heads/config/coreboot-qemu-tpm2.config

528 lines
14 KiB
Makefile
Raw Normal View History

2023-05-23 14:37:16 +00:00
#
# Automatically generated file; DO NOT EDIT.
# coreboot configuration
#
#
# General setup
#
CONFIG_COREBOOT_BUILD=y
CONFIG_LOCALVERSION=""
CONFIG_CBFS_PREFIX="fallback"
CONFIG_COMPILER_GCC=y
# CONFIG_COMPILER_LLVM_CLANG is not set
CONFIG_ARCH_SUPPORTS_CLANG=y
# CONFIG_ANY_TOOLCHAIN is not set
CONFIG_CCACHE=y
2023-05-23 14:37:16 +00:00
# CONFIG_IWYU is not set
# CONFIG_FMD_GENPARSER is not set
# CONFIG_UTIL_GENPARSER is not set
CONFIG_OPTION_BACKEND_NONE=y
# CONFIG_USE_OPTION_TABLE is not set
CONFIG_COMPRESS_RAMSTAGE_LZMA=y
# CONFIG_COMPRESS_RAMSTAGE_LZ4 is not set
Addition of qemu-(fb)whiptail-tpm2(-hotp) boards -coreboot support of TPM v2.0 (shared config for TPM2 support across all 4 previous variations) -swtpm set to be launched under TPM v2.0 mode under board config -Documentation file under each board.md softlinks to qemu-coreboot-fbwhiptail-tpm1.md (which has been generalized) This is skeleton for TPM v2 integration under Heads ------------- WiP TODO: - libcurl cannot be built as a tpm2-tools dependency as of now not sure why. curl currently needs to be added in board config to be built - Note: tpm-reset (master and here) needs some review, no handle of no tpm use case. Caller is responsible to not call it otherwise does nothing - init tries to bind fd and fails currently - Note: Check if whiptail is different of fbwhiptail in clearing screen. As of now every clear seems to be removed, still whiptail clears previous console output - When no OS' /boot can be mounted, do not try to TPM reset (will fail) - seal-hotpkey is not working properly - setting disk unlock key asks for TPM ownership passphrase (sealing in NV requires ownership, but text is misleading user as if reowning TPM) - We should cache input, feed tpm behind the scene and wipe passphrase and state clearly that this is TPM disk unlock kye passphrase. - primary key from TPM2 is invalid most of the time from kexec-select-boot and verifying global hashes but is setuped correctly at disk unlock key setup - would be nice to take advantage of bash function tracing to understand where we are for debugging purposes, code takes ash in consideration only - tpmr says it implements nv calls but actually doesn't. Removing those falsely wrapped functions would help. - Implementing them would be better - REVIEW TODOS IN CODE - READD CIRCLECI CONFIG Current state: - TPM unseal works without disk unlock key and generates TOTP properly (was missing die condition at unseal to not produce always good TOTP even if invalid) - TPM disk encryption key fails. Hypothesis is that sealing with USB drivers loaded and measures in inconsistent with sealed with/without. - TPM disk unsealing happens without USB modules being loaded in non-HOTP setup. This fails. - Current tests are with fbwhiptail (no clear called so having traces on command line of what happens) - Testing with HOTP implementation for sealing/unsealing since that forces USB module loads on each boot to remove this from failing possibilities
2022-08-25 18:43:31 +00:00
# CONFIG_INCLUDE_CONFIG_FILE is not set
2023-05-23 14:37:16 +00:00
CONFIG_COLLECT_TIMESTAMPS=y
# CONFIG_TIMESTAMPS_ON_CONSOLE is not set
CONFIG_USE_BLOBS=y
# CONFIG_USE_AMD_BLOBS is not set
# CONFIG_USE_QC_BLOBS is not set
# CONFIG_COVERAGE is not set
# CONFIG_UBSAN is not set
CONFIG_HAVE_ASAN_IN_RAMSTAGE=y
# CONFIG_ASAN is not set
CONFIG_NO_STAGE_CACHE=y
# CONFIG_CBMEM_STAGE_CACHE is not set
# CONFIG_UPDATE_IMAGE is not set
# CONFIG_BOOTSPLASH_IMAGE is not set
# CONFIG_FW_CONFIG is not set
#
# Software Bill Of Materials (SBOM)
#
# CONFIG_SBOM is not set
# end of Software Bill Of Materials (SBOM)
# end of General setup
#
# Mainboard
#
#
# Important: Run 'make distclean' before switching boards
#
# CONFIG_VENDOR_51NB is not set
# CONFIG_VENDOR_ACER is not set
# CONFIG_VENDOR_ADLINK is not set
# CONFIG_VENDOR_AMD is not set
# CONFIG_VENDOR_AOPEN is not set
# CONFIG_VENDOR_APPLE is not set
# CONFIG_VENDOR_ASROCK is not set
# CONFIG_VENDOR_ASUS is not set
# CONFIG_VENDOR_BIOSTAR is not set
# CONFIG_VENDOR_BOSTENTECH is not set
# CONFIG_VENDOR_CAVIUM is not set
# CONFIG_VENDOR_CLEVO is not set
# CONFIG_VENDOR_COMPULAB is not set
# CONFIG_VENDOR_DELL is not set
CONFIG_VENDOR_EMULATION=y
