This supports XCODE toolchain in Mac OS.
- Tested on macOS Catalina version 10.15.2
- Tested with Apple clang version 11
- Verified QEMU target
Signed-off-by: Aiden Park <aiden.park@intel.com>
When multiple USB mass storage boot devices are connected, current
SBL will only boot from the 1st one enumerated by the USB bus. This
patch added support to boot from the remaining devices. This feature
will be controlled by PcdMultiUsbBootDeviceEnabled. And it can be
overridden by board using ENABLE_MULTI_USB_BOOT_DEV. When it is enabled
for USB block IO interface, the hardware partition in boot option
will be used to indicate the index of the USB mass storage devvice.
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
This patch added DMA memory type into memory allocation pool for payloads.
This DMA memory buffer with PcdDmaBufferSize is located at address
aligned at PcdDmaBufferAlignment after Payload reserved memory. Memory
type EfiRuntimeServicesData is used to indicate DMA memory type.
Stage1B calculates the DMA memory location using fixed PCDs so that
platform can set up DMA protection as early as possible after memory is
ready. In Stage1B or Stage2 platform code should use platform VTd
information to setup PMR to protect all low memory except for the DMA
buffer range. DMA memory will be added into memory pool at the entry
point of the payload. Before transfering to OS, the DMA memory protection
can be disabled, and the DMA memory pool can be reclaimed for OS usage.
Currently only boot media device will utilize the DMA buffer range for
block access operations. So it should only be required by payloads. GFX,
when enabled, will also use DMA. It will be targeted to the system stolen
memory which is not protected by PMR.
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
PciEnumeration() scans a single PCI root bridge currently.
The PCI_ENUM_POLICY_INFO structure will be generated at build time,
and this will allow PCI enumeration more flexible.
typedef struct {
UINT8 DowngradeIo32;// default:1
UINT8 DowngradeMem64; // default:1
UINT8 DowngradePMem64;// default:1
UINT8 Reserved;
UINT8 BusScanType; // default:0 (0: list, 1: range)
UINT8 NumOfBus; // the number of BusScanItems
UINT8 BusScanItems[0];
} PCI_ENUM_POLICY_INFO;
Signed-off-by: Aiden Park <aiden.park@intel.com>
This patch allows to extract individual microcode binary from the
IFWI image. It can also replace the microcode in the IFWI image.
FIT entries will be patched accordingly as part of the microcode
replacement.
For example:
To extract microcode to directory Ucode:
python BootloaderCorePkg\Tools\IfwiUtility.py extract -i
Outputs\cfl\SlimBootloader.bin -p IFWI/BIOS/RD0/UCOD -u Ucode
To replace all microcode binaries (*.mcb) under directory Ucode
into IFWI image:
python BootloaderCorePkg\Tools\IfwiUtility.py replace -i
Outputs\cfl\ifwi_whl.bin -p IFWI/BIOS/RD0/UCOD -u Ucode -o
Outputs\cfl\ifwi_whl_new.bin
The example only handled BP0. If required, needs to do the similar for
BP1 by changing the component path.
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
This patch allows the platform to add EMPTY component in the
flash layout definition in BoardConfig.py. Without this patch,
it will cause build error because it expects EMPTY as an actual
component file.
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
In GenContainer tool auth definitions for RSA cases were
updated to include hash alg used. In current implementation
auth type is generated from hash type and private key while
container created. This patch removes hash type param
and auth type is used for hash alg generation.
Platform code to be updated as per updated auth definitions
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
This patch allows to setup Stage1 stack/data in any CAR range.
By default, the stack base offset is 0 from CarBase.
Signed-off-by: Aiden Park <aiden.park@intel.com>
Since Python 2.7 is EOL already. SBL needs to drop the support.
This patch switched to use python version 3.6 or above for SBL
build. If lower version is used, warning message will be printed
out.
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
This patch enabled Visual Studio 2017 Community 2017 build support.
The following were done:
- Added new method to detect VS2017 installation path and version
- Droped VS2005, VS2008, VS2010 and VS2012 build support. Only
VS2013 and VS2015 are supported.
- Fixed build issue in FspApiLib due to new compiler optimizations
- Synced the build support for QEMU FSP patch
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
This patch introduces support for RSA3K and SHA384 signing
And verifications support to Slimbootloader. Component hash
verification is done using PcdCompSignHashAlg.
To enable RSA3072 and SHA384,
- Signing hash algorithm SIGN_HASH_TYPE should be set to SHA2_384
- RSA3K private keys should be configured in platform board configs.
