From b22fc163054c9c5c8622ec5e750713ff94f8e08b Mon Sep 17 00:00:00 2001 From: Marco Oliverio Date: Thu, 19 Dec 2024 16:44:17 +0000 Subject: [PATCH] kontron-vx3060-s2: simplify example, add build test, improve docs --- .../test-build-kontron-vx3060-s2.yml | 25 +++++ config/examples/kontron_vx3060_s2.config | 19 +--- docs/Targets.md | 93 +++++++++++++++++-- tools/scripts/x86_fsp/tgl/assemble_image.sh | 27 ++---- 4 files changed, 117 insertions(+), 47 deletions(-) create mode 100644 .github/workflows/test-build-kontron-vx3060-s2.yml diff --git a/.github/workflows/test-build-kontron-vx3060-s2.yml b/.github/workflows/test-build-kontron-vx3060-s2.yml new file mode 100644 index 000000000..08e3395d5 --- /dev/null +++ b/.github/workflows/test-build-kontron-vx3060-s2.yml @@ -0,0 +1,25 @@ +name: kontron_vx3060_s2 build test + +on: + pull_request: + branches: [ '*' ] +jobs: + fsp_qemu_test: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + with: + submodules: true + - name: install req + run: | + sudo apt-get update + sudo apt-get install --no-install-recommends -y -q nasm gcc-multilib + - name: setup git + run: | + git config --global user.email "you@example.com" + git config --global user.name "Your Name" + - name: run test + run: | + cp config/examples/kontron_vx3060_s2.config .config + ./tools/scripts/x86_fsp/tgl/tgl_download_fsp.sh + make diff --git a/config/examples/kontron_vx3060_s2.config b/config/examples/kontron_vx3060_s2.config index 45305c9a0..8fcab216f 100644 --- a/config/examples/kontron_vx3060_s2.config +++ b/config/examples/kontron_vx3060_s2.config @@ -1,7 +1,7 @@ ARCH=x86_64 TARGET=kontron_vx3060_s2 WOLFBOOT_SMALL_STACK=0 -SIGN=ECC384 +SIGN=ECC256 HASH=SHA256 DEBUG=0 SPMATH=1 @@ -21,16 +21,12 @@ WOLFBOOT_LOAD_BASE=0x58000200 WOLFBOOT_SECTOR_SIZE?=0x1000 WOLFBOOT_DATA_ADDRESS=0x1000000 - -FSP_S_BASE=0xffea0000 FSP_T_BASE=0xfff59000 FSP_M_BASE=0xfff60000 WOLFBOOT_ORIGIN=0xfff00000 -# 4 MB +# 6 MB BOOTLOADER_PARTITION_SIZE=0x600000 -# 12 MB -BIOS_REGION_SIZE=0xc00000 UCODE0_BASE=0xffd90000 UCODE0_BIN=src/x86/ucode0.bin @@ -38,30 +34,19 @@ UCODE0_BIN=src/x86/ucode0.bin FSP_T_BIN=./src/x86/fsp_t.bin FSP_M_BIN=./src/x86/fsp_m.bin FSP_S_BIN=./src/x86/fsp_s.bin -FSP_S_UPD_DATA_BIN=./src/x86/fsp_s_upd_data.bin X86_UART_BASE=0xFE032000 X86_UART_REG_WIDTH=4 X86_UART_MMIO=1 - PCH_PCR_BASE=0xFD000000 PCI_ECAM_BASE=0xC0000000 - PCI_USE_ECAM=1 PCH_HAS_PCR=1 - 64BIT=1 ELF=1 DEBUG_ELF=0 MULTIBOOT2=1 - FSP_S_LOAD_BASE=0x0FED5F00 STAGE1_AUTH=1 -MEASURED_BOOT=1 -MEASURED_PCR_A=0 DISK_LOCK=0 -WOLFTPM=1 -WOLFBOOT_TPM_SEAL=1 -WOLFBOOT_TPM_SEAL_KEY_ID=1 -WOLFBOOT_UNIVERSAL_KEYSTORE=1 DEBUG_SYMBOLS=1 diff --git a/docs/Targets.md b/docs/Targets.md index 435088b57..5cd41af25 100644 --- a/docs/Targets.md +++ b/docs/Targets.md @@ -9,6 +9,7 @@ This README describes configuration of supported targets. * [Cypress PSoC-6](#cypress-psoc-6) * [Infineon AURIX TC3xx](#infineon-aurix-tc3xx) * [Intel x86-64 Intel FSP](#intel-x86_64-with-intel-fsp-support) +* [Kontron VX3060-S2](#kontron-vx3060-s2) * [Microchip SAMA5D3](#microchip-sama5d3) * [Microchip SAME51](#microchip-same51) * [Nordic nRF52840](#nordic-nrf52840) @@ -3199,24 +3200,96 @@ IMAGE=test-app/image.elf SIGN=--ecc384 tools/scripts/x86_fsp/qemu/make_hd.sh For more advanced uses of TPM, please check [TPM.md](TPM.md) to configure wolfBoot according to your secure boot strategy. -### Running on Kontron VX3060-S2 +## Kontron VX3060-S2 -A reference configuration and helper scripts are provided to run wolfBoot on -Kontron VX3060-S2 board. -A flash dump of the original Flash BIOS is needed. -To compile a flashable image run the following steps: +wolfBoot supports Kontron VX3060-S2 board using Intel Firmware Support Package +(FSP). You can find more details about the wolfBoot support with Intel FSP in +the above [section](#intel-x86_64-with-intel-fsp-support). A minimal +configuration example is provided in +[config/examples/kontron_vx3060_s2.config](config/examples/kontron_vx3060_s2.config). +In order to produce a flashable flash image, a dump of the original flash is +required. To build wolfBoot, follow the following steps: ``` cp config/examples/kontron_vx3060_s2.config .config ./tools/scripts/x86_fsp/tgl/tgl_download_fsp.sh -make tpmtools -./tools/scripts/x86_fsp/tgl/assemble_image.sh -k -make CFLAGS_EXTRA="-DHAVE_ECC256" +make ./tools/scripts/x86_fsp/tgl/assemble_image.sh -n /path/to/original/flash/dump ``` -they produce a file named `final_image.bin` inside the root folder of the -repository that can be directly flashed into the BIOS flash of the board. +After running the above commands, you should find a file named `final_image.bin` in the root folder of the repository. The image can be flashed directly into the board. +By default wolfBoot tries to read a wolfBoot image from the SATA drive. +The drive should be partitioned with a GPT table, wolfBoot tries to load an image saved in the 5th or the 6th partition. +You can find more details in `src/update_disk.c`. wolfBoot doesn't try to read from a filesystem and the images need to be written directly into the partition. +This is an example boot log: +``` +Press any key within 2 seconds to toogle BIOS flash chip +Cache-as-RAM initialized +FSP-T:A.0.7E build 70 +FSP-M:A.0.7E build 70 +microcode revision: AA, date: 12-28-2022 +machine_update_m_params +calling FspMemInit... +warm reset required +Press any key within 2 seconds to toogle BIOS flash chip +Cache-as-RAM initialized +FSP-T:A.0.7E build 70 +FSP-M:A.0.7E build 70 +microcode revision: AA, date: 12-28-2022 +machine_update_m_params +calling FspMemInit... +success +top reserved 0_78C50000h +mem: [ 0x78C40000, 0x78C50000 ] - stack (0x10000) +mem: [ 0x78C3FFF4, 0x78C40000 ] - stage2 parameter (0xC) +hoblist@0x78C90000 +mem: [ 0x78C38000, 0x78C3FFF4 ] - page tables (0x7FF4) +page table @ 0x78C38000 [length: 7000] +mem: [ 0x78C37FF8, 0x78C38000 ] - stage2 ptr holder (0x8) +TOLUM: 0x78C37FF8 +mem: [ 0x100000, 0x100014 ] - stage1 .data (0x14) +mem: [ 0x100020, 0x100040 ] - stage1 .bss (0x20) +CPUID(0):1B 756E6547 6C65746E +mem: [ 0x58000100, 0x5806196C ] - wolfboot (0x6186C) +mem: [ 0x5806196C, 0x58282000 ] - wolfboot .bss (0x220694) +load wolfboot end +Authenticating wolfboot at 58000200... +Boot partition: 0x58000100 (sz 399212, ver 0x1, type 0x201) +verify_payload: