Skip to content

Commit

Permalink
kontron-vx3060-s2: simplify example, add build test, improve docs
Browse files Browse the repository at this point in the history
  • Loading branch information
rizlik committed Dec 19, 2024
1 parent edeee1b commit b22fc16
Show file tree
Hide file tree
Showing 4 changed files with 117 additions and 47 deletions.
25 changes: 25 additions & 0 deletions .github/workflows/test-build-kontron-vx3060-s2.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
name: kontron_vx3060_s2 build test

on:
pull_request:
branches: [ '*' ]
jobs:
fsp_qemu_test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
submodules: true
- name: install req
run: |
sudo apt-get update
sudo apt-get install --no-install-recommends -y -q nasm gcc-multilib
- name: setup git
run: |
git config --global user.email "[email protected]"
git config --global user.name "Your Name"
- name: run test
run: |
cp config/examples/kontron_vx3060_s2.config .config
./tools/scripts/x86_fsp/tgl/tgl_download_fsp.sh
make
19 changes: 2 additions & 17 deletions config/examples/kontron_vx3060_s2.config
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
ARCH=x86_64
TARGET=kontron_vx3060_s2
WOLFBOOT_SMALL_STACK=0
SIGN=ECC384
SIGN=ECC256
HASH=SHA256
DEBUG=0
SPMATH=1
Expand All @@ -21,47 +21,32 @@ WOLFBOOT_LOAD_BASE=0x58000200
WOLFBOOT_SECTOR_SIZE?=0x1000
WOLFBOOT_DATA_ADDRESS=0x1000000


FSP_S_BASE=0xffea0000
FSP_T_BASE=0xfff59000
FSP_M_BASE=0xfff60000

WOLFBOOT_ORIGIN=0xfff00000
# 4 MB
# 6 MB
BOOTLOADER_PARTITION_SIZE=0x600000
# 12 MB
BIOS_REGION_SIZE=0xc00000

UCODE0_BASE=0xffd90000
UCODE0_BIN=src/x86/ucode0.bin

FSP_T_BIN=./src/x86/fsp_t.bin
FSP_M_BIN=./src/x86/fsp_m.bin
FSP_S_BIN=./src/x86/fsp_s.bin
FSP_S_UPD_DATA_BIN=./src/x86/fsp_s_upd_data.bin

X86_UART_BASE=0xFE032000
X86_UART_REG_WIDTH=4
X86_UART_MMIO=1

PCH_PCR_BASE=0xFD000000
PCI_ECAM_BASE=0xC0000000

PCI_USE_ECAM=1
PCH_HAS_PCR=1

64BIT=1
ELF=1
DEBUG_ELF=0
MULTIBOOT2=1

FSP_S_LOAD_BASE=0x0FED5F00
STAGE1_AUTH=1
MEASURED_BOOT=1
MEASURED_PCR_A=0
DISK_LOCK=0
WOLFTPM=1
WOLFBOOT_TPM_SEAL=1
WOLFBOOT_TPM_SEAL_KEY_ID=1
WOLFBOOT_UNIVERSAL_KEYSTORE=1
DEBUG_SYMBOLS=1
93 changes: 83 additions & 10 deletions docs/Targets.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ This README describes configuration of supported targets.
* [Cypress PSoC-6](#cypress-psoc-6)
* [Infineon AURIX TC3xx](#infineon-aurix-tc3xx)
* [Intel x86-64 Intel FSP](#intel-x86_64-with-intel-fsp-support)
* [Kontron VX3060-S2](#kontron-vx3060-s2)
* [Microchip SAMA5D3](#microchip-sama5d3)
* [Microchip SAME51](#microchip-same51)
* [Nordic nRF52840](#nordic-nrf52840)
Expand Down Expand Up @@ -3199,24 +3200,96 @@ IMAGE=test-app/image.elf SIGN=--ecc384 tools/scripts/x86_fsp/qemu/make_hd.sh
For more advanced uses of TPM, please check [TPM.md](TPM.md) to configure wolfBoot
according to your secure boot strategy.