# CONFIG_VENDOR_EXAMPLE is not set
# CONFIG_VENDOR_FACEBOOK is not set
# CONFIG_VENDOR_FOXCONN is not set
# CONFIG_VENDOR_GETAC is not set
# CONFIG_VENDOR_GIGABYTE is not set
# CONFIG_VENDOR_GOOGLE is not set
# CONFIG_VENDOR_HP is not set
# CONFIG_VENDOR_IBASE is not set
# CONFIG_VENDOR_INTEL is not set
# CONFIG_VENDOR_KONTRON is not set
# CONFIG_VENDOR_LENOVO is not set
# CONFIG_VENDOR_LIBRETREND is not set
# CONFIG_VENDOR_MSI is not set
# CONFIG_VENDOR_OCP is not set
# CONFIG_VENDOR_OPENCELLULAR is not set
# CONFIG_VENDOR_PACKARDBELL is not set
# CONFIG_VENDOR_PCENGINES is not set
# CONFIG_VENDOR_PINE64 is not set
# CONFIG_VENDOR_PORTWELL is not set
# CONFIG_VENDOR_PRODRIVE is not set
# CONFIG_VENDOR_PROTECTLI is not set
# CONFIG_VENDOR_PURISM is not set
# CONFIG_VENDOR_RAZER is not set
# CONFIG_VENDOR_RODA is not set
# CONFIG_VENDOR_SAMSUNG is not set
# CONFIG_VENDOR_SAPPHIRE is not set
# CONFIG_VENDOR_SCALEWAY is not set
# CONFIG_VENDOR_SIEMENS is not set
# CONFIG_VENDOR_SIFIVE is not set
# CONFIG_VENDOR_STARLABS is not set
# CONFIG_VENDOR_SUPERMICRO is not set
# CONFIG_VENDOR_SYSTEM76 is not set
# CONFIG_VENDOR_TI is not set
# CONFIG_VENDOR_UP is not set
CONFIG_BOARD_SPECIFIC_OPTIONS=y
CONFIG_MAINBOARD_PART_NUMBER="QEMU x86 q35/ich9"
CONFIG_MAINBOARD_VERSION="1.0"
CONFIG_MAINBOARD_DIR="emulation/qemu-q35"
CONFIG_DIMM_MAX=4
CONFIG_DIMM_SPD_SIZE=256
CONFIG_FMDFILE=""
# CONFIG_NO_POST is not set
CONFIG_MAINBOARD_VENDOR="Emulation"
Addition of qemu-(fb)whiptail-tpm2(-hotp) boards -coreboot support of TPM v2.0 (shared config for TPM2 support across all 4 previous variations) -swtpm set to be launched under TPM v2.0 mode under board config -Documentation file under each board.md softlinks to qemu-coreboot-fbwhiptail-tpm1.md (which has been generalized) This is skeleton for TPM v2 integration under Heads ------------- WiP TODO: - libcurl cannot be built as a tpm2-tools dependency as of now not sure why. curl currently needs to be added in board config to be built - Note: tpm-reset (master and here) needs some review, no handle of no tpm use case. Caller is responsible to not call it otherwise does nothing - init tries to bind fd and fails currently - Note: Check if whiptail is different of fbwhiptail in clearing screen. As of now every clear seems to be removed, still whiptail clears previous console output - When no OS' /boot can be mounted, do not try to TPM reset (will fail) - seal-hotpkey is not working properly - setting disk unlock key asks for TPM ownership passphrase (sealing in NV requires ownership, but text is misleading user as if reowning TPM) - We should cache input, feed tpm behind the scene and wipe passphrase and state clearly that this is TPM disk unlock kye passphrase. - primary key from TPM2 is invalid most of the time from kexec-select-boot and verifying global hashes but is setuped correctly at disk unlock key setup - would be nice to take advantage of bash function tracing to understand where we are for debugging purposes, code takes ash in consideration only - tpmr says it implements nv calls but actually doesn't. Removing those falsely wrapped functions would help. - Implementing them would be better - REVIEW TODOS IN CODE - READD CIRCLECI CONFIG Current state: - TPM unseal works without disk unlock key and generates TOTP properly (was missing die condition at unseal to not produce always good TOTP even if invalid) - TPM disk encryption key fails. Hypothesis is that sealing with USB drivers loaded and measures in inconsistent with sealed with/without. - TPM disk unsealing happens without USB modules being loaded in non-HOTP setup. This fails. - Current tests are with fbwhiptail (no clear called so having traces on command line of what happens) - Testing with HOTP implementation for sealing/unsealing since that forces USB module loads on each boot to remove this from failing possibilities
2022-08-25 18:43:31 +00:00
CONFIG_CBFS_SIZE=0xfe0000
2023-05-23 14:37:16 +00:00
# CONFIG_CONSOLE_SERIAL is not set
CONFIG_MAX_CPUS=4
CONFIG_ONBOARD_VGA_IS_PRIMARY=y
Addition of qemu-(fb)whiptail-tpm2(-hotp) boards -coreboot support of TPM v2.0 (shared config for TPM2 support across all 4 previous variations) -swtpm set to be launched under TPM v2.0 mode under board config -Documentation file under each board.md softlinks to qemu-coreboot-fbwhiptail-tpm1.md (which has been generalized) This is skeleton for TPM v2 integration under Heads ------------- WiP TODO: - libcurl cannot be built as a tpm2-tools dependency as of now not sure why. curl currently needs to be added in board config to be built - Note: tpm-reset (master and here) needs some review, no handle of no tpm use case. Caller is responsible to not call it otherwise does nothing - init tries to bind fd and fails currently - Note: Check if whiptail is different of fbwhiptail in clearing screen. As of now every clear seems to be removed, still whiptail clears previous console output - When no OS' /boot can be mounted, do not try to TPM reset (will fail) - seal-hotpkey is not working properly - setting disk unlock key asks for TPM ownership passphrase (sealing in NV requires ownership, but text is misleading user as if reowning TPM) - We should cache input, feed tpm behind the scene and wipe passphrase and state clearly that this is TPM disk unlock kye passphrase. - primary key from TPM2 is invalid most of the time from kexec-select-boot and verifying global hashes but is setuped correctly at disk unlock key setup - would