Currently this tools creates keys and replaces existing ones.
Added user confirmation before existings ones are replaced.
Selecting all replaces subsequent keys getting generated.
Update OS private key name to OS1_TestKey_Priv_RSA3072.pem.
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
Current Linux payload support in SBL only loads command line and
kernel image, and it does not load InitRd image. It is possible
to have the InitRd image built into the keneral image, but it is
more convenient to have separate InitRd support. This patch added
this.
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
Capsule Command support added for anti rollback
security version number. User can create command
in text file and create capsule with CMDI mode.
{ARBSVNCOMMIT}
Platform APIs would be invoked to do SVN
commit operations by useing HECI interfaces.
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
LocateComponentEntry is modified to locate only container
entry. Additional checks are required at consumer end
for Container entry and CompEntry.
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
Use default svn while creation of container using command line
when user do not specify svn. Using layout format, user still need
to specify the SVN value.
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
The current MulitBoot loading code in SBL did not follow the specification.
The spec stated "The offset in the OS image file at which to start loading
is defined by the offset at which the header was found, minus
(header_addr - load_addr)". However, the current code always copies from
offset 0 of the image file. It caused exception when loading some valid
multiboot image.
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
Add support for security version check for
container and its components with ones available
in flash for capsule updates.
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
This patch fixed incorrect hiding conditions for CFL GPIO pins.
Verified the GPIO configuration options can show/hide depending
on the state of GPIO skip option. It fixed#762.
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
Add option -k with SBL build for key generation.
This is to enable user who do not generate keys
for signing as pre-build step.
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
Add svn field to container generation. SVN need
to be verified while doing container capsule
update. svn is added as end parameter to layout.
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
KEY IDs are extended to include key type and sizes.
Platforms can configure corresponding RSA2048 and
RSA3072 KEY IDs. Updated tools to adjust hash type
based on key size.
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
Gpio convert tool can be common and accepts a
platform specific config file with Group Info
and other settings as input.
Example for CFL/WHL:
Convert gpio.csv into .dsc format:
python
($SBL)\SblOpen\Platform\CommonBoardPkg\Tools\GpioDataConvert.py
-if gpio.csv
-of dsc
-cf ($SBL)\SblOpen\Platform\CoffeelakeBoardPkg\Script\GpioDataConfig.py
Signed-off-by: Sai Talamudupula <sai.kiran.talamudupula@intel.com>
Smbios spec advises to use 'Handle' field in the
Type header to get the type information. This patch
updates the Handle field with the 'Type' value to
be unique. Also, update the Entry Point struct to
report the number of Types implemented currently.
Signed-off-by: Sai Talamudupula <sai.kiran.talamudupula@intel.com>
Signing interface is updated to use keys generated
from GenerateKeys.py available in tools.
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
The 'fs' shell command initializes media device with media type info,
but it's not able to initialize another controller of same media type.
Therefore, 'fs init' accepts device instance number.
ex) SATA(0), SATA device instance 1, hwpart 2, swpart 3
fs init 0:1 2 3
Signed-off-by: Aiden Park <aiden.park@intel.com>
Udated error handling for SBL Key dir and error
messages to guide user to use GenerateKeys tool.
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
This patch converted key hash store in SBL image into container
format. In this way unified data structure can be used to
simplify code.
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
A PPB PCI_IO_DEVICE instance has BIT31 in its Address field to identify
the device as PPB type. But, the bit is set after scanning the PPB.
This skips PPB type check in PciGetMaxBusNumber() and let a caller
guarantee PPB type check instead of adding a field in PCI_IO_DEVICE
for PPB device.
Signed-off-by: Aiden Park <aiden.park@intel.com>
Dummy keys are generated for Os Image Pub Key.
This is to get key hash component generated along
with PUBKEY_OS. User need to replace OS1_TestKey_Pub_**
with appropriate keys.
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
This patch enables usage of key id for private keys
in slimboot repo. Key ids are configured in
BuildLoader and platform BoardConfig files.
SLIMBOOT_KEY_DIR is set to default folder outside
sblopen.
Generation of extrenal Keyhash OS key hash to be configured
for QEMU/CGL/APL with appropriate keys.
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
At PciScanBus, a PCI bridge sets PCI Bridge Subordinate Bus to 0xFF
temporary to go thru any PPB. But, a platform has some reserved buses
(ex. 0xFB-0xFF) on PCI hierarchy, and writing 0xFF regardless of
reserved bus ranges causes system hang.
Therefore, PciGetMaxBusNumber will be used for PCI Bridge Subordinate
Bus and it gets the number of buses from PCI Enum Policy to skip the
reserved buses.
Signed-off-by: Aiden Park <aiden.park@intel.com>
The unnecessary wbinvd() is removed from the common ResetSystemLib,
and it moves to a platform specific reset routine.
Signed-off-by: Aiden Park <aiden.park@intel.com>
Maintaining individual public hashes for external key hash and
considering SHA384 sizes this value increases.
