD_USER=coreboot KBUILD_BUILD_HOST=reproducible \
KBUILD_BUILD_TIMESTAMP=Tue Aug 20 13:36:03 2024 KBUILD_BUILD_VERSION=0 bzImage
arch/x86/lib/clear_page_64.S: Assembler messages:
arch/x86/lib/clear_page_64.S:18: Error: number of operands mismatch for `mov'
arch/x86/lib/clear_page_64.S:27: Error: number of operands mismatch for `mov'
make[4]: *** [scripts/Makefile.build:374: arch/x86/lib/clear_page_64.o] Error 1
make[3]: *** [scripts/Makefile.build:494: arch/x86/lib] Error 2
make[3]: *** Waiting for unfinished jobs....
arch/x86/entry/entry_64.S: Assembler messages:
arch/x86/entry/entry_64.S:437: Error: unbalanced parenthesis in operand 1.
arch/x86/entry/entry_64.S:262: Info: macro invoked from here
arch/x86/entry/entry_64.S:265: Info: macro invoked from here
arch/x86/entry/entry_64.S:439: Error: unbalanced parenthesis in operand 1.
arch/x86/entry/entry_64.S:262: Info: macro invoked from here
arch/x86/entry/entry_64.S:265: Info: macro invoked from here
make[5]: *** [scripts/Makefile.build:374: arch/x86/entry/entry_64.o] Error 1
make[4]: *** [scripts/Makefile.build:494: arch/x86/entry] Error 2
make[4]: *** Waiting for unfinished jobs....
make[3]: *** [scripts/Makefile.build:494: arch/x86] Error 2
make[2]: *** [Makefile:2025: .] Error 2
make[1]: *** [targets/linux.mk:60: build/kernel-6_3/arch/x86/boot/bzImage] Error 2
make: *** [payloads/external/Makefile.mk:401: payloads/external/LinuxBoot/build/Image] Error 2
```
In order to fix it, we will default to the host toolchain in order to
build x86_64 Linux. For that we add another Kconfig that decides,
whether or not a cross toolchain is used to build Linux.
Change-Id: Icaf56d6991d79f629e9ba8c901b441d81921d594
Signed-off-by: Maximilian Brune <maximilian.brune@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/83990
Reviewed-by: Lean Sheng Tan <sheng.tan@9elements.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Frans Hendriks <fhendriks@eltan.com>
With commit 238ff1e9c7 ("payloads/ipxe: Prefix iPXE options with "IPXE"
instead "PXE""), the prefix for iPXE related Kconfig identifiers was
unified to "IPXE". So rename the identifier for the TRUST_CMD option as
well, which was introduced later.
Change-Id: I918358b859003503526ba7849494bb23f8c893fd
Signed-off-by: Felix Singer <felixsinger@posteo.net>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/83361
Reviewed-by: Nicholas Chin <nic.c3.14@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
When starting a nested instance Make communicates information on the
number of jobs and how to synchronize difference instances via MAKEFLAGS
variable. Explicitly overwriting it when invoking
payloads/external/iPXE/Makefile ends up forcing serial build of iPXE.
iPXE builds hundreds of files and its dependency generation is done
separately from compilation making the whole process take couple minutes
on a single CPU (which becomes several seconds if large enough number of
CPUs is available).
iPXE seems to have Make-based build system that has no problems with
parallel build and not utilizing that effectively turns it into a
bottleneck when building a coreboot image in parallel.
It's unclear whether MAKEFLAGS= was even added for any particular
purpose. It doesn't prevent child instances from using variables of
parents, nor it prevents child instance from running in parallel
(because it's still passed as an environment variable that's processed
prior of variable assignments on command-line), but it does prevent
grandchild instance from running in parallel (actual iPXE's Makefile).
MFLAGS contains flags from MAKEFLAGS and isn't used implicitly by Make,
so no need to clear it either because iPXE doesn't use it.
Change-Id: Iac00e2f86d160793d3217e00ddc5012202b3196a
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/83081
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Felix Singer <service+coreboot-gerrit@felixsinger.de>
Reviewed-by: Krystian Hebel <krystian.hebel@3mdeb.com>
This adds another external payload to coreboot. The payload has been
heavily based on u-boots UEFI implementation.
The leanefi payload is basically a translator from coreboot to UEFI. It
takes the coreboot tables and transforms them into UEFI interfaces.
Although it can potentially load any efi application that can
handle the minimized interface that leanefi provides, it has only
been tested with LinuxBoot (v6.3.5) as a payload. It has been optimized
to support only those interfaces that Linux requires to start.
Among other leanefi does not support:
- efi capsule update (also efi system resource table)
- efi variables
- efi text input protocol (it can only output)
- most boot services. mostly memory services are left (e.g. alloc/free)
- all runtime services (although there is still a very small runtime
footprint that is planned to be removed in the near future)
- TCG2/TPM (although that is mostly because of laziness)
The README.md currently provides more details on why.
The payload currently only supports arm64 and has only been tested
on emulation/simulator targets. The original motivation was to get ACPI
on arm64 published to the OS without using EDK2. It is however also
possible to supply the leanefi with a FDT that is published to the OS.
At that point one would however probably use coreboot only instead of
this shim layer on top. It would be way nicer to have Linux support
something else than UEFI to propagate the ACPI tables, but it requires
to get the Linux maintainer/community on board. So for now this shim
layer ciruimvents that.