be nice to take advantage of bash function tracing to understand where we are for debugging purposes, code takes ash in consideration only - tpmr says it implements nv calls but actually doesn't. Removing those falsely wrapped functions would help. - Implementing them would be better - REVIEW TODOS IN CODE - READD CIRCLECI CONFIG Current state: - TPM unseal works without disk unlock key and generates TOTP properly (was missing die condition at unseal to not produce always good TOTP even if invalid) - TPM disk encryption key fails. Hypothesis is that sealing with USB drivers loaded and measures in inconsistent with sealed with/without. - TPM disk unsealing happens without USB modules being loaded in non-HOTP setup. This fails. - Current tests are with fbwhiptail (no clear called so having traces on command line of what happens) - Testing with HOTP implementation for sealing/unsealing since that forces USB module loads on each boot to remove this from failing possibilities
2022-08-25 18:43:31 +00:00
# CONFIG_POST_DEVICE is not set
2023-05-23 14:37:16 +00:00
# CONFIG_POST_IO is not set
CONFIG_DEVICETREE="devicetree.cb"
# CONFIG_VBOOT is not set
CONFIG_VBOOT_VBNV_OFFSET=0x2c
# CONFIG_CHROMEOS is not set
CONFIG_OVERRIDE_DEVICETREE=""
# CONFIG_VGA_BIOS is not set
CONFIG_MAINBOARD_SMBIOS_MANUFACTURER="Emulation"
CONFIG_PRERAM_CBMEM_CONSOLE_SIZE=0xc00
CONFIG_CMOS_DEFAULT_FILE="src/mainboard/$(MAINBOARDDIR)/cmos.default"
CONFIG_CMOS_LAYOUT_FILE="src/mainboard/$(MAINBOARDDIR)/cmos.layout"
# CONFIG_CONSOLE_POST is not set
CONFIG_TPM_PIRQ=0x0
# CONFIG_BOARD_EMULATION_QEMU_AARCH64 is not set
# CONFIG_BOARD_EMULATION_QEMU_ARMV7 is not set
# CONFIG_BOARD_EMULATION_QEMU_X86_I440FX is not set
# CONFIG_BOARD_EMULATION_QEMU_POWER8 is not set
# CONFIG_BOARD_EMULATION_QEMU_POWER9 is not set
Addition of qemu-(fb)whiptail-tpm2(-hotp) boards -coreboot support of TPM v2.0 (shared config for TPM2 support across all 4 previous variations) -swtpm set to be launched under TPM v2.0 mode under board config -Documentation file under each board.md softlinks to qemu-coreboot-fbwhiptail-tpm1.md (which has been generalized) This is skeleton for TPM v2 integration under Heads ------------- WiP TODO: - libcurl cannot be built as a tpm2-tools dependency as of now not sure why. curl currently needs to be added in board config to be built - Note: tpm-reset (master and here) needs some review, no handle of no tpm use case. Caller is responsible to not call it otherwise does nothing - init tries to bind fd and fails currently - Note: Check if whiptail is different of fbwhiptail in clearing screen. As of now every clear seems to be removed, still whiptail clears previous console output - When no OS' /boot can be mounted, do not try to TPM reset (will fail) - seal-hotpkey is not working properly - setting disk unlock key asks for TPM ownership passphrase (sealing in NV requires ownership, but text is misleading user as if reowning TPM) - We should cache input, feed tpm behind the scene and wipe passphrase and state clearly that this is TPM disk unlock kye passphrase. - primary key from TPM2 is invalid most of the time from kexec-select-boot and verifying global hashes but is setuped correctly at disk unlock key setup - would be nice to take advantage of bash function tracing to understand where we are for debugging purposes, code takes ash in consideration only - tpmr says it implements nv calls but actually doesn't. Removing those falsely wrapped functions would help. - Implementing them would be better - REVIEW TODOS IN CODE - READD CIRCLECI CONFIG Current state: - TPM unseal works without disk unlock key and generates TOTP properly (was missing die condition at unseal to not produce always good TOTP even if invalid) - TPM disk encryption key fails. Hypothesis is that sealing with USB drivers loaded and measures in inconsistent with sealed with/without. - TPM disk unsealing happens without USB modules being loaded in non-HOTP setup. This fails. - Current tests are with fbwhiptail (no clear called so having traces on command line of what happens) - Testing with HOTP implementation for sealing/unsealing since that forces USB module loads on each boot to remove this from failing possibilities
2022-08-25 18:43:31 +00:00
CONFIG_BOARD_EMULATION_QEMU_X86_Q35=y
2023-05-23 14:37:16 +00:00
# CONFIG_BOARD_EMULATION_QEMU_RISCV_RV64 is not set
# CONFIG_BOARD_EMULATION_QEMU_RISCV_RV32 is not set
# CONFIG_BOARD_EMULATION_SPIKE_RISCV is not set
CONFIG_MEMLAYOUT_LD_FILE="src/arch/x86/memlayout.ld"
CONFIG_DCACHE_RAM_BASE=0x10000
CONFIG_DCACHE_RAM_SIZE=0x90000
CONFIG_C_ENV_BOOTBLOCK_SIZE=0x40000
CONFIG_DCACHE_BSP_STACK_SIZE=0x4000
CONFIG_ECAM_MMCONF_BASE_ADDRESS=0xb0000000
CONFIG_ECAM_MMCONF_BUS_NUMBER=256
CONFIG_MAX_ACPI_TABLE_SIZE_KB=224
CONFIG_DRIVERS_INTEL_WIFI=y
CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x20000
CONFIG_MAINBOARD_SMBIOS_PRODUCT_NAME="QEMU x86 q35/ich9"