image open successfully. +verify_payload: integrity OK. Checking signature. +wolfBoot: verified OK. +starting wolfboot 64bit +call temp ram exit...successA.0.7E build 70 +call silicon...successcap a 2268409840 +ddt disabled 0 +device enable: 172049 +device enable: 172049 +AHCI port 0: Disk detected (det: 04 ipm: 00) +AHCI port 1: Disk detected (det: 03 ipm: 01) +SATA disk drive detected on AHCI port 1 +Reading MBR... +Found GPT PTE at sector 1 +Found valid boot signature in MBR +Valid GPT partition table +Current LBA: 0x1 +Backup LBA: 0x6FCCF2F +Max number of partitions: 128 +Software limited: only allowing up to 16 partitions per disk. +Disk size: 1107095552 +disk0.p0 (0_8000000h@ 0_100000) +disk0.p1 (0_20000000h@ 0_8100000) +disk0.p2 (4_0h@ 0_28100000) +disk0.p3 (4_0h@ 4_28100000) +disk0.p4 (1_0h@ 8_28100000) +disk0.p5 (0_80000000h@ 9_28100000) +disk0.p6 (0_80000000h@ 9_A8100000) +Total partitions on disk0: 7 +Checking primary OS image in 0,5... +Checking secondary OS image in 0,6... +Versions, A:1 B:1 +Load address 0x58282000 +Attempting boot from partition A +``` ## Infineon AURIX TC3xx diff --git a/tools/scripts/x86_fsp/tgl/assemble_image.sh b/tools/scripts/x86_fsp/tgl/assemble_image.sh index adbe6e10f..50cad1ec5 100755 --- a/tools/scripts/x86_fsp/tgl/assemble_image.sh +++ b/tools/scripts/x86_fsp/tgl/assemble_image.sh @@ -3,20 +3,10 @@ WOLFBOOT_DIR=$(pwd) # 16 MB -BIOS_REGION_SIZE=16777216 BIOS_REGION_PATH=/tmp/bios.bin -SIGN_OPTIONS="--ecc384 --sha256" -SIGN_KEY=$WOLFBOOT_DIR/wolfboot_signing_private_key.der -SIGN_TOOL=./tools/keytools/sign set -e -make_keys() -{ - make keytools - ./tools/keytools/keygen --ecc384 -g wolfboot_signing_private_key.der --ecc256 -g tpm_seal_key.key -keystoreDir src/ -} - build_and_sign_image() { # compute the size differences between $FLASH_DUMP and "$WOLFBOOT_DIR"/wolfboot_stage1.bin and store it in SIZE @@ -26,27 +16,24 @@ build_and_sign_image() cp "$FLASH_DUMP" "$WOLFBOOT_DIR/temp_image.bin" truncate -s $SIZE "$WOLFBOOT_DIR/temp_image.bin" cat "$WOLFBOOT_DIR/temp_image.bin" "$BIOS_REGION_PATH" > "$WOLFBOOT_DIR/final_image.bin" - PCR0=$(python ./tools/scripts/x86_fsp/compute_pcr.py "$WOLFBOOT_DIR"/final_image.bin | tail -n 1) - "$WOLFBOOT_DIR"/tools/tpm/policy_sign -ecc256 -key=tpm_seal_key.key -pcr=0 -pcrdigest=$PCR0 - IMAGE_FILE="$WOLFBOOT_DIR"/final_image.bin "$WOLFBOOT_DIR"/tools/scripts/x86_fsp/tpm_install_policy.sh policy.bin.sig + if grep -q '^WOLFBOOT_TPM_SEAL=1$' .config; then + PCR0=$(python ./tools/scripts/x86_fsp/compute_pcr.py "$WOLFBOOT_DIR"/final_image.bin | tail -n 1) + "$WOLFBOOT_DIR"/tools/tpm/policy_sign -ecc256 -key=tpm_seal_key.key -pcr=0 -pcrdigest="$PCR0" + IMAGE_FILE="$WOLFBOOT_DIR"/final_image.bin "$WOLFBOOT_DIR"/tools/scripts/x86_fsp/tpm_install_policy.sh policy.bin.sig + fi } assemble() { - cp $WOLFBOOT_DIR/wolfboot_stage1.bin $BIOS_REGION_PATH + cp "$WOLFBOOT_DIR/wolfboot_stage1.bin" $BIOS_REGION_PATH build_and_sign_image } # Parse command line options -while getopts "ks:n:m:" opt; do +while getopts "s:n:m:" opt; do case "$opt" in - k) - make_keys - exit 0 - ;; n) FLASH_DUMP="$OPTARG" - IBG=0 ;; *) echo "Usage: $0 [-k] [-s FLASH_DUMP]"