erebion/coreboot
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
coreboot/src/security/vboot/common.c
Martin Roth 8a3a3c820b security/vboot: Add option to run verstage before bootblock 
For AMD's family 17h, verstage can run as a userspace app in the PSP
before the X86 is released. The flags for this have been made generic
to support any other future systems that might run verstage before
the main processor starts.

Although an attempt has been made to make things somewhat generic,
since this is the first and currently only chip to support verstage
before bootblock, there are a number of options which might ultimately
be needed which have currently been left out for simplicity.  Examples
of this are:
- PCI is not currently supported - this is currently just a given
instead of making a separate Kconfig option for it.
- The PSP uses an ARM v7 processor, so that's the only processor that
is getting updated for the verstage-before-bootblock option.

BUG=b:158124527
TEST=Build with following patches

Signed-off-by: Martin Roth <martin@coreboot.org>
Change-Id: I4849777cb7ba9f90fe8428b82c21884d1e662b96
Reviewed-on: https://review.coreboot.org/c/coreboot/+/41814
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Raul Rangel <rrangel@chromium.org>
2020-06-15 21:04:00 +00:00

100 lines
2.6 KiB
C
Raw Blame History

/* SPDX-License-Identifier: GPL-2.0-only */
#include <assert.h>
#include <cbmem.h>
#include <console/console.h>
#include <fmap.h>
#include <vb2_api.h>
#include <security/vboot/misc.h>
#include <security/vboot/symbols.h>
#include <security/vboot/vboot_common.h>
static struct vb2_context *vboot_ctx;
static void *vboot_get_workbuf(void)
{
void *wb = NULL;
if (cbmem_possibly_online())
wb = cbmem_find(CBMEM_ID_VBOOT_WORKBUF);
if (wb == NULL && !CONFIG(VBOOT_STARTS_IN_ROMSTAGE) && preram_symbols_available())
wb = _vboot2_work;
assert(wb != NULL);
return wb;
}
struct vb2_context *vboot_get_context(void)
{
void *wb;
/* Return if context has already been initialized/restored. */
if (vboot_ctx)
return vboot_ctx;
wb = vboot_get_workbuf();
/* Restore context from a previous stage. */
if (vboot_logic_executed()) {
assert(vb2api_reinit(wb, &vboot_ctx) == VB2_SUCCESS);
return vboot_ctx;
}
assert(verification_should_run());
/* Initialize vb2_shared_data and friends. */
assert(vb2api_init(wb, VB2_FIRMWARE_WORKBUF_RECOMMENDED_SIZE,
&vboot_ctx) == VB2_SUCCESS);
return vboot_ctx;
}
int vboot_locate_firmware(struct vb2_context *ctx, struct region_device *fw)
{
const char *name;
if (vboot_is_firmware_slot_a(ctx))
name = "FW_MAIN_A";
else
name = "FW_MAIN_B";
int ret = fmap_locate_area_as_rdev(name, fw);
if (ret)
return ret;
/* Truncate area to the size that was actually signed by vboot. */
return rdev_chain(fw, fw, 0, vb2api_get_firmware_size(ctx));
}
static void vboot_setup_cbmem(int unused)
{
vb2_error_t rv;
const size_t cbmem_size = VB2_KERNEL_WORKBUF_RECOMMENDED_SIZE;
void *wb_cbmem = cbmem_add(CBMEM_ID_VBOOT_WORKBUF, cbmem_size);
assert(wb_cbmem != NULL);
/*
* On platforms where VBOOT_STARTS_BEFORE_BOOTBLOCK, the verification
* occurs before the main processor starts running. The vboot data-
* structure is available in the _vboot2_work memory area as soon
* as the main processor is released.
*
* For platforms where VBOOT_STARTS_IN_BOOTBLOCK, vboot verification
* occurs before CBMEM is brought online, using pre-RAM. In order to
* make vboot data structures available downstream, copy vboot workbuf
* from SRAM/CAR into CBMEM.
*
* For platforms where VBOOT_STARTS_IN_ROMSTAGE, verification occurs
* after CBMEM is brought online. Directly initialize vboot data
* structures in CBMEM, which will also be available downstream.
*/
if (!CONFIG(VBOOT_STARTS_IN_ROMSTAGE))
rv = vb2api_relocate(wb_cbmem, _vboot2_work, cbmem_size,
&vboot_ctx);
else
rv = vb2api_init(wb_cbmem, cbmem_size, &vboot_ctx);
assert(rv == VB2_SUCCESS);
}
ROMSTAGE_CBMEM_INIT_HOOK(vboot_setup_cbmem)
Reference in a new issue View git blame Copy permalink