[coreboot-gerrit] Patch set updated for coreboot: chromeos: Sign FW_MAIN_A and FW_MAIN_B

Patrick Georgi (pgeorgi@google.com) gerrit at coreboot.org
Wed Feb 3 19:45:37 CET 2016


Patrick Georgi (pgeorgi at google.com) just uploaded a new patch set to gerrit, which you can find at https://review.coreboot.org/13560

-gerrit

commit 522f2b2d3984f22f42d37e49015f91f635116a51
Author: Patrick Georgi <pgeorgi at chromium.org>
Date:   Tue Feb 2 17:52:09 2016 +0100

    chromeos: Sign FW_MAIN_A and FW_MAIN_B
    
    This requires payload integration somewhere to be useful, because
    without that, adding it will (hopefully) break the signature.
    
    Change-Id: I67b8267e5040e26353df02d258e92a0610e19a52
    Signed-off-by: Patrick Georgi <pgeorgi at chromium.org>
---
 src/vendorcode/google/chromeos/Makefile.inc | 37 +++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/src/vendorcode/google/chromeos/Makefile.inc b/src/vendorcode/google/chromeos/Makefile.inc
index d686a08..3182d6e 100644
--- a/src/vendorcode/google/chromeos/Makefile.inc
+++ b/src/vendorcode/google/chromeos/Makefile.inc
@@ -54,6 +54,9 @@ subdirs-$(CONFIG_VBOOT_VERIFY_FIRMWARE) += vboot2
 
 CONFIG_GBB_HWID := $(call strip_quotes,$(CONFIG_GBB_HWID))
 CONFIG_GBB_BMPFV_FILE := $(call strip_quotes,$(CONFIG_GBB_BMPFV_FILE))
+CONFIG_VBOOT_KEYBLOCK := $(call strip_quotes,$(CONFIG_VBOOT_KEYBLOCK))
+CONFIG_VBOOT_FIRMWARE_PRIVKEY := $(call strip_quotes,$(CONFIG_VBOOT_FIRMWARE_PRIVKEY))
+CONFIG_VBOOT_KERNEL_KEY := $(call strip_quotes,$(CONFIG_VBOOT_KERNEL_KEY))
 
 # bool-to-mask(var, value)
 # return "value" if var is "y", 0 otherwise
@@ -103,3 +106,37 @@ $(obj)/gbb.region: $(obj)/gbb.stub
 build_complete:: $(obj)/gbb.region
 	@printf "    WRITE GBB\n"
 	$(CBFSTOOL) $(obj)/coreboot.rom write -u -r GBB -f $<
+
+# Extract FW_MAIN_? region and minimize it if the last file is empty, so it
+# doesn't contain this empty file (that can have a significant size),
+# improving a lot on hash times due to a smaller amount of data loaded from
+# firmware storage.
+# When passing the minimized image to vbutil_firmware, its length is recorded
+# in the keyblock, and coreboot's vboot code clips the region_device to match,
+# which prevents any potential extension attacks.
+$(obj)/FW_MAIN_%.bin: $(obj)/coreboot.rom
+	$(CBFSTOOL) $< read -r $(basename $(notdir $@)) -f $@.tmp
+	$(CBFSTOOL) $(obj)/coreboot.rom print -k -r $(basename $(notdir $@)) | \
+		tail -1 | \
+		sed "s,^(empty)[[:space:]]\(0x[0-9a-f]*\)\tnull\t.*$$,\1," \
+		> $@.tmp.size
+	if [ -n "`cat $@.tmp.size`" ]; then \
+		head -c $$( printf "%d" $$(cat $@.tmp.size)) $@.tmp > $@.tmp2 && \
+		mv $@.tmp2 $@; \
+	else \
+		mv $@.tmp $@; \
+	fi
+
+$(obj)/VBLOCK_%.bin: $(obj)/FW_MAIN_%.bin $(FUTILITY)
+	$(FUTILITY) vbutil_firmware \
+		--vblock $@ \
+		--keyblock "$(CONFIG_VBOOT_KEYBLOCK)" \
+		--signprivate "$(CONFIG_VBOOT_FIRMWARE_PRIVKEY)" \
+		--version $(CONFIG_VBOOT_KEYBLOCK_VERSION) \
+		--fv $< \
+		--kernelkey "$(CONFIG_VBOOT_KERNEL_KEY)" \
+		--flags $(CONFIG_VBOOT_KEYBLOCK_PREAMBLE_FLAGS)
+
+files_added:: $(obj)/VBLOCK_A.bin $(obj)/VBLOCK_B.bin
+	$(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_A -f $(obj)/VBLOCK_A.bin
+	$(CBFSTOOL) $(obj)/coreboot.rom write -u -r VBLOCK_B -f $(obj)/VBLOCK_B.bin
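Review bot: In the `$(obj)/FW_MAIN_%.bin` recipe, `sed` runs without `-n`, so when the last `cbfstool print -k` line is not an `(empty)` entry it is passed through unchanged, and `$@.tmp.size` is non-empty whenever the listing has any output. The `else` branch, which the comment intends for a region with no trailing empty file, is then effectively reached only when the listing is empty. In the non-matching case `printf "%d"` receives the fields of a regular file entry, and `head -c` presumably truncates at whatever number results, which becomes the body length `vbutil_firmware` signs. Printing only on a match ties the signed length to a real trailing empty entry: `sed -n "s,^(empty)[[:space:]]\(0x[0-9a-f]*\)\tnull\t.*$$,\1,p" \`. Separately, the recipe leaves `$@.tmp` and `$@.tmp.size` behind, and because the pipeline status is unchecked, a failing `cbfstool print` silently falls back to signing the full region; that fallback deserves a comment or an explicit check.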


