diff --git a/.circleci/config.yml b/.circleci/config.yml
index b40385a2..8def1efd 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -59,6 +59,24 @@ jobs: # - store-artifacts: # path: build/qemu-linuxboot/hashes.txt + - run: + name: librem_l1um + command: | + rm -rf build/librem_l1um/* build/log/* && make CPUS=4 \ + V=1 \ + BOARD=librem_l1um || (find ./build/ -name "*.log" -type f -mmin -1|while read log; do echo ""; echo '==>' "$log" '<=='; echo ""; cat $log;done; exit 1) \ + no_output_timeout: 3h + - run: + name: Ouput librem_l1um hashes + command: | + cat build/librem_l1um/hashes.txt \ + - run: + name: Archiving build logs for librem_l1um + command: | + tar zcvf build/librem_l1um/logs.tar.gz build/log/* + - store-artifacts: + path: build/librem_l1um + - run: name: librem_mini command: |
diff --git a/boards/librem_l1um/librem_l1um.config b/boards/librem_l1um/librem_l1um.config
new file mode 100644
index 00000000..cd77d7e4
--- /dev/null
+++ b/boards/librem_l1um/librem_l1um.config
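Review bot: Both `command: |` scalars added here end in a dangling line-continuation — `... exit 1) \` and `cat build/librem_l1um/hashes.txt \` — so the shell receives a backslash followed by end of input; it is harmless today, but any line later appended inside the scalar is silently joined onto the previous command, so drop the two trailing backslashes. The step name `Ouput librem_l1um hashes` is misspelled (`Output`). The block appears to be copied from the neighbouring per-board entries; if those carry the same trailing backslashes the fix applies there too. Indentation is not recoverable from this rendering, so I could not confirm that `no_output_timeout: 3h` sits at the `run:` level rather than inside the `command` scalar — worth a second look.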
@@ -0,0 +1,43 @@
+# Configuration for a librem_l1um
+CONFIG_LINUX_CONFIG=config/linux-librem_l1um.config
+CONFIG_COREBOOT_CONFIG=config/coreboot-librem_l1um.config
+
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=4.11
+export CONFIG_LINUX_VERSION=4.19.139
+export CONFIG_PURISM_BLOBS=y
+
+CONFIG_CRYPTSETUP=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+CONFIG_HOTPKEY=y
+
+CONFIG_LINUX_USB=y
+
+export CONFIG_TPM=y
+export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y
+
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on"
+export CONFIG_BOOT_KERNEL_REMOVE="plymouth.ignore-serial-consoles"
+export CONFIG_BOOT_DEV="/dev/nvme0n1p1"
+export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem Server L1UM Heads Boot Menu"
+export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0"
+export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0"
+export CONFIG_AUTO_BOOT_TIMEOUT=5
+export CONFIG_FLASHROM_OPTIONS="-p internal"
+export CONFIG_USB_KEYBOARD=y
diff --git a/config/coreboot-librem_l1um.config b/config/coreboot-librem_l1um.config
new file mode 100644
index 00000000..b51de61f
--- /dev/null
+++ b/config/coreboot-librem_l1um.config
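Review bot: `CONFIG_BOOT_REQ_HASH=n` and `CONFIG_BOOT_REQ_ROLLBACK=n`, together with `CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y`, relax the checks the `/bin/gui-init` boot script would otherwise enforce (as I read the option names: no required /boot hash verification, no rollback-counter check, no TPM-sealed disk unlock), and the file records no reason. A one-line comment above that group would stop the next maintainer from "fixing" it, e.g. `# <why hash/rollback enforcement and TPM disk unlock are off on this server board>`. `CONFIG_BOOT_DEV="/dev/nvme0n1p1"` likewise hard-codes the boot partition; if that is the expected factory layout, a comment saying so would help whoever adapts this config.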
@@ -0,0 +1,28 @@
+CONFIG_LOCALVERSION="heads"
+CONFIG_ANY_TOOLCHAIN=y
+CONFIG_USE_BLOBS=y
+CONFIG_MEASURED_BOOT=y
+CONFIG_VENDOR_PURISM=y
+CONFIG_CBFS_SIZE=0xC00000
+CONFIG_MAINBOARD_SMBIOS_MANUFACTURER="Purism"
+CONFIG_MAINBOARD_SMBIOS_PRODUCT_NAME="Librem Server L1UM"
+CONFIG_IFD_BIN_PATH="3rdparty/purism-blobs/mainboard/purism/librem_l1um/flashdescriptor.bin"
+CONFIG_ME_BIN_PATH="3rdparty/purism-blobs/mainboard/purism/librem_l1um/me.bin"
+CONFIG_HAVE_IFD_BIN=y
+# CONFIG_DRIVERS_INTEL_WIFI is not set
+CONFIG_BOARD_PURISM_LIBREM_L1UM=y
+CONFIG_PCIEXP_COMMON_CLOCK=y
+CONFIG_FSP_EHCI1_ENABLE=y
+CONFIG_FSP_EHCI2_ENABLE=y
+CONFIG_CPU_MICROCODE_CBFS_EXTERNAL_BINS=y
+CONFIG_CPU_UCODE_BINARIES="3rdparty/purism-blobs/mainboard/purism/librem_l1um/cpu_microcode_blob.bin"
+CONFIG_HAVE_ME_BIN=y
+CONFIG_NO_GFX_INIT=y
+CONFIG_DRIVERS_GENERIC_CBFS_SERIAL=y
+CONFIG_SMBIOS_ENCLOSURE_TYPE=0x17
+CONFIG_USER_TPM1=y
+CONFIG_NO_POST=y
+CONFIG_PAYLOAD_LINUX=y
+CONFIG_PAYLOAD_FILE="../../build/librem_l1um/bzImage"
+CONFIG_LINUX_INITRD="../../build/librem_l1um/initrd.cpio.xz"
+CONFIG_LINUX_COMMAND_LINE="quiet loglevel=3"
diff --git a/config/linux-librem_l1um.config b/config/linux-librem_l1um.config
new file mode 100644
index 00000000..977da889
--- /dev/null
+++ b/config/linux-librem_l1um.config
@@ -0,0 +1,309 @@
+CONFIG_LOCALVERSION="-heads"
+# CONFIG_LOCALVERSION_AUTO is not set
+CONFIG_KERNEL_XZ=y
+# CONFIG_SWAP is not set
+# CONFIG_CROSS_MEMORY_ATTACH is not set
+CONFIG_NO_HZ_IDLE=y
+CONFIG_PREEMPT_VOLUNTARY=y
+CONFIG_LOG_BUF_SHIFT=18
+CONFIG_BLK_DEV_INITRD=y
+CONFIG_INITRAMFS_SOURCE="../../../blobs/dev.cpio"
+# CONFIG_RD_GZIP is not set
+# CONFIG_RD_BZIP2 is not set
+# CONFIG_RD_LZMA is not set
+# CONFIG_RD_LZO is not set
+# CONFIG_RD_LZ4 is not set
+CONFIG_CC_OPTIMIZE_FOR_SIZE=y
+# CONFIG_SGETMASK_SYSCALL is not set
+# CONFIG_SYSFS_SYSCALL is not set
+# CONFIG_FHANDLE is not set
+# CONFIG_BASE_FULL is not set
+# CONFIG_SIGNALFD is not set
+# CONFIG_TIMERFD is not set
+# CONFIG_EVENTFD is not set
+# CONFIG_AIO is not set
+# CONFIG_ADVISE_SYSCALLS is not set
+CONFIG_EMBEDDED=y
+# CONFIG_VM_EVENT_COUNTERS is not set
+# CONFIG_SLUB_DEBUG is not set
+# CONFIG_COMPAT_BRK is not set
+CONFIG_SMP=y
+# CONFIG_RETPOLINE is not set
+# CONFIG_X86_EXTENDED_PLATFORM is not set
+CONFIG_PROCESSOR_SELECT=y
+# CONFIG_CPU_SUP_CENTAUR is not set
+CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS=y
+# CONFIG_X86_MCE_AMD is not set
+# CONFIG_PERF_EVENTS_INTEL_RAPL is not set
+# CONFIG_MICROCODE is not set
+CONFIG_X86_PMEM_LEGACY=y
+# CONFIG_X86_SMAP is not set
+# CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS is not set
+# CONFIG_SECCOMP is not set
+CONFIG_KEXEC=y
+CONFIG_KEXEC_FILE=y
+# CONFIG_RELOCATABLE is not set
+CONFIG_PHYSICAL_ALIGN=0x1000000
+# CONFIG_MODIFY_LDT_SYSCALL is not set
+# CONFIG_SUSPEND is not set
+CONFIG_PCI_MSI=y
+CONFIG_PCI_IOV=y
+CONFIG_PCI_PRI=y
+# CONFIG_FIRMWARE_MEMMAP is not set
+# CONFIG_DMIID is not set
+# CONFIG_VIRTUALIZATION is not set
+CONFIG_JUMP_LABEL=y
+CONFIG_MODULES=y
+# CONFIG_IOSCHED_DEADLINE is not set
+# CONFIG_IOSCHED_CFQ is not set
+# CONFIG_COREDUMP is not set
+# CONFIG_SPARSEMEM_VMEMMAP is not set
+# CONFIG_COMPACTION is not set
+# CONFIG_BOUNCE is not set
+CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
+CONFIG_NET=y
+CONFIG_PACKET=y
+CONFIG_UNIX=y
+CONFIG_INET=y
+CONFIG_SYN_COOKIES=y
+# CONFIG_INET_XFRM_MODE_TRANSPORT is not set
+# CONFIG_INET_XFRM_MODE_TUNNEL is not set
+# CONFIG_INET_XFRM_MODE_BEET is not set
+# CONFIG_INET_DIAG is not set
+# CONFIG_IPV6 is not set
+# CONFIG_WIRELESS is not set
+# CONFIG_UEVENT_HELPER is not set
+CONFIG_DEVTMPFS=y
+CONFIG_DEVTMPFS_MOUNT=y
+# CONFIG_STANDALONE is not set
+# CONFIG_ALLOW_DEV_COREDUMP is not set
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_RAM=y
+CONFIG_BLK_DEV_RAM_SIZE=65536
+CONFIG_BLK_DEV_NVME=y
+CONFIG_EEPROM_93CX6=m
+CONFIG_INTEL_MEI_ME=m
+CONFIG_INTEL_MEI_TXE=m
+# CONFIG_SCSI_PROC_FS is not set
+CONFIG_BLK_DEV_SD=y
+CONFIG_BLK_DEV_SR=y
+CONFIG_CHR_DEV_SG=y
+CONFIG_SCSI_SCAN_ASYNC=y
+CONFIG_ISCSI_TCP=y
+CONFIG_ATA=y
+CONFIG_SATA_AHCI=y
+# CONFIG_ATA_SFF is not set
+CONFIG_MD=y
+CONFIG_BLK_DEV_DM=y
+CONFIG_DM_CRYPT=y
+CONFIG_DM_VERITY=y
+CONFIG_DM_VERITY_FEC=y
+CONFIG_NETDEVICES=y
+# CONFIG_NET_VENDOR_3COM is not set
+# CONFIG_NET_VENDOR_ADAPTEC is not set
+# CONFIG_NET_VENDOR_AGERE is not set
+# CONFIG_NET_VENDOR_ALTEON is not set
+# CONFIG_NET_VENDOR_AMAZON is not set
+# CONFIG_NET_VENDOR_AMD is not set
+# CONFIG_NET_VENDOR_ARC is not set
+# CONFIG_NET_VENDOR_ATHEROS is not set
+# CONFIG_NET_VENDOR_BROADCOM is not set
+# CONFIG_NET_VENDOR_BROCADE is not set
+# CONFIG_NET_VENDOR_CAVIUM is not set
+# CONFIG_NET_VENDOR_CHELSIO is not set
+# CONFIG_NET_VENDOR_CISCO is not set
+# CONFIG_NET_VENDOR_DEC is not set
+# CONFIG_NET_VENDOR_DLINK is not set
+# CONFIG_NET_VENDOR_EMULEX is not set
+# CONFIG_NET_VENDOR_EZCHIP is not set
+# CONFIG_NET_VENDOR_HP is not set
+# CONFIG_NET_VENDOR_I825XX is not set
+CONFIG_E1000=m
+CONFIG_E1000E=m
+# CONFIG_NET_VENDOR_MARVELL is not set
+# CONFIG_NET_VENDOR_MELLANOX is not set
+# CONFIG_NET_VENDOR_MICREL is not set
+# CONFIG_NET_VENDOR_MYRI is not set
+# CONFIG_NET_VENDOR_NATSEMI is not set
+# CONFIG_NET_VENDOR_NETRONOME is not set
+# CONFIG_NET_VENDOR_NVIDIA is not set
+# CONFIG_NET_VENDOR_OKI is not set
+# CONFIG_NET_VENDOR_QLOGIC is not set
+# CONFIG_NET_VENDOR_QUALCOMM is not set
+# CONFIG_NET_VENDOR_RDC is not set
+# CONFIG_NET_VENDOR_REALTEK is not set
+# CONFIG_NET_VENDOR_RENESAS is not set
+# CONFIG_NET_VENDOR_ROCKER is not set
+# CONFIG_NET_VENDOR_SAMSUNG is not set
+# CONFIG_NET_VENDOR_SEEQ is not set
+# CONFIG_NET_VENDOR_SILAN is not set
+# CONFIG_NET_VENDOR_SIS is not set
+# CONFIG_NET_VENDOR_SMSC is not set
+# CONFIG_NET_VENDOR_STMICRO is not set
+# CONFIG_NET_VENDOR_SUN is not set
+# CONFIG_NET_VENDOR_SYNOPSYS is not set
+# CONFIG_NET_VENDOR_TEHUTI is not set
+# CONFIG_NET_VENDOR_TI is not set
+# CONFIG_NET_VENDOR_VIA is not set
+# CONFIG_NET_VENDOR_WIZNET is not set
+# CONFIG_USB_NET_DRIVERS is not set
+# CONFIG_WLAN is not set
+# CONFIG_INPUT_MOUSE is not set
+# CONFIG_SERIO_SERPORT is not set
+# CONFIG_UNIX98_PTYS is not set
+# CONFIG_LEGACY_PTYS is not set
+CONFIG_SERIAL_8250=y
+# CONFIG_SERIAL_8250_DEPRECATED_OPTIONS is not set
+CONFIG_SERIAL_8250_CONSOLE=y
+# CONFIG_SERIAL_8250_PCI is not set
+CONFIG_SERIAL_8250_EXTENDED=y
+# CONFIG_SERIAL_8250_LPSS is not set
+# CONFIG_SERIAL_8250_MID is not set
+CONFIG_TTY_PRINTK=y
+CONFIG_HW_RANDOM=y
+CONFIG_HW_RANDOM_TIMERIOMEM=m
+CONFIG_HW_RANDOM_INTEL=m
+CONFIG_HW_RANDOM_AMD=m
+CONFIG_HW_RANDOM_VIA=m
+CONFIG_TCG_TPM=y
+CONFIG_TCG_TIS=y
+# CONFIG_I2C_COMPAT is not set
+CONFIG_I2C_MUX=m
+CONFIG_I2C_MUX_PCA9541=m
+CONFIG_I2C_MUX_REG=m
+# CONFIG_I2C_HELPER_AUTO is not set
+CONFIG_I2C_SLAVE=y
+CONFIG_PTP_1588_CLOCK=y
+# CONFIG_HWMON is not set
+# CONFIG_X86_PKG_TEMP_THERMAL is not set
+CONFIG_MFD_SYSCON=y
+CONFIG_DRM=y
+CONFIG_DRM_AST=y
+CONFIG_FB_VESA=y
+CONFIG_FRAMEBUFFER_CONSOLE=y
+CONFIG_USB=y
+CONFIG_USB_XHCI_HCD=m
+CONFIG_USB_XHCI_PLATFORM=m
+CONFIG_USB_EHCI_HCD=m
+CONFIG_USB_EHCI_HCD_PLATFORM=m
+CONFIG_USB_STORAGE=m
+CONFIG_RTC_CLASS=y
+# CONFIG_X86_PLATFORM_DEVICES is not set
+CONFIG_INTEL_IOMMU=y
+CONFIG_INTEL_IOMMU_SVM=y
+CONFIG_GENERIC_PHY=y
+# CONFIG_BLK_DEV_PMEM is not set
+# CONFIG_ND_BLK is not set
+# CONFIG_BTT is not set
+CONFIG_EXT4_FS=y
+# CONFIG_DNOTIFY is not set
+# CONFIG_INOTIFY_USER is not set
+CONFIG_ISO9660_FS=y
+CONFIG_JOLIET=y
+CONFIG_MSDOS_FS=y
+CONFIG_VFAT_FS=y
+# CONFIG_PROC_SYSCTL is not set
+# CONFIG_PROC_PAGE_MONITOR is not set
+# CONFIG_MISC_FILESYSTEMS is not set
+CONFIG_NLS_DEFAULT="utf8"
+CONFIG_NLS_CODEPAGE_437=y
+CONFIG_NLS_ISO8859_1=y
+CONFIG_NLS_UTF8=y
+CONFIG_HARDENED_USERCOPY=y
+CONFIG_CRYPTO_RSA=m
+CONFIG_CRYPTO_USER=y
+CONFIG_CRYPTO_MCRYPTD=m
+CONFIG_CRYPTO_AUTHENC=m
+CONFIG_CRYPTO_CCM=m
+CONFIG_CRYPTO_GCM=m
+CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CTS=m
+CONFIG_CRYPTO_LRW=y
+CONFIG_CRYPTO_PCBC=m
+CONFIG_CRYPTO_XTS=y
+CONFIG_CRYPTO_KEYWRAP=m
+CONFIG_CRYPTO_CMAC=m
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_XCBC=m
+CONFIG_CRYPTO_VMAC=m
+CONFIG_CRYPTO_CRC32C_INTEL=y
+CONFIG_CRYPTO_CRC32=m
+CONFIG_CRYPTO_CRC32_PCLMUL=m
+CONFIG_CRYPTO_CRCT10DIF_PCLMUL=m
+CONFIG_CRYPTO_POLY1305_X86_64=m
+CONFIG_CRYPTO_MD4=m
+CONFIG_CRYPTO_MICHAEL_MIC=m
+CONFIG_CRYPTO_RMD128=m
+CONFIG_CRYPTO_RMD160=m
+CONFIG_CRYPTO_RMD256=m
+CONFIG_CRYPTO_RMD320=m
+CONFIG_CRYPTO_SHA1_SSSE3=y
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_TGR192=m
+CONFIG_CRYPTO_WP512=m
+CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=m
+CONFIG_CRYPTO_AES_NI_INTEL=y
+CONFIG_CRYPTO_ANUBIS=m
+CONFIG_CRYPTO_ARC4=m
+CONFIG_CRYPTO_BLOWFISH=m
+CONFIG_CRYPTO_BLOWFISH_X86_64=m
+CONFIG_CRYPTO_CAMELLIA=m
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=m
+CONFIG_CRYPTO_CAST5_AVX_X86_64=m
+CONFIG_CRYPTO_CAST6_AVX_X86_64=m
+CONFIG_CRYPTO_DES3_EDE_X86_64=m
+CONFIG_CRYPTO_FCRYPT=m
+CONFIG_CRYPTO_KHAZAD=m
+CONFIG_CRYPTO_SALSA20=m
+CONFIG_CRYPTO_CHACHA20_X86_64=m
+CONFIG_CRYPTO_SEED=m
+CONFIG_CRYPTO_SERPENT_SSE2_X86_64=m
+CONFIG_CRYPTO_SERPENT_AVX2_X86_64=m
+CONFIG_CRYPTO_TEA=m
+CONFIG_CRYPTO_TWOFISH=m
+CONFIG_CRYPTO_TWOFISH_AVX_X86_64=m
+CONFIG_CRYPTO_DEFLATE=m
+CONFIG_CRYPTO_LZO=y
+CONFIG_CRYPTO_842=m
+CONFIG_CRYPTO_LZ4=m
+CONFIG_CRYPTO_LZ4HC=m
+CONFIG_CRYPTO_ANSI_CPRNG=m
+CONFIG_CRYPTO_DRBG_HASH=y
+CONFIG_CRYPTO_DRBG_CTR=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
+CONFIG_CRYPTO_USER_API_RNG=y
+CONFIG_CRYPTO_USER_API_AEAD=y
+# CONFIG_CRYPTO_HW is not set
+CONFIG_CRC_CCITT=m
+CONFIG_CRC_T10DIF=y
+CONFIG_CRC_ITU_T=m
+CONFIG_CRC7=m
+CONFIG_LIBCRC32C=m
+CONFIG_CRC8=m
+CONFIG_XZ_DEC_TEST=m
+CONFIG_CORDIC=m
+CONFIG_IRQ_POLL=y
+CONFIG_PRINTK_TIME=y
+CONFIG_BOOT_PRINTK_DELAY=y
+CONFIG_DYNAMIC_DEBUG=y
+CONFIG_DEBUG_INFO=y
+CONFIG_DEBUG_INFO_DWARF4=y
+CONFIG_GDB_SCRIPTS=y
+# CONFIG_ENABLE_MUST_CHECK is not set
+CONFIG_FRAME_WARN=1024
+CONFIG_DEBUG_FS=y
+CONFIG_MAGIC_SYSRQ=y
+CONFIG_HARDLOCKUP_DETECTOR=y
+CONFIG_WQ_WATCHDOG=y
+# CONFIG_SCHED_DEBUG is not set
+CONFIG_STACKTRACE=y
+# CONFIG_DEBUG_BUGVERBOSE is not set
+# CONFIG_RCU_TRACE is not set
+# CONFIG_FTRACE is not set
+# CONFIG_STRICT_DEVMEM is not set
+# CONFIG_X86_VERBOSE_BOOTUP is not set
+# CONFIG_DOUBLEFAULT is not set
+CONFIG_IO_DELAY_0XED=y
+CONFIG_OPTIMIZE_INLINING=y
+# CONFIG_X86_DEBUG_FPU is not set
diff --git a/initrd/bin/flash.sh b/initrd/bin/flash.sh
index d82d43b7..ab12fed4 100755
--- a/initrd/bin/flash.sh
+++ b/initrd/bin/flash.sh
@@ -43,6 +43,14 @@ flash_rom() { cbfs -o /tmp/${CONFIG_BOARD}.rom -d serial_number 2>/dev/null || true cbfs -o /tmp/${CONFIG_BOARD}.rom -a serial_number -f /tmp/serial fi + # persist PCHSTRP9 from flash descriptor + if [ "$CONFIG_BOARD" = "librem_l1um" ]; then + echo "Persisting PCHSTRP9" + flashrom $CONFIG_FLASHROM_OPTIONS -r /tmp/ifd.bin --ifd -i fd >/dev/null 2>&1 \ + || die "Failed to read flash descriptor" + dd if=/tmp/ifd.bin bs=1 count=4 skip=292 of=/tmp/pchstrp9.bin >/dev/null 2>&1 + dd if=/tmp/pchstrp9.bin bs=1 count=4 seek=292 of=/tmp/${CONFIG_BOARD}.rom conv=notrunc >/dev/null 2>&1 + fi flashrom $CONFIG_FLASHROM_OPTIONS -w /tmp/${CONFIG_BOARD}.rom \ || die "$ROM: Flash failed"
diff --git a/modules/coreboot b/modules/coreboot
index 8dd6b07c..7e3b7f1e 100644
--- a/modules/coreboot
+++ b/modules/coreboot
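Review bot: Several kernel hardening options are explicitly switched off in this config — `# CONFIG_RETPOLINE is not set`, `# CONFIG_X86_SMAP is not set`, `# CONFIG_SECCOMP is not set`, `# CONFIG_STRICT_DEVMEM is not set` — while debug facilities stay on (`CONFIG_MAGIC_SYSRQ=y`, `CONFIG_DEBUG_FS=y`, `CONFIG_DEBUG_INFO=y`, `CONFIG_GDB_SCRIPTS=y`), and nothing records why. Some of this is presumably deliberate for a firmware runtime (flashrom's internal programmer is expected to need raw /dev/mem access, so STRICT_DEVMEM off is unsurprising), but the rest reads as inherited from whichever board config this was derived from. Because the file appears to be in savedefconfig form, a `#` comment here is likely to be dropped the next time it is regenerated, so the rationale for the disabled mitigations and the retained debug options belongs in the commit message or the board's README.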
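Review bot: The two `dd` lines that carry PCHSTRP9 across discard both their output and their exit status (`>/dev/null 2>&1`, no `|| die`), so only the preceding `flashrom -r` is checked; if `/tmp/ifd.bin` is shorter than expected or `/tmp/pchstrp9.bin` comes out empty, `dd` typically still exits 0 with a partial copy and the script goes on to `flashrom -w` with an image whose strap field was never preserved. Check each step and the extracted size: `dd if=/tmp/ifd.bin bs=1 count=4 skip=292 of=/tmp/pchstrp9.bin >/dev/null 2>&1 || die "Failed to extract PCHSTRP9"`, then `[ "$(wc -c < /tmp/pchstrp9.bin)" -eq 4 ] || die "PCHSTRP9 extract is not 4 bytes"`, and `dd if=/tmp/pchstrp9.bin bs=1 count=4 seek=292 of=/tmp/${CONFIG_BOARD}.rom conv=notrunc >/dev/null 2>&1 || die "Failed to write PCHSTRP9 into ROM"`. The constant 292 appears twice; naming it once (`PCHSTRP9_OFFSET=292`) with a comment on what fixes that descriptor offset for this board would make the intent checkable. `flash_rom()` starts before this hunk and continues after it.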
@@ -4,6 +4,11 @@ ifeq "$(CONFIG_COREBOOT_VERSION)" "4.8.1"
 coreboot_version := 4.8.1
 coreboot_hash := f0ddf4db0628c1fe1e8348c40084d9cbeb5771400c963fd419cda3995b69ad23
 coreboot-blobs_hash := 18aa509ae3af005a05d7b1e0b0246dc640249c14fc828f5144b6fd20bb10e295
+else ifeq "$(CONFIG_COREBOOT_VERSION)" "4.11"
+ coreboot_version := 4.11
+ coreboot_hash := 97fd859b4c39a25534fe33c30eb86e54a233952e08a024c55858d11598a8ad87
+ coreboot-blobs_hash := aa7855c5bd385b3360dadc043ea6bc93f564e6e4840d9b3ee5b9e696bbd055db
+ coreboot_depends := $(if $(CONFIG_PURISM_BLOBS), purism-blobs)
 else ifeq "$(CONFIG_COREBOOT_VERSION)" "4.12"
 coreboot_version := 4.12
 coreboot_hash := edcad000ee9b73183c396ea76155629b3d27c693e0f1ae83e3424c4d936e2be2
diff --git a/patches/coreboot-4.11/0000-cpu-x86-smm-Use-PRIxPTR-to-print-uintptr_t.patch b/patches/coreboot-4.11/0000-cpu-x86-smm-Use-PRIxPTR-to-print-uintptr_t.patch
new file mode 100644
index 00000000..b8e0f356
--- /dev/null
+++ b/patches/coreboot-4.11/0000-cpu-x86-smm-Use-PRIxPTR-to-print-uintptr_t.patch
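Review bot: `coreboot_depends := $(if $(CONFIG_PURISM_BLOBS), purism-blobs)` is set only inside the new 4.11 branch, so a board that pairs `CONFIG_PURISM_BLOBS=y` with 4.8.1 or 4.12 gets no purism-blobs dependency and, unless the variable is defined elsewhere in the file outside this hunk, `coreboot_depends` stays undefined for those versions. If the dependency is version-independent, move the line below the `endif` of this chain; if it is intentionally 4.11-only, say so where it is set, e.g. `# <why purism-blobs is tied to coreboot 4.11>`. Minor: the space after the comma in `$(if …, purism-blobs)` becomes part of the value; it is harmless in a prerequisite list, but `$(if $(CONFIG_PURISM_BLOBS),purism-blobs)` is the cleaner form.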
@@ -0,0 +1,47 @@
+From 06f2fcc0ffc1a903f304d8a3382f3a57163989a1 Mon Sep 17 00:00:00 2001
+From: Jacob Garber
+Date: Mon, 4 Nov 2019 09:35:15 -0700
+Subject: [PATCH] cpu/x86/smm: Use PRIxPTR to print uintptr_t
+
+Since 'base' is a uintptr_t, it needs the PRIxPTR format specifier. This
+fixes a compilation error when targeting x86_64 or using Clang 9.0.0.
+
+Change-Id: Ib806e2b3cbb255ef208b361744ac4547b8ba262f
+Signed-off-by: Jacob Garber
+Reviewed-on: https://review.coreboot.org/c/coreboot/+/36785
+Tested-by: build bot (Jenkins)
+Reviewed-by: HAOUAS Elyes
+---
+ src/cpu/x86/smm/tseg_region.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/cpu/x86/smm/tseg_region.c b/src/cpu/x86/smm/tseg_region.c
+index a8b8bb7b9a..5b5c5729d5 100644
+--- a/src/cpu/x86/smm/tseg_region.c
++++ b/src/cpu/x86/smm/tseg_region.c
+@@ -17,6 +17,7 @@
+ #include
+ #include
+ #include
++#include
+
+ /*
+ * Subregions within SMM
+@@ -88,11 +89,11 @@ void smm_list_regions(void)
+ return;
+
+ printk(BIOS_DEBUG, "SMM Memory Map\n");
+- printk(BIOS_DEBUG, "SMRAM : 0x%zx 0x%zx\n", base, size);
++ printk(BIOS_DEBUG, "SMRAM : 0x%" PRIxPTR " 0x%zx\n", base, size);
+
+ for (i = 0; i < SMM_SUBREGION_NUM; i++) {
+ if (smm_subregion(i, &base, &size))
+ continue;
+- printk(BIOS_DEBUG, " Subregion %d: 0x%zx 0x%zx\n", i, base, size);
++ printk(BIOS_DEBUG, " Subregion %d: 0x%" PRIxPTR " 0x%zx\n", i, base, size);
+ }
+ }
+--
+2.21.1
+
+
diff --git a/patches/coreboot-4.11/0001-Add-Heads-TPM-measured-boot-support.patch b/patches/coreboot-4.11/0001-Add-Heads-TPM-measured-boot-support.patch
new file mode 100644
index 00000000..0385342e
--- /dev/null
+++ b/patches/coreboot-4.11/0001-Add-Heads-TPM-measured-boot-support.patch
@@ -0,0 +1,1890 @@ +From 48784d452a85ee282823d1d8c8d3d4eec56de3a2 Mon Sep 17 00:00:00 2001 +From: Martin Kepplinger +Date: Wed, 15 May 2019 11:55:24 +0200 +Subject: [PATCH] Add Heads TPM measured boot support + +Change-Id: I3a64998de2fbb7f2059cb8c68cfbf949b0665665 +Signed-off-by: Martin Kepplinger +--- + src/Kconfig | 15 +++ + src/include/program_loading.h | 2 + + src/lib/cbfs.c | 19 ++- + src/lib/hardwaremain.c | 8 ++ + src/lib/rmodule.c | 3 +- + src/security/tpm/Makefile.inc | 5 + + src/security/tpm/sha1.c | 180 +++++++++++++++++++++++++++++ + src/security/tpm/sha1.h | 47 ++++++++ + src/security/tpm/tspi/tspi.c | 2 +- + src/security/tpm/tss.h | 5 + + src/security/tpm/tss/tcg-1.2/tss.c | 19 +++ + 11 files changed, 299 insertions(+), 6 deletions(-) + create mode 100644 src/security/tpm/sha1.c + create mode 100644 src/security/tpm/sha1.h + +diff --git a/src/Kconfig b/src/Kconfig +index c0315239fc..48e53dc239 100644 +--- a/src/Kconfig ++++ b/src/Kconfig +@@ -332,6 +332,21 @@ config BOOTSPLASH_FILE + config HAVE_RAMPAYLOAD + bool + ++config MEASURED_BOOT ++ bool "Enable TPM measured boot" ++ default n ++ select TPM1 ++ depends on MAINBOARD_HAS_LPC_TPM ++ depends on !VBOOT ++ help ++ Enable this option to measure the bootblock, romstage and ++ CBFS files into TPM PCRs. This does not verify these values ++ (that is the job of something like vboot), but makes it possible ++ for the payload to validate the boot path and allow something ++ like Heads to attest to the user that the system is likely safe. ++ ++ You probably want to say N. ++ + config RAMPAYLOAD + bool "Enable coreboot flow without executing ramstage" + default y if ARCH_X86 +diff --git a/src/Kconfig.orig b/src/Kconfig.orig +new file mode 100644 +index 0000000000..2bb5bfeab0 +--- /dev/null ++++ b/src/Kconfig.orig +@@ -0,0 +1,1210 @@ ++## ++## This file is part of the coreboot project. 
++## ++## Copyright (C) 2012 Alexandru Gagniuc ++## Copyright (C) 2009-2010 coresystems GmbH ++## ++## This program is free software; you can redistribute it and/or modify ++## it under the terms of the GNU General Public License as published by ++## the Free Software Foundation; version 2 of the License. ++## ++## This program is distributed in the hope that it will be useful, ++## but WITHOUT ANY WARRANTY; without even the implied warranty of ++## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++## GNU General Public License for more details. ++## ++ ++mainmenu "coreboot configuration" ++ ++menu "General setup" ++ ++config COREBOOT_BUILD ++ bool ++ default y ++ ++config LOCALVERSION ++ string "Local version string" ++ help ++ Append an extra string to the end of the coreboot version. ++ ++ This can be useful if, for instance, you want to append the ++ respective board's hostname or some other identifying string to ++ the coreboot version number, so that you can easily distinguish ++ boot logs of different boards from each other. ++ ++config CONFIGURABLE_CBFS_PREFIX ++ bool ++ help ++ Select this to prompt to use to configure the prefix for cbfs files. ++ ++config CBFS_PREFIX ++ string "CBFS prefix to use" if CONFIGURABLE_CBFS_PREFIX ++ default "fallback" ++ help ++ Select the prefix to all files put into the image. It's "fallback" ++ by default, "normal" is a common alternative. ++ ++choice ++ prompt "Compiler to use" ++ default COMPILER_GCC ++ help ++ This option allows you to select the compiler used for building ++ coreboot. ++ You must build the coreboot crosscompiler for the board that you ++ have selected. ++ ++ To build all the GCC crosscompilers (takes a LONG time), run: ++ make crossgcc ++ ++ For help on individual architectures, run the command: ++ make help_toolchain ++ ++config COMPILER_GCC ++ bool "GCC" ++ help ++ Use the GNU Compiler Collection (GCC) to build coreboot. ++ ++ For details see http://gcc.gnu.org. 
++ ++config COMPILER_LLVM_CLANG ++ bool "LLVM/clang (TESTING ONLY - Not currently working)" ++ help ++ Use LLVM/clang to build coreboot. To use this, you must build the ++ coreboot version of the clang compiler. Run the command ++ make clang ++ Note that this option is not currently working correctly and should ++ really only be selected if you're trying to work on getting clang ++ operational. ++ ++ For details see http://clang.llvm.org. ++ ++endchoice ++ ++config ANY_TOOLCHAIN ++ bool "Allow building with any toolchain" ++ default n ++ help ++ Many toolchains break when building coreboot since it uses quite ++ unusual linker features. Unless developers explicitely request it, ++ we'll have to assume that they use their distro compiler by mistake. ++ Make sure that using patched compilers is a conscious decision. ++ ++config CCACHE ++ bool "Use ccache to speed up (re)compilation" ++ default n ++ help ++ Enables the use of ccache for faster builds. ++ ++ Requires the ccache utility in your system $PATH. ++ ++ For details see https://ccache.samba.org. ++ ++config FMD_GENPARSER ++ bool "Generate flashmap descriptor parser using flex and bison" ++ default n ++ help ++ Enable this option if you are working on the flashmap descriptor ++ parser and made changes to fmd_scanner.l or fmd_parser.y. ++ ++ Otherwise, say N to use the provided pregenerated scanner/parser. ++ ++config UTIL_GENPARSER ++ bool "Generate SCONFIG & BINCFG parser using flex and bison" ++ default n ++ help ++ Enable this option if you are working on the sconfig device tree ++ parser or bincfg and made changes to the .l or .y files. ++ ++ Otherwise, say N to use the provided pregenerated scanner/parser. ++ ++config USE_OPTION_TABLE ++ bool "Use CMOS for configuration values" ++ depends on HAVE_OPTION_TABLE ++ help ++ Enable this option if coreboot shall read options from the "CMOS" ++ NVRAM instead of using hard-coded values. 
++ ++config STATIC_OPTION_TABLE ++ bool "Load default configuration values into CMOS on each boot" ++ depends on USE_OPTION_TABLE ++ help ++ Enable this option to reset "CMOS" NVRAM values to default on ++ every boot. Use this if you want the NVRAM configuration to ++ never be modified from its default values. ++ ++config COMPRESS_RAMSTAGE ++ bool "Compress ramstage with LZMA" ++ depends on HAVE_RAMSTAGE ++ # Default value set at the end of the file ++ help ++ Compress ramstage to save memory in the flash image. Note ++ that decompression might slow down booting if the boot flash ++ is connected through a slow link (i.e. SPI). ++ ++config COMPRESS_PRERAM_STAGES ++ bool "Compress romstage and verstage with LZ4" ++ depends on !ARCH_X86 && (HAVE_ROMSTAGE || HAVE_VERSTAGE) ++ # Default value set at the end of the file ++ help ++ Compress romstage and (if it exists) verstage with LZ4 to save flash ++ space and speed up boot, since the time for reading the image from SPI ++ (and in the vboot case verifying it) is usually much greater than the ++ time spent decompressing. Doesn't work for XIP stages (assume all ++ ARCH_X86 for now) for obvious reasons. ++ ++config COMPRESS_BOOTBLOCK ++ bool ++ depends on HAVE_BOOTBLOCK ++ help ++ This option can be used to compress the bootblock with LZ4 and attach ++ a small self-decompression stub to its front. This can drastically ++ reduce boot time on platforms where the bootblock is loaded over a ++ very slow connection and bootblock size trumps all other factors for ++ speed. Since using this option usually requires changes to the ++ SoC memlayout and possibly extra support code, it should not be ++ user-selectable. (There's no real point in offering this to the user ++ anyway... if it works and saves boot time, you would always want it.) 
++ ++config INCLUDE_CONFIG_FILE ++ bool "Include the coreboot .config file into the ROM image" ++ # Default value set at the end of the file ++ help ++ Include the .config file that was used to compile coreboot ++ in the (CBFS) ROM image. This is useful if you want to know which ++ options were used to build a specific coreboot.rom image. ++ ++ Saying Y here will increase the image size by 2-3KB. ++ ++ You can use the following command to easily list the options: ++ ++ grep -a CONFIG_ coreboot.rom ++ ++ Alternatively, you can also use cbfstool to print the image ++ contents (including the raw 'config' item we're looking for). ++ ++ Example: ++ ++ $ cbfstool coreboot.rom print ++ coreboot.rom: 4096 kB, bootblocksize 1008, romsize 4194304, ++ offset 0x0 ++ Alignment: 64 bytes ++ ++ Name Offset Type Size ++ cmos_layout.bin 0x0 cmos layout 1159 ++ fallback/romstage 0x4c0 stage 339756 ++ fallback/ramstage 0x53440 stage 186664 ++ fallback/payload 0x80dc0 payload 51526 ++ config 0x8d740 raw 3324 ++ (empty) 0x8e480 null 3610440 ++ ++config COLLECT_TIMESTAMPS ++ bool "Create a table of timestamps collected during boot" ++ default y if ARCH_X86 ++ help ++ Make coreboot create a table of timer-ID/timer-value pairs to ++ allow measuring time spent at different phases of the boot process. ++ ++config TIMESTAMPS_ON_CONSOLE ++ bool "Print the timestamp values on the console" ++ default n ++ depends on COLLECT_TIMESTAMPS ++ help ++ Print the timestamps to the debug console if enabled at level spew. ++ ++config USE_BLOBS ++ bool "Allow use of binary-only repository" ++ help ++ This draws in the blobs repository, which contains binary files that ++ might be required for some chipsets or boards. ++ This flag ensures that a "Free" option remains available for users. ++ ++config COVERAGE ++ bool "Code coverage support" ++ depends on COMPILER_GCC ++ help ++ Add code coverage support for coreboot. This will store code ++ coverage information in CBMEM for extraction from user space. 
++ If unsure, say N. ++ ++config UBSAN ++ bool "Undefined behavior sanitizer support" ++ default n ++ help ++ Instrument the code with checks for undefined behavior. If unsure, ++ say N because it adds a small performance penalty and may abort ++ on code that happens to work in spite of the UB. ++ ++config NO_RELOCATABLE_RAMSTAGE ++ bool ++ default n if ARCH_X86 ++ default y ++ ++config RELOCATABLE_RAMSTAGE ++ bool ++ default !NO_RELOCATABLE_RAMSTAGE ++ select RELOCATABLE_MODULES ++ help ++ The reloctable ramstage support allows for the ramstage to be built ++ as a relocatable module. The stage loader can identify a place ++ out of the OS way so that copying memory is unnecessary during an S3 ++ wake. When selecting this option the romstage is responsible for ++ determing a stack location to use for loading the ramstage. ++ ++config CACHE_RELOCATED_RAMSTAGE_OUTSIDE_CBMEM ++ depends on RELOCATABLE_RAMSTAGE ++ bool ++ help ++ The relocated ramstage is saved in an area specified by the ++ by the board and/or chipset. ++ ++config UPDATE_IMAGE ++ bool "Update existing coreboot.rom image" ++ help ++ If this option is enabled, no new coreboot.rom file ++ is created. Instead it is expected that there already ++ is a suitable file for further processing. ++ The bootblock will not be modified. ++ ++ If unsure, select 'N' ++ ++config BOOTSPLASH_IMAGE ++ bool "Add a bootsplash image" ++ help ++ Select this option if you have a bootsplash image that you would ++ like to add to your ROM. ++ ++ This will only add the image to the ROM. To actually run it check ++ options under 'Display' section. ++ ++config BOOTSPLASH_FILE ++ string "Bootsplash path and filename" ++ depends on BOOTSPLASH_IMAGE ++ # Default value set at the end of the file ++ help ++ The path and filename of the file to use as graphical bootsplash ++ screen. The file format has to be jpg. 
++ ++config HAVE_RAMPAYLOAD ++ bool ++ ++config RAMPAYLOAD ++ bool "Enable coreboot flow without executing ramstage" ++ default y if ARCH_X86 ++ depends on HAVE_RAMPAYLOAD ++ help ++ If this option is enabled, coreboot flow will skip ramstage ++ loading and execution of ramstage to load payload. ++ ++ Instead it is expected to load payload from postcar stage itself. ++ ++ In this flow coreboot will perform basic x86 initialization ++ (DRAM resource allocation), MTRR programming, ++ Skip PCI enumeration logic and only allocate BAR for fixed devices ++ (bootable devices, TPM over GSPI). ++ ++endmenu ++ ++menu "Mainboard" ++ ++source "src/mainboard/Kconfig" ++ ++config DEVICETREE ++ string ++ default "devicetree.cb" ++ help ++ This symbol allows mainboards to select a different file under their ++ mainboard directory for the devicetree.cb file. This allows the board ++ variants that need different devicetrees to be in the same directory. ++ ++ Examples: "devicetree.variant.cb" ++ "variant/devicetree.cb" ++ ++config OVERRIDE_DEVICETREE ++ string ++ default "" ++ help ++ This symbol allows variants to provide an override devicetree file to ++ override the registers and/or add new devices on top of the ones ++ provided by baseboard devicetree using CONFIG_DEVICETREE. ++ ++ Examples: "devicetree.variant-override.cb" ++ "variant/devicetree-override.cb" ++ ++config CBFS_SIZE ++ hex "Size of CBFS filesystem in ROM" ++ # Default value set at the end of the file ++ help ++ This is the part of the ROM actually managed by CBFS, located at the ++ end of the ROM (passed through cbfstool -o) on x86 and at at the start ++ of the ROM (passed through cbfstool -s) everywhere else. It defaults ++ to span the whole ROM on all but Intel systems that use an Intel Firmware ++ Descriptor. It can be overridden to make coreboot live alongside other ++ components like ChromeOS's vboot/FMAP or Intel's IFD / ME / TXE ++ binaries. 
++ ++config FMDFILE ++ string "fmap description file in fmd format" ++ default "src/mainboard/$(CONFIG_MAINBOARD_DIR)/chromeos.fmd" if CHROMEOS ++ default "" ++ help ++ The build system creates a default FMAP from ROM_SIZE and CBFS_SIZE, ++ but in some cases more complex setups are required. ++ When an fmd is specified, it overrides the default format. ++ ++endmenu ++ ++# load site-local kconfig to allow user specific defaults and overrides ++source "site-local/Kconfig" ++ ++config SYSTEM_TYPE_LAPTOP ++ default n ++ bool ++ ++config SYSTEM_TYPE_TABLET ++ default n ++ bool ++ ++config SYSTEM_TYPE_DETACHABLE ++ default n ++ bool ++ ++config SYSTEM_TYPE_CONVERTIBLE ++ default n ++ bool ++ ++config CBFS_AUTOGEN_ATTRIBUTES ++ default n ++ bool ++ help ++ If this option is selected, every file in cbfs which has a constraint ++ regarding position or alignment will get an additional file attribute ++ which describes this constraint. ++ ++menu "Chipset" ++ ++comment "SoC" ++source "src/soc/*/Kconfig" ++comment "CPU" ++source "src/cpu/Kconfig" ++comment "Northbridge" ++source "src/northbridge/*/*/Kconfig" ++comment "Southbridge" ++source "src/southbridge/*/*/Kconfig" ++comment "Super I/O" ++source "src/superio/*/*/Kconfig" ++comment "Embedded Controllers" ++source "src/ec/acpi/Kconfig" ++source "src/ec/*/*/Kconfig" ++ ++source "src/southbridge/intel/common/firmware/Kconfig" ++source "src/vendorcode/*/Kconfig" ++ ++source "src/arch/*/Kconfig" ++ ++endmenu ++ ++source "src/device/Kconfig" ++ ++menu "Generic Drivers" ++source "src/drivers/*/Kconfig" ++source "src/drivers/*/*/Kconfig" ++source "src/commonlib/storage/Kconfig" ++endmenu ++ ++menu "Security" ++ ++source "src/security/Kconfig" ++ ++endmenu ++ ++source "src/acpi/Kconfig" ++ ++# This option is for the current boards/chipsets where SPI flash ++# is not the boot device. Currently nearly all boards/chipsets assume ++# SPI flash is the boot device. 
++config BOOT_DEVICE_NOT_SPI_FLASH ++ bool ++ default n ++ ++config BOOT_DEVICE_SPI_FLASH ++ bool ++ default y if !BOOT_DEVICE_NOT_SPI_FLASH ++ default n ++ ++config BOOT_DEVICE_MEMORY_MAPPED ++ bool ++ default y if ARCH_X86 && BOOT_DEVICE_SPI_FLASH ++ default n ++ help ++ Inform system if SPI is memory-mapped or not. ++ ++config BOOT_DEVICE_SUPPORTS_WRITES ++ bool ++ default n ++ help ++ Indicate that the platform has writable boot device ++ support. ++ ++config RTC ++ bool ++ default n ++ ++config HEAP_SIZE ++ hex ++ default 0x100000 if FLATTENED_DEVICE_TREE ++ default 0x4000 ++ ++config STACK_SIZE ++ hex ++ default 0x1000 if ARCH_X86 ++ default 0x0 ++ ++config MAX_CPUS ++ int ++ default 1 ++ ++source "src/console/Kconfig" ++ ++config HAVE_ACPI_RESUME ++ bool ++ default n ++ ++config ACPI_HUGE_LOWMEM_BACKUP ++ bool ++ default n ++ help ++ On S3 resume path, backup low memory from RAMBASE..RAMTOP in CBMEM. ++ ++config RESUME_PATH_SAME_AS_BOOT ++ bool ++ default y if ARCH_X86 ++ depends on HAVE_ACPI_RESUME ++ help ++ This option indicates that when a system resumes it takes the ++ same path as a regular boot. e.g. an x86 system runs from the ++ reset vector at 0xfffffff0 on both resume and warm/cold boot. ++ ++config HAVE_ROMSTAGE_CONSOLE_SPINLOCK ++ bool ++ default n ++ ++config HAVE_ROMSTAGE_NVRAM_CBFS_SPINLOCK ++ bool ++ default n ++ help ++ This should be enabled on certain plaforms, such as the AMD ++ SR565x, that cannot handle concurrent CBFS accesses from ++ multiple APs during early startup. ++ ++config HAVE_ROMSTAGE_MICROCODE_CBFS_SPINLOCK ++ bool ++ default n ++ ++config NO_MONOTONIC_TIMER ++ def_bool n ++ ++config HAVE_MONOTONIC_TIMER ++ bool ++ depends on !NO_MONOTONIC_TIMER ++ default y ++ help ++ The board/chipset provides a monotonic timer. ++ ++config GENERIC_UDELAY ++ bool ++ depends on HAVE_MONOTONIC_TIMER ++ default y if !ARCH_X86 ++ help ++ The board/chipset uses a generic udelay function utilizing the ++ monotonic timer. 
++ ++config TIMER_QUEUE ++ def_bool n ++ depends on HAVE_MONOTONIC_TIMER ++ help ++ Provide a timer queue for performing time-based callbacks. ++ ++config COOP_MULTITASKING ++ def_bool n ++ depends on TIMER_QUEUE && ARCH_X86 ++ help ++ Cooperative multitasking allows callbacks to be multiplexed on the ++ main thread of ramstage. With this enabled it allows for multiple ++ execution paths to take place when they have udelay() calls within ++ their code. ++ ++config NUM_THREADS ++ int ++ default 4 ++ depends on COOP_MULTITASKING ++ help ++ How many execution threads to cooperatively multitask with. ++ ++config HAVE_OPTION_TABLE ++ bool ++ default n ++ help ++ This variable specifies whether a given board has a cmos.layout ++ file containing NVRAM/CMOS bit definitions. ++ It defaults to 'n' but can be selected in mainboard/*/Kconfig. ++ ++config PCI_IO_CFG_EXT ++ bool ++ default n ++ ++config IOAPIC ++ bool ++ default n ++ ++config USE_WATCHDOG_ON_BOOT ++ bool ++ default n ++ ++config GFXUMA ++ bool ++ default n ++ help ++ Enable Unified Memory Architecture for graphics. ++ ++config HAVE_ACPI_TABLES ++ bool ++ help ++ This variable specifies whether a given board has ACPI table support. ++ It is usually set in mainboard/*/Kconfig. ++ ++config HAVE_MP_TABLE ++ bool ++ help ++ This variable specifies whether a given board has MP table support. ++ It is usually set in mainboard/*/Kconfig. ++ Whether or not the MP table is actually generated by coreboot ++ is configurable by the user via GENERATE_MP_TABLE. ++ ++config HAVE_PIRQ_TABLE ++ bool ++ help ++ This variable specifies whether a given board has PIRQ table support. ++ It is usually set in mainboard/*/Kconfig. ++ Whether or not the PIRQ table is actually generated by coreboot ++ is configurable by the user via GENERATE_PIRQ_TABLE. ++ ++config COMMON_FADT ++ bool ++ default n ++ ++config ACPI_NHLT ++ bool ++ default n ++ help ++ Build support for NHLT (non HD Audio) ACPI table generation. 
++ ++config ACPI_BERT ++ bool ++ depends on HAVE_ACPI_TABLES ++ help ++ Build an ACPI Boot Error Record Table. ++ ++#These Options are here to avoid "undefined" warnings. ++#The actual selection and help texts are in the following menu. ++ ++menu "System tables" ++ ++config GENERATE_MP_TABLE ++ prompt "Generate an MP table" if HAVE_MP_TABLE || DRIVERS_GENERIC_IOAPIC ++ bool ++ default HAVE_MP_TABLE || DRIVERS_GENERIC_IOAPIC ++ help ++ Generate an MP table (conforming to the Intel MultiProcessor ++ specification 1.4) for this board. ++ ++ If unsure, say Y. ++ ++config GENERATE_PIRQ_TABLE ++ prompt "Generate a PIRQ table" if HAVE_PIRQ_TABLE ++ bool ++ default HAVE_PIRQ_TABLE ++ help ++ Generate a PIRQ table for this board. ++ ++ If unsure, say Y. ++ ++config GENERATE_SMBIOS_TABLES ++ depends on ARCH_X86 ++ bool "Generate SMBIOS tables" ++ default y ++ help ++ Generate SMBIOS tables for this board. ++ ++ If unsure, say Y. ++ ++config SMBIOS_PROVIDED_BY_MOBO ++ bool ++ default n ++ ++config MAINBOARD_SERIAL_NUMBER ++ prompt "SMBIOS Serial Number" if !SMBIOS_PROVIDED_BY_MOBO ++ string ++ depends on GENERATE_SMBIOS_TABLES ++ default "123456789" ++ help ++ The Serial Number to store in SMBIOS structures. ++ ++config MAINBOARD_VERSION ++ prompt "SMBIOS Version Number" if !SMBIOS_PROVIDED_BY_MOBO ++ string ++ depends on GENERATE_SMBIOS_TABLES ++ default "1.0" ++ help ++ The Version Number to store in SMBIOS structures. ++ ++config MAINBOARD_SMBIOS_MANUFACTURER ++ prompt "SMBIOS Manufacturer" if !SMBIOS_PROVIDED_BY_MOBO ++ string ++ depends on GENERATE_SMBIOS_TABLES ++ default MAINBOARD_VENDOR ++ help ++ Override the default Manufacturer stored in SMBIOS structures. ++ ++config MAINBOARD_SMBIOS_PRODUCT_NAME ++ prompt "SMBIOS Product name" if !SMBIOS_PROVIDED_BY_MOBO ++ string ++ depends on GENERATE_SMBIOS_TABLES ++ default MAINBOARD_PART_NUMBER ++ help ++ Override the default Product name stored in SMBIOS structures. 
++ ++config SMBIOS_ENCLOSURE_TYPE ++ hex ++ depends on GENERATE_SMBIOS_TABLES ++ default 0x09 if SYSTEM_TYPE_LAPTOP ++ default 0x1e if SYSTEM_TYPE_TABLET ++ default 0x1f if SYSTEM_TYPE_CONVERTIBLE ++ default 0x20 if SYSTEM_TYPE_DETACHABLE ++ default 0x03 ++ help ++ System Enclosure or Chassis Types as defined in SMBIOS specification. ++ The default value is SMBIOS_ENCLOSURE_DESKTOP (0x03) but laptop, ++ convertible, or tablet enclosure will be used if the appropriate ++ system type is selected. ++ ++endmenu ++ ++source "payloads/Kconfig" ++ ++menu "Debugging" ++ ++comment "CPU Debug Settings" ++source "src/cpu/*/Kconfig.debug" ++ ++comment "General Debug Settings" ++ ++# TODO: Better help text and detailed instructions. ++config GDB_STUB ++ bool "GDB debugging support" ++ default n ++ depends on CONSOLE_SERIAL ++ help ++ If enabled, you will be able to set breakpoints for gdb debugging. ++ See src/arch/x86/lib/c_start.S for details. ++ ++config GDB_WAIT ++ bool "Wait for a GDB connection in the ramstage" ++ default n ++ depends on GDB_STUB ++ help ++ If enabled, coreboot will wait for a GDB connection in the ramstage. ++ ++ ++config FATAL_ASSERTS ++ bool "Halt when hitting a BUG() or assertion error" ++ default n ++ help ++ If enabled, coreboot will call hlt() on a BUG() or failed ASSERT(). ++ ++config HAVE_DEBUG_GPIO ++ bool ++ ++config DEBUG_GPIO ++ bool "Output verbose GPIO debug messages" ++ depends on HAVE_DEBUG_GPIO ++ ++config DEBUG_CBFS ++ bool "Output verbose CBFS debug messages" ++ default n ++ help ++ This option enables additional CBFS related debug messages. ++ ++config HAVE_DEBUG_RAM_SETUP ++ def_bool n ++ ++config DEBUG_RAM_SETUP ++ bool "Output verbose RAM init debug messages" ++ default n ++ depends on HAVE_DEBUG_RAM_SETUP ++ help ++ This option enables additional RAM init related debug messages. ++ It is recommended to enable this when debugging issues on your ++ board which might be RAM init related. 
++ ++ Note: This option will increase the size of the coreboot image. ++ ++ If unsure, say N. ++ ++config DEBUG_PIRQ ++ bool "Check PIRQ table consistency" ++ default n ++ depends on GENERATE_PIRQ_TABLE ++ help ++ If unsure, say N. ++ ++config HAVE_DEBUG_SMBUS ++ def_bool n ++ ++config DEBUG_SMBUS ++ bool "Output verbose SMBus debug messages" ++ default n ++ depends on HAVE_DEBUG_SMBUS ++ help ++ This option enables additional SMBus (and SPD) debug messages. ++ ++ Note: This option will increase the size of the coreboot image. ++ ++ If unsure, say N. ++ ++config DEBUG_SMI ++ bool "Output verbose SMI debug messages" ++ default n ++ depends on HAVE_SMI_HANDLER ++ select SPI_FLASH_SMM if SPI_CONSOLE || CONSOLE_SPI_FLASH ++ help ++ This option enables additional SMI related debug messages. ++ ++ Note: This option will increase the size of the coreboot image. ++ ++ If unsure, say N. ++ ++# Only visible if debug level is DEBUG (7) or SPEW (8) as it does additional ++# printk(BIOS_DEBUG, ...) calls. ++config DEBUG_MALLOC ++ prompt "Output verbose malloc debug messages" if DEFAULT_CONSOLE_LOGLEVEL_7 || DEFAULT_CONSOLE_LOGLEVEL_8 ++ bool ++ default n ++ help ++ This option enables additional malloc related debug messages. ++ ++ Note: This option will increase the size of the coreboot image. ++ ++ If unsure, say N. ++ ++# Only visible if debug level is DEBUG (7) or SPEW (8) as it does additional ++# printk(BIOS_DEBUG, ...) calls. ++config DEBUG_ACPI ++ prompt "Output verbose ACPI debug messages" if DEFAULT_CONSOLE_LOGLEVEL_7 || DEFAULT_CONSOLE_LOGLEVEL_8 ++ bool ++ default n ++ help ++ This option enables additional ACPI related debug messages. ++ ++ Note: This option will slightly increase the size of the coreboot image. ++ ++ If unsure, say N. ++ ++config DEBUG_CONSOLE_INIT ++ bool "Debug console initialisation code" ++ default n ++ help ++ With this option printk()'s are attempted before console hardware ++ initialisation has been completed. Your mileage may vary. 
++ ++ Typically you will need to modify source in console_hw_init() such ++ that a working console appears before the one you want to debug. ++ ++ If unsure, say N. ++ ++# Only visible if debug level is DEBUG (7) or SPEW (8) as it does additional ++# printk(BIOS_DEBUG, ...) calls. ++config REALMODE_DEBUG ++ prompt "Enable debug messages for option ROM execution" if DEFAULT_CONSOLE_LOGLEVEL_7 || DEFAULT_CONSOLE_LOGLEVEL_8 ++ bool ++ default n ++ depends on PCI_OPTION_ROM_RUN_REALMODE ++ help ++ This option enables additional x86emu related debug messages. ++ ++ Note: This option will increase the time to emulate a ROM. ++ ++ If unsure, say N. ++ ++config X86EMU_DEBUG ++ bool "Output verbose x86emu debug messages" ++ default n ++ depends on PCI_OPTION_ROM_RUN_YABEL ++ help ++ This option enables additional x86emu related debug messages. ++ ++ Note: This option will increase the size of the coreboot image. ++ ++ If unsure, say N. ++ ++config X86EMU_DEBUG_JMP ++ bool "Trace JMP/RETF" ++ default n ++ depends on X86EMU_DEBUG ++ help ++ Print information about JMP and RETF opcodes from x86emu. ++ ++ Note: This option will increase the size of the coreboot image. ++ ++ If unsure, say N. ++ ++config X86EMU_DEBUG_TRACE ++ bool "Trace all opcodes" ++ default n ++ depends on X86EMU_DEBUG ++ help ++ Print _all_ opcodes that are executed by x86emu. ++ ++ WARNING: This will produce a LOT of output and take a long time. ++ ++ Note: This option will increase the size of the coreboot image. ++ ++ If unsure, say N. ++ ++config X86EMU_DEBUG_PNP ++ bool "Log Plug&Play accesses" ++ default n ++ depends on X86EMU_DEBUG ++ help ++ Print Plug And Play accesses made by option ROMs. ++ ++ Note: This option will increase the size of the coreboot image. ++ ++ If unsure, say N. ++ ++config X86EMU_DEBUG_DISK ++ bool "Log Disk I/O" ++ default n ++ depends on X86EMU_DEBUG ++ help ++ Print Disk I/O related messages. ++ ++ Note: This option will increase the size of the coreboot image. 
++ ++ If unsure, say N. ++ ++config X86EMU_DEBUG_PMM ++ bool "Log PMM" ++ default n ++ depends on X86EMU_DEBUG ++ help ++ Print messages related to POST Memory Manager (PMM). ++ ++ Note: This option will increase the size of the coreboot image. ++ ++ If unsure, say N. ++ ++ ++config X86EMU_DEBUG_VBE ++ bool "Debug VESA BIOS Extensions" ++ default n ++ depends on X86EMU_DEBUG ++ help ++ Print messages related to VESA BIOS Extension (VBE) functions. ++ ++ Note: This option will increase the size of the coreboot image. ++ ++ If unsure, say N. ++ ++config X86EMU_DEBUG_INT10 ++ bool "Redirect INT10 output to console" ++ default n ++ depends on X86EMU_DEBUG ++ help ++ Let INT10 (i.e. character output) calls print messages to debug output. ++ ++ Note: This option will increase the size of the coreboot image. ++ ++ If unsure, say N. ++ ++config X86EMU_DEBUG_INTERRUPTS ++ bool "Log intXX calls" ++ default n ++ depends on X86EMU_DEBUG ++ help ++ Print messages related to interrupt handling. ++ ++ Note: This option will increase the size of the coreboot image. ++ ++ If unsure, say N. ++ ++config X86EMU_DEBUG_CHECK_VMEM_ACCESS ++ bool "Log special memory accesses" ++ default n ++ depends on X86EMU_DEBUG ++ help ++ Print messages related to accesses to certain areas of the virtual ++ memory (e.g. BDA (BIOS Data Area) or interrupt vectors) ++ ++ Note: This option will increase the size of the coreboot image. ++ ++ If unsure, say N. ++ ++config X86EMU_DEBUG_MEM ++ bool "Log all memory accesses" ++ default n ++ depends on X86EMU_DEBUG ++ help ++ Print memory accesses made by option ROM. ++ Note: This also includes accesses to fetch instructions. ++ ++ Note: This option will increase the size of the coreboot image. ++ ++ If unsure, say N. ++ ++config X86EMU_DEBUG_IO ++ bool "Log IO accesses" ++ default n ++ depends on X86EMU_DEBUG ++ help ++ Print I/O accesses made by option ROM. ++ ++ Note: This option will increase the size of the coreboot image. ++ ++ If unsure, say N. 
++ ++config X86EMU_DEBUG_TIMINGS ++ bool "Output timing information" ++ default n ++ depends on X86EMU_DEBUG && UDELAY_LAPIC && HAVE_MONOTONIC_TIMER ++ help ++ Print timing information needed by i915tool. ++ ++ If unsure, say N. ++ ++config DEBUG_SPI_FLASH ++ bool "Output verbose SPI flash debug messages" ++ default n ++ depends on SPI_FLASH ++ help ++ This option enables additional SPI flash related debug messages. ++ ++if SOUTHBRIDGE_INTEL_BD82X6X && DEFAULT_CONSOLE_LOGLEVEL_8 ++# Only visible with the right southbridge and loglevel. ++config DEBUG_INTEL_ME ++ bool "Verbose logging for Intel Management Engine" ++ default n ++ help ++ Enable verbose logging for Intel Management Engine driver that ++ is present on Intel 6-series chipsets. ++endif ++ ++config TRACE ++ bool "Trace function calls" ++ default n ++ help ++ If enabled, every function will print information to console once ++ the function is entered. The syntax is ~0xaaaabbbb(0xccccdddd) ++ the 0xaaaabbbb is the actual function and 0xccccdddd is EIP ++ of calling function. Please note some printk related functions ++ are omitted from trace to have good looking console dumps. ++ ++config DEBUG_COVERAGE ++ bool "Debug code coverage" ++ default n ++ depends on COVERAGE ++ help ++ If enabled, the code coverage hooks in coreboot will output some ++ information about the coverage data that is dumped. ++ ++config DEBUG_BOOT_STATE ++ bool "Debug boot state machine" ++ default n ++ help ++ Control debugging of the boot state machine. When selected displays ++ the state boundaries in ramstage. ++ ++config DEBUG_ADA_CODE ++ bool "Compile debug code in Ada sources" ++ default n ++ help ++ Add the compiler switch `-gnata` to compile code guarded by ++ `pragma Debug`. ++ ++config HAVE_EM100_SUPPORT ++ bool "Platform can support the Dediprog EM100 SPI emulator" ++ help ++ This is enabled by platforms which can support using the EM100. 
++ ++config EM100 ++ bool "Configure image for EM100 usage" ++ depends on HAVE_EM100_SUPPORT ++ help ++ The Dediprog EM100 SPI emulator allows fast loading of new SPI images ++ over USB. However it only supports a maximum SPI clock of 20MHz and ++ single data output. Enable this option to use a 20MHz SPI clock and ++ disable "Dual Output Fast Read" Support. ++ ++ On AMD platforms this changes the SPI speed at run-time if the ++ mainboard code supports this. On supported Intel platforms this works ++ by changing the settings in the descriptor.bin file. ++ ++endmenu ++ ++ ++############################################################################### ++# Set variables with no prompt - these can be set anywhere, and putting at ++# the end of this file gives the most flexibility. ++ ++source "src/lib/Kconfig" ++ ++config ENABLE_APIC_EXT_ID ++ bool ++ default n ++ ++config WARNINGS_ARE_ERRORS ++ bool ++ default y ++ ++# The four POWER_BUTTON_DEFAULT_ENABLE, POWER_BUTTON_DEFAULT_DISABLE, ++# POWER_BUTTON_FORCE_ENABLE and POWER_BUTTON_FORCE_DISABLE options are ++# mutually exclusive. One of these options must be selected in the ++# mainboard Kconfig if the chipset supports enabling and disabling of ++# the power button. Chipset code uses the ENABLE_POWER_BUTTON option set ++# in mainboard/Kconfig to know if the button should be enabled or not. ++ ++config POWER_BUTTON_DEFAULT_ENABLE ++ def_bool n ++ help ++ Select when the board has a power button which can optionally be ++ disabled by the user. ++ ++config POWER_BUTTON_DEFAULT_DISABLE ++ def_bool n ++ help ++ Select when the board has a power button which can optionally be ++ enabled by the user, e.g. when the board ships with a jumper over ++ the power switch contacts. ++ ++config POWER_BUTTON_FORCE_ENABLE ++ def_bool n ++ help ++ Select when the board requires that the power button is always ++ enabled. 
++ ++config POWER_BUTTON_FORCE_DISABLE ++ def_bool n ++ help ++ Select when the board requires that the power button is always ++ disabled, e.g. when it has been hardwired to ground. ++ ++config POWER_BUTTON_IS_OPTIONAL ++ bool ++ default y if POWER_BUTTON_DEFAULT_ENABLE || POWER_BUTTON_DEFAULT_DISABLE ++ default n if !(POWER_BUTTON_DEFAULT_ENABLE || POWER_BUTTON_DEFAULT_DISABLE) ++ help ++ Internal option that controls ENABLE_POWER_BUTTON visibility. ++ ++config REG_SCRIPT ++ bool ++ default n ++ help ++ Internal option that controls whether we compile in register scripts. ++ ++config MAX_REBOOT_CNT ++ int ++ default 3 ++ help ++ Internal option that sets the maximum number of bootblock executions allowed ++ with the normal image enabled before assuming the normal image is defective ++ and switching to the fallback image. ++ ++config UNCOMPRESSED_RAMSTAGE ++ bool ++ ++config NO_XIP_EARLY_STAGES ++ bool ++ default n if ARCH_X86 ++ default y ++ help ++ Identify if early stages are eXecute-In-Place(XIP). ++ ++config EARLY_CBMEM_LIST ++ bool ++ default n ++ help ++ Enable display of CBMEM during romstage and postcar. ++ ++config RELOCATABLE_MODULES ++ bool ++ help ++ If RELOCATABLE_MODULES is selected then support is enabled for ++ building relocatable modules in the RAM stage. Those modules can be ++ loaded anywhere and all the relocations are handled automatically. ++ ++config NO_STAGE_CACHE ++ bool ++ default y if !HAVE_ACPI_RESUME ++ help ++ Do not save any component in stage cache for resume path. On resume, ++ all components would be read back from CBFS again. ++ ++config GENERIC_GPIO_LIB ++ bool ++ help ++ If enabled, compile the generic GPIO library. A "generic" GPIO ++ implies configurability usually found on SoCs, particularly the ++ ability to control internal pull resistors. ++ ++config BOOTBLOCK_CUSTOM ++ # To be selected by arch, SoC or mainboard if it does not want use the normal ++ # src/lib/bootblock.c#main() C entry point. 
++ bool ++ ++config C_ENVIRONMENT_BOOTBLOCK ++ # To be selected by arch or platform if a C environment is available during the ++ # bootblock. Normally this signifies availability of RW memory (e.g. SRAM). ++ bool ++ ++############################################################################### ++# Set default values for symbols created before mainboards. This allows the ++# option to be displayed in the general menu, but the default to be loaded in ++# the mainboard if desired. ++config COMPRESS_RAMSTAGE ++ default y if !UNCOMPRESSED_RAMSTAGE ++ ++config COMPRESS_PRERAM_STAGES ++ depends on !ARCH_X86 ++ default y ++ ++config INCLUDE_CONFIG_FILE ++ default y ++ ++config BOOTSPLASH_FILE ++ depends on BOOTSPLASH_IMAGE ++ default "bootsplash.jpg" ++ ++config CBFS_SIZE ++ default ROM_SIZE ++ ++config HAVE_BOOTBLOCK ++ bool ++ default y ++ ++config HAVE_VERSTAGE ++ bool ++ depends on VBOOT_SEPARATE_VERSTAGE ++ default y ++ ++config HAVE_ROMSTAGE ++ bool ++ default y ++ ++config HAVE_POSTCAR ++ bool ++ depends on POSTCAR_STAGE ++ default y ++ ++config HAVE_RAMSTAGE ++ bool ++ default n if RAMPAYLOAD ++ default y +diff --git a/src/include/program_loading.h b/src/include/program_loading.h +index 1b71fadb1b..afd8ba0c54 100644 +--- a/src/include/program_loading.h ++++ b/src/include/program_loading.h +@@ -26,6 +26,8 @@ enum { + /* Last segment of program. Can be used to take different actions for + * cache maintenance of a program load. 
*/ + SEG_FINAL = 1 << 0, ++ /* Indicate that the program segment should not be measured */ ++ SEG_NO_MEASURE = 1 << 1, + }; + + enum prog_type { +diff --git a/src/lib/cbfs.c b/src/lib/cbfs.c +index fbe6e43496..b0a4f8843a 100644 +--- a/src/lib/cbfs.c ++++ b/src/lib/cbfs.c +@@ -97,7 +97,13 @@ void *cbfs_boot_map_with_leak(const char *name, uint32_t type, size_t *size) + if (size != NULL) + *size = fsize; + +- return rdev_mmap(&fh.data, 0, fsize); ++ void *buffer = rdev_mmap(&fh.data, 0, fsize); ++ ++#ifndef __SMM__ ++ prog_segment_loaded((uintptr_t)buffer, fsize, 0); ++#endif ++ ++ return buffer; + } + + int cbfs_locate_file_in_region(struct cbfsf *fh, const char *region_name, +@@ -125,7 +131,8 @@ size_t cbfs_load_and_decompress(const struct region_device *rdev, size_t offset, + return 0; + if (rdev_readat(rdev, buffer, offset, in_size) != in_size) + return 0; +- return in_size; ++ out_size = in_size; ++ break; + + case CBFS_COMPRESS_LZ4: + if ((ENV_BOOTBLOCK || ENV_VERSTAGE) && +@@ -143,7 +150,7 @@ size_t cbfs_load_and_decompress(const struct region_device *rdev, size_t offset, + timestamp_add_now(TS_START_ULZ4F); + out_size = ulz4fn(compr_start, in_size, buffer, buffer_size); + timestamp_add_now(TS_END_ULZ4F); +- return out_size; ++ break; + + case CBFS_COMPRESS_LZMA: + /* We assume here romstage and postcar are never compressed. 
*/ +@@ -165,11 +172,15 @@ size_t cbfs_load_and_decompress(const struct region_device *rdev, size_t offset, + + rdev_munmap(rdev, map); + +- return out_size; ++ break; + + default: + return 0; + } ++ ++ prog_segment_loaded((uintptr_t)buffer, out_size, 0); ++ ++ return out_size; + } + + static inline int tohex4(unsigned int c) +diff --git a/src/lib/hardwaremain.c b/src/lib/hardwaremain.c +index 51ff330d84..358d3e40b3 100644 +--- a/src/lib/hardwaremain.c ++++ b/src/lib/hardwaremain.c +@@ -32,6 +32,7 @@ + #include + #include + #include ++#include + #if CONFIG(HAVE_ACPI_RESUME) + #include + #endif +@@ -540,3 +541,10 @@ void boot_state_current_unblock(void) + { + boot_state_unblock(current_phase.state_id, current_phase.seq); + } ++ ++// ramstage measurements go into PCR3 if we are doing measured boot ++void platform_segment_loaded(uintptr_t start, size_t size, int flags) ++{ ++ if (CONFIG(MEASURED_BOOT) && !(flags & SEG_NO_MEASURE)) ++ tlcl_measure(2, (const void *) start, size); ++} +diff --git a/src/lib/rmodule.c b/src/lib/rmodule.c +index 56529d2fb2..2702b9d36e 100644 +--- a/src/lib/rmodule.c ++++ b/src/lib/rmodule.c +@@ -197,7 +197,8 @@ int rmodule_load(void *base, struct rmodule *module) + rmodule_clear_bss(module); + + prog_segment_loaded((uintptr_t)module->location, +- rmodule_memory_size(module), SEG_FINAL); ++ rmodule_memory_size(module), ++ SEG_FINAL | SEG_NO_MEASURE); + + return 0; + } +diff --git a/src/security/tpm/Makefile.inc b/src/security/tpm/Makefile.inc +index a2d32cff89..e9a785b797 100644 +--- a/src/security/tpm/Makefile.inc ++++ b/src/security/tpm/Makefile.inc +@@ -18,6 +18,11 @@ romstage-y += tspi/tspi.c + verstage-$(CONFIG_VBOOT) += tspi/tspi.c + postcar-$(CONFIG_VBOOT) += tspi/tspi.c + ++ifeq ($(CONFIG_MEASURED_BOOT),y) ++romstage-y += sha1.c ++ramstage-y += sha1.c ++endif # CONFIG_MEASURED_BOOT ++ + ramstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c + romstage-$(CONFIG_VBOOT_MEASURED_BOOT) += tspi/log.c + verstage-$(CONFIG_VBOOT_MEASURED_BOOT) 
+= tspi/log.c +diff --git a/src/security/tpm/sha1.c b/src/security/tpm/sha1.c +new file mode 100644 +index 0000000000..9879f729b1 +--- /dev/null ++++ b/src/security/tpm/sha1.c +@@ -0,0 +1,180 @@ ++/* Copyright (c) 2010 The Chromium OS Authors. All rights reserved. ++ * Use of this source code is governed by a BSD-style license that can be ++ * found in the LICENSE file. ++ * ++ * SHA-1 implementation largely based on libmincrypt in the the Android ++ * Open Source Project (platorm/system/core.git/libmincrypt/sha.c ++ */ ++ ++#include ++#include ++ ++static uint32_t ror27(uint32_t val) ++{ ++ return (val >> 27) | (val << 5); ++} ++static uint32_t ror2(uint32_t val) ++{ ++ return (val >> 2) | (val << 30); ++} ++static uint32_t ror31(uint32_t val) ++{ ++ return (val >> 31) | (val << 1); ++} ++ ++static void sha1_transform(struct sha1_ctx *ctx) ++{ ++ uint32_t W[80]; ++ register uint32_t A, B, C, D, E; ++ int t; ++ ++ A = ctx->state[0]; ++ B = ctx->state[1]; ++ C = ctx->state[2]; ++ D = ctx->state[3]; ++ E = ctx->state[4]; ++ ++#define SHA_F1(A, B, C, D, E, t) do { \ ++ E += ror27(A) + \ ++ (W[t] = __builtin_bswap32(ctx->buf.w[t])) + \ ++ (D^(B&(C^D))) + 0x5A827999; \ ++ B = ror2(B); \ ++ } while (0) ++ ++ for (t = 0; t < 15; t += 5) { ++ SHA_F1(A, B, C, D, E, t + 0); ++ SHA_F1(E, A, B, C, D, t + 1); ++ SHA_F1(D, E, A, B, C, t + 2); ++ SHA_F1(C, D, E, A, B, t + 3); ++ SHA_F1(B, C, D, E, A, t + 4); ++ } ++ SHA_F1(A, B, C, D, E, t + 0); /* 16th one, t == 15 */ ++ ++#undef SHA_F1 ++ ++#define SHA_F1(A, B, C, D, E, t) do { \ ++ E += ror27(A) + \ ++ (W[t] = ror31(W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16])) + \ ++ (D^(B&(C^D))) + 0x5A827999; \ ++ B = ror2(B); \ ++ } while (0) ++ ++ SHA_F1(E, A, B, C, D, t + 1); ++ SHA_F1(D, E, A, B, C, t + 2); ++ SHA_F1(C, D, E, A, B, t + 3); ++ SHA_F1(B, C, D, E, A, t + 4); ++ ++#undef SHA_F1 ++ ++#define SHA_F2(A, B, C, D, E, t) do { \ ++ E += ror27(A) + \ ++ (W[t] = ror31(W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16])) + \ ++ (B^C^D) + 0x6ED9EBA1; \ ++ B 
= ror2(B); \ ++ } while (0) ++ ++ for (t = 20; t < 40; t += 5) { ++ SHA_F2(A, B, C, D, E, t + 0); ++ SHA_F2(E, A, B, C, D, t + 1); ++ SHA_F2(D, E, A, B, C, t + 2); ++ SHA_F2(C, D, E, A, B, t + 3); ++ SHA_F2(B, C, D, E, A, t + 4); ++ } ++ ++#undef SHA_F2 ++ ++#define SHA_F3(A, B, C, D, E, t) do { \ ++ E += ror27(A) + \ ++ (W[t] = ror31(W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16])) + \ ++ ((B&C)|(D&(B|C))) + 0x8F1BBCDC; \ ++ B = ror2(B); \ ++ } while (0) ++ ++ for (; t < 60; t += 5) { ++ SHA_F3(A, B, C, D, E, t + 0); ++ SHA_F3(E, A, B, C, D, t + 1); ++ SHA_F3(D, E, A, B, C, t + 2); ++ SHA_F3(C, D, E, A, B, t + 3); ++ SHA_F3(B, C, D, E, A, t + 4); ++ } ++ ++#undef SHA_F3 ++ ++#define SHA_F4(A, B, C, D, E, t) do { \ ++ E += ror27(A) + \ ++ (W[t] = ror31(W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16])) + \ ++ (B^C^D) + 0xCA62C1D6; \ ++ B = ror2(B); \ ++ } while (0) ++ ++ for (; t < 80; t += 5) { ++ SHA_F4(A, B, C, D, E, t + 0); ++ SHA_F4(E, A, B, C, D, t + 1); ++ SHA_F4(D, E, A, B, C, t + 2); ++ SHA_F4(C, D, E, A, B, t + 3); ++ SHA_F4(B, C, D, E, A, t + 4); ++ } ++ ++#undef SHA_F4 ++ ++ ctx->state[0] += A; ++ ctx->state[1] += B; ++ ctx->state[2] += C; ++ ctx->state[3] += D; ++ ctx->state[4] += E; ++} ++ ++void sha1_update(struct sha1_ctx *ctx, const uint8_t *data, uint32_t len) ++{ ++ int i = ctx->count % sizeof(ctx->buf); ++ const uint8_t *p = (const uint8_t *)data; ++ ++ ctx->count += len; ++ ++ while (len > sizeof(ctx->buf) - i) { ++ memcpy(&ctx->buf.b[i], p, sizeof(ctx->buf) - i); ++ len -= sizeof(ctx->buf) - i; ++ p += sizeof(ctx->buf) - i; ++ sha1_transform(ctx); ++ i = 0; ++ } ++ ++ while (len--) { ++ ctx->buf.b[i++] = *p++; ++ if (i == sizeof(ctx->buf)) { ++ sha1_transform(ctx); ++ i = 0; ++ } ++ } ++} ++ ++ ++uint8_t *sha1_final(struct sha1_ctx *ctx) ++{ ++ uint32_t cnt = ctx->count * 8; ++ int i; ++ ++ sha1_update(ctx, (uint8_t *)"\x80", 1); ++ while ((ctx->count % sizeof(ctx->buf)) != (sizeof(ctx->buf) - 8)) ++ sha1_update(ctx, (uint8_t *)"\0", 1); ++ ++ for (i = 0; i < 8; ++i) 
{ ++ uint8_t tmp = cnt >> ((7 - i) * 8); ++ sha1_update(ctx, &tmp, 1); ++ } ++ ++ for (i = 0; i < 5; i++) ++ ctx->buf.w[i] = __builtin_bswap32(ctx->state[i]); ++ ++ return ctx->buf.b; ++} ++ ++void sha1_init(struct sha1_ctx *ctx) ++{ ++ ctx->state[0] = 0x67452301; ++ ctx->state[1] = 0xEFCDAB89; ++ ctx->state[2] = 0x98BADCFE; ++ ctx->state[3] = 0x10325476; ++ ctx->state[4] = 0xC3D2E1F0; ++ ctx->count = 0; ++} +diff --git a/src/security/tpm/sha1.h b/src/security/tpm/sha1.h +new file mode 100644 +index 0000000000..bc3faa58ea +--- /dev/null ++++ b/src/security/tpm/sha1.h +@@ -0,0 +1,47 @@ ++/* Copyright (c) 2014 The Chromium OS Authors. All rights reserved. ++ * Use of this source code is governed by a BSD-style license that can be ++ * found in the LICENSE file. ++ */ ++ ++/* SHA-1 functions */ ++ ++#ifndef _sha1_h_ ++#define _sha1_h_ ++ ++#include ++#include ++ ++#define SHA1_DIGEST_SIZE 20 ++#define SHA1_BLOCK_SIZE 64 ++ ++/* ++ * FIXME the DIV_ROUND_UP statement expression blows up here: ++ In file included from src/security/tpm/sha1.h:12, ++ from src/security/tpm/sha1.c:9: ++ src/commonlib/include/commonlib/helpers.h:81:28: error: braced-group ++ within expression allowed only inside a function ++ #define DIV_ROUND_UP(x, y) ({ \ ++ ^ ++ src/security/tpm/sha1.h:23:14: note: in expansion of macro'DIV_ROUND_UP' ++ uint32_t w[DIV_ROUND_UP(SHA1_BLOCK_SIZE, sizeof(uint32_t))]; ++ ^~~~~~~~~~~~ ++ make[1]: *** [Makefile:356: x230/romstage/security/tpm/sha1.o] Error 1 ++ */ ++#undef DIV_ROUND_UP ++#define DIV_ROUND_UP(x, y) (((x) + (y) - 1) / (y)) ++ ++/* SHA-1 context */ ++struct sha1_ctx { ++ uint32_t count; ++ uint32_t state[5]; ++ union { ++ uint8_t b[SHA1_BLOCK_SIZE]; ++ uint32_t w[DIV_ROUND_UP(SHA1_BLOCK_SIZE, sizeof(uint32_t))]; ++ } buf; ++}; ++ ++void sha1_init(struct sha1_ctx *ctx); ++void sha1_update(struct sha1_ctx *ctx, const uint8_t *data, uint32_t len); ++uint8_t *sha1_final(struct sha1_ctx *ctx); ++ ++#endif /* _sha1_h_ */ +diff --git 
a/src/security/tpm/tspi/tspi.c b/src/security/tpm/tspi/tspi.c +index 966b8b7c77..9076ced37a 100644 +--- a/src/security/tpm/tspi/tspi.c ++++ b/src/security/tpm/tspi/tspi.c +@@ -20,8 +20,8 @@ + #include + #include + #include +-#if CONFIG(VBOOT) + #include ++#if CONFIG(VBOOT) + #include + #include + #endif +diff --git a/src/security/tpm/tss.h b/src/security/tpm/tss.h +index 336935d911..90a96621ed 100644 +--- a/src/security/tpm/tss.h ++++ b/src/security/tpm/tss.h +@@ -52,6 +52,11 @@ uint32_t tlcl_get_flags(uint8_t *disable, uint8_t *deactivated, + */ + uint32_t tlcl_get_permanent_flags(TPM_PERMANENT_FLAGS *pflags); + ++/** ++ * Perform a SHA1 hash on a region and extend a PCR with the hash. ++ */ ++uint32_t tlcl_measure(int pcr_num, const void *start, size_t len); ++ + #endif + + #if CONFIG(TPM2) +diff --git a/src/security/tpm/tss.h.orig b/src/security/tpm/tss.h.orig +new file mode 100644 +index 0000000000..30e2a7b4b8 +--- /dev/null ++++ b/src/security/tpm/tss.h.orig +@@ -0,0 +1,192 @@ ++/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved. ++ * Copyright (C) 2018-2019 Eltan B.V. ++ * Use of this source code is governed by a BSD-style license that can be ++ * found in the LICENSE file. ++ */ ++ ++/* ++ * TPM Lightweight Command Library. ++ * ++ * A low-level library for interfacing to TPM hardware or an emulator. ++ */ ++ ++#ifndef TSS_H_ ++#define TSS_H_ ++ ++#include ++#include ++ ++#include ++#include ++#include ++ ++#if CONFIG(TPM1) ++ ++#include ++ ++/** ++ * Define a space with permission [perm]. [index] is the index for the space, ++ * [size] the usable data size. The TPM error code is returned. ++ */ ++uint32_t tlcl_define_space(uint32_t index, uint32_t perm, uint32_t size); ++ ++/** ++ * Issue a PhysicalEnable. The TPM error code is returned. ++ */ ++uint32_t tlcl_set_enable(void); ++ ++/** ++ * Issue a SetDeactivated. Pass 0 to activate. Returns result code. 
++ */ ++uint32_t tlcl_set_deactivated(uint8_t flag); ++ ++/** ++ * Get flags of interest. Pointers for flags you aren't interested in may ++ * be NULL. The TPM error code is returned. ++ */ ++uint32_t tlcl_get_flags(uint8_t *disable, uint8_t *deactivated, ++ uint8_t *nvlocked); ++ ++/** ++ * Get the entire set of permanent flags. ++ */ ++uint32_t tlcl_get_permanent_flags(TPM_PERMANENT_FLAGS *pflags); ++ ++#endif ++ ++#if CONFIG(TPM2) ++ ++#include ++ ++/* ++ * Define a TPM2 space. The define space command TPM command used by the tlcl ++ * layer offers the ability to use custom nv attributes and policies. ++ */ ++uint32_t tlcl_define_space(uint32_t space_index, size_t space_size, ++ const TPMA_NV nv_attributes, ++ const uint8_t *nv_policy, size_t nv_policy_size); ++ ++/* ++ * Issue TPM2_GetCapability command ++ */ ++uint32_t tlcl_get_capability(TPM_CAP capability, uint32_t property, ++ uint32_t property_count, ++ TPMS_CAPABILITY_DATA *capability_data); ++ ++/* ++ * Makes tpm_process_command available for on top implementations of ++ * custom tpm standards like cr50 ++ */ ++void *tpm_process_command(TPM_CC command, void *command_body); ++ ++#endif ++ ++/*****************************************************************************/ ++/* Generic Functions implemented in tlcl.c */ ++ ++/** ++ * Call this first. Returns 0 if success, nonzero if error. ++ */ ++uint32_t tlcl_lib_init(void); ++ ++/** ++ * Perform a raw TPM request/response transaction. ++ */ ++uint32_t tlcl_send_receive(const uint8_t *request, uint8_t *response, ++ int max_length); ++ ++/* Commands */ ++ ++/** ++ * Send a TPM_Startup(ST_CLEAR). The TPM error code is returned (0 for ++ * success). ++ */ ++uint32_t tlcl_startup(void); ++ ++/** ++ * Resume by sending a TPM_Startup(ST_STATE). The TPM error code is returned ++ * (0 for success). ++ */ ++uint32_t tlcl_resume(void); ++ ++/** ++ * Save TPM state by sending either TPM_SaveState() (TPM1.2) or ++ * TPM_Shutdown(ST_STATE) (TPM2.0). 
The TPM error code is returned (0 for ++ * success). ++ */ ++uint32_t tlcl_save_state(void); ++ ++/** ++ * Run the self test. ++ * ++ * Note---this is synchronous. To run this in parallel with other firmware, ++ * use ContinueSelfTest(). The TPM error code is returned. ++ */ ++uint32_t tlcl_self_test_full(void); ++ ++/** ++ * Run the self test in the background. ++ */ ++uint32_t tlcl_continue_self_test(void); ++ ++/** ++ * Write [length] bytes of [data] to space at [index]. The TPM error code is ++ * returned. ++ */ ++uint32_t tlcl_write(uint32_t index, const void *data, uint32_t length); ++ ++/** ++ * Read [length] bytes from space at [index] into [data]. The TPM error code ++ * is returned. ++ */ ++uint32_t tlcl_read(uint32_t index, void *data, uint32_t length); ++ ++/** ++ * Assert physical presence in software. The TPM error code is returned. ++ */ ++uint32_t tlcl_assert_physical_presence(void); ++ ++/** ++ * Enable the physical presence command. The TPM error code is returned. ++ */ ++uint32_t tlcl_physical_presence_cmd_enable(void); ++ ++/** ++ * Finalize the physical presence settings: software PP is enabled, hardware PP ++ * is disabled, and the lifetime lock is set. The TPM error code is returned. ++ */ ++uint32_t tlcl_finalize_physical_presence(void); ++ ++/** ++ * Set the nvLocked bit. The TPM error code is returned. ++ */ ++uint32_t tlcl_set_nv_locked(void); ++ ++/** ++ * Issue a ForceClear. The TPM error code is returned. ++ */ ++uint32_t tlcl_force_clear(void); ++ ++/** ++ * Set the bGlobalLock flag, which only a reboot can clear. The TPM error ++ * code is returned. ++ */ ++uint32_t tlcl_set_global_lock(void); ++ ++/** ++ * Make an NV Ram location read_only. The TPM error code is returned. ++ */ ++uint32_t tlcl_lock_nv_write(uint32_t index); ++ ++/** ++ * Perform a TPM_Extend. ++ */ ++uint32_t tlcl_extend(int pcr_num, const uint8_t *in_digest, ++ uint8_t *out_digest); ++ ++/** ++ * Disable platform hierarchy. Specific to TPM2. 
The TPM error code is returned. ++ */ ++uint32_t tlcl_disable_platform_hierarchy(void); ++ ++#endif /* TSS_H_ */ +diff --git a/src/security/tpm/tss/tcg-1.2/tss.c b/src/security/tpm/tss/tcg-1.2/tss.c +index b11d6a3d16..ef4f4d8b86 100644 +--- a/src/security/tpm/tss/tcg-1.2/tss.c ++++ b/src/security/tpm/tss/tcg-1.2/tss.c +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -361,3 +362,21 @@ uint32_t tlcl_extend(int pcr_num, const uint8_t *in_digest, + kPcrDigestLength); + return result; + } ++ ++uint32_t tlcl_measure(int pcr_num, const void *start, size_t len) ++{ ++ VBDEBUG("TPM: pcr %d measure %p @ %zu: ", pcr_num, start, len); ++ ++ struct sha1_ctx sha; ++ sha1_init(&sha); ++ sha1_update(&sha, start, len); ++ ++ const uint8_t *hash = sha1_final(&sha); ++ for (unsigned int i = 0; i < SHA1_DIGEST_SIZE; i++) ++ VBDEBUG("%02x", hash[i]); ++ VBDEBUG("\n"); ++ ++ //hexdump(start, 128); ++ ++ return tlcl_extend(pcr_num, hash, NULL); ++} +-- +2.20.1 + diff --git a/patches/coreboot-4.11/0002-soc-intel-broadwell_de-Add-measured-boot-support.patch b/patches/coreboot-4.11/0002-soc-intel-broadwell_de-Add-measured-boot-support.patch new file mode 100644 index 00000000..9153ffa1 --- /dev/null +++ b/patches/coreboot-4.11/0002-soc-intel-broadwell_de-Add-measured-boot-support.patch 
@@ -0,0 +1,47 @@
+diff --git a/src/soc/intel/fsp_broadwell_de/romstage/romstage.c b/src/soc/intel/fsp_broadwell_de/romstage/romstage.c
+index 8438b1035c..ff7a29271f 100644
+--- a/src/soc/intel/fsp_broadwell_de/romstage/romstage.c
++++ b/src/soc/intel/fsp_broadwell_de/romstage/romstage.c
+@@ -28,6 +28,8 @@
+ #include
+ #include
+ #include
++#include
++#include
+ #include
+ #include
+ #include
+@@ -156,6 +158,20 @@ void *asmlinkage main(FSP_INFO_HEADER *fsp_info_header)
+ early_iio_hide();
+ timestamp_add_now(TS_BEFORE_INITRAM);
+ post_code(0x48);
++
++ if (CONFIG(MEASURED_BOOT) && CONFIG(LPC_TPM)) {
++ // we don't know if we are coming out of a resume
++ // at this point, but want to setup the tpm ASAP
++ tpm_setup(0);
++ tlcl_lib_init();
++ const void *const bootblock = (const void *) 0xFFFFF800;
++ const unsigned int bootblock_size = 0x800;
++ tlcl_measure(2, bootblock, bootblock_size);
++
++ extern char _romstage, _eromstage;
++ tlcl_measure(2, &_romstage, &_eromstage - &_romstage);
++ }
++
+ /*
+ * Call early init to initialize memory and chipset. This function returns
+ * to the romstage_main_continue function with a pointer to the HOB
+@@ -214,3 +230,9 @@ uint64_t get_initial_timestamp(void)
+ {
+ return 0;
+ }
++
++void platform_segment_loaded(uintptr_t start, size_t size, int flags)
++{
++ if (CONFIG(MEASURED_BOOT) && !(flags & SEG_NO_MEASURE))
++ tlcl_measure(2, (const void *) start, size);
++}
+--
+2.20.1
+
diff --git a/patches/coreboot-4.11/0003-drivers-generic-cbfs-serial-Add-driver-to-read-seria.patch b/patches/coreboot-4.11/0003-drivers-generic-cbfs-serial-Add-driver-to-read-seria.patch
new file mode 100644
index 00000000..d554317d
--- /dev/null
+++ b/patches/coreboot-4.11/0003-drivers-generic-cbfs-serial-Add-driver-to-read-seria.patch
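Review bot: The return value of tlcl_measure() is discarded at all three call sites (the two measurements inside the CONFIG(MEASURED_BOOT) block in main() and the one in platform_segment_loaded()), so an extend that the TPM rejects leaves PCR 2 missing a measurement with nothing in the log to show it. Checking the code against TPM_SUCCESS and logging the failure, e.g. `if (tlcl_measure(2, bootblock, bootblock_size) != TPM_SUCCESS) printk(BIOS_ERR, "TPM: bootblock measurement failed\n");`, keeps the measured-boot record honest about what was actually extended. The bootblock window is also a pair of bare literals (`0xFFFFF800`, `0x800`); a comment naming the flash layout they assume, or deriving them from the bootblock's linker symbols if this platform exports them, would stop the measurement from silently covering the wrong bytes after a bootblock size change. The "coming out of a resume" comment is worth expanding with what happens to the PCR on an S3 path, since the code extends unconditionally. main() continues outside the hunk.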
@@ -0,0 +1,78 @@
+diff --git a/src/drivers/generic/cbfs-serial/Kconfig b/src/drivers/generic/cbfs-serial/Kconfig
+new file mode 100644
+index 0000000000..209c242dba
+--- /dev/null
++++ b/src/drivers/generic/cbfs-serial/Kconfig
+@@ -0,0 +1,6 @@
++config DRIVERS_GENERIC_CBFS_SERIAL
++ bool "Serial number in CBFS"
++ default n
++ help
++ Enable this option to read the board serial number from a
++ text file located in CBFS.
+diff --git a/src/drivers/generic/cbfs-serial/Makefile.inc b/src/drivers/generic/cbfs-serial/Makefile.inc
+new file mode 100644
+index 0000000000..163d439ba9
+--- /dev/null
++++ b/src/drivers/generic/cbfs-serial/Makefile.inc
+@@ -0,0 +1 @@
++ramstage-$(CONFIG_DRIVERS_GENERIC_CBFS_SERIAL) += cbfs-serial.c
+diff --git a/src/drivers/generic/cbfs-serial/cbfs-serial.c b/src/drivers/generic/cbfs-serial/cbfs-serial.c
+new file mode 100644
+index 0000000000..ee3e36620c
+--- /dev/null
++++ b/src/drivers/generic/cbfs-serial/cbfs-serial.c
+@@ -0,0 +1,50 @@
++/*
++ * This file is part of the coreboot project.
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; version 2 of the License.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ */
++
++#include
++#include
++#include
++#include
++
++
++#define MAX_SERIAL_LENGTH 0x100
++
++const char *smbios_mainboard_serial_number(void)
++{
++ static char serial_number[MAX_SERIAL_LENGTH + 1] = {0};
++ struct cbfsf file;
++
++ if (serial_number[0] != 0)
++ return serial_number;
++
++ if (cbfs_boot_locate(&file, "serial_number", NULL) == 0) {
++ struct region_device cbfs_region;
++ size_t serial_len;
++
++ cbfs_file_data(&cbfs_region, &file);
++
++ serial_len = region_device_sz(&cbfs_region);
++ if (serial_len <= MAX_SERIAL_LENGTH) {
++ if (rdev_readat(&cbfs_region, serial_number, 0,
++ serial_len) == serial_len) {
++ serial_number[serial_len] = 0;
++ return serial_number;
++ }
++ }
++ }
++
++ strncpy(serial_number, CONFIG_MAINBOARD_SERIAL_NUMBER,
++ MAX_SERIAL_LENGTH);
++
++ return serial_number;
++}
+--
+2.20.1
+
diff --git a/patches/coreboot-4.11/0004-mb-purism-librem_l1um-Add-new-board.patch b/patches/coreboot-4.11/0004-mb-purism-librem_l1um-Add-new-board.patch
new file mode 100644
index 00000000..d6646580
--- /dev/null
+++ b/patches/coreboot-4.11/0004-mb-purism-librem_l1um-Add-new-board.patch
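Review bot: smbios_mainboard_serial_number() copies the CBFS file bytes verbatim into the SMBIOS string, so a trailing newline from a text file, or any non-printable byte, ends up in the serial number the OS reports. Trimming before the early return, e.g. `while (serial_len > 0 && (serial_number[serial_len - 1] == '\n' || serial_number[serial_len - 1] == '\r')) serial_len--;` ahead of the existing `serial_number[serial_len] = 0;`, keeps the value clean. The cache check is `serial_number[0] != 0`, so an empty CBFS file is re-read on every call; falling through to the CONFIG_MAINBOARD_SERIAL_NUMBER default when `serial_len == 0` avoids that. The Kconfig help text should also say that the driver does not itself verify the file it reads from CBFS, so anything treating the serial as an identity input knows where the value comes from.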
@@ -0,0 +1,609 @@ +diff --git a/src/mainboard/purism/librem_l1um/Kconfig b/src/mainboard/purism/librem_l1um/Kconfig +new file mode 100644 +index 0000000000..ba504faa75 +--- /dev/null ++++ b/src/mainboard/purism/librem_l1um/Kconfig +@@ -0,0 +1,41 @@ ++if BOARD_PURISM_LIBREM_L1UM ++ ++config BOARD_SPECIFIC_OPTIONS ++ def_bool y ++ select BOARD_ROMSIZE_KB_16384 ++ select DRIVERS_UART_8250IO ++ select ENABLE_FSP_FAST_BOOT ++ select GENERATE_SMBIOS_TABLES ++ select HAVE_ACPI_TABLES ++ select IPMI_KCS ++ select MAINBOARD_HAS_LPC_TPM ++ select MAINBOARD_USES_IFD_GBE_REGION ++ select MRC_CACHE_FMAP ++ select SERIRQ_CONTINUOUS_MODE ++ select SOC_INTEL_FSP_BROADWELL_DE ++ select SUPERIO_ASPEED_AST2400 ++ ++config MAINBOARD_DIR ++ string ++ default "purism/librem_l1um" ++ ++config MAINBOARD_PART_NUMBER ++ string ++ default "LIBREM_L1UM" ++ ++config IRQ_SLOT_COUNT ++ int ++ default 18 ++ ++config CBFS_SIZE ++ hex ++ default 0x00C00000 ++ ++config VIRTUAL_ROM_SIZE ++ hex ++ default 0x1000000 ++ ++config INTEGRATED_UART ++ def_bool n ++ ++endif # BOARD_PURISM_LIBREM_L1UM +diff --git a/src/mainboard/purism/librem_l1um/Kconfig.name b/src/mainboard/purism/librem_l1um/Kconfig.name +new file mode 100644 +index 0000000000..3e3441931c +--- /dev/null ++++ b/src/mainboard/purism/librem_l1um/Kconfig.name +@@ -0,0 +1,2 @@ ++config BOARD_PURISM_LIBREM_L1UM ++ bool "Purism LIBREM_L1UM" +diff --git a/src/mainboard/purism/librem_l1um/Makefile.inc b/src/mainboard/purism/librem_l1um/Makefile.inc +new file mode 100644 +index 0000000000..991f44ed3c +--- /dev/null ++++ b/src/mainboard/purism/librem_l1um/Makefile.inc +@@ -0,0 +1,14 @@ ++## ++## This file is part of the coreboot project. ++## ++## This program is free software; you can redistribute it and/or modify ++## it under the terms of the GNU General Public License as published by ++## the Free Software Foundation; version 2 of the License. 
++## ++## This program is distributed in the hope that it will be useful, ++## but WITHOUT ANY WARRANTY; without even the implied warranty of ++## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++## GNU General Public License for more details. ++## ++ ++ramstage-y += irqroute.c +diff --git a/src/mainboard/purism/librem_l1um/acpi/mainboard.asl b/src/mainboard/purism/librem_l1um/acpi/mainboard.asl +new file mode 100644 +index 0000000000..78858cc652 +--- /dev/null ++++ b/src/mainboard/purism/librem_l1um/acpi/mainboard.asl +@@ -0,0 +1,18 @@ ++/* ++ * This file is part of the coreboot project. ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public License as ++ * published by the Free Software Foundation; version 2 of ++ * the License. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ */ ++ ++Device (PWRB) ++{ ++ Name(_HID, EisaId("PNP0C0C")) ++} +diff --git a/src/mainboard/purism/librem_l1um/acpi/platform.asl b/src/mainboard/purism/librem_l1um/acpi/platform.asl +new file mode 100644 +index 0000000000..4cab1777c4 +--- /dev/null ++++ b/src/mainboard/purism/librem_l1um/acpi/platform.asl +@@ -0,0 +1,53 @@ ++/* ++ * This file is part of the coreboot project. ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; version 2 of the License. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. 
++ */ ++ ++/* The APM port can be used for generating software SMIs */ ++ ++OperationRegion (APMP, SystemIO, 0xb2, 2) ++Field (APMP, ByteAcc, NoLock, Preserve) ++{ ++ APMC, 8, // APM command ++ APMS, 8 // APM status ++} ++ ++/* Port 80 POST */ ++ ++OperationRegion (POST, SystemIO, 0x80, 1) ++Field (POST, ByteAcc, Lock, Preserve) ++{ ++ DBG0, 8 ++} ++ ++Name(\APC1, Zero) // IIO IOAPIC ++ ++Name(\PICM, Zero) // IOAPIC/8259 ++ ++Method(_PIC, 1) ++{ ++ Store(Arg0, PICM) ++} ++ ++/* The _PTS method (Prepare To Sleep) is called before the OS is ++ * entering a sleep state. The sleep state number is passed in Arg0 ++ */ ++ ++Method(_PTS,1) ++{ ++} ++ ++/* The _WAK method is called on system wakeup */ ++ ++Method(_WAK,1) ++{ ++ Return(Package(){0,0}) ++} +diff --git a/src/mainboard/purism/librem_l1um/acpi_tables.c b/src/mainboard/purism/librem_l1um/acpi_tables.c +new file mode 100644 +index 0000000000..7507f24fc7 +--- /dev/null ++++ b/src/mainboard/purism/librem_l1um/acpi_tables.c +@@ -0,0 +1,39 @@ ++/* ++ * This file is part of the coreboot project. ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; version 2 of the License. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. 
++ */ ++ ++#include ++#include ++#include ++ ++unsigned long acpi_fill_madt(unsigned long current) ++{ ++ u32 i; ++ ++ current = acpi_create_madt_lapics(current); ++ ++ current += acpi_create_madt_ioapic((acpi_madt_ioapic_t *) current, 8, ++ IOXAPIC1_BASE_ADDRESS, 0); ++ set_ioapic_id((u8 *)IOXAPIC1_BASE_ADDRESS, 8); ++ ++ current += acpi_create_madt_ioapic((acpi_madt_ioapic_t *) current, 9, ++ IOXAPIC2_BASE_ADDRESS, 24); ++ set_ioapic_id((u8 *)IOXAPIC2_BASE_ADDRESS, 9); ++ ++ current = acpi_madt_irq_overrides(current); ++ ++ for (i = 0; i < 16; i++) ++ current += acpi_create_madt_lapic_nmi( ++ (acpi_madt_lapic_nmi_t *)current, i, 0xD, 1); ++ ++ return current; ++} +diff --git a/src/mainboard/purism/librem_l1um/board_info.txt b/src/mainboard/purism/librem_l1um/board_info.txt +new file mode 100644 +index 0000000000..fc8da9d5f5 +--- /dev/null ++++ b/src/mainboard/purism/librem_l1um/board_info.txt +@@ -0,0 +1,8 @@ ++Board name: Purism Librem Server L1UM ++Category: server ++Board URL: https://puri.sm/products/librem-server/ ++ROM package: SOIC-8 ++ROM protocol: SPI ++ROM socketed: no ++Flashrom support: y ++Release year: 2020 +diff --git a/src/mainboard/purism/librem_l1um/devicetree.cb b/src/mainboard/purism/librem_l1um/devicetree.cb +new file mode 100644 +index 0000000000..5869b23e58 +--- /dev/null ++++ b/src/mainboard/purism/librem_l1um/devicetree.cb +@@ -0,0 +1,96 @@ ++chip soc/intel/fsp_broadwell_de ++ device cpu_cluster 0 on ++ device lapic 0 on end ++ end ++ device domain 0 on ++ device pci 00.0 on end # SoC router (6f00) ++ device pci 01.0 on end # CPU PCIe RP1 (6f02) ++ device pci 01.1 on end # CPU PCIe RP1 (6f03) ++ device pci 02.0 on end # CPU PCIe RP2 (6f04) ++ device pci 02.2 on end # CPU PCIe RP2 (6f06) ++ device pci 03.0 on end # CPU PCIe RP3 (6f08) ++ device pci 05.0 on end # Sys Mgmt (6f28) ++ device pci 05.1 on end # IIO HP (6f29) ++ device pci 05.2 on end # IIO RAS (6f2a) ++ device pci 05.4 on end # I/O APIC (6f2c) ++ device pci 05.6 off end # I/O 
Performance Monitoring (6f39) ++ device pci 06.0 off end # IIO Debug ++ device pci 06.1 off end # IIO Debug ++ device pci 06.2 off end # IIO Debug ++ device pci 06.3 off end # IIO Debug ++ device pci 06.4 off end # IIO Debug ++ device pci 06.5 off end # IIO Debug ++ device pci 06.6 off end # IIO Debug ++ device pci 06.7 off end # IIO Debug ++ device pci 07.0 off end # IIO Debug ++ device pci 07.1 off end # IIO Debug ++ device pci 07.2 off end # IIO Debug ++ device pci 07.3 off end # IIO Debug ++ device pci 07.4 off end # IIO Debug ++ device pci 14.0 on end # xHCI Controller (8c31) ++ device pci 16.0 off end # MEI Controller #1 (8c3a) ++ device pci 16.1 off end # MEI Controller #2 (8c3b) ++ device pci 16.2 off end # IDE-r Controller (8c3c) ++ device pci 16.3 off end # KT Controller (8c3d) ++ device pci 19.0 off end # Gigabit LAN Controller ++ device pci 1a.0 on end # EHCI Controller #2 (8c2d) ++ device pci 1c.0 on end # PCH PCIe RP1 (8c10) ++ device pci 1c.1 on end # PCH PCIe RP2 (8c12) ++ device pci 1c.3 on end # PCH PCIe RP4 (8c16) ++ device pci 1c.4 on end # PCH PCIe RP5 (8c18) ++ device pci 1d.0 on end # EHCI Controller #1 (8c26) ++ device pci 1f.0 on ++ chip drivers/ipmi ++ register "bmc_i2c_address" = "0x20" ++ device pnp ca2.0 on # IPMI KCS ++ irq 0x70 = 0x05 ++ end ++ end ++ chip superio/common ++ device pnp 2e.0 on ++ chip superio/aspeed/ast2400 ++ device pnp 2e.2 on # SUART1 ++ io 0x60 = 0x3f8 ++ irq 0x70 = 0x04 ++ end ++ device pnp 2e.3 on # SUART2 ++ io 0x60 = 0x2f8 ++ irq 0x70 = 0x03 ++ end ++ device pnp 2e.4 on # SWC ++ io 0x60 = 0x8e6 ++ io 0x62 = 0x8e0 ++ io 0x64 = 0x8e4 ++ io 0x66 = 0x8e8 ++ irq 0x70 = 0x09 ++ end ++ device pnp 2e.5 off end # KBC ++ device pnp 2e.7 on end # GPIO ++ device pnp 2e.b on # SUART3 ++ io 0x60 = 0x3e8 ++ irq 0x70 = 0x06 ++ end ++ device pnp 2e.c on # SUART4 ++ io 0x60 = 0x2e8 ++ irq 0x70 = 0x05 ++ end ++ device pnp 2e.d on # iLPC2AHB ++ irq 0x70 = 0x09 ++ end ++ device pnp 2e.e on # Mailbox ++ io 0x60 = 0x8c0 ++ irq 0x70 = 
0x09 ++ end ++ end ++ end ++ end ++ chip drivers/pc80/tpm ++ device pnp 0c31.0 on end ++ end ++ end # LPC Bridge (8c54) ++ device pci 1f.2 on end # SATA Controller (8c02) ++ device pci 1f.3 on end # SMBus Controller (8c22) ++ device pci 1f.5 on end # SATA Controller ++ device pci 1f.6 on end # Thermal Mgmt Controller (8c24) ++ end ++end +diff --git a/src/mainboard/purism/librem_l1um/dsdt.asl b/src/mainboard/purism/librem_l1um/dsdt.asl +new file mode 100644 +index 0000000000..c9dd6f5506 +--- /dev/null ++++ b/src/mainboard/purism/librem_l1um/dsdt.asl +@@ -0,0 +1,41 @@ ++/* ++ * This file is part of the coreboot project. ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; version 2 of the License. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ */ ++ ++#include ++DefinitionBlock( ++ "dsdt.aml", ++ "DSDT", ++ 0x02, // DSDT revision: ACPI v2.0 and up ++ OEM_ID, ++ ACPI_TABLE_CREATOR, ++ 0x20110725 // OEM revision ++) ++{ ++ #include "acpi/platform.asl" ++ ++ Name(_S0, Package() { 0x00, 0x00, 0x00, 0x00 }) ++ Name(_S5, Package() { 0x07, 0x00, 0x00, 0x00 }) ++ ++ Scope (\_SB) ++ { ++ Device (PCI0) ++ { ++ #include ++ #include ++ } ++ ++ #include ++ } ++ ++ #include "acpi/mainboard.asl" ++} +diff --git a/src/mainboard/purism/librem_l1um/fadt.c b/src/mainboard/purism/librem_l1um/fadt.c +new file mode 100644 +index 0000000000..cba3b078fb +--- /dev/null ++++ b/src/mainboard/purism/librem_l1um/fadt.c +@@ -0,0 +1,25 @@ ++/* ++ * This file is part of the coreboot project. 
++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; version 2 of the License. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ */ ++ ++#include ++ ++void acpi_create_fadt(acpi_fadt_t *fadt, acpi_facs_t *facs, void *dsdt) ++{ ++ acpi_header_t *header = &(fadt->header); ++ ++ acpi_fill_in_fadt(fadt, facs, dsdt); ++ ++ /* Platform specific customizations go here */ ++ ++ header->checksum = acpi_checksum((void *) fadt, sizeof(acpi_fadt_t)); ++} +diff --git a/src/mainboard/purism/librem_l1um/irqroute.c b/src/mainboard/purism/librem_l1um/irqroute.c +new file mode 100644 +index 0000000000..fb2f90d0f4 +--- /dev/null ++++ b/src/mainboard/purism/librem_l1um/irqroute.c +@@ -0,0 +1,16 @@ ++/* ++ * This file is part of the coreboot project. ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; version 2 of the License. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ */ ++ ++#include "irqroute.h" ++ ++DEFINE_IRQ_ROUTES; +diff --git a/src/mainboard/purism/librem_l1um/irqroute.h b/src/mainboard/purism/librem_l1um/irqroute.h +new file mode 100644 +index 0000000000..82b9448f64 +--- /dev/null ++++ b/src/mainboard/purism/librem_l1um/irqroute.h +@@ -0,0 +1,45 @@ ++/* ++ * This file is part of the coreboot project. 
++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; version 2 of the License. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ */ ++ ++#ifndef IRQROUTE_H ++#define IRQROUTE_H ++ ++#include ++#include ++ ++#define PCI_DEV_PIRQ_ROUTES \ ++ PCI_DEV_PIRQ_ROUTE(XHCI_DEV, A, B, C, D), \ ++ PCI_DEV_PIRQ_ROUTE(ME_DEV, A, B, C, D), \ ++ PCI_DEV_PIRQ_ROUTE(GBE_DEV, A, B, C, D), \ ++ PCI_DEV_PIRQ_ROUTE(EHCI2_DEV, A, B, C, D), \ ++ PCI_DEV_PIRQ_ROUTE(HDA_DEV, A, B, C, D), \ ++ PCI_DEV_PIRQ_ROUTE(PCIE_DEV, A, B, C, D), \ ++ PCI_DEV_PIRQ_ROUTE(EHCI1_DEV, A, B, C, D), \ ++ PCI_DEV_PIRQ_ROUTE(SATA_DEV, A, B, C, D) ++ ++/* ++ * Route each PIRQ[A-H] to a PIC IRQ[0-15] ++ * Reserved: 0, 1, 2, 8, 13 ++ * ACPI/SCI: 9 ++ */ ++#define PIRQ_PIC_ROUTES \ ++ PIRQ_PIC(A, 5), \ ++ PIRQ_PIC(B, 6), \ ++ PIRQ_PIC(C, 7), \ ++ PIRQ_PIC(D, 10), \ ++ PIRQ_PIC(E, 11), \ ++ PIRQ_PIC(F, 12), \ ++ PIRQ_PIC(G, 14), \ ++ PIRQ_PIC(H, 15) ++ ++#endif /* IRQROUTE_H */ +diff --git a/src/mainboard/purism/librem_l1um/mainboard.c b/src/mainboard/purism/librem_l1um/mainboard.c +new file mode 100644 +index 0000000000..7a017bdcaf +--- /dev/null ++++ b/src/mainboard/purism/librem_l1um/mainboard.c +@@ -0,0 +1,26 @@ ++/* ++ * This file is part of the coreboot project. ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; version 2 of the License. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the ++ * GNU General Public License for more details. ++ */ ++ ++#include ++ ++/* ++ * mainboard_enable is executed as first thing after enumerate_buses(). ++ * This is the earliest point to add customization. ++ */ ++static void mainboard_enable(struct device *dev) ++{ ++} ++ ++struct chip_operations mainboard_ops = { ++ .enable_dev = mainboard_enable, ++}; +diff --git a/src/mainboard/purism/librem_l1um/romstage.c b/src/mainboard/purism/librem_l1um/romstage.c +new file mode 100644 +index 0000000000..112eb264fc +--- /dev/null ++++ b/src/mainboard/purism/librem_l1um/romstage.c +@@ -0,0 +1,98 @@ ++/* ++ * This file is part of the coreboot project. ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; version 2 of the License. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#define SERIAL_DEV PNP_DEV(0x2e, AST2400_SUART1) ++ ++/** ++ * brief mainboard call for setup that needs to be done before fsp init ++ */ ++void early_mainboard_romstage_entry(void) ++{ ++ /* ++ * Sometimes the system boots in an invalid state, where random values ++ * have been written to MSRs and then the MSRs are locked. ++ * Seems to always happen on warm reset. ++ * ++ * Power cycling or a board_reset() isn't sufficient in this case, so ++ * issue a full_reset() to "fix" this issue. ++ */ ++ msr_t msr = rdmsr(IA32_FEATURE_CONTROL); ++ if (msr.lo & 1) { ++ console_init(); ++ printk(BIOS_EMERG, "Detected broken platform state. 
Issuing full reset\n"); ++ full_reset(); ++ } ++ ++ /* enable early serial output */ ++ aspeed_enable_serial(SERIAL_DEV, CONFIG_TTYS0_BASE); ++} ++ ++/* ++ * brief mainboard call for setup that needs to be done after fsp init ++ */ ++void late_mainboard_romstage_entry(void) ++{ ++ // IPMI through BIC ++ pci_write_config32(PCI_DEV(0, LPC_DEV, LPC_FUNC), LPC_GEN2_DEC, ++ 0x0c0ca1); ++} ++ ++/* ++ * brief customize fsp parameters here if needed ++ */ ++void romstage_fsp_rt_buffer_callback(FSP_INIT_RT_BUFFER *FspRtBuffer) ++{ ++ UPD_DATA_REGION *fsp_upd_data = FspRtBuffer->Common.UpdDataRgnPtr; ++ ++ /* The internal UART operates on 0x3f8/0x2f8. ++ * As it's not wired up and conflicts with SuperIO decoding ++ * the same range, make sure to disable it. ++ */ ++ fsp_upd_data->SerialPortConfigure = 0; ++ fsp_upd_data->SerialPortControllerInit0 = 0; ++ fsp_upd_data->SerialPortControllerInit1 = 0; ++ ++ /* coreboot will initialize UART. ++ * No need for FSP to do it again. ++ */ ++ fsp_upd_data->SerialPortConfigure = 0; ++ fsp_upd_data->SerialPortBaudRate = 0; ++ ++ /* Make FSP use serial IO */ ++ fsp_upd_data->SerialPortType = 1; ++ ++ /* Set the bifurcation for IOU1 / port 0 ++ * default xxxxxx8, set to xxxx8x8 to ++ * enable PCIe slot 0 ++ */ ++ fsp_upd_data->ConfigIOU1_PciPort3 = 3; ++ ++ /* Set the bifurcation for IOU2 / port 1 ++ * default xxxxxx8, set to xxxxx4x4 to ++ * enable SAS controller and NVMe to coexist ++ */ ++ fsp_upd_data->ConfigIOU2_PciPort1 = 0; ++ ++} +-- +2.20.1 + diff --git a/patches/coreboot-4.11/0010-cross-compiler-support.patch b/patches/coreboot-4.11/0010-cross-compiler-support.patch new file mode 100644 index 00000000..aa925348 --- /dev/null +++ b/patches/coreboot-4.11/0010-cross-compiler-support.patch 
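Review bot: In romstage_fsp_rt_buffer_callback() `fsp_upd_data->SerialPortConfigure = 0;` is assigned twice under two different comments; drop the second assignment and merge the two comments so a reader is not left looking for a difference between them. In early_mainboard_romstage_entry() the `msr.lo & 1` test on IA32_FEATURE_CONTROL is an unnamed bit and the recovery is an unconditional full_reset(), so if anything ever leaves that bit set across a full reset the board would reset in a loop; a named bit plus a comment on why the lock bit alone is taken as "broken state" would make the trade-off visible. The IOU2 bifurcation comment describes "xxxxx4x4" while the value written is `ConfigIOU2_PciPort1 = 0`; the comment should state how that value maps to the described layout, which I cannot confirm from the hunk.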
@@ -0,0 +1,32 @@
+diff --git a/Makefile b/Makefile
+index f3f9592649..cb37557c81 100644
+--- a/Makefile
++++ b/Makefile
+@@ -164,6 +164,24 @@ $(if $(wildcard .xcompile)$(NOCOMPILE),,$(eval $(shell util/xcompile/xcompile $(
+
+ -include .xcompile
+
++ifneq "$(CROSS)" ""
++ $(info coreboot: Using $(CROSS)gcc)
++ CROSS_COMPILE_x86_32 := $(CROSS)
++ CC_x86_32 := $(CROSS_COMPILE_x86_32)gcc
++ CPP_x86_32 := $(CROSS_COMPILE_x86_32)cpp
++ AS_x86_32 := $(CROSS_COMPILE_x86_32)as --32
++ LD_x86_32 := $(CROSS_COMPILE_x86_32)ld.bfd -b elf32-i386 -melf_i386
++ NM_x86_32 := $(CROSS_COMPILE_x86_32)nm
++ OBJCOPY_x86_32 := $(CROSS_COMPILE_x86_32)objcopy
++ OBJDUMP_x86_32 := $(CROSS_COMPILE_x86_32)objdump
++ READELF_x86_32 := $(CROSS_COMPILE_x86_32)readelf
++ STRIP_x86_32 := $(CROSS_COMPILE_x86_32)strip
++ AR_x86_32 := $(CROSS_COMPILE_x86_32)ar
++ GNATBIND_x86_32 := $(CROSS_COMPILE_x86_32)gnatbind
++ COMPILER_RT_x86_32 := $(shell $(CC_x86_32) --print-libgcc-file-name)
++endif
++
++
+ ifneq ($(XCOMPILE_COMPLETE),1)
+ $(shell rm -f .xcompile)
+ $(error .xcompile deleted because it's invalid. \
+--
+2.20.1
+
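Review bot: `COMPILER_RT_x86_32 := $(shell $(CC_x86_32) --print-libgcc-file-name)` runs the cross compiler at parse time with no check on the result; if `$(CROSS)gcc` is not on PATH the only sign is a stray shell message and the variable is left empty, so the build carries on and fails much later at link time with no hint that CROSS was wrong. A guard right after it, `$(if $(strip $(COMPILER_RT_x86_32)),,$(error coreboot: $(CC_x86_32) is not usable; check CROSS))`, turns that into an immediate, named failure. The block also overrides the x86_32 toolchain that `-include .xcompile` just set, which looks intentional but is undocumented; a one-line comment stating that CROSS takes precedence over .xcompile would record that. The two blank `++` lines after `endif` leave a double blank line in the Makefile and one of them could go.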