### Running on Kontron VX3060-S2
## Kontron VX3060-S2

A reference configuration and helper scripts are provided to run wolfBoot on
Kontron VX3060-S2 board.
A flash dump of the original Flash BIOS is needed.
To compile a flashable image run the following steps:
wolfBoot supports Kontron VX3060-S2 board using Intel Firmware Support Package
(FSP). You can find more details about the wolfBoot support with Intel FSP in
the above [section](#intel-x86_64-with-intel-fsp-support). A minimal
configuration example is provided in
[config/examples/kontron_vx3060_s2.config](config/examples/kontron_vx3060_s2.config).
In order to produce a flashable flash image, a dump of the original flash is
required. To build wolfBoot, follow the following steps:

```
cp config/examples/kontron_vx3060_s2.config .config
./tools/scripts/x86_fsp/tgl/tgl_download_fsp.sh
make tpmtools
./tools/scripts/x86_fsp/tgl/assemble_image.sh -k
make CFLAGS_EXTRA="-DHAVE_ECC256"
make
./tools/scripts/x86_fsp/tgl/assemble_image.sh -n /path/to/original/flash/dump
```

they produce a file named `final_image.bin` inside the root folder of the
repository that can be directly flashed into the BIOS flash of the board.
After running the above commands, you should find a file named `final_image.bin` in the root folder of the repository. The image can be flashed directly into the board.
By default wolfBoot tries to read a wolfBoot image from the SATA drive.
The drive should be partitioned with a GPT table, wolfBoot tries to load an image saved in the 5th or the 6th partition.
You can find more details in `src/update_disk.c`. wolfBoot doesn't try to read from a filesystem and the images need to be written directly into the partition.
This is an example boot log:
```
Press any key within 2 seconds to toogle BIOS flash chip
Cache-as-RAM initialized
FSP-T:A.0.7E build 70
FSP-M:A.0.7E build 70
microcode revision: AA, date: 12-28-2022
machine_update_m_params
calling FspMemInit...
warm reset required
Press any key within 2 seconds to toogle BIOS flash chip
Cache-as-RAM initialized
FSP-T:A.0.7E build 70
FSP-M:A.0.7E build 70
microcode revision: AA, date: 12-28-2022
machine_update_m_params
calling FspMemInit...
success
top reserved 0_78C50000h
mem: [ 0x78C40000, 0x78C50000 ] - stack (0x10000)
mem: [ 0x78C3FFF4, 0x78C40000 ] - stage2 parameter (0xC)
hoblist@0x78C90000
mem: [ 0x78C38000, 0x78C3FFF4 ] - page tables (0x7FF4)
page table @ 0x78C38000 [length: 7000]
mem: [ 0x78C37FF8, 0x78C38000 ] - stage2 ptr holder (0x8)
TOLUM: 0x78C37FF8
mem: [ 0x100000, 0x100014 ] - stage1 .data (0x14)
mem: [ 0x100020, 0x100040 ] - stage1 .bss (0x20)
CPUID(0):1B 756E6547 6C65746E
mem: [ 0x58000100, 0x5806196C ] - wolfboot (0x6186C)
mem: [ 0x5806196C, 0x58282000 ] - wolfboot .bss (0x220694)
load wolfboot end
Authenticating wolfboot at 58000200...
Boot partition: 0x58000100 (sz 399212, ver 0x1, type 0x201)
verify_payload: image open successfully.
verify_payload: integrity OK. Checking signature.
wolfBoot: verified OK.
starting wolfboot 64bit
call temp ram exit...successA.0.7E build 70
call silicon...successcap a 2268409840
ddt disabled 0
device enable: 172049
device enable: 172049
AHCI port 0: Disk detected (det: 04 ipm: 00)
AHCI port 1: Disk detected (det: 03 ipm: 01)
SATA disk drive detected on AHCI port 1
Reading MBR...
Found GPT PTE at sector 1
Found valid boot signature in MBR
Valid GPT partition table
Current LBA: 0x1
Backup LBA: 0x6FCCF2F
Max number of partitions: 128
Software limited: only allowing up to 16 partitions per disk.
Disk size: 1107095552
disk0.p0 (0_8000000h@ 0_100000)
disk0.p1 (0_20000000h@ 0_8100000)
disk0.p2 (4_0h@ 0_28100000)
disk0.p3 (4_0h@ 4_28100000)
disk0.p4 (1_0h@ 8_28100000)
disk0.p5 (0_80000000h@ 9_28100000)
disk0.p6 (0_80000000h@ 9_A8100000)
Total partitions on disk0: 7
Checking primary OS image in 0,5...
Checking secondary OS image in 0,6...
Versions, A:1 B:1
Load address 0x58282000
Attempting boot from partition A
```