LBBR Test:
// 1. dump FDT from QEMU like mentioned in aarch64 coreboot doc
// 2. compile u-root however you like (aarch64)
// 3. compile Linux (embed u-root initramfs via Kconfig)
// 4. copy Linux kernel to payloads/leanefi/Image
// 5. copy following coreboot defconfig to configs/defconfig:
CONFIG_BOARD_EMULATION_QEMU_AARCH64=y
CONFIG_PAYLOAD_NONE=n
CONFIG_PAYLOAD_LEANEFI=y
CONFIG_LEANEFI_PAYLOAD=y
CONFIG_LEANEFI_PAYLOAD_PATH="[path-to-linux]/arch/arm64/boot/Image"
CONFIG_LEANEFI_FDT=y
CONFIG_LEANEFI_FDT_PATH="[path-to-dumped-DTB]"
// 6. compile coreboot
make defconfig
make -j$(nproc)
// 7. run qemu like mentioned in coreboot doc (no FIT)
// 8. say hello to u-root and optionally kexec into the next kernel
Signed-off-by: Maximilian Brune <maximilian.brune@9elements.com>
Change-Id: I4093378e89c3cb43fb0846666de80a7da36b03f1
Reviewed-on: https://review.coreboot.org/c/coreboot/+/78913
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Ron Minnich <rminnich@gmail.com>
Reviewed-by: Felix Singer <service+coreboot-gerrit@felixsinger.de>
Core 2 platforms have issues with HPET. Enable support to use the LAPIC
driver so those machines actually boot and don't hang.
The LAPIC is actually closer to the CPU than the HPET (on the PCH),
which reduces access latency, leading to higher resolution of the timer.
Tested on a Lenovo X200 with a Core 2 Duo.
Change-Id: I33144d6c1c120e7faa47b99e8262b0997c45c9b9
Signed-off-by: Jean Lucas <jean@4ray.co>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/82000
Reviewed-by: Matt DeVillier <matt.devillier@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-by: Nico Huber <nico.h@gmx.de>
Add a Kconfig to selectively enable the AMD Picasso eMMC driver
recently added to MrChromebox's edk2 fork. When selected, will enable
booting from AMD Picasso devices with eMMC storage.
TEST=tested with rest of patch train
Change-Id: I6536a6f243f6766b913e295afebcf5b965e4e969
Signed-off-by: Matt DeVillier <matt.devillier@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/81892
Reviewed-by: Sean Rhodes <sean@starlabs.systems>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Currently, we keep the double-quotes from Kconfig, resulting in an
invalid path. So just call `strip_quotes` like we do with all other
paths from Kconfig.
Change-Id: Ibcaa59be0fdd84d1fb9e061394fd9b0f7aa1830b
Signed-off-by: Nico Huber <nico.h@gmx.de>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/81947
Reviewed-by: Felix Singer <service+coreboot-gerrit@felixsinger.de>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Paul Menzel <paulepanter@mailbox.org>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Add a Kconfig to selectively enable the UFS DXE driver recently added
to MrChromebox's edk2 fork. When selected, will enable booting from
devices with UFS storage.
TEST=tested with rest of patch train
Change-Id: I0b54d21dc87abf6938c03948830f92ce5097ef7d
Signed-off-by: Matt DeVillier <matt.devillier@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/81870
Reviewed-by: Sean Rhodes <sean@starlabs.systems>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Move hard-coded repo and repo name to Kconfig as default value
DEPTHCHARGE_REPO default to:
https://chromium.googlesource.com/chromiumos/platform/depthcharge
DEPTHCHARGE_BRANCH default to:
origin/main
When DEPTHCHARGE_MASTER=y, DEPTHCHARGE_BRANCH can be used to point
out a particular branch.
This change enable to use mirrored internal depthcharge repo and
branch for early SOC development (before upstreaming SOC and
dephthcharge code).
TEST=Build coreboot and check the repo remote link from:
payloads/external/depthcharge/depthcharge
Signed-off-by: Cliff Huang <cliff.huang@intel.com>
Change-Id: Icca10aa770b7b7a6e010f58bcf1e4f0a3401681a
Reviewed-on: https://review.coreboot.org/c/coreboot/+/80726
Reviewed-by: Bora Guvendik <bora.guvendik@intel.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Wonkyu Kim <wonkyu.kim@intel.com>
Reviewed-by: Nico Huber <nico.h@gmx.de>
Reviewed-by: Zhixing Ma <zhixing.ma@intel.com>
The .inc suffix is confusing to various tools as it's not specific to
Makefiles. This means that editors don't recognize the files, and don't
open them with highlighting and any other specific editor functionality.
This issue is also seen in the release notes generation script where
Makefiles get renamed before running cloc.
Signed-off-by: Martin Roth <gaumless@gmail.com>
Change-Id: Ie7038712de8cc646632d5e7d29550e3260bf2c62
Reviewed-on: https://review.coreboot.org/c/coreboot/+/80103
Reviewed-by: Felix Singer <service+coreboot-gerrit@felixsinger.de>
Reviewed-by: Maximilian Brune <maximilian.brune@9elements.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
2024-01-24 10:15:10 +00:00
Renamed from payloads/external/Makefile.inc (Browse further)