CONFIG_PS2K_EISAID="PNP0303"
CONFIG_PS2M_EISAID="PNP0F13"
# CONFIG_PCIEXP_L1_SUB_STATE is not set
# CONFIG_PCIEXP_CLK_PM is not set
CONFIG_DRIVERS_UART_8250IO=y
CONFIG_HEAP_SIZE=0x8000
CONFIG_EC_GPE_SCI=0x50
CONFIG_TPM_MEASURED_BOOT=y
Addition of qemu-(fb)whiptail-tpm2(-hotp) boards -coreboot support of TPM v2.0 (shared config for TPM2 support across all 4 previous variations) -swtpm set to be launched under TPM v2.0 mode under board config -Documentation file under each board.md softlinks to qemu-coreboot-fbwhiptail-tpm1.md (which has been generalized) This is skeleton for TPM v2 integration under Heads ------------- WiP TODO: - libcurl cannot be built as a tpm2-tools dependency as of now not sure why. curl currently needs to be added in board config to be built - Note: tpm-reset (master and here) needs some review, no handle of no tpm use case. Caller is responsible to not call it otherwise does nothing - init tries to bind fd and fails currently - Note: Check if whiptail is different of fbwhiptail in clearing screen. As of now every clear seems to be removed, still whiptail clears previous console output - When no OS' /boot can be mounted, do not try to TPM reset (will fail) - seal-hotpkey is not working properly - setting disk unlock key asks for TPM ownership passphrase (sealing in NV requires ownership, but text is misleading user as if reowning TPM) - We should cache input, feed tpm behind the scene and wipe passphrase and state clearly that this is TPM disk unlock kye passphrase. - primary key from TPM2 is invalid most of the time from kexec-select-boot and verifying global hashes but is setuped correctly at disk unlock key setup - would be nice to take advantage of bash function tracing to understand where we are for debugging purposes, code takes ash in consideration only - tpmr says it implements nv calls but actually doesn't. Removing those falsely wrapped functions would help. - Implementing them would be better - REVIEW TODOS IN CODE - READD CIRCLECI CONFIG Current state: - TPM unseal works without disk unlock key and generates TOTP properly (was missing die condition at unseal to not produce always good TOTP even if invalid) - TPM disk encryption key fails. Hypothesis is that sealing with USB drivers loaded and measures in inconsistent with sealed with/without. - TPM disk unsealing happens without USB modules being loaded in non-HOTP setup. This fails. - Current tests are with fbwhiptail (no clear called so having traces on command line of what happens) - Testing with HOTP implementation for sealing/unsealing since that forces USB module loads on each boot to remove this from failing possibilities
2022-08-25 18:43:31 +00:00
CONFIG_LINUX_COMMAND_LINE="debug console=ttyS0,115200 console=tty"
2023-05-23 14:37:16 +00:00
CONFIG_BOARD_ROMSIZE_KB_2048=y
# CONFIG_COREBOOT_ROMSIZE_KB_256 is not set
# CONFIG_COREBOOT_ROMSIZE_KB_512 is not set
# CONFIG_COREBOOT_ROMSIZE_KB_1024 is not set
# CONFIG_COREBOOT_ROMSIZE_KB_2048 is not set
# CONFIG_COREBOOT_ROMSIZE_KB_4096 is not set
# CONFIG_COREBOOT_ROMSIZE_KB_5120 is not set
# CONFIG_COREBOOT_ROMSIZE_KB_6144 is not set
# CONFIG_COREBOOT_ROMSIZE_KB_8192 is not set
# CONFIG_COREBOOT_ROMSIZE_KB_10240 is not set
# CONFIG_COREBOOT_ROMSIZE_KB_12288 is not set
Addition of qemu-(fb)whiptail-tpm2(-hotp) boards -coreboot support of TPM v2.0 (shared config for TPM2 support across all 4 previous variations) -swtpm set to be launched under TPM v2.0 mode under board config -Documentation file under each board.md softlinks to qemu-coreboot-fbwhiptail-tpm1.md (which has been generalized) This is skeleton for TPM v2 integration under Heads ------------- WiP TODO: - libcurl cannot be built as a tpm2-tools dependency as of now not sure why. curl currently needs to be added in board config to be built - Note: tpm-reset (master and here) needs some review, no handle of no tpm use case. Caller is responsible to not call it otherwise does nothing - init tries to bind fd and fails currently - Note: Check if whiptail is different of fbwhiptail in clearing screen. As of now every clear seems to be removed, still whiptail clears previous console output - When no OS' /boot can be mounted, do not try to TPM reset (will fail) - seal-hotpkey is not working properly - setting disk unlock key asks for TPM ownership passphrase (sealing in NV requires ownership, but text is misleading user as if reowning TPM) - We should cache input, feed tpm behind the scene and wipe passphrase and state clearly that this is TPM disk unlock kye passphrase. - primary key from TPM2 is invalid most of the time from kexec-select-boot and verifying global hashes but is setuped correctly at disk unlock key setup - would be nice to take advantage of bash function tracing to understand where we are for debugging purposes, code takes ash in consideration only - tpmr says it implements nv calls but actually doesn't. Removing those