## Infineon AURIX TC3xx

Expand Down
27 changes: 7 additions & 20 deletions tools/scripts/x86_fsp/tgl/assemble_image.sh
Original file line number Diff line number Diff line change
Expand Up @@ -3,20 +3,10 @@
WOLFBOOT_DIR=$(pwd)

# 16 MB
BIOS_REGION_SIZE=16777216
BIOS_REGION_PATH=/tmp/bios.bin
SIGN_OPTIONS="--ecc384 --sha256"
SIGN_KEY=$WOLFBOOT_DIR/wolfboot_signing_private_key.der
SIGN_TOOL=./tools/keytools/sign

set -e

make_keys()
{
make keytools
./tools/keytools/keygen --ecc384 -g wolfboot_signing_private_key.der --ecc256 -g tpm_seal_key.key -keystoreDir src/
}

build_and_sign_image()
{
# compute the size differences between $FLASH_DUMP and "$WOLFBOOT_DIR"/wolfboot_stage1.bin and store it in SIZE
Expand All @@ -26,27 +16,24 @@ build_and_sign_image()
cp "$FLASH_DUMP" "$WOLFBOOT_DIR/temp_image.bin"
truncate -s $SIZE "$WOLFBOOT_DIR/temp_image.bin"
cat "$WOLFBOOT_DIR/temp_image.bin" "$BIOS_REGION_PATH" > "$WOLFBOOT_DIR/final_image.bin"
PCR0=$(python ./tools/scripts/x86_fsp/compute_pcr.py "$WOLFBOOT_DIR"/final_image.bin | tail -n 1)
"$WOLFBOOT_DIR"/tools/tpm/policy_sign -ecc256 -key=tpm_seal_key.key -pcr=0 -pcrdigest=$PCR0
IMAGE_FILE="$WOLFBOOT_DIR"/final_image.bin "$WOLFBOOT_DIR"/tools/scripts/x86_fsp/tpm_install_policy.sh policy.bin.sig
if grep -q '^WOLFBOOT_TPM_SEAL=1$' .config; then
PCR0=$(python ./tools/scripts/x86_fsp/compute_pcr.py "$WOLFBOOT_DIR"/final_image.bin | tail -n 1)
"$WOLFBOOT_DIR"/tools/tpm/policy_sign -ecc256 -key=tpm_seal_key.key -pcr=0 -pcrdigest="$PCR0"
IMAGE_FILE="$WOLFBOOT_DIR"/final_image.bin "$WOLFBOOT_DIR"/tools/scripts/x86_fsp/tpm_install_policy.sh policy.bin.sig
fi
}

assemble()
{
cp $WOLFBOOT_DIR/wolfboot_stage1.bin $BIOS_REGION_PATH
cp "$WOLFBOOT_DIR/wolfboot_stage1.bin" $BIOS_REGION_PATH
build_and_sign_image
}

# Parse command line options
while getopts "ks:n:m:" opt; do
while getopts "s:n:m:" opt; do
case "$opt" in
k)
make_keys
exit 0
;;
n)
FLASH_DUMP="$OPTARG"
IBG=0
;;
*)
echo "Usage: $0 [-k] [-s FLASH_DUMP]"
Expand Down

0 comments on commit b22fc16

Please sign in to comment.