- Set IPP_CRYPTO_ALG_MASK to include SHA2_384
- Enable required IPP_CRYPTO_OPTIMIZATION_MASK
- Default siging hash type is set to SHA2_256. Use hash type option
while using the tools as Gencontainer, CfgDataTool in standalone
mode.
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
When firmware updated is not enabled, it will not build firmware update
payload, so there is hash for FWUPDATE.hash.
Update the build tool only require it when firmware update is enabled.
Signed-off-by: Guo Dong <guo.dong@intel.com>
Current SBL hash store has many limitations:
- Only support fixed hash size
- Only support 1:1 public key and usage mapping
- Only support build time key enrollment
This patch addressed this issue by introducing:
- Add a updatable KEYH component to hold extra key hash
- Allow append new hash entries from KEYH
- Use variable length entry for hash
- Introduce "Usage" bit mask for a key usage
This will allow using a single key to sign multiple components, or
using multiple keys to sign a single component. The built-in hash
store will only contain hash for STAGE1B, STAGE2, PAYLOAD,
PAYLOAD_FWU and MASTER public key hash. Master key hash will be used
to verify the KEYH component loaded at runtime in Stage1B. Once KEYH
is loaded, it will be appended into global hash store. The combined
hash store will be used to verify other components on the boot flow.
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
HashStoreTable is defined for variable size to support
different hash alg and sizes. This would optimize the
hash store size in storage. Signing hash alg defined in BoardConfig file.
Hash store data is aligned as per the Digest length used.
Signed-off-by: Subash Lakkimsetti <subashx.lakkimsetti@intel.com>
AVX(G9) and SSE4(W7) is added to IPP crypto lib.
PcdCryptoShaOptEnabled is added to enable optimzations
in IPP SHA256 and SHA384.
Default is set to V8 (SSE3) for SHA256. ENABLE_CRYPTO_SHA_OPT has to
be configured in Platform board config files for optimizations
to be enabled.
Signed-off-by: Subash Lakkimsetti <subashx.lakkimsetti@intel.com>
This will fully support PatchCheck.py.
- Remove all trailing whitespace
- Convert LF to CRLF by default
- Update EFI_D_* to DEBUG_*
- Re-enable CRLF check in PatchCheck.py
Signed-off-by: Aiden Park <aiden.park@intel.com>
PcdDebugInterfaceFlags and PcdDebugOutputDeviceMask are defined
for debug devices, so removed PcdDebugInterfaceFlags.
Add a new PCD PcdDebugPortNumber to indicate the serial debug
number.
Signed-off-by: Guo Dong <guo.dong@intel.com>
Current SBL has platform specific GetBuiltInConfigData() implementation
because the internal CFGDATA blob is embedded into Stage1B data section.
Instead, it can be put into Stage1B FV FFS file, and then use a PCD to
get the base. In this way, it can be handled directly in core code and
remove platform specific implementation.
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
Functionality to Crypto Hash function is guarded with an
PcdIppHashLibSupportedMask.
PcdIppHashLibSupportedMask indicates IPP crypto algo supported
Signed-off-by: Subash Lakkimsetti <subashx.lakkimsetti@intel.com>
hash_type parameter added to build tool API's as required and
current supported hash in tools is for SHA2_256.
Added functionality for retriving RSA private key type.
Signed-off-by: Subash Lakkimsetti <subashx.lakkimsetti@intel.com>
SBL depends on flash map to locate all component info. It is
mandatory to keep flash map. HAVE_FLASH_MAP config option should
be removed. This patch removed this config option and the related
PcdFlashMapEnabled PCD.
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
This patch allows platform to degrade eMMC HS400 to HS200 using
static configuration. To do this, please add the following into
BoardConfig.py:
self.ENABLE_EMMC_HS400 = 0
This is useful when platform has hardware issue to run at eMMC
HS400 mode.
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
This patch added csme wrapper driver for csme update library.
following functionality is added in this patch
1. Boardconfig PCD option ENABLE_CSME_UPDATE is added to
enable/disable csme update support
2. Boardconfig PCD option BUILD_CSME_UPDATE_DRIVER is added
to enable/disable building csme update driver
3. If BUILD_CSME_UPDATE_DRIVER is 1, user need to create
library that inludes csme update library
this newly created library will get linked to csme update
wrapper driver providing csme update driver
4. By default ENABLE_CSME_UPDATE is set to 0
5. Revision control for input and output data structure to
update driver is not implemented and will be avaiable
in further patches.
Signed-off-by: Raghava Gudla <raghava.gudla@intel.com>
Add support to load the boot image from container.