falsely wrapped functions would help. - Implementing them would be better - REVIEW TODOS IN CODE - READD CIRCLECI CONFIG Current state: - TPM unseal works without disk unlock key and generates TOTP properly (was missing die condition at unseal to not produce always good TOTP even if invalid) - TPM disk encryption key fails. Hypothesis is that sealing with USB drivers loaded and measures in inconsistent with sealed with/without. - TPM disk unsealing happens without USB modules being loaded in non-HOTP setup. This fails. - Current tests are with fbwhiptail (no clear called so having traces on command line of what happens) - Testing with HOTP implementation for sealing/unsealing since that forces USB module loads on each boot to remove this from failing possibilities
2022-08-25 18:43:31 +00:00
CONFIG_COREBOOT_ROMSIZE_KB_16384=y
2023-05-23 14:37:16 +00:00
# CONFIG_COREBOOT_ROMSIZE_KB_32768 is not set
# CONFIG_COREBOOT_ROMSIZE_KB_65536 is not set
CONFIG_COREBOOT_ROMSIZE_KB=16384
CONFIG_ROM_SIZE=0x01000000
CONFIG_HAVE_POWER_STATE_AFTER_FAILURE=y
CONFIG_HAVE_POWER_STATE_PREVIOUS_AFTER_FAILURE=y
CONFIG_POWER_STATE_OFF_AFTER_FAILURE=y
# CONFIG_POWER_STATE_ON_AFTER_FAILURE is not set
# CONFIG_POWER_STATE_PREVIOUS_AFTER_FAILURE is not set
CONFIG_MAINBOARD_POWER_FAILURE_STATE=0
# end of Mainboard
#
# Chipset
#
#
# SoC
#
CONFIG_CHIPSET_DEVICETREE=""
CONFIG_CBFS_MCACHE_SIZE=0x4000
CONFIG_ROMSTAGE_ADDR=0x2000000
CONFIG_VERSTAGE_ADDR=0x2000000
CONFIG_SMM_MODULE_STACK_SIZE=0x400
CONFIG_ACPI_CPU_STRING="\\_SB.CP%02X"
CONFIG_EHCI_BAR=0xfef00000
CONFIG_STACK_SIZE=0x2000
CONFIG_VBT_DATA_SIZE_KB=8
CONFIG_INTEL_GMA_BCLV_OFFSET=0xc8254
CONFIG_INTEL_GMA_BCLV_WIDTH=16
CONFIG_INTEL_GMA_BCLM_OFFSET=0xc8256
CONFIG_INTEL_GMA_BCLM_WIDTH=16
CONFIG_BOOTBLOCK_IN_CBFS=y
Addition of qemu-(fb)whiptail-tpm2(-hotp) boards -coreboot support of TPM v2.0 (shared config for TPM2 support across all 4 previous variations) -swtpm set to be launched under TPM v2.0 mode under board config -Documentation file under each board.md softlinks to qemu-coreboot-fbwhiptail-tpm1.md (which has been generalized) This is skeleton for TPM v2 integration under Heads ------------- WiP TODO: - libcurl cannot be built as a tpm2-tools dependency as of now not sure why. curl currently needs to be added in board config to be built - Note: tpm-reset (master and here) needs some review, no handle of no tpm use case. Caller is responsible to not call it otherwise does nothing - init tries to bind fd and fails currently - Note: Check if whiptail is different of fbwhiptail in clearing screen. As of now every clear seems to be removed, still whiptail clears previous console output - When no OS' /boot can be mounted, do not try to TPM reset (will fail) - seal-hotpkey is not working properly - setting disk unlock key asks for TPM ownership passphrase (sealing in NV requires ownership, but text is misleading user as if reowning TPM) - We should cache input, feed tpm behind the scene and wipe passphrase and state clearly that this is TPM disk unlock kye passphrase. - primary key from TPM2 is invalid most of the time from kexec-select-boot and verifying global hashes but is setuped correctly at disk unlock key setup - would be nice to take advantage of bash function tracing to understand where we are for debugging purposes, code takes ash in consideration only - tpmr says it implements nv calls but actually doesn't. Removing those falsely wrapped functions would help. - Implementing them would be better - REVIEW TODOS IN CODE - READD CIRCLECI CONFIG Current state: - TPM unseal works without disk unlock key and generates TOTP properly (was missing die condition at unseal to not produce always good TOTP even if invalid) - TPM disk encryption key fails. Hypothesis is that sealing with USB drivers loaded and measures in inconsistent with sealed with/without. - TPM disk unsealing happens without USB modules being loaded in non-HOTP setup. This fails. - Current tests are with fbwhiptail (no clear called so having traces on command line of what happens) - Testing with HOTP implementation for sealing/unsealing since that forces USB module loads on each boot to remove this from failing possibilities
2022-08-25 18:43:31 +00:00
CONFIG_PCIEXP_ASPM=y
CONFIG_PCIEXP_COMMON_CLOCK=y
2023-05-23 14:37:16 +00:00
CONFIG_HPET_MIN_TICKS=0x80
CONFIG_CBFS_CACHE_ALIGN=8
CONFIG_FIXED_SMBUS_IO_BASE=0x400
#
# CPU
#
CONFIG_CPU_QEMU_X86=y
# CONFIG_CPU_QEMU_X86_NO_SMM is not set
CONFIG_CPU_QEMU_X86_ASEG_SMM=y
# CONFIG_CPU_QEMU_X86_TSEG_SMM is not set
CONFIG_PARALLEL_MP=y
CONFIG_XAPIC_ONLY=y
# CONFIG_X2APIC_ONLY is not set
# CONFIG_X2APIC_RUNTIME is not set
# CONFIG_X2APIC_LATE_WORKAROUND is not set
CONFIG_UDELAY_TSC=y
CONFIG_UNKNOWN_TSC_RATE=y
CONFIG_TSC_MONOTONIC_TIMER=y
CONFIG_LOGICAL_CPUS=y
CONFIG_HAVE_SMI_HANDLER=y
CONFIG_SMM_ASEG=y
CONFIG_AP_STACK_SIZE=0x800
CONFIG_SMP=y
#
# Northbridge
#
#
# Southbridge
#
# CONFIG_PCIEXP_HOTPLUG is not set
CONFIG_SOUTHBRIDGE_INTEL_I82801IX=y
