Closed tlaurion closed 2 years ago
@JeffreyAbbinante :

```sh
cd heads
cp -r patches/coreboot-4.8.1/ patches/coreboot-4.9
```

Start the work!! :) Most of the patches seem to have been merged already. @kylerankin : Librem13v2 patches would need to be validated.
I was expecting to see measured boot offered in coreboot so I could play with it on the x230, and asked @zaolin over Slack whether only the following platforms were supported:

```sh
user@build-x230-coreboot-49:~/heads/build/coreboot-4.9$ grep -R CONFIG_VBOOT_MEASURED_BOOT
src/soc/amd/stoneyridge/Makefile.inc:postcar-$(CONFIG_VBOOT_MEASURED_BOOT) += i2c.c
src/soc/intel/apollolake/Makefile.inc:postcar-$(CONFIG_VBOOT_MEASURED_BOOT) += gspi.c
```

To which he replied that all platforms were supported. Unfortunately, that doesn't seem to be the case: I see vboot being supported on all platforms, and measured boot being a sub-option only for some boards:

```sh
make -C build/coreboot-4.9/ DOTCONFIG=../../config/coreboot-x230.config menuconfig
```
What patches should I be leaving out? I only have an X230 to test them on.
@JeffreyAbbinante :

0000-measuredboot.patch needs to be figured out for sure, as does validating and porting all of the other patches so measured boot works for all supported boards before this PR is merged :)
Can you contribute to my pull request? I can add you to my fork if you like. For now, I have coreboot 4.9 booting with the heads system.
@JeffreyAbbinante FYI what @tlaurion is referring to is that the patches/ directory is version-specific (patches/coreboot-4.8.1), so while you've updated the coreboot module to be 4.9, the patches to coreboot that provide Heads-specific functionality need to be migrated and tested as well. Right now, your system is booting using vanilla coreboot without the module measurement, etc.
@flammit I understood what he meant. I am compiling a version with the patches already right now.
@JeffreyAbbinante whoops - that's what I get for not reading the whole thread. sorry about that and thanks for the help!
@flammit no problem. Would anyone happen to know what patches were merged into upstream?
@JeffreyAbbinante :

I'm unfortunately doing something else right now and can't review the patches. I've started, but since I did not see the measured boot functions I was expecting and the measured boot patch failed, I went to do other things after asking @zaolin for more information.

Here is what I have in my bash history to test the applicability of each patch:

```sh
cd heads
# drop the *_verify stamp files so the downloaded tarballs get re-checked
find ./ -name '*_verify' | xargs rm
# snapshot the crossgcc tarballs and packages so each rebuild stays offline
tar cvzf packages-coreboot49.tar.gz ./build/coreboot-4.9/util/crossgcc/tarballs/ packages/
cp -r patches/coreboot-4.8.1/ patches/coreboot-4.9
rm -rf build/coreboot-4.9/ && tar zxvf packages-coreboot49.tar.gz && make BOARD=x230
```

The patches present under patches/coreboot-4.9 will be applied one by one when building the coreboot module you already modified, following the top-level Makefile instructions. Then, one by one, verify what failed in the .rej files produced, modify the original patches accordingly and repeat:

```sh
rm -rf build/coreboot-4.9/ && tar zxvf packages-coreboot49.tar.gz && make BOARD=x230
```

> Would anyone happen to know what patches were merged into upstream?

Most of them were. You will see warnings from the patch command asking whether you want those changes to be applied in reverse (to undo the patch).

I will resume attempts in the next few days, but I'm really happy someone else is also taking a look at it :)

Let us know where it hangs!
So I took out my other laptop with a bit more processing power... to make compiling faster. I hope to find some stuff later this week.
The measured boot patch needs work for sure.

```
Applying patch file : patches/coreboot-4.9/0000-measuredboot.patch
patching file src/Kconfig
Hunk #1 succeeded at 278 (offset 18 lines).
can't find file to patch at input line 31
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git ./src/drivers/pc80/tpm/romstage.c ./src/drivers/pc80/tpm/romstage.c
|index b8e4705..7732e66 100644
|--- ./src/drivers/pc80/tpm/romstage.c
|+++ ./src/drivers/pc80/tpm/romstage.c
--------------------------
File to patch:
```
I went through the work of testing all the patches individually. This is what I got so far. Some of the patches were already applied but it seems like we all have a lot of work to do.
```
Applying patch file : patches/coreboot-4.9/0000-measuredboot.patch
patching file src/Kconfig
Hunk #1 succeeded at 278 (offset 18 lines).
can't find file to patch at input line 31
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
|diff --git ./src/drivers/pc80/tpm/romstage.c ./src/drivers/pc80/tpm/romstage.c
|index b8e4705..7732e66 100644
|--- ./src/drivers/pc80/tpm/romstage.c
|+++ ./src/drivers/pc80/tpm/romstage.c
File to patch:

Applying patch file : patches/coreboot-4.9/0007-intel-fsp-fsp2_0-Fix-FSP-2.0-headers-to-match-github.patch
can't find file to patch at input line 22
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
From 8e7e0e390fcfda226f0d78bfa883ffee12f751a8 Mon Sep 17 00:00:00 2001
From: Youness Alaoui youness.alaoui@puri.sm
Date: Fri, 9 Feb 2018 18:32:51 -0500
Subject: [PATCH 7/9] intel/fsp/fsp2_0: Fix FSP 2.0 headers to match github version

The current FSP 2.0 headers do not match the headers from the official FSP 2.0 image that was released on github [1].

[1] https://github.com/IntelFsp/FSP/tree/Kabylake/KabylakeFspBinPkg

Change-Id: I233bf7cf6f62e9e1b389d42a09461717a3285f0f
Signed-off-by: Youness Alaoui youness.alaoui@puri.sm
---
 src/vendorcode/intel/fsp/fsp2_0/skykabylake/MemInfoHob.h | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/src/vendorcode/intel/fsp/fsp2_0/skykabylake/MemInfoHob.h b/src/vendorcode/intel/fsp/fsp2_0/skykabylake/MemInfoHob.h
index 248b4d5ef1..3abc877a19 100644
--- a/src/vendorcode/intel/fsp/fsp2_0/skykabylake/MemInfoHob.h
+++ b/src/vendorcode/intel/fsp/fsp2_0/skykabylake/MemInfoHob.h
File to patch:

Applying patch file : patches/coreboot-4.9/0009-Add-heads-TPM-measurements-to-Skylake-Kabylake.patch
patching file src/arch/x86/postcar.c
Hunk #1 FAILED at 19.
Hunk #2 succeeded at 40 (offset -3 lines).
1 out of 2 hunks FAILED -- saving rejects to file src/arch/x86/postcar.c.rej
patching file src/drivers/intel/fsp2_0/memory_init.c
Hunk #1 FAILED at 150.
Hunk #2 succeeded at 408 (offset -75 lines).
1 out of 2 hunks FAILED -- saving rejects to file src/drivers/intel/fsp2_0/memory_init.c.rej
patching file src/drivers/intel/fsp2_0/silicon_init.c
Hunk #2 succeeded at 104 (offset 2 lines).
Hunk #3 succeeded at 122 (offset 2 lines).
patching file src/drivers/pc80/tpm/Makefile.inc
Hunk #1 FAILED at 3.
1 out of 1 hunk FAILED -- saving rejects to file src/drivers/pc80/tpm/Makefile.inc.rej
patching file src/security/tpm/Makefile.inc
Hunk #1 FAILED at 4.
1 out of 1 hunk FAILED -- saving rejects to file src/security/tpm/Makefile.inc.rej
make[1]: [Makefile:357: /home/jeffrey/git/heads-cb4.9/build/coreboot-4.9/.canary] Error 1
make[1]: Leaving directory '/home/jeffrey/git/heads-cb4.9'
Makefile:559: recipe for target 'all' failed
make: [all] Error 2

Applying patch file : patches/coreboot-4.9/0020-kgpe-d16.patch
patching file src/mainboard/asus/kgpe-d16/Kconfig
Hunk #1 succeeded at 27 (offset -1 lines).
patching file src/mainboard/asus/kgpe-d16/devicetree.cb
patching file src/mainboard/asus/kgpe-d16/dsdt.asl
Hunk #1 succeeded at 51 (offset 1 line).
Hunk #2 succeeded at 489 (offset 1 line).
Hunk #3 succeeded at 617 (offset 1 line).
patching file src/mainboard/asus/kgpe-d16/mainboard.c
Hunk #1 succeeded at 66 (offset -4 lines).
patching file src/mainboard/asus/kgpe-d16/romstage.c
Hunk #1 FAILED at 88.
1 out of 1 hunk FAILED -- saving rejects to file src/mainboard/asus/kgpe-d16/romstage.c.rej
make[1]: [Makefile:357: /home/jeffrey/git/heads-cb4.9/build/coreboot-4.9/.canary] Error 1
make[1]: Leaving directory '/home/jeffrey/git/heads-cb4.9'
Makefile:559: recipe for target 'all' failed
make: [all] Error 2

Applying patch file : patches/coreboot-4.9/0030-sandybridge.patch
patching file src/northbridge/intel/sandybridge/romstage.c
Hunk #1 FAILED at 29.
Hunk #2 succeeded at 70 (offset -2 lines).
Hunk #3 FAILED at 130.
2 out of 3 hunks FAILED -- saving rejects to file src/northbridge/intel/sandybridge/romstage.c.rej
make[1]: [Makefile:357: /home/jeffrey/git/heads-cb4.9/build/coreboot-4.9/.canary] Error 1
make[1]: Leaving directory '/home/jeffrey/git/heads-cb4.9'
Makefile:559: recipe for target 'all' failed
make: [all] Error 2

Applying patch file : patches/coreboot-4.9/0050-buildgcc-Do-not-try-to-install-GCC-if-build-failed.patch
patching file util/crossgcc/buildgcc
Hunk #1 FAILED at 751.
1 out of 1 hunk FAILED -- saving rejects to file util/crossgcc/buildgcc.rej
make[1]: [Makefile:357: /home/jeffrey/git/heads-cb4.9/build/coreboot-4.9/.canary] Error 1
make[1]: Leaving directory '/home/jeffrey/git/heads-cb4.9'
Makefile:559: recipe for target 'all' failed
make: [all] Error 2

Applying patch file : patches/coreboot-4.9/0051-buildgcc-Update-IASL-to-20180531.patch
patching file util/crossgcc/buildgcc
Hunk #1 FAILED at 18.
Hunk #2 FAILED at 42.
2 out of 2 hunks FAILED -- saving rejects to file util/crossgcc/buildgcc.rej
The next patch would delete the file util/crossgcc/patches/acpica-unix2-20161222_iasl.patch, which does not exist!
Assume -R? [n]

Applying patch file : patches/coreboot-4.9/0052-crossgcc-Update-to-clang-6.0-cmake-3.11.3.patch
patching file util/crossgcc/buildgcc
Reversed (or previously applied) patch detected! Assume -R? [n]

Applying patch file : patches/coreboot-4.9/0053-src-Get-rid-of-unneeded-whitespace.patch
patching file util/crossgcc/buildgcc
Reversed (or previously applied) patch detected! Assume -R? [n]

Applying patch file : patches/coreboot-4.9/0054-util-crossgcc-Allow-building-a-new-gcc-against-new-b.patch
patching file util/crossgcc/buildgcc
Hunk #1 FAILED at 752.
1 out of 1 hunk FAILED -- saving rejects to file util/crossgcc/buildgcc.rej
make[1]: [Makefile:357: /home/jeffrey/git/heads-cb4.9/build/coreboot-4.9/.canary] Error 1
make[1]: Leaving directory '/home/jeffrey/git/heads-cb4.9'
Makefile:559: recipe for target 'all' failed
make: [all] Error 2

Applying patch file : patches/coreboot-4.9/0055-crosgcc-patches-Add-make-patch-for-GLIBC-glob-interf.patch
patching file util/crossgcc/patches/make-4.2.1_gnu_glob_interface_v2.patch

Applying patch file : patches/coreboot-4.9/0056-util-crossgcc-update-to-gcc-8.1.0-and-binutils-2.30.patch
patching file util/crossgcc/buildgcc
Hunk #1 FAILED at 18.
Hunk #2 FAILED at 38.
Hunk #3 FAILED at 57.
3 out of 3 hunks FAILED -- saving rejects to file util/crossgcc/buildgcc.rej
patching file util/crossgcc/patches/binutils-2.30_mips-gold.patch (already renamed from util/crossgcc/patches/binutils-2.29.1_mips-gold.patch)
The next patch would create the file util/crossgcc/patches/binutils-2.30_nds32.patch, which already exists!
Assume -R? [n]

Applying patch file : patches/coreboot-4.9/0057-util-crosgcc-patches-update-make-4.2.1-patches.patch
The next patch would create the file util/crossgcc/patches/make-4.2.1_0053-glob-Do-not-assume-glibc-glob-internals.patch, which already exists!
Assume -R? [n]

Applying patch file : patches/coreboot-4.9/0058-util-crosgcc-Fix-most-shellcheck-errors-in-buildgcc.patch
patching file util/crossgcc/buildgcc
Reversed (or previously applied) patch detected! Assume -R? [n]

Applying patch file : patches/coreboot-4.9/0059-util-Add-description.md-to-each-util.patch
The next patch would create the file util/crossgcc/description.md, which already exists!
Assume -R? [n]
```
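The procedure described earlier in the thread (copy the 4.8.1 patch directory, rebuild, read the .rej files, repeat) produces a lot of output like the log above. As an added example, not code from this thread or from Heads, here is a small Python triage script that parses that `patch` output and sorts each patch into the buckets the discussion uses: already merged upstream (reversed-patch or already-exists prompts, candidates to drop), target file missing (path moved or removed upstream), hunks rejected (needs a rebase, with the .rej files to look at), or applied cleanly. The embedded log is a constructed, shortened excerpt of the output posted above.

```python
import re

# Constructed sample: shortened excerpts of the build output posted above.
SAMPLE_LOG = """\
Applying patch file : patches/coreboot-4.9/0000-measuredboot.patch
patching file src/Kconfig
Hunk #1 succeeded at 278 (offset 18 lines).
can't find file to patch at input line 31
Perhaps you used the wrong -p or --strip option?
File to patch:
Applying patch file : patches/coreboot-4.9/0020-kgpe-d16.patch
patching file src/mainboard/asus/kgpe-d16/Kconfig
Hunk #1 succeeded at 27 (offset -1 lines).
patching file src/mainboard/asus/kgpe-d16/romstage.c
Hunk #1 FAILED at 88.
1 out of 1 hunk FAILED -- saving rejects to file src/mainboard/asus/kgpe-d16/romstage.c.rej
Applying patch file : patches/coreboot-4.9/0030-sandybridge.patch
patching file src/northbridge/intel/sandybridge/romstage.c
Hunk #1 FAILED at 29.
Hunk #2 succeeded at 70 (offset -2 lines).
Hunk #3 FAILED at 130.
2 out of 3 hunks FAILED -- saving rejects to file src/northbridge/intel/sandybridge/romstage.c.rej
Applying patch file : patches/coreboot-4.9/0052-crossgcc-Update-to-clang-6.0-cmake-3.11.3.patch
patching file util/crossgcc/buildgcc
Reversed (or previously applied) patch detected!  Assume -R? [n]
Applying patch file : patches/coreboot-4.9/0055-crosgcc-patches-Add-make-patch-for-GLIBC-glob-interf.patch
patching file util/crossgcc/patches/make-4.2.1_gnu_glob_interface_v2.patch
"""

# Messages that mean (part of) the change is already in the upstream tree.
UPSTREAMED_MARKERS = (
    "Reversed (or previously applied) patch detected",
    "which already exists!",
    "which does not exist!",
)
HUNK_SUMMARY = re.compile(r"(\d+) out of (\d+) hunks? FAILED")
REJECT_FILE = re.compile(r"saving rejects to file (\S+)")
PATCH_HEADER = re.compile(r"^Applying patch file : (\S+)\s*$", re.M)


def split_patch_sections(log):
    """Yield (patch basename, the text patch(1) printed for that patch)."""
    headers = list(PATCH_HEADER.finditer(log))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(log)
        yield m.group(1).rsplit("/", 1)[-1], log[m.end():end]


def classify_section(text):
    """Map one patch's output to a triage bucket plus supporting detail."""
    failed = sum(int(n) for n, _total in HUNK_SUMMARY.findall(text))
    rejects = REJECT_FILE.findall(text)
    if any(marker in text for marker in UPSTREAMED_MARKERS):
        status = "upstreamed"    # drop it, or keep only the unmerged part
    elif "can't find file to patch" in text:
        status = "missing-file"  # file moved or removed upstream: relocate or drop
    elif failed:
        status = "rebase"        # regenerate the failed hunks from the .rej files
    else:
        status = "clean"
    return {"status": status, "failed_hunks": failed, "rejects": rejects}


def triage(log):
    """Return {patch name: classification} for every patch in the log."""
    return {name: classify_section(text) for name, text in split_patch_sections(log)}


if __name__ == "__main__":
    for name, info in triage(SAMPLE_LOG).items():
        print(f"{info['status']:<13} {name}  failed={info['failed_hunks']} {info['rejects']}")
```

Feed it the full build log (`make BOARD=x230 2>&1 | tee build.log`, then `triage(open("build.log").read())`) to get the drop / relocate / rebase list in one pass instead of reading each failure by hand.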
@zaolin confirms that measured boot hasn't made it to coreboot 4.9 as planned.
0007-intel-fsp-fsp2_0-Fix-FSP-2.0-headers-to-match-github.patch should be dropped, since coreboot now has the option to use the headers/binaries from the 3rdparty/fsp repo (which is a mirror of the Intel FSP github repo). It just requires changing the coreboot config for the affected boards, which is trivial.
Let's track measured boot WiP upstream in coreboot and switch to coreboot git commit id once it's merged?
refer to #515
To be added in this PR
* [ ] integrate/test:
  * [ ] [Add VBOOT support](https://review.coreboot.org/c/coreboot/+/29816)
  * [ ] [Enable VBOOT support](https://review.coreboot.org/c/coreboot/+/29815/1)
  * [ ] check if fmap is correct
  * [ ] set CMOS flags correctly
Does this apply to the X230 too? Also, how about being lazy and bumping coreboot with the next release that includes measured boot in vboot + support for the X230? I guess we'll have to make changes in userspace anyway? Do we? Which ones, and who will do them? Thanks!
@merge: I have none of the answers right now. I just added information here to update status. From my understanding, those changes would work with the x230 as well but need to be tested.
Yep, userspace will need to be adjusted also, since only a subset of PCRs are used now. I will find the relevant information on u-root and edit this post later on.

@zaolin: your direct input would be more than welcome on the work needing to be done.
@merge : from https://review.coreboot.org/c/coreboot/+/29547/73/Documentation/security/vboot/measured_boot.md , userland tools will have to take into account sealing of only the following PCRs:

> ## Platform Configuration Register
>
> Normally PCR 0-7 are reserved for firmware usage. In coreboot we use just 4 PCR banks in order to store the measurements. coreboot uses the SHA-1 or SHA-256 hash algorithm depending on the TPM specification for measurements. PCR-4 to PCR-7 are left empty.
>
> ### PCR-0
> _Hash:_ SHA1
> _Description:_ Google VBoot GBB flags.
>
> ### PCR-1
> _Hash:_ SHA1/SHA256
> _Description:_ Google VBoot GBB HWID.
>
> ### PCR-2
> _Hash:_ SHA1/SHA256
> _Description:_ Core Root of Trust for Measurement which includes all stages, data and blobs.
>
> ### PCR-3
> _Hash:_ SHA1/SHA256
> _Description:_ Runtime data like hwinfo.hex or MRC cache.
Estimation in man-days: 8 PD
Refer to pull request #501
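What "sealing to only PCR-0..PCR-3" means concretely for a TPM 1.2 part such as the one on the x230, as an added example that is not code from this thread, from Heads or from coreboot. A TPM 1.2 seal policy (the digestAtRelease in TPM_PCR_INFO) is SHA-1 over a TPM_PCR_COMPOSITE: a TPM_PCR_SELECTION (big-endian 16-bit size, then a bitmap where PCR i is bit i%8 of byte i/8), a big-endian 32-bit value size, then the selected 20-byte PCR values in index order. The script parses the text format the Linux TPM 1.2 driver exposes in /sys/class/tpm/tpm0/pcrs, builds the composite over PCR-0..PCR-3 only, and shows that an extend into PCR-4 (left empty by coreboot per the quoted doc) does not affect the sealed digest while a change to PCR-2 does. The PCR values and the sysfs excerpt are constructed, not read from real hardware; the `pcr_extend` model is the TPM 1.2 extend rule, not a call into any TPM.

```python
import hashlib
import re
import struct

PCR_LEN = 20                  # TPM 1.2 PCRs are SHA-1 sized
NUM_PCRS = 24                 # TPM 1.2 minimum PCR count
COREBOOT_PCRS = (0, 1, 2, 3)  # the four PCRs the quoted doc says coreboot fills

# Constructed excerpt in the /sys/class/tpm/tpm0/pcrs format ("PCR-NN: hh hh ...").
SAMPLE_SYSFS = """\
PCR-00: 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11
PCR-01: 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22
PCR-02: 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33
PCR-03: 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44
PCR-04: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-05: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

PCR_LINE = re.compile(r"^PCR-(\d+):\s*((?:[0-9A-Fa-f]{2}\s*)+)$")


def parse_sysfs_pcrs(text):
    """Parse 'PCR-NN: hh hh ...' lines into {index: 20-byte value}."""
    pcrs = {}
    for line in text.splitlines():
        m = PCR_LINE.match(line.strip())
        if not m:
            continue
        value = bytes.fromhex(m.group(2).replace(" ", ""))
        if len(value) != PCR_LEN:
            raise ValueError(f"PCR-{m.group(1)} has {len(value)} bytes, expected {PCR_LEN}")
        pcrs[int(m.group(1))] = value
    return pcrs


def pcr_selection(indices, num_pcrs=NUM_PCRS):
    """TPM_PCR_SELECTION: UINT16 sizeOfSelect (big-endian) then the pcrSelect bitmap."""
    size = (num_pcrs + 7) // 8
    bitmap = bytearray(size)
    for i in indices:
        if not 0 <= i < num_pcrs:
            raise ValueError(f"PCR index {i} out of range")
        bitmap[i // 8] |= 1 << (i % 8)  # PCR i -> bit i%8 of byte i//8
    return struct.pack(">H", size) + bytes(bitmap)


def pcr_composite(pcrs, indices):
    """TPM_PCR_COMPOSITE: selection, UINT32 valueSize (big-endian), selected values in index order."""
    values = b"".join(pcrs[i] for i in sorted(set(indices)))
    return pcr_selection(indices) + struct.pack(">I", len(values)) + values


def composite_hash(pcrs, indices=COREBOOT_PCRS):
    """The digest a TPM 1.2 TPM_Seal/TPM_Unseal compares against (digestAtRelease)."""
    return hashlib.sha1(pcr_composite(pcrs, indices)).digest()


def pcr_extend(current, measurement):
    """Model of TPM_Extend: new = SHA-1(old || SHA-1(measured data))."""
    return hashlib.sha1(current + hashlib.sha1(measurement).digest()).digest()


if __name__ == "__main__":
    pcrs = parse_sysfs_pcrs(SAMPLE_SYSFS)
    sealed = composite_hash(pcrs)
    # A later extend into PCR-4 leaves a policy over PCR-0..3 untouched.
    pcrs[4] = pcr_extend(pcrs[4], b"later boot stage")
    print("PCR-4 changed, still unseals:", composite_hash(pcrs) == sealed)
    # A different firmware stage changes PCR-2: the composite no longer matches.
    pcrs[2] = pcr_extend(pcrs[2], b"different romstage")
    print("PCR-2 changed, unseal fails:", composite_hash(pcrs) != sealed)
```

The practical consequence for the userspace side of this PR: anything that today seals against PCRs outside 0-3 on a coreboot-vboot measured boot has to switch its selection, and the ordering of values inside the composite is by PCR index regardless of the order the caller lists them, so `(3, 0, 1, 2)` and `(0, 1, 2, 3)` produce the same digest.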