Container must be signed using the same private key
as the key used to sign IAS (i.e. IAS_PRIVATE_KEY).
Signed-off-by: Sai Talamudupula <sai.kiran.talamudupula@intel.com>
Compile optimization sometimes needs to be disabled for debugging.
EDKII BaseTools provide NOOPT target, so leverage it.
The default GCC '-O0' and VS '/Od' option results in huge size image,
so the optimization level is adjusted with approximately level.
Add a new build option '-no' or '--noopt' for NOOPT target
- Release build option '-r' will ignore '--noopt' option
ex) python BuildLoader.py build qemu --noopt
Signed-off-by: Aiden Park <aiden.park@intel.com>
Make PcdCpuMaxLogicalProcessorNumber configurable on a Board
- PcdCpuMaxLogicalProcessorNumber = 16 by default
- Configurable by CPU_MAX_LOGICAL_PROCESSOR_NUMBER in BoardConfig.py
Signed-off-by: Aiden Park <aiden.park@intel.com>
Some misc enhancements for build scripts including:
- Adding all required exectuable check for build
- Removng hardcoded Python27 path
- Printing out used python version and path
- Using EDKII stable201905 tag to build QEMU FSP
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
This patch cleaned APL and CFL stitching script.
- Shared common code for stitching functions on flash map process
- Converted coding style to snake_case for consistent naming convention
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
EDK II build has enabled python3 support. Since SBL has its own scripts,
it is required to port them accordingly to support python3. This patch
added python3 build support for SBL.
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
With this change, customer could copy only board package folder
outside of SBL repo and build it without copying silicon folder.
It could help customer create their own repo and use SBL open
source repo as a submodule.
Signed-off-by: Guo Dong <guo.dong@intel.com>
Removing hard code in PrepareBuildComponentBin.py, so it could
support other platforms. And enhance its logic to support to
run in different places.
Moving repo and commit information to driver INF so this script
could reuse code to support different drivers.
Signed-off-by: Guo Dong <guo.dong@intel.com>
This patch enabled Linux as payload support on QEMU platform. To build
Linux as payload, please follow instructions mentioned in commit:
4a5af4f8b0
In addtion, to boot Linux payload on QEMU, please append following
into QEMU command line to set Payload ID to 'LINX' dynamically.
-boot order=abc
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
This patch added GenContainer.py script to create, extrace, replace,
sign and display a container image. If platform provides
GetContainerList() in BoardConfig.py, the build process will consume
it to create container images.
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
This patch allows platform to use BoardConfig.py to override the
LOGO_FILE path so that customized logo file can be used instead of
the common one.
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
Synced up MdePkg, IntelFsp2Pkg and BaseTools to EDK2 stable tag
edk2-stable201905.
There are several changes for MdePkg and BaseTools.
MdePkg:
- Support light print to reduce SBL size
MdePkg\Library\BasePrintLib\PrintLibInternal.c
MdePkg\Include\Library\DebugLib.h
- TCG TPM2 spec changes and remove dependencies
MdePkg\Include\IndustryStandard\UefiTcgPlatform.h
MdePkg\Include\IndustryStandard\Tpm2Acpi.h
- Use old NVM protocol file
MdePkg\Include\Protocol\NvmExpressPassthru.h
- Removed unused files
BaseTools:
- Added LZ4 support
- Removed unused files
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
The GCC build is failing due to recent check-in for OS Loader FV
building. GCC5 is throwing an error that the required fv size
of 0x37718 is exceeding the set fv size of 0x37000. Bump up the FV
size to address this issue.
Signed-off-by: James Gutbub <james.gutbub@intel.com>
Some OSes may require a pre-OS checker executable
to run before actually jumping to the OS. Add
support for this pre-OS checker loading & execution
as part of the OS Loader payload when it is compiled
as an FV and when ENABLE_PRE_OS_CHECKER option is
enabled in BoardConfig.py (per the following command):
SblBuild.py build <plat> -p OsLoader.Fv:LLDR:Lz4
The pre-OS checker entry point takes in a single
parameter which provides the CPU boot state that
should be loaded once jumping into the OS for the
pre-OS checker to launch after it finishes execution
(e.g. pre-OS checker does not return to Slim Bootloader).
Signed-off-by: James Gutbub <james.gutbub@intel.com>
This patch added support for FWST ACPI table. This table
contains generic address structure which has pointer to the
EFI System Resource Table.
ESRT table for now supports only system firmware. This table
will provide the operating system and tools knowledge of what
is the last attempt status and version of the system firmare
update.