CONFIG_SOUTHBRIDGE_INTEL_COMMON_RESET=y
CONFIG_SOUTHBRIDGE_INTEL_COMMON_RTC=y
CONFIG_SOUTHBRIDGE_INTEL_COMMON_PMCLIB=y
CONFIG_SOUTHBRIDGE_INTEL_COMMON_PMBASE=y
CONFIG_SOUTHBRIDGE_INTEL_COMMON_GPIO=y
CONFIG_SOUTHBRIDGE_INTEL_COMMON_EARLY_SMBUS=y
CONFIG_SOUTHBRIDGE_INTEL_COMMON_SMBUS=y
CONFIG_SOUTHBRIDGE_INTEL_COMMON_PIRQ_ACPI_GEN=y
CONFIG_SOUTHBRIDGE_INTEL_COMMON_RCBA_PIRQ=y
CONFIG_SOUTHBRIDGE_INTEL_COMMON_SMM=y
CONFIG_SOUTHBRIDGE_INTEL_COMMON_ACPI_MADT=y
CONFIG_SOUTHBRIDGE_INTEL_COMMON_USB_DEBUG=y
CONFIG_INTEL_DESCRIPTOR_MODE_CAPABLE=y
# CONFIG_VALIDATE_INTEL_DESCRIPTOR is not set
CONFIG_TCO_SPACE_NOT_YET_SPLIT=y
CONFIG_SOUTHBRIDGE_INTEL_COMMON_WATCHDOG=y
CONFIG_FIXED_RCBA_MMIO_BASE=0xfed1c000
CONFIG_RCBA_LENGTH=0x4000
#
# Super I/O
#
#
# Embedded Controllers
#
CONFIG_MAINBOARD_HAS_CHROMEOS=y
#
# ChromeOS
#
# end of ChromeOS
CONFIG_ARCH_X86=y
CONFIG_ARCH_BOOTBLOCK_X86_32=y
CONFIG_ARCH_VERSTAGE_X86_32=y
CONFIG_ARCH_ROMSTAGE_X86_32=y
CONFIG_ARCH_POSTCAR_X86_32=y
CONFIG_ARCH_RAMSTAGE_X86_32=y
CONFIG_ARCH_ALL_STAGES_X86_32=y
CONFIG_HAVE_EXP_X86_64_SUPPORT=y
# CONFIG_USE_EXP_X86_64_SUPPORT is not set
CONFIG_X86_TOP4G_BOOTMEDIA_MAP=y
CONFIG_NUM_IPI_STARTS=2
CONFIG_PC80_SYSTEM=y
CONFIG_HAVE_CMOS_DEFAULT=y
CONFIG_POSTCAR_STAGE=y
CONFIG_BOOTBLOCK_SIMPLE=y
# CONFIG_BOOTBLOCK_NORMAL is not set
CONFIG_COLLECT_TIMESTAMPS_TSC=y
CONFIG_HAVE_CF9_RESET=y
CONFIG_DEBUG_HW_BREAKPOINTS=y
CONFIG_DEBUG_NULL_DEREF_BREAKPOINTS=y
# end of Chipset
#
# Devices
#
CONFIG_HAVE_VGA_TEXT_FRAMEBUFFER=y
CONFIG_HAVE_LINEAR_FRAMEBUFFER=y
CONFIG_MAINBOARD_HAS_NATIVE_VGA_INIT=y
CONFIG_MAINBOARD_FORCE_NATIVE_VGA_INIT=y
CONFIG_MAINBOARD_DO_NATIVE_VGA_INIT=y
CONFIG_NO_EARLY_GFX_INIT=y
#
# Display
#
CONFIG_VGA_TEXT_FRAMEBUFFER=y
# CONFIG_GENERIC_LINEAR_FRAMEBUFFER is not set
# end of Display
CONFIG_PCI=y
CONFIG_ECAM_MMCONF_SUPPORT=y
CONFIG_PCIX_PLUGIN_SUPPORT=y
CONFIG_CARDBUS_PLUGIN_SUPPORT=y
CONFIG_AZALIA_PLUGIN_SUPPORT=y
CONFIG_PCIEXP_PLUGIN_SUPPORT=y
CONFIG_ECAM_MMCONF_LENGTH=0x10000000
CONFIG_PCI_ALLOW_BUS_MASTER=y
CONFIG_PCI_SET_BUS_MASTER_PCI_BRIDGES=y
CONFIG_PCI_ALLOW_BUS_MASTER_ANY_DEVICE=y
# CONFIG_PCIEXP_SUPPORT_RESIZABLE_BARS is not set
# CONFIG_PCIEXP_LANE_ERR_STAT_CLEAR is not set
CONFIG_FIRMWARE_CONNECTION_MANAGER=y
# CONFIG_SOFTWARE_CONNECTION_MANAGER is not set
# CONFIG_EARLY_PCI_BRIDGE is not set
CONFIG_SUBSYSTEM_VENDOR_ID=0x0000
CONFIG_SUBSYSTEM_DEVICE_ID=0x0000
# CONFIG_SOFTWARE_I2C is not set
CONFIG_I2C_TRANSFER_TIMEOUT_US=500000
# CONFIG_RESOURCE_ALLOCATION_TOP_DOWN is not set
CONFIG_USE_DDR5=y
CONFIG_USE_LPDDR4=y
CONFIG_USE_DDR4=y
CONFIG_USE_DDR3=y
CONFIG_USE_DDR2=y
# end of Devices
#
# Generic Drivers
#
CONFIG_CRB_TPM_BASE_ADDRESS=0xfed40000
CONFIG_TPM_INIT_RAMSTAGE=y
# CONFIG_TPM_PPI is not set
CONFIG_DRIVERS_UART=y
# CONFIG_DRIVERS_UART_OXPCIE is not set
CONFIG_HAVE_USBDEBUG=y
CONFIG_HAVE_USBDEBUG_OPTIONS=y
# CONFIG_USBDEBUG is not set
# CONFIG_VPD is not set
CONFIG_DRIVERS_EMULATION_QEMU_BOCHS=y
# CONFIG_DRIVERS_GENERIC_CBFS_SERIAL is not set
# CONFIG_DRIVERS_GENERIC_CBFS_UUID is not set
# CONFIG_DRIVERS_GENESYSLOGIC_GL9750 is not set
# CONFIG_DRIVERS_GENESYSLOGIC_GL9755 is not set
# CONFIG_DRIVERS_GENESYSLOGIC_GL9763E is not set
# CONFIG_DRIVERS_I2C_MAX98396 is not set
CONFIG_INTEL_GMA_OPREGION_2_0=y
# CONFIG_DRIVERS_NXP_UWB_SR1XX is not set
Addition of qemu-(fb)whiptail-tpm2(-hotp) boards -coreboot support of TPM v2.0 (shared config for TPM2 support across all 4 previous variations) -swtpm set to be launched under TPM v2.0 mode under board config -Documentation file under each board.md softlinks to qemu-coreboot-fbwhiptail-tpm1.md (which has been generalized) This is skeleton for TPM v2 integration under Heads ------------- WiP TODO: - libcurl cannot be built as a tpm2-tools dependency as of now not sure why. curl currently needs to be added in board config to be built - Note: tpm-reset (master and here) needs some review, no handle of no tpm use case. Caller is responsible to not call it otherwise does nothing - init tries to bind fd and fails currently - Note: Check if whiptail is different of fbwhiptail in clearing screen. As of now every clear seems to be removed, still whiptail clears previous console output - When no OS' /boot can be mounted, do not try to TPM reset (will fail) - seal-hotpkey is not working properly - setting disk unlock key asks for TPM ownership passphrase (sealing in NV requires ownership, but text is misleading user as if reowning TPM) - We should cache input, feed tpm behind the scene and wipe passphrase and state clearly that this is TPM disk unlock kye passphrase. - primary key from TPM2 is invalid most of the time from kexec-select-boot and verifying global hashes but is setuped correctly at disk unlock key setup - would be nice to take advantage of bash function tracing to understand where we are for debugging purposes, code takes ash in consideration only - tpmr