Maximilian Brune | 1d7a9de | 2022-04-14 14:54:16 +0200 | [diff] [blame] | 1 | ## SPDX-License-Identifier: GPL-2.0-only |
| 2 | |
| 3 | obj ?= build |
| 4 | src ?= src |
| 5 | build-dir = $(obj)/sbom |
| 6 | src-dir = $(src)/sbom |
| 7 | |
| 8 | CONFIG_ME_BIN_PATH := $(call strip_quotes, $(CONFIG_ME_BIN_PATH)) |
| 9 | CONFIG_FSP_S_FILE := $(call strip_quotes, $(CONFIG_FSP_S_FILE)) |
| 10 | CONFIG_FSP_M_FILE := $(call strip_quotes, $(CONFIG_FSP_M_FILE)) |
| 11 | CONFIG_FSP_T_FILE := $(call strip_quotes, $(CONFIG_FSP_T_FILE)) |
| 12 | CONFIG_PAYLOAD_FILE := $(call strip_quotes, $(CONFIG_PAYLOAD_FILE)) |
| 13 | CONFIG_EC_PATH := $(call strip_quotes, $(CONFIG_EC_PATH)) |
| 14 | CONFIG_BIOS_ACM_PATH := $(call strip_quotes, $(CONFIG_BIOS_ACM_PATH)) |
| 15 | CONFIG_SINIT_ACM_PATH := $(call strip_quotes, $(CONFIG_SINIT_ACM_PATH)) |
| 16 | |
| 17 | ifeq ($(CONFIG_SBOM_PAYLOAD_GENERATE), y) |
| 18 | payload-git-dir-$(CONFIG_PAYLOAD_BOOTBOOT) = payloads/external/BOOTBOOT/bootboot |
| 19 | payload-git-dir-$(CONFIG_PAYLOAD_DEPTHCHARGE) = payloads/external/depthcharge/depthcharge |
| 20 | payload-git-dir-$(CONFIG_PAYLOAD_FILO) = payloads/external/FILO/filo |
| 21 | payload-git-dir-$(CONFIG_PAYLOAD_GRUB2) = payloads/external/GRUB2/grub2 |
| 22 | payload-git-dir-$(CONFIG_PAYLOAD_LINUXBOOT) = payloads/external/LinuxBoot/linuxboot |
| 23 | payload-git-dir-$(CONFIG_PAYLOAD_SEABIOS) = payloads/external/SeaBIOS/seabios |
| 24 | payload-git-dir-$(CONFIG_PAYLOAD_SKIBOOT) = payloads/external/skiboot/skiboot |
| 25 | #payload-git-dir-$(CONFIG_PAYLOAD_TIANOCORE) = payloads/external/tianocore/ |
| 26 | payload-git-dir-$(CONFIG_PAYLOAD_UBOOT) = payloads/external/U-Boot/u-boot |
| 27 | payload-git-dir-$(CONFIG_PAYLOAD_IPXE) = payloads/external/iPXE/ipxe |
| 28 | ifneq ($(payload-git-dir-y),) |
| 29 | # only proceed with payload sbom data, if one of the above payloads were selected (should be guarded by Kconfig as well) |
| 30 | # e.g. payload-git-dir-y=payloads/external/SeaBIOS/seabios -> payload-json-file=$(build-dir)/payload-SeaBIOS.json |
| 31 | payload-swid = $(build-dir)/payload-$(subst /,,$(dir $(patsubst payloads/external/%,%,$(payload-git-dir-y)))).json |
| 32 | payload-swid-template = $(patsubst $(build-dir)/%.json,$(src-dir)/%.json,$(payload-swid)) |
| 33 | endif |
| 34 | endif |
| 35 | |
| 36 | swid-files-$(CONFIG_SBOM_ME) += $(if $(CONFIG_SBOM_ME_GENERATE), $(build-dir)/intel-me.json, $(CONFIG_SBOM_ME_PATH)) |
| 37 | swid-files-$(CONFIG_SBOM_PAYLOAD) += $(if $(CONFIG_SBOM_PAYLOAD_GENERATE), $(payload-swid), $(CONFIG_SBOM_PAYLOAD_PATH)) |
| 38 | # TODO think about just using one CoSWID tag for all intel-microcode instead of one for each. maybe put each microcode into files entity of CoSWID tag? |
| 39 | swid-files-$(CONFIG_SBOM_MICROCODE) += $(patsubst 3rdparty/intel-microcode/intel-ucode/%, $(build-dir)/intel-microcode-%.json, $(filter 3rdparty/intel-microcode/intel-ucode/%, $(cpu_microcode_bins))) |