Signed-off-by: Raghava Gudla <raghava.gudla@intel.com>
Stage2 and Payload are NOT verified by Intel BootGuard component.
Instead, Slimbootloader verfifies Stage2 and Payload using SBL hash store.
Signed-off-by: Agrawal <sachin.agrawal@intel.com>
This patch added a simple parser for grub.cfg to make it easy to boot
Ubuntu ISO image using OsLoader payload. Without it, it is required to
copy vmlinuz/initrd to root directory and create a config.cfg to list
the kernel boot command line in order to boot the ISO image. This patch
makes it possible to boot the original Ubuntu ISO (16.04 or 18.04)
directly. It provides better user experience for people who wants to
try out SBL.
Please note, same as before, when verified boot is enabled, only debug
build will support this feature. Release build will disable this feature
due to security concern, please use IAS image boot mechnism instead.
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
Current SBL can only support on VBT file. However, different board
might need different VBT table. It is better to have the capability
to embed multiple VBT table into the image. This patch implemented
this feature and enabled it on QEMU. By default, it will take the
original behavior. if _MULTI_VBT_FILE in BoardConfig.py is specified,
multiple VBT files can be used.
If multiple VBT table support is required, list them as:
{VbtImageId1 :VbtFileName1, VbtImageId2 : VbtFileName2, ...}
VbtImageId is ID to identify a VBT image. It is a UINT32 number to
match the ImageId field in the VBT container.
VbtFileName is the VBT file name. It needs to be located under platform
VbtBin folder.
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
BuildLoader.py will failure to run git command if Slim bootloader
source code is not in a git repo. Update Buildloader.py to check
if git repo could not be detected, it will not run git command to
clean un-tracked git files.
TEST=Tested to build/clean APL success without git repo.
Signed-off-by: Guo Dong <guo.dong@intel.com>
This patch fixed some QEMU firmware update related issues.
It enabled firmware update testing on QEMU using script.
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
In current implementation, FspDebug/BldDebug flag is saved into
VerInfo.txt. But it should be always determined by the build flags
instead of the VerInfo.txt file. This patch fixed#84 .
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
This patch enabled payload loading into high memory by default. It
is a more flexible way to allocate memory for payload image instead
of hard-coded base address. However, in some special cases, such
as UEFI payload, it still needs to be executed at pre-compiled address.
This patch also handled this special case in the flow.
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
This patch added support to allow payload binaries in platform folder
instead of PayloadPkg/PayloadBins. Sometimes platform might have its
own customized payload specifically for this platform. In this case,
it is better to put the payload binaries in its platform folder.
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
Build a new SMM info HOB to payload to report SMM info.
Add UEFI payload variable region into flash map.
TEST=Tested on LeafHill with UEFI payload.
Signed-off-by: Guo Dong <guo.dong@intel.com>
SBL supports putting platform packages in a separate repo tree
defined by environment variable PLT_SOURCE. Current build process
will always retrieve the latest commit id info from open source
repo as version even when the platform uses a separate repo tree.
This patch corrected this behavior. When a platform package is in
a separate repo, the git commit id info will be retrieved from that
platform repo instead.
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
When BaseTools is not ready, 'python BuildLoader.py clean' initiates
building BaseTools even if it is 'clean' command. Therefore, move
rebuild_basetools() into pre_build().
Additionaly, all unstaging files in BaseTools directory will be cleared
to re-compile BaseTools when 'distclean' is executed.
Signed-off-by: Aiden Park <aiden.park@intel.com>
The latest SBL source code does not build on certain environment.
For example, when PYTHON_HOME is not set manually, it will cause
build failure due to invalid path for python.exe. This patch will
set the PYTHON_HOME env variable if it has not been set already.
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
Ported the patch from EDKII repository and added following up changes
<Original commit info in EDKII>
commit 7b500c606ad101fad52327318af37889048cd45e
Author: Liming Gao <liming.gao@intel.com>
Date: Tue Oct 16 23:08:46 2018 +0800
BaseTools: Remove the step to freeze python tool
https://bugzilla.tianocore.org/show_bug.cgi?id=1257
Binary python tool is not supported anymore. So, the freeze python tool
step is not required.
Signed-off-by: Aiden Park <aiden.park@intel.com>
The patch gives the platform the configuration capability to only build
required file system into final image.
This helps to have a smaller image for fast boot.
Signed-off-by: Guo Dong <guo.dong@intel.com>
Current code refers hash store as "key store". It is confusing
since there is no key stored in the image at all. Instead, the
public key hash is stored. The patch renames the KeyStore
to HashStore.