says it implements nv calls but actually doesn't. Removing those falsely wrapped functions would help. - Implementing them would be better - REVIEW TODOS IN CODE - READD CIRCLECI CONFIG Current state: - TPM unseal works without disk unlock key and generates TOTP properly (was missing die condition at unseal to not produce always good TOTP even if invalid) - TPM disk encryption key fails. Hypothesis is that sealing with USB drivers loaded and measures in inconsistent with sealed with/without. - TPM disk unsealing happens without USB modules being loaded in non-HOTP setup. This fails. - Current tests are with fbwhiptail (no clear called so having traces on command line of what happens) - Testing with HOTP implementation for sealing/unsealing since that forces USB module loads on each boot to remove this from failing possibilities
2022-08-25 18:43:31 +00:00
CONFIG_DRIVERS_PS2_KEYBOARD=y
2023-05-23 14:37:16 +00:00
CONFIG_DRIVERS_MC146818=y
CONFIG_USE_PC_CMOS_ALTCENTURY=y
CONFIG_MEMORY_MAPPED_TPM=y
CONFIG_TPM_TIS_BASE_ADDRESS=0xfed40000
CONFIG_VGA=y
# CONFIG_DRIVERS_SIL_3114 is not set
CONFIG_DRIVERS_WIFI_GENERIC=y
# end of Generic Drivers
#
# Security
#
#
# CBFS verification
#
# CONFIG_CBFS_VERIFICATION is not set
# end of CBFS verification
#
# Verified Boot (vboot)
#
CONFIG_VBOOT_LIB=y
# end of Verified Boot (vboot)
#
# Trusted Platform Module
#
# CONFIG_NO_TPM is not set
# CONFIG_TPM1 is not set
CONFIG_TPM2=y
CONFIG_TPM=y
# CONFIG_DEBUG_TPM is not set
# CONFIG_TPM_RDRESP_NEED_DELAY is not set
CONFIG_TPM_LOG_CB=y
CONFIG_TPM_MEASURED_BOOT_RUNTIME_DATA=""
# end of Trusted Platform Module
#
# Memory initialization
#
CONFIG_PLATFORM_HAS_DRAM_CLEAR=y
# CONFIG_SECURITY_CLEAR_DRAM_ON_REGULAR_BOOT is not set
# end of Memory initialization
# CONFIG_INTEL_TXT is not set
CONFIG_BOOTMEDIA_LOCK_NONE=y
# CONFIG_BOOTMEDIA_LOCK_CONTROLLER is not set
# CONFIG_BOOTMEDIA_LOCK_CHIP is not set
# end of Security
CONFIG_ACPI_HAVE_PCAT_8259=y
CONFIG_ACPI_INTEL_HARDWARE_SLEEP_VALUES=y
CONFIG_ACPI_SOC_NVS=y
CONFIG_HAVE_ACPI_TABLES=y
CONFIG_BOOT_DEVICE_NOT_SPI_FLASH=y
CONFIG_BOOT_DEVICE_MEMORY_MAPPED=y
#
# Console
#
CONFIG_BOOTBLOCK_CONSOLE=y
CONFIG_POSTCAR_CONSOLE=y
CONFIG_SQUELCH_EARLY_SMP=y
# CONFIG_SPKMODEM is not set
# CONFIG_CONSOLE_NE2K is not set
CONFIG_CONSOLE_CBMEM=y
# CONFIG_CONSOLE_CBMEM_DUMP_TO_UART is not set
# CONFIG_CONSOLE_I2C_SMBUS is not set
CONFIG_CONSOLE_QEMU_DEBUGCON=y
CONFIG_CONSOLE_QEMU_DEBUGCON_PORT=0x402
# CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8 is not set
# CONFIG_DEFAULT_CONSOLE_LOGLEVEL_7 is not set
Addition of qemu-(fb)whiptail-tpm2(-hotp) boards -coreboot support of TPM v2.0 (shared config for TPM2 support across all 4 previous variations) -swtpm set to be launched under TPM v2.0 mode under board config -Documentation file under each board.md softlinks to qemu-coreboot-fbwhiptail-tpm1.md (which has been generalized) This is skeleton for TPM v2 integration under Heads ------------- WiP TODO: - libcurl cannot be built as a tpm2-tools dependency as of now not sure why. curl currently needs to be added in board config to be built - Note: tpm-reset (master and here) needs some review, no handle of no tpm use case. Caller is responsible to not call it otherwise does nothing - init tries to bind fd and fails currently - Note: Check if whiptail is different of fbwhiptail in clearing screen. As of now every clear seems to be removed, still whiptail clears previous console output - When no OS' /boot can be mounted, do not try to TPM reset (will fail) - seal-hotpkey is not working properly - setting disk unlock key asks for TPM ownership passphrase (sealing in NV requires ownership, but text is misleading user as if reowning TPM) - We should cache input, feed tpm behind the scene and wipe passphrase and state clearly that this is TPM disk unlock kye passphrase. - primary key from TPM2 is invalid most of the time from kexec-select-boot and verifying global hashes but is setuped correctly at disk unlock key setup - would be nice to take advantage of bash function tracing to understand where we are for debugging purposes, code takes ash in consideration only - tpmr says it implements nv calls but actually doesn't. Removing those falsely wrapped functions would help. - Implementing them would be better - REVIEW TODOS IN CODE - READD CIRCLECI CONFIG Current state: - TPM unseal works without disk unlock key and generates TOTP properly (was missing die condition at unseal to not produce always good TOTP even if invalid) - TPM disk encryption key fails. Hypothesis is that sealing with USB drivers loaded and measures in inconsistent with sealed with/without. - TPM disk unsealing happens without USB modules being loaded in non-HOTP setup. This fails. - Current tests are with fbwhiptail (no clear called so having traces on command line of what happens) - Testing with HOTP implementation for sealing/unsealing since that forces USB module loads on each boot to remove this from failing possibilities