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
- Created BaseIpcLib
- Sideband Interface picked from
tianocore/edk2-platforms
branch: devel-IntelAtomProcessorE3900
commit: 181f9e6c6ccde6e3fa62278b3a8b39cfb5844a7c
- IPC Interface picked from
tianocore/edk2-platforms
branch: devel-IntelAtomProcessorE3900
commit: 181f9e6c6ccde6e3fa62278b3a8b39cfb5844a7c
- Updated Stage1BBoardInitLib.C with a test function
Signed-off-by: Andrey Vinokurtsev <avinok@gmail.com>
RSA keys are generated based on key ids defined.
User can append signing_keys as per their requirements.
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
This patch adds support to key ids in single sign script.
Following pre-requistes to enable usage of key ids,
- Generate required RSA keys as per GenerateKeys.py
- SLIMBOOT_KEY_DIR env variable set to key folder
- Set private key paths to respective ids in
buildloader.py and boardconfigs files
- Update key hash store generation to use respective key ids
Enabling keyids in slimboot would be done subsequently.
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
SPI driver is updated to support read linux from
BIOS and PDR region, When boot device SPI is
selected.
Signed-off-by: Mutha <naga.naveen.mutha@intel.com>
TestSigningPrivateKey is defaulted for container
creation in non-layout form and key dir is used.
In CfgDataStitch also TestSigningPrivateKey is
defaulted when key dir is specified.
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
FspsUpd variable made global so that it could be accessed out of
FspSilicon function.
Patchable PCD has been created for FspsUpd and Memory pool allocated.
Signed-off-by: Perni <ramesh.chandra.perni@intel.com>
CommonUtility.py – It contains common functionality
for signing and extraction Of public key info.
It adds the necessary structures for signed data.
SingleSign.py – It contains core functionality related
to openssl for sign operations. This script will
be enhanced for accessing key store.
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
This patch fixed OsLoader boot from SD card issue on Intel APL CRB
borads. The SD/eMMC library was updated to follow the proper sequence
for SD card. Also platform code was updated to detect SD card and
apply SD card power using proper GPIO pins.
It fixed#729.
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
IA32 UEFI payload uses PE format and X64 UEFI payload uses
PE+ format. So update LitePeCofflib to support both PE and
PE+.
Signed-off-by: Guo Dong <guo.dong@intel.com>
- Default SMBIOS Table initialized when SMBIOS is enabled.
- If required, Every Platform can override platform specific information.
- Enable SMBIOS in Qemu platform.
- Update Memory allocation for SmbiosStringsPtr for 32 entries.
Signed-off-by: Sm NARAYANAN <s.m.narayanan@intel.com>
SIGN_HASH_TYPE and IPP_HASH_LIB_SUPPORTED_MASK are derived from
_SIGN_HASH. AT times only _SIGN_HASH is configured in
BoardConfig.py which causes in incorrect hash set to
respective PCDs.
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
This will fix an unexpected exception when AhciHcPciBase is invalid
or the PCI config space is not enabled.
Signed-off-by: Aiden Park <aiden.park@intel.com>
Current SBL supports container header verification. If the container
signature is BOOT, it will use HASH_USAGE_PUBKEY_OS. Otherwise, it
will use HASH_USAGE_PUBKEY_CONTAINER_DEF. This patch added OEM signed
container support. If a container signature between OEM0 to OEM7 is
found, it will be verified use HASH_USAGE_PUBKEY_OEM(x) where x is 0
to 7. To add an OEM public key hash, it can be done by updating
pub_key_list in GetKeyHashList() in file BoardConfig.py.
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
FSP 2.1 introduced new requirement to use bootloader stack for FSP-M. It
will cause issue for SBL since SBL only uses a small stack in Stage1. To
address this issue, a new PCD PcdFSPMStackTop is added to control the
stack settings for FSP-M.
- If it is 0, it will not switch stack before calling FspMemoryInit API.
- If it is 0xffffffff, it will switch to the new default FSP stack
before calling FspMemoryInit API.
- For other values, it will switch to the new stack at specified value
before calling FspMemoryInit API.
This PCD will be set automatically by FSP_M_STACK_TOP variable in
BoardConfig.py file.
This code has been tested on UP Extreme board with latest FSP version.
Signed-off-by: Maurice Ma <maurice.ma@intel.com>
This patch adds generic functionality to
process Flash descriptor lock. It follows
Capsule Firmware update flow and interface
is updated. Command (CMDI) interface is added
to GenCapsuleFirmware which takes file with
command as input.
Sample Command format in text file input,
{FLASHDESCLOCK}
{Command2}
{Command3}
Firmware update lib handler parses high level commands
Specific command process and functionlity would be
performed by platform specific libraries.
Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>
This will support PCI SR-IOV(Single Root I/O Virtualization).
- Controlled by PcdSrIovSupport (SUPPORT_SR_IOV in BoardConfig)
- Disabled by default
Signed-off-by: Aiden Park <aiden.park@intel.com>