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
SBL has no intention to support SMI. However, on many hardware
platforms, there is no reliable way to prevent SMI from generating
through SMI IPI. In case it occurs, CPU will jump to the default
0x38000 location for execution, which exposes huge security issues.
The recommended solution is to do basic SMM base relocation and put
a dummy SMI handler (RSM) there for platform does not support SMI
disabling. In this way, the SMI will be ignored, and it also closes
the security concerns. This patch implemented basic SMM relocation.
It is under the control of a new PCD PcdSmmRebaseEnabled. By default,
it is disabled. To enable it, please set ENABLE_SMM_REBASE in
BoardConfig.py. As part of it, platform library needs to set
PcdSmramTsegBase and PcdSmramTsegSize properly in PreSiliconInit board
hook. Please take APL platform for reference.
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
Previous USB keyboard console support commit worked fine on APL real
platform, but it has issue on QEMU. This patch further enables USB
keyboard console support for QEMU. A new PcdUsbKeyboardPollingTimeout
is added. It will be used to control the USB keyboard interrupt
transfer polling timeout. For QEMU, it needs a larger number due to
timing issue. As part of it, booting from USB device is also enabled
by this patch. This patch fixes#30.
To test USB keyboard console in QEMU, please first change
CONSOLE_IN _DEVICE_MASK in BoardConfig.py to 3, and then add the
following in the QEMU command line to add XHCI controller and USB KB:
-device qemu-xhci,id=xhci,bus=pcie.0,addr=4 -device usb-kbd,bus=xhci.0
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
On APL platform, all PCI MMIO range is set to UC in current
implementation. It includes graphics framebuffer MMIO. It
caused the system performance issue due to large mount of
framebuffer write access. This patch set framebuffer as
WC (WriteCombining) per recommendation to enhance system
performance.
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
This patch simplifies the GraphicsLib code and adds an abstraction layer
for printing to a virtual "console," through the familier
ConsoleWrite(buffer, len) style function call.
ConsoleWrite can be configured to output to either the serial port, or
the display framebuffer, or both. This primarily enables the command
shell to be used with a display and keyboard.
Signed-off-by: Borgerson, Matthew A <matthew.a.borgerson@intel.com>
* Enable DebugAgentLib to support source level debug over serial
By default, source level debug is NOT enabled. ENABLE_SOURCE_DEBUG
needs to be set to 1 in BoardConfig.py of each Platforms.
- self.ENABLE_SOURCE_DEBUG = 1
As an initial drop, there are some limitations on APL platform.
- Stage1A does not include DebugAgentLib due to Stage1A size
limitation(32KB). Further optimization is required.
- DebugAgentLib supports ONLY POSTMEM debugging on APL currently.
Refer to EDKII Debugging:
- https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Debugging
- https://github.com/tianocore/tianocore.github.io/wiki/SourceLevelDebugPkg
Change-Id: Ia28c5470bc5755768f2b380cc1dabbcb8ee60f0d
Signed-off-by: Aiden Park <aiden.park@intel.com>
* Additional changes for DebugAgent
- Adjust stage size depending on ENABLE_SOURCE_DEBUG Pcd value
- Add PeCoffFindAndReportImageInfo
- Fix debugger hang at Shell
Change-Id: I11b41e5ad610fcb2999e9d43e5dd8f8899e8265a
Signed-off-by: Aiden Park <aiden.park@intel.com>
* Move PeCoffFindAndReportImageInfo() from LitePeCoffLib to DebugAgentLib
Change-Id: I2c4ab4f9561dfd0536da1820048f0e5f2660e2ab
Signed-off-by: Aiden Park <aiden.park@intel.com>
Current implementation assumes serial port is the only input console
device supported. But other input console devices can be added later
on. This patch added a ConsoleInLib to abstract the input console
interfaces. It also added PCDs to control enabled input console
devices.
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
When there are multi versions of VS installed on the Windows host
system, BuildLoader.py often set up old VS version for the toolchain
variable. Resolve it by changing the structure type of vs_ver_list.
Signed-off-by: Augustine Chen <augustine.chen@intel.com>
Update build tool to use Buildloader.py to build SBL
in both Linux and Windows.
Update tools to support multiple workspaces, so platform
packages could be in another place.
TEST=Build qemu and APL platform success.
Change-Id: I2482037ba605218c947b6de28abe8e3eeacdc17f
Signed-off-by: Guo, Dong <guo.dong@intel.com>
Aiden Park