2022-08-25 18:43:31 +00:00
CONFIG_DEFAULT_CONSOLE_LOGLEVEL_6=y
2023-05-23 14:37:16 +00:00
# CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5 is not set
# CONFIG_DEFAULT_CONSOLE_LOGLEVEL_4 is not set
# CONFIG_DEFAULT_CONSOLE_LOGLEVEL_3 is not set
# CONFIG_DEFAULT_CONSOLE_LOGLEVEL_2 is not set
# CONFIG_DEFAULT_CONSOLE_LOGLEVEL_1 is not set
# CONFIG_DEFAULT_CONSOLE_LOGLEVEL_0 is not set
CONFIG_DEFAULT_CONSOLE_LOGLEVEL=6
CONFIG_CONSOLE_USE_LOGLEVEL_PREFIX=y
CONFIG_CONSOLE_USE_ANSI_ESCAPES=y
# CONFIG_CMOS_POST is not set
CONFIG_HWBASE_DEBUG_NULL=y
# end of Console
CONFIG_HAVE_MONOTONIC_TIMER=y
CONFIG_HAVE_OPTION_TABLE=y
CONFIG_IOAPIC=y
CONFIG_USE_WATCHDOG_ON_BOOT=y
#
# System tables
#
CONFIG_GENERATE_SMBIOS_TABLES=y
CONFIG_MAINBOARD_SERIAL_NUMBER="123456789"
# end of System tables
#
# Payload
#
# CONFIG_PAYLOAD_NONE is not set
# CONFIG_PAYLOAD_ELF is not set
# CONFIG_PAYLOAD_BOOTBOOT is not set
# CONFIG_PAYLOAD_FILO is not set
# CONFIG_PAYLOAD_GRUB2 is not set
# CONFIG_PAYLOAD_SEAGRUB is not set
# CONFIG_PAYLOAD_LINUXBOOT is not set
# CONFIG_PAYLOAD_SEABIOS is not set
# CONFIG_PAYLOAD_UBOOT is not set
# CONFIG_PAYLOAD_YABITS is not set
# CONFIG_PAYLOAD_EDK2 is not set
Addition of qemu-(fb)whiptail-tpm2(-hotp) boards -coreboot support of TPM v2.0 (shared config for TPM2 support across all 4 previous variations) -swtpm set to be launched under TPM v2.0 mode under board config -Documentation file under each board.md softlinks to qemu-coreboot-fbwhiptail-tpm1.md (which has been generalized) This is skeleton for TPM v2 integration under Heads ------------- WiP TODO: - libcurl cannot be built as a tpm2-tools dependency as of now not sure why. curl currently needs to be added in board config to be built - Note: tpm-reset (master and here) needs some review, no handle of no tpm use case. Caller is responsible to not call it otherwise does nothing - init tries to bind fd and fails currently - Note: Check if whiptail is different of fbwhiptail in clearing screen. As of now every clear seems to be removed, still whiptail clears previous console output - When no OS' /boot can be mounted, do not try to TPM reset (will fail) - seal-hotpkey is not working properly - setting disk unlock key asks for TPM ownership passphrase (sealing in NV requires ownership, but text is misleading user as if reowning TPM) - We should cache input, feed tpm behind the scene and wipe passphrase and state clearly that this is TPM disk unlock kye passphrase. - primary key from TPM2 is invalid most of the time from kexec-select-boot and verifying global hashes but is setuped correctly at disk unlock key setup - would be nice to take advantage of bash function tracing to understand where we are for debugging purposes, code takes ash in consideration only - tpmr says it implements nv calls but actually doesn't. Removing those falsely wrapped functions would help. - Implementing them would be better - REVIEW TODOS IN CODE - READD CIRCLECI CONFIG Current state: - TPM unseal works without disk unlock key and generates TOTP properly (was missing die condition at unseal to not produce always good TOTP even if invalid) - TPM disk encryption key fails. Hypothesis is that sealing with USB drivers loaded and measures in inconsistent with sealed with/without. - TPM disk unsealing happens without USB modules being loaded in non-HOTP setup. This fails. - Current tests are with fbwhiptail (no clear called so having traces on command line of what happens) - Testing with HOTP implementation for sealing/unsealing since that forces USB module loads on each boot to remove this from failing possibilities
2022-08-25 18:43:31 +00:00
CONFIG_PAYLOAD_LINUX=y
CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"
2023-05-23 14:37:16 +00:00
CONFIG_PAYLOAD_OPTIONS=""
# CONFIG_PXE is not set
CONFIG_COMPRESS_SECONDARY_PAYLOAD=y
#
# Secondary Payloads
#
# CONFIG_COREINFO_SECONDARY_PAYLOAD is not set
# CONFIG_GRUB2_SECONDARY_PAYLOAD is not set
# CONFIG_MEMTEST_SECONDARY_PAYLOAD is not set
# CONFIG_NVRAMCUI_SECONDARY_PAYLOAD is not set
# CONFIG_SEABIOS_SECONDARY_PAYLOAD is not set
# CONFIG_TINT_SECONDARY_PAYLOAD is not set
# CONFIG_COREDOOM_SECONDARY_PAYLOAD is not set
# end of Secondary Payloads
# end of Payload
#
# Debugging
#
#
# CPU Debug Settings
#
# CONFIG_DISPLAY_MTRRS is not set
#
# BLOB Debug Settings
#
#
# General Debug Settings
#
# CONFIG_GDB_STUB is not set
# CONFIG_FATAL_ASSERTS is not set
# CONFIG_DEBUG_CBFS is not set
CONFIG_HAVE_DEBUG_SMBUS=y
# CONFIG_DEBUG_SMBUS is not set
# CONFIG_DEBUG_SMI is not set
# CONFIG_DEBUG_CONSOLE_INIT is not set
# CONFIG_DEBUG_BOOT_STATE is not set
# CONFIG_DEBUG_ADA_CODE is not set
# end of Debugging
CONFIG_DECOMPRESS_OFAST=y
CONFIG_WARNINGS_ARE_ERRORS=y
CONFIG_MAX_REBOOT_CNT=3
CONFIG_RELOCATABLE_MODULES=y
CONFIG_HAVE_BOOTBLOCK=y
CONFIG_HAVE_ROMSTAGE=y
CONFIG_HAVE_RAMSTAGE=y