Generate SHA256/SHA384 hash of the signed firmware so that PSP verstage
can pass it to PSP. The PSP will use these hashes to verify the
integrity of those signed firmwares.
BUG=b:203597980
TEST=Build Skyrim BIOS image.
Change-Id: I50d278536ba1eac754eb8a39c4c2e428a2371c44
Signed-off-by: Kangheui Won <khwon@chromium.org>
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/60290
Reviewed-by: Jon Murphy <jpmurphy@google.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Add support for separating signed firmwares into another CBFS. If
sig_opt flag in AMD/PSPFW file header is 1, it means that the firmware
is signed against AMD chain of trust and will be verified by PSP. If
those firmware binaries are put outside FW_MAIN_[AB], vboot can skip
redundant verification, improving overall verification time.
BUG=b:206909680
TEST=Build amdfwtool. Build Skyrim BIOS image and boot to OS.
Change-Id: I9f3610a7002b2a9c70946b083b0b3be6934200b0
Signed-off-by: Kangheui Won <khwon@chromium.org>
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/59866
Reviewed-by: Jon Murphy <jpmurphy@google.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Checkpatch script recommends to use __packed instead of
__attribute__((packed)). Currently the build rule for amdfwtool does not
include the required header file with __packed definition. Update the
compiler flag to include the required header file.
BUG=None
TEST=Build amdfwtool.
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@google.com>
Change-Id: I448cbad533608dd5c2bd4f2d827fcc5db5dee5cb
Reviewed-on: https://review.coreboot.org/c/coreboot/+/67384
Reviewed-by: Jon Murphy <jpmurphy@google.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Amdfwtool creates AMD firmware images however there is currently no way
to get information from an existing image. This commit adds amdfwread to
support that functionality. At the moment only reading PSP soft fuse
flags is supported. Example usage: `amdfwread --soft-fuse bios.bin`,
example output: `Soft-fuse:0x400000030000041`.
BUG=b:202397678
TEST=Ran amdfwread and verified that it correctly reads the soft fuse
bits, verified that built AMD FW still boots on DUT
Signed-off-by: Robert Zieba <robertzieba@google.com>
Change-Id: I15fa07c9cad8e4640e9c40e5539b0dab44424850
Reviewed-on: https://review.coreboot.org/c/coreboot/+/62795
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Rob Barnes <robbarnes@google.com>
AMDFWtool maintains 2 copies of PSP Level2 entries - one in primary slot
A (Type 0x48) and another in backup slot B (Type 0x4A). On boards which
use VBOOT with 2 RW firmware slots, maintaining 2 copies of PSP Level2
entries in each FW slot is redundant and space-consuming. Introduce
option to maintain only one copy of PSP Level2 entries and point to it
from both slots A & B.
BUG=None
TEST=Build and boot to OS in Skyrim. Ensure that only one copy is added
to each FW slot. This achieved a space saving of 1.5 MB in each FW slot.
Before:
apu/amdfw 0x415fc0 raw 3043328 none
After:
apu/amdfw 0x415fc0 raw 1556480 none
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@google.com>
Change-Id: I06eef8e14b9c14db1d02b621c2f7207188d86326
Reviewed-on: https://review.coreboot.org/c/coreboot/+/63509
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Felix Held <felix-coreboot@felixheld.de>
Image Slot Header (ISH) is a new feature.
The rom layout for A/B recovery with ISH:
EFS -> PSP L1 0x48 -> ISH A -> PSP L2 A -> BIOS L2 A
0x4A -> ISH B -> PSP L2 B -> BIOS L2 B
The newer 55758 will updated about the boot priority and update retry
in ISH header.
Change-Id: Ib0690cde1dce949514c7aacebe13096b7814ceff
Signed-off-by: Zheng Bao <fishbaozi@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/57747
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Felix Held <felix-coreboot@felixheld.de>
The rom layout for A/B recovery:
EFS -> PSP L1 0x48 -> PSP L2 A -> BIOS L2 A
0x4A -> PSP L2 B -> BIOS L2 B
The coreboot doesn't implement the AMD's A/B recovery. This is only
for the ROM layout. To save some flash space, the entire B section can
be eliminated.
To enable A/B recovery in PSP layout, add "--recovery-ab" to
amdfwtool.
TEST=Majolica(Cezanne)
Change-Id: I27f5d3476f648fcecafb8d258ccb6cfad4f50036
Signed-off-by: Zheng Bao <fishbaozi@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/56773
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Felix Held <felix-coreboot@felixheld.de>
SPL: Security Patch Level
The data in SPL is used for FW anti-rollback, preventing rollback of
platform level firmware to older version that are deemed vulnerable
from a security point of view.
BUG=b:216096562
Change-Id: I4665f2372ccd599ab835c8784da08cde5558a795
Signed-off-by: Zheng Bao <fishbaozi@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/61426
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Raul Rangel <rrangel@chromium.org>
Address Mode 0: Physical Address, bit 63~56: 0x00
Address Mode 1: Relative Address to entire BIOS image, bit 63~56: 0x40
Address Mode 2: Relative Address to PSP/BIOS directory, bit 63~56: 0x80
Address Mode 3: Relative Address to slot N, bit 63~56: 0xC0
It is the expanding mode for simple relative address mode, for which
address_mode equals 1.
Only mode 2 is added. We need to record current table base address and
calculate the offset. The ctx.current_table is zero outside the
table. When it goes into the function to integrate the table, it
should backup the old value and get current table base. Before it goes
out the function, it should restore the value.
If the table address mode is 2, the address in each entry should be
also add address mode information. If not, the address mode in entry
is meanless.
The old mode 0,1 should be back compatible.
Change-Id: I29a03f4381cd0507e2b2e3b359111e3375a73de1
Signed-off-by: Zheng Bao <fishbaozi@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/59308
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Felix Held <felix-coreboot@felixheld.de>
The element at offset 0x14 in the embedded_firmware struct is the
pointer to the combo PSP directory header, so rename it from comboable
to combo_psp_directory to clarify that this is not a flag, but a pointer
to a data structure. Also rename psp_entry to psp_directory since it
points to the PSP directory table.
Signed-off-by: Felix Held <felix-coreboot@felixheld.de>
Change-Id: Ic6149c17ae813f4dcea71c308054849a1a2e4394
Reviewed-on: https://review.coreboot.org/c/coreboot/+/58419
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Raul Rangel <rrangel@chromium.org>
Reviewed-by: Kangheui Won <khwon@chromium.org>
