Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x86 fsp backport #443

Merged
merged 96 commits into from
May 9, 2024
Merged

x86 fsp backport #443

merged 96 commits into from
May 9, 2024

Conversation

rizlik
Copy link
Contributor

@rizlik rizlik commented Apr 24, 2024
edited
Loading

  • port of improvements and bugfix of x86 FSP code
  • cleaning of qemu x86 fsp scripts and documentation
    notes:
  • last "pure" backport commit is: 09a2c21

(non-complete) list of commits that may have side-effects out of x86 fsp context:

rizlik and others added 23 commits April 23, 2024 10:41
@rizlik
kontron: update default config to load wolfboot at 1408 MB
c4e2afd
@rizlik
tpm seal: add define to choose the key id to seal with
b663ebe
@rizlik
user_settings: allow multiples HAVE_ECC* defines
7f4db82
@rizlik
fsp: stage1: init TPM if TPM_VERIFY = 1 or MEASURED_BOOT = 1
c3bf126
@rizlik
tgl: fsp: check CPU shutdown mode
7e7c5f3 
If CPU enter a triple fault, it goes in shutdown mode and the reset vector is
invoked again, without a proper PLTRST#. MemoryInit API fails in this
case. Check if CPU is in shutdown mode and reset the platform if so.
@rizlik
elf: correct newlines
9c0ca1f
@rizlik
tpm: policy_sign: fix: modulo by zero
abee55e
@rizlik
x86_fsp: qemu: make_hd: allow image from env variable
ddd7fb1
@rizlik
x86_fsp: add QEMU test app (ELF 64bit)
84350a9
@rizlik
x86_fsp: qemu: add qemu build and test script
6d6a9c9
@tmael @rizlik
Enhance QEMU scripts
371c03e
@danielinux @rizlik
A few extra minor improvements to scripts
9f314ce
@rizlik
x86: ahci: check get_key_sha256() return code
e434ddb
@rizlik
x86: qemu: improve test_qemu.sh script, add it to github action
bb7d90c
@rizlik
x86: sata: separate sata_unlock_disk() as a separate operation
7247d11
@rizlik
x86: ata: add check on drive number
bc1e40b
@rizlik
x86: fsp: move stage1 to stage2 related function in a separate file
fd457e5
@rizlik
ahci: allow to delete sealed secret on error
97b3bee
@rizlik
test_qemu.sh: support rebuild-only testing
46b3d82
@rizlik
gpt: support partition label
e7a6262
@rizlik
x86_fsp: update qemu script to support GPT labels
84be0dd
@rizlik
x86_fsp: scripts: print output of QEMU during test
fdcb83f
@rizlik
x86: use hlt instruction in panic()
d89b44e
@rizlik rizlik requested review from danielinux and dgarske April 24, 2024 15:22
@rizlik rizlik force-pushed the x86_fsp_backport branch from 4c14129 to 8cd363d Compare April 24, 2024 15:32
danielinux
danielinux requested changes Apr 25, 2024
View reviewed changes
Copy link
Member

@danielinux danielinux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please remove the tools/x86_fsp, tools/tgl, tools/qemu directories and move them under tools/scripts as we discussed. Adjust paths in the doc accordingly.

rizlik added 13 commits April 29, 2024 09:53
@rizlik
x86_fsp: qemu: move fsp qemu script in tools/x86_fsp/qemu folder
ac1465e
@rizlik
x86_fsp: remove unused configuration
4e99075
@rizlik
tools: qemu64-tpm.sh: make TPM optional
db2b538
@rizlik
tools: rename qemu64-tpm.sh in the more general qemu.sh
9410292
@rizlik
config: examples: use ecc256 and sha256 for basic QEMU FSP example
6c5efe2
@rizlik
mk: x86_fsp: stage1: don't remove fsp_s_signature file
cb9decc 
it's needed to compute the hash of PCR TPM register
@rizlik
config: examples: kontron vx3060 s2
5331244 
- use sha256 as hashing algo
- enable measure_boot and tpm seal
@rizlik
x86_fsp: add helper script to compute TPM PCR reg
5fd8094
@rizlik
x86_fsp: tgl: helper script
96654a3
@rizlik
docs: update QEMU FSP targets documentation
2f4abd5
@rizlik
docs: add Kontron VX3060-S2 FSP target
a8cbc61
@rizlik
tools: move tools/x86_fsp in tools/scripts/x86_fsp
943edf9
@rizlik
x86_fsp: test_qemu.sh: allow grep to return error when checking output
53d012f
@rizlik rizlik force-pushed the x86_fsp_backport branch from 8cd363d to 53d012f Compare April 29, 2024 08:04
rizlik added 2 commits April 29, 2024 10:27
@rizlik
pci: move pcie_retraining_link in boot_x86_fsp
ee4747e 
the function relies a non-general delay() function, so move the function in a
more target-specific file.
@rizlik
fix: user_settings.h: fix typo in ECC521 defines
a98e74f
@rizlik rizlik requested a review from danielinux April 30, 2024 08:17
danielinux
danielinux requested changes May 2, 2024
View reviewed changes
Copy link
Member

@danielinux danielinux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well done, the port seems very clean. Could possibly use more documentation e.g. on the ATA state machine and other internals. Added config options should be covered in docs/

src/x86/ahci.c Show resolved Hide resolved
src/x86/ahci.c Show resolved Hide resolved
tools/tpm/policy_sign.c Show resolved Hide resolved
@rizlik rizlik requested a review from danielinux May 2, 2024 14:26
danielinux
danielinux reviewed May 7, 2024
View reviewed changes
Copy link
Member

@danielinux danielinux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for adding the docs. A few minor typos/rewording.

docs/ata_security.md Outdated

## Disabling the password

If you need to disable the password, a master password should be already set on the device. Then you can use the following option to compile wolfBoot so that it will disable the password from the drive and panic:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/option/options

docs/ata_security.md Outdated
If the ATA disk has no password set, the disk will be locked with the password provided at the first boot.

## Unlocking the Disk with a TPM-Sealed Secret
wolfBoot allows to seal secret safely in the TPM in a way that it can be unsealed only under specific conditions. Please refer to files TPM.md and measured_boot.md for more information. If the option `WOLFBOOT_TPM_SEAL` is enabled and `DISK_LOCK` is enabled, wolfBoot will use a TPM sealed secret as the password to unlock the disk. The following options controls the sealing and unsealing of the secret:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the options WOLFBOOT_TPM_SEAL and DISK_LOCK are enabled, wolfboot uses

@rizlik rizlik requested a review from danielinux May 8, 2024 07:40
dgarske
dgarske requested changes May 9, 2024
View reviewed changes
src/stage2_params.c Outdated
@@ -0,0 +1,132 @@
/* stage2_params.h
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

stage2_params.c

src/x86/gpt.c Show resolved Hide resolved
test-app/app_x86_fsp_qemu.c Outdated

#ifdef PLATFORM_x86_fsp_qemu

#include<printf.h>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add space. #include <printf.h>

@dgarske dgarske self-requested a review May 9, 2024 14:43
danielinux
danielinux approved these changes May 9, 2024
View reviewed changes
Copy link
Member

@danielinux danielinux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good now.

@dgarske dgarske merged commit 027c684 into master May 9, 2024
87 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dgarske dgarske dgarske approved these changes

@danielinux danielinux danielinux approved these changes

Assignees

@wolfSSL-Bot wolfSSL-Bot

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@rizlik @danielinux @dgarske @wolfSSL-Bot @tmael