| 40 | swid-files-$(CONFIG_SBOM_MICROCODE) += $(patsubst ${FIRMWARE_LOCATION}/UcodePatch_%.bin, $(build-dir)/amd-microcode-%.json, $(filter ${FIRMWARE_LOCATION}/UcodePatch_%.bin, $(cpu_microcode_bins))) |
| 41 | swid-files-$(CONFIG_SBOM_FSP) += $(CONFIG_SBOM_FSP_PATH) |
| 42 | swid-files-$(CONFIG_SBOM_EC) += $(CONFIG_SBOM_EC_PATH) |
| 43 | swid-files-$(CONFIG_SBOM_BIOS_ACM) += $(CONFIG_BIOS_ACM_PATH) |
| 44 | swid-files-$(CONFIG_SBOM_SINIT_ACM) += $(CONFIG_SINIT_ACM_PATH) |
| 45 | |
| 46 | vboot-pkgconfig-files = $(obj)/external/vboot_reference-bootblock/vboot_host.pc $(obj)/external/vboot_reference-romstage/vboot_host.pc $(obj)/external/vboot_reference-ramstage/vboot_host.pc $(obj)/external/vboot_reference-postcar/vboot_host.pc |
| 47 | swid-files-$(CONFIG_SBOM_VBOOT) += $(vboot-pkgconfig-files) |
| 48 | $(vboot-pkgconfig-files): $(VBOOT_LIB_bootblock) $(VBOOT_LIB_romstage) $(VBOOT_LIB_ramstage) $(VBOOT_LIB_postcar) # src/security/vboot/Makefile.inc |
| 49 | |
| 50 | ifeq ($(CONFIG_SBOM_COMPILER),y) |
| 51 | ifeq ($(CONFIG_ANY_TOOLCHAIN),y) |
| 52 | swid-files-compiler = $(build-dir)/compiler-generic.json |
| 53 | else ifeq ($(CONFIG_COMPILER_GCC),y) |
| 54 | swid-files-compiler = $(build-dir)/compiler-gcc.json |
| 55 | else ifeq ($(CONFIG_COMPILER_LLVM_CLANG),y) |
| 56 | swid-files-compiler = $(build-dir)/compiler-clang.json |
| 57 | endif |
| 58 | compiler-toolchain = $(CC_bootblock) $(CC_romstage) $(CC_ramstage) $(CC_postcar) $(CC_verstage) $(LD_bootblock) $(LD_romstage) $(LD_ramstage) $(LD_postcar) $(LD_verstage) $(AS_bootblock) $(AS_romstage) $(AS_ramstage) $(AS_postcar) $(AS_verstage) |
| 59 | endif |
| 60 | |
| 61 | coreboot-licenses = $(foreach license, $(patsubst %.txt, %, $(filter-out retained-copyrights.txt, $(patsubst LICENSES/%, %, $(wildcard LICENSES/*)))), https://spdx.org/licenses/$(license).html) |
| 62 | |
| 63 | # only include CBFS SBOM section if there is any data for it |
| 64 | ifeq ($(CONFIG_SBOM),y) |
| 65 | cbfs-files-y += sbom |
| 66 | sbom-file = $(build-dir)/sbom.uswid |
| 67 | sbom-type = raw |
| 68 | endif |
| 69 | |
| 70 | ## Build final SBOM (Software Bill of Materials) file in uswid format |
| 71 | |
| 72 | $(build-dir)/sbom.uswid: $(build-dir)/coreboot.json $(swid-files-y) $(swid-files-compiler) | $(build-dir)/goswid $(build-dir) |
| 73 | echo " SBOM " $^ |
| 74 | $(build-dir)/goswid convert -o $@ \ |
| 75 | --parent $(build-dir)/coreboot.json \ |
| 76 | $(if $(swid-files-y), --requires $$(echo $(swid-files-y) | tr ' ' ','),) \ |
| 77 | $(if $(swid-files-compiler), --compiler $(swid-files-compiler),) |
| 78 | |
| 79 | # all build files depend on the $(build-dir) directory being created |
| 80 | $(build-dir): |
| 81 | mkdir -p $(build-dir) |
| 82 | |
| 83 | $(build-dir)/goswid: | $(build-dir) |
| 84 | echo " SBOM building goswid tool" |
| 85 | cd util/goswid; \ |
| 86 | GO111MODULE=on go build -o $(abspath $@) ./cmd/goswid |
| 87 | |
| 88 | ## Generate all .json files |
| 89 | |
| 90 | $(build-dir)/compiler-%.json: $(src-dir)/compiler-%.json | $(build-dir)/goswid |
| 91 | cp $< $@ |
| 92 | for tool in $$(echo $(compiler-toolchain) | tr ' ' '\n' | sort | uniq); do \ |
