Gitiles
Code Review Sign In
review.coreboot.org / coreboot / fdabf3fcd792e5939445233c74eb8bf3bb73de39
commitfdabf3fcd792e5939445233c74eb8bf3bb73de39[log] [tgz]
authorJulius Werner <jwerner@chromium.org>Wed May 06 17:06:35 2020 -0700
committerJulius Werner <jwerner@chromium.org>Thu Dec 03 00:11:08 2020 +0000
tree2e197225a159c20a533e267d728326709711e690
parent0ba16637d8f12fe9ba8388222cfa71fc5206c0f3 [diff]
cbfs: Add verification for RO CBFS metadata hash

This patch adds the first stage of the new CONFIG_CBFS_VERIFICATION
feature. It's not useful to end-users in this stage so it cannot be
selected in menuconfig (and should not be used other than for
development) yet. With this patch coreboot can verify the metadata hash
of the RO CBFS when it starts booting, but it does not verify individual
files yet. Likewise, verifying RW CBFSes with vboot is not yet
supported.

Verification is bootstrapped from a "metadata hash anchor" structure
that is embedded in the bootblock code and marked by a unique magic
number.  This anchor contains both the CBFS metadata hash and a separate
hash for the FMAP which is required to find the primary CBFS. Both are
verified on first use in the bootblock (and halt the system on failure).

The CONFIG_TOCTOU_SAFETY option is also added for illustrative purposes
to show some paths that need to be different when full protection
against TOCTOU (time-of-check vs. time-of-use) attacks is desired. For
normal verification it is sufficient to check the FMAP and the CBFS
metadata hash only once in the bootblock -- for TOCTOU verification we
do the same, but we need to be extra careful that we do not re-read the
FMAP or any CBFS metadata in later stages. This is mostly achieved by
depending on the CBFS metadata cache and FMAP cache features, but we
allow for one edge case in case the RW CBFS metadata cache overflows
(which may happen during an RW update and could otherwise no longer be
fixed because mcache size is defined by RO code). This code is added to
demonstrate design intent but won't really matter until RW CBFS
verification can be supported.

Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: I8930434de55eb938b042fdada9aa90218c0b5a34
Reviewed-on: https://review.coreboot.org/c/coreboot/+/41120
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
14 files changed
tree: 2e197225a159c20a533e267d728326709711e690
  1. 3rdparty/
  2. configs/
  3. Documentation/
  4. LICENSES/
  5. payloads/
  6. src/
  7. tests/
  8. util/
  9. .checkpatch.conf
  10. .clang-format
  11. .editorconfig
  12. .gitignore
  13. .gitmodules
  14. .gitreview
  15. AUTHORS
  16. COPYING
  17. gnat.adc
  18. MAINTAINERS
  19. Makefile
  20. Makefile.inc
  21. README.md
  22. toolchain.inc
README.md

coreboot README

coreboot is a Free Software project aimed at replacing the proprietary BIOS (firmware) found in most computers. coreboot performs a little bit of hardware initialization and then executes additional boot logic, called a payload.

With the separation of hardware initialization and later boot logic, coreboot can scale from specialized applications that run directly firmware, run operating systems in flash, load custom bootloaders, or implement firmware standards, like PC BIOS services or UEFI. This allows for systems to only include the features necessary in the target application, reducing the amount of code and flash space required.

coreboot was formerly known as LinuxBIOS.

Payloads

After the basic initialization of the hardware has been performed, any desired "payload" can be started by coreboot.

See https://www.coreboot.org/Payloads for a list of supported payloads.

Supported Hardware

coreboot supports a wide range of chipsets, devices, and mainboards.

For details please consult:

Build Requirements

  • make
  • gcc / g++ Because Linux distribution compilers tend to use lots of patches. coreboot does lots of "unusual" things in its build system, some of which break due to those patches, sometimes by gcc aborting, sometimes - and that's worse - by generating broken object code. Two options: use our toolchain (eg. make crosstools-i386) or enable the ANY_TOOLCHAIN Kconfig option if you're feeling lucky (no support in this case).
  • iasl (for targets with ACPI support)
  • pkg-config
  • libssl-dev (openssl)

Optional:

  • doxygen (for generating/viewing documentation)
  • gdb (for better debugging facilities on some targets)
  • ncurses (for make menuconfig and make nconfig)
  • flex and bison (for regenerating parsers)

Building coreboot

Please consult https://www.coreboot.org/Build_HOWTO for details.

Testing coreboot Without Modifying Your Hardware

If you want to test coreboot without any risks before you really decide to use it on your hardware, you can use the QEMU system emulator to run coreboot virtually in QEMU.

Please see https://www.coreboot.org/QEMU for details.

Website and Mailing List

Further details on the project, a FAQ, many HOWTOs, news, development guidelines and more can be found on the coreboot website:

https://www.coreboot.org

You can contact us directly on the coreboot mailing list:

https://www.coreboot.org/Mailinglist

Copyright and License

The copyright on coreboot is owned by quite a large number of individual developers and companies. Please check the individual source files for details.

coreboot is licensed under the terms of the GNU General Public License (GPL). Some files are licensed under the "GPL (version 2, or any later version)", and some files are licensed under the "GPL, version 2". For some parts, which were derived from other projects, other (GPL-compatible) licenses may apply. Please check the individual source files for details.

This makes the resulting coreboot images licensed under the GPL, version 2.