| 93 | version=$$($$tool --version 2>&1 | head -n 1 | grep -Eo '([0-9]+\.[0-9]+\.*[0-9]*)'); \ |
| 94 | $(build-dir)/goswid add-payload-file -o $@ -i $@ --name $$(basename $$tool) --version $$version; \ |
| 95 | done |
| 96 | |
| 97 | $(build-dir)/coreboot.json: $(src-dir)/coreboot.json .git/HEAD | $(build-dir)/goswid |
| 98 | cp $< $@ |
| 99 | git_tree_hash=$$(git log -n 1 --format=%T);\ |
| 100 | git_comm_hash=$$(git log -n 1 --format=%H);\ |
| 101 | sed -i -e "s/<colloquial_version>/$$git_tree_hash/" -e "s/<software_version>/$$git_comm_hash/" $@;\ |
| 102 | $(build-dir)/goswid add-license -o $@ -i $@ $(coreboot-licenses) |
| 103 | |
| 104 | $(build-dir)/intel-me.json: $(src-dir)/intel-me.json $(CONFIG_ME_BIN_PATH) | $(build-dir) |
| 105 | cp $< $@ |
| 106 | #TODO put more Intel Management Engine metadata in sbom file |
| 107 | |
| 108 | |
| 109 | $(build-dir)/generic-fsp.json: $(src-dir)/generic-fsp.json $(CONFIG_FSP_S_FILE) $(CONFIG_FSP_T_FILE) $(CONFIG_FSP_M_FILE) | $(build-dir)/goswid |
| 110 | cp $(src-dir)/generic-fsp.json $@ |
| 111 | ifneq ($(CONFIG_FSP_S_FILE),) |
| 112 | echo " SBOM Adding FSP-S" |
| 113 | $(build-dir)/goswid add-payload-file -o $@ -i $@ --name "FSP-S" |
| 114 | endif |
| 115 | ifneq ($(CONFIG_FSP_T_FILE),) |
| 116 | echo " SBOM Adding FSP-T" |
| 117 | $(build-dir)/goswid add-payload-file -o $@ -i $@ --name "FSP-T" |
| 118 | endif |
| 119 | ifneq ($(CONFIG_FSP_M_FILE),) |
| 120 | echo " SBOM Adding FSP-M" |
| 121 | $(build-dir)/goswid add-payload-file -o $@ -i $@ --name "FSP-M" |
| 122 | endif |
| 123 | |
| 124 | $(build-dir)/intel-microcode-%.json: $(src-dir)/intel-microcode.json 3rdparty/intel-microcode/intel-ucode/% | $(build-dir) $(build-dir)/goswid |
| 125 | cp $< $@ |
| 126 | year=$$(hexdump --skip 8 --length 2 --format '"%04x"' $(word 2,$^));\ |
| 127 | day=$$(hexdump --skip 10 --length 1 --format '"%02x"' $(word 2,$^));\ |
| 128 | month=$$(hexdump --skip 11 --length 1 --format '"%02x"' $(word 2,$^));\ |
| 129 | sed -i "s/<software_version>/$$year-$$month-$$day/" $@ |
| 130 | #TODO add cpuid (processor family, model, stepping) as extra attribute |
| 131 | |
| 132 | $(build-dir)/amd-microcode-%.json: $(src-dir)/amd-microcode.json ${FIRMWARE_LOCATION}/UcodePatch_%.bin | $(build-dir) $(build-dir)/goswid |
| 133 | cp $< $@ |
| 134 | year=$$(hexdump --skip 0 --length 2 --format '"%04x"' $(word 2,$^));\ |
| 135 | day=$$(hexdump --skip 2 --length 1 --format '"%02x"' $(word 2,$^));\ |
| 136 | month=$$(hexdump --skip 3 --length 1 --format '"%02x"' $(word 2,$^));\ |
| 137 | sed -i "s/<software_version>/$$year-$$month-$$day/" $@ |
| 138 | |
| 139 | $(payload-swid): $(payload-swid-template) $(CONFIG_PAYLOAD_FILE) | $(build-dir) |
| 140 | cp $< $@;\ |
| 141 | git_tree_hash=$$(git --git-dir $(payload-git-dir-y)/.git log -n 1 --format=%T);\ |
| 142 | git_comm_hash=$$(git --git-dir $(payload-git-dir-y)/.git log -n 1 --format=%H);\ |
| 143 | sed -i -e "s/<colloquial_version>/$$git_tree_hash/" -e "s/<software_version>/$$git_comm_hash/" $@; |